# ECDSA_secp256k1
Perform ECDSA with the curve secp256k1 (used by Bitcoin, Ethereum, etc).

As excerpted from Standards:

The elliptic curve domain parameters over $F_p$ associated with a Koblitz curve secp256k1 are specified by the sextuple T = $(p,a,b,G,n,h)$ where the finite field $F_p$ is defined by:

- p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
- = $2^{256} - 2^{32} - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1$

The curve $E: y^2 = x^3+ax+b$ over $F_p$ is defined by:

- $a$ = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
- $b$ = 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000007

The base point G in compressed form is:

- $G$ = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798

and in uncompressed form is:

- $G$ = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8

Finally the order n of G and the cofactor are:

- $n$ = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
- $h$ = 01

In [1]:
# Define the parameter (p,a,b,G,n,h)
p = 2^256-2^32-2^9-2^8-2^7-2^6-2^4-1  # 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a = 0
b = 7
K = GF(p)
E = EllipticCurve(K, [a,b])
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = E(GX,GY)
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
h = 1
print (p)
print (n)
print (G.order())

115792089237316195423570985008687907853269984665640564039457584007908834671663
115792089237316195423570985008687907852837564279074904382605163141518161494337
115792089237316195423570985008687907852837564279074904382605163141518161494337


## (a) Let ID be your private key. What is your public key?

In [2]:
# private key 
d = 28244
P = d*G 
key_pub = (p,a,b,n,G,P)
print ('Public key:', key_pub)

Public key: (115792089237316195423570985008687907853269984665640564039457584007908834671663, 0, 7, 115792089237316195423570985008687907852837564279074904382605163141518161494337, (55066263022277343669578718895168534326250603453777594175500187360389116729240 : 32670510020758816978083085130507043184471273380659243275938904335757337482424 : 1), (28454581412217762273367934512142172356589691413478120685102309863620429068249 : 61758745690864210825956316240597802688863283477858052515374659654629288558657 : 1))


## (b)	Use your private key with a random ephemeral key to sign the hash value
4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b
which identifies the transaction of the Genesis of Bitcoin. 

In [3]:
digest = Integer('0x4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b')
kE = randint(1, n - 1)
kE_inv = inverse_mod(kE, n)
R = kE*G
(xr, yr) = R.xy()
r = mod(xr, n)
sig = mod(((digest + d*r) * kE_inv), n)
tosend = (digest, (r, sig))
print ('r', r)
print ('digest:', digest)
print ('signature:', (r,sig))
print ('tosend', tosend)

r 14664404033648474741473650548991088579882888756126411964462467668834150446483
digest: 33637443511616323281564667033488455043036536822741741196822500957464973648699
signature: (14664404033648474741473650548991088579882888756126411964462467668834150446483, 69892404166647449199407261984459643825645365187452073353337350828477719695487)
tosend (33637443511616323281564667033488455043036536822741741196822500957464973648699, (14664404033648474741473650548991088579882888756126411964462467668834150446483, 69892404166647449199407261984459643825645365187452073353337350828477719695487))


## (c) Verify the signature with the public key

In [4]:
w = inverse_mod(int(sig), n)
u1 = Integer(mod(w*digest, n))
u2 = Integer(mod(w*r, n))
PP = u1*G + u2*P
(xpp, ypp) = PP.xy()
xp = mod(xpp,n)
print ('xp', xp)
print (xp == r)

xp 14664404033648474741473650548991088579882888756126411964462467668834150446483
True


In [None]:
discrete_log(P,G,operation = '+')