Bitcoin Forum
September 24, 2018, 10:41:37 PM *
News: ♦♦ New info! Bitcoin Core users absolutely must upgrade to previously-announced 0.16.3 [Torrent]. All Bitcoin users should temporarily trust confirmations slightly less. More info.
  Home Help Search Donate Login Register  
  Show Posts
Pages: [1]
1  Bitcoin / Development & Technical Discussion / Password-protected private key export format on: August 10, 2011, 04:10:03 PM
Private keys in base-58 export format are great for moving between bitcoin wallets, or for safe keeping outside of wallet.dat.  They are currently used by several 3rd party systems, including BitBills, vanitygen, and pywallet.  However, they are very vulnerable to being leaked or stolen if certain security measures aren't taken.  While the built-in bitcoin wallet.dat encryption is able to encrypt private keys stored in wallet.dat, this protection does not extend to exported keys.  The format proposed here is an extension to the base-58 export format with integrated password protection.

This format uses strong encryption and multi-iteration password-based key derivation to encrypt a bitcoin private key.  As with any format of this type, the password can be cracked.  However, by current standards, it is very difficult, of similar difficulty to cracking passwords for WiFi WPA2-PSK.  Complex passwords with no dictionary words of at least nine characters will require more than three years to crack for a very resourceful attacker.

Updated: The current scheme is as follows.  Thanks go to pixelglow for smart suggestions.

privkey = 32-byte EC private key, big-endian form
param = Parameter descriptor byte.
  • 0: Brief format -- unpadded cipher, 4-byte salt, HMAC-SHA256 password check value
    • pbhash = HMAC-SHA256
    • pbiter = 4096
    • cipher = AES-256-CBC
  • 16: PKCS#7-compliant format -- padded cipher, 8-byte salt
    • pbhash = HMAC-SHA256
    • pbiter = 4096
    • cipher = AES-256-CBC

For Brief format:
salt = 4-byte random value
key = PBKDF2(password, salt, pbhash, iter)
(key is then split into cipherkeyiv and hmackey.  hmackey is 16 bytes long.)
pwcheck = HMAC-SHA256(hmackey, privkey)
protkey = param | cipher(privkey, cipherkeyiv, unpadded) | pwcheck[0:64] | salt
Result is 45 bytes for most ciphers

For PKCS#7-compliant format:
salt = 8-byte random value
cipherkey = PBKDF2(password, salt, pbhash, iter)
protkey = param | cipher(privkey, cipherkey) | salt
Result is 58 bytes for most ciphers

The protkey value then has a data class byte (32 or 79) prefixed to the beginning, and is base-58 encoded as per the bitcoin function EncodeBase58Check().  Below is an example of a private key password-protected using this scheme, with a test password password1:

Address: 1HacknYhLRpttqGAiBew1fQAKRGnMorkxk
Privkey: 5JmsuCoDBDTPT8oBxx1Vv4cy9Fw14456rt7hvMKmvQY1DES2w6z

Protkey: PsQg61gLtNX6bg7PG8Kw9bpdFEfuP8h1Ri8dAoBjRpV1i1rPPx72EYrGgi7CfWWkbutH
Protkey: 2uhT7zkgeGXpVEw4aYTnCyAvTQ9G1hqSGPPNS5EpC4W62J28euHT8o9CQnKrZCqYwhcHgrxBASsWzYT bF3Qcx
(Careful: the long form above has an extra space added by the forum)

The Brief representation makes some specific compromises to maintain a short representation.  In this mode, the block cipher is performed with no PKCS#7 padding at the end.  Since the padding provides a way to verify the correctness of the password, the HMAC value pwcheck is computed and added to the output.  The pwcheck value is computed using the HMAC-SHA256 hash of the plaintext private key, using 16 bytes of key material taken from the PBKDF2 function as the message key.  This saves a few bytes in the final representation.  The salt value is also only four bytes long, shorter than the recommended eight.

This scheme, unless somebody can poke a big hole in it or recommend a useful change, will show up as an optional output format in the next release of vanitygen, along with a password codec.

A JavaScript example of the password codec is available here.  It does run in your browser but does not transmit keys or passwords over the network.

Bounty: I don't have many bitcoins to throw at this, but 5 BTC go to the first person who can remove the protection from the key below:


To sweeten the deal: the password is 14 characters long, with upper and lower case letters only, and contains at least one dictionary word.
2  Bitcoin / Development & Technical Discussion / Vanitygen: Vanity bitcoin address generator/miner [v0.22] on: July 04, 2011, 03:29:50 AM
Vanitygen is a command-line vanity bitcoin address generator.

If you're tired of the random, cryptic addresses generated by regular bitcoin clients, you can use vanitygen to create a more personalized address.  Add unique flair when you tell people to send bitcoins to 1stDownqyMHHqnDPRSfiZ5GXJ8Gk9dbjL.  Alternatively, vanitygen can be used to generate random addresses offline.

Vanitygen accepts as input a pattern, or list of patterns to search for, and produces a list of addresses and private keys.  Vanitygen's search is probabilistic, and the amount of time required to find a given pattern depends on how complex the pattern is, the speed of your computer, and whether you get lucky.

The example below illustrates a session of vanitygen.  It is typical, and took about 10 sec to finish, using my Core 2 Duo E6600 CPU on x86-64 Linux:

$ ./vanitygen 1Boat
Difficulty: 4476342
Pattern: 1Boat                                                                
Address: 1BoatSLRHtKNngkdXEeobR76b53LETtpyT
Privkey: 5J4XJRyLVgzbXEgh8VNi4qovLzxRftzMd8a18KkdXv4EqAwX3tS

Vanitygen includes components to perform address searching on your CPU (vanitygen) and your OpenCL-compatible GPU (oclvanitygen).  Both can be built from source, and both are included in the Windows binary package.  Also included is oclvanityminer, the vanity address mining client.  Oclvanityminer can be used to automatically claim bounties on sites such as ThePiachu's vanity pool.

Current version: 0.22

Windows x86+x64 binaries here.  PGP signature here

Get the source from GitHub.  Includes Makefiles for Linux and Mac OS X.


What types of patterns can vanitygen search for?

Vanitygen can search for simple prefixes or regular expression matches.

Prefixes are exact strings that must appear at the beginning of the address.  When searching for prefixes, vanitygen will ensure that the prefix is possible, and will provide a difficulty estimate.  Exact prefixes are case-sensitive by default, but may be searched case-insensitively using the -i option.

Prefixes are also very fast to search, and a list of thousands of prefixes may be specified with little or no reduction in key search rate.

Regular expressions are programmable pattern filters.  They are very powerful, and can be used to match prefixes, suffixes, varying-length sequences, etc..  For a quick tutorial, see  To enable regular expressions, use the -r command line option.  Unfortunately, regular expressions are very slow, and will have a significant impact on key search rate.  Because of this, regular expressions should only be used if their expressive power is needed.

Oclvanitygen is only effective at searching for prefixes.  Regular expressions will not work effectively with oclvanitygen, as oclvanitygen is currently unable to execute the regular expression on the GPU.

How do I specify a list of patterns?

Vanitygen can accept a list of patterns to search for, either on the command line, or from a file or stdin using the -f option.  File sources should have one pattern per line.

Upon finding a match for a given pattern, vanitygen will stop searching for additional matches for that pattern.  To search for multiple matches for each pattern, use the -k option.

How do I import the private key into bitcoin?

If you wish to spend coins received on a vanity address created by vanitygen, you must import the private key into a bitcoin client.  There are two popular methods of doing this with the standard Satoshi bitcoin client:

  • Use the importprivkey command.  To do this, select Help -> Debug Window, and in the window, on the bottom line, enter importprivkey <privatekey>, e.g.
importprivkey 5J4XJRyLVgzbXEgh8VNi4qovLzxRftzMd8a18KkdXv4EqAwX3tS
  • Jackjack's pywallet script is an all-in-one tool that directly modifies the wallet.dat file.  This works with a normal, unpatched bitcoin client, but does require Python with the bsddb package.

If I stop vanitygen when it reports 60% complete, how do I have it restart where it left off?

You don't need to.  The percentage displayed just shows how probable it is that a match would be found in the session so far.  If it finds your address with 5% on the display, you are extremely lucky.  If it finds your address with 92% on the display, you are unlucky.  If you stop vanitygen with 90% on the display, restart it, and it finds your address with 2% on the display, your first session was unlucky, but your second session was lucky.

When I double-click on vanitygen, a black window appears for a split-second and disappears, what do I do?

Currently, vanitygen only runs on the command line, and does not have a graphical user interface.  To use vanitygen, you need to open a command line window and change to the directory where you extracted the vanitygen program.  An easy way to do this in Windows 7, hold down the shift key, right-click on the folder where you unzipped vanitygen, and select "Open command window here."  Then, you can type the vanitygen command at the prompt.

Can I use vanitygen to find someone else's private key from their bitcoin address?

Yes.  Vanitygen is a cryptographic brute-forcing application, and can be used to search for a complete address.  However, you will be unhappy with the amount of time required for it to find a match.

How do I report a bug?  What do I do if it crashes?

Post to this thread, send me a PM, or send me an email!  Please run vanitygen with the -v flag for verbose output, and please include the console output in your report.

How do I build vanitygen from source?

Please refer to the file INSTALL in the source distribution.

What key search rate can I expect from hardware X?

Detailed list forthcoming.  Some ballpark estimates are listed below.

Dual-core desktop CPUs, 32-bit mode: 100-250 Kkey/s.
Dual-core desktop CPUs, 64-bit mode: 150-450 Kkey/s.
Quad-core desktop CPUs, 32-bit mode: 200-400 Kkey/s.
Quad-core desktop CPUs, 64-bit mode: 300-750 Kkey/s.

As vanitygen performs a lot of large integer arithmetic, running it in 64-bit mode makes a huge difference in key search rate, easily a 50% improvement over 32-bit mode.  If you are using a 64-bit edition of Windows, and not using a GPU, be sure to use vanitygen64.exe.

In custom builds, CPU performance will be less than expected if the OpenSSL library is an older version (<1.0.0d) or is not built with the appropriate optimizations enabled.

General formulas for expected performance on GPUs

NVIDIA GeForce 96xx, 98xx, GT 1xx, GT 2xx, GTX 2xx (G90/GT200):
Key/s = (CUDA Cores) x (Shader MHz) x 17

AMD Radeon 58xx, 59xx, 67xx, 68xx (VLIW5):
Key/s = (Stream Processors) x (Core MHz) x 20.1

AMD Radeon 69xx (VLIW4):
Key/s = (Stream Processors) x (Core MHz) x 13.6

AMD GCN, NVIDIA Fermi/Kepler: Please contribute some numbers!

Unfortunately, AMD VLIW4 does not perform as well as VLIW5 with the same number of cores/clocks.  Oclvanitygen is sensitive to integer multiply throughput, and VLIW5 can multiply concurrently with other operations, whereas multiply consumes all four ALUs in VLIW4.  At similar clocks, a hobbled Radeon 5830 will outperform a Radeon 6970.

I have a lot of compute power, and want to make vanity addresses for others.  How do I do it?

The difficulty with this is convincing your customer that, once you provide them with a vanity address, you do not have a copy of their private key.  Some methods of doing this have been discussed on the forum, and vanitygen currently supports one of them.  To generate an address securely, your customer generates a private key, and provides you with the public key part.  You use this public key as part of the address search, and when you find a match, you provide them with a partial private key.  The customer then adds the partial private key to their private key to get the vanity address.  Because the customer never disclosed their part of the private key, only they have access to the complete private key.

There are many ways to get a key pair, but to do address-for-hire, you need the complete public key in hexadecimal format.  The bitcoin address is not sufficient.  One way to generate one and get this is to use the keyconv utility, keyconv -G, and get the following parts:

$ ./keyconv -G
Pubkey (hex): 041d2e778ae6d9124736df131cd22d3a2483f336c55156d87a84c4bdc6d89f8518e33de85ae0f907a7128c476281bc8cc7742b43a54ccc2c7824dc4c4a438a7fbc
Privkey (hex): 61E00B1C57E7F0D508C7C3795F90C0ACEC1DCAF6A7B82C951D23F728FD53E4BE
Address: 15wRE5VA5uhxs5o6LayZC6imES2SeZeXd4
Privkey: 5JZPftgcsaG5Unp24cf47zP7JZEZkfnSAZzefezAVNRomKHZE8f

The customer saves the privkey part in a secure location, and provides you with the Pubkey (hex) part.

Then, you run vanitygen or oclvanitygen, and specify the customer's public key:

$ ./vanitygen -P 041d2e778ae6d9124736df131cd22d3a2483f336c55156d87a84c4bdc6d89f8518e33de85ae0f907a7128c476281bc8cc7742b43a54ccc2c7824dc4c4a438a7fbc 1Boat
Difficulty: 4476342
Pattern: 1Boat                                                                
Address: 1BoatWxEHyVXkjS78d16LMuj8YMdZ1Kce8
PrivkeyPart: 5KCwog8Ndt64ZicNSGoDBRf4vACBptM2GUtSJCmkbqpieC8idcP

Because a public key was specified, vanitygen now provides a PrivkeyPart rather than a Privkey result, which is useful only to your customer.  The customer then takes the partial private key produced by vanitygen and adds it to their private key.  This can be done using ThePiachu's handy website, or using the keyconv utility:

$ ./keyconv -c 5JZPftgcsaG5Unp24cf47zP7JZEZkfnSAZzefezAVNRomKHZE8f 5KCwog8Ndt64ZicNSGoDBRf4vACBptM2GUtSJCmkbqpieC8idcP
Address: 1BoatWxEHyVXkjS78d16LMuj8YMdZ1Kce8
Privkey: 5J1Jieusaa6vegTQZ7PNG3hMcsM2FjgHPK1BkPjbYyQsWb9k5vj

Here, keyconv is able to recreate the final address found by vanitygen, based on the two private key parts.  It is also able to create the final private key.  This is infeasible for someone who does not have both parts of the private key, and provides your customer with real security.

This process is very complicated.  A simpler way to do it is to use a bounty pool such as vanity pool.

How do I participate in vanity pool?

To do this, use the oclvanityminer program.  Oclvanityminer works much like a familiar bitcoin miner.  It connects to a bounty server, downloads a list of bounties, automatically chooses one, searches for a match, and submits the results back to the server when one is found.  Oclvanityminer periodically reconnects to the bounty server to check if bounties have been claimed, or more profitable bounties have been posted.  An example session:

$ ./oclvanityminer -u -a 1samr7UZxtC6MEAFHqr1h3Kq453xJJbe4
Searching for pattern: "1satoshi" Reward: 0.100000 Value: 0.000007 BTC/MkeyHr
Difficulty: 51529903411245
Searching for pattern: "1Satoshi" Reward: 0.100000 Value: 0.000007 BTC/MkeyHr
Next match difficulty: 25764951705622 (2 prefixes)
[6.14 Mkey/s][total 62914560][Prob 0.0%][50% in 33.6d]

Note that vanitypool and oclvanityminer are currently under development.

How secure are the addresses generated by this program?  Will someone be able to guess the private key and steal my BTC?

Vanitygen uses the OpenSSL random number generator.  This is the same RNG used by bitcoin and a good number of HTTPS servers.  It is regarded as well-scrutinized.  On Linux, the RNG will be seeded from /dev/urandom.  Guessing the private key of an address found by vanitygen will be no easier than guessing a private key created by bitcoin itself.  Nonetheless, if you feel the default RNG is unable to provide numbers that are sufficiently difficult to guess, vanitygen can be directed to seed the RNG from an external file using the -s option.

To speed up address generation, vanitygen uses the RNG to choose a private key, and literally increments the private key in a loop searching for a match.  As long as the starting point is not disclosed, if a match is found, the private key will not be any easier to guess than if every private key tested were taken from the RNG.  Vanitygen will also reload the private key from the RNG after 10,000,000 unsuccessful searches (100M for oclvanitygen), or when a match is found and multiple patterns are being searched for.

What security measures should I take?

  • Secure any systems used to generate addresses.  Don't run web browsers on them.  Keep malware and unauthorized individuals out.
  • Ensure that any private keys reported by vanitygen are stored and transmitted securely.
  • The command line method of importing private keys into bitcoin requires you to enter your private key on the command line.  Bitcoin takes a long time to perform an import, and while it is running, your private key will be visible in the output of "ps," so be careful!  Also, the private key may be leaked to your shell history file.  Kill your shell and shred your shell history file after importing.

What are the other methods of generating vanity addresses?

The original method of generating vanity addresses is a patch to the official bitcoin client created by Gavin Andresen.  Details can be found here.

Forum user Nyhm created an in-browser vanity address generator.

There is a new vanity address generator for Android.
Pages: [1]
Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!