Bitcoin Keys and Addresses

Bitcoin keys and addresses are strings of unique numbers used to send and receive Bitcoin on the network. 

Keys and addresses function like a checking account at a bank, similar to your checking account number and account password.

Your public key is your account number. 

Your private key is your account password.  

Your address is like your Venmo or Zelle @handle: it functions like your account number and is given to the sender who creates the transaction.

What is a Bitcoin private key?

Your private key is like a password that secures the Bitcoin and is used to sign a transaction, which prevents people from sending Bitcoin from your wallet to their address.

A private key is also called a secret key (SK).

Private keys are randomly generated 256-bit numbers generated by a SHA-256 algorithm.  The number ‘256’ in SHA-256 represents the number of hexadecimal characters produced as an output of the algorithm which represents the data that was encrypted.  

Since Bitcoin Core is a computer program run by all nodes, the software must be able to read the information.  Computers like to use Binary, elemental numbers (1s and 0s) to store data in bits.  

In the example below, Hexadecimal (hex) and Decimal numbers can be converted to Binary.  These conversions from one format to another are interchangeable and all represent the same private key.  Note: Never share your private key with anyone!

Your private key is used to sign a Bitcoin transaction on the network and unlock your Bitcoin UTXOs to spend.

If someone has your private key they can drain (sweep) Bitcoin from your account.  

Self-custody of your private key is a fundamental right and responsibility of Bitcoin investors. Non-custodial wallets enable you to become your own bank and serve as an alternative solution to 3rd party custodial wallets, like an exchange, used for private key management. 

If you are using an exchange wallet (Coinbase) or software wallet (MetaMask), then you do not control your private key.  The ‘hot wallet’ provider is acting as the custodian. 

Storing private keys offline in cold storage transfers the custodial risk (hacks, theft, negligence) away from the third-party hot wallet provider directly to you.

Most wallet services (hot and cold) provide a way to back up and restore your private key by providing you with a recovery seed phrase (12-24 words) that represents your 256-bit private key.

How do I generate a Bitcoin private key offline?

Generating a private key is like creating a new bank account to send and receive Bitcoin.  

To create a new bank account at Chase you have to fill out a form, provide ID, and receive permission from the bank before you’re given an account number.  

At any time, for any reason that same bank could freeze or cancel your account preventing access to your funds at the directive of the government or an employee.  

Creating a private key doesn’t require anybody’s permission and effectively creates your own ‘account’ on the Bitcoin Network.  Being your own sovereign bank is liberating and a fundamental right offered by Bitcoin.

You can manually create a private key without a wallet provider simply by generating a 256-bit random number.  

Here are a few examples of how to generate a private key:

  1. Flip a Coin 256 times.  SRSLY.  Get a piece of paper, a pen and a coin.  For each flip, if the coin lands on ‘heads’ record a ‘1’ and if the coin lands on ‘tails’ record a ‘0’.

You now have a private key in binary format.  You can follow these technical instructions to create a public key then a corresponding Bitcoin address.  None of these steps require approval by any authority.

  2. If you can code, use something like Python’s random number generator which will spit out a private key in decimal which can then be converted to binary and/or hexadecimal.
  3. Another option is an online random number generator, like BitAddress, to generate a private key.  If you choose this option, stay alert and do your own research since you risk a bad actor (site owner) saving your private key and draining your wallet.  
  4. A software (hot) wallet can create and store your private key.  You will be provided with a backup and recovery seed in case you get locked out of the account or want to transfer services.   
  5. A cold storage hardware wallet will also generate, encrypt and store a private key.  Hardware wallets, like Trezor and Ledger, make the process really simple by providing a backup/recovery seed and an interface to send/receive Bitcoin.  
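The coin-flip and Python options in the list above, together with the binary, hexadecimal and decimal conversions described earlier, as an added Python example that is not part of the original article. It rejects values outside the valid key range for Bitcoin's secp256k1 curve (1 to N-1) and draws randomness from the `secrets` module, because Python's general-purpose `random` module is a seeded Mersenne Twister and is not suitable for keys. The function names and the sample flip string are constructed for illustration.

```python
import random
import secrets

# Order of the secp256k1 curve used by Bitcoin; valid private keys are 1..N-1.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def key_from_coin_flips(flips):
    """Turn 256 recorded flips ('1' = heads, '0' = tails) into a private key."""
    if len(flips) != 256 or set(flips) - {"0", "1"}:
        raise ValueError("need exactly 256 characters, each '0' or '1'")
    key = int(flips, 2)
    if not 1 <= key < N:
        raise ValueError("value outside 1..N-1: discard and flip again")
    return key

def generate_key():
    """Draw a key from the operating system's CSPRNG via the secrets module."""
    while True:
        key = secrets.randbits(256)
        if 1 <= key < N:
            return key

def weak_key(seed):
    """Anti-pattern: the random module is a seeded Mersenne Twister, so anyone
    who learns or guesses the seed regenerates exactly the same 'key'."""
    return random.Random(seed).getrandbits(256)

def encodings(key):
    """The same 256-bit key written in the three formats discussed above."""
    return {
        "binary": format(key, "0256b"),   # 256 binary digits
        "hex": format(key, "064x"),       # 64 hexadecimal characters
        "decimal": str(key),
    }

if __name__ == "__main__":
    flips = "10" * 128                    # constructed sample, not real coin flips
    for name, text in encodings(key_from_coin_flips(flips)).items():
        print(f"{name:8}{text}")
```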

Yes, if someone happens to generate the same random 256-bit private key, called key collision, they could technically sweep all of the Bitcoin from your account.  

It’s exponentially more probable for someone to have the same fingerprint than it is for a collision event of two people having the same private key.  

You’re far more likely to lose your recovery seed phrase.

Adding a passphrase to your Bitcoin wallet backup adds another layer of security.

If you’re still skeptical about self-custody, the alternatives include storing BTC on Centralized Custodial Exchanges, like Coinbase, or learning how the Bitcoin ETF works.  

What is a Bitcoin public key?

The public key (PK) is your account number.  

It’s going to be seen by other people.  

For example, in real life when you pay a utility bill (gas, water, electric) the paper check that you mail back lists your bank account number.  Bob, who works in the accounts receivable department at the electric company, opens your check and can see your account number because it’s public. 

When you transact with Bitcoin, your public address is going to be seen by other people or companies who are using a blockchain explorer.

A public key is cryptographically derived from your private key using SHA-256 and RIPEMD-160 hash functions (algorithms) and stored as a hexadecimal value.

The public key is used during a transaction to programmatically lock the Bitcoin UTXO sent to your public address.

How can I get the public key from the private key?

Your public key is derived from your private key using a math function, an elliptic curve multiplication (aka Elliptic Curve Digital Signature Algorithm, or ECDSA).

The public key (PK) is a one-way function of the private key (SK) with a cryptographic ‘trapdoor’ to disallow a private key being derived from the public key. 

Your public key + digital signature proves that you own your Bitcoin without having to disclose your private key to anyone when making a Bitcoin Transaction.

What is a Bitcoin Address?

Your Bitcoin Address is a shortened version of your public key that is easier to interact with. 

It functions like the @handle you share with others on peer-to-peer instant banking systems like Zelle, Venmo, and Paypal.

QR codes are another easy way to share your address and receive Bitcoin.

Your Bitcoin public address is computed from the hash of your public key.  

Bitcoin software uses the two hash functions (algorithms), RIPEMD-160 and SHA-256, to generate the public bitcoin address derived from the public key.

The recipient’s public address receives Bitcoin from the sender’s public address. 

Keys and addresses are used in multiple functions aside from just being identifiers of the senders and receivers.  

For example, 3 technical functions of a Bitcoin Key Pair are:

  • GenerateKeys() – you make a key pair by generating a random secret (private) key and a public key which are used to create a wallet and public addresses.
  • Sign(secretKey, message) – the holder of a secretKey can sign a message which creates the signature. 
  • Verify(publicKey, message, signature) – anyone with a public key can verify the message + signature which returns a boolean response: true/valid (1) or false/not valid (0).

You can verify this with a blockchain explorer and our guide on how to decode a Bitcoin transaction.

Bitcoin Address Formats

Bitcoin addresses come in a variety of different formats which can impact the size of the data required to lock or unlock UTXOs spent and received in a transaction.  

Your wallet address has a direct impact when calculating the size and cost of a transaction.  

  • Pay-to-Pubkey-Hash Legacy Address (P2PKH) is the original address and uses the most data.  It’s a hash of the public key derived from the private key.
    • Example: 1e16hWo7CShMgbAfo9c3Ykj5C7BLq7Hot (starts with 1)
  • Pay-to-Script-Hash (P2SH) is a conditional spending address ~25% smaller than P2PKH because it does not use a hash of the public key but a script instead.
    • Example: 35NShWo7CShMgbAfo9c3Ykj5C7BLq7Not (starts with 3)
  • Pay-to-Witness-Public-Key-Hash Native SegWit – Bech32 (P2WPKH) addresses are the most common address type and use ~38% less data than legacy because the sig is not within the transaction (it is in the witness token); they also include a checksum to detect and correct errors.
    • Example: bc1q53lja80elem1anu9q9s4h2n7908re0jax667qdd (starts with bc1q)
  • Pay-to-Witness-Script-Hash (P2WSH) – this is the SegWit upgraded version of P2SH and also uses bech32.  Easy to send to, but complicated and expensive with fees for the receiver if the address is P2WSH, due to the scripting.  (starts with bc1q)
  • Taproot (P2TR): pay-to-taproot offers the most advanced security, privacy, flexibility and scaling for Bitcoin, enabling smart contracts.  It was introduced in 2021 to improve privacy and multi-sig.
    • Example: bc1pw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4 (starts with bc1p)
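The checksum mentioned for bc1 addresses above, as an added Python example that is not part of the original article: it verifies the checksum of a bc1 address before anything is sent to it, and reports whether it matches Bech32 (BIP-173, used for bc1q addresses) or Bech32m (BIP-350, used for Taproot bc1p addresses). The sample address is the P2WPKH test vector published in BIP-173, and the function names are chosen for this illustration.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"
GENERATOR = (0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3)
BECH32_CONST, BECH32M_CONST = 1, 0x2BC830A3   # BIP-173 and BIP-350 checksum targets

# Published BIP-173 test vector (P2WPKH), used here as sample input.
SAMPLE = "bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kv8f3t4"

def polymod(values):
    """BCH checksum over 5-bit symbols, as specified in BIP-173."""
    chk = 1
    for value in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ value
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GENERATOR[i]
    return chk

def checksum_encoding(address):
    """Return 'bech32', 'bech32m', or None if the checksum does not verify."""
    if address != address.lower() and address != address.upper():
        return None                       # mixed case is rejected
    address = address.lower()
    pos = address.rfind("1")              # the last '1' separates prefix from data
    if pos < 1 or pos + 7 > len(address):
        return None                       # no prefix, or no room for the checksum
    hrp, data_part = address[:pos], address[pos + 1:]
    if any(c not in CHARSET for c in data_part):
        return None                       # character outside the bech32 alphabet
    data = [CHARSET.index(c) for c in data_part]
    expanded = [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]
    kinds = {BECH32_CONST: "bech32", BECH32M_CONST: "bech32m"}
    return kinds.get(polymod(expanded + data))

if __name__ == "__main__":
    typo = SAMPLE[:-1] + "q"              # constructed single-character typo
    print(checksum_encoding(SAMPLE), checksum_encoding(typo))
```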

You don’t have to memorize all of these wallet types when you’re mastering Bitcoin.  Just like you don’t need to know that a bank wire transfers through SWIFT or that it’s an acronym for Society for Worldwide Interbank Financial Telecommunications.

All bitcoin addresses in a wallet are derived from a seed phrase and you DO NOT need a new seed for each address.

Bitcoin Addresses on Crypto Exchanges

Crypto Exchanges, like Coinbase, are defined as Virtual Asset Service Providers (VASPs) which are Money Service Businesses (MSBs) engaged in government classifications of specific financial activities.   

These definitions are tied to Anti-Money Laundering (AML) and Know-Your-Customer (KYC) laws, which are based on different jurisdictions.  

When your Bitcoin is kept on-exchange, the exchange manages your keys.

Coinbase creates different addresses each time you request a new address to receive Bitcoin.   

These addresses are derived from your keys and are managed by the exchange.  

Law enforcement agencies can subpoena the exchange to uncover all of the transactions that took place on the exchange.

Tracing Bitcoin Addresses:

Every time you want to receive Bitcoin on your Coinbase account a new address will be created. 

Let’s say you receive 1 BTC total via 52 weekly transfers from an external wallet of ~0.0192 BTC each.  Each week you generated a unique receiving address totalling 52 unique addresses generated from your Coinbase exchange account. 

If you decide to send your Coinbase balance to an external wallet, you create a transaction with the new wallet’s public address.  The transaction contains 1 input UTXO of 1 BTC, NOT 52 separate inputs because Coinbase is a custodial service.  

When transferring from an exchange to a different wallet address, the general public would not be able to associate your 52 transactions totalling 1 BTC.  However, because you’re using a KYC verified account, Coinbase could be subpoenaed by law enforcement and they would disclose the details of the 52 transactions because they manage your keys.  

The most common ways to increase your on-chain privacy include:

  1. Coin mixing – Different jurisdictions approach the legality of coin mixing differently, so you should always DYOR.  Some wallet providers perform this function by batching transactions together, creating different outputs that are harder to track. 
  2. Multiple Wallets – routing your transactions through more wallets can increase your privacy, as there is no way of knowing that you own all of the wallets. Hierarchical Deterministic (HD) secret wallets using passphrases create branches of different key sets which can appear disassociated but are easily managed and restored by a single recovery seed.
  3. Running a Full Node – The Bitcoin Blockchain is a network of nodes and anyone with an internet connection can run a full node of the Bitcoin Core software.  If you run a node, you can create and broadcast your Bitcoin transaction.  Your transaction will be difficult to distinguish from other transactions your node is simultaneously broadcasting thanks to the Bitcoin Core software.

These solutions are examples for educational purposes which may require advanced technical skills and an understanding of the risks involved.

How do I Import my Keys to a New Wallet?

Your recovery seed words are used to verify your ownership of the keys to recreate your wallet on another device or with a different wallet provider.  

There is no cost or fees to do this. 

It’s not uncommon to switch wallet providers until you find one that fits with your Bitcoin security and usability preferences.  

The most common reasons for importing your keys are:

  • Switching to a new software wallet provider
  • Restoring to a NEW hardware device due to loss or theft*
  • Changing hardware wallet to a new model or device provider
  • Adding a ‘contingency’ device to your backup and recovery strategy
  • Creating a duress wallet or a decoy wallet

*If restoring to a new device due to a security concern like loss, theft or suspected vulnerability, it’s best to restore then transfer your Bitcoin to a NEW wallet with a different recovery seed.

When you switch devices or providers, your keys never move from one wallet to another.  

Your keys are simply replicated on the new device which can be used to send/receive, spend with a merchant, buy more, swap with another coin or just HODL. 

Pro Tip: when you buy Bitcoin on an exchange, you don’t control your keys and there is no recovery seed because the exchange is the custodian of your Bitcoin.

Wallet providers and device manufacturers have detailed instructions for importing keys with your recovery seed.

After successfully importing your keys, be sure to verify account balances and review the wallet provider’s options to back up and protect your funds. 

Changing wallets or upgrading cold storage devices is a great opportunity to implement a strategy for UTXO management and consolidation.

Note: Stratus does NOT provide investment, legal or tax advice.  All information in this article is for educational purposes and should not be interpreted as investment, legal or tax advice.  The opinions expressed are those of the author for informational purposes and neither Stratus nor the author are liable for any errors, inaccuracies or omissions.  Digital assets, such as cryptocurrencies or decentralized finance, present unique risks for investors.  For investment, legal, tax, or other financial guidance you should consult your own advisor.