Possible to generate public key without private key ?

[PietCoin97]

Hello

Is it possible to generate a public key on vulnerable area of the graph of an elliptic curve without a priv key ?

[1714838878]

1714838878

[1714838878]

1714838878

[1714838878]

1714838878

[1714838878]

1714838878

[HeRetiK]

Define "vulnerable area of the graph"?

There's no public key without a private key; the public key is derived from the private key:

Alice creates a key pair, consisting of a private key integer d_A, randomly selected in the interval [ 1 , n − 1 ]; and a public key curve point Q_A = d_A × G.

ie. you can't calculate a public key without knowing the corresponding private key.


Why would want to generate a public key without a private key anyway?

[jackg]

What are your intentions for this, maybe you need to look at how public key and private key signing functions actually work before asking questions like this one.

It's impossible to generate a public key without a private key with a useful intent and a private key will always be needed to sign a public key and send funds from it. If you're trying to burn your funds, why not just send the coins to someone random?

[PietCoin97]

ok thanks i am newbie sry.

[jackg]

If you want a bit of description about what happens in your/any bitcoin wallet.

A 256 bit private key is generated which is a random key that is 256 bits in length.
A public key is then generated from this private key using the specifications of the ecdsa algorithm.
Your bitcoin address is a version of this public key with a few other things done to it to make it harder to bruteforce.
The idea with bitcoin is that a private key is only owned by you and a public key is visible to anyone so that only you can sign something with it.

With the SSL process that takes place (https) this is similar.
1. The server first sends you a certificate which tells you the encryption algorithms and hashing algorithms it can understand (a hashing algorithm is something that takes data of any size and computes a number based on that that is of a fixed size). This certificate also includes the awarding agency and the public key that they are using.
2. You return the servers certificate with a password of 128/256 bits in length that is encrypted with the servers public key.
3. The server then sends you an encrypted from of the website based on what you have asked from it. It may also sign a hash of the page to prove that it was the origional transmitter.

In Bitcoin:
1. You give someone a hash of your public key.
2. They use the bitcoin network and their private key to send you a transaction.
3. You receive this transaction to your public key hash and the blockchain accepts or rejects it (if it's a proper transaction, it can be confirmed).
[The signing process]
4. To send this coin, you must state the tx inputs you want to sign along with the public key that was paid (so that the miners can confirm you were paid) and where the money will be sent to,
5. You then sign this transaction in using your private key that is personal to you.
6. You can then broadcast this transaction to the network.

[pooya87]

it is not impossible to create a public key without a private key. it is just a pointless thing to do!
a public key is a X and Y coordinate of a point on an elliptic curve. so it is easy to find (x,y) that is located on this curve, you just have to select a random X value and then calculate its Y from the EC equation (y²≡x³+ax+b (mod p))
not all X values are valid though, so you may need to test multiple times to find one. here is a random one i just created:
<45009742619328706989209721481469356495466089759340121731212924137964964827830><55658394098303987375017676168753804827844976155954353767074160408101272378468>

here is another X that fails because it is invalid (can't find square root modulo P of it)
51410043668478994359633259752192489159154639417244457446419652830244474644848

[hatshepsut93]

In deterministic wallets master public key can generate all public keys and you don't need to know any private keys to do it. This is how watch-only wallets work in Electrum.

Read more here: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

[jackg]

it is not impossible to create a public key without a private key. it is just a pointless thing to do!

I was thinking this but isn't there a small fraction of public keys that can't be generated because they're private keys aren't accepted or is that something to do with the graph? As in that there's slightly less than 2^256 private keys, although it wasn't necessarily specified to be to do with the bitcoin protocol?

Do the other numbers not exist on the graph, or have I got something wrong?

[aplistir]

it is not impossible to create a public key without a private key. it is just a pointless thing to do!

I was thinking this but isn't there a small fraction of public keys that can't be generated because they're private keys aren't accepted or is that something to do with the graph? As in that there's slightly less than 2^256 private keys, although it wasn't necessarily specified to be to do with the bitcoin protocol?

There are less private keys than 2^256. That is because the order (= number of points) of the curve bitcoin uses is less than 2^256

2^256=
115792089237316195423570985008687907853269984665640564039457584007913129639936
order n=
115792089237316195423570985008687907852837564279074904382605163141518161494337

So there are 2^256 - n = 432420386565659656852420866394968145599 less points than 2^256

But you CAN choose any of the 2^256 numbers to be your private key and you will get a valid public key from it.
If you choose a number bigger than the max value (no matter how much bigger), the max value will automatically be subtracted from your number, until your chosen number will be smaller than the max value.

PS. remember that there are only 2^160 bitcoin addresses, which is a lot less than 2^256, which means there are many public keys, that will produce same address

Do the other numbers not exist on the graph, or have I got something wrong?

The graph is continuous, And all the numbers exist in the graph, the limiting factor is P=2^256-2^32-2^9-2^8-2^7-2^6-2^4-1
that is chosen for curve secp256k1, which is what bitcoin uses.

[HeRetiK]

But you CAN choose any of the 2^256 numbers to be your private key and you will get a valid public key from it.
If you choose a number bigger than the max value (no matter how much bigger), the max value will automatically be subtracted from your number, until your chosen number will be smaller than the max value.

Do you happen to know whether each point on secp256k1 -- viewed as a public key -- has a corresponding private key that also lies on secp256k1? That is, does the inverse of Q_A = d_A × G necessarily lead to a point on the same curve? I'm thinking along the line that e.g. each integer has a square that's also an integer, but not every integer has a square root that's also an integer.

Makes little difference for the sake of OP as any point on secp256k1 would look like a valid public key regardless, but I'm still curious.

[pooya87]

@jackg raised a pretty interesting question.
the answer is no, not all the points correspond to a private key. here is how things work (as far as my understanding of elliptic curves go):
when we have a curve over F_p where p is a prime, it consists of p number of points. and that is denoted by #E(F_p).
Now when we choose a point on the curve we are practically creating a "sub group" of those points. so if for example our curve is over prime=11 and we have (y²≡x³-7 (mod 11)) that creates 11 points for us:
{ (2,9), (2,3), (3,1), (3,10), (4,4), (4,7), (5,0), (6,5), (6,6), (7,3), (7,8) } and point at infinity

if we choose one point from this group like (6,5) as the generator then dG can only produce the following points:
{ (3,1), (3,10), (5,0), (6,5), (6,6)} and point at infinity
so we practically are creating only 5 out of 11 points on curve with our generator.

and 'n' which is order of the base point is showing how many points it can generate. so when n is smaller than p so is the number of points that G can generate.

[jackg]

@pooya I'm not sure I entirely understand you on this one. How ere I was thinking that the private key to public key function will resemble a secure hash function otherwise it would be really easy just to crack.

@aplistir the hash160 doesn't mean there are leads public keys avaliable as you still need to sign your own public key and not your public key hash..

[pooya87]

@pooya I'm not sure I entirely understand you on this one. How ere I was thinking that the private key to public key function will resemble a secure hash function otherwise it would be really easy just to crack.

what i explained above does not change that.
what happens to ECC is that we already have all those points (the points on the curve which are forming the group) and numbers (from 1 to n-1 which are the private keys) and we know that if we multiply each numbers with the generator point we get another point that is  among the points that we already have. what makes it secure is not about knowing what the points are, it is about not knowing what number was multiplied by the generator to get to that point. again point being the public key and number being the private key.

i don't know why you mention the term "secure hash function" but the "multiplication" is purely math, think of it as a one way math that you can solve in one direction with fast speed but it is impossible to solve in reverse. in other words in above example it is super easy to multiply G=(6,5) with d=2 and get to point=(3,1) but if you have (3,1) it is hard to calculate what d was.
of course it case of p=11 (1 bit) the solution is easy but p in reality is 256 bit for bitcoin curve so it is impossible.