Public Keys

What is a public key?

A public key is the counterpart to a private key.

And similar to a private key, it's displayed as a hexadecimal string.

For example:

02df9ecaa3d48a6ab94b2048a6d538f0e09093aa6c035c03ecf7007a1fb8ecdb52

If we didn't end up shortening this public key to an address, this would be the "account number" that you send bitcoins to when making a transaction.

Anyway, here's the interesting part: your public key is calculated from your private key.

How do you get a public key from a private key?

You insert a private key in to a special mathematical function, and the result is a public key.

What is this function?

It's called elliptic curve multiplication.

This basically involves "bouncing" around the graph of an elliptic curve until you end up at a final set of co-ordinates on the graph, and these resulting co-ordinates are your public key.

It'll be easier if I show you...

What does an elliptic curve look like?

Like this:

A simple graph showing the shape of an elliptic curve.

Furthermore, the elliptic curve used in Bitcoin comes with a specific starting point.

A simple graph showing the generator point on an elliptic curve.

We call this starting point the generator point (G).

And if we were to do some "multiplication" on this curve (e.g. "multiplying" the starting point by 2), we would move around the curve like this.

Diagram showing elliptic curve multiplication.

The fact that we can draw a tangent anywhere on the curve and it intersects one other point on the curve is a special feature of elliptic curves.

And there we have it. We have just "multiplied" the starting co-ordinate G by 2, and found the position of the final co-ordinate 2G.

This is one round of elliptic curve multiplication.

Elliptic curve multiplication

I keep putting "multiplication" inside quotes, because multiplication on elliptic curves is not standard multiplication. For example, if you were to multiply the co-ordinates of G by 2, it would not give you the co-ordinates of 2G (as shown on the graph).

You see, the geniuses who found out that you can move around the curve in this specific way had to call it something, so they to decided refer to this operation as "multiplication". Because, you know, mathematics can never be confusing enough.

So when I say "multiplication" from now on, I mean "elliptic curve multiplication".

How do you create a public key?

In the above example we multiplied G by 2 to get 2G.

To get a public key, we multiply G by our private key.

private key = 3014565d5a2789052bce6a4b062360b71be9e56452e2bfaeb6b66541ca9cbe1e
private key = 21746949740247588464582174233665662679461437709077398188383546305836452986398

public key  = 21746949740247588464582174233665662679461437709077398188383546305836452986398 * G
EC Multiply

Or in other words, "bounce around the elliptic curve private key number of times".

Diagram showing multiplication on an elliptic curve.

The final resting point on the elliptic curve will give you a set of co-ordinates, and these co-ordinates form the public key.

So if these are the co-ordinates we end up with after multiplying G by our private key:

x = 101146325639919895010265101589200403910900380568761154633855409686835821861714
y = 61841003053972934622408872206127128686168589959368900660495044320717704179230

Then all we have to do is convert both to hexadecimal and smush them together...

public key (x) = df9ecaa3d48a6ab94b2048a6d538f0e09093aa6c035c03ecf7007a1fb8ecdb52
public key (y) = 88b8c470ecbd1576d062cc7de4efc4dbd1ff95c7b66ce64f8a94cbf71dceae1e

public key (x,y) = df9ecaa3d48a6ab94b2048a6d538f0e09093aa6c035c03ecf7007a1fb8ecdb5288b8c470ecbd1576d062cc7de4efc4dbd1ff95c7b66ce64f8a94cbf71dceae1e
Public Key

And ta da! A public key!

Public key format

This is the old (long) format of public key, which means I've got to put an 04 at the start. Like this:

public key = 04df9ecaa3d48a6ab94b2048a6d538f0e09093aa6c035c03ecf7007a1fb8ecdb5288b8c470ecbd1576d062cc7de4efc4dbd1ff95c7b66ce64f8a94cbf71dceae1e

To find out why this is the case, I'm afraid you're going to have to read through the section about compressed public keys.

Compressed Public Keys

To save space, public keys (these days) use the full x co-ordinate only.

This is because the elliptic curve is an equation (y^2 = x^3 + 7), which means that if you have the x co-ordinate, you can work out the corresponding y co-ordinate.

However, due to the y^2 part of the equation, the y could be a positive or negative number:

Diagram showing two possible y-coordinates for a given x coordinate on the elliptic curve.

So the only extra information you need to find the correct y co-ordinate is to know whether the y co-ordinate is above or below the x-axis. And due to the way elliptic curves work:

So instead of having to store both the full x and y co-ordinates, you can just store the full x co-ordinate, and whether the y co-ordinate is even or odd.

In Bitcoin, the polarity of the y co-ordinate is represented by a prefix:

Diagram showing how a prefix is used to represent one of two possible y-coordinates on the elliptic curve.

So whereas an old-school uncompressed public key will begin with 04, a compressed public key will begin with either 02 or 03:

public key (uncompressed) = 04df9ecaa3d48a6ab94b2048a6d538f0e09093aa6c035c03ecf7007a1fb8ecdb5288b8c470ecbd1576d062cc7de4efc4dbd1ff95c7b66ce64f8a94cbf71dceae1e
public key (compressed)   = 02df9ecaa3d48a6ab94b2048a6d538f0e09093aa6c035c03ecf7007a1fb8ecdb52

Much shorter.

This seems like a lot of effort to save on a small amount of data, but because public keys are used within almost all transactions, it does end up saving a lot of space in the blockchain over time.

Why do we use elliptic curve multiplication to make public keys?

Because elliptic curves have two useful properties when creating a private/public key pair.

  1. Elliptic curve multiplication is a "trapdoor function". In other words, you can't go backwards from public key to find out what the private key was.
    A trapdoor function is a function that is easy to compute in one direction, yet difficult to compute in the opposite direction (finding its inverse) without special information, called the "trapdoor".
  2. The public key has a mathematical connection to the private key. As a result, it's possible to prove this connection (with a little more mathematics) without having to reveal your private key.

    So if I gave you my public key (or address), I can prove to you that I "own" it without having to show you my private key.

    This feature is especially handy when making bitcoin transactions. Your public key can be placed in to a transaction when you want to receive bitcoins, and you do not have to reveal the private key directly when you want to spend them later on (see digital signatures). As a result, this means that nobody can acquire the private key and use it to spend bitcoins that have been locked to the same public key.

    When I say prove that I own a public key, I mean "show that I possess the private key that the public key was created from".

How can you prove you own a public key?

This is a whole topic (or two) in itself. But seeing as this is such an annoyingly relevant question, I'll try my best to cover the basics.

As mentioned, there's a mathematical connection between the private key and public key.

As a result:

  1. I can put my private key through some more elliptic curve mathematics to get a new value (called a digital signature).
  2. I can put my public key through some other elliptic curve mathematics to get a new value.
Diagram showing two separate values being calculated from the private key and public key independently.

Now, there will be some small overlap between these new values:

Diagram showing and overlap between the two separate values calculated from the private key and public key independently.

And this overlap is enough to prove that there is a mathematical connection between the public key and private key.

And because nobody is able to recreate this digital signature without the private key, my digital signature it's enough to prove that I "own" the public key.

As a result, I can show you that I own a public key with a digital signature, and you never need to see my private key.

Conclusion

All hail the elliptic curve.