02 - Elliptic Curve Signatures in Bitcoin

Bitcoin signatures use a well known and widely used cryptographic technique known as Elliptic Curve Digital Signature algorithm (ECDSA). ECDSA was developed over many years and was accepted in 1998 as an ISO standard, in 1999 as an ANSI standard, and in 2000 as IEEE and NIST standards. ECDSA is closely linked to Elliptic Curve Encryption (ECE) and key pairs that are used to encrypt data with ECE can also be used to generate digital signatures with ECDSA.

An elliptic curve signature is generated by applying an elliptic curve function to a message. For the purposes of this exercise there is no direct need to understand the mathematics. Students who wish to gain further expertise in this area are urged to take the Bitcoin Primitives course, Introduction to Digital Signatures in Bitcoin.

For Bitcoin to work, the nodes that validate transactions must have a way of reconstructing the message signed by the user without the user having to provide anything but the Bitcoin transaction they are sending to the network.

This is achieved by making the message from a rigidly defined transaction pre-image that is comprised of a set of information that the node can extract directly from the transaction in order to reconstruct the message. That information is made up of the following set of 11 parameters:

To calculate a signature the following mathematical data points are used:

1. A keypair In the sect256k1 calculated with: P = S · G where: P is the public key, calculated using: S, the Private key, an integer value in the range 0 - n where n = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 G, the Generator Point, a point on the elliptic curve with the following co-ordinate: x - 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 y - 483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8\

2. Message m where: m is the transaction pre-image as defined on page 2

Using these datapoints the following method is applied:

1. Calculate R = k · G where k is typically a randomly generated number (called an ephemeral key) generated on demand. When using R-Puzzles, k is pre-known and is used as part of the evaluation process

2. Define r = x-coordinate of R

3. Calculate s = k^-1(H(m) + S * r)mod n Unpacking this:

   1. H(m) is the double SHA256 hash of message m

   2. Treating the SHA256 hash as an integer, we add S x r which is the private key multipled by the ephemeral key's x co-ordinate

   3. We multiply the sum from step 2 by k^-1

   4. We perform a modulo function with n as the denominator and the result of step 3 as numerator to get the signature

The full signature is a concatenation of r and s in DER format as outlined below: