Mastering Bitcoin by
Chapter 4. Keys, Addresses, Wallets
Ownership of bitcoin is established through digital keys, bitcoin addresses, and digital signatures. The digital keys are not actually stored in the network, but are instead created and stored by users in a file, or simple database, called a wallet. The digital keys in a user’s wallet are completely independent of the bitcoin protocol and can be generated and managed by the user’s wallet software without reference to the blockchain or access to the Internet. Keys enable many of the interesting properties of bitcoin, including decentralized trust and control, ownership attestation, and the cryptographicproof security model.
Every bitcoin transaction requires a valid signature to be included in the blockchain, which can only be generated with valid digital keys; therefore, anyone with a copy of those keys has control of the bitcoin in that account. Keys come in pairs consisting of a private (secret) key and a public key. Think of the public key as similar to a bank account number and the private key as similar to the secret PIN, or signature on a check that provides control over the account. These digital keys are very rarely seen by the users of bitcoin. For the most part, they are stored inside the wallet file and managed by the bitcoin wallet software.
In the payment portion of a bitcoin transaction, the recipient’s public key is represented by its digital fingerprint, called abitcoin address, which is used in the same way as the beneficiary name on a check (i.e., “Pay to the order of”). In most cases, a bitcoin address is generated from and corresponds to a public key. However, not all bitcoin addresses represent public keys; they can also represent other beneficiaries such as scripts, as we will see later in this chapter. This way, bitcoin addresses abstract the recipient of funds, making transaction destinations flexible, similar to paper checks: a single payment instrument that can be used to pay into people’s accounts, pay into company accounts, pay for bills, or pay to cash. The bitcoin address is the only representation of the keys that users will routinely see, because this is the part they need to share with the world.
In this chapter we will introduce wallets, which contain cryptographic keys. We will look at how keys are generated, stored, and managed. We will review the various encoding formats used to represent private and public keys, addresses, and script addresses. Finally, we will look at special uses of keys: to sign messages, to prove ownership, and to create vanity addresses and paper wallets.
Public Key Cryptography and Cryptocurrency
Public key cryptography was invented in the 1970s and is a mathematical foundation for computer and information security.
Since the invention of public key cryptography, several suitable mathematical functions, such as prime number exponentiation and elliptic curve multiplication, have been discovered. These mathematical functions are practically irreversible, meaning that they are easy to calculate in one direction and infeasible to calculate in the opposite direction. Based on these mathematical functions, cryptography enables the creation of digital secrets and unforgeable digital signatures. Bitcoin uses elliptic curve multiplication as the basis for its public key cryptography.
In bitcoin, we use public key cryptography to create a key pair that controls access to bitcoins. The key pair consists of a private key and—derived from it—a unique public key. The public key is used to receive bitcoins, and the private key is used to sign transactions to spend those bitcoins.
There is a mathematical relationship between the public and the private key that allows the private key to be used to generate signatures on messages. This signature can be validated against the public key without revealing the private key.
When spending bitcoins, the current bitcoin owner presents her public key and a signature (different each time, but created from the same private key) in a transaction to spend those bitcoins. Through the presentation of the public key and signature, everyone in the bitcoin network can verify and accept the transaction as valid, confirming that the person transferring the bitcoins owned them at the time of the transfer.
Tip
In most wallet implementations, the private and public keys are stored together as a key pair for convenience. However, the public key can be calculated from the private key, so storing only the private key is also possible.
A bitcoin wallet contains a collection of key pairs, each consisting of a private key and a public key. The private key (k) is a number, usually picked at random. From the private key, we use elliptic curve multiplication, a oneway cryptographic function, to generate a public key (K). From the public key (K), we use a oneway cryptographic hash function to generate a bitcoin address (A). In this section, we will start with generating the private key, look at the elliptic curve math that is used to turn that into a public key, and finally, generate a bitcoin address from the public key. The relationship between private key, public key, and bitcoin address is shown in Figure 41.
A private key is simply a number, picked at random. Ownership and control over the private key is the root of user control over all funds associated with the corresponding bitcoin address. The private key is used to create signatures that are required to spend bitcoins by proving ownership of funds used in a transaction. The private key must remain secret at all times, because revealing it to third parties is equivalent to giving them control over the bitcoins secured by that key. The private key must also be backed up and protected from accidental loss, because if it’s lost it cannot be recovered and the funds secured by it are forever lost, too.
Tip
The bitcoin private key is just a number. You can pick your private keys randomly using just a coin, pencil, and paper: toss a coin 256 times and you have the binary digits of a random private key you can use in a bitcoin wallet. The public key can then be generated from the private key.
Generating a private key from a random number
The first and most important step in generating keys is to find a secure source of entropy, or randomness. Creating a bitcoin key is essentially the same as “Pick a number between 1 and 2^{256}.” The exact method you use to pick that number does not matter as long as it is not predictable or repeatable. Bitcoin software uses the underlying operating system’s random number generators to produce 256 bits of entropy (randomness). Usually, the OS random number generator is initialized by a human source of randomness, which is why you may be asked to wiggle your mouse around for a few seconds. For the truly paranoid, nothing beats dice, pencil, and paper.
More accurately, the private key can be any number between and , where n is a constant (n = 1.158 * 10^{77}, slightly less than 2^{256}) defined as the order of the elliptic curve used in bitcoin (see Elliptic Curve Cryptography Explained). To create such a key, we randomly pick a 256bit number and check that it is less than . In programming terms, this is usually achieved by feeding a larger string of random bits, collected from a cryptographically secure source of randomness, into the SHA256 hash algorithm that will conveniently produce a 256bit number. If the result is less than , we have a suitable private key. Otherwise, we simply try again with another random number.
Tip
Do not write your own code to create a random number or use a “simple” random number generator offered by your programming language. Use a cryptographically secure pseudorandom number generator (CSPRNG) with a seed from a source of sufficient entropy. Study the documentation of the random number generator library you choose to make sure it is cryptographically secure. Correct implementation of the CSPRNG is critical to the security of the keys.
The following is a randomly generated private key (k) shown in hexadecimal format (256 binary digits shown as 64 hexadecimal digits, each 4 bits):
1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDDTip
The size of bitcoin’s private key space, 2^{256} is an unfathomably large number. It is approximately 10^{77} in decimal. The visible universe is estimated to contain 10^{80} atoms.
To generate a new key with the Bitcoin Core client (see Chapter 3), use the command. For security reasons it displays the public key only, not the private key. To ask bitcoind to expose the private key, use the command. The command shows the private key in a Base58 checksumencoded format called the Wallet Import Format (WIF), which we will examine in more detail in Private key formats. Here’s an example of generating and displaying a private key using these two commands:
$ bitcoind getnewaddress 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy $ bitcoind dumpprivkey 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJThe command opens the wallet and extracts the private key that was generated by the command. It is not otherwise possible for bitcoind to know the private key from the public key, unless they are both stored in the wallet.
Tip
The command is not generating a private key from a public key, as this is impossible. The command simply reveals the private key that is already known to the wallet and which was generated by the getnewaddress command.
You can also use the commandline sx tools (see Libbitcoin and sx Tools) to generate and display private keys with the sx command :
$ sx newkey 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1JcnThe public key is calculated from the private key using elliptic curve multiplication, which is irreversible: where k is the private key, G is a constant point called the generator point and K is the resulting public key. The reverse operation, known as “finding the discrete logarithm”—calculating k if you know K—is as difficult as trying all possible values of , i.e., a bruteforce search. Before we demonstrate how to generate a public key from a private key, let’s look at elliptic curve cryptography in a bit more detail.
Elliptic Curve Cryptography Explained
Elliptic curve cryptography is a type of asymmetric or publickey cryptography based on the discrete logarithm problem as expressed by addition and multiplication on the points of an elliptic curve.
Figure 42 is an example of an elliptic curve, similar to that used by bitcoin.
Bitcoin uses a specific elliptic curve and set of mathematical constants, as defined in a standard called, established by the National Institute of Standards and Technology (NIST). The curve is defined by the following function, which produces an elliptic curve:
or
The mod p (modulo prime number p) indicates that this curve is over a finite field of prime order p, also written as , where p = 2^{256} – 2^{32} – 2^{9} – 2^{8} – 2^{7} – 2^{6} – 2^{4} – 1, a very large prime number.
Because this curve is defined over a finite field of prime order instead of over the real numbers, it looks like a pattern of dots scattered in two dimensions, which makes it difficult to visualize. However, the math is identical as that of an elliptic curve over the real numbers. As an example, Figure 43 shows the same elliptic curve over a much smaller finite field of prime order 17, showing a pattern of dots on a grid. The bitcoin elliptic curve can be thought of as a much more complex pattern of dots on a unfathomably large grid.
So, for example, the following is a point P with coordinates (x,y) that is a point on the curve. You can check this yourself using Python:
P = (55066263022277343669578718895168534326250603453777594175500187360389116729240, 32670510020758816978083085130507043184471273380659243275938904335757337482424)In elliptic curve math, there is a point called the “point at infinity,” which roughly corresponds to the role of 0 in addition. On computers, it’s sometimes represented by x = y = 0 (which doesn’t satisfy the elliptic curve equation, but it’s an easy separate case that can be checked).
There is also a + operator, called “addition,” which has some properties similar to the traditional addition of real numbers that grade school children learn. Given two points P_{1} and P_{2} on the elliptic curve, there is a third point P_{3} = P_{1} + P_{2}, also on the elliptic curve.
Geometrically, this third point P_{3} is calculated by drawing a line between P_{1} and P_{2}. This line will intersect the elliptic curve in exactly one additional place. Call this point P_{3}' = (x, y). Then reflect in the xaxis to get P_{3} = (x, –y).
There are a couple of special cases that explain the need for the “point at infinity.”
If P_{1} and P_{2} are the same point, the line “between” P_{1} and P_{2} should extend to be the tangent on the curve at this point P_{1}. This tangent will intersect the curve in exactly one new point. You can use techniques from calculus to determine the slope of the tangent line. These techniques curiously work, even though we are restricting our interest to points on the curve with two integer coordinates!
In some cases (i.e., if P_{1} and P_{2} have the same x values but different y values), the tangent line will be exactly vertical, in which case P3 = “point at infinity.”
If P_{1} is the “point at infinity,” then the sum P_{1} + P_{2} = P_{2}. Similary, if P_{2} is the point at infinity, then P_{1} + P_{2} = P_{1}. This shows how the point at infinity plays the role of 0.
It turns out that + is associative, which means that (A+B)(B+C). That means we can write A+B+C without parentheses without any ambiguity.
Now that we have defined addition, we can define multiplication in the standard way that extends addition. For a point P on the elliptic curve, if k is a whole number, then kP = P + P + P + … + P (k times). Note that k is sometimes confusingly called an “exponent” in this case.
Starting with a private key in the form of a randomly generated number k, we multiply it by a predetermined point on the curve called thegenerator pointG to produce another point somewhere else on the curve, which is the corresponding public key K. The generator point is specified as part of the standard and is always the same for all keys in bitcoin:
where k is the private key, G is the generator point, and K is the resulting public key, a point on the curve. Because the generator point is always the same for all bitcoin users, a private key k multiplied with G will always result in the same public key K. The relationship between k and K is fixed, but can only be calculated in one direction, from k to K. That’s why a bitcoin address (derived from K) can be shared with anyone and does not reveal the user’s private key (k).
Tip
A private key can be converted into a public key, but a public key cannot be converted back into a private key because the math only works one way.
Implementing the elliptic curve multiplication, we take the private key k generated previously and multiply it with the generator point G to find the public key K:
K = 1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD * GPublic Key K is defined as a point :
K = (x, y) where, x = F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A y = 07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDBTo visualize multiplication of a point with an integer, we will use the simpler elliptic curve over the real numbers—remember, the math is the same. Our goal is to find the multiple kG of the generator point G. That is the same as adding G to itself, k times in a row. In elliptic curves, adding a point to itself is the equivalent of drawing a tangent line on the point and finding where it intersects the curve again, then reflecting that point on the xaxis.
Figure 44 shows the process for deriving G, 2G, 4G, as a geometric operation on the curve.
Tip
Most bitcoin implementations use theOpenSSL cryptographic library to do the elliptic curve math. For example, to derive the public key, the function is used.
A bitcoin address is a string of digits and characters that can be shared with anyone who wants to send you money. Addresses produced from public keys consist of a string of numbers and letters, beginning with the digit “1”. Here’s an example of a bitcoin address:
1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZyThe bitcoin address is what appears most commonly in a transaction as the “recipient” of the funds. If we were to compare a bitcoin transaction to a paper check, the bitcoin address is the beneficiary, which is what we write on the line after “Pay to the order of.” On a paper check, that beneficiary can sometimes be the name of a bank account holder, but can also include corporations, institutions, or even cash. Because paper checks do not need to specify an account, but rather use an abstract name as the recipient of funds, that makes paper checks very flexible as payment instruments. Bitcoin transactions use a similar abstraction, the bitcoin address, to make them very flexible. A bitcoin address can represent the owner of a private/public key pair, or it can represent something else, such as a payment script, as we will see in PaytoScriptHash (P2SH). For now, let’s examine the simple case, a bitcoin address that represents, and is derived from, a public key.
The bitcoin address is derived from the public key through the use of oneway cryptographic hashing. A “hashing algorithm” or simply “hash algorithm” is a oneway function that produces a fingerprint or “hash” of an arbitrarysized input. Cryptographic hash functions are used extensively in bitcoin: in bitcoin addresses, in script addresses, and in the mining proofofwork algorithm. The algorithms used to make a bitcoin address from a public key are the Secure Hash Algorithm (SHA) and the RACE Integrity Primitives Evaluation Message Digest (RIPEMD), specifically SHA256 and RIPEMD160.
Starting with the public key K, we compute the SHA256 hash and then compute the RIPEMD160 hash of the result, producing a 160bit (20byte) number:
where K is the public key and A is the resulting bitcoin address.
Tip
A bitcoin address is not the same as a public key. Bitcoin addresses are derived from a public key using a oneway function.
Bitcoin addresses are almost always presented to users in an encoding called “Base58Check” (see Base58 and Base58Check Encoding), which uses 58 characters (a Base58 number system) and a checksum to help human readability, avoid ambiguity, and protect against errors in address transcription and entry. Base58Check is also used in many other ways in bitcoin, whenever there is a need for a user to read and correctly transcribe a number, such as a bitcoin address, a private key, an encrypted key, or a script hash. In the next section we will examine the mechanics of Base58Check encoding and decoding, and the resulting representations. Figure 45 illustrates the conversion of a public key into a bitcoin address.
Base58 and Base58Check Encoding
In order to represent long numbers in a compact way, using fewer symbols, many computer systems use mixedalphanumeric representations with a base (or radix) higher than 10. For example, whereas the traditional decimal system uses the 10 numerals 0 through 9, the hexadecimal system uses 16, with the letters A through F as the six additional symbols. A number represented in hexadecimal format is shorter than the equivalent decimal representation. Even more compact, Base64 representation uses 26 lowercase letters, 26 capital letters, 10 numerals, and two more characters such as “+” and “/” to transmit binary data over textbased media such as email. Base64 is most commonly used to add binary attachments to email. Base58 is a textbased binaryencoding format developed for use in bitcoin and used in many other cryptocurrencies. It offers a balance between compact representation, readability, and error detection and prevention. Base58 is a subset of Base64, using the upper and lowercase letters and numbers, but omitting some characters that are frequently mistaken for one another and can appear identical when displayed in certain fonts. Specifically, Base58 is Base64 without the 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols “\+” and “/”. Or, more simply, it is a set of lower and capital letters and numbers without the four (0, O, l, I) just mentioned.
To add extra security against typos or transcription errors, Base58Check is a Base58 encoding format, frequently used in bitcoin, which has a builtin errorchecking code. The checksum is an additional four bytes added to the end of the data that is being encoded. The checksum is derived from the hash of the encoded data and can therefore be used to detect and prevent transcription and typing errors. When presented with a Base58Check code, the decoding software will calculate the checksum of the data and compare it to the checksum included in the code. If the two do not match, that indicates that an error has been introduced and the Base58Check data is invalid. For example, this prevents a mistyped bitcoin address from being accepted by the wallet software as a valid destination, an error that would otherwise result in loss of funds.
To convert data (a number) into a Base58Check format, we first add a prefix to the data, called the “version byte,” which serves to easily identify the type of data that is encoded. For example, in the case of a bitcoin address the prefix is zero (0x00 in hex), whereas the prefix used when encoding a private key is 128 (0x80 in hex). A list of common version prefixes is shown in Table 41.
Next, we compute the “doubleSHA” checksum, meaning we apply the SHA256 hashalgorithm twice on the previous result (prefix and data):
checksum = SHA256(SHA256(prefix+data))From the resulting 32byte hash (hashofahash), we take only the first four bytes. These four bytes serve as the errorchecking code, or checksum. The checksum is concatenated (appended) to the end.
The result is composed of three items: a prefix, the data, and a checksum. This result is encoded using the Base58 alphabet described previously. Figure 46 illustrates the Base58Check encoding process.
In bitcoin, most of the data presented to the user is Base58Checkencoded to make it compact, easy to read, and easy to detect errors. The version prefix in Base58Check encoding is used to create easily distinguishable formats, which when encoded in Base58 contain specific characters at the beginning of the Base58Checkencoded payload. These characters make it easy for humans to identify the type of data that is encoded and how to use it. This is what differentiates, for example, a Base58Checkencoded bitcoin address that starts with a 1 from a Base58Checkencoded private key WIF format that starts with a 5. Some example version prefixes and the resulting Base58 characters are shown in Table 41.
Type  Version prefix (hex)  Base58 result prefix 
Bitcoin Address  0x00  1 
PaytoScriptHash Address  0x05  3 
Bitcoin Testnet Address  0x6F  m or n 
Private Key WIF  0x80  5, K or L 
BIP38 Encrypted Private Key  0x0142  6P 
BIP32 Extended Public Key  0x0488B21E  xpub 
Let’s look at the complete process of creating a bitcoin address, from a private key, to a public key (a point on the elliptic curve), to a doublehashed address and finally, the Base58Check encoding. The C++ code in Example 42 shows the complete stepbystep process, from private key to Base58Checkencoded bitcoin address. The code example uses the libbitcoin library introduced in Alternative Clients, Libraries, and Toolkits for some helper functions.
The code uses a predefined private key so that it produces the same bitcoin address every time it is run, as shown in Example 43.
Both private and public keys can be represented in a number of different formats. These representations all encode the same number, even though they look different. These formats are primarily used to make it easy for people to read and transcribe keys without introducing errors.
The private key can be represented in a number of different formats, all of which correspond to the same 256bit number. Table 42 shows three common formats used to represent private keys.
Type  Prefix  Description 
Hex  None  64 hexadecimal digits 
WIF  5  Base58Check encoding: Base58 with version prefix of 128 and 32bit checksum 
WIFcompressed  K or L  As above, with added suffix 0x01 before encoding 
Table 43 shows the private key generated in these three formats.
Format  Private Key 
Hex  1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD 
WIF  5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn 
WIFcompressed  KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ 
All of these representations are different ways of showing the same number, the same private key. They look different, but any one format can easily be converted to any other format.
Decode from Base58Check to hex
The sx tools package (See Libbitcoin and sx Tools) makes it easy to write shell scripts and commandline “pipes” that manipulate bitcoin keys, addresses, and transactions. You can use sx tools to decode the Base58Check format on the command line.
We use the command:
$ sx base58checkdecode 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd 128The result is the hexadecimal key, followed by the Wallet Import Format (WIF) version prefix 128.
Encode from hex to Base58Check
To encode into Base58Check (the opposite of the previous command), we provide the hex private key, followed by the Wallet Import Format (WIF) version prefix 128:
$ sx base58checkencode 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd 128 5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1JcnEncode from hex (compressed key) to Base58Check encoding
To encode into Base58Check as a “compressed” private key (see Compressed private keys), we add the suffix to the end of the hex key and then encode as above:
$ sx base58checkencode 1e99423a4ed27608a15a2616a2b0e9e52ced330ac530edcc32c8ffc6a526aedd01 128 KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJThe resulting WIFcompressed format starts with a “K”. This denotes that the private key within has a suffix of “01” and will be used to produce compressed public keys only (see Compressed public keys).
Public keys are also presented in different ways, most importantly as either compressed or uncompressed public keys.
As we saw previously, the public key is a point on the elliptic curve consisting of a pair of coordinates . It is usually presented with the prefix followed by two 256bit numbers, one for the x coordinate of the point, the other for the y coordinate. The prefix is used to distinguish uncompressed public keys from compressed public keys that begin with a or a .
Here’s the public key generated by the private key we created earlier, shown as the coordinates and :
x = F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A y = 07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDBHere’s the same public key shown as a 520bit number (130 hex digits) with the prefix followed by and then coordinates, as :
K = 04F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A<?pdfcr?>07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDBCompressed public keys were introduced to bitcoin to reduce the size of transactions and conserve disk space on nodes that store the bitcoin blockchain database. Most transactions include the public key, required to validate the owner’s credentials and spend the bitcoin. Each public key requires 520 bits (prefix \+ x \+ y), which when multiplied by several hundred transactions per block, or tens of thousands of transactions per day, adds a significant amount of data to the blockchain.
As we saw in the section Public Keys, a public key is a point (x,y) on an elliptic curve. Because the curve expresses a mathematical function, a point on the curve represents a solution to the equation and, therefore, if we know the x coordinate we can calculate the y coordinate by solving the equation y^{2} mod p = (x^{3} + 7) mod p. That allows us to store only the x coordinate of the public key point, omitting the y coordinate and reducing the size of the key and the space required to store it by 256 bits. An almost 50% reduction in size in every transaction adds up to a lot of data saved over time!
Whereas uncompressed public keys have a prefix of , compressed public keys start with either a or a prefix. Let’s look at why there are two possible prefixes: because the left side of the equation is y^{2}, that means the solution for y is a square root, which can have a positive or negative value. Visually, this means that the resulting y coordinate can be above the xaxis or below the xaxis. As you can see from the graph of the elliptic curve in Figure 42, the curve is symmetric, meaning it is reflected like a mirror by the xaxis. So, while we can omit the y coordinate we have to store the sign of y (positive or negative), or in other words, we have to remember if it was above or below the xaxis because each of those options represents a different point and a different public key. When calculating the elliptic curve in binary arithmetic on the finite field of prime order p, the y coordinate is either even or odd, which corresponds to the positive/negative sign as explained earlier. Therefore, to distinguish between the two possible values of y, we store a compressed public key with the prefix if the is even, and if it is odd, allowing the software to correctly deduce the y coordinate from the x coordinate and uncompress the public key to the full coordinates of the point. Public key compression is illustrated in Figure 47.
Here’s the same public key generated previously, shown as a compressed public key stored in 264 bits (66 hex digits) with the prefix indicating the y coordinate is odd:
K = 03F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341AThis compressed public key corresponds to the same private key, meaning that it is generated from the same private key. However, it looks different from the uncompressed public key. More importantly, if we convert this compressed public key to a bitcoin address using the doublehash function () it will produce a different bitcoin address. This can be confusing, because it means that a single private key can produce a public key expressed in two different formats (compressed and uncompressed) that produce two different bitcoin addresses. However, the private key is identical for both bitcoin addresses.
Compressed public keys are gradually becoming the default across bitcoin clients, which is having a significant impact on reducing the size of transactions and therefore the blockchain. However, not all clients support compressed public keys yet. Newer clients that support compressed public keys have to account for transactions from older clients that do not support compressed public keys. This is especially important when a wallet application is importing private keys from another bitcoin wallet application, because the new wallet needs to scan the blockchain to find transactions corresponding to these imported keys. Which bitcoin addresses should the bitcoin wallet scan for? The bitcoin addresses produced by uncompressed public keys, or the bitcoin addresses produced by compressed public keys? Both are valid bitcoin addresses, and can be signed for by the private key, but they are different addresses!
To resolve this issue, when private keys are exported from a wallet, the Wallet Import Format that is used to represent them is implemented differently in newer bitcoin wallets, to indicate that these private keys have been used to produce compressed public keys and therefore compressed bitcoin addresses. This allows the importing wallet to distinguish between private keys originating from older or newer wallets and search the blockchain for transactions with bitcoin addresses corresponding to the uncompressed, or the compressed, public keys, respectively. Let’s look at how this works in more detail, in the next section.
Ironically, the term “compressed private key” is misleading, because when a private key is exported as WIFcompressed it is actually one byte longer than an “uncompressed” private key. That is because it has the added 01 suffix, which signifies it comes from a newer wallet and should only be used to produce compressed public keys. Private keys are not compressed and cannot be compressed. The term “compressed private key” really means “private key from which compressed public keys should be derived,” whereas “uncompressed private key” really means “private key from which uncompressed public keys should be derived.” You should only refer to the export format as “WIFcompressed” or “WIF” and not refer to the private key as “compressed” to avoid further confusion.
Remember, these formats are not used interchangeably. In a newer wallet that implements compressed public keys, the private keys will only ever be exported as WIFcompressed (with a K or L prefix). If the wallet is an older implementation and does not use compressed public keys, the private keys will only ever be exported as WIF (with a 5 prefix). The goal here is to signal to the wallet importing these private keys whether it must search the blockchain for compressed or uncompressed public keys and addresses.
If a bitcoin wallet is able to implement compressed public keys, it will use those in all transactions. The private keys in the wallet will be used to derive the public key points on the curve, which will be compressed. The compressed public keys will be used to produce bitcoin addresses and those will be used in transactions. When exporting private keys from a new wallet that implements compressed public keys, the Wallet Import Format is modified, with the addition of a onebyte suffix to the private key. The resulting Base58Checkencoded private key is called a “Compressed WIF” and starts with the letter K or L, instead of starting with “5” as is the case with WIFencoded (noncompressed) keys from older wallets.
Table 44 shows the same key, encoded in WIF and WIFcompressed formats.
Format  Private Key 
Hex  1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD 
WIF  5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn 
Hexcompressed  1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD_01_ 
WIFcompressed  KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ 
Tip
“Compressed private keys” is a misnomer! They are not compressed; rather, the WIFcompressed format signifies that they should only be used to derive compressed public keys and their corresponding bitcoin addresses. Ironically, a “WIFcompressed” encoded private key is one byte longer because it has the added 01 suffix to distinguish it from an “uncompressed” one.
Implementing Keys and Addresses in Python
The most comprehensive bitcoin library in Python is pybitcointools by Vitalik Buterin. In Example 44, we use the pybitcointools library (imported as “bitcoin”) to generate and display keys and addresses in various formats.
Example 45 shows the output from running this code.
Example 46is another example, using the Python ECDSA library for the elliptic curve math and without using any specialized bitcoin libraries.
Example 47 shows the output produced by running this script.
Wallets are containers for private keys, usually implemented as structured files or simple databases. Another method for making keys isdeterministic key generation. Here you derive each new private key, using a oneway hash function from a previous private key, linking them in a sequence. As long as you can recreate that sequence, you only need the first key (known as a seed or master key) to generate them all. In this section we will examine the different methods of key generation and the wallet structures that are built around them.
Tip
Bitcoin wallets contain keys, not coins. Each user has a wallet containing keys. Wallets are really keychains containing pairs of private/public keys (see Private and Public Keys). Users sign transactions with the keys, thereby proving they own the transaction outputs (their coins). The coins are stored on the blockchain in the form of transactionouputs (often noted as vout or txout).
Nondeterministic (Random) Wallets
In the first bitcoin clients, wallets were simply collections of randomly generated private keys. This type of wallet is called a Type0 nondeterministic wallet. For example, the Bitcoin Core client pregenerates 100 random private keys when first started and generates more keys as needed, using each key only once. This type of wallet is nicknamed “Just a Bunch Of Keys,” or JBOK, and such wallets are being replaced with deterministic wallets because they are cumbersome to manage, back up, and import. The disadvantage of random keys is that if you generate many of them you must keep copies of all of them, meaning that the wallet must be backed up frequently. Each key must be backed up, or the funds it controls are irrevocably lost if the wallet becomes inaccessible. This conflicts directly with the principle of avoiding address reuse, by using each bitcoin address for only one transaction. Address reuse reduces privacy by associating multiple transactions and addresses with each other. A Type0 nondeterministic wallet is a poor choice of wallet, especially if you want to avoid address reuse because that means managing many keys, which creates the need for frequent backups. Although the Bitcoin Core client includes a Type0 wallet, using this wallet is discouraged by developers of Bitcoin Core. Figure 48 shows a nondeterministic wallet, containing a loose collection of random keys.
Deterministic (Seeded) Wallets
Deterministic, or “seeded” wallets are wallets that contain private keys that are all derived from a common seed, through the use of a oneway hash function. The seed is a randomly generated number that is combined with other data, such as an index number or “chain code” (see Hierarchical Deterministic Wallets (BIP0032/BIP0044)) to derive the private keys. In a deterministic wallet, the seed is sufficient to recover all the derived keys, and therefore a single backup at creation time is sufficient. The seed is also sufficient for a wallet export or import, allowing for easy migration of all the user’s keys between different wallet implementations.
Mnemonic codes are English word sequences that represent (encode) a random number used as a seed to derive a deterministic wallet. The sequence of words is sufficient to recreate the seed and from there recreate the wallet and all the derived keys. A wallet application that implements deterministic wallets with mnemonic code will show the user a sequence of 12 to 24 words when first creating a wallet. That sequence of words is the wallet backup and can be used to recover and recreate all the keys in the same or any compatible wallet application. Mnemonic code words make it easier for users to back up wallets because they are easy to read and correctly transcribe, as compared to a random sequence of numbers.
Mnemonic codes are defined in Bitcoin Improvement Proposal 39 (see [bip0039]), currently in Draft status. Note that BIP0039 is a draft proposal and not a standard. Specifically, there is a different standard, with a different set of words, used by the Electrum wallet and predating BIP0039. BIP0039 is used by the Trezor wallet and a few other wallets but is incompatible with Electrum’s implementation.
BIP0039 defines the creation of a mnemonic code and seed as a follows:
 Create a random sequence (entropy) of 128 to 256 bits.
 Create a checksum of the random sequence by taking the first few bits of its SHA256 hash.
 Add the checksum to the end of the random sequence.
 Divide the sequence into sections of 11 bits, using those to index a dictionary of 2048 predefined words.
 Produce 12 to 24 words representing the mnemonic code.
Table 45 shows the relationship between the size of entropy data and the length of mnemonic codes in words.
Entropy (bits)  Checksum (bits)  Entropy+checksum  Word length 
128  4  132  12 
160  5  165  15 
192  6  198  18 
224  7  231  21 
256  8  264  24 
The mnemonic code represents 128 to 256 bits, which are used to derive a longer (512bit) seed through the use of the keystretching function PBKDF2. The resulting seed is used to create a deterministic wallet and all of its derived keys.
Tables 46 and 47 show some examples of mnemonic codes and the seeds they produce.
Entropy input (128 bits)  0c1e24e5917779d297e14d45f14e1a1a 
Mnemonic (12 words)  army van defense carry jealous true garbage claim echo media make crunch 
Seed (512 bits)  3338a6d2ee71c7f28eb5b882159634cd46a898463e9d2d0980f8e80dfbba5b0fa0291e5fb88 8a599b44b93187be6ee3ab5fd3ead7dd646341b2cdb8d08d13bf7 
