10 — Cryptography in Cryptocurrencies and Blockchain

An overview focused on cryptographic primitives and protocols. The dedicated blockchain compendium (next) covers architecture, consensus, smart contracts. This file: what cryptographically underpins Bitcoin, Ethereum, and variants.


1. Prehistory: Hashcash, b-money, Bit Gold

Hashcash (Adam Back, 1997)

Anti-spam via proof-of-work in email headers. The client computes a hash with \(N\) leading zeros:

\[H(\text{header} \\\| \text{nonce}) < 2^{256-N}\]

Costs CPU for each email — friction for mass spammers. Basis of Bitcoin's PoW.

b-money (Wei Dai, 1998)

Informal proposal: distributed ledger, anonymous money, contracts in PoW.

Bit Gold (Nick Szabo, 1998–2005)

Concept of a currency based on chains of PoW puzzles. Never implemented.

Satoshi cites Hashcash + b-money in the Bitcoin whitepaper (does not cite Bit Gold but the influence is evident).


2. Bitcoin — primitives

Whitepaper: Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, Oct 31, 2008. Genesis block: Jan 3, 2009.

Hashes

  • Double SHA-256 (HASH256): H(H(x)) — used in block hashing, txid, merkle root.
  • RIPEMD-160 + SHA-256 (HASH160): RIPEMD160(SHA256(x)) — used in addresses (P2PKH).

Reason for double-SHA256: proactive defense against length-extension (although a non-issue in current use; it was caution).

Curves

  • secp256k1 — Bitcoin's ECDSA curve. \(y^2 = x^3 + 7\) over \(\mathbb{F}_p\) with \(p = 2^{256} - 2^{32} - 977\). Non-NIST; no suspicious random characteristics.
  • Schnorr since Taproot (BIP340, activated Nov/2021).

Addresses (forms)

Type Prefix Format
P2PKH (Pay-to-Public-Key-Hash) 1 Base58Check of HASH160(pubkey)
P2SH (Pay-to-Script-Hash) 3 Base58Check of HASH160(script)
Bech32 (SegWit v0) bc1q... BIP-173
Bech32m (Taproot, SegWit v1) bc1p... BIP-350

Base58Check

  • Alphabet: 123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz (no 0, O, I, l to avoid confusion).
  • Checksum: the first 4 bytes of SHA256(SHA256(payload)).

Bech32 / Bech32m

Christopher Allen, Pieter Wuille. BIP-173 / BIP-350. Base32 with a BCH error-correcting code. Detects typos. Bech32m fixes a Bech32 weakness with the final character.

ECDSA

Signing transactions. 256-bit secret key; pubkey is a point on the curve, compressed (33 bytes) or uncompressed (65 bytes).

Historical risk: ECDSA requires a random nonce \(k\); reuse reveals the private key. RFC 6979 (deterministic nonce via HMAC) standardized and adopted.

Schnorr (BIP340)

Adopted in Taproot (Nov/2021):

  • Simpler than ECDSA.
  • Signature aggregation via MuSig2.
  • Adaptor signatures: conditional signing.
  • Single-sig indistinguishable from N-of-N multi-sig (privacy).

Transactions / scripts

  • OP_CHECKSIG: validates ECDSA/Schnorr.
  • OP_CHECKMULTISIG: legacy multi-sig (deprecated in Taproot).
  • OP_CHECKSIGADD: new Taproot primitive.
  • Script: stack-based, intentionally not Turing-complete.

Merkle trees in blocks

  • Block merkle root = root of a tree of SHA256d(txid) of the block's txs.
  • Bloom filters in SPV: header sync without downloading all txs (BIP-37, but obsolete due to privacy issues; modern: Compact Block Filters BIP-157/158).

HD (Hierarchical Deterministic) wallets

  • BIP-32: hierarchical key derivation from a seed. m/0'/0/0 extra derivation paths.
  • BIP-39: mnemonic seeds (1215182124 words from a 2048 wordlist). PBKDF2-HMAC-SHA512 with salt mnemonic[passphrase], 2048 iterations.
  • BIP-44: multi-account coin types. m/44'/coin_type'/account'/change/address_index.

Mining (PoW)

Hash of the block header with 4 zero bytes (adjustable target):

H(version \\\| prev_block_hash \\\| merkle_root \\\| timestamp \\\| bits \\\| nonce) < target

Bitcoin difficulty adjusts every 2016 blocks (~2 weeks). 2026 global hashrate: ~700+ EH/s.


3. Ethereum — primitives

Whitepaper: Vitalik Buterin, Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform, 2013. Mainnet: Jul 30, 2015.

Hashes

  • Keccak-256: not SHA-3-256. Keccak before NIST finalized SHA-3 (which changed padding in 2014). Ethereum kept the original Keccak. Common confusion.

Curves

  • secp256k1 (same as Bitcoin) for EOA (Externally Owned Accounts) signing.
  • BLS12-381 for Ethereum 2.0 consensus (BLS signatures).
  • BN254 legacy in pre-compiles (zk-SNARKs).

Addresses

  • EOA: the last 20 bytes of Keccak-256(pubkey).
  • Contract: derived from keccak256(rlp([sender, nonce])) or, in CREATE2, from keccak256(0xff \\\| sender \\\| salt \\\| keccak256(init_code)).

EIP-155 signature

Includes the chain ID in the signature to prevent replay across chains.

EIP-712: typed structured signing

The schema lets the UI show human-readable fields to the user instead of opaque hex bytes. Adopted in DApps.

EIP-1559

Base fee + tip. The block hash includes the base fee. Not crypto per se but relevant.

Consensus crypto (Ethereum 2.0 / Beacon Chain)

BLS signatures (BLS12-381):

  • Each validator has a BLS keypair.
  • Aggregate signatures: thousands of validators → 1 signature of 96 bytes.
  • DKG (Distributed Key Generation): in pools like Lido, RocketPool.

Random Beacon: RANDAO + VDF (VDF planned, RANDAO delivers).


4. Privacy coins

Monero (XMR) — 2014

  • CryptoNote protocol base (BIP-style anonymous payments).
  • Ring signatures (Fujisaki-Suzuki, 2007): signature indistinguishable among \(N\) keys. Current: MLSAG (Multi-Layered Linkable Spontaneous Anonymous Group), CLSAG (2020), Seraphis (in research).
  • Stealth addresses: each tx generates a one-time address.
  • RingCT (Confidential Transactions): encrypted values, Pedersen commitments + range proofs.
  • Bulletproofs+ (2020): range proofs \(O(\log n)\).

Zcash (ZEC) — 2016

  • zk-SNARKs for shielded transactions:
    • Version 1 (Sprout): BCTV14 (Ben-Sasson-Chiesa-Tromer-Virza), trusted setup ceremony Pi.
    • Version 2 (Sapling, 2018): Groth16, BLS12-381, new TS ceremony Powers of Tau.
    • Version 3 (Orchard, 2022): Halo2 — no trusted setup, recursive proofs. Pasta curves.

Aztec Network, Tornado Cash (sanctioned)

zk-rollups and mixers for privacy on Ethereum. Tornado Cash sanctioned by the US OFAC in 2022 — the smart contract code banned (legally controversial).


5. zk-SNARKs / zk-STARKs in rollups

zk-SNARKs

Succinct Non-interactive Argument of Knowledge.

  • BCTV14, Groth16: small (~200 bytes), constant-time verify, trusted setup (toxic waste).
  • PLONK (2019): universal trusted setup; more flexible.
  • Halo / Halo2: recursive proofs, no trusted setup, Pasta curves (Pallas/Vesta).
  • Nova / SuperNova / HyperNova (2022–2024): folding schemes, very fast recursive accumulation.
  • Plonky2 (Polygon): STARK + PLONK hybrid.

zk-STARKs

Scalable Transparent. No trusted setup. Larger (~50 KB). Post-quantum hash-based.

  • Cairo (StarkWare) — language → STARK proofs.
  • RISC Zero — RISC-V zkVM.
  • Polygon Zero.

L2 zk-rollups (2026)

  • StarkNet — Cairo, Stark proofs.
  • zkSync Era — LLVM-based, ZK-EVM type 4.
  • Polygon zkEVM — type 3 ZK-EVM.
  • Scroll — type 2 ZK-EVM, full EVM compat.
  • Linea (ConsenSys).
  • Taiko — type 1 (bit-perfect).

ZK-EVM types (Vitalik 2022)

Type Compat Performance
Type 1 bit-perfect Ethereum slow
Type 2 EVM-equivalent better
Type 3 EVM-almost-equivalent better
Type 4 Language-level (compile Solidity) best perf, low compat

6. Other consensus crypto

Proof-of-Stake

  • Tendermint / Cosmos: Ed25519 validators, BFT consensus.
  • Algorand: VRF (verifiable random function) based on RFC 9381 chooses the committee.
  • Cardano: VRF (Praos) + KES (Key Evolving Signatures, forward-secure).
  • Solana: Ed25519, PoH (proof-of-history) with sequential SHA-256.
  • Avalanche: avalanche consensus, optional BLS.
  • Polkadot: BABE (block production VRF), GRANDPA (finality, ECVRF + Schnorr).

Proof-of-Spacetime, Proof-of-Replication

  • Filecoin: PoRep + PoSt. Heavy crypto: SNARKs en masse to prove storage.
  • Chia: VDF (proof-of-time) + proof-of-space (plot files).

Proof-of-Authority, Proof-of-Burn, Proof-of-Coverage

Various alts. Less crypto-heavy.


7. DEX / DeFi crypto building blocks

AMMs

Not crypto per se but use blockchain primitives.

Atomic swaps (HTLC)

Hashed Timelock Contract: a contract payable if the receiver reveals \(x\) with \(H(x) = h\), or refundable after a timeout.

Enables trustless cross-chain swaps: both chains accept the same \(h\). Basis of the Lightning Network.

Lightning Network (Bitcoin L2)

  • Channel = a 2-of-2 multi-sig between Alice and Bob.
  • HTLC between channels enables multi-hop payments.
  • Onion routing (Sphinx) for path privacy.
  • Bolt-12 (in dev): offers, fewer privacy leaks.

MEV protection

  • Flashbots — bundle privacy via a private mempool.
  • MEV-Share (Flashbots) — partial reveal.
  • CowSwap — batch auctions with signed off-chain orders.

8. Multisig + threshold

Bitcoin multisig

  • P2SH multisig: m-of-n OP_CHECKMULTISIG.
  • MuSig / MuSig2 (Taproot): aggregated Schnorr; multisig indistinguishable from single-sig on-chain.
  • FROST: Flexible Round-Optimized Schnorr Threshold (Komlo-Goldberg 2020).

Threshold ECDSA

Harder than threshold Schnorr (ECDSA has \(s = k^{-1}(z + r \cdot d)\) which does not compose naturally).

  • Lindell17, GG18/GG20 — interactive protocols with many rounds.
  • CGGMP21 (Canetti-Gennaro-Goldfeder-Makriyannis-Peled) — proactive refresh.
  • Doerner-Kondi-Lee-Shelat (2019/2020) — 2-party ECDSA, fewer rounds.

Used in enterprise custodial wallets (Fireblocks, Anchorage, Coinbase Prime, Sepior, Curv).


9. Stablecoin crypto

Little specific crypto:

  • USDC, USDT — centralized, based on an ERC-20 smart contract.
  • DAI — over-collateralized in ETH/wBTC.
  • FRAX, LUSD — algorithmic / overcollateralized variants.

Privacy stablecoins (Zk2-style) in research.


10. Bitcoin BIP highlights, crypto-relevant

BIP Content
BIP-32 HD wallets
BIP-39 Mnemonic seeds
BIP-44 Multi-account
BIP-66 Strict DER signatures
BIP-141 SegWit
BIP-173 Bech32 addresses
BIP-174 PSBT (Partially Signed Bitcoin Transaction)
BIP-340 Schnorr signatures
BIP-341 Taproot (P2TR)
BIP-342 Tapscript
BIP-350 Bech32m
BIP-374 (proposal) OP_VAULT

11. Ethereum EIPs, crypto-relevant

EIP Content
EIP-155 Replay protection with chain ID
EIP-191 / 712 Typed signed data
EIP-1559 Fee market
EIP-2098 Compact signature (no recovery id in y-coord)
EIP-2718 / 2930 Typed transactions, access lists
EIP-4337 Account Abstraction
EIP-4844 Proto-Danksharding (blobs)
EIP-7691 (proposed) Blob count increase

Account Abstraction (ERC-4337)

Smart contract wallets with:

  • Custom signature schemes (multisig, threshold, social recovery, post-quantum).
  • Paymasters (someone pays gas for the user).
  • Off-chain bundlers.
  • Crypto-flexibility: future schemes (BLS aggregation, PQC) without a hard fork.

12. PQC in blockchain

Biggest concern: HNDL — attackers can collect transactions today, wait for quantum, and spend the coins of anyone who revealed a pubkey (each Bitcoin tx reveals the pubkey when spending).

Solutions discussed

  • OPCHECKSIGPQ Bitcoin BIP draft (Bas Westerbaan, Filippo Valsorda 2024) — optionally add SLH-DSA, FN-DSA.
  • QuBic, QRL (Quantum Resistant Ledger) — PQC-native coins, niche adoption.
  • Ethereum: Vitalik proposed migration via Account Abstraction (each wallet can choose its signature scheme).

Realistic timeline: a PQC hard fork for Bitcoin/Ethereum expected in 2028–2032.


13. Famous incidents

Year Incident Crypto cause
2010 CVE-2010-5139 Bitcoin overflow output value overflow (not crypto)
2013 Android RNG bug Reused \(k\) in ECDSA → wallets drained
2014 Mt. Gox collapse misc. — not a crypto break
2016 The DAO hack reentrancy (not crypto)
2017 Parity multisig wallet bug accidental selfdestruct (not crypto)
2018 Bytom Counterfeit curve confusion bug
2020 KuCoin hack private key extraction (custodial)
2021 Poly Network $611M, returned. Cross-chain bridge bug.
2022 Ronin Bridge $625M. Validator key compromise.
2022 Wintermute profanity vanity address tool weak RNG
2022 Trail of Bits sgx bug in Secret Network enclave secret leak

14. Crypto-focused libraries and tooling

  • libsecp256k1 (Bitcoin Core) — gold standard secp256k1 impl.
  • rust-secp256k1 — bindings.
  • k256 (Rust Crypto) — pure-Rust secp256k1.
  • noble-curves (paulmillr) — pure-JS ECC.
  • arkworks-rs — Rust ZK toolbox (curves, polynomials, snark frameworks).
  • gnark (Consensys) — Go zkSNARK toolkit.
  • Circom + snarkjs — circuit DSL for SNARKs.
  • Cairo / cairo-lang — StarkNet smart contract language.
  • Halo2 + plonky2 — production rust SNARK libs.

15. Summary: what secures blockchain (cryptographically)

Layer Primitive
Address Hash of pubkey
Tx signature ECDSA / Schnorr / BLS / EdDSA / future PQC
Tx integrity Merkle root + block hash
Consensus SHA256d PoW (Bitcoin) or BLS+VRF (PoS)
Privacy Ring sig (Monero), zk-SNARKs (Zcash, rollups), CT
Cross-chain HTLC (atomic swap), bridges with multisig
Wallet HD wallets BIP-32/39, threshold (MPC custodial)
L2 scalability zk-rollups (Stark/Snark) or optimistic rollups (fraud proofs)
Future PQC migration via Account Abstraction (ETH), BIP draft (BTC)

16. Cross-reference

  • Hash primitives (SHA-256, Keccak, BLAKE3): 06-hash-and-mac.md.
  • ECC (secp256k1, BLS12-381, Curve25519): 05-asymmetric.md.
  • PQC migration: 08-post-quantum.md.
  • People (Satoshi, Vitalik, Wuille, Maxwell, Zooko, Bowe, Wesolowski, Komlo): 12-people.md.
  • The dedicated blockchain compendium lives in a separate directory: meta/docs/blockchain/compendium/.