# Public Key

A unique number mathematically generated from a private key.

A `public key`

is like an **account number** that you use to receive bitcoins.

It is created from your `private key`

, which is like a *password* for that account number.

#### Try it! - Generate Public Key

Uncompressed

## How do you generate a public key?

You use your `private key`

(which is just a big random number) to generate a corresponding public key.

You do **elliptic curve multiplication** using your private key, which will give you a final resting point on the elliptic curve. The `x`

and `y`

coordinate of this point is your public key.

## Why is the elliptic curve used?

The use of elliptical curve multiplication gives you a **mathematical connection** from your private key to your public key. It also has two important properties:

### 1. It’s not known how to work backwards to get the private key.

You can go forwards using elliptic curve multiplication, but you cannot do mathematics to go backwards.

This means that there is a mathematical connection going from your private key to your public key, but nobody can use your public key to figure out what your private key is.

Therefore you can give out your public key, but also keep your private key a secret.

### 2. You can prove that you have the private key without giving it away.

Basically, using some more elliptic curve mathematics, you can create a digital signature that proves that you have the corresponding private key for a public key, without ever having to give away your actual private key.

It’s like saying you have the password to an account, but you don’t have to show anyone your actual password to prove it.

This is thanks to the seeming magic of digital signatures, and it’s all made possible through elliptic curve mathematics.

## Public Key Format

A public key is just the `x`

and `y`

co-ordinate of a point on the elliptic curve. It’s usually stored in hexadecimal format.

There are two formats for public keys:

### 1. Uncompressed

This is the old format. It has generally stopped being used in favor of the shorter compressed format.

Bitcoin originally used *both* the `x`

and `y`

coordinate to store the public key.

In this uncompressed format, you just place the `x`

and `y`

coordinate next to each other, then prefix the whole thing with an `04`

to show that it is an uncompressed public key:

## Public Key Example (Uncompressed)

`04fe53c78e36b86aae8082484a4007b706d5678cabb92d178fc95020d4d8dc41ef44cfbb8dfa7a593c7910a5b6f94d079061a7766cbeed73e24ee4f654f1e51904`

### 2. Compressed

However, because the elliptic curve is symmetrical along its x-axis, each `x`

coordinate will only ever have one of two possible `y`

coordinates.

And here’s the trick…

- If y is even, it corresponds to one of the points.
- If y is odd, it corresponds to the other.

So in the compressed public key format, we just store the full `x`

coordinate, along with a prefix that indicates whether the `y`

is *even* or *odd*.

## Public Key Example (Compressed)

`03df51984d6b8b8b1cc693e239491f77a36c9e9dfe4a486e9972a18e03610a0d22`

This compressed format ultimately allows us to work out the full `x`

and `y`

coordinates, but saves a lot of space on the blockchain (i.e. when we create transactions that lock outputs to specific public keys).

### How to decompress a public key.

You can decompress a compressed public key by solving the curve equation `y^2 = x^3 + 7`

.

This will give you the missing possible `y`

values for the *uncompressed* key. You can then use the prefix from the compressed key to determine which `y`

value to use (because the square root of any number has two possible answers, e.g. `16 = +4 or -4`

).

```
# Compressed public key
compressed = "032b1ac464eb4676b359c6bee76288dddf1ddbdffc41719ef61ac3f4d6a22296aa"
# Split compressed key in to prefix and x-coordinate
prefix = compressed[0..1]
x = compressed[2..-1].to_i(16)
# Secp256k1 curve parameters
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
# Work out y values using the curve equation y^2 = x^3 + 7
y_sq = (x**3 + 7) % p # everything is modulo p
# Secp256k1 is chosen in a special way so that the square root of y is y^((p+1)/4)
y = y_sq.pow((p+1)/4, p) # use modular exponentation
# Use prefix to select the correct value for y
# * 02 prefix = y is even
# * 03 prefix = y is odd
if (prefix == "02" && y % 2 != 0) # if prefix is 02 and y isn't even, use other y value
y = (p - y) % p
end
if (prefix == "03" && y % 2 == 0) # if prefix is 03 and y is even, use other y value
y = (p - y) % p
end
# Construct the uncompressed public key
x = x.to_s(16).rjust(64, "0") # convert to hex and make sure it's 32 bytes (64 characters)
y = y.to_s(16).rjust(64, "0")
uncompressed = "04" + x + y
# Result
puts uncompressed #=> 042b1ac464eb4676b359c6bee76288dddf1ddbdffc41719ef61ac3f4d6a22296aafb4fe49b2ab85adf45c36166f34313054ef876fdf0c8c2e16734ddea23318cb5
```

## How are public keys used in Bitcoin?

You can give your public key away to people so that they can include it in the the locking script of an output when they create a transaction.

However, in Bitcoin we now more commonly hash160 our public key before giving it away. The public key is then used only when we come to unlocking the output. (The initial lock will then want to check that the public key hashes correctly first before going on to check it against the signature.)

## Where can you find public keys inside the blockchain?

If your looking through raw blockchain data, public keys can typically be found inside transaction data.

In a standard P2PKH transaction, for example:

- The
**Hash160 of a public key**sits within the locking code (scriptPubKey) of an output.

01000000017dc9d3eaa91ef9886e48929285243d945a20be621a7483d5442872c2f4bbf432000000004a493046022100ea5812a1cbcf9c8c49fdfb4ed7ef89c05d9d11a5df941fd76546e9031fefbef5022100f5458675ebd56db5517510527afa5ff7c98e08d7ed83a8b180f7ac841531a3ac01ffffffff0100f2052a010000001976a914fc50c5907d86fed474ba5ce8b12a66e0a4c139d888ac00000000

Transaction: `24c1f77de7c580eccd46c41d4c708da4ace04880559ee6bce97a67217466d7f7`

Then in the next transaction that spends the bitcoins…

- The original
**public key**can be found inside the unlocking code (scriptSig) of the input.

0100000000100000001f7d7667421677ae9bce69e558048e0aca48d704c1dc446cdec80c5e77df7c124000000008b483045022100b92b0d78a1a72b25179260e96a15efe95f98962622fb232f92d6c6ef20e15e9b022061c946c3f976339e370eabd256d91aa4711bb9985330f7d18ee77987b0ca24300141046c04c02f1138f440e8c5e9099db938bfba93d0389528bb7f6bf423ae203a2edcfba133f0409023d7ea13ac01c5aeedaf0bbfbeb8b82e9b48410d93a296da5b0cffffffff0100f2052a010000001976a914e6a874331cddf113e6f424f547aa93c10755d5e688ac00000000

Transaction: `33ab606c34dce6e43673d20c1a72c7b0bce314d9d21e227c04092bbdaf8aaed5`

As you can see, the `04`

at the start of the public key indicates that it’s an *uncompressed* public key. This makes it almost twice as long as the *compressed* public keys typically used today.

## Code

To create a public key, all you need is a **private key** and an **elliptic curve library** (available in most popular programming languages).

```
require 'ecdsa' # Use an elliptic curve library
# This private key is just an example. It should be much more secure!
privatekey = 1234
# Elliptic Curve Multiplication
group = ECDSA::Group::Secp256k1 # Select the curve used in Bitcoin
point = group.generator.multiply_by_scalar(privatekey) # Multiply by integer (not hex)
# Compressed Format - Instead of using both x and y co-ordinates, just use the x co-ordinate and whether y is even/odd
prefix = point.y % 2 == 0 ? '02' : '03' # even = 02, odd = 03
# Add the prefix to the x co-ordinate
publickey = prefix + point.x.to_s(16).rjust(64, '0') # Convert to hex (and make sure it is a full 32 bytes (64 characters) in length)
puts publickey
```