A public key and a private key are a mathematically linked pair of numbers that together let you receive crypto and prove you own it — without ever sharing a secret. Understanding how they work is the foundation of understanding why cryptocurrency can be both open and secure at the same time.
The core idea: asymmetric cryptography
Most security systems rely on a shared secret — a password both parties know. Crypto takes a different approach called asymmetric cryptography, where the two parties use different keys: one to lock, one to unlock.
The mathematics behind this relies on problems that are easy to do in one direction but computationally impossible to reverse. Multiply two enormous prime numbers together and you get a product in milliseconds. Starting from only that product and working backwards to find the original primes would take more computing time than the age of the universe. Your private key exploits exactly this kind of one-way trap.
What is a private key?
A private key is a randomly generated number — typically 256 bits long for Bitcoin and most blockchains. It looks something like this:
5KJvsngHeMpm884wtkJNzQGaCErckhHJBGFsvd3VyK5qMZXj3hS
That string represents a number so astronomically large that guessing it at random is effectively impossible. Your private key is the master secret from which everything else flows. It lets you:
- Sign transactions — prove to the network that you, and only you, authorized a transfer of funds.
- Derive your public key — the private key is the mathematical starting point from which the public key is calculated.
The private key is the only thing standing between you and permanent loss of your funds. Anyone who has it can spend your crypto. There is no reset, no recovery team, no helpdesk. Protect it accordingly.
Because of this, the private key should never leave your secure environment. It should never be typed into a website, stored in a cloud note, or shared with anyone.
What is a public key?
Your public key is derived from your private key using a one-way mathematical function (based on elliptic curve cryptography in most blockchains). The derivation is a one-way street: knowing the public key tells you nothing useful about the private key.
The public key can be shared with anyone. It serves two purposes:
- Verification — when you sign a transaction with your private key, anyone can check the signature against your public key to confirm it’s genuine without learning anything about the private key itself.
- Address derivation — most blockchains run the public key through a hashing function one more time to produce a shorter, more convenient wallet address.
From private key to wallet address
The journey from a raw private key to the address you share with others follows a predictable pipeline:
| Step | Input | Output | Direction |
|---|---|---|---|
| 1 | Private key (256-bit number) | Public key | One-way (elliptic curve math) |
| 2 | Public key | Raw address (hashed) | One-way (hashing) |
| 3 | Raw address | Formatted address (e.g. checksummed) | Encoding |
The wallet address — the string you hand to someone so they can send you funds — is therefore a derived fingerprint of your public key, which is itself a derived fingerprint of your private key. You can share the address (and the public key) freely, and nobody can work backwards to your private key.
This is why crypto wallets are not really storage containers for coins. The coins live on the blockchain. The wallet is simply software that holds your private key and uses it to sign transactions on your behalf.
How a transaction actually gets authorized
When you send crypto, the process looks like this:
- Your wallet software constructs a transaction message: “Send 0.1 BTC from address A to address B.”
- The wallet uses your private key to produce a digital signature unique to that exact message.
- The signed transaction is broadcast to the network.
- Every node on the network checks: does this signature match the public key associated with address A? If yes, the transaction is valid. If no, it is rejected.
The signature is different every time — even for identical transaction amounts — because it incorporates a random element. This means a signature cannot be reused or replayed by an attacker who intercepts it. For a deeper look at how the math works, see the guide on digital signatures.
What a seed phrase has to do with keys
If a private key is just a number, why do wallets give you a list of English words when you set them up?
The answer is usability. A 256-bit number is hard for humans to write down accurately. A seed phrase (also called a recovery phrase or mnemonic) is a human-readable encoding of a master secret from which an entire tree of private keys can be deterministically generated. One seed phrase can back up dozens or hundreds of keys across multiple blockchains.
The important point: the seed phrase and the private key are functionally equivalent in terms of access. Anyone who obtains your seed phrase can reconstruct your private keys and drain your funds. Treat both with equal caution.
Common mistakes to avoid
Storing keys digitally in unencrypted form. Screenshots, cloud notes, and email drafts are all vulnerable to breaches. If your private key exists as plain text on an internet-connected device, it is at risk.
Entering your private key or seed phrase into a website. Legitimate wallets and exchanges will never ask for your private key. Any site that does is a phishing attempt. See the guide on common crypto scams for more.
Conflating the address with the key. Your wallet address is safe to share — it is the equivalent of a bank account number. Your private key is like the PIN and the master password combined. They are not interchangeable.
Assuming a hardware wallet is immune if the seed phrase is compromised. A hardware wallet protects the private key from online threats, but if someone finds your written seed phrase, the hardware device is irrelevant.
Key takeaways
- A private key is a randomly generated secret number that lets you authorize transactions. It must never be shared.
- A public key is mathematically derived from the private key in a one-way process; it can be shared freely and is used to verify signatures.
- Your wallet address is a further-derived fingerprint of your public key — safe to share, but not the same thing as a key.
- Transactions are authorized by a digital signature that proves private key ownership without revealing the key itself.
- A seed phrase is a human-friendly backup of a master secret that can regenerate all your private keys — it carries the same risk as the keys themselves.
- There is no password reset. Losing your private key (or seed phrase) with no backup means permanent loss of access to those funds.
Next up: Seed Phrases and Backups