Bitcoin Forum
Author Topic: How to Create a Bitcoin Receive Address from a Coin Flip  (Read 14662 times)
hexafraction
February 06, 2015, 11:23:00 PM
 #21


*** You cannot use the Brainwallet BIN to HEX converter due to the fact that Brainwallet adds a “0” placeholder to every 4-bit BIN sequence. E.g. “1111” converted to HEX is “F” but Brainwallet converts it as “0F” ***


Yes, you can. Just don't add spaces to the binary.

Also, don't use random.org at all. Use a physical coin, or a known-good physical RNG, preferably one that is designed to be unbiased, truly random using physical noise, and separate from a computer.

R2D221
February 07, 2015, 12:28:36 AM
 #22

Random.org is for trivial stuff.

Generating a Bitcoin private key and its corresponding address is not trivial at all.

fasbit (OP)
February 07, 2015, 02:48:59 PM
Last edit: February 07, 2015, 03:41:34 PM by fasbit
 #23

I will argue that 256 coin flips from random.org is the best random number possibility available.  And assuming that you push the results through an offline computer using brainwallet offline, you will have a VERY SAFE, VERY RANDOM private key.
LOL.  A "VERY SAFE" number which is trivially known to a third party.  Is someone at "random.org" paying you to encourage people to have them generate their private keys, or did you come by this cluelessness naturally?

I haven't looked recently, but last I checked random.org methods were secret and not peer reviewed. So not only may the results be trivially maliciously logged (by the site operators or anyone who's compromised their system; or the operators of the VPSes they use (rackspace cloud)), they're probably more likely to be accidentally flawed because their methods are not reviewed.

A. Attacking an idea or postulate is a great thing.  Attacking a person and calling them "clueless" is ad hominem and is below your status as a moderator of this board.
B. Random.org is peer reviewed here: https://www.random.org/media as well as tested by third-party orgs like http://www.ecogra.org/ . Their methods are not secret, but they are not public either.
C. So let's examine your logic: since random.org (peer reviewed, certified and in business since 1998) creates a buffer in advance full of billions of ones and zeroes, and since it uses https, someone could log the front-end usage of these ones and zeros after they leave the buffer and before they hit the https (side note on magnitude: these ones and zeroes from the buffer are used for a lot of different applications on the site other than coin flips), track the usage by IP, collect and then echo the data once an IP pulls precisely 256 bits of data, run the bits through a key generator (also try various combinations of the 256-bit sequence, like only looking at the last 256 bits, since the first x bits could have been a test), create a database to collect all of these new bitcoin addresses and repeatedly query the entire blockchain to see if any of the addresses are extant. If any one address is extant and holds bitcoins, import the corresponding key into a wallet and steal the bitcoins. OK... I will concede. This may be possible. It's not likely, considering the high-level access, the subterfuge necessary, and the high number of bitcoin addresses to generate & query; not probable, but maybe possible.

So to test your theory I am going to publish a bitcoin address that I created using random.org, leave some BTC there and see if they evaporate. If they magically walk away, then we will know that someone at random.org is malicious. If nothing happens, then I'm going to stick with my "SAFE" comment. I will however add a note of caution to the thread warning people that 1) they could get struck by lightning today, 2) Earth could get destroyed by a meteor in the next 5 minutes AND 3) somebody at random.org might guess your intent out of the millions of possible intents by those who use this service, parse through the data looking for precisely 256 bits of interesting target data, turn them into a bitcoin key and steal your BTC.

Dear Mythical Hacker at Random.Org:  I created this address with the coin flip service on 02/07/2015.  I flipped 8 coins at once using Polish Zloties.  I pulled precisely 256 bits of data from the buffer to make it easy on you.  Please steal my bitcoins.
Here is the address: 1DcS5pEgjnLGJ43h7znVxdcxMfx6pfaZvA




fasbit (OP)
February 07, 2015, 03:04:49 PM
 #24


Ahhh... you are correct!  I fixed the note.
redsn0w
February 07, 2015, 03:09:55 PM
 #25

Oh fantastic, thanks for the info. I surely will try!
hhanh00
February 07, 2015, 04:47:10 PM
 #26

This thread reminds me of [Calvin & Hobbes](http://www.gocomics.com/calvinandhobbes/2012/11/07)

doof
February 09, 2015, 05:14:22 AM
 #27

Please please please do not do this. The cryptosystem which Bitcoin keys and addresses are part of assumes for its security that its private keys are uniformly random numbers. Flipping coins by hand will definitely not give uniformly random numbers, and is probably so biased (depending on your hand, the coin, what side you pick it up from, the surface it lands on, etc, etc) that you can measure it yourself by just flipping a coin and counting the zeroes and ones.

If you swap out one component of a cryptosystem for another you have constructed a new cryptosystem and need to argue its security. And I guarantee you won't find a good security argument for "Bitcoin script with biased randomness".

To add to the presumption of insecurity that should be applied to all new cryptosystems, let me point out that much of this one is gibberish:


Quote
Every Public Address corresponds to exactly one Private Key and vice-versa.
This is simply false.

Are you talking about possible collisions?
coinableS
February 09, 2015, 05:24:52 AM
 #28

I believe he is referring to this:  https://bitcointalk.org/index.php?topic=24268.0

So there are 2^160 public keys but only 2^96 private keys? How does that add up?
Are there private keys that unlock more than one public key?
There are just under 2^256 private keys, just under 2^256 public keys, and 2^160 addresses. There are some addresses that have more than one corresponding public key and thus more than one corresponding private key.

coinpr0n
February 09, 2015, 01:25:49 PM
 #29

Cool idea. So decentralized ...

xDan
February 10, 2015, 05:31:44 PM
 #30

It's a nice idea, but if you are doing coin flipping as a way to have "perfect" randomness, then you are rather spoiling the effort by having it touch any online computer system. I would rather just use bitcoin core on a linux livecd which I'd trust way more than any of the sites you linked.

i.e. suggesting mathisisfun.com website. Hey hackers, go compromise mathisfun.com, a fun little side project for you, maybe you'll find yourself some private keys.

Or maybe OP is the hacker who has already done so. Clever!

I would definitely be interested in seeing a tiny little script with no external dependencies that can be run on an offline system.

(Or excel/open office equations that I can copy+paste myself).

HODLing for the longest time. Skippin fast right around the moon. On a rocketship straight to mars.
Up, up and away with my beautiful, my beautiful Bitcoin~
fasbit (OP)
February 10, 2015, 07:09:33 PM
 #31

  • I'm working on the Excel. I have the sha256 and base58 working in Excel, just hung up on RIPEMD-160... but I'm close
  • Also, all of the links I suggested have "offline" capability.
NewLiberty
February 11, 2015, 04:34:20 AM
 #32

For the Hex Dice, I'd like to see them in happy homes:

BTC0.05 for a pair will get me off my butt to get them shipped to you in the USA, for international, probably a bit more.  Let me know where you are and I'll let you know how much more.


spin
February 12, 2015, 09:18:36 AM
 #33

A.  He may have been a little harsh, but you need to understand cryptography for some of these things.  And you can't simply claim something is secure.  I am trying to learn about cryptography, and all I've really learned thus far is that there is a lot out there and one can quickly do a lot of damage.
B.  Those are random citations that don't really appear to be peer review of the methods. For random.org to be tested, their methods should be fully disclosed. They have a question covering this in their FAQ: https://www.random.org/faq/#Q2.2  It talks about gaming and gambling. Being verified for that is NOT the same as being verified for cryptographic purposes. Also see https://www.random.org/faq/#Q1.2  Standard security practice before using something in cryptography is that it's open to inspection and that a lot of people have looked at it. The code they use is not available, so how do you know it's right?
C. In theory, whoever can access the machines they use can get to the random numbers generated. These include the hosting company, the site owners, hackers with access, etc. gmaxwell did point out that the most likely source of error was an accidentally poor implementation of the random number generator process. The point is you cannot know, because it's all closed source and not reviewed. So do you want to use a well reviewed random generator or something that may or may not be random?

A poor random generator may make it possible to solve private keys for 1 in 1000 or 1 in 1 000 000 generated using the site. The point is even 1 in 1bn is a lot (and I mean a LOT) less secure than other methods used to generate private keys. So your test address is probably safe, but how safe you won't know, because it's all closed up. Now if lots of people start using the service (like when someone starts recommending them) the odds start looking a lot better for an attacker.

This is my lay understanding of the issues around something like this.



NewLiberty
February 12, 2015, 05:19:42 PM
 #34

GMaxwell writes from a development point of view.
Make it provably safe therefore trustless (not requiring unusual trust).
I appreciate that view point in a developer, because it makes the code useful for very large values.

The "test" is one which uses very small bait: 1DcS5pEgjnLGJ43h7znVxdcxMfx6pfaZvA has 0.05 XBT.
It is not a very valid test.  It will not entice someone with an exploit to go after those coins.

e1ghtSpace
February 14, 2015, 11:57:13 AM
 #35

Since we only generate 256 1's or 0's does that mean that there are only 256^2 possibilities?
Wow, it should be 2^256 :D
hexafraction
February 17, 2015, 12:17:45 AM
 #36

No, generating 256 bits means there are 2^256 possibilities. For example, 1 coin flip has 2^1 possibilities, 2 coin flips have 2^2, 3 flips has 2^3, etc. The number of possibilities for n flips is the number of possibilities of n-1 flips times the number of possibilities of that nth flip, hence 2^n.

fasbit (OP)
February 17, 2015, 01:49:41 AM
 #37

1. I agree that my measly .05 BTC of bait is not a real enticement. But it would demonstrate if someone had maliciously swiped the code and was using the site to swipe private keys no matter the balance.
2. I appreciate gmaxwell's point and I added warnings based on his point. This thread is, however, about creating the private key with a coin flip, not a web site. Using a site like random.org is ancillary to the thread and I marked it "educational only."
3. The only thing I claim is safe is: 1) it's done offline, 2) it's done randomly, and 3) no one can know the method of creation. I will stick by that maxim. < this is the essence of the thread
jl2012
February 17, 2015, 06:31:09 AM
 #38



Punch your keyboard and take SHA256 of the results. It's way much better than using an online third party RNG.

NewLiberty
February 17, 2015, 08:53:18 AM
 #39

Agree with all of this :) and with the recent revelations:
http://www.cbc.ca/news/technology/nsa-hid-spying-software-in-hard-drive-firmware-report-says-1.2959252
the method is very attractive; still, I'd stick with the 64 hex dice rolls over the 256 coin flips.

teukon
February 17, 2015, 10:59:00 AM
 #40

The only thing I claim is safe is: 1) it's done offline, 2) it's done randomly, and 3) no one can know the method of creation. I will stick by that maxim. < this is the essence of the thread

I don't see the need for (3).  Indeed, if (3) is at all useful to your security then I'd claim that you're not introducing enough entropy at step (2) and are being forced to rely on the extra entropy of your method being one among many plausible alternatives.

Certainly, 256 coin flips provides sufficient entropy.  I believe 128 coin-flips is enough for critical cold storage even with the method known but I'm not a cryptographer.
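As an added, dependency-free example (not code from the thread, from brainwallet, or from any site linked in it) of the offline script xDan asks for in #30: it converts 256 flips to hex in one step (so "1111" gives "f", not the "0F" that the note quoted in #21 warns about), rejects keys outside the secp256k1 range, encodes the key as WIF, and runs the ones-versus-zeros bias check doof suggests in #27, with the min-entropy arithmetic behind teukon's 128-bit remark in #40. Assumed input format, constructed for this example: heads = '1', tails = '0', whitespace ignored.

```python
# Added example for this thread (not code from the thread, brainwallet or any
# site it links to). Standard library only, so it can run on an offline machine.
# Assumed input (constructed for this example): a string of 256 flips, heads = '1',
# tails = '0', whitespace ignored.
import hashlib
import math

# Group order of secp256k1; a usable private key lies in [1, N-1].
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
B58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def flips_to_hex(flips: str) -> str:
    """256 flips -> 64 lowercase hex digits. The whole bit string is converted
    at once, so '1111' contributes 'f', not the '0f' that a per-nibble
    converter with zero padding would produce."""
    bits = "".join(flips.split())
    if len(bits) != 256 or set(bits) - {"0", "1"}:
        raise ValueError("expected exactly 256 characters of '0'/'1'")
    return format(int(bits, 2), "064x")


def base58check_encode(payload: bytes) -> str:
    """Base58Check: payload || first 4 bytes of SHA256(SHA256(payload))."""
    data = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n = int.from_bytes(data, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58_ALPHABET[r] + out
    # Each leading zero byte is represented by a leading '1'.
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out


def base58check_decode(s: str) -> bytes:
    """Inverse of base58check_encode; raises if the checksum does not match."""
    n = 0
    for ch in s:
        n = n * 58 + B58_ALPHABET.index(ch)
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(s) - len(s.lstrip("1"))) + body
    payload, checksum = raw[:-4], raw[-4:]
    if hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4] != checksum:
        raise ValueError("Base58Check checksum mismatch")
    return payload


def key_to_wif(key_hex: str, compressed: bool = False) -> str:
    """Wallet Import Format: 0x80 || 32-byte key [|| 0x01 if compressed]."""
    k = int(key_hex, 16)
    if not 1 <= k < SECP256K1_N:
        # All-zero flips, or a value >= N, is not a usable secp256k1 key.
        raise ValueError("private key must be in [1, N-1]")
    payload = b"\x80" + k.to_bytes(32, "big") + (b"\x01" if compressed else b"")
    return base58check_encode(payload)


def min_entropy_bits(p_favoured: float, n_flips: int) -> float:
    """Min-entropy of n independent flips of a coin that lands on its favoured
    side with probability p_favoured (0.5 <= p < 1): -n * log2(p).
    Independence is assumed; correlated flips would lower this further."""
    return -n_flips * math.log2(p_favoured)


def max_bias_for(target_bits: float, n_flips: int) -> float:
    """Largest p_favoured for which n_flips still carry target_bits of
    min-entropy: 2 ** (-target_bits / n_flips). For 128 bits from 256 flips
    the coin may favour one side at most ~70.7% of the time."""
    return 2 ** (-target_bits / n_flips)


def flip_bias_report(flips: str) -> dict:
    """Crude fairness check of the kind suggested in the thread: count ones
    and zeros. For a fair coin, ones ~ Binomial(n, 1/2): mean n/2, standard
    deviation sqrt(n)/2 (8 for n = 256); |z| > 3 has ~0.3% probability."""
    bits = "".join(flips.split())
    n, ones = len(bits), bits.count("1")
    p_fav = max(ones, n - ones) / n
    z = (ones - n / 2) / (math.sqrt(n) / 2)
    return {
        "ones": ones,
        "zeros": n - ones,
        "z_score": z,
        "suspicious": abs(z) > 3,
        # Estimated from a single sample, so only a rough indication.
        "est_min_entropy_bits": min_entropy_bits(p_fav, n),
    }


if __name__ == "__main__":
    # Constructed sample: 256 alternating flips standing in for a real session.
    sample = "10" * 128
    key = flips_to_hex(sample)
    print("hex key :", key)
    print("WIF     :", key_to_wif(key))
    print("bias    :", flip_bias_report(sample))
    print("max bias for 128 bits from 256 flips: %.4f" % max_bias_for(128, 256))
```

The address itself still needs secp256k1 point multiplication and RIPEMD-160, which this block leaves out; the WIF string can be imported into an offline wallet instead.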