 How is the private key calculated using the elliptic curve mathematical computation? Two, if transactions are public, why can't someone launch a brute force and guess the private key... knowing the fact that we have quantum computers now? Let's start with the first question for Rohit. Private keys are numbers. That's all they are. If you wanted to generate a private key, you can do so fairly easily using just pen and paper. A private key is a number that is 256 bits long. A bit is either zero or one. How do we calculate a bit? The easiest way would be to flip a coin. If it's heads, we write down one. If it's tails, we write down zero. Take a big sheet of paper, take a coin, flip it. If it's heads, write down one. If it's tails, write down zero. Repeat this 256 times, and you have a binary private key written down on your piece of paper. It's generated completely randomly. If somebody else tried to do the same thing, they would have to try 10 to the 77 times... in order to produce the same private key on average. If you take that private key, which is just a number, and three is a good private key, seven is a good private key, very easy to crack, not very random out of that totally vast number. If you take that private key, the elliptic curve mathematics that follows is to take a known point on the elliptic curve. When I say point, what that means is an x-y coordinate that is on the line drawn by the function. If you take the elliptic curve function of Bitcoin, that elliptic curve, when drawn on a piece of paper, creates a line. That line is in the form of a curved line. It's an elliptic curve, and it looks a bit like a squid. You take that elliptic curve, and there is a very specific point on the line called the generator point. It's a set of x-y coordinates, and that set of x-y coordinates is predefined. Everybody uses the same one, and we write it down as capital G for generator point. The public key is simply the point capital G multiplied by the private key. 
If my private key is three, then my public key is three times G. You say, well, that's very easy. If I already know that my public key is three times G, and I know what G is, why don't I just divide by G, and then I have the three, and I know your private key? The reason is because you can't do division on the elliptic curve, so division doesn't exist. You know three G is the public key, and you can't figure out that three is the private key, even though you know what the value of G is. That's how the elliptic curve computation works. What does multiplication by a scalar mean on the elliptic curve? What does it mean to take a point and multiply it by three? How do you multiply x-y coordinates by three? This has a specific meaning on the elliptic curve. To add G to itself, to do G plus G, what you do is take the tangent of the point on the elliptic curve. The tangent is a specific mathematical construct, right? You take the tangent at the point of G, and you draw that tangent. At some point, that tangent will touch the elliptic curve again. That is one of the properties of elliptic curves. If you take the tangent of a point on the elliptic curve, that tangent will bisect the elliptic curve at another point. If you flip that point on the axis, that is two G. By adding up two points, and then drawing a line between them is how you add them up, you can create a multiple, because three times G is simply G plus G plus G. You can keep adding G, and essentially all private to public key computation is that. It is taking G and adding it to itself as many times as your private key. That is the number that you generate randomly. When you do that, you end up somewhere on the curve. You are still at some point, some x, y-coordinate on the curve. Every time you add the points, you bounce around the curve, and you end up somewhere. That point is your public key. If you know that point, you have no idea how you got there. You simply don't know how you got there. 
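As an added illustration (not code from the talk), here is the "add G to itself" computation described above, carried out over secp256k1's actual finite field: the tangent and chord slopes are the same as in the drawn-curve picture, except that real-number division is replaced by a modular inverse, and the reflection across the x-axis becomes negation mod P. It also checks that double-and-add, which wallets actually use, lands on the same point as literally adding G three times.

```python
# Added example (not from the talk): secp256k1 chord-and-tangent arithmetic over y^2 = x^3 + 7 (mod P).
P = 2**256 - 2**32 - 977                                   # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # order of G
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0

def point_add(p1, p2):
    """Add two points; None stands for the point at infinity (identity)."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                     # Q + (-Q) = infinity
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P # chord slope through both points
    x3 = (lam * lam - x1 - x2) % P                      # third intersection with the curve...
    y3 = (lam * (x1 - x3) - y1) % P                     # ...reflected across the x-axis
    return (x3, y3)

def naive_mult(k, point=G):
    """k*point by literally adding point to itself k times (only sane for tiny k)."""
    result = None
    for _ in range(k):
        result = point_add(result, point)
    return result

def scalar_mult(k, point=G):
    """k*point by double-and-add: at most 256 doublings, not k additions."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def private_to_public(d):
    """Public key = d*G for a private key d in [1, N-1]."""
    if not 1 <= d < N:
        raise ValueError("private key out of range")
    return scalar_mult(d, G)
```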
Do all private keys start with the number five? No, Bill. Private keys encoded with wallet import format start with the number five. But those that correspond to compressed public keys can start with the letter K or the letter L. You will see that private keys in wallet import format, when they correspond to compressed public keys, start with a K or L instead of a five. How do you ensure the private key is transmitted securely and privately into the blockchain? This is also a point of confusion. The private key is never transmitted anywhere. What you transmit is a signature, which is a number produced by a special equation. Anyone can check, and by checking that against your public key, they can confirm you know what the private key is, but they don't know what the private key is. They cannot know what the private key is. That little trick ensures that you can sign as many times as you want. No matter how many times you sign, no matter how many of your signatures you transmit, people will only be able to verify that you know the private key, but nobody else does. Please explain key collision. Also, please give an example of encryption collision. Collision as a word is mostly used for hashes, but perhaps what you're asking is related to the very next question. Jason asks, is it possible to generate a private key that is already being used? Yes, Jason. It is possible. It is so absolutely improbable, however, that even if you were trying to do this deliberately, by generating a trillion new private keys every second, and you then recruited a billion people to all generate a trillion keys each, all you would do is touch the very surface of the absolutely enormous number of private keys that exist. This is something that a lot of people have difficulty wrapping their heads around. The idea that these numbers are so impossibly large that you will never, ever, ever get through them. 
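As an added example (not from the talk), this is the wallet import format the answer refers to: Base58Check of a version byte 0x80 followed by the 32-byte key, with a trailing 0x01 flag when the key goes with a compressed public key. The leading 0x80 is why an uncompressed-key WIF starts with 5, and the extra flag byte is why a compressed-key WIF starts with K or L; the decoder also shows how the checksum catches a mistyped character.

```python
import hashlib

# Added example (not from the talk): Bitcoin mainnet WIF encode/decode.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order

def checksum(payload: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(payload: bytes) -> str:
    data = payload + checksum(payload)
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = ALPHABET[r] + out
    pad = len(data) - len(data.lstrip(b"\x00"))   # leading zero bytes become '1's
    return "1" * pad + out

def base58check_decode(s: str) -> bytes:
    n = 0
    for ch in s:
        n = n * 58 + ALPHABET.index(ch)            # ValueError on a non-Base58 char
    pad = len(s) - len(s.lstrip("1"))
    data = b"\x00" * pad + n.to_bytes((n.bit_length() + 7) // 8, "big")
    payload, check = data[:-4], data[-4:]
    if checksum(payload) != check:
        raise ValueError("checksum mismatch: WIF is corrupted or mistyped")
    return payload

def private_key_to_wif(d: int, compressed: bool = True) -> str:
    if not 1 <= d < N:
        raise ValueError("private key out of range")
    payload = b"\x80" + d.to_bytes(32, "big")     # mainnet version byte + 256-bit key
    if compressed:
        payload += b"\x01"                         # flag: pair with the compressed public key
    return base58check_encode(payload)

def wif_to_private_key(wif: str):
    """Return (private key as int, compressed flag) or raise ValueError."""
    payload = base58check_decode(wif)
    if payload[0] != 0x80:
        raise ValueError("not a mainnet private key")
    if len(payload) == 34 and payload[-1] == 0x01:
        return int.from_bytes(payload[1:33], "big"), True
    if len(payload) == 33:
        return int.from_bytes(payload[1:], "big"), False
    raise ValueError("unexpected WIF payload length")
```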
But the number of possible private keys is, let's say two to the 256, it's not quite, but for rounding purposes, because the main idea doesn't change no matter how much you round this. Two to the 256 is equivalent in decimal to ten to the 77. That's ten with 77 zeros after it. Now, let's say you could generate a billion keys a second. How much is a billion keys? Oh, that's ten to the nine. So what you're doing now is you're taking ten to the 77 and dividing it by ten to the nine, which is a billion keys per second. And what you're going to be left with is ten to the 65. So you cut down that number from ten to the 77 down to ten to the 65. That's ten with 65 zeros behind it. And that's how many seconds it's going to take you to figure out a private key that matches somebody else's. Now let's say you take a billion people, and they all try a billion keys per second. So instead of ten to the 65 seconds, it's now going to take you ten to the 54 seconds. It may seem like you're making progress, but not really. Because a billion seconds would mean that you would be no closer. You'd be down to ten to the 43 billions of seconds with a billion people trying a billion keys. And I'm using very big, big numbers here. Now let's say that you were able to do all of that for a year, and then you decided to do it for a billion years. As you can see, if we take off nine more digits from the end of this number, it doesn't get much smaller. You're still looking at numbers that are unfathomably large. In fact, at this rate, the amount of time it would take you to run through all private key combinations exceeds the total time of the universe's existence, which, depending on whether you apply science or not, is either 13.4 billion years or 6,000 years. If transactions are public, why can't someone launch a brute force and guess the private key, knowing the fact that we have quantum computers available now? 
I already gave you the answer as to why you can't simply guess the private key by trying all possible private keys. You will run out of time, the sun will extinguish, its fusion reaction will end, the universe will expand into nothingness, civilizations will come and go, and you'll still be trying to count private keys. That's the scale of numbers we're talking about. But what about quantum computers? Does that change the equation? Yes, it does. With a quantum computer, you could actually work out all possible combinations of a 256-bit number, instantaneously, as long as you had a 256-bit quantum computer. If you follow the news about quantum computing, you'll know that we're talking about five, six, seven, eight qubits, ten qubits, and the progress of adding each additional qubit is actually slowing down. To quote Peter Todd in one of his memorable memes that I really like, quantum computing may be the one area of science that scales worse than blockchains. Quantum computers are not getting to 256 qubits anytime soon. In fact, you'd only need 128 qubits to break this, but again, we are very, very, very far from there. What happens when quantum computers become available? We have to change the algorithm for cryptography in Bitcoin. There are algorithms that are better in terms of protecting against quantum computers. We don't need to use those algorithms because there are not quantum computers fast enough, or with enough qubits, to be able to crack Bitcoin's private keys. The next question comes from Sesame Miao. Quantum attacks on Bitcoin and how to protect against them. I just listened to an epicenter TV podcast about quantum threats to Bitcoin. Here is their paper. From what I understand, quantum computing effects would start to kick in in 2027 at the earliest. Attacks on proof-of-work are straightforward to address, but attacks on ECDSA for unprocessed transactions are a credible threat. 
I am aware of the argument that if the ECDSA is broken, we are worried about a lot of other things. But focusing just on Bitcoin, how easily can Bitcoin incorporate quantum-safe public key signature schemes? Does it require a complete overhaul of the code, hard fork, soft fork, what? Sesame Miao, do not fret. Yes, it is true that quantum effects could limit the lifetime of ECDSA. All cryptographic algorithms have a limited lifetime. The good news is that ECDSA can easily be replaced, and it can be replaced with a very simple soft fork. One of the important innovations that came with the introduction of segregated witness, and the way it was introduced, was the ability to have a script version number that allows soft fork upgrades to the scripting language within Bitcoin. This was introduced and activated on August 1st of 2017. That means that other signature schemes can be introduced by a simple soft fork. The first of such schemes to be introduced is Schnorr signatures, which will act in conjunction with ECDSA, or in addition to ECDSA. A lot of this isn't about replacing ECDSA, but rather about adding more signature algorithms so that people can choose which signature algorithms they want to use. They can migrate their funds to more secure signature algorithms. Schnorr signatures, which are about to be introduced and have been in testing and development for quite a while now, are one of the soft fork upgrades that can be done with the script versioning capability and segregated witness. They are not the only ones. Bitcoin could introduce quantum-safe signature schemes with a soft fork just by using the script version. It's actually a very simple soft fork. It's completely optional, it's not mandatory, it's opt-in. People can choose to use it if they want to. If they don't, they can continue to use what they used before, which may be ECDSA or something else. 
It can be introduced incrementally so that different parts of the system upgrade and introduce support slowly. Just like we've seen with the new Bech32 address scheme for Segwit, some wallets support it, some don't, and gradually the ecosystem is evolving. Quantum attacks on Bitcoin, not as scary as you might think, by the time 2027 is a very, very long way away. Within the next decades, the number of improvements that could be made to introduce quantum-safe digital signatures in Bitcoin, and the ease by which these could be done, really, really not a problem. Let's see what other bogeymen and scary thoughts we can banish with all of these questions, which are showing a high level of anxiety in the Bitcoin space. Before we continue to the next question, remember, when engaging in cryptocurrencies, it is important every now and then to take a deep breath and realize that there are many things in life that are more important, and that the end is not near, and the apocalypse is not coming, and Bitcoin is not dead before dying. It's going to be okay. The rollercoaster is part of the show, and don't worry too much about all of these things. A lot of the articles you read, a lot of the academic papers you read that have come out with a sensationalist article, and they say, we've discovered a fatal flaw that will be the end of Bitcoin. They mostly address academic edge cases that are very hard to apply and fairly easy to mitigate, but that's not what they're going to tell you in the sensational headline. They're not going to write a headline that says, edge case discovered that will have minimal impact and will be easily mitigated, but we wrote a great academic paper about it. No, they're going to say, doom, gloom, and Bitcoin is dead. Don't believe it.