public key is like an account number that you use to receive bitcoins.
It is created from your
private key, which is like a password for that account number.
Try it! - Generate Public Key
How do you generate a public key?
You use your
private key (which is just a big random number) to generate a corresponding public key.
You do elliptic curve multiplication using your private key, which will give you a final resting point on the elliptic curve. The
y coordinate of this point is your public key.
Why is the elliptic curve used?
The use of elliptical curve multiplication gives you a mathematical connection from your private key to your public key. It also has two important properties:
1. It’s not known how to work backwards to get the private key.
You can go forwards using elliptic curve multiplication, but you cannot do mathematics to go backwards.
This means that there is a mathematical connection going from your private key to your public key, but nobody can use your public key to figure out what your private key is.
Therefore you can give out your public key, but also keep your private key a secret.
2. You can prove that you have the private key without giving it away.
Basically, using some more elliptic curve mathematics, you can create a digital signature that proves that you have the corresponding private key for a public key, without ever having to give away your actual private key.
It’s like saying you have the password to an account, but you don’t have to show anyone your actual password to prove it.
This is thanks to the seeming magic of digital signatures, and it’s all made possible through elliptic curve mathematics.
Public Key Format
A public key is just the
y co-ordinate of a point on the elliptic curve. It’s usually stored in hexadecimal format.
There are two formats for public keys:
This is the old format. It has generally stopped being used in favor of the shorter compressed format.
Bitcoin originally used both the
y coordinate to store the public key.
In this uncompressed format, you just place the
y coordinate next to each other, then prefix the whole thing with an
04 to show that it is an uncompressed public key:
Public Key Example (Uncompressed)
However, because the elliptic curve is symmetrical along its x-axis, each
x coordinate will only ever have one of two possible
And here’s the trick…
- If y is even, it corresponds to one of the points.
- If y is odd, it corresponds to the other.
So in the compressed public key format, we just store the full
x coordinate, along with a prefix that indicates whether the
y is even or odd.
Public Key Example (Compressed)
This compressed format ultimately allows us to work out the full
y coordinates, but saves a lot of space on the blockchain (i.e. when we create transactions that lock outputs to specific public keys).
How to decompress a public key.
You can decompress a compressed public key by solving the curve equation
y^2 = x^3 + 7.
This will give you the missing possible
y values for the uncompressed key. You can then use the prefix from the compressed key to determine which
y value to use (because the square root of any number has two possible answers, e.g.
16 = +4 or -4).
# Compressed public key compressed = "032b1ac464eb4676b359c6bee76288dddf1ddbdffc41719ef61ac3f4d6a22296aa" # Split compressed key in to prefix and x-coordinate prefix = compressed[0..1] x = compressed[2..-1].to_i(16) # Secp256k1 curve parameters p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f # Work out y values using the curve equation y^2 = x^3 + 7 y_sq = (x**3 + 7) % p # everything is modulo p # Secp256k1 is chosen in a special way so that the square root of y is y^((p+1)/4) y = y_sq.pow((p+1)/4, p) # use modular exponentation # Use prefix to select the correct value for y # * 02 prefix = y is even # * 03 prefix = y is odd if (prefix == "02" && y % 2 != 0) # if prefix is 02 and y isn't even, use other y value y = (p - y) % p end if (prefix == "03" && y % 2 == 0) # if prefix is 03 and y is even, use other y value y = (p - y) % p end # Construct the uncompressed public key x = x.to_s(16).rjust(64, "0") # convert to hex and make sure it's 32 bytes (64 characters) y = y.to_s(16).rjust(64, "0") uncompressed = "04" + x + y # Result puts uncompressed #=> 042b1ac464eb4676b359c6bee76288dddf1ddbdffc41719ef61ac3f4d6a22296aafb4fe49b2ab85adf45c36166f34313054ef876fdf0c8c2e16734ddea23318cb5
How are public keys used in Bitcoin?
You can give your public key away to people so that they can include it in the the locking script of an output when they create a transaction.
However, in Bitcoin we now more commonly hash160 our public key before giving it away. The public key is then used only when we come to unlocking the output. (The initial lock will then want to check that the public key hashes correctly first before going on to check it against the signature.)
Where can you find public keys inside the blockchain?
In a standard P2PKH transaction, for example:
Then in the next transaction that spends the bitcoins…
- The original public key can be found inside the unlocking code (scriptSig) of the input.
As you can see, the
04 at the start of the public key indicates that it’s an uncompressed public key. This makes it almost twice as long as the compressed public keys typically used today.
To create a public key, all you need is a private key and an elliptic curve library (available in most popular programming languages).
require 'ecdsa' # Use an elliptic curve library # This private key is just an example. It should be much more secure! privatekey = 1234 # Elliptic Curve Multiplication group = ECDSA::Group::Secp256k1 # Select the curve used in Bitcoin point = group.generator.multiply_by_scalar(privatekey) # Multiply by integer (not hex) # Compressed Format - Instead of using both x and y co-ordinates, just use the x co-ordinate and whether y is even/odd prefix = point.y % 2 == 0 ? '02' : '03' # even = 02, odd = 03 # Add the prefix to the x co-ordinate publickey = prefix + point.x.to_s(16).rjust(64, '0') # Convert to hex (and make sure it is a full 32 bytes (64 characters) in length) puts publickey