UNDERSTANDING THE DIFFERENT TYPES OF BITCOIN WALLETS - Bitcoin for the Befuddled (2015)

Bitcoin for the Befuddled (2015)

Chapter 8. UNDERSTANDING THE DIFFERENT TYPES OF BITCOIN WALLETS

In Chapter 2 we recommended using the Bitcoin wallet program Electrum, which is free and open source, runs on most devices, and is ideal for beginners. However, hundreds of other Bitcoin wallet programs are available, ranging from simple to sophisticated, and new ones are being released constantly as developers compete to add new features and slicker interfaces. But beneath the slicker interfaces and occasionally gimmicky features, some fundamental differences between Bitcoin wallet programs exist. The goal of this chapter is to help you understand those differences so you can make an informed choice about the most useful Bitcoin wallet for your needs.

In this chapter, we’ll occasionally use the terms Bitcoin wallet or just wallet to mean Bitcoin wallet program, despite the fact that a Bitcoin wallet normally refers to just a list of addresses and private keys.

Wallet Software Design Fundamentals

At a minimum, a Bitcoin wallet program needs to let a user send and receive bitcoins, as well as keep track of how many bitcoins are available to spend. In other words, a Bitcoin wallet program must be able to (1) create and broadcast transactions to the Bitcoin network, (2) generate new Bitcoin addresses, and (3) scan the blockchain to detect whether you’ve received any bitcoins at those addresses. The major differences between different wallet designs primarily involve these three functions and how they are implemented. The design choices that support these differences are as follows:

1. Offline vs. online transaction signing

2. Random vs. deterministic key generation (versus single key generation)

3. Full vs. simplified payment verification

These design choices have significant consequences for the computational resources required, the security of the stored bitcoins, and even the nature and effectiveness of backups. There are no right choices. Some users are better off using a wallet that requires only a single device and the least amount of computational power, whereas a large enterprise might prefer software that emphasizes security. In the following sections, we explain each design choice in detail so you can make an informed choice.

Offline vs. Online Transaction Signing

Bitcoin wallet programs need private keys in order to sign transactions before they can be broadcast to the Bitcoin network. In the simplest design, these private keys are found in the user’s Bitcoin wallet, which is stored locally on the user’s device in a wallet.dat file. This is the way the first Bitcoin wallet program, Bitcoin-Qt, worked. However, this design is vulnerable to attackers, who could attempt to remotely access the device over the Internet, copy the wallet file, and try to extract the private keys. A more secure design involves splitting the Bitcoin wallet and the software that manages it into two components: one with the private keys and the other without. The component with the private keys is usually stored in a highly secure location and is used for transaction signing. The component without the private keys can be stored anywhere, possibly in many locations at once, and is called a watch-only wallet.

As the name implies, you cannot directly spend money stored in a watch-only wallet. Instead, if you want to make a purchase, you would need to take an extra step to sign your transactions with the private keys. This second step is usually done via a second computer that isn’t connected to the Internet (to prevent hacking attacks) and is used solely to store private keys and sign transactions with them as needed. This security technique, called offline transaction signing, was discussed to some extent in Chapter 3 as a strategy for securely storing large amounts of bitcoins, but it offers other benefits as well.

Watch-only wallets are particularly useful for point-of-sale terminals (i.e., cash registers) where the cashier needs to receive bitcoins from a customer but never needs to (and may not be authorized to) spend them. Importantly, because watch-only wallets do not store any private keys, if a point-of-sale terminal was stolen, the bitcoins it contained would remain secure. In addition, watch-only wallets can be safely installed on mobile phones or run from low-security web servers (requiring only a simple username and login for access) to allow users to monitor their funds without the risk of the wrong person gaining access to them.

Many Bitcoin wallet programs can be run in one of two modes: a full mode (where a single wallet program and computer are used for all steps) or a watch-only mode. If a wallet program advertises a watch-only mode, it typically implies that the same software can also be used for offline transaction signing. Hybrid wallets are also available in which some of the Bitcoin addresses are watch-only, whereas other addresses have their private keys stored on the online device. As a result, the same device can be used for spending from a low-security checking account and for monitoring a more secure savings account.

Depending on how new Bitcoin addresses are generated, watch-only wallets may or may not have to be synchronized with their offline component. Typically, a new Bitcoin address must be generated on the offline computer and then imported into the watch-only wallet (without importing the corresponding private key). However, with deterministic key generation (described in the next section), watch-only wallets can generate new Bitcoin addresses on their own without knowing the private keys that correspond to them.

NOTE
Deterministic key generation is very useful for point-of-sale terminals, because they won’t run out of deposit addresses in situations that involve numerous customers.

Random Key Generation vs. Deterministic Key Generation (vs. Single Key Generation)

All Bitcoin wallet programs provide new users with at least one randomly generated Bitcoin address and private key. How and whether additional addresses are generated is a design choice that can incite very strong opinions among Bitcoin developers. The original Bitcoin wallet program assumed that users would never reuse an address after spending bitcoins from it. Every time a user wanted to spend bitcoins, a certain amount would go to the intended recipient, but the rest would be moved to a new, randomly generated Bitcoin address called the change address. This approach helps protect the privacy of the user, because it is more difficult for an external observer to track an individual’s bitcoins if the person continually changes addresses. It’s not possible to distinguish the transfer of bitcoins to a change address from the transfer of bitcoins from one person to another. Not everyone likes this behavior, though; some think it’s easier to have just one Bitcoin address (like having one email address) and aren’t as concerned about privacy. So some Bitcoin wallet programs provide only a single address that is continuously reused. These single key generation wallet programs allow you to generate additional addresses manually, but the default behavior is to reuse existing addresses.

Among the Bitcoin wallet programs that constantly generate new addresses, differences in implementation exist. Recall that a private key is a 256-bit integer that is usually generated by some random process. From the private key, Bitcoin wallet programs can calculate the associated public key (which is a point on an elliptic curve; see Chapter 7 for the cryptographic details), which in turn can be converted into a Bitcoin address by applying the RIPEMD160 and SHA256 hash functions. To generate a collection of private key/Bitcoin address pairs, many programs use correspondingly as many random numbers. This is known as random key generation. Every time a user needs a new Bitcoin address, a new random number is used as the private key. The drawback to this approach is that backups need to be updated regularly—essentially, every time a new address is created. This is particularly important to keep in mind in the context of change addresses. If you send some of your bitcoins to a friend and the remainder of your balance is sent to a newly generated change address, potentially the majority of your funds are no longer backed up! Some unfortunate incidents have occurred in Bitcoin’s history in which users of random key generation–based wallets deleted or lost their wallets shortly after their funds were sent to a new change address but before they updated their backup.

An alternative approach is deterministic key generation. With this approach, only the first private key is a randomly chosen 256-bit integer, which is known as the master private key, and it has a corresponding master public key. Whenever the user needs a new Bitcoin address, a new private key is chosen that is related to the master private key by a simple mathematical relationship (no randomness is involved). In the simplest implementation, the master private key is simply incremented by 1 to generate a new key (e.g., if the master private key is the number 47, subsequent private keys would be 48, 49, 50, etc.). The advantage of this approach is that a single backup, created when a user first creates a new Bitcoin wallet, is sufficient and never needs to be updated.1 In fact, this is how Electrum works. Recall that in Chapter 2, Electrum prompted you to write down a 12-word mnemonic for backup purposes. That mnemonic was, in fact, a master private key.2 All of the Bitcoin addresses in your Electrum wallet can be derived from this master private key.

Combining Deterministic Key Generation with Watch-Only Wallets

Imagine the following scenario:

• Lisa owns a restaurant that accepts Bitcoin.

• All the waiters in the restaurant have Bitcoin wallets on their phones to accept payments.

• Lisa wants to be the only person who can spend the money sent to these wallets.

Clearly, it would be very convenient if Lisa could set up this system, but it seems like it would be a technical challenge: Every waiter would need the ability to create tons of new Bitcoin addresses on demand in their wallets, yet Lisa still needs to be the only person with access to the private keys that power each wallet.

However, when you combine deterministic key generation with a watch-only wallet, this type of system is actually straightforward: Surprisingly, it is possible for a watch-only wallet (running on every waiter’s phone) to create many new public keys arbitrarily without having any knowledge about the private keys associated with them!

This is all Lisa has to do:

1. Create public and private keys on her computer using deterministic key generation.

2. Give a public key to each waiter along with a program that supports a watch-only feature as well as deterministic keys.

3. Waiters can then accept as many payments with their wallets as they like.

4. Only Lisa can spend the money in these wallets using her computer’s wallet. Her computer is the only computer able to generate the corresponding private keys for all Bitcoin transactions in the restaurant.

Whether you run a restaurant, a bank, or any other business, having a payment mechanism whereby your employees can arbitrarily accept payments from customers but only you, the owner of the business, can unlock the money is a powerful feature.

The Math Behind Deterministic Key Generation with Watch-Only Wallets

So how is it mathematically possible to generate new keys using only public key information? To explain, we’ll refer to the cryptography on how private keys and public keys are mathematically related. In Chapter 7, we explained that given a secret private key, d (let’s call this a master private key), the corresponding (master) public key, Q, is determined by the point multiplication operation:

dG = Q

Recall that both G and Q are points on the elliptic curve, but that G is publicly known to everyone and is a hard-coded constant in the Bitcoin protocol (whereas Q is unique to you). The master Bitcoin address is then derived from Q using several hash functions and other formatting.

The obvious way to deterministically generate a new Bitcoin address is to first choose a new private key, dnew= d + 1, and then calculate the corresponding new public key, Qnew:

dnewG = Qnew

However, this method of generating a new public key requires you to know the master private key. So what if you don’t know the master private key? Could you generate a new Bitcoin address with only the knowledge of a master public key? Yes!

We can rewrite the equation for Qnew as follows:

dnewG = (d + 1)G = dG + G = Qnew

Observe that the term dG can be rewritten as the master public key, Q:

Q + G = Qnew

As a result, we can calculate new public keys using only the knowledge of the master public key and the public constant G. Additional public keys can be generated by adding any number of G points:

Q + 2G = Qtwo

Q + 3G = Qthree

...

Of course, a danger of the deterministic key generation approach is that if your master private key falls into the wrong hands, all of the derived Bitcoin addresses would be compromised. Also, from a privacy standpoint, if someone sees your master public key (which becomes public information once you send bitcoins to the corresponding address), that person can derive your subsequent public keys in an attempt to track your spending.

Although we won’t delve into the mathematical details, deterministic key generation allows for another, even more advanced Bitcoin wallet feature, hierarchical deterministic wallets, that may appeal particularly to large organizations. The master private key can be branched into sub-master keys, which can be further branched into sub-submaster keys and so on. Each has a property that allows any key at one level to access the bitcoins held at every level below it. For example, a bank manager may hold a level-two private key (the level-one key is held by the CEO), and his staff may each hold level-three keys. Everyone shares the same hierarchical wallet, but the manager has access to his own funds and those of his staff, and the staff can access only their own accounts. Hierarchical deterministic wallets might also be useful for families in which the parents want to give their children bitcoins but maintain access as well.

Full vs. Simplified Payment Verification

Bitcoin’s central feature is that you don’t have to trust an individual, third-party, or central institution. However, Bitcoin wallet programs must be able to verify that the transactions they receive are valid. In this context, it is important to distinguish between the blockchain (the immutable public document that correctly lists every valid Bitcoin transaction) and someone’s copy of the blockchain, which is what you have access to. The former is an abstract concept, whereas the latter is the practical reality. When you connect your wallet program to the Bitcoin network, it connects to several nodes that will send your program transaction data, but you cannot assume that data is valid. If you ask a stranger on the Internet to pay you 2 BTC for an expensive watch you are selling, and a node you are connected to indicates you have received 2 BTC shortly thereafter, is it safe to mail the watch? A valid transaction needs to (1) have the correct digital signature and (2) use bitcoins that originated in a mining block reward and have not yet been spent. All Bitcoin wallet programs can verify the first need with complete certainty, but the second concern is addressed with varying degrees of certainty depending on the design of the program.

Bitcoin wallet programs can verify transactions either by keeping their own complete copy of the blockchain, which is referred to as full payment verification, or by using an abridged version, which is called simplified payment verification (SPV).

Full payment verification wallets, also called thick or heavyweight wallets, require a complete copy of the blockchain. They can verify that bitcoins used in a transaction originated from a mined block by scanning backward, transaction by transaction, in the blockchain until their origin is found (and the wallets can check whether those bitcoins were ever double spent). These wallet programs are often active participants in the Bitcoin network in that they not only handle the user’s transactions but they also verify and relay other people’s transactions (in these cases, computers running such programs are called full nodes). All Bitcoin miners are also full nodes (i.e., they need a complete copy of the blockchain to mine).

One problem with full payment verification wallets is that they are very resource-intensive and take a long time to initialize. The blockchain, in its 5th year, was greater than 15GB in size and comprised 35 million transactions (by its 10th birthday, it may likely be 100 times larger). A fresh installation of a full payment verification Bitcoin wallet program can take several days (depending on bandwidth) to download the entire blockchain. Obtaining the blockchain requires connecting to other full nodes and checking to determine whose blockchain has the greatest proof-of-work total (by definition, this is assumed to be the consensus blockchain). For laptops and other home devices, running a full payment verification wallet may be merely inconvenient, but for some mobile phones, it is simply impossible. Fortunately, there is a way to make only a slight compromise in trust but in return achieve more computationally efficient transaction verification.

SPV wallets, also called thin or lightweight wallets, cannot check whether transactions are valid; rather, they can check whether full nodes, specifically miners, have validated them. The goal of a thin wallet is to check that a transaction has been verified by miners and included in some block in the blockchain. It’s similar to having an accountant balance your checkbook instead doing it yourself. This method works reliably as long as miners, who are adding blocks to the blockchain, act honestly and allow only valid transactions to be included (which is a safe assumption as long as no individual miner is in control of more than 51 percent of the hashing power of the network). But without a copy of the blockchain, how does a thin wallet know whether or not a received transaction was included in a block? The transaction can claim it was included in block #24371 on the blockchain, for example, but how would you know whether the claim was true or false? One strategy would be for your wallet program to connect to several full nodes and ask to download block #24371 along with all of its other transactions. Then your wallet can comb through the transactions in that block and identify whether the transaction under investigation is present. However, if your SPV wallet program has to check several hundred transactions a day and each time you need to download an entire block (with all of its transactions), from an efficiency standpoint, this strategy is hardly better than just downloading the entire blockchain.

The ingenuity of SPV rests on its ability to verify, through the magic of hash functions, that a transaction was included in a block without looking at any of the block’s transactions. To do so, SPV wallets need to download the headers of every block in the blockchain. Recall from Chapter 8 that each block in the blockchain contains two parts, a long list of transactions and a short summary of the block’s contents (the header). Importantly, the header contains a hash of all the transactions within that block, structured in such a way that any Bitcoin wallet program can easily check whether a transaction belongs to a particular block by considering its hash value. This hash structure is called a Merkle tree.3 Using this Merkle tree design, thin wallets can safely confirm that transactions they receive have been included in the blockchain without downloading the full blockchain. Downloading just the block headers requires only a fraction of the memory that’s needed for the entire blockchain; therefore, SPV wallets can easily run on your smartphone and other inexpensive mobile devices.

A Bitcoin wallet app that uses SPV can also offer many but not all of the same security guarantees as a full wallet.

Being able to run a resource-hungry Bitcoin wallet on a smartphone is an impressive feat of engineering. SPV wallets use advanced computer science technology but make a few compromises in flexibility. Table 9-1 summarizes how we’d rate SPV wallets and compare them to full wallets using a variety of factors.

Table 9-1: Rating SPV Wallets vs. Full Wallets

Factor

Simplified payment verification wallets

Full payment verification wallets

Speediness of initial installation and network synchronization

image

image

Speed of new payments (zero confirmation transaction)

image

image

Security for new payments

image

image

Security for confirmed payments

image

image

Overall security

image

image

Efficiency of storage use

image

image

Ability to inspect arbitrary Bitcoin addresses

image

image

Ability to import private keys

image

image

Effect on overall health of Bitcoin network

image

image

Let’s examine each feature in this table in more depth:

Speediness of initial installation and network synchronization

After initial installation, SPV wallets and full wallets need to download blockchain data from other nodes on the Bitcoin network. However, an SPV wallet only has to download block headers and some data specific to Bitcoin addresses it’s responsible for maintaining. Hence, an SPV wallet can synchronize and be ready for use in less than an hour, whereas full wallets might take many hours to initialize.

Speed of new payments

For SPV wallets and full wallets, new (but still unconfirmed) transactions made on the network are quickly broadcast to all peers. If someone sends money to an address managed by your wallet, you’ll be notified within a few seconds, no matter your wallet type.

Security for new payments

A full wallet that can access a complete blockchain can quickly validate new transactions, ensuring that it is sending money from a valid and adequately funded source address. An SPV wallet cannot do this and instead relies on its network peers to ensure its transactions are legit. In theory, if someone sends you a payment and is in cahoots with one of the (supposedly) random peers your SPV wallet interacts with, this sender could send you fraudulent payments. A full wallet is immune from this type of attack.

Security of confirmed payments

Even if a transaction is 100 percent valid, just because a transaction is broadcast doesn’t mean it will make it into the blockchain, especially if the spender creates an additional transaction that attempts to doublespend the money to another address. For this reason, it’s best to wait for three to six block confirmations on larger purchases. SPV and full wallets can validate transactions by tracking these confirmations. While a full wallet can directly prove that a transaction that has been mined into a new block is truly valid (i.e., sent from a fully funded address), an SPV wallet cannot. Therefore, if a miner includes a bad transaction in a new block, an SPV wallet could still be fooled. But it is very unlikely a miner would ever do this: Mining blocks is extremely costly, and by design a block with bad transactions would be immediately abandoned by any other full nodes on the network that take the time to perform validation on the block. As a result, a miner would never receive a reward for mining a block containing bad transactions. Hence, a confirmed payment sent to an SPV wallet is quite secure, although the security of a full wallet is still the gold standard.

Overall security

All in all, a properly programmed SPV Bitcoin wallet can offer security for your bitcoins and bitcoin payments that is quite good, though it can never match the security guarantees of a full wallet. If you’re running an SPV wallet on your smartphone and receive a payment, you can rest assured that once this payment has been confirmed by a few blocks, the balance and other information reported in the SPV wallet can be trusted to be accurate.

Efficiency of storage use

As discussed earlier, storing the blockchain of a full wallet consumes many gigabytes of disk space. However, an SPV wallet requires less than a gigabyte of storage and can run efficiently on a modern smartphone.

Ability to inspect arbitrary Bitcoin addresses

Because a full blockchain contains the balances of all Bitcoin addresses in existence, a full wallet lets you easily check balances and other details of any address, even those you don’t own (if the full wallet programmers choose to include this ability in their app). An SPV wallet is completely ignorant of all Bitcoin addresses other than those it is directly responsible for and is unable to provide such information.

Ability to import private keys

If you want to import an existing Bitcoin address (and associated private key) into a full wallet, the full wallet is able to incorporate the address and the funds linked to it within seconds. An SPV wallet has no easy way to import such a key, because it has no information about anyhistorical transactions involving this address. Therefore, if you import a private key into an SPV wallet (given there is an option to do this), you can expect to wait several minutes as the wallet queries its peers for historical data involving the new address.

Effect on overall health of Bitcoin network

For the Bitcoin network to remain healthy, all the participating nodes need to cooperate in validating new transactions and blocks. As discussed previously, SPV wallets are limited in terms of validation capability. Also, SPV wallets usually don’t accept incoming TCP connections and may not participate in broadcasting third-party transactions/blocks to peers. For this reason, having a large percentage of SPV nodes on the Bitcoin network could potentially have repercussions on the overall health of the network. At this time, there is little evidence of any negative effects. But as the blockchain grows year after year, the percentage of nodes that can’t perform full validation may increase, and problems may arise. Nonetheless, improving storage capacity and faster network speeds will likely continue to allow people to cope with the growing blockchain, and definite benefits will be gained by running a full node. Hopefully, this will give many people incentives to run full nodes in the years to come to sustain the health of the network indefinitely.

In short, SPV wallets have some limitations, but as long as you understand these limitations, these wallets are suitable for storing your money. However, if you are storing large amounts of Bitcoin, it may be wiser to use a full wallet, given the additional security guarantees. But for storing some spending cash on your smartphone, SPV wallets are an ideal solution.

Other Common (and Not So Common) Bitcoin Wallet Features

In addition to features dictated by the underlying design of different wallet architectures, some Bitcoin wallets have a variety of other basic and advanced features. Some basic features you should expect to see include password protection, the ability to make backups of your private keys, QR code scanning and generation, and the ability to generate and import paper wallets.4 A somewhat advanced feature that is common to many Bitcoin wallets is the ability to sign messages with your private key. Recall that Chapter 7 discussed how digital signatures are used to sign Bitcoin transactions with your private key. The same digital signatures can be used to sign arbitrary messages, and many Bitcoin wallets make this an easy-to-use feature because it is useful when you need to prove you are the owner of a particular Bitcoin address (for example, if you are trying to get preapproved for a loan from a bank and it wants you to prove you have bitcoins as collateral).5

Other advanced features you might see in some Bitcoin wallet programs include multi-signature transactions, in which multiple private keys are required to spend bitcoins from one Bitcoin address, and a feature called coin control, which provides fine-grained control over which bitcoins you use for making any specific purchase (see “An Advanced Bitcoin Wallet Feature: Coin Control” below). The number of advanced features available is too extensive to list here (and the number of features keeps increasing), but now you understand why so many Bitcoin wallet programs exist!

AN ADVANCED BITCOIN WALLET FEATURE: COIN CONTROL

Imagine you have three nickels in your pocket, and you walk into the Very-Cheap-Candy-Store to buy a chocolate that costs a nickel. Your nickels are fungible, meaning that each of your three nickels is equally valuable and useful as payment for the chocolate. Well, at least you think they are. But perhaps you didn’t notice that each nickel has a different image engraved on the reverse side, and one of them is a 1913 Liberty Head V nickel (of which only five exist in the world and are valued at about $4 million each). When you pay for your chocolate, you use the nickel with the rare image, and the store owner recognizes it! To your alarm, he calls the police because the nickel you gave him once belonged to his friend (Warren Buffet? Richard Branson?) and it was stolen. After several hours of interrogation, you convince the police that you had no idea you were carrying a stolen nickel and explain that you’ve learned a valuable lesson about choosing your coins carefully before paying with them. This short tale is the basis for the coin control feature offered by some Bitcoin wallets.

If you have received bitcoins from multiple sources to the same Bitcoin address, then the bitcoins from each transaction can be distinguished from each other (each group of bitcoins is called an unspent output). With a Bitcoin wallet that supports coin control, when you send a payment from your wallet, you can choose to spend only the bitcoins you received from your employer, rather than the ones your friend gave you, even if the bitcoins are all sitting at the same address.

In most cases, it doesn’t matter which coins you use to pay for something. However, in some situations you are legally obligated to choose a specific funding source for an expense. For instance, in most places in the United States, a landlord is required to place a tenant’s security deposit in a separate bank account to ensure the money is not mishandled and can be spent only in appropriate ways. Someone may have similar obligations when managing Bitcoin funds for other people.

Additionally, because all Bitcoin blockchain information is public, if you receive and send payments from the same pool of Bitcoin addresses that comprise a wallet, your income source and purchases can theoretically be associated surreptitiously. Through the use of coin control, you can choose payment addresses that prevent this association, giving you more privacy.

Future Wallets

Future Bitcoin wallet programs may offer such features as automatic bill payments, cash flow statements, tax reporting, and tighter integration with traditional financial accounting software. Also, continued technical innovation could enable wallets to execute more complicated transactions, such as escrow transactions, or sending bitcoins to accounts that can’t be spent until some external criterion is met (such as the year being greater than 2020). No doubt we will see many of these exciting features in Bitcoin wallets in the next few years.

Which Wallet Is Right for You?

Considering the preceding discussions, which Bitcoin wallet should you use? Well, keep in mind that you can use more than one. In fact, if two different Bitcoin wallets use the same private key, they can both spend the same bitcoins. You can have a lightweight, no-blockchain wallet on your mobile phone and a more sophisticated Bitcoin wallet on your home server, both managing one pool of bitcoins.

However, in practice many users keep distinct pools of Bitcoin in separate Bitcoin wallets (i.e., each wallet has its own set of private keys), because it’s easy to move bitcoins between them.

A common setup that works well for personal use is to store a small number of bitcoins in a lightweight Bitcoin wallet on your phone or laptop, which travels with you, and store your savings in a separate Bitcoin wallet that is more secure (with such features as cold storage and offline transaction signing). In short, keep a few bitcoins in your hot wallet and save the rest in your cold wallet, which is similar to carrying a wallet with spending cash in your pocket and keeping your life savings in a bank account (except Bitcoin lets you be your own secure bank).

Additional Wallet Considerations

So far we’ve discussed Bitcoin wallets in terms of their functionality, features, and underlying design, but other considerations should be taken into account as well: Is the Bitcoin wallet open source? Has it received a security audit? Does it have a large user base? Because Bitcoin wallets manage money, it’s imperative that you be more careful when choosing a wallet than when choosing other apps, such as games or office software. Be sure to research the Bitcoin wallet program you plan to use before storing significant amounts of money in it. Check with friends or colleagues to see whether they have had good experiences with the program.

Additionally, consider merchant integration. If you want to use bitcoins for transactions at certain stores or restaurants, check whether your Bitcoin wallet software is compatible with their point-of-sale systems. Any wallet app or program with a substantial user base will probably work well, but if you want to be the guinea pig for the latest and greatest Bitcoin wallet, expect to run into a few hiccups when you’re trying to make a purchase.

Fortunately, it’s easy to try many different wallets and fund them with a few cents of bitcoins to determine how they work and what features they offer. We suggest you experiment with several before you decide on your favorite.