Bitcoin Forum

I don't like the idea of keeping a paper wallet with all the private keys unencrypted. Until Bip38 is officially implemented on bitaddress.org I made a bitaddress fork to encrypt the private keys of a paper wallet with a One-time pad (https://en.wikipedia.org/wiki/One-time_pad). I would like your input if it's a safe way to store a paper wallet?

https://i.imgur.com/LWMzUyt.png

You need to print your paper wallet and the One-time pad and keep them in separate location. That way, a burglar would need to find both the OTP and the paper wallet to steal your Bitcoins. To generate the encrypted private key I only need to iterate on all characters of the private key and the corresponding character in the OTP and do:
charXEncryptedPrivateKey = charXPrivateKey + charXOTP % 58
To decrypt it's simply the opposite:
charXPrivateKey = charXEncryptedPrivateKey - charXOTP % 58

Here is an example :


I like the OTP encryption because I can decrypt the private key manually with pencil and paper if I need to. For convenience and testing I made a simple Perl script to decrypt the private key using the encrypted private key and the OTP.

https://i.imgur.com/tJEL75b.png

Looks interesting. What's your random number source?

1. Since private keys start with 5, you're going to be leaking the first digit of your OTP.
2. Using your OTP more than once can lead to it being compromised. You're lucky that the underlying private key data is random, but you're in trouble if one of your private keys is discovered.

The one-time pad is a randomly generated private key where the beginning "5" is changed for a "1". Because I wanted the encrypted private key to start with a 5 like a regular private key. I will probably change the printed version to only print the encrypted private keys without the corresponding public address. This way a burglar will think this is only a non-funded paper wallet.

I know the first digit of the OTP is leaked. Is a private key really random appart from the first 5? If not the OTP can be compromised.
I know you should never use a OTP more than once but I think it's ok with private keys has long has no unencrypted private key is leaked.

Edit : After rethinking about what you said Insti.  I should generate a different OTP for each private keys. This way I don't have to worry. I also found out that a private key is not completely random. Because of this I will generate the OTP randomly without using another private key.

No, because the checksum won't correspond. The burglar will think the key isn't correctly formatted.

That doesn't make any sense
A number can't be random

If you use the key more than once then it isn't a One-Time Pad. It's one step above a substitution cipher, and if any of your unencrypted private keys ever does leak, so will the encryption key. It's possible that someone more experienced with cryptoanalysis than myself could even derive the encryption key from multiple encrypted private keys. The whole point of a OTP is that you use one bit of unique, never-used-elsewhere entropy to encrypt each bit of the message. The fact that each bit of the pad is unrelated to anything else the attacker might know is what makes an OTP resistant to cryptoanalysis.

Sorry for a bit OT question, but why hasn't been BIP0038 officially implemented into bitaddress.org? In the Github, there is finalized version (2.5 if I recall correctly) for more than month, which works pretty fine.

Also, working from saved HTML on disc with disconnected network is always a bit safer.

I was also wondering the same thing.

I've since implemented my own fork as well using AES encryption with a passphrase/password. Just adds one more level of paranoia security. The fork is heavily customized for own purposes (custom interface) but if anyone else wants to use it too go ahead: Icecap (https://github.com/nieldlr/icecap). I'm going to make it bit more cleaner in the future. (My corresponding blog post (http://niel.delarouviere.com/2013/05/creating-bitcoin-paper-wallet/) if anyone is curious)