Why do keys need both X and Y coordinates, if X can be solved for Y using the curve equation?

3

1

Reference: https://en.bitcoin.it/wiki/File:PubKeyToAddr.png and https://en.bitcoin.it/wiki/Secp256k1

Why do we need both X and Y to make a private key?

pinhead

Posted 2014-01-01T05:49:16.140

Reputation: 2 356

Answers

8

A private key is just a number modulo the order of the curve.

A public key is the (X,Y) coordinate pair corresponding to that number (the private key) multiplied by the base point (which is a property of the curve used).

If you're talking about public keys: you're almost right. The Y coordinate can indeed be computed from the X coordinate, if you know the sign (given the formula y^2 = x^3 + 7, there are two solutions for Y for every X).

In fact, if you're using a recent version of several wallet clients (bitcoind/bitcoin-qt since 0.6.0 for example), this trick is used. It's called compressed public keys, and it means that when spending a transaction output, the public key stored in the spending script (and thus the block chain) only contains the X coordinate and a marker byte to denote which of both Y coordinates is used. This is slightly slower to validate, but saves space.

In practice, public keys are encoded in the following legal ways:

  • 0x02 + [32-byte X coordinate] (if the Y coordinate is even)
  • 0x03 + [32-byte X coordinate] (if the Y coordinate is odd)
  • 0x04 + [32-byte X coordinate] + [32-byte Y coordinate]

(the two solutions for Y always have different oddness, but as we're talking about a coordinate in a finite field rather than a real number, it does not actually have a 'sign')

Pieter Wuille

Posted 2014-01-01T05:49:16.140

Reputation: 54 032
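The three encodings listed in the answer above, as an added Python example that is not part of the original post or of any wallet's own code. The function names `decode_pubkey` and `encode_compressed` are hypothetical, and the secp256k1 base point G serves as sample data.

```python
# Added example: decode the 0x02 / 0x03 / 0x04 public key encodings on secp256k1.
P = 2**256 - 2**32 - 977  # secp256k1 field prime
B = 7                     # curve equation: y^2 = x^3 + 7 (mod P)

# Coordinates of the secp256k1 base point G, used here as sample data.
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def on_curve(x, y):
    """True if (x, y) satisfies the curve equation modulo P."""
    return (y * y - (pow(x, 3, P) + B)) % P == 0


def decode_pubkey(data: bytes):
    """Return (x, y) for a 33-byte compressed or 65-byte uncompressed key."""
    if len(data) == 65 and data[0] == 0x04:
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
        if x >= P or y >= P or not on_curve(x, y):
            raise ValueError("point is not on the curve")
        return x, y
    if len(data) == 33 and data[0] in (0x02, 0x03):
        x = int.from_bytes(data[1:], "big")
        if x >= P:
            raise ValueError("x coordinate out of range")
        rhs = (pow(x, 3, P) + B) % P
        # P % 4 == 3, so if rhs is a square its root is rhs^((P+1)/4) mod P.
        y = pow(rhs, (P + 1) // 4, P)
        if y * y % P != rhs:
            raise ValueError("no Y coordinate exists for this X")
        # The two roots y and P - y differ in oddness; the marker byte picks one.
        if (y & 1) != (data[0] & 1):
            y = P - y
        return x, y
    raise ValueError("unknown public key encoding")


def encode_compressed(x, y):
    """Marker byte 0x02 (even Y) or 0x03 (odd Y), then the 32-byte X."""
    return bytes([0x02 | (y & 1)]) + x.to_bytes(32, "big")
```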

Brilliant. Thorough answer! Thanks so much. If you don't mind me asking, what's your education/background?

pinhead 2014-01-01T10:41:13.357

@Pieter Wuille - can you please answer this question. http://stackoverflow.com/questions/35591559/generating-bitcoin-public-and-private-keys

lock 2016-02-24T04:48:32.547

If it's of the form y^2 = x^3 + a, it might just be better to store the y coordinate. Then you don't need the sign since cube roots are unique (When p is 2 mod 3 that is, but the prime should be 2 mod 3 anyway for a valid ECC curve)

Nicholas Pipitone 2018-11-20T22:50:53.663

@Nicholas The secp256k1 curve has p = 1 mod 3, so there can be up to 3 valid x coordinates for one y coordinate.

Pieter Wuille 2018-11-20T23:01:12.047

Ah, that's unfortunate. In my case I was able to encode with y, not that saving a byte is a big deal though (But sizes of powers of two feel nicer for public keys).

Nicholas Pipitone 2018-11-21T00:45:59.203