5
1
In the ECDSA algorithm, the Bitcoin private key is supposedly a point on the graph (or is it?). But the private key is a single integer, and not x,y coordinates. Is the integer, by itself, the x value or the y value? If it is x, then what is y? If it is y, then what is x?
10
The basic elliptic curve operation is addition of points. The operation of applying this addition repeatedly is called the scalar multiplication of a point by an integer.
The private key is the 'scalar', the point being multiplied is the 'Generator' point, the result is the public key.
Scalar multiplication is basically repeated addition. Multiplying the Generator point by 5 means: calculating G+G+G+G+G.
You calculate this by first calculating G2= G+G, then G4=G2+G2, then G5=G4+G.
The formula for the curve used by bitcoin calculations is as follows:
y^2 == x^3 + 7 ( mod p )
where p = 2^256 - 2^32 - 977
a point (x,y) is on the curve if it matches the above equation
Curve addition is best visualized geometrically
image from certicom
Elliptic curve cryptography does not use floating point values for it's coordinates, all calculations are done in integers modulo a large prime ( mentioned above, named p ). But the method of calculating the sum of 2 points remains the same.
Add points P1=(x1,y1) and P2=(x2,y2), resulting in Psum= (xsum, ysum)
slope = (y1-y2)/(x1-x2)
xsum = slope^2 - (x1+x2)
ysum = slope*(x1-xsum)-y1
if P1 and P2 are the same point, the above adding formula would involve a division by zero, so a different formula is needed to calculate P+P
slope = 3 * x^2 / (2*y)
xdbl = slope^2 - 2*x
ydbl = slope *(x-xdbl)-y
For ECDSA a generator point G was chosen.
The private key is just an integer, lets name it k.
The public key is the generator point added to itself k number of times. In other words, multiplied by k.
If you choose your privatekey unwisely, say 1, your public key would equal the generator point, this address: 1EHNa6Q4Jz2uvNExL497mE43ikXhwF6kZm
As you can see, it was even used recently.
What makes ECDSA a useful crypto system, is that it is easy to calculate a public key from a privatekey, but not the other way around. Another way of putting this is that multiplication is easy, but there is no (easy) division algorithm on an elliptic curve.
See this gist for an example in python
All the code and equations I read for the point addition and multiplication require two sets of x and y coordinates (they don't show how to work with just the integer) that result in a 3rd x,y coordinate. Since the private key is supposed to be one of those, how do I convert it into the x,y coordinate? – Mine – 2014-05-19T18:25:02.223
2@Mine - As was explained, the private key is an integer (modulo the prime p). You multiply it by the generator point G to get the public key. Multiplication is repeated addition. For example, if the private key is 9, the public key is G+G+G+G+G+G+G+G+G. You use the point addition formula for that. To make it more efficient you use a variant of "exponentiation by squaring" - you calculate 2G=G+G, 4G=2G+2G, 8G=4G+4G, 9G=8G+G. – Meni Rosenfeld – 2014-05-20T09:22:15.680
...I get that the y1 and x1 are Gx and Gy, but your "addition" section shows two x's and two y's, with no specification of where they came from. At that point in your equation, the only x,y coordinate I can see is the Gx and Gy. – Mine – 2014-05-21T01:24:32.777
@Mine Let's try again. Let's say your private key is the number 3. Your public key is 3G. How do we compute that? First you need to compute 2G. So you use the formula that William describe for point doubling, which only needs one pair (x_1,y_1) as input and produces a new pair (x_2,y_2) as output. The first pair represents G and the second pair represents 2G. Now you use William's addition formula with these two pais as input to produce 2G+G which is 3G, your public key. If your public key is a bigger integer you will have to do this many times, as Meni described. – Felipe Voloch – 2014-05-21T03:53:10.397
I get the doing it multiple times thing, but I can't seem to get the equations right even once. Anyone know of a good online calculator (or heck, a freeware calculator) that can do these things without scientific notation? I've run the equation several times now and I can't even get it right with a private key of 2 or 3. Using web 2.0 scientific calculator but it seems to do odd things including not always selecting the entire number when i'm copying and pasting – Mine – 2014-05-21T07:52:18.817
https://cloud.sagemath.com/ – Felipe Voloch – 2014-05-21T09:27:00.797
@Mine: Maybe what you're having trouble with is that adding a point to itself is a limiting case, which uses a different formula than for adding two different points. Look up the formula for adding a point to itself (doubling the point) for the elliptic curve and you'll be good (this formula appears in Willem's answer). – Meni Rosenfeld – 2014-05-21T09:38:07.513
Actually, you guys may have solved my biggest problem, which was how to apply the point multiplication/point addition equations before I had two x,y coordinates, it was completely messing me up. This inaccuracy of resulting numbers is a new development. – Mine – 2014-05-21T14:24:52.510
@Mine If you are using some calculator that treats numbers as floating point rationals, it is impossible to do arithmetic mod p with that. You need something that handles multiprecision integers and can do modular arithmetic. I suggested "Sage" above. – Felipe Voloch – 2014-05-22T00:29:46.070
@mine: did you nice the python script i linked? it shows exactly how to make the calculations. – Willem Hengeveld – 2014-05-22T12:02:51.710
@Willem Yes, I did. I'm now further confused though (but not necessarily because of that). http://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication doesn't show "inverse" in the equation but your python script does. My goal is to be able to manually do these equations and I've done Point Doubling for bitcoin private key that is simply the number 2. It works! But when I try to get the public keys for private keys 3 and 4, I am not getting the results. Perhaps I misunderstood the application of multiple equations? I'm using the Sagemath website for the calculations.
the inverse() function is to calculate the modular inverse of a number (modulus p), this is like doing a division by multiplying by the reciprocal: a/b = a*(1/b) – Willem Hengeveld – 2014-05-23T07:43:41.790
@Willem But the wiki page doesn't show it as being used and my multiplication worked without it. Or it did for private key 2. How do I apply these equations to get private key 3/4? – Mine – 2014-05-23T07:47:17.747
the wiki page shows how it is done for curves over real numbers, it does not specifically show how the calculation works with modular arithmetic. – Willem Hengeveld – 2014-05-23T08:01:15.663
I updated the gist with more comments, and the results of the calculation for 2, 3 and 4 – Willem Hengeveld – 2014-05-23T08:01:42.220
@Willem tyvm, it will probably take me a few days to go over this thoroughly to ensure I understand it. – Mine – 2014-05-23T08:06:44.850
Minor clarification to @MeniRosenfeld 's comment: the private key is an integer in the range 1, inclusive, to the order of the curve (for the secp256k1 curve of Bitcoin, referred to as n in the SEC 2 document), exclusive. – Chuck Batson – 2014-12-22T18:48:34.463
0
The public key is a point, the private key is a 256 bit integer. We don't actually store the point as x,y as part of the public key though, we store x and the sign of y to save space.
1You mean we store the x and the sign of y in reference to the public key, not the private key, right? – Mine – 2014-05-18T17:06:03.933
Right, I've edited my answer to that effect. The private key is just a 256 bit integer, though some of the upper range is invalid for our curve. – user13413 – 2014-05-19T00:58:54.263
All the equations to find out the public key show the G x,y value being multiplied by an x,y value, not just an integer, any idea how to convert the private key into an x,y value? – Mine – 2014-05-20T01:43:49.357
You mean "x and the sign of y", right? – Nate Eldredge – 2014-05-20T15:00:20.093
in the point multiplication and point addition there are TWO x values and TWO y values that are required to get the public key. how, exactly, do you get the second set of x,y values when all you have is one x,y coordinate (being Gx,Gy) and an integer (private key)? – Mine – 2014-05-21T03:18:52.043
3The public key is a point, the private key is an integer. – Felipe Voloch – 2014-05-16T03:59:54.463
Then what is the "P" (note capital P, not lower case so its not the prime number for modding)? Almost every graph I see showing the conversion of the private key to the public key shows a "P" and a "Q". If P = 9 (just an integer) and Q = 14,5, then how do you get the public key from that or what would it be? I can't seem to find an example that works. – Mine – 2014-05-18T16:56:59.787
1
I've suggested you look at https://www.certicom.com/index.php/ecc-tutorial on another thread. P,Q usually denote points and should have two coordinates.
– Felipe Voloch – 2014-05-18T17:10:17.667