Bitcoin address generation can be split in 4 steps listed bellow:
- Generating a secure private key.
- Calculate the public key from the private key.
- Encode the public key as a bitcoin address.
- Encode the private key in the WIF format.
Step 1: Generate ECDSA Keypair
The very first step is to select a good and secure number, for this example we won’t use one, instead we will simply get the random from the system. An example why is important a good and secure random number is written in this post about cracking some bitcoin private keys, the bug isn’t located in the key generation, but in the random used to sign the transactions, but the point is the same, weak PRNG (Pseudo-random number generators) can put everything in risk.
Using this PRNG can be done with:
randomBytes = os.urandom(32)
Step 2: Calculate the public key
Since bitcoin uses spec256k1 the only thing that we need to do is multiply it by the initial point in the curve by the private key to obtain the public key.
Next step is to convert the key to a byte array and hash it, first with
SHA-256 then with RIPEMD-160. Then we prepend the hashed public key with
0x00 if the target network is the mainnet, if the address generated meant to
be used in the testnet
0x6f must be prepended.
SPEC256k1 = Point() pk = int.from_bytes(privkey, "big") hash160 = ripemd160(sha256((SPEC256k1 * pk).toBytes())) address = b"\x00" + hash160
Then the only thing left to add in the address it the checksum, it is appended to the address and is the last 4 bytes of the double SHA-256 of the address calculated above.
address = b58(address + sha256(sha256(address))[:4])
Then just encode the key bytes to base58 and you have your Bitcoin address !
Public key compression
When representing the public key as a number is possible to compress it
considering that the key is $x$ and $y$ in the eliptic curve and since we have
the equation, and given an $x$ value, there is only two values for $y$ possible.
So to compress a public key, if $y$ is odd,
0x03 is appended to the $x$ value,
0x02 is appended.
Step 4: Encode the private key in the WIF format
To create a WIF () key from the private key bytes is far simples than the
previous steps, first prepend the byte
0x80 to the wif, then append the
private key bytes. After, append the checksum, that is the last 4 bytes of the
double SHA-256 of the partial wif key that we already have calculated.
wif = b"\x80" + privkey wif = b58(wif + sha256(sha256(wif))[:4]) return wif
This is a reference script, it depends on Python 3 to run and is self contained, it means no external dependencies are required to run it. One example of its output:
$ ./bitcoin-address-generator.py Address: 18jJh1kSPJqbXtMB51SyczgcHL1drkDgxV Privkey: 5JTEF3GHpDAin1caVqfznHU8T1jscHVVD5SMFALBTC4no2J4DqX
import os import hashlib def sha256(data): digest = hashlib.new("sha256") digest.update(data) return digest.digest() def ripemd160(x): d = hashlib.new("ripemd160") d.update(x) return d.digest() def b58(data): B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz" if data == 0: return "1" + b58(data[1:]) x = sum([v * (256 ** i) for i, v in enumerate(data[::-1])]) ret = "" while x > 0: ret = B58[x % 58] + ret x = x // 58 return ret class Point: def __init__(self, x=0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798, y=0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8, p=2**256 - 2**32 - 2**9 - 2**8 - 2**7 - 2**6 - 2**4 - 1): self.x = x self.y = y self.p = p def __add__(self, other): return self.__radd__(other) def __mul__(self, other): return self.__rmul__(other) def __rmul__(self, other): n = self q = None for i in range(256): if other & (1 << i): q = q + n n = n + n return q def __radd__(self, other): if other is None: return self x1 = other.x y1 = other.y x2 = self.x y2 = self.y p = self.p if self == other: l = pow(2 * y2 % p, p-2, p) * (3 * x2 * x2) % p else: l = pow(x1 - x2, p-2, p) * (y1 - y2) % p newX = (l ** 2 - x2 - x1) % p newY = (l * x2 - l * newX - y2) % p return Point(newX, newY) def toBytes(self): x = self.x.to_bytes(32, "big") y = self.y.to_bytes(32, "big") return b"\x04" + x + y def getPublicKey(privkey): SPEC256k1 = Point() pk = int.from_bytes(privkey, "big") hash160 = ripemd160(sha256((SPEC256k1 * pk).toBytes())) address = b"\x00" + hash160 address = b58(address + sha256(sha256(address))[:4]) return address def getWif(privkey): wif = b"\x80" + privkey wif = b58(wif + sha256(sha256(wif))[:4]) return wif if __name__ == "__main__": randomBytes = os.urandom(32) print("Address: " + getPublicKey(randomBytes)) print("Privkey: " + getWif(randomBytes))