Everything so far secured a financial system that still has banks and authorities at its center. Now the same primitives get rearranged into something with no center at all. This module begins the Bitcoin stack the banking innovation track kept deferring — and it starts exactly where you are strongest: the public and private keys of Module 04 and the digital signatures of Module 05. In Bitcoin there is no account and no bank; there is only a key pair. Your public key becomes an address that receives money; your private key is the sole power to spend it. You will generate a real key pair and watch an address derive from it, sign a transaction to move coins with no bank approving, and confront the stark reality of self-custody — where the private key quite literally is the money.
Every form of money you have met in this course so far is, at bottom, an account with someone. Your bank balance is the bank's promise to you; a card payment moves balances between accounts; even cash is a claim recorded, ultimately, in a central bank's ledger. There is always an institution holding a record of who owns what, and your money is your standing in that record. Bitcoin breaks this completely. There is no account, no bank, no institution holding your balance — and yet ownership is perfectly well-defined. How?
The answer is the single most important idea in this module, and it follows directly from the primitives you already have. In Bitcoin, control of money is control of a private key. The coins are not held by anyone on your behalf; they exist as entries on a shared public ledger (the blockchain, which the next module builds), and an entry can only be spent by whoever can produce a valid digital signature from the matching private key. Owning Bitcoin is not having an account somewhere — it is holding the private key that can authorize moving specific coins. No one can move them without that key, and anyone who has that key can move them. Ownership is key control.
Everything in this module unfolds from that one sentence. Your public key (Module 04) becomes the destination money is sent to. Your private key is the sole power to spend it, exercised through a digital signature (Module 05) that the network verifies. There is no one to ask for permission, no one to verify your identity, no one who can freeze or reverse or restore. The cryptography you already understand is the entire ownership system — which is exactly what makes it so powerful and so unforgiving, as we will see.
In Bitcoin there is no account and no institution holding your balance — control of money is simply control of a private key. Coins exist as entries on a shared public ledger that can only be spent with a valid signature from the matching private key. Your public key receives money; your private key alone can spend it. The cryptography from Modules 04 and 05 is the entire ownership system.
You receive Bitcoin at an address — a string like the ones you have seen, beginning with characters such as bc1. An address is derived directly from your public key, and the derivation reuses a primitive you know well: hashing. In simplified terms, you take your public key and run it through hash functions (Module 02) to produce a shorter, fixed-length value, which is then encoded into the address you share. The address is essentially a fingerprint of your public key.
Why hash the public key rather than just use it directly? Two reasons you can appreciate now. First, it is shorter and more convenient — a hash is a compact fixed size regardless of the key. Second, it adds a layer of protection: because the address reveals only a hash of your public key and not the key itself, it gives an extra cushion against any future weakness in the underlying key mathematics, since an attacker only sees the fingerprint until you actually spend. The chain of derivation runs one way, exactly as hashing always does: private key → public key → address, each step easy to compute forward and effectively impossible to reverse.
Generate a real key pair and watch the address derive from it. The button below creates a genuine elliptic-curve key pair in your browser — the same family of public-key cryptography Bitcoin uses (Module 04 noted that Bitcoin relies on elliptic-curve keys) — then derives an address by hashing the public key. Generate a few and notice: the private key is the secret you must guard, the public key is derived from it, and the address is a hash of the public key, safe to share with anyone who wants to pay you.
A real elliptic-curve key pair, generated in your browser. The address is a hash of the public key. (Shown truncated for readability.)
Three values, one chain of derivation. Notice you cannot run it backward: the address tells no one your public key (only its hash), and the public key tells no one your private key (that is the one-way magic of Module 04). This is why an address is safe to post publicly — handing someone your address lets them send you money, but gives them no power whatsoever to take it. Only the private key at the top of the chain can do that, and it never appears anywhere except in your own keeping.
An address is a hash of your public key, which is itself derived from your private key: private key → public key → address. Each step is easy forward and effectively impossible to reverse. So an address is safe to share — it lets others pay you but gives no power to spend — while the private key, which alone can spend, stays solely in your keeping.
The word "wallet" is one of the most misleading terms in all of cryptocurrency, and clearing it up reveals how the whole system works. A Bitcoin wallet does not contain your coins. It is not like a physical wallet holding cash. A Bitcoin wallet is a keychain: it holds your private keys (and derives your public keys and addresses from them). That is all it is — a manager and protector of keys.
So where are the coins? They are not in the wallet and not in any single place at all. The coins exist only as entries on the shared public ledger — the blockchain — which is replicated across thousands of computers worldwide. The ledger records that the coins at a given address can be spent by whoever controls the matching key. Your "balance" is just the sum of ledger entries your keys can unlock. When you "send Bitcoin," nothing physically leaves your phone; instead your wallet uses your private key to sign an instruction that the network records on the ledger, reassigning those entries to someone else's address. The wallet never held coins; it held the authority to reassign them.
This reframes everything, and two consequences matter enormously. First, because the wallet only holds keys, losing your phone is not losing your coins — as long as you can restore your keys (see the seed phrase, shortly), the coins are still on the ledger, controllable from any wallet that holds the keys. Second, and far more sobering: because the keys are the only control, anyone who obtains your keys obtains your coins instantly and irreversibly, and anyone who loses their keys loses access to coins that remain visible on the ledger forever, unspendable. The coins never move; only control over them does, and control is nothing but the key. A wallet, properly understood, is a thing that guards keys — which is why how those keys are backed up and protected, the subject of the coming sections, is the whole game.
A Bitcoin wallet holds keys, not coins. The coins exist only as entries on the shared ledger, replicated worldwide; your balance is the sum of entries your keys can unlock. Sending coins means signing an instruction to reassign ledger entries — nothing physically leaves your device. So losing the device need not lose the coins (if you can restore the keys), but losing or leaking the keys means losing or surrendering the coins, irreversibly.
Now the payoff: how you actually move money with no bank to approve it. To spend coins, you create a transaction — "move these coins to this address" — and you sign it with your private key, exactly the digital signature of Module 05. You broadcast the signed transaction to the network. Every node verifies, using your public key, that the signature is valid for the coins being spent — that whoever made this transaction controls the key those coins are assigned to. If the signature verifies, the transaction is accepted; if not, it is rejected. No institution approves it. The signature is the authorization.
Try it with the real key pair you generated. Below is a transaction spending from your address. Sign it with your private key and watch the network verify it with your public key and accept it. Then tamper with the amount after signing and watch verification fail — the signature was over the original transaction, and any change breaks it (the integrity property from Module 05). Finally, see the thing that makes ownership real: an attacker, who has a different key pair, tries to spend your coins by signing the transaction with their key — and the network rejects it, because their signature does not match the public key that owns the coins.
Generate a wallet in the demo above first. This signs a real transaction with your private key and verifies it with your public key.
Three lessons in one demo. Signing with your private key authorized the payment with no bank in the loop — the network's only question was "is this signature valid for the coins' owner?", and the math answered it. Tampering broke the signature, so no one can alter your transaction in flight. And the attacker, lacking your private key, simply could not produce a signature your coins would accept — they can see your address and your transaction (everything is public), but seeing is not spending. This is "be your own bank" made literal: the authority a bank normally exercises when it approves your payment is replaced entirely by your private key and a signature the whole network can check but no one can forge.
If your money is your private keys, then backing up and protecting those keys is the entire problem of owning Bitcoin. A modern wallet may control many keys and addresses, and remembering or copying each one would be hopeless. The solution is the seed phrase (also called a recovery phrase or mnemonic): a list of ordinary words — typically 12 or 24 — from which all of your wallet's keys are mathematically derived.
The idea is that a wallet does not generate keys randomly and independently; it generates a single random seed, encodes that seed as a sequence of words you can write down, and then deterministically derives every private key, public key, and address from it. This is why it is called a deterministic wallet: the same seed always regenerates exactly the same keys. The words are just a human-friendly encoding of one big secret number. Below is an illustration of what a seed phrase looks like — note that real wallets use a standardized word list and a cryptographically secure process; this is only to show the shape of the thing:
Illustrative only — not a real wallet seed. It shows how a short word list can stand in for the one secret all your keys derive from.
The power and the peril are the same fact. The seed phrase means you can restore your entire wallet — every key and coin — onto any device, anywhere, just by entering those words; lose your phone and your money is safe as long as you have the phrase. But it also means the phrase is the money, totally and portably. Anyone who photographs, finds, or phishes your twelve words controls everything instantly, from anywhere on earth, with nothing else needed. This is why the universal advice is to write a seed phrase on paper or metal and never store it as a photo, a screenshot, a cloud note, or an email — anything connected to the internet is exposed, and there is no second factor, no account lock, no recovery if those words leak. The convenience of "one backup for everything" is identical to the danger of "one secret for everything."
A seed phrase is a list of words encoding the single secret from which a wallet deterministically derives all its keys. It lets you restore your whole wallet on any device — so losing the device need not lose the coins. But the phrase is the money: anyone who sees it controls everything, and anyone who loses it loses everything, with no recovery. Its great convenience and its great danger are the same property.
We can now state plainly what "being your own bank" actually means, because you have seen the machinery. Holding your own keys — called self-custody — means you, and only you, control your money, with no institution between you and it. That is the promise the banking innovation track celebrated: no one can freeze your account, deny you access, seize your funds, or inflate them away. Permissionless, censorship-resistant, sovereign. The keys are yours; the money is yours; no one can interfere.
But the machinery you just worked through reveals the exact, inseparable cost. A bank, for all the dependence it creates, provides an enormous bundle of services you never think about: it can reset your password, reverse a fraudulent charge, restore access when you lose your card, freeze your account if it is stolen, and insure your deposits if the bank itself fails. Self-custody means giving up every one of those services, because there is no one to provide them. Lose your seed phrase and your money is gone forever — visible on the ledger, unspendable, with no help desk to call. Send to the wrong address and there is no reversal. Get phished out of your keys and there is no fraud department, no chargeback, no insurance. The very absence of an intermediary that makes you sovereign also makes you solely, permanently responsible.
This is the burden that is the flip side of the freedom, and it is not a bug to be fixed but the structural essence of the thing. You cannot have "no one can interfere with my money" and also "someone will help me when I make a mistake" — those are the same intermediary, wanted in one moment and resented in another. Self-custody hands you complete control and, with it, the complete job that banks, payment networks, and insurers normally do on your behalf: security, backup, recovery, fraud prevention, and the consequences of every error. Be your own bank, in full: be your own vault, your own fraud department, your own insurer, your own last line of defense. For some people and some situations that trade is liberating and worth it; for others it is daunting and dangerous. The cryptography is neutral — it simply enforces, without exception or mercy, that the key is the money.
In the evenhanded spirit of the course, the realistic picture is a spectrum, not a binary. Pure self-custody — you alone hold your seed phrase — is one end: maximum sovereignty, maximum responsibility. At the other end, you can hold your coins at a custodial exchange, which keeps the keys for you and gives you an account with a password you can reset and support you can call. And here lies the great irony the banking innovation track flagged: the moment you do that, you have recreated a bank. You are trusting an institution to hold your money, exactly the relationship Bitcoin was designed to remove — only now it is an institution that is often less regulated, uninsured, and historically prone to collapse.
The collapse of major exchanges — most infamously FTX in 2022, where vast sums of customer funds simply vanished — drove the lesson home in the hardest way. Customers who thought they "owned Bitcoin" actually owned a claim against an exchange, and when the exchange failed, the claim was worth little. The crypto maxim that crystallized from these disasters is blunt: "not your keys, not your coins." If someone else holds the private keys, you do not really hold Bitcoin; you hold an IOU from whoever does, and you have taken on bank-like risk without bank-like protections. It is a genuine dilemma with no free answer: true self-custody is sovereign but unforgiving and demands real competence and care; custody is convenient and familiar but reintroduces exactly the trusted intermediary — and its failure modes — that the whole system set out to escape.
So the honest assessment refuses both the cheerleading and the cynicism. Self-custody is a real and remarkable capability — the first time in history individuals can hold bearer-like digital value with no custodian — and it genuinely matters for people facing seizure, censorship, hyperinflation, or exclusion from banking. It is also genuinely hard and dangerous for ordinary users, and most people, sensibly weighing the risk of losing everything to their own mistake, choose some custody and thereby accept some of the very intermediation Bitcoin sought to remove. Both the capability and its difficulty are real. The cryptography gives you the option of absolute control; what it cannot give you is relief from the responsibility that option carries.
You can now generate keys, derive an address, and authorize a payment with a signature that no bank approves — the complete cryptographic basis of owning and spending Bitcoin. But we have leaned the whole time on a phrase we have not yet earned: "entries on a shared public ledger." We said coins are ledger entries that your keys can reassign, and that the ledger is replicated across thousands of computers. Two enormous questions remain unanswered.
First, what is this ledger, and why can no one tamper with it? If the record of who owns what is just data copied across thousands of machines, what stops someone from editing their copy to give themselves more coins? Second, and most fundamental, what stops you from spending the same coin twice? A digital signature proves you authorized a transaction — but nothing in a signature alone stops you from signing two transactions that both spend the same coin, sending it to two different people. Physical cash solves this naturally (you hand over the note and no longer have it), but pure digital signatures do not. This double-spending problem was the great obstacle that stopped digital cash from working for decades.
The answers to both lie in the structure that holds these transactions: the blockchain. It uses the hashing you learned in Module 02 — the tamper-evident chain of fingerprints you actually built and broke in that module's demo — to make the ledger's history practically impossible to rewrite, and it uses a network-wide agreement process (consensus) to settle, once and for all, which transaction spending a coin came first. The next module builds the blockchain itself: how transactions are bundled into blocks, hash-linked into a chain whose past cannot be quietly altered, and why that structure finally solves double-spending without any central authority. The keys gave you ownership; the blockchain gives that ownership a ledger no one controls.
Six questions on keys, addresses, wallets, and self-custody — how ownership works without an account, what a wallet really holds, spending by signing, the seed phrase, and the realities of self-custody. The questions test the concepts you just saw in action.