How Public Keys Derive into Addresses
How Public Keys Derive into Addresses
In Bitcoin, you do not publish your raw public key to receive payments. Instead, you share a shortened, secure representation of your key called an address.
An address is a hashed public key containing built-in checksums to prevent typos and human spelling errors.
️ The Cryptographic Derivation Pipeline (P2PKH)
To transform a raw public key into a standard legacy Base58Check address, Bitcoin performs a series of precise cryptographic steps:
┌──────────────────────────────────────┐
│ Public Key Coordinate (K) │ (33-Byte Compressed Key)
└──────────────────┬───────────────────┘
│
▼ [ SHA-256 Hash ]
┌──────────────────────────────────────┐
│ SHA-256 Hash │ (32 Bytes)
└──────────────────┬───────────────────┘
│
▼ [ RIPEMD-160 Hash ]
┌──────────────────────────────────────┐
│ Hash160 │ (20-Byte Payload)
└──────────────────┬───────────────────┘
│
▼ [ Prepend Version Prefix ]
┌──────────────────────────────────────┐
│ Version Prefix + Hash160 │ (21 Bytes)
└──────────────────┬───────────────────┘
├───────────────────────────────────┐
│ ▼ [ Double SHA-256 ]
│ ┌───────────────────────────────────┐
│ │ Double SHA-256 Hash │
│ └─────────────────┬─────────────────┘
│ ▼ [ Take First 4 Bytes ]
│ ┌───────────────────────────────────┐
│ │ 4-Byte Checksum │
│ └─────────────────┬─────────────────┘
│ │
▼ ▼
┌────────────────────────────────────────────────────────────────────────────┐
│ Version Prefix + Hash160 + Checksum │ (25 Bytes)
└──────────────────────────────────┬─────────────────────────────────────────┘
│
▼ [ Base58 Encoding ]
┌────────────────────────────────────────────────────────────────────────────┐
│ Legacy Base58Check Address │ (Starts with "1")
└────────────────────────────────────────────────────────────────────────────┘
Step-by-Step Address Calculation
Let's break down each block of the derivation pipeline:
1. The Hashing Phase (Hash160)
We hash the compressed public key $(K)$ using two different hashing functions:
-
SHA-256: $SHA256(K)$
-
RIPEMD-160: $RIPEMD160(SHA256(K)) \rightarrow \mathbf{Hash160}$
This dual-hash process yields a 20-byte (160-bit) string. RIPEMD-160 is used because it reduces the length of the coordinate data significantly, resulting in a shorter address.
2. Prepended Version Byte
To specify the network and format of the address, a prefix byte is prepended:
-
0x00for Mainnet Legacy P2PKH (starts with "1"). -
0x05for Mainnet Nested P2SH (starts with "3"). -
0x1111(Decimal) formats for various testnets.
3. Creating the 4-Byte Checksum
To protect against typos, we calculate a checksum of the 21-byte payload:
$$Checksum = \text{First 4 bytes of } SHA256(SHA256(\text{Prefix} \parallel \text{Hash160}))$$
We append these 4 bytes to the end of our payload, resulting in a 25-byte serialized array.
4. Base58 Encoding
Finally, we encode the 25 bytes using the Base58 alphabet.
- Preventing Ambiguity: Standard Base64 uses letters like
0(zero),O(capital o),I(capital i), andl(lowercase L). These look identical in many fonts and lead to severe transcription errors. Base58 explicitly removes these four confusing characters, keeping human transcription completely safe!
⚡ The Modern Alternative: Bech32 (SegWit)
While legacy addresses use Base58Check, native SegWit addresses (starting with bc1q) utilize a modern format called Bech32 (defined in BIP 173).
Bech32 provides significant improvements over legacy addresses:
-
Single-Case Alphabet: Bech32 uses lowercase letters and numbers only, making it much easier to dictate or type.
-
Error Correction: Bech32 uses a highly advanced BCH error-correcting code. If a user mistypes 1 or 2 characters in a Bech32 address, the wallet software can mathematically pinpoint exactly where the error occurred and prevent the funds from being lost.
TeachMeBitcoin is an ad-free, open-source educational repository curated by a passionate team of Bitcoin researchers and educators for public benefit. If you found our articles helpful, please consider supporting our hosting and ongoing content updates with a clean donation: