Generate an address

[gravitate]

Hi Basically I would like to open my own savings wallets without worrying about it.  These will be cold storage with the private key written in code that only myself or family know.
I only have a mac laptop that I have used for many many things that I could not trust 100% in order to generate an address on. Without actually buying a new laptop and using an off line www.bitaddress.org to generate an address please can someone tell me the most secure way of generating an address and private key for cold storage please?

[Rannasha]

Hi Basically I would like to open my own savings wallets without worrying about it.  These will be cold storage with the private key written in code that only myself or family know.
I only have a mac laptop that I have used for many many things that I could not trust 100% in order to generate an address on. Without actually buying a new laptop and using an off line www.bitaddress.org to generate an address please can someone tell me the most secure way of generating an address and private key for cold storage please?

Create a bootable Linux USB stick, use that to boot your laptop, open bitaddress.org, disconnect from the internet, generate the address and write it down / print it in whatever way you want.

[gravitate]

Rannesha I would have to wipe my os on my mac then right? Maybe I could do this with my pi

[Rannasha]

Rannesha I would have to wipe my os on my mac then right? Maybe I could do this with my pi

You don't need to wipe your Mac. Linux USB installations allow you to boot and run the full operating system from a USB stick. The harddisk with your Mac installation on it isn't touched (and any malware on it isn't started). Once you're done, restart the machine, remove the USB stick and it'll boot right back to your regular OS.

Of course, using a RPi works just as well.

[pc]

Well, you seem to want hardware you can trust, but say that you don't trust any of your hardware. So, you need to get your hardware into a state where you trust it, or you need to acquire new hardware that you do trust. Something like a Raspberry Pi may be great for this sort of thing, though on "embedded" kinds of devices you want to make sure that your random number generator has enough entropy to work with.

Or to be completely offline, you can flip a coin 256 times to make the private key and have a calculator and pencil and paper to calculate the public key and address. I want to do it one of these days just to show that it's possible.

[gravitate]

Wow doing it with a coin is fascinating! Can you post a guide on this? It will give everyone a greater understanding of bitcoins too! Wow that really is intriguing

[pc]

Wow doing it with a coin is fascinating! Can you post a guide on this? It will give everyone a greater understanding of bitcoins too! Wow that really is intriguing

A private key is just a 256-bit random number. (Well, a number between 1 and hex value FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141.) All your computer does to make a new address is pick a new random number, and then do some math that calculates the public key from that number. There isn't any magic to it; it's just math. So, any way that randomly picks 256 bits will work. Computers tend to use fancy cryptographic libraries that find good sources of randomness from the information available to a computer, since they tend to be poor at flipping literal coins.

My comment was a probably-too-long offhand remark that you need some technology that you trust to keep your private key private. Sometimes simple technology is best, since you can see how it works and if it's sending your data elsewhere easily. But even if you were to literally flip coins, you'd want to make sure there wasn't a camera or somebody watching you that would compromise your random number generation. Really it's an analogy for what you need your key generating computer to be doing: picking good-quality random numbers that nobody else can end up knowing.

[jackjack]

Or to be completely offline, you can flip a coin 256 times to make the private key and have a calculator and pencil and paper to calculate the public key and address. I want to do it one of these days just to show that it's possible.

Calculating the public key would require a crazy amount of motivation
Calculating the address is impossible

https://bitcointalk.org/index.php?topic=286534.0

[pc]

Or to be completely offline, you can flip a coin 256 times to make the private key and have a calculator and pencil and paper to calculate the public key and address. I want to do it one of these days just to show that it's possible.

Calculating the public key would require a crazy amount of motivation
Calculating the address is impossible

https://bitcointalk.org/index.php?topic=286534.0

Heh, I hadn't realized it was a recent topic on the forum.
I did say one could use "a calculator". Presumably, one could balance it being fancy enough to be able to handle EC math, while not being fancy enough that one had to worry about it storing ones key for a long time or getting compromised in some fashion.
And one would probably be more willing to enter one's public key on a "real" computer to hash to generate the address, though you'd probably want to use multiple systems to make extra sure that the address one generated actually corresponded to the public key. The network allows payments straight to public keys instead of addresses just fine, though I don't know of any wallet software that makes doing so simple.

[J35st3r]

I did say one could use "a calculator". Presumably, one could balance it being fancy enough to be able to handle EC math, while not being fancy enough that one had to worry about it storing ones key for a long time or getting compromised in some fashion.

The EC algorithm is actually fairly simple (see JackJack's pywallet for an implementation), but relies on bigints (arbitary percision integers) which may or may not be available on a stand-alone "calculator". As has been said elsewhere, this is an ideal application for a raspberry pi. You don't even need to connect it to the internet. Just download bitaddress.org from the github, transfer it to the pi via a memory stick (or load it onto the boot partition of the OS SD card) and you're good to go. Attach a printer, and your key has never been exposed to the outside world. You should reflash the SD card afterwards, to be sure nothing remains that can be exposed later, destroy it if you're paranoid, and the printer too, you never know what's stored inside the modern ones, but an ancient text-only line printer should be safe 

[gravitate]

I managed to use VMware free trial to run ubuntu withough having to boot from a usb. Then erased application and wiped my free space.
Will I be safe?

[J35st3r]

I managed to use VMware free trial to run ubuntu withough having to boot from a usb. Then erased application and wiped my free space.
Will I be safe?

If you ran it as a live-CD (no disk image) you should be fine, otherwise you need to secure-delete the disk image (use sdelete from SysInternals ... EDIT OOPS that's Microsoft, mac must have an equivalent utility).

There may be some residual data in your pagefile, so probably best to reboot your mac too (not hibernate as this just makes it worse).

[/paranoia_mode]

[gravitate]

lol thanks

[Abdussamad]

I managed to use VMware free trial to run ubuntu withough having to boot from a usb. Then erased application and wiped my free space.
Will I be safe?

Running linux in a VM is pointless if your are worried about the safety of your host system. If someone has access to your host system they have access to everything you are running on it including VMs. You should boot from a live USB or DVD.

[BurtW]

A private key is just a 256-bit random number. (Well, a number between 1 and hex value FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141.)

Where did you get that God awful number?  The actual value of p for secp256k1 is:

p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

   = 2²⁵⁶ - 2³² - 2⁹ - 2⁸ - 2⁷ -2⁶ - 2⁴ - 1

Oh, I see, that is the order n of G.  You just copied the wrong number.

So yes, you could flip a coin 256 times and copy down the results into a 256 bit number and as long as your number is less than the (prime) number p shown above it is a valid private key.

[grue]

So yes, you could flip a coin 256 times and copy down the results into a 256 bit number and as long as your number is less than the (prime) number p shown above it is a valid private key.

A coin is a really bad source of entropy though.

[Zeek_W]

So yes, you could flip a coin 256 times and copy down the results into a 256 bit number and as long as your number is less than the (prime) number p shown above it is a valid private key.

A coin is a really bad source of entropy though.

Use 512 coins, and drop them from a height. Unleash a dog/kid into the room to scatter and or lose some coins. Then pick up 256 coins randomly 

[BurtW]

So yes, you could flip a coin 256 times and copy down the results into a 256 bit number and as long as your number is less than the (prime) number p shown above it is a valid private key.

A coin is a really bad source of entropy though.

Use 512 coins, and drop them from a height. Unleash a dog/kid into the room to scatter and or lose some coins. Then pick up 256 coins randomly  

I did say "valid", not "good" or "random" or "secure".

Still, flipping a coin 256 times and then directly using the value obtained would be much better than using "stfu!" as your pass phrase to a brain wallet

[DannyHamilton]

So yes, you could flip a coin 256 times and copy down the results into a 256 bit number and as long as your number is less than the (prime) number p shown above it is a valid private key.

A coin is a really bad source of entropy though.

You're suggesting that a typical coin is not "fair" and will tend to land on one side more often than the other?

I would think there would be enough events adding entropy to the action (flip rotation speed, flip initial height, maximum height, resting height, air flow around the coin, initial side up, axis of rotation, horizontal velocity, etc) that the bias in the coin would have to be pretty significant to have a discernible effect in 256 trials.

Is there a better source of entropy available to the average person that could be used to mechanically generate a private key?

[pc]

A private key is just a 256-bit random number. (Well, a number between 1 and hex value FFFF FFFF FFFF FFFF FFFF FFFF FFFF FFFE BAAE DCE6 AF48 A03B BFD2 5E8C D036 4141.)

Where did you get that God awful number?  The actual value of p for secp256k1 is:

p = FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F

I got it from the Private Key page on the Bitcoin wiki. I don't know whether the number is right or wrong, but feel free to update the wiki (perhaps it should have a citation, even?) if the value there is wrong. I apologize for not checking my sources more thoroughly, or at least citing where I was getting my info from.

In any event, it's rather unlikely that a random 256-bit number won't be in the range. If somebody gets heads a ton of times in a row, they may want to double-check the upper bound before using it. (Or, perhaps more likely, check that their coin is fair…)