Using a One-time Pad to encrypt a paper wallet Private Keys

[dunand]

I don't like the idea of keeping a paper wallet with all the private keys unencrypted. Until Bip38 is officially implemented on bitaddress.org I made a bitaddress fork to encrypt the private keys of a paper wallet with a One-time pad. I would like your input if it's a safe way to store a paper wallet?



You need to print your paper wallet and the One-time pad and keep them in separate location. That way, a burglar would need to find both the OTP and the paper wallet to steal your Bitcoins. To generate the encrypted private key I only need to iterate on all characters of the private key and the corresponding character in the OTP and do:
charXEncryptedPrivateKey = charXPrivateKey + charXOTP % 58
To decrypt it's simply the opposite:
charXPrivateKey = charXEncryptedPrivateKey - charXOTP % 58

Here is an example :

Code:

Bitcoin address
13qrqNGow1bo58J8zhhDvB5oWuATAMTBPR
One-time pad
1HzQvNfxF6Xn27cpdKupr1z88b2LJZcs9EtqFmXkhiVcJ1gtSPa
private key
5HqFEfJBuwHy7pqokcKBGPbfphYAtZummUzfh6EhpQqSsv9A8hD
Encrypted private key
5Zpe92x892ok8vScNvDz7PanwHZVB7WduhsVwrkSW7K3Avp3Z5n

I like the OTP encryption because I can decrypt the private key manually with pencil and paper if I need to. For convenience and testing I made a simple Perl script to decrypt the private key using the encrypted private key and the OTP.

[1715209975]

1715209975

[1715209975]

1715209975

[1715209975]

1715209975

[1715209975]

1715209975

[oakpacific]

Looks interesting. What's your random number source?

[Insti]

1. Since private keys start with 5, you're going to be leaking the first digit of your OTP.
2. Using your OTP more than once can lead to it being compromised. You're lucky that the underlying private key data is random, but you're in trouble if one of your private keys is discovered.

[dunand]

Looks interesting. What's your random number source?

The one-time pad is a randomly generated private key where the beginning "5" is changed for a "1". Because I wanted the encrypted private key to start with a 5 like a regular private key. I will probably change the printed version to only print the encrypted private keys without the corresponding public address. This way a burglar will think this is only a non-funded paper wallet.

[dunand]

1. Since private keys start with 5, you're going to be leaking the first digit of your OTP.
2. Using your OTP more than once can lead to it being compromised. You're lucky that the underlying private key data is random, but you're in trouble if one of your private keys is discovered.

I know the first digit of the OTP is leaked. Is a private key really random appart from the first 5? If not the OTP can be compromised.
I know you should never use a OTP more than once but I think it's ok with private keys has long has no unencrypted private key is leaked.

Edit : After rethinking about what you said Insti.  I should generate a different OTP for each private keys. This way I don't have to worry. I also found out that a private key is not completely random. Because of this I will generate the OTP randomly without using another private key.

Nearly every 256-bit number is a valid private key. Specifically, any 256-bit number between 0x1 and 0xFFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141 is a valid private key.

The range of valid private keys is governed by the secp256k1 ECDSA standard used by Bitcoin.

[jackjack]

This way a burglar will think this is only a non-funded paper wallet.

No, because the checksum won't correspond. The burglar will think the key isn't correctly formatted.

I also found out that a private key is not completely random.

That doesn't make any sense
A number can't be random

[nybble41]

I know you should never use a OTP more than once but I think it's ok with private keys has long has no unencrypted private key is leaked.

If you use the key more than once then it isn't a One-Time Pad. It's one step above a substitution cipher, and if any of your unencrypted private keys ever does leak, so will the encryption key. It's possible that someone more experienced with cryptoanalysis than myself could even derive the encryption key from multiple encrypted private keys. The whole point of a OTP is that you use one bit of unique, never-used-elsewhere entropy to encrypt each bit of the message. The fact that each bit of the pad is unrelated to anything else the attacker might know is what makes an OTP resistant to cryptoanalysis.

[Hawkix]

I don't like the idea of keeping a paper wallet with all the private keys unencrypted. Until Bip38 is officially implemented on bitaddress.org I made a bitaddress fork to encrypt the private keys of a paper wallet with a One-time pad. I would like your input if it's a safe way to store a paper wallet?

Sorry for a bit OT question, but why hasn't been BIP0038 officially implemented into bitaddress.org? In the Github, there is finalized version (2.5 if I recall correctly) for more than month, which works pretty fine.

Also, working from saved HTML on disc with disconnected network is always a bit safer.

[NielDLR]

I don't like the idea of keeping a paper wallet with all the private keys unencrypted. Until Bip38 is officially implemented on bitaddress.org I made a bitaddress fork to encrypt the private keys of a paper wallet with a One-time pad. I would like your input if it's a safe way to store a paper wallet?

Sorry for a bit OT question, but why hasn't been BIP0038 officially implemented into bitaddress.org? In the Github, there is finalized version (2.5 if I recall correctly) for more than month, which works pretty fine.

Also, working from saved HTML on disc with disconnected network is always a bit safer.

I was also wondering the same thing.

I've since implemented my own fork as well using AES encryption with a passphrase/password. Just adds one more level of paranoia security. The fork is heavily customized for own purposes (custom interface) but if anyone else wants to use it too go ahead: Icecap. I'm going to make it bit more cleaner in the future. (My corresponding blog post if anyone is curious)