Understanding Cryptography in Ethereum

The word “cryptography” originates from Greek, meaning "secret writing." However, cryptography today encompasses much more than just secret writing; it broadly refers to the study and practice of encryption. Encryption allows not only for keeping information secret but also for proving knowledge of a secret without revealing it, such as through digital signatures, or proving the authenticity of data using digital fingerprints called hashes.

Interestingly, no part of the Ethereum protocol involves encryption in the traditional sense. This design choice ensures that all communications on the Ethereum platform are transparent and readable by anyone, enabling every participant to verify updates and reach consensus. This transparency supports Ethereum’s core principles of openness and verifiability.

That said, advances in privacy and cryptographic tools have been integrated on top of Ethereum’s base layer. Technologies like zero-knowledge proofs are used in layer 2 solutions and rollups, allowing transaction data to be proven without revealing the underlying data. These technologies enhance privacy and scalability but do not encrypt the base layer communications or ledger. Some projects offer encrypted transactions and privacy-preserving smart contracts, but these are not part of Ethereum’s mainnet core protocol.

Keys and Addresses in Ethereum

Ethereum accounts come in two types: Externally Owned Accounts (EOAs) and Contracts. Ownership of Ether in EOAs is controlled through private keys, Ethereum addresses, and digital signatures.

• Private keys are secret numbers that should always remain confidential.

• Public keys are derived from private keys and are used to generate Ethereum addresses.

• Digital signatures are cryptographic proofs created using private keys to authorize transactions.

An Ethereum address is derived from the public key, which in turn is mathematically generated from the private key. The private key itself is never stored or used directly on the Ethereum system; only the Ethereum address and digital signatures appear on the blockchain.

Ethereum employs public-key cryptography, also known as asymmetric cryptography, where keys come in pairs: a public key and a private key. The public key functions like a bank account number visible to everyone, while the private key acts like a secret PIN that grants control over the account. The recipient of an Ethereum transaction is identified by their Ethereum address, which is generated from the public key portion of the key pair. Contracts, however, do not have private keys backing them.

How Public-Key Cryptography Works in Ethereum

Public-key cryptography uses mathematical functions with a unique property: they are easy to compute in one direction but practically impossible to invert without a secret piece of information. This is called a trapdoor function.

Ethereum’s cryptography is based on elliptic curve cryptography (ECC), specifically the secp256k1 curve. In this system:

• The private key (a randomly chosen number between 1 and 2²⁵⁶). Private keys are generated by selecting a secure random number within the valid range, Ethereum software typically uses the operating system’s random number generator, seeded by human-generated entropy, to produce a 256-bit random number offline. This process requires no communication with the Ethereum network or any other party.

• The public key is a point on the elliptic curve, represented by two coordinates (x,y)(x,y), calculated from the private key through elliptic curve multiplication:

$$K = k^*G$$

where

• K is the public key.

• k is the private key,

• G is a fixed generator point on the curve, and

• * is the special elliptic curve multiplicator operator.

This calculation is one-way: you can compute the public key from the private key, but not vice versa.

Digital Signatures and Transaction Authorization

The private key controls access to the Ethereum account because it is the unique piece of information needed to create a digital signature. A digital signature is a cryptographic code that proves the authenticity of a transaction or message without revealing the private key itself.

When a transaction is sent to the Ethereum network, whether to move funds or interact with smart contracts, it must be accompanied by a digital signature created using the private key corresponding to the sender’s Ethereum address. This signature verifies that the transaction was authorized by the rightful owner.

Cryptographic Hash Functions

Cryptographic hash functions are fundamental to the security and operation of Ethereum. They act like digital fingerprints, transforming any input data into a fixed-length string of characters, known as a hash. This process is essential not only for generating Ethereum addresses but also for ensuring data integrity and protecting against fraud.

At their core, cryptographic hash functions take data of any size and produce a unique, fixed-size output. Imagine putting a document through a machine that outputs a unique code representing that document; even the smallest change in the original document results in a completely different code. This property makes hash functions invaluable for verifying data authenticity.

A key feature of cryptographic hash functions is their one-way nature. Given the hash, it’s practically impossible to get the original input. The only way to find an input that matches a given hash is through brute force, i.e., trying countless possibilities, which is computationally infeasible due to the vast number of potential inputs.

Ethereum’s Hash Function: Keccak-256

Ethereum uses a specific cryptographic hash function called Keccak-256. This function was the original winner of the SHA-3 competition but differs slightly from the finalized SHA-3 standard due to changes made after Ethereum’s development began. Despite these minor differences, Keccak-256 remains a secure and widely trusted hash function within the Ethereum ecosystem.

From Public Key to Addresses

Ethereum addresses are derived from public keys using the Keccak-256 hash function. Here’s how the process works mathematically

The public key, generated from the private key, is a point on an elliptic curve represented by two coordinates (x, y). For example, a public key might look like this (hexadecimal representation):

K = 6e145ccef1033dea239875dd00dfb4fee6e3348b84985c92f103444683bae07b83b5c38e5e...

Apply the Keccak-256 hash function to the public key:

Keccak256(K) = 2a5bc342ed616b5ba5732269001d3f1ef827552ae1114027bd3ecf1f086ba0f9...

8 bits = 1 byte

4 bits = 1 hex; 2 bytes = 1 hex.
Then you keep only the last 20 bytes (40 hexadecimal characters), which is the least significant bytes, to be the Ethereum address

0x001d3f1ef827552ae1114027bd3ecf1f086ba0f9

Most often, Ethereum addresses are prefixed with 0x, which indicates that they are hexadecimal encoded. This address is what you share with others to receive Ether or interact with smart contracts. The process ensures that each address is unique and securely linked to the underlying public key and private key.

Address Format and Checksums

Unlike Bitcoin, Ethereum addresses do not include a built-in checksum by default. This means errors in typing or copying addresses can lead to lost funds. To mitigate this, Ethereum introduced EIP-55, a checksum mechanism that uses capitalization to encode a checksum within the address itself.

For example, the lowercase address:

0x001d3f1ef827552ae1114027bd3ecf1f086ba0f9

with EIP-55 checksum becomes:

0x001d3F1ef827552Ae1114027BD3ECF1f086bA0F9

Here, certain letters are capitalized based on the hash of the lowercase address, allowing wallets to detect errors with high accuracy.

Alternate Encoding: ICAP

Ethereum also supports the Inter Exchange Client Address Protocol (ICAP), which encodes Ethereum addresses in a format similar to international bank account numbers (IBAN). ICAP provides a checksummed, human-readable format for Ethereum addresses but is not yet widely adopted.

For example, the address above could be represented in ICAP as:

XE60HAMICDXSV5QXVJA7TJW47Q9CHWKJD

where "XE" denotes Ethereum, followed by a checksum and the encoded address.

In Conclusion

Cryptographic hash functions like Keccak-256 are the backbone of Ethereum’s security model. They enable the creation of unique, verifiable Ethereum addresses from public keys while ensuring data integrity and protecting against forgery. The combination of these cryptographic tools keeps Ethereum secure, transparent, and reliable for millions of users worldwide.