Passphrase-protected private key
A method is proposed for encrypting and encoding a passphrase-protected Bitcoin private key record in the form of a 58-character Base58Check-encoded printable string. Encrypted private key records are intended for use on paper wallets and physical Bitcoins.
Each record string contains all the information needed to reconstitute the private key except for a passphrase, and the methodology uses salting and scrypt to resist brute-force attacks. The method provides two encoding methodologies: one permitting any known private key to be encrypted with any passphrase, and another permitting a shared private key generation scheme in which the party generating the final key string and its associated Bitcoin address (such as a physical bitcoin manufacturer) knows only a string derived from the original passphrase, and in which the original passphrase is needed in order to actually redeem funds sent to the associated Bitcoin address.
A 32-bit hash of the resulting Bitcoin address is encoded in plaintext within each encrypted key, so it can be correlated to a Bitcoin address with reasonable probability by someone not knowing the passphrase.
The complete Bitcoin address can be derived through successful decryption of the key record. The motivation to make this proposal stems from observations of how physical bitcoins and paper wallets are used. An issuer of physical bitcoins must be trustworthy and trusted. Even if trustworthy, users are right to be skeptical about a third party with theoretical access to take their funds.
A physical bitcoin that cannot be compromised by its issuer is always more intrinsically valuable than one that can. A two-factor physical bitcoin solution is highly useful to individuals and organizations wishing to securely own bitcoins without any risk of electronic theft and without the responsibility of climbing the technological learning curve necessary to produce such a solution themselves.
Two-factor physical bitcoins allow a secure storage solution to be put in a box and sold on the open market, greatly enlarging the number of people who are able to securely store bitcoins.
Existing methodologies for creating two-factor physical bitcoins are limited and cumbersome. At the time of this proposal, a user could create their own private key, submit the public key to the physical bitcoin issuer, and then receive a physical bitcoin that must be kept together with some sort of record of the user-generated private key, and finally, must be redeemed through a tool.
The fact that the physical bitcoin must be kept together with a user-produced private key negates much of the benefit of the physical bitcoin: the user may as well just print and store a private key. A standardized password-protected private key format makes acquiring and redeeming two-factor physical bitcoins simpler for the user. Instead of maintaining a private key that cannot be memorized, the user can choose a passphrase of their choice.
The passphrase may be much shorter than the length of a typical private key, short enough that they could use a label or engraver to permanently commit their passphrase to their physical Bitcoin piece once they have received it.
By adopting a standard way to encrypt a private key, we maximize the possibility that users will be able to redeem their funds in the venue of their choice, rather than relying on an executable redemption tool they may not wish to download. Password- and passphrase-protected private keys enable new practical use cases for sending bitcoins from person to person. Someone wanting to send bitcoins through postal mail could send a password-protected paper wallet and give the recipient the passphrase over the phone or e-mail, making the transfer safe from interception of either channel alone.
A user of paper wallets or Bitcoin banknote-style vouchers ("cash") could carry funded encrypted private keys while leaving a copy at home as an element of protection against accidental loss or theft. A user of paper wallets who leaves bitcoins in a bank vault or safety deposit box could keep the password at home or share it with trusted associates as protection against someone at the bank gaining access to the paper wallets and spending from them.
The foreseeable and unforeseeable use cases for password-protected private keys are numerous. It is proposed that the resulting Base58Check-encoded string start with a '6'. The number '6' is intended to represent, from the perspective of the user, "a private key that needs something else to be usable", an umbrella definition that could be understood in the future to include keys participating in multisig transactions, and was chosen with deference to the existing prefix '5' most commonly observed in Wallet Import Format, which denotes an unencrypted private key.
It is proposed that the second character ought to give a hint as to what is needed as a second factor, and for an encrypted key requiring a passphrase, the uppercase letter P is proposed. To keep the size of the encrypted key down, no initialization vectors (IVs) are used in the AES encryption.
Rather, suitable values for IV-like use are derived using scrypt from the passphrase and from a 32-bit hash of the resulting Bitcoin address, which serves as the salt. Encrypting a private key without the EC multiplication offers the advantage that any known private key can be encrypted. The party performing the encryption must know the passphrase. The encrypted private key is the Base58Check-encoded concatenation of the following, which totals 39 bytes without the Base58 checksum:
Encrypting a private key with EC multiplication offers the ability for someone to generate encrypted keys knowing only an EC point derived from the original passphrase and some salt generated by the passphrase's owner, and without knowing the passphrase itself. Only the person who knows the original passphrase can decrypt the private key. A code known as an intermediate code conveys the information needed to generate such a key without knowledge of the passphrase. This methodology does not offer the ability to encrypt a known private key - this means that the process of creating encrypted keys is also the process of generating new addresses.
On the other hand, this serves a security benefit for someone possessing an address generated this way. The person who knows the passphrase and who is the intended beneficiary of the private keys is called owner. He will generate one or more "intermediate codes", which are the first factor of a two-factor redemption system, and will give them to someone else we'll call printer, who generates a key pair with an intermediate code. Printer can know the address and encrypted private key, but cannot decrypt the private key without the original passphrase.
An intermediate code should, but is not required to, embed a printable "lot" and "sequence" number for the benefit of the user. The proposal forces these lot and sequence numbers to be included in any valid private keys generated from them.
An owner who has requested multiple private keys to be generated for him will be advised by applications to ensure that each private key has a unique lot and sequence number consistent with the intermediate codes he generated. The "lot" and "sequence" numbers are combined into a single 32-bit number. For programs that generate batches of intermediate codes for an owner, it is recommended that lot numbers be chosen at random within the range and that sequence numbers are assigned starting with 1.
Steps performed by owner to generate a single intermediate code, if lot and sequence numbers are being included:

If lot and sequence numbers are not being included, then follow the same procedure with the following changes:

The party generating the Bitcoin address has the option to return a confirmation code back to owner, which allows owner to independently verify that he has been given a Bitcoin address that actually depends on his passphrase, and to confirm the lot and sequence numbers if applicable.
This protects owner from being given a Bitcoin address by the second party that is unrelated to the key derivation and possibly spendable by the second party. If a Bitcoin address given to owner can be successfully regenerated through the confirmation process, owner can be reasonably assured that any spending without the passphrase is infeasible. The confirmation code is 75 characters starting with "cfrm38".
To generate it, we need flagbyte, ownerentropy, factorb, derivedhalf1 and derivedhalf2 from the original encryption operation. A confirmation tool, given a passphrase and a confirmation code, can recalculate the address, verify the address hash, and then assert the following:

Backwards compatibility is minimally applicable since this is a new standard that at most extends Wallet Import Format.
It is assumed that an entry point for private key data may also accept existing formats of private keys (such as hexadecimal and Wallet Import Format); this draft uses a key format that cannot be mistaken for any existing one and preserves auto-detection capabilities. If this proposal is accepted into alt-chains, it is requested that the unused flag bytes not be used for denoting that the key belongs to an alt-chain. Alt-chain implementers should use the address hash for this purpose.
Since each operation in this proposal involves hashing a text representation of a coin address, which for Bitcoin includes the leading '1', an alt-chain can easily be denoted simply by using the alt-chain's preferred format for representing an address.
Alt-chain implementers may also change the prefix such that encrypted addresses do not start with "6P". This proposal leaves the scrypt parameters up in the air. The following items are proposed for consideration: The main goal of scrypt is to reduce the feasibility of brute force attacks. It must be assumed that an attacker will be able to use an efficient implementation of scrypt.
The parameters should force even a highly efficient implementation of scrypt to wait a decent amount of time, to slow attacks. On the other hand, an unavoidably likely place where scrypt will be implemented is in slow interpreted languages such as javascript.
What might take milliseconds on an efficient scrypt implementation may take seconds in javascript. It is believed, however, that someone using a javascript implementation is probably dealing with codes by hand, one at a time, rather than generating or processing large batches of codes. Thus, a wait time of several seconds is acceptable to a user. A private key redemption process that forces a server to consume several seconds of CPU time would discourage implementation by the server owner, because they would be opening up a denial of service avenue by inviting users to make numerous attempts to invoke the redemption process.
However, it's also feasible for the server owner to implement his redemption process in such a way that the decryption is done by the user's browser, offloading the task from his own server and providing another reason why the chosen scrypt parameters should be tolerant of javascript-based decryptors.
Title: Passphrase-protected private key
Status: Draft (some confusion applies: the announcements for this never made it to the list, so it hasn't had public discussion)
This page was last edited on 24 October.