Bitcoin Forum

I've got a conundrum:
What's the best way to generate bitcoin notes securely, assuming that I don't trust myself?
I've read the https://www.casascius.com/controls.aspx (https://www.casascius.com/controls.aspx) "Statement of Controls" as a starting point, but as a matter of pedantry, I don't want to see the private key.

To create the notes, I do the following, which I don't consider to be an issue for the purposes of this discussion:

• On an offline PC, generate bitcoin notes using the Bitcoin Address Utility.
• Print them to paper.
• Export list of bitcoin addresses (not private keys) to USB
• Secure Erase hard drive

However, the issue is the next few steps:

• I guillotine each note, face up so I can see where to cut - The private key is facing me during the slicing.
• Take the list of bitcoin addresses, and mail-merge onto Avery Sticky Labels with human readable and QT Code.
• For each note, I place between a piece of black folded card. (So that it can fit into a DL Sized Windowed Envelope)
• Find the appropriate label for each note, and adhere to window position on card above  -Private key can be glanced
• Put folded card, containing note into windowed envelope, so address/QT code are visible from the outside.
• Adhere a tamper-evident security hologram (with individual serial number) across envelope seal

As you can see, there are a number of stages above I can view the private key!

Is there a way to mitigate this problem?
For example, is there secure note generator which can create a single bitcoin note on an entire sheet of A4, A5 etc...), with all the private details are on one side, and the address on the other, and when folded, it will be visible through the envelope window?

>I guillotine each note, face up so I can see where to cut - The private key is facing me during the slicing.
you can print the paper double sided. one side has the keys, and the other has the cut lines

Split the work into a 2 man process? Use BIP 38 and have the note itself contain two individually sealed parts, one for each person's information (the encrypted key and the password).

If the private key is "a", public key is A = a*G.

Now you want to order some printed coins and limit trust in people who print them. You generate two pairs of keys:

Secret a, public A and secret b, public B (A = a*G, B = b*G)

To three different companies you send 3 orders (1 order per company):

To company 1: print private key "a"
To company 2: print private key "b"
To company 3: print address RIPEMD160(SHA256(a*b*G))

When you receive the papers, your complete bill will consist of 3 pieces (individually sealed if you want): private key a, private key b and address. To spend money you need to read both private keys and multiply them (a*b).

You can extend this idea to using random number of keys: from 10 to 20 and send those orders independently to the single printing company. If the company is not intentionally dishonest, at every stage no one will see all the keys at once, but even if someone leaks and tries to find matching collections, it should be high-order polynomially slow + good company will prevent all keys from being leaked. At least, a portion of keys will be leaked from a malicious employee, which should be generally not enough to reconstruct the full key. Also, the company may inject extra "honeypot" keys for its employees with small amounts and later cryptographically prove they the only way the money was spent from those keys is because particular employee has leaked it. From time to time, these amounts can be withdrawn and sent to new honeypot addresses.

Anyone purchasing a physical spendable bit bill knows that a malevolent creator can know the private key data contained in the bill, and there must be trust in the creator. Nothing can make a spendable/redeemable independent store of bitcoin more trustworthy than the trust placed in the creator, since all the secret information enabling spending must be known by the creator to create the bills. "Being able to glance at the key" is not a concern for the purchaser, as they know you can do so.

To earn such trust, you must have procedures to effectively remove the private keys from anywhere they were used except the printed bill. I see a few problems in your original post:

1. USB/flash memory is not reliably erasable, you should only trust rotating hard drives supporting the SATA secure erase feature (and know how to use it (http://cmrr.ucsd.edu/people/Hughes/SecureErase.shtml)).

2. Private key data should not be stored anywhere but the securely erasable media.

3. Access to private key data should not be extended to any printing company or any individuals other than the trusted person.

4. You must make detection of the private key more difficult than a note in an envelope (unless you are making your envelopes out of sheet metal). Anything that circulates as currency must not allow even the most determined man-in-the-middle to observe the private key or create a facsimile of an unredeemed note after obtaining it's key.

To solve this exact problem, I am making an open source kit for secure paper wallets.

It solves quite a few of these issues for you:

- Pre-printed sheets on high-quality paper, with nice design, BUT NO KEYS
- You feed sheets and print keys, using an offline generator
- PERFORATED so you can cut easily
- Kit comes with security stickers. These are opaque coatings, over transparent tamper proof sticker. Once it's on it cannot be removed without destroying. Or scratch-off to reveal the code
- Paper note has an optional tear-off stub with duplicated area for backup keys. You can print two copies of the keys, and store the tear-off stub in a second location

The whole thing will be open. You can buy it online as a kit, or you can use the same suppliers and print it yourself, or you can make a franchise and re-sell the kits.

Interested?