Relationship with private keys, public keys and addresses

[Alexander_123]

Good morning!

So I have been looking into the relationship between private keys, public keys and addresses. Now I know this has been covered many times before, however I wanted to provide how I believe the relationships are to make sure I have not missed something...so here we go.

A Bitcoin Wallet contains a copy of your private key and public key.

Private Key

- A private key is a binary number consisting of 256 bits. (Which can also be shown as a 64 hexadecimal digit)
- This binary number can be split into 24 groups that by using a binary to decimal converter and the BIP39 word list will give you your recovery seed



Public Key
- A public key uses the coordinates of the private key(x,y) and multiplies this by the Generator point on the elliptical curve (y^2=x^3+7) multiplication; K=k*G (where G is always the same point on the curve for all Bitcoin )
- To arrive at the public key, another way to look at it is we have to multiple the Generator point by the 'private key number of times' as it bounces around the elliptical curve.
- This ensures you can only go one way and you cannot derive a private key from a public key without significant computing power (AKA Asymmetric Encryption)

Bitcoin Address
- The public key is then hashed with SHA256 and RIPEMD160 (or double hashed) to give you a public key hash (160-bit)
- This public key is then encoded as Base58check which uses 58 character, which then uses a 1 or 3 as a prefix to give you your final Bitcoin Address


Assuming the above is more or less accurate I have a couple of questions on the above, and apologies if the above has been covered elsewhere
1) What are the coordinates of the Generator point on the elliptical curve?
2) The multiplication of the generator point and the private key x times is what confuses me a little...so if you have the generator point with coordinates (a,b) , you would then multiple this by the 256 bit private key...so 2G...3G.....256G?
3) The Bitcoin address would then be 160 bit or 40 Hex character long address with a pre-fix of a 1 or 3....
4) How does a Wallet produce multiple addresses?

Hopefully the above does not have too many errors of my understanding, thanks in advance

[1715556650]

1715556650

[pooya87]

Private Key
- A private key is a binary number consisting of 256 bits. (Which can also be shown as a 64 hexadecimal digit)
- This binary number can be split into 24 groups that by using a binary to decimal converter and the BIP39 word list will give you your recovery seed

These are two different topics.
Your private key is a random number between 1 and the elliptic curve's order which is slightly less than 2²⁵⁶.
What we use in BIP39 is an entropy (random bit stream) that can have a size between 128 and 256. Its integral value is not important (in other words, your entropy can be equal to 2²⁵⁶ whereas your private key can not). Then we use this entropy to derive private keys.

- A public key uses the coordinates of the private key(x,y)

Private key is an integer, so it doesn't have coordinate. The public key is a point on (x,y) so it has coordinates.
We multiply generator point by this number.

- This public key is then encoded as Base58check which uses 58 character, which then uses a 1 or 3 as a prefix to give you your final Bitcoin Address

To be clear we only add a single byte at the beginning of the hash then encode that to get 1 or 3 automatically.
Also this is the process of creating legacy addresses. The new addresses known as Bech32 use a different encoding algorithm of the same name.

Assuming the above is more or less accurate

It was only unclear about some details.

1) What are the coordinates of the Generator point on the elliptical curve?

It can be found here and is called G: https://en.bitcoin.it/wiki/Secp256k1

2) The multiplication of the generator point and the private key x times is what confuses me a little...so if you have the generator point with coordinates (a,b) , you would then multiple this by the 256 bit private key...so 2G...3G.....256G?

Technically we have to compute k*G meaning if your private key is equal to 5 then we compute 5*G.
There are simpler ways of computing this multiplication which are explained here: https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication
You can also read this to understand ECC better: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/

3) The Bitcoin address would then be 160 bit or 40 Hex character long address with a pre-fix of a 1 or 3....

You forgot to ask the question.

4) How does a Wallet produce multiple addresses?

Initially they were just creating random keys using the cryptography random generator the programming language and operating system offered. So each time you created a new key it would be random.
Then due to some issues associated with RNGs and issues with creating backup every time, wallets moved on to being "deterministic" meaning when you create the wallet for the first time it calls the RNG and creates a "seed" then every time you want a new key it deterministically produces one for you using that seed.
This makes the process reproducible (so you only need to created a backup once) and you only call RNG once.
You can read about the process here: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki

[NotATether]

- A private key is a binary number consisting of 256 bits. (Which can also be shown as a 64 hexadecimal digit)
- This binary number can be split into 24 groups that by using a binary to decimal converter and the BIP39 word list will give you your recovery seed

You are correct that a private key is a 256-bit number. But this private key is not related to the list of words we call a mnemonic phrase (also called by some people as a seed phrase).

A mnemonic phrase is, as you probably figured out, a group of 12 or 24 words which encode some entropy. The length of the entropy depends on the number of words. So for example, 12 words encode 128 bits of entropy and 24 words encode 256 bits. Also, the number of words can be a multiple of 3, but this is extremely rare to see in practice so I'll just ignore it here.

This entropy is hashed using HMAC-SHA512 (NOT HMAC-SHA256) to get the master private key.

The master private key is the root of a tree of addresses/private keys. A set of cryptographic operations, including hashing, is performed to derive a branch (also called extended key) from the root (master private key). This master private key resembles any other private key and as such you can compute the public key for it in the same way, which is called the master public key.


Most wallets will create 1 to 4 branches before creating the "leaf" keys which are your actual private keys and public key/addresses. Actually, calling it a leaf is misleading because even these keys can derive more "branches" of private keys too, using the same process.

This image from the BIP32 specification should make matters clearer:

Bitcoin Address
- The public key is then hashed with SHA256 and RIPEMD160 (or double hashed) to give you a public key hash (160-bit)
- This public key is then encoded as Base58check which uses 58 character, which then uses a 1 or 3 as a prefix to give you your final Bitcoin Address

Segwit addresses beginning with bc1 are encoded using Bech32 instead of Base58check.

1) What are the coordinates of the Generator point on the elliptical curve?

Their coordinates in hex form are:

79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 (x)
483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8 (y)

2) The multiplication of the generator point and the private key x times is what confuses me a little...so if you have the generator point with coordinates (a,b) , you would then multiple this by the 256 bit private key...so 2G...3G.....256G?

It confused me too when I was learning. But the multiplier before the G is a 256-bit number (well actually, a tiny little smaller than 256 bits but that will make things confusing). So your private key - which by the way is still a number, remember that - can be used as the factor to multiply G with.

For example

if your private key was


21492362582632841231294160590348628345891189  (hex)

Then you multiply this number by G to get your public key.

3) The Bitcoin address would then be 160 bit or 40 Hex character long address with a pre-fix of a 1 or 3....

Only the address hash is 160 bits long. Remember you encode the address using Base58check or Bech32 so the final length in characters becomes much smaller.

4) How does a Wallet produce multiple addresses?

Using seed phrases, the entropy inside them, and the generated master private key, a very large number of keys can be derived from it (and even more keys derived from the children etc...) as I explained above.

[edit - pooya87 posted most of this stuff but due to lag I did not notice]

[Alexander_123]

Private Key
- A private key is a binary number consisting of 256 bits. (Which can also be shown as a 64 hexadecimal digit)
- This binary number can be split into 24 groups that by using a binary to decimal converter and the BIP39 word list will give you your recovery seed

These are two different topics.
Your private key is a random number between 1 and the elliptic curve's order which is slightly less than 2²⁵⁶.
What we use in BIP39 is an entropy (random bit stream) that can have a size between 128 and 256. Its integral value is not important (in other words, your entropy can be equal to 2²⁵⁶ whereas your private key can not). Then we use this entropy to derive private keys.
So my understanding is that the private key is something like 0100111000111 etc. which has to be less than 2^256 and is between 128 to 256 in length?
The private key 010011etc. is then split up into certain character lengths which can then be matched to the BIP39 library? Do you know where I can get a copy of this library?

- A public key uses the coordinates of the private key(x,y)

Private key is an integer, so it doesn't have coordinate. The public key is a point on (x,y) so it has coordinates.
We multiply generator point by this number.
ok so we multiple the 0100111100etc. from above by the Generator Point...so y^2 = X^3 + 7....X=private key long number?

- This public key is then encoded as Base58check which uses 58 character, which then uses a 1 or 3 as a prefix to give you your final Bitcoin Address

To be clear we only add a single byte at the beginning of the hash then encode that to get 1 or 3 automatically.
Also this is the process of creating legacy addresses. The new addresses known as Bech32 use a different encoding algorithm of the same name.
So moving forward all new addresses are generated using Bech32?

Assuming the above is more or less accurate

It was only unclear about some details.

1) What are the coordinates of the Generator point on the elliptical curve?

It can be found here and is called G: https://en.bitcoin.it/wiki/Secp256k1
Thanks, but the above has different characters and not just numbers, hence how can it fit onto an x-y graph?

2) The multiplication of the generator point and the private key x times is what confuses me a little...so if you have the generator point with coordinates (a,b) , you would then multiple this by the 256 bit private key...so 2G...3G.....256G?

Technically we have to compute k*G meaning if your private key is equal to 5 then we compute 5*G. got it so we would multiple it by our private key 010011 etc.
There are simpler ways of computing this multiplication which are explained here: https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication
You can also read this to understand ECC better: https://blog.cloudflare.com/a-relatively-easy-to-understand-primer-on-elliptic-curve-cryptography/ thanks!

3) The Bitcoin address would then be 160 bit or 40 Hex character long address with a pre-fix of a 1 or 3....

You forgot to ask the question.

4) How does a Wallet produce multiple addresses?

Initially they were just creating random keys using the cryptography random generator the programming language and operating system offered. So each time you created a new key it would be random.
Then due to some issues associated with RNGs and issues with creating backup every time, wallets moved on to being "deterministic" meaning when you create the wallet for the first time it calls the RNG and creates a "seed" then every time you want a new key it deterministically produces one for you using that seed.
This makes the process reproducible (so you only need to created a backup once) and you only call RNG once.
You can read about the process here: https://github.com/bitcoin/bips/blob/master/bip-0032.mediawiki ok let me read up on that!

Thank you again for guiding me through this

[NotATether]

So my understanding is that the private key is something like 0100111000111 etc. which has to be less than 2^256 and is between 128 to 256 in length?
The private key 010011etc. is then split up into certain character lengths which can then be matched to the BIP39 library? Do you know where I can get a copy of this library?

Private keys do not have a minimum length and can be as small as 1 (but not 0). I think you got it confused with seed phrase entropy - that has nothing to do with private keys, and can be between 128 (= 12 seed words) bits and 512 (= 48 seed words) bits long, but this passes through HMAC SHA512 (I incorrectly wrote HMAC SHA256 above) to make the master private key.

There are a few python libraries on Github which exist that convert seed phrase entropy (again, not private keys) to words. A quick search should reveal them as I don't know any off the top of my head at the moment.

ok so we multiple the 0100111100etc. from above by the Generator Point...so y^2 = X^3 + 7....X=private key long number?

Yes.

So moving forward all new addresses are generated using Bech32?

All newer types of address will use Bech32. Obviously, the old 1- and 3- addresses still need to use Base58 for compatibility reasons.

Thanks, but the above has different characters and not just numbers, hence how can it fit onto an x-y graph?

That's because the number is in hexadecimal. In decimal, the coordinates would be

55066263022277343669578718895168534326250603453777594175500187360389116729240 (x)
and
32670510020758816978083085130507043184471273380659243275938904335757337482424 (y)

[Alexander_123]

- A private key is a binary number consisting of 256 bits. (Which can also be shown as a 64 hexadecimal digit)
- This binary number can be split into 24 groups that by using a binary to decimal converter and the BIP39 word list will give you your recovery seed

You are correct that a private key is a 256-bit number. But this private key is not related to the list of words we call a mnemonic phrase (also called by some people as a seed phrase).

A mnemonic phrase is, as you probably figured out, a group of 12 or 24 words which encode some entropy. The length of the entropy depends on the number of words. So for example, 12 words encode 128 bits of entropy and 24 words encode 256 bits. Also, the number of words can be a multiple of 3, but this is extremely rare to see in practice so I'll just ignore it here.

This entropy is hashed using HMAC-SHA256 to get the master private key. ok you lost me here...I thought the numbers of the private key were grouped together and an equivalent word using the Bip39 list was used for all 256 numbers so the first group of 01001110011 equals a certain word and so forth

The master private key is the root of a tree of addresses/private keys. A set of cryptographic operations, including hashing, is performed to derive a branch (also called extended key) from the root (master private key). This master private key resembles any other private key and as such you can compute the public key for it in the same way, which is called the master public key.


Most wallets will create 1 to 4 branches before creating the "leaf" keys which are your actual private keys and public key/addresses. Actually, calling it a leaf is misleading because even these keys can derive more "branches" of private keys too, using the same process.

This image from the BIP32 specification should make matters clearer:

https://raw.githubusercontent.com/bitcoin/bips/master/bip-0032/derivation.png ok makes sense

Bitcoin Address
- The public key is then hashed with SHA256 and RIPEMD160 (or double hashed) to give you a public key hash (160-bit)
- This public key is then encoded as Base58check which uses 58 character, which then uses a 1 or 3 as a prefix to give you your final Bitcoin Address

Segwit addresses beginning with bc1 are encoded using Bech32 instead of Base58check. got it, is there a good guide for how this works in concept? I was reading Mastering Bitcoin but they talk mainly about Base58check

1) What are the coordinates of the Generator point on the elliptical curve?

Their coordinates in hex form are:

79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 (x)
483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8 (y)
How would you convert this back to real X,Y coordinates? You would need to uncompressed them?

2) The multiplication of the generator point and the private key x times is what confuses me a little...so if you have the generator point with coordinates (a,b) , you would then multiple this by the 256 bit private key...so 2G...3G.....256G?

It confused me too when I was learning. But the multiplier before the G is a 256-bit number (well actually, a tiny little smaller than 256 bits but that will make things confusing). So your private key - which by the way is still a number, remember that - can be used as the factor to multiply G with.

For example

if your private key was


21492362582632841231294160590348628345891189  (hex)

Then you multiply this number by G to get your public key. just to confirm the above hex number is a hex from the original private key? Sorry how is that generated

3) The Bitcoin address would then be 160 bit or 40 Hex character long address with a pre-fix of a 1 or 3....

Only the address hash is 160 bits long. Remember you encode the address using Base58check or Bech32 so the final length in characters becomes much smaller.OK got it, is the final length always the same or does it vary?

4) How does a Wallet produce multiple addresses?

Using seed phrases, the entropy inside them, and the generated master private key, a very large number of keys can be derived from it (and even more keys derived from the children etc...) as I explained above.Got it...however how does say Ledger only give you one seed...does it then split your public addresses up from there?

[edit - pooya87 posted most of this stuff but due to lag I did not notice] Thanks anyway I still have questions though Thanks again it is really helpful

[garlonicon]

ok so we multiple the 0100111100etc. from above by the Generator Point...so y^2 = X^3 + 7....X=private key long number?

Yes.

Erm, not exactly. If you have a private key equal to one, your public key is not x=1. It is G. And then, if you have a private key "d", then your public key is "d*G".

Their coordinates in hex form are:

79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798 (x)
483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448 A6855419 9C47D08F FB10D4B8 (y)
How would you convert this back to real X,Y coordinates? You would need to uncompressed them?

Those numbers are "real" X,Y coordinates. They are just written in base16, so you have 16 "digits" from "0123456789ABCDEF", instead of 10 digits from 0 to 9.

just to confirm the above hex number is a hex from the original private key? Sorry how is that generated

Yes, it is hex number. It is random, the exact way of getting random numbers depends on Random Number Generator (RNG).

OK got it, is the final length always the same or does it vary?

The same type of address has always the same length, if you think about bits. It may be different under base58, just because this base is not aligned with base2 (binary 0,1). For base32, it is aligned, because 2^5=32, so each bech32 address of the same type has the same number of characters.

Got it...however how does say Ledger only give you one seed...does it then split your public addresses up from there?

One seed is enough to get a lot of addresses. If you have one random seed and one non-random algorithm of getting new addresses, you just backup your seed. If you have a wallet where all addresses are random and there is no seed, then you have to backup all addresses.

[Alexander_123]

Thanks all for your feedback I have a bit more reading to do before bringing this all together...I will be back

[tranthidung]

• Check this chapter, Key Addresses from Mastering Bitcoin, second edition
• You can add this graphic to support one point in your OP.

[o_e_l_e_o]

Just to fill in answers to the two questions which haven't been answered yet:

ok you lost me here...I thought the numbers of the private key were grouped together and an equivalent word using the Bip39 list was used for all 256 numbers so the first group of 01001110011 equals a certain word and so forth

The numbers from your entropy are grouped together in to 11 bit sections and then encoded in to words to give you a seed phrase as you say.
This seed phrase is then passed in to a series of hash functions to generate all the private keys in your wallet.
The private keys themselves are not encoded in to words like this, and are instead expressed as strings of characters in various formats.

got it, is there a good guide for how this works in concept? I was reading Mastering Bitcoin but they talk mainly about Base58check

There is a good step by step guide for this process in this thread by user Coding Enthusiast: Step by step guide to go from public key to a Bech32 encoded address