# Chapter 1: Private Keys, Public Keys, and Address Encoding

**Reference**: `examples/ch01_keys_and_addresses.py`, `code/chapter01/` ¬∑ **Last Updated**: 2025-12-05

---

Understanding Bitcoin's cryptographic foundation is essential before diving into Taproot. This chapter covers private keys, public keys, and address generation‚Äîthe building blocks of all transactions.

In [None]:
# Chapter environment (load once, reuse in subsequent code cells)
from btcaaron import Key, TapTree
from bitcoinutils.setup import setup
from bitcoinutils.keys import PrivateKey, P2shAddress, P2wpkhAddress
from bitcoinutils.script import Script

## The Cryptographic Hierarchy

Bitcoin's security is built on a one-way chain:

```
Private Key (256-bit) ‚Üí Public Key (ECDSA point) ‚Üí Address (encoded hash)
```

Each layer has a clear purpose:

- **Private keys**: Prove ownership, used for signing
- **Public keys**: Verify signatures, authorize payments
- **Addresses**: Convenient for receiving, while hiding public keys

## Private Keys: The Foundation of Ownership

A Bitcoin private key is a 256-bit random integer used to prove ownership. How large is 2^256? More than all atoms in the observable universe.

### Generating Private Keys

Using `btcaaron` concise API (this book's example library):

In [3]:
# Example 1: Generate private key (btcaaron)
# Reference: examples/ch01_keys_and_addresses.py

alice = Key.from_wif("cPeon9fBsW2BxwJTALj3hGzh9vm8C52Uqsce7MzXGS1iFJkPF4AT")
print(f"Private Key (WIF): {alice.wif}")

Private Key (WIF): cPeon9fBsW2BxwJTALj3hGzh9vm8C52Uqsce7MzXGS1iFJkPF4AT


**Sample output:**

```
Private Key (HEX): e9873d79c6d87dc0fb6a5778633389dfa5c32fa27f99b5199abf2f9848ee0289
Private Key (WIF): L1aW4aubDFB7yfras2S1mN3bqg9w3KmCPSM3Qh4rQG9E1e84n5Bd
```

The hexadecimal representation contains 64 characters (4 bits each), totaling 256 bits or 32 bytes. This format is mathematically precise but not ideal for storage or import/export.

### Wallet Import Format (WIF)

Wallet Import Format (WIF) uses Base58Check encoding to make private keys more practical:

- Adds checksum for error detection
- Eliminates confusing characters (0, O, I, l)
- Standardizes import/export across wallets

The WIF encoding process:

1. **Add version prefix**: `0x80` for mainnet, `0xEF` for testnet
2. **(Optional) Add compression flag**: Append 0x01 if the public key will be compressed; this changes the final Base58 prefix
3. **Calculate checksum**: Apply SHA256(SHA256(data)) and take first 4 bytes
4. **Apply Base58 encoding**: Convert to human-readable string

![WIF ÁºñÁ†ÅÊµÅÁ®ã](../../images/wif-encoding-flow.png)

*Figure 1-1: WIF encoding converts 32-byte private key to Base58Check string*

The resulting WIF string has distinctive prefixes:

- **L** or **K**: Mainnet private keys
- **c**: Testnet private keys

## Public Keys: Cryptographic Verification Points

A public key is a point on the secp256k1 elliptic curve, derived from the private key via elliptic curve multiplication. The math is complex but the code is simple.

### ECDSA and secp256k1

Bitcoin uses the secp256k1 curve for ECDSA. The curve is defined by:

```
y¬≤ = x¬≥ + 7
```

![secp256k1 Ê§≠ÂúÜÊõ≤Á∫ø](../../images/Secp256k1.png)

*Figure 1-2: secp256k1 elliptic curve used by Bitcoin*

Without diving into the math, understand:

- Each private key `k` generates a unique point `(x, y)` on the curve
- This relationship is computationally irreversible
- The curve's mathematical properties ensure security

### Compressed vs Uncompressed Public Keys

Public keys can be represented in two formats:

**Uncompressed format (65 bytes):**

```
04 + x-coordinate (32 bytes) + y-coordinate (32 bytes)
```

**Compressed format (33 bytes):**

```
02/03 + x-coordinate (32 bytes)
```

Why compress? The elliptic curve property: given x-coordinate and y-parity, the full y can be derived:

- `02` prefix: y-coordinate is even
- `03` prefix: y-coordinate is odd

In [9]:
# Example 2: Generate public key + X-only (btcaaron)
# Reference: examples/ch01_keys_and_addresses.py

# Compressed (33 bytes) and x-only (32 bytes) public keys
print(f"Compressed (33 bytes): {alice.pubkey}")
print(f"X-only (32 bytes):     {alice.xonly}")
print(f"Verify: x-only = compressed pubkey minus 02/03 prefix ‚Üí {alice.pubkey[2:]} == {alice.xonly}")

Compressed (33 bytes): 02898711e6bf63f5cbe1b38c05e89d6c391c59e9f8f695da44bf3d20ca674c8519
X-only (32 bytes):     898711e6bf63f5cbe1b38c05e89d6c391c59e9f8f695da44bf3d20ca674c8519
È™åËØÅ: x-only = ÂéãÁº©ÂÖ¨Èí•ÂéªÊéâ 02/03 ÂâçÁºÄ ‚Üí 898711e6bf63f5cbe1b38c05e89d6c391c59e9f8f695da44bf3d20ca674c8519 == 898711e6bf63f5cbe1b38c05e89d6c391c59e9f8f695da44bf3d20ca674c8519


**Sample output:**

```
Compressed:   0250be5fc44ec580c387bf45df275aaa8b27e2d7716af31f10eeed357d126bb4d3
Uncompressed: 0450be5fc44ec580c387bf45df275aaa8b27e2d7716af31f10eeed357d126bb4d3...
```

Modern Bitcoin software uses only compressed public keys‚Äîsmaller and equally secure.

### X-Only Public Keys: Taproot's Innovation

Taproot introduces **x-only public keys**‚Äîonly the x-coordinate (32 bytes), no y-parity. Benefits:

- Smaller transactions
- Faster verification
- Enables key aggregation

In [5]:
# Example 3: Taproot X-Only public key (reusing alice from examples 1/2)
print(f"Taproot X-only public key (32 bytes): {alice.xonly}")

Taproot X-only ÂÖ¨Èí• (32 bytes): 898711e6bf63f5cbe1b38c05e89d6c391c59e9f8f695da44bf3d20ca674c8519


This is key to Taproot's efficiency gains; we'll detail it in later chapters.

## Address Generation: From Public Key to Payment Destination

Bitcoin addresses are **not** public keys‚Äîthey are encoded hashes of public keys. Benefits:

- **Privacy**: Public key hidden until spending
- **Post-quantum resistance**: Hash adds extra protection
- **Error detection**: Encoding includes checksum

### Address Generation Process

Address generation follows a similar pattern:

1. **Hash the public key**: SHA256 then RIPEMD160 (Hash160)
2. **Add version byte**: Indicates address type
3. **Add checksum**: For input error detection
4. **Encode**: To Base58Check or Bech32 string

![‰º†Áªü Bitcoin Âú∞ÂùÄÊµÅÁ®ã](../../images/Bitcoin_address_legacy.png)

*Figure 1-3: Traditional Bitcoin address generation flow*

In [8]:
# Example 4: Generate different address types
# Legacy/SegWit/P2SH: bitcoinutils | Taproot: btcaaron

setup('mainnet')
priv = PrivateKey()
pub = priv.get_public_key()

# Legacy / SegWit / P2SH-P2WPKH (bitcoin-utils)
legacy_address = pub.get_address()
segwit_native = pub.get_segwit_address()
segwit_p2sh = P2shAddress.from_script(segwit_native.to_script_pub_key())

# Taproot: btcaaron one-liner
program = TapTree(internal_key=Key.from_wif(priv.to_wif())).build()

print(f"Legacy (P2PKH):     {legacy_address.to_string()}")
print(f"SegWit Native:      {segwit_native.to_string()}")
print(f"SegWit P2SH:        {segwit_p2sh.to_string()}")
print(f"Taproot (P2TR):     {program.address}")

Legacy (P2PKH):     1C45GpJKoBMpJfHdfVu1uL2zR7CSkjDFCQ
SegWit Native:      bc1q0ylr9w4nu0gth8uv7wd6l5mn22xcyda2l7pntm
SegWit P2SH:        3Ps5zqeRr6jojKxdESWP3FxA5sotUNd8fD
Taproot (P2TR):     bc1pf2jessjqdpzmjm2nkhxqksurq3uf7mst6pn53x0ndwnlwrg5jlcsyllyjw


**Sample output:**

```
Legacy (P2PKH):     1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
SegWit Native:      bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kygt080
SegWit P2SH:        3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy
Taproot (P2TR):     bc1p53ncq9ytax924ps66z6al3wfhy6a29w8h6xfu27xem06t98zkmvsakd43h  (~62 chars)
```

## Address Types and Encoding Formats

### Base58Check Encoding

Base58Check for legacy addresses‚Äîeliminates confusing characters and includes checksum:

**Excluded characters:** `0`ÔºàÈõ∂Ôºâ„ÄÅ`O`ÔºàÂ§ßÂÜô oÔºâ„ÄÅ`I`ÔºàÂ§ßÂÜô iÔºâ„ÄÅ`l`ÔºàÂ∞èÂÜô LÔºâ

**P2PKH (Pay-to-Public-Key-Hash):**

- Prefix: `1`
- Format: Base58Check ÁºñÁ†Å
- Usage: Original Bitcoin address format
- Example: `1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa`

**P2SH (Pay-to-Script-Hash):**

- Prefix: `3`
- Format: Base58Check ÁºñÁ†Å
- Usage: Multi-signature and wrapped SegWit addresses
- Example: `3J98t1WpEZ73CNmQviecrnyiWrnqRhWNLy`

### Bech32 Encoding: SegWit's Innovation

Bech32 was introduced with SegWit‚Äîbetter error detection:

**P2WPKH (Pay-to-Witness-Public-Key-Hash):**

- Prefix: `bc1q`
- Format: Bech32 ÁºñÁ†Å
- Advantages: Lower fees, better error detection
- Example: `bc1qw508d6qejxtdg4y5r3zarvary0c5xw7kygt080`

### Bech32m Encoding: Taproot's Enhancement

Taproot uses Bech32m, an improved Bech32:

**P2TR (Pay-to-Taproot):**

- Prefix: `bc1p`
- Format: Bech32m ÁºñÁ†Å
- Advantages: Enhanced privacy, script flexibility
- Example: `bc1p53ncq9ytax924ps66z6al3wfhy6a29w8h6xfu27xem06t98zkmvsakd43h`(~62 chars)

## Address Format Comparison

| Address Type | Encoding | Data Size | Address Length | Prefix | Primary Use Case |
| --- | --- | --- | --- | --- | --- |
| **P2PKH** | Base58Check | 25 bytes | ~34 chars | `1...` | Legacy payments |
| **P2SH** | Base58Check | 25 bytes | ~34 chars | `3...` | Multi-sig, wrapped SegWit |
| **P2WPKH** | Bech32 | 21 bytes | 42-46 chars | `bc1q...` | SegWit payments |
| **P2TR** | Bech32m | 33 bytes | 58-62 chars | `bc1p...` | Taproot payments |

In [7]:
# Example 5: Verify address formats (brief)
# Reference: code/chapter01/05_verify_addresses.py

setup('mainnet')
priv = PrivateKey()
pub = priv.get_public_key()
legacy = pub.get_address()
segwit = pub.get_segwit_address()
taproot = pub.get_taproot_address()
print(f"P2PKH:  {len(legacy.to_string())} chars | P2WPKH: {len(segwit.to_string())} chars | P2TR: {len(taproot.to_string())} chars")
print(f"P2TR ScriptPubKey: OP_1 + 32B x-only = {len(taproot.to_script_pub_key().to_hex())//2} bytes")


P2PKH:  34 chars | P2WPKH: 42 chars | P2TR: 62 chars
P2TR ScriptPubKey: OP_1 + 32B x-only = 34 bytes


Address encoding has many details‚Äîversion bytes, checksums, different encodings‚Äîbut one core idea:

üëâ Addresses are for humans. They're just friendly representations of locking scripts (scriptPubKey); the protocol doesn't need them.

The prefix (1, 3, bc1q, bc1p) reveals the script. Nodes don't see 'addresses'‚Äîonly scripts.

Later chapters focus on what matters: the scriptPubKey behind each address type. That's where the logic lives‚ÄîBitcoin Script and programmability. Infer the script behind an address to understand how it's spent.

## Derivation Model

Understanding the full derivation from private key to address is important. The diagram shows the flow from private key to on-chain script. Users see addresses; developers must trace each step to understand how Bitcoin verifies ownership and spends.

![ÂØÜÈí•-ÂÖ¨Èí•-Âú∞ÂùÄÂÖ≥Á≥ª](../../images/TheDerivationModel.png)

*Figure 1-4: Full derivation model from private key to address*

```
Private Key (k)
    ‚Üì ECDSA multiplication
Public Key (x, y)
    ‚Üì SHA256 + RIPEMD160
Public Key Hash (20 bytes)
    ‚Üì Version + Checksum + Encoding
Address (Base58/Bech32)
  ‚Üì Decoded by wallet/node
ScriptPubKey (locking script on-chain)
```

**Security properties:**

- **Forward**: Each step is quick to compute
- **Reverse**: Each step is infeasible to reverse
- **Collision resistance**: Different pubkeys producing same address is negligible

## Practical Implications for Taproot

As we'll see, Taproot builds on these foundations:

- **X-only public keys**: Save space, enable key aggregation
- **Bech32m encoding**: Better error detection
- **Unified address appearance**: Multi-sig and single-sig look identical‚Äîbetter privacy

Mastering these encodings and key formats prepares you for Taproot's advanced features‚Äîmultiple spending conditions can hide in one address.

## Chapter Summary

This chapter covered Bitcoin's cryptographic foundation:

- ‚úÖ Private keys are 256-bit random numbers, WIF-encoded for import/export
- ‚úÖ Public keys are elliptic curve points; compressed format is standard
- ‚úÖ Addresses are encoded hashes of public keys, not pubkeys themselves
- ‚úÖ Different address types use different encodings: Base58Check, Bech32, Bech32m
- ‚úÖ Taproot introduces x-only pubkeys and Bech32m for greater efficiency

These components‚Äîkeys, hashes, encodings‚Äîare what Bitcoin Script operates on. Next chapter: how they work with Bitcoin Script‚Äîthe language that defines spending conditions and underpins Taproot.