PP - crypto.fmf.ktu.ltcrypto.fmf.ktu.lt/lt/telekonf/archyvas/Data... · PuK1==98982789 AddrA=...


ECDSA standards: Standards for Efficient Cryptography Group (SEC), http://www.secg.org/
Bitcoin follows the secp256k1 standard.

Public Parameters: PP=(EC=secp256k1, BasePoint=G);
Addition operations of points in the Elliptic Curve (EC);
BasePoint G is a generator of the additive EC Group of points.
Let the number of points in the EC Group be |EC Group|=N;
Private Key of the EC Cryptosystem (ECC) is PrK ECCS=x
>> x=randi(N)

Public Key of ECCS is PuK ECCS=A=x•G, where • means x-time additions of points G in EC, i.e. multiplication of G by x.

We use an ElGamal-type cryptosystem and its Public Parameters.

Public Parameters: PP=(strongprime=p, generator=g);
Multiplication operations mod p of numbers in the group of integers Zp={1, 2, 3, ..., p-1} mod p.
For the toy example, let p have the number of bits |p|=28.
Private Key PrK=x.
>> x=randi(p-1) % or
>> x=randi(2^26) % then x is of length of less than 26 bits.

011_2020_DS Bitcoin-4


Public Key is PuK=a=x•g mod p.

ElGamal Cryptosystem (CS):
  PP=(strongprime=p, generator=g); p=255996887; g=22;
  PrK=x
  >> x=randi(p-1) % or >> x=randi(2^26)
  PuK=a=x•g

Elliptic Curve Cryptosystem (CS):
  PP=(EC=secp256k1, BasePoint=G)
  PrK ECC=x; |EC Group|=N
  >> x=randi(N)
  PuK ECCS=A=x•G

Alice A: x=1975596; a=210649132;

p in binary: pb = 1111010000100011001111010111, |p|=28 bits.

In our consideration we assume that the Bitcoin Public Key is the same as the Bitcoin Address for all users, e.g.: PukA=a=210649132=AddrA

Alice received 1200 and 2300 Sat from transactions Tx1 and Tx2 respectively. Alice sends 2100 Sat to Bob and returns to herself change 3500 Sat.

1200 + 2300 = 2100 + 1400 = 3500 Sat.

Alice A: PrkA=x=1975596; PukA=a=210649132; AddrA=PukA

Bob B: y=43440755; b=10039541; AddrB=PukB

Transaction diagram (each output is shown together with the input that spends it):

Tx1, Out1 -> TxA, InA1 (1200 Sat):
  HTx1=56531970; Sat=1200; PuK1=98982789; AddrA=210649132; Sig1=(s1,t1)=(19054509, 47064464)

Tx2, Out2 -> TxA, InA2 (2300 Sat):
  HTx2=67497465; Sat=2300; PuK2=62556582; AddrA=210649132; Sig2=(s2,t2)=(93914475, 50582226)

TxA, OutA1 -> TxB, InB1 (2100 Sat):
  HTxA=2BFC1D9; Sat=2100; PukA=210649132; AddrB=10039541; SigA=(sAh,tAh)=(1BC22A4, 521DAEF)

TxA, OutA2 -> TxAChange, InA3 (1400 Sat):
  HTxA=2BFC1D9; Sat=1400; PukA=210649132; AddrA=210649132; SigA=(sAh,tAh)=(1BC22A4, 521DAEF)

Body of transaction TxA:

TimeStamp=TS=2020.05.07.17:29:59
PukA=210649132
HIn=H(In1||In2)=CF1FAC2
HOut=H(Out1||Out2)=BBFEB44
HSigA=H(HIn||HOut||TS||PukA)=F47C9E1
SignatA(PrKA,HSigA)=SigA=(sAh, tAh)=(1BC22A4, 521DAEF)
HTxA=H(HSigA||SigA)=2BFC1D9

HIn1=h28('HTx1=56531970||Sat1=1200||Puk1=98982789')= C24E70C
HIn2=h28('HTx2=67497465||Sat2=2300||Puk2=62556582')= 9D4B065
HIn=h28('HIn1=C24E70C||HIn2=9D4B065')= CF1FAC2

HOut1=h28('Sat3=2100||PukA=210649132||AddrB=10039541')= EA4096F
HOut2=h28('Sat4=1400||PukA=210649132||AddrA=210649132')= 9D1243B
HOut=h28('HOut1=EA4096F||HOut2=9D1243B')= BBFEB44

HSigA=h28('HIn=CF1FAC2||HOut=BBFEB44||TS=2020.05.07.17:29:59||PukA=210649132')= F47C9E1

SignatA(PrKA, HSigA)=SigA=(sAh, tAh)=(1BC22A4, 521DAEF)

HTxA=h28('HSigA=F47C9E1||SigA=(1BC22A4, 521DAEF)')= 2BFC1D9

% is a comment in Octave and this string is ignored

>> HIn1=h28('HTx1=56531970||Sat1=1200||PuK1=98982789')
HIn1 = C24E70C
>> HIn2=h28('HTx2=67497465||Sat2=2300||PuK2=62556582')
HIn2 = 9D4B065
>> HIn=h28('HIn1=C24E70C||HIn2=9D4B065')
HIn = CF1FAC2

>> HOut1=h28('Sat3=2100||PuKA=210649132||AddrB=10039541')
HOut1 = EA4096F
>> Hout2=h28('Sat4=1400||PuKA=210649132||AddrA=210649132')
Hout2 = 9D1243B
>> HOut=h28('HOut1=EA4096F||HOut2=9D1243B')
HOut = BBFEB44

>> HSigA=h28('HIn=CF1FAC2||HOut=BBFEB44||TS=2020.05.07.17:29:59||PukA=210649132')
HSigA = F47C9E1
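The hash chain above rebuilt in Python, as an added example that is not part of the original notes. It shows that HSigA commits to every input and output field, so editing any field changes the digest Alice signed. Assumptions: h28 is not defined on the page, so a stand-in (SHA-256 cut to 28 bits) is used and the digests differ from the page's values; the function names and the edited address 12345678 are constructed.

```python
import hashlib

def h28(text: str) -> str:
    # Stand-in (assumption): the page does not define h28, so SHA-256 cut to
    # 28 bits is used here; digests differ from the values on the page.
    full = int.from_bytes(hashlib.sha256(text.encode()).digest(), "big")
    return format(full >> (256 - 28), "07X")

def hsig(inputs, outputs, ts, puk):
    """Digest the sender signs: h28(HIn || HOut || TS || PuK), labelled as on the page.

    inputs  -- list of (HTx, Sat, PuK) for the outputs being spent
    outputs -- list of (Sat, address label, address)
    """
    if sum(sat for _, sat, _ in inputs) != sum(sat for sat, _, _ in outputs):
        raise ValueError("inputs and outputs do not balance")
    h_in = [h28(f"HTx{n}={htx}||Sat{n}={sat}||PuK{n}={pk}")
            for n, (htx, sat, pk) in enumerate(inputs, 1)]
    first_out = len(inputs) + 1          # the page numbers the outputs Sat3, Sat4
    h_out = [h28(f"Sat{n}={sat}||PuKA={puk}||{label}={addr}")
             for n, (sat, label, addr) in enumerate(outputs, first_out)]
    hin = h28("||".join(f"HIn{n}={h}" for n, h in enumerate(h_in, 1)))
    hout = h28("||".join(f"HOut{n}={h}" for n, h in enumerate(h_out, 1)))
    return h28(f"HIn={hin}||HOut={hout}||TS={ts}||PukA={puk}")

# Alice's transaction TxA with the values from the page
INPUTS = [(56531970, 1200, 98982789), (67497465, 2300, 62556582)]
OUTPUTS = [(2100, "AddrB", 10039541), (1400, "AddrA", 210649132)]
TS, PUK_A = "2020.05.07.17:29:59", 210649132

def edited_outputs():
    # Constructed edit: same amounts, but the AddrB field is changed.
    return [(2100, "AddrB", 12345678), (1400, "AddrA", 210649132)]

if __name__ == "__main__":
    print("HSigA (stand-in hash):", hsig(INPUTS, OUTPUTS, TS, PUK_A))
    print("after address edit:   ", hsig(INPUTS, edited_outputs(), TS, PUK_A))
```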

>> p=255996887 % first public parameter: strong prime number
p = 255996887 % >> p=genstrong(2^28)
>> g=22 % second public parameter: generator
g = 22 % g must meet two criteria

>> PrKA=1975596 % Private Key
PrKA = 1975596
>> PuKA=210649132
PuKA = 210649132 % Public Key

>> mh=HSigA % mh – message in hex format; the signature must
mh = F47C9E1 % be placed on the message in dec format
>> m=hex2dec(mh) % m – message to be signed in dec format
m = 256362977

>> k=45931090 % enter k without computing >> k=randi(2^26)
k = 45931090 % for the first time for certainty of computations
>> tA=mod_exp(g,k,p)
tA = 86104815 % the second component of Alice signature tA

>> conc=concat(m,tA) % concatenation of two strings: m and tA
conc = 25636297786104815 % m||tA=256362977||86104815=25636297786104815

>> h=hd26(conc) % computation of h-value for computing signature
h = 37511075 % on this h-value

>> sA=mod(k+PrKA*h,p-1) % the first component of Alice signature sA
sA = 29106852

% signature verification: signature is valid if
% tA•PuKA^h mod p = g^sA mod p
>> aph=mod_exp(PuKA,h,p)
aph = 62083210 % PuKA^h mod p computation
>> tAaph=mod(tA*aph,p)
tAaph = 60547013 % tA•PuKA^h mod p computation
>> gps=mod_exp(g,sA,p)
gps = 60547013 % g^sA mod p computation

>> sAh=dec2hex(sA) % first signature computation in hex format
sAh = 1BC22A4
>> tAh=dec2hex(tA) % second signature computation in hex format
tAh = 521DAEF

% Alice transaction TxA h-value computation HTxA
% HTxA is used to include transaction
>> HTxA=h28('HSigA=F47C9E1||sAh=1BC22A4||tAh=521DAEF')
HTxA = 2BFC1D9
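The signing and verification steps of the session above as a self-contained Python sketch, added here as an example and not part of the original notes. Assumptions: hd26 is not defined on the page, so `hd26` below is a stand-in (SHA-256 cut to 26 bits), and `page_hash` replays the h-value the page reports so that the page's sA can be reproduced; all function names are constructed.

```python
import hashlib

P, G = 255996887, 22                 # public parameters p, g from the page

def hd26(conc: str) -> int:
    # Stand-in (assumption): SHA-256 cut to 26 bits; the course's hd26 differs.
    return int.from_bytes(hashlib.sha256(conc.encode()).digest(), "big") >> (256 - 26)

def sign(x, m, k, hash_fn=hd26):
    """Return (s, t) with t = g^k mod p, h = H(m||t), s = (k + x*h) mod (p-1)."""
    if not 0 < k < P - 1:
        raise ValueError("k must be in 1..p-2")
    t = pow(G, k, P)
    h = hash_fn(f"{m}{t}")           # decimal concatenation, like concat(m,tA)
    return (k + x * h) % (P - 1), t

def verify(a, m, s, t, hash_fn=hd26):
    """Accept iff t * a^h mod p == g^s mod p, after range checks on s and t."""
    if not (0 < t < P and 0 <= s < P - 1):
        return False
    h = hash_fn(f"{m}{t}")
    return t * pow(a, h, P) % P == pow(G, s, P)

# Values from the page: Alice's private key, the fixed k, m = hex2dec(HSigA), h
X_A, K, M, H_PAGE = 1975596, 45931090, 256362977, 37511075

def page_hash(conc: str) -> int:
    # Replays the h-value the page reports for its m||tA (hd26 itself is unknown).
    return H_PAGE

if __name__ == "__main__":
    a = pow(G, X_A, P)                            # public key g^x mod p
    s, t = sign(X_A, M, K, page_hash)
    print("sA =", s, "hex", format(s, "X"))
    print("valid:", verify(a, M, s, t, page_hash))
    print("altered s:", verify(a, M, (s + 1) % (P - 1), t, page_hash))
```

The page fixes k only so that the computation is reproducible; in the scheme itself k is drawn fresh with randi for every signature.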