protocol/blockchain/cryptography/keys.md

# Bitcoin Keys

Bitcoin Cash transactions are secured through the use of key-pairs generated by all senders and receivers.
The key-pair is comprised of a **private key**, which is generated randomly and stored securely on a user's device, and a **public key**, which is calculated from the private key but can be sent to others without revealing the private key.
The private key can be used to generate [signatures](/protocol/blockchain/cryptography/signatures), which can then be verified using the public key.

## Private Key Generation

Bitcoin Cash uses [elliptic-curve cryptography (ECC)](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography); in particular, the secp256k1 curve with 32-byte (256-bit) private keys.

From [SEC 2, ver. 2.0](https://www.secg.org/sec2-v2.pdf), the curve parameters are as follows:

> The elliptic curve domain parameters over Fp associated with a Koblitz curve secp256k1 are
> specified by the sextuple `T = (p, a, b, G, n, h)` where the finite field `F<sub>p</sub>` is defined by:
> 
> p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F
>  = 2<sup>256</sup> − 2<sup>32</sup> − 2<sup>9</sup> − 2<sup>8</sup> − 2<sup>7</sup> − 2<sup>6</sup> − 2<sup>4</sup> − 1
> 
> The curve E: `y<sup>2</sup> = x<sup>3</sup> + ax + b` over `F<sub>p</sub>` is defined by:
> 
> a = 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 00000000
> 
> b = 00000000 00000000 00000000 00000000 00000000 00000000 00000000
> 00000007
> 
> The base point G in compressed form is:
> 
> G = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798
> 
> and in uncompressed form is:
> 
> G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9
> 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448
> A6855419 9C47D08F FB10D4B8
> 
> Finally the order n of G and the cofactor are:
> 
> n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141
> 
> h = 01

Private keys are then 256-bit values and can be chosen at [random](https://en.wikipedia.org/wiki/Cryptographically-secure_pseudorandom_number_generator) from the set `[1, n-1]`.

It is important that private keys are stored securely and never revealed to untrusted third-parties.
Anyone with access to a given private key would be able to control any funds secured with that key.

## Public Key Generation

Public keys are created by performing [scalar multiplication of the generator](https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication), G, with the private key.

This means that public keys are a point on the elliptic curve, represented as two 256-bit coordinates, `(x, y)`.
This means that a full public key is 512-bits (64 bytes) in length.
However, since elliptic curves are symmetrical across the x-axis, there are always two y-values that correspond to a given x-value, which can be calculated using the curve function, E.
These are also necessarily negations of each other mod p (i.e. y<sub>1</sub> = p - y<sub>2</sub>).
As a result, public keys are often **compressed** into 33 bytes, 32 bytes for the x-value and an additional bit (generally expanded to a full byte) indicating which y-value should be used.

When included in [scripts](/protocol/blockchain/script), public keys follow one of two formats:

### Uncompressed Public Key Format

| Field | Length | Format | Description |
|--|--|--|--|
| magic number | 1 byte | byte | Always `0x04`, indicating that this is an uncompressed public key. |
| x-value | 32 bytes | bytes | The zero-padded x-value of the public key. |
| y-value | 32 bytes | bytes | The zero-padded y-value of the public key. |

### Compressed Public Key Format

| Field | Length | Format | Description |
|--|--|--|--|
| magic number | 1 byte | byte | `0x02` if the (discarded) y-value was even, `0x03` if it was odd.  This bytes indicates both that this is a compressed public key and which y-value should be used.<br/><br/>NOTE: this works because the y-values are negations of each other (mod p), so it is always that case that one is even and the other odd. |
| x-value | 32 bytes | bytes | The zero-padded x-value of the public key. |
Public/private keys and ECDSA/Schnorr signatures. 2021-05-06 12:32:59 -04:00			`# Bitcoin Keys`

			`Bitcoin Cash transactions are secured through the use of key-pairs generated by all senders and receivers.`
			`The key-pair is comprised of a private key, which is generated randomly and stored securely on a user's device, and a public key, which is calculated from the private key but can be sent to others without revealing the private key.`
			`The private key can be used to generate [signatures](/protocol/blockchain/cryptography/signatures), which can then be verified using the public key.`

			`## Private Key Generation`

			`Bitcoin Cash uses [elliptic-curve cryptography (ECC)](https://en.wikipedia.org/wiki/Elliptic-curve_cryptography); in particular, the secp256k1 curve with 32-byte (256-bit) private keys.`

			`From [SEC 2, ver. 2.0](https://www.secg.org/sec2-v2.pdf), the curve parameters are as follows:`

			`> The elliptic curve domain parameters over Fp associated with a Koblitz curve secp256k1 are`
			> specified by the sextuple `T = (p, a, b, G, n, h)` where the finite field `F<sub>p</sub>` is defined by:
			`>`
			`> p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F`
			`> = 2<sup>256</sup> − 2<sup>32</sup> − 2<sup>9</sup> − 2<sup>8</sup> − 2<sup>7</sup> − 2<sup>6</sup> − 2<sup>4</sup> − 1`
			`>`
			> The curve E: `y<sup>2</sup> = x<sup>3</sup> + ax + b` over `F<sub>p</sub>` is defined by:
			`>`
			`> a = 00000000 00000000 00000000 00000000 00000000 00000000 00000000`
			`> 00000000`
			`>`
			`> b = 00000000 00000000 00000000 00000000 00000000 00000000 00000000`
			`> 00000007`
			`>`
			`> The base point G in compressed form is:`
			`>`
			`> G = 02 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9 59F2815B 16F81798`
			`>`
			`> and in uncompressed form is:`
			`>`
			`> G = 04 79BE667E F9DCBBAC 55A06295 CE870B07 029BFCDB 2DCE28D9`
			`> 59F2815B 16F81798 483ADA77 26A3C465 5DA4FBFC 0E1108A8 FD17B448`
			`> A6855419 9C47D08F FB10D4B8`
			`>`
			`> Finally the order n of G and the cofactor are:`
			`>`
			`> n = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE BAAEDCE6 AF48A03B BFD25E8C D0364141`
			`>`
			`> h = 01`

			Private keys are then 256-bit values and can be chosen at [random](https://en.wikipedia.org/wiki/Cryptographically-secure_pseudorandom_number_generator) from the set `[1, n-1]`.

			`It is important that private keys are stored securely and never revealed to untrusted third-parties.`
			`Anyone with access to a given private key would be able to control any funds secured with that key.`

			`## Public Key Generation`

			`Public keys are created by performing [scalar multiplication of the generator](https://en.wikipedia.org/wiki/Elliptic_curve_point_multiplication), G, with the private key.`

			This means that public keys are a point on the elliptic curve, represented as two 256-bit coordinates, `(x, y)`.
			`This means that a full public key is 512-bits (64 bytes) in length.`
			`However, since elliptic curves are symmetrical across the x-axis, there are always two y-values that correspond to a given x-value, which can be calculated using the curve function, E.`
			`These are also necessarily negations of each other mod p (i.e. y<sub>1</sub> = p - y<sub>2</sub>).`
			`As a result, public keys are often compressed into 33 bytes, 32 bytes for the x-value and an additional bit (generally expanded to a full byte) indicating which y-value should be used.`

			`When included in [scripts](/protocol/blockchain/script), public keys follow one of two formats:`

			`### Uncompressed Public Key Format`

			`\| Field \| Length \| Format \| Description \|`
			`\|--\|--\|--\|--\|`
			\| magic number \| 1 byte \| byte \| Always `0x04`, indicating that this is an uncompressed public key. \|
			`\| x-value \| 32 bytes \| bytes \| The zero-padded x-value of the public key. \|`
			`\| y-value \| 32 bytes \| bytes \| The zero-padded y-value of the public key. \|`

			`### Compressed Public Key Format`

			`\| Field \| Length \| Format \| Description \|`
			`\|--\|--\|--\|--\|`
			\| magic number \| 1 byte \| byte \| `0x02` if the (discarded) y-value was even, `0x03` if it was odd. This bytes indicates both that this is a compressed public key and which y-value should be used.<br/><br/>NOTE: this works because the y-values are negations of each other (mod p), so it is always that case that one is even and the other odd. \|
			`\| x-value \| 32 bytes \| bytes \| The zero-padded x-value of the public key. \|`