Deriving ECDSA Public Key from Private Key

Question

I was attempting to generate a public ECDSA key from a private key, and I haven't managed to find much help on the internet as to how to do this. Pretty much everything is for generating a public key from a public key spec, and I don't know how to get that. So far, this is what I've put together:

public void setPublic() throws GeneralSecurityException {
    ECNamedCurveParameterSpec params = ECNamedCurveTable.getParameterSpec("secp256k1");
    KeyFactory fact = KeyFactory.getInstance("ECDSA", "BC");
    ECCurve curve = params.getCurve();
    java.security.spec.EllipticCurve ellipticCurve = EC5Util.convertCurve(curve, params.getSeed());
    java.security.spec.ECPoint point = ECPointUtil.decodePoint(ellipticCurve, this.privateKey.getEncoded());
    java.security.spec.ECParameterSpec params2=EC5Util.convertSpec(ellipticCurve, params);
    java.security.spec.ECPublicKeySpec keySpec = new java.security.spec.ECPublicKeySpec(point,params2);
    this.publicKey = fact.generatePublic(keySpec);
}

However, when running, I get the following error:

Exception in thread "main" java.lang.IllegalArgumentException: Invalid point encoding 0x30
at org.bouncycastle.math.ec.ECCurve.decodePoint(Unknown Source)
at org.bouncycastle.jce.ECPointUtil.decodePoint(Unknown Source)
at Wallet.Wallet.setPublic(Wallet.java:125)

What am I doing wrong? Is there a better/easier way to do this?

EDIT: I've managed to get some code to compile, but it does not work correctly:

public void setPublic() throws GeneralSecurityException {
    BigInteger privKey = new BigInteger(getHex(privateKey.getEncoded()),16);
    X9ECParameters ecp = SECNamedCurves.getByName("secp256k1");
    ECPoint curvePt = ecp.getG().multiply(privKey);
    BigInteger x = curvePt.getX().toBigInteger();
    BigInteger y = curvePt.getY().toBigInteger();
    byte[] xBytes = removeSignByte(x.toByteArray());
    byte[] yBytes = removeSignByte(y.toByteArray());
    byte[] pubKeyBytes = new byte[65];
    pubKeyBytes[0] = new Byte("04");
    System.arraycopy(xBytes, 0, pubKeyBytes, 1, xBytes.length);
    System.arraycopy(yBytes, 0, pubKeyBytes, 33, xBytes.length);




    ECNamedCurveParameterSpec params = ECNamedCurveTable.getParameterSpec("secp256k1");
    KeyFactory fact = KeyFactory.getInstance("ECDSA", "BC");
    ECCurve curve = params.getCurve();
    java.security.spec.EllipticCurve ellipticCurve = EC5Util.convertCurve(curve, params.getSeed());
    java.security.spec.ECPoint point = ECPointUtil.decodePoint(ellipticCurve, pubKeyBytes);
    java.security.spec.ECParameterSpec params2 = EC5Util.convertSpec(ellipticCurve, params);
    java.security.spec.ECPublicKeySpec keySpec = new java.security.spec.ECPublicKeySpec(point,params2);
    this.publicKey = fact.generatePublic(keySpec);
}

private byte[] removeSignByte(byte[] arr)
{
    if(arr.length==33)
    {
        byte[] newArr = new byte[32];
        System.arraycopy(arr, 1, newArr, 0, newArr.length);
        return newArr;
    }
    return arr;
}

When I run it, it generates a publicKey, but it's not the same one that the private key corresponds to.

I assume you have read [this](http://www.bouncycastle.org/wiki/display/JA1/Elliptic+Curve+Key+Pair+Generation+and+Key+Factories). — DevilsHnd - 退職した, Mar 10 '18 at 03:37
@DevilsHnd that explains how to generate a Public key from a PublicKeySpec, and the rest of the examples it gives, from what I saw, are generation of a new, random key. I need to recover an existing keypair from an inputted private key in my case. — Lev Knoblock, Mar 10 '18 at 08:07
Perhaps changing the title of the question to "Deriving ECDSA Public Key" would be clearer — Lev Knoblock, Mar 10 '18 at 08:07
There are multiple ways of encoding a public key: you can have an ASN.1 / DER encoded representation, which usually starts with an ASN.1 SEQUENCE byte (0x30) and containns things such as the object identifier identifying the key type / parameters. Or you could have a flat (uncompressed) point format that starts with 04 (not to be confused with the value 0x04 used to encode an ASN.1 OCTET STRING). So you're likely just receiving different encodings. — Maarten Bodewes, Mar 11 '18 at 16:46
@MaartenBodewes Either way, I assume that BouncyCastle has a consistent output format for the code I have, so there's no way for me to be receiving different encodings unless the libary has some issues. — Lev Knoblock, Mar 11 '18 at 22:06
Maybe so, but in the first code segment you even think that the private key consists of a point, which is doesn't. The encoding of the private key consist of a SEQUENCE with many elements; trying to parse that as point is of course nonsense. `removeSignByte` is also not complete: the coordinates x and y could also be smaller than 32 bytes (try and look up I2OSP function also used for RSA). That said, the code should work if normalized. Anyway, you assume a lot, but I'm glad you've got something working now. — Maarten Bodewes, Mar 11 '18 at 22:17
Maybe what you are missing is... The ECDSA private key is a random *integer*. It is usually denoted as `x` in the libraries I work with. The public key is `G ^ x`, where `G` is the base *point*. So exponentiating a point by and integer results in a point. The resulting point from `y = G ^ x` is your public key. The other part you are probably missing is, exponentiation in the group is multiplication (all groups have two operations; usually addition and multiplication). So look for an `exponentiate(...)` or `multiply(...)` method. Share `y`, keep `x` private. — jww, Mar 12 '18 at 01:22

Lev Knoblock · Accepted Answer · 2018-03-13T05:22:52.103

11

So after a while, I figured out a solution and decided to post it in case anyone else has the same issue as me:

KeyFactory keyFactory = KeyFactory.getInstance("ECDSA", "BC");
    ECParameterSpec ecSpec = ECNamedCurveTable.getParameterSpec("secp256k1");

    ECPoint Q = ecSpec.getG().multiply(((org.bouncycastle.jce.interfaces.ECPrivateKey) this.privateKey).getD());

    ECPublicKeySpec pubSpec = new ECPublicKeySpec(Q, ecSpec);
    PublicKey publicKeyGenerated = keyFactory.generatePublic(pubSpec);
    this.publicKey = publicKeyGenerated;

EDIT: Removed the code decoding the ECPoint as per @MaartenBodewes comment.

edited Mar 13 '18 at 05:22

answered Mar 10 '18 at 17:01

Lev Knoblock

611
2
6
20

You should be able to use `Q` directly instead of `point`. If this fails, add a method call `normalize()` to the end of the calculation. – Maarten Bodewes Mar 11 '18 at 16:48

score 3 · Answer 2 · edited May 04 '18 at 06:49

Building on the previous answer one can extend this to the case that all one is given is a private key satisfying BCECPrivateKey interface:

DerivePubKeyFromPrivKey(BCECPrivateKey definingKey, Provider provider) {

    KeyFactory keyFactory = KeyFactory.getInstance("EC", provider);

    BigInteger d = definingKey.getD();
    org.bouncycastle.jce.spec.ECParameterSpec ecSpec = 
    definingKey.getParameters();
    ECPoint Q = definingKey.getParameters().getG().multiply(d);

    org.bouncycastle.jce.spec.ECPublicKeySpec pubSpec = new 
    org.bouncycastle.jce.spec.ECPublicKeySpec(Q, ecSpec);
    PublicKey publicKeyGenerated = keyFactory.generatePublic(pubSpec);
    return publicKeyGenerated;
}

Quuxplusone · Answer 3 · 2020-05-11T21:43:34.063

I came here with the same problem in Kotlin, so, in case it helps anyone, here's how I derived the PublicKey from an ECDSA PrivateKey in Kotlin. This code is based on Lev Knoblock's Java answer and then trial-and-errored until it worked.

In my case I knew that my key used the secp256k1 curve, so I could hard-code that part. I didn't bother to learn how to generalize it to other curves.

import java.security.KeyFactory
import java.security.KeyPair
import java.security.PrivateKey
import java.security.PublicKey
import org.bouncycastle.asn1.pkcs.PrivateKeyInfo
import org.bouncycastle.jce.ECNamedCurveTable
import org.bouncycastle.jce.interfaces.ECPrivateKey
import org.bouncycastle.jce.spec.ECNamedCurveParameterSpec
import org.bouncycastle.jce.spec.ECPublicKeySpec
import org.bouncycastle.math.ec.ECPoint
import org.bouncycastle.openssl.jcajce.JcaPEMKeyConverter
import org.bouncycastle.openssl.PEMParser

fun getECPrivateKeyFromPEM(privatePem: String): ECPrivateKey {
    val pemParser = PEMParser(privatePem.reader())
    val privateKeyInfo = pemParser.readObject() as PrivateKeyInfo
    return JcaPEMKeyConverter().getPrivateKey(privateKeyInfo) as ECPrivateKey
}

fun getKeyPairFromECPrivateKey(privateKey: ECPrivateKey): KeyPair {
    val keyFactory: KeyFactory = KeyFactory.getInstance("ECDSA", "BC")
    val spec: ECNamedCurveParameterSpec = ECNamedCurveTable.getParameterSpec("secp256k1")
    val Q: ECPoint = spec.getG().multiply(privateKey.getD())
    val publicKey: PublicKey = keyFactory.generatePublic(ECPublicKeySpec(Q, spec))
    return KeyPair(publicKey, privateKey)
}

And here's my test harness:

import java.io.StringWriter
import org.bouncycastle.openssl.jcajce.JcaPEMWriter

fun main() {
    val privatePem = """
       |-----BEGIN PRIVATE KEY-----
       |MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg55EMdhNJX+YN/bjN
       |Eof91oKqEqD0QidEsRMhHBwSRjShRANCAARnSFpE0LDugORBWlSJz0Zf9e0mR9s6
       |tlxSeo1Nbd2vv9LDedm+l/CfZpbyYvPm49DAKDhkUHFIVDd2SsiPrRa7
       |-----END PRIVATE KEY-----
    """.trimMargin()
    val privateKey: ECPrivateKey = getECPrivateKeyFromPEM(privatePem)
    val pair: KeyPair = getKeyPairFromECPrivateKey(privateKey)
    val pems: String = StringWriter().use {
        val pemWriter = JcaPEMWriter(it)
        pemWriter.writeObject(pair.getPublic())
        pemWriter.writeObject(pair.getPrivate())
        pemWriter.flush()
        it.toString()
    }
    println(pems)
}

This prints out:

hey there! could you give me a hand to encrypt/decrypt. using private/public pem files? — placplacboom, Jun 19 '20 at 23:12

Deriving ECDSA Public Key from Private Key

3 Answers3

Linked

Related