Cryptographic Foundations
Introduction to Blockchain Cryptography
Cryptography forms the mathematical backbone of blockchain technology. It provides the tools for securing transactions, proving ownership, ensuring data integrity, and maintaining privacy. Understanding these cryptographic primitives is essential for comprehending how blockchains achieve trustless security.
Blockchain systems rely on three primary cryptographic tools: hash functions for data integrity and linking blocks, digital signatures for authentication and authorization, and public-key cryptography for secure key exchange and address generation.
Cryptographic Hash Functions
A cryptographic hash function takes an input of any size and produces a fixed-size output (the hash or digest). Hash functions are fundamental to blockchain, used for creating block links, Merkle trees, proof-of-work, and address generation.
Essential Properties
- Deterministic: The same input always produces the same output
- Fast computation: Computing the hash is efficient
- Pre-image resistance: Given a hash, it's infeasible to find the original input
- Second pre-image resistance: Given an input, it's infeasible to find another input with the same hash
- Collision resistance: It's infeasible to find two different inputs with the same hash
- Avalanche effect: Small input changes cause dramatic output changes
Notice how a single character change produces a completely different hash - this is the avalanche effect.
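The following is an added example (not code from the original page) that makes the properties above concrete: it hashes two constructed messages that differ in one character and counts how many of the 256 output bits changed, and it builds a toy hash chain to show how committing to the previous block's hash turns any later edit into a detectable break. The payload strings and the all-zero genesis reference are constructed for the demo.

```python
import hashlib


def sha256_hex(data: bytes) -> str:
    """Deterministic 256-bit fingerprint of arbitrary-length input."""
    return hashlib.sha256(data).hexdigest()


def hamming_distance_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions in which two equal-length digests differ."""
    if len(a) != len(b):
        raise ValueError("digests must have equal length")
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def avalanche_report(msg_a: bytes, msg_b: bytes) -> dict:
    """Hash two messages and report how many of the 256 output bits changed."""
    da = hashlib.sha256(msg_a).digest()
    db = hashlib.sha256(msg_b).digest()
    return {
        "digest_a": da.hex(),
        "digest_b": db.hex(),
        "bits_changed": hamming_distance_bits(da, db),
        "total_bits": len(da) * 8,
    }


def link_blocks(payloads):
    """Toy hash chain: every block commits to the previous block's hash,
    which is what makes a tamper anywhere in the history detectable."""
    chain = []
    prev_hash = "0" * 64  # constructed genesis reference
    for payload in payloads:
        block = {"prev_hash": prev_hash, "payload": payload}
        block["hash"] = sha256_hex((block["prev_hash"] + block["payload"]).encode())
        chain.append(block)
        prev_hash = block["hash"]
    return chain


def chain_is_valid(chain) -> bool:
    """Recompute every link; an edited payload or a dangling pointer fails."""
    prev_hash = "0" * 64
    for block in chain:
        expected = sha256_hex((prev_hash + block["payload"]).encode())
        if block["prev_hash"] != prev_hash or block["hash"] != expected:
            return False
        prev_hash = block["hash"]
    return True


# constructed sample inputs: one character differs
MSG_A = b"Pay 10 BTC to Alice"
MSG_B = b"Pay 11 BTC to Alice"

if __name__ == "__main__":
    print(avalanche_report(MSG_A, MSG_B))
    chain = link_blocks(["tx-batch-1", "tx-batch-2", "tx-batch-3"])
    print("valid before edit:", chain_is_valid(chain))
    chain[1]["payload"] = "tx-batch-2 (edited)"
    print("valid after edit:", chain_is_valid(chain))
```

On a good hash, roughly half of the output bits flip for a one-character change; a validator that recomputes every link, as `chain_is_valid` does, catches both a silently edited payload and the case where an attacker rewrites one block's hash but cannot update every block that points at it.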
Common Hash Functions in Blockchain
- SHA-256: Used by Bitcoin for block hashing and mining (256-bit output)
- Keccak-256: Used by Ethereum, differs slightly from SHA-3 (256-bit output)
- RIPEMD-160: Used with SHA-256 in Bitcoin addresses (160-bit output)
- Blake2: Used by Zcash and other privacy coins (variable output)
Public-Key Cryptography
Public-key cryptography (asymmetric cryptography) uses mathematically related key pairs: a public key that can be shared freely and a private key that must be kept secret. This enables secure communication and digital signatures without pre-shared secrets.
- Private key: a 256-bit random number - never share this!
- Public key: derived from the private key using elliptic curve math
Elliptic Curve Cryptography (ECC)
Most blockchains use Elliptic Curve Cryptography rather than RSA because ECC provides equivalent security with much smaller key sizes. Bitcoin and Ethereum use the secp256k1 curve, while some systems use Ed25519 for its performance benefits.
The security of public-key cryptography relies on mathematical "trapdoor" functions: operations that are easy to compute in one direction but computationally infeasible to reverse. In ECC, multiplying a point by a scalar is easy, but finding the scalar given the result (the discrete logarithm problem) is extremely difficult.
Address Generation
Blockchain addresses are derived from public keys through a series of hash operations. This provides a shorter, more user-friendly identifier while adding an extra layer of security.
Digital Signatures
Digital signatures provide authentication (proving who signed), integrity (proving the message wasn't altered), and non-repudiation (the signer cannot deny signing). In blockchain, digital signatures authorize transactions without revealing the private key.
- Sender creates transaction data (recipient, amount, etc.)
- Transaction data is hashed to create a fixed-size digest
- Private key + hash creates the digital signature (r, s values)
- Transaction + signature sent to network for verification
- Nodes use public key to verify signature matches transaction
ECDSA (Elliptic Curve Digital Signature Algorithm)
Bitcoin uses ECDSA for transaction signing. The signature consists of two values (r, s) that together prove the signer knows the private key corresponding to the public key, without revealing the private key itself.
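The following is an added example (not code from the original page) that walks through the Address Generation and ECDSA sections end to end on secp256k1 in pure Python: private key generation, public key derivation by scalar multiplication (the easy direction of the trapdoor), an address as the last 20 bytes of a hash over the public key, and ECDSA signing and verification of a constructed message. The curve constants are the standard public domain parameters. One stated substitution: Ethereum hashes the public key with Keccak-256, which `hashlib` does not ship, so FIPS SHA3-256 stands in and the resulting address will not match a real Ethereum address for the same key.

```python
import hashlib
import secrets

# secp256k1 domain parameters (standard public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def is_on_curve(pt) -> bool:
    """y^2 = x^3 + 7 over the prime field; None is the point at infinity."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - x * x * x - 7) % P == 0


def point_add(p1, p2):
    """Affine point addition (handles doubling and the identity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k: int, pt):
    """Double-and-add: k*pt is cheap, recovering k from k*pt is the ECDLP."""
    result, addend = None, pt
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def generate_private_key() -> int:
    """A private key is a CSPRNG-chosen integer in [1, N-1]."""
    return secrets.randbelow(N - 1) + 1


def derive_public_key(priv: int):
    return scalar_mult(priv, G)


def public_key_to_address(pub) -> str:
    """Last 20 bytes of a hash over the 64-byte x||y public key.
    Assumption: SHA3-256 stands in for Ethereum's Keccak-256 (not in hashlib)."""
    x, y = pub
    raw = x.to_bytes(32, "big") + y.to_bytes(32, "big")
    return hashlib.sha3_256(raw).digest()[-20:].hex()


def sign(priv: int, message: bytes):
    """ECDSA over SHA-256(message); returns the (r, s) pair."""
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1  # fresh per-signature nonce
        r = scalar_mult(k, G)[0] % N
        if r == 0:
            continue
        s = pow(k, -1, N) * (z + r * priv) % N
        if s == 0:
            continue
        # Bitcoin's low-s rule: (r, s) and (r, N-s) both verify, so
        # canonicalise to the smaller s to remove that malleability
        if s > N // 2:
            s = N - s
        return (r, s)


def verify(pub, message: bytes, sig) -> bool:
    """Standard ECDSA verification using only the public key."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N) or pub is None or not is_on_curve(pub):
        return False
    z = int.from_bytes(hashlib.sha256(message).digest(), "big")
    w = pow(s, -1, N)
    u1, u2 = z * w % N, r * w % N
    R = point_add(scalar_mult(u1, G), scalar_mult(u2, pub))
    return R is not None and R[0] % N == r


if __name__ == "__main__":
    priv = generate_private_key()
    pub = derive_public_key(priv)
    print("address:", public_key_to_address(pub))
    msg = b"send 1 coin to alice"  # constructed transaction payload
    sig = sign(priv, msg)
    print("valid:", verify(pub, msg, sig))
    print("tampered:", verify(pub, b"send 9 coin to alice", sig))
```

The verifier never sees the private key or the nonce; it only checks that `(r, s)` is consistent with the public key and the message digest, which is why a single changed byte in the transaction fails. The low-s normalisation in `sign` matters for deployment: without it two distinct valid encodings of the same signature exist, which is the malleability the page later contrasts with Schnorr.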
Schnorr Signatures
Schnorr signatures, added to Bitcoin in the Taproot upgrade, offer several advantages over ECDSA:
- Linearity: Multiple signatures can be combined into one (signature aggregation)
- Smaller size: Single signatures are slightly smaller than ECDSA
- Provable security: Security proof under standard assumptions
- Non-malleability: Signatures cannot be modified by third parties
Key Management and Wallets
Secure key management is critical in blockchain systems. Since private keys control funds and there's no "forgot password" option, proper key storage and backup procedures are essential.
Hierarchical Deterministic (HD) Wallets
HD wallets (BIP-32/44) generate an entire tree of key pairs from a single seed, typically represented as a mnemonic phrase (12-24 words). This enables:
- Single backup: One seed backs up unlimited addresses
- Address privacy: New addresses for each transaction
- Account organization: Hierarchical structure for multiple accounts
- Deterministic recovery: Same seed always generates same keys
A 12-word seed phrase encodes 128 bits of entropy - this seed phrase controls all derived keys.
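The following is an added example (not code from the original page) that shows the two derivation steps behind an HD wallet: BIP-39 turns raw entropy into 11-bit word indices with a SHA-256 checksum (the 2048-word list itself is not embedded, so indices rather than words are returned) and stretches the mnemonic into a 64-byte seed with PBKDF2; BIP-32 then derives a master key and hardened children with HMAC-SHA512. The 16-byte seed `000102...0f` used in the usage section is the public BIP-32 test vector; the derivation path is an assumption chosen for illustration.

```python
import hashlib
import hmac

# secp256k1 group order: private keys are integers modulo this
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
HARDENED = 0x80000000


def entropy_to_word_indices(entropy: bytes) -> list:
    """BIP-39: append a checksum of (bits/32) bits taken from SHA-256(entropy),
    then cut the bit string into 11-bit indices into the 2048-word list."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128-256 bits in 32-bit steps")
    checksum_bits = len(entropy) * 8 // 32
    digest = hashlib.sha256(entropy).digest()
    bits = "".join(f"{b:08b}" for b in entropy)
    bits += "".join(f"{b:08b}" for b in digest)[:checksum_bits]
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]


def mnemonic_to_seed(mnemonic: str, passphrase: str = "") -> bytes:
    """BIP-39 seed: PBKDF2-HMAC-SHA512, 2048 rounds, salt 'mnemonic'||passphrase."""
    return hashlib.pbkdf2_hmac("sha512", mnemonic.encode("utf-8"),
                               ("mnemonic" + passphrase).encode("utf-8"), 2048, 64)


def master_key_from_seed(seed: bytes):
    """BIP-32 master: HMAC-SHA512 keyed with 'Bitcoin seed'; left half is the
    master private key, right half the chain code."""
    I = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(I[:32], "big")
    if k == 0 or k >= N:
        raise ValueError("invalid master key; use a different seed")
    return k, I[32:]


def derive_hardened_child(k_par: int, c_par: bytes, index: int):
    """BIP-32 hardened child (index >= 2^31). The parent private key, not the
    public key, feeds the HMAC, so a leaked child key plus the parent chain
    code cannot be combined to recover the parent key."""
    if index < HARDENED:
        raise ValueError("this helper only derives hardened children")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    I = hmac.new(c_par, data, hashlib.sha512).digest()
    il = int.from_bytes(I[:32], "big")
    k_child = (il + k_par) % N
    if il >= N or k_child == 0:
        raise ValueError("invalid child; BIP-32 says skip to the next index")
    return k_child, I[32:]


def derive_path(seed: bytes, path: str):
    """Walk a hardened-only path such as m/44'/0'/0' (assumed example path)."""
    k, c = master_key_from_seed(seed)
    for level in path.split("/")[1:]:
        if not level.endswith("'"):
            raise ValueError("non-hardened levels need public-key math; not shown")
        k, c = derive_hardened_child(k, c, HARDENED + int(level[:-1]))
    return k, c


if __name__ == "__main__":
    print("all-zero entropy ->", entropy_to_word_indices(bytes(16)))
    seed = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # BIP-32 test vector 1
    k, c = master_key_from_seed(seed)
    print("master key:", hex(k), "chain code:", c.hex())
    print("m/44'/0'/0':", hex(derive_path(seed, "m/44'/0'/0'")[0]))
```

Because every level is a deterministic function of the seed, one backup of the seed phrase recovers the whole tree; conversely the seed, and the master chain code, deserve the same protection as a private key, since both are enough to rebuild every derived key.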
Multi-Signature Schemes
Multi-signature (multisig) requires multiple private keys to authorize a transaction. Common configurations include 2-of-3 (any two of three keyholders must sign) for added security without single points of failure.
Key Takeaways
- Hash functions create unique fingerprints of data, enabling tamper detection and efficient data comparison.
- Public-key cryptography enables secure transactions without sharing secret keys, using mathematically linked key pairs.
- Digital signatures prove ownership and authorize transactions without revealing private keys.
- HD wallets simplify key management by deriving unlimited keys from a single seed phrase.
- Private key security is paramount - loss means permanent loss of funds, compromise means total loss of security.