3

Reference: https://en.bitcoin.it/wiki/File:PubKeyToAddr.png and https://en.bitcoin.it/wiki/Secp256k1

Why do we need both X and Y to make a private key?

pinhead

1 Answer

8

A private key is just a number modulo the order of the curve.

A public key is the (X,Y) coordinate pair corresponding to that number (the private key) multiplied by the base point (which is a property of the curve used).

If you're talking about public keys: you're almost right. The Y coordinate can indeed be computed from the X coordinate, if you know the sign (given the formula y^2 = x^3 + 7, there are two solutions for Y for every X).

In fact, if you're using a recent version of several wallet clients (bitcoind/bitcoin-qt since 0.6.0 for example), this trick is used. It's called compressed public keys, and it means that when spending a transaction output, the public key stored in the spending script (and thus the block chain) only contains the X coordinate and a marker byte to denote which of both Y coordinates is used. This is slightly slower to validate, but saves space.

In practice, public keys are encoded in the following legal ways:

  • 0x02 + [32-byte X coordinate] (if the Y coordinate is even)
  • 0x03 + [32-byte X coordinate] (if the Y coordinate is odd)
  • 0x04 + [32-byte X coordinate] + [32-byte Y coordinate]

(the two solutions for Y always have different oddness, but as we're talking about a coordinate in a finite field rather than a real number, it does not actually have a 'sign')

Pieter Wuille
  • Brilliant. Thorough answer! Thanks so much. If you don't mind me asking, what's your education/background? – pinhead Jan 01 '14 at 10:41
  • @Pieter Wuille - can you please answer this question. http://stackoverflow.com/questions/35591559/generating-bitcoin-public-and-private-keys – Karthik Malla Feb 24 '16 at 04:48
  • If it's of the form y^2 = x^3 + a, it might just be better to store the y coordinate. Then you don't need the sign since cube roots are unique (When p is 2 mod 3 that is, but the prime should be 2 mod 3 anyway for a valid ECC curve) – Nicholas Pipitone Nov 20 '18 at 22:50
  • @Nicholas The secp256k1 curve has p = 1 mod 3, so there can be up to 3 valid x coordinates for one y coordinate. – Pieter Wuille Nov 20 '18 at 23:01
  • Ah, that's unfortunate. In my case I was able to encode with y, not that saving a byte is a big deal though (But sizes of powers of two feel nicer for public keys). – Nicholas Pipitone Nov 21 '18 at 00:45
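
Added example (not part of the original answer or comments): a Python sketch of the three public key encodings listed in the answer, recovering Y from X and the marker byte and rejecting points that are not on the curve. The function names are hypothetical; the prime and base point are the published secp256k1 parameters.

```python
# Added example. secp256k1: y^2 = x^3 + 7 over the field of P elements.
P = 2**256 - 2**32 - 977
# Base point G from the published curve parameters, used here as sample input.
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8

def lift_x(x, want_odd):
    """Recover Y from X and the parity marker; raise if X is not on the curve."""
    if not 0 <= x < P:
        raise ValueError("X out of field range")
    rhs = (pow(x, 3, P) + 7) % P
    # P % 4 == 3, so a square root (when one exists) is rhs^((P+1)/4) mod P.
    y = pow(rhs, (P + 1) // 4, P)
    if y * y % P != rhs:
        raise ValueError("no point with this X coordinate")
    # The two roots are y and P - y; P is odd, so exactly one of them is odd.
    return y if (y & 1) == want_odd else P - y

def decode_pubkey(data):
    """Parse a 0x02/0x03/0x04 encoded key into an (X, Y) pair."""
    if len(data) == 33 and data[0] in (0x02, 0x03):
        x = int.from_bytes(data[1:], "big")
        return x, lift_x(x, want_odd=(data[0] == 0x03))
    if len(data) == 65 and data[0] == 0x04:
        x = int.from_bytes(data[1:33], "big")
        y = int.from_bytes(data[33:], "big")
        # An uncompressed key carries Y explicitly, so check it instead of trusting it.
        if y >= P or lift_x(x, bool(y & 1)) != y:
            raise ValueError("point is not on the curve")
        return x, y
    raise ValueError("unknown public key encoding")

def encode_pubkey(x, y, compressed=True):
    """Serialize a point: 0x02 (even Y) or 0x03 (odd Y) plus X, or 0x04 plus X and Y."""
    if compressed:
        return bytes([0x02 | (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

if __name__ == "__main__":
    key = encode_pubkey(GX, GY)
    print(key.hex())
    print(decode_pubkey(key) == (GX, GY))
```

Any parser that accepts these encodings should fail closed on a coordinate outside the field or a point off the curve, as `decode_pubkey` does here.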