How-to: using Bitcoin key

pairs to for encrypted

messaging
In my previous post, I have described an idea of building
an anonymous messenger for Bitcoin users. Now it is a time to
prove that it will work.
Let’s say, Alice wants to send Bob an encrypted text Greetings form
Alice!. All she needs to know is Bob’s Bitcoin address and her
own WIF (wallet import format) key. Bob will decrypt this text
knowing Alice’s Bitcoin address and his own WIF key.

They will use ECDH algorithm to obtain a shared secret, which

will be used for 256-bit symmetric AES encryption. Note
that ECDH(public key A, private key B) = ECDH(public
key B, private key A) = shared secret.

You may ask how Alice can get Bob’s public key knowing only
his Bitcoin address? That’s very simple. If Bob has ever used his
address for spending money, his public key is stored in the
Blockchain, so it will be quite easy to retrieve it.

Algorithm
1. Alice knows Bob’s Bitcoin address.
2. Alice looks up Bob’s public key in the Blockchain.
3. Alice generates a shared secret based on her private key and
Bob’s public key using ECDH algorithm.
4. Alice encrypts a message using 256-bit symmetric AES
encryption with a shared secret.
5. Alice sends an encrypted message to Bob. She also lets him
know her Bitcoin address.
6. Bob looks up Alice public key in the Blockchain.
7. Bob generates a shared secret based on Alice’s public key and
his own private key using ECDH algorithm.
8. Bobs decrypts a message using 256-bit symmetric AES
encryption with a shared secret.

A shared secret is always the same between two parties. Each

party can compute it independently.

Proof
Let’s go through every step to prove that it will work.
In this example, Alice uses a compressed Bitcoin address
(1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH), while Bob uses a regular
one(1LagHJk2FyCV2VzrNHVqg3gYG4TSYwDV4m). For simplicity, these
addresses were taken from the Bitcoin private key directory.

Encoding:

1. Alice knows Bob’s address: 1LagHJk2FyCV2VzrNHVqg3gYG4TSYwDV4m.

2. Alice looks up his address on Blockchain.info.
3. Alice finds a spending transaction and retrieves Bob’s Public
Key (130 characters,
Hexadecimal): 04C6047F9441ED7D6D3045406E95C07CD85C778E4B8CEF3CA7ABAC
09B95C709EE51AE168FEA63DC339A3C58419466CEAEEF7F632653266D0E1236431A950CF
E52A.
4. Since some transactions can contain multiple public keys,
Alice verifies that she has found a correct public key by
converting it into a Bitcoin address using this service. It
should match Bob’s Bitcoin address.
5. Alice knows her WIF key (compressed,
Base58): KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qYjgd9M7rFU73sVHnoWn.
6. Using this manual and Base58 decoder, Alice converts her
WIF key into a private key
(Hexademical): 00000000000000000000000000000000000000000000000000000
00000000001.
7. Using this Node.js script, which implements ECDH, Alice
finds a shared secret (Hexademical):
c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5.
8. Using another Node.js script, Alice encrypts text Greetings form
Alice!with 256-bit symmetric AES encryption and a shared
secret. Encrypted text (hex)
is: 89a7fa84bf762100ac09049bb7d1dc0d9b477f1632.
9. Alice sends Bob an encrypted text as well as her Bitcoin
address.

Decoding:

1. Bob knows Alice’s Bitcoin

Address: 1BgGZ9tcN4rm9KBzDn7KprQz87SZ26SAMH.
2. Bob looks up her address on Blockchain.info.
3. Bob finds spending transaction and retrieves Alice’s Public
Key (compressed, 66 characters,
Hexadecimal): 0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2
815b16f81798.
4. Bob verifies that he has found a correct public key by
converting it into a Bitcoin address using this service. It
should match Alice’s Bitcoin address.
5. Bob knows his WIF key
(Base58): 5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAvUcVfH.
6. Using this manual and Base58 decoder, Bob converts his
WIF key into a private key
(Hexademical): 00000000000000000000000000000000000000000000000000000
00000000002.
7. Using this Node.js script, which implements ECDH, Bob
finds a shared secret (Hexademical):
c6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5.
8. Using another Node.js script, Bob decrypts hex
string 89a7fa84bf762100ac09049bb7d1dc0d9b477f1632 with 256-bit
 symmetric AES encryption and a shared secret. Decrypted
text is: Greetings form Alice!.

So it worked!

Consequences
Using this method we can do many fun things. E.g. we can
create a server (or a distributed system), which will store all
messages sent to all users. This makes possible for Alice to send
a message to Bob, even before he started using a messenger. To
get all messages, Bob does not ever need to sign in into a
messenger. He can just run a simple REST request to get all of
his data.

Another fun thing that could be made is communication

between peers of different cryptocurrencies. For example,
Ethereum is using the same secp256k1 ecliptic curve for
generating keys as Bitcoin is, this means that we can still use
ECDH for establishing a secure connection between Bitcoin and
Ethereum users.

Support
Like an Idea? Make it happen: 135rcdVPUie3g1PXPazALpggZ6E72HVNj1!
How does ECDSA work
in Bitcoin
ECDSA (‘Elliptical Curve Digital Signature Algorithm’) is the
cryptography behind private and public keys used in Bitcoin. It
consists of combining the math behind finite fields and elliptic
curves to create one way equations, meaning you can choose
your private key (some number) and easily calculate your public
key (some other number). However, I can’t take my public key
(or anybody else’s for that matter) and easily calculate their
private key. In fact, for Bitcoin it would take trillions of
computers trillions of years of continuous guessing of different
private keys to figure out which one creates a given public key.

Let’s see how!

Finite Fields:

A finite field is exactly like it sounds, a finite set of numbers. The

real numbers are an infinite set of numbers, but the set (3, 97,
205, 1,678, 17) is a finite set of numbers. A more interesting and
useful set of numbers are the set of integers modulo p, where p
is a prime number.

Modulo is like addition on a clock or remainder math. For

example modulo 12 would be adding around a clock, so (1 + 4)
modulo 12 = 5, but (1+15) modulo 12 = 4. Why? Think about a
clock. 1 + 15 = 16 and 16 is 4 hours after 12. Or think about
remainder math. 16 / 12 = 1 remainder 4 so the remainder is 4.
You can also follow the same logic to do subtraction and
multiplication. Check this out for more examples.

Elliptic Curve:

Elliptic curves are the set of points described by the equation:

The below are examples of elliptic curves:

Elliptic curves are useful because of their various properties.

Firstly, elliptic curves are groups. Groups are defined in
mathematics if they have closure, associativity, an identity
element, and an inverse for each element.

1. Closure: If a and b are in a group G, then a + b is in the group

G
2. Associativity: (a + b) + c = a + (b + c)
3. Identity Element: a + 0 = 0 + a = a
4. For every a there exists b such that a + b = 0
5. For Abelian Groups only, commutativity: a + b = b + a

Further, elliptic curves have some of their own specific group

laws.

1. The identity element is the point at infinity, 0

2. The inverse of the point P is the one symmetric about the x
axis
3. Addition is defined as: given three aligned, non-zero points,
P, Q, and R you have P + Q + R = 0. The order does not
matter for these three points, so P + (Q+R) = 0, (P+Q) + R =
0, (P+R) + Q = 0, etc. This allows us to prove elliptic curves
are both commutative, and associative.
The above equation also gives us an equation to add two points
together and calculate the third point. As stated before, we know
that when a line passes through two points on a curve, it will
pass through a third point. And we know that

P+Q+R=0

so,

P + Q = -R

And we know that -R is just the inverse of the point R reflected

across the x-axis.

What about the case where P is tangent to the curve, such that
there are only two intersecting points.
Since, P is tangent to the curve, you have P = Q and therefore, P
+ P = -R from the equation above. Or, 2P = -R. This is called
point doubling for elliptic curves.

Finite Fields + Elliptic Curves:

When you combine finite fields and elliptic curves you get the
magic of cryptography. The equation for an elliptic curve
transforms to the following:

Basically, we added mod p to the end of the elliptic curve

equations.

And if we plot a finite field over an elliptic curve, we get the

following examples:
Note how the points are symmetric across a certain line,
meaning we can still do point addition P + Q = -R where we
draw a line connecting P, Q, and R and reflect R over the x axis
to find -R. In a finite field, a line looks very different than an
infinite field. It is similar to the game galaxy where you go off
the top of the screen and you end up at the bottom of the screen.
Below you can see P, Q, and R being connected through a line.
And because finite fields over elliptic curves are still in a group,
we retain all of the properties for a mathematical group
described above.

Scalar Multiplication and Order

Recall that a line passing through two points on an elliptic curve

will pass through a third point and the equation to calculate said
third point is P + Q =-R (point addition). Further, if P is tangent
to elliptic curve then P = Q and P + P = -R → or 2P = -R (point
doubling).

Point addition and point doubling allow us to define scalar

multiplication for elliptic curves such that, xP = R where x is a
scalar, P is a point tangent to the curve and R is the resulting
point from adding P on to itself x times. For example:

11P = R

P + 10P = R

P + 2(5P) = R

P + 2(P + 4P) = R

P + 2(P + 2(2P)) = R

In this example, we would take point P and add point P to get

new point F.

P + 2(P + (2F)) = R

Take point F and add F to it to get new point C.

P + 2(P + C) = R

Add P and C together to get point D.

P + 2(D) = R

Add point D to point D to get point E.

P+E=R

Add point P and point E to get R! So you can see how point
addition and point doubling allows us to calculate scalar
multiplication for xP = R.
Elliptic curves over finite fields have the same property. We can
continually add P on to itself creating scalar multiplication.

Think back to the clock image we used for modulo operations.

When adding P to itself over and over, it is similar to moving P
around a clock. Eventually you will get back to where you
started and continually cycle through the same points.

Let’s check out an example using the equation:

and if we choose the point P = (3,6), we can then cycle through

the scalar multiplication of P to understand how many times we
add P to itself to get back to the point (3,6).

We can see that P = (3,6) and it takes 5Ps to get back to the
same point (3,6). That means P = (3,6) and so does 6P, 11P,
16P…etc. Check out this awesome calculator and visual tool
from Andrea Corbellini to verify and to try other examples.

The key point to the above example is calculating the order of a

subgroup generated by point P. The order of P is defined as the
smallest positive integer n such that nP = 0. So in our example,
the order of the subgroup based on point P is 5, meaning 5P = 0.
There is no smaller positive scalar multiplier of point P that will
yield the point 0.

Bringing this all together, our example defines the following:

1. Prime modulo of the finite field = 97

2. The elliptic curve described above where a = 2 and b = 3
3. A random point P = (3,6) — this is called the base point
4. The order of the subgroup (set of cyclic points based on P) =
5

ECDSA and Bitcoin

For Bitcoin, we have the following parameters:

1. Prime modulo: 2²⁵⁶ - 2³² - 2⁹ - 2⁸ - 2⁷ - 2⁶ - 2⁴ - 1 → this is

a really really big number approximately equal to all of the
atoms in the universe. It is also represented in hexadecimal
as: FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFF FFFFFFFE FFFFFC2F
2. Elliptic curve where a = 0 and b = 7
3. Base point P in hexadecimal = 04 79BE667E F9DCBBAC
55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B
16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8
FD17B448 A6855419 9C47D08F FB10D4B8
4. Order in hexadecimal = FFFFFFFF FFFFFFFF FFFFFFFF
FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141

These numbers were not arbitrarily chosen. There is actually a

cryptography standard run by the organization, Standards for
Efficient Cryptography Group (SEC) and Bitcoin follows the
secp256k1 standard.

Therefore, the private key for Bitcoin is just an arbitrarily

chosen number between 1 and the order above. The public key
can easily be derived through scalar multiplication with the
formula:

public key = private key * base point P

This is just performing scalar multiplication on base point P

multiplied by your private key the same way we described scalar
multiplication above with xP = R. The above example we
showed how x = 11 and calculated 11P = R using point doubling
and point addition. The difference between this example and
Bitcoin is that Bitcoin uses extremely large numbers in
hexadecimal form, but the process of using point doubling and
point addition is the same.

Once you choose your private key and multiply it by the base
point P, you get a new point (x,y) in the finite field/elliptic
curve. This is your public key. It is computationally easy to use
your private key and multiply it by the base point to get the
public key, but it is computationally difficult to start with the
public key and work backwards to calculate the private key. The
equation is a one way street.

The private key and public key are now available to create
digital signatures like we discussed in the last post.

For brevity sake, I am leaving out the mathematical proofs for

digital signatures but if you are interested, check it out here.
Special thanks to: