How ECDSA Signatures Work: The Signing Pipeline

In Bitcoin, a digital signature proves that the sender authorized a transaction without exposing their secret private key. Bitcoin uses the Elliptic Curve Digital Signature Algorithm (ECDSA) over the secp256k1 curve.

To sign a transaction, a wallet executes a strict mathematical pipeline that combines the message hash, a private key, and a randomly generated ephemeral number.

---

🔑 The Core Cryptographic Inputs

An ECDSA signature requires three inputs:

1. The Private Key ($k$): The secret 256-bit scalar integer.
2. The Message Hash ($z$): The transaction preimage. To prevent transaction data from being manipulated, the raw serialized transaction is hashed twice using SHA-256:

$$z = \text{First 32 bytes of } SHA256(SHA256(\text{Transaction Data}))$$

1. The Ephemeral Key (Nonce, $k_{\text{ephemeral}}$): A secret, cryptographically strong random number generated on-the-fly for this specific signature. It must be strictly bounded within the curve order:

$$1 \le k_{\text{ephemeral}} < n$$

---

🧮 The Step-by-Step Signing Pipeline

┌──────────────────────────────────────┐
│       1. Generate Ephemeral Nonce    │ (k_ephemeral)
└──────────────────┬───────────────────┘
                   │
                   ▼ [ Elliptic Curve Point Multiplication ]
┌──────────────────────────────────────┐
│      Ephemeral Point R = k_ep * G     │ (x_R, y_R)
└──────────────────┬───────────────────┘
                   │
                   ▼ [ Take X-Coordinate Modulo n ]
┌──────────────────────────────────────┐
│           Signature Component r      │ (r = x_R mod n)
└──────────────────┬───────────────────┘
                   │
                   ▼ [ Compute Modular Multiplicative Inverse ]
┌──────────────────────────────────────┐
│            k_ephemeral^(-1)          │
└──────────────────┬───────────────────┘
                   │
                   ▼ [ Compute Signature Equation ]
┌──────────────────────────────────────┐
│           Signature Component s      │ (s = k_ep^(-1) * (z + r * k) mod n)
└──────────────────┬───────────────────┘
                   │
                   ▼
┌──────────────────────────────────────┐
│       Final Signature Tuple (r, s)   │
└──────────────────────────────────────┘

---

⚙️ Mathematical Execution

To compute the signature tuple $(r, s)$:

Step 1: Calculate the Ephemeral Point

The wallet multiplies the ephemeral nonce $k_{\text{ephemeral}}$ by the standard generator point $G$ to yield a coordinate point $R$ on the elliptic curve:

$$R(x_R, y_R) = k_{\text{ephemeral}} \cdot G$$

Step 2: Compute the $r$ Component

The first part of our signature, $r$, is simply the $x$-coordinate of the ephemeral point $R$, taken modulo the curve order $n$:

$$r = x_R \pmod n$$

• Boundary Exception: If $r = 0$, the wallet must discard $k_{\text{ephemeral}}$ and generate a new one.

Step 3: Compute the $s$ Component

The second part of our signature, $s$, binds the message hash $z$, the private key $k$, the $r$ component, and the ephemeral nonce together:

$$s = k_{\text{ephemeral}}^{-1} \cdot (z + r \cdot k) \pmod n$$

• Boundary Exception: If $s = 0$, the wallet must discard the nonce and start over.
• Modular Multiplicative Inverse: $k_{\text{ephemeral}}^{-1}$ is the unique integer satisfying:

$$k_{\text{ephemeral}}^{-1} \cdot k_{\text{ephemeral}} \equiv 1 \pmod n$$

---

🎨 The Signature Output

The final signature is exported as the integer pair:

$$\text{Signature} = (r, s)$$

Because $r$ and $s$ are elements of a finite field bounded by the curve order $n$, both are 256-bit (32-byte) integers. When combined, they form a 64-byte cryptographic proof of spend authorization.