Bitcoin Forum
Topic: a SIMPLE 2-out-of-3 private key (Read 837 times)
vernell (OP)
Newbie
March 13, 2014, 04:24:40 AM
Last edit: March 13, 2014, 05:56:16 AM by vernell
#1

I am looking for a simple way to generate a private key made out of 3 parts, such that any 2 parts are enough to reconstruct the key.

This is what I came up with:

a = random 256 bit number
b = random 256 bit number
c = a xor b

And now:

private key = sha256(sha256(a) xor sha256(b) xor sha256(c))
public address = bitcoin_address(private key)

I will fund the address and keep a, b and c in three separate physical locations.

In my opinion, the benefit of using this method over multi-sig transactions or secret sharing schemes is that it is much simpler. It can be done in a shell script with common sha256 and xor utilities. No need to write multi-sig transactions by hand or use specialized tools. Of course it is slightly less flexible - it's not clear how to emulate 2-out-of-4 multi-sig for example, but 2-out-of-3 is sufficient for me.

What do you think? Is there some security issue I am overlooking?
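The scheme in this post, written out as an added Python example (not the OP's own script): it generates a, b and c, shows that any two parts in any order reproduce the same key, and keeps a non-secret check value (a constructed stand-in for the funded address, which is what you would really compare against) so a corrupted or mismatched part is caught before the key is used.

```python
import hashlib
import secrets

def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def xor(x: bytes, y: bytes) -> bytes:
    return bytes(i ^ j for i, j in zip(x, y))

def make_shares():
    """The three 256-bit parts: a and b random, c = a xor b."""
    a = secrets.token_bytes(32)
    b = secrets.token_bytes(32)
    return a, b, xor(a, b)

def derive_key(a: bytes, b: bytes, c: bytes) -> bytes:
    """private key = sha256(sha256(a) xor sha256(b) xor sha256(c))."""
    return sha256(xor(xor(sha256(a), sha256(b)), sha256(c)))

def key_from_any_two(x: bytes, y: bytes) -> bytes:
    """Each part is the xor of the other two, and the key formula is
    symmetric in a, b, c, so any two parts in any order suffice."""
    return derive_key(x, y, xor(x, y))

def check_value(key: bytes) -> str:
    """Constructed non-secret check kept beside the parts; in practice the
    funded Bitcoin address plays this role."""
    return sha256(b"2of3-check" + key).hex()[:16]

def recover(x: bytes, y: bytes, expected_check: str) -> bytes:
    """Rebuild the key from two parts and refuse to use it if it does not
    match the stored check (e.g. one part was corrupted in storage)."""
    key = key_from_any_two(x, y)
    if check_value(key) != expected_check:
        raise ValueError("reconstructed key does not match stored check value")
    return key

if __name__ == "__main__":
    a, b, c = make_shares()
    key = derive_key(a, b, c)
    chk = check_value(key)
    for pair in ((a, b), (b, c), (c, a)):
        assert recover(*pair, chk) == key
    print("all three pairs reconstruct the same key; check value", chk)
```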
Abdussamad
Legendary
March 13, 2014, 05:28:20 AM
#2

You could create a multi-sig address instead:

https://en.bitcoin.it/wiki/Address#Multi-signature_addresses
https://gist.github.com/gavinandresen/3966071
vernell (OP)
Newbie
March 13, 2014, 05:53:51 AM
#3

I know I can. Please read my post again. I am trying to avoid raw transactions and complex tools.
cbeast
Donator, Legendary
March 13, 2014, 06:01:58 AM
#4

Armory does this. http://www.bitescrow.org/ too. Casascius had a tool once that could create M of N where N<=8 as a Shamir's Secret Sharing tool.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
gmaxwell
Moderator, Legendary
March 13, 2014, 06:16:53 AM
#5

You cannot sign without putting all your key parts in one place. If that one place is compromised they will be stolen or subverted to sign a different transaction. If that place is completely secure you can just put a single key there and dispense with the fancy footwork.
vernell (OP)
Newbie
March 13, 2014, 06:25:32 AM
#6

> Armory does this. http://www.bitescrow.org/ too. Casascius had a tool once that could create M of N where N<=8 as a Shamir's Secret Sharing tool.

Thanks. I am actually aware of all these tools. However, I am looking for something simple that can be implemented in a shell script and I know exactly how it works. A minimal solution with as few points of failure as possible.
vernell (OP)
Newbie
March 13, 2014, 06:32:22 AM
#7

> You cannot sign without putting all your key parts in one place. If that one place is compromised they will be stolen or subverted to sign a different transaction. If that place is completely secure you can just put a single key there and dispense with the fancy footwork.

Yes but don't multi-sig or secret sharing suffer from the same problem? I still need to collect all the parts in one place when I want to spend my coins.

The generating of the private key and the recombining will all be done on an offline computer. I could just keep one key on the offline computer, but if it's stolen I'm screwed, whereas 2-out-of-3 gives me backup.
Crowex
Member
March 13, 2014, 06:42:15 AM
#8

Generate 3 keys a, b, c.
Calculate abcG, which is the public key corresponding to your bitcoin address.
Destroy all calculations but keep the public key and corresponding address.
Store a and b in one location.
Store b and c in another location.
Store a and c in a third location.

Use the information from any two locations to reconstruct private key abc.
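Crowex's procedure as an added Python example, not Crowex's own code. It carries a minimal affine secp256k1 implementation (the curve parameters are the standard ones; the arithmetic is illustrative and not constant-time) so abcG can be computed, stores one pair of scalars per location, and checks the product reconstructed from any two locations against the retained public key before the key is trusted.

```python
import secrets

# secp256k1: field prime, group order, base point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def setup():
    """Three scalars a, b, c; keep abcG; store one pair at each location."""
    a, b, c = (secrets.randbelow(N - 1) + 1 for _ in range(3))
    pubkey = ec_mul(a * b * c % N, G)
    return pubkey, {"loc1": (a, b), "loc2": (b, c), "loc3": (a, c)}

def reconstruct(loc_x, loc_y, pubkey):
    """Any two locations hold all of a, b, c: multiply mod N and check
    the result against the retained public key before using it."""
    parts = set(loc_x) | set(loc_y)
    if len(parts) != 3:
        raise ValueError("two distinct locations are needed")
    key = 1
    for s in parts:
        key = key * s % N
    if ec_mul(key, G) != pubkey:
        raise ValueError("reconstructed key does not match the stored public key")
    return key
```

Note that reconstruct() still brings all three scalars into one process, which is exactly gmaxwell's objection to any split-key scheme in this thread.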
gmaxwell
Moderator, Legendary
March 13, 2014, 06:54:39 AM
#9

> Yes but don't multi-sig or secret sharing suffer from the same problem? I still need to collect all the parts in one place when I want to spend my coins.

No. You author a transaction and move a partially completed transaction, which is just non-private data, around. You do not collect all the private data in one place as that would defeat the point. :)
vernell (OP)
Newbie
March 13, 2014, 07:07:53 AM
#10

Crowex: Nice! I like that.

gmaxwell: I see what you are saying. I just wish there was a nice tool (gui or command line) to easily generate multi-sig transactions. AFAIK there isn't.

What do you guys think about the algorithm in my original post? Is there anything else bad beyond the need to put all parts in one place at spend time?
Bitalo_Maciej
Member
March 13, 2014, 09:25:07 AM
#11

> Crowex: Nice! I like that.
>
> gmaxwell: I see what you are saying. I just wish there was a nice tool (gui or command line) to easily generate multi-sig transactions. AFAIK there isn't.
>
> What do you guys think about the algorithm in my original post? Is there anything else bad beyond the need to put all parts in one place at spend time?

As gmaxwell pointed out, the multi-sig protocol has a big advantage over what you're proposing because it doesn't need you to transmit all keys into one place to create a signature. Also, writing your own cryptographic functions/protocols is considered bad practice, because there are many subtle details you have to know, and having only one of them wrong can defeat your whole system.

There is one service I'm aware of that lets you create, sign and verify multi-sig transactions without the command line: https://coinb.in/multisig/. I personally didn't check it, so use it at your own risk.

Also, creating multisig transactions on the command line is relatively easy when you know what you're doing. You need bitcoind or other Bitcoin software for that, but I guess there's no point in running from dependencies when they do their job correctly.

Web wallets get hacked all the time. Computer wallets get hacked all the time as well.
Solution? Hybrid P2SH wallets - safer than your online and offline wallets combined. Check it out, store and trade your Bitcoins with ease of mind!
waxwing
Sr. Member
March 13, 2014, 07:31:37 PM
#12

> Also, creating multisig transactions on the command line is relatively easy when you know what you're doing. You need bitcoind or other Bitcoin software for that, but I guess there's no point in running from dependencies when they do their job correctly.

It may be worth mentioning to the OP that, as well as bitcoind, there are tools like pybitcointools and sx which can give you a relatively simple path to setting up multisig transactions, assuming you come at it from a developer angle.

On the other hand, from a non-developer angle, perhaps, as well as bitcoind, you could look at coinb.in (already mentioned) and perhaps Electrum (I seem to recall they were setting up a command-line multisig option).

And yes, clearly secret sharing != multi-signature.

PGP fingerprint 2B6FC204D9BF332D062B 461A141001A1AF77F20B (use email to contact)