Keeping Your Crypto Safe — Solving The Private Key Paradox

1. The Core Of A Blockchain Wallet

In a previous blog post, we wrote that:

“Every crypto wallet consists of two things: a private key and a public key. You can consider the public key as your “address” or “account” on the blockchain. When you request a payment to someone, they will send the funds to your public key. The private key on the other hand, is the secret cryptographic password that grants the party who knows the value of the key, complete ownership of any funds on the associated public key. So if you have crypto on one or more public keys, it is imperative that you protect the associated private keys as much as possible.”

But so why is that private key so important? And can we quantify it?

2. The Private Key Paradox

At NGRAVE, we call the issue at hand the “Private Key Paradox”. The private key or secret cryptographic access key to your crypto wallet is the reason why your crypto is so secure: if I don’t know your private key, I can’t break it or brute force it with the existing computer power available. Therefore, I cannot steal the funds you have on your public key: the address on which you have your crypto. It’s interesting to know that the public key and thus your so to speak “account number” is actually cryptographically derived from your private key in the form of a one-way hash function. This basically means that while you can calculate your address from your private key, it is near impossible to do the reverse calculation, i.e. calculate your private key from your public key. So, yes, the private key is a crucial pillar in blockchain wallets. It’s also the Achilles Heel. If I can simply look over your shoulder (e.g. when you have your key stored somewhere online) and see your key, it’s game over. I can steal your funds. Also, if you lose your private key yourself, there is no way of getting access again to your crypto. The morale: above all, generate your private keys out of sight, and keep your private keys out of sight!

Let’s have a look at the numbers.

3. Quantifying The Difficulty Of Guessing Your Private Key

The first thing you see on this graph is that winning the Lottery suddenly doesn’t seem such a big feat. Obviously you know better. And it gives a great perspective on how difficult it actually is to guess my private key and get access to all 0.01BTC on my account. Whereas winning the Euro Millions is an odd of about 1: 1.39 x 10⁸(or 1 in a hundred and thirty nine million), it’s nothing compared to guessing one of the richest men one Earth’s bank account number, PIN code, and two factor authentication code, which stands at 1: 1.18 x 10^21, or over a trillion times more implausible than winning the Lottery. Next, I dare you to guess just ANY private key out there that has a balance greater than zero. The latter is of a difficulty of 1: 1.96 x 10⁶⁹, which is billions of billions of times harder to achieve. That finally brings us to you guessing the private key of my Bitcoin address, which is of an order of magnitude of 256 bits, basically equal to you trying to guess which atom I am thinking about right now, of all the atoms in the universe.

4. Implications

So…THAT’s why if you don’t know my private key, you cannot brute force it. The computational requirements simply don’t exist today. Now imagine that you generate your private key offline, and never need to expose it when signing transactions (or any other kind of wallet management for that matter). How can a remote attacker then possibly break into your account?

Now, here is where it becomes tricky. OK, your private key needs to be generated offline. But this generation process itself has to adhere to some crucial conditions. It has to be able to generate the whole range of 2^256 possible keys. For example, if it were to generate only one of two values all the time, you still would have a private key but it would be easy to guess it. So the generation process itself must ensure that it can generate a key that is statistically unique and unbreakable (the process needs to be able to generate a gigantic range of keys), it needs to be unpredictable (i.e. random, so that nobody could ever just implement the same process and calculate your key from it anyway), and of course it needs to be offline.

5. The Solution

And that’s exactly where NGRAVE comes in. We have developed a product suite that not only generates strong private keys 100% offline, but also keeps them unexposed at all times.

Find out more about NGRAVE’s most advanced key generation process available in the market, in this post!