Blockchain

Digital Signatures: ECDSA and EdDSA

A Bitcoin transaction passes through dozens of strangers' nodes across the globe. Not one of them knows the sender personally. Yet each can mathematically prove that the owner - and no one else - authorized the transfer. Without a passport, without a password, without a central server. How? Using digital signatures - the technology that turns a random 256-bit number into an unforgeable "seal" on every transaction.

**Bitcoin** - every transaction contains an ECDSA signature. The network processes ~400,000 signatures per day, and each one is verified by every full node
**Solana** - uses Ed25519 for speed: verifying ~65,000 signatures per second is necessary for the network's throughput
**Ethereum** - ECDSA on secp256k1 secures every ETH transfer, smart contract call, and deployment. A Taproot-like analog (EIP-7702) is being explored for account abstraction

Diffie, Hellman, and the Birth of Asymmetric Cryptography

In 1976, Whitfield Diffie and Martin Hellman published the paper *"New Directions in Cryptography"*, which turned the domain of cryptography upside down. Before that, all cryptography was **symmetric**: sender and receiver had to exchange a secret key in advance. That worked for the military and diplomats, but not for the internet. Diffie and Hellman proposed the idea of **asymmetric** keys: two mathematically linked keys, one of which can be published openly. It later turned out that British intelligence agency GCHQ had arrived at the same ideas several years earlier (James Ellis and Clifford Cocks), but kept the results classified.

Without asymmetric cryptography there would be no HTTPS, no blockchain, and no way to securely visit a website. Every time a browser shows a padlock, Diffie and Hellman's legacy is at work.

Предварительные знания

Hash Functions: the foundation of blockchain

Key Pairs: Asymmetric Cryptography

Before 1976, cryptography had a fundamental problem: to exchange a secret message, sender and receiver had to **agree on a secret key in advance**. But transmitting that key over an insecure channel was the unsolved riddle.

**Asymmetric cryptography** solved this problem by splitting the key into two: a **private key** (secret) and a **public key**. They are mathematically linked, but knowing the public key makes computing the private key impossible.

Analogy: a mailbox

How a key pair works

Public key = a mailbox address with a slot. Private key = the key to that mailbox. • Anyone can drop a letter in (encrypt with public key) • Only the owner can take letters out (decrypt with private key) • The owner can put a seal on something (sign with private key) • Anyone can verify the seal (verify with public key) In blockchain a signature proves: "It was me, the owner of this address, who authorized the transaction."

In blockchain the private key is a **random number** 256 bits long. From it the public key is mathematically computed (a point on an elliptic curve), and from the public key - the **wallet address**.

**Private key = full control.** Whoever knows the private key owns all funds on the address. There is no "password recovery", no support team. By some estimates, **3.7 million BTC** (~$150B) are lost forever due to lost private keys.

**Why is computing the private key from the public key infeasible?** This is the Elliptic Curve Discrete Logarithm Problem (ECDLP). For secp256k1, the best known algorithm requires ~$2^{128}$ operations - more than the number of atoms in the Solar System.

Alice has Bob's wallet address. What can she do with it?

ECDSA: Bitcoin Signatures

**ECDSA** (Elliptic Curve Digital Signature Algorithm) is the digital signature algorithm used in **Bitcoin**, **Ethereum**, and most early blockchains. It is based on the mathematics of elliptic curves - Bitcoin uses the **secp256k1** curve.

The transaction signing process: 1. Take the transaction data and compute its **hash** (SHA-256) 2. Generate a **random number k** (nonce) - a critically important step! 3. Compute a point on the curve $R = k \cdot G$, take its x-coordinate as $r$ 4. Compute $s = k^{-1} \cdot (hash + r \cdot privateKey) \mod n$ 5. The signature is the pair $(r, s)$

**Why secp256k1?** Satoshi Nakamoto chose this curve for Bitcoin instead of the popular NIST P-256. Reason: secp256k1 was created by Certicom and has "transparent" parameters (so-called *nothing-up-my-sleeve numbers*), whereas the NIST curve parameters are suspected of containing an NSA backdoor.

**Critical vulnerability: nonce reuse.** If the **same** nonce $k$ is used to sign two different messages, the private key is **extracted directly**: $privateKey = (s_1 - s_2)^{-1} \cdot (hash_1 \cdot s_2 - hash_2 \cdot s_1) \cdot r^{-1}$ This is exactly how in 2010 **Sony** lost the PlayStation 3 master key: they signed all updates with the same $k$. Hackers computed the private key and gained full control over the console.

To create an ECDSA signature for a transaction, three inputs are required: the transaction hash, the private key, and... what else?

EdDSA: The Next Generation of Signatures

**EdDSA** (Edwards-curve Digital Signature Algorithm) is a modern alternative to ECDSA, developed by Daniel Bernstein in 2011. The most popular implementation is **Ed25519** on the Curve25519 curve.

EdDSA addresses three serious problems with ECDSA:

ECDSA problem	EdDSA solution
Requires a high-quality random number generator for the nonce	Nonce is deterministic: computed from the private key and message - reuse is impossible by construction
Vulnerable to side-channel attacks (nonce leakage via timing/power analysis)	All operations run in constant time - no information leakage
Slow verification (~4,000 signatures/sec)	2–3× faster (~8,000+ signatures/sec, even faster in batch mode)

**Who uses EdDSA?** - **Solana** - Ed25519 for all transactions (speed is critical at 65,000 TPS) - **Cardano** - Ed25519 Extended for hierarchical keys - **Polkadot** - Sr25519 (Schnorr on Ristretto255, a relative of EdDSA) - **SSH/TLS** - Ed25519 has become the standard for SSH keys (`ssh-keygen -t ed25519`)

**Why is Bitcoin still on ECDSA?** Bitcoin added support for Schnorr signatures (BIP-340, Taproot, 2021) - they share EdDSA's advantages. A full switch to Ed25519 would require a hard fork, which the community is reluctant to attempt. Ethereum also stays on ECDSA (secp256k1) for the same reason.

Why did Solana choose Ed25519 over ECDSA?

Signature Verification in Blockchain

Every node in a blockchain **independently verifies** every signature on every transaction. There is no central authority - "trust through mathematics". But when the network processes thousands of transactions per second, signature verification becomes the **bottleneck**.

**Batch Verification** is a technique for verifying **N signatures faster** than verifying them individually. Ed25519 supports this natively:

**Multisig (multi-signature)** is a scheme requiring signatures from multiple participants. A popular configuration is **2-of-3**: out of three keys, any **two** signatures are sufficient to authorize a transaction.

Multisig 2-of-3: protecting a corporate wallet

A practical usage scenario

A company holds $10M in cryptocurrency. 3 keys are distributed: • CEO (key A) - in a hardware wallet • CFO (key B) - in a bank vault • CTO (key C) - in cold storage Any 2 of 3 signatures are required to transfer funds: ✓ CEO + CFO - standard transfer ✓ CEO + CTO - CFO is on vacation ✓ CFO + CTO - CEO lost their key ✗ CEO alone - insufficient ✗ Hacker + CEO - useless without a second legitimate key If one key is stolen → the attacker still can't transfer funds. The company replaces the compromised key while retaining control via the remaining two.

**Signature attacks** - real incidents that shaped modern security standards:

Attack	Year	Consequences	Lesson
Sony PS3 nonce reuse	2010	Console master key exposed, full DRM bypass	Never reuse a nonce → deterministic signatures (RFC 6979)
Android SecureRandom bug	2013	Bitcoin theft from Android wallets	Mobile random number generators are unreliable → EdDSA with deterministic nonce
ROCA (Return of Coppersmith Attack)	2017	RSA keys on Estonian ID cards compromised	Even hardware implementations can have bugs → audit is required
Profanity vanity address exploit	2022	Over $160M stolen from addresses generated by Profanity	Weak key generator → all addresses are vulnerable

**Schnorr signatures (BIP-340)** - the future of Bitcoin. Advantages: - **Linearity**: N multisig signatures compress into **one** - saving space and gas - **Batch verification**: like EdDSA, supports fast batch verification - **Privacy**: a multisig transaction is indistinguishable from a regular one - observers can't tell how many signers participated

A digital signature encrypts the transaction, hiding its contents from observers

A digital signature **does not encrypt** data - the transaction remains fully visible. The signature proves **authorship** and **integrity**: that exactly the key owner created this transaction and the data was not altered. In public blockchains (Bitcoin, Ethereum) all transactions are visible to everyone.

The confusion arises because both signatures and encryption use key pairs. But the goals are different: encryption hides content (confidentiality), while a signature confirms the author (authentication). In blockchain, transparency is an intentional property, not a flaw.

A corporate wallet is protected by multisig 2-of-3. A hacker steals one of the three private keys. What can they do?

Key Ideas

**Key pair** - a private key (secret, 256 bits) and a public key (wallet address). The private key signs transactions, the public key lets anyone verify the signature
**ECDSA** (secp256k1) - the signature algorithm of Bitcoin and Ethereum. Requires a unique random nonce for each signature, otherwise the private key is revealed (as in the Sony PS3 case)
**EdDSA** (Ed25519) - a modern alternative: deterministic nonce, 2–3× faster, resistant to side-channel attacks. Used in Solana, Cardano, and SSH
**Multisig** (2-of-3) protects against the theft of a single key, and **batch verification** speeds up checking thousands of signatures. Remember: a signature doesn't encrypt data - it proves authorship, like that mathematical "seal" that lets dozens of strangers' nodes trust every transaction

Вопросы для размышления

Quantum computers will be able to break ECDSA and EdDSA (Shor's algorithm). How are blockchain networks preparing for this? What will happen to Bitcoin if a quantum computer arrives before the network migrates to post-quantum signatures?
If a private key is just a random number, what stops an attacker from randomly generating someone else's key? Calculate the probability, given that the key is 256 bits.
Multisig 2-of-3 protects against the theft of one key. For a DAO with 1,000 participants, why does naive multisig 500-of-1000 not work, and what alternatives exist (threshold signatures, MPC)?

Связанные уроки

bc-02-hashing — Digital signatures sign the hash of a message; hashing is the prerequisite
bc-07-ecc — ECC is the math behind ECDSA (the signature scheme used in Bitcoin and Ethereum); this signatures lesson is the abstract intro
bc-22-bitcoin-utxo — Bitcoin UTXO spending requires a valid signature over the transaction hash
bc-10-bls — BLS is an advanced signature scheme that supports aggregation; classical signatures are the prerequisite
crypto-28-digital-signatures

Blockchain

Digital Signatures: ECDSA and EdDSA

**Bitcoin** - every transaction contains an ECDSA signature. The network processes ~400,000 signatures per day, and each one is verified by every full node
**Solana** - uses Ed25519 for speed: verifying ~65,000 signatures per second is necessary for the network's throughput
**Ethereum** - ECDSA on secp256k1 secures every ETH transfer, smart contract call, and deployment. A Taproot-like analog (EIP-7702) is being explored for account abstraction

Diffie, Hellman, and the Birth of Asymmetric Cryptography

Without asymmetric cryptography there would be no HTTPS, no blockchain, and no way to securely visit a website. Every time a browser shows a padlock, Diffie and Hellman's legacy is at work.

Предварительные знания

Hash Functions: the foundation of blockchain

Key Pairs: Asymmetric Cryptography

Analogy: a mailbox

How a key pair works

In blockchain the private key is a **random number** 256 bits long. From it the public key is mathematically computed (a point on an elliptic curve), and from the public key - the **wallet address**.

Alice has Bob's wallet address. What can she do with it?

ECDSA: Bitcoin Signatures

To create an ECDSA signature for a transaction, three inputs are required: the transaction hash, the private key, and... what else?

EdDSA: The Next Generation of Signatures

**EdDSA** (Edwards-curve Digital Signature Algorithm) is a modern alternative to ECDSA, developed by Daniel Bernstein in 2011. The most popular implementation is **Ed25519** on the Curve25519 curve.

EdDSA addresses three serious problems with ECDSA:

ECDSA problem	EdDSA solution
Requires a high-quality random number generator for the nonce	Nonce is deterministic: computed from the private key and message - reuse is impossible by construction
Vulnerable to side-channel attacks (nonce leakage via timing/power analysis)	All operations run in constant time - no information leakage
Slow verification (~4,000 signatures/sec)	2–3× faster (~8,000+ signatures/sec, even faster in batch mode)

Why did Solana choose Ed25519 over ECDSA?

Signature Verification in Blockchain

**Batch Verification** is a technique for verifying **N signatures faster** than verifying them individually. Ed25519 supports this natively:

Multisig 2-of-3: protecting a corporate wallet

A practical usage scenario

**Signature attacks** - real incidents that shaped modern security standards:

Attack	Year	Consequences	Lesson
Sony PS3 nonce reuse	2010	Console master key exposed, full DRM bypass	Never reuse a nonce → deterministic signatures (RFC 6979)
Android SecureRandom bug	2013	Bitcoin theft from Android wallets	Mobile random number generators are unreliable → EdDSA with deterministic nonce
ROCA (Return of Coppersmith Attack)	2017	RSA keys on Estonian ID cards compromised	Even hardware implementations can have bugs → audit is required
Profanity vanity address exploit	2022	Over $160M stolen from addresses generated by Profanity	Weak key generator → all addresses are vulnerable

A digital signature encrypts the transaction, hiding its contents from observers

A corporate wallet is protected by multisig 2-of-3. A hacker steals one of the three private keys. What can they do?

Key Ideas

**Key pair** - a private key (secret, 256 bits) and a public key (wallet address). The private key signs transactions, the public key lets anyone verify the signature
**ECDSA** (secp256k1) - the signature algorithm of Bitcoin and Ethereum. Requires a unique random nonce for each signature, otherwise the private key is revealed (as in the Sony PS3 case)
**EdDSA** (Ed25519) - a modern alternative: deterministic nonce, 2–3× faster, resistant to side-channel attacks. Used in Solana, Cardano, and SSH
**Multisig** (2-of-3) protects against the theft of a single key, and **batch verification** speeds up checking thousands of signatures. Remember: a signature doesn't encrypt data - it proves authorship, like that mathematical "seal" that lets dozens of strangers' nodes trust every transaction

Вопросы для размышления

Quantum computers will be able to break ECDSA and EdDSA (Shor's algorithm). How are blockchain networks preparing for this? What will happen to Bitcoin if a quantum computer arrives before the network migrates to post-quantum signatures?
If a private key is just a random number, what stops an attacker from randomly generating someone else's key? Calculate the probability, given that the key is 256 bits.
Multisig 2-of-3 protects against the theft of one key. For a DAO with 1,000 participants, why does naive multisig 500-of-1000 not work, and what alternatives exist (threshold signatures, MPC)?

Связанные уроки

bc-02-hashing — Digital signatures sign the hash of a message; hashing is the prerequisite
bc-07-ecc — ECC is the math behind ECDSA (the signature scheme used in Bitcoin and Ethereum); this signatures lesson is the abstract intro
bc-22-bitcoin-utxo — Bitcoin UTXO spending requires a valid signature over the transaction hash
bc-10-bls — BLS is an advanced signature scheme that supports aggregation; classical signatures are the prerequisite
crypto-28-digital-signatures

Digital Signatures: ECDSA and EdDSA

Diffie, Hellman, and the Birth of Asymmetric Cryptography

Предварительные знания

Key Pairs: Asymmetric Cryptography

Analogy: a mailbox

ECDSA: Bitcoin Signatures

EdDSA: The Next Generation of Signatures

Signature Verification in Blockchain

Multisig 2-of-3: protecting a corporate wallet

Key Ideas

Related Topics

Вопросы для размышления

Связанные уроки

Digital Signatures: ECDSA and EdDSA

Diffie, Hellman, and the Birth of Asymmetric Cryptography

Предварительные знания

Key Pairs: Asymmetric Cryptography

Analogy: a mailbox

ECDSA: Bitcoin Signatures

EdDSA: The Next Generation of Signatures

Signature Verification in Blockchain

Multisig 2-of-3: protecting a corporate wallet

Key Ideas

Related Topics

Вопросы для размышления

Связанные уроки