Aarunya Apps

ES512 JWT Algorithm

ES512 is ECDSA over the P-521 curve (secp521r1) with SHA-512 as the message digest. Despite the name, the curve is P-521, not P-512: there is no P-512 curve, and the "512" in the algorithm name refers to the hash. NIST SP 800-57 rates P-521 at roughly 256-bit security, the same strength class as RSA-15360 and AES-256. It is the strongest of the three ECDSA algorithms (ES256, ES384, ES512) defined in RFC 7518.

Family: ECDSA
Hash: SHA-512
Key type: asymmetric
Performance: Medium (roughly 0.1–1 ms per sign or verify, platform dependent; noticeably slower than ES256 because P-521 field arithmetic is heavier)

Key Requirements

EC key pair on the P-521 (secp521r1) curve. Generate the private key with:

openssl ecparam -name secp521r1 -genkey -noout -out ec-private.pem

Note that ecparam writes the traditional SEC1 format ("-----BEGIN EC PRIVATE KEY-----"), while jose's importPKCS8 (used below) expects PKCS#8 ("-----BEGIN PRIVATE KEY-----"). Either convert it:

openssl pkcs8 -topk8 -nocrypt -in ec-private.pem -out ec-private-pkcs8.pem

or generate a PKCS#8 key directly with openssl genpkey -algorithm EC -pkeyopt ec_paramgen_curve:P-521 -out ec-private.pem. Derive the public key (SPKI format, which importSPKI and PyJWT accept) with:

openssl ec -in ec-private.pem -pubout -out ec-public.pem

JWT Header

Every JWT using ES512 carries this protected header, base64url-encoded as the first segment. The "typ" member is conventional; the "alg" value is what matters, and a verifier should pin it in its own configuration rather than read it from the token, because the header is attacker-controlled:

{
  "alg": "ES512",
  "typ": "JWT"
}

Code Examples

Node.js — Sign (jose library)
import { SignJWT, importPKCS8 } from 'jose'

// importPKCS8 expects a PKCS#8 PEM ("-----BEGIN PRIVATE KEY-----"); the second
// argument tells jose which JWA algorithm the key will be used with.
const privateKey = await importPKCS8(process.env.EC_PRIVATE_KEY!, 'ES512')

export async function signToken(payload: Record<string, unknown>) {
  return new SignJWT(payload)
    .setProtectedHeader({ alg: 'ES512' })
    .setIssuedAt()
    .setExpirationTime('1h')
    .sign(privateKey)
}
Node.js — Verify (jose library)
import { jwtVerify, importSPKI } from 'jose'

// importSPKI expects the public key as a SubjectPublicKeyInfo PEM ("-----BEGIN PUBLIC KEY-----").
const publicKey = await importSPKI(process.env.EC_PUBLIC_KEY!, 'ES512')

export async function verifyToken(token: string) {
  // Pinning `algorithms` means the token's own header cannot switch the check to a
  // different algorithm; jwtVerify also enforces exp/nbf when they are present.
  const { payload } = await jwtVerify(token, publicKey, { algorithms: ['ES512'] })
  return payload
}
Python — PyJWT
import jwt
from cryptography.hazmat.primitives import serialization

# PyJWT accepts either PEM text or cryptography key objects; loading the keys
# explicitly fails early if a file is not a valid EC key.
with open("ec-private.pem", "rb") as f:
    private_key = serialization.load_pem_private_key(f.read(), password=None)
with open("ec-public.pem", "rb") as f:
    public_key = serialization.load_pem_public_key(f.read())

token = jwt.encode({"sub": "1234"}, private_key, algorithm="ES512")
# algorithms=[...] pins the accepted algorithm; never derive it from the token header.
payload = jwt.decode(token, public_key, algorithms=["ES512"])

When to Use ES512

Maximum ECDSA security level when required by policy. For nearly all applications, ES256 or ES384 provides more than adequate security. Use ES512 when a security framework mandates the highest available EC strength.

Security Considerations

ES512 means P-521, not P-512; make sure your library actually selects secp521r1 (Node's crypto and OpenSSL use that SEC name, and a JWK carries "crv": "P-521"). The odd 521-bit size is not a mistake: the field prime is the Mersenne prime 2^521 - 1, chosen because reduction modulo a Mersenne prime is very fast, not for a neat power of two. Two further points matter in practice. First, the JWS signature is the raw concatenation R || S with each integer zero-padded to 66 bytes, 132 bytes in total (RFC 7518 §3.4), not the DER structure OpenSSL emits by default; a verifier should reject any other length before doing any arithmetic. Second, the verifier must pin the algorithm, as the jose and PyJWT examples above do with algorithms=['ES512'], instead of trusting the alg value in the header, which the attacker controls.

Related Algorithms

ES256 (P-256, SHA-256) and ES384 (P-384, SHA-384) are the other two ECDSA algorithms in the same family. All three are standardised in RFC 7518 §3.4, JSON Web Algorithms (JWA).

Frequently Asked Questions

How does ECDSA compare to RSA for JWT signing?

ECDSA provides security comparable to RSA with much smaller keys: ES256 (P-256, 256-bit key, about 128-bit security) ≈ RSA-3072. This means much smaller signatures (64 bytes for ES256 against 384 bytes for RSA-3072), shorter key material, and faster signing. Verification is the one place RSA wins: checking an RSA signature with a small public exponent is cheaper than an ECDSA verification. ES256 is still the preferred modern choice when asymmetric signing is needed.

What elliptic curve does ES256 use?

ES256 uses the P-256 curve (also known as secp256r1 or prime256v1). ES384 uses P-384 (secp384r1), and ES512 uses P-521 (secp521r1 — note: P-521, not P-512). The curve is specified in the 'crv' field of the JWK.

Is ECDSA safe from the nonce-reuse attack?

Modern ECDSA implementations (Node.js crypto, WebCrypto) and reputable libraries draw the per-signature nonce k from the OS CSPRNG, so reusing a nonce is vanishingly unlikely; some implementations instead derive k deterministically from the private key and the message (RFC 6979), which removes the dependence on the RNG altogether. The infamous PS3 ECDSA break happened because Sony used a constant nonce, and two signatures made with the same key and nonce let anyone solve for the private key. Using the jose or jsonwebtoken library on top of Node's crypto protects you from this.