Introduction
Ownership of bitcoin is established through digital keys, bitcoin addresses, and digital signatures. These digital keys are not stored on the network but are instead generated and stored by users in a file or simple database called a wallet. The keys within a user's wallet are entirely independent of the bitcoin protocol and can be managed by wallet software without requiring a blockchain or network connection.
These keys enable many of bitcoin's interesting features, including decentralized trust, ownership authentication, and a security model based on cryptographic proof. Every bitcoin transaction requires a valid signature to be stored on the blockchain, and only valid digital keys can produce valid digital signatures. Essentially, whoever possesses the keys controls the bitcoin.
Understanding Public Key Cryptography
Public key cryptography, invented in the 1970s, forms the mathematical foundation for computer and information security. Bitcoin uses elliptic curve multiplication as its basis for public key cryptography, creating key pairs that control access to bitcoin.
Private and Public Keys
A bitcoin wallet contains a series of key pairs, each consisting of a private key and a public key. The private key (k) is a randomly selected number, while the public key (K) is derived from the private key using elliptic curve multiplication. This process is irreversible—while you can generate a public key from a private key, you cannot derive a private key from a public key.
The mathematical relationship between private and public keys allows the private key to generate signatures for specific messages. These signatures can be verified against the corresponding public key without revealing the private key itself.
Private Key Generation
Generating a private key essentially involves selecting a number between 1 and 2²⁵⁶. The security of this process depends on finding a secure source of entropy (randomness). Bitcoin software typically uses the operating system's underlying random number generator, which is usually seeded from a human source of randomness.
For truly secure key generation, it's crucial to use a cryptographically secure pseudo-random number generator (CSPRNG) with sufficient entropy. Proper implementation of this process is critical for key security.
Here's an example of a randomly generated private key in hexadecimal format:
1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
The size of the bitcoin private key space is 2²⁵⁶, an astronomically large number that provides immense security against brute-force attacks.
Elliptic Curve Cryptography Explained
Bitcoin uses a specific elliptic curve defined by the secp256k1 standard, established by the National Institute of Standards and Technology (NIST). The curve is defined by the function:
y² = (x³ + 7) over Fₚ
Where Fₚ is a finite field of prime order p, with p being a very large prime number. The elliptic curve mathematics enables the creation of digital keys and unforgeable digital signatures that form bitcoin's security foundation.
Bitcoin Addresses
A bitcoin address is a string of numbers and letters that can be shared with anyone who wants to send you bitcoin. These addresses begin with the number "1" and are generated from public keys through a series of cryptographic transformations.
From Public Key to Bitcoin Address
The process of creating a bitcoin address from a public key involves several steps:
- Start with the public key K
- Compute SHA256(K) to get a 256-bit number
- Compute RIPEMD160(SHA256(K)) to get a 160-bit number
- Encode this result with Base58Check encoding to create the final address
This process creates an address that represents the public key without revealing it directly, adding a layer of security and abstraction.
Base58 and Base58Check Encoding
Base58 is a text-based binary encoding format used in bitcoin and other cryptocurrencies. It was developed to be more human-friendly than Base64 encoding by eliminating similar-looking characters (0, O, I, l) and non-alphanumeric characters (+ and /).
Base58Check is a variant that adds a version prefix and a 4-byte checksum to the encoded data. This allows for easy detection of errors when transcribing or transmitting addresses. The checksum is derived by applying the SHA256 algorithm twice to the version prefix and data, then taking the first 4 bytes of the result.
Different version prefixes are used for various bitcoin data types, as shown in the table below:
| Type | Version Prefix (hex) | Base58 Format |
|---|---|---|
| Bitcoin Address | 0x00 | 1 |
| Pay-to-Script-Hash Address | 0x05 | 3 |
| Bitcoin Testnet Address | 0x6F | m or n |
| Private Key WIF | 0x80 | 5, K or L |
| BIP38 Encrypted Private Key | 0x0142 | 6P |
| BIP32 Extended Public Key | 0x0488B21E | xpub |
Key Formats
Both private and public keys can be represented in multiple encoding formats, all corresponding to the same underlying numerical values.
Private Key Formats
Private keys have three common representation formats:
- Hex: 64 hexadecimal digits
- WIF (Wallet Import Format): Base58Check encoding with version prefix 128
- WIF-compressed: Same as WIF but with added suffix 0x01 before encoding
The same private key represented in these different formats would appear as:
| Format | Representation |
|---|---|
| Hex | 1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD |
| WIF | 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn |
| WIF-compressed | KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ |
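As an added example (not code from the original page), this implements the Base58Check scheme described under "Base58 and Base58Check Encoding" and applies it to the WIF and WIF-compressed formats in the table above: version byte 0x80, the 0x01 suffix for compressed keys, and the 4-byte double-SHA256 checksum. The alphabet and version prefixes are the page's; the function names are my own.

```python
import hashlib

# Bitcoin's Base58 alphabet: digits and letters minus 0, O, I and l
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def base58_encode(data):
    pad = len(data) - len(data.lstrip(b"\x00"))  # each leading zero byte becomes a '1'
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = ALPHABET[rem] + out
    return "1" * pad + out

def base58_decode(text):
    pad = len(text) - len(text.lstrip("1"))
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-Base58 character
    return b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")

def base58check_encode(version, payload):
    # Checksum = first 4 bytes of SHA256(SHA256(version || payload))
    data = version + payload
    return base58_encode(data + double_sha256(data)[:4])

def base58check_decode(text):
    # Returns version || payload; a transcription error fails the checksum check
    raw = base58_decode(text)
    if len(raw) < 5 or double_sha256(raw[:-4])[:4] != raw[-4:]:
        raise ValueError("Base58Check checksum mismatch")
    return raw[:-4]

def private_key_to_wif(key_hex, compressed):
    key = bytes.fromhex(key_hex)
    if len(key) != 32:
        raise ValueError("private key must be 32 bytes")
    # Version 0x80; the 0x01 suffix marks a key meant for compressed public keys
    return base58check_encode(b"\x80", key + (b"\x01" if compressed else b""))

def wif_to_private_key(wif):
    data = base58check_decode(wif)
    compressed = len(data) == 34
    if data[:1] != b"\x80" or len(data) not in (33, 34) or (compressed and data[-1] != 1):
        raise ValueError("not a mainnet WIF private key")
    return data[1:33].hex().upper(), compressed
```

The same `base58check_encode` with version 0x00 and the 20-byte RIPEMD160(SHA256(K)) hash produces a "1..." address, and with 0x05 a "3..." P2SH address, matching the version prefix table.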
Public Key Formats
Public keys come in two formats: uncompressed and compressed. The uncompressed format uses the prefix 04 followed by two 256-bit numbers representing the x and y coordinates. Compressed public keys use either 02 or 03 as a prefix followed by only the x coordinate, as the y coordinate can be derived from the x coordinate using the elliptic curve equation.
The compressed format reduces transaction size and saves storage space on nodes maintaining the blockchain database. Most modern bitcoin clients now use compressed public keys by default.
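As an added example, not taken from the page, the elliptic curve multiplication K = k·G and the two public key serializations described above, worked in pure Python on the curve y² = x³ + 7 over Fₚ. The secp256k1 constants p, n and G are assumed from the SEC 2 standard; the sample private key is the one shown earlier on this page.

```python
# secp256k1 domain parameters (assumed from the SEC 2 standard the page names)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime p
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    # y^2 = x^3 + 7 over F_p; None stands for the point at infinity
    return pt is None or (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def point_add(a, b):
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # a + (-a) = point at infinity
    if a == b:                           # doubling: tangent slope
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                # addition: chord slope
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, pt=G):
    # K = k * G by double-and-add; a valid private key lies in [1, n-1]
    if not 1 <= k < N:
        raise ValueError("private key out of range")
    result = None
    while k:
        if k & 1:
            result = point_add(result, pt)
        pt, k = point_add(pt, pt), k >> 1
    return result

def serialize(pt, compressed=True):
    x, y = pt
    if compressed:  # prefix 02 for even y, 03 for odd y, then x only
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def decompress(data):
    # Recover y from x by a square root: exponent (p+1)/4 works because p = 3 (mod 4)
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("not a compressed public key")
    x = int.from_bytes(data[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)
    if y * y % P != (x ** 3 + 7) % P:
        raise ValueError("x is not on the curve")
    return x, (y if (y & 1) == (data[0] & 1) else P - y)
```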
Bitcoin Wallets
A wallet is a container for private keys, typically implemented as an ordered file or simple database. Wallets don't actually store bitcoin; rather, they store the keys that provide control over bitcoin stored on the blockchain.
Types of Wallets
There are several approaches to wallet design:
Non-deterministic (Random) Wallets
These early wallets contained randomly generated private keys. Also known as "Type-0" non-deterministic wallets or "Just a Bunch Of Keys" (JBOK) wallets, they are difficult to manage, back up, and import. Each key must be backed up separately, and the wallet must be backed up frequently with each new key.
Deterministic (Seed) Wallets
These wallets contain private keys generated from a common seed through a one-way hash function. The seed is a randomly generated number that can recreate the entire set of keys, making backup simple—only the seed needs to be secured. Deterministic wallets are easier to back up, restore, export, and import.
HD Wallets (BIP0032/BIP0044)
Hierarchical Deterministic wallets represent the most advanced form of deterministic wallets. They contain keys derived in a tree structure, where parent keys can generate sequences of child keys, which can then generate grandchild keys, and so on indefinitely.
HD wallets offer two major advantages over random keys:
- The tree structure can express additional organizational meaning
- Users can create public key sequences without accessing the corresponding private keys
Mnemonic Code Words
Mnemonic code words are sequences of words that encode the random number used as a seed for deterministic wallets. The word sequence is sufficient to recreate the seed and all derived keys. When first creating a wallet, compatible applications will show the user 12-24 words in sequence, which serve as a backup of the wallet.
The mnemonic code standard is defined in Bitcoin Improvement Proposal 39 (BIP0039), though it's important to note this is still a draft proposal rather than a formal standard.
HD Wallet Key Generation
HD wallets are created from a single root seed, which is a random number of 128-256 bits. All determinism in HD wallets derives from this root seed. Any compatible HD wallet can recreate the entire HD wallet from this root seed, making transfer simple.
The root seed is input into the HMAC-SHA512 algorithm to produce a hash that can create both a master private key (m) and a master chain code. The chain code introduces entropy into the function that creates child keys from parent keys.
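As an added example (not the page's own code), the HMAC-SHA512 step just described, producing the master private key m and the master chain code from a root seed, followed by one hardened child derivation to show the chain code feeding the next level of the tree. The HMAC key string "Bitcoin seed", the 0x00 || key || index message layout and the range checks are BIP32 details assumed here; the seed is constructed for the demonstration.

```python
import hashlib
import hmac

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
HARDENED = 0x80000000  # child indices at or above 2**31 are hardened

def master_key_from_seed(seed):
    # HMAC-SHA512 keyed with "Bitcoin seed" (BIP32): left 256 bits -> master key m,
    # right 256 bits -> master chain code
    if len(seed) < 16:
        raise ValueError("root seed must be at least 128 bits")
    digest = hmac.new(b"Bitcoin seed", seed, hashlib.sha512).digest()
    k = int.from_bytes(digest[:32], "big")
    if k == 0 or k >= N:
        raise ValueError("invalid master key; use a different seed")
    return k, digest[32:]

def hardened_child(k_par, c_par, index):
    # Hardened derivation: HMAC keyed with the parent chain code over 0x00 || k_par || index,
    # so the child cannot be derived from the parent public key alone
    if index < HARDENED:
        raise ValueError("hardened indices start at 2**31")
    data = b"\x00" + k_par.to_bytes(32, "big") + index.to_bytes(4, "big")
    digest = hmac.new(c_par, data, hashlib.sha512).digest()
    left = int.from_bytes(digest[:32], "big")
    k_child = (left + k_par) % N
    if left >= N or k_child == 0:
        raise ValueError("invalid child; skip to the next index")
    return k_child, digest[32:]
```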
Advanced Key and Address Types
Beyond basic keys and addresses, bitcoin supports several advanced formats that offer additional functionality and security.
Encrypted Private Keys (BIP0038)
BIP0038 proposes a common standard for encrypting private keys with a passphrase and encoding them with Base58Check. This allows private keys to be securely stored on backup media, safely transmitted between wallets, and protected against exposure.
The encryption standard uses AES, which is widely used in commercial and military applications. Encrypted keys begin with the prefix "6P" and require a passphrase to convert back to standard WIF format for use in any wallet.
P2SH (Pay-to-Script-Hash) and Multisignature Addresses
Addresses beginning with the number "3" are P2SH addresses, sometimes incorrectly called multisignature or multisig addresses. These addresses specify a script hash as the recipient of a bitcoin transaction rather than a public key owner.
Introduced in BIP0016, P2SH addresses provide increased functionality. While P2SH transactions are commonly used for multisignature addresses, they can represent other types of transaction scripts as well.
Multisignature addresses require multiple signatures to prove ownership and spend funds. An M-of-N multisignature address requires M signatures from a total of N keys. This enables various security configurations, from joint accounts where either party can spend (1-of-2) to corporate accounts requiring multiple approvals (2-of-3 or more).
Vanity Addresses
Vanity addresses contain human-readable messages within valid bitcoin addresses. For example, "1LoveBPzzD72PUXLzCkYAtGFYmK5vYNR33" contains the Base-58 letters "love."
Generating vanity addresses requires generating and testing billions of candidate private keys until one produces a bitcoin address with the desired pattern. While there are optimized algorithms for vanity generation, the process still involves significant computational effort, especially for longer patterns.
Vanity addresses can both enhance and diminish security. A unique address makes it harder for attackers to substitute their own address to deceive customers. However, vanity addresses also make it possible for anyone to create an address resembling a random address or another vanity address, potentially enabling fraud.
Paper Wallets
Paper wallets are bitcoin private keys printed on paper. They often include the corresponding bitcoin address for convenience, though this isn't strictly necessary since the address can be derived from the private key.
Paper wallets provide an effective backup mechanism or offline storage solution (cold storage). As backups, they protect against key loss from hard drive failures, theft, or accidental deletion. As cold storage, if generated offline and never stored on any computer system, they provide security against hacking attacks, keyloggers, and other online threats.
Paper wallets come in various designs with different security features. Some include encrypted private keys (BIP0038), requiring a passphrase known only to the owner. Others incorporate tamper-evident features, multiple copies for disaster recovery, or seasonal themes for gift purposes.
Frequently Asked Questions
What is the relationship between private keys, public keys, and bitcoin addresses?
Private keys are randomly generated numbers used to create public keys through elliptic curve multiplication. Bitcoin addresses are then derived from public keys using cryptographic hash functions (SHA256 and RIPEMD160). The process is one-way: you can generate addresses from keys but cannot derive keys from addresses.
Why are there different formats for private keys?
Different private key formats (Hex, WIF, WIF-compressed) serve different purposes. Hex format is the raw numerical representation. WIF format adds versioning and checksums for error detection when importing/exporting. WIF-compressed indicates that the private key should be used to generate compressed public keys.
What is the advantage of HD wallets?
HD (Hierarchical Deterministic) wallets allow all keys to be generated from a single seed. This makes backup, restoration, and transfer much easier since you only need to secure the seed rather than individual keys. HD wallets also support organizational structures and can generate public keys without exposing private keys.
Are paper wallets secure?
Paper wallets can be highly secure when properly generated and stored. The keys should be generated on an offline computer, printed without digital storage, and kept in a secure physical location. For additional security, use BIP0038 encryption to require a passphrase to access the funds.
What are multisignature addresses used for?
Multisignature addresses require multiple signatures to spend funds, enabling various security configurations. They're used for joint accounts, corporate funds requiring multiple approvals, escrow services, and enhancing security by distributing signing authority.
How do vanity addresses impact security?
Vanity addresses can both enhance and diminish security. They make address verification easier for users, reducing the risk of address substitution attacks. However, they also make it possible for attackers to generate similar-looking addresses for phishing attempts. Longer vanity patterns provide more security than shorter ones.