TeachMeBitcoin

How ECDSA Signatures Work: The Anchor Guide to Spend Authorization

From TeachMeBitcoin, the free encyclopedia Reading time: 5 min

How ECDSA Signatures Work: The Anchor Guide to Spend Authorization

IMPORTANT

Executive Summary: The Elliptic Curve Digital Signature Algorithm (ECDSA) is the mechanism that allows Bitcoin users to authorize transactions without ever revealing their private keys. By combining a message hash, a private key, and a one-time "Ephemeral Nonce," ECDSA generates a two-part mathematical proof $(r, s)$. This signature proves to every node on the network that the sender possesses the correct secret key for a specific UTXO, ensuring that only the rightful owner can move funds.


🔍 Why This Module Matters

If private keys are the "Secret" and public keys are the "ID," then the Digital Signature is the "Handshake." It is the most complex part of the Bitcoin transaction lifecycle. Without it, there would be no way to move coins safely across an open network. In this module, we will deconstruct the mathematical "Signing Pipeline," explain the critical role of the Ephemeral Nonce, and show why a single mistake in signature generation can lead to a total loss of funds.


🏛️ The Three Pillars of an ECDSA Signature

To create a signature, a wallet needs three distinct pieces of data:

  1. The Private Key (k): Your 256-bit secret.

  2. The Message Hash (z): A double-SHA256 hash of the transaction data. This "commits" the signature to a specific set of inputs and outputs—you can't sign a transaction and then have someone change the recipient's address later.

  3. The Ephemeral Nonce (k_ep): A one-time random number. This is the most dangerous part of the process. If you ever use the same nonce twice for two different signatures, your private key can be calculated by anyone in seconds.


⚙️ The Signing Pipeline: Step-by-Step

Signature generation follows a rigid algebraic sequence:

Step 1: The Ephemeral Point (R)

The wallet generates the nonce $k_{ep}$ and multiplies it by the Generator Point ($G$). $$R(x, y) = k_{ep} \cdot G$$ The $x$-coordinate of this point becomes the first half of your signature: r.

Step 2: The Signature Equation (s)

The second half, s, is calculated using a modular linear equation that binds all the components together: $$s = k_{ep}^{-1} \cdot (z + r \cdot k) \pmod n$$

graph TD
 A[TX Preimage] --> B[Double SHA-256 Hash z]
 C[Private Key k] --> D[Signature Equation s]
 E[Nonce k_ep] --> F[Point Multiplicaton R]
 F --> G[r = R.x]
 G --> D
 B --> D
 D --> H[Final Sig: r, s]

🛡️ Nonce Security: The Fatal Vulnerability

The "Ephemeral" in Ephemeral Nonce means "lasting for a very short time."

Component Role Size
r Commitment to the random point. 32 Bytes
s Commitment to the key and message. 32 Bytes
DER Encoding Formatting for the blockchain. ~70-72 Bytes

💎 Signature Verification: The Node's Check

When a node receives your signature, it doesn't "decrypt" it. It performs a Verification Equality.

  1. It calculates two points on the curve: $u1 = z \cdot s^{-1}$ and $u2 = r \cdot s^{-1}$.

  2. It calculates $P = u1 \cdot G + u2 \cdot K$ (where $K$ is your public key).

  3. If the $x$-coordinate of $P$ matches your signature's r, the signature is valid.

  4. Privacy: Notice the node never sees your private key $k$. The math "proves" you have it without revealing it.


🎯 Learning Objectives for this Module

By the end of this module, you will be able to:

  1. Identify the three mandatory inputs for an ECDSA signature.

  2. Explain how the $r$ and $s$ components are derived algebraically.

  3. Describe the catastrophic risk of "Nonce Reuse."

  4. Understand the role of SHA-256 hashing in creating the "Transaction Preimage."

  5. Articulate why signature verification allows for trustless ownership proof.


🗺️ Module Roadmap: What's Next?

Now that we've generated the raw $(r, s)$ integers, we must pack them for the network:

  1. DER Serialization: How the integers are formatted as bytes.

  2. The off-by-one OP_0 bug: Exploring the history of multisig signature bugs.

  3. BIP-66 Strict DER: Why "Low-S" signatures are required for consensus.

  4. Schnorr vs ECDSA: How the new Taproot signatures improve on this model.


🎓 Summary

ECDSA signatures are the "Authorization Layer" of the Bitcoin network. They combine the one-way properties of elliptic curves with the integrity of cryptographic hashes to create a spend-proof that is virtually impossible to forge. By mastering the Signing Pipeline, you gain insight into the specific mathematical mechanics that keep your bitcoin secure in the face of a global network of observers.

☕ Help support TeachMeBitcoin

TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation:

Ethereum: 0x578417C51783663D8A6A811B3544E1f779D39A85
Bitcoin: bc1q77k9e95rn669kpzyjr8ke9w95zhk7pa5s63qzz
Solana: 4ycT2ayqeMucixj3wS8Ay8Tq9NRDYRPKYbj3UGESyQ4J
Address copied to clipboard!