3
1
Reference: https://en.bitcoin.it/wiki/File:PubKeyToAddr.png and https://en.bitcoin.it/wiki/Secp256k1
Why do we need both X and Y to make a private key?
3
1
Reference: https://en.bitcoin.it/wiki/File:PubKeyToAddr.png and https://en.bitcoin.it/wiki/Secp256k1
Why do we need both X and Y to make a private key?
8
A private key is just a number modulo the order of the curve.
A public key is the (X,Y) coordinate pair corresponding to that number (the private key) multiplied by the base point (which is a property of the curve used).
If you're talking about public keys: you're almost right. The Y coordinate can indeed be computed from the X coordinate, if you know the sign (given the formula y^2 = x^3 + 7, there are two solutions for Y for every X).
In fact, if you're using a recent version of several wallet clients (bitcoind/bitcoin-qt since 0.6.0 for example), this trick is used. It's called compressed public keys, and it means that when spending a transaction output, the public key stored in the spending script (and thus the block chain) only contains the X coordinate and a marker byte to denote which of both Y coordinates is used. This is slightly slower to validate, but saves space.
In practice, public keys are encoded in the following legal ways:
(the two solutions for Y always have different oddness, but as we're talking about a coordinate in a finite field rather than a real number, it does not actually have a 'sign')
Brilliant. Thorough answer! Tanks so much. If you don't mind me asking, what's your education/background? – pinhead – 2014-01-01T10:41:13.357
@Pieter Wuille - can you please answer this question. http://stackoverflow.com/questions/35591559/generating-bitcoin-public-and-private-keys
– lock – 2016-02-24T04:48:32.547If it's of the form y^2 = x^3 + a, it might just be better to store the y coordinate. Then you don't need the sign since cube roots are unique (When p is 2 mod 3 that is, but the prime should be 2 mod 3 anyway for a valid ECC curve) – Nicholas Pipitone – 2018-11-20T22:50:53.663
@Nicholas The secp256k1 curve has p = 1 mod 3, so there can be up to 3 valid x coordinates for one y coordinate. – Pieter Wuille – 2018-11-20T23:01:12.047
Ah, that's unfortunate. In my case I was able to encode with y, not that saving a byte is a big deal though (But sizes of powers of two feel nicer for public keys). – Nicholas Pipitone – 2018-11-21T00:45:59.203