**From Bitcoin Wiki:**

secp256k1refers to the parameters of the ECDSA curve used in Bitcoin, and is defined inStandards for Efficient Cryptography (SEC)(Certicom Research, http://www.secg.org/sec2-v2.pdf).As excerpted from

Standards:The elliptic curve domain parameters over F

associated with a Koblitz curve secp256k1 are specified by the sextuple T = (_{p}p,a,b,G,n,h) where the finite field Fis defined by:_{p}

p= FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F- = 2
^{256}– 2^{32}– 2^{9}– 2^{8}– 2^{7}– 2^{6}– 2^{4}– 1The curve

E:yover F^{2}= x^{3}+ax+bis defined by:_{p}

a= 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000b= 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000007The base point G in compressed form is:

G= 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798and in uncompressed form is:

G= 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8Finally the order

nofGand the cofactor are:

n= FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141h= 01

**The above article might be too technical for an average Joe. So, here’s a recap cum simplified version:**

*Let’s take a note of the constants first, then we’ll look at the equations-*

(Finite field F* _{p}*) lets call it p

p = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F

a = 0

b = 7

G is the generator or base point. It’s like a start line and has two components(co-ordinates) x and y. We’ll call the x component G.x and y component G.y

G.x = 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798

G.y = 483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

n = FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

Now let’s try to understand what these are.

**Basically, G is first point on the curve “secp256k1” defined by the parameters(p,a,b,G,n,h) and the equation y ^{2} = x^{3}+ax+b. As this is the first point, it corresponds to the private key “1”.**

p is the prime field which allows the numbers to wrap around itself when using modulus function. We will be using it to derive the public key from a given private key.

The curve equation is: y^{2} = x^{3}+ax+b where, a = 0 and b = 7. Therefore, the equation can be simplified to: y^{2} = x^{3}+7

Calculating public key for any private key(1 to (n-1)) requires combination of two processes: **point addition and point doubling.**

This is how addition of points in an elliptic curve is done: P + Q = R

Where:

`P = (P`

_{x}, P_{y}); Q = (Q_{x}, Q_{y}); R = (R_{x}, R_{y})

1. Point addition – when P != Q

Let slope be “m”.

`m = (Q`

_{y} - P_{y}) / (Q_{x} - P_{x})

`R`

_{x} = m^{2} - P_{x} - Q_{x}

`R`

_{y} = m (P_{x} - R_{x}) - P_{y}

2. Point doubling – when P == Q

Let slope be “m”.

`m = (3P`

_{x}^{2}) + a / 2P_{y}

But since, `a = 0:`

`m = 3P`

_{x}^{2} / 2P_{y}

`R`

_{x} = m^{2} - P_{x} - Q_{x}

`R`

_{y} = m (P_{x} - R_{x}) - P_{y}

*NOTE: R _{x} and R_{y} equations are same for both, point addition and doubling. Only “m” (slope) value changes.*

Let’s actually try to calculate the public key pair of private key 2 and 3.

We know that the public key of 1 is G

So, Public key of 2 will be G(P) + G(Q) = 2G(R). You can see that the points are in 2nd form (P == Q).

`m = 3G`

NOTE: it’s not regular division expression so we can’t divide it like 6/2 = 3._{x}^{2} / 2G_{y}

It can be rewritten as:

`m = 3G`

_{x}^{2} * (1 / 2G_{y}) where, (1 / 2G_{y}) = modular multiplicative inverse of (2G_{y}, p)

Which means we have to find:

`(1 / 2G`_{y}) such that : (1 / 2G_{y}) is less than p & ((1 / 2G_{y}) * 2G_{y}) % p = 1

Here’s an example from geeksforgeeks where, `a => 2G`

_{y}; m => p; Output(x) => (1 / 2G_{y})

Input: a = 3, m = 11 Output: 4 Since (4*3) mod 11 = 1, 4 is modulo inverse of 3 One might think, 15 also as a valid output as "(15*3) mod 11" is also 1, but 15 is not in ring {0, 1, 2, ... 10}, so not valid. Input: a = 10, m = 17 Output: 12 Since (10*12 = 120) mod 17(17x7 = 119) = 1, 12 is modulo inverse of 10

We can also get the same `x`

by using `a`

^{m-2} % m

A simple method to calculate it is by using `pow(a, m-2, m)`

function of python, which calculates `(a`

efficiently since ^{m-2} % m)`p`

is a very large number

## ACTUAL CALCULATIONS:

#### For R = public key pair of private key “2”

m = 3G_{x}^{2}* ((2G_{y})^{p-2}% p) R_{x}= m^{2}- G_{x}- G_{x}(mod p) R_{y}= m (G_{x}- R_{x}) - G_{y}(mod p)

#### For S = public key pair of private key “3”

m = (R_{y}- G_{y}) * ((R_{x}- G_{x})^{p-2}% p) S_{x}= m^{2}- G_{x}- R_{x}(mod p) S_{y}= m (G_{x}- S_{x}) - G_{y}(mod p)

This is what a python code would look like:

#create a point class to store co-ordinates from collections import namedtuple Point = namedtuple("Point", "x y") O = 'Origin' #assign values to the variables p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 a = 0 b = 7 G = Point(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8) #calculate R m = (3 * G.x**2) * pow((2 * G.y), p-2, p) x = ((m**2) - G.x - G.x) % p y = (m * (G.x - x) - G.y) % p R = Point(x, y) #calculate S m = (R.y - G.y) * pow((R.x - G.x), p-2, p) x = ((m**2) - G.x - R.x) % p y = (m * (G.x - x) - G.y) % p S = Point(x, y)

Output: >>> hex(R.x) '0xc6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5' >>> hex(R.y) '0x1ae168fea63dc339a3c58419466ceaeef7f632653266d0e1236431a950cfe52a' >>> hex(S.x) '0xf9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9' >>> hex(S.y) '0x388f7b0f632de8140fe337e62a37f3566500a99934c2231b6cb9fd7584b8e672'

This article is recreated from my biovolt.in blog : http://www.biovolt.in/bitcoin/secp256k1.html

Hi! I bumped into some intriguing news in the crypto currency sector . Some folks in the crypto community have kindly shared some insider info that a new cryptocurrency is currently undergoing the final stages of its development and, it is spearheaded by a group of reputable law firms including Magic Circle and US law firms :-RRB- Allegedly, it is named LAWesome cryptocurrency coin! I would be most obliged if anybody could share some new real-time info on this coin. I would particularly, like to get this coin and participate in the bounty hunt. However, there is a lack of intel on this LAWesome coin as I suspect that it is a relatively secretive venture. I wonder what motivated the law firms to get in the cryptocurrency area? This step by the law firms will certainly implant a dose of validity and reliability into the cryptocurrency field.