Bitcoin Forum
March 24, 2023, 02:10:19 AM *
News: Latest Bitcoin Core release: 24.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: Using a One-time Pad to encrypt a paper wallet Private Keys  (Read 2827 times)
dunand (OP)
Hero Member
*****
Offline Offline

Activity: 637
Merit: 502



View Profile
May 21, 2013, 01:14:13 AM
Last edit: May 21, 2013, 02:38:18 AM by dunand
 #1

I don't like the idea of keeping a paper wallet with all the private keys unencrypted. Until Bip38 is officially implemented on bitaddress.org I made a bitaddress fork to encrypt the private keys of a paper wallet with a One-time pad. I would like your input if it's a safe way to store a paper wallet?



You need to print your paper wallet and the One-time pad and keep them in separate location. That way, a burglar would need to find both the OTP and the paper wallet to steal your Bitcoins. To generate the encrypted private key I only need to iterate on all characters of the private key and the corresponding character in the OTP and do:
charXEncryptedPrivateKey = charXPrivateKey + charXOTP % 58
To decrypt it's simply the opposite:
charXPrivateKey = charXEncryptedPrivateKey - charXOTP % 58

Here is an example :
Code:
Bitcoin address
13qrqNGow1bo58J8zhhDvB5oWuATAMTBPR
One-time pad
1HzQvNfxF6Xn27cpdKupr1z88b2LJZcs9EtqFmXkhiVcJ1gtSPa
private key
5HqFEfJBuwHy7pqokcKBGPbfphYAtZummUzfh6EhpQqSsv9A8hD
Encrypted private key
5Zpe92x892ok8vScNvDz7PanwHZVB7WduhsVwrkSW7K3Avp3Z5n


I like the OTP encryption because I can decrypt the private key manually with pencil and paper if I need to. For convenience and testing I made a simple Perl script to decrypt the private key using the encrypted private key and the OTP.


1679623819
Hero Member
*
Offline Offline

Posts: 1679623819

View Profile Personal Message (Offline)

Ignore
1679623819
Reply with quote  #2

1679623819
Report to moderator
1679623819
Hero Member
*
Offline Offline

Posts: 1679623819

View Profile Personal Message (Offline)

Ignore
1679623819
Reply with quote  #2

1679623819
Report to moderator
"Bitcoin: mining our own business since 2009" -- Pieter Wuille
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1679623819
Hero Member
*
Offline Offline

Posts: 1679623819

View Profile Personal Message (Offline)

Ignore
1679623819
Reply with quote  #2

1679623819
Report to moderator
oakpacific
Hero Member
*****
Offline Offline

Activity: 784
Merit: 1000


View Profile
May 21, 2013, 06:44:01 AM
 #2

Looks interesting. What's your random number source?

https://tlsnotary.org/ Fraud proofing decentralized fiat-Bitcoin trading.
Insti
Sr. Member
****
Offline Offline

Activity: 294
Merit: 252


Firstbits: 1duzy


View Profile
May 21, 2013, 10:49:52 AM
 #3

1. Since private keys start with 5, you're going to be leaking the first digit of your OTP.
2. Using your OTP more than once can lead to it being compromised. You're lucky that the underlying private key data is random, but you're in trouble if one of your private keys is discovered.


dunand (OP)
Hero Member
*****
Offline Offline

Activity: 637
Merit: 502



View Profile
May 21, 2013, 01:06:39 PM
 #4

Looks interesting. What's your random number source?

The one-time pad is a randomly generated private key where the beginning "5" is changed for a "1". Because I wanted the encrypted private key to start with a 5 like a regular private key. I will probably change the printed version to only print the encrypted private keys without the corresponding public address. This way a burglar will think this is only a non-funded paper wallet.
dunand (OP)
Hero Member
*****
Offline Offline

Activity: 637
Merit: 502



View Profile
May 21, 2013, 01:21:12 PM
Last edit: May 21, 2013, 01:48:09 PM by dunand
 #5

1. Since private keys start with 5, you're going to be leaking the first digit of your OTP.
2. Using your OTP more than once can lead to it being compromised. You're lucky that the underlying private key data is random, but you're in trouble if one of your private keys is discovered.

I know the first digit of the OTP is leaked. Is a private key really random appart from the first 5? If not the OTP can be compromised.
I know you should never use a OTP more than once but I think it's ok with private keys has long has no unencrypted private key is leaked.

Edit : After rethinking about what you said Insti.  I should generate a different OTP for each private keys. This way I don't have to worry. I also found out that a private key is not completely random. Because of this I will generate the OTP randomly without using another private key.

Nearly every 256-bit number is a valid private key. Specifically, any 256-bit number between 0x1 and 0xFFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141 is a valid private key.

The range of valid private keys is governed by the secp256k1 ECDSA standard used by Bitcoin.
jackjack
Legendary
*
Offline Offline

Activity: 1176
Merit: 1185


May Bitcoin be touched by his Noodly Appendage


View Profile
May 21, 2013, 03:46:27 PM
 #6

This way a burglar will think this is only a non-funded paper wallet.
No, because the checksum won't correspond. The burglar will think the key isn't correctly formatted.

I also found out that a private key is not completely random.
That doesn't make any sense
A number can't be random

Own address: 19QkqAza7BHFTuoz9N8UQkryP4E9jHo4N3 - Pywallet support: 1AQDfx22pKGgXnUZFL1e4UKos3QqvRzNh5 - Bitcointalk++ script support: 1Pxeccscj1ygseTdSV1qUqQCanp2B2NMM2
Pywallet: instructions. Encrypted wallet support, export/import keys/addresses, backup wallets, export/import CSV data from/into wallet, merge wallets, delete/import addresses and transactions, recover altcoins sent to bitcoin addresses, sign/verify messages and files with Bitcoin addresses, recover deleted wallets, etc.
nybble41
Full Member
***
Offline Offline

Activity: 152
Merit: 100


View Profile
May 21, 2013, 06:18:41 PM
 #7

I know you should never use a OTP more than once but I think it's ok with private keys has long has no unencrypted private key is leaked.
If you use the key more than once then it isn't a One-Time Pad. It's one step above a substitution cipher, and if any of your unencrypted private keys ever does leak, so will the encryption key. It's possible that someone more experienced with cryptoanalysis than myself could even derive the encryption key from multiple encrypted private keys. The whole point of a OTP is that you use one bit of unique, never-used-elsewhere entropy to encrypt each bit of the message. The fact that each bit of the pad is unrelated to anything else the attacker might know is what makes an OTP resistant to cryptoanalysis.
Hawkix
Hero Member
*****
Offline Offline

Activity: 531
Merit: 505



View Profile WWW
May 21, 2013, 06:26:30 PM
 #8

I don't like the idea of keeping a paper wallet with all the private keys unencrypted. Until Bip38 is officially implemented on bitaddress.org I made a bitaddress fork to encrypt the private keys of a paper wallet with a One-time pad. I would like your input if it's a safe way to store a paper wallet?

Sorry for a bit OT question, but why hasn't been BIP0038 officially implemented into bitaddress.org? In the Github, there is finalized version (2.5 if I recall correctly) for more than month, which works pretty fine.

Also, working from saved HTML on disc with disconnected network is always a bit safer.

Donations: 1Hawkix7GHym6SM98ii5vSHHShA3FUgpV6
http://btcportal.net/ - All about Bitcoin - coming soon!
NielDLR
Member
**
Offline Offline

Activity: 95
Merit: 10



View Profile WWW
May 22, 2013, 01:17:58 AM
 #9

I don't like the idea of keeping a paper wallet with all the private keys unencrypted. Until Bip38 is officially implemented on bitaddress.org I made a bitaddress fork to encrypt the private keys of a paper wallet with a One-time pad. I would like your input if it's a safe way to store a paper wallet?

Sorry for a bit OT question, but why hasn't been BIP0038 officially implemented into bitaddress.org? In the Github, there is finalized version (2.5 if I recall correctly) for more than month, which works pretty fine.

Also, working from saved HTML on disc with disconnected network is always a bit safer.

I was also wondering the same thing.

I've since implemented my own fork as well using AES encryption with a passphrase/password. Just adds one more level of paranoia security. The fork is heavily customized for own purposes (custom interface) but if anyone else wants to use it too go ahead: Icecap. I'm going to make it bit more cleaner in the future. (My corresponding blog post if anyone is curious)

The Cypherfunks - A decentralized band and cryptocurrency. The first cryptocollective.
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!