Bitcoin Q&A: What is a Private Key? - YouTube

"How is the private key calculated using the elliptic curve mathematical computation?"

"If transactions are public, why can't someone launch a brute-force [attack] and guess the private key,

knowing the fact that we have quantum computers now?"

Let's start with the first question for Rojit.

Private keys are numbers, that's all they are.

If you wanted to generate a private key, you can do so fairly easily using just pen and paper.

A private key is a number that is 256 bits long. A bit is either 0 or 1. How do we calculate a bit?

The easiest way would be to flip a coin.

Take a big sheet of paper and a coin. Flip [the coin]. If it's heads, write down 1. If it's tails, write down 0.

Repeat this 256 times. Now you have a binary private key, written on your piece of paper, generated randomly.

If somebody else tried to do the same thing,

they would have to try 10 ^ 77 times in order to produce the same private key (on average).

That private key is just a number [like 3 or 7],

[though those would be] very easy to crack, not very random [out of the vast possibilities], but still.

[With] that private key, the elliptic curve mathematics that follow is to take a known point on the elliptic curve.

When I say point, that means an X,Y coordinate on the line drawn by the function.

If you take the elliptic curve function of Bitcoin, and when drawn on a piece of paper it creates a line.

That line is in the form of curve, an elliptic curve, and it looks a bit like a squid.

There is a very specific point on the line of that elliptic curve called the generator point.

It's a set of X,Y coordinates that is pre-defined.

Everybody uses the same one. We write it down as 'G' for generator point.

The public key is simply the point 'G' multiplied by the private key.

If my private key is 3, then my public key is 3 multiplied by 'G.'

You might say, "Well, that's very easy! If I know the public key is 3 multiplied by 'G' and I know what 'G' is,"

"why don't I divide by 'G' and then I know your private key?"

The reason is because you can't do division on the elliptic curve. Division doesn't exist [there].

You know 3 multiplied by 'G' is the public key, but you can't figure out that 3 is the private key,

even though you know what the value of 'G' is.

That's how the elliptic curve computation works.

Now, what does multiplication by a scaler mean on the elliptic curve?

What does it mean to take a point and multiply it by 3? How do you multiply X,Y coordinates by 3?

This has a specific meaning on the elliptic curve.

To add 'G' to itself, to do 'G' plus 'G,' you take the tangent of the [generator] point on the elliptic curve.

The tangent is a specific mathematical construct.

You draw the tangent at the point of 'G' and at some point that tangent will touch the elliptic curve again.

That is one of the properties of elliptic curves.

If you take the tangent of a point on the elliptic curve, the tangent will bisect the elliptic curve at another point.

If you flip that point on the axis, that is '2G.'

Drawing a line between the two points is how you add them up.

You can create a multiple because 3 multiplied by 'G,' is simply 'G' plus 'G' plus 'G.' You can keep adding 'G.'

Essentially, all private to public key computation is that: taking 'G' and adding it to itself, with your private key.

That's the number you generated randomly.

When you do that, you still end up with some X,Y coordinate on the curve.

Every time you add the points, you [end up somewhere on the curve] and that point is your public key.

You know that point, [but] you simply have no idea how you got there.

"Do all private keys start with the number 5?" No, Bill.

Private keys encoded with wallet import format (WIF) start with the number 5.

But those that correspond to compressed public keys can start with the letter 'K' or 'L.'

You will see private keys for wallet import format [that start with a 5].

When they're 'with compressed,' as it's called, they start with a 'K' or 'L' instead of a 5.

"How do you ensure the private key is transmitted securely and privately into the blockchain?"

This is also a point of confusion. The private key is never transmitted anywhere [on the blockchain]."

What you transmit is a signature, which is a number produced from the private key...

by a special equation that anyone can check.

By checking that against your public key, they can confirm you know what the private key is,

but they don't know / cannot know what the private key is.

That little trick ensures that you can sign as many times as you want, transmit as many signatures [as you want],

and people will only be able to verify that you know the private key, but nobody else does.

"Please explain key collision. Also, please give an example of encryption collision."

'Collision' as a word is mostly used for hashes.

Perhaps what you're asking is related to the very next question.

Jason asks, "Is it possible to generate a private key that is already being used?" Yes Jason, it is possible.

It is absolutely improbable, however.

Even if you were trying to do this deliberately, by generating a trillion new private keys every second,

and then recruited a billion people to generate a trillion keys each, all you would do is touch the very surface...

of the absolutely enormous number [of possible] private keys that [could] exist.

This is something that a lot of people have difficulty wrapping their heads around;

the idea that the [number of possible private keys] is so large that you will never ever get through them.

The number of possible private keys is 2 ^ 256. It's not quite, but for rounding purposes it's 2 ^ 256.

The main idea doesn't change, no matter how much you round this.

2 ^ 256 is equivalent in decimal to 10 ^ 77. That's 10 with 77 zeros after it.

Let's say you could generate a billion keys per second. How much is a billion keys? That is 10 ^ 9.

What you're doing now is taking 10 ^ 77 and dividing it by 10 ^ 9, which is a billion keys.

What you're left with is 10 ^ 68. You cut that number from 10 ^ 77 down to 10 ^ 68.

That's 10 with 68 zeroes [after it].

That's how many [possible keys you may still have to generate]...

to [find] a private key that matches somebody else's.

Let's say you take a billion people and they all try a billion keys per second.

Instead of 10 ^ 68, it will now be 10 ^ 59.

It may seem like you're making progress, but not really.

Because a billion seconds would mean that you would be no closer.

You would be down to 10 ^ 50 with a billion people trying a billion keys.

I'm using very big, big numbers here.

Let's say that you were able to do all of that for a year, and then you decided to do it for a billion years.

As you can see, if we take off nine more digits from the end of this [exponent], it doesn't get much smaller.

You're still looking at numbers that are unfathomably large.

At this rate, the amount of time it would take you to run through all private key combinations...

exceeds the total time of the universe's existence.

Which, depending on whether you apply science or not, is either 13.4 billion years or 6,000 years.

"If transactions are public, why can't someone launch a brute-force [attack] and guess the private key,"

"knowing the fact that we have quantum computers available now?"

I already gave you the answer as to why you can't guess the private key by trying [to generate] all possible keys.

You will run out of time. The sun will extinguish, its nuclear fusion reactions will end.

The universe will expand into nothingness. Civilizations will come and go.

And you will still be trying to [guess] private keys. That's the scale of numbers we're talking about.

But what about quantum computers? Does that change the equation? Yes, it does.

With a quantum computer, you could actually work out all possible combinations of a 256-bit number instantly,

as long as you had a quantum computer [with sufficient qubits].

If you follow news about quantum computing, you know we currently have 5 to 10 qubits.

The progress of adding each additional qubit is actually slowing down.

To quote Peter Todd and one of his memorable memes that I really like:

"Quantum computing may be the one area of science that scales worse than blockchains."

Quantum computers are not getting to 256 qubits anytime soon. In fact, you would only need 128 qubits...

to break [the elliptic curve function in Bitcoin], but we are very far from there.

What happens when quantum computers become available? We have to change cryptographic algorithms.

There are algorithms that are better in terms of protecting against quantum computing [attacks].

We don't need to use those algorithms [yet] because there are not quantum computers with enough qubits

to be able to crack Bitcoin's private keys.

The next question comes from Sesame Meow:

"Quantum attacks on Bitcoin and how to protect against them."

"I just listened to an Epicenter podcast about quantum threats to Bitcoin. Here is their paper."

"From what I understand, quantum computing effects would start to kick in, at the earliest, during 2027."

"Attacks on proof-of-work are straightforward to address, but attacks on ECDSA...

for [unconfirmed] transactions are a credible threat."

"I'm aware of the argument that if the ECDSA is broken, we are worried about a lot of other things."

"Focusing on Bitcoin: how easily can Bitcoin incorporate quantum-safe public key signature schemes?"

"Does it require a complete overhaul of the code, a hard fork, or a soft fork? What?"

Sesame Meow, do not fret! Yes, it's it's true that quantum effects could limit the lifetime of the ECDSA.

All cryptographic algorithms have a limited lifetime. The good news is that ECDSA can easily be replaced.

It can be replaced with a very simple soft fork.

One of the important innovations that came with the introduction of Segregated Witness,

was the ability to have a script version number that allows soft fork upgrades

to the scripting language within Bitcoin.

This was introduced and activated on August 1st 2017. It means other signature schemes can be introduced,

by a simple soft fork.

The first of such schemes [will be] Schnorr signatures, [acting] in conjunction with or in addition to ECDSA.

A lot of this isn't about replacing ECDSA, but rather about adding more signature algorithms so that...

people can choose which signature algorithms they want to use and effectively migrate their funds...

to more secure signature algorithms.

Schnorr signatures, which are about to be introduced, have been in testing and development for quite a while.

They are one of the soft fork upgrades that can be done

with the script versioning capability and Segregated Witness.

But they're not the only one. Bitcoin could introduce quantum-safe signature schemes with a soft fork,

just by using the script versioning.

It's actually a very simple soft fork. It's completely optional. It's not mandatory.

It's opt-in. People can choose to use it, if they want to. If they don't, they can continue to what they used before,

which may be ECDSA or something else.

It can be introduced incrementally so that different parts of the system upgrade and [add] support slowly,

just like we've seen with the new bech32 address format for SegWit.

Some wallets support it, some don't. Gradually, the ecosystem is evolving.

Quantum attacks on Bitcoin? Not as scary as you might think. 2027 is a very long way away.

Within the next decade, the number of [security] improvements that could be made to introduce...

quantum-safe digital signatures in Bitcoin, and the ease by which these could be done,

really [makes it] not a problem.

Let's see what other bogeymen and scary thoughts we can banish with all of these questions,

which are showing a high level of anxiety in the Bitcoin space.

Before we continue to the next question, remember:

when engaging in cryptocurrencies, it is important every now and then to take a deep breath.

Realize that there are many things in life that are more important, and the end is not near.

The apocalypse is not coming, Bitcoin is not dead or dying.

It is going to be okay. The roller-coaster is part of the show. Don't worry too much about all of these things.

A lot of the articles and academic papers you read have come out with a sensationalist [title] and they say:

"We've discovered a fatal flaw that will be the end of Bitcoin!"

They mostly address academic edge cases that are very hard to apply and fairly easy to mitigate.

But that's not what they're going to tell you in the sensationalist headline.

They're not going to write a headline that says:

"Edge case discovered; will have minimal impact and be easily mitigated, but we wrote a great paper about it!"

No. They're going to say: "Doom! Gloom! Bitcoin's dead!"

Don't believe it.