
## How do you get a Bitcoin Public Key from a Private Key

How do I, in extreme specificity, convert a given private bitcoin key into a public bitcoin key (Talk to me like I’m 5 and I have to do this step by step or the evil witch will cook me alive in her oven). NOT where can I find a program that will do this, but if I were to do it myself, what would I do?

supposedly results in the public key:

Others have asked how to get private to public, I haven’t seen a really specific answer, just more general direction, but no answers explain all the variables. I understand this is rather complex and if a given individual thinks it’s too much work to answer, I totally respect that. Note: I do not care for the Bitcoin Address, just interested in Privatekey to Publickey and the specifics of how.

Variables such as the “a” and “b” in the ECDSA Curve Algorithm are already designated by Bitcoin (according to https://en.bitcoin.it/wiki/Secp256k1). The “base point” aka “G” is also specified on that page. The “private exponent” or “k”, I have yet to find. Some of these variables are supposedly “random”, which appears to be false as every generator that you can put a private key into seems to always spit out the same public key. So all the variables are either already preset or are derived from the private key.

Thanks for any help on this. I’ve been trying to research and understand this for days, but it seems sometimes I don’t understand the terms and/or notations, but I think I’ve gotten past that and now am just missing parts of the equation.

This is the previously stated private key in decimal:

This is the previously stated public key (x and y values) in decimal:

All I want to know is how to go from that private key to the public key. Supposedly it is a simple equation that doesn’t involve bit shifting or xor etc. It may include “point multiplication” (which I don’t see how you can multiply a point defined as having both an x and a y). No one seems to understand the intricacies of this. Do you guys suggest I actually offer some fraction of a bitcoin to whoever explains it clearly?

## 5 Answers

I’ll try answering this again in a different way, using small numbers to keep it readable.

convert the private key to binary representation, so decimal number 105, which is 0x69 in hex, becomes 01101001.

calculate this list of points, by repeatedly doubling the Generator point G:

write the bits of the private key next to this list like this:

now start adding only those points which have a 1 written next to them.

now you have calculated the public key for privatekey 105 by using only point doubling and point adding operations.

Then some more notes on your question:

- Some older texts used to refer to scalar point multiplication as exponentiation, that is why sometimes the private key is referred to as the private exponent.
- The parameters of the curve were chosen randomly once, meaning that the designers of the secp256k1 curve tried to unsuccessfully convey that there is no specific structure to this curve. Meaning that the NSA could or could not have put a mathematical backdoor in the curve parameters.
- when using this curve and generating your public key, -you- have to choose your private key randomly, in a way that it is impossible for anyone to guess it.

Here’s a self-contained Python script that does the conversion. You can check its work by comparing to entering your private key as the “Secret Exponent” at Brainwallet. I took the script from this Bitcointalk thread and stripped out unnecessary stuff (like the code to use the public key to sign a message and verify that signature).

Converting the Python to instructions for a human is left as an exercise to the reader (although I’d argue that in a scenario like this Python code, with appropriate documentation, is just fine as instructions to a human). Note that it’s entirely possible to compute this with pen and paper, but it could take a while, and you’re likely to make a mistake, due to having to deal with such enormous numbers.

Also note that there are no individual operations here that are much more complicated than you’d learn in primary/elementary school. There’s basic comparisons <, >, ==, arithmetic + - *, division where you care about the quotient /, remainder %, or both divmod, and bitwise AND (&, which is pretty easy if you work in hex, or can be replicated with arithmetic).

I don’t think a (non-genius) 5 year old could actually do it (sorry, the evil witch wins this round), but I think an average adult with enough patience could learn the math needed in nearly no time (with the Python script as a..well..script, to follow). Actually calculating even one public key without the aid of electronic computing devices could take a very long time, however (at a guess: years).

See also an even-more-stripped-down version written in C#.

I was hoping for an answer like this, and didn’t see it, so here’s mine:

An elliptic curve (“EC”) is a function in which the square of the y coordinate is equal to a third degree polynomial of the x coordinate.

1. An interesting property of elliptic curves is that any two points on an EC will define a line that also hits the curve at one more place. The “sum” of the first two points is defined as the mirror image (over the X axis) of that place, so after finding the intersection, just negate the Y coordinate, and you have the point that is the “sum” of the other two.
2. To add a point to itself, you use a line that is tangent to the EC. It, too, will intersect the curve somewhere. (You can see why this works if you imagine the two points you’re adding getting closer and closer together on the curve.)
3. You have to add the “generation point” (“G”) to itself a number of times equal to the number represented by the private key to find the point that gives you the public key.
4. If you do the algebra, you find that the equations for identifying the point on the curve that intersects with the line (either tangent to a point you’re doubling, or passing through two points you’re adding) are the ones implemented in the python script in another answer.**
5. To add the point G to itself [private-key] times, you can turn it into a binary number. You can double the point G using the tangent line and intersection as described above to get 2G (a new point), and then again for 4G, 8G, etc, all new points. So now each bit position in your (binary) private key is associated with a point.
6. Start with the least significant bit (LSB)’s associated point as your result. For each other bit (to the left of the LSB) in your private key that is 1 (skip the zeroes), calculate the “sum” point as described in step 1 using that bit’s associated point from step 5 and your current result. Repeat this until you’ve done all the bits in your private key. Addition is associative, so you can do them in any order you want.
7. Imagine that this curve is graphed in its infinite fullness on an infinitely large transparent plane. Now imagine that the plane is chopped up into squares so that each square is p units on a side, and then all the squares are stacked on top of each other. Thus, all the points with coordinates larger in magnitude than p are lying on top of a point for which both coordinates are less than p. That’s the modulo function at work. In all the math you do in the other 5 steps, when you get an answer that is larger than p, find the answer modulo p.
8. You end up with a result that is a point. I guess you concatenate the X and Y coordinates and that is your public key, but I’m not so sure about this last step.

This is how I understand ECC, and it may be inaccurate. I would very much appreciate any corrections or questions so that I can hone this description. Given the other answers here already, I thought this one might help a lot of people.

**It would be neat to see the algebra that shows how to get the tangent of the EC (for doublings) and also for the calculation of the point of intersection between a line defined by two other points and the curve itself.
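
The algebra asked for in the footnote above, worked through as an added derivation that is not part of the original answer. It uses the general curve $y^2 = x^3 + ax + b$ (secp256k1 has $a = 0$, $b = 7$); every operation is taken modulo $p$, so each division means multiplying by a modular inverse.

Slope of the line. For two distinct points $P_1 = (x_1, y_1)$ and $P_2 = (x_2, y_2)$ with $x_1 \neq x_2$, the chord has slope

$$\lambda = \frac{y_2 - y_1}{x_2 - x_1}.$$

For doubling, differentiate the curve equation implicitly, $2y\,\frac{dy}{dx} = 3x^2 + a$, so the tangent at $P_1$ has slope

$$\lambda = \frac{3x_1^2 + a}{2y_1}.$$

Third intersection. Substitute the line $y = \lambda(x - x_1) + y_1$ into the curve:

$$\bigl(\lambda(x - x_1) + y_1\bigr)^2 = x^3 + ax + b \;\Longrightarrow\; x^3 - \lambda^2 x^2 + (\dots)\,x + (\dots) = 0.$$

This cubic has the roots $x_1$, $x_2$ and the unknown $x_3$, and the sum of the roots of a monic cubic equals minus the coefficient of $x^2$, so $x_1 + x_2 + x_3 = \lambda^2$:

$$x_3 = \lambda^2 - x_1 - x_2.$$

The line gives the $y$ value at $x_3$, and the "sum" is its mirror image over the X axis:

$$y_3 = -\bigl(\lambda(x_3 - x_1) + y_1\bigr) = \lambda(x_1 - x_3) - y_1.$$

For doubling, set $x_2 = x_1$, which gives $x_3 = \lambda^2 - 2x_1$.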

I took Tim S’s answer and stripped out more stuff until it fitted on a single page for me:

Produces this output:

I can almost understand how it works now. 🙂

The description of point multiplication on Wikipedia was helpful in understanding where the l values are coming from. l stands for ‘lambda’.

The public key is a point (x, y) on the secp256k1 curve which can be computed by multiplying the base point G with the secret key sk. Here is a self-contained concise python function, which does this: