Bitcoin uses a particular digital signature scheme known as the Elliptic

Curve Digital Signature

Algorithm (ECDSA). ECDSA is a U.S. government standard, an update
of the earlier DSA algorithm adapted to use elliptic curves.
An elliptic curve is an algebraic cubic curve over a field, which can be
defined by the following equation.

The curve is non-singular, which means that it has no cusps or self-

intersections. It has two variables a and b, as well as a point of infinity.
Here, a and b are integers whose values are elements of the field on
which the elliptic curve is defined. Elliptic curves can be defined over real
numbers, rational numbers, complex numbers, or finite fields.

For cryptographic purposes, an elliptic curve over prime finite fields is

used instead of real numbers. Additionally, the prime should be greater
than 3.

Different curves can be generated by varying the value of a and/or b.

The most prominently used cryptosystems based on elliptic curves are
the Elliptic Curve Digital Signature.

Elliptic Curve Cryptography

Elliptic Curve Cryptography (ECC) is based on the discrete logarithm
problem founded upon elliptic curves over finite fields (Galois fields).
The main benefit of ECC over other types of public key algorithms is that
it requires a smaller key size while providing the same level of security
as, ex: RSA
Two notable schemes that originate from ECC are ECDH for key
exchange and ECDSA for digital signatures.
ECC can also be used for encryption, but it is not usually used for this
purpose in practice. Instead, it is used for key exchange and digital
signatures commonly.
As ECC needs less space to operate, it is becoming very popular on
embedded platforms and in systems where storage resources are
limited.
By comparison, the same level of security can be achieved with ECC
only using 256-bit operands as compared to 3072-bits in RSA.
Mathematics behind ECC
To understand ECC, a basic introduction to the underlying mathematics
is necessary. An elliptic curve is basically a type of polynomial equation
known as the Weierstrass equation, which generates a curve over a
finite field. The most commonly-used field is where all the arithmetic
operations are performed modulo a prime p. Elliptic curve groups consist
of points on the curve over a finite field.
An elliptic curve is defined in the following equation:
2
y =(x ¿¿ 3+ax +b)mod p ¿

Here a and b belong to a finite field Zp or Fp ( prime finite field) along

with a special value called the point of infinity.
The point of inifinity is used to provide identity operations for points on
the curve.
First the group elements are identified as a set of points that satisfy the
previous equation. After this group operations need to be defined on
these points.
Group operations on elliptic curves are point addition and point doubling.
Point Addition:
It is a process where two different points are added
Point doubling:
It is a process where the same point is added to itself.
Point addition
Point addition is shown in the following diagram. This is a geometric
representation of point addition on elliptic curves.

In this method, a diagonal line is drawn through the curve that intersects
the curve at two points P and Q, which yields a third point between the
curve and the line. This point is mirrored as P+Q, representing the
addition's result as R.
This is shown as P+Q in the following diagram:
Elliptic curves are a family of curves which have the formula
2
y =(x ¿¿ 3+ax +b)¿
Depending on what value of a and b you pick, you’ll get a curve that
looks like some of the following:

A point on an elliptic curve is an (x, y) pair that satisfies

y² = x³ + ax + b for a given a and b.

For example, the point (3, 6) is in the curve y² = x³ + 9 because

it 6² = 3³ + 9. In group theoretic terms, (3, 6) is a member of the
set defined by y² = x³ + 9. Since we are dealing with real
numbers, the set has infinite cardinality.
The idea here is we can take two points from this set, do a
binary operator, and we will get another point that is also in the
set. That is, it is an (x, y) pair that also lies on the curve.
Formula for addition
Using some algebra, and given two points
P₁=(x₁,y₁)
P₂=(x₂,y₂)

One can derive how to compute P₃ = (x₃, y₃) where P₃ = P₁ ⊕

P₂ using the following formula.

Point doubling
It is a fundamental operation in elliptic curve cryptography (ECC) used to
efficiently compute the scalar multiplication of a point on an elliptic curve
by an integer. Given a point PP on an elliptic curve and an integer nn,
point doubling calculates
Q=nP
The point-doubling operation is based on the geometric properties of
elliptic curves.
In brief, the process involves finding the tangent line to the curve at the
given point PP and then finding the point of intersection of this tangent
line with the curve. This resulting point of intersection is then reflected
across the x-axis to obtain QQ.
The mathematical steps involved in point doubling are as follows:
1. Find the tangent line: Given the point P=(x1,y1) on the curve
y2=x3+ax+b, the slope of the tangent line at PP is calculated as:
2
3 x 1+ a
m=
y1

2. Find the point of intersection: Substitute the point PP and the

slope mm into the equation of the line:
y-y1=m(x−x1)
 Solve this equation with the elliptic curve equation to find the
intersection points. The resulting point is Q=(x3,y3).
3. Reflect the point: Reflect the point Q across the x-axis to obtain Q
′=(x3,−y3).
EXAMPLE:

Point doubling is particularly efficient compared to point addition in ECC,

especially for repeated scalar multiplications, which are at the heart of
many ECC-based cryptographic algorithms like ECDSA (Elliptic Curve
Digital Signature Algorithm) and ECDH (Elliptic Curve Diffie-Hellman).

Elliptic Curve Digital Signature Algorithm:

In order to sign and verify using the ECDSA scheme, first key pair needs
to be generated:
1. First, define an elliptic curve E:
 With modulus P
 Coefficients a and b\
 Generator point A that forms a cyclic group of prime
order q
2. An integer d is chosen randomly so that 0 < d < q.
3. Calculate public key B so that B = d A.
The public key is the sextuple in the form shown here:
Kpb = (p,a,b,q,A,B)
The private key, d is randomly chosen in step 2:
Kpr = d
Now the signature can be generated using the private and public
key.
4. First, an ephemeral key Ke is chosen, where 0 < Ke < q. It should
be ensured that Ke is truly random and that no two signatures
have the same key; otherwise, the private key can be calculated.
 5. Another value R is calculated using R = KeA; that is, by multiplying
A (the generator point) and the random ephemeral key.
6. Initialize a variable r with the x coordinate value of point R so that
r = xR.
7. The signature can be calculated as follows:
s= ( h ( m )+ dr ) K e modq
−1

Here, m is the message for which the signature is being computed, and
h(m) is the hash of the message m.
Signature verification is carried out by following this process:
1. Auxiliary value w is calculated as w = s-1 mod q.
2. Auxiliary value u1 = w. h(m) mod q.
3. Auxiliary value u2 = w. r mod q.
4. Calculate point P, P = u1A + u2B.

Verification is carried out as follows:

r, s is accepted as a valid signature if the x-coordinate of point P
calculated in step 4 has the same value as the signature
parameter r mod q that is:
Xp = r mod q means valid signature
Xp != r mod q means invalid signature

ECDSA can technically only sign messages 256 bits long, this is not a
problem: messages are always hashed before being signed, so
effectively any size message can be efficiently signed.