## Elliptic Curve Signatures

Let's dig into when, where, and how Bitcoin uses Elliptic curve signatures in transactions. This chapter covers the importance of signatures to transactions, the three purposes these signatures serve, and how they are applied.

### Digital Signatures (ECDSA)

#### ECDSA Math

As mentioned previously, signatures are created by a mathematical function *F*_{sig} that produces a signature composed of two values *R* and *S*. In this section we look at the function *F*_{sig} in more detail.

The signature algorithm first generates an *ephemeral* (temporary) private public key pair. This temporary key pair is used in the calculation of the *R* and *S* values, after a transformation involving the signing private key and the transaction hash.

The temporary key pair is based on a random number *k*, which is used as the temporary private key. From *k*, we generate the corresponding temporary public key *P* (calculated as *P = k*G*, in the same way bitcoin public keys are derived. The *R* value of the digital signature is then the x coordinate of the ephemeral public key *P*.

From there, the algorithm calculates the *S* value of the signature, such that:

*S* = *k*^{-1} (*Hash*(*m*) + *dA***R*)mod* n*

where:

*k*is the ephemeral private key*R*is the x coordinate of the ephemeral public key*dA*is the signing private key*m*is the transaction data*n*is the prime order of the elliptic curve

Verification is the inverse of the signature generation function, using the *R*, *S* values and the public key to calculate a value *P*, which is a point on the elliptic curve (the ephemeral public key used in signature creation):

*P* = *S*^{-1}**Hash*(*m*) **G*+*S*^{-1}**R***Qa*

where:

*R*and*S*are the signature values*Qa*is Alice's public key*m*is the transaction data that was signed*G*is the elliptic curve generator point

If the x coordinate of the calculated point *P* is equal to *R*, then the verifier can conclude that the signature is valid.

Note that in verifying the signature, the private key is neither known nor revealed.

*Tip: ECDSA is necessarily a fairly complicated piece of math; a full explanation is beyond the scope of this book. A number of great guides online take you through it step by step: search for "ECDSA explained" or try this one: https://bit.ly/2r0HhGB.*