$ bitcoind getnewaddress

1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy
$ bitcoind dumpprivkey 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy
KxFC1jmwwCoACiCAWZ3eXa96mBM6tb3TYzGmf6YwgdGWZgawvrtJ

The dumpprivkey command opens the wallet and extracts the private key that was gen‐
erated by the getnewaddress command. It is not otherwise possible for bitcoind to know
the private key from the public key, unless they are both stored in the wallet.

The dumpprivkey command is not generating a private key from a

public key, as this is impossible. The command simply reveals the
private key that is already known to the wallet and which was gener‐
ated by the getnewaddress command.

You can also use the command-line sx tools (see “Libbitcoin and sx Tools” on page 56)
to generate and display private keys with the sx command newkey:
$ sx newkey
5J3mBbAH58CpQ3Y5RNJpUKPE62SQ5tfcvU2JpbnkeyhfsYB1Jcn

Public Keys
The public key is calculated from the private key using elliptic curve multiplication,
which is irreversible: K = k * G where k is the private key, G is a constant point called
the generator point and K is the resulting public key. The reverse operation, known as
“finding the discrete logarithm”—calculating k if you know K—is as difficult as trying
all possible values of k, i.e., a brute-force search. Before we demonstrate how to generate
a public key from a private key, let’s look at elliptic curve cryptography in a bit more
detail.

Elliptic Curve Cryptography Explained

Elliptic curve cryptography is a type of asymmetric or public-key cryptography based
on the discrete logarithm problem as expressed by addition and multiplication on the
points of an elliptic curve.
Figure 4-2 is an example of an elliptic curve, similar to that used by bitcoin.

Introduction | 65
Figure 4-2. An elliptic curve

Bitcoin uses a specific elliptic curve and set of mathematical constants, as defined in a
standard called secp256k1, established by the National Institute of Standards and Tech‐
nology (NIST). The secp256k1 curve is defined by the following function, which pro‐
duces an elliptic curve:

y 2 = ( x 3 + 7) over (� p )

or

y 2 mod p = ( x 3 + 7) mod p

The mod p (modulo prime number p) indicates that this curve is over a finite field of
prime order p, also written as � p , where p = 2256 – 232 – 29 – 28 – 27 – 26 – 24 – 1, a very
large prime number.
Because this curve is defined over a finite field of prime order instead of over the real
numbers, it looks like a pattern of dots scattered in two dimensions, which makes it
difficult to visualize. However, the math is identical as that of an elliptic curve over the
real numbers. As an example, Figure 4-3 shows the same elliptic curve over a much
smaller finite field of prime order 17, showing a pattern of dots on a grid. The secp256k1
bitcoin elliptic curve can be thought of as a much more complex pattern of dots on a
unfathomably large grid.

66 | Chapter 4: Keys, Addresses, Wallets

Figure 4-3. Elliptic curve cryptography: visualizing an elliptic curve over F(p), with
p=17

So, for example, the following is a point P with coordinates (x,y) that is a point on the
secp256k1 curve. You can check this yourself using Python:
P =
(55066263022277343669578718895168534326250603453777594175500187360389116729240,
32670510020758816978083085130507043184471273380659243275938904335757337482424)
Python 3.4.0 (default, Mar 30 2014, 19:23:13)
[GCC 4.2.1 Compatible Apple LLVM 5.1 (clang-503.0.38)] on darwin
Type "help", "copyright", "credits" or "license" for more information.
>>> p =
115792089237316195423570985008687907853269984665640564039457584007908834671663
>>> x =
55066263022277343669578718895168534326250603453777594175500187360389116729240
>>> y =
32670510020758816978083085130507043184471273380659243275938904335757337482424
>>> (x ** 3 + 7 - y**2) % p
0
In elliptic curve math, there is a point called the “point at infinity,” which roughly cor‐
responds to the role of 0 in addition. On computers, it’s sometimes represented by x =

Introduction | 67
y = 0 (which doesn’t satisfy the elliptic curve equation, but it’s an easy separate case that
can be checked).
There is also a + operator, called “addition,” which has some properties similar to the
traditional addition of real numbers that grade school children learn. Given two points
P1 and P2 on the elliptic curve, there is a third point P3 = P1 + P2, also on the elliptic
curve.
Geometrically, this third point P3 is calculated by drawing a line between P1 and P2. This
line will intersect the elliptic curve in exactly one additional place. Call this point P3' =
(x, y). Then reflect in the x-axis to get P3 = (x, –y).
There are a couple of special cases that explain the need for the “point at infinity.”
If P1 and P2 are the same point, the line “between” P1 and P2 should extend to be the
tangent on the curve at this point P1. This tangent will intersect the curve in exactly one
new point. You can use techniques from calculus to determine the slope of the tangent
line. These techniques curiously work, even though we are restricting our interest to
points on the curve with two integer coordinates!
In some cases (i.e., if P1 and P2 have the same x values but different y values), the tangent
line will be exactly vertical, in which case P3 = “point at infinity.”
If P1 is the “point at infinity,” then the sum P1 + P2 = P2. Similary, if P2 is the point at
infinity, then P1 + P2 = P1. This shows how the point at infinity plays the role of 0.
It turns out that + is associative, which means that (A+B)C = A(B+C). That means we
can write A+B+C without parentheses without any ambiguity.
Now that we have defined addition, we can define multiplication in the standard way
that extends addition. For a point P on the elliptic curve, if k is a whole number, then
kP = P + P + P + … + P (k times). Note that k is sometimes confusingly called an
“exponent” in this case.

Generating a Public Key

Starting with a private key in the form of a randomly generated number k, we multiply
it by a predetermined point on the curve called the generator point G to produce another
point somewhere else on the curve, which is the corresponding public key K. The gen‐
erator point is specified as part of the secp256k1 standard and is always the same for all
keys in bitcoin:

K = k *G

where k is the private key, G is the generator point, and K is the resulting public key, a
point on the curve. Because the generator point is always the same for all bitcoin users,

68 | Chapter 4: Keys, Addresses, Wallets

a private key k multiplied with G will always result in the same public key K. The rela‐
tionship between k and K is fixed, but can only be calculated in one direction, from k
to K. That’s why a bitcoin address (derived from K) can be shared with anyone and does
not reveal the user’s private key (k).

A private key can be converted into a public key, but a public key
cannot be converted back into a private key because the math only
works one way.

Implementing the elliptic curve multiplication, we take the private key k generated
previously and multiply it with the generator point G to find the public key K:
K = 1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD * G

Public Key K is defined as a point K = (x,y):

K = (x, y)

where,

x = F028892BAD7ED57D2FB57BF33081D5CFCF6F9ED3D3D7F159C2E2FFF579DC341A
y = 07CF33DA18BD734C600B96A72BBC4749D5141C90EC8AC328AE52DDFE2E505BDB
To visualize multiplication of a point with an integer, we will use the simpler elliptic
curve over the real numbers—remember, the math is the same. Our goal is to find the
multiple kG of the generator point G. That is the same as adding G to itself, k times in
a row. In elliptic curves, adding a point to itself is the equivalent of drawing a tangent
line on the point and finding where it intersects the curve again, then reflecting that
point on the x-axis.
Figure 4-4 shows the process for deriving G, 2G, 4G, as a geometric operation on the
curve.

Most bitcoin implementations use the OpenSSL cryptographic li‐

brary to do the elliptic curve math. For example, to derive the pub‐
lic key, the function EC_POINT_mul() is used.

Introduction | 69
Figure 4-4. Elliptic curve cryptography: Visualizing the multiplication of a point G by
an integer k on an elliptic curve

Bitcoin Addresses
A bitcoin address is a string of digits and characters that can be shared with anyone who
wants to send you money. Addresses produced from public keys consist of a string of
numbers and letters, beginning with the digit “1”. Here’s an example of a bitcoin address:
1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy
The bitcoin address is what appears most commonly in a transaction as the “recipient”
of the funds. If we were to compare a bitcoin transaction to a paper check, the bitcoin
address is the beneficiary, which is what we write on the line after “Pay to the order of.”
On a paper check, that beneficiary can sometimes be the name of a bank account holder,
but can also include corporations, institutions, or even cash. Because paper checks do
not need to specify an account, but rather use an abstract name as the recipient of funds,
that makes paper checks very flexible as payment instruments. Bitcoin transactions use
a similar abstraction, the bitcoin address, to make them very flexible. A bitcoin address
can represent the owner of a private/public key pair, or it can represent something else,
such as a payment script, as we will see in “Pay-to-Script-Hash (P2SH)” on page 132. For
now, let’s examine the simple case, a bitcoin address that represents, and is derived from,
a public key.

70 | Chapter 4: Keys, Addresses, Wallets

The bitcoin address is derived from the public key through the use of one-way crypto‐
graphic hashing. A “hashing algorithm” or simply “hash algorithm” is a one-way func‐
tion that produces a fingerprint or “hash” of an arbitrary-sized input. Cryptographic
hash functions are used extensively in bitcoin: in bitcoin addresses, in script addresses,
and in the mining proof-of-work algorithm. The algorithms used to make a bitcoin
address from a public key are the Secure Hash Algorithm (SHA) and the RACE Integrity
Primitives Evaluation Message Digest (RIPEMD), specifically SHA256 and RI‐
PEMD160.
Starting with the public key K, we compute the SHA256 hash and then compute the
RIPEMD160 hash of the result, producing a 160-bit (20-byte) number:

A = RIPEMD160(SHA256(K ))

where K is the public key and A is the resulting bitcoin address.

A bitcoin address is not the same as a public key. Bitcoin addresses

are derived from a public key using a one-way function.

Bitcoin addresses are almost always presented to users in an encoding called

“Base58Check” (see “Base58 and Base58Check Encoding” on page 72), which uses 58
characters (a Base58 number system) and a checksum to help human readability, avoid
ambiguity, and protect against errors in address transcription and entry. Base58Check
is also used in many other ways in bitcoin, whenever there is a need for a user to read
and correctly transcribe a number, such as a bitcoin address, a private key, an encrypted
key, or a script hash. In the next section we will examine the mechanics of Base58Check
encoding and decoding, and the resulting representations. Figure 4-5 illustrates the
conversion of a public key into a bitcoin address.

Bitcoin Addresses | 71
Figure 4-5. Public key to bitcoin address: conversion of a public key into a bitcoin ad‐
dress

Base58 and Base58Check Encoding

In order to represent long numbers in a compact way, using fewer symbols, many com‐
puter systems use mixed-alphanumeric representations with a base (or radix) higher
than 10. For example, whereas the traditional decimal system uses the 10 numerals 0
through 9, the hexadecimal system uses 16, with the letters A through F as the six
additional symbols. A number represented in hexadecimal format is shorter than the
equivalent decimal representation. Even more compact, Base-64 representation uses 26
lower-case letters, 26 capital letters, 10 numerals, and two more characters such as “+”
and “/” to transmit binary data over text-based media such as email. Base-64 is most
commonly used to add binary attachments to email. Base58 is a text-based binary-

72 | Chapter 4: Keys, Addresses, Wallets

encoding format developed for use in bitcoin and used in many other cryptocurrencies.
It offers a balance between compact representation, readability, and error detection and
prevention. Base58 is a subset of Base64, using the upper- and lowercase letters and
numbers, but omitting some characters that are frequently mistaken for one another
and can appear identical when displayed in certain fonts. Specifically, Base58 is Base64
without the 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols “\
+” and “/”. Or, more simply, it is a set of lower and capital letters and numbers without
the four (0, O, l, I) just mentioned.
Example 4-1. bitcoin’s Base58 alphabet
123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz

To add extra security against typos or transcription errors, Base58Check is a Base58

encoding format, frequently used in bitcoin, which has a built-in error-checking code.
The checksum is an additional four bytes added to the end of the data that is being
encoded. The checksum is derived from the hash of the encoded data and can therefore
be used to detect and prevent transcription and typing errors. When presented with a
Base58Check code, the decoding software will calculate the checksum of the data and
compare it to the checksum included in the code. If the two do not match, that indicates
that an error has been introduced and the Base58Check data is invalid. For example,
this prevents a mistyped bitcoin address from being accepted by the wallet software as
a valid destination, an error that would otherwise result in loss of funds.
To convert data (a number) into a Base58Check format, we first add a prefix to the data,
called the “version byte,” which serves to easily identify the type of data that is encoded.
For example, in the case of a bitcoin address the prefix is zero (0x00 in hex), whereas
the prefix used when encoding a private key is 128 (0x80 in hex). A list of common
version prefixes is shown in Table 4-1.
Next, we compute the “double-SHA” checksum, meaning we apply the SHA256 hash-
algorithm twice on the previous result (prefix and data):
checksum = SHA256(SHA256(prefix+data))
From the resulting 32-byte hash (hash-of-a-hash), we take only the first four bytes.
These four bytes serve as the error-checking code, or checksum. The checksum is con‐
catenated (appended) to the end.
The result is composed of three items: a prefix, the data, and a checksum. This result is
encoded using the Base58 alphabet described previously. Figure 4-6 illustrates the
Base58Check encoding process.

Bitcoin Addresses | 73
Figure 4-6. Base58Check encoding: a Base58, versioned, and checksummed format for
unambiguously encoding bitcoin data

In bitcoin, most of the data presented to the user is Base58Check-encoded to make it

compact, easy to read, and easy to detect errors. The version prefix in Base58Check
encoding is used to create easily distinguishable formats, which when encoded in Base58
contain specific characters at the beginning of the Base58Check-encoded payload. These
characters make it easy for humans to identify the type of data that is encoded and how
to use it. This is what differentiates, for example, a Base58Check-encoded bitcoin ad‐
dress that starts with a 1 from a Base58Check-encoded private key WIF format that
starts with a 5. Some example version prefixes and the resulting Base58 characters are
shown in Table 4-1.
Table 4-1. Base58Check version prefix and encoded result examples
Type Version prefix (hex) Base58 result prefix
Bitcoin Address 0x00 1
Pay-to-Script-Hash Address 0x05 3
Bitcoin Testnet Address 0x6F m or n

74 | Chapter 4: Keys, Addresses, Wallets