Storing bitcoins

2018-01-11T23:32:34Z

Proofer: /* Paper wallets */ newbs to use -> beginners ||| unweildy -> unwieldy ||| printers -> printers, ||| arrived, users -> arrived. Users ||| to achieve the job that -> accomplish what

This page is a discussion of the different ways of storing bitcoins, whether for [[Bitcoin as an investment|investment purposes]] or as a [[Bitcoin as a medium of exchange|medium of exchange]].

As bitcoin is a digital asset, it can be very un-intuitive to store safely. Historically many people have lost their coins but with proper understanding the risks can be eliminated. If your bitcoins do end up lost or stolen then there's almost certainly nothing that can be done to get them back.

tl;dr The best way to store bitcoin is to either buy a [[hardware wallet]] or install a [[Multisignature|multisignature wallet]]. Have your wallet create a [[Mnemonic phrase|mnemonic recovery phrase]], write it down on paper and store it in a safe place. The wallet should be backed by your own [[full node]].

== Introduction ==

Storage of bitcoin can be broken down in a few independent goals:

* Protection against accidental loss
* Verification that the bitcoins are genuine
* Privacy / protection against spying
* Protection against theft
* Easy access for spending or moving bitcoins

The art and science of storing bitcoins is about keeping your private keys safe, yet them still being easily available to you when you want to transact with them. It also requires verifying that your recieved bitcoins are real, and stopping an adversary from spying on you.

[[File:Mnemonic-seed-still-life.jpg|300px|thumb|alt=An example mnemonic phrase written on paper|Example mnemonic phrase on paper.]]

=== Protection from accidental loss ===

In the past many people have accidentally lost bitcoins because of failed backups, forgotten hard drives or corrupted SSD devices. Through bitter experience it was found that one of the most practical storage mediums is '''pencil and paper'''. The private keys of a bitcoin wallet are encoded into [[Mnemonic phrase|random words from a dictionary]] which can be written down. If the your hard drive crashes you can find the paper with the [[mnemonic phrase]] and restore the entire wallet. All good wallet software ask their users to write down the [[Mnemonic phrase|mnemonic recovery phrase]] of the wallet. It is worthwhile to keep copies in several locations so that even if your home burns down and nothing remains you can still recover the bitcoins.

=== Verification and privacy ===

Storing a [[mnemonic phrase]] only stores [[Private key|private keys]], it cannot tell you if you have actually received bitcoins and in what quantity. For that you need wallet software.

If you received cash banknotes or gold coins to be stored, you wouldn't accept them without verifying that the banknotes were genuine and that the gold was real. The same is true with bitcoin, payments must be genuine or else you may be slipped counterfeit bitcoins and be left out of pocket. The most secure kind of wallet is one which verifies all the rules of bitcoin, known as a [[full node]]. For recieving large volumes it is essential to use wallet software backed by a [[full node]]. If bitcoin is digital gold, then a [[full node]] is your own person goldsmith who checks that received bitcoin payments are actually real. Lightweight wallets which don't check all of bitcoin's rules are only appropriate for receiving smaller amounts or when you trust the sender. See the article about [[full node|full nodes]].

Your wallet software will also need to learn the history and balance of its wallet. For a lightweight wallet this usually involves querying a third-party server which leads to a privacy problem as that server can spy on you by seeing your entire balance, all your transactions and usually linking it with your IP address. Using a [[full node]] avoids this problem because the software connects directly to the bitcoin p2p network and downloads the entire [[blockchain]], so any adversary will find it much harder to obtain information. See also: [[Anonymity]]

So for verification and privacy, a good storage solution should be backed by a [[full node]] under your own control for use when recieving payments. Note that the [[full node]] wallet on an online computer can be a watch-only wallet that does not have the ability to actually spend or steal the bitcoins.

=== Protection from theft ===

Possession of bitcoins comes from keep your ability to keep the private keys under your exclusive control. Any malware or hackers who learn what your private keys are can create a valid bitcoin transaction sending your coins to themselves, effectively stealing your bitcoins. The average person's computer is usually vulnerable to malware so that must be taken into account when deciding on storage solutions.

[[Mnemonic phrase]]s can store any amount of bitcoins. It's a weird idea to possibly have enough money to purchase the entire building just sitting on a sheet of paper without any protection. For this reason many wallets make it possible to encrypt a mnemonic phrase with a password. See [[Mnemonic phrase#Two-Factor_Mnemonic_Phrases]]

=== Easy access ===

Some users may not need to actually move their bitcoins very often, especially if they [[Bitcoin as an investment|own bitcoin as an investment]]. Other users will want to be able to quickly and easily move their coins.

== Discussion of wallet solutions ==

=== Hardware wallets ===

[[Hardware wallet]]s are special purpose security-hardened devices for storing Bitcoins on a peripheral that is trusted to generate wallet keys and sign transactions.

A [[hardware wallet]] typically holds the private keys in its internal storage and is designed to be malware resistant. The device signs the transactions internally and only transmits the signed transactions to the computer. The separation of the private keys from the vulnerable environment allows the user to spend bitcoins on an untrustworthy computer with reduced risk. Hardware wallets can be very user friend and are a top solution for holding private keys.

Unfortunately as of November 2017 no hardware wallet on the market can be easily connected to a [[full node]], so using them usually involves a lightweight wallet, therefore not verifying the rules of bitcoin and querying a third-party server which can spy on you. Hardware wallets are also physical objects that can be found and which prove that you probably own bitcoins, this is worth considering when for example crossing borders. They also cost more than software wallets.

Main article: [[Hardware wallet]]

=== Multisignature wallets ===

A multisignature wallet is one where multiple private keys are required to move the bitcoins instead of a single key, avoiding a single point of failure. These private keys can be spread across multiple machines in various locations with the rationale that malware and hackers are unlikely to infect all of them. The multisig wallet can be of the m-of-n type where any m private keys out of a possible n are required to move the money. For example a 2-of-3 multisig wallet might have your private keys spread across a desktop, laptop and smartphone; any two are required to move the money but the loss of any one does not result in loss of money especially because they can be restored from paper backup.

Multisignature wallets have the advantage of being cheaper than hardware wallets since they are implemented in software and can be downloaded for free, as well as being convenient as all keys are online and the wallet user interfaces are typically easy to use. Wallet software [[Electrum]] and [[Armory]] can create multisig wallets. Hardware and multisignature wallets can be combined by having a multisignature wallet with the private keys held on hardware wallets; after all a single hardware wallet is still a single point of failure. Cold storage and multisignature can also be combined, by having the multisignature wallet with the private keys held in cold storage to avoid them being kept online.

Main article: [[Multisignature]]

=== Cold storage wallets ===

A cold wallet generates and stores private wallet keys offline on a clean, newly-installed [https://en.wikipedia.org/wiki/Air_gap_(networking) air-gapped] computer. Payments are received online with a watch-only wallet. Unsigned transactions are generated online, transferred offline for signing, and the signed transaction is transferred online to be broadcast to the Bitcoin network.

This allows funds to be managed offline in [[Cold storage]]. Used correctly a cold wallet is protected against online threats, such as viruses and hackers. Cold wallets are similar to hardware wallets, except that a general purpose computing device is used instead of a special purpose peripheral. The downside is that the transferring of transactions to and fro can be fiddly and unweilding, and less practical for carrying around like a hardware wallet.

Main article: [[Cold storage]]

=== Hot wallets ===

A hot wallet refers to keeping single-signature wallets with private keys kept on an online computer. Most bitcoin wallet software out there is a hot wallet. The bitcoins are easy to spend but are maximally vulnerable to malware or hackers. Hot wallets may be appropriate for small amounts and day-to-day spending.

Main article: [[Hot wallet]]

== Bad wallet ideas ==

=== Custodial wallets ===

Custodial wallets are where an exchange, broker or other third party holds your bitcoins in trust.

The number one rule to storing bitcoin is this: if you don’t hold the private keys, you don’t actually own the assets. There are many many historical examples of loss due to custodial wallets: Bitcoinica, Silk Road, Bitfloor, [[Collapse of Mt. Gox|MTGOX]], Sheep Marketplace, BTC-e, Bitstamp, Bitfinex, Bithumb, Cryptsy, Bter, Mintpal and many more<ref>https://bitcointalk.org/index.php?topic=576337</ref>

==== "Isn't it just like keeping your money in a bank?" ====

:There are trade offs with everything, but let me explain why trusting Coinbase with Bitcoin is ''not'' the same as trusting a bank with dollars:

:Suppose 5 people are needed to access the funds, within Coinbase, e.g. the CEO, the lead engineer, 3 others, whatever. Suppose one day they wake up and decide to be evil and move all the Bitcoin to some private account of theirs, and perhaps make up a story in the press about how they've been "hacked". You have a serious problem, as you might find there is a protracted legal battle (see MtGox), but you can't actually retrieve the funds unless in some way the company is re-stocked with Bitcoin, or perhaps an equivalent in fiat.

:If on the other hand you controlled the funds with a majority of keys in a multisig, then it would always effectively be your bitcoin. But it also means that if you get hacked, you lose.

:Now, if your bank gets hacked similarly - 5 key operatives in the bank decide to swipe your money and pretend it was external hackers - SWIFT transfers are made to accounts in Russia and China; here it will always ultimately be at the discretion of legal agencies whether you "actually" still have the money that is stolen. Because dollars are not real, they can be created at a whim, and while reversing international transfers is not ''quite'' so simple, very often that reversal can be achieved (e.g. recent SWIFT hank at bangladesh<ref>https://www.wired.com/2016/05/insane-81m-bangladesh-bank-heist-heres-know/</ref><ref>https://en.wikipedia.org/wiki/Bangladesh_Bank_robbery</ref> bank; $1 billion stolen, all but $80 million "recovered" (just means wire transfers reversed)). Added to that consider insurance, so even when transfers can't be reversed, the money can be "found". If too many banks get hacked all at once the Federal Reserve and the govt together can make up some "fund" that magically reassigns balances any time they like, with sufficient political will (that's essentially what was happening in 2008 TARP etc).

:So far no insurance company has ever paid out on a Bitcoin company's claim. Worth considering also.

:You might say, since it's risky both ways, why not trust Coinbase? Aren't they more competent in security than me?

:Almost certainly, but this argument has two massive holes in it: (1) because they ''concentrate'' funds they are a massive target for hackers, while you are not - at all. (2) they are a ''trusted third party'' so the situation is strictly worse - not only do you have to trust their security skills, but you also have to trust them not to steal (modulo multisig, as mentioned above) (edited to add: as well as literal stealing, there is things like political confiscation, don't forget).<ref>https://www.reddit.com/r/Bitcoin/comments/5py495/brian_armstrong_controlling_your_own_wealth_as_a/dcve9xx/?context=3</ref>

=== Web wallets ===

Web wallets have all the downsides of custodial wallets along with all the downsides of hot wallets (exposed private keys), as well as all the downsides of lightweight wallets (not verifying bitcoin's rules, someone could send you a billion bitcoins and under certain conditions the dumb web wallet would happily accept it)

=== Paper wallets ===

So-called [[paper wallets]] are an obsolete and unsafe method of storing bitcoin which should not be recommended to beginners. They simply store a single private/public keypair on paper. They promote [[address reuse]] and require unwieldy and complicated live OS system boots to be safe, they risk theft by printers, and typically rely on [[Javascript cryptography]].

Paper wallets also do not provide any method of displaying to the user when money has arrived. Users are typically driven to use third-party blockchain explorers which can lie to them and spy on them.

A much better way accomplish what paper wallets do is to use [[mnemonic phrase|mnemonic phrases]] instead.

Main article: [[Paper wallets]]

=== Cloud storage ===

This means storing your encrypted (or not) wallet file on a cloud storage solution such as Dropbox.

=== Removable media ===

This refers to storing wallet files on removable media like SSD or hard drives.

Refer to the warnings from these two links:

* https://www.reddit.com/r/Bitcoin/comments/6nj0eb/reminder_beware_of_data_rot_always_make_paper/

* https://tedjonesweb.blogspot.co.uk/2017/08/do-not-use-flash-memory-ssd-drives.html

Those articles recommend using GPG for encryption or a printer, instead a better solution is [[mnemonic phrase|mnemonic phrases]].

== Other ideas ==

=== Time-locked wallets ===

An interesting unconventional solution. The idea is to use [[Timelock|time-lock contracts]] to create a wallet which cannot be spent from until a certain date. One possible use-case might be by a gambling addict who locks up money for paying bills for a month, after a month has passed and their time-lock wallet is opened they use that money for paying bills instead of gambling.

Time lock wallets don't exist yet except for simple [https://coinb.in/#newTimeLocked javascript pages] which rely on [[Javascript cryptography]] and are therefore not safe.

=== Consulting ===

If you intend to store a very large amount of bitcoins, for example in a business, you should consider paying for security consulting.

== The 5 dollar wrench attack ==

[[File:Security.png|400px|none|alt=xkcd comic on the 5 dollar wrench attack.]]

It's sometimes said that all this security is worthless because the $5 wrench attack can be used.

Stored bitcoins are not secured by [[mnemonic phrase]]s, [[hardware wallet]]s, [[multisignature]], passwords, hash functions or anything like that; they are secured by ''people''.

Technology is never the root of system security. Technology is a tool to help people secure what they value. Security requires people to act. A server cannot be secured by a firewall if there is no lock on the door to the server room, and a lock cannot secure the server room without a guard to monitor the door, and a guard cannot secure the door without risk of personal harm.<ref>[https://github.com/libbitcoin/libbitcoin/wiki/Risk-Sharing-Principle Libbitcoin wiki Risk Sharing Principle]</ref>.

Bitcoin is no different. The technology discussed on this page is only a tool to tip the scales in the defender's favour. Following from this principle, the way to beat the $5 wrench attack is to bear arms. Either your own, or employ guards, or rely on the police forces and army; or whatever may be appropriate and proportionate in your situation. Because if someone completely physically overpowers you then no technology on Earth can save your bitcoins.

See Also: [https://twitter.com/i/moments/942083114385281024 Guns + Bitcoin Hardware Wallets]

== Further reading ==

* https://medium.com/@lopp/thoughts-on-secure-storage-of-bitcoins-and-other-crypto-assets-210cadabb53d

* https://medium.com/@michaelflaxman/how-should-i-store-my-bitcoin-43874ac208e4

* Two-factor authentication on custodial wallets doesn't work as well as you might think https://medium.com/@CodyBrown/how-to-lose-8k-worth-of-bitcoin-in-15-minutes-with-verizon-and-coinbase-com-ba75fb8d0bac

* https://bitzuma.com/posts/a-gentle-introduction-to-bitcoin-cold-storage/

==References==
<references />

[[Category:Security]]

Transaction malleability

2014-02-11T15:11:30Z

Proofer: in "because the latter transactions will depend on the previous transactions": latter -> later

While transactions are signed, the signature does not currently cover all the data in a transaction that is hashed to create the transaction hash. Thus while uncommon it is possible for a node on the network to change a transaction you send in such a way that the hash is invalidated. Note that this just changes the hash, the output of the transaction remains the same and the bitcoins will go to their intended recipient. However this does mean that, for instance, it is not safe to accept a chain of unconfirmed transactions under any circumstance because the later transactions will depend on the hashes of the previous transactions, and those hashes can be changed until they are confirmed in a block. (and potentially even after a confirmation if the block chain is reorganized) In addition clients must always actively scan for transactions to them; assuming a txout exists because the client created it previously is unsafe.

== Signature Malleability ==

The first form of malleability is in the signatures themselves. Each signature has exactly one DER-encoded ASN.1 octet representation, but openssl does not enforce this, and as long as a signature isn't horribly malformed, it will be accepted.<ref>https://bitcointalk.org/index.php?topic=8392.msg122410#msg122410</ref> In addition for every ECDSA signature (r,s), the signature (r, -s (mod N)) is a valid signature of the same message.<ref>https://bitcointalk.org/index.php?topic=8392.msg1245898#msg1245898</ref>

Efforts are underway to first make Bitcoin nodes not relay non-standard signatures, and eventually disallow them from being included in new blocks entirely.

== scriptSig Malleability ==

The [[OP_CHECKSIG|signature algorithm]] used in Bitcoin does not sign any of the scriptSig to create the signature. While signing the whole scriptSig would be impossible - the signature would be signing itself - this does mean that additional data can be added such that it will be pushed on the stack prior to the required signatures and public keys. Similarly OP_DROP can be added to leave the stack exactly as before prior to scriptPubKey execution.

Preventing scriptSig malleability is being considered as well. Currently transactions with anything other than data push operations in their scriptSig are considered non-standard and are not relayed, and eventually this rule may extend to enforcing that the stack have exactly one item after execution. However doing that may interfere with later extensions to Bitcoin.

==References==
<references/>

[[Category:Technical]]
[[Category:Developer]]

Bitcoin Wiki - User contributions [en]

Storing bitcoins

Transaction malleability