MAS S62S18 Lec06

The document is lecture 6 of MIT MAS.S62 (Cryptocurrency Engineering and Design, spring 2018) and discusses different types of cryptocurrency wallets and their tradeoffs. It begins with the basic wallet functions, receiving and sending payments, then covers simplified key derivation (BIP32), coin selection and its privacy implications, simplified payment verification (SPV), and progressively less secure alternatives: API-query wallets and fully custodial services. SPV wallets are less secure than running a full node because the serving node can lie by omission. Fully custodial wallets provided by websites have significant security and privacy downsides because the user does not control the private keys.

MAS.S62 lecture 6
wallets and SPV
2018-02-26
Tadge Dryja
today
wallet operation
coin selection
SPV walkthrough
node types and problems

last time: sync
get software, connect
get headers
get blocks
replay history
arrive at the utxo set
what about my money?
how do I pay people?
how do I get paid?
the software that manages this is called
a "wallet"
wallet function
send and receive money
simple, right?
you need to receive money before you can
send it, so start with that
Receive address
Most output scripts are pay to pubkey
hash (P2PKH).
The opcodes are all the same
(OP_DUP OP_HASH160 <20-byte hash> OP_EQUALVERIFY OP_CHECKSIG),
with only the hash changing.
The address is a standard ASCII encoding
of that hash (Base58Check with a version
byte and a checksum; P2PKH addresses
start with '1'), e.g.:
1F8f12E4uJDiTRLdPy1oze6aoh2o8yJCSJ
addresses on servers
keep a bunch of addresses on the server
keep the private keys offline
the list of addresses can run out
can we generate pubkeys without the privkey?
BIP32 simplified
parent pubkey P, randomizer r
parent privkey p (P = p*G)

A_i = P + hash(r, i)*G
a_i = p + hash(r, i)   (mod n)

so A_i = a_i*G: whoever holds p can spend
from every A_i.
Can put the pubkey P and the random data r
on the server; the server can make addresses
as needed.
Observers can't link the addresses.
Revealing P and r would allow linking the
addresses, but not stealing funds.
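As an added worked example (not from the slides), the simplified derivation above in Python with a minimal secp256k1 implementation. hash(r, i) is taken here as SHA-256(r || i) reduced mod n, an assumption standing in for BIP32's HMAC-SHA512 of chain code, parent key and index; the curve arithmetic is textbook affine double-and-add and is not constant time. The server side calls derive_pub with only (P, r); the offline side calls derive_priv with (p, r); keys_match checks that the two agree.

```python
import hashlib

# secp256k1 domain parameters (standard constants)
FIELD_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
ORDER_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % FIELD_P == 0:
        return None                      # a + (-a) = infinity
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, FIELD_P) % FIELD_P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FIELD_P, -1, FIELD_P) % FIELD_P
    x3 = (lam * lam - x1 - x2) % FIELD_P
    y3 = (lam * (x1 - x3) - y1) % FIELD_P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (illustration only: not constant time)."""
    k %= ORDER_N
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def tweak(r, i):
    """The slide's hash(r, i) as a scalar: assumed here to be SHA-256(r || i) mod n."""
    digest = hashlib.sha256(r + i.to_bytes(4, "big")).digest()
    return int.from_bytes(digest, "big") % ORDER_N


def derive_pub(parent_pub, r, i):
    """Server side: A_i = P + hash(r, i) * G.  Needs only P and r, never p."""
    return ec_add(parent_pub, ec_mul(tweak(r, i), G))


def derive_priv(parent_priv, r, i):
    """Offline side: a_i = p + hash(r, i) mod n."""
    return (parent_priv + tweak(r, i)) % ORDER_N


def keys_match(parent_priv, r, i):
    """Check that the server's A_i is the public key of the offline a_i."""
    parent_pub = ec_mul(parent_priv, G)
    return derive_pub(parent_pub, r, i) == ec_mul(derive_priv(parent_priv, r, i), G)


if __name__ == "__main__":
    # constructed demo secret and randomizer (never use fixed values like these)
    p = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    r = b"per-wallet randomizer"
    P = ec_mul(p, G)
    for i in (1, 2, 3):
        # the server computes A_i from (P, r); the cold store computes a_i from (p, r)
        print(i, keys_match(p, r, i), hex(derive_pub(P, r, i)[0])[:18])
```

Two caveats that follow directly from the formulas. Anyone holding (P, r) can recompute every A_i and so link the addresses, which is the slide's tradeoff; they still cannot produce a_i without p. The reverse is worse: leaking a single child private key a_i together with r gives p = a_i - hash(r, i), so the whole tree is compromised. Real BIP32 has the same property for non-hardened derivation, which is why hardened derivation exists for keys that might be exposed.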
Request payment
Hey, want this jacket? Send a coin to
1F8f12E...
(Note that Bitcoin does not attempt
to solve the fair exchange problem;
payments are not contingent on
delivery of goods.)
Atomic swaps, HTLCs, zkCP, etc. notwithstanding.
have I gotten paid?
Add your pubkey hashes to a list.
For every transaction, look at every
output script.
If the script matches your P2PKH
script, you got money!
wallet utxo list
Keep track of received payments.
Save all the utxos to disk:
txid:index, amount, which key, height.
Next, spend them.
wallet utxo list
You want to send 6 coins somewhere:
find utxos totalling over 6, use them
as inputs, then add outputs.

inputs                  outputs
884d:0 (5 coins)        1BobAddr2zKLw: 6 coins
b427:1 (3 coins)        1AliceChange392: 2 coins

coin selection
2 inputs, 2 outputs.
What would work better...?

coin selection
1 input, 1 output:
a273:3 (6 coins)   ->   1BobAddr2zKLw: 6 coins
Half the size, half the fee.
coin selection
A tricky problem (NP-hard) but
heuristics work OK in practice
What are we optimizing for?

coin selection
optimize for:
minimize the number of inputs used...
easy! Just pick the biggest utxos.
Want to minimize inputs next time as
well; ideally eliminate the change output
(hit the target amount exactly).
coin selection
privacy concerns:
Using 2 utxos in the same tx 'links'
them; people can see that it's
probably the same entity.
Maximum anonymity:
always 1-input txs! (tons of txs)
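As an added example (not from the slides) covering both the "have I gotten paid?" scan and the coin-selection heuristics above, in Python. It matches block outputs against the P2PKH template, records utxos the way the slide lists them (txid:index, amount, key, height), then tries for an exact match (no change output) before falling back to largest-first. Amounts are whole coins as in the slides; the txids, 20-byte hashes and block contents are constructed; the byte-size constants are the usual legacy P2PKH approximation used for fee estimation.

```python
from itertools import combinations

# P2PKH scriptPubKey: OP_DUP OP_HASH160 <20-byte pubkey hash> OP_EQUALVERIFY OP_CHECKSIG
P2PKH_PREFIX = b"\x76\xa9\x14"
P2PKH_SUFFIX = b"\x88\xac"


def p2pkh_script(pkh):
    assert len(pkh) == 20
    return P2PKH_PREFIX + pkh + P2PKH_SUFFIX


def p2pkh_hash(script):
    """Return the 20-byte hash if script is exactly the P2PKH template, else None."""
    if len(script) == 25 and script.startswith(P2PKH_PREFIX) and script.endswith(P2PKH_SUFFIX):
        return script[3:23]
    return None


def scan_block(txs, my_hashes, height):
    """txs: list of (txid, [(amount, scriptPubKey), ...]); my_hashes: {pkh: key id}.
    Returns a wallet utxo record for every output paying one of our hashes."""
    found = []
    for txid, outputs in txs:
        for index, (amount, script) in enumerate(outputs):
            pkh = p2pkh_hash(script)
            if pkh is not None and pkh in my_hashes:
                found.append({"outpoint": f"{txid}:{index}", "amount": amount,
                              "key": my_hashes[pkh], "height": height})
    return found


def estimate_size(n_in, n_out):
    """Rough legacy P2PKH tx size: ~148 bytes per input, ~34 per output, ~10 overhead."""
    return 10 + 148 * n_in + 34 * n_out


def select_largest_first(utxos, target):
    """The slide's 'easy' heuristic: biggest utxos first until the target is covered."""
    chosen, total = [], 0
    for u in sorted(utxos, key=lambda u: u["amount"], reverse=True):
        if total >= target:
            break
        chosen.append(u)
        total += u["amount"]
    if total < target:
        raise ValueError("insufficient funds")
    return chosen


def select_exact(utxos, target, max_inputs=3):
    """Look for a few utxos that hit the target exactly, so no change output is needed.
    Exhaustive over small input counts only; the general problem is subset-sum."""
    for k in range(1, max_inputs + 1):
        for combo in combinations(utxos, k):
            if sum(u["amount"] for u in combo) == target:
                return list(combo)
    return None


def plan_spend(utxos, target, dest_pkh, change_pkh):
    chosen = select_exact(utxos, target) or select_largest_first(utxos, target)
    total = sum(u["amount"] for u in chosen)
    outputs = [(target, p2pkh_script(dest_pkh))]
    if total > target:
        outputs.append((total - target, p2pkh_script(change_pkh)))
    return {"inputs": [u["outpoint"] for u in chosen], "outputs": outputs,
            "size": estimate_size(len(chosen), len(outputs))}


# constructed sample data mirroring the slide: our keys, and a block paying us 5, 3 and 6 coins
MY_HASHES = {b"\x01" * 20: "key0", b"\x02" * 20: "key1"}
OTHER = p2pkh_script(b"\xee" * 20)
SAMPLE_BLOCK = [
    ("884d", [(5, p2pkh_script(b"\x01" * 20)), (9, OTHER)]),
    ("b427", [(7, OTHER), (3, p2pkh_script(b"\x02" * 20))]),
    ("a273", [(1, OTHER), (2, OTHER), (4, OTHER), (6, p2pkh_script(b"\x01" * 20))]),
]


def demo(target=6, skip_outpoints=()):
    utxos = [u for u in scan_block(SAMPLE_BLOCK, MY_HASHES, height=500_000)
             if u["outpoint"] not in skip_outpoints]
    return plan_spend(utxos, target, dest_pkh=b"\xb0" * 20, change_pkh=b"\x03" * 20)


if __name__ == "__main__":
    print(demo())                             # 1 input (a273:3), 1 output
    print(demo(skip_outpoints=("a273:3",)))   # 2 inputs, 2 outputs, about twice the size
```

With the 6-coin utxo available the planner spends it alone (192 bytes, no change); without it, largest-first takes 5 + 3 and adds a 2-coin change output (374 bytes), which is the slide's two-input case. The exact-match pass is the part that also serves privacy: one input and no change output is the least linkable shape a transaction can have.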
losing money
Just because you signed a tx doesn't
mean your money's gone:
was it broadcast? did it get into a block?
Listen for your own utxos getting
spent in every block.
(Same wallet on multiple computers:
another copy may spend a utxo you still
think you have.)
intermission
0xff seconds to walk around, check on
the pset miner, etc.
Note that current pset high scores can be
obtained by

$ nc hubris.media.mit.edu 6299

(seems not to work on MIT wifi)
wallets without bitcoin
We've talked about running bitcoin:
syncing headers, checking signatures,
building the utxo set.
But can you use bitcoin without doing
this?
Get someone else to do it!
full node
What was just called "bitcoin" many
call a "full node".
Also possible are "lite nodes" or
"SPV nodes".
SPV
simplified payment verification
mentioned in the whitepaper
can verify work without much data
(headers only, not the full blocks)
SPV howto
connect, get headers, verify the chain of work
tell the node all your addresses
for each header, ask if you gained or
lost utxos
verify the merkle proof of the response txs
Merkle verification
Provide siblings up to the top;
my tx must be in there.

                 header (merkle root)
                /                    \
          hash(0,1)                hash(2,3)
          /      \                 /      \
      txid 0    my tx          txid 2    txid 3

To prove "my tx" the node sends txid 0 and hash(2,3);
the wallet hashes upward and compares with the header.
SPV problems
connect, get headers, verify
this is the same as for full nodes,
so that's OK
SPV problems
tell the node all your addresses
wait what?! Tell all your addresses?
The node needs to know which txs to send
you. If it sends all of them, no savings.
Bloom filters (BIP37): poor privacy.
Block-based filters are better: the client
downloads a compact filter per block and
matches locally, so the server never sees
the addresses.
SPV problems
for each header, ask if you gained or
lost utxos
any possible problems here?
Easy to lie by omission: the node simply
doesn't tell you about a tx.
Mitigate by connecting to more nodes
... but then you share your addresses with even
more people!
SPV problems
verify merkle proof of response txs
merkle proofs are quick
but prove inclusion, not exclusion: a
proof shows a tx is in the block; nothing
shows that no other tx touching your
utxos was left out
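As an added example (not from the slides) for the merkle verification diagram and the inclusion-not-exclusion point: Bitcoin-style merkle root, proof generation as a serving node would do it, and verification as the SPV wallet does it, in Python. The txids are constructed; the hashing (double SHA-256, last hash duplicated on odd levels) is Bitcoin's rule.

```python
import hashlib


def dsha256(data):
    """Bitcoin's hash for txids and merkle nodes: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def _pad(level):
    # Bitcoin duplicates the last hash when a level has an odd number of nodes
    return level + [level[-1]] if len(level) % 2 == 1 else level


def _next_level(level):
    level = _pad(level)
    return [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]


def merkle_root(txids):
    """What the block header commits to."""
    if not txids:
        raise ValueError("a block has at least its coinbase tx")
    level = list(txids)
    while len(level) > 1:
        level = _next_level(level)
    return level[0]


def merkle_proof(txids, index):
    """What the serving node sends: sibling hashes from the leaf up to the root.
    Each entry is (sibling_hash, sibling_is_on_the_left)."""
    proof, level, idx = [], list(txids), index
    while len(level) > 1:
        level = _pad(level)
        proof.append((level[idx ^ 1], idx % 2 == 1))
        level = _next_level(level)
        idx //= 2
    return proof


def verify_proof(txid, proof, root):
    """What the SPV wallet checks: hashing up through the siblings must land on the header's root."""
    h = txid
    for sibling, sibling_is_left in proof:
        h = dsha256(sibling + h) if sibling_is_left else dsha256(h + sibling)
    return h == root


def spv_accepts(root, responses):
    """An SPV wallet accepts a node's answer if every tx it sent has a valid proof.
    An empty answer is accepted too: a proof shows inclusion, never exclusion."""
    return all(verify_proof(txid, proof, root) for txid, proof in responses)


# constructed block: four txids, the third one pays us (the diagram's "my tx")
TXIDS = [dsha256(b"coinbase"), dsha256(b"pay alice"), dsha256(b"pay me"), dsha256(b"other")]
MY_TX = TXIDS[2]
ROOT = merkle_root(TXIDS)

if __name__ == "__main__":
    honest = [(MY_TX, merkle_proof(TXIDS, 2))]
    print("honest node:", spv_accepts(ROOT, honest))          # True
    print("node lying by omission:", spv_accepts(ROOT, []))   # also True: nothing to check
```

The proof for "my tx" is two hashes (txid 3, then hash(0,1)) regardless of how many other transactions the block holds, which is the space saving SPV is built on. The last assertion is the slide's point: a node that simply drops the response leaves the wallet with nothing to verify. One side effect of the odd-level duplication rule is that a block with an odd number of txids has the same root as one with its last txid repeated; Bitcoin Core rejects blocks containing duplicate txids for exactly that reason (CVE-2012-2459).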
SPV and beyond
So SPV sounds pretty bad and I think
I'll stick to my full node.
But I gotta ask, is there something
worse than SPV?
... asking for a friend.
Not even SPV (NESPV)
Websites, phone wallets.
Send all your addresses, ask if you
have utxos.
Server responds that you do. Cool.
Build txs, sign, send to the server.
NESPV issues
Any potential problems?
Server can:
say you got paid when you didn't
say you lost money when you didn't
(no headers, no merkle proofs, nothing to check)
If in browser, even more fun:
the server also serves the code that signs.
Further
API based wallets sound real bad.
But we can do worse, right?

Someone else's coins
Don't even have keys. Just have a
website where they run a node* /
wallet and owe you money.
Tends to end badly.
Always misses the point.

* guess which kind. OK maybe don't.
trade offs

             full node    SPV        API query    hold my key
network      170GB        50MB       1MB          1MB?
storage      4GB          50MB       0B           0B
speed        hours        seconds    1 sec        0
privacy      OK           poor       poor         none
security     OK           medium     poor         none


wallets are fun
still big usability issues
interesting problems all around

Have fun with Ethan on Wednesday,
good luck w/ pset!
MIT OpenCourseWare
https://ocw.mit.edu/

MAS.S62 Cryptocurrency Engineering and Design
Spring 2018

For information about citing these materials or our Terms of Use, visit: https://ocw.mit.edu/terms.