secp256k1: The Mechanism That Secures Bitcoin Signatures
How do you prove control of a UTXO without revealing the secret that protects it?
By mordom
It is one of the most fascinating questions of the entire Bitcoin protocol.
Every time you send a transaction, thousands of nodes must verify that you truly have the right to spend those UTXOs. Yet, no one knows your identity and, above all, no one must ever see your private key.
It seems like a paradox: how can you prove you possess a secret without revealing it?
The answer lies in digital signatures, made possible by an algorithm called ECDSA and a specific elliptic curve known as secp256k1.
To understand how it works, you don’t need to study the mathematics behind it. You just need to follow the path of a transaction from the moment you press “Send” until its verification by the network.
The Problem to Solve
Bitcoin cannot trust what a transaction claims.
Each node must be able to independently verify that whoever is spending certain UTXOs actually has control over them.
The simplest solution would be to ask for the private key, but it would also be the worst.
The private key is the sole element that proves control of the bitcoins: if it were transmitted over the network, anyone could copy it and use it to sign new transactions.
Therefore, Bitcoin had to solve a seemingly impossible problem: proving possession of the private key without ever disclosing it.
This is exactly what a digital signature does.
Asymmetric Cryptography
At the foundation of this mechanism is asymmetric cryptography.
Unlike traditional cryptography, which uses a single key to encrypt and decrypt information, here there are two keys:
- A private key, which must remain secret;
- A public key, which can be shared with anyone.
The two keys are mathematically linked, but only in one direction: it is possible to derive the public key from the private key, while the reverse path is considered computationally infeasible.
This asymmetry is the reason why Bitcoin can verify a signature without knowing the secret that generated it.
The Four Elements of a Digital Signature

Every digital signature involves four elements:
- The private key generates the signature.
- The public key allows it to be verified.
- The transaction is the message to be authorized.
- The digital signature is the cryptographic proof that demonstrates possession of the private key.
The signature does not contain the private key, nor does it replace it.
It is simply the mathematical proof that that specific transaction was authorized by the legitimate owner.
What Happens When You Press “Send”
When you confirm a payment, the wallet builds the transaction with all its elements: inputs, outputs, amounts, and fee.
At this point, it does not sign the transaction directly.
First, it calculates its hash by applying the SHA-256 algorithm twice. The result is a 32-byte value that uniquely represents that transaction.
It is this hash that gets signed via ECDSA, using your private key.
If even a single byte of the transaction were modified—an amount, an output, or even the fee—the hash would change completely, and the signature would no longer be valid.
The wallet then sends three elements: the transaction, the digital signature, and the public key needed to verify it.
From this moment on, control passes to the network nodes.
What Nodes Actually Verify

When you receive bitcoin at a standard address, the blockchain does not directly contain your public key, but rather its hash (HASH160).
When you spend that UTXO, you must instead reveal the public key and attach the digital signature.
At that point, every node performs two verifications:
- The first consists of recalculating the hash of the public key and verifying that it matches the one required by the UTXO’s locking script. In this way, the node ensures that the public key truly belongs to the intended owner.
- The second consists of verifying the digital signature. The node recalculates the hash of the transaction and checks, using the public key, that the signature is valid.
Only if both verifications are successful is the UTXO considered legitimately spent.
At no point does the node need your private key.
Where ECDSA and secp256k1 Come Into Play

At this point, we can name the tools that make all of this possible.
ECDSA (Elliptic Curve Digital Signature Algorithm) is the digital signature algorithm used by Bitcoin. It defines the rules for creating a signature from a private key and verifying it using the corresponding public key.
But ECDSA alone is not enough. To function, it needs a mathematical structure to operate upon. This structure is secp256k1.
Contrary to what is often read, secp256k1 is not an algorithm. It is the name of the elliptic curve chosen by Satoshi Nakamoto as the foundation for Bitcoin’s system of keys and signatures.
A good analogy is this: ECDSA is the rulebook of a chess game, while secp256k1 is the chessboard on which that game is played. The rules do not change, but they need a mathematical environment that makes them possible.
Every digital signature created by a Bitcoin wallet is therefore born from the union of these two elements: ECDSA defines the process, and secp256k1 constitutes its mathematical foundation.
Why This System Is So Secure
Bitcoin’s security does not stem from the verification being difficult. On the contrary, verifying a signature requires a minimal amount of computation.
The hard part is the inverse problem: deriving the private key starting from the public key.
Indeed, the security of secp256k1 is based on a mathematical problem known as the Elliptic Curve Discrete Logarithm Problem (ECDLP).
To grasp the concept, imagine a normal clock. If it is 3 o’clock and you add 8 hours, you immediately know you will arrive at 11 o’clock. The operation is simple.
Now, imagine seeing only the 11 o’clock position and having to reconstruct how many times the clock hands completed a full circle before getting there. It could have been 8 hours, or 20, 32, 44, and so on. The information about the path has been lost.
On elliptic curves, the principle is much more sophisticated, but the idea is similar: obtaining the public key from the private key is a simple operation, while performing the reverse path is considered computationally infeasible.
It is precisely this asymmetry that makes public-key cryptography—and consequently Bitcoin’s digital signatures—possible.
What About Quantum Computers?
Every now and then, you hear that quantum computers will “break Bitcoin.” The reality is more nuanced.
Shor‘s algorithm is theoretically capable of solving the mathematical problem on which ECDSA and secp256k1 are based, making current digital signature schemes vulnerable.
Grover‘s algorithm, on the other hand, concerns hashing algorithms like SHA-256: it does not break them, but it reduces their theoretical security, though still requiring an enormous amount of computation.
Today, there are no quantum computers capable of concretely putting Bitcoin at risk. If this scenario were to draw closer in the future, the protocol would have plenty of time to adopt quantum-resistant signature schemes before the threat becomes real.
Conclusion
Every time you send bitcoin, your wallet proves to the network that it possesses the private key without ever showing it.
The network does not trust the wallet, it does not trust the user, and it does not trust a central authority. It merely verifies a mathematical proof. This is the elegance of Bitcoin’s digital signatures.
ECDSA defines how to create that proof. secp256k1 provides the mathematical foundation that makes it secure.
And thanks to this combination, millions of people can transfer value every day without having to ask anyone for permission and without ever revealing their secret.
Technical Clarifications
In this article, we deliberately simplified two aspects to keep the mental model of digital signatures clear.
1. The Discrete Logarithm and a Real-World Analogy
The clock example serves to intuitively grasp a general idea: some operations are easy forward but hard to reverse.
The actual mathematical problem underpinning the security of ECDSA on secp256k1 is the Elliptic Curve Discrete Logarithm Problem (ECDLP). To bring it closer to something more concrete, we can use a slightly different analogy.
Imagine a very long sequence of mandatory steps, like a series of numbered doors to cross:
- You start at Door 1.
- At each step, you apply a fixed rule that always sends you to the next door in a deterministic way.
If you know the starting point and the number of steps, reaching the final door is simple.
But now, reverse the problem: you find yourself in front of the final door, and you have to figure out how many steps were taken starting from Door 1.
There is no “quick trick” to trace it back; the only general method is to try all possibilities.
In the case of elliptic curves, the “doors” are not numbers but mathematical points, and the step rule is a specific curve operation.
The principle, however, remains the same: going forward is efficient, going backward is not.
This asymmetry is what makes public keys secure in Bitcoin.
2. Is the Public Key Always Revealed?
In the main body of the article, we simplified by saying that the wallet sends the public key along with the signature. This is a good approximation for many common cases, but the actual behavior depends on the script type.
In the most widespread models like P2PKH and P2WPKH, the public key is not visible in the UTXO: it is revealed only when the output is spent, and the node compares it with the hash present in the locking script.
In other cases, such as Taproot (P2TR), the structure is different: the public key is represented in an “x-only” form, and the verification follows slightly different, more compact rules.
These details do not change the central point of the article: the network never needs the private key to verify a signature, regardless of the script used.
These two clarifications serve only to refine the mental model.
In the day-to-day operation of Bitcoin, what matters remains unchanged: a signature can be publicly verified, but only a private key can generate it.
And it is precisely this asymmetry that makes the whole system possible.

