Chapter Five

The secp256k1 Curve

"Simplicity is the ultimate sophistication."
— Attributed to Leonardo da Vinci

We now focus our attention on the specific elliptic curve chosen by Satoshi Nakamoto for Bitcoin: secp256k1. This curve, defined in the "Standards for Efficient Cryptography" (SEC) document, possesses properties that make it both efficient to compute and resistant to known attacks.

Understanding secp256k1 in detail is essential for anyone seeking to comprehend Bitcoin at its deepest level. Every private key, every public key, every digital signature in Bitcoin emerges from operations on this curve.

5.1 The Name Decoded

The cryptic name "secp256k1" encodes several pieces of information:

  • SEC: Standards for Efficient Crypto
  • p: Prime field
  • 256: 256-bit field size
  • k: "Koblitz" type
  • 1: First in category
Figure 5.1: Decoding the secp256k1 name.

On the "k" in secp256k1

The SEC naming convention uses "k" for curves with efficiently computable endomorphisms (enabling the GLV optimization for scalar multiplication). While this is often called a "Koblitz curve" in informal usage, the term has a different, more specific meaning in the mathematical literature: Koblitz curves are defined over binary fields 𝔽_{2^m} (Koblitz, 1991; Hankerson/Menezes/Vanstone, Def. 3.85). secp256k1, defined over a prime field, is not a Koblitz curve in this formal sense. The simplicity of its parameters (a = 0, b = 7) means there is no suspicion of hidden backdoors.

5.2 The Curve Equation

Definition 5.1 (The secp256k1 Curve)

The secp256k1 curve is defined by the equation:

y² = x³ + 7

over the prime field 𝔽ₚ, where:

a = 0,   b = 7

The simplicity of this equation—the absence of the ax term—makes certain optimizations possible. It also means that the curve parameters are completely transparent: there are no mysterious constants that might conceal a mathematical trapdoor.

[Plot: y² = x³ + 7 over ℝ (for visualization); axes x and y; x-intercept at −∛7; single component.]
Figure 5.2: The secp256k1 curve over the real numbers. The actual cryptographic curve exists over a finite field.

5.3 The Field Parameters

The curve is defined over a prime field of size approximately 2²⁵⁶. The specific prime was chosen for its special form, which allows efficient modular reduction.

Definition 5.2 (The Field Prime p)

The prime p for secp256k1 is:

p = 2²⁵⁶ − 2³² − 2⁹ − 2⁸ − 2⁷ − 2⁶ − 2⁴ − 1

Or equivalently:

p = 2²⁵⁶ − 2³² − 977

Example 5.1 (The Prime in Various Representations)

Hexadecimal:

p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF
    FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

Decimal:

p = 115792089237316195423570985008687907853269984665640564039457584007908834671663

This is a 256-bit number, approximately 1.158 × 10⁷⁷.

Why This Specific Prime?

The form p = 2²⁵⁶ − 2³² − c (where c = 977 is small) enables fast modular reduction. When computing x mod p for a 512-bit number x, we can use the identity:

2²⁵⁶ ≡ 2³² + 977 (mod p)

This allows the high bits of x to be folded back into the low bits with simple additions, avoiding expensive division.
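The folding step described above, written out as an added example (not code from the book; the names fold, reduce_512 and mismatches are illustrative). Two folds bring any 512-bit value below 2p, so one conditional subtraction finishes the reduction; the result is compared against Python's built-in % operator on edge cases and on constructed inputs.

```python
import hashlib

P = 2**256 - 2**32 - 977
C = 2**32 + 977                 # 2^256 ≡ C (mod p), the identity from the text
MASK = (1 << 256) - 1

def fold(x):
    """Split x = hi*2^256 + lo and return hi*C + lo, which is congruent to x mod p."""
    return (x >> 256) * C + (x & MASK)

def reduce_512(x):
    """Reduce 0 <= x < 2^512 modulo p using shifts, one small multiply per fold, and adds."""
    if not 0 <= x < (1 << 512):
        raise ValueError("expected a non-negative value below 2^512")
    x = fold(x)    # hi < 2^256, so the result is below 2^256 * (C + 1), about 289 bits
    x = fold(x)    # hi <= C now, so the result is below 2^256 + C^2, which is below 2p
    if x >= P:     # one conditional subtraction; production code does this in constant time
        x -= P
    return x

def mismatches(count=1000):
    """Count disagreements with x % P on edge cases and constructed 512-bit inputs."""
    samples = [0, 1, P - 1, P, P + 1, MASK, MASK + 1, (P - 1) ** 2, (1 << 512) - 1]
    for i in range(count):
        # constructed test inputs: SHA-512 of a counter gives a 512-bit integer
        samples.append(int.from_bytes(hashlib.sha512(i.to_bytes(4, "big")).digest(), "big"))
    return sum(1 for x in samples if reduce_512(x) != x % P)

if __name__ == "__main__":
    print("mismatches against x % p:", mismatches())
```

The product of two field elements is at most (p − 1)², which fits in 512 bits, so this routine covers every value a field multiplication can produce.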

5.4 The Generator Point

Every point operation in Bitcoin begins with a fixed generator point G. This point generates a cyclic subgroup of prime order.

Definition 5.3 (The Generator Point G)

The generator point G = (G_x, G_y) has coordinates:

G_x (hexadecimal):

79BE667E F9DCBBAC 55A06295 CE870B07
029BFCDB 2DCE28D9 59F2815B 16F81798

G_y (hexadecimal):

483ADA77 26A3C465 5DA4FBFC 0E1108A8
FD17B448 A6855419 9C47D08F FB10D4B8

The generator point was chosen such that its order n is a large prime. Starting from G, we can reach any point in the cryptographic subgroup by scalar multiplication.

[Diagram: Key Generation from G. Generator G (fixed, public) × d (scalar mult) → dG = P, the public key (a point on the curve). Private key d → Public key P.]
Figure 5.3: A private key d multiplied by G produces the public key P = dG.

5.5 The Group Order

The order of the generator point G—and hence the size of the cryptographic subgroup—is a prime number slightly less than 2²⁵⁶.

Definition 5.4 (The Group Order n)

The order of G is:

Hexadecimal:

n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE
    BAAEDCE6 AF48A03B BFD25E8C D0364141

Decimal:

n = 115792089237316195423570985008687907852837564279074904382605163141518161494337

This means nG = 𝒪 and n is prime.

The fact that n < p might seem surprising. Hasse's theorem guarantees that |n − (p+1)| ≤ 2√p, but it does not specify whether n is slightly above or below p + 1. For secp256k1, we have n ≈ p − 4.3 × 10³⁸.

Proposition 5.1 (Cofactor)

The cofactor of secp256k1 is h = 1.

This means the entire curve group is cyclic and generated by G:

#E(𝔽ₚ) = n × h = n × 1 = n

Security Implication

A cofactor of 1 is cryptographically ideal. It means there are no "small subgroup" attacks to worry about, and every point on the curve (except 𝒪) has order n.

5.6 Complete Parameter Summary

For reference, here are all the secp256k1 parameters collected together:

Parameter            Symbol   Value
Curve equation       -        y² = x³ + 7
Coefficient a        a        0
Coefficient b        b        7
Field prime          p        2²⁵⁶ − 2³² − 977
Group order          n        ≈ 2²⁵⁶ − 4.3 × 10³⁸
Cofactor             h        1
Generator x-coord    G_x      79BE667EF9DCBBAC...
Generator y-coord    G_y      483ADA7726A3C465...
Security level       -        ~128 bits

5.7 From Parameters to Keys

With the curve parameters established, the objects at the heart of Bitcoin's cryptography are one step away. A private key is an integer d with 1 ≤ d ≤ n − 1, and the corresponding public key is the point P = dG; these objects, their byte encodings, and the address formats built on them are the subject of Chapter 9. Here we record only what the parameters themselves determine about them.

First, the size of n fixes the size of the key space.

Key Space Size

There are approximately 2²⁵⁶ possible private keys. For comparison:

  • Atoms in the observable universe: ~10⁸⁰ ≈ 2²⁶⁶
  • Possible secp256k1 private keys: ~2²⁵⁶
  • Grains of sand on Earth: ~10¹⁸ ≈ 2⁶⁰

The key space is astronomical. A randomly chosen key has negligible probability of collision with any other key ever generated.

Second, the special form of p has a practical consequence for how public keys can be stored. Since the curve equation is quadratic in y, a point is determined by its x-coordinate together with one bit selecting between the two roots y and p − y (which have opposite parities, as p is odd). Because p ≡ 3 (mod 4), the required square root can be computed by a single exponentiation.

Proposition 5.2 (Point Recovery)

Given x and the parity of y, the full point (x, y) can be recovered:

  1. Compute y² = x³ + 7 mod p
  2. Compute y = (y²)^((p+1)/4) mod p (valid since p ≡ 3 (mod 4))
  3. If the parity of y does not match the required parity, use p − y

Step 2 works by Euler's criterion: a nonzero a is a square mod p exactly when a^((p−1)/2) ≡ 1 (mod p), and when p ≡ 3 (mod 4) the exponent (p+1)/4 is an integer with (a^((p+1)/4))² = a^((p+1)/2) = a · a^((p−1)/2) ≡ a.

This proposition is what makes the compressed public key encoding of Chapter 9 possible: a public key can be transmitted as 33 bytes (the x-coordinate plus a parity prefix) rather than 65, and the receiver recovers y exactly.
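Proposition 5.2 as runnable code, an added example that is not from the book (the function names compress and decompress are illustrative). It also handles the case the three steps leave implicit: roughly half of all x values have no point on the curve, and the exponentiation in step 2 still returns a number for them, so the result must be squared and compared before it is trusted.

```python
P = 2**256 - 2**32 - 977
GX = 0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798
GY = 0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8

def compress(x, y):
    """33-byte encoding: prefix 02 for even y, 03 for odd y, then x big-endian."""
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def decompress(key):
    """Recover (x, y) from a compressed key, rejecting input that is not a curve point."""
    if len(key) != 33 or key[0] not in (2, 3):
        raise ValueError("expected 33 bytes starting with 02 or 03")
    x = int.from_bytes(key[1:], "big")
    if x >= P:
        raise ValueError("x is not a reduced field element")
    y_sq = (pow(x, 3, P) + 7) % P          # step 1: y² = x³ + 7 mod p
    y = pow(y_sq, (P + 1) // 4, P)         # step 2: candidate root, valid as p ≡ 3 (mod 4)
    if y * y % P != y_sq:
        # y_sq is a non-residue; the exponentiation produced a root of -y_sq instead
        raise ValueError("no curve point has this x-coordinate")
    if (y & 1) != (key[0] & 1):            # step 3: select the root with the required parity
        y = P - y
    return x, y

if __name__ == "__main__":
    key = compress(GX, GY)
    print(key.hex())
    print(decompress(key) == (GX, GY))
```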

5.8 Why Satoshi Chose secp256k1

When Satoshi Nakamoto designed Bitcoin, he chose secp256k1 over the more common NIST curves. Several factors likely influenced this decision:

Advantages of secp256k1

  1. Efficiency: The special form of p and the fact that a = 0 allow for faster field operations. Optimized implementations can be 30% faster than NIST curves.
  2. Transparency: The simple parameters (a = 0, b = 7) are clearly not derived from any hidden structure. They act as "nothing up my sleeve" numbers, leaving no room to suspect a concealed backdoor.
  3. Cofactor 1: The absence of small subgroups simplifies implementation and removes a class of potential attacks.
  4. Endomorphism: secp256k1 possesses an efficiently computable endomorphism that can accelerate signature verification.

Historical Note

The NIST curves (P-256, etc.) were specified with seed values used to generate their parameters, but these seeds were never fully explained. This has led to speculation about potential NSA influence. secp256k1's verifiable simplicity sidesteps these concerns entirely.

5.9 Security Analysis

The security of secp256k1 has been extensively analyzed. The main conclusion: for well-implemented systems, the curve provides excellent security.

Security Properties of secp256k1

  • ECDLP hardness: No algorithm better than O(√n) ≈ O(2¹²⁸) is known.
  • Not anomalous: n ≠ p, so the anomalous curve attack does not apply.
  • High embedding degree: The curve is not supersingular, so the MOV attack does not apply.
  • Twist security: The quadratic twist of secp256k1 has a large prime-order subgroup (its order is 3² · 13² · 3319 · 22639 times a 220-bit prime), so an attack via the twist still costs about 2¹¹⁰ operations, providing resistance to twist attacks.

[Diagram: security-level scale from 0 bits to 256 bits, with 128-bit security marked at 128 bits. Best attack: ~2¹²⁸ operations (computationally infeasible).]
Figure 5.4: secp256k1 provides approximately 128 bits of security.

To put 2¹²⁸ operations in perspective: if every computer on Earth performed one billion operations per second, and they all worked together for the age of the universe, they would still be nowhere close to completing 2¹²⁸ operations.
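Several of the properties listed in this section can be checked directly from p and n with integer arithmetic. The following is an added example, not code from the book; the function names and the embedding-degree bound of 100 are illustrative choices, and the primality test is Miller-Rabin with fixed bases, so it reports probable primes rather than proofs.

```python
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
TWIST_SMALL = 3**2 * 13**2 * 3319 * 22639    # small twist factors quoted in the text

def is_probable_prime(m, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    """Miller-Rabin with fixed bases: a strong probable-prime test, not a proof."""
    if m < 2:
        return False
    for q in bases:
        if m % q == 0:
            return m == q
    d, s = m - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, m)
        if x in (1, m - 1):
            continue
        for _ in range(s - 1):
            x = x * x % m
            if x == m - 1:
                break
        else:
            return False
    return True

def check_secp256k1(mov_bound=100):
    """Evaluate the section's checks; returns a dict of named results."""
    trace = P + 1 - N              # trace of Frobenius t, since #E = n (cofactor 1)
    twist_order = P + 1 + trace    # the quadratic twist has p + 1 + t points
    twist_big = twist_order // TWIST_SMALL
    return {
        "p_and_n_prime": is_probable_prime(P) and is_probable_prime(N),
        "hasse_bound": trace * trace <= 4 * P,          # |n − (p+1)| ≤ 2√p
        "not_anomalous": N != P,
        # MOV: p^k ≡ 1 (mod n) for a small k would mean a small embedding degree
        "embedding_degree_above_bound": all(pow(P, k, N) != 1 for k in range(1, mov_bound + 1)),
        "twist_factors_match": twist_order % TWIST_SMALL == 0,
        "twist_prime_bits": twist_big.bit_length() if is_probable_prime(twist_big) else 0,
    }

if __name__ == "__main__":
    for name, value in check_secp256k1().items():
        print(f"{name}: {value}")
```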

Exercises

5.1. Verify that the generator point G satisfies the curve equation y² = x³ + 7 over 𝔽ₚ. (You will need to work with large numbers.)
5.2. Explain why compressed public keys are possible. What mathematical property of the curve allows recovery of y from x?
5.3. The prime p satisfies p ≡ 3 (mod 4). Verify this and explain why it enables efficient square root computation (use Euler's criterion from Proposition 5.2's discussion).
5.4. If a private key has 256 bits of entropy, and the group order is slightly less than 2²⁵⁶, what is the probability that a randomly chosen 256-bit number is a valid private key?
5.5. (Research) What is the "GLV endomorphism" on secp256k1 and how does it accelerate scalar multiplication?
5.6. (Computational) Using a big-integer library, implement point addition and scalar multiplication on secp256k1. Verify that 2G has the expected coordinates.
5.7. The prefix byte for compressed public keys is 02 or 03. Explain why the y-coordinate's parity determines which prefix to use.
5.8. (Research) What is the "twist" of an elliptic curve? Why is it important for security that the twist of secp256k1 has a large prime-order subgroup?