
Public-key cryptography

The previous lesson introduced the idea of a key pair without explaining how such a thing is possible. Two keys, mathematically linked, where knowing one tells you nothing useful about the other. This lesson is about what makes that work, what specific schemes blockchains use, and why this single mathematical trick is the foundation for almost everything cryptographic that the chain actually relies on.

The problem this solves

You need a way to prove to anyone in the world that you are who you say you are, without revealing the secret that makes you "you."

That sentence is doing a lot of work. Unpack it:

  • "Prove to anyone" means the proof has to be publicly verifiable. No trusted middleman who knows your secret.
  • "Anyone in the world" means people you've never met, and people who will exist long after you stop being able to answer questions.
  • "Without revealing the secret" means the act of proving cannot leak the proof material itself. If proving costs you the secret, you can only prove once.

A password doesn't work for this. Showing your password to a verifier means they now have your password. A traditional shared key doesn't work either. You'd need to share it with every party in advance.

What you need is something asymmetric. A pair of values, mathematically linked, with these properties:

  1. One value (the secret) generates the other (the public proof token) easily.
  2. The reverse direction (recovering the secret from the public token) is computationally infeasible.
  3. The secret can be used to "sign" or "decrypt" things in a way only the holder of the secret could do.
  4. The public token can be used by anyone to verify the work without ever holding the secret.

For most of cryptographic history, no such construction was known. In the 1970s a sequence of breakthroughs (Diffie–Hellman 1976, RSA 1977) showed that it could be done, using carefully chosen mathematical operations where the forward direction is fast and the reverse direction is astronomically slow. This is the entire foundation of modern cryptography on the internet, and it is the entire foundation of identity on a blockchain.

One-way functions

The mathematical idea underneath every key pair is a one-way function. Easy to compute in one direction, infeasible to reverse.

A useful intuition: mixing paint. Given two paint colors, you can easily produce the mixture. Given the mixture, separating it back into the two original colors is hopeless. The forward operation is trivial. The reverse operation is intractable.

[Figure: private key (your secret) → public key (share freely). Forward direction: easy, milliseconds. Reverse direction: infeasible, longer than the age of the universe.] A one-way function. The forward arrow runs every time you use your wallet.

The forward operation in public-key cryptography is some mathematical computation that takes the private key as input and produces the public key as output. Doing it is fast: any device can compute it in microseconds. Reversing it requires an attacker to try enormous numbers of possibilities, and the schemes are designed so that even the largest computer clusters humanity has built would not finish reversing one in the lifetime of the universe.

The strength of a key pair depends entirely on how steep that asymmetry is. A weak scheme might take a determined attacker a few years to reverse. A strong scheme would take longer than the heat death of the universe.

The schemes blockchains use

Two specific elliptic-curve schemes do almost all the public-key heavy lifting in the chains you'll encounter.

secp256k1. An elliptic curve standardised in the early 2000s. Used by Bitcoin, Ethereum, and most of the chain families that followed them. The "256" is the key size in bits: 32 bytes of private key material produce a public key on the curve. The "k1" is a parameter designation distinguishing it from a closely related curve (secp256r1) that some cryptographers were nervous about.

Ed25519. A newer elliptic-curve scheme published in 2011. Cleaner mathematics, faster operations, smaller keys with equivalent security to secp256k1. Used by Solana and a growing number of newer chains. Also used outside blockchain in modern systems like SSH and Signal.

For this course you don't need to be able to do elliptic-curve arithmetic by hand. You need to be able to:

  • Recognise the names. When a wallet or library mentions secp256k1 or Ed25519, you know what category of object you're looking at.
  • Know the key sizes. 32 bytes for the private key in both. The public key is roughly the same size for Ed25519 and a bit larger for secp256k1 depending on a compression option.
  • Understand the asymmetry. Computing the public key from the private key is one fast operation. Going the other way is the entire definition of "secure" in this context.

Both schemes are believed to be secure against any classical computer. Both are vulnerable to a sufficiently large quantum computer running Shor's algorithm.

Generating a key pair

The private key is just a random 32-byte number. Cryptographically random, generated by an entropy source rather than picked by a human. A human-chosen private key is a guessable private key, and the entire security of the scheme depends on the secret being indistinguishable from random noise to anyone who doesn't have it.

```typescript
// Conceptual pseudocode, not a runnable API: the real calls are the curve library's.
private_key = 32 random bytes from a secure entropy source
public_key  = curve_multiply(private_key, generator_point)
```

That's the entire key-generation process at the conceptual level. One call to a cryptographic random number generator. One curve operation, the "easy direction" of the one-way function. Done.

The reason this is so short is that all the difficulty lives in two places. First, in the curve mathematics that makes curve_multiply a true one-way function: the output is a point on the curve that anyone can check is valid, but that only someone who knew the private key could have computed. Second, in the entropy source: a private key with predictable bytes is no private key at all. Most wallet compromises in history are not breaks of the curve. They are weak entropy.

The playground below has a node that does this generation. Click and you'll see a freshly derived public key appear in microseconds. Change the private-key bytes and watch the public key change completely. The avalanche-like property you saw with hash functions carries over here.
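A runnable version of the two-step generation above, covering both schemes and the key sizes from the previous section. This is an added example, not code from the lesson or its playground; it assumes Node.js with its built-in crypto module (createECDH stands in for curve_multiply on secp256k1, generateKeyPairSync produces the Ed25519 pair) and the one-bit-flip check is a constructed way of showing the avalanche behaviour described above.

```typescript
import { randomBytes, createECDH, generateKeyPairSync } from "crypto";

interface KeyPair { privateKey: Buffer; publicKey: Buffer }

// secp256k1: public key = privateKey * G. createECDH does the curve multiplication;
// "compressed" output is 33 bytes, "uncompressed" is 65 bytes (the compression option above).
function secp256k1KeyPair(
  privateKey: Buffer = randomBytes(32),            // 32 bytes from the OS entropy source
  format: "compressed" | "uncompressed" = "compressed",
): KeyPair {
  const ecdh = createECDH("secp256k1");
  ecdh.setPrivateKey(privateKey); // rejects scalars that are 0 or not below the curve order
  return { privateKey, publicKey: Buffer.from(ecdh.getPublicKey("hex", format), "hex") };
}

// Ed25519: Node generates the pair; the JWK export exposes the raw 32-byte seed (d)
// and the raw 32-byte public key (x).
function ed25519KeyPair(): KeyPair {
  const { privateKey } = generateKeyPairSync("ed25519");
  const jwk = privateKey.export({ format: "jwk" }) as { d: string; x: string };
  return {
    privateKey: Buffer.from(jwk.d, "base64url"),
    publicKey: Buffer.from(jwk.x, "base64url"),
  };
}

// Number of bit positions in which two equal-length buffers differ.
function hammingDistance(a: Buffer, b: Buffer): number {
  let bits = 0;
  for (let i = 0; i < a.length; i++) {
    let x = a[i] ^ b[i];
    while (x) { bits += x & 1; x >>= 1; }
  }
  return bits;
}

// Avalanche check: flip one bit of the private key and count how many public-key bits change.
// Roughly half of the 256 x-coordinate bits should differ; the 1-byte prefix is skipped
// because it only encodes the parity of y.
function avalanche(privateKey: Buffer = randomBytes(32)): number {
  const flipped = Buffer.from(privateKey);
  flipped[31] ^= 0x01;
  const a = secp256k1KeyPair(privateKey).publicKey;
  const b = secp256k1KeyPair(flipped).publicKey;
  return hammingDistance(a.subarray(1), b.subarray(1));
}
```

Deriving the same private key twice gives the same public key, so the only randomness in the whole process is the 32 bytes handed to the curve.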

What this enables

Three different operations can be built on top of the priv/pub pair, each using the same mathematical machinery in a different direction.

Encryption to a public key. Already covered in the previous lesson. Anyone takes your public key, encrypts a message, and only your private key decrypts. This is used at the edges of blockchain systems but is not how on-chain data is protected.

Digital signatures. Use the private key to produce a short value that anyone can verify against the message and the public key. The signature proves that the message was approved by whoever holds the private key, and cannot be forged without it. This is the primitive that authorises every blockchain transaction. The next-but-one lesson takes this apart properly.

Identity. Your public key is your address. The chain doesn't know your name, your country, or your email. It knows the public key that goes with the private key you control. Possession of the private key is the entire definition of "you" from the chain's perspective. Lose it and there is no recovery. Steal it and there is no insurance.

That last point is the one that surprises every developer who comes from a system with password resets and customer support. There is no customer support. The private key, and only the private key, is the identity. The next lesson covers exactly how that key gets generated, stored, and recovered.