Bitcoin Forum
June 24, 2024, 05:26:47 PM *
News: Voting for pizza day contest
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: a SIMPLE 2-out-of-3 private key  (Read 837 times)
vernell (OP)
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
March 13, 2014, 04:24:40 AM
Last edit: March 13, 2014, 05:56:16 AM by vernell
 #1

I am looking for a simple way to generate a private key made out of 3 parts, such that any 2 parts are enough to reconstruct the key.

This is what I came up with:

a = random 256 bit number
b = random 256 bit number
c = a xor b

And now:

private key = sha256(sha256(a) xor sha256(b) xor sha256(c))
public address = bitcoin_address(private key)

I will fund the address and keep a, b and c in three separate physical locations.

In my opinion, the benefit of using this method over multi-sig transactions or secret sharing schemes is that it is much simpler. It can be done in a shell script with common sha256 and xor utilities. No need to write multi-sig transactions by hand or use specialized tools. Of course it is slightly less flexible - its not clear how to emulate 2-out-of-4 multi-sig for example, but 2-out-of-3 is sufficient for me.

What do you think? Is there some security issue I am overlooking?
Abdussamad
Legendary
*
Offline Offline

Activity: 3640
Merit: 1571



View Profile
March 13, 2014, 05:28:20 AM
 #2

You could create a multi-sig address instead:

https://en.bitcoin.it/wiki/Address#Multi-signature_addresses
https://gist.github.com/gavinandresen/3966071
vernell (OP)
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
March 13, 2014, 05:53:51 AM
 #3


I know I can. Please read my post again. I am trying to avoid raw transactions and complex tools.
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1006

Let's talk governance, lipstick, and pigs.


View Profile
March 13, 2014, 06:01:58 AM
 #4

Armory does this. http://www.bitescrow.org/ too. Casascius had a tool once that could create M of N where N<=8 as a Shamir's Secret Sharing tool.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4200
Merit: 8441



View Profile WWW
March 13, 2014, 06:16:53 AM
 #5

You cannot sign without putting all your key parts in one place. If that one place is compromised they will be stolen or subverted to sign a different transaction. If that place is completely secure you can just put a single key there and dispense with the fancy footwork.
vernell (OP)
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
March 13, 2014, 06:25:32 AM
 #6

Armory does this. http://www.bitescrow.org/ too. Casascius had a tool once that could create M of N where N<=8 as a Shamir's Secret Sharing tool.

Thanks. I am actually aware of all these tools. However I am looking for something simple that can be implemented in a shell script and I know exactly how it works. A minimal solution with as few points of failure as possible.
vernell (OP)
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
March 13, 2014, 06:32:22 AM
 #7

You cannot sign without putting all your key parts in one place. If that one place is compromised they will be stolen or subverted to sign a different transaction. If that place is completely secure you can just put a single key there and dispense with the fancy footwork.

Yes but don't multi-sig or secret sharing suffer from the same problem? I still need to collect all the parts in one place when I want to spend my coins.

The generating of the private key and the recombining will all be done on an offline computer. I could just keep one key on the offline computer, but if its stolen I'm screwed, whereas 2-out-of-3 gives me backup.
Crowex
Member
**
Offline Offline

Activity: 111
Merit: 10


View Profile
March 13, 2014, 06:42:15 AM
 #8

generate 3 keys a,b,c
Calculate abcG which is the public key corresponding to your bitcoin address
Destroy all calculations but keep the public key and corresponding address
Store a and b in one location
Store b and c in another location
store a and c in a third location

Use the information from any two locations to reconstruct private key abc
gmaxwell
Moderator
Legendary
*
expert
Offline Offline

Activity: 4200
Merit: 8441



View Profile WWW
March 13, 2014, 06:54:39 AM
 #9

Yes but don't multi-sig or secret sharing suffer from the same problem? I still need to collect all the parts in one place when I want to spend my coins.
No.  You author a transaction and move a partially completed transaction, which is just non-private data, around. You do not collect all the private data in one place as that would defeat the point. Smiley
vernell (OP)
Newbie
*
Offline Offline

Activity: 8
Merit: 0


View Profile
March 13, 2014, 07:07:53 AM
 #10

Crowex: Nice! I like that.

gmaxwell: I see what you are saying. I just wish there was a nice tool (gui or command line) to easily generate multi-sig transactions. AFAIK there isn't.

What do you guys think about the algorithm in my original post? Is there anything else bad beyond the need to put all parts in one place on spend time?
Bitalo_Maciej
Member
**
Offline Offline

Activity: 80
Merit: 10


Lead developer


View Profile WWW
March 13, 2014, 09:25:07 AM
 #11

Crowex: Nice! I like that.

gmaxwell: I see what you are saying. I just wish there was a nice tool (gui or command line) to easily generate multi-sig transactions. AFAIK there isn't.

What do you guys think about the algorithm in my original post? Is there anything else bad beyond the need to put all parts in one place on spend time?

As gmaxwell pointed out, multi-sig protocol has a big advantage over what you're proposing because it doesn't need you to transmit all keys into one place to create a signature. Also, writing your own cryptographic functions/protocols is considered a bad practice, because there are many subtle details you have to know, and having only one of them wrong can defeat your whole system.

There is one service I'm aware of that lets you create, sign and verify multi-sig transactions without command line: https://coinb.in/multisig/ . I personally didn't check it, so use it at your own risk.

Also, creating multisig transactions in command line is relatively easy when you know what you're doing. You need bitcoind or other Bitcoin software for that, but I guess there's no point in running from dependencies when they do their job correctly.

Web wallets get hacked all the time. Computer wallets get hacked all the time as well.
Solution? Hybrid P2SH wallets - safer than your online and offline wallets combined. Check it out, store and trade your Bitcoins with ease of mind!
waxwing
Sr. Member
****
Offline Offline

Activity: 469
Merit: 253


View Profile
March 13, 2014, 07:31:37 PM
 #12


Also, creating multisig transactions in command line is relatively easy when you know what you're doing. You need bitcoind or other Bitcoin software for that, but I guess there's no point in running from dependencies when they do their job correctly.

It may be worth mentioning to the OP that as well as bitcoind, there are tools like pybitcointools and sx which can give you a relatively simple path to setting up multisig transactions. Assuming you come at it from a developer angle.

On the other hand, from a non-developer angle then perhaps, as well as bitcoind, you could look at coinb.in (already mentioned) and perhaps Electrum (? I seem to recall they were setting up a command line multisig option).

And yes, clearly secret sharing != multi-signature.

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!