You have 6.35977462 BTC @
Address: 17oYuaq5LYp4aEgx7ShnLk94PhV3WM1qLS
https://blockchain.info/tx/96d59c9a52d2931bcba954354c763eec5a66835f617a2830fe3a7cddedb7120e
txid: 96d59c9a52d2931bcba954354c763eec5a66835f617a2830fe3a7cddedb7120e
Output index 0

You have 0.28966627 BTC @
Address: 1kS4YvpoEz3PSoL4uqCSZhHyzTkMZ618n
https://blockchain.info/tx/b3381d7534cddd0c33d341a738d0002379eb6e1c14837928e842c7779362f9f4
txid: b3381d7534cddd0c33d341a738d0002379eb6e1c14837928e842c7779362f9f4
Output index 0

You have 9.24199431 BTC @
Address: 1PzGwvF95UpA12a9ac7KAaR4C2BzsL5Ush
https://blockchain.info/tx/fccdd481d31ed559f44507625e1fc9974b67e3c733e6e31df34fee313f08d331
txid: fccdd481d31ed559f44507625e1fc9974b67e3c733e6e31df34fee313f08d331
Output index 0


Total comes out to 15.8914352 BTC.

That is exactly what your balance said BEFORE the erroneous transaction, AND all three of the above inputs show on blockchain.info, blockr.io, AND insight as being "Unspent"

Your coins are there. Just tell MyTrezor to "forget my device" and then reconnect your Trezor. It should re-scan the blockchain for transactions and this time it WON'T find your erroneous transaction.

Edit: Please make sure you have your phrase written down as a backup.

1. Assuming you keep a record of which index you gave to whom, I see no problem.

2. 2,147,483,648 keys per MPK (remember, in HD wallets, any pubkey can be turned into an MPK... so basically limitless... but for 1 single MPK, you're limited to a little over 2 billion keys.

3. Depends on exactly what you want to do with the addresses. Giving out for simple payments, fine... just NEVER GIVE OUT A SINGLE PRIVATE KEY TO ANY OF THOSE ADDRESSES. (Remember: 1 MPK + 1 private key of an address generated from it = the Master Private Key for that MPK can be calculated.)

5karartma1karatma2karartma3karartma4karartma5karart

This is an invalid WIF private key.

"spend from cold storage" is only the first time.

Each successive time is "spend from storage you think is cold unless you have some vulnerability in your phone that some hacker is logging your RAM with, in which case it's such a hot wallet that the sun don't got anything on it."

If you want to spend from cold, you need to look into Bither, where the cold storage is an offline phone/tablet device.

delete the folder.

Just make sure you have your seed backed up.

Two factor wallet != a single master pubkey.

You created a watch-only wallet WITHOUT two factor auth... it only makes sense that the hot wallet will ALSO not have two factor auth.

Restore your hot wallet as a standard wallet (no two factor) and it should generate your addresses (assuming the watch-only wallet is the corresponding master public key)

breadwallet is compatible with Hive-JS (their web interface which stores keys locally in your browser encrypted.) or Hive-iOS.

Hive for Android and Hive for MAC OSX are not HD.

ggutoski>

https://gist.github.com/dabura667/875bb2c159b219c18885

What about something like this?

Using convention, 2 keys are all that is needed to prevent leakage from a nearly unlimited amount of leaked keys.

Please give me any feedback. I am currently working on implementing in Python.

Another "problem"?

The iOS xRandom process is insanely short.

On Android It takes about a minute (could be my Android is slow) to grab all the entropy...

iOS takes less than a second. The animation of xRandom opens, then shows the camera and transparent icons, then closes almost immediately. I am worried my Hot HDM is weak.


My specs:

iPhone 5
iOS 8.1.3

I gave all permissions to Bither when it asked for them. (right before running xRandom first time)

I tried setting up my iOS HDM with a Cold HDM on Android and it tells me the signed Server QR is incorrect even though I input the correct password on my Android and it gives me the signed challenge QR fine.

My Cold HDM Android is already registered as HDM Cold with another Hot Android HDM.


I am thinking my problem is either:
1. Using the same Cold HDM for multiple HDM setups is not allowed, causing the error.
         - There should be an error message explaining that this is not allowed.
or
2. iOS and Android HDM wallets are not compatible with each other.
         - I think they should be compatible, as many people might have an old Android but not an old iOS >7.0 device.

Edit: The problem was #1. If I wiped my Cold Bither and reset the Cold to a new Cold HDM, the pairing worked.

It's gone.

The only hope you have now is to send the disk of the old phone to a forensics lab to try and recover the keys... however, since bitWallet is closed source... no one can tell you where to look except for the company that made the app.

For future reference: iCloud backups do not store identifying account data for apps... you should have noticed how after an iCloud backup restore he had to log in to everything again, and the only stuff that came over was mail accounts with iPhone's stock Mail app. Only local encrypted backups store login credentials for apps and secret data. (You have to perform a backup with your computer via USB and check the encrypt backup box.)

Lesson learned: backup now. not later.

No need for pseudo code, the actual formulas only require simple algebra to show.

A signature is made using the private key 'd' and a unique private number generated just for the signature which is called 'k'.
These are used to generate 2 values, r and s. A signature is simply an r value and an s value, and it can be combined with the PUBLIC key to verify the private key was actually used to generate r and s.
(G = generator point of the curve (constant);
 n = order of the curve;
 z = digest of the message (aka the message being signed's hash turned into an integer))
 [All capitol letters represent points on the Elliptic curve and lower case letters are big integers]

R = k*G
r = x value of point R modded by n
    (now we have r)

s = k^-1(z + dr) mod n


So now we have r and s.

Now given the public key corresponding to d which we will say is Q.
We will calculate intemediate values w, u₁ and u₂ because we need to mod the integers by n along the way.

w = s^-1 mod n
u₁ = zw mod n
u₂ = rw mod n

Now we calculate the curve point C

C = u₁*G + u₂*Q
The signature is valid if r = x value of C modded by n, and invalid otherwise.

The reason why C = u₁*G + u₂*Q proves this is:

C = u₁*G + u₂*Q

Since Q = d*G we can replace:

C = u₁*G + u₂*d*G

Grouping like terms:

C = (u₁ + u₂*d)*G

Expand the u values to their components that we calculated earlier:

C = (z*s^-1 + r*d*s^-1)*G

grouping the s^-1 and remove from the parenthesis:

C = (z + rd)*s^-1*G

Insert the definition of s (remembering it is to the power of -1:

C = (z + rd)*(z + rd)^-1*(k^-1)^-1*G

(z + rd) crosses out and k flips to power of 1:

C = k*G

Since R also is k*G, you can be certain that if the C point has the same x value as the R point, that the private key was used to generate that s value.


Simple algebra, crossing like terms, grouping things... only tricky parts are when you ACTUALLY TRY TO COMPUTE IT, and include modular arithmetic and EC math.

But tbh as long as you understand that EC addition and multiplication are distributive, so they can be grouped like normal variables and you understand that modular arithmetic is a one way function, then it should be intuitive to anyone who understands algebra.

I don't really understand how you are perceiving multi-sig. Your post doesn't make sense to me... except maybe the last part about the buttons is probably hinting at multi-sig is ALWAYS and ONLY for escrow???... (which is not true)

What I can answer, though, is where the transactions live in the incomplete state:

They are encrypted in a way that only the other signers can decrypt them, and they are stored on multiple Electrum servers (which can be run by anyone, and consists of mostly volunteers).

No.

which block explorer did you use to check the address?

Most sane implementations of reliable multi-sig involve storing the extended public keys for HD chains for all parties, and using methods like BIP45 to deterministically generate and order the pubkeys.

Otherwise you'll just be storing tons of pubkeys.

As for specialized pubkey storage vendors... I don't think there's much of a use case, thus not much of a market.

Sucks being an innovator...

The same code should work with BitcoinJ. .getFromAddress() will return P2SH if the ScriptSig is P2SH

BIP70 supports the wallet returning a "refund address" along with the signed transaction to the vendor.

I would assume it would be possible for the flow to work like this:

1. User clicks BIP70 enabled link.
2. Site sends signed request to a null output. "00" or something arbitrary.
3. This value should indicate that the wallet client just return an empty reply (no transaction) with just a return address.

It's primitive, but rather than try to create a new BIP, using existing BIPs that can provide the functionality would be easier.

This is not true. Electrum 2.0 uses BIP39 wordlists, but seed generation is non-standard, so it is not technically BIP39 compliant.

You will not be able to import BIP39 mnemonics into Electrum.

Thanks for the "Low" fee setting. I will keep it in mind when you guys get multisig running on iPhone.

One more suggestion: Allow for an "independent cold HD" option.

So your cold device can serve 2 purposes:
1. backup key and bitID key for HDM
2. cold key for HD derived single use addresses (start with 1)

Of course, you will want the derivation paths for 1 and 2 to be different. (m/.../x/... for one and m/.../y/... for the other, for example)
But since you will be keeping it cold anyways, you might as well use it for cold storage address generation (with easy backup!) AND backup key for HDM.

I think Bither can be a good wallet for users of all skill levels, however, I think maybe a few things could be smoothed out or hidden from user by default to create more smooth user interface for beginners.

Maybe default it into a "simple mode" similar to breadwallet with just a QR to receive and a button to read clipboard or start QR scanner... then add option to revert to old GUI with all options all over everything.

Anywho, just spouting out ideas.

Can't wait for iPhone. Thanks guys!