Using serial numbers on notes for private keys

[Bitcoin Oz]

Has anyone used the serial numbers that are on fiat notes to generate bitcoin addresses ? Then you dont need to remember the passphrase to unlock your coins you just pull a $5 note out of your vault  and redeem it

If you attached $5 worth of bitcoins to a $5 note would that mean you could exchange it for $10 in a bitcoin trade and the other person would then have 50% insurance against a double spend of the coins since they can still spend the cash ?

The next question is are the serial numbers on cash available to the public or are they kept in a  government database only ? My concern is someone writing a script that checks all the known serial numbers 

[edd]

Has anyone used the serial numbers that are on fiat notes to generate bitcoin addresses ? Then you dont need to remember the passphrase to unlock your coins you just pull a $5 note out of your vault  and redeem it

If you attached $5 worth of bitcoins to a $5 note would that mean you could exchange it for $10 in a bitcoin trade and the other person would then have 50% insurance against a double spend of the coins since they can still spend the cash ?

The next question is are the serial numbers on cash available to the public or are they kept in a  government database only ? My concern is someone writing a script that checks all the known serial numbers 

I did check a bunch of new dollar bills I received as change once and the serial numbers were indeed sequential.

But you're talking about addresses, right? Not private keys? In any case, I don't think you could generate enough pairs in a lifetime to match a random serial number exactly.

[jothan]

Yes, serial numbers would be quite silly as a private key. They are predictable, they are sequential and anybody who handles a bill has the serial number and could empty out the bitcoins.

Hence the old mafia movie saying "bills, used, non-sequential".

[BkkCoins]

That's cool. We could replace dollar bills one by one. Convert to Bitcoin and destroy. Kidding.
Don't know about serial #s but you can salt it with some private text to circumvent.

[kayrice]

As others have pointed out the numbers on the bill won't make a good private key without a decent amount of information from another source, which probably destroys any utility this would have. Also there is nothing to stop the Bitcoin wallet from not having $10 later so the relationship between BTC and USD would require upkeep or trust - possible even both.

[unclemantis]

I don't think that is a good idea. One could just brain wallet sequential numbers and check the public key balance against the chain.

BZZZ!!!! Try again!

[unclemantis]

Well for one thing www.bitaddress.org tells me that my passphrase is too short and won't allow a brainwallet to be generated.

LETTER LETTER NUMBER NUMBER NUMBER NUMBER NUMBER NUMBER NUMBER NUMBER LETTER

Try again hippie!

[casascius]

Using a passphrase this short would result in about a 100% probability of being stolen from eventually.

[unclemantis]

I for one think that brain wallets are a recipe for disaster. I still believe AES encrypting a private key and storing the encrypted key in multiple places is far more secure.

I have found a place that charges $15 per line. Depends on the font size and size of the piece of metal that is.

FYI Things Remembered is a fucking rip off, try and find someone local, they all ship it out.

Mike, any thoughts?

[unclemantis]

http://www.onlinemetals.com/merchant.cfm?pid=12626&step=4&showunits=inches&id=322&top_cat=1353

I am trying to find a credit card sized piece of Titanium.

Thoughts folks? Is titanium really needed? Can I get away with several dog tag sized peaces of metal? Hell if there is a fire in one location that i have the key stored in and it melts I still have the key in the other locations, right?

[unclemantis]

I am really sorry for trolling but here is a site that does dogtags. The problem is they don't allow the equal sign, plus they only allow 15 characters a line and 5 lines per dog tag.

The AES code that is generated is 108 characters, and even if i leave off the trailing equal sign that is still too many.

Thoughts folks? Is there an AES code COMPRESSOR? Like Zip is to files?

[unclemantis]

http://stackoverflow.com/questions/93451/does-aes-128-or-256-encryption-expand-the-data-if-so-by-how-much

Looks to me like I would need to compress the private key before encrypting.

How do you compress a private key such as 5Jv2WzF1ZMBWpaVAYZEsRqXCo2zkqDpYkgrHm1AJUm6fiQgU8QU

FYI for you funny people. I have not funded this key.

[casascius]

http://stackoverflow.com/questions/93451/does-aes-128-or-256-encryption-expand-the-data-if-so-by-how-much

Looks to me like I would need to compress the private key before encrypting.

How do you compress a private key such as 5Jv2WzF1ZMBWpaVAYZEsRqXCo2zkqDpYkgrHm1AJUm6fiQgU8QU

FYI for you funny people. I have not funded this key.

I actually have a proposal in the works for doing exactly that.  It avoids expanding the private key by too large a margin (currently adds about 4-5 characters).

I have released a draft Casascius Bitcoin Address Utility that WORKS (in the sense that it will encrypt and decrypt keys), but the spec will be revised to make the passphrase more resistant to brute-forcing, before the specification ever becomes any official part of Bitcoin.  If/when it does, any keys generated by the utility NOW won't work.  The current version generates private keys that start with "6p" and are only a few characters longer than the "5J" one above.

The AES algorithm itself doesn't add any overhead, something in comes out the same size.  But using AES securely requires some random "initialization" bytes to help the cipher start out in a scrambled state - this adds a fixed 16 or 32 bytes of overhead to any usage of it.  And Base64encoding binary data incurs an automatic 25% overhead all by itself, encrypted or not.

I avoid bulking up my encrypted private key while still using AES by taking a shortcut and skipping the initial scrambling bytes (aka an "initialization vector").  I can sort of get away with it because the data to be encrypted is already totally random to begin with, making some attacks (e.g. known plaintext attack) not an issue.  But I'm likely to need to use a much stronger algorithm for converting the password to a key than I'm using now (SHA256) before it will be considered reasonably secure against cracking.

When it's all said and done, the final algorithm will probably produce AES-encrypted Base58-like private keys that are 57 characters in length and also start with "6p".

[BkkCoins]

I am really sorry for trolling but here is a site that does dogtags. The problem is they don't allow the equal sign, plus they only allow 15 characters a line and 5 lines per dog tag.

The AES code that is generated is 108 characters, and even if i leave off the trailing equal sign that is still too many.

Thoughts folks? Is there an AES code COMPRESSOR? Like Zip is to files?

If you're willing to split it on several tags and store in several places then you can use Shamir Secret Encoding. You split the 51 char key into several parts using Shamir (eg. 3 of 4). Put each part on a tag. Now you need 3 out of 4 tags to come together to regain the original key. So if one melts you're ok. Someone wanting to gain your key has to find at least 3 out of 4 tags. (You can use whatever M of N you please). To the best of my knowledge Shamir is provably secure.

[2weiX]

so for the cryptologically impaired:

- if i took 10 1$ bills  (20 5$ bills...)
- chained their serial numbers
- did a magic salt thingy with "holyholydollarbillholdmybitcoinifyouwill"
- and then use that to generate a privkey
- funded that with 10BTC (100 BTC...)
..
..
-put the dollars in my vault
..
..
- take em out, reverse the process above


this could work, yes?

[aq]

so for the cryptologically impaired:

- if i took 10 1$ bills  (20 5$ bills...)
- chained their serial numbers
- did a magic salt thingy with "holyholydollarbillholdmybitcoinifyouwill"
- and then use that to generate a privkey
- funded that with 10BTC (100 BTC...)
..
..
-put the dollars in my vault
..
..
- take em out, reverse the process above


this could work, yes?

Yes, that would work perfectly. I believe that it is not even necessary to use 10 serials.
BTW, it would be way cooler to make this multi-currency. Use a dollar note, a euro note, a pound note, a swiss franc note and, I am sure you still have one, a DM note.
Paranoid mode:
Use some secret chaining text containing symbols in between, like "-!-", otherwise you would end up having only numbers and letters in your pass phrase.
While I like "holyholydollarbillholdmybitcoinifyouwill", you have to come up with something else, as this is now known.

[ElectricMucus]

If you really wanna attach bitcoins to a bank note you can do this:

All banknotes contain UV active security features, from my knowledge these are just a bunch of flakes inside the paper distributed randomly. In order to generate the private key you need to photograph the note and write some software to derive a fingerprint of the note. This fingerprint can then be used to derive a private key.

Alternatively you can take a macro of the note and use the irregularities in the paint and so on. But this can be done with almost any physical object using sufficient resolution.

[mistfpga]

so for the cryptologically impaired:

- if i took 10 1$ bills  (20 5$ bills...)
- chained their serial numbers
- did a magic salt thingy with "holyholydollarbillholdmybitcoinifyouwill"
- and then use that to generate a privkey
- funded that with 10BTC (100 BTC...)
..
..
-put the dollars in my vault
..
..
- take em out, reverse the process above


this could work, yes?

It might work, but why bother? why not just print out the private key and store that?

if you really must over complicate things, you can AES encrypt the key, then your holyholy... would be the passphrase to decrypt the private key.

I am not sure what you are trying to achive, the OP was trying to find a mechanism for hedging against loss of the bitcoins, you are just making things overly complicated for no gain.

re:op,

you would have to have a function (like a hash function) that could be run over the serial number to 'scramble' it.  bcrypt would be a good idea for this, with the key being a part function of the required to caclulate the amount of times to run the algo to encrypt and another part as an 'init' vector, this could be a filter or a keyword. ideally you would like to be able to make both of these public and it still be cost/time prohibitive to brute force all serial numbers.

I quite like the idea, but I am not sure of the pratical application, for safty you are better off storing encrypted private paper wallets. but for the prevention of double spends you would need to demostrate that the funds are there and the wallet can be derived from the serial number, both of these things are non trivial to do properly... you have got me thinking though...

edit: removed an obtuse comment not meant for the reply, i though someone else wrote the reply. sorry about that

[ErebusBat]

One could just brain wallet sequential numbers and check the public key balance against the chain.

For some reason this reminded me of johnny mnemonic where the 'password' was three pictures.

Have a bill that has three images on it that you have to type in.  (like a picture of a rabbit and you have to type in bunny).

[Bitcoin Oz]

I probably wouldnt store my life savings in a $5 note