• Hash256
  • Hash160
  • Reverse Bytes
  • Hexadecimal
  • Satoshis

Public Key

A unique number mathematically generated from a private key.

A public key is like an account number that you use to receive bitcoins.

It is created from your private key, which is like a password for that account number.

Try it! - Generate Public Key


How do you generate a public key?

You use your private key (which is just a big random number) to generate a corresponding public key.

You do elliptic curve multiplication using your private key, which will give you a final resting point on the elliptic curve. The x and y coordinate of this point is your public key.

Why is the elliptic curve used?

The use of elliptical curve multiplication gives you a mathematical connection from your private key to your public key. It also has two important properties:

1. It’s not known how to work backwards to get the private key.

You can go forwards using elliptic curve multiplication, but you cannot do mathematics to go backwards.

This means that there is a mathematical connection going from your private key to your public key, but nobody can use your public key to figure out what your private key is.

Therefore you can give out your public key, but also keep your private key a secret.

2. You can prove that you have the private key without giving it away.

Basically, using some more elliptic curve mathematics, you can create a digital signature that proves that you have the corresponding private key for a public key, without ever having to give away your actual private key.

It’s like saying you have the password to an account, but you don’t have to show anyone your actual password to prove it.

This is thanks to the seeming magic of digital signatures, and it’s all made possible through elliptic curve mathematics.

Public Key Format

A public key is just the x and y co-ordinate of a point on the elliptic curve. It’s usually stored in hexadecimal format.

There are two formats for public keys:

1. Uncompressed

This is the old format. It has generally stopped being used in favor of the shorter compressed format.

Bitcoin originally used both the x and y coordinate to store the public key.

In this uncompressed format, you just place the x and y coordinate next to each other, then prefix the whole thing with an 04 to show that it is an uncompressed public key:

Public Key Example (Uncompressed)


2. Compressed

However, because the elliptic curve is symmetrical along its x-axis, each x coordinate will only ever have one of two possible y coordinates.

And here’s the trick…

  • If y is even, it corresponds to one of the points.
  • If y is odd, it corresponds to the other.

So in the compressed public key format, we just store the full x coordinate, along with a prefix that indicates whether the y is even or odd.

We only need to store whether the y coordinate is even or odd.

Public Key Example (Compressed)


This compressed format ultimately allows us to work out the full x and y coordinates, but saves a lot of space on the blockchain (i.e. when we create transactions that lock outputs to specific public keys).

How to decompress a public key.

You can decompress a compressed public key by solving the curve equation y^2 = x^3 + 7.

This will give you the missing possible y values for the uncompressed key. You can then use the prefix from the compressed key to determine which y value to use (because the square root of any number has two possible answers, e.g. 16 = +4 or -4).

# Compressed public key
compressed = "032b1ac464eb4676b359c6bee76288dddf1ddbdffc41719ef61ac3f4d6a22296aa"

# Split compressed key in to prefix and x-coordinate
prefix = compressed[0..1]
x      = compressed[2..-1].to_i(16)

# Secp256k1 curve parameters
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f

# Work out y values using the curve equation y^2 = x^3 + 7
y_sq = (x**3 + 7) % p # everything is modulo p

# Secp256k1 is chosen in a special way so that the square root of y is y^((p+1)/4)
y = y_sq.pow((p+1)/4, p) # use modular exponentation

# Use prefix to select the correct value for y
# * 02 prefix = y is even
# * 03 prefix = y is odd 
if (prefix == "02" && y % 2 != 0) # if prefix is 02 and y isn't even, use other y value
    y = (p - y) % p
if (prefix == "03" && y % 2 == 0) # if prefix is 03 and y is even, use other y value
    y = (p - y) % p

# Construct the uncompressed public key
x = x.to_s(16).rjust(64, "0") # convert to hex and make sure it's 32 bytes (64 characters)
y = y.to_s(16).rjust(64, "0")
uncompressed = "04" + x + y

# Result
puts uncompressed #=> 042b1ac464eb4676b359c6bee76288dddf1ddbdffc41719ef61ac3f4d6a22296aafb4fe49b2ab85adf45c36166f34313054ef876fdf0c8c2e16734ddea23318cb5

How are public keys used in Bitcoin?

You can give your public key away to people so that they can include it in the the locking script of an output when they create a transaction.

We can give people our public key so that they can send us bitcoins. This is called Pay-To-Pubkey (P2PK)

However, in Bitcoin we now more commonly hash160 our public key before giving it away. The public key is then used only when we come to unlocking the output. (The initial lock will then want to check that the public key hashes correctly first before going on to check it against the signature.)

The Hash160 of our public key now sits in the lock. This is called Pay-To-PubKey-Hash (P2PKH)

Where can you find public keys inside the blockchain?

If your looking through raw blockchain data, public keys can typically be found inside transaction data.

In a standard P2PKH transaction, for example:

  1. The Hash160 of a public key sits within the locking code (scriptPubKey) of an output.

Transaction: 24c1f77de7c580eccd46c41d4c708da4ace04880559ee6bce97a67217466d7f7

Then in the next transaction that spends the bitcoins…

  1. The original public key can be found inside the unlocking code (scriptSig) of the input.

Transaction: 33ab606c34dce6e43673d20c1a72c7b0bce314d9d21e227c04092bbdaf8aaed5

As you can see, the 04 at the start of the public key indicates that it’s an uncompressed public key. This makes it almost twice as long as the compressed public keys typically used today.


To create a public key, all you need is a private key and an elliptic curve library (available in most popular programming languages).

require 'ecdsa' # Use an elliptic curve library

# This private key is just an example. It should be much more secure!
privatekey = 1234

# Elliptic Curve Multiplication
group = ECDSA::Group::Secp256k1 # Select the curve used in Bitcoin
point = group.generator.multiply_by_scalar(privatekey) # Multiply by integer (not hex)

# Compressed Format - Instead of using both x and y co-ordinates, just use the x co-ordinate and whether y is even/odd
prefix = point.y % 2 == 0 ? '02' : '03' # even = 02, odd = 03

# Add the prefix to the x co-ordinate
publickey = prefix + point.x.to_s(16).rjust(64, '0') # Convert to hex (and make sure it is a full 32 bytes (64 characters) in length)

puts publickey


By Greg Walker,

Last Updated: 19 Oct 2020
  • 19 Oct 2020: Added code example for decompressing a public key.
  • 08 Oct 2020: p2pkh link
  • 21 Jul 2020: renamed /guide/ to /technical/
Back to Top

Hey there, it's Greg.

I'll let you know about cool website updates, or if something seriously interesting happens in bitcoin.

Don't worry, it doesn't happen very often.