Ownership and control over the private key is the root of user control over all funds associated with the corresponding bitcoin address. The private key is used to create signatures that are required to spend bitcoin by proving ownership of funds used in a transaction.

The private key must remain secret at all times, because revealing it to third parties is equivalent to giving them control over the bitcoin secured by that key. The bitcoin private key is just a number. You can pick your private keys randomly using just a coin, pencil, and paper: toss a coin 256 times and you have the binary digits of a random private key you can use in a bitcoin wallet.

The public key can then be generated from the private key. The first and most important step in generating keys is to find a secure source of entropy, or randomness. Usually, the OS random number generator is initialized by a human source of randomness, which is why you may be asked to wiggle your mouse around for a few seconds.

To create such a key, we randomly pick a 256-bit number and check that it is less than n. In programming terms, this is usually achieved by feeding a larger string of random bits, collected from a cryptographically secure source of randomness, into the SHA256 hash algorithm, which will conveniently produce a 256-bit number.

If the result is less than n, we have a suitable private key. Otherwise, we simply try again with another random number. Study the documentation of the random number generator library you choose to make sure it is cryptographically secure. The following is a randomly generated private key k shown in hexadecimal format (256 bits shown as 64 hexadecimal digits, each 4 bits): It is approximately 10^77 in decimal. For comparison, the visible universe is estimated to contain 10^80 atoms.

To generate a new key with the Bitcoin Core client (see Chapter 3), use the getnewaddress command. For security reasons it displays the public key only, not the private key. To ask bitcoind to expose the private key, use the dumpprivkey command. The dumpprivkey command opens the wallet and extracts the private key that was generated by the getnewaddress command. It is not possible for bitcoind to know the private key from the public key unless they are both stored in the wallet.

The dumpprivkey command does not generate a private key from a public key, as this is impossible. The command simply reveals the private key that is already known to the wallet and which was generated by the getnewaddress command. You can also use the Bitcoin Explorer command-line tool (see Appendix F) to generate and display private keys with the commands seed, ec-new, and ec-to-wif:

The owner of the private key can easily create the public key and then share it with the world knowing that no one can reverse the function and calculate the private key from the public key. This mathematical trick becomes the basis for unforgeable and secure digital signatures that prove ownership of bitcoin funds. Elliptic curve cryptography is a type of asymmetric or public key cryptography based on the discrete logarithm problem as expressed by addition and multiplication on the points of an elliptic curve.

Figure is an example of an elliptic curve, similar to that used by bitcoin. Bitcoin uses a specific elliptic curve and set of mathematical constants, as defined in a standard called secp256k1, established by the National Institute of Standards and Technology (NIST). The secp256k1 curve is defined by the following function, which produces an elliptic curve: Because this curve is defined over a finite field of prime order instead of over the real numbers, it looks like a pattern of dots scattered in two dimensions, which makes it difficult to visualize.

However, the math is identical to that of an elliptic curve over real numbers. As an example, Figure shows the same elliptic curve over a much smaller finite field of prime order 17, showing a pattern of dots on a grid. The secp256k1 bitcoin elliptic curve can be thought of as a much more complex pattern of dots on an unfathomably large grid.

So, for example, the following is a point P with coordinates (x,y) that is a point on the secp256k1 curve: Example shows how you can check this yourself using Python: Geometrically, this third point P3 is calculated by drawing a line between P1 and P2. This line will intersect the elliptic curve in exactly one additional place. This tangent will intersect the curve in exactly one new point. You can use techniques from calculus to determine the slope of the tangent line.

These techniques curiously work, even though we are restricting our interest to points on the curve with two integer coordinates! In some cases i. This shows how the point at infinity plays the role of zero. Now that we have defined addition, we can define multiplication in the standard way that extends addition. Starting with a private key in the form of a randomly generated number k, we multiply it by a predetermined point on the curve called the generator point G to produce another point somewhere else on the curve, which is the corresponding public key K.

The generator point is specified as part of the secp256k1 standard and is always the same for all keys in bitcoin: Because the generator point is always the same for all bitcoin users, a private key k multiplied with G will always result in the same public key K. The relationship between k and K is fixed, but can only be calculated in one direction, from k to K. A private key can be converted into a public key, but a public key cannot be converted back into a private key because the math only works one way.

Implementing the elliptic curve multiplication, we take the private key k generated previously and multiply it with the generator point G to find the public key K: To visualize multiplication of a point with an integer, we will use the simpler elliptic curve over real numbers—remember, the math is the same.

Our goal is to find the multiple kG of the generator point G, which is the same as adding G to itself, k times in a row. In elliptic curves, adding a point to itself is the equivalent of drawing a tangent line on the point and finding where it intersects the curve again, then reflecting that point on the x-axis.

Figure shows the process for deriving G, 2G, 4G, as a geometric operation on the curve. Most bitcoin implementations use the OpenSSL cryptographic library to do the elliptic curve math. A bitcoin address is a string of digits and characters that can be shared with anyone who wants to send you money.
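The key-generation loop and the multiplication K = k * G described above, as an added example that is not code from the original text. It assumes the public secp256k1 constants (curve y^2 = x^3 + 7 over the prime field P); the function names are illustrative, and the double-and-add loop is not constant-time, so it is for study rather than for handling real keys.

```python
import hashlib
import secrets

# Public secp256k1 domain parameters: field prime P, group order N, generator G.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def generate_private_key():
    """Hash CSPRNG output with SHA256 and retry until the result is below N."""
    while True:
        seed = secrets.token_bytes(64)      # OS-backed CSPRNG, not random.random()
        k = int.from_bytes(hashlib.sha256(seed).digest(), "big")
        if 1 <= k < N:                      # zero is rejected too (added assumption)
            return k


def is_on_curve(point):
    """True if point satisfies y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if point is None:
        return True
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def point_add(a, b):
    """Add two curve points; None plays the role of zero."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                         # vertical line: result is infinity
    if a == b:
        slope = 3 * x1 * x1 * pow(2 * y1 % P, -1, P) % P      # tangent slope
    else:
        slope = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P     # chord slope
    x3 = (slope * slope - x1 - x2) % P
    y3 = (slope * (x1 - x3) - y1) % P       # reflect the third intersection
    return (x3, y3)


def scalar_mult(k, point):
    """Compute k * point by double-and-add instead of k - 1 additions."""
    result = None
    addend = point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def public_key(k):
    """Derive the public key point K = k * G for a valid private key k."""
    if not 1 <= k < N:
        raise ValueError("private key out of range")
    return scalar_mult(k, G)


if __name__ == "__main__":
    k = generate_private_key()              # throwaway key for the demonstration
    K = public_key(k)
    print("K.x =", format(K[0], "064x"))
    print("K.y =", format(K[1], "064x"))
    print("on curve:", is_on_curve(K))
```

Going from k to K takes about 256 doublings and additions; going from K back to k has no comparable shortcut, which is the one-way property the text relies on.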

Because paper checks do not need to specify an account, but rather use an abstract name as the recipient of funds, they are very flexible payment instruments. Bitcoin transactions use a similar abstraction, the bitcoin address, to make them very flexible.

The bitcoin address is derived from the public key through the use of one-way cryptographic hashing. Cryptographic hash functions are used extensively in bitcoin: in bitcoin addresses, in script addresses, and in the mining Proof-of-Work algorithm.

A bitcoin address is not the same as a public key. Bitcoin addresses are derived from a public key using a one-way function. Base58Check is also used in many other ways in bitcoin, whenever there is a need for a user to read and correctly transcribe a number, such as a bitcoin address, a private key, an encrypted key, or a script hash. In the next section we will examine the mechanics of Base58Check encoding and decoding and the resulting representations.

Figure illustrates the conversion of a public key into a bitcoin address. In order to represent long numbers in a compact way, using fewer symbols, many computer systems use mixed-alphanumeric representations with a base or radix higher than 10. For example, whereas the traditional decimal system uses the 10 numerals 0 through 9, the hexadecimal system uses 16, with the letters A through F as the six additional symbols. A number represented in hexadecimal format is shorter than the equivalent decimal representation.

Base64 is most commonly used to add binary attachments to email. Base58 is a text-based binary-encoding format developed for use in bitcoin and used in many other cryptocurrencies. It offers a balance between compact representation, readability, and error detection and prevention. Base58 is a subset of Base64, using upper- and lowercase letters and numbers, but omitting some characters that are frequently mistaken for one another and can appear identical when displayed in certain fonts.

Or, more simply, it is a set of lowercase and capital letters and numbers without the four (0, O, l, I) just mentioned. Example shows the full Base58 alphabet. To add extra security against typos or transcription errors, Base58Check is a Base58 encoding format, frequently used in bitcoin, which has a built-in error-checking code.

The checksum is an additional four bytes added to the end of the data that is being encoded. The checksum is derived from the hash of the encoded data and can therefore be used to detect and prevent transcription and typing errors. When presented with Base58Check code, the decoding software will calculate the checksum of the data and compare it to the checksum included in the code. If the two do not match, an error has been introduced and the Base58Check data is invalid.

This prevents a mistyped bitcoin address from being accepted by the wallet software as a valid destination, an error that would otherwise result in loss of funds. For example, in the case of a bitcoin address the prefix is zero (0x00 in hex), whereas the prefix used when encoding a private key is 0x80 in hex. A list of common version prefixes is shown in Table. From the resulting 32-byte hash (hash-of-a-hash), we take only the first four bytes.

These four bytes serve as the error-checking code, or checksum. The checksum is concatenated (appended) to the end. The result is composed of three items: a prefix, the data, and a checksum. This result is encoded using the Base58 alphabet described previously. Figure illustrates the Base58Check encoding process. In bitcoin, most of the data presented to the user is Base58Check-encoded to make it compact, easy to read, and easy to detect errors.

The version prefix in Base58Check encoding is used to create easily distinguishable formats, which when encoded in Base58 contain specific characters at the beginning of the Base58Check-encoded payload. These characters make it easy for humans to identify the type of data that is encoded and how to use it.

This is what differentiates, for example, a Base58Check-encoded bitcoin address that starts with a 1 from a Base58Check-encoded private key (WIF) that starts with a 5. Some example version prefixes and the resulting Base58 characters are shown in Table. Both private and public keys can be represented in a number of different formats. These representations all encode the same number, even though they look different. These formats are primarily used to make it easy for people to read and transcribe keys without introducing errors.

The private key can be represented in a number of different formats, all of which correspond to the same 256-bit number. Table shows three common formats used to represent private keys. Different formats are used in different circumstances. Hexadecimal and raw binary formats are used internally in software and rarely shown to users.

Table shows the private key generated in these three formats. All of these representations are different ways of showing the same number, the same private key. They look different, but any one format can easily be converted to any other format. You can use Bitcoin Explorer to decode the Base58Check format on the command line.

To encode into Base58Check (the opposite of the previous command), we use the base58check-encode command from Bitcoin Explorer (see Appendix F) and provide the hex private key, followed by the WIF version prefix. Public keys are also presented in different ways, usually as either compressed or uncompressed public keys.

As we saw previously, the public key is a point on the elliptic curve consisting of a pair of coordinates (x,y). It is usually presented with the prefix 04 followed by two 256-bit numbers: one for the x coordinate of the point, the other for the y coordinate. The prefix 04 is used to distinguish uncompressed public keys from compressed public keys that begin with a 02 or a 03. Compressed public keys were introduced to bitcoin to reduce the size of transactions and conserve disk space on nodes that store the bitcoin blockchain database.

That allows us to store only the x coordinate of the public key point, omitting the y coordinate and reducing the size of the key and the space required to store it by 256 bits. Whereas uncompressed public keys have a prefix of 04, compressed public keys start with either a 02 or a 03 prefix. Visually, this means that the resulting y coordinate can be above or below the x-axis. As you can see from the graph of the elliptic curve in Figure, the curve is symmetric, meaning it is reflected like a mirror by the x-axis.

So, while we can omit the y coordinate we have to store the sign of y (positive or negative); or in other words, we have to remember if it was above or below the x-axis because each of those options represents a different point and a different public key. Therefore, to distinguish between the two possible values of y, we store a compressed public key with the prefix 02 if the y is even, and 03 if it is odd, allowing the software to correctly deduce the y coordinate from the x coordinate and uncompress the public key to the full coordinates of the point.

Public key compression is illustrated in Figure. This compressed public key corresponds to the same private key, meaning it is generated from the same private key. However, it looks different from the uncompressed public key. This can be confusing, because it means that a single private key can produce a public key expressed in two different formats (compressed and uncompressed) that produce two different bitcoin addresses. However, the private key is identical for both bitcoin addresses.
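The 02/03 prefix rule described above, as an added example that is not code from the original text: it serializes a point in both formats and recovers y from x on decompression, rejecting x values that belong to no curve point. It assumes the public secp256k1 field prime and generator; the function names are illustrative.

```python
# Public secp256k1 constants: field prime P and generator point G.
P = 2**256 - 2**32 - 977
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def serialize_uncompressed(point):
    """65 bytes: prefix 04, then x and y as 32-byte big-endian numbers."""
    x, y = point
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def compress(point):
    """33 bytes: prefix 02 if y is even, 03 if y is odd, then x."""
    x, y = point
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")


def decompress(data):
    """Recover (x, y) from a compressed key, validating it on the way."""
    if len(data) != 33 or data[0] not in (2, 3):
        raise ValueError("not a compressed public key")
    x = int.from_bytes(data[1:], "big")
    if x >= P:
        raise ValueError("x coordinate out of field range")
    rhs = (pow(x, 3, P) + 7) % P
    # P % 4 == 3, so a square root (when one exists) is rhs^((P+1)/4) mod P.
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("x is not the x coordinate of any curve point")
    if y % 2 != data[0] % 2:        # pick the root whose parity matches the prefix
        y = P - y
    return (x, y)


def parse_public_key(data):
    """Accept either format and return the validated point."""
    if len(data) == 33:
        return decompress(data)
    if len(data) == 65 and data[0] == 4:
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
        if x >= P or y >= P or (y * y - x * x * x - 7) % P != 0:
            raise ValueError("point is not on the curve")
        return (x, y)
    raise ValueError("unknown public key format")


if __name__ == "__main__":
    mirrored = (G[0], P - G[1])     # same x, opposite side of the x-axis
    print(serialize_uncompressed(G).hex())
    print(compress(G).hex())        # starts with 02: G has an even y
    print(compress(mirrored).hex()) # starts with 03: same x, odd y
    print(parse_public_key(compress(G)) == G)
```

Validating on parse matters: a 33-byte string with a valid prefix is not necessarily a public key, and an importer that skips the square-root check would accept points that are not on the curve.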

Compressed public keys are gradually becoming the default across bitcoin clients, which is having a significant impact on reducing the size of transactions and therefore the blockchain. However, not all clients support compressed public keys yet. Newer clients that support compressed public keys have to account for transactions from older clients that do not support compressed public keys.

This is especially important when a wallet application is importing private keys from another bitcoin wallet application, because the new wallet needs to scan the blockchain to find transactions corresponding to these imported keys. Which bitcoin addresses should the bitcoin wallet scan for? The bitcoin addresses produced by uncompressed public keys, or the bitcoin addresses produced by compressed public keys?

Both are valid bitcoin addresses, and can be signed for by the private key, but they are different addresses! To resolve this issue, when private keys are exported from a wallet, the WIF that is used to represent them is implemented differently in newer bitcoin wallets, to indicate that these private keys have been used to produce compressed public keys and therefore compressed bitcoin addresses.

This allows the importing wallet to distinguish between private keys originating from older or newer wallets and search the blockchain for transactions with bitcoin addresses corresponding to the uncompressed, or the compressed, public keys, respectively.

That is because the private key has an added one-byte suffix (shown as 01 in hex in Table), which signifies that the private key is from a newer wallet and should only be used to produce compressed public keys. Private keys are not themselves compressed and cannot be compressed. Notice that the hex-compressed private key format has one extra byte at the end (01 in hex). While the Base58 encoding version prefix is the same (0x80) for both WIF and WIF-compressed formats, the addition of one byte on the end of the number causes the first character of the Base58 encoding to change from a 5 to either a K or L.

Think of this as the Base58 equivalent of the decimal encoding difference between the number 100 and the number 99. While 100 is one digit longer than 99, it also has a prefix of 1 instead of a prefix of 9. As the length changes, it affects the prefix. In Base58, the prefix 5 changes to a K or L as the length of the number increases by one byte.

Remember, these formats are not used interchangeably. In a newer wallet that implements compressed public keys, the private keys will only ever be exported as WIF-compressed with a K or L prefix. If the wallet is an older implementation and does not use compressed public keys, the private keys will only ever be exported as WIF with a 5 prefix. The goal here is to signal to the wallet importing these private keys whether it must search the blockchain for compressed or uncompressed public keys and addresses.
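Base58Check as described earlier (version prefix, data, four-byte double-SHA256 checksum) together with the WIF and WIF-compressed export formats, as an added example that is not code from the original text. The function names and the sample key are constructed for illustration; the decoder rejects a string whose checksum does not match, which is the typo protection the text describes.

```python
import hashlib

# Base58 alphabet: digits and letters without 0, O, l and I.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Constructed sample private key (not a key from the original text, never fund it).
SAMPLE_KEY = int("0123456789abcdef" * 4, 16)


def checksum(data):
    """First four bytes of SHA256(SHA256(data))."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4]


def b58encode(data):
    num = int.from_bytes(data, "big")
    digits = ""
    while num:
        num, rem = divmod(num, 58)
        digits = ALPHABET[rem] + digits
    # Every leading zero byte is written as '1', which is why a
    # version 0x00 address starts with the character 1.
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58decode(text):
    num = 0
    for ch in text:
        index = ALPHABET.find(ch)
        if index < 0:
            raise ValueError("character %r is not in the Base58 alphabet" % ch)
        num = num * 58 + index
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + num.to_bytes((num.bit_length() + 7) // 8, "big")


def base58check_encode(version, payload):
    body = bytes([version]) + payload
    return b58encode(body + checksum(body))


def base58check_decode(text):
    """Return (version, payload); raise ValueError on a bad checksum."""
    raw = b58decode(text)
    if len(raw) < 5:
        raise ValueError("too short for a version byte and a checksum")
    body, check = raw[:-4], raw[-4:]
    if checksum(body) != check:
        raise ValueError("checksum mismatch: mistyped or corrupted data")
    return body[0], body[1:]


def to_wif(key, compressed):
    """Version 0x80; a trailing 01 byte marks 'derive compressed public keys'."""
    payload = key.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    return base58check_encode(0x80, payload)


def from_wif(wif):
    """Return (key, compressed) so an importer knows which addresses to scan for."""
    version, payload = base58check_decode(wif)
    if version != 0x80:
        raise ValueError("not a private key (version 0x%02x)" % version)
    if len(payload) == 33 and payload[-1] == 1:
        return int.from_bytes(payload[:32], "big"), True
    if len(payload) == 32:
        return int.from_bytes(payload, "big"), False
    raise ValueError("unexpected WIF payload length")


if __name__ == "__main__":
    print(to_wif(SAMPLE_KEY, False))   # 51 characters, starts with 5
    print(to_wif(SAMPLE_KEY, True))    # 52 characters, starts with K or L
    address = base58check_encode(0x00, bytes(20))
    print(address)                     # starts with 1
    try:
        base58check_decode(address[:-1] + "3")   # one mistyped character
    except ValueError as err:
        print("rejected:", err)
```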

If a bitcoin wallet is able to implement compressed public keys, it will use those in all transactions. The private keys in the wallet will be used to derive the public key points on the curve, which will be compressed. The compressed public keys will be used to produce bitcoin addresses and those will be used in transactions. When exporting private keys from a new wallet that implements compressed public keys, the WIF is modified, with the addition of a one-byte suffix 01 to the private key.

They are not compressed; rather, WIF-compressed signifies that the keys should only be used to derive compressed public keys and their corresponding bitcoin addresses. The code uses a predefined private key to produce the same bitcoin address every time it is run, as shown in Example. If you used the uncompressed public key instead, it would produce a different bitcoin address (14K1y…).

The most comprehensive bitcoin library in Python is pybitcointools by Vitalik Buterin. Example shows the output from running this code. Example is another example, using the Python ECDSA library for the elliptic curve math and without using any specialized bitcoin libraries.

Example shows the output produced by running this script. Example uses os. Caution: Depending on the OS, os. In the following sections we will look at advanced forms of keys and addresses, such as encrypted private keys, script and multisignature addresses, vanity addresses, and paper wallets. Private keys must remain secret. The need for confidentiality of the private keys is a truism that is quite difficult to achieve in practice, because it conflicts with the equally important security objective of availability.

Keeping the private key private is much harder when you need to store backups of the private key to avoid losing it. A private key stored in a wallet that is encrypted by a password might be secure, but that wallet needs to be backed up. At times, users need to move keys from one wallet to another—to upgrade or replace the wallet software, for example.

But what if the backup itself is stolen or lost? These conflicting security goals led to the introduction of a portable and convenient standard for encrypting private keys in a way that can be understood by many different wallets and bitcoin clients, standardized by BIP (see Appendix C). Usually, this is a set of randomly generated numbers and symbols, the number of which varies, which makes it difficult to hack.

A public key (aka a public address) is your unique Bitcoin address, which is used for blockchain transactions. Every participant of the network can see it. It usually consists of symbols — random numbers and letters — and is generated on the basis of your private key. It identifies the sender and receiver of money.

The combination of public and private keys works to safely store cryptocurrency. The public key is the address of your wallet and the private key works as a password. The public key is tied to a single private key (or a set of private keys in the case of multisig) and vice versa. The private key has two main functions for your Bitcoin wallet. It is the main element that gives you ownership and control over your wallet and funds. A private key grants access to funds.

Whoever owns the key has access to the money in question and full control over it. A Bitcoin private key cannot be restored or retrieved again if it is lost; with it will go access to your funds. The second function of the private key is as a digital signature for transactions. When you make a transaction, the network checks if your public key corresponds to your private key. As soon as the necessary number of approvals is received, the money will be made available to the payee.

If you use a web, desktop or mobile wallet the private key is generated automatically. The only thing you need to do is find a way to store it. One of the safest ways to store your private keys is offline on cold storage: On a piece of paper or metal — this method is familiar to people with paper wallets, however anyone can store their key this way by copying it on a piece of paper. This method is not really secure enough as you can simply lose it, paper can wear, etc.

For better protection, you can laminate it or make a copy on a metal plate. You need to use a new flash drive without viruses and perform transactions offline. You can keep your keys there as a text document or a file in wallet. Should you do this, your files should be password protected. Hardware wallet — it is a special offline wallet for storing Bitcoin and other cryptocurrencies. It keeps your private keys offline on a special Flash-Drive look-alike device. Any time you want to make an operation with your coins you have to connect this device to your computer.

Today, a hardware wallet is the safest way to store Bitcoin and other cryptocurrency assets. What makes it so safe? Firstly, the device comes with preinstalled software and works like a USB device, which creates a new layer of security.

Secondly, the capabilities of the hardware wallet are much richer, and multi-signature is quite an essential feature. Most wallets have a special recovery phrase. It is a set of random words that you should memorize or save to recover your Bitcoin wallet. Unfortunately, if you lose this phrase too you will lose your money forever.

Many users forget or lose their recovery seed phrase without a chance to get their money back. So here comes Freewallet. How is it possible? Freewallet uses a cold storage system to keep user money safe and protected from hackers. To make your experience convenient we combined cold storages with an online wallet, so you can access and manage your money using a mobile phone or desktop wherever and whenever you want.

When crypto appears on an online wallet it gets transferred to offline cold storage and vice-versa.

The command simply reveals the private key that is already known to the wallet and which was generated by the getnewaddress command. You can also use the Bitcoin Explorer command-line tool see Appendix F to generate and display private keys with the commands seed , ec-new , and ec-to-wif :. The owner of the private key can easily create the public key and then share it with the world knowing that no one can reverse the function and calculate the private key from the public key.

This mathematical trick becomes the basis for unforgeable and secure digital signatures that prove ownership of bitcoin funds. Elliptic curve cryptography is a type of asymmetric or public key cryptography based on the discrete logarithm problem as expressed by addition and multiplication on the points of an elliptic curve. Figure is an example of an elliptic curve, similar to that used by bitcoin.

Bitcoin uses a specific elliptic curve and set of mathematical constants, as defined in a standard called secpk1 , established by the National Institute of Standards and Technology NIST. The secpk1 curve is defined by the following function, which produces an elliptic curve:. Because this curve is defined over a finite field of prime order instead of over the real numbers, it looks like a pattern of dots scattered in two dimensions, which makes it difficult to visualize.

However, the math is identical to that of an elliptic curve over real numbers. As an example, Figure shows the same elliptic curve over a much smaller finite field of prime order 17, showing a pattern of dots on a grid. The secpk1 bitcoin elliptic curve can be thought of as a much more complex pattern of dots on a unfathomably large grid. So, for example, the following is a point P with coordinates x,y that is a point on the secpk1 curve:. Example shows how you can check this yourself using Python:.

Geometrically, this third point P 3 is calculated by drawing a line between P 1 and P 2. This line will intersect the elliptic curve in exactly one additional place. This tangent will intersect the curve in exactly one new point. You can use techniques from calculus to determine the slope of the tangent line. These techniques curiously work, even though we are restricting our interest to points on the curve with two integer coordinates! In some cases i.

This shows how the point at infinity plays the role of zero. Now that we have defined addition, we can define multiplication in the standard way that extends addition. Starting with a private key in the form of a randomly generated number k , we multiply it by a predetermined point on the curve called the generator point G to produce another point somewhere else on the curve, which is the corresponding public key K.

The generator point is specified as part of the secpk1 standard and is always the same for all keys in bitcoin:. Because the generator point is always the same for all bitcoin users, a private key k multiplied with G will always result in the same public key K. The relationship between k and K is fixed, but can only be calculated in one direction, from k to K. A private key can be converted into a public key, but a public key cannot be converted back into a private key because the math only works one way.

Implementing the elliptic curve multiplication, we take the private key k generated previously and multiply it with the generator point G to find the public key K :. To visualize multiplication of a point with an integer, we will use the simpler elliptic curve over real numbers—remember, the math is the same. Our goal is to find the multiple kG of the generator point G , which is the same as adding G to itself, k times in a row.

In elliptic curves, adding a point to itself is the equivalent of drawing a tangent line on the point and finding where it intersects the curve again, then reflecting that point on the x-axis. Figure shows the process for deriving G , 2G , 4G , as a geometric operation on the curve. Most bitcoin implementations use the OpenSSL cryptographic library to do the elliptic curve math. A bitcoin address is a string of digits and characters that can be shared with anyone who wants to send you money.

Because paper checks do not need to specify an account, but rather use an abstract name as the recipient of funds, they are very flexible payment instruments. Bitcoin transactions use a similar abstraction, the bitcoin address, to make them very flexible.

The bitcoin address is derived from the public key through the use of one-way cryptographic hashing. Cryptographic hash functions are used extensively in bitcoin: in bitcoin addresses, in script addresses, and in the mining Proof-of-Work algorithm. A bitcoin address is not the same as a public key. Bitcoin addresses are derived from a public key using a one-way function.

Base58Check is also used in many other ways in bitcoin, whenever there is a need for a user to read and correctly transcribe a number, such as a bitcoin address, a private key, an encrypted key, or a script hash. In the next section we will examine the mechanics of Base58Check encoding and decoding and the resulting representations. Figure illustrates the conversion of a public key into a bitcoin address. In order to represent long numbers in a compact way, using fewer symbols, many computer systems use mixed-alphanumeric representations with a base or radix higher than For example, whereas the traditional decimal system uses the 10 numerals 0 through 9, the hexadecimal system uses 16, with the letters A through F as the six additional symbols.

A number represented in hexadecimal format is shorter than the equivalent decimal representation. Base64 is most commonly used to add binary attachments to email. Base58 is a text-based binary-encoding format developed for use in bitcoin and used in many other cryptocurrencies. It offers a balance between compact representation, readability, and error detection and prevention. Base58 is a subset of Base64, using upper- and lowercase letters and numbers, but omitting some characters that are frequently mistaken for one another and can appear identical when displayed in certain fonts.

Or, more simply, it is a set of lowercase and capital letters and numbers without the four 0, O, l, I just mentioned. Example shows the full Base58 alphabet. To add extra security against typos or transcription errors, Base58Check is a Base58 encoding format, frequently used in bitcoin, which has a built-in error-checking code. The checksum is an additional four bytes added to the end of the data that is being encoded.

The checksum is derived from the hash of the encoded data and can therefore be used to detect and prevent transcription and typing errors. When presented with Base58Check code, the decoding software will calculate the checksum of the data and compare it to the checksum included in the code. If the two do not match, an error has been introduced and the Base58Check data is invalid. This prevents a mistyped bitcoin address from being accepted by the wallet software as a valid destination, an error that would otherwise result in loss of funds.

For example, in the case of a bitcoin address the prefix is zero 0x00 in hex , whereas the prefix used when encoding a private key is 0x80 in hex. A list of common version prefixes is shown in Table From the resulting byte hash hash-of-a-hash , we take only the first four bytes.

These four bytes serve as the error-checking code, or checksum. The checksum is concatenated appended to the end. The result is composed of three items: a prefix, the data, and a checksum. This result is encoded using the Base58 alphabet described previously.

Figure illustrates the Base58Check encoding process. In bitcoin, most of the data presented to the user is Base58Check-encoded to make it compact, easy to read, and easy to detect errors. The version prefix in Base58Check encoding is used to create easily distinguishable formats, which when encoded in Base58 contain specific characters at the beginning of the Base58Check-encoded payload.

These characters make it easy for humans to identify the type of data that is encoded and how to use it. This is what differentiates, for example, a Base58Check-encoded bitcoin address that starts with a 1 from a Base58Check-encoded private key WIF that starts with a 5.

Some example version prefixes and the resulting Base58 characters are shown in Table Both private and public keys can be represented in a number of different formats. These representations all encode the same number, even though they look different. These formats are primarily used to make it easy for people to read and transcribe keys without introducing errors. The private key can be represented in a number of different formats, all of which correspond to the same bit number.

Table shows three common formats used to represent private keys. Different formats are used in different circumstances. Hexadecimal and raw binary formats are used internally in software and rarely shown to users. Table shows the private key generated in these three formats. All of these representations are different ways of showing the same number, the same private key. They look different, but any one format can easily be converted to any other format.

You can use Bitcoin Explorer to decode the Base58Check format on the command line. To encode into Base58Check (the opposite of the previous command), we use the base58check-encode command from Bitcoin Explorer (see Appendix F) and provide the hex private key, followed by the WIF version prefix. Public keys are also presented in different ways, usually as either compressed or uncompressed public keys. As we saw previously, the public key is a point on the elliptic curve consisting of a pair of coordinates (x, y).

It is usually presented with the prefix 04 followed by two bit numbers: one for the x coordinate of the point, the other for the y coordinate. The prefix 04 is used to distinguish uncompressed public keys from compressed public keys that begin with a 02 or a 03. Compressed public keys were introduced to bitcoin to reduce the size of transactions and conserve disk space on nodes that store the bitcoin blockchain database. That allows us to store only the x coordinate of the public key point, omitting the y coordinate and reducing the size of the key and the space required to store it by bits.

Whereas uncompressed public keys have a prefix of 04, compressed public keys start with either a 02 or a 03 prefix. Visually, this means that the resulting y coordinate can be above or below the x-axis. As you can see from the graph of the elliptic curve in Figure, the curve is symmetric, meaning it is reflected like a mirror by the x-axis.

So, while we can omit the y coordinate, we have to store the sign of y (positive or negative); in other words, we have to remember if it was above or below the x-axis, because each of those options represents a different point and a different public key. Therefore, to distinguish between the two possible values of y, we store a compressed public key with the prefix 02 if the y is even, and 03 if it is odd, allowing the software to correctly deduce the y coordinate from the x coordinate and uncompress the public key to the full coordinates of the point.
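The 02/03 rule above can be exercised directly. The following is an added example, not code from the original page: it compresses and uncompresses a point using the public secp256k1 constants (field prime and generator point G); the function names are hypothetical.

```python
# secp256k1 field prime and generator point G (public curve constants).
P = 2**256 - 2**32 - 977
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

def on_curve(x, y):
    # Curve equation: y^2 = x^3 + 7 (mod P)
    return (y * y - x * x * x - 7) % P == 0

def compress(x, y):
    if not on_curve(x, y):
        raise ValueError("point is not on secp256k1")
    # Prefix 02 when y is even, 03 when y is odd; only x is stored.
    return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")

def decompress(pub):
    if len(pub) == 65 and pub[0] == 4:          # uncompressed: 04 || x || y
        x = int.from_bytes(pub[1:33], "big")
        y = int.from_bytes(pub[33:], "big")
        if not on_curve(x, y):
            raise ValueError("point is not on secp256k1")
        return x, y
    if len(pub) != 33 or pub[0] not in (2, 3):
        raise ValueError("not a compressed or uncompressed public key")
    x = int.from_bytes(pub[1:], "big")
    if x >= P:
        raise ValueError("x coordinate out of range")
    y2 = (pow(x, 3, P) + 7) % P
    # P % 4 == 3, so a square root (if one exists) is y2^((P+1)/4) mod P.
    y = pow(y2, (P + 1) // 4, P)
    if y * y % P != y2:
        raise ValueError("no point on the curve has this x coordinate")
    # The two roots are y and P - y; exactly one matches the prefix parity.
    if (y & 1) != (pub[0] & 1):
        y = P - y
    return x, y

if __name__ == "__main__":
    c = compress(GX, GY)
    print(c.hex())                      # starts with 02 because GY is even
    print(decompress(c) == (GX, GY))
```

Rejecting an x coordinate with no square root matters when parsing keys from untrusted input: without the check, the function would return a point that is not on the curve.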

Public key compression is illustrated in Figure. This compressed public key corresponds to the same private key, meaning it is generated from the same private key. However, it looks different from the uncompressed public key. This can be confusing, because it means that a single private key can produce a public key expressed in two different formats (compressed and uncompressed) that produce two different bitcoin addresses.

However, the private key is identical for both bitcoin addresses. Compressed public keys are gradually becoming the default across bitcoin clients, which is having a significant impact on reducing the size of transactions and therefore the blockchain. However, not all clients support compressed public keys yet. Newer clients that support compressed public keys have to account for transactions from older clients that do not support compressed public keys.

This is especially important when a wallet application is importing private keys from another bitcoin wallet application, because the new wallet needs to scan the blockchain to find transactions corresponding to these imported keys. Which bitcoin addresses should the bitcoin wallet scan for? The bitcoin addresses produced by uncompressed public keys, or the bitcoin addresses produced by compressed public keys?

Both are valid bitcoin addresses, and can be signed for by the private key, but they are different addresses! To resolve this issue, when private keys are exported from a wallet, the WIF that is used to represent them is implemented differently in newer bitcoin wallets, to indicate that these private keys have been used to produce compressed public keys and therefore compressed bitcoin addresses.

This allows the importing wallet to distinguish between private keys originating from older or newer wallets and search the blockchain for transactions with bitcoin addresses corresponding to the uncompressed, or the compressed, public keys, respectively. That is because the private key has an added one-byte suffix (shown as 01 in hex in Table), which signifies that the private key is from a newer wallet and should only be used to produce compressed public keys.

Private keys are not themselves compressed and cannot be compressed. Notice that the hex-compressed private key format has one extra byte at the end (01 in hex). While the Base58 encoding version prefix is the same (0x80) for both WIF and WIF-compressed formats, the addition of one byte on the end of the number causes the first character of the Base58 encoding to change from a 5 to either a K or L.

Think of this as the Base58 equivalent of the decimal encoding difference between the number 100 and the number 99. While 100 is one digit longer than 99, it also has a prefix of 1 instead of a prefix of 9. As the length changes, it affects the prefix.

In Base58, the prefix 5 changes to a K or L as the length of the number increases by one byte. Remember, these formats are not used interchangeably. In a newer wallet that implements compressed public keys, the private keys will only ever be exported as WIF-compressed with a K or L prefix. If the wallet is an older implementation and does not use compressed public keys, the private keys will only ever be exported as WIF with a 5 prefix. The goal here is to signal to the wallet importing these private keys whether it must search the blockchain for compressed or uncompressed public keys and addresses.
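The checksum check and the 5 versus K/L signal described above, as an added example that is not code from the original page. It implements Base58Check with the 0x80 private key prefix and the optional 01 suffix; the function names are hypothetical and the sample key is constructed.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def checksum(payload):
    # First four bytes of the double SHA-256 (hash-of-a-hash) of prefix + data.
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def b58check_encode(version, data):
    raw = version + data
    raw += checksum(raw)
    n, out = int.from_bytes(raw, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is written as the character '1'.
    return "1" * (len(raw) - len(raw.lstrip(b"\x00"))) + out

def b58check_decode(text):
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)  # ValueError on a non-Base58 character
    pad = len(text) - len(text.lstrip("1"))
    raw = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    if len(raw) < 5 or checksum(raw[:-4]) != raw[-4:]:
        raise ValueError("Base58Check checksum mismatch")
    return raw[:1], raw[1:-4]

def to_wif(key, compressed):
    # Same 0x80 prefix either way; the 01 suffix marks "compressed public key".
    return b58check_encode(b"\x80", key + (b"\x01" if compressed else b""))

def from_wif(wif):
    version, data = b58check_decode(wif)
    if version != b"\x80":
        raise ValueError("not a private key prefix")
    if len(data) == 33 and data[-1:] == b"\x01":
        return data[:32], True    # importer scans compressed addresses
    if len(data) == 32:
        return data, False        # importer scans uncompressed addresses
    raise ValueError("unexpected private key length")

if __name__ == "__main__":
    key = bytes(range(1, 33))     # constructed sample key, never use for funds
    for flag in (False, True):
        wif = to_wif(key, flag)
        print(wif[0], len(wif), from_wif(wif) == (key, flag))
```

A single mistyped character makes `from_wif` raise instead of returning a different key, which is the error detection the checksum exists to provide.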

If a bitcoin wallet is able to implement compressed public keys, it will use those in all transactions. The private keys in the wallet will be used to derive the public key points on the curve, which will be compressed. The compressed public keys will be used to produce bitcoin addresses and those will be used in transactions. When exporting private keys from a new wallet that implements compressed public keys, the WIF is modified, with the addition of a one-byte suffix 01 to the private key.

They are not compressed; rather, WIF-compressed signifies that the keys should only be used to derive compressed public keys and their corresponding bitcoin addresses. The code uses a predefined private key to produce the same bitcoin address every time it is run, as shown in Example. If you used the uncompressed public key instead, it would produce a different bitcoin address (14K1y…).

The most comprehensive bitcoin library in Python is pybitcointools by Vitalik Buterin. Example shows the output from running this code. Example is another example, using the Python ECDSA library for the elliptic curve math and without using any specialized bitcoin libraries.

Example shows the output produced by running this script. Example uses os. Caution: Depending on the OS, os. In the following sections we will look at advanced forms of keys and addresses, such as encrypted private keys, script and multisignature addresses, vanity addresses, and paper wallets. Private keys must remain secret.

The need for confidentiality of the private keys is a truism that is quite difficult to achieve in practice, because it conflicts with the equally important security objective of availability. Keeping the private key private is much harder when you need to store backups of the private key to avoid losing it.

A private key stored in a wallet that is encrypted by a password might be secure, but that wallet needs to be backed up. At times, users need to move keys from one wallet to another—to upgrade or replace the wallet software, for example. But what if the backup itself is stolen or lost? These conflicting security goals led to the introduction of a portable and convenient standard for encrypting private keys in a way that can be understood by many different wallets and bitcoin clients, standardized by BIP (see Appendix C).

BIP proposes a common standard for encrypting private keys with a passphrase and encoding them with Base58Check so that they can be stored securely on backup media, transported securely between wallets, or kept in any other conditions where the key might be exposed. The standard for encryption uses the Advanced Encryption Standard (AES), a standard established by the NIST and used broadly in data encryption implementations for commercial and military applications.

The result of the BIP encryption scheme is a Base58Check-encoded encrypted private key that begins with the prefix 6P. If you see a key that starts with 6P, it is encrypted and requires a passphrase in order to convert (decrypt) it back into a WIF-formatted private key (prefix 5) that can be used in any wallet.

Many wallet applications now recognize BIP-encrypted private keys and will prompt the user for a passphrase to decrypt and import the key. Third-party applications, such as the incredibly useful browser-based Bit Address (Wallet Details tab), can be used to decrypt BIP keys. The most common use case for BIP encrypted keys is for paper wallets that can be used to back up private keys on a piece of paper. Test the encrypted keys in Table using bitaddress.

They designate the beneficiary of a bitcoin transaction as the hash of a script, instead of the owner of a public key. The feature was introduced in January with BIP (see Appendix C), and is being widely adopted because it provides the opportunity to add functionality to the address itself.

The requirements are designated at the time the address is created, within the script, and all inputs to this address will be encumbered with the same requirements. Encoding a P2SH address involves using the same double-hash function as used during creation of a bitcoin address, only applied on the script instead of the public key:. P2SH is not necessarily the same as a multisignature standard transaction.

A P2SH address most often represents a multi-signature script, but it might also represent a script encoding other types of transactions. Currently, the most common implementation of the P2SH function is the multi-signature address script. As the name implies, the underlying script requires more than one signature to prove ownership and therefore spend funds. For example, Bob the coffee shop owner from Chapter 1 could use a multisignature address requiring 1-of-2 signatures from a key belonging to him and a key belonging to his spouse, ensuring either of them could sign to spend a transaction output locked to this address.

Or Gopesh, the web designer paid by Bob to create a website, might have a 2-of-3 multisignature address for his business that ensures that no funds can be spent unless at least two of the business partners sign a transaction. We will explore how to create transactions that spend funds from P2SH and multi-signature addresses in Chapter 6. Vanity addresses are valid bitcoin addresses that contain human-readable messages. Vanity addresses require generating and testing billions of candidate private keys, until a bitcoin address with the desired pattern is found.

Although there are some optimizations in the vanity generation algorithm, the process essentially involves picking a private key at random, deriving the public key, deriving the bitcoin address, and checking to see if it matches the desired vanity pattern, repeating billions of times until a match is found. Notice that the 8 digit checksum, when put together with the last 3 random digits, makes a nice 11 digit group like all the others (11 digits are needed to make a BIP39 word, discussed later).

A different random binary would produce a different checksum. Errors can lead to loss of bitcoin. One solution is to convert the binary into decimal. This makes it easier and shorter to write down. This is to inclusive in binary. Then the private key can be 24 groups of decimal numbers, each number 0 to Much easier to write, but still error prone.

The solution to this error risk problem was BIP39. This is a protocol that suggests we all use a list of protocol-defined words, and I suspect they were chosen in such a way that one word is unlikely to be misread as another word.

This list contains words, in alphabetical order. Go look at the list. Each is given a number from 0 to This way, each decimal number in the private key can be written down as a word. There is nothing special about a word that it should have a particular number. This is where seed words come from. When you enter a seed word phrase in a software wallet, it converts the words into 11 digit binaries, and then pastes them all together in order to produce a giant digit binary number, the private key. (The last word contains some checksum digits that are not random, remember?)

For a 12 word seed the private key is half as long, bits. It is unfortunate that the original source of BIP 39 words, which is stored in GitHub, is numbered from 1 to , instead of 0 to This is just the GitHub formatting, not an intentional design. This is wrong. The binary of 1 is , and this is not what we want. Because of this formatting, ALL words therefore are labelled 1 higher than the number they encode. We might produce a binary from coin tosses, and a computer can help us to get the last 8 digits shown in italics:

Then we look up the words in a table: Well, this list is from GitHub, so the words are labelled from 1 onwards. So every number is too high by 1. So we have to subtract 1 to find the word we want. So word , dumb, actually represents , the number we want. Notice how the words that start with a letter lower in the alphabet represent a smaller number, and the words higher in the alphabet represent a higher number.
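The grouping, the checksum digits and the off-by-one line numbering described above, as an added example that is not code from the original page. It works with word numbers only, since the word list is not reproduced here; the function names are hypothetical, the sample entropy is constructed, and it also accepts the intermediate seed lengths between 12 and 24 words that BIP39 defines.

```python
import hashlib

def entropy_to_indices(entropy):
    """Split entropy plus checksum bits into 11-bit word numbers (0-based)."""
    if len(entropy) not in (16, 20, 24, 28, 32):
        raise ValueError("entropy must be 128 to 256 bits in 32-bit steps")
    ent_bits = len(entropy) * 8
    cs_bits = ent_bits // 32            # 4 bits for 12 words, 8 for 24 words
    first = format(hashlib.sha256(entropy).digest()[0], "08b")
    bits = format(int.from_bytes(entropy, "big"), "0%db" % ent_bits)
    bits += first[:cs_bits]             # checksum = leading bits of SHA-256
    return [int(bits[i:i + 11], 2) for i in range(0, len(bits), 11)]

def indices_to_entropy(indices):
    """Inverse operation; rejects a phrase whose checksum bits do not match."""
    indices = list(indices)
    if len(indices) not in (12, 15, 18, 21, 24):
        raise ValueError("unsupported number of words")
    if any(not 0 <= i < 2048 for i in indices):
        raise ValueError("word number out of range")
    bits = "".join(format(i, "011b") for i in indices)
    ent_bits = len(bits) * 32 // 33
    entropy = int(bits[:ent_bits], 2).to_bytes(ent_bits // 8, "big")
    if entropy_to_indices(entropy) != indices:
        raise ValueError("checksum mismatch: a word was mistyped or misordered")
    return entropy

def github_line_number(index):
    # The list as displayed is numbered from 1, so each label is one too high.
    return index + 1

def index_from_github_line(line_number):
    return line_number - 1

if __name__ == "__main__":
    sample = bytes(32)                  # constructed all-zero entropy, demo only
    idx = entropy_to_indices(sample)
    print(len(idx), idx[-1], github_line_number(idx[-1]))
    print(indices_to_entropy(idx) == sample)
```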

This is obvious only after you appreciate how the words are ordered and why. Note how adding a passphrase completely changes the downstream extended private key. Modifying the derivation path also changes the downstream data.

The diagram shows that this Key produces many individual private keys (non-extended, just regular private keys), and each one produces a regular individual public key which produces a single address. Each individual private key cannot reveal the extended private key. It might be possible though, that an individual private key might reveal the next private key in the list, again, not sure.

Definitely though, each public key cannot reveal the individual private key, or any private key for that matter. That is important to know. This means legacy addresses will be created. Legacy addresses are also called P2PKH, pay to public key hash. These addresses are also called P2SH, Pay to script hash.