<a href="https://colab.research.google.com/github/crudolphMQU/programmingbitcoin/blob/master/code-ch03/Chapter3.ipynb" target="_parent"><img src="https://colab.research.google.com/assets/colab-badge.svg" alt="Open In Colab"/></a>

# How to use colab with 'Programming Bitcoin'

## Notes on saving files to GitHub via Colab

Saving to GitHub from Colab **only saves the notebook**, not any additional files.

When you edit the `ecc.py` file in your Colab instance, you should **also update it directly in your GitHub repository**. Editing it in Colab allows you to continue working in the same session, but if you start a new runtime later, those changes will not persist unless they are committed to GitHub.

You should **edit the file directly in the appropriate folder of your repository on GitHub**.

After deleting the runtime and restarting the notebook, you'll get the most up-to-date version of `ecc.py` from GitHub. If you don't update it properly, you may encounter errors when running the notebook in a new runtime.

Whenever you make changes to `ecc.py`, reload it using the following code:

```python
import importlib
import ecc
import importlib.reload(ecc)
```

When saving a copy of your notebook to GitHub via Colab, make sure to **specify the correct folder path**. For example, for this chapter:

```
File > Save a copy in GitHub > Choose your repository > Filepath: code-ch02/Chapter2.ipynb
```



## ✅ Step-by-step instructions: Saving files to GitHub via Colab

### 1️⃣ Understand what gets saved

- When you use **File → Save a copy in GitHub**, only the notebook file (`.ipynb`) is saved.
- Other files you edit in Colab (like `ecc.py`) **do not get automatically saved to GitHub**.

---

### 2️⃣ Update `ecc.py` manually

- If you edit `ecc.py` in Colab, you **must also update it directly in your GitHub repository**.
- You can do this by:
  - Editing the file directly on GitHub (recommended), or
  - Uploading via the GitHub web interface (make sure to place it in the correct folder).

---

### 3️⃣ Check the correct file path when saving notebooks

- When saving your notebook to GitHub, always specify the correct path.
- Example:


# Set up

In [1]:
!git clone https://github.com/crudolphMQU/programmingbitcoin

fatal: destination path 'programmingbitcoin' already exists and is not an empty directory.


In [2]:
ls

[0m[01;34mprogrammingbitcoin[0m/  [01;34msample_data[0m/


In [3]:
cd programmingbitcoin/code-ch03

/content/programmingbitcoin/code-ch03


In [4]:
try:
    import virtualenv
except ImportError:
  !pip install virtualenv==20.17.1

In [5]:
!pip install -q -r /content/programmingbitcoin/requirements.txt

[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m12.3/12.3 MB[0m [31m99.8 MB/s[0m eta [36m0:00:00[0m
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m69.4/69.4 kB[0m [31m4.1 MB/s[0m eta [36m0:00:00[0m
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m386.9/386.9 kB[0m [31m23.1 MB/s[0m eta [36m0:00:00[0m
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m133.5/133.5 kB[0m [31m8.7 MB/s[0m eta [36m0:00:00[0m
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m59.7/59.7 kB[0m [31m3.7 MB/s[0m eta [36m0:00:00[0m
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m1.6/1.6 MB[0m [31m46.9 MB/s[0m eta [36m0:00:00[0m
[2K   [90m━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━[0m [32m66.4/66.4 kB[0m [31m4.4 MB/s[0m eta [36m0:00:00[0m
[?25h

In [6]:
try:
    import helper
except ImportError:
  !pip install helper

# Imports

In [7]:
############## PLEASE RUN THIS CELL FIRST! ###################

# import everything and define a test runner function
from importlib import reload
from helper import run
import ecc
import helper

from ecc import FieldElement, Point

# Elliptic Curve Cryptography

We learned finite fields and elliptic curves.

We're going to build the fundamentals needed to sign and verify messages, the heart of Bitcoin

# 📘 Properties of Real Numbers

---

## 🔢 1. Closure Properties

Real numbers are **closed** under addition and multiplication:

- **Addition**: If $a, b \in \mathbb{R}$, then $a + b \in \mathbb{R}$  
  Example: $2.5 + 3.1 = 5.6$

- **Multiplication**: If $a, b \in \mathbb{R}$, then $ab \in \mathbb{R}$  
  Example: $2 \cdot (-4) = -8$

---

## 🔄 2. Commutative Properties

Changing the order does not change the result:

- **Addition**: $a + b = b + a$  
  Example: $3 + 7 = 7 + 3$

- **Multiplication**: $ab = ba$  
  Example: $5 \cdot 2 = 2 \cdot 5$

---

## 🔁 3. Associative Properties

Changing grouping does not change the result:

- **Addition**: $(a + b) + c = a + (b + c)$  
  Example: $(1 + 2) + 3 = 1 + (2 + 3)$

- **Multiplication**: $(ab)c = a(bc)$  
  Example: $(2 \cdot 3) \cdot 4 = 2 \cdot (3 \cdot 4)$

---

## 🔢 4. Distributive Property

Links multiplication and addition:

$$
a(b + c) = ab + ac
$$

Example:  
$$
2(3 + 4) = 2 \cdot 3 + 2 \cdot 4 = 6 + 8 = 14
$$

---

## 🔁 5. Identity Properties

Identity elements do not change the value:

- **Additive Identity**: $a + 0 = a$

(Identity = 0)

- **Multiplicative Identity**: $a \cdot 1 = a$

(Identity = 1)

---

## 🔄 6. Inverse Properties

Every number has an inverse:

- **Additive Inverse**: $a + (-a) = 0$

- **Multiplicative Inverse**:  
  $a \cdot \frac{1}{a} = 1$, for $a \ne 0$

---

## 🌐 7. Order Properties

The set of real numbers $ \mathbb{R} $ is **ordered**:

- For any $a, b \in \mathbb{R}$, exactly one is true:  
  $a < b$, $a = b$, or $a > b$

- If $a < b$, then $a + c < b + c$

- If $a < b$ and $c > 0$, then $ac < bc$

---

Point addition equations we saw previously can be used over any field.

**Elliptic curves over finite fields.**

Point (17,64)

$y^2 = x^3 +7 $ over $ F_{103}$

$y^2 = 64^2 \% 103 = 79$

$x^3 + 7 = (17^3 +7)\%103 = 79$

Using finite field math we've found the point is on the curve.

### Exercise 1

Note, the elliptic curve equation of general form:

$y^2 = x^3 + ax +b$

Evaluate whether these points are on the curve \\(y^{2}\\)=\\(x^{3}\\)+7 over \\(F_{223}\\)

Where a = 0, b = 7

(192,105), (17,56), (200,119), (1,193), (42,99)

In [8]:
# Exercise 1

prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)

# (192,105), (17,56), (200,119), (1,193), (42,99)

x = FieldElement(192, 223)
y = FieldElement(105, 223)
y**2 == x**3 + b

True

We can automate this by creating a function using vibe coding


In [9]:
def on_curve(x,y):
  return y**2 == x**3 + b

In [10]:
x1, y1 = FieldElement(192, prime), FieldElement(105, prime)
x2, y2 = FieldElement(17, prime), FieldElement(56, prime)
x3, y3 = FieldElement(200, prime), FieldElement(119, prime)
x4, y4 = FieldElement(1, prime), FieldElement(193, prime)
x5, y5 = FieldElement(42, prime), FieldElement(99, prime)

In [11]:
print(f"Point P1: ({x1}, {y1}) → on curve? {on_curve(x1, y1)}")
print(f"Point P2: ({x2}, {y2}) → on curve? {on_curve(x2, y2)}")
print(f"Point P3: ({x3}, {y3}) → on curve? {on_curve(x3, y3)}")
print(f"Point P4: ({x4}, {y4}) → on curve? {on_curve(x4, y4)}")
print(f"Point P5: ({x5}, {y5}) → on curve? {on_curve(x5, y5)}")

Point P1: (FieldElement_223(192), FieldElement_223(105)) → on curve? True
Point P2: (FieldElement_223(17), FieldElement_223(56)) → on curve? True
Point P3: (FieldElement_223(200), FieldElement_223(119)) → on curve? False
Point P4: (FieldElement_223(1), FieldElement_223(193)) → on curve? True
Point P5: (FieldElement_223(42), FieldElement_223(99)) → on curve? False


In [12]:
def on_curve(x, y):
    return y**2 == x**3 + b

# Define points
points = [
    (FieldElement(192, prime), FieldElement(105, prime)),
    (FieldElement(17, prime), FieldElement(56, prime)),
    (FieldElement(200, prime), FieldElement(119, prime)),
    (FieldElement(1, prime), FieldElement(193, prime)),
    (FieldElement(42, prime), FieldElement(99, prime))
]

# Loop through and check
for i, (x, y) in enumerate(points, start=1):
    print(f"Point P{i}: ({x}, {y}) → on curve? {on_curve(x, y)}")


Point P1: (FieldElement_223(192), FieldElement_223(105)) → on curve? True
Point P2: (FieldElement_223(17), FieldElement_223(56)) → on curve? True
Point P3: (FieldElement_223(200), FieldElement_223(119)) → on curve? False
Point P4: (FieldElement_223(1), FieldElement_223(193)) → on curve? True
Point P5: (FieldElement_223(42), FieldElement_223(99)) → on curve? False


Elliptic curve points over a finite field

In [13]:
from ecc import FieldElement, Point
a = FieldElement(num=0, prime=223)
b = FieldElement(num=7, prime=223)
x = FieldElement(num=192, prime=223)
y = FieldElement(num=105, prime=223)
p1 = Point(x, y, a, b)
print(p1)

Point(192,105)_0_7 FieldElement(223)


We use the *Finite field* defined methods (arithmetic operators) for the same equations  to construct elliptic curve cryptography library.

Checking our work with a testsuite:

In [14]:
import ecc
from helper import run
reload(ecc)
run(ecc.ECCTest('test_on_curve'))

.
----------------------------------------------------------------------
Ran 1 test in 0.002s

OK


This test used the FieldElement objects in the *Point* class for initialisation, making sure all the methods we've defined in the `ecc` file have done their job correctly.

**Point addition over Finite Fields.**

Line over a finite field looks different to what we expect (fig 3-3).

All elliptic curve equations work over finite fields, so, point addition also works over finite fields.

As a result, we can initialise the *Point* class with *FieldElement* Objects, seen below:

In [15]:
from ecc import FieldElement, Point
prime = 223
a = FieldElement(num=0, prime=prime)
b = FieldElement(num=7, prime=prime)
x1 = FieldElement(num=192, prime=prime)
y1 = FieldElement(num=105, prime=prime)
x2 = FieldElement(num=17, prime=prime)
y2 = FieldElement(num=56, prime=prime)
p1 = Point(x1, y1, a, b) # the Point class being initialised by Fieldelements, x1,y1...
p2 = Point(x2, y2, a, b)
print(p1+p2)

Point(170,142)_0_7 FieldElement(223)


### Exercise 2



For the curve \\(y^{2}\\)=\\(x^{3}\\)+7 over \\(F_{223}\\), find:

* (170,142) + (60,139)
* (47,71) + (17,56)
* (143,98) + (76,66)

In [16]:
# Exercise 2
from ecc import FieldElement, Point

prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)

# (170,142) + (60,139)
# (47,71) + (17,56)
# (143,98) + (76,66)

x1, y1 = FieldElement(170, prime), FieldElement(142, prime)
x2, y2 = FieldElement(60, prime), FieldElement(139, prime)
x3, y3 = FieldElement(47, prime), FieldElement(71, prime)
x4, y4 = FieldElement(17, prime), FieldElement(56, prime)
x5, y5 = FieldElement(143, prime), FieldElement(98, prime)
x6, y6 = FieldElement(76, prime), FieldElement(66, prime)

Note, a field element is an integer between 0 (inclusive) and the base of the finite field (exclusive).

A point is not on the curve over a finite field if its coordinates (x,y), although valid field elements, do not satisfy the curve equation when evaluated modulo the prime.

In [17]:
def on_curve(x, y, a, b):
    return y**2 == x**3 + b

In [18]:
p1 = Point(x1, y1, a, b)
p2 = Point(x2, y2, a, b)
p3 = Point(x3, y3, a, b)
p4 = Point(x4, y4, a, b)
p5 = Point(x5, y5, a, b)
p6 = Point(x6, y6, a, b)

print(p1+p2)
print(p3+p4)
print(p5+p6)

Point(220,181)_0_7 FieldElement(223)
Point(215,68)_0_7 FieldElement(223)
Point(47,71)_0_7 FieldElement(223)


### Exercise 3

Extend `ECCTest` to test for the additions from the previous exercise. Call this `test_add`.

**Make [this test](/edit/code-ch03/ecc.py) pass: `ecc.py:ECCTest:test_add`**

In [19]:
x1, y1, x2, y2, x3, y3 = FieldElement(192, prime), FieldElement(105, prime), FieldElement(17, prime), FieldElement(56, prime), FieldElement(170, prime), FieldElement(142, prime)

p1 = Point(x1, y1, a, b)
p2 = Point(x2, y2, a, b)
p3 = Point(x3, y3, a, b)
print(p1+p2==p3)

True


In [20]:
additions = (
            # (x1, y1, x2, y2, x3, y3)
            (192, 105, 17, 56, 170, 142),
            (47, 71, 117, 141, 60, 139),
            (143, 98, 76, 66, 47, 71),
        )

In [21]:
for x1, y1, x2, y2, x3, y3 in additions:
    p1 = Point(FieldElement(x1, prime), FieldElement(y1, prime), a, b)
    p2 = Point(FieldElement(x2, prime), FieldElement(y2, prime), a, b)
    p3 = Point(FieldElement(x3, prime), FieldElement(y3, prime), a, b)
    print(p1+p2==p3)

True
True
True


In [22]:
# Exercise 3

reload(ecc)
run(ecc.ECCTest("test_add"))

.
----------------------------------------------------------------------
Ran 1 test in 0.012s

OK


### Exercise 4

**Scalar Multiplication for elliptic curves**

We can now add points, now we introduce new notation for adding a point to itself, using scalar multiplication.

Opposite of scalar multiplication, point division, is also called *the discrete log problem*; it is the basis of elliptic curve cryptography.

Scalar multiplication of a certain multiple approaches zero.

A finite cyclic group when the multiple is finite.

Scalar multiplication is easy to do in one direction, but difficult in the other direction, this is what we need for elliptic curve cryptography.

**Discrete Log Problem**

we've used point 'addition', but we can also say point 'operation'. This operator is denoted by the dot ($\cdot$):

$P_1 \cdot P_2 = P_3$


Performing many multiplication is same as exponentiation. 'Point multiplication' becomes scalar exponentiation.

$P^7 = Q$

Reversing this operation is the discrete log problem:

$\log_PQ = 7$

The LHS has no known formula to provide the answer generally.

___



For the curve \\(y^{2}\\)=\\(x^{3}\\)+7 over \\(F_{223}\\), find:

* 2⋅(192,105)
* 2⋅(143,98)
* 2⋅(47,71)
* 4⋅(47,71)
* 8⋅(47,71)
* 21⋅(47,71)

In [23]:
# Exercise 4
from ecc import FieldElement, Point

prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)

# 2*(192, 105)
# 2*(143, 98)
# 2*(47, 71)
# 4*(47, 71)
# 8*(47, 71)
# 21*(47, 71)

# create a product variable
# add the point to the product n times
# print the product

In [24]:
x1, y1 = FieldElement(192, prime), FieldElement(105, prime)
x2, y2 = FieldElement(143, prime), FieldElement(98, prime)
x3, y3 = FieldElement(47, prime), FieldElement(71, prime)

In [25]:
p1 = Point(x1, y1, a, b)
p2 = Point(x2, y2, a, b)
p3 = Point(x3, y3, a, b)

In [26]:
p1+p1 == 2*p1

True

In [27]:
p1+p1

Point(49,71)_0_7 FieldElement(223)

In [28]:
print(2*p2)
print(2*p3)
print(4*p3)
print(8*p3)
print(21*p3)

Point(64,168)_0_7 FieldElement(223)
Point(36,111)_0_7 FieldElement(223)
Point(194,51)_0_7 FieldElement(223)
Point(116,55)_0_7 FieldElement(223)
Point(infinity)


If we investigate the resulting points from the incremental multiples, we won't see any pattern in the result.

**Assymmetric problem** is easy to do in one direction but difficult in the other.

We can calcuate the following easily,

$12 \cdot (47, 71)$

However, using the result of this, performing the reverse is difficult when solving for s and when we have a large *group*:

$s \cdot (47,71) = (194, 172)$

In [29]:
from ecc import FieldElement, Point
prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)
x = FieldElement(47, prime)
y = FieldElement(71, prime)
p = Point(x, y, a, b)
for s in range(1,21):
    result = s*p
    print('{}*(47,71)=({},{})'.format(s,result.x.num,result.y.num))

1*(47,71)=(47,71)
2*(47,71)=(36,111)
3*(47,71)=(15,137)
4*(47,71)=(194,51)
5*(47,71)=(126,96)
6*(47,71)=(139,137)
7*(47,71)=(92,47)
8*(47,71)=(116,55)
9*(47,71)=(69,86)
10*(47,71)=(154,150)
11*(47,71)=(154,73)
12*(47,71)=(69,137)
13*(47,71)=(116,168)
14*(47,71)=(92,176)
15*(47,71)=(139,86)
16*(47,71)=(126,127)
17*(47,71)=(194,172)
18*(47,71)=(15,86)
19*(47,71)=(36,112)
20*(47,71)=(47,152)


### Exercise 5



For the curve \\(y^{2}\\)=\\(x^{3}\\)+7 over \\(F_{223}\\), find the order of the group generated by (15,86)

In [30]:
# Exercise 5

prime = 223
a = FieldElement(0, prime)
b = FieldElement(7, prime)
x = FieldElement(15, prime)
y = FieldElement(86, prime)
p = Point(x, y, a, b)
inf = Point(None, None, a, b)
#
# create a product variable
# create a counter variable
# loop until the product is the point at infinity
# add the point to the product and increment counter
# print the counter when exited from loop

In [31]:
counter = 1

while counter*p != inf:
    counter += 1
print(f'order of the group is {counter}')

order of the group is 7


In [32]:
counter*p

Point(infinity)

**Coding scalar multiplication**

looping through large coefficients can take a long time. We can use the technique *binary expansion*.

For example: 1 trillion is 40 bits in binary, so we only have to loop 40 times.The counter in the loop will be in 2.

**Defining the Curve for Bitcoin**

Security of elliptic curve cryptography depends on the computer not being able to go through an appreciable fraction of the group.

The security relies on the difficulty to solve the *discrete log problem*.

**The elliptic curve for public key cryptography is defined:**

- *a*, *b* of the elliptic curve is specified.

- the prime of the finie field is specified.

- *x*, *y* coordinates of the generator point ,*G* are specified.

- The order, *n*, of the group generated by G is specified.

Bitcoin uses the cryptographyic curve **secp256k1**. These are the parameters:

$a=0, b=7$

$p=2^{256} - 2^{32} - 977$

$G_x = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798$

$g_y = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8$

The `0x` tells python that the number is hexadecimal.

$n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141$

____

The number $2^{256}$ is huge, but it can still be stored in 32 bytes (little data), and so private keys can be stored relatively easy.

Check if the point G is on the secp256k1 curve:

In [33]:
gx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
p = 2**256 - 2**32 - 977
print(gy**2 % p == (gx**3 + 7) % p)

True


Checking if the Generator point, *G*, has order *n*

In [34]:
from ecc import FieldElement, Point
gx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
p = 2**256 - 2**32 - 977
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
x = FieldElement(gx, p)
y = FieldElement(gy, p)
seven = FieldElement(7, p)
zero = FieldElement(0, p)
G = Point(x, y, zero, seven)
print(n*G)

Point(infinity)


Multiplying the base point *G* by the order of the group *𝑛* results in the point at infinity. As scalar multiples of *G* increase and eventually each *n*, the resulting point "wraps around" and returns to the identity element of the group — the point at infinity.

In [35]:
from ecc import G, N
print(N*G)

S256Point(infinity)


**Signing and Verification**

10 people want to verify you can hit their target to prove youre a good archer. Difference between Shooting 10 separately chosen targets versus 10 people watching you shoot one target, they may think yuo are good at hitting that one target rather than hitting any target at that range.

If we inscribe the arrow as we shoot for the target we want to hit, the observers will see the inscription and see that it hits the target, veriying we are good archers.

So, when we do bitcoin transactions, we want to prove our possession of the bitcoin with a secret number. We want to prove we know the secret without revealing the secret.

**Inscribing the target**

The secret is *e* satisfying the following:

$eG= p$

*P* is the public key and *e* is the private key.

The target, $R$, is a random number ,*k*:

$kG = R$

We only care about $R_x$ or $r$.

The following is equivalent to the *discrete log problem*

$uG +vP = kG$

$k$ is chosen randomly.

$u$ & $v$ can be chosen by the signer,

$G$ and $P$ are known.

$\therefore uG +vP = kG \rightarrow vP = (k - u)G$

$P = ((k-u)/v)G$

If we know $e$,

$eG = ((k-u )/v)G$ or

$e =(k-u)/v$

**What does it mean that $u,v$ are chosen by the signer?**
____

**Inscribing the arrow tip**

The *signature hash*, *z*, is incorporated into our $uG + vP$.

$u = z/s$,

$v = r/s$

To find *s*,

$uG + vP = R = kG$

$uG + veG = kG$

$u + ve = k$

$z/s + re/s = k$

$(z+ re)/s =k $

$s = (z+re)/k$

 If $R_x$ equals $r$, the signature is valid.

In [37]:
from ecc import S256Point, G, N
z = 0xbc62d4b80d9e36da29c16c5d4d9f11731f36052c72401a76c23c0fb5a9b74423 #hash of 'the thing being signed'
r = 0x37206a0610995c58074999cb9767b87af4c4978db68c06e8e6e81d282047a7c6 #signature
s = 0x8ca63759c1157ebeaec0d03cecca119fc9a75bf8e6d0fa65c841c8e2738cdaec #signature
px = 0x04519fac3d910ca7e7138f7013706f619fa8f033e6ec6e09370ea38cee6a7574 #x coordinate of public key
py = 0x82b51eab8c27c66e26c858a079bcdf4f1ada34cec420cafc7eac1a42216fb6c4 #y coordinate of public key
point = S256Point(px, py)
s_inv = pow(s, N-2, N) #using 'fermat's little theorem' for 1/s since n is prime.

u = z*s_inv % N
v = r*s_inv % N
print((u*G + v*point).x.num == r)

True


### Exercise 6



Verify whether these signatures are valid:

```
P = (0x887387e452b8eacc4acfde10d9aaf7f6d9a0f975aabb10d006e4da568744d06c,
0x61de6d95231cd89026e286df3b6ae4a894a3378e393e93a0f45b666329a0ae34)

# signature 1
z = 0xec208baa0fc1c19f708a9ca96fdeff3ac3f230bb4a7ba4aede4942ad003c0f60
r = 0xac8d1c87e51d0d441be8b3dd5b05c8795b48875dffe00b7ffcfac23010d3a395
s = 0x68342ceff8935ededd102dd876ffd6ba72d6a427a3edb13d26eb0781cb423c4

# signature 2
z = 0x7c076ff316692a3d7eb3c3bb0f8b1488cf72e1afcd929e29307032997a838a3d
r = 0xeff69ef2b1bd93a66ed5219add4fb51e11a840f404876325a1e8ffe0529a2c
s = 0xc7207fee197d27c618aea621406f6bf5ef6fca38681d82b2f06fddbdce6feab6
```

In [38]:
# Exercise 6
from ecc import S256Point, G, N
point = S256Point(
    0x887387e452b8eacc4acfde10d9aaf7f6d9a0f975aabb10d006e4da568744d06c,
    0x61de6d95231cd89026e286df3b6ae4a894a3378e393e93a0f45b666329a0ae34)

# signature 1
z = 0xec208baa0fc1c19f708a9ca96fdeff3ac3f230bb4a7ba4aede4942ad003c0f60
r = 0xac8d1c87e51d0d441be8b3dd5b05c8795b48875dffe00b7ffcfac23010d3a395
s = 0x68342ceff8935ededd102dd876ffd6ba72d6a427a3edb13d26eb0781cb423c4

s_inv = pow(s, N-2, N)
u = z * s_inv % N
v = r * s_inv % N

print((u*G + v*point).x.num == r)

from ecc import S256Point, G, N
# signature 2
z = 0x7c076ff316692a3d7eb3c3bb0f8b1488cf72e1afcd929e29307032997a838a3d
r = 0xeff69ef2b1bd93a66ed5219add4fb51e11a840f404876325a1e8ffe0529a2c
s = 0xc7207fee197d27c618aea621406f6bf5ef6fca38681d82b2f06fddbdce6feab6

s_inv = pow(s, N-2, N)
u = z * s_inv % N
v = r * s_inv % N

print((u*G + v*point).x.num == r)

True
True


Using the public key that is a point on the `secp256k1` curve and a signature hash, *z*, we can verify whether the signature is valid.

In [39]:
from ecc import S256Point, G, N
from helper import hash256
e = int.from_bytes(hash256(b'my secret'), 'big')
z = int.from_bytes(hash256(b'my message'), 'big')
k = 1234567890
r = (k*G).x.num
k_inv = pow(k, N-2, N)
s = (z+r*e) * k_inv % N
point = e*G
print(point)

print(hex(z))

print(hex(r))

print(hex(s))

S256Point(028d003eab2e428d11983f3e97c3fa0addf3b42740df0d211795ffb3be2f6c52, 0ae987b9ec6ea159c78cb2a937ed89096fb218d9e7594f02b547526d8cd309e2)
0x231c6f3d980a6b0fb7152f85cee7eb52bf92433d9919b9c5218cb08e79cce78
0x2b698a0f0a4041b77e63488ad48c23e8e8838dd1fb7520408b121697b782ef22
0xbb14e602ef9e3f872e25fad328466b34e6734b7a0fcd58b1eb635447ffae8cb9


In [40]:
from ecc import Signature
sig = Signature(r, s)

print(point.verify(z, sig))

True


### Exercise 7



Sign the following message with the secret

```
e = 12345
z = int.from_bytes(hash256('Programming Bitcoin!'), 'big')
```

In [41]:
# Exercise 7
from ecc import S256Point, G, N
from helper import hash256
# Exercise 7

e = 12345
z = int.from_bytes(hash256(b'Programming Bitcoin!'), 'big')

# choose a random k
# calculate r (kG's x-coordinate)
# calculate s ((z+re)/k)
# print the point, z, r and s

k = 39485673409
r = (k*G).x.num
k_inv = pow(k, N-2, N)
s = (z+r*e) * k_inv % N
point = e*G
print(point)

print(hex(z))

print(hex(r))

print(hex(s))

S256Point(f01d6b9018ab421dd410404cb869072065522bf85734008f105cf385a023a80f, 0eba29d0f0c5408ed681984dc525982abefccd9f7ff01dd26da4999cf3f6a295)
0x969f6056aa26f7d2795fd013fe88868d09c9f6aed96965016e1936ae47060d48
0xc8d496763d19d315a13642511222571788300dc48f72307e1eca1083db54448d
0x56faae456034221e1443a6cea95e238491bf7af3fd72884432c3d25a4689f0ed


In [42]:
from ecc import Signature
sig = Signature(r, s)

print(point.verify(z, sig))

True


With our private key *e*, we've hashed (or encoded) the message 'programming bitcoin' using SHA256 to produce a hash message, *z*.

Next we choose a random *k* (nonce or ephemeral key), this is unique and secret for every signature. **what makes it unique? how is it chosen?**

We use known secp256k1 elliptic curve values being the *generator point* or *base point*, *G*, and the order of the generator point, *N*, to find the x coordinate of the point $k\cdot G$.

Next we calculate the modular inverse of *k* modulo the curve order *N* and we can now find the signature component *s* using the ECDSA formula derived previously.

Finally we can output the public key $e\cdot G$, the message hash *z*, and the signature components *r* and *s*.

The signature components can be verified using the public key and message hash via reconstructing the point and equating them, done in the `verify` method.