Alan loves to respond to these types of posts with in-depth answers, including nicely laid out paragraphs, punctuation, proper grammar, bold and underlined key points, COLORS, and sometimes even pictures. So I'm gonna beat him to the bush with a half assed answer just to frustrate him =P
Haha, well done. I do these elaborate, polished presentations because I feel like most n00bs will gloss right over it unless it's visually quite clear what point is being made. I want to make sure that if they are determined to understand it, that it is as clear as possible. Colors and bold help with that. I won't repeat your explanation, but I will correct it... and with some color (I also don't like the multi-letter variables).
a is your private key (a scalar, lowercase)
G is the generator point of the secp256k1 curve (an EC point, upper-case bold)
* is the operator for multiplying a curve point by a scalar
* is the operator for multiplying a scalar by another scalar modulo the size of the curve
Your public key, Q is:
Q = a * G
The important property that we leverage with Bitcoin and ECDSA (which wouldn't exist if Bitcoin used any other crypto system) is this: we pick any scalar c. The following equality holds by the property of ECDSA:
(c * a) * G = c * (a * G) = c * Q
What this shows us is that if you multiply your private key by a scalar c (mod N), you can multiply your public key by the same scalar (EC-scalar-point-multiply) and you get matching keys. Note that (c*a) is a scalar and thus could be used as a private key, and that (c*a)*G would be the associated public key, but that the equality above shows you can get the same public key without touching the private key... just use the same scalar on the public key. So you can keep multiplying by c (or any deterministic sequence of c-values) and you get chains of private keys from the private root, and matching chain of public keys from the public root.
That's how "type-2" deterministic wallets work, and the basis of BIP32.
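
The equality above, checked with plain-Python secp256k1 arithmetic, as an added example that is not part of the original posts. The function names and the way the c-values are generated (SHA-256 of a seed and a counter) are assumptions made for the illustration, and the point multiplication is not constant time.

```python
import hashlib
from itertools import accumulate

P = 2**256 - 2**32 - 977    # secp256k1 field prime; N and G below are the curve's public constants
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Add two curve points; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 if p2 is None else p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p2 is the negation of p1
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P         # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def point_mul(k, pt):
    """EC scalar-point multiply by double-and-add (not constant time)."""
    k, acc = k % N, None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def multipliers(seed, count):
    """Deterministic c-values. Assumed scheme: SHA-256(seed || counter) mod N."""
    return [int.from_bytes(hashlib.sha256(seed + bytes([i])).digest(), "big") % N
            for i in range(count)]

def private_chain(a, cs):
    """a, c1*a, c2*c1*a, ... from the private root (scalar multiply mod N)."""
    return list(accumulate(cs, lambda k, c: c * k % N, initial=a % N))

def public_chain(Q, cs):
    """Q, c1*Q, c2*c1*Q, ... from the public root only (scalar-point multiply)."""
    return list(accumulate(cs, lambda pt, c: point_mul(c, pt), initial=Q))

def chains_match(a, cs):
    """True if each chained private key maps to the public key derived without it."""
    derived = [point_mul(k, G) for k in private_chain(a, cs)]
    return derived == public_chain(point_mul(a, G), cs)
```

Calling `chains_match(a, multipliers(seed, n))` returns `True` for any private root `a`. Because the same arithmetic runs backwards, anyone who knows a c-value and the corresponding child private key can recover the parent by multiplying with the inverse of c mod N, so chained private keys need the same protection as the root.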