Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: glub0x on March 26, 2013, 02:40:53 PM



Title: I'd like to do a multi sig wallet
Post by: glub0x on March 26, 2013, 02:40:53 PM
Hello it's all in the title.
I'd like to print on 5 papers some part of the btc private key, and someone in possession of 3 of those papers should be able to easily recover the funds.
Is there any simple way to do so?


Title: Re: I'd like to do a multi sig wallet
Post by: jackjack on March 26, 2013, 03:03:31 PM
With non-standard transactions it would have been easy to do


Title: Re: I'd like to do a multi sig wallet
Post by: Bitobsessed on March 26, 2013, 03:26:15 PM
Are you saying you want to have a private key that is split into 1/5's, and any of the 3 can redeem the private key?  Bitaddress.org can generate a Vanity address (have not tried it myself) that will generate a 2 way split key.  Not sure about a 3/5 split key but this might help with what you are looking for.

https://bitcointalk.org/index.php?topic=43496.0


Title: Re: I'd like to do a multi sig wallet
Post by: kjj on March 26, 2013, 03:36:02 PM
Personally, I think you would be better off making 5 new private keys and then making a P2SH multisig 3-of-5 address from them.


Title: Re: I'd like to do a multi sig wallet
Post by: glub0x on March 28, 2013, 09:14:03 AM
So would there be a point in making a service such as bitcoinadress that would work as follows:
1 choose how many blocks you want
2 choose how many blocks are needed to reform the key
3 random words are created for each block.

For example, I choose 3 blocks and 2 are needed.
Block 1: AB_
Block 2: _BC
Block 3: A_C

2 out of those 3 would allow you to reform the word ABC, which can be used as a private key.

Then you can print each block and save them this way.
I only have a problem figuring out how to do so in a generic way (for instance, what would be the solution for 6 blocks when 3 are needed).


For me this solution is much more convenient as:
Brain Wallet --> you can forget the password. If you write it down, someone can steal it from you. What if you have an accident?
Paper wallet --> cannot be spread so much. If someone takes a simple picture of it, they can steal from you. If you keep them at home, what if you get a fire?
If you give it to someone, what if he turns rogue? What if your house gets stolen? Soon bitcoin will be more wanted than gold!
Encrypted wallet on CD --> hard to check integrity. Same problem as brain wallet.


Title: Re: I'd like to do a multi sig wallet
Post by: willphase on March 28, 2013, 09:37:52 AM
you could use P2SH or Shamir's secret sharing but those are probably a bit heavyweight.  A lighter weight solution that you can just do with your calculator, but requires more storage (3 c 5 = 10x256bits) would be in this case:

Generate a random 256 bit key for each of the participants.

Go through all the permutations of how you wish the unlock to happen - e.g. in your case there are ten combinations:

{a,b,c} {a,b,d} {a,b,e} {a,c,d} {a,c,e} {a,d,e} {b,c,d} {b,c,e} {b,d,e} {c,d,e}

and XOR the keys against each other, e.g. for A, B and C to unlock you generate K(A|B|C).  Then XOR each of these generated intermediates with the master private key you wish to secure (obtain the bitcoin private key from the dumpprivkey RPC command, then convert to a raw 256-bit value).  You will end up with ten 256-bit values which you then publish to all participants, or on a website (it can be public).

EDIT: in fact, you should put the intermediate keys through a SHA256 hash before XORing with the bitcoin private key - this avoids a depth attack where you can just XOR the public values against each other to leak information.  Sorry.
 
Now when three participants wish to decode the public key, they XOR their three secrets with each other along with the correct value from the public intermediate list, and this recovers the private key.

Will
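
The scheme described in the post above, including the SHA256 step from its EDIT, as an added example that is not part of the original post. The function names and the five random participant secrets are assumptions made for illustration, and the master key is a random stand-in for a raw private key.

```python
import hashlib
import secrets
from itertools import combinations

KEY_BYTES = 32  # every value in the scheme is 256 bits


def xor(*vals: bytes) -> bytes:
    """XOR any number of 32-byte strings together."""
    out = bytes(KEY_BYTES)
    for v in vals:
        out = bytes(x ^ y for x, y in zip(out, v))
    return out


def pad_for(shares: dict, hashed: bool) -> bytes:
    """K(A|B|C): XOR of the group's secrets, optionally through SHA256 (the EDIT)."""
    pad = xor(*shares.values())
    return hashlib.sha256(pad).digest() if hashed else pad


def make_public_table(master: bytes, people: dict, k: int, hashed: bool = True) -> dict:
    """One masked copy of the master key per k-member group; safe to publish."""
    return {
        group: xor(pad_for({n: people[n] for n in group}, hashed), master)
        for group in combinations(sorted(people), k)
    }


def recover(table: dict, shares: dict, hashed: bool = True) -> bytes:
    """k participants pool their secrets and unmask their group's entry."""
    return xor(table[tuple(sorted(shares))], pad_for(shares, hashed))


def demo() -> dict:
    master = secrets.token_bytes(KEY_BYTES)  # constructed stand-in for the raw private key
    people = {n: secrets.token_bytes(KEY_BYTES) for n in "abcde"}  # constructed secrets
    table = make_public_table(master, people, 3)
    weak = make_public_table(master, people, 3, hashed=False)
    c_xor_d = xor(people["c"], people["d"])
    return {
        "entries": len(table),
        "recovered": recover(table, {n: people[n] for n in "bde"}) == master,
        # Without the hash, two public values alone reveal c XOR d.
        "unhashed_leaks": xor(weak["a", "b", "c"], weak["a", "b", "d"]) == c_xor_d,
        "hashed_leaks": xor(table["a", "b", "c"], table["a", "b", "d"]) == c_xor_d,
    }
```

Unlike the P2SH 3-of-5 address suggested earlier in the thread, recovery here reassembles the whole private key in one place.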


Title: Re: I'd like to do a multi sig wallet
Post by: glub0x on March 28, 2013, 11:03:25 AM
Not sure I understand very well.
With your system, let's say the owners of {a,b,c} and {b,d,e} met. They are only 2, yet they can manage to rebuild the whole message (abcde). So this should not work, does it?


Title: Re: I'd like to do a multi sig wallet
Post by: willphase on March 28, 2013, 04:21:00 PM
> Not sure I understand very well.
> With your system, let's say the owners of {a,b,c} and {b,d,e} met. They are only 2, yet they can manage to rebuild the whole message (abcde). So this should not work, does it?

I think you might be misunderstanding - the notation {a,b,c} is the group of people comprising person a, person b, person c.

Will


Title: Re: I'd like to do a multi sig wallet
Post by: DBordello on March 28, 2013, 05:37:03 PM
I share your desire to do an n-of-m wallet.

The closest thing I have found are some Python scripts that let you back up an Armory wallet to n-of-m paper backups.

At the moment I am waiting for the Offline bundle to be updated to support it.

See: https://bitcointalk.org/index.php?topic=139625.0


Title: Re: I'd like to do a multi sig wallet
Post by: dserrano5 on March 29, 2013, 07:56:57 AM
> I share your desire to do an n-of-m wallet.
>
> The closest thing I have found are some Python scripts that let you back up an Armory wallet to n-of-m paper backups.
>
> At the moment I am waiting for the Offline bundle to be updated to support it.
>
> See: https://bitcointalk.org/index.php?topic=139625.0

This (https://bitcointalk.org/index.php?topic=149820) is newer than that.