
Storing and Using Bitcoins Safely

The document outlines methods for storing and using Bitcoins, emphasizing the importance of key management for security and convenience. It discusses hot and cold storage options, wallet software, and the concept of hierarchical key generation for better security. Additionally, it covers online wallets, exchanges, transaction fees, and market dynamics related to Bitcoin trading.

How to Store and Use Bitcoins

Simple Local Storage
To spend a Bitcoin, you need to know:
* some info from the public blockchain, and
* the owner’s secret signing key

So it’s all about key management.


Goals

availability: You can spend your coins.

security: Nobody else can spend your coins.

convenience
Simplest approach: store key in a file, on your computer or phone

Very convenient.
As available as your device.
device lost/wiped ⇒ key lost ⇒ coins lost
As secure as your device.
device compromised ⇒ key leaked ⇒ coins stolen
Wallet software
Keeps track of your coins, provides nice user interface.

Nice trick: use a separate address/key for each coin.

benefits privacy (looks like separate owners)
wallet can do the bookkeeping, user needn’t know
Encoding addresses
Encode as text string: base58 notation
123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz

or use QR code
Hot and Cold Storage
Hot storage: online; convenient but risky
Cold storage: offline; archival but safer
Hot and cold storage use separate keys.

[Figure: hot storage (online) holds the hot secret key(s) and the cold address(es); cold storage (offline) holds the cold secret key(s) and the hot address(es); payments move between the two.]
Problem:
Want to use a new address (and key) for each coin sent to cold
But how can hot wallet learn new addresses if cold wallet is offline?

Awkward solution:
Generate a big batch of addresses/keys, transfer to hot beforehand

Better solution:
Hierarchical wallet
Regular key generation:
generateKeys produces an address and a private key.

Hierarchical key generation:
generateKeysHier produces address gen info and private key gen info.
genAddr takes the address gen info and i, and produces the ith address.
genKey takes the private key gen info and i, and produces the ith key.
The address gen info doesn’t leak keys.

Hot side: address gen info, genAddr
Cold side: private key gen info, genKey
How to store cold info
(1) Info stored in device, device locked in a safe
(2) “Brain wallet”
encrypt info under passphrase that user remembers
(3) Paper wallet
print info on paper, lock up the paper
(4) In “tamperproof” device
device will sign things for you, but won’t divulge keys

[Figure: paper wallet]
Lecture 4.3: Splitting and Sharing Keys

Secret sharing
Idea: split secret into N pieces, such that
given any K pieces, can reconstruct the secret
given fewer than K pieces, don’t learn anything

Example: N=2, K=2
P = a large prime
S = secret in [0, P)
R = random in [0, P)
split:
X1 = (S+R) mod P
X2 = (S+2R) mod P
reconstruct:
(2X1-X2) mod P = S
[Figure: the points (0, S), (1, S+R), (2, S+2R), (3, S+3R), (4, S+4R) on a line with random slope R, axes x and y. Given any two points, can interpolate and find S (do arithmetic modulo large prime P).]
Secret sharing
Equation                               Random parameters   Points needed to recover S
(S + RX) mod P                         R                   2
(S + R1X + R2X^2) mod P                R1, R2              3
(S + R1X + R2X^2 + R3X^3) mod P        R1, R2, R3          4
etc.

support K-out-of-N splitting, for any K, N
Secret sharing
Good: Store shares separately, adversary must compromise several shares to get the key.

Bad: To sign, need to bring shares together, reconstruct the key. ⇐ vulnerable

Multi-sig
Lets you keep shares apart, approve transaction without reconstructing key at any point.

Example
Andrew, Arvind, Ed, and Joseph are co-workers.
Their company has lots of Bitcoins.

Each of the four generates a key-pair, puts secret key in a safe, private, offline place.

The company’s cold-stored coins use multi-sig, so that three of the four keys must sign to release a
Lecture 4.4: Online Wallets and Exchanges

Online wallet
like a local wallet
but “in the cloud”

runs in your browser


site sends code
site stores keys
you log in to access wallet
Online wallet tradeoffs
convenient: nothing to install, works on multiple devices

but security worries
vulnerable if site is malicious or compromised

ideally, site is run by security professionals

Bank-like services
you give the bank money (a “deposit”)
bank promises to pay you back later, on demand

bank doesn’t actually keep your money in the back room
typically, bank invests the money
keeps some around to meet withdrawals (“fractional reserve”)
Bitcoin Exchanges
accept deposits of Bitcoins and fiat currency ($, €, …)
promise to pay back on demand

lets customers:
make and receive Bitcoin payments
buy/sell Bitcoins for fiat currency
typically, match up BTC buyer with BTC seller

What happens when you buy BTC
suppose my account at Exchange holds $5000 + 3 BTC
I use Exchange to buy 2 BTC for $580 each

result: my account holds $3840 + 5 BTC

note: no BTC transaction appears on the blockchain
only effect: Exchange is making a different promise now
Exchanges: Pros and Cons
pro: connects BTC economy to fiat currency economy
easy to transfer value back and forth

con: risk
same kinds of risks as banks
Charles Ponzi scheme
Bank Regulation
for traditional banks, government typically:
imposes minimum reserve requirements
must hold some fraction of deposits in reserve
regulates behavior, investments
insures depositors against losses
acts as lender of last resort
Proof of Reserve
Bitcoin exchange can prove it has fractional reserve.
fraction can be 100%

Prove how much reserve you’re holding:
publish valid payment-to-self of that amount
sign a challenge string with the same private key
Merkle tree with subtree totals
each hashpointer includes total value in its subtree

[Figure: binary Merkle tree of hash pointers H( ) over eight leaves, the accounts of user1 through user8]
Checking that you’re represented in the tree
show O(log n) items

[Figure: path of hash pointers H( ) from the root down to your account]
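
A sketch of the tree with subtree totals and the O(log n) inclusion check, as an added example that is not the lecture's own code. SHA-256, the leaf and node encodings, the power-of-two account count, and all names and sample balances are assumptions.

```python
import hashlib

def leaf(user_id, balance):
    """Leaf node: (hash, total) for one customer account."""
    digest = hashlib.sha256(f"leaf|{user_id}|{balance}".encode()).digest()
    return (digest, balance)

def parent(left, right):
    """Hash pointer committing to both children and their subtree totals."""
    data = b"node|" + left[0] + right[0] + f"|{left[1]}|{right[1]}".encode()
    return (hashlib.sha256(data).digest(), left[1] + right[1])

def build(leaves):
    """Return all levels, leaves first; the root is levels[-1][0]."""
    if len(leaves) & (len(leaves) - 1) or not leaves:
        raise ValueError("this sketch needs a power-of-two number of accounts")
    levels = [leaves]
    while len(levels[-1]) > 1:
        cur = levels[-1]
        levels.append([parent(cur[i], cur[i + 1]) for i in range(0, len(cur), 2)])
    return levels

def prove(levels, index):
    """Sibling (hash, total) pairs from leaf to root: O(log n) items."""
    path = []
    for level in levels[:-1]:
        path.append(level[index ^ 1])
        index //= 2
    return path

def verify(root, user_id, balance, index, path):
    """Customer-side check that their balance is counted in the root total."""
    node = leaf(user_id, balance)
    for sibling in path:
        if sibling[1] < 0:   # a negative subtotal would understate liabilities
            return False
        node = parent(sibling, node) if index & 1 else parent(node, sibling)
        index //= 2
    return node == root

# Constructed sample data: eight accounts, as in the slide's figure.
ACCOUNTS = [(f"user{i}", 10 * i) for i in range(1, 9)]
LEVELS = build([leaf(u, b) for u, b in ACCOUNTS])
ROOT = LEVELS[-1][0]   # published by the exchange; ROOT[1] is the claimed total
```

Each customer runs verify against the published root; the root total is the deposit figure Y that the exchange has committed to.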
Proof of Reserve
Prove that you have at least X amount of reserve currency

Prove that customers have at most Y amount deposited

So reserve fraction ≥ X/Y

Lecture 4.5: Payment Services
Scenario: merchant accepts BTC
customer wants: to pay with Bitcoin
merchant wants:
* to receive dollars
* simple deployment
* low risk (tech risk, security risk, exchange rate risk)
[Figure: numbered message flow, steps (1) to (5), between the merchant, the payment service and the user. The merchant has the HTML for a payment button; the final step is (5) confirm <transID, amount>.]
End result
customer: pays Bitcoins
merchant: gets dollars, minus a small percentage
payment service:
gets Bitcoins
pays dollars (keeps small percentage)
absorbs risk: security, exchange rate
needs to exchange Bitcoins for dollars, in volume

Lecture 4.6: Transaction Fees
Recall:
transaction fee = value of inputs - value of outputs
fee goes to miner who records the transaction

How are transaction fees set today?

Costs resources for
peers to relay your transaction
miner to record your transaction

Transaction fee compensates for (some of) these costs

Generally, higher fee means transaction will be forwarded and recorded faster.

Current consensus fees:
No fee if
tx less than 1000 bytes in size,
all outputs are 0.01 BTC or larger, and
priority is large enough
Priority = (sum of inputAge*inputValue) / (trans size)

Otherwise fee is 0.0001 BTC per 1000 bytes

Approx transaction size: 148 N_inputs + 34 N_outputs + 10

Most miners enforce the consensus fee structure.

If you don’t pay the consensus fee, your transaction will take longer to be recorded.

Miners prioritize transactions based on fees and the priority formula.
Lecture 4.7: Currency Exchange Markets

Basic market dynamics

market matches buyer and seller

large, liquid market reaches a consensus price

price set by supply (of BTC) and demand (for BTC)

Supply of Bitcoins

supply = coins in circulation (+ demand deposits?)

coins in circulation: fixed number, currently ~13.1 million

When to include demand deposits?
When they can actually be sold in the market.

Demand for Bitcoins
BTC demanded to mediate fiat-currency transactions
Alice buys BTC for $
Alice sends BTC to Bob
Bob sells BTC for $
(BTC “out of circulation” during this time)

BTC demanded as an investment
if the market thinks demand will go up in future
Simple model of transaction-demand

T = total transaction value mediated via BTC ($ / sec)
D = duration that BTC is needed by a transaction (sec)
S = supply of BTC (not including BTC held as long-term investments)

Bitcoins become available per second: S/D
Bitcoins needed per second: T/P
Equilibrium: P = TD/S
