Public and private keys are one of the pivotal technologies that make cryptocurrencies possible by allowing users to transact without the need for a third party to verify the transaction. This in turn is necessary to facilitate the decentralized, trustless architecture that has made blockchain and web3 such a revolutionary technology.
Anyone hoping to have an understanding of web3 security will need to have an understanding of public and private keys, both in terms of how they work together, and also of the various web3 security risks that they entail.
Some form of private keys have been present from the beginning of cryptography, which was led by academic and military personnel seeking ways to encode messages which were then decoded using a secret phrase. This phrase could be used to first encrypt, then decrypt the message. Whilst useful, there was a major weakness in this design in that the same phrase was used to both encrypt and decrypt the message, meaning that if the phrase were to be compromised, an unauthorized person could both access the information, and also impersonate the person sending the message.
This earlier process of encryption is called ‘symmetric encryption’ as both sides of the process used the same phrase. In the 1970s cryptographers developed ‘asymmetric cryptography, which resolved the problems of the prior art by splitting the process in two to create a ‘public’ and a ‘private’ key.
In this new system, the private key is a long, random prime number that can be used as a unique ID that can encrypt and decrypt a message. Out of this private key, a public key can then be generated through a mathematical function known as “elliptic curve multiplication”. ‘Elliptic Curve Cryptography’ is one of the main technologies that enables cryptocurrencies. Crucially, a public key can be derived from a private key, but not the other way round.
In cryptocurrency, a private key functions in the same way as a pin number for a credit card– it allows the owner to access their funds and make transactions, and, like a pin number, it is vital that it doesn’t fall into the wrong hands.
Understandably, the importance of keeping a private key private is of vital importance for web3 security. For users who opt to store their funds on custodial wallets and centralized exchanges, they are essentially handing responsibility for protecting your private keys over to them, much like you would trust a bank with protecting your money. Alternatively, opting for a non-custodial wallet means that users are responsible for their private keys, which typically come in the form of a ‘seed phrase’, a sequence of words that encodes your private keys.
In either case, hackers will try and gain access to your private key, often in the form of phishing attacks, which attempt to dupe users into sharing their sensitive information. Because of this, one of the foundational rules of web3 security is to never share your private key or seed phrase with anyone. Legitimate institutions or projects will never ask you to share this information, so if someone is asking for it, proceed with extreme caution.
A public key is a long numerical sequence that is derived from and paired with a private key, and that allows for funds and assets to be sent to the address. It functions much like the address in the real world in that it allows anyone with the address to send a letter at any time, except in this case, the letter takes the form of a web3 asset such as a cryptocurrency or NFT.
In designing how blockchain transactions would function, bitcoin founder Satoshi Nakamoto detailed how public and private keys enable transactions through a process of digital signatures. In their now famous whitepaper, Nakamoto writes how ‘Each owner transfers the coin to the next by digitally signing a hash of the previous transaction and the public key of the next owner and adding these to the end of the coin.’ Through this process, Nakamoto describes how an electronic coin exists as a chain of ‘digital signatures’, which is the process of using a private key to authenticate the transaction. The bitcoin whitepaper provides the below diagram explaining the process:
Public keys have an important role in the functioning of blockchain as an anonymous yet transparent architecture– a pair of qualities that has often led to confusion amongst newcomers to the web3 space.
Firstly, the ‘privacy’ that public keys afford is that they are not directly tied to their owner’s identity. To return to the comparison with an address in the real world, it's as if that address held no identifying information on who is receiving the letter, nor any information that could lead to them being physically contacted.
Instead, the only ‘location’ that the address leads to is on the blockchain. This is where the ‘transparency’ element of blockchains come in. Although not tied to any identity, all of the funds and transactions that are associated with the public key can be viewed on the blockchain through the use of a blockchain explorer.
Writing on the need for both privacy and transparency, Nakamoto writes that ‘privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone.’
It is by virtue of this transparency that web3 security tools, such as blockchain analytics services Skynet and SkyTrace, help projects keep track of the activity that occurs on-chain. This is essential for web3 security as, in the event of a hack, it is vital to know what events led to the attack, where the lost funds have gone, and what steps can be taken to mitigate the damage.
CertiK’s SkyTrace in particular uses public keys to trace and visualize the flow of funds between wallets. This in turn provides projects with a route to tracking the stolen funds in the hopes that they will lead to the hacker’s identity.
Similarly, CertiK’s Skynet actively monitors on-chain activity and generates in-time insights based on a project’s liquidity, the distribution of its tokens, and any unusual or anomalous transactions. All of this is only possible through the availability of data provided by the transparency of public keys.
Given how public keys are generated out of private keys, it is possible for a new address to be created for each time a person sends or receives a transaction. This in turn helps users with another aspect of web3 security, privacy. Whilst the transparency afforded by public keys does have its advantages for web3 security, it also provides hackers with a useful tool for casing potential targets. Because of this, some platforms such as Coinbase will generate a new address for a user for each time they transact with their wallet so that a third party cannot view all other transactions associated with your account simply by using a blockchain explorer.
Understanding private and public keys and how they interact is one of the foundational elements to understanding the web3 space. Getting a grip on how they work provides a useful way into understanding a wide range of the subsequent web3 technology, and their implications for web3 security. For readers simply looking for practical measures on how to maintain safety around their public and private keys, two things are vital to remember. First, never give away your private key, as this allows anyone to access your funds and assets. Secondly, do your own research around whether you want to hold your private keys yourself, or hand responsibility for them to a custodial wallet. Both have their advantages and disadvantages, so be sure to look into them thoroughly before making a decision.