How do you know your public key from a private key?

In my understanding, when you create a public-private key pair, first, you create a pair of complementary keys by using cryptographic software. Then you give one key the name public key, and give the other key the name private key. You keep the private key for yourself and give your public key to everyone else.

Then I was reading Mastering Bitcoin, I found this sentence:

Paper wallets are bitcoin private keys printed on paper. Often the paper wallet also includes the corresponding bitcoin address for convenience, but this is not necessary because it can be derived from the private key.

I don’t understand how it is possible to derive the corresponding bitcoin address(the hash of a public key) from the private key.

If the public key can really be derived from the private key, isn’t the opposite true? I mean, we can choose whichever is the private key when we generate them.

sflow

Posted 2018-05-10T07:42:28.487

Reputation: 199

Answers

If the public key can really be derived from the private key, isn’t the opposite true?

Nope, thats the wonder of asymmetric key cryptography! You can easily derive the public key from the private key, but going the opposite direction is equivalent to brute-force guessing you way through an impossibly large set of numbers (ie, impossible). So the public key and private key are mathematically related, but this relationship is "one-way", so to speak. This is why you can share your public key with other people, but you should never, ever share the private key!

Once someone has a private key, they can use it to derive the public key and bitcoin address easily. But having a public key gives them no knowledge of the private key, since the math doesn't work the same both ways.

In bitcoin, the public key is derived using the Elliptic Curve Digital Signature Algorithm (ECDSA).

Then you give one key the name public key, and give the other key the name private key

...

I mean, we can choose whichever is the private key when we generate them.

I think this is where your misunderstanding comes from, the distinction of 'public' or 'private' is not arbitrarily chosen. One is derived from the other, their relationship is mathematically defined.

chytrik

Posted 2018-05-10T07:42:28.487

Reputation: 10 276

In my understanding, when you create a public-private key pair, first, you create a pair of complementary keys by using cryptographic software. Then you give one key the name public key, and give the other key the name private key.

This is the case with RSA but not with ECDSA. In RSA both keys are integer pairs and are interchangeable, i.e you can encrypt with one and decrypt with the other. In ECDSA the private key is an integer and the public key is a point on a curve (2 coordinates) derived from the private key. In ECDSA you can only sign with the private key and verify with the public key not the other way around.

Mike D

Posted 2018-05-10T07:42:28.487

Reputation: 1 571

Be aware that in most RSA implementations e is NOT picked to be difficult to guess, furthermore most private key formats store more than (d,pq). So while you could theoretically build a RSA cryptosystem where public and private keys are interchangable it's not the done thing. – Peter Green – 2019-08-08T13:13:23.887

Then my question about the RSA is how it is almost impossible to guess the private key from the public key when it’s randomly chosen. Would you elaborate? – sflow – 2018-05-21T01:17:31.973

1@sflow it goes like this: pick two prime numbers p, q. pick another number e that is coprime with (p-1)(q-1). Calculate d. Then you have two keys (d, pq) and (e, pq). You label one of them private and the other public. Then you throw away p and q. If you have p, q and e you can recreate both keys. But from the one key you cant get to the other (unless you can find the prime factors of p*q) – Mike D – 2018-05-21T08:50:32.180