Deterministic paper wallet?

[AliceWonder]

I've read, though I have not really looked at the process but I've read you can use a public key to generate new addresses which can only be spent using the private key that originally produced the public key.

So the thought it - create a paper wallet with private key and import public key into a wallet that generates addresses from it, allowing you to deposit to a new address each time you add money to the paper wallet.

We know someone is sending small amounts of money to random addresses and that got me thinking.

It wouldn't be too hard to look at the blockchain and find public addresses that are quite like a paper wallet. Lots of transactions going in spread over time, no transactions going out.

So once a criminal identifies sizeable paper wallets, criminal then starts doing micropayments to addresses that deposited looking for how they are then spent in hopes of identifying who owns the paper wallet.

Then when they identify who owns the paper wallet, thugs come and extract the private key.

But if the address used to deposit changes every time, it will difficult if not impossible to determine it is a paper wallet or how much is in it.

The issue isn't just random thugs. Maybe John bought something from me and thus already knows who I am, followed the transaction and saw the bitcoins end up in an address that has large quantity of BTC. John comes to my house with a hammer...

Anyway, to work the smoothest it would need client intergration so I could import a public key into client and label it, and anytime I want to deposit I ask to send to the label and it generates new public address based that doesn't have a private key.

Any clients do this?

[1715627343]

1715627343

[1715627343]

1715627343

[1715627343]

1715627343

[DannyHamilton]

I've read, though I have not really looked at the process but I've read you can use a public key to generate new addresses which can only be spent using the private key that originally produced the public key.

So the thought it - create a paper wallet with private key and import public key into a wallet that generates addresses from it, allowing you to deposit to a new address each time you add money to the paper wallet.

We know someone is sending small amounts of money to random addresses and that got me thinking.

It wouldn't be too hard to look at the blockchain and find public addresses that are quite like a paper wallet. Lots of transactions going in spread over time, no transactions going out.

So once a criminal identifies sizeable paper wallets, criminal then starts doing micropayments to addresses that deposited looking for how they are then spent in hopes of identifying who owns the paper wallet.

Then when they identify who owns the paper wallet, thugs come and extract the private key.

But if the address used to deposit changes every time, it will difficult if not impossible to determine it is a paper wallet or how much is in it.

The issue isn't just random thugs. Maybe John bought something from me and thus already knows who I am, followed the transaction and saw the bitcoins end up in an address that has large quantity of BTC. John comes to my house with a hammer...

Anyway, to work the smoothest it would need client intergration so I could import a public key into client and label it, and anytime I want to deposit I ask to send to the label and it generates new public address based that doesn't have a private key.

Any clients do this?

All the deterministic clients allow you to store a single "seed" on paper and generate as many bitcoin addresses as you like from that "seed".  Take a look at Electrum and Armory as examples.

Note, that the seed isn't a private key, and there isn't just one public key.  Each public key results in only one bitcoin address (well, actually two since there is compressed and uncompressed, but that isn't what you're looking for).  You can't "use a public key to generate new addresses".

There is only one public key for each private key, and only one address for each public key.

The deterministic wallets allow you to generate additional "private keys" from the single seed.

[AliceWonder]

Armory though generates private keys in the client from the seed - which is not what I want.

My understanding is you can take a public key (x and y coords) and run a function on them to produce addition public keys which you can later generate private keys for by running the original private key through the function.

e.g. X₀ is private key. Y₀ is public key.

f(Y₀) = Y₁

You then use Y₁ to generate an address and send money to it. When you want to spend, then

f(X₀) = X₁

[AliceWonder]

Here's what I want to do maybe a little bit clearer.

Generate a private and public key offline from a live CD and print them.

Scan public key into client, put paper wallet in safe deposit box.

From public key, as needed create new public addresses I can send bitcoins to w/o ever having generated their private keys, knowing that in the future, I can import the private key from the paper wallet to generate the matching private keys.

[DannyHamilton]

Take a look at the Armory "Watching only" wallet.

It does not generate the private keys.  It only generates the public keys and addresses.

As long as you have the seed, you can generate the private keys at a later date.

[AliceWonder]

Take a look at the Armory "Watching only" wallet.

It does not generate the private keys.  It only generates the public keys and addresses.

As long as you have the seed, you can generate the private keys at a later date.

Does it do this without needing the seed on the system?

I have to fix Armory to look at it. If you have both the bitcoin daemon and bitcoin-qt installed, it tries to start/stop the bitcoin daemon instead of bitcoin-qt - which of course fails because it doesn't have permission. It needs to rely on bitcoin-qt and ignore the bitcoin daemon which is not intended to be started/stopped by a normal user but is intended to run as a system service. I'd think a client that claims security would understand that but it doesn't.

And also on Fedora, it installs a platform specific python file where it shouldn't, it's not multi-lib ready. Not a big issue since it appears broken on 32-bit but still needs to be fixed.

[Abdussamad]

Both Armory and Electrum support watch only wallets.

It's very easy to do with Electrum:

- Boot up to a live CD
- Download and install electrum on your live cd system
- disconnect from the net if you are paranoid
- start electrum and it will create a new wallet for you. It will ask you to note down the seed which you do and then enter it in the next window by reading it off the paper (not copy pasting!) to verify that you got it right.
- Put the seed in a safe place
- Go to wallet > show > master public key (mpk) and save it to a text file on your HDD or USB
- Reboot into your regular system. Start electrum with the -w option to create a new wallet, click restore and enter the MPK you saved earlier.
- Voila you have a watch only wallet with the seed stored safely offline on paper!

[acoindr]

I've read, though I have not really looked at the process but I've read you can use a public key to generate new addresses which can only be spent using the private key that originally produced the public key.

You're talking about a Type 2 Hierarchical Deterministic Wallet. You don't use a public key, but a public seed to generate new public keys which can't be spent because there are no private keys. Here is the video you want:

HD Wallets - Bitcoin 2013 Conference - Pieter Wuille

Type 2 wallet description starts at 6:00. Yes, Electrum and Armory currently do this.

[AliceWonder]

Both Armory and Electrum support watch only wallets.

It's very easy to do with Electrum:
*
- Download and install electrum on your live cd system
*

We really need live media with Electrum already installed. Downloading from a live CD means opening a browser and live CDs don't get updated very often.

[Abdussamad]

There are quite a few of those if you look around the forum. Look in the project development section and the technical discussion section. The problem is can you trust them? It is very hard to verify all parts of something as complex as a linux distro

There is one based on slax with details on how to verify it. But its too much work IMO.

http://dswd.github.io/btcvault/

[kjj]

Take a look at the Armory "Watching only" wallet.

It does not generate the private keys.  It only generates the public keys and addresses.

As long as you have the seed, you can generate the private keys at a later date.

Does it do this without needing the seed on the system?

It does it with a seed, but not the seed.

Basically, it generates a key pair (privkey,pubkey) and a chain code.  The watching wallet only gets the public key and the chain code.

The normal relationship between a privkey and a pubkey is pubkey=G*privkey.  This relationship can be preserved under certain operations.  For example, multiplication: pubkey*chain=(G*privkey)*chain.  And this can then be extended into a sequence, pubkey*chainⁱ=(G*privkey)*chainⁱ.  You will notice that the watching wallet can take the first pubkey and the chain code, and from them create an endless stream of pubkeys, all of which differ only by a factor of G from the corresponding entry in the spending wallet's endless chain of privkeys.  And because division is still hard, the watching wallet is unable to recreate the privkey (the basic security of EC multiplication applies to the sequence).

Note to people finding this thread in a search: There is more to it than what I've described.  Read the BIP at the very least, and the old threads discussing key sequence security.

[Abdussamad]

Oh yes and you don't need to open a browser to download electrum. Just note down the URL and do a wget from the command line.

The other problem is that most live cds use swap partitions if any are found on the hard drive. This is not good for our purposes because we don't want the seed written to the drive by accident.

TailsOs is supposed to not do this sort of thing:

http://tails.boum.org/

[AliceWonder]

The problem is can you trust them? It is very hard to verify all parts of something as complex as a linux distro

rpm --verify

will verify an rpm package against the installed database, and the installed database can be verified against the distro signed packages.

[Abdussamad]

The problem is can you trust them? It is very hard to verify all parts of something as complex as a linux distro

rpm --verify

will verify an rpm package against the installed database, and the installed database can be verified against the distro signed packages.

How do you verify a custom distro? One that comes with electrum already installed. There are no rpm repos for that. It's just the word of some guy on this forum.

[AliceWonder]

HD Wallets - Bitcoin 2013 Conference - Pieter Wuille

Type 2 wallet description starts at 6:00. Yes, Electrum and Armory currently do this.

Thank you! That is exactly what I was talking about.

[AliceWonder]

How do you verify a custom distro? One that comes with electrum already installed. There are no rpm repos for that. It's just the word of some guy on this forum.

Presumably electrum is the only non distro supplied package needed, so you would just need to do a hash of the Electrum installed files.

[cp1]

In armory you generate a private seed offline.  Something like correct horse battery staple.  From that you generate a public seed which you copy to your computer.  You import this into a watching only online wallet.  This generates as many public keys as you want to send BTC to.  If you ever want to spend the BTC you generate an unsigned transaction in your online wallet, transfer it to your offline wallet where you can sign it with the private key generated from the private seed and then transfer it back to the online wallet where you broadcast it.  The online wallet never knows your private keys or seed.