Author: SJORS PROVOOST
Source: https://sprovoost.nl/2022/11/10/what-is-a-bitcoin-address/
A Bitcoin address is not part of the Bitcoin blockchain, but is a token that Bitcoin (wallet) software uses to communicate where to send Bitcoin: either to a public key (P2PK), a hash of a public key (P2PKH), a hash of a script (P2SH), a hash of a Segregated Witness public key (P2WPKH), or a hash of a Segregated Witness script (P2WSH). The address also contains some metadata about its type.
(Translator's note: Bitcoin's address types will continue to increase as the Bitcoin network is upgraded and script writing methods are standardized. In fact, of the address types mentioned above, only P2PK and P2PKH appeared with the initial release of Bitcoin; the rest appeared later. Now, with the activation of the Taproot upgrade in 2021, Bitcoin has added another address type, "P2TR".)
Bitcoin addresses use particular numeral systems to represent these payment targets. This article explains each of these numeral systems and takes a closer look at the advantages of regular (base58) Bitcoin addresses and of bech32 addresses. We also explain where the (not very serious) vulnerability in the first version of bech32 addresses came from and how it was solved. Finally, we touch on the impact of quantum computing.
- This article is excerpted from my new book "Bitcoin: Unfinished Research" -
Historical background
When you send someone bitcoin, you are actually creating a transaction with multiple inputs and at least one output. The output specifies who can spend the output through built-in constraints (called encumbrances in legal terms, which restrict the transfer of ownership of an asset).
The most trivial encumbrance is to allow anyone to spend the bitcoin. This is not a good idea, because the bitcoin would be stolen quickly. In the early days of Bitcoin, therefore, the vast majority of bitcoins on the blockchain were subject to one of two constraints: Pay-to-Public-Key (P2PK) or Pay-to-Public-Key-Hash (P2PKH). The former can be read as "only the person who holds the private key corresponding to public key X can spend these bitcoins", and the latter as "only the person who holds the private key corresponding to the (still secret) public key whose hash is X can spend these bitcoins".
At the time, you could also send Bitcoin to the recipient's IP address, but this feature was disabled in 2012. To use it, you would connect to the recipient's IP address and request their public key, which the recipient would hand over[1]. Your wallet would then create a transaction output with a P2PK script.
This workflow may seem strange today[2], but it fits the common pattern of peer-to-peer applications such as Napster and Kazaa at the time, where you connected directly to other people and downloaded things from them. Nowadays, you most likely don't know your friends' IP addresses, and if they are using mobile devices, their IP addresses may change all the time. While you can instruct your Bitcoin node to connect specifically to your friends' nodes, it will usually just connect to random nodes, as described in Chapter 2.
The more common transaction method is similar to a bank transfer. The recipient gives you an address, and you send Bitcoin to this address, just like you send money to a bank account. Initially, we all used P2PKH as the address (see the explanation below for the meaning of P2PKH).
In this way, the transaction is not sent directly to the recipient, but broadcasted through all nodes in the network, and finally discovered and packaged into the block by the mining node. Your counterparty's node may see the transaction from the peer node or receive the block in which the transaction is located.
The third transaction method is mining: sending the block reward obtained from mining to yourself. Initially, the mining software was built into the Bitcoin software. So as soon as you downloaded the Bitcoin software, it would start mining and send the mined bitcoins to your wallet, without any exchange of addresses. These bitcoins are all subject to P2PK constraints[3].
What is an address?
An address is a convenient way to indicate which script needs to go into the blockchain. As we explained above, the purpose of a script is to impose restrictions on bitcoins, allowing only the recipient to spend them[4]. The address itself does not exist on the blockchain, and the address does not even contain the entire script.
Of the two most commonly used scripts, only Pay-to-Public-Key-Hash (P2PKH) has an address form. When a wallet sees such an address, it generates a script that requires whoever spends the bitcoins to present the public key matching the hash (the real script is given in Chapter 10). Only the hash is made public; the public key stays secret until the recipient spends the bitcoins.
A P2PKH address starts with the number 1, followed by the hash of the public key. The address is encoded using base58, as shown in the following example:
1HLoFgMiDL3hvACAfbkDUjcP9r9veUcqAF
What is the Base system?
To understand base58, we must first understand the basic principles of the base system.
For example, think of base10 as your 10 fingers. So if you want to represent the number 115 (1, 1, 5), you can use your hands to make three gestures corresponding to 1, 1, 5. Since humans invented clay tablets and paper, you can also write these numbers with a pen, which is much more convenient than using your fingers. Therefore, base10 is a decimal system that uses 10 different symbols, and various combinations of these 10 symbols can be used to represent any number (whole number).
There are many different base systems out there. For example, the ancient Babylonians used base60. To read machine code, we usually use hexadecimal, which is base16 - using 16 characters for the numbers 0 to 9 and the letters A to F. Meanwhile, computers tend to use base2 (a binary number system) because transistors only have two states, on and off. This means you only need two numbers, 0 and 1, to do everything, and you can use them to represent any number.
Satoshi Nakamoto introduced the base58 system, which uses 58 different symbols: the numbers 0 to 9 and most lowercase and uppercase letters of the alphabet. However, some letters and numbers that are easily confused and misidentified by users are not included - for example, the number 0 and the uppercase letter O, the uppercase letter I and the lowercase letter l.
Have you ever seen the source code of an email attachment? A bunch of weird characters. That's base64, and base58 was derived from base64. However, base64 contains characters such as underscores, plus signs, equal signs, and slashes. Base58 removes these characters, which makes addresses easier to check by eye and lets them be used safely in URLs.
Base58 and Pay-to-Public-Key-Hash
How does this relate to P2PKH? A P2PKH address starts with 1, followed by the base58-encoded public key hash.
This is what you send to someone when you want to receive Bitcoin from them. You could also just send them 0x00[5] followed by your public key hash. Maybe they could interpret the 0x00, but they probably can't.
In theory, you can send someone a Bitcoin script written in hexadecimal (the format used on the blockchain) because Bitcoin script is binary information. On the blockchain, such a Bitcoin script would say, “If this person has the correct public key hash and the corresponding public key, you can spend this amount of bitcoin.” If you want to learn more about how Bitcoin script works, see Chapter 10.
Although there are so many representations to choose from, people usually choose a standardized address format. This explains why all traditional Bitcoin addresses start with 1 and are of similar length.
In addition to encoding Bitcoin addresses, base58 is also used to transfer private keys. In this case, the first symbol is 5 (from the version byte 128), followed by the private key.
In the past, users used paper wallets that could be printed out. If they were securely generated without a backdoor, one side of the paper would have a string starting with "1" and the other side would have a string starting with "5" and a note stating that only the Bitcoin address could be shown and the private key should not be shared.
There are also addresses that start with "3", which means that the bitcoins are locked to a script hash instead of a public key hash. We will introduce Pay-to-Script-Hash (P2SH) in Chapter 10. This type of address is usually a multi-signature address, but it can also be a SegWit address[6].
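As an added worked example (not code from the original article), here is base58check encoding and decoding in Python, the scheme behind the "1", "3" and "5" prefixes discussed above: a version byte is prepended to the payload, a four-byte double-SHA256 checksum is appended, and the result is written in base58. The version bytes 0x00, 0x05 and 0x80, the 20-byte sample hash and the helpers `is_valid_address` and `mistype` are assumptions made for this example, not part of the original.

```python
import hashlib

# Bitcoin's base58 alphabet: digits and letters minus the look-alikes 0, O, I and l.
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Version bytes assumed for this example; they produce the familiar first characters.
VERSION_P2PKH = 0x00  # address starts with "1"
VERSION_P2SH = 0x05   # address starts with "3"
VERSION_WIF = 0x80    # exported private key starts with "5"


def b58encode(data):
    """Treat the bytes as one big-endian number and write it in base58.
    Each leading 0x00 byte is carried over as a leading '1'."""
    n = int.from_bytes(data, "big")
    digits = []
    while n:
        n, rem = divmod(n, 58)
        digits.append(B58_ALPHABET[rem])
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + "".join(reversed(digits))


def b58decode(text):
    """Inverse of b58encode; rejects characters outside the alphabet."""
    n = 0
    for ch in text:
        idx = B58_ALPHABET.find(ch)
        if idx < 0:
            raise ValueError("not a base58 character: %r" % ch)
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def checksum(payload):
    """First 4 bytes of SHA256(SHA256(payload)): the typo detector at the end."""
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]


def base58check_encode(version, payload):
    """version byte + payload + checksum, all in base58."""
    body = bytes([version]) + payload
    return b58encode(body + checksum(body))


def base58check_decode(text):
    """Return (version, payload); raise ValueError if the checksum does not match."""
    raw = b58decode(text)
    if len(raw) < 5:
        raise ValueError("too short to carry a version byte and a checksum")
    body, check = raw[:-4], raw[-4:]
    if checksum(body) != check:
        raise ValueError("checksum mismatch: the address was probably mistyped")
    return body[0], body[1:]


def is_valid_address(text):
    """What a wallet does before sending: refuse anything whose checksum fails."""
    try:
        version, payload = base58check_decode(text)
    except ValueError:
        return False
    return version in (VERSION_P2PKH, VERSION_P2SH) and len(payload) == 20


def mistype(addr, position):
    """Simulate a single-character typo at the given index (constructed helper)."""
    wrong = "2" if addr[position] != "2" else "3"
    return addr[:position] + wrong + addr[position + 1:]


if __name__ == "__main__":
    h160 = bytes(range(20))  # constructed stand-in for RIPEMD160(SHA256(pubkey))
    addr = base58check_encode(VERSION_P2PKH, h160)
    print(addr, is_valid_address(addr), is_valid_address(mistype(addr, 10)))
```

Because base58 turns every leading zero byte into a leading "1", the 0x00 version byte is exactly what makes every P2PKH address begin with a 1; an all-zero hash even encodes to twenty-one 1s followed by the six checksum characters.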
While base58 addresses perform well, there is room for improvement. Hence, bech32.
bech32 is here
In March 2017, Pieter Wuille presented a new address format, bech32. Since SegWit activated, bech32 has been in use. As the name suggests, bech32 is a base32 system: it uses 32 symbols, the lowercase letters and digits minus a few that are easily confused.
Explanation video: https://youtu.be/NqiN9VFE4CU
The biggest difference between bech32 and base58 is that uppercase and lowercase letters are never mixed. An address is written either entirely in lowercase or entirely in uppercase, which makes it much easier to read aloud. The mapping between each letter or digit and its value is fixed but quite arbitrary: q means 0, p means 1, and there is no deep meaning behind it.
- bech32 mapping table. For example, q represents 0 and 3 represents 17 (1 + 16). -
A bech32[7] address consists of two parts separated by a "1", for example bc1q9kdcd08adkhg35r4g6nwu8ae4nkmsgp9vy00gf.
The first half is intentionally human-readable, for example "bc" (for Bitcoin) or "lnbc" (for Lightning Network on Bitcoin). The values represented by the letters "b" and "c" don't carry any meaning; they are there just for human identification: "Got it, if the address starts with 'bc', it refers to Bitcoin." Wallets do check that this part is what they expect, as a plausibility check, and it is also covered by the checksum.
The "1" is just a separator character and does not represent any value. If you look at the mapping table for bech32, you will find that "1" is not included, which means "skip it".
The second half begins with the SegWit version number. Version 0 is represented by Q (bc1q…) (see Chapter 3). Version 1 is what we call Taproot (see Part 4 of this book), represented by “P” (bc1p…). In the case of version 0 SegWit, the version number is followed by 20 or 32 bytes, representing the public key hash or script hash, respectively. The difference in length is because SegWit uses the SHA256 hash of the script (32 bytes) instead of the RIPEMD160 hash of the script (20 bytes).
In base58, the script hash is the same length as the public key hash. But in SegWit, they are different lengths. So just by looking at the length of the address, you can immediately tell whether you are paying to the script or the public key hash. By the way, Taproot eliminates this length difference, further improving privacy.
So bech32 is not much different from base58, except that it uses only 32 characters in the second half of the address. When you see a bc1q address of this length, you know: "Aha, this is a P2PKH address", or more precisely a Pay-to-Witness-Public-Key-Hash (P2WPKH) address, where "Witness" refers to SegWit. The core idea remains the same: allowing people and computers to recognize the type of address from a short prefix followed by the hash of a public key or script.
32 Dimensional Dart Game
However, simplicity is not the only advantage. Another advantage is error correction, or at least error detection.
If you enter the wrong address, the worst-case scenario is that you send bitcoins to the wrong public key hash. When the recipient tries to spend the bitcoins, they will find that the hash of their public key does not match the blockchain requirements because the sender entered the wrong address before. The bitcoins can never be recovered.
Luckily, base58 addresses have a checksum at the end. So if you mistype the address, the checksum at the end of the address will fail. Your wallet will warn you and refuse to send the transaction (the blockchain won't protect you, but your wallet will). However, if you're really unlucky, you may get the checksum right even if you mistyped it.
Bech32 is designed to avoid such extreme coincidences. In addition, Bech32 will not only tell you that you made a mistake, but also tell you where you made the mistake. The specific method is to take all the bytes of the address and hash them using some complicated mathematical formula. Even if you make 4 mistakes, Bech32 will still know where you made the mistake and what the actual value is. If you make more than 4 mistakes, Bech32 will be helpless.
Let's use an analogy to explain: you draw a bunch of non-overlapping circles on a wall. The bullseye of each circle represents a correct value, and the other dots inside the circle represent input errors. If you are a skilled dart player, most of the time you will hit the bullseye, which means you entered the right value. If you miss the bullseye slightly, but still land inside the circle, it means that the value you entered is slightly wrong. Error detection is knowing that you missed the bullseye. Error correction is moving the dart to the nearest bullseye.
The idea is that you want to make the circle as big as possible to accommodate the most careless dart player, but you don’t want to waste too much space. In the same way, we don’t want Bitcoin addresses to be hundreds of characters long. This is a mathematician’s favorite optimization problem.
Instead of a 2D wall, bech32 is like a 32D wall with 32D hyperspheres. When you enter your address, there is a slight deviation somewhere in this 32D space, but however it looks, you are still inside the hypersphere. In this case, your wallet knows where the error is, which effectively prevents losing bitcoins by sending to the wrong address[8].
bech32 Vulnerabilities
In 2019, it was discovered that if a bech32 address ends with a p and one or more q's are accidentally inserted immediately before that final p, the string still passes the checksum verification and you get no warning that the input was incorrect. Your wallet software will think the address was entered correctly and let you send Bitcoin to the wrong address, making the Bitcoin unspendable, as we explained above.
The good news is that bech32 is only used for SegWit, and SegWit addresses have a length limit - they can only be 20 bytes or 32 bytes. Fortunately, if you enter an extra Q after an address of 20 or 32 bytes, the address you entered will be invalid because it exceeds the length limit. Your wallet will notice this and refuse to send the bitcoin. People originally considered introducing similar address length limits for Taproot, but the solution described below eliminates the need for this. Flexible address length will help us improve Taproot in the future.
bech32m is born
To fix the bech32 vulnerability, a new standard called bech32m was proposed[9]. bech32m is actually a very simple change: an extra number is added to the bech32 checksum formula, so that such extra characters produce an invalid checksum.
This new standard only applies to Taproot addresses and future addresses. For SegWit addresses, nothing changes, as they are already protected by 20 or 32 byte length limits. At the time of writing, most wallet software supports the new bech32m standard.
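As an added example (not code from the original article, nor the reference code of BIP 173 or BIP 350), the following Python implements the bech32 checksum described above, encodes a SegWit address from a human-readable part, a witness version and a witness program, and then reproduces both the bech32 weakness and the bech32m fix. The polynomial generator and the two checksum constants are the published values from BIP 173 and BIP 350; `string_ending_in_p` and `insert_q_before_final_p` are hypothetical helpers that search constructed witness programs for a string ending in p and then apply the typo in question. The 20-byte and 32-byte sample programs are constructed, not real key hashes.

```python
CHARSET = "qpzry9x8gf2tvdw0s3jn54khce6mua7l"  # q=0, p=1, ..., 3=17, ..., l=31
BECH32_CONST = 1
BECH32M_CONST = 0x2BC830A3  # the "extra number" that turns bech32 into bech32m
GEN = [0x3B6A57B2, 0x26508E6D, 0x1EA119FA, 0x3D4233DD, 0x2A1462B3]


def polymod(values):
    """BCH checksum over 5-bit symbols (the 'complicated formula' of the text)."""
    chk = 1
    for v in values:
        top = chk >> 25
        chk = ((chk & 0x1FFFFFF) << 5) ^ v
        for i in range(5):
            if (top >> i) & 1:
                chk ^= GEN[i]
    return chk


def hrp_expand(hrp):
    """The human-readable part ('bc') is covered by the checksum as well."""
    return [ord(c) >> 5 for c in hrp] + [0] + [ord(c) & 31 for c in hrp]


def create_checksum(hrp, data, const):
    pm = polymod(hrp_expand(hrp) + data + [0] * 6) ^ const
    return [(pm >> 5 * (5 - i)) & 31 for i in range(6)]


def bech32_encode(hrp, data, const):
    """hrp + '1' separator + data symbols + six checksum symbols."""
    return hrp + "1" + "".join(CHARSET[d] for d in data + create_checksum(hrp, data, const))


def bech32_decode(text, const):
    """Return (hrp, data) with the checksum stripped, or None if it fails."""
    if text != text.lower() and text != text.upper():
        return None  # mixed case is never allowed
    text = text.lower()
    pos = text.rfind("1")
    if pos < 1 or pos + 7 > len(text) or any(c not in CHARSET for c in text[pos + 1:]):
        return None
    hrp, data = text[:pos], [CHARSET.find(c) for c in text[pos + 1:]]
    if polymod(hrp_expand(hrp) + data) != const:
        return None
    return hrp, data[:-6]


def convertbits(data, frombits, tobits, pad=True):
    """Regroup a bit string, e.g. 8-bit bytes into 5-bit symbols and back."""
    acc = bits = 0
    out = []
    maxv = (1 << tobits) - 1
    for value in data:
        acc = (acc << frombits) | value
        bits += frombits
        while bits >= tobits:
            bits -= tobits
            out.append((acc >> bits) & maxv)
    if pad:
        if bits:
            out.append((acc << (tobits - bits)) & maxv)
    elif bits >= frombits or ((acc << (tobits - bits)) & maxv):
        return None  # leftover bits must be zero padding shorter than one byte
    return out


def encode_segwit(hrp, version, program):
    """Version 0 keeps bech32; version 1 (Taproot) and later use bech32m."""
    const = BECH32_CONST if version == 0 else BECH32M_CONST
    return bech32_encode(hrp, [version] + convertbits(program, 8, 5), const)


def decode_segwit(hrp, addr):
    """Return (version, program) or None; enforces the 20/32-byte rule for version 0."""
    for const in (BECH32_CONST, BECH32M_CONST):
        dec = bech32_decode(addr, const)
        if dec is None or dec[0] != hrp or not dec[1]:
            continue
        version, program = dec[1][0], convertbits(dec[1][1:], 5, 8, pad=False)
        if version > 16 or (const == BECH32_CONST) != (version == 0):
            return None
        if program is None or not 2 <= len(program) <= 40:
            return None
        if version == 0 and len(program) not in (20, 32):
            return None
        return version, bytes(program)
    return None


def string_ending_in_p(hrp, version, program_len, const):
    """Search constructed programs until the encoded string ends in 'p' (value 1)."""
    for i in range(4096):
        program = i.to_bytes(2, "big") + b"\x00" * (program_len - 2)  # constructed
        text = bech32_encode(hrp, [version] + convertbits(program, 8, 5), const)
        if text.endswith("p"):
            return text
    raise RuntimeError("no candidate found")  # probability (31/32)**4096


def insert_q_before_final_p(text):
    """The typo from the text: an extra 'q' (value 0) right before a final 'p'."""
    return text[:-1] + "q" + text[-1]
```

With the original constant 1, a string that ends in p has a prefix polynomial that is a multiple of the generator, so extra zero symbols (q) in front of that p leave the checksum unchanged; `decode_segwit` still rejects the result because a version-0 program must be exactly 20 or 32 bytes. With the bech32m constant the same insertion changes the checksum, which is why Taproot addresses no longer need a length rule to be safe.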
How I learned to stop worrying and love quantum computing
By the way, Pay-to-Public-Key-Hash (P2PKH) is considered more resistant to quantum attacks because you don’t need to reveal your public key. The downside is that the hash takes up more space — but this was not a problem at the time because the blocks were nowhere near full.
Many people worry that quantum computers will eventually undermine the security of Bitcoin cryptography, allowing quantum hackers who want to steal Bitcoin to take advantage of it. If they succeed in stealing millions of Bitcoins, it may even cause the market to crash.
The problem is that despite widespread adoption of P2PKH, the public keys for 5-10 million bitcoins have been made public. Ironically, given that so many bitcoins are vulnerable to quantum hacking, there is little point in trying to protect the remaining bitcoins. Even if your bitcoins are protected from being stolen because they use P2PKH, they will inevitably become worthless due to a price crash.
Physicist Stepan Snigirev and mathematician Andrew Poelstra discuss the likelihood of a quantum attack with devastating consequences in the short term, and possible countermeasures, in a two-part episode of the podcast What Bitcoin Did.
Block space is now very scarce, so not having to store public key hashes in precious block space can help users save fees. This is why in the new Taproot soft fork (see Part 4 of this book), Bitcoin addresses are P2PK[10] again. Please note that using Taproot addresses is not mandatory, so if you don't agree with the above reasoning, you can choose not to use Taproot.
Footnotes
1. To satisfy the curiosity of code "archaeology" enthusiasts: the sending node shows a UI dialog asking for the amount and the IP address. The function StartTransfer() creates a blank transaction, and checkorder on the receiving node inserts a P2PK script (as the scriptPubKey) into it. Subsequently, OnReply2() inserts the amount, signs the transaction, returns it to the recipient and broadcasts it. Source code.
2. And it is unsafe, which Satoshi Nakamoto also admitted.
3. Why did Satoshi's original release support both P2PK and P2PKH? We are not sure of the specific reason. In practice, P2PK was only used for payments to IP addresses and for paying block rewards to miners; neither requires human interaction. Where humans are involved, users use P2PKH. When we speak of addresses, we mean P2PKH rather than P2PK: automated systems do not need the concept of an address because they can handle scripts directly, so there is no such thing as a P2PK address.
4. So far, scripts have been similar to bank accounts. We will learn in Chapter 10 that scripts can do much more than just hold funds for their owners.
5. A pair of hexadecimal digits prefixed with 0x is usually used to represent a byte, which can take 16 × 16 = 256 different values. So 0x00 represents a byte whose value is 0.
6. As explained in Chapter 3, SegWit usually uses bech32 addresses. However, it took a long time for all wallets and exchanges to support payments to bech32 addresses. To still take advantage of some of the benefits of SegWit, a type of address was introduced that looks like a normal P2SH address from the sender's perspective but contains the magic of SegWit behind the scenes. This type of address is called a P2SH-P2WPKH address.
7. bech32 was proposed in BIP 173.
8. Early Ethereum wallets had no error detection because the address standard lacked a checksum. Although EIP55 introduced a checksum in 2016, not all wallets perform the check. Even in late 2017, people were still losing ether to mistyped addresses.
9. bech32m was proposed in BIP 350.
10. See the comments in BIP 341 for the specific reasons.
