Chapter 4: How to Store and Use Bitcoins
This chapter is about how we store and use bitcoins in practice.
4.1 Simple Local Storage
Let’s begin with the simplest way of storing bitcoins, and that is simply putting them on a local device. As a recap, to spend a bitcoin you need to know some public information and some secret information. The public information is what goes on the block chain — the identity of the coin, how much it’s worth, and so on. The secret information is the secret key of the owner of the bitcoin, presumably, that’s you. You don’t need to worry too much about how to store the public information because you can always get it back when you need to. But the secret signing key is something you’d better keep track of. So in practice storing your bitcoins is all about storing and managing your keys.
Storing bitcoins is really all about storing and managing Bitcoin secret keys.
When figuring out how to store and manage keys, there are three goals to keep in mind. The first is availability: being able to actually spend your coins when you want to. The second is security: making sure that nobody else can spend your coins. If someone gets the power to spend your coins they could just send your coins to themselves, and then you don’t have the coins anymore. The third goal is convenience, that is, key management should be relatively easy to do. As you can imagine, achieving all three simultaneously can be a challenge.
The simplest key management method is storing them on a file on your own local device: your computer, your phone, or some other kind of gadget that you carry, or own, or control. This is great for convenience: having a smartphone app that allows spending coins with the push of a few buttons is hard to beat. But this isn’t great for availability or security — if you lose the device, if the device crashes, and you have to wipe the disc, or if your file gets corrupted, your keys are lost, and so are your coins. Similarly for security: if someone steals or breaks into your device, or it gets infected with malware, they can copy your keys and then they can send all your coins to themselves.
In other words, storing your private keys on a local device, especially a mobile device, is a lot like carrying around money in your wallet or in your purse. It’s useful to have some spending money, but you don’t want to carry around your life savings because you might lose it, or somebody might steal it. So what you typically do is store a little bit of information/a little bit of money in your wallet, and keep most of your money somewhere else.
Different approaches to key management offer different trade-offs between availability, security, and convenience.
Wallets. If you’re storing your bitcoins locally, you’d typically use wallet software, which is software that keeps track of all your coins, manages all the details of your keys, and makes things convenient with a nice user interface. If you want to send $4.25 worth of bitcoins to your local coffee shop the wallet software would give you some easy way to do that. Wallet software is especially useful because you typically want to use a whole bunch of different addresses with different keys associated with them. As you may remember, creating a new public/private key pair is easy, and you can utilize this to improve your anonymity or privacy. Wallet software gives you a simple interface that tells you how much is in your wallet. When you want to spend bitcoins, it handles the details of which keys to use and how to generate new addresses and so on.
Encoding keys: base 58 and QR codes. To spend or receive bitcoins, you also need a way to exchange an address with the other party — the address to which bitcoins are to be sent. There are two main ways in which addresses are encoded so that they can be communicated from receiver to spender: as a text string or as a QR code.
To encode an address as a text string, we take the bits of the key and convert it from a binary number to a base 58 number. Then we use a set of 58 characters to encode each digit as a character; this is called base58 notation. Why 58? Because that’s the number we get when we include the upper case letters, lower case letters, as well as digits as characters, but leave out a few that might be confusing or might look like another character. For example, capital letter ‘O’ and zero are both taken out because they look too much alike. This allows encoded addresses to be read out over the phone or read from printed paper and typed in, should that be necessary. Ideally such manual methods of communicating addresses can be avoided through methods such as QR codes, which we now discuss.
Figure 4.1: a QR code representing an actual Bitcoin address. Feel free to send us some bitcoins.
1A1zP1eP5QGefi2DMPTfTL5SLmv7DivfNa
The address that received the very first Bitcoin block reward in the genesis block, base58 encoded.
The second method for encoding a Bitcoin address is as a QR code, a simple kind of 2-dimensional barcode. The advantage of a QR code is that you can take a picture of it with a smartphone and wallet software can automatically turn the barcode into the sequence of bits that represents the corresponding Bitcoin address. This is useful in a store, for example: the check-out system might display a QR code and you can pay with your phone by scanning the code and sending coins to that address. It is also useful for phone-to-phone transfers.
Vanity addresses. Some individuals or merchants like to have an address that starts with some human-meaningful text. For example, the gambling website Satoshi Bones has users send money to addresses containing the string “bones” in positions 2–6, such as 1bonesEeTcABPjLzAb1VkFgySY6Zqu3sX (all regular addresses begin with the character 1, indicating pay-to-pubkey-hash.)
We said that addresses are outputs of a hash function, which produces random-looking data, so how did the string “bones” get in there? If Satoshi Bones were simply making up these addresses, lacking the ability to invert the hash function, they wouldn’t know the corresponding private keys and hence wouldn’t actually control those addresses. Instead, they repeatedly generated private keys until they got lucky and found one which hashed to this pattern. Such addresses are called vanity addresses and there are tools to generate them.
How much work does this take? Since there are 58 possibilities for every character, if you want to find an address which starts with a specific k-character string, you’ll need to generate 58^k addresses on average until you get lucky. So finding an address starting with “bones” would have required generating over 600 million addresses! This can be done on a normal laptop nowadays. But it gets exponentially harder with each extra character. Finding a 15-character prefix would require an infeasible amount of computation and (without finding a break in the underlying hash function) should be impossible.
Sidebar: Speeding up vanity address generation. In Bitcoin, if we call the private key x, the public key is g^x. The exponentiation represents what’s called scalar multiplication in an elliptic curve group. The address is H(g^x), the hash of the public key. We won’t get into the details here, but exponentiation is the slow step in address generation.
The naive way to generate vanity addresses would be to pick a pseudorandom x, compute H(g^x), and repeat if that address doesn’t work. A much faster approach is to try x+1 if the first x fails, and continue incrementing instead of picking a fresh x each time. That’s because g^{x+1} = g · g^x, and we’ve already computed g^x, so we only need a multiplication operation for each address instead of an exponentiation, and that’s much faster. In fact, it speeds up vanity address generation by over two orders of magnitude.
4.2 Hot and Cold Storage
As we just saw, storing bitcoins on your computer is like carrying money around in your wallet or your purse. This is called “hot storage”. It’s convenient but also somewhat risky. On the other hand, “cold
storage” is offline. It’s locked away somewhere. It’s not connected to the internet, and it’s archival. So it’s safer and more secure, but of course, not as convenient. This is similar to how you carry some money around on your person, but put your life’s savings somewhere safer.
To have separate hot and cold storage, obviously you need to have separate secret keys for each — otherwise the coins in cold storage would be vulnerable if the hot storage is compromised. You’ll want to move coins back and forth between the hot side and the cold side, so each side will need to know the other’s addresses, or public keys.
Cold storage is not online, and so the hot storage and the cold storage won’t be able to connect to each other across any network. But the good news is that cold storage doesn’t have to be online to receive coins — since the hot storage knows the cold storage addresses, it can send coins to cold storage at any time. At any time if the amount of money in your hot wallet becomes uncomfortably large, you can transfer a chunk of it over to cold storage, without putting your cold storage at risk by connecting to the network. Next time the cold storage connects it will be able to receive from the block chain information about those transfers to it and then the cold storage will be able to do what it wants with those coins.
But there’s a little problem when it comes to managing cold storage addresses. On the one hand, as we saw earlier, for privacy and other reasons we want to be able to receive each coin at a separate address with different secret keys. So whenever we transfer a coin from the hot side to the cold side we’d like to use a fresh cold address for that purpose. But because the cold side is not online we have to have some way for the hot side to find out about those addresses.
The blunt solution is for the cold side to generate a big batch of addresses all at once and send those over for the hot side to use them up one by one. The drawback is that we have to periodically reconnect the cold side in order to transfer more addresses.
Hierarchical wallets. A more effective solution is to use a hierarchical wallet. It allows the cold side to use an essentially unbounded number of addresses and the hot side to know about these addresses, but with only a short, one-time communication between the two sides. But it requires a little bit of cryptographic trickery.
To review, previously when we talked about key generation and digital signatures back in chapter 1, we looked at a function called generateKeys that generates a public key (which acts as an address) and a secret key. In a hierarchical wallet, key generation works differently. Instead of generating a single address we generate what we’ll call address generation info, and rather than a private key we generate what we’ll call private key generation info. Given the address generation info, we can generate a sequence of addresses: we apply an address generation function that takes as input the address generation info and any integer i and generates the i’th address in the sequence. Similarly we can generate a sequence of private keys using the private key generation info.
The cryptographic magic that makes this useful is that for every i, the i’th address and i’th secret key “match up” — that is, the i’th secret key controls, and can be used to spend, bitcoins from the i’th address just as if the pair were generated the old fashioned way. So it’s as if we have a sequence of regular key pairs.
The other important cryptographic property here is security: the address generation info doesn’t leak any information about the private keys. That means that it’s safe to give the address generation info to anybody, and so anybody can be enabled to generate the i’th key.
Now, not all digital signature schemes that exist can be modified to support hierarchical key generation. Some can and some can’t, but the good news is that the digital signature scheme used by Bitcoin, ECDSA, does support hierarchical key generation, allowing this trick. That is, the cold side generates arbitrarily many keys and the hot side generates the corresponding addresses.
Figure 4.2: Schema of a hierarchical wallet. The cold side creates and saves private key generation info and address generation info. It does a one-time transfer of the latter to the hot side. The hot side generates a new address sequentially every time it wants to send coins to the cold side. When the cold side reconnects, it generates addresses sequentially and checks the block chain for transfers to those addresses until it reaches an address that hasn’t received any coins. It can also generate private keys sequentially if it wants to send some coins back to the hot side or spend them some other way.
Here’s how it works. Recall that normally an ECDSA private key is a random number x and the corresponding public key is g^x. For hierarchical key generation, we’ll need two other random values k and y.
Private key generation info: k, y
i’th private key: x_i = y + H(k‖i)
Address generation info: k, g^y
i’th public key: g^{x_i} = g^{H(k‖i)} · g^y
i’th address: H(g^{x_i})
This has all the properties that we want: each side is able to generate its sequence of keys, and the corresponding keys match up (because the public key corresponding to a private key x is g^x). It has one other property that we haven’t talked about: when you give out the public keys, those keys won’t be linkable to each other, that is, it won’t be possible to infer that they come from the same wallet. The straw-man solution of having the cold side generate a big batch of addresses does have this property, but we had to take care to preserve it with the new technique, considering that the keys aren’t in fact independently generated. This property is important for privacy and anonymity, which will be the topic of Chapter 6.
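The derivation above, carried out on Bitcoin’s actual curve, as an added example that is not part of the original chapter: the cold side computes x_i = y + H(k‖i) from (k, y), the hot side computes g^{x_i} = g^{H(k‖i)} · g^y from (k, g^y), and the two are checked to yield the same address. The secp256k1 constants are the standard ones; the elliptic-curve arithmetic, the choice of SHA-256 for H, the simplified address function, and the values Y and K are all this example’s own assumptions.

```python
import hashlib

# secp256k1 parameters (Bitcoin's curve): field prime, group order, generator point
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Group operation on secp256k1 points; None stands for the point at infinity."""
    if p1 is None or p2 is None:
        return p1 or p2
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P  # tangent slope (curve has a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point=G):
    """Scalar multiplication k*point (written g^k in the chapter), double-and-add."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result

def H(k, i):
    """H(k ‖ i) reduced mod the group order, so it can be added to a private key."""
    return int.from_bytes(hashlib.sha256(k + i.to_bytes(4, "big")).digest(), "big") % N

def address(pub):
    """Simplified address: hash of the compressed public key (Bitcoin adds RIPEMD160 and base58check)."""
    prefix = b"\x02" if pub[1] % 2 == 0 else b"\x03"
    return hashlib.sha256(prefix + pub[0].to_bytes(32, "big")).hexdigest()

def cold_private_key(y, k, i):
    """Cold side, from private key generation info (k, y): x_i = y + H(k ‖ i)."""
    return (y + H(k, i)) % N

def hot_public_key(gy, k, i):
    """Hot side, from address generation info (k, g^y): g^{x_i} = g^{H(k ‖ i)} · g^y."""
    return ec_add(ec_mul(H(k, i)), gy)

def keys_match(y, k, i):
    """Check that the hot side's i'th address is controlled by the cold side's i'th key."""
    hot_addr = address(hot_public_key(ec_mul(y), k, i))
    cold_addr = address(ec_mul(cold_private_key(y, k, i)))
    return hot_addr == cold_addr

Y = int.from_bytes(hashlib.sha256(b"constructed example y").digest(), "big") % N  # constructed
K = b"constructed example k"                                                       # constructed
ALL_MATCH = all(keys_match(Y, K, i) for i in range(3))  # True
```

The hot side never sees Y, only ec_mul(Y) and K, which is exactly why a compromise of the hot side costs unlinkability but not the coins.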
Here we have two levels of security, with the hot side being at a lower level. If the hot side is compromised, the unlinkability property that we just discussed will be lost, but the private keys (and the bitcoins) are still safe. In general, this scheme supports arbitrarily many security levels — hence “hierarchical” — although we haven’t seen the details. This can be useful, for instance, when there are multiple levels of delegation within a company.
Now let’s talk about the different ways in which cold information — whether one or more keys, or key-generation info — can be stored. The first way is to store it in some kind of device and put that device in a safe. It might be a laptop computer, a mobile phone or tablet, or a thumb drive. The important thing is to turn the device off and lock it up, so that if somebody wants to steal it they have to break into the locked storage.
Brain wallet. The second method we can use is called a brain wallet. This is a way to control access to bitcoins using nothing but a secret passphrase. This avoids the need for hard drives, paper, or any other long-term storage mechanism. This property can be particularly useful in situations where you have poor physical security, perhaps when you’re traveling internationally.
The key trick behind a brain wallet is to have a predictable algorithm for turning a passphrase into a public and private key. For example, you could hash the passphrase with a suitable hash function to derive the private key, and given the private key, the public key can be derived in a standard way. Further, combining this with the hierarchical wallet technique we saw earlier, we can generate an entire sequence of addresses and private keys from a passphrase, thus enabling a complete wallet.
However, an adversary can also obtain all private keys in a brain wallet if they can guess the passphrase. As always in computer security, we must assume that the adversary knows the procedure you used to generate keys, and only your passphrase provides security. So the adversary can try various passphrases and generate addresses using them; if he finds any unspent transactions on the block chain at any of those addresses, he can immediately transfer them to himself. The adversary may never know (or care) who the coins belonged to and the attack doesn’t require breaking into any machines. Guessing brain wallet passphrases is not directed toward specific users, and further, leaves no trace.
Furthermore, unlike the task of guessing your email password which can be rate-limited by your email server (called online guessing), with brain wallets the attacker can download the list of addresses with unredeemed coins and try as many potential passphrases as they have the computational capacity to check. Note that the attacker doesn’t need to know which addresses correspond to brain wallets. This is called offline guessing or password cracking. It is much more challenging to come up with passphrases that are easy to memorize and yet won’t be vulnerable to guessing in this manner. One secure way to generate a passphrase is to have an automatic procedure for picking a random 80-bit number and turning that number into a passphrase in such a way that different numbers result in different passphrases.
Sidebar: generating memorable passphrases. One passphrase-generation procedure that gives about 80 bits of entropy is to pick a random sequence of 6 words from among the 10,000 most common English words (6 × log_2(10000) is roughly 80). Many people find these easier to memorize than a random string of characters. Here are a couple of passphrases generated this way.
worntillalloyfocusingokayreducing
earthdutchfaketireddotoccasions
In practice, it is also wise to use a deliberately slow function to derive the private key from the passphrase to ensure it takes as long as possible for the attacker to try all possibilities. This is known as key stretching. To create a deliberately slow key-derivation function, we can take a fast cryptographic hash function like SHA-256 and compute, say, 2^20 iterations of it, multiplying the attacker’s workload by a factor of 2^20. Of course, if we make it too slow it will start to become annoying to the user as their device must re-compute this function any time they want to spend coins from their brain wallet.
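The sidebar’s passphrase procedure and the key stretching just described, as an added example that is not part of the original chapter: the entropy of a 6-word passphrase is computed from the real list size, a passphrase is drawn with a cryptographic RNG, and the private key is derived by iterating SHA-256 2^20 times. The short word list is a constructed stand-in for the 10,000-word list, and reducing the digest into the secp256k1 key range is this example’s own choice.

```python
import hashlib
import math
import secrets

# Group order of secp256k1: a usable ECDSA private key is an integer in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Constructed stand-in for "the 10,000 most common English words". A real
# implementation loads the full list; the entropy figure below uses the real size.
WORDLIST_SIZE = 10_000
SAMPLE_WORDS = ["worn", "till", "alloy", "focusing", "okay", "reducing",
                "earth", "dutch", "fake", "tired", "dot", "occasions"]

def passphrase_entropy_bits(num_words, wordlist_size=WORDLIST_SIZE):
    """Entropy of num_words words drawn uniformly with replacement: num_words * log2(size)."""
    return num_words * math.log2(wordlist_size)

def generate_passphrase(num_words=6, words=SAMPLE_WORDS):
    """Draw the words with a CSPRNG; this is the 'random 80-bit number' turned into words."""
    return "".join(secrets.choice(words) for _ in range(num_words))

def stretched_private_key(passphrase, iterations=1 << 20):
    """Brain-wallet key derivation with key stretching: iterate SHA-256 2^20 times,
    so every passphrase guess costs the attacker 2^20 hashes, just as it costs the user."""
    digest = passphrase.encode("utf-8")
    for _ in range(iterations):
        digest = hashlib.sha256(digest).digest()
    # Map the final digest into the valid private-key range [1, N-1].
    return int.from_bytes(digest, "big") % (N - 1) + 1
```

With the default 2^20 iterations the derivation takes on the order of a second in CPython, which is the intended cost; the same delay applies to every guess an attacker makes.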
If a brain wallet passphrase is inaccessible — say it’s been forgotten, hasn’t been written down, and can’t be guessed — then the coins are lost forever.
Paper wallet. The third option is what’s called a paper wallet. We can print the key material to paper and then put that paper into a safe or secure place. Obviously, the security of this method is just as good or bad as the physical security of the paper that we’re using. Typical paper wallets encode both the public and private key in two ways: as a 2D barcode and in base 58 notation. Just like with a brain wallet, storing a small amount of key material is sufficient to re-create a wallet.
Figure 4.3: A Bitcoin paper wallet with the public key encoded both as a 2D barcode and in base 58 notation. Observe that the private key is behind a tamper-evident