Bitcoin Forum

I just released some of the magic that goes into physical bitcoins: a generator for those little round key circles I put in my coins.

How it works:
1 - download latest Casascius Bitcoin Address Utility (either on github, or https://casascius.com/btcaddress-alpha.zip)
2 - generate some keys
3 - print physical bitcoin inserts!

I made it so you can generate key circles with Minikeys, regular keys, or two-factor Encrypted Private Keys.  Minikeys are 30 characters and fit in a single circle.  Regular keys are 51 characters and two-factor encrypted ones are 58 characters, these print on a two-circle shape that you fold in half.

Each sheet gives you 8 keys, and gives you a QR code for the bitcoin address.

I added one more thing, and that's something called "confirmation codes".  A confirmation code lets someone who ordered a two-factor passphrase physical bitcoin verify that the address they were given is really protected by their passphrase, without giving them access to the funds.  So... I can sell a two-factor physical bitcoin with YOUR passphrase, and also give you back a "confirmation code" that allows you to independently calculate the bitcoin address that went inside your product.  It allows you to prove that I didn't just give you an address of my own.

Of course, with this generator, the genie is out of the bottle, and you could create your own physical bitcoins yourself.

Nice. Thank you.

Yay! Your roll-your-own coins just got a bit more valuable... Not that I don't trust you, but I prefer not needing to ;)

Mike, this is perfect. I'm speechless about the impact you have had on bitcoin. So many more people are learning about bitcoin from the coins I have been buying from you. The light just turns on for them when I whip one of them out!

Thank you for releasing this, now I feel silly for asking for more of the private key circles.

Important thing I should add: for cutting out circles you really want is a hole punch meant for train tickets that punches the right diameter of holes (about 10mm)

I searched high and low in the US and a company called M C Mieth Manufacturing had one.  That was long ago before I gained access to a laser machine that I now use to just bulk cut keys by the thousands.  If you are just doing a few for fun, then scissors will work fine.

EDIT: here is a link: http://ticketpunch.net/index.php/vmchk/Large-Die-Punch/Large-Round-Holes-up-to-1/2.html - I bought the 3/8" version and it fits all of my coins and bars.  You do NOT want the reservoir option - it will get in the way of aiming the tool at the text on the key.

http://ticketpunch.net/components/com_virtuemart/shop_image/product/Large_Round_Hole_4dec93060fcbf.gif


No problem!  The key circle you print yourself is inherently a better one anyway.

Now I will have to make a report that prints more than 8 of them to a page, but that'll come later, it's my bed time.

I will probably up my minimum order quantity of the roll-your-owns and decrease the price...

Just pushed a couple quick bug fixes, including fixing an inability to print more than 1 page worth of keys at a time

Downloaded, Unzipped, Clicked "wallet generator" and it crashed...

What's the error you get?  Does it say?

Also what version of Windows, and what country and language edition (if not English)?  I have seen instances where the Microsoft crypto routines refuse to run because they don't like what country you're in or what edition of Windows you're running.  I have removed many references from Microsoft crypto in favor of Bouncy Castle to prevent this nanny sitting, but there are plenty of spots that still refer to the MS crypto.

Also, where is "Wallet Generator"? this is something I had on a much earlier version of this utility, but currently I don't believe I expose access to the screen named that, since I made a better one.  What do you see when it runs?  One big white empty box, or a bunch of little text boxes and arrow buttons?

Its working fine for me. Windows 7 64-bit.

Cheers casascius, you the man :)

OK - I figured it out - largely with this helpful reply.  I had put "source.zip" at the download link instead of "btcaddress.zip"

"source.zip" is the inner zip file that contains the source code, but also apparently contains an older version of the binary and none of the dependencies.  It made it into the source directory as I was a while ago experimenting with compiling from the command line using the stripped down compiler that comes with the runtime, instead of the whole toolchain.  "btcaddress.zip" contains the binary, dependencies, and source.zip within it.

Try again.

In a nutshell:  Alice and Bob.  Alice wants a 2-factor physical bitcoin, and Bob is going to make it for her.  Alice doesn't want there to be a way for Bob to steal her money.

Alice picks a passphrase.  She uses the "Intermediate Code Generator", enters the passphrase, and generates an intermediate code.  An example of an intermediate code is: passphraseoRryVSRbiHXimnSbXSgh7fsq3u3tx1vgZPs9myhhuVUDftcLBVSGxGZY99JwbW (passphrase for this example was ''Fizzie Gullbits'')

She gives this to Bob.

Bob goes to the Generate Addresses screen, and generates some addresses using the intermediate code as the passphrase.  The utility automatically acknowledges this is an intermediate code (important!).  It generates some addresses and encrypted private keys.  Bob can see the Bitcoin address, but importantly, can't get the private keys or spend the funds without Alice's passphrase.

Bob prints key circles and confirmation codes (they come out on the same page).  Bob cuts out the key circles and inserts them into the physical bitcoin product.  He sends the product and the confirmation code to Alice.

Alice has the option of entering the confirmation code into the Confirmation Code Validator.  She doesn't have to, but if she does, she can confirm that the bitcoin address Bob gave her is really encumbered by her password.  (This prevents Bob from giving her his own bitcoin address and running with the money).  She has to trust that Bob really put the right private key inside the physical bitcoin product and didn't commit a "fail" in doing so, but at least she can be assured that there is no way Bob can take the money she sends to the physical bitcoin's address.

A confirmation code example is cfrm38V5qFs3BhUVjxeGnxwV3LH63oyaqRwm8Q9P8CsFchFKDaknBGyUMExvhNm4FCL9XJC8bsN - when verified with the password "Fizzie Gullbits", Alice can see a bitcoin address and know that, for all practical purposes, this bitcoin address could not have been generated without this passphrase.

In this example the combined bitcoin address was 1NKABYfNEDc7xXLYKyyWNYyYvdHuxKWEcd.  Alice and Bob can both independently verify it.

Thanks, I will give it a go.
I do have a question, it is not probably new, to Bitcoin, if 1000 people are generating addresses at the same time what stops the your system from making 2 identical addresses on alternate systems?

Same thing which prevents 2 random bitcoin users on the planet from making the same address.

The simple version is 2^256 is much much much larger than you think.   A billion users, each generating a billion keys a year for a billion years has a ~0% chance of producing a duplicate.

Sharing is caring. Though I'll go ahead and order 50 from you for friends and family for buy random material things day.

This assumes that all users are using a method that generates adequately random keys.  If they use some deterministic method and use the same starting point for their determination, then they will have a 100% change of producing duplicates. As an example, if I use

echo "Danny" |shasum -a 256

on my Mac to produce my private key, and someone else named Danny comes up with the same idea, we will both have access to the same bitcoins.

Well this program does the private key generation for you doesn't it?

True, as long as Casascius has used a reasonable source for randomness then using the Bitcoin Address Utility should have a ~0% chance of an address collision.

Very cool, thanks man.

I will be using this to give away as gifts to people for the holidays.

Not being much of a programmer, could someone explain it to me (like I'm 10 years old) the randomness of the algorithm?

How likely is it that someone can analyze the code and predict what keys will be generated?

I mean, are we looking at this:

http://imgs.xkcd.com/comics/random_number.png

(lifted from here http://xkcd.com/221/ (http://xkcd.com/221/))

Mike, you're awesome.  I've already used the two factor in your newest utility to do an escrow transaction with somebody.  This is awesome.

I have been doing a mix of the following (working on making it more consistent)

1 - Using SecureRandom from the BouncyCastle dependency
2 - Using SecureRandom from .NET's System.Security.Cryptography
3 - Doing both of the above while XORing the bytes with "extra entropy", formed mainly from hashing a buffer that grows when the app receives events (mouse moves, timer ticks, etc. cause the system tick count to be appended to the buffer) and gets chopped down when it gets too big, by being replaced with a hash of itself.

How did that work?  I am guessing you sent funds to an address neither of you had access to, until one of you ceded your key material to the other?

Just curious, did your deal involve checking the confirmation code to verify the address was indeed encumbered?

Started to post exactly this myself. You're too fast for me mike!

Pretty cool.

There seems to be a bug, but im not sure:

I start the program, enter an (encrypted) key: 6PfRj9PLSPfGW9z5iKKyaVyKFvWScDhxvYjhtghhi9dVk8vAUngZD9RL6V
I click for details: the address utility opens.
I enter the passphrase "topsecret", and it calculates the hex/hash
Everything ok so far.
Now i click "Print Banknote" an i get an error message    
The same when i try to safe the "Address List" i get the message: Address not available

I don't know what the word "encumbered" means in this sense.  We both just verified that we did indeed got the same public address, then I sent funds to that address.  He performed agreed upon service.  Then I sent him the private key for my address (a throwaway created just for that transaction).

I still don't know the private key for the "escrow" address, but the money was moved out of it, so I know he got it.

Edit:  Oh, we used the Key Combiner, not the confirmation thingy.

Edit 2: oohhh I was using an old version.  this confirmation code thing is super awesome.

Edit 3:  Is there a way to get the confirmation code without printing the physical coin insert?  I can't find any other way.

This is a bug in the sense that I'm mishandling what to do when this happens, but there's a fundamental problem: the key is encrypted and the program doesn't know the address.

Despite you decrypting it in the address utility, the program doesn't hold on to the password for the benefit of the printing part.  The print utility does not know the address of an encrypted private key unless you actually generated it within the program.  I would either have to add a prompt to collect that from you, or refuse to print at least the address.

By this, I just mean that the funds themselves are unmovable until the restriction is satisfied.  I might have been more clear had I just said "restricted".

I suppose it's confidence building for the sending side to be able to have something tell him, in green bold print, "yes this address is safe and is half yours".  The "intermediate" and "confirmation" are little more than the same operations of the multiplying key combiner itself, wrapped in a pretty container with salt, some encryption, and some self-defense against typos. 

Is there an easy way to get the confirmation code or do I just have to print the insert?

I will have to add one, now that I'm aware of this as a suitable application.  There isn't any way currently exposed other than that.

As a stop gap, if you're able to print to PDF, do that.  But I'm sure it'll get added soon enough.

Yeah, that's exactly what I did, PDF then just text copy.  Worked just fine, just a minor pain.  Still, friggin awesome!!!!!

I'd like to import my (encrypted) keys and print them with the utility. Will you add this option to the next release?

This is ridiculously cool crypto! Some requests:

* help | about, version

* a viewable dir index showing all previous versions and a symlink from btcaddress.zip to the latest version.

* some way to automate notifications of all future updates: rss blog feed, official forum thread, etc.

* a bitcoin donation address 8D

Will there ever be support for these functions in linux, either gui or text?

    I'd like to import my (encrypted) keys and print them with the utility. Will you add this option to the next release?

(Thanks a lot for that useful utility. Donation is coming)

This is very generous, Casascius.  Thanks!

I'm not seeing a license file anywhere. What license is the source code released under?

GPLv3

It will run with Mono or Parallels

Is it generally possible to generate the corresponding namecoin public key from a bitcoin public key?

I assume you mean namecoin address vs Bitcoin address (public keys are the same for both)

Use my Utility, the Address Utility screen

Put the Bitcoin address in the bottom box and hit the up arrow to get the Hash160

Then switch the selection dropdown from Bitcoin to Namecoin. Then hit the opposite arrow to go from hash160 to address and you will get the namecoin address.

sweet! works like a charm. Had played with your tool just today but did not realize it was so easy.

The reason why I am asking is a sendbtctoname function for namecoin using a shared key. Should be easy to implement.
Found an alternative in the meantime, through sendbtctoalias: https://bitcointalk.org/index.php?topic=83793.msg1500895#msg1500895