Public-Key Cryptography: How Crypto Wallets Work
2026-06-04
A crypto wallet does not "hold" coins. The coins live on the ledger; the wallet holds the keys that authorize moving them. Understanding that one distinction explains why losing a seed phrase is fatal and why "not your keys, not your coins" is more than a slogan.
One Secret, Two Public Faces
Everything starts with a private key: a 256-bit random number (strictly, an integer between 1 and n-1, where n is the order of the curve). From it, elliptic-curve scalar multiplication derives the public key: the private key times a fixed generator point. The math runs easily in one direction (private to public) and is infeasible to reverse (public back to private); going backwards would mean solving the elliptic-curve discrete logarithm problem. Bitcoin and Ethereum both use the secp256k1 curve for this. Your address is then a hash of the public key, shortened and checksummed: Bitcoin's common address types hash the key with SHA-256 then RIPEMD-160 and encode the result with a Base58Check or bech32 checksum, while Ethereum keeps the last 20 bytes of the Keccak-256 hash and adds an optional mixed-case checksum (EIP-55). A mistyped address fails the checksum and is rejected rather than silently sending funds into the void, with one caveat: an all-lowercase Ethereum address carries no checksum at all, so a wallet can only catch typos in an address that was pasted in its checksummed form.
Signing Proves Control Without Revealing the Secret
To spend funds you create a digital signature (ECDSA over secp256k1; Bitcoin also accepts Schnorr signatures since Taproot) over a hash of the transaction using your private key. Anyone can verify that signature against your public key, which Bitcoin reveals in the spending input and Ethereum recovers from the signature itself. The signature is valid only for that exact transaction; change one output, one amount, or one byte of the encoding and the signature no longer verifies. So the network learns "whoever controls this key approved this exact transfer" without ever seeing the private key itself.
This is why nodes never need to trust you and you never need to trust them. The signature is self-proving math.
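The key derivation and address construction from the previous section and the sign-then-verify step from this one, as one added example that is not code from the original post: a private key is turned into a secp256k1 public key, then into an EIP-55 checksummed Ethereum address (so this needs a Keccak-256, which the standard library lacks; a compact one is included), and an ECDSA signature over a constructed stand-in for a transaction is verified and then shown to fail once the message is altered. Everything here is an illustration written for this page in pure Python with no third-party packages; it is not constant-time and must not be used to protect real funds.

```python
"""Added example, not from the original post: one secp256k1 key pair, its
Ethereum address with EIP-55 checksum, and an ECDSA signature over a constructed
transaction. Standard library only; not constant-time, never use for real funds."""
import hashlib
import secrets

# secp256k1 domain parameters, the curve Bitcoin and Ethereum use
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0: return None
    if a == b: lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:      lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add: easy forward (private -> public), no known way back."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

# Keccak-256 as Ethereum uses it (SHA3-256 differs only in the padding byte)
_RC = [0x0000000000000001, 0x0000000000008082, 0x800000000000808A, 0x8000000080008000,
       0x000000000000808B, 0x0000000080000001, 0x8000000080008081, 0x8000000000008009,
       0x000000000000008A, 0x0000000000000088, 0x0000000080008009, 0x000000008000000A,
       0x000000008000808B, 0x800000000000008B, 0x8000000000008089, 0x8000000000008003,
       0x8000000000008002, 0x8000000000000080, 0x000000000000800A, 0x800000008000000A,
       0x8000000080008081, 0x8000000000008080, 0x0000000080000001, 0x8000000080008008]
_ROT = [0, 1, 62, 28, 27, 36, 44, 6, 55, 20, 3, 10, 43, 25, 39,
        41, 45, 15, 21, 8, 18, 2, 61, 56, 14]          # rho offsets, lane index x + 5*y
_M64 = (1 << 64) - 1
def _rol(v, r): return ((v << r) | (v >> (64 - r))) & _M64

def _keccak_f(s):
    for rc in _RC:
        c = [s[x] ^ s[x + 5] ^ s[x + 10] ^ s[x + 15] ^ s[x + 20] for x in range(5)]  # theta
        d = [c[(x - 1) % 5] ^ _rol(c[(x + 1) % 5], 1) for x in range(5)]
        s = [s[i] ^ d[i % 5] for i in range(25)]
        b = [0] * 25                                                                 # rho + pi
        for x in range(5):
            for y in range(5):
                b[y + 5 * ((2 * x + 3 * y) % 5)] = _rol(s[x + 5 * y], _ROT[x + 5 * y])
        s = [b[i] ^ (~b[(i + 1) % 5 + 5 * (i // 5)] & b[(i + 2) % 5 + 5 * (i // 5)]) for i in range(25)]  # chi
        s[0] ^= rc                                                                   # iota
    return s

def keccak256(data: bytes) -> bytes:
    rate, s = 136, [0] * 25
    buf = bytearray(data) + b"\x01"          # pad10*1 with Keccak's 0x01 domain byte
    buf += b"\x00" * (-len(buf) % rate)
    buf[-1] |= 0x80
    for off in range(0, len(buf), rate):     # absorb one rate-sized block at a time
        for i in range(rate // 8):
            s[i] ^= int.from_bytes(buf[off + 8 * i: off + 8 * i + 8], "little")
        s = _keccak_f(s)
    return b"".join(s[i].to_bytes(8, "little") for i in range(4))   # squeeze 32 bytes

def eip55(hex40: str) -> str:
    """EIP-55: a hex letter is upper-cased when the matching nibble of keccak256(hex) >= 8."""
    mask = keccak256(hex40.encode()).hex()
    return "0x" + "".join(ch.upper() if int(mask[i], 16) >= 8 else ch for i, ch in enumerate(hex40))
def eth_address(priv: int) -> str:
    x, y = ec_mul(priv, G)                   # address = last 20 bytes of keccak256(x || y)
    return eip55(keccak256(x.to_bytes(32, "big") + y.to_bytes(32, "big"))[-20:].hex())
def checksum_ok(addr: str) -> bool:
    body = addr[2:]
    if body == body.lower() or body == body.upper():
        return True                          # no checksum present: accepted but unprotected
    return eip55(body.lower()) == addr

def sign(priv: int, msg: bytes):
    """ECDSA over sha256(msg). k must be fresh and secret; a reused k leaks priv."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    while True:
        k = secrets.randbelow(N - 1) + 1
        r = ec_mul(k, G)[0] % N
        s = pow(k, -1, N) * (z + r * priv) % N
        if r and s:
            return r, min(s, N - s)          # low-s form (Ethereum consensus, Bitcoin relay policy)
def verify(pub, msg: bytes, sig) -> bool:
    r, s = sig
    if not (0 < r < N and 0 < s < N): return False
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(z * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r
```

Two design points worth noticing. The nonce k in `sign` is drawn from `secrets` and never reused: two signatures that share a k reveal the private key by simple algebra, which is why production wallets use deterministic nonces (RFC 6979) rather than trusting a system RNG at signing time. And `checksum_ok` accepts an all-lowercase address as unchecksummed rather than wrong, which is exactly the EIP-55 gap mentioned above; a wallet that wants typo protection has to insist on the mixed-case form.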
Seed Phrases and Hierarchical Wallets
Managing one raw key per account would be miserable. Modern wallets start from 128 or 256 bits of random entropy, encoded as 12 or 24 BIP-39 words (the last word carries a checksum), stretch those words into a 512-bit seed, and deterministically derive an entire tree of key pairs from it (BIP-32, with BIP-44 fixing the account layout). That is why writing down those words restores every account in the wallet. An optional BIP-39 passphrase is mixed into the stretching step, so the same words with a different passphrase open a completely different, empty-looking wallet; forgetting the passphrase is as fatal as losing the words. The words are not a password to an online account; they are the master secret. Anyone with them has full control, forever, with no reset button.
Why There Is No "Forgot Password"
There is no server holding your balance and checking a login. Authorization is a signature the network verifies mathematically. No company can re-issue your key, reverse a confirmed transaction, or freeze a self-custodied address. That is the cost of removing trusted intermediaries: the security model is entirely on you.
Where the Risk Concentrates
- Seed phrase exposure: a photo, cloud backup, or phishing site is a total compromise.
- Weak randomness: a poorly generated private key can be guessed, and a predictable or reused ECDSA nonce leaks the key even when the key itself was random; quality entropy at both key generation and signing time is essential.
- Blind signing: approving a transaction you did not read can drain a wallet via a malicious contract.
- Address reuse: harmless to security but corrosive to privacy, since it links your activity.
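The blind-signing item deserves a concrete look at what a wallet is actually being asked to approve. Below is an added example, not code from the original post, that decodes the calldata of a contract call and flags the two shapes behind most drains: an ERC-20 `approve` for an unlimited amount, and an ERC-721/1155 `setApprovalForAll` granting an operator. The selectors are the standard ones (first four bytes of keccak256 of the function signature); the spender address and the allow-list are constructed for the illustration.

```python
"""Added example, not from the original post: decode the calldata a wallet asks
you to sign and flag the patterns behind most 'blind signing' drains. Sample
inputs are constructed; selectors are the standard ERC-20/ERC-721 ones."""
UNLIMITED = (1 << 256) - 1

# 4-byte selector -> (function name, static argument types); ABI pads each arg to 32 bytes
SELECTORS = {
    bytes.fromhex("095ea7b3"): ("approve", ["address", "uint256"]),
    bytes.fromhex("a9059cbb"): ("transfer", ["address", "uint256"]),
    bytes.fromhex("a22cb465"): ("setApprovalForAll", ["address", "bool"]),
}

def decode_calldata(data: bytes):
    """Return (name, args) for a known selector, None for an unknown one."""
    selector, body = data[:4], data[4:]
    if selector not in SELECTORS:
        return None
    name, types = SELECTORS[selector]
    if len(body) != 32 * len(types):
        raise ValueError("malformed calldata: expected 32 bytes per static argument")
    args = []
    for pos, kind in enumerate(types):
        word = body[32 * pos:32 * pos + 32]
        if kind == "address":
            if any(word[:12]):
                raise ValueError("address word has non-zero padding")
            args.append("0x" + word[12:].hex())
        elif kind == "uint256":
            args.append(int.from_bytes(word, "big"))
        elif kind == "bool":
            args.append(word[-1] == 1)
    return name, args

def risk_of(call, trusted_spenders=frozenset()):
    """Plain-language warnings a wallet should show before the user signs."""
    if call is None:
        return ["unknown function: the wallet can only show raw bytes"]
    name, args = call
    warnings = []
    if name == "approve" and args[1] == UNLIMITED:
        warnings.append(f"unlimited token approval to {args[0]}")
    if name == "setApprovalForAll" and args[1]:
        warnings.append(f"operator {args[0]} may move every NFT in this collection")
    if name in ("approve", "setApprovalForAll") and args[0].lower() not in trusted_spenders:
        warnings.append("spender is not on your allow-list")
    return warnings

def encode_call(selector_hex: str, address: str, value) -> bytes:
    """ABI-encode (address, uint256|bool); used here only to build the samples."""
    value_word = (1 if value is True else 0 if value is False else value).to_bytes(32, "big")
    return bytes.fromhex(selector_hex) + bytes(12) + bytes.fromhex(address[2:]) + value_word

# Constructed samples: a drainer's unlimited approve, an honest transfer, an operator grant
SPENDER = "0x" + "ab" * 20
APPROVE_ALL = encode_call("095ea7b3", SPENDER, UNLIMITED)
TRANSFER_ONE = encode_call("a9059cbb", SPENDER, 1)
OPERATOR_GRANT = encode_call("a22cb465", SPENDER, True)

if __name__ == "__main__":
    for sample in (APPROVE_ALL, TRANSFER_ONE, OPERATOR_GRANT, b"\xde\xad\xbe\xef"):
        call = decode_calldata(sample)
        print(call, risk_of(call))
```

Note what the unlimited approve looks like on the wire: the selector, 12 zero bytes, the spender, then 32 bytes of 0xff. It is not a transfer, it moves nothing today, and a wallet that only shows "value: 0 ETH" gives the user no reason to pause; the drain happens later, in a separate transaction the attacker sends without any further signature from you. An unknown selector is the other warning sign: if the wallet cannot decode the call, the user is signing bytes, and a hardware wallet with clear signing support will refuse or show the raw hex for that reason.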
The Bigger Picture
Public-key cryptography is the reason a global, permissionless ledger can exist at all. No usernames, no passwords, no central registry of who owns what, just key pairs and verifiable signatures. The same primitive underpins logins (passkeys), encrypted messaging, and TLS. Crypto simply made it the basis for owning money. Custody, covered in a later post, is the practical art of protecting that one secret.