Bitcoin Forum
Author Topic: Can public key be derived from private key?
_act_ (OP)
July 20, 2025, 03:15:32 PM
Merited by stwenhao (1)
 #1

This is coming from a guy that thinks he can correct anyone on this forum as if he knows it all. He is posting that a private key can be derived from a public key. I will quote him so that you do not misunderstand my post; you will read what he posted instead.

I have bolded everything he posted, and one part in red.

I voted no because I see it as a pointless warning because that's not how Bitcoin security should be viewed.
Incorrect approach to security by you. Address re-use was always warned against by anyone who approached security correctly.

The way I see it is that if there is even a small possibility of reversing a public key to get the private key, and we still haven't migrated to a resistant protocol (a hard fork), then Bitcoin will have become obsolete!
That means the warning you are talking about is either pointless (meaning it is impossible to reverse pubkey and reusing your address doesn't put you at any risk) or it is not a warning (bitcoin is already over and you shouldn't even be using it anymore).
It was always possible and it will always be possible to get a private key from a public key, however low the possibility. Therefore your point is invalid.

There aren't any quantum resistance signatures available in Bitcoin yet, why would you warn users about a threat they can't avoid?

The reason you aren't supposed to reuse your Bitcoin address for receiving payments is because of privacy, not security.
Wrong. It is about security too. If you don't spend from an address, then your public key is safe behind SHA256. There is no risk to SHA256 from quantum computers as far as we know today.

I am referring to Satofan44.

When I corrected him, this is what he posted:

I voted no because I see it as a pointless warning because that's not how Bitcoin security should be viewed.
Incorrect approach to security by you. Address re-use was always warned against by anyone who approached security correctly.
You are very wrong. Address reuse is advised for privacy so far as quantum computers are not yet a threat. It is quantum computers that will later make it a security concern. Your manner of approach is disgusting, correcting someone that is right and saying directly that the person is wrong when you are the one that is very wrong.
Nope, you know very little about Bitcoin. Don't respond to my posts, get back to signature farming in other sections.

This is absolutely false information from you Satofan44. Please do not post incorrect information to mislead people. I hope you have changed from giving people negative feedback because you think they are wrong, just because their posts are against yours.
Negative tagged for posting false information and trolling. You can derive a private key from any public key, it will just take a very long time. It is called computationally infeasible, not mathematically impossible. Anyhow a person like you won't know what these words mean anyway. Kid just shut up already and let the grown ups talk. Next time ask ChatGPT for help as your brain is just a vacuum.

I remember he gave someone negative feedback for what he is doing right now, which is spreading false information.

He is not referring to quantum computers but just how bitcoin is now.

Sticky Bomb
July 20, 2025, 03:31:26 PM
 #2

The solution is very simple, he should be made to prove the rubbish he's spouting. Throw a challenge to him, give him a public key and let him derive the private key from it. If he can prove it, then he's a hero, else he should remain quiet.

AFAIK, it's not possible, the reverse is the case, public keys are derived from private keys

stwenhao
July 20, 2025, 03:40:02 PM
Last edit: July 20, 2025, 03:50:06 PM by stwenhao
Merited by vapourminer (4), d5000 (4), Satofan44 (4)
 #3

Quote
Can public key be derived from private key?
Yes. For example, see this topic: https://bitcointalk.org/index.php?topic=5459153.0

When you have any elliptic curve, then usually you can get p-value and n-value. The former can tell you, what is the range of each (x,y) coordinates. The latter can tell you, how many points are on this curve. In secp256k1, these values are somewhere around 2^256, so going from public to private key is hard.

However, each and every public key can be uniquely mapped to a private key, relative to the picked generator. Here is another topic, which can show you how it can be done on top of a very small elliptic curve: https://bitcointalk.org/index.php?topic=5460766.0

See? Every public key can be mapped to a matching private key, and that mapping is bijective, and unique, for given curve parameters. Which means that the private key equal to one is always assigned to the generator, no matter what. And the private key equal to "n-1" is always assigned to the generator with negated y-value.

So, to sum up, secp256k1, and other curves with similar construction, allow us to always map any public key to some matching private key. It is always possible, but if you go into the world of big numbers, then it is just hard. It is difficult, it requires a lot of computing power, or a cryptographic breakthrough. But you can prove, mathematically, that it is always possible.

And the same is true in other public key cryptography, for example RSA, when you can always factor a composite number (public key) into a pair of prime numbers (private key).

Edit: Here is yet another example, if you are not convinced: https://bitcointalk.org/index.php?topic=5373858

Edit:
Quote
AFAIK, it's not possible, the reverse is the case, public keys are derived from private keys
It works in both ways. And you can explore smaller elliptic curves, to observe it directly, how each and every public key can be mapped uniquely to some private key. Also, you can check, what happens, when you change the curve generator. Then, that mapping changes in a strictly specific way, depending on the way how you change it.

You can also explore my toy example, which I started writing some time ago: https://github.com/stwenhao/small_curves

For bigger curves, used in practice, all math behind it is identical, just numbers are bigger, so more optimizations are needed, to compute things in reasonable time. And for breaking keys, more advanced algorithms are needed, which we don't know about yet, which is the only reason, why secp256k1 is still safe.

In general, if secp256k1 will be fully broken, then OP_CHECKSIG will be just some 256-bit calculator, with built-in addition and multiplication.
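
A worked example on a toy curve, added here and not taken from stwenhao's post or the small_curves repository: y^2 = x^3 + 7 over F_13 (13 is a constructed toy prime; secp256k1 uses the same equation with a 256-bit p) has only 7 points, so the whole private-to-public mapping can be tabulated, every public key can be mapped back to its private key by exhaustive search, and the effect of swapping the generator can be observed directly.

```python
# Toy curve y^2 = x^3 + A*x + B over F_P. P = 13 is a constructed toy prime;
# secp256k1 uses the same A and B with a 256-bit prime, where enumeration is hopeless.
P, A, B = 13, 0, 7
INF = None  # point at infinity, the group identity


def on_curve(pt):
    if pt is INF:
        return True
    x, y = pt
    return (y * y - (x ** 3 + A * x + B)) % P == 0


def add(p1, p2):
    """Affine point addition; pow(v, -1, P) is the modular inverse (Python 3.8+)."""
    if p1 is INF:
        return p2
    if p2 is INF:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return INF  # Q + (-Q)
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def mul(k, pt):
    """Double-and-add scalar multiplication: public key = k * G."""
    acc = INF
    while k > 0:
        if k & 1:
            acc = add(acc, pt)
        pt = add(pt, pt)
        k >>= 1
    return acc


def all_points():
    """Every affine point plus INF; len() is the curve order (the thread's n-value)."""
    return [INF] + [(x, y) for x in range(P) for y in range(P) if on_curve((x, y))]


def order(G):
    """Smallest n with n*G = INF, found by repeated addition."""
    n, acc = 1, G
    while acc is not INF:
        acc = add(acc, G)
        n += 1
    return n


def key_table(G):
    """Private key k -> public key k*G for every k in [1, n-1]; bijective onto the affine points."""
    return {k: mul(k, G) for k in range(1, order(G))}


def ecdlp(Q, G):
    """Brute-force discrete log: the private key behind public key Q, relative to generator G."""
    for k in range(1, order(G)):
        if mul(k, G) == Q:
            return k
    raise ValueError("Q is not a multiple of G")


def rekey(k, m, n):
    """If the generator changes from G to G' = m*G, the key of a fixed point changes
    from k to k * m^-1 mod n: the mapping changes, but in a strictly specific way."""
    return k * pow(m, -1, n) % n


G = (7, 5)  # one of the 6 affine points; in a prime-order group every one of them generates it
N = order(G)

if __name__ == "__main__":
    print("curve order:", len(all_points()), "| generator order n:", N)
    for k, Q in key_table(G).items():
        print(f"private {k} -> public {Q} -> recovered {ecdlp(Q, G)}")
    print("key 1 is G:", key_table(G)[1] == G,
          "| key n-1 is -G:", key_table(G)[N - 1] == (G[0], (-G[1]) % P))
    print("same point under generator 2G: key", ecdlp(mul(3, G), mul(2, G)),
          "== rekey(3, 2, n) =", rekey(3, 2, N))
```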

Satofan44
July 20, 2025, 05:08:17 PM
Last edit: July 20, 2025, 05:37:13 PM by Satofan44
Merited by stwenhao (1)
 #4

Possible is not the same as probable. It is always possible to derive a private key from a public key, however improbable it is. Learn the basics of scientific communication.

The solution is very simple, he should be made to prove the rubbish he's spouting. Throw a challenge to him, give him a public key and let him derive the private key from it. If he can prove it, then he's a hero, else he should remain quiet.

AFAIK, it's not possible, the reverse is the case, public keys are derived from private keys
Another campaign shitposter posting lies?



It works in both ways.
Very good post stwenhao, but you are wasting it on people who won't understand or read it.

It is always possible, but if you go into the world of big numbers, then it is just hard. It is difficult, it requires a lot of computing power, or cryptographical breakthrough. But you can prove, mathematically, that it is always possible.
It is called computationally infeasible, not mathematically impossible.
Case closed. Topic author walk away with some dignity.

stwenhao
July 20, 2025, 05:25:16 PM
Merited by Satofan44 (1)
 #5

Quote
Throw a challenge to him, give him a public key and let him derive the private key from it. If he can prove it, then he's a hero, else he should remain quiet.
Then tell me, what is the private key to 0214368623b6bab515c1f9218381e37ff7ae8dac54132bc7f2072dc55fa55db6c7? I don't know that. Only Satoshi knows. And the same trick can be done on any public key, by abusing SIGHASH_SINGLE bug, and public key recovery for legacy transactions. You can give me any public key, then I can put it as R-value in a signature, add any s-value I would like, and sweep coins from some legacy P2PK output, where I wouldn't know the private key, but where k-value will be equal to any private key you pick.

So, do you think, that I am Satoshi? Or would you rather believe, that every valid public key has a matching private key, which is demonstrated in my testnet4 transaction: 1c6aa1f6bb20409e0fa3b34e559b55aa05d6ac5506747455d23799cca539546c

Quote
Case closed. Walk away with some dignity.
Well, it's not my fault, that programmers and tech-savvy users understand Bitcoin better, than the rest of the community. Maybe I have too much patience, but usually I try to explain things in baby steps, even if I feel like some people don't deserve it.

kTimesG
July 20, 2025, 05:42:46 PM
Merited by vapourminer (4)
 #6

As noted above already, there is a unique mapping between every possible private key and every possible public key, so yes, technically it is 100% possible to "derive" the private key of any (valid) public key, since the mapping is bijective. This uniqueness property is even a basic requirement in order for Bitcoin to actually be able to prove actual ownership.

Even better, unlike hashing, it's not even a brute-force problem to reverse the initial bijection (which was: pub from private). It's simply the discrete log problem, which has known optimal algorithms (and it's still an open question whether it's even that difficult to solve anyway). That's why Bitcoin's security is not even close to 256 bits. It's more around 124 bits or so, given the endomorphism property of the curve, and Pollard's rho algorithm.

So, possible? 100% guaranteed. Feasible? It depends on how much compute power you throw at it, and whatever other details you have (like, a range subset, known bits, etc).

mr.mister
July 21, 2025, 06:02:50 PM
Merited by vapourminer (4)
 #7

Everyone here is partly right, but the disagreement is mostly semantic, not technical.

Yes, a private key can theoretically be derived from a public key. That’s basic math. The mapping is bijective — for every valid public key, there's exactly one corresponding private key, based on the elliptic curve parameters.

But — the process is computationally infeasible with today’s hardware and known algorithms. That’s the foundation of Bitcoin’s security. The elliptic curve discrete logarithm problem (ECDLP) is not mathematically impossible to reverse — it's just so hard that even a trillion computers working together for a billion years wouldn’t crack a single key.

So:

 Yes — possible in theory (mathematically speaking).

 No — not feasible in practice (computationally speaking).

This is why we say Bitcoin is secure. Not because it's unbreakable in the abstract, but because it’s practically unbreakable without a major cryptographic or quantum breakthrough.

Let’s not confuse “possible” with “realistic.”
Satofan44
July 21, 2025, 06:32:10 PM
 #8

Everyone here is partly right, but the disagreement is mostly semantic, not technical.

Yes, a private key can theoretically be derived from a public key. That’s basic math. The mapping is bijective — for every valid public key, there's exactly one corresponding private key, based on the elliptic curve parameters.

But — the process is computationally infeasible with today’s hardware and known algorithms. That’s the foundation of Bitcoin’s security. The elliptic curve discrete logarithm problem (ECDLP) is not mathematically impossible to reverse — it's just so hard that even a trillion computers working together for a billion years wouldn’t crack a single key.

So:

 Yes — possible in theory (mathematically speaking).

 No — not feasible in practice (computationally speaking).

This is why we say Bitcoin is secure. Not because it's unbreakable in the abstract, but because it’s practically unbreakable without a major cryptographic or quantum breakthrough.

Let’s not confuse “possible” with “realistic.”
Which is what I precisely wrote, is it not? People with superficial knowledge and no touch with science tend to communicate badly. They confuse even simple stuff like correlation with causation.

It is called computationally infeasible, not mathematically impossible.
It is possible.



Quote
Case closed. Walk away with some dignity.
Well, it's not my fault, that programmers and tech-savvy users understand Bitcoin better, than the rest of the community. Maybe I have too much patience, but usually I try to explain things in baby steps, even if I feel like some people don't deserve it.
Your patience is your strongest asset, much more so than your technical knowledge. Cheers to you, keep it that way. I don't have such a resource at my disposal, especially not with brainless signature spammers.

NotATether
July 27, 2025, 12:36:28 PM
 #9

If you somehow manage to solve ECDLP (elliptic curve discrete logarithm problem), then yes, you can find (not derive) the private key from the public key. Otherwise no.

You can solve ECDLP for small curves, but not for any of the practical large curves.

mindrust
July 27, 2025, 12:44:36 PM
 #10

You two aren’t talking from the same level.

If we follow satofan’s logic, it is possible to destroy the sun too. We just need a yuuge nuclear missile that has enough range to arrive there.

Deriving a private key from a public address is possible yes. The probability? Very low as long as SHA256 is not cracked.

Satofan44
July 28, 2025, 05:17:28 PM
Merited by vjudeu (1)
 #11

You two aren’t talking from the same level.

If we follow satofan’s logic, it is possible to destroy the sun too. We just need a yuuge nuclear missile that has enough range to arrive there.

Deriving a private key from a public address is possible yes. The probability? Very low as long as SHA256 is not cracked.
Deriving the private key from a public key has nothing to do with SHA256. Anyhow even the title of this thread is wrong as the shitposter wrote it in a hurried manner. It is best to close this thread now and leave the topic behind with some specks of remaining dignity.

mindrust
July 28, 2025, 06:40:54 PM
 #12

You two aren’t talking from the same level.

If we follow satofan’s logic, it is possible to destroy the sun too. We just need a yuuge nuclear missile that has enough range to arrive there.

Deriving a private key from a public address is possible yes. The probability? Very low as long as SHA256 is not cracked.
Deriving the private key from a public key has nothing to do with SHA256. Anyhow even the title of this thread is wrong as the shitposter wrote it in a hurried manner. It is best to close this thread now and leave the topic behind with some specks of remaining dignity.

How so? I somehow thought cracking SHA256 would let us learn every private/public key combination there is without any effort. I mean isn’t that the whole point of cracking it? If cracking SHA256 isn’t going to let us learn the private keys of satoshi, then why all the fuss about quantum stuff?

Maybe you and I are not talking from the same level as well.

RockBitNBlock
July 28, 2025, 06:48:26 PM
 #13

Yes, it makes sense that a public key can be derived from a private key, as the private key is the foundation of the cryptography. If it were the other way around, if we could derive a private key from a public one, it would compromise the entire system's security. It would be like being able to guess the private key from the publicly available information (the public key), which would allow control over the Bitcoin. That would be a huge flaw, as it would break the fundamental principle of security.
Satofan44
July 28, 2025, 07:11:11 PM
Last edit: July 31, 2025, 08:05:42 PM by Satofan44
Merited by vapourminer (4), mindrust (2), vjudeu (1)
 #14

You two aren’t talking from the same level.

If we follow satofan’s logic, it is possible to destroy the sun too. We just need a yuuge nuclear missile that has enough range to arrive there.

Deriving a private key from a public address is possible yes. The probability? Very low as long as SHA256 is not cracked.
Deriving the private key from a public key has nothing to do with SHA256. Anyhow even the title of this thread is wrong as the shitposter wrote it in a hurried manner. It is best to close this thread now and leave the topic behind with some specks of remaining dignity.
How so? I somehow thought cracking SHA256 would let us learn every private/public key combination there is without any effort. I mean isn’t that the whole point of cracking it? If cracking SHA256 isn’t going to let us learn the private keys of satoshi, then why all the fuss about quantum stuff?
You got the order of things reversed and are confusing the topic on multiple levels. SHA256 is used both in mining and in the address generation. It is useful to learn how an address is created; I'm writing a high-level overview which may differ in detail from the application, and I am removing things that are not relevant to the discussion.
1. Generate ECDSA private key.
2. Generate matching public key.
3. Hash the public key.
3.1 Using SHA256.
3.2 Using RIPEMD-160.

The primary risk of quantum computers is not to SHA256 but to the signature algorithm (ECDSA). The public key of an address is only exposed when an address has been used, which means that it has made a sending transaction. If you don't spend from an address, the public key stays unknown and the risk is much lower. If ECDSA is broken by quantum computers then for any public key I can find the corresponding private key and steal the funds.

If SHA256 is cracked:
1. All public keys can be revealed regardless of whether an address was used or not.
2. Attacks on mining that are not relevant to this thread.

So no, the risk of quantum computers has different directions depending on what we are talking about (ECDSA or SHA256). If in the extremely unlikely scenario only SHA256 is compromised and not ECDSA, then there will be no issue spending Bitcoin or a risk of private key compromise. Instead all addresses will just be treated like they are already re-used. However, there are risks to mining depending on the specifics of the compromise. A speedup by Grover’s algorithm does not have the same implications as a complete compromise of the hash function. Anyhow, based on the state of current research a complete breakdown of SHA256 is unlikely so we are left only with a world with a somewhat of a weakening of the security with Grover's.

The risk to satoshi's Bitcoin comes from ECDSA, not SHA256.



Maybe you and I are not talking from the same level as well.
I'm sorry but you have no idea what you are talking about. There's a huge difference between talking on different levels and confusing everything about the basics.
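
Steps 1 to 3.2 from the post above, carried through as an added example (not code from the thread or from any poster). It assumes the public key has already been derived: for private key 1 the public key is the secp256k1 generator G itself, whose coordinates are the well-known curve constants below, so no scalar multiplication is needed here. It also assumes a Python build whose hashlib exposes RIPEMD-160.

```python
import hashlib

# secp256k1 generator G. For private key 1 the public key is G itself (assumed
# here so the hashing steps can be shown without repeating curve arithmetic).
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def encode_pubkey(x, y, compressed=True):
    """Step 2's output as bytes: 33-byte compressed (02/03 + x) or 65-byte uncompressed (04 + x + y)."""
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def hash160(data):
    """Steps 3.1 and 3.2: RIPEMD-160(SHA-256(pubkey)). This 20-byte digest is all an
    unspent P2PKH output reveals; the public key itself only appears when it is spent."""
    sha = hashlib.sha256(data).digest()
    return hashlib.new("ripemd160", sha).digest()


def base58check(payload):
    """Version byte + payload + 4-byte double-SHA-256 checksum, rendered in base58."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    raw = payload + checksum
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, r = divmod(n, 58)
        digits = B58_ALPHABET[r] + digits
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))  # each 0x00 byte becomes a '1'
    return "1" * leading_zeros + digits


def p2pkh_address(pubkey):
    """Legacy address: version 0x00 for mainnet, then hash160, base58check encoded."""
    return base58check(b"\x00" + hash160(pubkey))


def p2pkh_script_pubkey(pubkey):
    """What sits on chain before spending: OP_DUP OP_HASH160 <20 bytes> OP_EQUALVERIFY OP_CHECKSIG."""
    return b"\x76\xa9\x14" + hash160(pubkey) + b"\x88\xac"


if __name__ == "__main__":
    for compressed in (True, False):
        pub = encode_pubkey(GX, GY, compressed)
        print(f"{len(pub)}-byte pubkey {pub.hex()[:16]}... -> {p2pkh_address(pub)}")
        print("  on-chain scriptPubKey:", p2pkh_script_pubkey(pub).hex())
```

The same hash160 with a different version byte gives a different address string for the same key, and an address alone gives a would-be key-recoverer nothing to run a discrete-log attack against.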

mindrust
July 28, 2025, 07:28:46 PM
 #15

You two aren’t talking from the same level.

If we follow satofan’s logic, it is possible to destroy the sun too. We just need a yuuge nuclear missile that has enough range to arrive there.

Deriving a private key from a public address is possible yes. The probability? Very low as long as SHA256 is not cracked.
Deriving the private key from a public key has nothing to do with SHA256. Anyhow even the title of this thread is wrong as the shitposter wrote it in a hurried manner. It is best to close this thread now and leave the topic behind with some specks of remaining dignity.
How so? I somehow thought cracking SHA256 would let us learn every private/public key combination there is without any effort. I mean isn’t that the whole point of cracking it? If cracking SHA256 isn’t going to let us learn the private keys of satoshi, then why all the fuss about quantum stuff?
You got the order of things reversed and are confusing the topic on multiple levels. SHA256 is used both in mining and in the address generation. It is useful to learn how an address is created; I'm writing a high-level overview which may differ in detail from the application, and I am removing things that are not relevant to the discussion.
1. Generate ECDSA private key.
2. Generate matching public key.
3. Hash the public key.
3.1 Using SHA256.
3.2 Using RIPEMD-160.

The primary risk of quantum computers is not to SHA256 but to the signature algorithm (ECDSA). The public key of an address is only exposed when an address has been used, which means that it has made a sending transaction. If you don't spend from an address, the public key stays unknown and the risk is much lower. If ECDSA is broken by quantum computers then for any public key I can find the corresponding private key and steal the funds.

If SHA256 is cracked:
1. All public keys can be revealed regardless of whether an address was used or not.
2. Attacks on mining that are not related here.

So no, the risk of quantum computers has different directions depending on what we are talking about (ECDSA or SHA256). If in the extremely unlikely scenario where only SHA256 is compromised and not ECDSA then there will be no issue spending Bitcoin or a risk of private key compromise. Instead all addresses will just be treated like they are already re-used. However, there is risk to mining depending on the specifics of the compromise. A speedup by Grover’s algorithm does not have the same implications as a complete compromise of the hash function. Anyhow, based on the state of current research a complete breakdown of SHA256 is unlikely so we are left only with a world with a somewhat of a weakening of the security with Grover's.

The risk to satoshi's Bitcoin comes from ECDSA, not SHA256.



Maybe you and I are not talking from the same level as well.
I'm sorry but you have no idea what you are talking about. There's a huge difference between talking on different levels and confusing everything about the basics.

OK you clearly know it better than me. (I never claimed myself to be the expert) But when I say "if SHA256 gets cracked" I didn't mean it only. If they manage to crack SHA256, don't you think they will also crack the related algorithms as well? In this case it is ECDSA.

When quantum computers start cracking these algos like cracking walnuts, what'll happen to ECDSA?

Anyway I am not here to argue with you. Just wondering what will happen to my stash and trying to find answers.

stwenhao
July 28, 2025, 07:55:39 PM
Merited by ABCbits (5), Satofan44 (2), Cricktor (1)
 #16

Quote
If they manage to crack SHA256, don't you think they will also crack the related algorithms as well? In this case it is ECDSA.
By breaking SHA-256, re-hashing the whole chain will be needed. And also, re-hashing every single signature in existence, because SHA-256 is used everywhere, including every use of OP_CHECKSIG or its equivalent. Each quantum proposal does not assume, that SHA-256 will be broken, because if you assume it, then you assume, that the whole Internet will be disrupted at least (and broken Bitcoin would be the least important problem). Many different assumptions can be made, but using "everyone will die" as a starting point, would simply lead us nowhere.

Currently, we have canaries for hash function collisions: https://bitcointalk.org/index.php?topic=293382.0

If you are not sure, that there is enough incentive, then you can put more coins in, or invent a better canary.

Quote
When quantum computers start cracking these algos like cracking walnuts, what'll happen to ECDSA?
Each ECDSA signature uses z-value as a SHA-256 hash of some message. If you can fully control SHA-256 output, then you can start from a fake ECDSA signature, which would give you some random z-value, and then, you can prepare a message, which would hash into exactly this value.

But currently, we are far from that, and you can observe it simply by tracking the current chainwork. It is very unlikely, that there is some network outside Bitcoin, which grinds SHA-256 faster, and produces more partial preimages.

And also note, that even when SHA-1 was broken, then it was not the end of the world. Much software, including for example Git, simply switched to "hardened SHA-1", which was strictly based on the found weaknesses, and didn't protect everyone from all possible collisions. And the same could happen here: if something is broken, then the fastest applied fix is directly related to the way how practical attacks are made. And first fixes can prevent just that, and not much more than that. Stronger fixes, and switches to other algorithms happen much later, if at all (people are still using hardened SHA-1, instead of switching to SHA-256 or anything else, because of backward compatibility).

Another thing is that for SHA-1, or even MD5, we still have only collisions. Making actual preimages is still extremely hard, even if you can make collisions in seconds on just a CPU for MD5. And fully breaking ECDSA, by breaking SHA-256, will require preimages. In the famous N-bit puzzle, 130-bit public key is currently solved, and 135-bit key is ongoing (which is still quite far from 256-bit keys; but unfortunately, keys from 161-256 range were moved, so public key security is never checked beyond 160-bit keys in this puzzle).

Quote
Just wondering what will happen to my stash and trying to find answers.
Nobody knows for sure. But so far, many canaries are still unsolved, so many discussions are theoretical, at least for now. And also, current classical computers can achieve much better results, than current quantum prototypes, so don't worry too much (because even in the worst case, classical Proof of Work can be replaced by quantum Proof of Work, although now, classical computers are much better at it, so it is quite unlikely scenario).

Satofan44
July 28, 2025, 08:33:21 PM
Last edit: July 28, 2025, 11:26:06 PM by Satofan44
 #17

OK you clearly know it better than me. (I never claimed myself to be the expert) But when I say "if SHA256 gets cracked" I didn't mean it only. If they manage to crack SHA256, don't you think they will also crack the related algorithms as well? In this case it is ECDSA.
There are only 3 possibilities, and I have explained what happens in 2 out of them. I summarize again.
  • ECDSA is compromised, which would make Bitcoin broken.
  • SHA256 is compromised, which may make Bitcoin broken depending on the type of compromise.
  • Both are compromised, which I didn't address because if ECDSA is broken Bitcoin is already broken anyway.

When quantum computers start cracking these algos like cracking walnuts, what'll happen to ECDSA?
As for this, claiming that quantum computers will start cracking these algos is like saying that curing cancer will soon unlock faster than light travel. Both are complex scientific problems but they operate entirely in different domains with unrelated mechanisms. The same is true for ECDSA and SHA256, even though both are algorithms they could not be more different from each other. If one ends up being broken that doesn't guarantee that the other one will be broken soon or ever, and vice versa. You even call them related, but they are not. They are only related in the sense that they are used together in practice in this case.

Just wondering what will happen to my stash and trying to find answers.
The solution right now for the user is just to wait. Do not believe any FUD but also don't believe anyone who is selling quantum secure solutions just yet.


I believe it would be worthwhile to add a small explanation of collisions and preimages. For the rest of the explanation into the details I leave it to the post of stwenhao which is great.

  • Collision attack: This occurs when you can find at least two inputs that produce the same hash. Hash (a) == Hash (b). More random.
  • Preimage attack: You have the ability to take a hash and derive the input that produced it. Targeted attack and more dangerous.
