10 — Cryptography in Cryptocurrencies and Blockchain
An overview focused on cryptographic primitives and protocols. The dedicated blockchain compendium (next) covers architecture, consensus, smart contracts. This file: what cryptographically underpins Bitcoin, Ethereum, and variants.
1. Prehistory: Hashcash, b-money, Bit Gold
Hashcash (Adam Back, 1997)
Anti-spam via proof-of-work in email headers. The client computes a hash with \(N\) leading zeros:
Costs CPU for each email — friction for mass spammers. Basis of Bitcoin's PoW.
b-money (Wei Dai, 1998)
Informal proposal: distributed ledger, anonymous money, contracts in PoW.
Bit Gold (Nick Szabo, 1998–2005)
Concept of a currency based on chains of PoW puzzles. Never implemented.
Satoshi cites Hashcash + b-money in the Bitcoin whitepaper (does not cite Bit Gold but the influence is evident).
2. Bitcoin — primitives
Whitepaper: Satoshi Nakamoto, Bitcoin: A Peer-to-Peer Electronic Cash System, Oct 31, 2008. Genesis block: Jan 3, 2009.
Hashes
- Double SHA-256 (HASH256):
H(H(x))— used in block hashing, txid, merkle root. - RIPEMD-160 + SHA-256 (HASH160):
RIPEMD160(SHA256(x))— used in addresses (P2PKH).
Reason for double-SHA256: proactive defense against length-extension (although a non-issue in current use; it was caution).
Curves
- secp256k1 — Bitcoin's ECDSA curve. \(y^2 = x^3 + 7\) over \(\mathbb{F}_p\) with \(p = 2^{256} - 2^{32} - 977\). Non-NIST; no suspicious random characteristics.
- Schnorr since Taproot (BIP340, activated Nov/2021).
Addresses (forms)
| Type | Prefix | Format |
|---|---|---|
| P2PKH (Pay-to-Public-Key-Hash) | 1 |
Base58Check of HASH160(pubkey) |
| P2SH (Pay-to-Script-Hash) | 3 |
Base58Check of HASH160(script) |
| Bech32 (SegWit v0) | bc1q... |
BIP-173 |
| Bech32m (Taproot, SegWit v1) | bc1p... |
BIP-350 |
Base58Check
- Alphabet:
123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz(no0,O,I,lto avoid confusion). - Checksum: the first 4 bytes of
SHA256(SHA256(payload)).
Bech32 / Bech32m
Christopher Allen, Pieter Wuille. BIP-173 / BIP-350. Base32 with a BCH error-correcting code. Detects typos. Bech32m fixes a Bech32 weakness with the final character.
ECDSA
Signing transactions. 256-bit secret key; pubkey is a point on the curve, compressed (33 bytes) or uncompressed (65 bytes).
Historical risk: ECDSA requires a random nonce \(k\); reuse reveals the private key. RFC 6979 (deterministic nonce via HMAC) standardized and adopted.
Schnorr (BIP340)
Adopted in Taproot (Nov/2021):
- Simpler than ECDSA.
- Signature aggregation via MuSig2.
- Adaptor signatures: conditional signing.
- Single-sig indistinguishable from N-of-N multi-sig (privacy).
Transactions / scripts
- OP_CHECKSIG: validates ECDSA/Schnorr.
- OP_CHECKMULTISIG: legacy multi-sig (deprecated in Taproot).
- OP_CHECKSIGADD: new Taproot primitive.
- Script: stack-based, intentionally not Turing-complete.
Merkle trees in blocks
- Block merkle root = root of a tree of SHA256d(txid) of the block's txs.
- Bloom filters in SPV: header sync without downloading all txs (BIP-37, but obsolete due to privacy issues; modern: Compact Block Filters BIP-157/158).
HD (Hierarchical Deterministic) wallets
- BIP-32: hierarchical key derivation from a seed.
m/0'/0/0extra derivation paths. - BIP-39: mnemonic seeds (1215182124 words from a 2048 wordlist). PBKDF2-HMAC-SHA512 with salt
mnemonic[passphrase], 2048 iterations. - BIP-44: multi-account coin types.
m/44'/coin_type'/account'/change/address_index.
Mining (PoW)
Hash of the block header with 4 zero bytes (adjustable target):
H(version \\\| prev_block_hash \\\| merkle_root \\\| timestamp \\\| bits \\\| nonce) < targetBitcoin difficulty adjusts every 2016 blocks (~2 weeks). 2026 global hashrate: ~700+ EH/s.
3. Ethereum — primitives
Whitepaper: Vitalik Buterin, Ethereum: A Next-Generation Smart Contract and Decentralized Application Platform, 2013. Mainnet: Jul 30, 2015.
Hashes
- Keccak-256: not SHA-3-256. Keccak before NIST finalized SHA-3 (which changed padding in 2014). Ethereum kept the original Keccak. Common confusion.
Curves
- secp256k1 (same as Bitcoin) for EOA (Externally Owned Accounts) signing.
- BLS12-381 for Ethereum 2.0 consensus (BLS signatures).
- BN254 legacy in pre-compiles (zk-SNARKs).
Addresses
- EOA: the last 20 bytes of Keccak-256(pubkey).
- Contract: derived from
keccak256(rlp([sender, nonce]))or, in CREATE2, fromkeccak256(0xff \\\| sender \\\| salt \\\| keccak256(init_code)).
EIP-155 signature
Includes the chain ID in the signature to prevent replay across chains.
EIP-712: typed structured signing
The schema lets the UI show human-readable fields to the user instead of opaque hex bytes. Adopted in DApps.
EIP-1559
Base fee + tip. The block hash includes the base fee. Not crypto per se but relevant.
Consensus crypto (Ethereum 2.0 / Beacon Chain)
BLS signatures (BLS12-381):
- Each validator has a BLS keypair.
- Aggregate signatures: thousands of validators → 1 signature of 96 bytes.
- DKG (Distributed Key Generation): in pools like Lido, RocketPool.
Random Beacon: RANDAO + VDF (VDF planned, RANDAO delivers).
4. Privacy coins
Monero (XMR) — 2014
- CryptoNote protocol base (BIP-style anonymous payments).
- Ring signatures (Fujisaki-Suzuki, 2007): signature indistinguishable among \(N\) keys. Current: MLSAG (Multi-Layered Linkable Spontaneous Anonymous Group), CLSAG (2020), Seraphis (in research).
- Stealth addresses: each tx generates a one-time address.
- RingCT (Confidential Transactions): encrypted values, Pedersen commitments + range proofs.
- Bulletproofs+ (2020): range proofs \(O(\log n)\).
Zcash (ZEC) — 2016
- zk-SNARKs for shielded transactions:
- Version 1 (Sprout): BCTV14 (Ben-Sasson-Chiesa-Tromer-Virza), trusted setup ceremony Pi.
- Version 2 (Sapling, 2018): Groth16, BLS12-381, new TS ceremony Powers of Tau.
- Version 3 (Orchard, 2022): Halo2 — no trusted setup, recursive proofs. Pasta curves.
Aztec Network, Tornado Cash (sanctioned)
zk-rollups and mixers for privacy on Ethereum. Tornado Cash sanctioned by the US OFAC in 2022 — the smart contract code banned (legally controversial).
5. zk-SNARKs / zk-STARKs in rollups
zk-SNARKs
Succinct Non-interactive Argument of Knowledge.
- BCTV14, Groth16: small (~200 bytes), constant-time verify, trusted setup (toxic waste).
- PLONK (2019): universal trusted setup; more flexible.
- Halo / Halo2: recursive proofs, no trusted setup, Pasta curves (Pallas/Vesta).
- Nova / SuperNova / HyperNova (2022–2024): folding schemes, very fast recursive accumulation.
- Plonky2 (Polygon): STARK + PLONK hybrid.
zk-STARKs
Scalable Transparent. No trusted setup. Larger (~50 KB). Post-quantum hash-based.
- Cairo (StarkWare) — language → STARK proofs.
- RISC Zero — RISC-V zkVM.
- Polygon Zero.
L2 zk-rollups (2026)
- StarkNet — Cairo, Stark proofs.
- zkSync Era — LLVM-based, ZK-EVM type 4.
- Polygon zkEVM — type 3 ZK-EVM.
- Scroll — type 2 ZK-EVM, full EVM compat.
- Linea (ConsenSys).
- Taiko — type 1 (bit-perfect).
ZK-EVM types (Vitalik 2022)
| Type | Compat | Performance |
|---|---|---|
| Type 1 | bit-perfect Ethereum | slow |
| Type 2 | EVM-equivalent | better |
| Type 3 | EVM-almost-equivalent | better |
| Type 4 | Language-level (compile Solidity) | best perf, low compat |
6. Other consensus crypto
Proof-of-Stake
- Tendermint / Cosmos: Ed25519 validators, BFT consensus.
- Algorand: VRF (verifiable random function) based on RFC 9381 chooses the committee.
- Cardano: VRF (Praos) + KES (Key Evolving Signatures, forward-secure).
- Solana: Ed25519, PoH (proof-of-history) with sequential SHA-256.
- Avalanche: avalanche consensus, optional BLS.
- Polkadot: BABE (block production VRF), GRANDPA (finality, ECVRF + Schnorr).
Proof-of-Spacetime, Proof-of-Replication
- Filecoin: PoRep + PoSt. Heavy crypto: SNARKs en masse to prove storage.
- Chia: VDF (proof-of-time) + proof-of-space (plot files).
Proof-of-Authority, Proof-of-Burn, Proof-of-Coverage
Various alts. Less crypto-heavy.
7. DEX / DeFi crypto building blocks
AMMs
Not crypto per se but use blockchain primitives.
Atomic swaps (HTLC)
Hashed Timelock Contract: a contract payable if the receiver reveals \(x\) with \(H(x) = h\), or refundable after a timeout.
Enables trustless cross-chain swaps: both chains accept the same \(h\). Basis of the Lightning Network.
Lightning Network (Bitcoin L2)
- Channel = a 2-of-2 multi-sig between Alice and Bob.
- HTLC between channels enables multi-hop payments.
- Onion routing (Sphinx) for path privacy.
- Bolt-12 (in dev): offers, fewer privacy leaks.
MEV protection
- Flashbots — bundle privacy via a private mempool.
- MEV-Share (Flashbots) — partial reveal.
- CowSwap — batch auctions with signed off-chain orders.
8. Multisig + threshold
Bitcoin multisig
- P2SH multisig:
m-of-n OP_CHECKMULTISIG. - MuSig / MuSig2 (Taproot): aggregated Schnorr; multisig indistinguishable from single-sig on-chain.
- FROST: Flexible Round-Optimized Schnorr Threshold (Komlo-Goldberg 2020).
Threshold ECDSA
Harder than threshold Schnorr (ECDSA has \(s = k^{-1}(z + r \cdot d)\) which does not compose naturally).
- Lindell17, GG18/GG20 — interactive protocols with many rounds.
- CGGMP21 (Canetti-Gennaro-Goldfeder-Makriyannis-Peled) — proactive refresh.
- Doerner-Kondi-Lee-Shelat (2019/2020) — 2-party ECDSA, fewer rounds.
Used in enterprise custodial wallets (Fireblocks, Anchorage, Coinbase Prime, Sepior, Curv).
9. Stablecoin crypto
Little specific crypto:
- USDC, USDT — centralized, based on an ERC-20 smart contract.
- DAI — over-collateralized in ETH/wBTC.
- FRAX, LUSD — algorithmic / overcollateralized variants.
Privacy stablecoins (Zk2-style) in research.
10. Bitcoin BIP highlights, crypto-relevant
| BIP | Content |
|---|---|
| BIP-32 | HD wallets |
| BIP-39 | Mnemonic seeds |
| BIP-44 | Multi-account |
| BIP-66 | Strict DER signatures |
| BIP-141 | SegWit |
| BIP-173 | Bech32 addresses |
| BIP-174 | PSBT (Partially Signed Bitcoin Transaction) |
| BIP-340 | Schnorr signatures |
| BIP-341 | Taproot (P2TR) |
| BIP-342 | Tapscript |
| BIP-350 | Bech32m |
| BIP-374 (proposal) | OP_VAULT |
11. Ethereum EIPs, crypto-relevant
| EIP | Content |
|---|---|
| EIP-155 | Replay protection with chain ID |
| EIP-191 / 712 | Typed signed data |
| EIP-1559 | Fee market |
| EIP-2098 | Compact signature (no recovery id in y-coord) |
| EIP-2718 / 2930 | Typed transactions, access lists |
| EIP-4337 | Account Abstraction |
| EIP-4844 | Proto-Danksharding (blobs) |
| EIP-7691 (proposed) | Blob count increase |
Account Abstraction (ERC-4337)
Smart contract wallets with:
- Custom signature schemes (multisig, threshold, social recovery, post-quantum).
- Paymasters (someone pays gas for the user).
- Off-chain bundlers.
- Crypto-flexibility: future schemes (BLS aggregation, PQC) without a hard fork.
12. PQC in blockchain
Biggest concern: HNDL — attackers can collect transactions today, wait for quantum, and spend the coins of anyone who revealed a pubkey (each Bitcoin tx reveals the pubkey when spending).
Solutions discussed
- OPCHECKSIGPQ Bitcoin BIP draft (Bas Westerbaan, Filippo Valsorda 2024) — optionally add SLH-DSA, FN-DSA.
- QuBic, QRL (Quantum Resistant Ledger) — PQC-native coins, niche adoption.
- Ethereum: Vitalik proposed migration via Account Abstraction (each wallet can choose its signature scheme).
Realistic timeline: a PQC hard fork for Bitcoin/Ethereum expected in 2028–2032.
13. Famous incidents
| Year | Incident | Crypto cause |
|---|---|---|
| 2010 | CVE-2010-5139 Bitcoin overflow | output value overflow (not crypto) |
| 2013 | Android RNG bug | Reused \(k\) in ECDSA → wallets drained |
| 2014 | Mt. Gox collapse | misc. — not a crypto break |
| 2016 | The DAO hack | reentrancy (not crypto) |
| 2017 | Parity multisig wallet bug | accidental selfdestruct (not crypto) |
| 2018 | Bytom Counterfeit | curve confusion bug |
| 2020 | KuCoin hack | private key extraction (custodial) |
| 2021 | Poly Network | $611M, returned. Cross-chain bridge bug. |
| 2022 | Ronin Bridge | $625M. Validator key compromise. |
| 2022 | Wintermute | profanity vanity address tool weak RNG |
| 2022 | Trail of Bits sgx bug in Secret Network | enclave secret leak |
14. Crypto-focused libraries and tooling
- libsecp256k1 (Bitcoin Core) — gold standard secp256k1 impl.
- rust-secp256k1 — bindings.
- k256 (Rust Crypto) — pure-Rust secp256k1.
- noble-curves (paulmillr) — pure-JS ECC.
- arkworks-rs — Rust ZK toolbox (curves, polynomials, snark frameworks).
- gnark (Consensys) — Go zkSNARK toolkit.
- Circom + snarkjs — circuit DSL for SNARKs.
- Cairo / cairo-lang — StarkNet smart contract language.
- Halo2 + plonky2 — production rust SNARK libs.
15. Summary: what secures blockchain (cryptographically)
| Layer | Primitive |
|---|---|
| Address | Hash of pubkey |
| Tx signature | ECDSA / Schnorr / BLS / EdDSA / future PQC |
| Tx integrity | Merkle root + block hash |
| Consensus | SHA256d PoW (Bitcoin) or BLS+VRF (PoS) |
| Privacy | Ring sig (Monero), zk-SNARKs (Zcash, rollups), CT |
| Cross-chain | HTLC (atomic swap), bridges with multisig |
| Wallet | HD wallets BIP-32/39, threshold (MPC custodial) |
| L2 scalability | zk-rollups (Stark/Snark) or optimistic rollups (fraud proofs) |
| Future | PQC migration via Account Abstraction (ETH), BIP draft (BTC) |
16. Cross-reference
- Hash primitives (SHA-256, Keccak, BLAKE3):
06-hash-and-mac.md. - ECC (secp256k1, BLS12-381, Curve25519):
05-asymmetric.md. - PQC migration:
08-post-quantum.md. - People (Satoshi, Vitalik, Wuille, Maxwell, Zooko, Bowe, Wesolowski, Komlo):
12-people.md. - The dedicated blockchain compendium lives in a separate directory:
meta/docs/blockchain/compendium/.