Verify ownership of keys for paper wallet

[apogio]

Hello. I have seen many people (mainly early bitcoiners) that own keys in the form of paper wallets.

Most paper wallet generators provide the user with a private key and an address.

For educational purposes I have developed an app in java that generates  paper wallets. I have run it multiple times offline and I have tested it in Bitcoin's testnet. The way I tested it was just sending test money to the address and then recovering the wallet in Electrum, Sparrow and BlueWallet using the private key.

Although I am happy with what I have done, I needed to recover my wallet and be connected to the internet. Before sending REAL money to the generated address, I need to verify I can access it using my private key. But how can I do it in a safe and private way? Preferably offline.

[OmegaStarScream]

You could do the same thing you've been doing to recover the wallet on Electrum or maybe Bitaddress[1] (download the source code first), you should just make sure that the device you're using is offline and safe.

Or.. if the goal is to test whether your software is generating addresses/private keys the correct way, then it doesn't really matter. You could just use an online device to check, then go ahead and regenerate another address (offline) to send funds to.

[1] https://github.com/pointbiz/bitaddress.org

[ranochigo]

There are different ways of doing it.  

1) Since you've already sent the small amount of Bitcoins, you can create a transaction that spend a small amount of Bitcoin to your address. You can spend a fraction of that with a small fee, the confirmation doesn't matter. So long as you can see the transaction on blockexplorer, it's fine.

2) Sign a message with the address. If you can verify it, then it would be fine.

3) Import it into an offline wallet. So long as the wallet allows it to be imported, it should be valid and its perfectly safe. Which is what you've done. Well-known and working wallet have sanity checks on your private key which prevents those which aren't working to be imported.

[LoyceV]

You could do the same thing you've been doing to recover the wallet on Electrum or maybe Bitaddress[1] (download the source code first), you should just make sure that the device you're using is offline and safe.

For peace of mind, I (would) do this every time when I create any offline wallet (before funding it). It doesn't hurt to make sure you can recover your backups.

[apogio]

You could do the same thing you've been doing to recover the wallet on Electrum or maybe Bitaddress[1] (download the source code first), you should just make sure that the device you're using is offline and safe.

You could do the same thing you've been doing to recover the wallet on Electrum or maybe Bitaddress[1] (download the source code first), you should just make sure that the device you're using is offline and safe.

For peace of mind, I (would) do this every time when I create any offline wallet (before funding it). It doesn't hurt to make sure you can recover your backups.

Ok, so if I get it right, you mean I should re-run my own code, to see whether the private key generates the address. And, I must do it offline. Correct?

There are different ways of doing it. 

1) Since you've already sent the small amount of Bitcoins, you can create a transaction that spend a small amount of Bitcoin to your address. You can spend a fraction of that with a small fee, the confirmation doesn't matter. So long as you can see the transaction on blockexplorer, it's fine.

2) Sign a message with the address. If you can verify it, then it would be fine.

3) Import it into an offline wallet. So long as the wallet allows it to be imported, it should be valid and its perfectly safe. Which is what you've done. Well-known and working wallet have sanity checks on your private key which prevents those which aren't working to be imported.

Thanks for the options. The second one seems somewhat sophisticated. I ll check it out, but it looks tricky to do it totally offline, since I don't know which tools I must use.

[LoyceV]

Ok, so if I get it right, you mean I should re-run my own code, to see whether the private key generates the address.

No. Use other software to verify you get the same result (from the private key).

And, I must do it offline. Correct?

Correct.

[ranochigo]

Thanks for the options. The second one seems somewhat sophisticated. I ll check it out, but it looks tricky to do it totally offline, since I don't know which tools I must use.

Not exactly. Any wallet would be able to sign a transaction. Electrum, or most of the mainstream wallets that we have should be able to do so just fine.

As I've mentioned, if you're able to import the address into a well-known wallet, it should be fine. They are unlikely to allow you to import a private key that cannot be spent. The first one would be the best, if you can do so. It doesn't affect the security nor the privacy of your paper wallet so long as you spend the coins back to yourself.

[pooya87]

For educational purposes I have developed an app in java that generates  paper wallets. I have run it multiple times offline and I have tested it in Bitcoin's testnet.

Keep this educational and don't create any serious addresses using this. Most importantly is that you won't find bugs by just testing it a couple of times with random cases, there are a lot of edge cases that you may not know of and may not face in your "random tests" but can encounter in a real scenario.
Off the top of my head since you mentioned Java and are probably using the BigInteger class,is that you may forget the necessary padding for the public key and use a smaller than 32 byte x/y coordinate in the pubkey for your hash and end up with coins that can never be spent.

The best real life example I can think of that is similar to what I explained here is the bitcore-lib by Bitpay written in Javascript that had a similar bug with lack of padding. https://github.com/bitpay/bitcore-lib/issues/47

I would also say that generating a serious key (to send actual funds to) using your own code is not a good idea even if you verify the correctness of the key->address using a secondary tool. Because there can be other vulnerabilities in your code like your RNG being weak.

[apogio]

Keep this educational and don't create any serious addresses using this. Most importantly is that you won't find bugs by just testing it a couple of times with random cases, there are a lot of edge cases that you may not know of and may not face in your "random tests" but can encounter in a real scenario.
Off the top of my head since you mentioned Java and are probably using the BigInteger class,is that you may forget the necessary padding for the public key and use a smaller than 32 byte x/y coordinate in the pubkey for your hash and end up with coins that can never be spent.

The best real life example I can think of that is similar to what I explained here is the bitcore-lib by Bitpay written in Javascript that had a similar bug with lack of padding. https://github.com/bitpay/bitcore-lib/issues/47

I would also say that generating a serious key (to send actual funds to) using your own code is not a good idea even if you verify the correctness of the key->address using a secondary tool. Because there can be other vulnerabilities in your code like your RNG being weak.

Thanks. As I said it's for educational purposes only. Btw I have used BitcoinJ which provided me with some classes that were kind of plug-and-play.

As I've mentioned, if you're able to import the address into a well-known wallet, it should be fine. They are unlikely to allow you to import a private key that cannot be spent. The first one would be the best, if you can do so. It doesn't affect the security nor the privacy of your paper wallet so long as you spend the coins back to yourself.

But in order to broadcast the transaction you will need to use the internet. So this requires importing the private key to an application that's connected to the internet. Therefore your wallet immediately becomes hot.

[ranochigo]

But in order to broadcast the transaction you will need to use the internet. So this requires importing the private key to an application that's connected to the internet. Therefore your wallet immediately becomes hot.

Nope, you don't have to. You can create a transaction and sign it offline. Regardless, the security of the paper wallet is compromised even if you were to only expose your private key when you're spending. If you want to be safe, you should not expose your private key to a computer that is connected to the internet at any point in time.

If you have a synchronized Bitcoin Core instance, you can get the raw transaction and use testmempoolaccept to test if it is valid without broadcasting.

[apogio]

If you have a synchronized Bitcoin Core instance, you can get the raw transaction and use testmempoolaccept to test if it is valid without broadcasting.

This is perfect. Thanks

[JohanM]

Because there can be other vulnerabilities in your code like your RNG being weak.

If you're using SecureRandom in JAVA that is as strong as it's going to get.
Creating a secure private key is as simple as calling nextBytes on a 32 byte byte[].
The only edge case here is that you have to check for the upper limit of the key.

Creating P2PKH or P2SH bitcoin addresses is NOT that difficult and the number of edge cases is limited.

I believe a self-written, properly tested paper wallet generator is MUCH safer that using whatever you can find on the internet now.

[JohanM]

If you have Bitcoin-QT installed you could also simply:
- create a new empty wallet
- import your self-made WIF key
- take a look at the corresponding public key it calculates. easiest way is to enable coinControl features and start a send_transaction to see the list of all public keys.

[pooya87]

I believe a self-written, properly tested paper wallet generator is MUCH safer that using whatever you can find on the internet now.

Compared to "whatever you can find", sure it can be safer but the choice is not between your own code and random code on github. There are other options such as well reviewed and well tested wallets such as bitcoin core and electrum that can be used to generate a key or mnemonic respectively then printing that on a paper which is way safer than your own code.

[apogio]

This is the repo where I have implemented the wallet generator:

 https://github.com/apogio/old-school-bitcoin

I am using SecureRandom to produce entropy, since I was unable to think of a better way.

Feel free to give me feedback.

Edit:
Running my code offline, doesn't necessarily solve every issue regarding privacy and safety. Furthermore, I did it for educational purposes and I don't encourage you to use it for real use.

[dzungmobile]

You could do the same thing you've been doing to recover the wallet on Electrum or maybe Bitaddress[1] (download the source code first), you should just make sure that the device you're using is offline and safe.

[Guide] How to Safely Download and Verify Electrum

Because OP is a tech guy and serious about security, it's applicable for him to verify Electrum wallet before using it (offline or online, should be offline).