Introduction
When someone sends bitcoin to you, they send the bitcoin to your address. If you want to spend any of the bitcoin that is sent to your address, you create a transaction and specify where your bitcoin ought to go. Such a transaction may look like:
Transfer 5 bitcoin from 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa (your address) to 12c6DSiU4Rq3P4ZxziKxzrL5LmMBrzjrJX (the recipient address).
Of course, anyone can create a transaction that looks like the one above, so if it were added to the blockchain as is and without issue, then you would be out $30,000+ whether you like it or not. Luckily, such a transaction does not belong in the blockchain, because it is missing a valid digital signature. By adding a digital signature, you can prove that you know the private key that corresponds to the address 1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa. If you don’t know the corresponding private key, then you probably shouldn’t have been telling people to send bitcoin to you via that address, since you are unable to spend any of the bitcoin sent there!
When you create a bitcoin address for yourself (or an address/account for any other cryptocurrency), you generate the private key first. From the private key, you compute the corresponding public key and by hashing that public key you get your address. Hopefully you can’t choose an address first and then determine the private key from that, otherwise you could determine the private key for any address using the same method. What is Satoshi’s address again?
Public-key cryptography
Public keys, private keys, and digital signatures form the basic components of public-key cryptography. No matter what mathematical basis is used to implement a public-key cryptographic system, it must satisfy the following, at least for our purposes:
- It is computationally infeasible to derive the private key corresponding to a given public key.
- It is possible to prove that one knows the private key corresponding to a public key without revealing any useful information about the private key in the process. Furthermore, such a proof can be constructed in a way that it requires a specific message to be verified. This way, the proof forms a digital signature for that message.
One way to do public-key cryptography is with elliptic curves. Another way is with RSA, which revolves around prime numbers. Most cryptocurrencies — Bitcoin and Ethereum included — use elliptic curves, because a 256-bit elliptic curve private key is just as secure as a 3072-bit RSA private key. Smaller keys are easier to manage and work with.
Elliptic curve cryptography
What is an elliptic curve? An elliptic curve consists of all the points that satisfy an equation of the following form:
y² = x³+ax+b
where 4a³+27b² ≠ 0 (this is required to avoid singular points).
Here are some example elliptic curves:
Notice that all the elliptic curves above are symmetrical about the x-axis. This is true for every elliptic curve because the equation for an elliptic curve is:
y² = x³+ax+b
And if you take the square root of both sides you get:
y = ±√(x³+ax+b)
So if a=27 and b=2 and you plug in x=2, you’ll get y=±8, resulting in the points (2, -8) and (2, 8).
The elliptic curve used by Bitcoin, Ethereum, and many other cryptocurrencies is called secp256k1. The equation for the secp256k1 curve is y² = x³+7. This curve looks like:
Satoshi chose secp256k1 for no particular reason.
Point addition
You know how you can add two numbers together to get a third number? You can add two points on an elliptic curve together to get a third point on the curve.
To add two points on an elliptic curve together, you first find the line that goes through those two points. Then you determine where that line intersects the curve at a third point. Then you reflect that third point across the x-axis (i.e. multiply the y-coordinate by -1) and whatever point you get from that is the result of adding the first two points together.
Let’s take a look at an example of this. Let’s say you want to add the following two points together:
First, you find the line that goes through the two points:
Then you find the third point on the curve that the line intersects:
Then you reflect that point across the x-axis:
Therefore, P+Q=R.
To do elliptic curve cryptography properly, rather than adding two arbitrary points together, we specify a base point on the curve and only add that point to itself.
For example, let’s say we have the following curve with base point P:
Initially, we have P, or 1•P.
Now let’s add P to itself. First, we have to find the equation of the line that goes through P and P. There are infinitely many such lines! In this special case, we opt for the tangent line.
Now we find the “third” point that this line intersects and reflect it across the x-axis.
Thus P added to itself, or P+P, equals 2•P.
If we add P to itself again, we’ll be computing P added to itself added to itself, or P+P+P. The result will be 3•P. To compute 3•P, we can just add P and 2•P together.
We can continue to add P to itself to compute 4•P and 5•P and so on.
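The chord and tangent rules described above can be carried out exactly with rational arithmetic. The following is an added example, not code from the original article; it assumes the sample curve y² = x³+27x+2 and the point (2, 8) used earlier in the text, and the function names are illustrative.

```python
from fractions import Fraction

# Curve y^2 = x^3 + a*x + b with the text's sample coefficients a=27, b=2.
A, B = Fraction(27), Fraction(2)
INFINITY = None  # identity element: the "point" a vertical line meets


def on_curve(pt):
    """True if pt satisfies the curve equation (infinity counts as on it)."""
    if pt is INFINITY:
        return True
    x, y = pt
    return y * y == x**3 + A * x + B


def add(p, q):
    """Chord-and-tangent addition over the rationals (exact arithmetic)."""
    if p is INFINITY:
        return q
    if q is INFINITY:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and y1 == -y2:
        return INFINITY  # vertical line: p + (-p), or doubling where y = 0
    if p == q:
        slope = (3 * x1 * x1 + A) / (2 * y1)  # tangent line at p
    else:
        slope = (y2 - y1) / (x2 - x1)         # chord through p and q
    x3 = slope * slope - x1 - x2              # x of the third intersection
    y3 = slope * (x1 - x3) - y1               # y after reflecting across x-axis
    return (x3, y3)


def multiply(k, p):
    """k*P by repeated addition, the way the text builds 2P, 3P, ..."""
    result = INFINITY
    for _ in range(k):
        result = add(result, p)
    return result


P = (Fraction(2), Fraction(8))  # the point (2, 8) from the text

if __name__ == "__main__":
    for k in range(1, 5):
        kp = multiply(k, P)
        print(k, kp, on_curve(kp))
```

Every multiple printed stays on the curve, and adding P to its mirror image (2, -8) returns the point at infinity, the case where the line through the two points is vertical and never meets the curve a third time.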
Th