What is Public Key Cryptography?

Public key cryptography is the mathematical system that allows Bitcoin to prove ownership and authorize transactions without sharing the key that controls the funds.

Every Bitcoin transaction relies on it, and understanding it explains why the private key never needs to leave the signing device.


What is Public Key Cryptography?

Public key cryptography separates the ability to create a proof from the ability to verify a proof. A useful analogy is that of a notary seal. Only the notary holds the stamp needed to notarize, but anyone who receives a notarized document can confirm the seal is genuine. In Bitcoin, the private key produces the proof, while the public key lets anyone verify it. Being able to check the seal gives no one the ability to reproduce it.

In public key cryptography, you have two mathematically related keys: a private key and a public key. The private key stays private, while the public key can be shared openly. Anyone can use the public key to verify that you authorized a transaction signed with the private key, but no one can use a public key to recreate the private key.

This relationship between private and public keys is asymmetric and one-way. Deriving the public key from the private key is a fast computation, taking milliseconds. Running that process in reverse (recovering the private key from the public key) is so computationally difficult that it would require more computation than any existing hardware could perform before the sun burns out.

This is why Bitcoin ownership can be proved to anyone on the network without ever disclosing the private key. The network verifies the proof. The key stays hidden.


What Does a Bitcoin Public Key Look Like?

A Bitcoin public key is a point on an elliptic curve, which is explained in greater detail below. In the form most wallets use, it is stored as 33 bytes and displayed as a 66-character hexadecimal string that begins with either 02 or 03. A key in this format might look like this:

02a1b2c3d4e5f6a5b8c9d0e1f2a3b4c5d6e2f1a9b0c1d2e3f4a5a6c7d8e9f0a1b2

FOR ILLUSTRATION ONLY. The above is not a real public key.

The 02 or 03 prefix encodes one piece of information about where on the curve this point sits, specifically whether the y-coordinate is even or odd. The x-coordinate plus that one-bit flag is enough to reconstruct the full point. Modern wallets have used compressed keys since around 2012. An older uncompressed format exists, beginning with 04 and running 65 bytes, but it is now rare.

Public keys have five properties worth understanding clearly:

  1. Deterministic. The same private key always produces the same public key. This reproducibility is what makes wallet recovery work. A wallet restored from seed always generates the same keys.
  2. One-way. The derivation cannot be reversed. Given a public key, recovering the private key requires solving the elliptic curve discrete logarithm problem, an operation with no known efficient algorithm.
  3. Curve-specific. Every Bitcoin public key is a point on secp256k1, the specific curve Bitcoin uses. The format is not interchangeable with public keys from other cryptographic systems. Wallet software, signing devices, and the Bitcoin network all have to agree on the same curve for signatures to be valid.
  4. Safe to share. The public key reveals nothing about the private key. Sharing it does not confer any spending capability and does not compromise the private key.
  5. Verifiable. Anyone with the public key can independently verify a digital signature produced by the corresponding private key, without needing any private information.

Each of these five properties is a consequence of how Bitcoin derives public keys from private keys using elliptic curve mathematics.


How Does Elliptic Curve Cryptography Work in Bitcoin?

An "elliptic curve" is a specific class of mathematical equation that produces a curve with properties useful for cryptography. Points on the curve can be added together in a well-defined way, and that addition operation is hard to reverse.

Bitcoin uses a specific elliptic curve called secp256k1. It is defined by a set of shared parameters (a field prime, a curve equation, a base point, and a curve order) that are the same for every Bitcoin key pair in existence. When your wallet generates a key pair, it uses these exact parameters. Deriving a public key from a private key works through an operation called point multiplication.

The Clock Analogy

One way to picture it is to imagine a clock hand fixed at a starting position, like 6 o'clock, and rotated by a number of hours equal to the private key. Where it lands is the public key. Unlike a real clock with 12 positions, the curve has approximately 10⁷⁷ possible points, and the "hours" (steps) are abstract mathematical operations rather than discrete ticks. Knowing the starting position and the destination gives no practical way to determine how many steps were taken, just as seeing a hand that started and ended at 6 o'clock tells you nothing about how many full rotations it made in between.

The actual mathematics is considerably more complex, but the one-way property holds throughout. The wallet starts with a known base point on the curve and multiplies it by the private key. The result is another point on the curve. That point is the public key.

The one-way property of this operation is what makes the system secure. Given a starting point and a resulting point, recovering the scalar multiplier is the elliptic curve discrete logarithm problem. No efficient algorithm for solving it is known. With secp256k1's parameters, an attacker would need to attempt on the order of 2¹²⁸ operations to recover a private key from its public key, a number so large it is beyond any realistic computational attack.

The practical result is that a 256-bit private key produces a 33-byte compressed public key (or a 65-byte uncompressed one). Anyone who receives the public key can verify signatures produced by the private key. No one who receives the public key can work backwards to find the private key.

The private key's one-way relationship to the public key is what makes digital signatures possible.


What is a Digital Signature?

Think of a digital signature like a wax seal on a letter, except the seal is mathematically unforgeable and uniquely tied to the exact content of the letter. If even one word changes, the seal no longer matches.

More precisely, a digital signature is a piece of data produced by combining a private key with the specific content being signed. In Bitcoin's case, that content is a transaction. The signature proves that the holder of a specific private key authorized this specific transaction, without revealing what the private key is.

What a signature proves and what it does not reveal are both important. It proves the private key was used to sign this specific transaction, while revealing nothing about what that key is. The signature is mathematically derived from the private key and the transaction data, but neither can be extracted from the result.

Signatures are One-Time Use

The signature cannot be reused or applied to new transactions. Signing a different transaction with the same key produces a completely different signature, so a signature cannot be reapplied to another transaction, copied to a different input, or transferred to a different address. Each signing operation produces a unique result.

Verification of signatures is open and simple. Anyone with the public key and the transaction data can quickly check whether the signature is valid. They apply a verification algorithm using only the public key, and the algorithm either confirms or rejects the signature.

What this means in practice is that a signing device can prove to every node on the Bitcoin network that it holds the private key, without ever transmitting that key. The key stays inside the device. The proof travels across the network. The two never have to be in the same place.


How Does Bitcoin Use Signatures to Verify Transactions?

When you send bitcoin, the transaction goes through a defined sequence. The wallet constructs the transaction, the private key signs it, and the signature is included in the transaction data that gets broadcast to the network.

Every node on the network that receives the transaction independently verifies the signature before accepting it. The process is the same at every node. Extract the public key from the transaction, apply the verification algorithm to the signature and the transaction data, and accept or reject based on the result.

This is how Bitcoin enforces ownership without any central authority. Every node on the network is running compatible software and applies the same cryptographic verification to reach the same conclusion. A valid signature means a valid transaction and an invalid signature means the transaction is rejected.

At the protocol level, every unspent transaction output has a condition attached to it. To spend it, the spending transaction must include a valid signature matching the specified public key. The signature satisfies the condition. Most transactions today use P2WPKH (SegWit) or P2TR (Taproot) formats. The article "What is a Bitcoin address?" covers how these address types are structured.
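As an added example (not code from the original article), here is a minimal pure-Python secp256k1 implementation tying together the public key section above and the signing flow just described: point multiplication derives the public key from a private scalar, the 02/03 compression and its reversal show that the x-coordinate plus a parity bit rebuilds the point, and an ECDSA sign/verify pair shows that verification needs only the public key and fails if a single byte of the signed data changes. The private key, nonce and message bytes used with it are constructed values, and the signing nonce is passed in explicitly rather than derived deterministically as real wallets do.

```python
import hashlib
# secp256k1 domain parameters: the shared constants every Bitcoin key pair uses
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)  # base point

def add(p1, p2):
    """Point addition on y^2 = x^3 + 7 (mod P); None is the point at infinity."""
    if p1 is None: return p2
    if p2 is None: return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None          # p1 == -p2
    if p1 == p2: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent (doubling)
    else:        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P   # chord
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def mul(k, pt):
    """Scalar multiplication by double-and-add: fast forward, infeasible to invert."""
    r = None
    while k:
        if k & 1: r = add(r, pt)
        pt, k = add(pt, pt), k >> 1
    return r

def pubkey(priv): return mul(priv, G)     # public key = private scalar * base point
def compress(pt):                          # prefix 02 (even y) or 03 (odd y) + 32-byte x
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def decompress(b):                         # x plus the parity bit rebuilds the point
    x = int.from_bytes(b[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)   # sqrt mod P, valid since P % 4 == 3
    return (x, y if (y & 1) == (b[0] & 1) else P - y)

def sign(priv, msg, nonce):
    """ECDSA over sha256(msg). nonce must be secret and never reused across messages."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    r = mul(nonce, G)[0] % N
    s = pow(nonce, -1, N) * (z + r * priv) % N
    return (r, s)

def verify(pub, msg, sig):
    """Needs only the public key and the signed bytes; any node can run this."""
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = add(mul(z * w % N, G), mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r
```

This uses Python big integers with no constant-time arithmetic, so it is for understanding the math, not for handling real keys.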


What is Schnorr Signing and Why Does it Matter?

Bitcoin used a single signing algorithm, ECDSA, from its launch until November 2021. ECDSA worked well, but it had limitations. ECDSA signatures are relatively large, each signing operation is independent, and a multisignature transaction is visibly distinguishable on-chain from a single-key transaction. Sophisticated observers can tell when a transaction required multiple signers.

The Taproot upgrade introduced Schnorr signatures as an alternative, specified in BIP340. Schnorr signatures are smaller and have a property ECDSA lacks: they aggregate linearly. Multiple keys can combine their signing operations into a single signature that looks, on-chain, the same as a single-key signature.

For multisignature setups, this matters in two ways.

  1. Efficiency. For a 2-of-3 multisig transaction, the participants can combine their contributions into one signature before broadcasting.
  2. Privacy. The resulting transaction is indistinguishable from a single-key spend, meaning that on-chain indications do not reveal that multiple keys were involved.

Taproot addresses begin with "bc1p" and use the P2TR format. Taproot transactions use Schnorr signing. ECDSA transactions continue to work for older address types, so both algorithms remain valid.
