Elliptic Curves: One Idea, Different Curves
Why Bitcoin and Ethereum use secp256k1, Monero uses Ed25519, and Zcash adds pairing curves — and how the curve choice follows from each chain's goals.
If hash functions are the connective tissue of a blockchain, elliptic curves are its beating heart. Every mainstream cryptocurrency turns a secret number into a public identity by multiplying a point on an elliptic curve. The idea is universal; the specific curve is a fingerprint. Bitcoin and Ethereum share one curve, Monero deliberately chose another, and Zcash adds a third for its zero-knowledge circuits. Understanding why reveals a lot about each chain's priorities.
What an Elliptic Curve Gives You
An elliptic curve over a finite field is just the set of points (x, y) satisfying a particular equation, plus a "point at infinity" that acts as zero. The magic is a geometric addition law: draw a line through two points and it hits the curve at a predictable third, giving you a way to "add" points. Repeat the addition x times and you get scalar multiplication, x·G. As we saw in the foundations, computing x·G is easy but inverting it (the elliptic-curve discrete logarithm problem, ECDLP) is hard. A curve gives you that hardness with much smaller keys than older systems like RSA — 256-bit elliptic-curve keys roughly match 3072-bit RSA — which is exactly why blockchains adopted it.
secp256k1: Bitcoin and Ethereum
Both Bitcoin and Ethereum use secp256k1, a short-Weierstrass curve y² = x³ + 7 over the prime field p = 2²⁵⁶ − 2³² − 977. It's a Koblitz curve, chosen partly because its special structure allows some implementation speedups. Its parameters were published by the SECG rather than by NIST, which earned it a reputation for being relatively free of "where did these constants come from?" suspicion. A public key is a point (x, y), usually compressed to the 32-byte x-coordinate plus a single bit recording the parity of y. That a single curve underpins the two largest crypto ecosystems shows how much of this is shared infrastructure rather than per-coin invention.
Curve25519 / Ed25519: Monero
Monero (via CryptoNote) builds on Ed25519, the twisted-Edwards form of Curve25519, over q = 2²⁵⁵ − 19. Its equation is −x² + y² = 1 + d·x²y². This curve was engineered by Daniel Bernstein for a different set of goals than secp256k1:
- Complete, exception-free addition. The Edwards addition formula works for all point pairs with no special cases — a major defense against subtle implementation bugs and side-channel leaks that plague Weierstrass curves.
- Speed and constant-time implementation. It was designed so a careful implementation naturally avoids secret-dependent branches and table lookups.
- Rigid, explainable constants. The parameters are derived from the curve's design goals, reducing "nothing-up-my-sleeve" doubts.
The trade-off Monero accepts is a cofactor of 8: the curve's full group is 8 times the prime-order subgroup it actually uses, so points can carry a small "torsion" component. Ignoring that has caused real bugs elsewhere, and Monero must validate key images against the prime-order subgroup to stay safe — a subtlety transparent chains never face because they don't build key images.
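To make the cofactor problem concrete, here is an added example (not Monero's code and not from the original article): toy affine twisted-Edwards arithmetic for Ed25519, a torsion point added to an honest public point, and the "L·P must be the identity" check that catches it. The helper names, the scalar 7 and the demo function are assumptions for illustration; the arithmetic is not constant-time.

```python
# Constructed example: Ed25519 in affine coordinates plus the prime-order
# subgroup check that a cofactor of 8 forces on key images. Toy code,
# not constant-time, not Monero's implementation.
Q = 2**255 - 19
D = (-121665 * pow(121666, -1, Q)) % Q
L = 2**252 + 27742317777372353535851937790883648493   # prime subgroup order
G = (15112221349535400772501151409588531511454012693041857206046113283949847762202,
     46316835694926478169428394003475163141307993866256225615783033603165251855960)
O = (0, 1)  # neutral element of the Edwards group

def on_curve(P):
    x, y = P
    return (-x * x + y * y - 1 - D * x * x * y * y) % Q == 0

def add(P1, P2):
    # Complete addition law: one formula, valid for every pair of points.
    x1, y1 = P1
    x2, y2 = P2
    t = D * x1 * x2 * y1 * y2
    x3 = (x1 * y2 + x2 * y1) * pow(1 + t, -1, Q)
    y3 = (y1 * y2 + x1 * x2) * pow(1 - t, -1, Q)
    return (x3 % Q, y3 % Q)

def mul(k, P):
    # Plain double-and-add scalar multiplication (leaks timing; demo only).
    R = O
    while k:
        if k & 1:
            R = add(R, P)
        P = add(P, P)
        k >>= 1
    return R

def in_prime_subgroup(P):
    # The validation a key image needs: on the curve AND L*P == identity.
    return on_curve(P) and mul(L, P) == O

# Small-order (torsion) points: on the curve, outside the prime-order subgroup.
T2 = (0, Q - 1)                          # order 2
T4 = (pow(2, (Q - 1) // 4, Q), 0)        # order 4: x = sqrt(-1) mod q

def demo(secret=7):
    P = mul(secret, G)       # honest public point, lies in the subgroup
    P_bad = add(P, T4)       # same point with a torsion component bolted on
    return in_prime_subgroup(P), in_prime_subgroup(P_bad)
```

`demo()` returns `(True, False)`: the honest point passes, the torsion-laden one is rejected even though it is a perfectly valid curve point.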
Why Monero Didn't Just Use secp256k1
The choice is not arbitrary. Monero needs more than signatures — it needs ring signatures, key images, and clean hash-to-point maps, all implemented in constant time to avoid leaking which ring member is real. Ed25519's complete addition law and constant-time friendliness make those advanced constructions far safer to build. In other words, Bitcoin picked a curve that's great for ordinary signatures; Monero picked one that's great for privacy primitives. The curve choice is downstream of the privacy goal.
JubJub and the Pairing Curves: Zcash's Extra Layer
Zcash is a useful contrast because it needs two kinds of curves. Its signatures and transparent addresses use secp256k1 like Bitcoin, but its shielded zero-knowledge proofs need special pairing-friendly curves (historically BN254, now BLS12-381) plus an in-circuit curve called JubJub embedded inside the proof system. Pairings enable the zk-SNARKs that hide Zcash's shielded transactions, but they rest on extra hardness assumptions beyond the plain discrete log. Monero pointedly avoids pairings and trusted setup, choosing to get its privacy from clever use of one ordinary curve instead. Same overarching toolbox, very different bet on which assumptions to trust.
The Takeaway
Across Bitcoin, Ethereum, Zcash and Monero, "an elliptic curve secures the keys" is universal; the curve is a design statement. secp256k1 says "fast, conservative signatures." Ed25519 says "safe, constant-time privacy primitives." BLS12-381 says "I'm willing to add pairings to get zero-knowledge." With the curve fixed, the next question is how each chain actually signs with it — and that's where ownership, and the first cracks in privacy, appear.