I had a conversation recently with someone that made me wonder if there is a lot of confusion about the relation between public keys and Bitcoin addresses, so I thought I'd make a brief post explaining for interested parties this difference.
As most people know public key cryptography, particularly the Elliptic Curve Digital Signature Algorithm (ECDSA), is important to Bitcoin. In this cryptographic scheme an asymmetric key-pair is generated, a public key, which can be shared with anyone, and a private key which should be known by only you. In Bitcoin, with ECDSA, your private key is used to sign a transaction, confirming that it was in fact you, the rightful owner of a given UTXO or some set of UTXOs who is sending them off to some other address. Any arbitrary person (miners, people running validation nodes or SPV wallets) can confirm that it was you who sent the transaction because included in the transaction is your public key. Your public key will revert the cryptographic transformation done by your private key, thus allowing people to verify that the transaction being signed is in fact the one under consideration, and that it originates from the holder of the private key corresponding to this public key.
Missing from my explanation above is how transaction validators know the public key for a given Bitcoin address. A natural assumption might be that Bitcoin addresses are ECDSA public keys. This assumption is natural, but incorrect. Bitcoin Address are hashes of public keys (pubkey hashes). With this scheme, your public key is only ever exposed when you transact with Bitcoin. Validators verify that a public key you provide for a transaction is correct for your Bitcoin address by hashing that public key and making sure that the hash of the public key is equivalent with the pubkey hash.
Some corollaries of using the pubkey hash instead of the public key for Bitcoin Addresses are:
- Compression. Bitcoin Public Keys are 256 bits and pubkey hashes are 160 bits (128 bits for the hash of the public key and 32 bits for the checksum)
- Quantum resistance
Expanding on the second point, suppose tomorrow a Quantum Computer came out with enough qubits to solve the currently intractable discrete logarithm problem of determining an ECDSA private key from a public key. If you had been following the Bitcoin best practice of not re-using addresses when you transact your Bitcoin, then the only window of opportunity for a thief would be the time before your Bitcoin gets added to a block when you were transacting with it.
Unlike public key cryptography, cryptographic hashes themselves are not particularly vulnerable to the advent of quantum computing.
No comments:
Post a Comment