Bitcoin Forum

Bitcoin => Bitcoin Technical Support => Topic started by: thms on July 22, 2014, 12:54:29 PM



Title: How do different softwares compare when generating random private keys?
Post by: thms on July 22, 2014, 12:54:29 PM
I want to generate some private keys in an offline computer and I was thinking how do all the different options like bitaddress, multibit, etc compare in terms of generating random private keys offline.

Are they all the same, like using some kind of library?

I think I'm going to install multibit offline and make it generate the private keys for me, so then I can print the private keys to make some sort of paper wallet. What do you think of this approach?


Title: Re: How do different softwares compare when generating random private keys?
Post by: btchris on July 22, 2014, 08:16:46 PM
Quote
I want to generate some private keys in an offline computer and I was thinking how do all the different options like bitaddress, multibit, etc compare in terms of generating random private keys offline.
Are they all the same, like using some kind of library?

What are your concerns / priorities?

Strong random number generation? For this, my first choice would be Armory. In addition to the OS's random number pool (either /dev/random or CryptGenRandom), it also mixes in (https://github.com/etotheipi/BitcoinArmory/blob/v0.91.2-rc1/ArmoryQt.py#L806):
Quote
timestamps, down to the microsecond, of every keypress and mouseclick made during the wallet creation wizard. Also logs mouse positions on every press, though it will be constant while typing. ... Then we throw in the [name,time,size] triplets of some volatile system directories, and the hash of a file in that directory that is expected to have timestamps and system-dependent parameters. Finally, take a desktop screenshot...
It's also a deterministic wallet (https://en.bitcoin.it/wiki/Deterministic_wallet) if that matters to you.

Ease of use? For that I'd download a copy of https://bitcoinpaperwallet.com/ (https://bitcoinpaperwallet.com/bitcoinpaperwallet/generate-wallet.html) (download link is in the lower right of the live demo). It's not quite as thorough as Armory, but it does use window.crypto.getRandomValues which should in theory use the OS's random number pool, and it also uses mouse and keypress events. It's easy to use for paper wallet generation, and quite pretty too. :)

https://www.bitaddress.org/, while not quite as pretty, uses the same random number techniques as bitcoinpaperwallet (actually I think bitaddress was first, and bitcoinpaperwallet is based in part on bitaddress). It's probably the way to go if you want an easy method of generating a lot of paper wallets all at once.

Edited to add: both bitcoinpaperwallet and bitaddress support brain wallets, and bitcoinpaperwallet gives fairly decent advice on how to use dice or an extremely-well-shuffled deck of cards to generate the random keys, although there's better advice over in this thread (https://bitcointalk.org/index.php?topic=682842.0).


Title: Re: How do different softwares compare when generating random private keys?
Post by: AliceWonder on July 23, 2014, 07:00:27 PM
For my own generation of private keys when I make paper wallets, I make sure the haveged daemon is running and then I use /dev/random (Linux) and take an sha256sum.

Then I scramble the resulting hash, so that the resulting key is not a hash of what was in /dev/random but has the same number of each hex digit that was in the resulting hash.

I scramble it between 7 and 20 times (random how many).

I figure in the event there is a bug with generation of /dev/random data - repeated scrambling of the results will probably counter the ability for my key to be guessed.

Generation is done in /tmp which is mounted tmpfs - so that none of the data generated is ever written to disk.

Generate public key, print it to direct connected printer, wipe the print buffer.

-=-

For keys in my software wallet I just let the wallet do its thing. But I don't like to keep a lot of value in an Internet connected wallet.


Title: Re: How do different softwares compare when generating random private keys?
Post by: fbueller on July 24, 2014, 12:53:59 AM
If your process is deterministic it adds nothing, and if carried out by a human, it's probably introducing a bias. Why not use standard key stretching, like HMAC or PBKDF2?


Title: Re: How do different softwares compare when generating random private keys?
Post by: ANTIcentralized on July 24, 2014, 04:23:26 PM
None of them should be using a "library", as if they were, the keys would not be random.

They should use a RNG that randomly chooses a private key and calculates the associated public address to that private key.


Title: Re: How do different softwares compare when generating random private keys?
Post by: virtualx on July 24, 2014, 09:05:44 PM
Quote
I want to generate some private keys in an offline computer and I was thinking how do all the different options like bitaddress, multibit, etc compare in terms of generating random private keys offline.
Are they all the same, like using some kind of library?
I think I'm going to install multibit offline and make it generate the private keys for me, so then I can print the private keys to make some sort of paper wallet. What do you think of this approach?

It really depends on the software. On the programming level you can choose to use the default system libraries for random number generation. Sometimes developers make their own random number generators based on user or signal input, such as mouse movement, camera movement, sound etc. I'm sure multibit uses a Java random number generator.


Title: Re: How do different softwares compare when generating random private keys?
Post by: Abdussamad on July 24, 2014, 09:43:09 PM
They all use system libraries. No one is going to reinvent the wheel here. If Armory is getting entropy from other sources then it is mixing that in with the entropy it gets via system interfaces. Adding more entropy, even low quality entropy, doesn't hurt.
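
The approach discussed in the posts above (OS random pool, extra input mixed in, HMAC as the mixing step), as an added example that is not part of the thread and is not Armory's, bitaddress's or MultiBit's code. The function names, the use of HMAC-SHA256 as the mixer and the timing samples standing in for keypress data are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

# Order of the secp256k1 group; a valid private key k satisfies 1 <= k < N.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def mix(os_bytes: bytes, extra: bytes) -> bytes:
    """HMAC-SHA256 keyed with the OS randomness, computed over the extra samples.
    If os_bytes is unpredictable the output is too, whatever `extra` holds."""
    return hmac.new(os_bytes, extra, hashlib.sha256).digest()

def new_private_key(extra: bytes = b"", os_random=secrets.token_bytes) -> int:
    """Draw candidates until one lands in [1, N-1] (rejection sampling)."""
    counter = 0
    while True:
        seed = mix(os_random(32), extra + counter.to_bytes(4, "big"))
        k = int.from_bytes(seed, "big")
        if 1 <= k < N:
            return k
        counter += 1

def to_wif(k: int, compressed: bool = True) -> str:
    """Base58Check encoding of a mainnet private key (version byte 0x80)."""
    payload = b"\x80" + k.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    num = int.from_bytes(payload + checksum, "big")
    out = ""
    while num:
        num, rem = divmod(num, 58)
        out = B58[rem] + out
    return out  # payload starts with 0x80, so there are no leading zero bytes

def timing_samples(n: int = 16) -> bytes:
    """Constructed stand-in for keypress/mouse timestamps: low-quality extra input."""
    return b"".join(time.perf_counter_ns().to_bytes(8, "big") for _ in range(n))

if __name__ == "__main__":
    key = new_private_key(timing_samples())
    print(to_wif(key))  # run on the offline machine only
```
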


Title: Re: How do different softwares compare when generating random private keys?
Post by: AliceWonder on July 25, 2014, 06:52:08 PM
Quote
If your process is deterministic it adds nothing, and if carried out by a human, it's probably introducing a bias. Why not use standard key stretching, like HMAC or PBKDF2?

If that was at me, the process isn't human.

Shell script takes sha256sum of /dev/random - then picks a random number between 7 and 20 and scrambles the characters that many times so that the end result is not a checksum of what was in /dev/random.

Once would probably be enough but 7 to 20 doesn't hurt.

I make a bunch and print them, stick in envelopes. It works, is simple, and is secure. No need to do anything fancier.

If there is a security flaw, it would be because someone had physical access to the envelopes where the private keys are. Or the printer buffer isn't properly cleared.
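
What the scrambling step described in this thread does to a digest, as an added example that is not the poster's shell script: a shuffle keeps the count of each hex digit, so the keys it can produce from one digest are the distinct orderings of that digit multiset. The function names are hypothetical, and drawing the shuffle from the OS random pool is an assumption, since the thread does not say what the script uses.

```python
import hashlib
import math
import secrets
from collections import Counter

_rng = secrets.SystemRandom()  # assumption: the shuffle draws from the OS pool

def scramble(hex_digest: str, min_rounds: int = 7, max_rounds: int = 20) -> str:
    """Shuffle the digits of a digest a random number of times (7 to 20)."""
    digits = list(hex_digest)
    for _ in range(_rng.randint(min_rounds, max_rounds)):
        _rng.shuffle(digits)
    return "".join(digits)

def arrangement_bits(hex_digest: str) -> float:
    """log2 of the number of distinct orderings of the digest's digits:
    len! / (c_0! * c_1! * ... * c_f!). This caps what the shuffle can contribute."""
    ways = math.factorial(len(hex_digest))
    for count in Counter(hex_digest).values():
        ways //= math.factorial(count)  # exact: every partial quotient is an integer
    return math.log2(ways)

if __name__ == "__main__":
    digest = hashlib.sha256(secrets.token_bytes(32)).hexdigest()
    key = scramble(digest)
    print("digit counts preserved:", Counter(key) == Counter(digest))
    print("orderings of this digest: 2^%.1f" % arrangement_bits(digest))
```

The count of orderings is largest when all sixteen digits appear four times each, which gives about 2^222.6, so the shuffle alone can never span the full 256-bit range.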