Bitcoin Forum
September 17, 2019, 01:32:47 AM *
News: If you like a topic and you see an orange "bump" link, click it. More info.
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Possible to generate public key without private key ?  (Read 220 times)
PietCoin97
Jr. Member
*
Offline Offline

Activity: 60
Merit: 1


View Profile
January 20, 2019, 09:41:43 PM
Last edit: January 20, 2019, 09:55:41 PM by PietCoin97
 #1

Hello

Is it possible to generate a public key on vulnerable area of the graph of an elliptic curve without a priv key ?
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1568683967
Hero Member
*
Offline Offline

Posts: 1568683967

View Profile Personal Message (Offline)

Ignore
1568683967
Reply with quote  #2

1568683967
Report to moderator
1568683967
Hero Member
*
Offline Offline

Posts: 1568683967

View Profile Personal Message (Offline)

Ignore
1568683967
Reply with quote  #2

1568683967
Report to moderator
HeRetiK
Legendary
*
Offline Offline

Activity: 1232
Merit: 1118


the forkings will continue until morale improves


View Profile
January 20, 2019, 10:04:34 PM
 #2

Define "vulnerable area of the graph"?

There's no public key without a private key; the public key is derived from the private key:

Alice creates a key pair, consisting of a private key integer dA, randomly selected in the interval [ 1 , n − 1 ]; and a public key curve point QA = dA × G.

ie. you can't calculate a public key without knowing the corresponding private key.


Why would want to generate a public key without a private key anyway?

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1301


https://bit.ly/2FR9nyn - free python tutorials


View Profile
January 20, 2019, 10:16:52 PM
 #3

What are your intentions for this, maybe you need to look at how public key and private key signing functions actually work before asking questions like this one.

It's impossible to generate a public key without a private key with a useful intent and a private key will always be needed to sign a public key and send funds from it. If you're trying to burn your funds, why not just send the coins to someone random?

PietCoin97
Jr. Member
*
Offline Offline

Activity: 60
Merit: 1


View Profile
January 20, 2019, 10:30:31 PM
 #4

ok thanks i am newbie sry.
jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1301


https://bit.ly/2FR9nyn - free python tutorials


View Profile
January 21, 2019, 12:05:34 AM
Merited by joniboini (2), khaled0111 (1)
 #5

If you want a bit of description about what happens in your/any bitcoin wallet.

A 256 bit private key is generated which is a random key that is 256 bits in length.
A public key is then generated from this private key using the specifications of the ecdsa algorithm.
Your bitcoin address is a version of this public key with a few other things done to it to make it harder to bruteforce.
The idea with bitcoin is that a private key is only owned by you and a public key is visible to anyone so that only you can sign something with it.

With the SSL process that takes place (https) this is similar.
1. The server first sends you a certificate which tells you the encryption algorithms and hashing algorithms it can understand (a hashing algorithm is something that takes data of any size and computes a number based on that that is of a fixed size). This certificate also includes the awarding agency and the public key that they are using.
2. You return the servers certificate with a password of 128/256 bits in length that is encrypted with the servers public key.
3. The server then sends you an encrypted from of the website based on what you have asked from it. It may also sign a hash of the page to prove that it was the origional transmitter.

In Bitcoin:
1. You give someone a hash of your public key.
2. They use the bitcoin network and their private key to send you a transaction.
3. You receive this transaction to your public key hash and the blockchain accepts or rejects it (if it's a proper transaction, it can be confirmed).
[The signing process]
4. To send this coin, you must state the tx inputs you want to sign along with the public key that was paid (so that the miners can confirm you were paid) and where the money will be sent to,
5. You then sign this transaction in using your private key that is personal to you.
6. You can then broadcast this transaction to the network.

pooya87
Legendary
*
Offline Offline

Activity: 1764
Merit: 1874


Remember tonight for it's the beginning of forever


View Profile
January 21, 2019, 05:32:13 AM
Merited by ETFbitcoin (1), bones261 (1), HeRetiK (1)
 #6

it is not impossible to create a public key without a private key. it is just a pointless thing to do!
a public key is a X and Y coordinate of a point on an elliptic curve. so it is easy to find (x,y) that is located on this curve, you just have to select a random X value and then calculate its Y from the EC equation (y2≡x3+ax+b (mod p))
not all X values are valid though, so you may need to test multiple times to find one. here is a random one i just created:
<45009742619328706989209721481469356495466089759340121731212924137964964827830><55658394098303987375017676168753804827844976155954353767074160408101272378468>

here is another X that fails because it is invalid (can't find square root modulo P of it)
51410043668478994359633259752192489159154639417244457446419652830244474644848

hatshepsut93
Hero Member
*****
Offline Offline

Activity: 1274
Merit: 855


Bitcoin realist


View Profile
January 21, 2019, 08:43:00 AM
 #7

In deterministic wallets master public key can generate all public keys and you don't need to know any private keys to do it. This is how watch-only wallets work in Electrum.

Read more here: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1301


https://bit.ly/2FR9nyn - free python tutorials


View Profile
January 21, 2019, 03:13:13 PM
Merited by pooya87 (2)
 #8

it is not impossible to create a public key without a private key. it is just a pointless thing to do!

I was thinking this but isn't there a small fraction of public keys that can't be generated because they're private keys aren't accepted or is that something to do with the graph? As in that there's slightly less than 2^256 private keys, although it wasn't necessarily specified to be to do with the bitcoin protocol?

Do the other numbers not exist on the graph, or have I got something wrong?

aplistir
Full Member
***
Offline Offline

Activity: 350
Merit: 161



View Profile
January 21, 2019, 06:02:29 PM
Merited by DarkStar_ (4), joniboini (2), ETFbitcoin (1), bones261 (1)
 #9

it is not impossible to create a public key without a private key. it is just a pointless thing to do!

I was thinking this but isn't there a small fraction of public keys that can't be generated because they're private keys aren't accepted or is that something to do with the graph? As in that there's slightly less than 2^256 private keys, although it wasn't necessarily specified to be to do with the bitcoin protocol?

There are less private keys than 2^256. That is because the order (= number of points) of the curve bitcoin uses is less than 2^256

2^256=
115792089237316195423570985008687907853269984665640564039457584007913129639936
order n=
115792089237316195423570985008687907852837564279074904382605163141518161494337

So there are 2^256 - n = 432420386565659656852420866394968145599 less points than 2^256

But you CAN choose any of the 2^256 numbers to be your private key and you will get a valid public key from it.
If you choose a number bigger than the max value (no matter how much bigger), the max value will automatically be subtracted from your number, until your chosen number will be smaller than the max value.

PS. remember that there are only 2^160 bitcoin addresses, which is a lot less than 2^256, which means there are many public keys, that will produce same address
Do the other numbers not exist on the graph, or have I got something wrong?
The graph is continuous, And all the numbers exist in the graph, the limiting factor is P=2^256-2^32-2^9-2^8-2^7-2^6-2^4-1
that is chosen for curve secp256k1, which is what bitcoin uses.

My Address: 121f7zb2U4g9iM4MiJTDhEzqeZGHzq5wLh
HeRetiK
Legendary
*
Offline Offline

Activity: 1232
Merit: 1118


the forkings will continue until morale improves


View Profile
January 21, 2019, 07:20:18 PM
 #10

But you CAN choose any of the 2^256 numbers to be your private key and you will get a valid public key from it.
If you choose a number bigger than the max value (no matter how much bigger), the max value will automatically be subtracted from your number, until your chosen number will be smaller than the max value.

Do you happen to know whether each point on secp256k1 -- viewed as a public key -- has a corresponding private key that also lies on secp256k1? That is, does the inverse of QA = dA × G necessarily lead to a point on the same curve? I'm thinking along the line that e.g. each integer has a square that's also an integer, but not every integer has a square root that's also an integer.

Makes little difference for the sake of OP as any point on secp256k1 would look like a valid public key regardless, but I'm still curious.

pooya87
Legendary
*
Offline Offline

Activity: 1764
Merit: 1874


Remember tonight for it's the beginning of forever


View Profile
January 22, 2019, 05:10:18 AM
Last edit: January 22, 2019, 06:39:06 AM by pooya87
Merited by bones261 (2), joniboini (2)
 #11

@jackg raised a pretty interesting question.
the answer is no, not all the points correspond to a private key. here is how things work (as far as my understanding of elliptic curves go):
when we have a curve over Fp where p is a prime, it consists of p number of points. and that is denoted by #E(Fp).
Now when we choose a point on the curve we are practically creating a "sub group" of those points. so if for example our curve is over prime=11 and we have (y2≡x3-7 (mod 11)) that creates 11 points for us:
{ (2,9), (2,3), (3,1), (3,10), (4,4), (4,7), (5,0), (6,5), (6,6), (7,3), (7,8) } and point at infinity

if we choose one point from this group like (6,5) as the generator then dG can only produce the following points:
{ (3,1), (3,10), (5,0), (6,5), (6,6)} and point at infinity
so we practically are creating only 5 out of 11 points on curve with our generator.

and 'n' which is order of the base point is showing how many points it can generate. so when n is smaller than p so is the number of points that G can generate.

jackg
Copper Member
Legendary
*
Offline Offline

Activity: 1498
Merit: 1301


https://bit.ly/2FR9nyn - free python tutorials


View Profile
January 22, 2019, 01:20:59 PM
 #12

@pooya I'm not sure I entirely understand you on this one. How ere I was thinking that the private key to public key function will resemble a secure hash function otherwise it would be really easy just to crack.

@aplistir the hash160 doesn't mean there are leads public keys avaliable as you still need to sign your own public key and not your public key hash..

pooya87
Legendary
*
Offline Offline

Activity: 1764
Merit: 1874


Remember tonight for it's the beginning of forever


View Profile
January 22, 2019, 03:12:36 PM
Merited by bones261 (1), jackg (1), AdolfinWolf (1)
 #13

@pooya I'm not sure I entirely understand you on this one. How ere I was thinking that the private key to public key function will resemble a secure hash function otherwise it would be really easy just to crack.

what i explained above does not change that.
what happens to ECC is that we already have all those points (the points on the curve which are forming the group) and numbers (from 1 to n-1 which are the private keys) and we know that if we multiply each numbers with the generator point we get another point that is  among the points that we already have. what makes it secure is not about knowing what the points are, it is about not knowing what number was multiplied by the generator to get to that point. again point being the public key and number being the private key.

i don't know why you mention the term "secure hash function" but the "multiplication" is purely math, think of it as a one way math that you can solve in one direction with fast speed but it is impossible to solve in reverse. in other words in above example it is super easy to multiply G=(6,5) with d=2 and get to point=(3,1) but if you have (3,1) it is hard to calculate what d was.
of course it case of p=11 (1 bit) the solution is easy but p in reality is 256 bit for bitcoin curve so it is impossible.

Pages: [1]
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!