How Bitcoin Works: Cryptographic Identity

CertiK | Sept 4, 2019


Series written by Maxwell Foley, Software Engineer at CertiK

Previously, we discussed the basics of the Blockchain structure.

Today, we’re going to tackle the tension of the system — how you can be safe and anonymous, yet transparent and clear.

How can we preserve privacy and do the equivalent of securely “logging into” Bitcoin, when there is no central server to log into? And how can that information be public and clear for the community?

The centralized solution to this is as classic as the lock and key: the username and password system. As with your online banking portfolio, you have a public username and a private password between you and the server.

***

Bitcoin employs cryptography to make this even safer: namely, to create a system where no server is required to check your password — and you never have to share it with anyone in the world. Instead of a password, you have a private key, and instead of a username you have a public key.

Private keys can’t be derived from public keys: you can tell whomever you want your public key, and your private key will remain secret.

The quality that makes Bitcoin’s privacy special is this: you can “sign” any piece of data in a way that tells people that only the person who knows the private key corresponding to a certain public key could possibly have made that signature.

Digital, instant signing gives you maximum security while also allowing the universal transparency that a public ledger requires in a decentralized world.

Let’s illustrate a situation outside of Bitcoin where you might want to use this technology. Imagine that I am the owner of a private cryptocurrency fund — one where I want to both preserve my privacy while being clear and authentic to my investors.

How can I be verified and private?

Twitter’s centralized solution to this is to let you contact a customer relations person who will verify your ID and face and give you a “blue check mark” on your profile. But if you want to be private, this solution is impossible.

What I can do instead is publish my public key somewhere on my marketplace, so that any message I post can be checked against it. Then I would sign each message with my private key and post the signature along with the message.

The signature is just a long random-looking string of letters and numbers, but you can run it, my message, and my public key together through a “magic” function to prove that it’s valid.

Now anyone can verify my identity as the owner of a certain private key — all while remaining fully anonymous.

Bitcoin uses this exact same principle; it’s just that the messages you’re signing are the transactions you send.

When you want to receive Bitcoin, you have to give the sender your address, and your address is what they specify when submitting a transaction in order to declare who the payment is for.

Also, as a note: while your address is the equivalent of a Bitcoin username, it’s not simply your public key, but instead your public key run through a second function called a “hash,” which provides an extra layer of security.

Bitcoin addresses, public keys, and private keys look something like this: 1JryTePceSiWVpoNBU8SbwiT7J4ghzijzW.

To an outsider, it might look bizarre and frightening, but this jumble is simply a very large number written in Base-58, an encoding that keeps a deeply complicated address short enough to pass around.

So when you’re running the Bitcoin software, you tell it your private key, or if you’re using it for the first time, it will generate a random one for you. Be sure to write it down and store it safely somewhere — if it’s lost, it’s lost!

The software is then able to scan the blockchain for funds at the address that corresponds to your private key, and thereby display your balance to you. When you send transactions, it broadcasts them signed, alongside your public key, in order to prove that only you could have spent those funds.

There are some problems with this system.

The first is that if someone figures out your private key, they can steal all of your funds instantly, and you have absolutely no recourse when it comes to getting them back.

The second is that if you lose or forget your private key, there is no way you will ever be able to access your money again. This happens tragically often — it’s estimated that roughly a quarter of all Bitcoin in existence today have been lost.

Actually, these are not problems with private key cryptography at all. They are problems with the nature of a decentralized network. Since there is no server anywhere storing your private key, there is no one you can ask to give it back to you if you lose it. Since no one can censor, block, or reverse your payments, no one can stop the payments a thief makes from your account either. Removing authority means removing authority — there is no one who is going to come save you if you’re not keeping your funds safe. You must assume that responsibility yourself. All the security and protection that a bank may give your money is entirely on you to provide now.

What if someone guesses your private key?

It won’t happen, assuming you generate your private key randomly and don’t do something idiotic like using a number such as 696969696969 or 3. A valid private key is a number between 0 and 2²⁵⁶, which means that the odds of someone randomly guessing your private key are 1 in 115,792,089,237,316,195,423,570,985,008,687,907,853,269,984,665,640,564,039,457,584,007,913,129,639,936.

Calling this “astronomical” odds is appropriate, because it’s roughly on par with the number of atoms in the known universe.

What about if they use a supercomputer to guess your private key?

Well, let’s say this supercomputer can guess and test private keys at a rate of one billion per second. Now, let’s pretend this supercomputer has been existing and running since the Big Bang itself — essentially, it has run through the entire history of time.

That computer would have guessed about 409,968,000,000,000,000,000,000,000 private keys by now.

Let’s quadruple the strength of our computer, just for fun — pretend it actually runs at the rate of four billion private keys guessed every second, across the history of all time — and then pretend it has been around for twice as long as all existence, doubling the count again.

That would give them a 1 in 282,441,774,083,138,672,831,955,140,422,393,718,176,223,472,723,823 chance of having guessed your private key.

The result of all that safety? A more secure and clearer economic system built on the Blockchain — with clarity, transparency and fairness for all who use it.

***

Stay tuned for Part 3 on Blockchain and Mining!