is my mew wallet suppose to open when sending coins without

CLICK HERE
 
 

 
https://myetherwallet.com
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 

Mastering Bitcoin by

 
is my mew wallet suppose to open when sending coins without

What to do if you lose your crypto walletGoogle Cautare de cartiWhat are the Safest Ways to Store Bitcoin?Introduction to the Bitcoin Wallet
 
When you open your wallet, it will catch up to the current status by the idea to not connect to the internet so nobody can steal your coins (or rather. Would the clergyman of the parish the verdict having been given without any in solemnizing marriage between accordingly , and a new jury sworn.

What to do if you lose your crypto wallet

 
Cryptocurrency Wallet Guide: A Step-By-Step TutorialBitcoin Wallet
Ownership of bitcoin is established through digital keys , bitcoin addresses , and digital signatures. The digital keys are not actually stored in the network, but are instead created and stored by users in a file, or simple database, called a wallet. Keys enable many of the interesting properties of bitcoin, including de-centralized trust and control, ownership attestation, and the cryptographic-proof security model. Every bitcoin transaction requires a valid signature to be included in the blockchain, which can only be generated with valid digital keys; therefore, anyone with a copy of those keys has control of the bitcoin in that account. Keys come in pairs consisting of a private secret key and a public key. Think of the public key as similar to a bank account number and the private key as similar to the secret PIN, or signature on a check that provides control over the account. These digital keys are very rarely seen by the users of bitcoin. For the most part, they are stored inside the wallet file and managed by the bitcoin wallet software. In most cases, a bitcoin address is generated from and corresponds to a public key. However, not all bitcoin addresses represent public keys; they can also represent other beneficiaries such as scripts, as we will see later in this chapter. The bitcoin address is the only representation of the keys that users will routinely see, because this is the part they need to share with the world. In this chapter we will introduce wallets, which contain cryptographic keys. We will look at how keys are generated, stored, and managed. We will review the various encoding formats used to represent private and public keys, addresses, and script addresses. Finally, we will look at special uses of keys: to sign messages, to prove ownership, and to create vanity addresses and paper wallets. Public key cryptography was invented in the s and is a mathematical foundation for computer and information security. Since the invention of public key cryptography, several suitable mathematical functions, such as prime number exponentiation and elliptic curve multiplication, have been discovered. These mathematical functions are practically irreversible, meaning that they are easy to calculate in one direction and infeasible to calculate in the opposite direction. Based on these mathematical functions, cryptography enables the creation of digital secrets and unforgeable digital signatures. Bitcoin uses elliptic curve multiplication as the basis for its public key cryptography. In bitcoin, we use public key cryptography to create a key pair that controls access to bitcoins. The key pair consists of a private key and—derived from it—a unique public key. The public key is used to receive bitcoins, and the private key is used to sign transactions to spend those bitcoins. There is a mathematical relationship between the public and the private key that allows the private key to be used to generate signatures on messages. This signature can be validated against the public key without revealing the private key. When spending bitcoins, the current bitcoin owner presents her public key and a signature different each time, but created from the same private key in a transaction to spend those bitcoins. Through the presentation of the public key and signature, everyone in the bitcoin network can verify and accept the transaction as valid, confirming that the person transferring the bitcoins owned them at the time of the transfer. In most wallet implementations, the private and public keys are stored together as a key pair for convenience. However, the public key can be calculated from the private key, so storing only the private key is also possible. A bitcoin wallet contains a collection of key pairs, each consisting of a private key and a public key. The private key k is a number, usually picked at random. From the private key, we use elliptic curve multiplication, a one-way cryptographic function, to generate a public key K. From the public key K , we use a one-way cryptographic hash function to generate a bitcoin address A. In this section, we will start with generating the private key, look at the elliptic curve math that is used to turn that into a public key, and finally, generate a bitcoin address from the public key. The relationship between private key, public key, and bitcoin address is shown in Figure A private key is simply a number, picked at random. Ownership and control over the private key is the root of user control over all funds associated with the corresponding bitcoin address. The private key is used to create signatures that are required to spend bitcoins by proving ownership of funds used in a transaction. The private key must remain secret at all times, because revealing it to third parties is equivalent to giving them control over the bitcoins secured by that key. The bitcoin private key is just a number. You can pick your private keys randomly using just a coin, pencil, and paper: toss a coin times and you have the binary digits of a random private key you can use in a bitcoin wallet. The public key can then be generated from the private key. The first and most important step in generating keys is to find a secure source of entropy, or randomness. Usually, the OS random number generator is initialized by a human source of randomness, which is why you may be asked to wiggle your mouse around for a few seconds. For the truly paranoid, nothing beats dice, pencil, and paper. To create such a key, we randomly pick a bit number and check that it is less than n - 1. In programming terms, this is usually achieved by feeding a larger string of random bits, collected from a cryptographically secure source of randomness, into the SHA hash algorithm that will conveniently produce a bit number. If the result is less than n - 1 , we have a suitable private key. Otherwise, we simply try again with another random number. Study the documentation of the random number generator library you choose to make sure it is cryptographically secure. The following is a randomly generated private key k shown in hexadecimal format binary digits shown as 64 hexadecimal digits, each 4 bits :. It is approximately 10 77 in decimal. The visible universe is estimated to contain 10 80 atoms. To generate a new key with the Bitcoin Core client see Chapter 3 , use the getnewaddress command. For security reasons it displays the public key only, not the private key. To ask bitcoind to expose the private key, use the dumpprivkey command. The dumpprivkey command shows the private key in a Base58 checksum-encoded format called the Wallet Import Format WIF , which we will examine in more detail in Private key formats. The dumpprivkey command opens the wallet and extracts the private key that was generated by the getnewaddress command. It is not otherwise possible for bitcoind to know the private key from the public key, unless they are both stored in the wallet. The dumpprivkey command is not generating a private key from a public key, as this is impossible. The command simply reveals the private key that is already known to the wallet and which was generated by the getnewaddress command. You can also use the command-line sx tools see Libbitcoin and sx Tools to generate and display private keys with the sx command newkey :. The public key is calculated from the private key using elliptic curve multiplication, which is irreversible: where k is the private key, G is a constant point called the generator point and K is the resulting public key. Elliptic curve cryptography is a type of asymmetric or public-key cryptography based on the discrete logarithm problem as expressed by addition and multiplication on the points of an elliptic curve. Figure is an example of an elliptic curve, similar to that used by bitcoin. Bitcoin uses a specific elliptic curve and set of mathematical constants, as defined in a standard called secpk1 , established by the National Institute of Standards and Technology NIST. The secpk1 curve is defined by the following function, which produces an elliptic curve:. Because this curve is defined over a finite field of prime order instead of over the real numbers, it looks like a pattern of dots scattered in two dimensions, which makes it difficult to visualize. However, the math is identical as that of an elliptic curve over the real numbers. As an example, Figure shows the same elliptic curve over a much smaller finite field of prime order 17, showing a pattern of dots on a grid. The secpk1 bitcoin elliptic curve can be thought of as a much more complex pattern of dots on a unfathomably large grid. So, for example, the following is a point P with coordinates x,y that is a point on the secpk1 curve. You can check this yourself using Python:. Geometrically, this third point P 3 is calculated by drawing a line between P 1 and P 2. This line will intersect the elliptic curve in exactly one additional place. This tangent will intersect the curve in exactly one new point. You can use techniques from calculus to determine the slope of the tangent line. These techniques curiously work, even though we are restricting our interest to points on the curve with two integer coordinates! In some cases i. This shows how the point at infinity plays the role of 0. Now that we have defined addition, we can define multiplication in the standard way that extends addition. Starting with a private key in the form of a randomly generated number k , we multiply it by a predetermined point on the curve called the generator point G to produce another point somewhere else on the curve, which is the corresponding public key K. The generator point is specified as part of the secpk1 standard and is always the same for all keys in bitcoin:. Because the generator point is always the same for all bitcoin users, a private key k multiplied with G will always result in the same public key K. The relationship between k and K is fixed, but can only be calculated in one direction, from k to K. A private key can be converted into a public key, but a public key cannot be converted back into a private key because the math only works one way. Implementing the elliptic curve multiplication, we take the private key k generated previously and multiply it with the generator point G to find the public key K:. To visualize multiplication of a point with an integer, we will use the simpler elliptic curve over the real numbers—remember, the math is the same. Our goal is to find the multiple kG of the generator point G. That is the same as adding G to itself, k times in a row. In elliptic curves, adding a point to itself is the equivalent of drawing a tangent line on the point and finding where it intersects the curve again, then reflecting that point on the x-axis. Figure shows the process for deriving G, 2G, 4G, as a geometric operation on the curve. Most bitcoin implementations use the OpenSSL cryptographic library to do the elliptic curve math. A bitcoin address is a string of digits and characters that can be shared with anyone who wants to send you money. Because paper checks do not need to specify an account, but rather use an abstract name as the recipient of funds, that makes paper checks very flexible as payment instruments. Bitcoin transactions use a similar abstraction, the bitcoin address, to make them very flexible. The bitcoin address is derived from the public key through the use of one-way cryptographic hashing. Cryptographic hash functions are used extensively in bitcoin: in bitcoin addresses, in script addresses, and in the mining proof-of-work algorithm. A bitcoin address is not the same as a public key. Bitcoin addresses are derived from a public key using a one-way function. Base58Check is also used in many other ways in bitcoin, whenever there is a need for a user to read and correctly transcribe a number, such as a bitcoin address, a private key, an encrypted key, or a script hash. In the next section we will examine the mechanics of Base58Check encoding and decoding, and the resulting representations. Figure illustrates the conversion of a public key into a bitcoin address. In order to represent long numbers in a compact way, using fewer symbols, many computer systems use mixed-alphanumeric representations with a base or radix higher than For example, whereas the traditional decimal system uses the 10 numerals 0 through 9, the hexadecimal system uses 16, with the letters A through F as the six additional symbols. A number represented in hexadecimal format is shorter than the equivalent decimal representation. Base is most commonly used to add binary attachments to email. Base58 is a text-based binary-encoding format developed for use in bitcoin and used in many other cryptocurrencies. It offers a balance between compact representation, readability, and error detection and prevention. Base58 is a subset of Base64, using the upper- and lowercase letters and numbers, but omitting some characters that are frequently mistaken for one another and can appear identical when displayed in certain fonts. Or, more simply, it is a set of lower and capital letters and numbers without the four 0, O, l, I just mentioned. To add extra security against typos or transcription errors, Base58Check is a Base58 encoding format, frequently used in bitcoin, which has a built-in error-checking code. The checksum is an additional four bytes added to the end of the data that is being encoded. The checksum is derived from the hash of the encoded data and can therefore be used to detect and prevent transcription and typing errors. When presented with a Base58Check code, the decoding software will calculate the checksum of the data and compare it to the checksum included in the code. If the two do not match, that indicates that an error has been introduced and the Base58Check data is invalid. For example, this prevents a mistyped bitcoin address from being accepted by the wallet software as a valid destination, an error that would otherwise result in loss of funds. For example, in the case of a bitcoin address the prefix is zero 0x00 in hex , whereas the prefix used when encoding a private key is 0x80 in hex. A list of common version prefixes is shown in Table From the resulting byte hash hash-of-a-hash , we take only the first four bytes. These four bytes serve as the error-checking code, or checksum. The checksum is concatenated appended to the end. The result is composed of three items: a prefix, the data, and a checksum. This result is encoded using the Base58 alphabet described previously. Figure illustrates the Base58Check encoding process. In bitcoin, most of the data presented to the user is Base58Check-encoded to make it compact, easy to read, and easy to detect errors. The version prefix in Base58Check encoding is used to create easily distinguishable formats, which when encoded in Base58 contain specific characters at the beginning of the Base58Check-encoded payload. These characters make it easy for humans to identify the type of data that is encoded and how to use it. This is what differentiates, for example, a Base58Check-encoded bitcoin address that starts with a 1 from a Base58Check-encoded private key WIF format that starts with a 5. Some example version prefixes and the resulting Base58 characters are shown in Table The code example uses the libbitcoin library introduced in Alternative Clients, Libraries, and Toolkits for some helper functions. The code uses a predefined private key so that it produces the same bitcoin address every time it is run, as shown in Example Both private and public keys can be represented in a number of different formats. These representations all encode the same number, even though they look different. These formats are primarily used to make it easy for people to read and transcribe keys without introducing errors. The private key can be represented in a number of different formats, all of which correspond to the same bit number. Table shows three common formats used to represent private keys. Table shows the private key generated in these three formats. All of these representations are different ways of showing the same number, the same private key. They look different, but any one format can easily be converted to any other format. You can use sx tools to decode the Base58Check format on the command line. We use the base58check-decode command:. To encode into Base58Check the opposite of the previous command , we provide the hex private key, followed by the Wallet Import Format WIF version prefix Public keys are also presented in different ways, most importantly as either compressed or uncompressed public keys. As we saw previously, the public key is a point on the elliptic curve consisting of a pair of coordinates x,y. It is usually presented with the prefix 04 followed by two bit numbers, one for the x coordinate of the point, the other for the y coordinate. The prefix 04 is used to distinguish uncompressed public keys from compressed public keys that begin with a 02 or a Compressed public keys were introduced to bitcoin to reduce the size of transactions and conserve disk space on nodes that store the bitcoin blockchain database. As we saw in the section Public Keys , a public key is a point x,y on an elliptic curve. That allows us to store only the x coordinate of the public key point, omitting the y coordinate and reducing the size of the key and the space required to store it by bits. Whereas uncompressed public keys have a prefix of 04 , compressed public keys start with either a 02 or a 03 prefix. Visually, this means that the resulting y coordinate can be above the x-axis or below the x-axis. As you can see from the graph of the elliptic curve in Figure , the curve is symmetric, meaning it is reflected like a mirror by the x-axis. So, while we can omit the y coordinate we have to store the sign of y positive or negative , or in other words, we have to remember if it was above or below the x-axis because each of those options represents a different point and a different public key. Therefore, to distinguish between the two possible values of y, we store a compressed public key with the prefix 02 if the y is even, and 03 if it is odd, allowing the software to correctly deduce the y coordinate from the x coordinate and uncompress the public key to the full coordinates of the point. Public key compression is illustrated in Figure This compressed public key corresponds to the same private key, meaning that it is generated from the same private key. However, it looks different from the uncompressed public key. This can be confusing, because it means that a single private key can produce a public key expressed in two different formats compressed and uncompressed that produce two different bitcoin addresses. However, the private key is identical for both bitcoin addresses. Compressed public keys are gradually becoming the default across bitcoin clients, which is having a significant impact on reducing the size of transactions and therefore the blockchain. However, not all clients support compressed public keys yet. Newer clients that support compressed public keys have to account for transactions from older clients that do not support compressed public keys. This is especially important when a wallet application is importing private keys from another bitcoin wallet application, because the new wallet needs to scan the blockchain to find transactions corresponding to these imported keys. Which bitcoin addresses should the bitcoin wallet scan for? The bitcoin addresses produced by uncompressed public keys, or the bitcoin addresses produced by compressed public keys? Both are valid bitcoin addresses, and can be signed for by the private key, but they are different addresses! To resolve this issue, when private keys are exported from a wallet, the Wallet Import Format that is used to represent them is implemented differently in newer bitcoin wallets, to indicate that these private keys have been used to produce compressed public keys and therefore compressed bitcoin addresses. This allows the importing wallet to distinguish between private keys originating from older or newer wallets and search the blockchain for transactions with bitcoin addresses corresponding to the uncompressed, or the compressed, public keys, respectively. That is because it has the added 01 suffix, which signifies it comes from a newer wallet and should only be used to produce compressed public keys. Private keys are not compressed and cannot be compressed. Remember, these formats are not used interchangeably. In a newer wallet that implements compressed public keys, the private keys will only ever be exported as WIF-compressed with a K or L prefix. If the wallet is an older implementation and does not use compressed public keys, the private keys will only ever be exported as WIF with a 5 prefix. The goal here is to signal to the wallet importing these private keys whether it must search the blockchain for compressed or uncompressed public keys and addresses. If a bitcoin wallet is able to implement compressed public keys, it will use those in all transactions. The private keys in the wallet will be used to derive the public key points on the curve, which will be compressed. The compressed public keys will be used to produce bitcoin addresses and those will be used in transactions. When exporting private keys from a new wallet that implements compressed public keys, the Wallet Import Format is modified, with the addition of a one-byte suffix 01 to the private key. They are not compressed; rather, the WIF-compressed format signifies that they should only be used to derive compressed public keys and their corresponding bitcoin addresses. The most comprehensive bitcoin library in Python is pybitcointools by Vitalik Buterin. Example shows the output from running this code. Example is another example, using the Python ECDSA library for the elliptic curve math and without using any specialized bitcoin libraries. Example shows the output produced by running this script. Wallets are containers for private keys, usually implemented as structured files or simple databases. Another method for making keys is deterministic key generation. Here you derive each new private key, using a one-way hash function from a previous private key, linking them in a sequence. As long as you can re-create that sequence, you only need the first key known as a seed or master key to generate them all. In this section we will examine the different methods of key generation and the wallet structures that are built around them. Bitcoin wallets contain keys, not coins. Each user has a wallet containing keys. Users sign transactions with the keys, thereby proving they own the transaction outputs their coins. The coins are stored on the blockchain in the form of transaction-ouputs often noted as vout or txout. In the first bitcoin clients, wallets were simply collections of randomly generated private keys. This type of wallet is called a Type-0 nondeterministic wallet. For example, the Bitcoin Core client pregenerates random private keys when first started and generates more keys as needed, using each key only once. The disadvantage of random keys is that if you generate many of them you must keep copies of all of them, meaning that the wallet must be backed up frequently. Each key must be backed up, or the funds it controls are irrevocably lost if the wallet becomes inaccessible. This conflicts directly with the principle of avoiding address re-use, by using each bitcoin address for only one transaction. Address re-use reduces privacy by associating multiple transactions and addresses with each other. A Type-0 nondeterministic wallet is a poor choice of wallet, especially if you want to avoid address re-use because that means managing many keys, which creates the need for frequent backups. Although the Bitcoin Core client includes a Type-0 wallet, using this wallet is discouraged by developers of Bitcoin Core. Figure shows a nondeterministic wallet, containing a loose collection of random keys. In a deterministic wallet, the seed is sufficient to recover all the derived keys, and therefore a single backup at creation time is sufficient. Mnemonic codes are English word sequences that represent encode a random number used as a seed to derive a deterministic wallet. The sequence of words is sufficient to re-create the seed and from there re-create the wallet and all the derived keys. A wallet application that implements deterministic wallets with mnemonic code will show the user a sequence of 12 to 24 words when first creating a wallet. That sequence of words is the wallet backup and can be used to recover and re-create all the keys in the same or any compatible wallet application. Mnemonic code words make it easier for users to back up wallets because they are easy to read and correctly transcribe, as compared to a random sequence of numbers. Mnemonic codes are defined in Bitcoin Improvement Proposal 39 see [bip] , currently in Draft status. Note that BIP is a draft proposal and not a standard. Specifically, there is a different standard, with a different set of words, used by the Electrum wallet and predating BIP Table shows the relationship between the size of entropy data and the length of mnemonic codes in words. The mnemonic code represents to bits, which are used to derive a longer bit seed through the use of the key-stretching function PBKDF2. The resulting seed is used to create a deterministic wallet and all of its derived keys. Tables and show some examples of mnemonic codes and the seeds they produce. Hierarchical deterministic wallets contain keys derived in a tree structure, such that a parent key can derive a sequence of children keys, each of which can derive a sequence of grandchildren keys, and so on, to an infinite depth. This tree structure is illustrated in Figure HD wallets offer two major advantages over random nondeterministic keys. First, the tree structure can be used to express additional organizational meaning, such as when a specific branch of subkeys is used to receive incoming payments and a different branch is used to receive change from outgoing payments. Branches of keys can also be used in a corporate setting, allocating different branches to departments, subsidiaries, specific functions, or accounting categories. The second advantage of HD wallets is that users can create a sequence of public keys without having access to the corresponding private keys. This allows HD wallets to be used on an insecure server or in a receive-only capacity, issuing a different public key for each transaction. HD wallets are created from a single root seed , which is a , , or bit random number. Everything else in the HD wallet is deterministically derived from this root seed, which makes it possible to re-create the entire HD wallet from that seed in any compatible HD wallet. This makes it easy to back up, restore, export, and import HD wallets containing thousands or even millions of keys by simply transferring only the root seed. The root seed is most often represented by a mnemonic word sequence , as described in the previous section Mnemonic Code Words , to make it easier for people to transcribe and store it. The process of creating the master keys and master chain code for an HD wallet is shown in Figure The root seed is input into the HMAC-SHA algorithm and the resulting hash is used to create a master private key m and a master chain code. The chain code is used to introduce entropy in the function that creates child keys from parent keys, as we will see in the next section. Hierarchical deterministic wallets use a child key derivation CKD function to derive children keys from parent keys. The chain code is used to introduce seemingly random data to the process, so that the index is not sufficient to derive other child keys. Thus, having a child key does not make it possible to find its siblings, unless you also have the chain code. The initial chain code seed at the root of the tree is made from random data, while subsequent chain codes are derived from each parent chain code. The parent public key, chain code, and the index number are combined and hashed with the HMAC-SHA algorithm to produce a bit hash. The resulting hash is split into two halves. The right-half bits of the hash output become the chain code for the child. The left-half bits of the hash and the index number are added to the parent private key to produce the child private key. Changing the index allows us to extend the parent and create the other children in the sequence, e. Each parent key can have 2 billion children keys. Repeating the process one level down the tree, each child can in turn become a parent and create its own children, in an infinite number of generations. Child private keys are indistinguishable from nondeterministic random keys. Because the derivation function is a one-way function, the child key cannot be used to find the parent key. The child key also cannot be used to find any siblings. Only the parent key and chain code can derive all the children. Without the child chain code, the child key cannot be used to derive any grandchildren either. You need both the child private key and the child chain code to start a new branch and derive grandchildren. So what can the child private key be used for on its own? It can be used to make a public key and a bitcoin address. Then, it can be used to sign transactions to spend anything paid to that address. A child private key, the corresponding public key, and the bitcoin address are all indistinguishable from keys and addresses created randomly. The fact that they are part of a sequence is not visible, outside of the HD wallet function that created them. As we saw earlier, the key derivation function can be used to create children at any level of the tree, based on the three inputs: a key, a chain code, and the index of the desired child. The two essential ingredients are the key and chain code, and combined these are called an extended key. Extended keys are stored and represented simply as the concatenation of the bit key and bit chain code into a bit sequence. There are two types of extended keys. An extended private key is the combination of a private key and chain code and can be used to derive child private keys and from them, child public keys. An extended public key is a public key and chain code, which can be used to create child public keys, as described in Generating a Public Key. Think of an extended key as the root of a branch in the tree structure of the HD wallet. With the root of the branch, you can derive the rest of the branch. The extended private key can create a complete branch, whereas the extended public key can only create a branch of public keys. An extended key consists of a private or public key and chain code. An extended key can create children, generating its own branch in the tree structure. Sharing an extended key gives access to the entire branch. Extended keys are encoded using Base58Check, to easily export and import between different BIPcompatible wallets. Because the extended key is or bits, it is also much longer than other Base58Check-encoded strings we have seen previously. As mentioned previously, a very useful characteristic of hierarchical deterministic wallets is the ability to derive public child keys from public parent keys, without having the private keys. This gives us two ways to derive a child public key: either from the child private key, or directly from the parent public key. An extended public key can be used, therefore, to derive all of the public keys and only the public keys in that branch of the HD wallet structure. This shortcut can be used to create very secure public-key-only deployments where a server or application has a copy of an extended public key and no private keys whatsoever. That kind of deployment can produce an infinite number of public keys and bitcoin addresses, but cannot spend any of the money sent to those addresses. Meanwhile, on another, more secure server, the extended private key can derive all the corresponding private keys to sign transactions and spend the money. One common application of this solution is to install an extended public key on a web server that serves an ecommerce application. The web server can use the public key derivation function to create a new bitcoin address for every transaction e. The web server will not have any private keys that would be vulnerable to theft. Without HD wallets, the only way to do this is to generate thousands of bitcoin addresses on a separate secure server and then preload them on the ecommerce server. Another common application of this solution is for cold-storage or hardware wallets. In that scenario, the extended private key can be stored on a paper wallet or hardware device such as a Trezor hardware wallet , while the extended public key can be kept online. To spend the funds, the user can use the extended private key on an offline signing bitcoin client or sign transactions on the hardware wallet device e. Figure illustrates the mechanism for extending a parent public key to derive child public keys. The ability to derive a branch of public keys from an extended public key is very useful, but it comes with a potential risk. Access to an extended public key does not give access to child private keys. However, because the extended public key contains the chain code, if a child private key is known, or somehow leaked, it can be used with the chain code to derive all the other child private keys. A single leaked child private key, together with a parent chain code, reveals all the private keys of all the children. Worse, the child private key together with a parent chain code can be used to deduce the parent private key. The hardened derivation function uses the parent private key to derive the child chain code, instead of the parent public key. The hardened derivation function looks almost identical to the normal child private key derivation, except that the parent private key is used as input to the hash function, instead of the parent public key, as shown in the diagram in Figure When the hardened private derivation function is used, the resulting child private key and chain code are completely different from what would result from the normal derivation function. In simple terms, if you want to use the convenience of an extended public key to derive branches of public keys, without exposing yourself to the risk of a leaked chain code, you should derive it from a hardened parent, rather than a normal parent. As a best practice, the level-1 children of the master keys are always derived through the hardened derivation, to prevent compromise of the master keys. The index number used in the derivation function is a bit integer. To easily distinguish between keys derived through the normal derivation function versus keys derived through hardened derivation, this index number is split into two ranges. Therefore, if the index number is less than 2 31 , that means the child is normal, whereas if the index number is equal or above 2 31 , the child is hardened. To make the index number easier to read and display, the index number for hardened children is displayed starting from zero, but with a prime symbol. The first normal child key is therefore displayed as 0, whereas the first hardened child index 0x is displayed as 0'. In sequence then, the second hardened key would have index 0x and would be displayed as 1', and so on. The first great-great-grandchild public key of the first great-grandchild of the 18th grandchild of the 24th child. The HD wallet tree structure offers tremendous flexibility. Each parent extended key can have 4 billion children: 2 billion normal children and 2 billion hardened children. Each of those children can have another 4 billion children, and so on. The tree can be as deep as you want, with an infinite number of generations. With all that flexibility, however, it becomes quite difficult to navigate this infinite tree. It is especially difficult to transfer HD wallets between implementations, because the possibilities for internal organization into branches and subbranches are endless. Based on BIP, an HD wallet should use only one level-1 branch of the tree, with the index number identifying the structure and namespace of the rest of the tree by defining its purpose. Each account is the root of its own subtree. Note that whereas the previous levels used hardened derivation, this level uses normal derivation. This is to allow this level of the tree to export extended public keys for use in a nonsecured environment. Table shows a few more examples. Using the command-line tool sx , introduced in Chapter 3 , you can experiment with generating and extending BIP deterministic keys, as well as displaying them in different formats:. In the following sections we will look at advanced forms of keys and addresses, such as encrypted private keys, script and multisignature addresses, vanity addresses, and paper wallets. Private keys must remain secret. The need for confidentiality of the private keys is a truism that is quite difficult to achieve in practice, because it conflicts with the equally important security objective of availability. Keeping the private key private is much harder when you need to store backups of the private key to avoid losing it. A private key stored in a wallet that is encrypted by a password might be secure, but that wallet needs to be backed up. At times, users need to move keys from one wallet to another—to upgrade or replace the wallet software, for example. Private key backups might also be stored on paper see Paper Wallets or on external storage media, such as a USB flash drive. But what if the backup itself is stolen or lost? These conflicting security goals led to the introduction of a portable and convenient standard for encrypting private keys in a way that can be understood by many different wallets and bitcoin clients, standardized by Bitcoin Improvement Proposal 38 or BIP see [bip]. BIP proposes a common standard for encrypting private keys with a passphrase and encoding them with Base58Check so that they can be stored securely on backup media, transported securely between wallets, or kept in any other conditions where the key might be exposed. Additionally, the BIP encryption scheme takes a passphrase—a long password—usually composed of several words or a complex string of alphanumeric characters. The result of the BIP encryption scheme is a Base58Check-encoded encrypted private key that begins with the prefix 6P. If you see a key that starts with 6P , that means it is encrypted and requires a passphrase in order to convert decrypt it back into a WIF-formatted private key prefix 5 that can be used in any wallet. Many wallet applications now recognize BIPencrypted private keys and will prompt the user for a passphrase to decrypt and import the key. Third-party applications, such as the incredibly useful browser-based Bit Address Wallet Details tab , can be used to decrypt BIP keys. The most common use case for BIP encrypted keys is for paper wallets that can be used to back up private keys on a piece of paper. Test the encrypted keys in Table using bitaddress. They designate the beneficiary of a bitcoin transaction as the hash of a script, instead of the owner of a public key. The feature was introduced in January with Bitcoin Improvement Proposal 16, or BIP see [bip] , and is being widely adopted because it provides the opportunity to add functionality to the address itself. The requirements are designated at the time the address is created, within the script, and all inputs to this address will be encumbered with the same requirements. A pay-to-script hash address is created from a transaction script, which defines who can spend a transaction output for more detail, see Pay-to-Script-Hash P2SH. Encoding a pay-to-script hash address involves using the same double-hash function as used during creation of a bitcoin address, only applied on the script instead of the public key:. P2SH is not necessarily the same as a multi-signature standard transaction. A P2SH address most often represents a multi-signature script, but it might also represent a script encoding other types of transactions. Currently, the most common implementation of the P2SH function is the multi-signature address script. As the name implies, the underlying script requires more than one signature to prove ownership and therefore spend funds. For example, Bob the coffee shop owner from Chapter 1 could use a multi-signature address requiring 1-of-2 signatures from a key belonging to him and a key belonging to his spouse, ensuring either of them could sign to spend a transaction output locked to this address. Or Gopesh, the web designer paid by Bob to create a website, might have a 2-of-3 multi-signature address for his business that ensures that no funds can be spent unless at least two of the business partners sign a transaction. We will explore how to create transactions that spend funds from P2SH and multi-signature addresses in Chapter 5. Vanity addresses are valid bitcoin addresses that contain human-readable messages. Vanity addresses require generating and testing billions of candidate private keys, until one derives a bitcoin address with the desired pattern. Although there are some optimizations in the vanity generation algorithm, the process essentially involves picking a private key at random, deriving the public key, deriving the bitcoin address, and checking to see if it matches the desired vanity pattern, repeating billions of times until a match is found. Once a vanity address matching the desired pattern is found, the private key from which it was derived can be used by the owner to spend bitcoins in exactly the same way as any other address. Vanity addresses are no less or more secure than any other address. You can no more easily find the private key of an address starting with a vanity pattern than you can any other address. There are approximately 58 29 approximately 1. Table shows the range of addresses that have the prefix 1Kids. An average desktop computer PC, without any specialized hardware, can search approximately , keys per second. Each additional character increases the difficulty by a factor of Patterns with more than seven characters are usually found by specialized hardware, such as custom-built desktops with multiple graphical processing units GPUs. Another way to find a vanity address is to outsource the work to a pool of vanity miners, such as the pool at Vanity Pool. A pool is a service that allows those with GPU hardware to earn bitcoin searching for vanity addresses for others. For a small payment 0. Generating a vanity address is a brute-force exercise: try a random key, check the resulting address to see if it matches the desired pattern, repeat until successful. The example uses the libbitcoin library, which we introduced in Alternative Clients, Libraries, and Toolkits. The example code must be compiled using a C compiler and linked against the libbitcoin library which must be first installed on that system. Change the search pattern in the source code and see how much longer it takes for four- or five-character patterns! Vanity addresses can be used to enhance and to defeat security measures; they are truly a double-edged sword. Used to improve security, a distinctive address makes it harder for adversaries to substitute their own address and fool your customers into paying them instead of you. Unfortunately, vanity addresses also make it possible for anyone to create an address that resembles any random address, or even another vanity address, thereby fooling your customers. Eugenia could advertise a randomly generated address e. Or, she could generate a vanity address that starts with 1Kids, to make it more distinctive. In both cases, one of the risks of using a single fixed address rather than a separate dynamic address per donor is that a thief might be able to infiltrate your website and replace it with his own address, thereby diverting donations to himself. If you have advertised your donation address in a number of different places, your users may visually inspect the address before making a payment to ensure it is the same one they saw on your website, on your email, and on your flyer. Using a vanity address generator, someone with the intent to steal by substituting a similar-looking address can quickly generate addresses that match the first few characters, as shown in Table So does a vanity address increase security? If Eugenia pays a pool to generate an 8-character vanity address, the attacker would be pushed into the realm of 10 characters, which is infeasible on a personal computer and expensive even with a custom vanity-mining rig or vanity pool. What is affordable for Eugenia becomes unaffordable for the attacker, especially if the potential reward of fraud is not high enough to cover the cost of the vanity address generation. Paper wallets are bitcoin private keys printed on paper. Often the paper wallet also includes the corresponding bitcoin address for convenience, but this is not necessary because it can be derived from the private key. Paper wallets come in many shapes, sizes, and designs, but at a very basic level are just a key and an address printed on paper. Table shows the simplest form of a paper wallet. Paper wallets can be generated easily using a tool such as the client-side JavaScript generator at bitaddress. This page contains all the code necessary to generate keys and paper wallets, even while completely disconnected from the Internet. Disconnect from the Internet and open the file in a browser. Any keys generated with this tool while offline can be printed on a local printer over a USB cable not wirelessly , thereby creating paper wallets whose keys exist only on the paper and have never been stored on any online system. Figure shows a paper wallet generated from the bitaddress. The disadvantage of the simple paper wallet system is that the printed keys are vulnerable to theft. A thief who is able to gain access to the paper can either steal it or photograph the keys and take control of the bitcoins locked with those keys. A more sophisticated paper wallet storage system uses BIP encrypted private keys. The keys printed on the paper wallet are protected by a passphrase that the owner has memorized. Without the passphrase, the encrypted keys are useless. Yet, they still are superior to a passphrase-protected wallet because the keys have never been online and must be physically retrieved from a safe or other physically secured storage. Figure shows a paper wallet with an encrypted private key BIP created on the bitaddress. Although you can deposit funds into a paper wallet several times, you should withdraw all funds only once, spending everything. This is because in the process of unlocking and spending funds, you expose the private key, and because some wallets might generate a change address if you spend less than the whole amount. One way to do this is to withdraw the entire balance stored in the paper wallet and send any remaining funds to a new paper wallet. Paper wallets come in many designs and sizes, with many different features. Others are designed for storage in a bank vault or safe with the private key hidden in some way, either with opaque scratch-off stickers, or folded and sealed with tamper-proof adhesive foil. Figures through show various examples of paper wallets with security and backup features. Other designs feature additional copies of the key and address, in the form of detachable stubs similar to ticket stubs, allowing you to store multiple copies to protect against fire, flood, or other natural disasters. Skip to main content. Start your free trial. Chapter 4. Keys, Addresses, Wallets. Public Key Cryptography and Cryptocurrency. Tip In most wallet implementations, the private and public keys are stored together as a key pair for convenience. Private and Public Keys. Private Keys. Tip The bitcoin private key is just a number. Generating a private key from a random number. Tip The dumpprivkey command is not generating a private key from a public key, as this is impossible. Public Keys. Elliptic Curve Cryptography Explained. Figure Python 3. Generating a Public Key. Tip A private key can be converted into a public key, but a public key cannot be converted back into a private key because the math only works one way. Tip Most bitcoin implementations use the OpenSSL cryptographic library to do the elliptic curve math. Elliptic curve cryptography: Visualizing the multiplication of a point G by an integer k on an elliptic curve. Bitcoin Addresses. Tip A bitcoin address is not the same as a public key. Public key to bitcoin address: conversion of a public key into a bitcoin address. Base58 and Base58Check Encoding. Example Base58Check encoding: a Base58, versioned, and checksummed format for unambiguously encoding bitcoin data. Table Base58Check version prefix and encoded result examples. Creating a Base58Check-encoded bitcoin address from a private key. Compiling and running the addr code. Compile the addr. Key Formats. Private key formats. Private key representations encoding formats. Example: Same key, different formats. Decode from Base58Check to hex. Encode from hex to Base58Check. Encode from hex compressed key to Base58Check encoding. Public key formats. Compressed public keys. Compressed private keys. Implementing Keys and Addresses in Python. Key and address generation and formatting with the pybitcointools library. Running key-to-address-ecc-example. A script demonstrating elliptic curve math used for bitcoin keys. Point curve , point. Tip Bitcoin wallets contain keys, not coins. Nondeterministic Random Wallets. Deterministic Seeded Wallets. Type-0 nondeterministic random wallet: a collection of randomly generated keys. Mnemonic Code Words. Create a random sequence entropy of to bits. Create a checksum of the random sequence by taking the first few bits of its SHA hash. Add the checksum to the end of the random sequence. Divide the sequence into sections of 11 bits, using those to index a dictionary of predefined words. Produce 12 to 24 words representing the mnemonic code. Mnemonic codes: entropy and word length. Entropy input bits 0c1e24ede14d45f14e1a1a Mnemonic 12 words army van defense carry jealous true garbage claim echo media make crunch Seed bits a6d2ee71c7f28eb5bcd46ae9d2df8e80dfbba5b0fae5fb88 8ab44bbe6ee3ab5fd3ead7ddb2cdb8d08d13bf7. Entropy input bits caffd32dfed3ccdde74abcf8c Mnemonic 24 words cake apple borrow silk endorse fitness top denial coil riot stay wolf luggage oxygen faint major edit measure invite love trap field dilemma oblige Seed bits eef75ebe13ac3e29da2cc7ee5fd0afcfbee22 fceafbf7cdeade0dd2c1cbd02f1eeac Type-2 hierarchical deterministic wallet: a tree of keys generated from a seed. HD wallet creation from a seed. Private child key derivation. Using derived child keys. Tip A child private key, the corresponding public key, and the bitcoin address are all indistinguishable from keys and addresses created randomly. Extended keys. Tip An extended key consists of a private or public key and chain code. Public child key derivation. Hardened child key derivation. Hardened derivation of a child key; omits the parent public key. Index numbers for normal and hardened derivation. HD wallet key identifier path. HD wallet path examples. Navigating the HD wallet tree structure. BIP HD wallet structure examples. Experimenting with HD wallets using sx tools. Advanced Keys and Addresses. Example of BIP encrypted private key. Tip P2SH is not necessarily the same as a multi-signature standard transaction. Multi-signature addresses and P2SH. Vanity Addresses. Generating vanity addresses. From 1Kids To 1Kidszzzzzzzzzzzzzzzzzzzzzzzzzzzzz. The frequency of a vanity pattern 1KidsCharity and average time-to-find on a desktop PC. Vanity address miner. A random 32 bytes. Compiling and running the vanity-miner example. Vanity address security. Generating vanity addresses to match a random address. Paper Wallets. Simplest form of a paper wallet—a printout of the bitcoin address and private key. An example of an encrypted paper wallet from bitaddress. Warning Although you can deposit funds into a paper wallet several times, you should withdraw all funds only once, spending everything. An example of a paper wallet from bitcoinpaperwallet. The bitcoinpaperwallet. Pay-to-Script-Hash Address. Bitcoin Testnet Address. Base58Check encoding: Base58 with version prefix of and bit checksum. Entropy input bits. Mnemonic 12 words. Seed bits. Mnemonic 24 words. The first 0 child private key from the master private key m. The third receiving public key for the primary bitcoin account. The fifteenth change-address public key for the fourth bitcoin account. Private Key WIF. Encrypted Key BIP Original Random Address. Vanity 4 character match. Vanity 5 character match. Vanity 6 character match.