Elliptic Curve — Technical

TECHNICAL_DOC // CRYPTOGRAPHY / ELLIPTIC-CURVE

ELLIPTIC
CURVE

Bitcoin uses the secp256k1 elliptic curve for all key generation and digital signatures. An elliptic curve is a set of points satisfying y² = x³ + ax + b over a finite field. The security of Bitcoin's cryptography rests on the Elliptic Curve Discrete Logarithm Problem (ECDLP): given a point Q = k×G, computing k is computationally infeasible for 256-bit curves.

SECP256K1_PARAMETERS

SECP256K1 CURVE DEFINITION

Curve equation: y² = x³ + 7 (mod p) (a = 0, b = 7 — Koblitz curve, efficient computation) Prime field: p = 2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1 p = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F Generator point G (compressed): Gx = 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 Gy = 483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8 Curve order (number of points): n = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 Private key range: 1 to n-1 Group size: n ≈ 1.158 × 10^77 points

Point Operations

MATHEMATICS

Two operations are defined on elliptic curve points: point addition (P + Q) and scalar multiplication (k×P). Scalar multiplication is the one-way function securing Bitcoin.

Point addition (P ≠ Q): slope m = (Qy - Py) / (Qx - Px) mod p Rx = m² - Px - Qx mod p Ry = m(Px - Rx) - Py mod p Point doubling (P = Q): slope m = (3 × Px²) / (2 × Py) mod p (using modular inverse for division) Scalar multiplication: k × G = G + G + G + ... (k times) Computed efficiently via double-and-add algorithm k = 256-bit private key → 256 iterations max Public key: P = privkey × G privkey → P: fast (milliseconds) P → privkey: computationally infeasible (ECDLP)

The "×" in k×G is not ordinary multiplication — it's repeated point addition on the curve, which has no known reverse operation.

TERMINOLOGY_INDEX

secp256k1

The specific elliptic curve used by Bitcoin. Defined by y² = x³ + 7 over a 256-bit prime field.

Generator Point G

A standardized base point on secp256k1. Private key k maps to public key k×G.

ECDLP

Elliptic Curve Discrete Logarithm Problem. Given P = k×G, finding k is computationally infeasible.

Curve Order n

The number of valid points on secp256k1. Private keys must be in the range [1, n-1].

Finite Field

Arithmetic modulo prime p. All point coordinates are in this field — no floating point, exact arithmetic.

INTERACTIVE — TRY IT YOURSELF

CRYPTOGRAPHY / KEYS

Elliptic Curve Cryptography

Bitcoin's security rests on a single hard problem: given the public key K = k·G, find k. Here k is your private key (a 256-bit integer), G is the secp256k1 generator point, and · is elliptic curve point multiplication — an operation easy to compute in one direction and computationally infeasible to reverse. Understanding point arithmetic reveals exactly why this asymmetry exists.

THE CURVE — y² = x³ + 7 (mod p)

Bitcoin uses the secp256k1 curve defined by y² ≡ x³ + 7 (mod p) where p is a 256-bit prime just below 2²⁵⁶. Over the integers this curve looks like a smooth wave; over a finite field it becomes a scattered set of discrete points — but the same algebraic rules apply.

CURVE VISUALIZER — y² = x³ + 7 OVER SMALL FIELDillustrative finite field, not secp256k1 scale

FIELD SIZE p =

y² ≡ x³ + 7 (mod p)

      ● valid curve points  
      ● generator G  
      ● result of k·G
    

SCALAR MULTIPLICATION — k·G STEP BY STEP

Point multiplication is repeated point addition. To compute k·G, use the double-and-add algorithm: represent k in binary, start with the point at infinity, then for each bit from MSB to LSB: double the accumulator, and if the bit is 1 add G. This takes O(log k) steps — about 256 doublings and ~128 additions for a 256-bit key.

POINT MULTIPLICATION ON SMALL FIELDslide to change k

SCALAR k (private key analogue)

POINT ADDITION — GEOMETRIC INTUITION

Adding two distinct points P and Q: draw a line through them, find the third intersection with the curve, reflect over the x-axis — that's P+Q. Point doubling (P+P): use the tangent line at P. The point at infinity (written ∞ or 𝒪) acts as the additive identity — adding ∞ to any point returns that point.

POINT ADDITION CALCULATOR (mod p)integer arithmetic on small field

POINT P — x POINT P — y

POINT Q — x POINT Q — y

secp256k1 PARAMETERS

Bitcoin uses specific domain parameters that were chosen for efficiency and lack of known backdoors. The generator point G has a known x,y coordinate. The order n is the number of valid non-zero scalars — your private key must be in [1, n-1].

SECP256K1 DOMAIN PARAMETERS

CURVE	y² ≡ x³ + 7 (mod p)
p (field prime)	0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F = 2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1
a	0 (no x term — simplifies doubling)
b	7
Gx	0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
Gy	0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
n (order)	0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
h (cofactor)	1 (every finite-field point is on the subgroup)

PRIVATE KEY → PUBLIC KEY → COMPRESSED PUBKEY

A private key is just a 256-bit integer. The public key is the EC point k·G — two 256-bit coordinates (x, y). The compressed form encodes only x plus a 1-bit parity of y using the prefix 02 (even y) or 03 (odd y). Since y² = x³+7 mod p is deterministic, the full y can always be recovered.

PRIVATE KEY → PUBLIC KEY DERIVATIONuses real secp256k1 via WebCrypto

PRIVATE KEY (32 bytes hex)

The discrete logarithm problem: Given K = k·G, finding k requires trying every possible scalar from 1 to n−1. With n ≈ 1.16 × 10⁷⁷, brute force would take longer than the age of the universe even with all computing hardware ever built. The best known algorithms (Pollard's rho) reduce this to O(√n) ≈ 10³⁸ operations — still impossible. This is Bitcoin's core security assumption.