Bitcoin Forum
March 29, 2024, 12:47:31 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 [2]  All
  Print  
Author Topic: Idea for Highly Secure Paper Wallet - Using Split Keys  (Read 4932 times)
TTBit
Legendary
*
Offline Offline

Activity: 1136
Merit: 1001


View Profile
September 30, 2012, 01:44:31 AM
 #21

I have been playing with this all day. Very cool.

Question: Why hasn't anyone used this for Escrow? I bet there has to be a page on this somewhere

Example:
* Seller goes to Escrow-BTC.com and signs a message from address 1EwMryEWqFLrfyyK6gTz3HUwgmLsVTFuQr (proves he knows the private key, not on-line wallet)
* Escrow-BTC.com then generates a vanity address with that public key and sends Buyer a PrivkeyPart: 5KiThyF8KKXm51jRT99Yckn63hGXFsBjniQNdYqyqDvhSHvQmEB
* This produces a vanity address: 1ZZZZKnrZRAmCgfVtjpgzZc1f9SkfndF5, which buyer sends funds to.
* At this point, no one knows the Private Key to 1ZZZZKnrZRAmCgfVtjpgzZc1f9SkfndF5
* Seller has delivered package, buyer can release his PrivkeyPart to seller. Buyer can only not deliver funds out of spite.
* Seller combines his private key with buyer's PrivkeyPart:

Code:
keyconv -c 5KiThyF8KKXm51jRT99Yckn63hGXFsBjniQNdYqyqDvhSHvQmEB 5JuwtSBD2SbnZ8dWgtGiUsd5D14tC7UTvoDeqCsabS5f7KN326D
Address: 1ZZZZKnrZRAmCgfVtjpgzZc1f9SkfndF5
Privkey: 5JsNqVXDQstLEKPxCFMN4G4LerFg8AD2fmk8FHhEtRAheiKoeb6

And viola! The seller has access to funds.

good judgment comes from experience, and experience comes from bad judgment
1711673251
Hero Member
*
Offline Offline

Posts: 1711673251

View Profile Personal Message (Offline)

Ignore
1711673251
Reply with quote  #2

1711673251
Report to moderator
1711673251
Hero Member
*
Offline Offline

Posts: 1711673251

View Profile Personal Message (Offline)

Ignore
1711673251
Reply with quote  #2

1711673251
Report to moderator
You can see the statistics of your reports to moderators on the "Report to moderator" pages.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1711673251
Hero Member
*
Offline Offline

Posts: 1711673251

View Profile Personal Message (Offline)

Ignore
1711673251
Reply with quote  #2

1711673251
Report to moderator
1711673251
Hero Member
*
Offline Offline

Posts: 1711673251

View Profile Personal Message (Offline)

Ignore
1711673251
Reply with quote  #2

1711673251
Report to moderator
franky1
Legendary
*
Offline Offline

Activity: 4172
Merit: 4357



View Profile
September 30, 2012, 02:01:38 AM
 #22

I have been playing with this all day. Very cool.

Question: Why hasn't anyone used this for Escrow? I bet there has to be a page on this somewhere

Example:
* Seller goes to Escrow-BTC.com and signs a message from address 1EwMryEWqFLrfyyK6gTz3HUwgmLsVTFuQr (proves he knows the private key, not on-line wallet)
* Escrow-BTC.com then generates a vanity address with that public key and sends Buyer a PrivkeyPart: 5KiThyF8KKXm51jRT99Yckn63hGXFsBjniQNdYqyqDvhSHvQmEB
* This produces a vanity address: 1ZZZZKnrZRAmCgfVtjpgzZc1f9SkfndF5, which buyer sends funds to.
* At this point, no one knows the Private Key to 1ZZZZKnrZRAmCgfVtjpgzZc1f9SkfndF5
* Seller has delivered package, buyer can release his PrivkeyPart to seller. Buyer can only not deliver funds out of spite.
* Seller combines his private key with buyer's PrivkeyPart:

Code:
keyconv -c 5KiThyF8KKXm51jRT99Yckn63hGXFsBjniQNdYqyqDvhSHvQmEB 5JuwtSBD2SbnZ8dWgtGiUsd5D14tC7UTvoDeqCsabS5f7KN326D
Address: 1ZZZZKnrZRAmCgfVtjpgzZc1f9SkfndF5
Privkey: 5JsNqVXDQstLEKPxCFMN4G4LerFg8AD2fmk8FHhEtRAheiKoeb6

And viola! The seller has access to funds.

paper wallet is the subject. nice idea's but people are still thinking that they need third party services and outsiders.. paper is all you need... oh and a pen. maybe a safety deposit box.

if its not on your computer (restore it) or never been given to any web service.. the only people that can take it. know where u live.

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
BkkCoins (OP)
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
September 30, 2012, 02:05:40 AM
 #23

It could probably be used like that too. I don't think people have given much attention to partial keys yet. It was worked out as part of wanting to use vanitygen without exposing the keys. And as far as my reading on the forum not much else has been done with it. It's a bit complicated for users and the combine functionality isn't in many clients so that's likely why. A simple wrapper has to be built around it so people can use it without running cmd line tools.

I'm a bit curious as well if multiple partials could be used in a similar way. Let's say the result of the first addition was a input key to a second addition such that three keys were needed. I haven't tried it but it seems likely to work.

edit: Just tried it and it does work.  So N-way keys could be created as well. And I just realized this is probably the basis for deterministic wallets.  Roll Eyes

etotheipi
Legendary
*
expert
Offline Offline

Activity: 1428
Merit: 1093


Core Armory Developer


View Profile WWW
September 30, 2012, 02:17:41 AM
 #24

It could probably be used like that too. I don't think people have given much attention to partial keys yet. It was worked out as part of wanting to use vanitygen without exposing the keys. And as far as my reading on the forum not much else has been done with it. It's a bit complicated for users and the combine functionality isn't in many clients so that's likely why. A simple wrapper has to be built around it so people can use it without running cmd line tools.

I'm a bit curious as well if multiple partials could be used in a similar way. Let's say the result of the first addition was a input key to a second addition such that three keys were needed. I haven't tried it but it seems likely to work.

The math works out fine for any number of keys, but the amount of exchanging of information between devices gets annoying:

Private key is A
Public key of A is A'
Public generator point of the Bitcoin elliptic curve is G.

Device 1:  Creates private key A.  Computes public key which is  A*G = A'
Device 2:  Creates private key B.  Computes public key which is  B*G = B'
Device 3:  Creates private key C.  Computes public key which is  C*G = C'

Ultimately, the combined private key will be A*B*C, and the public key will be (A*B*C)*G.   However, in order to do this, Device 3 needs to give device 2 its public key (C' = C*G).  Then Device 2 can produce B*(C*G)=(B*C)*G.  Then you transfer that to device 1 which can then produce A*(B*C)*G = (A*B*C)*G.   No one device has seen any private keys other than its own (so far).  Send coins to the address associated with that public key.

In order to create the private key, you just collect A, B and C onto the same computer and multiply to get (A*B*C).  Import that into a wallet and sign.  If you want to play with this, I recommend downloading Armory and run it in offline mode (because you won't actually use it for your wallet), then go to "Tools->ECDSA Calculator". 

Founder and CEO of Armory Technologies, Inc.
Armory Bitcoin Wallet: Bringing cold storage to the average user!
Only use Armory software signed by the Armory Offline Signing Key (0x98832223)

Please donate to the Armory project by clicking here!    (or donate directly via 1QBDLYTDFHHZAABYSKGKPWKLSXZWCCJQBX -- yes, it's a real address!)
BkkCoins (OP)
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
September 30, 2012, 02:22:31 AM
 #25

If you want to play with this, I recommend downloading Armory and run it in offline mode (because you won't actually use it for your wallet), then go to "Tools->ECDSA Calculator". 
Cool, thanks.

pointbiz
Sr. Member
****
Offline Offline

Activity: 437
Merit: 415

1ninja


View Profile
October 09, 2012, 03:35:59 AM
 #26

n1bor's modification to bitaddress.org was mentioned here is the link:
https://raw.github.com/n1bor/bitaddress.org/vanitytab/bitaddress.org.html

I believe it could be used for this Split Key purpose. The tab could possibly change some terminology such that it would be useful for Vanity (Pool) Wallet purposes and Split Key purposes. The missing feature is adding two public keys to get the bitcoin address without bringing the two private keys together in one place first (not a concern for a Vanity Wallet).

Coder of: https://www.bitaddress.org      Thread
Open Source JavaScript Client-Side Bitcoin Wallet Generator
Donations: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN   PGP
BkkCoins (OP)
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
October 09, 2012, 04:09:25 AM
 #27

n1bor's modification to bitaddress.org was mentioned here is the link:
https://raw.github.com/n1bor/bitaddress.org/vanitytab/bitaddress.org.html

I believe it could be used for this Split Key purpose. The tab could possibly change some terminology such that it would be useful for Vanity (Pool) Wallet purposes and Split Key purposes. The missing feature is adding two public keys to get the bitcoin address without bringing the two private keys together in one place first (not a concern for a Vanity Wallet).
Yes, that's right but also I was thinking of making a web site based off your code that makes it dead simple, and well explained, step-by-step, to do split keys. I even registered paperwallet.info for this purpose but I haven't got around to anything yet.

My main objective would be to re-arrange things to be simple for noobs and a bit more aesthetically pleasing. I'm still working out what to do. Not just creating a wallet but monitoring balance and doing spends too. So it's a paper wallet that has online functionality by taking a paper bill out of your wallet etc.

pointbiz
Sr. Member
****
Offline Offline

Activity: 437
Merit: 415

1ninja


View Profile
October 11, 2012, 01:27:43 PM
 #28

I read in another thread that the same public key can be used to generate more than one private key using key addition.

This would allow for an advanced "split keys" commands section on the bitaddress paper wallet tab for the user to enter a public key. Then all paper wallets generated would output the summed bitcoin address and the partial private key. Therefore, I could conveniently create 1 key pair on my mobile phone (and backup to the cloud) and email the public key to my laptop and generate a secure paper wallet (printing two copies so one can be stored in a safety deposit box) based on that public key.

An alternate version of what I described above would use a brain wallet to generate the public key that would be added to the keys generated by the split key paper wallet. This essentially provides for paper wallet encryption WITHOUT AES!

Coder of: https://www.bitaddress.org      Thread
Open Source JavaScript Client-Side Bitcoin Wallet Generator
Donations: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN   PGP
BkkCoins (OP)
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
October 11, 2012, 03:45:19 PM
 #29

I read in another thread that the same public key can be used to generate more than one private key using key addition.
On my vanitycoin.com website (which is not yet public) I generate the key pair in the browser from a user-id/pwd ("login key") and send the public key to my server. I generate whatever addresses you submit (1-1000 qty, w/ prefixes) and send the partial keys back to the browser. Then when you select "view results" it recombines the "login key" with each vanity key to give you the final key/address in various list formats for saving, eg. html,csv,sql,json. I've tested that all fully and it works well.

(My server code is all Python and the client JQuery / AJAX data handling. I should throw up a beta version but I need to sort out the IP + SSL stuff as it's too expensive on Amazon.)

An alternate version of what I described above would use a brain wallet to generate the public key that would be added to the keys generated by the split key paper wallet. This essentially provides for paper wallet encryption WITHOUT AES!
There seems to be many possibilities and I haven't fully explored what things can be done along this lines but I'm pretty sure some pretty useful scenarios can be figured out.

thanke
Member
**
Offline Offline

Activity: 104
Merit: 10


View Profile
October 11, 2012, 06:30:57 PM
Last edit: October 12, 2012, 10:26:56 AM by thanke
 #30

Either system could be compromised in any way and as long as the same person/group didn't compromise both then they would never be able to use the partial keys alone.

You are describing how to generate a secure paper wallet on two compromised machines (that are not compromised by the same attacker).

May I ask what is the original purpose for that? If it was for the one paper wallet savings account that you occasionally withdraw from then, in order to sign the withdrawal transaction (which in your proposal is not a multisig), you are still faced with the problem of at least securely booting into a minimal OS (which you could then have used to the generate the paper wallet in the first place). Do I assume rightly that the purpose is to generate many split key paper wallets that you load up with small amounts, so when you come to use one of them then you empty it completely and never reload it?

I want to remark that even assuming that you can boot securely into a minimal OS (which I think you didn't want to assume) there is still a use of your proposed split key paper wallets as savings wallets. Because you can distribute the paper wallet into several locations and design it so that you need simultaneous access to N of these locations to be able to withdraw. Simply taking scissors and cutting a single key into N snippets would not work for N>2 because the key snippets would become too small and be brute-forceable.
  
pointbiz
Sr. Member
****
Offline Offline

Activity: 437
Merit: 415

1ninja


View Profile
December 26, 2012, 08:43:33 PM
 #31

To generate a split key there is a new feature (v2.1) in the Vanity Wallet on bitaddress.org
It requires using two computers that are not compromised by the same hacker. For example using your computer at HOME and one at WORK.

Save the bitaddress.org HTML (get it from github) and check the SHA1 hash.

Open your saved bitaddress on your HOME computer and go to the Vanity Wallet tab. Click generate on Step 1. Print the page. We will call this key pair A (which consists of public key A and private key A). Copy and paste public key A into an email and send it to yourself at WORK.

Open your saved bitaddress on your WORK computer and go to the Vanity Wallet tab. Click generate on Step 1. Print the page. We will call this key pair B. Copy and paste public key B into an input box for Step 2. Then get public key A from the email you sent above and paste it into the other input box for Step 2.

Select Add and click Calculate Vanity Wallet. You will now have a secure Bitcoin address for saving.

When you later go to combine the private keys on one computer to get your coins out of savings then spend the whole balance (aka sweep) and don't use that same address anymore for savings. Consider it compromised.

Coder of: https://www.bitaddress.org      Thread
Open Source JavaScript Client-Side Bitcoin Wallet Generator
Donations: 1NiNja1bUmhSoTXozBRBEtR8LeF9TGbZBN   PGP
BkkCoins (OP)
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1009


firstbits:1MinerQ


View Profile WWW
December 27, 2012, 03:13:24 AM
 #32

Thanks for that. I was hoping you would make that tab useful for more than just the vanity pool idea. I think there's a number of interesting things split keys could be used for.

phillipsjk
Legendary
*
Offline Offline

Activity: 1008
Merit: 1001

Let the chips fall where they may.


View Profile WWW
September 29, 2013, 07:35:03 AM
Last edit: September 29, 2013, 05:47:29 PM by phillipsjk
 #33

Either system could be compromised in any way and as long as the same person/group didn't compromise both then they would never be able to use the partial keys alone.

You are describing how to generate a secure paper wallet on two compromised machines (that are not compromised by the same attacker).

May I ask what is the original purpose for that? If it was for the one paper wallet savings account that you occasionally withdraw from then, in order to sign the withdrawal transaction (which in your proposal is not a multisig), you are still faced with the problem of at least securely booting into a minimal OS (which you could then have used to the generate the paper wallet in the first place).
  

The split keys described here are useful where you (the user) may be one of the attackers. In the traditional banking system, it is typical for institutional checking accounts to have 4 or more signing authorities, where at least 2 are required to authorize a transaction. Using the rules outlined in this thread, it is possible to build an electronic "checkbook" such that 2 of 4 keyholders are required to sign a Bitcoin transaction. The outputs would go to the payee and the next "check" in the checkbook. That is to say, each "check" would be single use (and sequentially numbered to facilitate that).

My concept assumes that this description is correct:
The math works out fine for any number of keys, but the amount of exchanging of information between devices gets annoying:

Private key is A
Public key of A is A'
Public generator point of the Bitcoin elliptic curve is G.

Device 1:  Creates private key A.  Computes public key which is  A*G = A'
Device 2:  Creates private key B.  Computes public key which is  B*G = B'
Device 3:  Creates private key C.  Computes public key which is  C*G = C'

Ultimately, the combined private key will be A*B*C, and the public key will be (A*B*C)*G.   However, in order to do this, Device 3 needs to give device 2 its public key (C' = C*G).  Then Device 2 can produce B*(C*G)=(B*C)*G.  Then you transfer that to device 1 which can then produce A*(B*C)*G = (A*B*C)*G.   No one device has seen any private keys other than its own (so far).  Send coins to the address associated with that public key.

In order to create the private key, you just collect A, B and C onto the same computer and multiply to get (A*B*C).  Import that into a wallet and sign.  If you want to play with this, I recommend downloading Armory and run it in offline mode (because you won't actually use it for your wallet), then go to "Tools->ECDSA Calculator".  


In my example, I want to set up a Bitcoin checkbook such that 2 of 4 signers are required to authorize a transaction. For each 'check­', each person will generate a new, unique private key: that I will designate A, B, C, D. BB code does not support nested formatting, and I want to write in English rather the pseudo-code. That is why I am making it clear here that A, B, C, D are different for each check.

For each check (of which an arbitrary number can be generated ahead of time):
  • Generate a UNIQUE sequence number (stored in 'check')
  • Each person generates a random, private key on their own machines (A, B. C, D)
  • Each person computes their Public key: For example person 1 would; A*G = A'
  • Each person shares their public key with every other person.
  • Each pair of people generate a joint key:
   Person 1 Pairs with person 2: A*B'=(A*B)*G
    Person 1 Pairs with person 3: A*C'=(A*C)*G
    Person 1 Pairs with person 4: A*D'=(A*D)*G
    Person 2 Pairs with person 3: B*C'=(B*C)*G
    Person 2 Pairs with person 4: B*D'=(B*D)*G
    Person 3 Pairs with person 4: C*D'=(C*D)*G
  • Each pair of people now sends their newly computed public key to every person not in their group..
  • Each person encrypts their private key with the public key of every group for which they are not a member.
  • Each of the results from the previous step are stored in the 'check'.
  • The group generates a combined public key:
   Person 3 multiplies their private key with the public key of the first group: C*(A*B)*G=(A*B*C)*G
    Person 3 passes the result to person 4.
    Person 4 multiplies their private key with the previous result: D*(A*B*C)*G=(A*B*C*D)*G
    That result is stored in the 'check'
Edit: as a basic sanity check, Persons 1, 2 may want to do the same thing with the Person 3, 4 joint key. (and compare results)

To spend a 'check'
  • A pair of people share their private keys
  • They use their combined private key to decrypt the individual private keys encrypted with the combined public key
  • They typically generate a transaction with two outputs:
   1. To the recipient of the payment
    2. To the next 'check' in the 'checkbook' (randomizing the order may be wise, but may not do much if this output is always larger).


Notes:
  • Any participant can through malice or error hold all the funds ransom. I stopped trying to think of a work-around when I realized this applies to the two-person case as well. The parties should reasonably trust each other.
  • If I am not mistaken, the data storage requirements grow factorially with the number of participants. Strictly for small groups.
  • If you want to add or remove a signing authority, a new 'checkbook' must be generated. You would then spend the old 'checkbook' to the new one.
  • Because of the complexity and lack of fail-safes, I recommend testing any implementations on testnet first.

James' OpenPGP public key fingerprint: EB14 9E5B F80C 1F2D 3EBE  0A2F B3DE 81FF 7B9D 5160
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!