The Blockchain Chief Bitcoin Book / Part II: How Bitcoin Works
Chapter 03

Cryptography & Keys

Private keys, public keys, ECDSA signatures, SHA-256, RIPEMD-160, and the secp256k1 curve: the cryptographic foundation of Bitcoin.

Crypto at a Glance

Bitcoin's security rests on a handful of cryptographic primitives. Here's why each one matters:

Private Key

A random 256-bit number. The secret that lets you spend bitcoin. Never leaves your machine.

Public Key

Derived from the private key via elliptic curve multiplication. Shared publicly. Cannot be reversed.

Digital Signature

Proves you own the private key without revealing it. Created per-transaction. Verified by every node.

Hash Functions

One-way functions that create fixed-size fingerprints. Used for addresses, block headers, Merkle trees.

The secp256k1 Curve

Bitcoin uses the elliptic curve secp256k1, defined by the equation:

y² = x³ + 7  (over a 256-bit prime field)

Key properties:

💡 Why secp256k1?

Unlike the NIST curves, secp256k1's parameters were chosen in a "nothing up my sleeve" manner; they're verifiably non-random, reducing suspicion of backdoors. It's also significantly faster to verify thanks to its efficiently computable endomorphism.

Private Keys: CKey

In Bitcoin Core, private keys are managed by the CKey class:

keydata (secure vector): 32 bytes of secret key material
fCompressed (bool): Whether the corresponding public key is compressed
fValid (bool): Whether the key contains valid data

Key Operations

Memory Security

Private keys use secure_allocator, a custom allocator that:

Public Keys: CPubKey

The CPubKey class represents the public half of a key pair:

vch (unsigned char[65]): Public key bytes (33 compressed or 65 uncompressed)

Compressed vs. Uncompressed

A public key is a point (x, y) on the secp256k1 curve:

Since the curve equation allows recovering y from x (there are exactly two y values for each x), the compressed format only needs to store x plus a one-byte prefix that encodes the parity of y (0x02 for even y, 0x03 for odd y). Modern Bitcoin always uses compressed keys; they save space in scripts and transactions.

Key Operations

ECDSA Signing

ECDSA (Elliptic Curve Digital Signature Algorithm) is the original signature scheme used by Bitcoin:

How Signing Works

  1. Hash the message: compute SHA256d(transaction_data) → 32-byte hash h
  2. Pick nonce k: generate a secret per-signature value (derived deterministically using the RFC 6979 method)
  3. Compute R: R = k × G, take the x-coordinate as r (r = R.x mod n)
  4. Compute s: s = k⁻¹ × (h + r × private_key) mod n
  5. Signature is (r, s): encoded in DER format for Bitcoin

How Verification Works

  1. Parse signature into (r, s)
  2. Compute u₁ = h × s⁻¹ mod n
  3. Compute u₂ = r × s⁻¹ mod n
  4. Compute point R' = u₁ × G + u₂ × PublicKey
  5. Signature is valid if R'.x == r

⚠️ Low-S Rule

Bitcoin Core enforces the "low-S" rule: the s value must be in the lower half of the curve order. If s > n/2, replace it with n - s. This prevents signature malleability (BIP 62 / BIP 146).

Schnorr Signatures (BIP 340)

Taproot (activated November 2021) introduced Schnorr signatures, which have several advantages:

Linearity

Signatures can be aggregated: multiple signers can produce a single 64-byte signature (MuSig2).

Smaller & Faster

64 bytes (vs ~72 for DER-encoded ECDSA). Batch verification is significantly faster.

Provable Security

Security proof under standard assumptions (random oracle model), unlike ECDSA.

Schnorr uses the same secp256k1 curve but a simpler signing equation:

// Schnorr signature (BIP 340)
// 1. Choose random nonce k, compute R = k × G
// 2. e = TaggedSHA256("BIP0340/challenge", R.x || P.x || message) mod n
// 3. s = (k + e × private_key) mod n
// Signature = (R.x, s), exactly 64 bytes

Hashing Algorithms

SHA-256

The workhorse of Bitcoin. Used everywhere:

RIPEMD-160

Used in Hash160 = RIPEMD160(SHA256(data)) for:

The two-step hash (SHA-256 first, then RIPEMD-160) provides 160-bit security while protecting against potential weaknesses in either algorithm alone.

Other Hash Functions

Security Measures

Bitcoin Core takes cryptographic security very seriously: