Bitcoin addresses are implemented using the Base58Check encoding of the hash of either: Pay-to-script-hash (p2sh): payload is: RIPEMD160(SHA256(redeemScript)) where redeemScript is a script the wallet knows how to spend; version 0x05 (these addresses begin with the digit '3') Pay-to-pubkey-hash (p2pkh): payload is RIPEMD160(SHA256(ECDSA_publicKey)) where ECDSA_publicKey is a public key the wallet knows the private key for; version 0x00 (these addresses begin with the digit '1') The resulting hash in both of these cases is always exactly 20 bytes. These are big-endian (most significant byte first). (Beware of bignumber implementations that clip leading 0x00 bytes, or prepend extra 0x00 bytes to indicate sign - your code must handle these cases properly or else you may generate valid-looking addresses which can be sent to, but cannot be spent from - which would lead to the permanent loss of coins.)

Bitcoin addresses are implemented using the Base58Check encoding of the hash of either: Pay-to-script-hash (p2sh): payload is: RIPEMD160(SHA256(redeemScript)) where redeemScript is a script the wallet knows how to spend; version 0x05 (these addresses begin with the digit '3') Pay-to-pubkey-hash (p2pkh): payload is RIPEMD160(SHA256(ECDSA_publicKey)) where ECDSA_publicKey is a public key the wallet knows the private key for; version 0x00 (these addresses begin with the digit '1') The resulting hash in both of these cases is always exactly 20 bytes. These are big-endian (most significant byte first). (Beware of bignumber implementations that clip leading 0x00 bytes, or prepend extra 0x00 bytes to indicate sign - your code must handle these cases properly or else you may generate valid-looking addresses which can be sent to, but cannot be spent from - which would lead to the permanent loss of coins.)

Source: en.bitcoin.it

Whether for economic or moral reasons, the right amount of trust is always less, and the right amount of openness and freedom is always more.

Source: medium.com

Verifiable/source-available software is much better than closed-source, proprietary software because it is transparent. But verifiability is not enough. With software that is verifiable but not free, you’re at the mercy of the whoever licenses it. And to the extent that this verifiable but unfree software defines how your money is stored or what you can do with it, you’re back in the trust trap.

Source: medium.com

Given a hash value h, hash function f(), private key x, group generator G, and public key P=xG, we can generate a Schnorr signature on h as follows: Choose a random nonce k. Let R=Gk, and let s = k - f(h . R . P)x. The Schnorr signature is the pair (R, s). Note that R is a public key, so would require 33 bytes to represent (32 bytes + 1 bit indicating "even" vs "odd"). To check the validity of a signature (R, s) against a public key P, do the following: Note that sG = (k- f(h . R . P)x)G = kG - f(h . R . P)xG = R - f(h . R . P)P. So we simply compare sG + f(h . R . P)P to R to check the signature. An advantage of this method is that, if parties cooperate, we can generate a single signature that validates two or more separate transactions. Choose h1, h2, x1, x2, G, P1=Gx1, P2=Gx2. Each party chooses a nonce yielding k1 and k2, and publicly shares R1=Gk1, R2=Gk2. Let R = R1+R2. Each signer generates an s, s1 = k1 - f(h . R . P)x1, s2 = k2 - f(h . R . P)x2. The signature (R, s) where s = s1 + s2 proves both transactions are signed. Note that sG = (s1 + s2)G = s1G + s2G = (k1 - f(h . R . P)x1)G + (k2 - f(h . R . P)x2)G = k1G - f(h . R . P)x1G + k2G - f(h . R . P)x2G = R1 + R2 - f(h . R . P)(P1 + P2) = R - f(h . R . P)(P1 + P2) To verify, check that sG +f(h . R . P)(P1+P2) is R. This can be easily generalized from 2 to N.

Given a hash value h, hash function f(), private key x, group generator G, and public key P=xG, we can generate a Schnorr signature on h as follows: Choose a random nonce k. Let R=Gk, and let s = k - f(h . R . P)x. The Schnorr signature is the pair (R, s). Note that R is a public key, so would require 33 bytes to represent (32 bytes + 1 bit indicating "even" vs "odd"). To check the validity of a signature (R, s) against a public key P, do the following: Note that sG = (k- f(h . R . P)x)G = kG - f(h . R . P)xG = R - f(h . R . P)P. So we simply compare sG + f(h . R . P)P to R to check the signature. An advantage of this method is that, if parties cooperate, we can generate a single signature that validates two or more separate transactions. Choose h1, h2, x1, x2, G, P1=Gx1, P2=Gx2. Each party chooses a nonce yielding k1 and k2, and publicly shares R1=Gk1, R2=Gk2. Let R = R1+R2. Each signer generates an s, s1 = k1 - f(h . R . P)x1, s2 = k2 - f(h . R . P)x2. The signature (R, s) where s = s1 + s2 proves both transactions are signed. Note that sG = (s1 + s2)G = s1G + s2G = (k1 - f(h . R . P)x1)G + (k2 - f(h . R . P)x2)G = k1G - f(h . R . P)x1G + k2G - f(h . R . P)x2G = R1 + R2 - f(h . R . P)(P1 + P2) = R - f(h . R . P)(P1 + P2) To verify, check that sG +f(h . R . P)(P1+P2) is R. This can be easily generalized from 2 to N.

Source: en.bitcoin.it

Elliptic Curve Digital Signature Algorithm or ECDSA is a cryptographic algorithm used by Bitcoin to ensure that funds can only be spent by their rightful owners. It is dependent on the curve order and hash function used. For bitcoin these are Secp256k1 and SHA256(SHA256()) respectively.

Source: en.bitcoin.it

BIP: 1 Title: BIP Purpose and Guidelines Author: Amir Taaki genjix@riseup.net Comments-Summary: No comments yet. Comments-URI: https://github.com/bitcoin/bips/wiki/Comments:BIP-0001 Status: Replaced Type: Process Created: 2011-09-19 Superseded-By: 2

Source: bips.dev