How ECDSA Signatures Work: The Anchor Guide to Spend Authorization
Executive Summary: The Elliptic Curve Digital Signature Algorithm (ECDSA) is the mechanism that allows Bitcoin users to authorize transactions without ever revealing their private keys. By combining a message hash, a private key, and a one-time "Ephemeral Nonce," ECDSA generates a two-part mathematical proof $(r, s)$. This signature proves to every node on the network that the sender possesses the correct secret key for a specific UTXO, ensuring that only the rightful owner can move funds.
🔍 Why This Module Matters
If private keys are the "Secret" and public keys are the "ID," then the Digital Signature is the "Handshake." It is the most complex part of the Bitcoin transaction lifecycle. Without it, there would be no way to move coins safely across an open network. In this module, we will deconstruct the mathematical "Signing Pipeline," explain the critical role of the Ephemeral Nonce, and show why a single mistake in signature generation can lead to a total loss of funds.
🏛️ The Three Pillars of an ECDSA Signature
To create a signature, a wallet needs three distinct pieces of data:
- The Private Key (k): Your 256-bit secret.
- The Message Hash (z): A double-SHA256 hash of the transaction data. This "commits" the signature to a specific set of inputs and outputs—you can't sign a transaction and then have someone change the recipient's address later.
- The Ephemeral Nonce (k_ep): A one-time random number. This is the most dangerous part of the process. If you ever use the same nonce twice for two different signatures, your private key can be calculated by anyone in seconds.
⚙️ The Signing Pipeline: Step-by-Step
Signature generation follows a rigid algebraic sequence:
Step 1: The Ephemeral Point (R)
The wallet generates the nonce $k_{ep}$ and multiplies it by the Generator Point ($G$). $$R(x, y) = k_{ep} \cdot G$$ The $x$-coordinate of this point, reduced modulo the curve order $n$, becomes the first half of your signature: r.
Step 2: The Signature Equation (s)
The second half, s, is calculated using a modular linear equation that binds all the components together: $$s = k_{ep}^{-1} \cdot (z + r \cdot k) \pmod n$$
- $k_{ep}^{-1}$: The modular inverse of the nonce.
- $z$: The message hash (the "what" you are signing).
- $r \cdot k$: The link between the signature and your private key.
```mermaid
graph TD
    A[TX Preimage] --> B[Double SHA-256 Hash z]
    C[Private Key k] --> D[Signature Equation s]
    E[Nonce k_ep] --> F[Point Multiplication R]
    F --> G[r = R.x]
    G --> D
    B --> D
    D --> H[Final Sig: r, s]
```
🛡️ Nonce Security: The Fatal Vulnerability
The "Ephemeral" in Ephemeral Nonce means "lasting for a very short time."
- The Trap: If an attacker sees two different signatures $(r, s_1)$ and $(r, s_2)$ with the same $r$ (meaning the same nonce was used), they can perform simple algebra to solve for your private key $k$.
- The Solution (RFC 6979): Modern professional wallets generate the nonce deterministically by hashing the private key and the message. This ensures the nonce is always unique for every different transaction, even if the user's random number generator is broken.
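The deterministic nonce described in the RFC 6979 item above can be sketched as follows. This is an added example, not code from the original page or from any wallet; the function name `rfc6979_nonce` and the sample inputs are assumptions, and it covers only the secp256k1 + HMAC-SHA256 case where the hash and the curve order are both 256 bits.

```python
import hashlib
import hmac

# secp256k1 group order n
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _mac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def rfc6979_nonce(k, z):
    """Derive k_ep from private key k (int) and 32-byte message hash z."""
    if not 1 <= k < N or len(z) != 32:
        raise ValueError("need 1 <= k < n and a 32-byte hash")
    x = k.to_bytes(32, "big")                               # int2octets(k)
    h = (int.from_bytes(z, "big") % N).to_bytes(32, "big")  # bits2octets(z)
    v, hk = b"\x01" * 32, b"\x00" * 32                      # initial V and K
    hk = _mac(hk, v + b"\x00" + x + h)
    v = _mac(hk, v)
    hk = _mac(hk, v + b"\x01" + x + h)
    v = _mac(hk, v)
    while True:
        v = _mac(hk, v)                  # one HMAC output is already 256 bits
        k_ep = int.from_bytes(v, "big")
        if 1 <= k_ep < N:                # reject out-of-range candidates
            return k_ep
        hk = _mac(hk, v + b"\x00")       # re-key and try again
        v = _mac(hk, v)
```

Because the nonce depends only on the key and the hash, signing the same transaction twice yields the same signature, while any change to the message yields an unrelated nonce.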
| Component | Role | Size |
|---|---|---|
| r | Commitment to the random point. | 32 Bytes |
| s | Commitment to the key and message. | 32 Bytes |
| DER Encoding | Formatting for the blockchain. | ~70-72 Bytes |
💎 Signature Verification: The Node's Check
When a node receives your signature, it doesn't "decrypt" it. It performs a Verification Equality.
- It calculates two scalars (integers modulo $n$): $u_1 = z \cdot s^{-1}$ and $u_2 = r \cdot s^{-1}$.
- It calculates the curve point $P = u_1 \cdot G + u_2 \cdot K$ (where $K$ is your public key).
- If the $x$-coordinate of $P$ matches your signature's r, the signature is valid.
- Privacy: Notice the node never sees your private key $k$. The math "proves" you have it without revealing it.
🎯 Learning Objectives for this Module
By the end of this module, you will be able to:
- Identify the three mandatory inputs for an ECDSA signature.
- Explain how the $r$ and $s$ components are derived algebraically.
- Describe the catastrophic risk of "Nonce Reuse."
- Understand the role of SHA-256 hashing in creating the "Transaction Preimage."
- Articulate why signature verification allows for trustless ownership proof.
🗺️ Module Roadmap: What's Next?
Now that we've generated the raw $(r, s)$ integers, we must pack them for the network:
- DER Serialization: How the integers are formatted as bytes.
- The off-by-one OP_0 bug: Exploring the history of multisig signature bugs.
- BIP-66 Strict DER: Why "Low-S" signatures are required for consensus.
- Schnorr vs ECDSA: How the new Taproot signatures improve on this model.
🎓 Summary
ECDSA signatures are the "Authorization Layer" of the Bitcoin network. They combine the one-way properties of elliptic curves with the integrity of cryptographic hashes to create a spend-proof that is virtually impossible to forge. By mastering the Signing Pipeline, you gain insight into the specific mathematical mechanics that keep your bitcoin secure in the face of a global network of observers.