Bitcoin Forum
March 19, 2024, 06:18:07 AM *
News: Latest Bitcoin Core release: 26.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Is anyone working on / has implemented a “two-factor paper wallet”?  (Read 4205 times)
ripper234 (OP)
Legendary
*
Offline Offline

Activity: 1358
Merit: 1003


Ron Gross


View Profile WWW
August 02, 2012, 12:32:38 PM
 #1

I just created this wiki page.

I'm coining the term here, I think ... not sure what was it called when discussed on Bitcointalk.

My question is: Has anyone implemented this "2 factor paper wallet"? Is it being worked on?

x-post to SE

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
"Bitcoin: the cutting edge of begging technology." -- Giraffe.BTC
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1710829087
Hero Member
*
Offline Offline

Posts: 1710829087

View Profile Personal Message (Offline)

Ignore
1710829087
Reply with quote  #2

1710829087
Report to moderator
austonst
Member
**
Offline Offline

Activity: 76
Merit: 10



View Profile
August 02, 2012, 01:37:22 PM
 #2

How about a 2-of-2 multisig address? I believe it's in development now.

https://en.bitcoin.it/wiki/BIP_0011
https://en.bitcoin.it/wiki/BIP_0019

ripper234 (OP)
Legendary
*
Offline Offline

Activity: 1358
Merit: 1003


Ron Gross


View Profile WWW
August 02, 2012, 02:05:59 PM
 #3

How about a 2-of-2 multisig address? I believe it's in development now.

https://en.bitcoin.it/wiki/BIP_0011
https://en.bitcoin.it/wiki/BIP_0019

This is Similar.

This proposal doesn't require any protocol change, or in fact any changes to Bitcoin code.
It's just an external service that can be implemented today without much effort.

Please do not pm me, use ron@bitcoin.org.il instead
Mastercoin Executive Director
Co-founder of the Israeli Bitcoin Association
World
Hero Member
*****
Offline Offline

Activity: 743
Merit: 500



View Profile
August 02, 2012, 10:09:25 PM
 #4

https://en.bitcoin.it/wiki/User:Casascius/Base58Check-encoded_objects_proposal

Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
August 02, 2012, 10:30:15 PM
 #5

It's no harder to generate the initial pair yourself as it is to validate that it is correct. If you don't validate it, and it turns out to be defective in any way, your money is forever lost.

Frankly, this seems silly to me. What advantage do you get from splitting the key in this way?

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 02, 2012, 10:46:03 PM
 #6

I just created this wiki page.

I'm coining the term here, I think ... not sure what was it called when discussed on Bitcointalk.

Impeccable timing... I just created this wiki page that takes a stab at addressing the very thing you've asked about.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 02, 2012, 10:48:35 PM
 #7

It's no harder to generate the initial pair yourself as it is to validate that it is correct. If you don't validate it, and it turns out to be defective in any way, your money is forever lost.

Frankly, this seems silly to me. What advantage do you get from splitting the key in this way?


1 - the ability to put your key in 2 different geographically separate places to protect them from snooping/theft.  example, I might put one half in my safety deposit box and keep the other half at home, so someone from the bank who happens to gain access to my safety deposit box doesn't get my bitcoins.

2 - the ability to have 2 separate machines generate a single key, so even if one or both machines is compromised, the resulting key is not.  (Example: Smartphone + Computer). All that matters is that both machines aren't compromised by the same person or someone with the ability to access both halves.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
JoelKatz
Legendary
*
Offline Offline

Activity: 1596
Merit: 1012


Democracy is vulnerable to a 51% attack.


View Profile WWW
August 03, 2012, 01:24:50 AM
 #8

1 - the ability to put your key in 2 different geographically separate places to protect them from snooping/theft.  example, I might put one half in my safety deposit box and keep the other half at home, so someone from the bank who happens to gain access to my safety deposit box doesn't get my bitcoins.
That can be done much simpler ways. For example, you can literally separate the key bits in half. You can also generate a random sequence the same length as the key, and store that along with the key XORed with that.

Quote
2 - the ability to have 2 separate machines generate a single key, so even if one or both machines is compromised, the resulting key is not.  (Example: Smartphone + Computer). All that matters is that both machines aren't compromised by the same person or someone with the ability to access both halves.
Any scheme that doesn't involve storing the private key on a single device has this property.

I am an employee of Ripple. Follow me on Twitter @JoelKatz
1Joe1Katzci1rFcsr9HH7SLuHVnDy2aihZ BM-NBM3FRExVJSJJamV9ccgyWvQfratUHgN
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 03, 2012, 01:32:36 AM
 #9

1 - the ability to put your key in 2 different geographically separate places to protect them from snooping/theft.  example, I might put one half in my safety deposit box and keep the other half at home, so someone from the bank who happens to gain access to my safety deposit box doesn't get my bitcoins.
That can be done much simpler ways. For example, you can literally separate the key bits in half. You can also generate a random sequence the same length as the key, and store that along with the key XORed with that.

Agreed, simpler for the computer.  (though separating the key bits in half definitely works, is simple for the user, and I've done it).

By writing the proposal, I'm hoping it leads to something simple for the user.

Ultimately, the user should just be able to click a button, and get however many codes he wants.  I will probably update my Casascius Bitcoin Utility to generate all of these codes, as well as turn them back into a single standard private key for import.


Quote
2 - the ability to have 2 separate machines generate a single key, so even if one or both machines is compromised, the resulting key is not.  (Example: Smartphone + Computer). All that matters is that both machines aren't compromised by the same person or someone with the ability to access both halves.
Any scheme that doesn't involve storing the private key on a single device has this property.

No single device can generate a single key without storing it in memory, at least temporarily.  And it has to send the key somewhere through some sort of i/o for it to be of any use.  Interception is possible at either point by malware that knows what it's looking for.  Bottom line, I think most would agree that a wallet generator being immune to an unknown compromise is a desirable feature if it is not too complicated or inconvenient to use.

Using EC multiplication rather than XOR has the convenient property that machine 1 can share what it needs with machine 2 in the form of an EC point (like a public key), and neither machine will ever be able to know the complete final private key until the user redeems the wallet.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 330
Merit: 397


View Profile
August 04, 2012, 01:25:24 PM
 #10

For the private key splitting, your approach of storing parts combined with a global XOR seems to be redundant against only one failure. But why not expand the concept to an arbitrary (n,k)-redundant encoding? Here's a quick brainstorm of how a scheme might work:

1. Take your private key and find n values (which we'll call v(1) to v(n)) which meet the following conditions:

i. v(k) <= 2 ^ 256 / (k)^(3*n)
ii. hex(SHA256(k)) starts with '00' - this is the checksum
iii. XOR(v(k) for all k 1 to n) = the original private key

The first condition isn't too important, it's just nice to have if you want all of your pieces to stay within 64 bytes.

Now, for the pieces. Piece k will have the following format (encoded into base 58 of course):

Byte 0 = 0x86 (or whatever)
Byte 1 = k
Byte 2 = string length of the resulting base58
Bytes 3-whatever = v(1) + v(2)*2^k + v(3)*3^k + v(4)*4^k + ...

For example, if you want your private key to require three out of five pieces to reconstitute, the final pieces will be (string lengths will depend on exactly what v(1), v(2) and v(3) are):

0x86 1 45 v(1) + v(2)*2 + v(3)*3
0x86 2 45 v(1) + v(2)*4 + v(3)*9
0x86 3 46 v(1) + v(2)*8 + v(3)*27
0x86 4 46 v(1) + v(2)*16 + v(3)*81
0x86 5 46 v(1) + v(2)*32 + v(3)*243

To reconstitute the private key, simply solve the linear system from any three pieces and XOR all the results. You actually don't have to know what n is because you can simply assume that n is the number of pieces that you have, and if you have too many pieces solving the linear system will simply lead you to discover that the n+1st, n+2nd, etc pieces are all equal to zero.

The scheme can easily be adapted to make the private key the EC product of v(1), v(2), etc rather than an XOR, and even the linear systems can be changed to an multiplicative/exponential equivalent if desired, so it's pretty adaptable.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 04, 2012, 03:04:30 PM
 #11

For the private key splitting, your approach of storing parts combined with a global XOR seems to be redundant against only one failure. But why not expand the concept to an arbitrary (n,k)-redundant encoding? Here's a quick brainstorm of how a scheme might work:

If "why not" is a question, the honest answer is because I don't understand the math well enough to propose such a thing, though I agree that an encoding that allows redundancy against an arbitrary number of failures is more desirable than a scheme that allows redundancy against only one, except perhaps if implementing the scheme is too difficult for developers that they just don't do it.  (Your suggestion on its surface appears to not have this problem).

If "why not" is a suggestion, well then, hell yeah!

Would you be willing to write your suggestion up on the wiki and assume that your reader doesn't understand the math?  For example, when you say "find n values that meet the following conditions", it's not obvious to me how one would go about finding such a value.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
unclemantis
Member
**
Offline Offline

Activity: 98
Merit: 10


(:firstbits => "1mantis")


View Profile
August 05, 2012, 03:41:37 AM
 #12

Watching!

PHP, Ruby, Rails, ASP, JavaScript, SQL
20+ years experience w/ Internet Technologies
Bitcoin OTC | GPG Public Key                                                                               thoughts?
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1006

Let's talk governance, lipstick, and pigs.


View Profile
August 05, 2012, 04:47:44 AM
 #13

How about a 2-of-2 multisig address? I believe it's in development now.

https://en.bitcoin.it/wiki/BIP_0011
https://en.bitcoin.it/wiki/BIP_0019
It is actually supported by the protocol now. I talked about it in this thread: https://bitcointalk.org/index.php?topic=94723.msg1047595#msg1047595

Quote
I'm pretty sure this has already been discussed, but am wondering why it isn't done yet:
Here's a spin off the Casascius Coins and Bit Bills. Let's call the website "Rainy Day Savings." Joe creates a key pair and sends the public key to the website and orders a Rainy Day Bill. April at Rainy Day Savings prints a Bill and applies a tamper resistant hologram that conceals a private key. April then generates a 2 of 2 multisig address based on the public key sent to the website and the public key that goes to the hidden private key. That address is printed on the note. April then mails the note to Joe and advises him to carefully write or print the private key paired to the public key that was sent to the website. Joe then sends an amount to the multisig address and writes the value of the note on its face. Joe can then spend the note as physical Bitcoin and because it is multisig signed, nobody has both addresses to spend it until the tamper-proof sticker is removed and both private keys are imported to a wallet.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Vitalik Buterin
Sr. Member
****
Offline Offline

Activity: 330
Merit: 397


View Profile
August 05, 2012, 12:23:32 PM
 #14

Would you be willing to write your suggestion up on the wiki and assume that your reader doesn't understand the math?  For example, when you say "find n values that meet the following conditions", it's not obvious to me how one would go about finding such a value.

https://en.bitcoin.it/wiki/User:Vbuterin/K_of_N_redundant_offline_private_key_proposal

Fairly technical (hard to avoid that when describing these types of protocols), but here you go.

Argumentum ad lunam: the fallacy that because Bitcoin's price is rising really fast the currency must be a speculative bubble and/or Ponzi scheme.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 06, 2012, 09:22:39 AM
 #15

Would you be willing to write your suggestion up on the wiki and assume that your reader doesn't understand the math?  For example, when you say "find n values that meet the following conditions", it's not obvious to me how one would go about finding such a value.

https://en.bitcoin.it/wiki/User:Vbuterin/K_of_N_redundant_offline_private_key_proposal

Fairly technical (hard to avoid that when describing these types of protocols), but here you go.

Good news!  I got some code working that generates these for any k,n up to 7.

I meant to make it up to 8, but I overflow the amount of space I've given myself when doing an 8 of 8 scheme, so will need to tweak it for that bit to fit. But 7 of 8 won't overflow.

The code totally works!... generating a random key and bitcoin address in n parts, and is able to recreate it with k strings.  I modified your proposal a little bit, and then wrote my code to be consistent with it.

Sample!  Any 7 of the following 8... (as indicated by prefix 6s7, the 7 means how many is needed):
6s755BvvkPDD6VpEZVB8vMbDPDGZSVdEX4BCPGmEdXp1NifbBQ7ALFGnmTN
6s75WdT4MPbeYr43nDjFpq944VqRRJJdNKd1Zv9GioScjbt8tUeBjn1fUzN
6s75x4yCDj15iukjhH51Td9hJWdXzqVtExFVAVkHwfhHWsqGwUyGhvxyhbG
6s76PWVMkSrWktWADeHJDTL743zPbkbXTYNxtWUYbARVVYpTABTr2JwCo88
6s76px1hvUvTZwfzgF2eZb4BcM2pQCzuKjAvAnsf34T6hvtAhq4BGgmWgtn
6s77GPZFG2Twgj1auFPMKYzr4mzckXT4YG5GMZPwqZyjkfqfHGNGnCmuEsf
6s77hqEdScKDWpgZM7u158kSE4L4kxYFRDHXrQZQ7R1dautwg7WugaNruau
6s789Hp6fCk35xAaKpC9qnFdLD2fZjQx6YQ2RYgX4zTnPxYiexY1yfoHCym

Yields the following bitcoin private key and bitcoin address with my test app.  I'm using XOR to combine v(1) thru v(7) once calculated.
5KGysrJEuNxE6aZKytbRi9CYTzPefGBrVEG7cWXrnzXq7jte48B
13AKe4Ha5XAWWsQWwFqM2EwXiPHjJM2t6v

Any 3 of the following 5
6s3CKaXLZf36aRuAprra2RmEG94pQdD2hYWyevKzdkVvZ1DWvY9qAVtmPSo
6s3Cm23U7kL2Rtod4uTYPUMfLq5akewRNhEbPxhUfWDFiuLtMrnWzFuP3qb
6s3DCTZbfzgPzM8FrutYZCwJwjLkrEPfQD1k723bx8Wh1BWLyGBji26PK3G
6s3Ddu5jEf2mGR2BxtGzdgbg5Wp2u9XqfJpM7beyNwLuRbu9vwTTB2313sc
6s3E5LbrpT2StcHXJuUVRjkKkSqNDUnazAP1qgihyRJNtTEBbVUSz9ajDJS

yields this private key and address.
5KELsahJpMfwu7fvMfSMm7rnG5voCTE4P9D6ikR7L6ajeQgpj7U
1PWYZB7kLLjm8Ue3pvAEeHMBJr6KXgdR6K

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1006

Let's talk governance, lipstick, and pigs.


View Profile
August 06, 2012, 09:51:51 AM
 #16

Would you be willing to write your suggestion up on the wiki and assume that your reader doesn't understand the math?  For example, when you say "find n values that meet the following conditions", it's not obvious to me how one would go about finding such a value.

https://en.bitcoin.it/wiki/User:Vbuterin/K_of_N_redundant_offline_private_key_proposal

Fairly technical (hard to avoid that when describing these types of protocols), but here you go.
Math isn't my strong suit. Let me get this straight:
m-of-n is when m=n-1
K-of-N is when k=n-2

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 06, 2012, 04:09:38 PM
 #17


Math isn't my strong suit. Let me get this straight:
m-of-n is when m=n-1
K-of-N is when k=n-2

m-of-n and k-of-n are the same... differing only by a letter which was arbitrarily chosen. the only difference is the first proposal I wrote required that m be n-1 (the letters themselves don't matter)... the proposal that Vitalik wrote (which I coded and seems to work) allows m to be as low as 1 and as much as n.  If you substitute k for n, everything is the same, you have merely changed the letter.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
mem
Hero Member
*****
Offline Offline

Activity: 644
Merit: 501


Herp Derp PTY LTD


View Profile
August 06, 2012, 05:12:03 PM
 #18

1 - the ability to put your key in 2 different geographically separate places to protect them from snooping/theft.  example, I might put one half in my safety deposit box and keep the other half at home, so someone from the bank who happens to gain access to my safety deposit box doesn't get my bitcoins.
That can be done much simpler ways. For example, you can literally separate the key bits in half. You can also generate a random sequence the same length as the key, and store that along with the key XORed with that.

Quote
2 - the ability to have 2 separate machines generate a single key, so even if one or both machines is compromised, the resulting key is not.  (Example: Smartphone + Computer). All that matters is that both machines aren't compromised by the same person or someone with the ability to access both halves.
Any scheme that doesn't involve storing the private key on a single device has this property.


simple and freaking ingenious, Im sold Smiley

edit: pull out a pair of scissors ffs and problem solved Tongue

cbeast
Donator
Legendary
*
Offline Offline

Activity: 1736
Merit: 1006

Let's talk governance, lipstick, and pigs.


View Profile
August 06, 2012, 08:21:45 PM
 #19

With a scheme like this, is it possible to create an interdependence of keys where a community has keys that overlap within and between groups? For instance, an apartment building where everyone needs keys from their next door neighbors with 3 of 5 so either side or two on the same side will do. This would create an interdependent web. If this works, it would make for some interesting banking schemes.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
casascius
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1135


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
August 07, 2012, 01:12:40 AM
 #20

OK, I have baked the M-of-N wallet code into my Casascius Bitcoin Utility, just as a proof of concept.  The M-of-N calc is under "Tools".

Source and binaries are included in this ZIP file.  This is for Windows.

https://www.casascius.com/BtcAddressMN.zip

This won't yet print any M-of-N paper wallets - it will simply produce the M-of-N codes (which you can copy and paste away), and recombine any M of them back into a regular private key (if you copy and paste them back in).  It could probably use a lot of scrutiny and testing, but it seems to work like it should.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!