Bitcoin Forum

So I've had this old Android phone laying around for ages and I kept thinking, what could I do with this? I decided one day that a simple app combined with airplane mode would make it an ideal offline brain-wallet, but no such utility seemed to exist. I finally got tired of waiting for someone else to get around to it and built it myself.

I introduce to you, the Android Bitcoin Address Tool (https://play.google.com/store/apps/details?id=com.CIMS.BitcoinAddress&feature=search_result#?t=W251bGwsMSwxLDEsImNvbS5DSU1TLkJpdGNvaW5BZGRyZXNzIl0.):

http://lh3.ggpht.com/Re2rM7esdbvrgQ_ED6ziY0wAJAI1ZvCGRQJ7fexsvO5sZKHWJ8QJd1Dts7ZpK_XaUBJP  http://lh3.ggpht.com/Cxan6DY5mhiYRV0VDO0KQaBITVGR1wRE9dSqaaONCwhb-91kQzOEtdRw4ScXzk7-mIs

It's pretty basic, but it does exactly what it was built for - it produces a Bitcoin address and associated private key from the an SHA256 hash of a passphrase. I also went to great lengths to ensure that the operations are bit-for-bit compatible with Casascius' already existing Bitcoin Address Utility (https://github.com/casascius/Bitcoin-Address-Utility) as you can see from screenshot #2:

https://lh6.ggpht.com/CozSc3JjNgdncYojQzG6Z8hjsSB6zSlILAzmgcEfqiXvbvK3pnWpUHUN1rLTNOTrOw

Same passphrase, same results.

It should be noted that this is very young code. I've done my best to trap for errors but it should be considered beta and just as with Casascius' utility, no warranty is implied. I also haven't implemented any code to validate Casascius-style SHACodes (Mini Privkey Format), so if you don't type your code correctly, that's on you.  ;D

Want to support the project? Donations of BTC are accepted at the address in my signature, or there's a 99 cent donation version (https://play.google.com/store/apps/details?id=com.CIMS.BitcoinAddress_Donate&feature=search_result#?t=W251bGwsMSwxLDEsImNvbS5DSU1TLkJpdGNvaW5BZGRyZXNzX0RvbmF0ZSJd) available in the marketplace.

Want to peek at the source and make sure I'm not some nasty trojan-planting H4XX0R waiting to steal your wallet? Go grab my code from the GitHub repo (https://github.com/enmaku/Android-BTC-Address-Tool) and poke through it yourself (or wait for / bribe someone else to do it). BitcoinJ et al carry their own licenses of course, but my own code (the stuff in the .java files as opposed to .jar) carries a "do whatever you want with it I really don't care" license.

Questions? Comments? Feature requests? Shoot me a reply or PM and I'll do what I can - or in the case of feature requests, feel free to fork it yourself if you know a little Java.

Reserved for future updates.

Very awesome...

Where to take this next: a two-factor savings wallet generator for average folks - you're already pretty much there!

How that would work:

1. User chooses passphrase in your app.  It generates a keypair just like your screenshot shows.  You add a quick function to send the pubkey to an e-mail address so they can get it on their computer.
2. They do the same thing on their computer, possibly with a web-based application.  They choose a second passphrase and provide the pubkey created in step 1.  The web-based application produces a Bitcoin address, which is associated with two passphrases.  The two pubkeys, of course, are merged by way of ECC multiplication.
3. Ideally the user will want some way to confirm that the produced address was legit. (An idea for how that might work follows)

The user can have a high level of confidence that the Bitcoin address they just created is secure from hackers and malware, and can be recovered simply by providing both passphrases.  A successful attack would require interception of the passphrase/privkey from both devices, which is pretty damn difficult!

User validation that the address creation was legit:
1. The website and phone app could accept the second passphrase to demonstrate its ability to come up with the same Bitcoin address, and then warn the user that they should not use either passphrase for any real money, since the goal is to never let any one machine know both passwords until it's time to spend.

Are you talking about multi-key or multi-signature transactions? I don't know enough about that particular functionality to implement it, even on the PC side, but I can confirm that adding sharing capability to some or all of the information on that screen is on my to-do list. I just wanted to put this in the public's hand ASAP, it'll be refined significantly in the future.

Nope, just exploiting properties of ECC math to create a single key that both sides can agree on, but neither side knows the public key to, unless it has both private keys.

Basically how it works: you are probably aware that to create a public key from a private key, you multiply a number (the private key) by a constant G (which is an ECC point).  This step remains unchanged for the first party.

The first party sends that public key to the second party.  The second party also creates a private key, but instead of multiplying it by G, he multiplies it by the public key received from the first party.  The result is a new composite public key for which neither side knows the private key.

The math works two ways: if second party sends the public key to first party, who uses it in place of G, they will yield the same composite public key.

I believe (someone correct me if I'm wrong), the way to get the private key that corresponds to the composite public key, is to take the two private keys (which are integers), multiply them together, and mod them by some very large constant.  The result (another integer) is the composite private key.

I think I see what you're getting at, and your assumption that I have a fair grasp on ECC is definitely correct (http://codinginmysleep.com/2011/12/rubber-ducking-elliptic-curve-cryptography/), I'm just not entirely sure how to actually implement that functionality in real code. Practically everything ECC-related I've dealt with thus far has been happily encapsulated in simple little libraries - I've never actually had to do the scalar multiplication myself. Perhaps some day when I have the time to do serious digging, I can implement this, but I'll be honest enough to say that I don't have the skillset to start on it just yet.

You don't actually do the ECC multiplication yourself - but you'll notice you call on the library to do it.  Look at whatever line of code takes a private key and turns it to a public key.  Chances are you're calling a "multiply" function out of a library, and you're passing it a constant called G (which came from the same library).

All you do is replace G with something else.  That "something else" is a public key.  G is the same "type" of data as a public key... in fact, the constant G is nothing more than the public key you would get if you used the number "1" (0x00000000000000000000000000000001) as a private key.

I am not sure what you mean by never having done "scalar multiplication" - this is normal multiplication - see, 5*10=50...that's scalar multiplication.  To combine two private keys you just do normal multiplication and division (using a bignum of course, to account for the fact that these numbers will be too big to fit in an int or float or whatever).

This actually doesn't work very well. But a very slight change makes it work perfectly:

1) The first party generates a private key (S1) and a corresponding public key (GxS1). It passes (GxS1) to the second party. It stores S1.

2) The second party generates a private key (S2) and a corresponding public key (GxS2). It stores S2.

3) The public key you use is the sum of the two public keys (GxS1 + GxS2). For OpenSSL, EC_POINT_add does this.

4) When you need the private key, you use (S1+S2) modulo the order.

This works because Gx(S1+S2) = GxS1 + GxS2. Neither party alone can get the needed private key.

Update: Actually, now that I think about it, it might work. But the way I mentioned above is simpler.

Makes sense! Conveniently, I see this in BitcoinJ's implementation of ECKey.java


So now all I have to do is copypasta this over to my codebase, import all the things, then play trial and error for an hour to get it to accept pubkey #1 in place of params.getG() if I'm understanding you correctly. Oh and implement the multiplication and modulo you described for the privkeys, unless you got that math wrong, which should be pretty trivially testable.

interesting...

Even easier then, SpongyCastle (BouncyCastle for Android, because Android lacks a native ECC implementation) has ECPoint.add so all I'd need to do is add S1+S2 % order (is the order typically notated N for ECC or am I thinking of something else?)... I think... God, ECC math makes me feel like I missed an important day in high school algebra...

Could you then present this address as a QR code so a live phone or other device could send coins to it?

Already on the to-do list, I'm currently poking around with the zxing QR code lib and should have something cobbled together soonish!

Pretty sweet!  Thanks for this.

Nice work! Use it to cash in on my Buried Keys! Seriously though, the smartphone/brain wallet combo has so much more potential. This is a great start!

How can you copy the generated priv key or address ? Please, may the answer not be "by hand"  ::)

That could easily be a qr code as well.

At the moment, with your eyes and your fingers, anything else would break the "no communications with the outside world" rule of paper wallets, but I am working on making a QR code as we speak, might not get to finish it today but soon.

Damnit. And if you make it a textbox ? We could easily copy the contents by long pressing it.

EDIT: 1 bitcoin going your way right now if you do it :)

This addition method has a vulnerability that allows the 2nd party to send a rigged public key that appears kosher to party 1 but permits him to steal the funds. Has been discussed in other threads. Multiplication is the only safe way to go.

The vulnerability depends on the fact that ecc addition is reversible. Ecc multiplication is not reversible and breaks the exploit.

This seems like a decent compromise until I can get QR codes working, give me a few and I'll see what I can do for ya.

A few... hours or minutes you mean ? Cause i only have 1 bitcoin atm

To edit this into the code and update on GitHub? Minutes. To export and sign new APKs, upload them to Google and wait for those changes to be pushed via updates, that's up to Google but I can tell you it usually takes an hour + for those changes to show up.

Got it, bitcoin sent so you don't get to think i'm jerking around. Thanks

Tips are always appreciated. Updates have been pushed to both GitHub and Google Play with these changes. No guarantees on how long it'll take for the changes to show up in the latter, but the new code is live on GitHub now. Screenshot in first post has been updated to reflect the change.

QR codes will have to wait until tomorrow  ;D

Do you have a link? Because I have a proof that anything that breaks this algorithm would be a general break of ECDSA. Obviously, if there is such a vulnerability, the proof must be incorrect and I'd love to figure out where it's invalid.

Here's the proof:

Call the honest party's private key H. All the honest party reveals is GxH.

Call the dishonest party's private key D.

The public key of the combined key is GxD + GxH. The private key of the combined key is D+H.

To break the private key, the dishonest party needs D+H.

If the dishonest party can calculate D+H, then he can calculated H by subtraction, since he chose D.

Thus, the dishonest party can calculate H, given only GxH.

Thus the dishonest party has broken ECDSA entirely.

Maybe the vulnerability involves the equivalent of an infinity point? Doesn't multiplication have precisely the same problem with zero?

Honest party chooses key H and gives GxH

Dishonest party should choose key D and give GxD

But instead he gives GxD-GxH

Honest party calculates the sum key by adding GxH to it and sends the funds

GxD-GxH+GxH = GxD

Dishonest party steals them with private key D

This scam is rendered impossible with multiplication as there exists no way for dishonest party to calculate GxD "/" GxH

A telltale sign is dishonest party will never know private key for the pubkey he calculated and gave.  He will not, for example, be able to sign a message with the pubkey he gave, when doing this scam, when otherwise he would.

Thanks enmaku, you rock dude, now i'm able to "whisper" the bitcoins to anyone, by using words  ;D

Casascius keep up the good work man. Have to say I was running around your program for quite some time without really knowing how to use it, but it was there thanks to you.

Well, technically you could do that before, I just made it a bit more portable. ;)

Thanks, though, this has been my first Android project in quite a long time. I've been so busy coding for work that it's been ages since I just wrote something because I felt like it. Here's hoping I don't wait that long to code for my own purposes ever again!

Wow! I didn't mention that the two initial messages in this protocol must be signed. That was really careless of me. Had someone implemented this without that, they would have been vulnerable to precisely this attack!

With the messages signed, he can't give GxD-GxH, since he doesn't know the corresponding private key. His attempt to sign the message giving it would fail. These messages are analogous to certificate requests and must be signed for the same reason.

Nice catch.

By doing that you have doubled the payload that must be exchanged: now you must exchange a pubkey and a signature.  And must validate the signature, etc.

Doing ECC multiplication makes that all unnecessary.  It isn't that much more complicated, you're just calling a different operation in the same library.

The vulnerability wasn't my catch, I just parroted it from another thread when someone else explained it to me (I made the same proposal you did once upon a time).

http://i.qkme.me/3pn2wf.jpg

In all seriousness, though, if someone could take a glance over my code I'm having issues with zxing's QR codes.For some reason it generates these nice aesthetically pleasing QR codes for all the Base58 values - they're large enough to be scannable, they render roughly the same size as the textboxes, it's nice. Then for the hex value it produces what looks like a 30x30 QR code surrounded by a mile of whitespace in its 80x80 box...

So you have an offline Brain Wallet Android device. Cool cool cool! Now how do we get the private key in text or QR to a paper backup without something going online? Is it possible to photocopy the LED display? Maybe use a camera or camcorder, or Polaroid? I'm sure I'm overlooking something.

Isn't that what you don't want to do?  The thing you want to backup is the passphrase... the private key can always be recreated from it.  It is just plain old sha256.  What I figure you'd want to easily export is the bitcoin address / pubkey.

After I got home and tested I realized that the tiny QR codes weren't scannable if you have a device with a very small screen (like my old HTC Eris that I'm using for exactly this purpose).

I've made the tiny QR codes clickable and they pull up a nice large full-screen QR code.

Can you explain how this would go, I'm a bit confused. Getting g*a from one and g*b from the other party you can't multiply those as EC aren't a ring. (note that g is an EC point and a, b are integers)

edit: nevermind, missed your post from earlier.

One party chooses b, calculates g*b and sends that to the other party, which chooses a and sends g*a back. Both parties can calculate the public key (g*a)*b = (g*b)*a, the secret key is a*b. Is this a correct sum-up? (a, b are integers, g is an EC point)

This would basically be an EC version of Diffie-Hellman key exchange (http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman).

Yes. You just have to watch out for the equivalents of 0, 1, and infinity if the two parties don't trust each other. There are no caveats if the two parties interests are aligned in securing the combined key.

And after a long battle with onActivityResults not wanting to fire correctly, I've now added QR scanning capabilities to the "Passphrase" field, so you can scan in SHACodes from coins, bitbills, paper backups, tattoos, etc.

Nice.

Glad you like it! Now if I can just get whoever maintains the blockchain.info app to add QR->WIF import functionality (MtGox's app already has it, but I'm a blockchain.info fan) I'd have a completely functional system without any compromises  ;D

Some suggestions/improvements for security:

- On the newer androids, the screenshot of the last state of the application is saved when switching programs.
 Unfortunately, there might be no way to fix this when a user switches apps.  Providing an exit button would be an option for those that utilize it.

- When scanning the public key, a rogue QR app scanning app (or a third party person) can see the brainwallet passphrase.
Suggestion to display the QR code with a full screen white background.  Additionally, bitaddress.org has a hide/show password for the brainwallet, can add a checkbox to show typed passphrases as ********.

-Lock the screen orientation upon startup, or do not allow a change in screen orientation to exit the QR code on fullscreen.  Again, a rogue QR scanning app, trojan with webcam access, or third party human will see the brainwallet passphrase and privatekey.

Can you consider making one app (or two separate apps) that replicate the features of bitaddress.org and brainwallet.org.

I'm not familiar with android development, but all you need to is package the github html and javascript files and the app is just a no permissions no internet access browser.  You start the app, choose brainwallet or bitaddress.  And voila, an offline version!