published on
tags: cryptography eliptic curves bitcoin python

Bitcoin address generation in pure python

Bitcoin address generation can be split in 4 steps listed bellow:

  • Generating a secure private key.
  • Calculate the public key from the private key.
  • Encode the public key as a bitcoin address.
  • Encode the private key in the WIF format.

Step 1: Generate ECDSA Keypair

The very first step is to select a good and secure number, for this example we won’t use one, instead we will simply get the random from the system. An example why is important a good and secure random number is written in this post about cracking some bitcoin private keys, the bug isn’t located in the key generation, but in the random used to sign the transactions, but the point is the same, weak PRNG (Pseudo-random number generators) can put everything in risk.

Using this PRNG can be done with:

    randomBytes = os.urandom(32)

Step 2: Calculate the public key

Since bitcoin uses spec256k1 the only thing that we need to do is multiply it by the initial point in the curve by the private key to obtain the public key.

Next step is to convert the key to a byte array and hash it, first with SHA-256 then with RIPEMD-160. Then we prepend the hashed public key with 0x00 if the target network is the mainnet, if the address generated meant to be used in the testnet 0x6f must be prepended.

SPEC256k1 = Point()
pk = int.from_bytes(privkey, "big")
hash160 = ripemd160(sha256((SPEC256k1 * pk).toBytes()))
address = b"\x00" + hash160

Checksum

Then the only thing left to add in the address it the checksum, it is appended to the address and is the last 4 bytes of the double SHA-256 of the address calculated above.

address = b58(address + sha256(sha256(address))[:4])

Then just encode the key bytes to base58 and you have your Bitcoin address !

Public key compression

When representing the public key as a number is possible to compress it considering that the key is $x$ and $y$ in the eliptic curve and since we have the equation, and given an $x$ value, there is only two values for $y$ possible. So to compress a public key, if $y$ is odd, 0x03 is appended to the $x$ value, else, 0x02 is appended.

Step 4: Encode the private key in the WIF format

To create a WIF () key from the private key bytes is far simples than the previous steps, first prepend the byte 0x80 to the wif, then append the private key bytes. After, append the checksum, that is the last 4 bytes of the double SHA-256 of the partial wif key that we already have calculated.

wif = b"\x80" + privkey
wif = b58(wif + sha256(sha256(wif))[:4])
return wif

Source code

This is a reference script, it depends on Python 3 to run and is self contained, it means no external dependencies are required to run it. One example of its output:

$ ./bitcoin-address-generator.py 
Address: 18jJh1kSPJqbXtMB51SyczgcHL1drkDgxV
Privkey: 5JTEF3GHpDAin1caVqfznHU8T1jscHVVD5SMFALBTC4no2J4DqX
import os
import hashlib


def sha256(data):
    digest = hashlib.new("sha256")
    digest.update(data)
    return digest.digest()


def ripemd160(x):
    d = hashlib.new("ripemd160")
    d.update(x)
    return d.digest()


def b58(data):
    B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

    if data[0] == 0:
        return "1" + b58(data[1:])

    x = sum([v * (256 ** i) for i, v in enumerate(data[::-1])])
    ret = ""
    while x > 0:
        ret = B58[x % 58] + ret
        x = x // 58

    return ret


class Point:
    def __init__(self,
        x=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
        y=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
        p=2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1):
        self.x = x
        self.y = y
        self.p = p

    def __add__(self, other):
        return self.__radd__(other)

    def __mul__(self, other):
        return self.__rmul__(other)

    def __rmul__(self, other):
        n = self
        q = None

        for i in range(256):
            if other & (1 << i):
                q = q + n
            n = n + n

        return q

    def __radd__(self, other):
        if other is None:
            return self
        x1 = other.x
        y1 = other.y
        x2 = self.x
        y2 = self.y
        p = self.p

        if self == other:
            l = pow(2 * y2 % p, p-2, p) * (3 * x2 * x2) % p
        else:
            l = pow(x1 - x2, p-2, p) * (y1 - y2) % p

        newX = (l ** 2 - x2 - x1) % p
        newY = (l * x2 - l * newX - y2) % p

        return Point(newX, newY)

    def toBytes(self):
        x = self.x.to_bytes(32, "big")
        y = self.y.to_bytes(32, "big")
        return b"\x04" + x + y


def getPublicKey(privkey):
    SPEC256k1 = Point()
    pk = int.from_bytes(privkey, "big")
    hash160 = ripemd160(sha256((SPEC256k1 * pk).toBytes()))
    address = b"\x00" + hash160

    address = b58(address + sha256(sha256(address))[:4])
    return address


def getWif(privkey):
    wif = b"\x80" + privkey
    wif = b58(wif + sha256(sha256(wif))[:4])
    return wif


if __name__ == "__main__":
    randomBytes = os.urandom(32)
    print("Address: " + getPublicKey(randomBytes))
    print("Privkey: " + getWif(randomBytes))

References