Today we move on to the second part of Chapter 4 of Mastering Bitcoin. This part covers wallet addresses and related topics quite thoroughly.
Original text of this chapter:
https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch04.asciidoc#decode-from-base58check
https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch04.asciidoc#generating-vanity-addresses
Related articles:
Mastering Bitcoin, English edition annotated reading: Chapter 2, How Bitcoin Works
Mastering Bitcoin, English edition annotated reading: Chapters 3-4, Bitcoin Keys and Addresses
Bitcoin Addresses
A bitcoin address is a string of digits and characters that can be shared with anyone who wants to send you money. Addresses produced from public keys consist of a string of numbers and letters, beginning with the digit "1." Here’s an example of a bitcoin address:
A bitcoin address is just a string of characters; anyone can send you money using this address. Addresses start with 1:
1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy
The bitcoin address is what appears most commonly in a transaction as the "recipient" of the funds. If we compare a bitcoin transaction to a paper check, the bitcoin address is the beneficiary, which is what we write on the line after "Pay to the order of." On a paper check, that beneficiary can sometimes be the name of a bank account holder, but can also include corporations, institutions, or even cash. Because paper checks do not need to specify an account, but rather use an abstract name as the recipient of funds, they are very flexible payment instruments. Bitcoin transactions use a similar abstraction, the bitcoin address, to make them very flexible. A bitcoin address can represent the owner of a private/public key pair, or it can represent something else, such as a payment script, as we will see in [p2sh]. For now, let’s examine the simple case, a bitcoin address that represents, and is derived from, a public key.
A bitcoin address can represent not only ownership of a public/private key pair, but also something else, such as a payment script.
The bitcoin address is derived from the public key through the use of one-way cryptographic hashing. A "hashing algorithm" or simply "hash algorithm" is a one-way function that produces a fingerprint or "hash" of an arbitrary-sized input. Cryptographic hash functions are used extensively in bitcoin: in bitcoin addresses, in script addresses, and in the mining Proof-of-Work algorithm. The algorithms used to make a bitcoin address from a public key are the Secure Hash Algorithm (SHA) and the RACE Integrity Primitives Evaluation Message Digest (RIPEMD), specifically SHA256 and RIPEMD160.
A bitcoin address is generated from the public key with a one-way hash function, using the algorithms SHA256 and RIPEMD160. Concretely, the public key is first hashed with SHA256, then the result is hashed with RIPEMD160, which yields a 20-byte string.
Starting with the public key K, we compute the SHA256 hash and then compute the RIPEMD160 hash of the result, producing a 160-bit (20-byte) number:
\[\begin{equation} {A = RIPEMD160(SHA256(K))} \end{equation}\]
where K is the public key and A is the resulting bitcoin address.
Tip: A bitcoin address is not the same as a public key. Bitcoin addresses are derived from a public key using a one-way function.
Note: a bitcoin address is not the public key; it is derived from the public key through a one-way function. Bitcoin addresses use Base58 encoding. Besides Base58, there are other encodings such as Base64 and Base32.
Bitcoin addresses are almost always encoded as "Base58Check" (see Base58 and Base58Check Encoding), which uses 58 characters (a Base58 number system) and a checksum to help human readability, avoid ambiguity, and protect against errors in address transcription and entry. Base58Check is also used in many other ways in bitcoin, whenever there is a need for a user to read and correctly transcribe a number, such as a bitcoin address, a private key, an encrypted key, or a script hash. In the next section we will examine the mechanics of Base58Check encoding and decoding and the resulting representations. Public key to bitcoin address: conversion of a public key into a bitcoin address illustrates the conversion of a public key into a bitcoin address.
Figure 5. Public key to bitcoin address: conversion of a public key into a bitcoin address
Base58 and Base58Check Encoding
In order to represent long numbers in a compact way, using fewer symbols, many computer systems use mixed-alphanumeric representations with a base (or radix) higher than 10. For example, whereas the traditional decimal system uses the 10 numerals 0 through 9, the hexadecimal system uses 16, with the letters A through F as the six additional symbols. A number represented in hexadecimal format is shorter than the equivalent decimal representation. Even more compact, Base64 representation uses 26 lowercase letters, 26 capital letters, 10 numerals, and 2 more characters such as "+" and "/" to transmit binary data over text-based media such as email. Base64 is most commonly used to add binary attachments to email. Base58 is a text-based binary-encoding format developed for use in bitcoin and used in many other cryptocurrencies. It offers a balance between compact representation, readability, and error detection and prevention. Base58 is a subset of Base64, using upper- and lowercase letters and numbers, but omitting some characters that are frequently mistaken for one another and can appear identical when displayed in certain fonts. Specifically, Base58 is Base64 without the 0 (number zero), O (capital o), l (lower L), I (capital i), and the symbols "+" and "/". Or, more simply, it is a set of lowercase and capital letters and numbers without the four (0, O, l, I) just mentioned. Bitcoin’s Base58 alphabet shows the full Base58 alphabet.
The purpose of encodings with different bases is to represent numbers more compactly. Decimal uses 0-9 for 10 values; hexadecimal uses 0-F for 16 values; Base64 uses the 52 upper- and lowercase English letters, 10 digits, and + and / to represent 64 values. Base58 is used mainly in cryptocurrencies and works much like Base64, except that it drops characters that look alike, such as the digit 0 and the letter O.
Example 2. Bitcoin’s Base58 alphabet
To add extra security against typos or transcription errors, Base58Check is a Base58 encoding format, frequently used in bitcoin, which has a built-in error-checking code. The checksum is an additional four bytes added to the end of the data that is being encoded. The checksum is derived from the hash of the encoded data and can therefore be used to detect and prevent transcription and typing errors. When presented with Base58Check code, the decoding software will calculate the checksum of the data and compare it to the checksum included in the code. If the two do not match, an error has been introduced and the Base58Check data is invalid. This prevents a mistyped bitcoin address from being accepted by the wallet software as a valid destination, an error that would otherwise result in loss of funds.
In addition, when converting to a bitcoin address, a checksum is appended to the Base58 result, so that the recipient can verify the correctness of the address and avoid losing money by sending it to a wrong address.
To convert data (a number) into a Base58Check format, we first add a prefix to the data, called the "version byte," which serves to easily identify the type of data that is encoded. For example, in the case of a bitcoin address the prefix is zero (0x00 in hex), whereas the prefix used when encoding a private key is 128 (0x80 in hex). A list of common version prefixes is shown in Base58Check version prefix and encoded result examples.
Also, to make a Base58-encoded string easy to identify, a prefix is added to the front of the string: 0x00 for a bitcoin address, 0x80 for a private key.
Next, we compute the "double-SHA" checksum, meaning we apply the SHA256 hash-algorithm twice on the previous result (prefix and data):
The checksum is computed by applying SHA256 twice; the first 4 bytes of the result are taken as the checksum and appended to the end of the encoded data. The encoding thus has three parts: the prefix, the data, and the checksum.
From the resulting 32-byte hash (hash-of-a-hash), we take only the first four bytes. These four bytes serve as the error-checking code, or checksum. The checksum is concatenated (appended) to the end.
The result is composed of three items: a prefix, the data, and a checksum. This result is encoded using the Base58 alphabet described previously. Base58Check encoding: a Base58, versioned, and checksummed format for unambiguously encoding bitcoin data illustrates the Base58Check encoding process.
Figure 6. Base58Check encoding: a Base58, versioned, and checksummed format for unambiguously encoding bitcoin data
In bitcoin, most of the data presented to the user is Base58Check-encoded to make it compact, easy to read, and easy to detect errors. The version prefix in Base58Check encoding is used to create easily distinguishable formats, which when encoded in Base58 contain specific characters at the beginning of the Base58Check-encoded payload. These characters make it easy for humans to identify the type of data that is encoded and how to use it. This is what differentiates, for example, a Base58Check-encoded bitcoin address that starts with a 1 from a Base58Check-encoded private key WIF that starts with a 5. Some example version prefixes and the resulting Base58 characters are shown in Base58Check version prefix and encoded result examples.
With the prefix added, the type of the data can easily be told from the prefix. For example, bitcoin addresses start with 1 and private keys start with 5.
Table 1. Base58Check version prefix and encoded result examples
Key Formats
Both private and public keys can be represented in a number of different formats. These representations all encode the same number, even though they look different. These formats are primarily used to make it easy for people to read and transcribe keys without introducing errors.
Private key formats
The private key can be represented in a number of different formats, all of which correspond to the same 256-bit number. Private key representations (encoding formats) shows three common formats used to represent private keys. Different formats are used in different circumstances. Hexadecimal and raw binary formats are used internally in software and rarely shown to users. The WIF is used for import/export of keys between wallets and often used in QR code (barcode) representations of private keys.
A private key can be represented in different forms, such as the raw binary form, hexadecimal, and WIF. These forms can be converted into one another.
Table 2. Private key representations (encoding formats)
Example: Same key, different formats shows the private key generated in these three formats.
Table 3. Example: Same key, different formats
We use the wif-to-ec command from Bitcoin Explorer (see [appdx_bx]) to show that both WIF keys represent the same private key: All of these representations are different ways of showing the same number, the same private key. They look different, but any one format can easily be converted to any other format. Note that the "raw binary" is not shown in Example: Same key, different formats as any encoding for display here would, by definition, not be raw binary data.
Decode from Base58Check
For reasons of length, we will not go into the code examples for encoding conversion; see the original text at
https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch04.asciidoc#decode-from-base58check
Public key formats
Public keys are also presented in different ways, usually as either compressed or uncompressed public keys.
As we saw previously, the public key is a point on the elliptic curve consisting of a pair of coordinates (x,y). It is usually presented with the prefix 04 followed by two 256-bit numbers: one for the x coordinate of the point, the other for the y coordinate. The prefix 04 is used to distinguish uncompressed public keys from compressed public keys that begin with a 02 or a 03.
Public keys have two representations: compressed and uncompressed. The uncompressed form has the prefix 04, followed by two 256-bit numbers for the x coordinate and the y coordinate. A compressed public key uses the prefix 02 or 03 instead. Examples follow.
Here’s the public key generated by the private key we created earlier, shown as the coordinates x and y:
Here’s the same public key shown as a 520-bit number (130 hex digits) with the prefix 04 followed by x and then y coordinates, as 04 x y:
Compressed public keys
Compressed public keys were introduced to bitcoin to reduce the size of transactions and conserve disk space on nodes that store the bitcoin blockchain database. Most transactions include the public key, which is required to validate the owner’s credentials and spend the bitcoin. Each public key requires 520 bits (prefix + x + y), which when multiplied by several hundred transactions per block, or tens of thousands of transactions per day, adds a significant amount of data to the blockchain.
Most transactions need to include the public key, which is used to verify validity. A public key takes up 520 bits, and since every transaction stores a public key, the overhead is considerable.
As we saw in the section Public Keys, a public key is a point (x,y) on an elliptic curve. Because the curve expresses a mathematical function, a point on the curve represents a solution to the equation and, therefore, if we know the x coordinate we can calculate the y coordinate by solving the equation y^2 mod p = (x^3 + 7) mod p. That allows us to store only the x coordinate of the public key point, omitting the y coordinate and reducing the size of the key and the space required to store it by 256 bits. An almost 50% reduction in size in every transaction adds up to a lot of data saved over time!
But the public key we store is actually a point on the elliptic curve, and the point's x and y coordinates are tied together by the curve equation. So we can store only x and compute y from the equation, which saves about 50% of the storage space.
Whereas uncompressed public keys have a prefix of 04, compressed public keys start with either a 02 or a 03 prefix. Let’s look at why there are two possible prefixes: because the left side of the equation is y^2, the solution for y is a square root, which can have a positive or negative value. Visually, this means that the resulting y coordinate can be above or below the x-axis. As you can see from the graph of the elliptic curve in An elliptic curve, the curve is symmetric, meaning it is reflected like a mirror by the x-axis. So, while we can omit the y coordinate we have to store the sign of y (positive or negative); or in other words, we have to remember if it was above or below the x-axis because each of those options represents a different point and a different public key. When calculating the elliptic curve in binary arithmetic on the finite field of prime order p, the y coordinate is either even or odd, which corresponds to the positive/negative sign as explained earlier. Therefore, to distinguish between the two possible values of y, we store a compressed public key with the prefix 02 if the y is even, and 03 if it is odd, allowing the software to correctly deduce the y coordinate from the x coordinate and uncompress the public key to the full coordinates of the point. Public key compression is illustrated in Public key compression.
There is a catch: solving the equation gives two y values, one positive and one negative, symmetric about the x-axis. So when compressing, a field is needed to record whether the value was the positive or the negative one. Over a finite field, the positive and negative y correspond to an odd and an even value. (For example, if you solve and get a, the other value is p - a, and the two have opposite parity.)
Figure 7. Public key compression
Here’s the same public key generated previously, shown as a compressed public key stored in 264 bits (66 hex digits) with the prefix 03 indicating the y coordinate is odd:
This compressed public key corresponds to the same private key, meaning it is generated from the same private key. However, it looks different from the uncompressed public key. More importantly, if we convert this compressed public key to a bitcoin address using the double-hash function (RIPEMD160(SHA256(K))) it will produce a different bitcoin address. This can be confusing, because it means that a single private key can produce a public key expressed in two different formats (compressed and uncompressed) that produce two different bitcoin addresses. However, the private key is identical for both bitcoin addresses.
Note, though, that a compressed public key looks different from the uncompressed one, so the bitcoin addresses generated from them by the rules above are also different, even though both public keys come from the same private key.
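The 02/03 prefix rule described above, as an added Python example (not code from the book or this post): it compresses a point, recovers y from x by solving y^2 = x^3 + 7 mod p, and uses the prefix to choose between the two roots y and p - y. The secp256k1 generator point G is used as a constructed sample public key.

```python
"""Compressing and decompressing a secp256k1 public key (SEC format).

Added illustration of the 02/03 prefix rule; not code from the book.
"""

# secp256k1 field prime; the curve is y^2 = x^3 + 7 over GF(P)
P = 2**256 - 2**32 - 977

# Generator point G, used here only as a constructed sample public key
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8


def is_on_curve(x: int, y: int) -> bool:
    """True if (x, y) satisfies y^2 = x^3 + 7 (mod P)."""
    return (y * y - (pow(x, 3, P) + 7)) % P == 0


def compress(x: int, y: int) -> bytes:
    """33 bytes: prefix 02 if y is even, 03 if y is odd, followed by x."""
    if not is_on_curve(x, y):
        raise ValueError("point is not on secp256k1")
    prefix = b"\x02" if y % 2 == 0 else b"\x03"
    return prefix + x.to_bytes(32, "big")


def uncompressed(x: int, y: int) -> bytes:
    """65 bytes: prefix 04, then x and y."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def decompress(sec: bytes):
    """Recover (x, y) from a 33-byte compressed key by solving y^2 = x^3 + 7 mod P."""
    if len(sec) != 33 or sec[0] not in (0x02, 0x03):
        raise ValueError("not a compressed SEC public key")
    x = int.from_bytes(sec[1:], "big")
    if x >= P:
        raise ValueError("x is not a field element")
    rhs = (pow(x, 3, P) + 7) % P
    # P is congruent to 3 mod 4, so a square root, if one exists, is rhs^((P+1)/4) mod P.
    y = pow(rhs, (P + 1) // 4, P)
    if (y * y) % P != rhs:
        raise ValueError("x has no matching y: not a point on the curve")
    # The two roots are y and P - y; P is odd, so exactly one of them is even.
    # The prefix records which one was the original coordinate.
    want_even = sec[0] == 0x02
    if (y % 2 == 0) != want_even:
        y = P - y
    return x, y


def parse(sec: bytes):
    """Accept either SEC encoding and return (x, y), validating the point."""
    if len(sec) == 65 and sec[0] == 0x04:
        x = int.from_bytes(sec[1:33], "big")
        y = int.from_bytes(sec[33:], "big")
        if not is_on_curve(x, y):
            raise ValueError("point is not on secp256k1")
        return x, y
    return decompress(sec)


if __name__ == "__main__":
    c = compress(GX, GY)
    print("compressed   :", c.hex())  # starts with 02 because GY is even
    print("uncompressed :", uncompressed(GX, GY).hex())
    print("round trip ok:", decompress(c) == (GX, GY))
    # Flipping the prefix to 03 selects the other root, which is a different point
    other = decompress(b"\x03" + c[1:])
    print("other y == P - GY:", other[1] == P - GY)
```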
Compressed public keys are gradually becoming the default across bitcoin clients, which is having a significant impact on reducing the size of transactions and therefore the blockchain. However, not all clients support compressed public keys yet. Newer clients that support compressed public keys have to account for transactions from older clients that do not support compressed public keys. This is especially important when a wallet application is importing private keys from another bitcoin wallet application, because the new wallet needs to scan the blockchain to find transactions corresponding to these imported keys. Which bitcoin addresses should the bitcoin wallet scan for? The bitcoin addresses produced by uncompressed public keys, or the bitcoin addresses produced by compressed public keys? Both are valid bitcoin addresses, and can be signed for by the private key, but they are different addresses!
Although compressed bitcoin addresses have become the default choice for wallets, since they reduce transaction size, a problem arises when private keys are migrated from an old wallet that does not support the compressed representation to a new wallet: the new wallet has to search the blockchain for the transactions belonging to the private key, and which bitcoin address should it search for?
To resolve this issue, when private keys are exported from a wallet, the WIF that is used to represent them is implemented differently in newer bitcoin wallets, to indicate that these private keys have been used to produce compressed public keys and therefore compressed bitcoin addresses. This allows the importing wallet to distinguish between private keys originating from older or newer wallets and search the blockchain for transactions with bitcoin addresses corresponding to the uncompressed, or the compressed, public keys, respectively. Let’s look at how this works in more detail, in the next section.
The solution is the WIF private key format, which indicates within the format whether this private key was used to generate a compressed or an uncompressed public key.
Compressed private keys
Ironically, the term "compressed private key" is a misnomer, because when a private key is exported as WIF-compressed it is actually one byte longer than an "uncompressed" private key. That is because the private key has an added one-byte suffix (shown as 01 in hex in Example: Same key, different formats), which signifies that the private key is from a newer wallet and should only be used to produce compressed public keys. Private keys are not themselves compressed and cannot be compressed. The term "compressed private key" really means "private key from which only compressed public keys should be derived," whereas "uncompressed private key" really means "private key from which only uncompressed public keys should be derived." You should only refer to the export format as "WIF-compressed" or "WIF" and not refer to the private key itself as "compressed" to avoid further confusion.
There is an inconsistent naming problem here, though: a private key stored in WIF-compressed format is actually longer than in the uncompressed WIF format. The "compressed" here does not refer to compression of the private key; it tells you that the public key derived from the private key uses the compressed form.
Example: Same key, different formats shows the same key, encoded in WIF and WIF-compressed formats.
Table 4. Example: Same key, different formats
Remember, these formats are not used interchangeably. In a newer wallet that implements compressed public keys, the private keys will only ever be exported as WIF-compressed (with a K or L prefix). If the wallet is an older implementation and does not use compressed public keys, the private keys will only ever be exported as WIF (with a 5 prefix). The goal here is to signal to the wallet importing these private keys whether it must search the blockchain for compressed or uncompressed public keys and addresses. Notice that the hex-compressed private key format has one extra byte at the end (01 in hex). While the Base58 encoding version prefix is the same (0x80) for both WIF and WIF-compressed formats, the addition of one byte on the end of the number causes the first character of the Base58 encoding to change from a 5 to either a K or L. Think of this as the Base58 equivalent of the decimal encoding difference between the number 100 and the number 99. While 100 is one digit longer than 99, it also has a prefix of 1 instead of a prefix of 9. As the length changes, it affects the prefix. In Base58, the prefix 5 changes to a K or L as the length of the number increases by one byte.
These private key representations are not interchangeable. In a new wallet, the exported private key usually has a K or L prefix, indicating the compressed public key representation; an old wallet exports keys with the digit 5 as the prefix.
If a bitcoin wallet is able to implement compressed public keys, it will use those in all transactions. The private keys in the wallet will be used to derive the public key points on the curve, which will be compressed. The compressed public keys will be used to produce bitcoin addresses and those will be used in transactions. When exporting private keys from a new wallet that implements compressed public keys, the WIF is modified, with the addition of a one-byte suffix 01 to the private key. The resulting Base58Check-encoded private key is called a "compressed WIF" and starts with the letter K or L, instead of starting with "5" as is the case with WIF-encoded (noncompressed) keys from older wallets.
Tip: "Compressed private keys" is a misnomer! They are not compressed; rather, WIF-compressed signifies that the keys should only be used to derive compressed public keys and their corresponding bitcoin addresses. Ironically, a "WIF-compressed" encoded private key is one byte longer because it has the added 01 suffix to distinguish it from an "uncompressed" one.
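The Base58Check mechanics from the encoding section and the WIF / WIF-compressed distinction just described, as one added Python example (not code from the book or this post): it implements Base58 and Base58Check encode/decode with the double-SHA256 checksum, shows how the 01 suffix turns a "5" WIF into a "K" WIF-compressed string, and rejects a mistyped address. The private key value 1 and the 20-byte hash160 used in the demo are constructed test inputs.

```python
"""Base58Check, version prefixes, and WIF / WIF-compressed, in pure Python.

Added illustration of the encoding described above; not code from the book.
Only the standard library is used.
"""
import hashlib

# Bitcoin's Base58 alphabet: Base64 minus 0, O, l, I, + and /
ALPHABET = b"123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Common version prefixes from the chapter's table
VERSION_P2PKH = 0x00   # addresses starting with 1
VERSION_P2SH = 0x05    # script hash addresses starting with 3
VERSION_WIF = 0x80     # private keys: 5... (WIF) or K/L... (WIF-compressed)


def double_sha256(data: bytes) -> bytes:
    """SHA256(SHA256(data)); its first 4 bytes form the Base58Check checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def base58_encode(data: bytes) -> str:
    """Plain Base58: read the bytes as a big-endian integer and divide by 58."""
    n = int.from_bytes(data, "big")
    digits = bytearray()
    while n > 0:
        n, rem = divmod(n, 58)
        digits.append(ALPHABET[rem])
    # Each leading 0x00 byte is preserved as a leading '1' character
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + digits[::-1].decode("ascii")


def base58_decode(text: str) -> bytes:
    """Inverse of base58_encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text.encode("ascii"):
        if ch not in ALPHABET:
            raise ValueError("invalid Base58 character %r" % chr(ch))
        n = n * 58 + ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def base58check_encode(version: int, payload: bytes) -> str:
    """Base58 of: prefix || payload || first 4 bytes of double_sha256(prefix || payload)."""
    data = bytes([version]) + payload
    return base58_encode(data + double_sha256(data)[:4])


def base58check_decode(text: str):
    """Return (version, payload); raise ValueError if the checksum does not match."""
    raw = base58_decode(text)
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    data, checksum = raw[:-4], raw[-4:]
    if double_sha256(data)[:4] != checksum:
        raise ValueError("checksum mismatch: the string was mistyped or corrupted")
    return data[0], data[1:]


def wif_encode(private_key: bytes, compressed: bool) -> str:
    """WIF (prefix 5) or WIF-compressed (01 suffix, prefix K or L) for a 32-byte key."""
    if len(private_key) != 32:
        raise ValueError("private key must be 32 bytes")
    suffix = b"\x01" if compressed else b""
    return base58check_encode(VERSION_WIF, private_key + suffix)


def wif_decode(wif: str):
    """Return (private_key, compressed_flag) from a WIF or WIF-compressed string."""
    version, payload = base58check_decode(wif)
    if version != VERSION_WIF:
        raise ValueError("not a WIF private key (version byte 0x%02x)" % version)
    if len(payload) == 33 and payload[-1] == 0x01:
        return payload[:32], True
    if len(payload) == 32:
        return payload, False
    raise ValueError("unexpected WIF payload length %d" % len(payload))


def is_valid_address(text: str) -> bool:
    """True only if the checksum matches and the version byte is a known address type."""
    try:
        version, payload = base58check_decode(text)
    except ValueError:
        return False
    return version in (VERSION_P2PKH, VERSION_P2SH) and len(payload) == 20


if __name__ == "__main__":
    # Constructed inputs: the private key with value 1 and the 20-byte
    # hash160 of its compressed public key (a widely used test vector).
    key = (1).to_bytes(32, "big")
    hash160 = bytes.fromhex("751e76e8199196d454941c45d1b3a323f1433bd6")
    print("WIF           :", wif_encode(key, compressed=False))
    print("WIF-compressed:", wif_encode(key, compressed=True))
    print("address       :", base58check_encode(VERSION_P2PKH, hash160))
```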
Implementing Keys and Addresses in C++
Implementing Keys and Addresses in Python
These two sections show examples of generating keys and addresses in C++ and Python respectively. They are mainly about running code, so interested readers should read them at the original address.
Advanced Keys and Addresses
In the following sections we will look at advanced forms of keys and addresses, such as encrypted private keys, script and multisignature addresses, vanity addresses, and paper wallets.
This section covers bitcoin's advanced key forms, such as encrypted private keys, script addresses, and multisignature addresses.
Encrypted Private Keys (BIP-38)
Private keys must remain secret. The need for confidentiality of the private keys is a truism that is quite difficult to achieve in practice, because it conflicts with the equally important security objective of availability. Keeping the private key private is much harder when you need to store backups of the private key to avoid losing it. A private key stored in a wallet that is encrypted by a password might be secure, but that wallet needs to be backed up. At times, users need to move keys from one wallet to another—to upgrade or replace the wallet software, for example. Private key backups might also be stored on paper (see Paper Wallets) or on external storage media, such as a USB flash drive. But what if the backup itself is stolen or lost? These conflicting security goals led to the introduction of a portable and convenient standard for encrypting private keys in a way that can be understood by many different wallets and bitcoin clients, standardized by BIP-38 (see [appdxbitcoinimpproposals]).
Bitcoin private keys must be kept secret, yet secrecy conflicts with availability. To guard against loss, multiple backups are needed, but if a backup is lost, that is a problem too. For these situations there is the BIP-38 standard, which works across different wallet clients.
BIP-38 proposes a common standard for encrypting private keys with a passphrase and encoding them with Base58Check so that they can be stored securely on backup media, transported securely between wallets, or kept in any other conditions where the key might be exposed. The standard for encryption uses the Advanced Encryption Standard (AES), a standard established by the NIST and used broadly in data encryption implementations for commercial and military applications.
BIP-38 uses a passphrase-based encoding and AES encryption to protect the key.
A BIP-38 encryption scheme takes as input a bitcoin private key, usually encoded in the WIF, as a Base58Check string with the prefix of "5." Additionally, the BIP-38 encryption scheme takes a passphrase—a long password—usually composed of several words or a complex string of alphanumeric characters. The result of the BIP-38 encryption scheme is a Base58Check-encoded encrypted private key that begins with the prefix 6P. If you see a key that starts with 6P, it is encrypted and requires a passphrase in order to convert (decrypt) it back into a WIF-formatted private key (prefix 5) that can be used in any wallet. Many wallet applications now recognize BIP-38-encrypted private keys and will prompt the user for a passphrase to decrypt and import the key. Third-party applications, such as the incredibly useful browser-based Bit Address (Wallet Details tab), can be used to decrypt BIP-38 keys.
BIP-38 uses passphrase encryption: to use the private key, you must also supply a passphrase. Data encoded with BIP-38 has the prefix 6P. BIP-38 encoding is well suited to "cold wallets", where the private key is printed out and stored; you only need to remember one passphrase to keep it safe.
The most common use case for BIP-38 encrypted keys is for paper wallets that can be used to back up private keys on a piece of paper. As long as the user selects a strong passphrase, a paper wallet with BIP-38 encrypted private keys is incredibly secure and a great way to create offline bitcoin storage (also known as "cold storage").
Test the encrypted keys in Example of BIP-38 encrypted private key using bitaddress.org to see how you can get the decrypted key by entering the passphrase.
Table 5. Example of BIP-38 encrypted private key
Pay-to-Script Hash (P2SH) and Multisig Addresses
As we know, traditional bitcoin addresses begin with the number “1” and are derived from the public key, which is derived from the private key. Although anyone can send bitcoin to a “1” address, that bitcoin can only be spent by presenting the corresponding private key signature and public key hash.
Bitcoin addresses that begin with the number “3” are pay-to-script hash (P2SH) addresses, sometimes erroneously called multisignature or multisig addresses. They designate the beneficiary of a bitcoin transaction as the hash of a script, instead of the owner of a public key. The feature was introduced in January 2012 with BIP-16 (see [appdxbitcoinimpproposals]), and is being widely adopted because it provides the opportunity to add functionality to the address itself. Unlike transactions that "send" funds to traditional “1” bitcoin addresses, also known as a pay-to-public-key-hash (P2PKH), funds sent to “3” addresses require something more than the presentation of one public key hash and one private key signature as proof of ownership. The requirements are designated at the time the address is created, within the script, and all inputs to this address will be encumbered with the same requirements.
Traditional bitcoin addresses start with 1, but there are also script hash addresses starting with 3. These addresses are the hash of a script, and because they allow functionality to be added to the address itself, they are widely used. Paying to an address starting with 3 requires more than just a public key and a signature. The way the address is generated, however, is the same as for addresses starting with 1.
A P2SH address is created from a transaction script, which defines who can spend a transaction output (for more details, see [p2sh]). Encoding a P2SH address involves using the same double-hash function as used during creation of a bitcoin address, only applied on the script instead of the public key:
The resulting "script hash" is encoded with Base58Check with a version prefix of 5, which results in an encoded address starting with a 3. An example of a P2SH address is 3F6i6kwkevjR7AsAd4te2YB2zZyASEm1HM, which can be derived using the Bitcoin Explorer commands script-encode, sha256, ripemd160, and base58check-encode (see [appdx_bx]) as follows:
Tip: P2SH is not necessarily the same as a multisignature standard transaction. A P2SH address most often represents a multi-signature script, but it might also represent a script encoding other types of transactions.
Multisignature addresses and P2SH
Currently, the most common implementation of the P2SH function is the multi-signature address script. As the name implies, the underlying script requires more than one signature to prove ownership and therefore spend funds. The bitcoin multi-signature feature is designed to require M signatures (also known as the “threshold”) from a total of N keys, known as an M-of-N multisig, where M is equal to or less than N. For example, Bob the coffee shop owner from [ch01_intro_what_is_bitcoin] could use a multisignature address requiring 1-of-2 signatures from a key belonging to him and a key belonging to his spouse, ensuring either of them could sign to spend a transaction output locked to this address. This would be similar to a “joint account” as implemented in traditional banking where either spouse can spend with a single signature. Or Gopesh, the web designer paid by Bob to create a website, might have a 2-of-3 multisignature address for his business that ensures that no funds can be spent unless at least two of the business partners sign a transaction.
A multisignature address means that spending requires the signatures of more than one private key. For example, an m-of-n scheme requires at least m signatures out of n people for a transaction to be valid. This is typically used for joint accounts. Just last week I was chatting with a friend who works as a cashier: he handles payments and operates a company's online banking, but to actually make a transfer himself he still needs verification by two other people.
We will explore how to create transactions that spend funds from P2SH (and multi-signature) addresses in [transactions].
Vanity Addresses
Vanity addresses are valid bitcoin addresses that contain human-readable messages. For example, 1LoveBPzzD72PUXLzCkYAtGFYmK5vYNR33 is a valid address that contains the letters forming the word "Love" as the first four Base-58 letters. Vanity addresses require generating and testing billions of candidate private keys, until a bitcoin address with the desired pattern is found. Although there are some optimizations in the vanity generation algorithm, the process essentially involves picking a private key at random, deriving the public key, deriving the bitcoin address, and checking to see if it matches the desired vanity pattern, repeating billions of times until a match is found.
"Vanity" in English means vanity or showiness; to make it sound nicer, I translate the term as "bitcoin pretty address", after the usage "pretty QQ number". A pretty address means that, while a bitcoin address is normally a meaningless random string, one that contains readable information, such as LOVEU, takes on a different significance. To achieve this, different private keys are tried until the desired result comes out.
Once a vanity address matching the desired pattern is found, the private key from which it was derived can be used by the owner to spend bitcoin in exactly the same way as any other address. Vanity addresses are no less or more secure than any other address. They depend on the same Elliptic Curve Cryptography (ECC) and SHA as any other address. You can no more easily find the private key of an address starting with a vanity pattern than you can any other address.
Once such a pretty address is found, it can be used normally like any other address. In terms of security, there is no great difference from ordinary addresses.
In?[ch01_intro_what_is_bitcoin], we introduced Eugenia, a children’s charity director operating in the Philippines. Let’s say that Eugenia is organizing a bitcoin fundraising drive and wants to use a vanity bitcoin address to publicize the fundraising. Eugenia will create a vanity address that starts with "1Kids" to promote the children’s charity fundraiser. Let’s see how this vanity address will be created and what it means for the security of Eugenia’s charity.
The following example is of raising a children's fund with bitcoin, where the fundraiser wants an address starting with 1Kids.
Generating vanity addresses
It’s important to realize that a bitcoin address is simply a number represented by symbols in the Base58 alphabet. The search for a pattern like "1Kids" can be seen as searching for an address in the range from 1Kids11111111111111111111111111111 to 1Kidszzzzzzzzzzzzzzzzzzzzzzzzzzzzz. There are approximately 58^29 (approximately 1.4 × 10^51) addresses in that range, all starting with "1Kids." The range of vanity addresses starting with "1Kids" shows the range of addresses that have the prefix 1Kids.
Note that a bitcoin address is essentially a number produced by cryptographic operations. Wanting an address starting with 1Kids essentially means finding a private key whose generated address lies in the search space from 1Kids111…111 to 1Kidszzz…zzz.
Table 6. The range of vanity addresses starting with "1Kids"
Let’s look at the pattern "1Kids" as a number and see how frequently we might find this pattern in a bitcoin address (see The frequency of a vanity pattern (1KidsCharity) and average search time on a desktop PC). An average desktop computer PC, without any specialized hardware, can search approximately 100,000 keys per second.
Taking average computing power as an example, the table below shows how many private keys on average must be tried before an address meeting the requirement appears.
Table 7. The frequency of a vanity pattern (1KidsCharity) and average search time on a desktop PC
As you can see, Eugenia won’t be creating the vanity address "1KidsCharity" anytime soon, even if she had access to several thousand computers. Each additional character increases the difficulty by a factor of 58. Patterns with more than seven characters are usually found by specialized hardware, such as custom-built desktops with multiple GPUs. These are often repurposed bitcoin mining "rigs" that are no longer profitable for bitcoin mining but can be used to find vanity addresses. Vanity searches on GPU systems are many orders of magnitude faster than on a general-purpose CPU.
As you can see, each additional character in the address multiplies the work by 58, so the difficulty grows exponentially. This is really another form of mining, so GPUs can accelerate it too. Today there are people who make a business of finding pretty addresses for a fee; you pay, and it is fast.
Another way to find a vanity address is to outsource the work to a pool of vanity miners, such as the pool at Vanity Pool. A pool is a service that allows those with GPU hardware to earn bitcoin searching for vanity addresses for others. For a small payment (0.01 bitcoin or approximately $5 at the time of this writing), Eugenia can outsource the search for a seven-character pattern vanity address and get results in a few hours instead of having to run a CPU search for months.
Generating a vanity address is a brute-force exercise: try a random key, check the resulting address to see if it matches the desired pattern, repeat until successful. Vanity address miner shows an example of a "vanity miner," a program designed to find vanity addresses, written in C++. The example uses the libbitcoin library, which we introduced in [alt_libraries].
The author provides a running example here; for reasons of length, see the original code at the link.
https://github.com/bitcoinbook/bitcoinbook/blob/develop/ch04.asciidoc#generating-vanity-addresses
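The brute-force loop described above, written here as an added pure-Python illustration rather than the book's libbitcoin C++ miner: it derives a compressed P2PKH address with secp256k1, SHA256, RIPEMD160 and Base58Check, estimates the expected number of keys for a prefix (the factor of 58 per character from the table), and tries random keys until the prefix matches. The pattern and try limit passed to find_vanity are constructed inputs; the curve constants are the standard secp256k1 parameters.

```python
import hashlib
import secrets
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # generator point
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None  # a == -b
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P
def ec_mul(k, pt=G):  # double-and-add scalar multiplication; k * G is the public key point
    r = None
    while k:
        if k & 1:
            r = ec_add(r, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return r
def base58check(payload):
    """Append a 4-byte double-SHA256 checksum, Base58-encode, keep leading zero bytes as '1'."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, s = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        s = B58[r] + s
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + s
def hash160(data):  # RIPEMD160(SHA256(data)), the 20-byte public key hash
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()
def address(priv):  # P2PKH address (version byte 0x00) of the compressed public key
    x, y = ec_mul(priv)
    pub = bytes([2 + (y & 1)]) + x.to_bytes(32, "big")  # 02/03 prefix + x coordinate
    return base58check(b"\x00" + hash160(pub))
def expected_tries(pattern):  # average keys to test: 58 per character after the fixed '1'
    return 58 ** (len(pattern) - 1)
def find_vanity(pattern, max_tries):
    """Brute force: pick a random key, derive its address, stop when the prefix matches."""
    for tries in range(1, max_tries + 1):
        priv = secrets.randbelow(N - 1) + 1
        if (addr := address(priv)).startswith(pattern):
            return priv, addr, tries
    return None
```

At roughly a few hundred keys per second this pure-Python loop is far slower than the 100,000 keys per second the book quotes for a desktop PC, which is exactly why real vanity miners are written in C++ or run on GPUs.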
Vanity address security
Vanity addresses can be used to enhance and to defeat security measures; they are truly a double-edged sword. Used to improve security, a distinctive address makes it harder for adversaries to substitute their own address and fool your customers into paying them instead of you. Unfortunately, vanity addresses also make it possible for anyone to create an address that resembles any random address, or even another vanity address, thereby fooling your customers.
A vanity address is truly a double-edged sword: it can strengthen security and it can weaken it. Because the first few characters are readable, it is harder for an attacker to swap your address for someone else's, since a readable prefix carries meaning and is easy to recognize. But the problem comes from that same readability: if an attacker generates an address whose first few characters match some address, readable or not, impersonating it becomes very easy.
Eugenia could advertise a randomly generated address (e.g., 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy) to which people can send their donations. Or, she could generate a vanity address that starts with 1Kids, to make it more distinctive.
In both cases, one of the risks of using a single fixed address (rather than a separate dynamic address per donor) is that a thief might be able to infiltrate your website and replace it with his own address, thereby diverting donations to himself. If you have advertised your donation address in a number of different places, your users may visually inspect the address before making a payment to ensure it is the same one they saw on your website, on your email, and on your flyer. In the case of a random address like 1J7mdg5rbQyUHENYdx39WVWK7fsLpEoXZy, the average user will perhaps inspect the first few characters "1J7mdg" and be satisfied that the address matches. Using a vanity address generator, someone with the intent to steal by substituting a similar-looking address can quickly generate addresses that match the first few characters, as shown in Generating vanity addresses to match a random address.
But there is another problem: if you publish a receiving address when soliciting donations, someone may replace your address with their own. Because an address is random, people usually check only that the first few characters look alike before confirming, and that brings risk. The table below shows, for one original address, look-alike addresses modeled on it.
Table 8. Generating vanity addresses to match a random address
Take the address 1Kids33q44erFfpeXrmDSz7zEqG2FesZEN as an example. If an ordinary person sees 1Kids33, they will feel the address is correct, so for an attacker to compute a convincing impostor address they must match two more characters than the original pattern, which costs 3,364 times (58 × 58) as much work. If we make the vanity address 8 characters long, an impostor has to reach 10 characters; that cost is bearable for a legitimate user but very expensive for an attacker, which is a good balance. In other words, choose a difficulty that we can afford once, but whose 3,364-fold multiple the attacker cannot afford.
So does a vanity address increase security? If Eugenia generates the vanity address 1Kids33q44erFfpeXrmDSz7zEqG2FesZEN, users are likely to look at the vanity pattern word and a few characters beyond, for example noticing the "1Kids33" part of the address. That would force an attacker to generate a vanity address matching at least six characters (two more), expending an effort that is 3,364 times (58 × 58) higher than the effort Eugenia expended for her 4-character vanity. Essentially, the effort Eugenia expends (or pays a vanity pool for) "pushes" the attacker into having to produce a longer pattern vanity. If Eugenia pays a pool to generate an 8-character vanity address, the attacker would be pushed into the realm of 10 characters, which is infeasible on a personal computer and expensive even with a custom vanity-mining rig or vanity pool. What is affordable for Eugenia becomes unaffordable for the attacker, especially if the potential reward of fraud is not high enough to cover the cost of the vanity address generation.
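The defender-side counterpart to the prefix-inspection problem above, as an added example that is not part of the book or the original post: a user or a payment page should compare the full Base58Check-decoded payload (version byte plus 20-byte hash) and verify the checksum, rather than eyeballing the first few characters. The two addresses used below are the ones quoted on this page; the effort-ratio helper is a constructed name that just restates the 58-per-character rule.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def base58check_decode(addr):
    """Decode Base58Check into (version byte, payload); raise ValueError on a bad checksum."""
    n = 0
    for ch in addr:
        n = n * 58 + B58.index(ch)  # ValueError for characters outside the alphabet
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\0" * (len(addr) - len(addr.lstrip("1"))) + raw  # each leading '1' is a zero byte
    if len(raw) < 5:
        raise ValueError("too short for Base58Check")
    data, chk = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(data).digest()).digest()[:4] != chk:
        raise ValueError("bad Base58Check checksum")
    return data[0], data[1:]

def same_address(published, shown):
    """True only if both strings decode to the same version and payload (full comparison)."""
    return base58check_decode(published) == base58check_decode(shown)

def prefix_only_match(published, shown, inspected_chars):
    """What a hurried user does: compares just the first few characters. Kept for contrast."""
    return published[:inspected_chars] == shown[:inspected_chars]

def attacker_effort_ratio(owner_chars, inspected_chars):
    """Extra work for a look-alike: a factor of 58 per inspected character beyond the owner's pattern."""
    return 58 ** (inspected_chars - owner_chars)
```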
Paper Wallets
Paper wallets are bitcoin private keys printed on paper. Often the paper wallet also includes the corresponding bitcoin address for convenience, but this is not necessary because it can be derived from the private key. Paper wallets are a very effective way to create backups or offline bitcoin storage, also known as "cold storage." As a backup mechanism, a paper wallet can provide security against the loss of key due to a computer mishap such as a hard-drive failure, theft, or accidental deletion. As a "cold storage" mechanism, if the paper wallet keys are generated offline and never stored on a computer system, they are much more secure against hackers, keyloggers, and other online computer threats.
A paper wallet is a bitcoin private key printed on paper. Sometimes the paper also carries the bitcoin address corresponding to the public key, but since the public key can be computed from the private key, storing only the private key is enough. Keeping the private key on paper as cold storage also guards against hacker attacks and other online threats.
Paper wallets come in many shapes, sizes, and designs, but at a very basic level are just a key and an address printed on paper. Simplest form of a paper wallet—a printout of the bitcoin address and private key shows the simplest form of a paper wallet.
Table 9. Simplest form of a paper wallet—a printout of the bitcoin address and private key
Paper wallets can be generated easily using a tool such as the client-side JavaScript generator at bitaddress.org. This page contains all the code necessary to generate keys and paper wallets, even while completely disconnected from the internet. To use it, save the HTML page on your local drive or on an external USB flash drive. Disconnect from the internet and open the file in a browser. Even better, boot your computer using a pristine operating system, such as a CD-ROM bootable Linux OS. Any keys generated with this tool while offline can be printed on a local printer over a USB cable (not wirelessly), thereby creating paper wallets whose keys exist only on the paper and have never been stored on any online system. Put these paper wallets in a fireproof safe and "send" bitcoin to their bitcoin address, to implement a simple yet highly effective "cold storage" solution. An example of a simple paper wallet from bitaddress.org shows a paper wallet generated from the bitaddress.org site.
Print the address and private key on a sheet of paper, making sure that no data connection is online during the process. Keep these paper wallets in a fireproof safe, and you have a simple but highly effective cold storage solution.
Figure 8. An example of a simple paper wallet from bitaddress.org
But this still carries a risk: once someone gets hold of the paper, they can obtain the private key by photographing it or by other means, and move the money. An improved method is to encrypt the bitcoin private key with the BIP-38 protocol. Using the key then also requires entering a passphrase, so as long as you remember that passphrase, the key cannot be stolen.
The disadvantage of a simple paper wallet system is that the printed keys are vulnerable to theft. A thief who is able to gain access to the paper can either steal it or photograph the keys and take control of the bitcoin locked with those keys. A more sophisticated paper wallet storage system uses BIP-38 encrypted private keys. The keys printed on the paper wallet are protected by a passphrase that the owner has memorized. Without the passphrase, the encrypted keys are useless. Yet, they still are superior to a passphrase-protected wallet because the keys have never been online and must be physically retrieved from a safe or other physically secured storage. An example of an encrypted paper wallet from bitaddress.org. The passphrase is "test." shows a paper wallet with an encrypted private key (BIP-38) created on the bitaddress.org site.
Figure 9. An example of an encrypted paper wallet from bitaddress.org. The passphrase is "test."
Warning: Although you can deposit funds into a paper wallet several times, you should withdraw all funds only once, spending everything. This is because in the process of unlocking and spending funds some wallets might generate a change address if you spend less than the whole amount. Additionally, if the computer you use to sign the transaction is compromised, you risk exposing the private key. By spending the entire balance of a paper wallet only once, you reduce the risk of key compromise. If you need only a small amount, send any remaining funds to a new paper wallet in the same transaction.
Note that you can send money to a wallet many times, but when withdrawing or spending, it is best to take everything out at once. If you spend less than the balance of the address, some wallets generate a change address. If the computer or device holding the wallet has been compromised, spending the remainder later may leak the private key. If you do not spend all the money on a cold wallet, transfer the remaining funds to a new paper wallet in the same transaction.
Paper wallets come in many designs and sizes, with many different features. Some are intended to be given as gifts and have seasonal themes, such as Christmas and New Year’s themes. Others are designed for storage in a bank vault or safe with the private key hidden in some way, either with opaque scratch-off stickers, or folded and sealed with tamper-proof adhesive foil. Figure 10 through Figure 12 show various examples of paper wallets with security and backup features.
Once you print a bitcoin private key on a paper wallet, you can give it different themed designs, for example greeting cards for Christmas or New Year. This is a lot like the traditional prepaid gift cards of everyday life, so it could also become a handy tool for bribery. If bitcoin really does come into wide use, the disciplinary and supervisory commissions will surely have to step in.
Figure 10. An example of a paper wallet from bitcoinpaperwallet.com with the private key on a folding flap
Figure 11. The bitcoinpaperwallet.com paper wallet with the private key concealed
Other designs feature additional copies of the key and address, in the form of detachable stubs similar to ticket stubs, allowing you to store multiple copies to protect against fire, flood, or other natural disasters.
Figure 12. An example of a paper wallet with additional copies of the keys on a backup "stub"
That wraps up the section on bitcoin wallet addresses and public and private keys. Thanks for reading; treat yourself to an extra egg at lunch.