How wallets manage addresses and UTXOs

December 2021. Kevmate.

Wallets keep the money in addresses.

Why do I have lots of addresses?

There are lots of wallets in the Crypto-World which only have one address. This makes things simple, the address doesn't change and it's easy to see the balance, trace the history on a blockchain explorer, and tell people it when you want money. Clearly you hold the private key for the address, so it seems better to keep it simple. After all, you won't lose your money if it comes to that address; it's tried and tested.

But it is better to have more addresses for privacy. Everyone knows that blockchains are not private because every transaction is published for all to see. It isn't obvious who an address belongs to, but if you receive some Ada into an address the person who sent it might know who you are. If you receive more Ada into the same address they can see that as well. As you send Ada from that address they can see the spends and might want to guess what you are buying and why.

Some people instinctively need privacy, others feel they have nothing to hide, but not many people would think it a good idea to publish their bank statement. An eye on privacy is a good thing.

So, to reduce visibility and traceability Ada wallets will often generate a new address for every receipt.

If you have a private key you can generate an address from it, or you can use a slightly different rule to generate a completely different address. This way you can have as many addresses as you like all generated from the same private key. The wallet can easily add up the balance to show the total as long as it can re-generate all the original addresses.

Everyone uses the same rules for generating addresses from keys.

I might be interested how that works, because I like techno-jargon

Right, well I will avoid describing eliptic curve crytography for now, because it gets a bit long winded, and just say that while one important feature is that you can't get back to the private key from the public key, another is that a tiny change to the private key will cause a completely different public key to be generated. Unrecognisable in every way.

So, if you just added 1 to the private key a million times, you would generate a million separate public keys. All different. And still no clues as to what the private key is. Very clever.

But if you are building on a protocol as clever as that, and you are super clever, you might go further.

Ok, you are now ready for an introduction to the wonderful "Hierarchical Deterministic Wallets", a term which is often shortened to "HD". This was first introduced as BIP-32 for Bitcoin and has become a standard for generating addresses from keys. This is a Bitcoin standard rather than a Cardano one, and it's not obligatory, but it's a well established and useful way to do it. Yoroi is an HD wallet, as are many other wallets across the world.

The idea is that the private key is used to generate an extended public key, which has enough information in it to create more addresses without knowing the private key. Each of these addresses can also be used, along with the seed key, to generate a child key, and then that child key can be used to generate it's own list of addresses. In this way child keys can create more children so that a tree-like structure is built. From the key at the root of the tree a wallet can use the rules to re-generate any key and so sign any transaction, but one of the child keys can only sign for it's own generated addresses and their children.

To describe which key is being used the nodes on the tree are defined so that 'm' is the master key, the first child is 'm/0', the second is 'm/1', etc. 'm/0/0' would be the first child of the first child, 'm/0/1' the second child of the first child, and so on. I'm sure you get the idea.

The advantages of this are, first, the wallet can generate new addresses using an extended public key without knowing a private key. Second, it is possible to store a child key which has access to some of the money, but not all of it.

Cardano is an eUTXO blockchain.

Can I have a quick reminder about the eUTXO model please?

The money in a UTXO model is not stored in the address. It is stored in the received transactions for that address, until they are spent. So if you receive some Ada, then some more, then some more, you have three unspent transactions against addresses and you can sign them to spend them. When you want to send some Ada you have to select a list of unspent transactions adding up to a number equal to or greater than the required amount. You can't select half a transaction, it's all or nothing.

The e in eUTXO stands for Extended. This just means a bit of extra space has been added to allow some data to be stored for use in Smart Contracts. I won't cover all the detail here, because it is part of a different story, but in we need to bear in mind that the extended bit might add some complications later.

So think of the wallet as holding a list of unspent transactions (UTXOs), each against an address that we know how to sign for. When we want to send Ada we need to select a list of UTXOs and sign for them using the key for the address they were sent to so that they can be included in a new transaction.

Selecting UTXOs.

Choosing the UTXOs sounds easy.

If you were paying for an item in a shop with cash you might start by looking through your small change trying to get the right amount, then through the notes from the smaller ones first, until you had it covered. You might be a bit embarrassed if that meant handing over a large bag of tiny value coins to buy something expensive, but you would try to keep the amount of small change you are carrying down. This is the problem the wallet faces, but the ideal approach is a little different.

The reasons for this are:

1. My change: With Ada, unlike cash, you can generate a transaction which specifies what change you want paid and to where. This means you can organise things so that the value of the change is optimised. You don't really want to generate the smallest possible amount of change because small UTXOs are less useful later. They are called dust and they make future transactions bigger.
2. Spending the dust: If you spend all the lowest value UTXOs in your wallet first you end up with the fewest possible number of remaining UTXOs, with the highest possible unit value. Having fewer UTXOs holding your wallet value reduces your privacy because each has the shortest possible life and becomes more traceable.
3. Keeping your big ones: Leaving your wallet with fewer UTXOs in it waiting to be spent reduces your ability to carry out two spends at once. You have to wait until the transaction completes to get the change before you can spend it. If you have lots of UTXOs to choose from you can spend different ones concurrently.
4. Keeping your little ones: Picking all the lowest value UTXOs maximises the transaction size (like handing over a huge pile of coins), so sometimes the transaction might be above the size limit, or more expensive than is needed.

Instead of choosing all the smallest value UTXOs, then, we could choose the highest value ones. But this method also can have drawbacks. It tends to leave low value UTXOs unspent for a long time, which build up and eventually become difficult to spend. You don't want to end up with a pocket full of Dust.

The best way to select UTXOs.

So, after a bit of thought...

The solution which has been developed for Cardano is the Random-Improve method. To pick UTXOs from the list you just choose randomly, and keep going until you get over double the amount you want. When you submit your transaction you will be asking for change which is just over the value you are spending.

Over time, the effect on the wallet is:

1. Typical UXTO size: A lot of the UTXOs are about the value that you usually tend to spend in a typical transaction.
2. No dust: Dust doesn't tend to build up, because if it did start building the likelyhood of dust UTXOs being chosen grows, which limits them.
3. Better privacy: Privacy is improved, since incoming transactions tend to get used after a random period and in an unpredicatable way.
4. UTXO management: After a bit of use, the number of UTXOs remaining in the wallet and their expected value is manageable and sufficient to support concurrent spends of useful amounts.

Of course, you might need a fallback. You might not have enough money to ask for that much change, or you might run into the transaction size limit so that you need to go back and pick a smaller number of higher value UTXOs.

Addresses are disposable.

Do the source addresses matter?

Well, the transaction can be built from any list of UTXOs for which you have the keys, so it shouldn't matter which addresses they were paid into. And if new addresses are generated frequently there might be a lot. However, building a new transaction with two addresses in it links them together for anyone scanning the blockchain. For this reason there is an advantage to choosing UTXOs from fewer addresses when building a transaction.

You would think this wouldn't apply because you might use a new address for every receipt, but in fact it is common to repeatedly receive cash from the same source to the same address in some circumstances. As a result attempting to select a list of UTXOs from the same address before selecting from other addresses is also a good idea.

NFTs work differently.

What about NFTs? Wouldn't they get accidently spent?

An NFT is a Non-Fungeable Token. It's a simple idea. As I mentioned above, it is possible to add a bit of data to the transaction which gets stored in the UTXO. This means that all the transactions are not equal, and the data (normally called meta-data) can specify a smart contract and a reference which makes it special. Usually, the amount of ADA in an NFT transaction is 1 Lovelace, or 0.000001 ADA, so it doesn't have much value. The value comes from the fact that it has been generated by a smart contract which people care about, and that contract includes rules which limit the number which can be created. Copies of that contract are not the same, because the original has a unique identifier generated when it is released onto the blockchain.

So, the wallet needs to be aware of this. NFTs need to be kept out of the list when sending money, and consciously selected when being traded. A wallet will not take on the job of trading an NFT. Instead it is able to hold it as a UTXO and keep it out of normal transactions, then include a feature to allow it to be sent deliberately when required.

Wallets which act as a plug-in to a web browser will support an option to let the web page see the list of UTXOs held and generate new transactions which can be signed. This allows the website to render the NFTs properly, help the user to verify their source, and trade them intelligently. All of this is done by the website rather than the wallet.

Wallets which are not browser plug-ins simply keep the NFT aside, then allow them to be selectively sent on demand.

Smart Contracts.

Of course, to do the really clever stuff, you need to apply rules.

This is a page about wallets, so I won't go into detail on smart contracts here. But you might be wondering how they fit in, and whether you need to worry about them when you think about how your wallet works.

A few general points on how smart contracts execute:

On-chain code: The software needs to apply rules which control the way the money gets moved, held, and released. These rules are applied on the blockchain by the stakepools.
Off-chain code: Smart Contracts also include code which stores information to help show the user what is going on. This code gets executed locally, usually by a web server.
Inputs, Outputs, and Scripts: We have discussed the way Inputs are selected to generate the Ouputs, but we didn't mention the Scripts. Scripts can be included with a transaction along with the defined inputs and outputs. The script defines the rules. When a script is generated it is frozen as a unique transaction hash and can't be changed after that.
Locking the funds: If a wallet is going to execute a script it will first lock the inputs to the script. It will then execute the script by supplying a "redeemer" transaction with supplies fees and a key which can unlock the funds. The script is executed on the blockchain according to it's rules, which are frozen.
Talking to the user: Part of the process is showing the user what is going on, and getting their approval, which needs a bit of trust. There may be more than one point where approval is needed so software which shows the user what is happening and allows steps in the process to be approved needs to run, usually as a web page, and get permission from the wallet, which might be a plug-in.

There is a good technical walkthough available for developers in the Cardano docs.


This website was created by Kevmate. Its all my own work. Contact me by emailing me at