Finally, a Paper Bitcoin Wallet

[casascius]

I have come up with a simple way to keep your BTC safe from all kinds of threats.  It's impossible to delete, or to get hacked, and requires no skills or training to set up.  Meet my

Paper Bitcoin Wallet

For sale at http://casascius.com

Sample Here: http://166.70.147.8/btc/PaperWalletSample.pdf

Instructions:

1. Buy my Paper Bitcoin Wallet via PayPal, including your mailing address in the order.  It's $5, my PayPal is mcaldwell at mc2cs.com.  (Each sheet is unique, of course).
2. When you receive it, have your Bitcoins sent to any of the addresses printed on the page.
3. When ready to spend your Bitcoins, redeem exactly the same way you would a BitBill.

Q. How many addresses do I get?

A. The sheet for $5 has 9 Bitcoin addresses and their corresponding keys.  For $10, you can get four sheets (36 addresses).  Worldwide letter-mail postage is included.

Q. How does it work?

A. Generating addresses requires no contact with the network.  An address is a public and private key.  In this case, I am merely providing you both keys on a piece of paper.

Q. Do you keep a copy of my keys?

A. No.  I am not keeping a copy of anything - neither the public nor private keys.  Once I mail it, it's gone.

Q. Don't I have to trust you?

A. Yes, because anyone who knows the private key can spend the coins sent to the matching bitcoin address. However, anytime you send bitcoins to a website, you're trusting the owner of that website.  You are also trusting them not to get hacked.  I have a good reputation on the forums and on OTC, and my paper wallet is unhackable.  And I am willing to hand-sign and include an actual physical fingerprint on each page I send out, as well as on the envelope.  (That protects me too, in case someone else were to make paper wallets just like me).  I am providing this service because I believe many people would rather trust me than trust that the Bitcoins on their computer won't get lost, hacked, stolen, corrupted, or otherwise destroyed.  I promise I am not out to scam you.  I am not keeping a copy of your keys.

Q. How can you be so sure they are hackproof?

A. I have followed a very specific safe procedure to produce these.  I have generated these addresses into a brand new wallet using Bitcoin on a computer booted from a Linux Live CD with no internet connection, saved the export to a flash drive using Sipa's import/export patch, formatted them into a report with Microsoft Access, and printed them on a directly-connected printer following a fresh install of Windows and Access.  After production, I used Linux to overwrite the entire Windows hard drive, and then destroyed the USB flash drive with a hammer.  At no point did any of this equipment ever connect to the Internet, and I keep the remaining sheets locked in a safe.  Each address is sequentially numbered so I can be sure there are no duplicate pages, etc.  Only one person can possibly screw it up - ME - and I promise I'm doing this right.

Q. Couldn't I just do this myself?

A. Of course.  The easiest way is to install Sipa's patched version, generate a fresh wallet, use the "walletdump" RPC command to spit all the keys to a text file, and then print it.  Do this with the network unplugged, and delete it when you're done, to keep the possibility of a hacker getting at it as close to zero as possible.  By buying my sheet, I am saving you the hassle.

Q. Why are you taking PayPal and not BTC?  We hate PayPal!

A. This is to help newcomers get up to speed.  Sure, I'll take BTC, just e-mail me, but I expect many people interested in a paper wallet may not yet have BTC and are looking for a safe place to keep it.

Q. Why would anybody want a paper wallet?

A. With all the hacking lately, as well as scares and losses due to computer crashes or malfunctions, a paper wallet is a very effective way to limit one's exposure.  They already exist - a BitBill is an example of a paper wallet which just happens to be designed in a way that requires you to tear apart the card to see the private key.  I expect that offline paper wallets will become more common for average users as these threats become stronger, and that Bitcoin clients to come will make it easy both to import them and to easily print new ones.

Q. How do I know the balance of funds on each address?

A. Look it up on BlockExplorer.com.

Q. How do I redeem them?

A. The procedure is exactly the same for redeeming BitBills (except that you don't have to scan anything with your cell phone).  Presently, you need to run a patched version of Bitcoin to import the private key.  I am anticipating that at least one major exchange site will soon offer the ability to make BTC deposits by providing a private key.  Be aware that until then, re-importing Bitcoins into a digital wallet is not easy enough for Grandma, so this is a better "savings" wallet than a "checking" wallet.

Q. How many times can I use each address?

A. You can use it for receiving as many times as you want, but once you divulge the private key, you can no longer be certain that you are the only person who knows it.  Once you type the private key into a computer, use a new address.

EDIT: added link to info page at casascius.com, changed addresses per sheet to 9

[1714626137]

1714626137

[1714626137]

1714626137

[1714626137]

1714626137

[1714626137]

1714626137

[done]

interesting concept. a bank of sorts. i wish you the best of luck in this complex business.

[casascius]

interesting concept. a bank of sorts. i wish you the best of luck in this complex business.

I'm not storing any balances or handling any funds - I am printing randomly generated numbers on paper, mailing them out, and forgetting about them, promising not to keep a copy.  Once I send out a sheet, it's completely out of my hands.

[tymothy]

This is interesting, but still too complicated and messy for the average Joe.

[TheVirus]

interesting concept. a bank of sorts. i wish you the best of luck in this complex business.

I'm not storing any balances or handling any funds - I am printing randomly generated numbers on paper, mailing them out, and forgetting about them, promising not to keep a copy.  Once I send out a sheet, it's completely out of my hands.

We're to trust you not to keep them? Nope, not going to happen. No one in their right mind would trust an unknown 3rd party with full access. No offense, but this seems like a clear money-grab since the keys are a one-time use. Furthermore, this concept is not simple-for-grandma. A grandma isn't going to know what a private key is, how to use BlockExplorer, or know how to spend the money.

[MiningBuddy]

interesting concept. a bank of sorts. i wish you the best of luck in this complex business.

I'm not storing any balances or handling any funds - I am printing randomly generated numbers on paper, mailing them out, and forgetting about them, promising not to keep a copy.  Once I send out a sheet, it's completely out of my hands.

We're to trust you not to keep them? Nope, not going to happen. No one in their right mind would trust an unknown 3rd party with full access. No offense, but this seems like a clear money-grab since the keys are a one-time use. Furthermore, this concept is not simple-for-grandma. A grandma isn't going to know what a private key is, how to use BlockExplorer, or know how to spend the money.

Or the modified bitcoin client.
Just seems like a half baked idea stolen from bitbills.

[casascius]

We're to trust you not to keep them? Nope, not going to happen. No one in their right mind would trust an unknown 3rd party with full access.

I take it you don't use any trading websites, and are part of the unbanked population.  And you probably have no interest in BitBills for the same reason.  Sure, if you know nothing about me and have no reason to trust me, that's a fair assessment, but others do know enough about me and consider knowing my real identity a positive factor in favor of trusting me, and...

No offense, but this seems like a clear money-grab since the keys are a one-time use.

...please avoid calling me a thief based on this sloppy non-sequitur.  What does one-time-use have to do with your assumption that this is an attempt to steal?  How many people in this community have I done business with, and how many have I stolen from?

Or the modified bitcoin client.
Just seems like a half baked idea stolen from bitbills.

Ahh, the notion that I'm stealing something.  What, exactly?  By the way, Bitbills are a great product, if you are willing to wait 3 months to order some.  And Bitbills are a legit product too - I have bought some, and redeemed most of them, and can attest that every Bitbill I redeemed contains exactly the balance it said it did.  I trust Bitbills enough that I am holding a significant balance on one and not my computer (1QEk8SCapWttMxSjes5gWm3MtL3MSZcSAN).  Now how exactly am I stealing from Bitbills?  Doug (@bitbills)?  Am I stealing from you?

The only other noteworthy difference is that your cost per address is lower with my offering than on a Bitbill, which probably is related to the fact that Bitbills - given that they're meant to be durable and protect the private key from snooping - take much more to produce.

[Serge]

interesting idea
just want to point out, there is a discrepancy in OP, at one time you said you'll destroy all tracks of private keys on the other hand you said you're keeping copy of private keys in a safe.    

[Nescio]

Silly idea You expect grandmas not just to type in 160 bit random case hashes but also private keys (and patch a client). Does the client even validate these against eachother? And what if grandma makes a typo just using an address (before any validation)? Poof, balance gone.

You also replaced a) security of one system by a) security of another, b) the postal network the sheets are sent over and c) trust in a third party. Doesn't sound like an improvement to me.

[Bunghole]

interesting idea
just want to point out, there is a discrepancy in OP, at one time you said you'll destroy all tracks of private keys on the other hand you said you're keeping copy of private keys in a safe.    

He said he's keeping the "remaining sheets" in his safe - i.e. the ones that haven't been sold yet.

[casascius]

Silly idea You expect grandmas not just to type in 160 bit random case hashes but also private keys (and patch a client).

No, as previously noted, I expect one of the major exchanges to offer a place to type these in, so Grandma doesn't have to.  Inevitably the bitcoin client will offer the same thing.  Same thing is needed for BitBills.

Does the client even validate these against eachother? And what if grandma makes a typo just using an address (before any validation)? Poof, balance gone.

There is validation built in.  Just like Bitcoin addresses, 32 of the bits are a SHA256-based check code.  The odds of the client accepting a typo are 4-billion-to-one, and that's assuming the address is still well-formed after the typo.

The client doesn't have to validate the public key against the private one.  Only the private key actually needs to be entered, the bitcoin client automatically calculates the public address from the private key.

You also replaced a) security of one system by a) security of another, b) the postal network the sheets are sent over and c) trust in a third party. Doesn't sound like an improvement to me.

If you think that the likelihood of a letter carrier knowing your envelope contained Bitcoin keys, reading your keys through a security envelope, importing them into his bitcoin wallet, and spending them, is greater than the likelihood of you encountering malware on your system anytime soon that emails your wallet.dat, keylogs any encryption passwords you use, and provides remote control of your computer to a hacker, then you have a well-founded concern.

[Bunghole]

It seems to me that the average person is not going to use Bitcoins until some large publicly-trusted entity, like Amazon or Apple, starts offering accounts.  We all have to realize how different our perspective, experience, and skills are from the average person, who can barely do email, Skype, and online shopping.  And encryption?  Fuggedaboutit.

[royalecraig]

Fire !!!!!!

[kwukduck]

It will be easier for grandma if the key import/export feature would finally be pushed to the main client
Then everybody can do this in a second.

[Nescio]

No, as previously noted, I expect one of the major exchanges to offer a place to type these in, so Grandma doesn't have to.

I haven't seen a mention of that, but you only add another party to trust to the mix with it. Grandma is better off going to a (Bitcoin) bank and having nothing to do with any of the underlying technology whatsoever. If she needs to pay for something in Bitcoin, banks offer APIs to merchants for integration of the bank's own payment environment with which customers are already familiar (customer only selects bank she uses on the merchant's site). This system has been in use for half a decade, that I know of.

There is validation built in.  Just like Bitcoin addresses, 32 of the bits are a SHA256-based check code.

Good, I didn't know that. I presume that means the regular client rejects randomly typed (but well formed) addresses.

The client doesn't have to validate the public key against the private one.  Only the private key actually needs to be entered, the bitcoin client automatically calculates the public address from the private key.

Ok, so the customer does the validation by visual comparison of the resulting address and the client rejects the private key with a confidence of 4 billion to 1. That's sufficient. My gripe for this point shrinks to it being too much hassle, still a major point for grandma I think (those with elderly family determined to learn the difference between left and right mouse button know what I'm talking about ).

If you think that the likelihood of a letter carrier knowing your envelope contained Bitcoin keys, reading your keys through a security envelope, importing them into his bitcoin wallet, and spending them, is greater than the likelihood of you encountering malware on your system anytime soon that emails your wallet.dat, keylogs any encryption passwords you use, and provides remote control of your computer to a hacker, then you have a well-founded concern.

The likelihood of actually having a compromised system (50%) compared to the possibility of having a compromised system ('100%') is also lower, but it doesn't mean it doesn't exist. Why 100%? The private key relies on security by obscurity, which can by definition never be fully guaranteed. If you're unlucky, some corrupt postal worker might happen upon one of your letters and scan all of your outgoing mail afterwards. This risk is not mitigated by a simple security envelope. Adding any links to the chain means lowering the chain's security.

[elggawf]

It will be easier for grandma if the key import/export feature would finally be pushed to the main client
Then everybody can do this in a second.

... and if it printed QR codes as well, with the ability to load them into a wallet in an automated fashion.

Trusting someone else to print you out wallet private keys is just insane - even if the OP of this thread is trustworthy, it sets a dangerous precedent allowing any asshole scammer to come along and repeat the trick.

[casascius]

Trusting someone else to print you out wallet private keys is just insane - even if the OP of this thread is trustworthy, it sets a dangerous precedent allowing any asshole scammer to come along and repeat the trick.

I have added a means to verify that my sheets are genuine, I'm stamping them with my own fingerprint.  See http://casascius.com for a reference fingerprint.

By doing so, at least I have raised the bar upon any asshole scammer.  I at least have a real life identity to put on the line!... something scammers are rarely willing to offer.

[Shinobi]

I can't even begin to understand how you could think that this would be a viable business.

[unk]

Trusting someone else to print you out wallet private keys is just insane - even if the OP of this thread is trustworthy, it sets a dangerous precedent allowing any asshole scammer to come along and repeat the trick.

I have added a means to verify that my sheets are genuine, I'm stamping them with my own fingerprint.  See http://casascius.com for a reference fingerprint.

By doing so, at least I have raised the bar upon any asshole scammer.  I at least have a real life identity to put on the line!... something scammers are rarely willing to offer.

but now, anyone else can include your fingerprint on their own sheets.

since trust isn't needed for a product in this niche, it's unfortunate to require it. for example, you might just package and sell an open-source version of grondilu's script (or write your own simple front-end to openssl) connected to some small additional code that generates a pdf from the output. on a system with the right tools, it's a ten-line shell script. of course, your customers might copy it to their friends without a license from you, but that risk seems easier to price than the risk that you'd retain clients' keys forever and, some time far from now, simply steal bitcoins untraceably.

alternatively, given the nature of ecdsa keys, you could let customers construct something printable on a website while provably not having access to their private keys. see gavin's 'split private keys' discussion in the development forum, from which you can extrapolate what you need. (being out of practice with the mathematical rather than the systems-related features of cryptosystems, i did not initially realise myself how easy it was to do this, but it's quite straightforward.)

[casascius]

but now, anyone else can include your fingerprint on their own sheets.

5 BTC bounty to the maker of a convincing spoof.

I actually smudge ink on the paper to do this.  It's not as though I'm printing "fingerprint.jpg" on the document.  The print is real.

since trust isn't needed for a product in this niche, it's unfortunate to require it. for example, you might just package and sell an open-source version of grondilu's script (or write your own simple front-end to openssl) connected to some small additional code that generates a pdf from the output.

I could, but that raises the bar well above the target audience.  Lots of people without technical interest want bitcoins.  Running scripts sounds easy for me, but many people interested in Bitcoins can't be bothered to have to deal with installing the client, and are scared to swim in deep waters after hearing that hackers and viruses are after their wallet.dat's.  But most people can manage "buy now with paypal", as well as deal with a credible and provable assertion that the one guy who made their hacker proof wallet isn't going to stiff them.