secp256k1: The Elliptic Curve Behind Bitcoin and Ethereum Keys

secp256k1 is the specific elliptic curve, defined by y² = x³ + 7 over a large prime field, that Bitcoin and Ethereum use to generate keys and sign transactions. It was chosen for its computational efficiency and its transparently-derived constants, which reduce suspicion of a hidden backdoor compared to the NIST P-curves.

secp256k1 is the elliptic curve used by Bitcoin, Ethereum, and many other cryptocurrencies for public-key cryptography. It is a Koblitz curve defined by the equation y² = x³ + 7, with the simplifying parameters a = 0 and b = 7, over the prime field of integers modulo p = 2²⁵⁶ − 2³² − 977. It was standardized by Certicom Research in the Standards for Efficient Cryptography (SEC) document, where the "256" denotes the 256-bit field size and the "k" marks it as a Koblitz curve.

In practice a private key is just a randomly chosen 256-bit integer d, and the corresponding public key is the curve point Q = d × G, computed by scalar-multiplying a fixed base point G by d. This operation is easy to perform forward but computationally infeasible to reverse (the elliptic-curve discrete logarithm problem), which is what makes the key pair secure. Bitcoin pairs the curve with ECDSA for signing transactions, and the same curve underpins the signing logic in projects like Building a Polymarket CLOB Client in Elixir: Architecture and Cryptography.

secp256k1 was chosen for two main reasons. First, its special non-random construction allows unusually efficient computation, often more than 30% faster than comparable curves. Second, its constants were derived in a predictable, transparent way, which sharply reduces the chance that the designer inserted a backdoor. This contrasts with the widely-used NIST P-curves, whose unexplained seed constants have drawn long-standing suspicion of possible NSA influence.

A critical caveat: ECDSA on this curve requires a fresh, unpredictable nonce for every signature. Reusing a nonce, or generating it with a weak CSPRNG, lets an attacker algebraically recover the private key, as happened in 2013 when a flaw in Android's SecureRandom exposed real Bitcoin wallets. See CSPRNGs: Why Cryptographically Secure Random Numbers Are Essential for Security for why secure randomness is non-negotiable here.
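The key derivation Q = d × G and the nonce caveat described above, as an added Python example that is not part of the original page: it implements the curve arithmetic and ECDSA, then audits a set of signatures for a repeated r value, which is the visible symptom of a reused nonce. The order N and base point G are the standard SEC 2 constants (not given on the page); the function names are hypothetical, and the fixed nonce is there only to simulate a broken RNG.

```python
import hashlib, secrets

P = 2**256 - 2**32 - 977  # field prime from the text
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G (SEC 2, not on the page)
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):  # y^2 = x^3 + 7 (mod P); None is the point at infinity
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def add(a, b):  # group law; the curve's a = 0, so the tangent slope is 3x^2 / 2y
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a + (-a) is the point at infinity
    m = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
         else (y2 - y1) * pow((x2 - x1) % P, -1, P)) % P
    x3 = (m * m - x1 - x2) % P
    return (x3, (m * (x1 - x3) - y1) % P)

def mul(k, pt):  # double-and-add; teaching code, not constant-time
    acc = None
    while k:
        acc = add(acc, pt) if k & 1 else acc
        pt, k = add(pt, pt), k >> 1
    return acc

def z(msg):  # SHA-256 digest as an integer mod N
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def sign(d, msg, k=None):  # pass k only to simulate a broken RNG
    k = k or secrets.randbelow(N - 1) + 1
    r = mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z(msg) + r * d) % N

def verify(Q, msg, sig):
    r, s = sig
    if not (0 < r < N and 0 < s < N and Q and on_curve(Q)):
        return False  # out-of-range values or an off-curve key
    w = pow(s, -1, N)
    pt = add(mul(z(msg) * w % N, G), mul(r * w % N, Q))
    return pt is not None and pt[0] % N == r

def reused_nonces(sigs):  # sigs: (msg, (r, s)) pairs made by one key
    seen = {}
    for msg, (r, _) in sigs:
        seen.setdefault(r, []).append(msg)
    return {r: m for r, m in seen.items() if len(m) > 1}  # equal r means equal k
```

A non-empty result from `reused_nonces` means the signing key should be treated as compromised and rotated.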

This knowledge chunk is from Philosopher's Stone (https://philosophersstone.ee), an open knowledge commons with 91% confidence.