Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: brenzi on December 31, 2013, 01:39:24 PM



Title: Solution for 2-of-3 paper wallets without multisig feature
Post by: brenzi on December 31, 2013, 01:39:24 PM
As the multisig feature is not yet supported by any bitcoin client (at least not for spending the coins) I was thinking about another way to get a 2-of-3 paper wallet.

edit: You can directly jump to the improved version (https://bitcointalk.org/index.php?topic=393159.msg4332270#msg4332270)

The basic idea is:
  • split private key in two files
  • use parchive (http://parchive.sourceforge.net) to generate a recovery file
  • generate qr codes for the three files

now you only need two of those three QR codes to recover your private key.

I tried this with the following detailed procedure:

Private Key: 5JYTix96fp8JtwWF1Vq3gBaM5p31GyYK94K5ezLdUaF3VBZkJ7G

file testprivkey1
Code:
5JYTix96fp8JtwWF1Vq3gBa

file testprivkey2
Code:
M5p31GyYK94K5ezLdUaF3VBZkJ7G


generate PAR recovery file
Code:
parchive a -n1 test.par testprivkey1 testprivkey2

you get an index file test.par and a recovery file test.p01. You don't need to keep the index file, it's only used for checksum validation

generate QR codes
Code:
cat testprivkey1 | qrencode -o testprivkey1.png
cat testprivkey2 | qrencode -o testprivkey2.png
uuencode test.p01 test.p01 > test.p01.uue
cat test.p01.uue | qrencode -8 -o test.p01.uue.png

print it. make sure you mark which code stands for which file

To decode with only testprivkey1 and test.p01:
Code:
zbarimg --raw testprivkey1.png > testprivkey1
zbarimg --raw test.p01.uue.png > back_test.p01.uue
cat back_test.p01.uue | uudecode
parchive r testprivkey1 test.p01

now you just need to concatenate the two sides. done.


The only question that remains is: Can I be sure that the private key cannot be recovered from only the recovery file itself? Not with parchive tool itself, but as parchive is not designed to make this impossible (quite the opposite) I would appreciate educated comments on my proposal.

One approach to make sure the recovery file is not sufficient to recover the private key could be to add random data to the files testprivkey1&2.
The amount of random data would be limited by reasonable QR code size. The recovery file should then have the same size as the input files
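
The question raised at the end of the post above, worked through in Python as an added example (not part of the original post). It assumes byte-wise XOR parity as a stand-in for the PAR recovery block, and all function names are made up for this illustration.

```python
import math

# Added illustration, not from the thread. Assumption: byte-wise XOR parity stands in
# for the PAR recovery block (any fixed linear combination behaves the same way here).
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
PART1 = b"5JYTix96fp8JtwWF1Vq3gBa"        # testprivkey1 from the post
PART2 = b"M5p31GyYK94K5ezLdUaF3VBZkJ7G"   # testprivkey2 from the post


def xor_parity(a, b):
    """Parity share: XOR of both files, the shorter one zero-padded."""
    n = max(len(a), len(b))
    return bytes(x ^ y for x, y in zip(a.ljust(n, b"\0"), b.ljust(n, b"\0")))


def recover(known, parity, length):
    """Rebuild the missing file from the surviving file plus the parity share."""
    return xor_parity(known, parity)[:length]


def candidates_from_parity(parity, overlap):
    """Per position, how many Base58 pairs (a, b) satisfy a XOR b == parity byte."""
    return [sum(1 for a in B58 if chr(ord(a) ^ p) in B58) for p in parity[:overlap]]


def leak_report():
    parity = xor_parity(PART1, PART2)
    overlap = min(len(PART1), len(PART2))
    counts = candidates_from_parity(parity, overlap)
    return {
        # Holder of one key file: these characters are known outright.
        "chars_known_from_part1": len(PART1),
        "chars_known_from_part2": len(PART2),
        # Holder of the parity only: bits left to guess in the overlapping region,
        # versus the bits someone holding no share at all would face there.
        "bits_left_with_parity": sum(math.log2(c) for c in counts),
        "bits_without_any_share": 2 * overlap * math.log2(58),
        # Beyond the overlap the padding is zero, so parity equals PART2 verbatim.
        "tail_exposed": parity[overlap:] == PART2[overlap:],
    }


if __name__ == "__main__":
    for name, value in leak_report().items():
        print(f"{name}: {value}")
```

Every single share in this layout gives away roughly half of the key material, which is why the random padding suggested above would have to make each share as long as the whole secret.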


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: prezbo on December 31, 2013, 04:11:00 PM
I think armory already implemented m-of-n backups based on shamir's secret sharing algorithm (http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). Check the armory subforum for details.


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: cbeast on December 31, 2013, 04:20:36 PM
BIP38 is supported by http://www.bit2factor.org/
It can be saved and run offline.


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: empoweoqwj on January 01, 2014, 02:37:03 AM
Quote from: prezbo
I think armory already implemented m-of-n backups based on shamir's secret sharing algorithm (http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). Check the armory subforum for details.

yep - armory has the most advanced wallet features out there.


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: brenzi on January 01, 2014, 09:56:22 AM
Quote from: prezbo
I think armory already implemented m-of-n backups based on shamir's secret sharing algorithm (http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). Check the armory subforum for details.

Great, thanks. But it seems this is not yet an official, mature feature (and currently everybody's waiting for the next release including important fixes anyway). And I would prefer a very simple solution that could be run from a liveCD. Your hint leads me to the following:

Code:
cat testprivkey | ssss-split -t 2 -n 3 -w testkey -q

This seems like a very elegant solution to me, as it is very easy to reproduce. One could even print the necessary bash script next to the QR code on the paper wallet.

And there's more: This solution can be applied to any altcoin as well
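
What a 2-of-3 threshold split such as the `ssss-split -t 2 -n 3` call above provides, as an added Python example (not the ssss source and not part of the thread). It assumes arithmetic modulo a fixed prime for readability rather than whatever field arithmetic ssss uses internally, and the function names are made up for this illustration.

```python
import secrets

# Added illustration, not the ssss source. Assumption: arithmetic is done modulo the
# prime 2**521 - 1, chosen only because it is larger than any 51-character key.
P = 2**521 - 1


def split_2_of_3(secret):
    """Return three shares (x, y) on a random line y = s + r*x (mod P)."""
    s = int.from_bytes(secret, "big")
    if s >= P:
        raise ValueError("secret too long for this field")
    r = secrets.randbelow(P)            # fresh random slope for every split
    return [(x, (s + r * x) % P) for x in (1, 2, 3)]


def combine(share_a, share_b, length):
    """Interpolate the line through two distinct shares and read it off at x = 0."""
    (xa, ya), (xb, yb) = share_a, share_b
    inv = pow((xb - xa) % P, -1, P)     # modular inverse (Python 3.8+)
    s = (ya * xb - yb * xa) * inv % P
    return s.to_bytes(length, "big")


def slope_explaining(share, guess):
    """Slope r under which ONE share is consistent with an arbitrary guessed secret.

    Such an r exists for every guess, so a single share rules nothing out.
    """
    x, y = share
    g = int.from_bytes(guess, "big")
    return (y - g) * pow(x, -1, P) % P


if __name__ == "__main__":
    key = b"5JYTix96fp8JtwWF1Vq3gBaM5p31GyYK94K5ezLdUaF3VBZkJ7G"  # test key from the thread
    shares = split_2_of_3(key)
    print(combine(shares[0], shares[2], len(key)) == key)   # any two shares suffice
    wrong = b"X" * len(key)
    r = slope_explaining(shares[1], wrong)
    x, y = shares[1]
    print((int.from_bytes(wrong, "big") + r * x) % P == y)  # share fits a wrong guess too
```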


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: empoweoqwj on January 01, 2014, 10:55:06 AM
Quote from: prezbo
I think armory already implemented m-of-n backups based on shamir's secret sharing algorithm (http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). Check the armory subforum for details.

Quote from: brenzi
And there's more: This solution can be applied to any altcoin as well

Well considering most altcoins are clones or near clones of bitcoin, that's not really much of a surprise ;)


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: prezbo on January 01, 2014, 11:29:35 AM
Quote from: prezbo
I think armory already implemented m-of-n backups based on shamir's secret sharing algorithm (http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). Check the armory subforum for details.

Quote from: brenzi
And there's more: This solution can be applied to any altcoin as well

Quote from: empoweoqwj
Well considering most altcoins are clones or near clones of bitcoin, that's not really much of a surprise ;)

Since sss works on data of any kind there's really no limitations on where it can be used, altcoin or not :)


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: brenzi on January 01, 2014, 12:22:53 PM
Quote from: prezbo
I think armory already implemented m-of-n backups based on shamir's secret sharing algorithm (http://en.wikipedia.org/wiki/Shamir's_Secret_Sharing). Check the armory subforum for details.

Quote from: brenzi
And there's more: This solution can be applied to any altcoin as well

Quote from: empoweoqwj
Well considering most altcoins are clones or near clones of bitcoin, that's not really much of a surprise ;)

No, not a surprise. But adapting armory for altcoins is out of reach for me. So I'm looking for a solution that solves my problem for any coin (or any secret)


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: brenzi on January 01, 2014, 12:35:19 PM
Here's an improved version of the OP: edit: See next post for further improved version

To generate the QR codes for the private key in file testprivkey
Code:
#!/bin/bash
CTR=1
# generate 2 of 3 secret; the loop reads one share per line
cat testprivkey | ssss-split -t 2 -n 3 -w testkey -q | while read -r line; do
  # one QR code per share
  echo "$line" | qrencode -o "testsplit.part$CTR.png"
  CTR=$((CTR+1))
done

To recover the private key:
Code:
#!/bin/bash
zbarimg --raw testsplit.part1.png  | tr -s '\n' > testjoin.part1
zbarimg --raw testsplit.part2.png  | tr -s '\n' > testjoin.part2
cat testjoin.part1 testjoin.part2 | ssss-combine -t 2

I will give this a go and probably add some comfort to the scripts

Unfortunately, not all tools used are on standard ubuntu liveCD. You need to
Code:
sudo apt-get install ssss qrencode zbar-tools
But anyway, I'd prefer to use the satoshi client to generate the bitcoin address (minimum trust)


Title: Re: Idea for 2-of-3 paper wallets without multisig feature
Post by: brenzi on January 05, 2014, 09:04:28 PM
Ok, so here's the script that I use to generate 2-of-3 paper wallets (can easily be modified for N-of-M). Hopefully some people can use this until the time when bitcoin clients support multisig transactions.
It generates an HTML file with three parts of one paper wallet.

I've tested it for bitcoin and peercoin. Whatever vanitygen can generate is supported.
Linux Dependencies: vanitygen ssss qrencode (zbar-tools)

Code:
#!/bin/bash
CTR=1
# generate 2 of 3 secret

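#remove old keys if file exists
#(this writes one empty line; the sed commands below expect the Address on line 3
# and the Privkey on line 4, counting that empty line)
echo "" > paperwallet.keys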

#generate new bitcoin address
vanitygen -q -o paperwallet.keys 1
#generate new peercoin address
#vanitygen -X 55 -q -o paperwallet.keys P

#generate QR code for bitcoin address
echo "bitcoin:" > paperwallet.pub
cat paperwallet.keys | sed '4d' | sed '1,2d'  | sed 's/^Address: //' >> paperwallet.pub
cat paperwallet.pub | tr -d '\n'| qrencode -o "paperwallet.pub.png"

#start html output
echo "<html>" > paperwallet.html
echo "<head><style>" >> paperwallet.html
echo " table {border-collapse:collapse; table-layout:fixed; width:800px}" >> paperwallet.html
echo " table td {border:solid 1px #fab; width:400px; word-wrap:break-word;}"  >> paperwallet.html
echo "</style></head><body>" >> paperwallet.html

#split private key into 3 keys
cat paperwallet.keys | sed '1,3d' | sed 's/^Privkey: //' | ssss-split -t 2 -n 3 -w privatekeypart -q | while read -r line; do
  #QR code for this share
  echo "$line" | qrencode -o "paperwallet.priv.part$CTR.png"

  #one html section per share
  echo "This is <b>part $CTR</b> of a bitcoin paper wallet. two of three parts are needed to recover the original secret<br>" >> paperwallet.html
  echo "<table><tr><td>Public Key: " >> paperwallet.html
  cat paperwallet.pub >> paperwallet.html
  echo "</td><td>" >> paperwallet.html
  echo "Private Key (one among three): " >> paperwallet.html
  echo "$line" >> paperwallet.html
  echo "</td></tr><tr><td>" >> paperwallet.html
  echo "<img src=paperwallet.pub.png width=150>" >> paperwallet.html
  echo "</td><td>" >> paperwallet.html
  echo "<img src=paperwallet.priv.part$CTR.png width=200>" >> paperwallet.html
  echo "</td></tr></table>" >> paperwallet.html
  echo "use linux command <i>ssss-combine -t 2</i> to recover original private key from two paper wallets<br><hr>" >> paperwallet.html
  CTR=$((CTR+1))
done

echo "</body></html>" >> paperwallet.html

use the following lines to test recovery

Code:
zbarimg --raw -q paperwallet.priv.part1.png | tr -s '\n' > testjoin.part1
zbarimg --raw -q paperwallet.priv.part2.png | tr -s '\n' > testjoin.part2
cat testjoin.part1 testjoin.part2 | ssss-combine -q -t 2

be aware that the files generated contain your private key and are not cleaned up by this script. Only generate paper wallets on an offline computer running LiveCD.