BCA Addresses

What a Bitcoin-Certified Address is, how it's constructed, and why it has 89-bit security for under 1ms of work.

The address

A BCA address is a standard 128-bit IPv6 address. Any router, firewall, or switch treats it like any other IPv6 address. The difference is in how the last 64 bits — the interface identifier — are generated.

In a conventional IPv6 address, the interface identifier is either random (privacy extensions) or derived from the MAC address. In a BCA address, it's the leftmost 64 bits of a SHA-256 hash called Hash1.

Hash1 — the core formula

Hash1 = SHA-256(modifier || block_header || subnet_prefix || collision_count || transaction)

Five inputs:

• modifier — 16 random bytes. Different modifiers produce unlinkable addresses from the same registration.
• block_header — the 80-byte Bitcoin block header that mined the anchor transaction. This is where the proof-of-work lives.
• subnet_prefix — the /64 IPv6 prefix of the network the device is on.
• collision_count — 0, 1, or 2. Used only if a rare hash collision requires it (BCA gets up to 3 chances per address).
• transaction — the full Bitcoin anchor transaction (typically ~250 bytes).

The output is 32 bytes. The first 8 bytes become the interface identifier (with sec, u, and g bits set per the paper).

BCA Parameters — the ~1.2KB proof

To verify an address, a peer needs the BCA Parameters. Eight fields:

modifier         16 bytes   // privacy + variant selection
publicKey        33 bytes   // device's compressed pubkey
transaction      ~250 bytes // the Bitcoin anchor tx
blockHeader      80 bytes   // the block that mined the tx
subnetPrefix     8 bytes    // /64 network prefix
collisionCount   1 byte     // 0, 1, or 2
merkleProofTx    ~320 bytes // proof tx is in the block
merkleProofMod   ~160 bytes // proof modifier is in the tx's OP_RETURN

Total: about 1.2KB. This is everything needed to verify the address. No other data required.

Why 89-bit security

The attacker's work is to find a BCA address matching a registered device's parameters that they don't actually control. This reduces to finding a Bitcoin block header matching certain properties — which is what mining itself does.

At sec = 2 (the paper's parameter tied to block difficulty), the attack requires approximately 2⁸⁹ hash operations. That's the entire Bitcoin network's work for weeks. In dollar terms, millions of dollars of electricity.

For comparison, practical CGA implementations achieve 59–73 bits. Each bit doubles the attack cost. IronIP's 89-bit is 16× to 1024× stronger than the CGA a device can realistically generate on its own.

Up to 32 addresses per registration

A single Bitcoin anchor creates 32 modifiers (stored in a Merkle tree, root in OP_RETURN). Each modifier yields a unique address, and each address can use collision counts 0/1/2 — so up to 96 addresses per registration. Privacy extensions come for free: cycle modifiers, addresses look unrelated to observers.

See also

• 8-Step Verification — the full verification algorithm
• Bitcoin as Infrastructure — why Bitcoin, not something else
• Paper Notes — the Ducroux paper annotated