How do paper wallets work?

[coinchase]

I'm interested in learning how a private key/ public key pair can be created independent from internet access, and still correspond correctly while being safe from being figured out if someone else knows the public key.

What is actually going on with a key pair? How can there be an association between the two addresses without there being an equation to decipher the private key using the public key?

I'm posting this in the newbie forum because I don't know where else this question would be appropriate.

Thanks!

[8bitPunk]

The best article I've read on the topic was written by Coding In My Sleep: http://codinginmysleep.com/bitcoin-cold-storage-in-plain-english/

What is actually going on with a key pair? How can there be an association between the two addresses without there being an equation to decipher the private key using the public key?

To directly answer your question, offline webpages are a convenient way to generate a private/public key pair without a trace:

First, bitaddress.org is an excellent and accessible tool. Despite looking like a normal web page with multiple tabs, the whole thing is written in such a way that once it’s loaded it never needs internet access again. You can go to the page, completely disconnect your computer from the net and it will still work.

I recommend reading the whole article. Hope this helps.

[mandelmus]

I had the same question, thanks for the link

[coinchase]

That's a good article. I didn't realize bitaddress.org doesn't need internet access to work. That's good to know. But I still can't quite wrap my mind around how a public/private pairing works.

Here's my question:

Suppose I am offline, with a computer that loaded bitaddress.org but have no access to the internet at all. I generate/print a public/private key pair. Then, on another computer, I send 1 BTC to the public address. At this point I have "loaded" my paper wallet correct? That 1 BTC is now in that public address.

My question is, where/how is that public address associated with my private key besides on the piece of paper I printed? How can me entering in the private key possibly grant me access to the public address if the associated key pair is created separate from the bitcoin network? (I obviously do not have a full grasp on how the blockchain/confirmation system works, but I do want to understand this concept)

[odolvlobo]

That's a good article. I didn't realize bitaddress.org doesn't need internet access to work. That's good to know. But I still can't quite wrap my mind around how a public/private pairing works.

Here's my question:

Suppose I am offline, with a computer that loaded bitaddress.org but have no access to the internet at all. I generate/print a public/private key pair. Then, on another computer, I send 1 BTC to the public address. At this point I have "loaded" my paper wallet correct? That 1 BTC is now in that public address.

My question is, where/how is that public address associated with my private key besides on the piece of paper I printed? How can me entering in the private key possibly grant me access to the public address if the associated key pair is created separate from the bitcoin network? (I obviously do not have a full grasp on how the blockchain/confirmation system works, but I do want to understand this concept)

The public key is derived from the private key. If you know the private key, you can figure out the public key, but not the other way around. If you have a private key, you can prove that you control the public key, and that is what allows you to spend the money at that address.

[rumbitla]

1. Throw a coin 256 times, to get the private key, one side represents 1, the other coin's side represents 0. This will give you highly random 256bit key in binary format. Example: 1000111100110100010100010100011011100100100010100000111110000010110011000010010 1111100111101010011011111011100110010011001001011101101011110000011101101100010 1001110011110110010001100111010110001010100000010000001001110111011111111101100 1000110000011000001

2. Turn this binary into hex format:
1000 = 8
1111 = F
0011 = 3
0100 = 4
and so on...
You get: 8F345146E48A0F82CC25F3D4DF73264BB5E0ED8A73D919D62A0409DDFF6460C1

3. Turn hex format into base58 format:
5JuMYZ24eYPvjdXNWdDDz4eA9MC3ekgwHMUwpK41J5ANd2t2LE1
Address: 1KxKa6tGYJNUgHLQbDiT9PXAJcYhm7PC76


There you have your mega secure coin randomized offline paper wallet Bitcoin key and address.

[sacko]

1. Throw a coin 256 times, to get the private key, one side represents 1, the other coin's side represents 0. This will give you highly random 256bit key in binary format. Example: 1000111100110100010100010100011011100100100010100000111110000010110011000010010 1111100111101010011011111011100110010011001001011101101011110000011101101100010 1001110011110110010001100111010110001010100000010000001001110111011111111101100 1000110000011000001

2. Turn this binary into hex format:
1000 = 8
1111 = F
0011 = 3
0100 = 4
and so on...
You get: 8F345146E48A0F82CC25F3D4DF73264BB5E0ED8A73D919D62A0409DDFF6460C1

3. Turn hex format into base58 format:
5JuMYZ24eYPvjdXNWdDDz4eA9MC3ekgwHMUwpK41J5ANd2t2LE1
Address: 1KxKa6tGYJNUgHLQbDiT9PXAJcYhm7PC76

There you have your mega secure coin randomized offline paper wallet Bitcoin key and address.

Thanks, nice explanation

[J35st3r]

And you can plug the address into blockexplorer (or blockinfo.org) to check the transaction history and balance ...

http://blockexplorer.com/address/1KxKa6tGYJNUgHLQbDiT9PXAJcYhm7PC76

You can save bitaddress.org to a file (or just download it from github), so your offline computer does not even need to be temporarily connected to the internet. Also a LiveCD linux boot disk is recommended so you do not leave any trace. Alternatively a VM like VirtualBox or VMWare can be used on your normal computer (though with a slightly greater risk of malware sniffing your keys).

Another useful toy is vanitygen, which does exactly the same job but lets you select the firstbits (see my sig for example). You can plug the generated private key address into the wallet details tab of bitaddress to get the full details of the key pair (eg public key address for signing).

Paper wallets are a bit trickier to use for spending as you need to import the private key into a wallet, one of the online ones is probably easiest to use. But be sure to send the entire balance to a new paper wallet after your transaction as your private key has now been exposed to the wallet provider (or a keylogger if you tediously typed it in) and will be at risk of theft. There is also the matter of "change" as some wallets (eg bitcoin_qt) send this to a NEW address within the wallet, not back to your original paper wallet. So if you don't know for sure how it works you may even lose all your bitcoin if you lose access to that wallet. I recommend you get familiar with the entire process first (using small amounts of coin that you can afford to lose) before committing your life savings 

[8bitPunk]

My question is, where/how is that public address associated with my private key besides on the piece of paper I printed?

This is really the heart of cryptography - As demonstrated by rumbilita, the random input (step 1) is used as a basis for your private key (step 2) and this is used as a basis for the public key (step 3). There is a consistent method to produce the private key, which will consistently match to the public key. It is not possible for anyone else to reverse the method to produce the private key, so your private key alone is sufficient to grant access to the bitcoin wallet.

The only trap (as mentioned in the article) is if you don't use a unique input to produce the private key. Aside from that, there are very slim chances that another person could produce the same private/public key pair.

Suppose I am offline, with a computer that loaded bitaddress.org but have no access to the internet at all. I generate/print a public/private key pair. Then, on another computer, I send 1 BTC to the public address. At this point I have "loaded" my paper wallet correct? That 1 BTC is now in that public address.

Correct, at that point the bitcoin blockchain has recorded a transaction of 1 BTC to the public address. At any time in the future, you can submit another transaction to send that 1 BTC to another public address, and all that is required to authorize the transaction is your private key. That is why protecting your private key is imperative, if someone gets your private key the first thing they will do is send all the bitcoins out of your wallet to a public address they control.

[bitleif]

Suppose I am offline, with a computer that loaded bitaddress.org but have no access to the internet at all. I generate/print a public/private key pair. Then, on another computer, I send 1 BTC to the public address. At this point I have "loaded" my paper wallet correct? That 1 BTC is now in that public address.

You have not really "loaded" anything - there IS no connection with your private key or your wallet, yet. All that has happened is that the 1 BTC has been registered as "belonging" to that public key in the blockchain. This just tells everyone on the network that this money can't be reused until someone shows up with a private key that's able to generate the same public key. IOW, the money is now "locked" from further use.

And that's the deal. ANYONE who shows up with a private key matching that public key are now allowed to spend that money. However, you are the only person able to do that, because you generated the keys in the first place. The way the system works makes it mathematically very very difficult for anyone else to create a matching private key.

You may also want to check out http://en.wikipedia.org/wiki/Public-key_cryptography.

[b!z]

Great explanation, thanks.

[awsww]

I think it's using cryptography + printer to save the keys... 

[BlIiTtZz]

Thanks so much for sharing; I've wondered about this for a while and the article from Perry looks great.

Best read in conjunction with the other posts here though! [:

[NoBit]

1. Throw a coin 256 times, to get the private key, one side represents 1, the other coin's side represents 0. This will give you highly random 256bit key in binary format. Example: 1000111100110100010100010100011011100100100010100000111110000010110011000010010 1111100111101010011011111011100110010011001001011101101011110000011101101100010 1001110011110110010001100111010110001010100000010000001001110111011111111101100 1000110000011000001

2. Turn this binary into hex format:
1000 = 8
1111 = F
0011 = 3
0100 = 4
and so on...
You get: 8F345146E48A0F82CC25F3D4DF73264BB5E0ED8A73D919D62A0409DDFF6460C1

3. Turn hex format into base58 format:
5JuMYZ24eYPvjdXNWdDDz4eA9MC3ekgwHMUwpK41J5ANd2t2LE1
Address: 1KxKa6tGYJNUgHLQbDiT9PXAJcYhm7PC76


There you have your mega secure coin randomized offline paper wallet Bitcoin key and address.

is this really going to work? how do you get an offline address after having the private key?

[J35st3r]

is this really going to work? how do you get an offline address after having the private key?

Well you wouldn't do it by hand (like tossing a coin 256 times), though this would work and give you a valid private key.

You use bitaddress.org or vanitygen, which generates the random private key, does all the conversions and also (the step rumbitla left out), creates the address from the private key using some tricksy math.

Or if you did do all that coin tossing, just plug the hex value (64 hex characters) into the wallet details tab of bitaddress.org to do the conversions for you.

[Bitcoin Merchant]

Paper wallets can be USB to

[NoBit]

is this really going to work? how do you get an offline address after having the private key?

Well you wouldn't do it by hand (like tossing a coin 256 times), though this would work and give you a valid private key.

You use bitaddress.org or vanitygen, which generates the random private key, does all the conversions and also (the step rumbitla left out), creates the address from the private key using some tricksy math.

Or if you did do all that coin tossing, just plug the hex value (64 hex characters) into the wallet details tab of bitaddress.org to do the conversions for you.

let's just say I don't trust bit address.org, do I have other alternatives except vanitygen?

[J35st3r]

let's just say I don't trust bit address.org, do I have other alternatives except vanitygen?

OK, but it is fully opensource. Download it from the github https://github.com/pointbiz/bitaddress.org -as for getting the code audited, well I guess someone would have noticed anything seriously wrong by now, but it is a risk, as is the case with vanitygen or any other open source software. But the risk is much greater with proprietary software.

Anyway, no I don't know of any alternatives, but you could try asking on the development forum https://bitcointalk.org/index.php?board=6.0

[rumbitla]

let's just say I don't trust bit address.org, do I have other alternatives except vanitygen?

You can take a random photo, and calculate the sha256 of that file.

For example this photo:



gives you a sha256 value of: 3FB87FD7F7BA0A99FE57BFEEE53ED702B960A4722C28911E9C0FBFF0F124ED43

convert to base58 format: 5JJMEwwis8xEE94RhAEYwL1C7NS2nBPjZSqpKBzZReKmvtqR5j8
which is your standard format private key.

calculate corresponding Bitcoin address: 1D3GRn91KXWwMkpCkzw7j1f286kk6SyRPW


DO NOT use photos you found on the internet like I did in this example, but choose a random photo taken with your digital camera. This gives you a highly random key if you do not trust bitaddress.org or vanitygen.

[NoBit]

let's just say I don't trust bit address.org, do I have other alternatives except vanitygen?

calculate corresponding Bitcoin address: 1D3GRn91KXWwMkpCkzw7j1f286kk6SyRPW


DO NOT use photos you found on the internet like I did in this example, but choose a random photo taken with your digital camera. This gives you a highly random key if you do not trust bitaddress.org or vanitygen.

How did you calculate the corresponding Bitcoin Address?