🔐 Elliptic Curve Cryptography

How private keys, public keys, signing and verification actually work — visualized

What is an Elliptic Curve?

An elliptic curve is defined by a deceptively simple equation. Bitcoin uses secp256k1, which is:

y² = x³ + 7     (over a prime finite field 𝔽p)

In reality the curve lives over a finite field modulo a huge prime p — so all coordinates are integers and the "curve" looks like scattered dots. But we visualize it over the real numbers to understand the geometry.

a = 0 b = 7

The equation

y² = x³ + ax + b

For this to be a valid elliptic curve, the discriminant must be non-zero:

4a³ + 27b² ≠ 0

This prevents the curve from having cusps or self-intersections.

Key properties

• The curve is symmetric about the x-axis (because y² means ±y are both solutions)

• Any non-vertical line intersects the curve in at most 3 points

• These two properties enable point addition — the foundation of ECC

secp256k1 (Bitcoin/Ethereum)

y² = x³ + 7 (mod p)

p = 2²⁵⁶ − 2³² − 977
That's a 78-digit number. The curve has ~2²⁵⁶ points.

Point Addition — The Core Operation

You can "add" two points on an elliptic curve using a geometric rule. This operation is the only building block of all ECC operations.

Step 1: Draw the line through P and Q

Given two points P and Q on the curve, draw the line that passes through both.

This line will always intersect the curve at exactly one more point (let's call it −R).

The formula (over real numbers)

slope λ = (y₂ - y₁) / (x₂ - x₁)
x₃ = λ² - x₁ - x₂
y₃ = λ(x₁ - x₃) - y₁

Then P + Q = (x₃, y₃) — the reflected point.

Point Doubling (P + P)

When adding a point to itself, use the tangent line at P:

λ = (3x₁² + a) / (2y₁)

Then apply the same x₃, y₃ formulas. This is called 2P.

Key Generation — Private → Public

ECC key generation has just two ingredients: a private key (a random number) and a generator point G baked into the curve specification.

1. Choose a Generator Point G — a specific point on the curve defined in the standard (e.g. secp256k1). Everyone using the same curve uses the same G. It's public knowledge.
   G = (x, y) — public, standardised
2. Generate a Private Key k — pick a random integer between 1 and the curve's order n (≈ 2²⁵⁶ for secp256k1). This is your secret. Never share it.
   k = random integer (256 bits)
3. Compute Public Key Q = k × G — this means: start at G, and perform point addition k times.
   k × G = G + G + G + … (k times)
   Q = k × G — your public key

🔑 Private Key

Just a random 256-bit integer. That's it. Example (simplified):

k = 42

In reality: a 77-digit random number like
0x9f3d...a7b2

📜 Public Key

The result of scalar multiplication Q = k × G. It's a point on the curve (x, y) — two 256-bit numbers.

Q = k × G = 42 × G = (x, y)

Share this freely — it's your identity.

🔒 The One-Way Trap

Given Q and G, finding k requires solving the Elliptic Curve Discrete Logarithm Problem (ECDLP).

With 2²⁵⁶ possible values, no known algorithm can do this in feasible time — not even with all computers on Earth running for billions of years.


ECDSA Signing — Proving You Own the Private Key

Elliptic Curve Digital Signature Algorithm (ECDSA) lets you sign a message using your private key. Anyone with your public key can verify it — but only you (with the private key) can create it.

1. Hash the message — compute H = hash(message). This gives a fixed-size number representing the message. Even a 1-character change produces a completely different hash.
   H = SHA-256(message)
2. Pick a random nonce k — choose a fresh random integer k (different for every signature!). This k is the nonce, not the private key that the key generation section also calls k. This is critical: reusing k leaks your private key. (Sony PS3 was hacked this way.)
   k = random (per-signature secret)
3. Compute R = k × G — perform scalar multiplication with the nonce. Take the x-coordinate: r = R.x mod n.
   r = (k × G).x
4. Compute s = k⁻¹ (H + r × privateKey) mod n — combine the hash, the nonce commitment r, and your private key. k⁻¹ is the modular inverse of the nonce.
   s uses private key 🔑
5. The signature is the pair (r, s) — send this with the message. r is a commitment to the nonce point, s is the proof of private key ownership.
   Signature = (r, s)
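
Added example (not part of the original page): because a repeated nonce leaks the private key, many signers do not draw k from a random source at all but derive it deterministically from the private key and the message, as RFC 6979 specifies. The code below specialises RFC 6979 section 3.2 to secp256k1 with HMAC-SHA-256; the function name rfc6979_nonce is this example's own, and the order n is the standard SEC 2 value, which this page does not list.

```python
import hashlib
import hmac

# Order n of secp256k1 (SEC 2); 256 bits, the same length as a SHA-256 digest.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def rfc6979_nonce(priv, msg):
    """Derive the ECDSA nonce k from (private key, message), RFC 6979 section 3.2."""
    def mac(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    # bits2octets: the message hash reduced mod n, as 32 big-endian bytes
    h1 = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    seed = priv.to_bytes(32, "big") + h1.to_bytes(32, "big")
    v, key = b"\x01" * 32, b"\x00" * 32
    key = mac(key, v + b"\x00" + seed)
    v = mac(key, v)
    key = mac(key, v + b"\x01" + seed)
    v = mac(key, v)
    while True:
        v = mac(key, v)                  # one HMAC output already supplies 256 bits
        k = int.from_bytes(v, "big")
        if 1 <= k < N:
            return k                     # same key + same message -> same k, always
        key = mac(key, v + b"\x00")      # out of range: re-key and try again
        v = mac(key, v)
```

Two different messages signed with the same key get unrelated nonces, and signing the same message twice yields the identical signature, so no state or entropy source has to be trusted at signing time.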

Signature Verification — Using Only the Public Key

Anyone with your public key Q can verify a signature (r, s) — without knowing the private key. This is the magic.

1. Recompute the message hash H — hash the received message exactly as the signer did.
2. Compute u₁ = H × s⁻¹ mod n and u₂ = r × s⁻¹ mod n — these are two scalar values derived from the hash, the signature, and the curve order.
3. Compute the check point: X = u₁ × G + u₂ × Q — this combines the generator G and the signer's public key Q. No private key needed!
   Uses public key only 📜
4. Verify: X.x mod n == r ? — if the x-coordinate of the reconstructed point matches r, the signature is valid. The math guarantees this only works if the signer knew the private key.
   ✅ Valid if X.x = r

Why does this work? (intuition)

When signing, we computed: s = k⁻¹(H + r·privateKey)

Rearranging: k = s⁻¹·H + s⁻¹·r·privateKey = u₁ + u₂·privateKey

Multiplying both sides by G: k·G = u₁·G + u₂·(privateKey·G) = u₁·G + u₂·Q

And k·G is exactly the point whose x-coordinate is r — so the check X.x = r reconstructs the nonce point without knowing k or the private key.

The equation balances only if the private key used to sign matches the public key used to verify.


Why Is It Hard to Break?

The entire security of ECC rests on one problem: the Elliptic Curve Discrete Logarithm Problem (ECDLP).

Given Q and G, find k such that Q = k × G

The phone book analogy

Imagine a phone book with 2²⁵⁶ entries (more than the number of atoms in the observable universe). You know the address (Q) and the starting address (G). You need to figure out how many steps it took to walk from G to Q.

Going forward (k × G) is fast — it takes only ~256 steps using double-and-add. Going backwards (finding k from Q) requires essentially brute force through 2¹²⁸ operations at minimum — utterly infeasible.

ECC vs RSA comparison

Security level   RSA key size   ECC key size   Ratio
80-bit           1,024 bits     160 bits       6× smaller
128-bit          3,072 bits     256 bits       12× smaller
192-bit          7,680 bits     384 bits       20× smaller
256-bit          15,360 bits    521 bits       30× smaller

Advantages of ECC

• Smaller keys — 256-bit ECC ≈ 3072-bit RSA in security

• Faster operations — less computation, better for IoT/mobile

• Smaller certificates — important for TLS handshake speed

• Used everywhere — TLS 1.3, Bitcoin, Signal, Apple Secure Enclave, SSH keys

⚠️ Quantum threat

Shor's algorithm on a sufficiently powerful quantum computer could break ECDLP — same as RSA. Both rely on mathematical hardness problems solvable by quantum algorithms.

This is why NIST is standardising post-quantum cryptography (lattice-based, hash-based) as the next generation — independent of elliptic curves.

Famous ECC curves in use today

Curve               Used in                  Key size   Equation
secp256k1           Bitcoin, Ethereum        256-bit    y² = x³ + 7
P-256 (secp256r1)   TLS, FIDO2, Apple        256-bit    y² = x³ − 3x + b
P-384               NSA Suite B, TLS         384-bit    y² = x³ − 3x + b
Curve25519          Signal, WireGuard, SSH   255-bit    y² = x³ + 486662x² + x
Ed25519             SSH keys, TLS 1.3        255-bit    Edwards form