Public-Key Cryptography & secp256k1
Hash functions gave us a one-way fingerprint. Public-key crypto gives us a one-way identity: a pair of numbers where you can hand one to the whole world and keep the other secret forever, and no amount of staring at the public one reveals the secret. That asymmetry is what lets a stranger verify you authorized a spend without you ever showing them your key. This page is about where that asymmetry comes from — and the specific curve, secp256k1, that Bitcoin bets everything on.
The whole idea in one sentence
Section titled “The whole idea in one sentence”A private key is a secret number
d. A public key is a pointQ = d · Gon an elliptic curve. ComputingQfromdis fast; recoveringdfromQis — as far as anyone knows — computationally impossible.
That last clause is the entire foundation. It is not encryption (nothing is hidden and later recovered); it’s a trapdoor: easy one way, ruinously hard the other.
private key d ────── d · G (fast: ~256 doublings) ─────► public key Q ▲ │ └──────── recover d from Q ? (≈ 2¹²⁸ work — infeasible) ◄────┘What an elliptic curve actually is here
Section titled “What an elliptic curve actually is here”secp256k1 is the set of points (x, y) satisfying a single short equation, taken over a giant prime
field (arithmetic done mod p, so there are no decimals — just integers that wrap around):
y² = x³ + 7 (mod p)
p = 2²⁵⁶ − 2³² − 977 = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2FYou can “add” two points on the curve with a geometric rule (draw a line through them; it hits the
curve at a third point; reflect it). Add a point to itself and you get point doubling. Do that
over and over — G + G + … + G, d times — and you have scalar multiplication, written d · G.
A clever trick called double-and-add computes d · G in about 256 steps even when d is a
256-bit number, which is why signing is fast.
The reverse — “I see Q and the public generator G; which d gives d·G = Q?” — is the
Elliptic-Curve Discrete Logarithm Problem (ECDLP). There is no known shortcut; the best general
attack (Pollard’s rho) needs about √n ≈ 2¹²⁸ operations. That’s the trapdoor.
Compressed vs uncompressed public keys
Section titled “Compressed vs uncompressed public keys”A public key is a point — two 256-bit coordinates, (x, y). But the curve equation means that for any
valid x there are only two possible y values (one even, one odd), since y and −y are the
two square roots. So you don’t need to store y at all — just x plus one bit saying which root:
uncompressed : 04 ‖ x (32B) ‖ y (32B) = 65 bytes compressed : 02 or 03 ‖ x (32B) = 33 bytes └─ 02 = y is even, 03 = y is oddCompressed keys (33 bytes) are the modern default — they shrink every transaction that reveals a
public key. The receiver recomputes y from x using the curve equation. (This compressed/
uncompressed choice even changes the resulting address, because the address is a hash of these
exact bytes — see Addresses & Encoding.)
From public key to address (why your address isn’t your key)
Section titled “From public key to address (why your address isn’t your key)”You rarely hand out a raw public key; you hand out a hash of it. The classic pipeline:
pubkey ──SHA-256──► ──RIPEMD-160──► 20-byte "hash160" ──+version, Base58Check──► 1... addressThis is hashing (Part 1’s first primitive) reused for two jobs: it shortens the key to 20 bytes, and it adds a layer of protection — an attacker only sees the hash of your public key until you spend, buying a sliver of quantum-resistance margin. Ownership is proved later, at spend time, with a signature.
Under the hood — why “just try values” and “just solve it” both fail
Section titled “Under the hood — why “just try values” and “just solve it” both fail”Two instincts everyone has, and why each dies:
- Brute force the key. Covered above —
2²⁵⁶is a wall no hardware crosses. - Solve the discrete log algebraically. Over ordinary integers,
d = log(Q)/log(G)would be easy. But this group is finite and cyclic — the points cycle through allnvalues with no order, no “bigger/smaller,” nothing for an algorithm to climb. The structure that makes scalar multiplication well-defined is exactly the structure that erases every gradient an attacker could follow. That is the deep reason the trapdoor holds.
The thread
Section titled “The thread”How does this help untrusting strangers agree on one ledger? It lets the ledger name owners without a registry. There is no database mapping people to accounts that someone must maintain and be trusted to keep honest — an “account” is simply whoever can produce the private key behind a public point, and anyone can check that claim with arithmetic alone. Strangers don’t agree on who you are; they agree on math that only the key-holder can satisfy. Next we see how that satisfaction is demonstrated, in Digital Signatures (ECDSA & Schnorr).
The architect’s lens
Section titled “The architect’s lens”- Why does it exist? To give the ledger a one-way identity: a secret
dand a public pointQ = d·Gwhere computingQis fast (256 double-and-add steps) but recoveringdis the ECDLP (2¹²⁸work) — so you can publish one key and keep the other forever. - What problem does it solve? Ownership without a registry — an “account” is simply whoever can produce the key behind a public point, and any stranger checks that claim with arithmetic alone, no trusted database of who-owns-what.
- What are the trade-offs? Security rests entirely on the ECDLP holding and on
dcarrying genuine 256-bit entropy — the curve is bulletproof but human-chosen keys (brain wallets) get swept in seconds; and every node must hard-code the exact secp256k1 constants (p,G,n, cofactor1) bit-for-bit, or consensus splits. - When would you choose differently? secp256k1 was Satoshi’s bet for speed and being
non-NIST-generated; other goals point elsewhere — Ed25519 for stronger nothing-up-my-sleeve
guarantees, or a post-quantum scheme, since the ECDLP would fall to a large quantum computer (the
hash160address layer only buys a margin). - What breaks if I remove it? There’s no way to name owners or authorize spends —
signatures are built directly on
Q = d·G, so without the trapdoor anyone could derive anyone’s secret and the whole authorization model collapses.
Check your understanding
Section titled “Check your understanding”- State the trapdoor at the heart of public-key crypto in terms of
d,G, andQ. Which direction is fast, and which is infeasible? - The curve is
y² = x³ + 7 (mod p). Given only a validx, how manyyvalues are possible, and how does that fact let a public key compress from 65 bytes to 33? - Roughly how large is Bitcoin’s private-key space, and why does that make brute force pointless rather than merely “slow”?
- Brain wallets used an unbroken curve yet still got drained. What was the actual weakness, and what does that tell you about where Bitcoin’s key security really lives?
- Why do we hand out a hash of the public key (an address) instead of the public key itself?
Show answers
- A private key
dis a secret integer; the public key is the curve pointQ = d · G. ComputingQfromdis fast (~256 double-and-add steps); recoveringdfromQis the ECDLP, needing about2¹²⁸operations — infeasible. Fast forward, impossible backward. - Exactly two
yvalues (one even, one odd — the two square rootsyand−y). So you storexplus a single prefix byte (02even,03odd) and recomputeyfrom the curve equation, shrinking 65 bytes to 33. - About
1.16 × 10⁷⁷keys (the ordern, close to2²⁵⁶). That’s near the count of atoms in the observable universe — so guessing a specific funded key isn’t slow, it’s physically impossible within any timescale or energy budget. - The weakness was entropy: keys derived from memorable phrases have far fewer than 256 bits of
real randomness, so attackers precomputed and swept them. Security lives in the genuine randomness
behind
d, not in the curve. - Hashing shortens the key to 20 bytes and adds protection — only the hash of your public key is public until you spend, so the raw key (and any future attack surface against it) stays hidden longer.