Thank you very much for the invitation, the opportunity to talk here. So that's the title of the talk: Groups, Elliptic Curves and Bitcoin. I'm gonna start with Bitcoin and then move on to the mathematics. You know, I assume people have heard about Bitcoin; I'm not gonna explain a lot, but I'm gonna try to explain the connection with math, and, you know, there are all these other aspects of Bitcoin that I'm not gonna get into.

Okay, so that's the abstract. I'm gonna talk a little bit about Bitcoin and then I'll explain what I mean. I don't know if I'm gonna get deeply into elliptic curves, but I'll say a little bit about elliptic curves and how they give us groups, and then groups are important gadgets for cryptography in general, and in particular they are used in the security of Bitcoin.

Let me say a few words in general about cryptography. So this is a very important new technology, or maybe old technology now; it's, I don't know, 40... Public key cryptography is above 40, 40 years old. Yes. And, you know, it's what makes the internet tick. I mean, you can't buy stuff on the internet; if it weren't for public key cryptography you wouldn't be able to access secure websites, or, I don't know, like, people are able to see what you're doing if you don't want them to see what you're doing. And so online shopping, secure connections: these all have to do with encryption. So you have messages that you want to send and you want to hide them from unintended people; whoever is not the intended recipient should not be able to read what you're sending. And so how you do that from a distance, you know, without priorly meeting a person, that's what's called public key cryptography. You interact with this person over an insecure channel, so people are seeing the data that you're transmitting, but if your data is encrypted they won't be able to read what you... This is a big topic.
I'm not gonna get much into the encryption part, but one thing I'm gonna talk about, which is also Bitcoin, is also software updates. So what happens when you have software updates? You receive, you know, Windows for example bugs you all the time, sending you new software updates, and all sorts of other programs that you use, I mean with the Mac as well. The company that makes the software sends updates every time there is a reason to make an update. How does your computer recognize that this update is valid, that this update really comes from the company that is sending it? You know, if some bad guy wants to send some virus to your computer and pretends he is sending it from Microsoft, you may end up with the virus on your computer. So your computer has to make sure that it's coming from the right place, and the way this is done is the software is digitally signed.

So there is a process, which we're gonna talk a little bit about, that appends a little piece of data to the information. The information is not encrypted, you know; the software that comes is not encrypted, it's just a piece of software. But there is an extra bit of information, not a bit, but an extra amount of information that serves as a digital signature for the software. So you have some information on your computer that allows you to verify that only the person who really is supposed to send you the stuff actually sent it. If the verification fails, your computer should not accept the software update.

And it's the same thing with Bitcoin. So the way cryptographic techniques are used in Bitcoin is for signing transactions. So we're gonna get to that in depth in a moment. There's a transaction.
There's a, you know, it's like a document, and you want to make sure that this document is real, that it was really made by the person who was supposed to have made it.

Okay, so Bitcoin. So Bitcoin is supposed to be a currency. So, you know, a Bitcoin is a form of money. I don't know, I mean, you may argue that it's worthless or whatever; it's a matter of decision of people. There's all this sociological aspect of Bitcoin that I don't want to get into in detail, but once you accept that we want to use it, then how does it work? So there are three basic concepts.

Addresses: an address is like your bank account. So an address is the number that identifies a Bitcoin account, and it holds a balance. So to each address there's an associated amount, which is how much in bitcoins that address holds, and we'll see how the addresses are created and how bitcoins are added to an address.

Well, the way that bitcoins get transferred from one address to another address, which is what you really want to do, is via transactions. A transaction is a set of instructions that say, you know, transfer this many bitcoins from this address to that address, transfer this many bitcoins from this address to this address, and so on. Of course, a transaction needs to only be made by somebody who is authorized to spend those bitcoins. So for the addresses from which the bitcoins are coming, the transaction has to be made by somebody who is authorized to operate with these addresses, and we'll see how that is done.

And finally there is, maybe it's the biggest innovation in Bitcoin, this idea of the blockchain, which is a ledger.
So it's a list of all the transactions that have occurred in the past. So there is this database that contains every single transaction, so the transactions that I said up there, they're all listed there, and you can go and look. You can go on the internet and there are websites that allow you to interface with this blockchain and read off which addresses contain which money, and who sent money to who. People say Bitcoin's anonymous. Bitcoin is not anonymous; Bitcoin's pseudonymous. So you don't know who owns a given address, but if you know the address you know how much Bitcoin is on that address and which transactions were made to and from this address. They're all listed on this blockchain. And it's called a blockchain because it's organized in blocks, and the way it's produced via these blocks is to ensure that it doesn't get tampered with, because if the blockchain gets tampered with then you can change who owns what, right? So a very important aspect of the blockchain is immutability; it can't be changed.

Okay, so let's start with the blockchain. Like I was saying, it's a list of all the transactions and it's distributed, so it's in the cloud. So there are many computers that maintain this blockchain. They have copies of this blockchain, multiple copies of this blockchain, and they have to agree on what's the real copy, and the way they agree is that, you know, there's the history of the blocks and you can go back, and if somebody says, well, this is not a valid block, then the other people say no, it is a valid one. So the people who are maintaining the blockchain, they receive transactions. So how is a new block created?
They receive a bunch of transactions. So if you want to make a transaction, you broadcast a transaction on the internet, and eventually one of these people, they're called miners because they mine bitcoins if you like, he receives the transaction and then he collects a bunch of transactions. Once the miner has enough transactions, he tries to create a block. The way he tries to create a block is: first of all there is an important thing, which is information that comes from the previous block. So it's a hash. So it is a bit of data that can't be faked, that can only be produced from the data from the previous block. So this has to be on the next block, this data that identifies the previous block. Then TX, TX, TX are a bunch of transactions, and then there is a number that you have to put in there, just a random number, and then you hash all this data in the hopes that the hash comes out to be a number with lots of zeros. And if you succeed, then you've done the work of verifying that all these transactions are valid and you collected all this information. Then you broadcast that and then it becomes part of the blockchain.

So the whole thing of this hash is to create a lottery. So the miners are competing to produce the next block, and when one of them succeeds he gets a reward in Bitcoin; the software automatically awards to the miner a certain amount of bitcoins, which right now is 25 bitcoins. And so the miner is happy because he got paid for the work, and he created a new block that goes in the blockchain. And you cannot change a block in the past, because if you change a block in the past it will change these hashes, this information from one block to the next, and then you see that the blockchain doesn't match.
So it's this linear description of the blocks that maintains the integrity. Each block has information about the previous block, and if somehow the previous block changed, the next block has to be changed accordingly. So you cannot change just one block, you have to change all the blocks, and of course, since there are many computers maintaining this, one person cannot change a block, because somebody else is gonna say, well, this is wrong, that doesn't match on my computer. So there's a sort of a majority rule that enforces the integrity of the whole blockchain.

Transactions. So what's a transaction? A transaction is like a check. So this is a picture of a check, supposed to be a check signed by Abraham Lincoln; I found this picture on the internet. It says, you know, I pay a hundred... what is it, 46? Whatever it is, 100 and whatever it is, you know, it's an amount to somebody, right, from my bank account to his bank account. Here's a check. I mean, I don't know, young people don't see checks these days. They don't use checks anymore, but maybe some of you that are a little older have used checks. You know, maybe the young people have seen a check. You just write the information: who is the check to, how much money you're gonna be giving this person, and you sign and you date it. Right, that's what a check is, and a Bitcoin transaction is exactly that. It has more information, because it's not just that; it carries the information of where the money comes from. So when you transfer money from you to somebody else you have to put in the transaction where you got the money from. There's an extra bit of information.
You just say, well, these bitcoins were previously from these transactions that are on the blockchain, and I want to take these bitcoins and transfer them to this other person, or other persons. You could put many outputs on the transaction. So you list the inputs and outputs and then you sign. So the digital signature, which we're gonna get to later, ensures that, first of all, it's really you, that you're not faking it, that it's you and not somebody else. And also, you know, people I guess can say this is Abraham Lincoln's handwriting, right? So I guess there are handwriting experts that can declare that this is Abraham Lincoln's handwriting. So when we have a written check like that, not just the signature is tamper-proof, but the information here is also tamper-proof, as to change it you have to erase something or you have to fake it, and it's difficult. And that's the same idea in Bitcoin transactions: you're gonna make it difficult or virtually impossible to fake the information. So there's gonna be a signing process, which is where the math that I want to explain will come in; it explains how you ensure that the transaction is valid.

So the next piece of Bitcoin, the next concept that I want to describe, is that of addresses. So like I explained in the beginning, an address is like a bank account. It holds a balance. So an address is a number, and to this number is assigned a balance on the blockchain that gets changed every time there's a transaction that affects that number. So how do you produce this address? So this is an important thing. So you produce this address by, first of all, choosing a secret number called the private key, which is a very large number, random in some range, so it's roughly between one and... So the secret key is a number with 256 bits. So it's a number of this size.
So lots of numbers that you have to choose from, more than the number of atoms in the universe, for the physicists here. So you choose a random number; that's your public key. You have to keep it secret. You cannot tell it to everybody; if you reveal it your bitcoins are gone, and that is true, I mean, it happens all the time on the internet. Somehow people are less than careful with the private keys and they lose their bitcoins.

The private key is turned into a public key. I'm gonna explain how later, but an important aspect is that this arrow cannot be reversed. It's one-directional. You know, it's not impossible in the sort of theoretical sense, because it's actually a bijection, but in the practical sense it is impossible. The computational effort to go back from the public key to the private key is so huge that there's not enough time. You know, the Sun will go supernova before you finish this. With current technology and current knowledge it's gonna take forever to reverse this arrow.

And then there's the public key. You're gonna use it when you transfer money, but if you just want to receive money, all you need to do is make public your address, and the address is again, it is a different process, but it's again a one-directional arrow. So from the public key to the address is one of these irreversible calculations. And so you start with the private key, you can compute the public key, and from the public key you compute the address. Now, the public key is a point on an elliptic curve, and I'm gonna explain later what that means and how it's calculated, and the address is, well, it's a string of symbols. I'm gonna show an address right now, so you're gonna see an address in just a minute. So if you want to receive bitcoins all you need is an address. So in fact you can make addresses without... So the address has
to conform to a certain standard, and you can create addresses without going through this process, so they don't correspond to any public key or any private key that is known, and these addresses are completely useless. So there are addresses that, you know, if you want to burn bitcoins, destroy bitcoins, you can send them to that address, because nobody holds the private key to that address and therefore nobody can retrieve those bitcoins, so they sit there. This is an address called 1BitcoinEater. You can make addresses; addresses can even have little sentences in them. If you search hard enough you find addresses with little sentences in them.

Okay, so let me show you an address. So here's an address. The address is the string of numbers over here. They usually start with a one. There's a meaning for that, that tells you some information, and then most of the stuff is whatever random stuff comes out of the calculation, and there are some check digits at the end. So you cannot put any random collection of letters and numbers in here; that's not gonna validate. But the last half a dozen or so symbols there are a way of validating the whole address. So this is an address, and this barcode is just a standard 2D barcode that your phone can read, and it's gonna read this. If you want to send some bitcoins to this address, I'll be very happy, because I created this address specifically for this talk. I know the private key to this address; if you send bitcoins to this address, I'll get them. My phone is gonna go "ba-ding".

Okay, so that's the format of an address. That's what an address looks like. All right, so the process of creating the public key from the private key consists of taking a number, so that's the private key, and from this number making a point on the curve. So the public
So the public So the public key is a point on the curve is a point is a point Point on a curve have a little picture here, which is perhaps misleading is not how it's done It's just a metaphor for for the process of generating a point from a number and Imagine that this is your curve is you know, I just drew it with Wack on a Wackham tablet on a computer and it's a sort of messy curve And what you do is you start at the at the some starting point here and you go a certain distance along the curve and If you do that You land at some point somewhere in the middle Right, and then you can say well that's gonna be my public key the public key is the coordinates of the point on the curve Yes Yes, it is. There's a process that from the private key produces a public key Once and for all it's so it's Once you're done you're done So if you want to and if you want if you need a new public key you have to select a new private key So, you know, there's many numbers that you can choose from each of them give you a Different public key. Yes The elliptic curve is fixed. Yes for everyone. Yes, I'll tell you what it is in a moment. Yes anyway, so, you know if you You know if you're not a mathematician and you don't want to to be bothered with the intricacies of elliptic curves You can think of it as this terms you you you think of it as a the private key as a distance that you that you go along This curve until you reach a certain point that you you travel that distance And if you if you fix if your initial point is fixed then, you know, it doesn't matter I say there's only one way to go and you're gonna get to a certain endpoint once you you know If you say you know go 50 kilometers You got you know is a one directional thing so you're gonna end up somewhere and that's that's your public key It's the coordinates of this point Yeah, in a way, I mean it's more to that. 
I mean, this is a metaphor. You shouldn't take this picture too seriously, but at least it is a way of remembering what it is about. So I'm gonna get to the actual details.

So what's the curve? The curves are elliptic curves, so it doesn't look anything like, you know, that one looked like a mess; this one looks like a beautiful, symmetric, pretty object. Okay, so this is my elliptic curve. So he was asking what's the elliptic curve for Bitcoin. It's this one: y squared equals x cubed plus seven. Okay, but, you know, there's more. There's more. So to begin with, that's the equation. There's a prime that's gonna show up, but for now that's the curve: y squared equals x cubed plus seven. So that's a drawing of what that equation gives over the real numbers. Okay, and I'm putting this as an illustration, because I want to tell you something you can do on elliptic curves. Elliptic curves are equations of that shape; it's not just that one. It could be y squared equals x cubed plus ax plus b, or y squared equals any cubic in x will give you an elliptic curve, you know, unless there's a singularity. Well, let's not worry about that.

But so what is the one thing that you can do if you have two points on this elliptic curve? Well, if you have two points on any curve, you can draw the line joining these two points. But because it's an elliptic curve, and that's the important property of elliptic curves, this line will meet the curve in one other point, just one other point, a third point. So I have a process that, given two points on the curve, gives me a third one: draw the line through the two points and see where it meets. And because it's an elliptic curve, this process will give you a well-defined point.
It's not going to be many points. I mean, if you have a more complicated curve, you draw the line, it could meet the line in many points, but for an elliptic curve, you know, if you have two points, you have a point here, a point here, maybe the line is going to be a bit more slanted, but it meets here. Now I want the third point, but I don't like this point here. So there's a process where you flip it: you just reflect it on the x-axis and you get this point down here below. So the curve, because it's y squared equals something, you know, there's a symmetry y to minus y. So if you have a point above, you have a point below.

So this is the process that I'm going to call adding two points on the elliptic curve, and this is not vector addition. I'm using plus here, but, you know, it's not meant to be vector addition. This is another, different way of combining points in the plane, but not any points in the plane: two points that happen to land on this curve. So if you have two points on this curve, draw the line joining them, see where the line meets the curve again, flip it over the x-axis, and you get the point. And this is what I'm going to call P plus Q. That's my definition. That's what I want to do with the elliptic curves, and elliptic curves allow you to do that. You have two points, you produce a third point, and you call it P plus Q. The reason you do this is because it has nice algebraic properties, and I'll get to that in a moment, but that's the process.

Okay, so you can do that in this picture. Now one thing that is important is that in fact you can do this calculation algebraically.
So if you write down the equation of the line, plug it into the equation of the curve, and solve for the third solution... So this lambda here is the slope of the line. So you have the point (x1, y1) and the point (x2, y2); you can draw the line going through (x1, y1) and (x2, y2), and it has this slope. You write down the line, it's a sort of little, you know, elementary high school mathematics; you write it down, plug it into the equation of the curve, and solve for the third point, and this is what you get. So these formulas here tell you what's the expression of the third point in terms of the first two. So this is the plus that I defined in the picture before, and these are the formulas for the x and the y of the third point in terms of the x and y of the first and of the second point. And the important thing is that this is a completely algebraic formula. It's written right there. So you don't need the picture, you don't need to draw lines. You can just write this in a computer program, a one-line computer program, and then you can plug in values and get the output. So you know how to compute points on the elliptic curve.

Now, the previous picture was a picture over the real numbers. So I drew a curve in the Cartesian plane, and so x and y are real numbers and they satisfy that equation, but I can look at this equation in other realms, in other situations where I can do arithmetic. And I'm a number theorist, so I like to do arithmetic modulo p, where p is a prime number. So what does it mean? It means that instead of adding numbers in the usual way, you add integers.
So you look at whole numbers, you add them, and then you divide by p and just keep the remainder. So this is a way of adding numbers that is called addition mod p. You can do multiplication also. You can operate mod p. Like, for example, let's take p equals two. So if you add two odd numbers you get an even number; you don't need to know what the numbers are, right? The sum of two odd numbers is even. The product of two odd numbers is odd. The sum of an even number plus an odd number is odd. So you know this, you all know this from elementary school. So you can manipulate the symbols "even" and "odd", and you can add and multiply these symbols without knowing which number it is, right? So you just keep a record of whether the number is even or odd, and you can do operations. So if you have a big algebraic expression and you plug in a bunch of numbers that are either even or odd, then you know the output is going to be even or odd, which doesn't depend on the particular numbers that you chose, as long as you keep them in the same class. So an even number plus an odd number is odd. So I don't want to do this modulo two, because two is a very small prime number. I want to do this modulo a large prime.
So I add two numbers, I multiply two numbers, and I keep only the remainder on division by p. So I start with numbers less than p, between 0 and p minus 1, and I add and multiply them, and I take the remainder so that I go back to numbers between 0 and p minus 1, and I can do algebra. So it's very clear what I mean when I talk about addition, multiplication and subtraction, but perhaps it's not so clear how you do division in this realm. And that's why I need to have a prime number. Because if you have a prime number and you have a number that is not divisible by the prime number, so if you have an x that is not divisible by p, you can find a y such that x times y is equal to one modulo p. So x times y has a remainder of one when divided by p. So I can call this y one over x, so dividing by x means multiplying by this one. So that's why prime numbers are good, because, you know, in the language of pure mathematics, the integers modulo p form a field. Okay, so that's what I need. So if you know what a field is, that's what I need to work with this equation. So any time I have an elliptic curve over a field, the coefficients in a field, and I look at coordinates which come from that field, I get an operation using these formulas. So these formulas make sense in any field, and I want to take the field of integers modulo a big prime number.

So here's an example, just as a picture, of the way things change so much when you change from the real numbers to the integers mod p. So I picked a thousand and nine because there's a reason: besides being prime, it's not too small that you don't see anything, it's not too big that I'm gonna fill the whole box with dots. So what does it mean?
I'm looking at numbers x and y between zero and a thousand and eight such that the left-hand side of the equation minus the right-hand side is divisible by a thousand and nine. So that's what I want: y squared minus x cubed minus seven divisible by a thousand and nine. And I plotted the points, and that's what you get. It's a collection of points that satisfies this equation modulo a thousand and nine. So the equation is not satisfied on the nose, it is satisfied only up to multiples of a thousand and nine, and I get this collection of points. And in this collection of points I can perform this operation. So these are the formulas, right? If I take two points in this constellation of points, I can use those formulas to produce the third point in this constellation. So the set of points has this addition law. So if you have two points in this jumble of points there, I can always manufacture a new point.

Okay, so a group is exactly this: it is a set that has an operation that satisfies some of the rules of algebra that we are used to. You know, there are three axioms to define a group. I don't need all of them; actually, all I need is what's called a monoid.
I need the, that is, a rule, which I had on the elliptic curve, that given two points P and Q, I produce P plus Q. It has this associativity property: if I combine P and Q and then combine the result with R, it's the same thing as if I combine first Q and R and then combine the result with P. So this is not an immediate thing to check. You know, you have to work a little to check that for elliptic curves, but it is true. So I'm gonna use it, that this composition process on elliptic curves has this associativity property. Okay, so I'm gonna use that.

And now, because of this associativity, you can sort of unambiguously write 2P; it is gonna be whatever you get when you add P plus P. Now P plus P has a subtlety, because when I defined P plus Q I drew the line between P and Q, and if Q is P, which line do I choose? Well, I choose the tangent line. Okay, so for P plus P you need to use the tangent line, and then what is the tangent line? I mean, you use calculus to find the equation of the tangent line, and then if you look at the formulas you get, you realize that the formulas to get the tangent line, they're also algebraic, so they make sense over any field. And so there'll be an additional set of formulas to do P plus P. But 2P is P plus P, then 3P is 2P plus P, 4P is 3P plus P, and 5P is 4P plus P, and so on, so you define n times P for any integer n. So if you start with one point P and a number n, a positive integer n, you can make sense of n times P. It's just P plus P plus P plus P, n times.

Now, since I'm going to be dealing with very large numbers, I don't want to add P plus P plus P plus P plus P plus P plus P, n times, if n is an enormous number. I need a shortcut, and there is a very clever shortcut, which is the following: if you want to compute 4P you don't need to do, you know, P plus P plus P plus P, four times. You can double 2P. That gives you 4P, because of the associativity law. So that's a little easier
way of computing 4P, and if you want to compute 8P you don't have to start all over again and do P plus P plus P plus P plus P... times. You can just double 4P. So these are shortcuts that get better and better as the numbers get bigger and bigger. So you can produce the powers of two times P. So you can do 8P, 16P, 32P, 64P and so on just by successively doubling, and then if you have an arbitrary number n you can write this number n in binary and use the powers of two that occur in the binary expansion to produce these guys, and then you assemble things together. So you use the binary expansion of the number n to get a shortcut to compute nP, and this is very important, because it allows you to compute, even if you have a huge number like that, numbers even this big, you can compute k times P not in k steps, but in about log k steps. So even for a number this huge you're only gonna need 256 steps, so maybe twice as many because I have to do some additions, about 500 steps to compute k times P if k is a huge number like that. So it's a very feasible thing to compute nP given P and n, even if n is huge.

Okay, so here's my elliptic curve, the actual elliptic curve from Bitcoin. So as I said before, the equation is y squared equals x cubed plus 7 mod p, where p is this prime. It's a little smaller than 2 to the 256; 2 to the 256 is this number, and there it is in all its glory. The number of solutions to this equation, the number of points on the elliptic curve, is this other number here. Okay, this is something that, you know, is a non-trivial thing to compute, but it can be done. There are interesting algorithms to do this computation.

Here's something interesting. So if you stare at those two numbers, what do you notice? Are they the same? They start the same, right, about one one five seven nine two zero blah, blah, blah. But if you look at the other end, they are different, right?
They're not the same number. They start the same, but if you look at it carefully, you're gonna see that they change about halfway. The left half of the digits are the same; the right half are completely different. A lot of art gave a talk some time ago here, that apparently is being very successful on YouTube, talking about the Weil conjectures. This is a manifestation of the Weil conjectures: that the number of points on an elliptic curve mod p is close to p, is within square root of p of p, and you see it right here. So this is a manifestation of the Weil conjectures, which has a bound for the number of points on an elliptic curve.

And here's a point which I'm gonna call G. And one interesting thing about this elliptic curve is that this number q turns out to be prime. That's important for the security of this curve. That's part of the reason why these numbers were chosen this way, so that this number q is also prime. If this number q was not prime, it wouldn't be so useful. And now, checking that it's prime is very quick; you know, PARI does it in microseconds. It takes a little work to find the number of points of an elliptic curve, to find an elliptic curve with a prime number of points. It takes a little work; checking that the number is prime is very quick. And this is a point that satisfies this equation. So this G is a point on the elliptic curve: if you square this huge number here, and then you cube the second huge number here and add seven, and subtract one from the other, you get something divisible by this monster.

So here's my elliptic curve. So these are the parameters, so that was the question that was asked earlier. In Bitcoin everybody uses this curve. This is the equation. This is the prime.
This is the number of points, and this is a fixed point on the curve that is called the generator, that everybody's gonna use. Now, this curve came from a standard from the US government that was probably produced by the NSA. So now, you know, should we worry about this? I don't know. That's the question, right? I don't know, but that's what's used, and that's it.

All right, okay, so now let's go back to Bitcoin. So remember, in Bitcoin you produce a transaction which gives some information about transferring bitcoins from A to B, right? And the person who is sending the bitcoins needs to sign this transaction, has to put their signature on the transaction, to prove that it is them who did it and also to ensure that this transaction cannot be altered. So the signature is not just to verify that you are the person, but it's like your handwriting. So you're gonna produce the transaction with your handwriting so nobody can modify it.

Okay, so how do you do this? So remember, when you want to create the Bitcoin address you select a secret key K on that interval there. That's your secret that you don't tell anybody, and the public key is K times G, where G is this point here on this curve here. So all of this is fixed now. Okay, so K is your private key, Q is your public key, which is K times G. And in the theory of elliptic curves, you know, as far as we know, it's very difficult, given Q, to recover K. I explained how to get from K to Q: this thing using the binary expansion allows you to go quickly from K to Q. But there's no corresponding way of reversing this process. So knowing Q does not reveal K.

Okay, so now there's a message. The transaction is a number, you know. It's computer code.
So it turns into zeros and ones, and you think of this collection of zeros and ones as the bit representation of some big number. So the message is some number.

Yes, this is the group operation. So it is G plus G plus G plus G, K times. Yes. So here is the group operation, this K. Thank you.

So here's my message, here's my public key. This is my private key. Here's my public key. Now I also choose another number, which is going to change for every transaction. It's called the ephemeral key. Just choose another number and compute the multiplication on the elliptic curve. So this is G plus G plus G plus G, E times, and you get another point on the elliptic curve, which I'm going to record as (x1, y1). And remember, x1 and y1 are computed modulo p. So you get some number modulo p. But now I'm going to do something that mathematicians might find a little odd. I'm going to take this number, which is a number modulo p, and think of it modulo q. But q is the number of points on the elliptic curve, it's the second big number. Okay, so I can do that. You know, I just take this number between 0 and p minus 1 and look at it mod q, and I'm going to call it R. It's part of my signature.

So my signature has R and S. So M is the message, Q is the public key. So this is a transaction, this is the public key of the person making the transaction, and in the signature I have two extra numbers, R and S. And R is just the x coordinate of E times G, where E is the ephemeral key, viewed as a number modulo little q. And then S is computed by this formula here, also modulo q. So the ephemeral key goes here, M is the message, R is this guy, and K is the secret key. So the secret key goes in here.
The secret key appears in here, sort of masked by this R and added to M. They combine all the information you get in R and S. And so if you are signing the transaction you know all those numbers, you can compute this. This is a calculation that the person signing the transaction, the person who really owns the bitcoins and therefore knows the secret key K, can do, and then they publish this.

Now it turns out that nobody knows how, from the public information, which is those four objects here, to reverse this. So that's what the security should be: that from this information alone you cannot obtain K or E. So you cannot fake things. But, which I'm going to show in my next slide, this information allows you to verify that these numbers match, so these numbers could only be produced by this process. Because if you are a verifier, you have M, you have R and S, and you have Q, so you can compute this S inverse M mod q. So S inverse is whatever number multiplied with S gives me one mod q. But I compute this number, I can multiply by M.
I can compute this number again and multiply by R. So I have R, S and M, so I can compute those numbers mod q, and then I can do this calculation on the elliptic curve. So this is a number, right, so I can do G however many times this number on the elliptic curve. And G is the generator, the fixed point that was fixed right at the beginning, and Q is the public key. And so you compute this, and if it has x coordinate R, the signature validates.

And here's a calculation of why that is so. This thing is set up so that, in fact, this point that you compute on the elliptic curve is the E times G that you generated with the ephemeral key. So we go back here: here's the E times G. When you start with an ephemeral key you compute this E times G, and you use the value from E times G to compute all the other things. And if you use this information you can verify. So anybody who receives the signed transaction can do a calculation and check, and if this calculation gives the right answer then the person can be certain that this transaction is valid.

Well, yes, it's not transmitted. No, the ephemeral key is not transmitted. No, the calculation doesn't use the ephemeral key. This here is just proving that what you get is what I'm saying you get. So this guy has x coordinate R. That's what the verifier needs to verify. The verifier is gonna compute this. So the first line is the computation that the verifier does. Okay, that's all the verifier can do, because all the information that the verifier has is in the first line. Now here is what the verifier needs to find: the verifier needs to find that this point here has x coordinate R, which was given to the verifier.
Okay, so once the verifier verifies this, the signature is considered validated. Now this last line here is just to explain why it is that, you know, if everything is done correctly, that's what you're supposed to get. So this is a proof.

Yes. Was that... it came to your address. So the transaction says, you know, you have an address and that's public. The address is put there on the internet. Now, you made your address with your private key. Okay, so I only need your address. So my transaction says I'm gonna give a Bitcoin to you, and I'm gonna sign with my private key, and now it's on the blockchain, the information that I transferred that Bitcoin to you. Now you have the private key to your address, so you can now say you're gonna transfer it to her. So you say, "I'm gonna transfer my Bitcoin to her." So you make a transaction with your private key, referring to the transaction that I made to you, which is in the blockchain, right? So, you know, it's in the public record that I transferred the Bitcoin to you. So you have this Bitcoin, now you can sign a transaction saying "I'm gonna transfer my Bitcoin to her." And you sign it with your key, and then now there's a new transaction on the blockchain that says that you transferred your money to her. And if you try to do it again, "No, I'm gonna send it to him," then of course the miner is gonna receive this new transaction and check. So you're gonna have to say where the money comes from, and the money comes from me. But you already used my money to give it to her, so I cannot give it to him, because it's on the public record that you've already spent that money. So you cannot spend it twice. Okay, that makes sense.

Yeah, the q is the number of points on the elliptic curve. No, no, so, no, p is this guy and q is this guy. It turns out to be a prime number. Yes.

No, it looks completely random.
I don't know why they chose this point. You know, it was randomly chosen as far as I know. There's no rhyme or reason why this point. So this is a funny thing: this curve has a point with x coordinate equal to 1. If I plug in x equals 1, 1 plus 7 is 8, and 8 turns out to be a square mod p. So there's some huge number which, when you square it and subtract 8, what you get is divisible by p. So there is a point with x coordinate 1 on this elliptic curve, and, you know, we could have used that point. It would be just as good. All the points on this elliptic curve look the same from the group theoretic point of view. I mean, it's a group of prime order, so except for the zero point every other point has the same algebraic properties. Why this one? I don't know.

So this is how you sign and this is how you verify. And so I'm gonna stop here. Thank you.

In theory, yes, but there's software that does that for you. It's fast. Somehow it's fast, the way the box is organized. It's fairly quick.

That is true. Yes. So there are some ideas on how to prune the blockchain. So maybe just keep the most recent, the most relevant transactions and forget everything that you don't need to know, all the chain. I mean, I guess if you're auditing you might want to know all the chain at the back. But, you know, what's really important is the last few transactions, why you have the money. So there are attempts to do that, but that hasn't been done yet. So for now the whole blockchain has to be looked at, and I just looked this up: currently it sits at about a hundred gigabytes. Not something that you want to transfer all the time on the internet, but it fits easily on your laptop's
No the mining becomes more difficult because they the more people are mining and the faster the mining that the harder it gets because There's a pace you don't want to you know, they they try to keep the The blocks coming at the rate of about one every ten minutes You don't want to you know, you don't want to because if the blocks are coming too fast Then then you run the risk of losing the linear order Right. So, you know, you can't match them, you know, they have to be in order So that the block so there's a there's a the way this is enforced is that if there are more people mining It's harder to mine the block because I have to do this calculation and come up with with the hash of a certain kind And this is adjusts depending on how fast the mining is going Yeah, I built in the adjustment as a deliberately decision. Yes. Yeah. Yeah Yeah, yeah, just a condition. Yeah, it's enforced by the software. So You know things can be changed I mean To change things you have to so the miners are all running the software, right? If they decide to run a different software Then they could you know that they could keep the blockchain and just switch to a different software change the rules But then you have to have agreement, right? Because it half half of them will do one thing and the other half do another thing then you don't know which one is valid It's called forking the board and then that forks you up. So you don't want to do that But but if you have consensus then you can change the software and then you know, whatever, you know People can decide what they want. But it requires a consensus. Yes Yes, so this is called the elliptic curve digital signature algorithm Yes. 
Yeah, so this is one stuff. So there's a standard thing called DSA that is older, which is done with exponentiation in the multiplicative group, and this is the elliptic curve DSA, which, yeah, existed long before Bitcoin. I mean, the guy who created Bitcoin just went and picked some existing piece of mathematics that was standardized, which is this one.

And it doesn't have to be that elliptic curve. You can do that with any elliptic curve. So first of all, I had a picture of an elliptic curve over the real numbers, that wobbly thing like that. Because the elliptic curve is an algebraic object that can be considered over any field, you can also consider it over the field of complex numbers, right? So you can look at the points that satisfy that equation with X and Y complex numbers, and you get a surface. You get something with complex dimension one, or real dimension two, and if you plot it and if you study it you get a torus. So this is why there is a torus here. And this person is John Tate, who is a very distinguished mathematician who was very influential in the theory of elliptic curves. He was one of the main contributors to the theory of elliptic curves, and here's a picture of him holding an elliptic curve. And he was a mentor for both Fernando and I, and we were colleagues for many years in Texas.

So, some guy that we don't... I mean, so who invented it.
So some guy that goes by the name of Satoshi Nakamoto, which is probably a pseudonym, because nobody knows who he is. You know, there's nobody who knows him in real life. But he interacted with other people on the internet. He wrote a paper explaining his ideas and sent it to a mailing list of people who are interested in this kind of thing. He produced the software, shared the software with other people, and a few people that were interested in what he was doing agreed to start running the software. And then the software started to run, very slowly at the beginning, but then later more and more people got interested and started using it. This was around 2009. Then around 2011 he disappeared. He stopped interacting with other people. The software was already installed in many computers and running, and it kept running.

So the miners, when they mine, when they verify the blocks, every time they verify a block they get a reward in bitcoins. So that's how bitcoins are produced. Bitcoins are produced by the mining process. The software produces new bitcoins every time a block is mined.

Yes, if the mining stops then no transactions get verified, no money gets transferred, nothing happens.

Right now, $615. I checked today. Yeah, 615. It started being worth nothing. Three years ago it was worth over a thousand dollars, and then it crashed down to a hundred or two hundred, and now it's back up to six hundred. It's very volatile. So don't use it as an investment, because you don't know.

Yes, yes, it costs more. If you don't have the specialized hardware, then it costs more in electricity than what you get.

No, it's not illegal. I mean, the legality of Bitcoin has been discussed in many countries.
So okay, first of all, the answer is dependent on which country, of course, right? Different countries have different laws. So in Russia they don't look at it very favorably. In the United States there's been discussion in Congress. They decided not to act, so for the moment it is legal. You know, and then there's even some discussion of how you declare it in your income taxes and so on. And yeah, I mean, if you sell and you make a profit you have to declare it. So there are regulations on how you do it. So in the United States it is legal. In Russia, I think it's illegal, but a lot of people use it. You know, also in some countries what's in the law is different from what is in practice, right? You know that very well. And in Italy, I don't know. I mean, somebody might be better informed than I am. I think it's legal, because I know there is a bar in downtown Trieste that has a Bitcoin ATM. I found this on the internet this week because I was looking for "Bitcoin Trieste", just in case somebody asked this. So I assume it's legal, because you can go to this bar and buy bitcoins there. I don't remember. It's not very far from your house. You can probably walk there.

No, I mean, but it's a choice of eBay, right? If eBay wanted to sell you things on Bitcoin, they could.

No, you can have fractions. You don't have to use one Bitcoin. You can use 0.3 bitcoins, or, you know, 0.1. I mean, there's a limit of, I mean, is it 10 to the minus 6? I mean, you can work with 10 to the minus 6