Bitcoin Forum
December 17, 2017, 08:17:07 AM *
News: Latest stable version of Bitcoin Core: 0.15.1  [Torrent].
 
   Home   Help Search Donate Login Register  
Pages: « 1 [2]  All
  Print  
Author Topic: Is anyone working on / has implemented a “two-factor paper wallet”?  (Read 4114 times)
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 331


View Profile
August 07, 2012, 01:38:14 PM
 #21

OK, I have baked the M-of-N wallet code into my Casascius Bitcoin Utility, just as a proof of concept.  The M-of-N calc is under "Tools".

Source and binaries are included in this ZIP file.  This is for Windows.

https://www.casascius.com/BtcAddressMN.zip

This won't yet print any M-of-N paper wallets - it will simply produce the M-of-N codes (which you can copy and paste away), and recombine any M of them back into a regular private key (if you copy and paste them back in).  It could probably use a lot of scrutiny and testing, but it seems to work like it should.


Nice!

I'll come up with a cross-platform python utility for this when I have time.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
1513498627
Hero Member
*
Offline Offline

Posts: 1513498627

View Profile Personal Message (Offline)

Ignore
1513498627
Reply with quote  #2

1513498627
Report to moderator
1513498627
Hero Member
*
Offline Offline

Posts: 1513498627

View Profile Personal Message (Offline)

Ignore
1513498627
Reply with quote  #2

1513498627
Report to moderator
1513498627
Hero Member
*
Offline Offline

Posts: 1513498627

View Profile Personal Message (Offline)

Ignore
1513498627
Reply with quote  #2

1513498627
Report to moderator
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1513498627
Hero Member
*
Offline Offline

Posts: 1513498627

View Profile Personal Message (Offline)

Ignore
1513498627
Reply with quote  #2

1513498627
Report to moderator
1513498627
Hero Member
*
Offline Offline

Posts: 1513498627

View Profile Personal Message (Offline)

Ignore
1513498627
Reply with quote  #2

1513498627
Report to moderator
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736

Let's talk governance, lipstick, and pigs.


View Profile
August 07, 2012, 02:20:04 PM
 #22

OK, I have baked the M-of-N wallet code into my Casascius Bitcoin Utility, just as a proof of concept.  The M-of-N calc is under "Tools".

Source and binaries are included in this ZIP file.  This is for Windows.

https://www.casascius.com/BtcAddressMN.zip

This won't yet print any M-of-N paper wallets - it will simply produce the M-of-N codes (which you can copy and paste away), and recombine any M of them back into a regular private key (if you copy and paste them back in).  It could probably use a lot of scrutiny and testing, but it seems to work like it should.


Nice!

I'll come up with a cross-platform python utility for this when I have time.
I did not know this was possible. A utility like this combined with with user created m-of-n keys by nesting could create a system where a quorum of individuals could unlock certain amounts of funds depending on how many keys are used. I'm tripping over this.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1372


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 07, 2012, 02:51:25 PM
 #23

Now that I have it working, I am thinking of how it could evolve a bit:

for example, solving m-of-n yields 1 bitcoin address.  But practical use of the scheme might be an "in-case-I-die" safety measure, and I am thinking the keys ought to contain a field to say how many addresses are intended to be used (using the sum as a deterministic wallet seed).

For example if I am going to go to the effort of passing out around key parts, it's going to be a real pain in the ass each time I need to discard the address I'm using, so it would be better if when my loved ones went to restore my coins, the restore utility would know, "aha! this yields 24 addresses" and prints out 3 pages of paper wallets with 8 addresses per page.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736

Let's talk governance, lipstick, and pigs.


View Profile
August 07, 2012, 02:58:11 PM
 #24

The output from several randomly generated k-of-n keys could be the inputs of user defined m-of-n transactions.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 331


View Profile
August 07, 2012, 11:31:28 PM
 #25

Now that I have it working, I am thinking of how it could evolve a bit:

for example, solving m-of-n yields 1 bitcoin address.  But practical use of the scheme might be an "in-case-I-die" safety measure, and I am thinking the keys ought to contain a field to say how many addresses are intended to be used (using the sum as a deterministic wallet seed).

For example if I am going to go to the effort of passing out around key parts, it's going to be a real pain in the ass each time I need to discard the address I'm using, so it would be better if when my loved ones went to restore my coins, the restore utility would know, "aha! this yields 24 addresses" and prints out 3 pages of paper wallets with 8 addresses per page.


You could use a key family scheme to generate as many addresses as you want from a single seed - something like this:

http://crypto.stackexchange.com/questions/1534/families-of-public-private-keys-in-elliptic-curve-cryptography

It also has the advantage that you could store some derivative privkeys in a more accessible place (eg. desktop client, blockchain.info) and use them normally without risking your root key being compromised.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736

Let's talk governance, lipstick, and pigs.


View Profile
August 08, 2012, 04:49:32 AM
 #26

These m-of-n transactions (when nested) are starting to look like discrete components and Bitcoin is the energy. Combining different types of transactions could create logic gates of money. The circuit would be traceable by the blockchain, though it would create a lot of transactions. That's something to worry about later. I'm thinking that this could be a way to create community based lending systems that amplify funds for borrowers that meet the criteria of key persons in the circuit. There would be many different functions for different amounts depending on the setup, enough to meet the needs of borrowers of all sorts. Thoughts, or should I just start drinking?

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
JustThinking
Newbie
*
Offline Offline

Activity: 15


View Profile
August 08, 2012, 12:40:35 PM
 #27

Hello,
I just created this wiki page.

I'm coining the term here, I think ... not sure what was it called when discussed on Bitcointalk.

My question is: Has anyone implemented this "2 factor paper wallet"? Is it being worked on?

x-post to SE
Maybe relevant:

I'm working on a "traditional" two factor wallet, called SmartCardWallet. In essence you shall have a physical card in your wallet, that acts something like a normal chipped visa card. Unlike paper based solutions, it is considered a difficult task for an average adversary to copy/attack the contents of a smart card. See https://bitcointalk.org/index.php?topic=94119.0
XertroV
Member
**
Offline Offline

Activity: 88

Max Kaye


View Profile WWW
August 09, 2012, 02:25:38 PM
 #28

for example, solving m-of-n yields 1 bitcoin address.  But practical use of the scheme might be an "in-case-I-die" safety measure

When I read halfway down the first page I realised it was exactly what I needed. I've been thinking about the idea of having a private key to some GPG encrypted information stored in such a way that you only need say 3/5 keys to decrypt the information. That way, you can communicate from inside an absolutely sealed environment and save things like passwords or details of assets and projects and particularly bitcoins, and save all that information with a measure of security but entirely outside of your control. By holding on to one of the keys yourself, perhaps a crucial key, you could ensure nothing could happen while you were alive. I want to experiment with a 2-tiered system, as in you need [3/5 root keys], or [2/5 root and ANY 3 of like 8 secondary keys]; that is that the secondary keys are not particular to the lost root keys.

Anyway, don't mind me.

Subbed.
BkkCoins
Hero Member
*****
Offline Offline

Activity: 784


firstbits:1MinerQ


View Profile WWW
August 10, 2012, 05:42:32 AM
 #29

Is this the same math as Shamir Secret Sharing (using polynomials) or something different? I've used that before to encode my password safe in several places and I'm sure it would work easily for keys too.

Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 331


View Profile
August 10, 2012, 02:12:54 PM
 #30

for example, solving m-of-n yields 1 bitcoin address.  But practical use of the scheme might be an "in-case-I-die" safety measure

When I read halfway down the first page I realised it was exactly what I needed. I've been thinking about the idea of having a private key to some GPG encrypted information stored in such a way that you only need say 3/5 keys to decrypt the information. That way, you can communicate from inside an absolutely sealed environment and save things like passwords or details of assets and projects and particularly bitcoins, and save all that information with a measure of security but entirely outside of your control. By holding on to one of the keys yourself, perhaps a crucial key, you could ensure nothing could happen while you were alive. I want to experiment with a 2-tiered system, as in you need [3/5 root keys], or [2/5 root and ANY 3 of like 8 secondary keys]; that is that the secondary keys are not particular to the lost root keys.

Anyway, don't mind me.

Subbed.


Sure, all you need to do for that is to set up a (3,6) system where one of the six outputs is itself stored in the form of a (3,8) system.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 331


View Profile
August 14, 2012, 01:58:32 AM
 #31

So, here's my current version of the Python utility:

https://www.dropbox.com/sh/ysbyb3v5zec43pe/Emrn5v2slX/files.zip

The one thing I can't figure out is what it exactly means to take the "SHA256(resulting bitcoin address)". Do I SHA256 the address itself? A bytestring version of it? A bytestring version padded with '\x00'? None of those seems to work. But barring that my utility is decoding Casascius's example correctly.

Another question/concern: why limit it to (8,8)? There is no need whatsoever to do this. All you have to do is keep applying progressively smaller caps to the high-position intermediate k-values and as long as the cap keeps decreasing fast enough there's no problem - I implemented it in my code already. We can limit it to (16,16) and have 8 bytes of error correction in the encoding instead of 9 and everything will work just fine.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
Remember remember the 5th of November
Legendary
*
Offline Offline

Activity: 1610

Reverse engineer from time to time


View Profile
September 04, 2012, 06:24:38 PM
 #32

Does this mean if either part is lost, you lose access to any coins in there?

BTC:1AiCRMxgf1ptVQwx6hDuKMu4f7F27QmJC2
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 331


View Profile
September 05, 2012, 10:10:43 AM
 #33

Does this mean if either part is lost, you lose access to any coins in there?

If you have a 1-of-2 split, then either part is fine to get you the key.
If you have a 4-of-5 split, then if any two of the five parts are lost you lose access to the key.
If you have a 8-of-11 split, then if any four of the eleven parts are lost you lose access to the key.

Also, there's a new thread now: https://bitcointalk.org/index.php?topic=104086.msg1139496#msg1139496

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
ribuck
Donator
Legendary
*
Offline Offline

Activity: 826


View Profile
September 05, 2012, 10:50:11 AM
 #34

If you have a 8-of-11 split, then if any three of the eleven parts are lost you lose access to the key.
I think you mean "any four of the eleven".
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 331


View Profile
September 07, 2012, 09:16:01 AM
 #35

I think you mean "any four of the eleven".

Indeed. Fixed.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
Pages: « 1 [2]  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!