In segment 4.2, we'll talk about hot storage and cold storage. Recall that in 4.1 we talked about how to store bitcoins on your local computer, the equivalent of carrying money around in your wallet or your pocket. Now, the idea of hot and cold storage is that you're going to have some storage which is hot, or online, as on your phone or on your local computer. And as we covered before, storing bitcoins in that way is convenient, but it's also somewhat risky. You keep some money in hot storage, and you keep some money in cold storage. Cold storage is offline. It's locked away somewhere, it's not connected to the Internet. And it's archival, it's more secure. It's safer, but of course, it's not as convenient. So this is similar to how you carry some money around on your person, but you don't keep your life savings on your person; you put that somewhere safer. And so when we're using this strategy of hot and cold storage, we're going to have separate keys and separate addresses for the coins, whether they're stored on the hot side or the cold side. And so the main topic of discussion here, the main thing we need to go over, is how you move coins back and forth between the hot and cold sides, and what the relationship is between the sides. Okay, so obviously you're going to have to have separate secret keys to control the coins on the hot side and the cold side. The whole point of cold storage is that the coins that are in cold storage are not vulnerable to attack or loss if the hot storage is compromised. And so, you need to have separate private keys for hot versus cold storage. And of course, each side needs to know the addresses that the other side is using, because you want to be able to transfer money back and forth between the different sides, between the hot side and the cold side. And so each side knows its own secret keys, and it also knows the addresses at which the other side will accept transfers. And that lets you do transfers back and forth.
Now, in practice of course the cold storage is not online. And so, the hot storage and the cold storage won't be able to connect to each other across any network. So you can think of the cold storage as being locked up somewhere while the hot storage is operating. Now the good news here is that even if the cold storage is offline and not connected to anything, the hot storage still knows the addresses at which the cold storage is willing to accept coins. And that means that the hot storage can send coins across to the cold storage even while the cold storage is offline. And that's very nice: at any time, if the amount of money in your hot wallet becomes uncomfortably large, you can just transfer a chunk of it over into cold storage. And you don't need to put your cold storage at risk by connecting it in order to receive that money on the cold side. Next time the cold storage connects, it will be able to receive, from the block chain, information about those transfers to it, and then the cold storage will be able to do what it wants with those coins. Okay, but now we have a little bit of a problem if you think about it, which is how we manage these addresses. On the one hand, as I said in segment 4.1, we want, for privacy reasons and for other reasons, to be able to receive each coin at a separate address, and to be able to manage the different secret keys that are used at those addresses. And so, whenever we transfer a coin from the hot side to the cold side, we'd like to use a fresh cold address for that purpose. But because the cold side is not online, we have to have some way for the hot side to find out about these addresses. And that's the problem that we need to solve. Now there's a kind of awkward solution to this which would work, but which we'd prefer not to use. And that is this: we have the cold side generate a big batch of addresses all at once. We transfer those addresses over to the hot side and then we use them up one by one.
And the drawback of that is that we're periodically going to have to reconnect the cold side in order to transfer more addresses. And we might worry that while we're out and about, spending our bitcoins on a night on the town, the hot wallet will run out of these addresses, and that could be a problem. So that's an awkward solution, generating them in batches. What's a better solution, a more effective solution, is to use a hierarchical wallet, but that requires a little bit of cryptographic trickery. So let me explain the trick behind hierarchical wallets. So just to review: previously, when we talked about key generation and digital signatures back in lecture one, we talked about an API operation called generateKeys, which generates a public key and a secret key. The public key, in a bitcoin context, corresponds to the bitcoin address that can receive coins. And the private key, which we still call a private key, is the key that allows us to spend or control the coins that are sent to the corresponding address. So this is how things normally would work if we generated keys in the standard way. But with hierarchical key generation we do things a little bit differently. Rather than just doing generateKeys, we do a hierarchical key generation operation, and this generates two things. Rather than an address, it generates what we'll call address generation info. And rather than a private key, it generates what we'll call private key generation info. And now we can take this information and generate multiple keys. For example, given the address generation info, we can apply a genAddr operation, and give it the address generation info and some integer i. And that will generate the ith address in a whole series of addresses. And we can do this for any integer i. For any integer i, we can generate the ith address in the sequence given only that integer and the address generation info.
Similarly, on the private key side, we can take this private key generation info and use it to generate a key, again using any integer i, and what we get is the ith key in the sequence. Right, now what makes this useful is that it has two important properties. First, that the ith address and the ith key match up and correspond to each other, just as if they were generated the old-fashioned way. And what I mean by that is that a coin that's transferred to the ith address will be spendable and controllable by somebody who knows the ith key. So these behave just like a regular address and a regular key. The other thing that's important is that we have a security property, and the security property is this: the address generation info doesn't leak keys, that is, it doesn't leak any information about what the keys might be. And that means that it's safe to give the address generation info to anybody, so that anybody can be enabled to generate the ith key. Now, not all digital signature schemes that exist can be modified in a way like this to support hierarchical key generation. Some can and some can't. But the good news is that the digital signature scheme used by bitcoin, which is called ECDSA, does support hierarchical key generation, and so we can do this trick. And the reason that this is useful for hot and cold storage is that we can take this operation and split it up between the hot side and the cold side of our storage, like this. Everything that has a blue background here is done on the cold side, and everything that has a red background is done on the hot side. And so what we do is, at the very beginning, on the cold side, we do the hierarchical generateKeys operation. We then take the private key generation info that that makes and keep it on the cold side. And we take the address generation info that that makes and pass it across to the hot side.
Then, once we've done that, the hot side can generate the entire sequence of addresses on its own without needing any further communication with the cold side. We can generate an arbitrarily long string of addresses, or at least long enough that we never have to worry about running out. And on the private side, we can generate the corresponding keys, again without needing to communicate; we can generate those later. So if we do things this way, there's only one passage of information from the cold side to the hot side about keys and addresses. That happens once, at the very beginning. And once that's done, then no further connection is required. And so, this lets us use separate keys and separate addresses for every coin that's passed across to the cold side, but without requiring a lot of back and forth communication and, critically for security, without requiring the cold side to connect to the net or pass information out in any way, except once at the beginning. Okay, so with that in place we can talk about the different ways in which cold information can be stored. I said earlier that information on the cold side, whether it's a key or key generation info or something else, is stored offline. But let's get more specific about exactly how it is stored. The first way we can store it is to store the information on some kind of device, and just put that device in a safe. It might be a laptop computer, it might be a mobile phone or tablet, or it might just be a thumb drive. But whatever it is, we store the information on that device, we turn the device off, and we lock the device up. And now obviously, if somebody wants to steal this, they have to get into our locked storage and get that device away from us. The second method we can use is called a brain wallet. In a brain wallet, what we are doing is taking the information that we want to protect and encrypting it under some kind of passphrase or password that a user remembers.
Then, in order to get the information back later, we're going to ask the user to give us the passphrase, and then we'll be able to decrypt. If we do this, and if the crypto is done correctly, and if the user picked a good passphrase, then the security of this will be as good as the security of the passphrase. And as long as the user isn't tricked or coerced into giving up the passphrase, and as long as the adversary can't guess the passphrase, then our data is going to be secure. But this, of course, is subject to the same kinds of attacks that passwords typically are. The third thing we can do to protect information offline is what's called a paper wallet. We can take the information and print it out onto paper, and then we can put that paper in some safe or secure place. We can lock it in a safe deposit box or something like that. Now the benefit of doing that, obviously, is that again, just like with a device, the security of this is just as good as the physical security of the paper that we're using. This is a bitcoin paper wallet. They come in different shapes and sizes, but this is one example. What you see over here is the public address, the address of this wallet. And this is shown in two ways. First as a 2D barcode, a QR code. And then second, down here, you see it as a character string in Base58 notation. Now originally this side over here was sealed, because it has the private key within it, and you don't want to give away the private key too easily. We can open this up; originally we would have broken a seal, and we have this stuff here that's designed to frustrate scanners and people looking through, and so on. And eventually we open it up and we see over here this, which is a 2D barcode that contains the private key that controls access to this wallet. Now this particular wallet doesn't have any coins in it. I wouldn't be showing you the private key if it had any coins of mine in it. But this is the experience that you would have.
And this is a thing that you can hand out to someone. And in fact this was handed out at a conference as an example. So this shows how you can take a bitcoin wallet and encode it as a paper artifact. You could take this thing, I could seal it up, put it in an envelope, and put it in a safe deposit box, and it would be relatively safe there. The fourth way that we can store offline information is to put it in some kind of tamperproof device, some sort of device that resists tampering. The idea is that we either put the key into the device or the device generates the key. And then the device is designed so that there is no way it will output or divulge the key. The device might sign a statement with the key when we, say, press a button or give it some kind of password. But the device is designed so that it doesn't give out the key. And the advantage of that is that, again, the security of the key is, we hope, as good as the security of the device. And in particular, if we lose the device or it's stolen, we'll know it. That is unlike the theft of information about a key, where we might not know that someone has learned our key. If the key is built into a device, and the device can never divulge the key, then if someone has stolen the key they will necessarily have stolen the device, and we'll know that the device is missing. So this has some advantages as well. Now in general, people may use a combination of all four of these methods in order to secure their keys. For hot storage, and especially for hot storage holding large amounts of bitcoins, people are willing to work pretty hard and come up with novel security schemes in order to protect them. And we'll talk a little bit about one of those more advanced schemes in the next segment.