Elliptic Curve Cryptography (ECC) | Bitcoin Glossary | Mapping Bitcoin

Elliptic Curve Cryptography (ECC)

Cryptography

Also known as: ECC, secp256k1

A public-key cryptography system based on the algebraic structure of elliptic curves over finite fields. Bitcoin uses the secp256k1 curve to generate key pairs and create digital signatures that prove ownership of funds.

Overview

Elliptic Curve Cryptography (ECC) is the mathematical foundation underlying Bitcoin's key generation and digital signature system. It provides the same security as traditional public-key cryptography (like RSA) but with significantly smaller key sizes, making it well-suited for a system where signatures must be stored permanently on the blockchain.

The secp256k1 Curve

Bitcoin uses a specific elliptic curve called secp256k1, defined by the equation:

y² = x³ + 7  (mod p)

where p = 2²⁵⁶ - 2³² - 977 (a very large prime number)

This curve was an unusual choice when Bitcoin was created, as most systems used the NIST-recommended secp256r1 curve. Satoshi's choice of secp256k1 is believed to have been motivated by the fact that its parameters are not arbitrary, reducing concerns about potential backdoors in the curve constants.

Key Generation

┌──────────────────────────────────┐
│  1. Generate random 256-bit     │
│     number (private key k)      │
└──────────────┬───────────────────┘
               │
               ▼
┌──────────────────────────────────┐
│  2. Multiply generator point G  │
│     by private key:             │
│     K = k × G                   │
│     (elliptic curve point       │
│      multiplication)            │
└──────────────┬───────────────────┘
               │
               ▼
┌──────────────────────────────────┐
│  3. Result K is the public key  │
│     (a point on the curve)      │
│     K = (x, y) coordinates      │
└──────────────────────────────────┘

The security of ECC rests on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given the public key K and generator point G, it is computationally infeasible to determine the private key k. This is a one-way function -- multiplication is easy, but division (finding the scalar from the result) is practically impossible with current mathematics.

Key Properties

  • Private key: A random 256-bit integer (between 1 and the curve order n)
  • Public key: A point on the curve (two 256-bit coordinates, or 33 bytes compressed)
  • Security level: secp256k1 provides approximately 128 bits of security
  • Key space: Approximately 2^256 possible private keys -- more than the estimated number of atoms in the observable universe
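
The three key-generation steps and the key properties above, as an added Python example (not part of the original glossary entry and not code from any Bitcoin implementation). The function names are illustrative; n and G are the curve's standard published constants, which the page does not list, and Python 3.8+ is assumed for modular inverses via `pow`.

```python
import secrets

# secp256k1 domain parameters: p as given on this page; n and G are the curve's published constants.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """True if pt satisfies y^2 = x^3 + 7 (mod p). None stands for the point at infinity."""
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def add(a, b):
    """Elliptic curve point addition in affine coordinates."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a + (-a) is the point at infinity
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P)  # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P)   # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def multiply(k, pt):
    """K = k x G by double-and-add. Not constant-time: for study, not for real keys."""
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt, k = add(pt, pt), k >> 1
    return result

def compress(pt):
    """33 bytes: prefix 0x02 (even y) or 0x03 (odd y), then the 32-byte x-coordinate."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def decompress(data):
    """Recover y from x and the parity prefix; the square root formula needs p % 4 == 3."""
    x = int.from_bytes(data[1:], "big")
    y = pow(x**3 + 7, (P + 1) // 4, P)
    return (x, y if (y & 1) == (data[0] & 1) else P - y)

def generate_keypair():
    k = secrets.randbelow(N - 1) + 1  # uniform in 1 .. n-1
    return k, multiply(k, G)
```

Multiplying G by the curve order n returns the point at infinity, which is why private keys are drawn from below n.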

Why ECC Over RSA?

Property         ECC (secp256k1)   RSA (equivalent)
Key size         256 bits          3,072 bits
Signature size   ~64-72 bytes      ~384 bytes
Security level   128 bits          128 bits
Speed            Fast              Slower

Common Misconceptions

  • Quantum computers could theoretically break ECC using Shor's algorithm. However, practical quantum computers capable of this are not expected for many years, and the Bitcoin community has time to plan for post-quantum cryptographic upgrades.
  • The private key is not derived from the public key by "reversing" a hash. It is related through elliptic curve point multiplication, which is a different mathematical operation.
  • Compressed and uncompressed public keys represent the same point on the curve. Compressed keys store only the x-coordinate plus a parity byte.