# secp256k1 from Scratch — Learning Plan

Building Schnorr signatures on secp256k1 in Go, from first principles.

**Goal:** Understand the math deeply, not just copy formulas. End with a working (non-production) implementation compatible with Bitcoin Taproot and Nostr.

---

## Progress

### Part 1: Foundations
- [x] **Modular arithmetic** — clock math, remainders, finite sets
- [x] **Modular division/inverses** — finding multiplicative inverses
- [x] **What is an elliptic curve** — y² = x³ + 7, points as (x, y) pairs

### Part 2: Curve Operations
- [x] **Point addition** — adding two points geometrically and algebraically
- [x] **Point doubling** — special case when adding a point to itself
- [x] **The point at infinity** — identity element (like zero for addition)
- [x] **Scalar multiplication** — multiplying a point by an integer (repeated addition)

### Part 3: Key Pairs
- [x] **Generator point G** — the "starting point" everyone uses
- [x] **Private key** — just a random big number
- [x] **Public key** — private key × G (scalar multiplication)
- [x] **Why it's hard to reverse** — the discrete log problem

### Part 4: Schnorr Signatures (BIP-340)
- [ ] **X-only public keys** — 32 bytes, implicit even y
- [ ] **The signing algorithm** — nonce, challenge, response
- [ ] **Why random nonce matters** — reuse = leaked private key
- [ ] **The verification equation** — checking without knowing the private key
- [ ] **Tagged hashes** — domain separation for security

### Part 5: Serialization
- [ ] **Bech32 encoding** — human-readable format (npub, nsec)
- [ ] **Hex and bytes** — raw formats

---

## Files

| File | Description |
|------|-------------|
| `field.go` | Modular arithmetic (mod p) |
| `point.go` | Curve points and operations |
| `keys.go` | Private/public key generation |
| `schnorr.go` | Schnorr signing and verification (TODO) |

---

## Compatibility

This implementation targets:
- **Bitcoin Taproot** (BIP-340 Schnorr)
- **Nostr** (NIP-01 uses BIP-340)

Not implemented: ECDSA (used by legacy Bitcoin, Ethereum)

---

## Resources

- [BIP-340: Schnorr Signatures](https://github.com/bitcoin/bips/blob/master/bip-0340.mediawiki)
- secp256k1 parameters: p, n, G coordinates
- Test vectors from BIP-340 for verification

---

## Notes

*Learning project — do not use for real money or keys.*