Blockchain
Elliptic Curves (ECC)
Every Bitcoin wallet is a point on a mathematical curve. A point whose coordinates are computed from a random 256-bit number. And here's what's astonishing: computing the point from the number takes a millisecond, while recovering the number back from the point takes longer than the Universe has existed. This asymmetry, written into the equation y² = x³ + 7, protects a trillion dollars of the crypto market right now.
- **Bitcoin and Ethereum** - every address, every transaction is signed on secp256k1. Over $1 trillion is secured by this curve
- **Signal, WhatsApp, Telegram** - 2+ billion users exchange messages over X25519 (Curve25519). Every message is encrypted using elliptic curves
- **SSH and TLS 1.3** - connecting to a server via `ssh-keygen -t ed25519` uses Ed25519. Most modern HTTPS connections use ECDHE on Curve25519
Daniel Bernstein: The Rebel Cryptographer
In 1995, 24-year-old graduate student Dan Bernstein sued the US government. He argued that restrictions on exporting cryptographic software violated the First Amendment (freedom of speech). And he **won** - the court ruled that source code is a form of free expression. Ten years later, in 2005–2006, Bernstein published Curve25519 and Salsa20 - algorithms designed to be **resistant to implementation errors**. His philosophy: if a developer can make a mistake - they will; a cryptographer's job is to make the mistake impossible.
Curve25519 became the de facto standard for a new generation of protocols: Signal, WireGuard, TLS 1.3. The "security by design" approach changed the entire industry.
Prerequisites
secp256k1: Bitcoin's Curve
Every Bitcoin address, every transaction worth billions of dollars - all of it rests on one mathematical formula: **y² = x³ + 7**. This formula defines the elliptic curve **secp256k1** - the curve Satoshi Nakamoto chose for Bitcoin.
An elliptic curve is a set of points (x, y) satisfying an equation of the form **y² = x³ + ax + b**. For secp256k1 the coefficients are a = 0, b = 7. But in cryptography we don't work with real numbers - we work with numbers modulo a huge prime **p**.
**NIST vs Koblitz curves.** There are two families of curves:
- **NIST curves** (P-256, P-384) - parameters chosen by NIST, but the origin of the "seed" values is unexplained. Cryptographers suspect a possible NSA backdoor.
- **Koblitz curves** (secp256k1) - parameters are determined by the structure itself, with no "magic" constants. The formula y² = x³ + 7 is one of the simplest possible.
Satoshi chose secp256k1 precisely for its transparency: the parameters contain nothing suspicious.
Why a = 0, b = 7? Among all curves y² = x³ + b (with a = 0), the curve with b = 7 gives **structurally convenient** parameters: the group order n is a prime, which is important for security. Also, computations on a curve with a = 0 are **faster** - one multiplication can be skipped when evaluating x³ + ax + b.
**secp256k1 is not perfect for all tasks.** It requires careful implementation:
- ECDSA on secp256k1 needs a high-quality random number generator for the nonce k. A bad nonce k → private key leakage.
- In 2013, an Android Bitcoin wallet lost funds due to a bug in the random number generator that produced the same k values repeatedly.
Why did Satoshi choose secp256k1 instead of the standard NIST P-256?
Curve25519: Security by Design
In 2006, cryptographer Daniel Bernstein proposed an alternative: **Curve25519** - a curve designed to **eliminate entire classes of implementation errors**. While secp256k1 demands care from the developer, Curve25519 makes an incorrect implementation **nearly impossible**.
Curve25519 uses the **Montgomery form**: **By² = x³ + Ax² + x**, where A = 486662, B = 1. The modulus is the prime **p = 2²⁵⁵ − 19** (hence the name). This form allows scalar multiplication using **only the x-coordinate** - this is the Montgomery Ladder.
**Two faces of one curve:**
- **X25519** - a key exchange protocol (Diffie-Hellman on Curve25519). Used in TLS 1.3, Signal, WireGuard.
- **Ed25519** - a digital signature algorithm. Uses a **birationally equivalent** twisted Edwards curve: **−x² + y² = 1 − (121665/121666)x²y²**.
One mathematical structure, two applications. Solana, Cardano, and Polkadot use Ed25519 for signatures.
Why is Curve25519 "secure by design"?
1. **Constant-time operations** - the Montgomery Ladder algorithm runs in the same amount of time for any key, protecting against timing attacks.
2. **No cofactor pitfalls** - the cofactor h = 8 is handled automatically.
3. **Simple modulus** - p = 2²⁵⁵ − 19 enables efficient arithmetic without branching.
4. **Deterministic signatures** - Ed25519 doesn't require a random nonce, unlike ECDSA.
Signal Protocol and Curve25519
How a messenger protects billions of messages
Signal Protocol (used in Signal, WhatsApp, Facebook Messenger):
1. X25519 - key exchange when establishing a session
2. Ed25519 - signatures for authentication
3. Double Ratchet - key rotation after each message
Each of the 2+ billion WhatsApp users uses Curve25519 with every message. This is the most widely used elliptic curve in the world.
What is the key advantage of Ed25519 over ECDSA on secp256k1?
Scalar Multiplication: From Private to Public
All elliptic curve cryptography is built on one operation - **scalar point multiplication**: given a number k (private key) and a point G (generator), compute **Q = k * G** (public key). The result is another point on the curve.
But what does "multiply a number by a point" mean? This requires two basic operations:
1. **Point addition (P + Q)** - geometrically: draw a line through P and Q; it intersects the curve at a third point R'. Reflect R' over the x-axis → get R = P + Q.
2. **Point doubling (P + P = 2P)** - draw a tangent to the curve at point P, find the second intersection, reflect.
Then k * G is simply G + G + G + ... + G (k times). But if k = 10⁷⁷ (a typical private key), adding a point to itself 10⁷⁷ times is infeasible. This is where the **double-and-add algorithm** helps.
**Key generation in Bitcoin:**
1. Choose a random number k (256 bits) - this is the **private key**
2. Compute Q = k * G - this is the **public key** (a point on the curve)
3. Hash Q via SHA-256 + RIPEMD-160 → **Bitcoin address**
The entire operation takes < 1 ms. Recovering k from Q, however, is computationally infeasible.
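The point operations and the double-and-add algorithm described above, carried through on the real secp256k1 parameters as an added example that is not part of the lesson: chord and tangent rules in affine coordinates, left-to-right double-and-add (which also counts how many doublings and additions a given k costs), and the 33-byte compressed public-key encoding. The address hashing step (SHA-256 + RIPEMD-160) is left out; the code is written for clarity, not speed.

```python
# Added example (not the lesson's code): affine secp256k1 arithmetic and double-and-add.
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order n
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
INF = None  # point at infinity, the group identity

def is_on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x * x * x + 7)) % P == 0      # y^2 = x^3 + 7 mod p

def point_add(p1, p2):
    """P + Q by the chord rule, P + P by the tangent rule (a = 0 drops one term)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF                                   # P + (-P): vertical line
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, P - 2, P) % P        # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P         # chord slope
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P                  # reflect over the x-axis
    return (x3, y3)

def scalar_mult(k, pt=G):
    """k * pt by left-to-right double-and-add; returns (point, doublings, additions)."""
    k %= N
    if k == 0:
        return INF, 0, 0
    result, doublings, additions = pt, 0, 0
    for bit in bin(k)[3:]:                           # bits below the leading 1, MSB first
        result = point_add(result, result)
        doublings += 1
        if bit == "1":
            result = point_add(result, pt)
            additions += 1
    return result, doublings, additions

def compressed_pubkey(k):
    """33-byte SEC1 compressed encoding of k*G: 02/03 prefix (parity of y) + x."""
    (x, y), _, _ = scalar_mult(k)
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
```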
Private key k = 1,000,000. How many operations does the double-and-add algorithm need to compute k * G?
ECDLP: Why k Cannot Be Found from k*G
We can quickly compute Q = k * G (~256 steps). But can we solve the inverse: given Q and G, find k? This is **ECDLP - the Elliptic Curve Discrete Logarithm Problem** - the problem on which the security of all elliptic curve cryptography rests.
Answer: **practically impossible**. The best known algorithm for solving ECDLP - **Pollard's rho** - requires on the order of $\sqrt{n}$ operations, where n is the group order. For secp256k1 that is $\sqrt{2^{256}} = 2^{128}$ operations.
**ECC vs RSA - strength comparison:**
| Security level | ECC (key bits) | RSA (key bits) | Ratio |
|---|---|---|---|
| 80 bits | 160 | 1024 | 6.4× |
| 128 bits | 256 | 3072 | 12× |
| 256 bits | 512 | 15360 | 30× |
A 256-bit ECC key provides the same security as a 3072-bit RSA key. Compact keys = less data per transaction = more transactions per block.
Why is ECDLP so hard? In ordinary arithmetic: if 5 * 7 = 35, then 35 / 7 = 5. But on an elliptic curve there is no operation of "dividing a point". G can be added to itself k times, but from the result Q **it is impossible to determine** how many times it was added. Points "shuffle" in an unpredictable way with each addition.
Analogy: mixing paint
Intuitive explanation of ECDLP one-wayness
Yellow + Blue = Green. Mixing is easy: take two colors, get a third. Separating them back? Impossible: green won't tell you exactly how much yellow and blue went into it.
ECC works analogously: k * G = Q. Multiplying (mixing) is fast. Dividing (finding k from Q) is infeasible. The only way is to search for values of k and check whether k*G matches Q; even with the best known method, a 256-bit key needs about 2^128 attempts.
**The quantum threat.** Shor's algorithm on a quantum computer solves ECDLP in **polynomial time**. Breaking secp256k1 would require a quantum computer with ~2,500 logical qubits. As of 2025 estimates, this could become reality by 2030–2035. **Preparation is already underway:**
- NIST standardized post-quantum algorithms (ML-KEM, ML-DSA) in 2024
- Ethereum is researching lattice-based signatures
- The Bitcoin community is discussing migration to hash-based signatures (SPHINCS+)
Quantum computers can already break ECC, so cryptocurrencies are insecure
As of early 2026, the largest quantum computers have ~1,000 physical qubits. Breaking secp256k1 with Shor's algorithm requires ~2,500 **logical** (error-free) qubits, which demands millions of physical ones. The real threat is on the 2030–2035 horizon, and the industry is already preparing: NIST has standardized post-quantum algorithms and blockchain projects are exploring migration paths.
Media often confuse "physical qubits" and "logical qubits". Each logical qubit requires ~1,000 physical qubits for error correction. This creates a gap between news headlines and the real capabilities of quantum computers.
The public key Q and generator G are known. What is the complexity of finding the private key k on secp256k1?
Key Ideas
- **secp256k1** (y² = x³ + 7) - Bitcoin's curve with transparent parameters. Satoshi chose it over NIST curves because of the absence of suspicious "seed" constants
- **Curve25519** - Bernstein's curve, designed for security by design. X25519 for key exchange, Ed25519 for signatures - used in Signal, SSH, TLS 1.3
- **Scalar multiplication** k * G is computed in ~256 steps (double-and-add), turning a private key into a public key in a millisecond
- **ECDLP** - the inverse problem (finding k from Q = k * G) requires 2¹²⁸ operations classically. It is this asymmetry, embedded in the equation y² = x³ + 7, that lets one millisecond of computation protect a trillion dollars
Related Topics
Elliptic curves are the mathematical foundation for digital signatures, commitment schemes, and advanced cryptography:
- Digital Signatures — ECDSA (secp256k1) and EdDSA (Ed25519) are built on top of elliptic curve operations
- Commitment Schemes — Pedersen Commitment uses scalar multiplication on elliptic curves to hide values
- BLS Signatures — BLS uses pairing-friendly curves (BLS12-381) - the next level of ECC with a pairing operation
Questions for Reflection
- If quantum computers can break ECDLP by 2035, what steps must Bitcoin take now? Is it possible to migrate to post-quantum algorithms without a hard fork?
- Why did Ethereum 2.0 switch from secp256k1 (ECDSA) to BLS12-381 for validators, but kept secp256k1 for user transactions?
- Designing a new cryptocurrency in 2026 - which curve is the right choice and why: secp256k1, Ed25519, or post-quantum right away?
Related Lessons
- bc-06-digital-signatures — ECC provides the mathematical group for ECDSA; signature concepts must be understood first
- bc-10-bls — BLS signatures use pairing-friendly elliptic curves; ECC is the required foundation
- bc-13-kzg — KZG polynomial commitments use elliptic curve pairings; ECC math is prerequisite
- bc-02-hashing — Hash functions and ECC are the two cryptographic primitives used together in almost every blockchain operation
- crypto-26-ecc-math
- crypto-02-modular-arithmetic