Table of contents
foreword
Let’s talk about elliptic curves today. Half of the encryption in cryptocurrencies refers to hashes, and the other half refers to elliptic curves. If you don’t understand elliptic curves, don’t say you understand cryptocurrencies. The elliptic curve is the technical basis for wallet payment and anonymous transactions, and we will thoroughly understand it in one stop. Please pay attention to the gitcoins Douyin channel , we will share interesting, high-quality, cryptocurrency-related videos.
Elliptic Curve Signature Algorithm
In the previous video, we discussed the application scenarios of the asymmetric encryption model. There are many asymmetric encryption algorithms including RSA, DSS, and ECDSA, etc. The elliptic curve digital signature algorithm is used in cryptocurrency.
elliptic curve
A formula like this y² = x³+ax+b is usually drawn as an elliptic curve under the constraint of the relationship between a and b (4a³+27b² ≠ 0). Let’s take a equal to -1 and b equal to 9 as an example, y² = x³ - x + 9 to clarify the elliptic curve, when x is fixed, y is equal to the positive and negative square root sign (y= ± √x³ - x + 9 ), that is to say, any X, there will be two Y , one positive and one negative, so that the equation holds. If this relationship is represented by X on the abscissa and Y on the ordinate, it will be an elliptic curve symmetrical to the X axis.
Elliptic curves require simple high school mathematics knowledge. If you still don’t understand the content just now, please check the information, draw manually on the coordinate system, and a beautiful curve will be presented in front of you. y² = x³ - x + 9 For this elliptic curve, when X is 0, Y gets plus or minus 3, and when X is 1, Y is equal to plus or minus 3. We call (-1,-3) point P, (1,3) point Q, draw a straight line, because it is an elliptic curve, as long as the straight line is not parallel to the Y axis, then they must have a third A point of intersection, we call it point R.
Two points make a straight line
What exactly is the R point? We can determine a straight line through P and Q points. The slope of the straight line is (Y2 - Y1)/(X2 - X1) to get 3, and the focus of the Y axis is negative 3, so the straight line determined by P and Q is Y equal to 3X ( y=3x)
Intersection of Lines and Curves
How many points of intersection are there between this straight line and the elliptic curve?
Substituting the equation of the straight line into the equation of the curve, we get
(3x)² = x³ - x + 9
x³ - 9x² -x + 9 = 0
There are three solutions to this equation
x = 0, 1, 9
Substituting X into the straight line formula
then the point of intersection with the elliptic curve is
P(0, -3) Q(1, 3) R(9, 27)
That is, the third point is (9, 27)
The drive to iterate
Because the elliptic curve is an X-axis symmetric image, there must be a -R(9, -27) point on the elliptic curve. - Point R is connected with point P to form a straight line, and this straight line intersects the elliptic curve at point S. If there is an S point, there must be a negative S point, and the negative S is connected with the P point to form a straight line, and this straight line will intersect the elliptic curve at the T point. Mathematicians define P+Q=-R, -R+P=-S.
How to define is not important, what is important is to find the corresponding point according to this logic. Constantly find new intersection points, constantly find the symmetry points of the intersection points, and continuously connect with point P in a straight line, just like a perpetual motion machine, constantly iterating.
When P and Q are the same point
What does P+P mean? Similarly, the addition of two points represents the tangent of point P on the elliptic curve, that is, after the tangent of point P extends infinitely, the second point Q that intersects with the elliptic curve can be found, then -Q must be on the elliptic curve, we put -R It's called 2P, it doesn't matter what it's called, the key is that you only need to know which point it is. Similarly, we can use the method of continuous iteration, we connect 2P and P into a straight line, find the intersection point of the elliptic curve, and find the symmetric point of the intersection point , get 3P. In the same way we can get 4P, 5P and so on. NP means that it needs to be searched N times.
quick calculation
One advantage of introducing the P+P model is that it can be quickly searched, and the search results are shortened exponentially. Let's take the search for 4P and 8P as an example. When we find 2P, extend the tangent of point 2P infinitely, find the intersection point of the elliptic curve, find the symmetry point of the intersection point, and get 4P. This is the calculation process of 2P+2P. That is to say, we no longer find 4P through the results of 3P. Similarly, 8P can also be formed by adding two 4P, instead of going through the search process from 5P to 6P to 7P. This search method greatly reduces the number of searches.
For example, if we want to calculate 32P, the traditional method needs to be calculated 32 times. We can quickly find a way to calculate 2P and then directly calculate 4P, and then 8P, 16P to 32P, only need 4 calculations. For example, if we calculate 1029P, then we can decompose 1049 into 1024P + 4P + 1P. It takes 10 calculations to get 1024P, and a total of 12 calculations are required to complete the entire calculation. Therefore, the introduction of P+P greatly reduces the number of calculations and improves the search speed.
n•P+r•P = (n+r)•P
x³ - 9x² -x + 9 = 0
210²
2¹⁰ P + 2² P + 2⁰ P
2[ 10 ]
The relationship between iteration and encryption
What is the relationship between the internal power of iteration and encryption algorithm and digital signature? Because this characteristic of the elliptic curve is one-way, after adding P 5 times, I can calculate the position of 5P. However, if we know the point of 5P, then the reverse deduction is made by adding several Ps. There is no direct calculation method for this, so it is called one-way. We can only calculate 2P and compare it with the result to see if it is the same as 5P. If not, continue to compare the results of 3P and 4P until the result is the same, then we will know that the number of times is 5.
What if the number is very large? It takes a long time for us to calculate one by one. In the asymmetric encryption algorithm, a very large number k is used as the private key, and the point kP is used as the public key.
As discussed in the previous asymmetric encryption model, kP is distributed to anyone as a public key, even if it is a hacker, he cannot deduce k. k is firmly in the hands of the person who created the key pair.
Elliptic Curve Algorithms in Bitcoin
The elliptic curve of Bitcoin uses A equal to 0 and B equal to 7
y² = x³+7
The abscissa and ordinate of P are large numbers respectively. In Bitcoin, we call this starting point the generator, which is denoted by G.
_Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798L
_Gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8L
If we create a large random number as the private key
_k = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
Then the public key is a point obtained by adding k Gs, which we call the big K point. _k * G the point
_Kx = F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A
_Ky = 07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDB
The public key is not described in terms of points in Bitcoin, but starts with 04, and the X coordinate value and the Y coordinate value are connected in series. Expressed as (04 xy)
K = 04F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A-07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDB
Then use a simple compression algorithm to keep either X or Y. This starts with 03, followed by the X coordinate value, and this is the last public key people see.
K = 03F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A
We can see that the value of the small K of the private key is very large, so it is difficult to deduce the value of the private key through the information of the public key.
How to implement digital signature
Then how to use the elliptic curve to implement the digital signature algorithm. The previous video discussed the asymmetric encryption algorithm to form a signature with the data and the private key. Because only Alice has her own private key, the document signed with the private key can be proved by BoB after receiving it. issued by Alice. The purpose of the signature is to form a unique imprint through the private key on the basis of the data, and send the imprint to Bob. Bob can use Alice's public key to prove that this imprint is unique to Alice, and it is impossible for others to generate this imprint.
Let's try, how to implement signatures through elliptic curves. Alice sends a message M to Bob,
Alice's private key is small K, and her public key is big K. K = _k * G
Before Alice sends M messages, we multiply the private key by the hash of M as a signature (_s)
(hash(m)*_k) * G = _s *G
Send M and _s to Bob’s
public key K before Alice sends a message to Bob. Point G is a fixed point in the Bitcoin elliptic curve algorithm, and this point is public information.
Bob:
hash(M) * K = X
_s * G = Y
If Y=X, it means that _s contains the information of _k, and _s must be Alice's signature.
Let's see why?
Y = _sG = (hash(m)_k) * G = hash(m) * _k * G = hash(m) * K = X,
In the whole proof process, we start from small S to prove that small K serves as a bridge to prove X=Y. Without small K, it is impossible to prove X=Y. This process shows that _k is the core parameter of _s. If Alice does not have _k _s will not be produced. Alice knows the calculation process, but Bob does not know the calculation process. As long as Bob verifies Y=X, it means that _s must be produced by _k, because only Alice owns _k, then _s must have been made by Alice. This method is that Bob cannot directly know Alice's private key, but Bob can prove that the signature was made with Alice's private key. Just like experts appraising Zhang Daqian's calligraphy and painting, Zhang Daqian himself is the private key, and his painting is his signature. In a world without Zhang Daqian, we can prove that it was Zhang Daqian's painting. But there is still a problem with the solution we tried. Bob can obtain Alice's private key by dividing small S by the hash value of message M, so that Alice's private key is exposed.
For this reason, mathematicians have come up with another way. Introducing R, R is similar to the usage of asymmetric encryption, making R public, and keeping small R in your own hands.
R = _r * G
Alice's signature is:
(hash(m)*_k + _r) * G = _s * G
Send M, R and _s to Bob
Bob:
hash(M) * K + R = X
_s * G = Y
If Y=X, it means that _s contains the information of _k, and _s must be Alice's signature.
Y = _sG = (hash(m)_k + _r) * G = hash(m) * _k * G + _r *G = hash(m) * K + R = X,
In the whole process of proof, we start from the digital signature small S, small K and small R are used as the bridge to prove X=Y, without small K and small R, it is impossible to prove X=Y, if Alice does not have _k and small R _s will not be produced. Alice knows the calculation process, but Bob does not know the calculation process. As long as Bob verifies Y=X, it means that _s must be produced by _k and small R, because only Alice owns _k and small R, then _s must be made by Alice. And this solution is safe, Bob knows the formula _s = hash(m)*_k + _r, this formula knows small S and M, but Bob cannot calculate small K and small R. In this way, mathematicians have found a solution. Alice does not reveal the private key K and R, but allows Bob to prove that the message was sent by Alice through the public key K and other information.
R in Bitcoin
In Bitcoin, the values of X and Y at point G, the value of private key K, and the value of R are all 256-bit numbers. Since the elliptic curve is infinitely extended, the X and Y values of the K point and R point we found may be a very large value, and some are even too large to handle. Therefore, the concept of P is introduced, so that all The points are all within the range of P, and the X and Y values of the found points must be modulo operation (MOD) to ensure that the size does not exceed the value of P. So Bitcoin's elliptic curve is expressed as:
_r = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141L
_p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2FL
y² mod p = (x³ + 7) mod p
conclusion
After listening to all the above content, you must deduce and verify it by yourself, calculate the intersection point of the ellipse and the straight line, and draw a straight line to figure out what P plus Q means. Only by deriving a signature process by hand, can we deeply understand the charm of signatures, and understand the elliptic curve digital signature algorithm according to your way of thinking. Please like and follow the gitcoins Douyin channel , we will continue to share interesting, high-quality, cryptocurrency-related videos.