Notes and analysis from Programming Bitcoin by Jimmy Song
In the previous post we described the Elliptic curve group as a continuous curve over the real numbers. We defined a way to generate points from other points using a geometrical method we called “point addition”. There is still one more operation we will need for cryptographic purposes.
This operation is defined using repeated point addition. Recall that adding distinct points requires finding a third collinear point whereas adding a point to itself requires finding the point collinear to the tangent. If we want to add a point, G, to itself 10 times we can write 10G instead of G+G+G+…, 10 times. This is called scalar multiplication.
To calculate 10G we can first simplify by using a combination of distinct and double point additions:
In the picture below you can see graphically how to compute 8G from G, which also finds 2G.
The final step (not pictured) is to add 8G and 2G together to get 10G, i.e. the negation of the third point collinear to 8G and 2G. It should be off the screen in the upper right hand quadrant.
What’s interesting about scalar multiplication is that it enumerates points on the curve in a way which is unique to that generator point, G. Keep that in mind for later
Another interesting thing about this scalar multiplication is that the function is nonlinear; the output point can be anywhere with respect to the input points (left, right or inbetween), there’s no good way to predict the answer generally. Furthermore, going backwards (e.g. finding P provided kP, for some integer k) is more difficult. Take for example some point 2P, you are asked to find P. For this you have to find a point whose tangent line crosses the negation of 2P, there may be multiple such points, see diagram below. So the inverse calculation requires guessing at each round of point doubling so for large scalar products it’s virtually impossible. For these reasons we call scalar multiplication a one-way function.
This irreversibility property of one-way functions turns out to be very important. It forms the basis of asymmetric cryptography, i.e. public/private keypair cryptography. With scalar multiplication the scalar itself, k, acts as the private key and the resulting product, kP, is the public key. The generator point is assumed to be well known to all parties.
To see how this works imagine a sender and receiver. The sender picks a random integer as the private key then computes the resulting public key kP and shares it with the receiver knowing that there is no efficient way to deduce k from P and kP.
We don’t actually know that no one will ever find a way to reverse the function. After all, it’s hard to prove the non-existence of something. Nevertheless mathematicians have identified several functions where no efficient method of computing inverses is known. More precisely these functions are “hard” to solve because a randomly chosen input has a negligible probability (effectively zero chance) of generating the correct output, or stated differently the average-case asymptotic complexity grows faster than polynomial time.
There is one remaining issue preventing us from using point addition as a crypto system, numerical stability. It turns out that the same property, non-linearity, that enables strong security also makes it sensitive to small changes.
Our scalar multiplication example, finding 10G from G, required a sequence of chained point doublings. Under the real number field these calculations lose precision each round. With careful numerical analysis we could figure out how many rounds we can go before losing all precision, but it’s not clear how often we would encounter that situation for arbitrary points. In this way using real numbers limits our capacity to harden the cryptosystem by using large values. Check out this post for more analysis of ECC over the real numbers.
So how do we avoid numerical precision issues? Is there a way to use integers instead of floating point numbers? Take a look at the equations from the last post, there were 4 cases:
Notice that we only use basic calculator functions: addition, subtraction, multiplication, division. There are no irrational values like square roots, logarithms, or trigonometric functions, which would force us to use the real numbers. This suggests that point addition does not necessarily require the real numbers, in fact any field will work.
To use a different field over the elliptic curve, the coefficients a and b (from: y²=x³+ax+b) must also be members of that field. As mentioned previously scalar multiplication requires a generator point. With these steps taken we can use any number field we want. There are a few different options: rational numbers, complex numbers and finite fields. Of those, only finite fields allow us to know the exact precision needed for all possible values since the number of elements is finite and known exactly. We described finite fields in the first post here. As described there we redefine the four arithmetic operations by taking the remainder mod p, for some prime p.
Let’s think about what this means graphically. Each point in the finite field represents all the numbers congruent mod p to that number, (.., x-2p, x-p, x, x+p, x+2p, ..), but in both the x and y dimension. The curve over the reals is half positive and half negative in the y axis, the negative values mod p get shifted up by p so we get the same vertical symmetry about the middle of the range of values.
Here are some example finite fields for different values of p.
Unlike the elliptic curve over the real numbers, these “curves” do not connect together into a smooth path. Nevertheless they are connected to each other via scalar multiplication.
Earlier in this post we mentioned that scalar multiplication enumerates points on the curve starting from a generator point. For the real numbers this sequence continues forever but for finite fields the same cannot be true, it’s finite after all. For finite fields the whole sequence repeats eventually, which is why it’s called a cyclic group. We know this cyclic group can’t be more than p elements since that’s the size of the field. The question remains how long is the sequence before it repeats?
As an example take the curve: y² = x³ + 2x + 3 mod 97 with generator point G=(3,6).
0*G = (infinity)
1*G = (3,6)
2*G = (80,10)
3*G = (80,87)
4*G = (3,91)
5*G = (infinity)
6*G = (3,6)
7*G = …
The order of this cyclic group is 5, much less than 97. The points have been partitioned into separate cyclic groups, all of the same size. The number of such groups is called the cofactor, denoted h below. Additionally the size of the subgroups, denoted r, multiplied by the number of such groups is the total number of points on the curve also called the order of the curve, or n for short. Be aware that the order the curve, n, is not the same as the order of the finite field p, in fact n is bounded above by p, n < p.
Another trick to keep in mind is that any time the prime order p mod 4 equals 3 we know that the cofactors is 1. In other words all points on the curve are in one big cyclic group maximizing security properties of the curve. The size and composition of these elliptic curve groups is an active area of research, you can learn more about it here.
Bitcoin uses the following curve: y²=x³+7 mod 2²⁵⁶-2³²-977, so a=0 and b=7 according to the generic form. The prime was chosen to fit inside 32 bytes by being less than 2²⁵⁶ and susceptible to additional optimizations that I won’t go into. These parameters result in a curve order of:
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
With initial point:
Note that the bitcoin prime, 2²⁵⁶ – 2³² – 977, has a cofactor of 1 so all the points are in a single cyclic group! One of the ramifications of this is that every point on the curve generates the same set of points (but in a different order), which means any choice for G will work.
This is an almost unfathomably large number, by the way, approximately ~10⁷⁷, is just shy of the number of atoms in the whole universe (10⁸⁰). A slightly closer approximation is the number of atoms in 10 billion galaxies, since there are about ~10⁶⁷ atoms in this galaxy you would need 10¹⁰ (10 billion) of those to get to the same order of magnitude (10¹⁰10⁶⁷=10⁷⁷).
Signing and Verifying messages
As mentioned above the curve is characterized by the well-known parameters (a, b, p, n and G). Additionally we will need a well-known hash function that produces positive numbers less than p, HASH(m)=z, that takes as input our plain text message and outputs a hexadecimal string of fixed size which we treat as a number. This allows anyone to sign and verify messages consistently.
Now assume Alice wants to send Bob a message. Alice has message m, e.g. “Hello World”, and a keypair (e, P), where eG=P. To calculate the signature multiply the secret key by the hash of the message: s = ze
Alice transmits message m and signature s to Bob. Bob then validates that Alice sent the message by multiplying message hash, z, by Alice’s public key P and compares that to signature s times the base point G:
Unfortunately there are a couple problems with this approach:
- Replay attacks: Imagine sending money to someone in a message and having an attacker replay that message effectively forcing you to over pay by 100% each time they replay the message. Of course this can’t actually happen in Bitcoin for other reasons but it illustrates the point.
- Private key leak: This one is rather devastating, an attacker can derive the secret key by calculating the inverse of the hash: s/z = sz^(p-2) = e, (remember Fermat’s little theorem?).
To fix these issues we need to add something to our calculation that changes every time we generate a signature. This is similar to a nonce (number used once) or a password salt.
Let Alice instead generate a separate one-time keypair kG = R. Alice will share both R and s as her signature. Now instead of hashing the message, m, Alice hashes m and R concatenated together, HASH(m,R) = z’.
Now to compute the signature we need to combine the two private keys with the hash in a way that can be validated by Bob. This turns out to be the following: s = k – z’e. To verify, Bob computes points sG and z’A and takes their sum. The resulting point should be equal to R. To see why this works take the definition of s, multiply both sides by G and simplify
If you didn’t know k or e and you wanted to forge a signature for some message you would be thwarted because you:
- Can’t make up k and solve for s and R because you don’t know e.
- Can’t make up s and solve for R because R can’t be extracted from z’.
Although if you reuse the one-time keypair (k,R) there is a method to extract e, as was famously done with the PlayStation 3 hack.
Now you should have a pretty good idea of what the bitcoin elliptic curve is. We learned about the associated cyclic group, how it’s formed from the one-way function scalar multiplication and how that is used as an asymmetric cryptosystem to digitally sign messages.
I’ll leave you with Jimmy Song’s closing words from this chapter:
Even if you don’t read another page in this book, you’ve learned to implement what was once considered “weapons-grade munitions”
How did Bitcoin lending become so popular?
The rising valuation of Bitcoin witnessed the growth of several sectors involved with the digital asset. The crypto lending market has exhibited extraordinary growth as institutions-focused Genesis registered a 245% growth in their outstanding loans in 2020.
While the BTC lending market is young, its swift adoption has created a billion-dollar industry, which is one of the benchmarks of development for the current Bitcoin ecosystem.
Total Bitcoin collateral grew by 1170%
According to Arcane Research’s recent Banking on Bitcoin report, the total active collateral in the BTC lending market has increased to ~$25 billion from $2 billion in 12 months. It was estimated that the number of Bitcoin used for collateral at the moment is around 420,000 BTC, however, this estimation is based on a modest evaluation that only 50% of the active loans are backed by Bitcoin collateral, whereas various industry experts believe it could be close to 70-80%.
While there are various Bitcoin lending companies in the current market, the impact of the institutional lending organization such as BlockFI and Genesis have been vital.
As mentioned earlier, Genesis’ active loans outstanding improved from $649 million in Q1 2020 to a whopping $3,821 million in Q4 2020. From Q3 to Q4, the growth was roughly 80%.
BlockFi registered similar impressive numbers, with a 50x increase in retail loans BTC collateral from Q4 2018 to Q4 2020; from $10 million to $500 million.
Bitcoin lending’s popularity grows
There are multiple factors that played into the expansion of the BTC collateral market. Over the past 12 months, the asset has received significant recognition after recovering at a rapid rate following the March 2020 crash. However, some of the most common reasons include leveraging on an existing position, arbitrage plays, and covering operation costs without selling any crypto holdings.
Some of its innate properties have improved over the few months. Bitcoin’s market has a 24/7 availability, which can be traded all year round and it is easily updated. Other assets such as Gold are only trading during the working days of the week, which is close to 30% less than Bitcoin.
Its store-of-value credentials have also improved drastically, with 75% of Bitcoin remaining in profit throughout its history.
However, one of the major reasons involves the ease at which BTC loans can be processed. Traditional loan methods require a certain amount of credit score, a tediously long process, and a lot of paperwork.
With Bitcoin, users do not need to establish a relationship with their banks to get a loan and they can easily lend from the emerging borderless Bitcoin lending market.
Sign Up For Our Newsletter
OLB Group enables crypto payments for thousands of US merchants
OLB Group (OLB), a New York-based e-commerce merchant service provider, is making it easier for businesses to accept cryptocurrency payments.
OLB’s more than 8,500 merchants are now able to accept Bitcoin (BTC), Ethereum (ETH), USDC and DAI at the point-of-sale through the company’s OmniSoft business management platform. Customers wishing to pay with cryptocurrency in-store or through their mobile phones can simply elect to do so with their cryptocurrency wallets. All payments are processed through SecurePay, a payment gateway that authenticates the transaction, converts the cryptocurrency to U.S. dollars and approves the final sale.
The decision to integrate cryptocurrency payments was partly driven by the growth of contactless and online orders during the Covid-19 pandemic. With the OmniSoft platform already providing merchants with several options to facilitate payments, cryptocurrencies were the next logical step.
Ronny Yakov, OLB Group’s CEO, says the payment gateway and point-of-sale architecture are “familiar territory for merchants,” which makes integrating cryptocurrencies through such channels easy.
On the topic of cryptocurrency payments – a promising but underutilized use case for the industry – Yakov believes we are still in the very early stages of adoption.
“It’s very early in crypto-as-a-payment adoption, but we see increasing interest from merchants exploring this payment option as a means to meet their customers however and wherever they prefer,” Yakov tells Cointelegraph.
He also believes certain industries are more likely to adopt crypto payments before others:
“We anticipate that adoption will happen more quickly in higher-ticket transactions such as jewelry, B2B billing and real estate because the transaction fees for cryptocurrency processing are lower – often half of typical credit card fees.”
Cryptocurrencies like Bitcoin have struggled to become a viable medium of exchange, inviting criticism about their utility. Charlie Munger, the billionaire investor and Berkshire Hathaway vice chairman, recently criticizedBitcoin for being “too volatile to serve well as a medium of exchange.”
With development work on scaling and sidechains still in progress, it remains to be seen whether cryptoassets will ever function efficiently as payment systems. In the meantime, assets like Bitcoin and Ethereum are valued for their store-of-value and development capabilities, respectively.
Litecoin, Monero, Dash Price Analysis: 28 February
Litecoin witnessed a downwards breakout from a parallel channel and moved to its support at $156.75. Monero was projected to move sideways as trading volumes and buying activity was suppressed. Lastly, a descending triangle emerged on Dash’s chart but a breakout largely depended on the direction of the broader market.
On the hourly timeframe, Litecoin broke below its parallel channel and moved to another region of support at $157.5. The On Balance Volume dipped as the price broke below the bottom trendline, but the index was recovering at the time of writing. A bullish crossover in the Stochastic RSI added some more optimism as LTC picked up from the $157 support line.
However, it was hard to overlook LTC’s bear market and stronger cues could be needed to back a move above the immediate overhead resistance. A spike in the 24-hour trading volumes could be one such signal that could project an upwards breakout on the charts.
The 24-hour trading volumes on Monero were muted as the cryptocurrency failed to break out from the $224.5 and $196.3 range. The Bollinger Bands showed that volatility remained on the lower side as the bands were compressed. This also meant that massive movements were unlikely and XMR could continue to trade within its current channel over the next few sessions.
A bullish twin peak setup on the Awesome Oscillator was negated as momentum tilted in the favor of the sellers at the time of writing.
Dash formed a descending triangle on its 4-hour chart as the price formed lower highs since snapping a local high at over $330. The On Balance Volume also steadily declined as the sell-off was heightened by a correction in the broader market. The Stochastic RSI continued its southbound trajectory after reversing from the overbought region.
Further weakness in market leaders BTC and ETH could continue to have a negative impact on Dash, and support levels at $166.8 and $135.3 could be tested in the event of a downwards breakout. On the flip side, Dash’s pattern could be invalidated if the price moves north on the back of a broader market rally.
Sign Up For Our Newsletter
Gemini collaborates with The Giving Block and others, adds donations option
Optimized Ethereum Mining Settings for Nvidia RTX 3060 Ti, RTX 3070, RTX 3080 and RTX 3090 GPUs
NextGen Blockchain Platforms Self-Organize to Win Government Contracts
Crypto Lending Explained 2021
Traditional Banks get serious about enabling crypto-related services
BitMEX adding six new perpetual contacts: ADA, DOT, EOS, YFI, UNI, and XLM
Kraken Reacts to Market Selloff
Trailing Take Profit Explained
What Coinbase Going Public Could Do For Crypto
Crypto Investment Fund to Sell $750M in Bitcoin for Cardano and Polkadot
DeFi Orion Protocol Launches Staking Calculator
World’s First Bitcoin ETF Records Stellar Growth, AUM Crosses Half A Billion Dollars
MicroStrategy Completes Another $1 Billion Bitcoin Buy
All of the Federal Reserve’s wire and ACH systems are down
Traders remain bullish even as DeFi’s TVL falls to $54.4 billion
This was avoidable – The lost Bitcoin fortunes
Sam Bankman-Fried: The crypto whale who wants to give billions away
ZelaaPayAE deploys Pundi X’s merchant crypto payment solutions for UAE
Economist warns of dystopia if ‘Bitcoin Aristocrats’ become reality
Craig Wright Sues Bitcoin Developers Over Stolen BTC Worth $5 Billion
Blockchain6 days ago
Ankr adds Eth2 futures (fETH) to its staking system
Blockchain3 days ago
Gemini collaborates with The Giving Block and others, adds donations option
Blockchain7 days ago
Ripple now registered as a Wyoming business
Blockchain6 days ago
Peter Schiff Now Discusses Bitcoin More Often Than His Beloved Gold
Blockchain7 days ago
Former BoE, BoC Governor Mark Carney joins Stripe board of directors
Blockchain1 week ago
Gene Simmons says he’s added $300K of Cardano to his bags
Blockchain1 week ago
Are Bitcoin’s long-term hodlers entering the seller’s market?
Blockchain1 week ago
Elon Musk Explains to Peter Schiff What Money Is