
Showing 20 of 28 results by bloss
Post
Topic
Board Bitcoin Discussion
Re: Satoshi Nakamoto's P2P foundation profile makes a reply
by
bloss
on 07/03/2014, 02:29:25 UTC
Must get some sleep.    Too exciting to sleep.    Four spaces between sentences for Satoshi!
Post
Topic
Board Bitcoin Discussion
Re: Question about paper wallets.
by
bloss
on 03/03/2014, 20:21:29 UTC
As others have said, www.bitcoinpaperwallet.com is great for having an encrypted Private Key that needs to be unscrambled.

However, if you want a really trustless system, then I would suggest you go to www.bit2factor.org and use the Two-Party Escrow tool. Your friend would use a passphrase that only they know to create an Intermediate Code which they send you.  You would use that Intermediate Code to create an Address, an Encrypted Private Key, and a Confirmation Code, all of which you send back to your friend.  (You can print the Address and Encrypted Private Key on any paper wallet design that is out there.) Your friend can check that the Confirmation Code matches the Address and Encrypted Private Key with their passphrase. Finally, when they want to import their Private Key, they would use their passphrase to decrypt the Encrypted Private Key.
Post
Topic
Board Development & Technical Discussion
Re: What if the wallet was you.
by
bloss
on 21/02/2014, 18:37:50 UTC
This already exists. A brainwallet based on a truly random and memorized 160+ bits of entropy passphrase.
Post
Topic
Board Economics
Re: Goodbye to my iPhone and iPad - Never Again Any Apple Product
by
bloss
on 07/02/2014, 01:54:04 UTC
Macbook already replaced with Pixel Chromebook.
iPhone already replaced with Android phone.
Next week I'm dumping the iPad and replacing it with a Nexus 7.

Apple, it's been nice.  But now you are mean and I don't want to be your friend any more.
Post
Topic
Board Project Development
Re: Alpha release of bitcoinpaperwallet.com with BIP38, QR code scanning, dice, etc.
by
bloss
on 05/02/2014, 21:51:47 UTC
I did some deep testing of generating a bunch of encrypted private keys and compared it to another multi-step process that I know that works.  All results were identical!  Well done!
Post
Topic
Board Bitcoin Discussion
Re: Bitcoins destroyed if unused, to keep bitcoin supply known?
by
bloss
on 30/01/2014, 17:29:48 UTC
And remember, eventually ALL bitcoins will be lost!

Huh I don't understand this comment.
Post
Topic
Board Bitcoin Discussion
Re: Name the 0.0001 BTC unit - Final Poll
by
bloss
on 10/01/2014, 22:01:34 UTC
How about "finn"
Nice and short.
Post
Topic
Board Service Discussion
Re: Coinbase wallet errors? WTF!
by
bloss
on 03/01/2014, 20:58:41 UTC
Are you sure you are not looking at the cold storage transactions?  I had a similar feeling of dread until I realized what was going on.  At the top of the banner, it shows your total account balance, and that should be correct.  The actual addresses and their balances reflect the cold storage situation (I think).
Post
Topic
Board Bitcoin Discussion
Re: Need help understanding proper address usage for a vanity keychain
by
bloss
on 11/12/2013, 22:06:48 UTC
- Your privacy takes a massive hit. Remember all bitcoin transactions are public information. If you reuse the same address over and over again everyone can tell how much money you are receiving and spending.

This aspect does not concern me as much as it should, but I understand the point.

So IMO making a physical QR code is a bad idea if it encourages you to reuse addresses. And don't even think about using an address that belongs to coinbase. There are so many things that could go wrong with that. What are you going to do if coinbase shuts down? Or gets hacked? What if you need to prove ownership of the address by signing a message?

Agreed, this is a risk.  However, I would not plan on keeping much BTC in Coinbase's system -- I would only use it for transactional activity.  The rest I would put in cold storage in paper wallets.  Coinbase does allow proof of ownership by signing a message.  (I have never done it, but I do see that option in the "addresses" screen.)

Thanks
Post
Topic
Board Bitcoin Discussion
Topic OP
Need help understanding proper address usage for a vanity keychain
by
bloss
on 11/12/2013, 14:00:30 UTC
I'm contemplating obtaining a physical bitcoin QR code address such as this idea:
http://imgur.com/a/dHSCB
or this commercially available process:
http://www.plaquemaker.com/Titanium/Titanium-Tags.html

Before I pull the trigger on one of these kinds of solutions, I need to better understand how to use the address correctly.  My understanding is that when BTC is used from an address, then the address should not be used anymore for security reasons.  If that is the case, then using a single address to receive funds is confusing to me.

I prefer to use Coinbase to handle my spending BTCs.  If I use a single address to receive funds within Coinbase, and that money is spent later, will the original address still be safe to use?  Will Coinbase automatically handle that address safety?

Are there any other considerations I should understand before I spend money making a physical QR code address?

Thanks
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 03/12/2013, 18:25:13 UTC
Have you read Gavin's stuff on using sentries?  Look it up if you haven't.

I'm struggling searching this.  Any more hint at specifically what I'm looking for?
Thanks.

As much as we all like to think that we are the only person capable of choosing a particular pattern for selecting information, the fact that a pattern is being used at all is a strong indication that someone else in the world somewhere would come up with the same idea eventually.

Very excellent point.  Well said.
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 03/12/2013, 13:49:27 UTC
Just create a wallet, send 0.001 BTC to it and wait for anyone to crack it ;).

I have already put 0.025 BTC in a brainwallet using a variation of my theme a couple of months ago, and it is still safely there.  I'll monitor it for a while.
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 03/12/2013, 04:11:27 UTC
I appreciate all the good advice from everyone.  I think I will stay away from this approach, even though I still find it hard to believe that anyone would have ever discovered my brainwallet passphrases.

Since I won't be using this technique, I might as well disclose the actual approach I was going to use.  When it is clear how I was obscuring the passphrase, I'd love to get comments with honest thoughts on whether there was a chance that someone would find the passphrase.

First, I only planned on using one chess game (yes, I was using the chess structure).  It was a long game, with lots of moves to work with.  It was Nikolic v. Arsovic in 1989 in Belgrade.  Since I was only going to use this one game for all my passphrases, I only needed to remember a 4-digit PIN for the clue to generate my passphrase.  This allowed me to use memorable PINs in my life as the starting point.

For this example, my PIN is 1110, which means that I will start at move #11, and record 10 moves.  For my first obfuscation, I don't record sequential moves, but rather start at move #11, and index the moves by the Fibonacci sequence.  So, the 10 moves that are recorded are: 11, 13, 16, 21, 29, 42, 63, 97, 152, 241.  I first record the moves alternating white, black, etc.  Then I repeat the moves but do the opposite alternating sequence (black, white, etc.).  That results in the intermediate result:

Rb1g5c5Qe8Ne3Rc3Kg3Rh2Rc2Rd8f5b4g4Kh1Re8Be2Rb6Ke2Kd6Bc4

My final obfuscation is to take the intermediate result, and adjust each character at a Fibonacci position.  If the character is alphabetic, then I change its case.  If it is numeric, I replace the digit with the symbol on the same key of my keyboard.  (i.e. a "3" becomes a "#").  This final obfuscation becomes the final brainwallet passphrase:

rB!g%c5qe8Ne#Rc3Kg3RH2Rc2Rd8f5b4g$Kh1Re8Be2Rb6Ke2Kd6Bc$

It generated a 55 character passphrase which has an apparent 322 bits of entropy.  I realize that this seems so very complicated, but I assure you that it is firmly implanted in my memory.  And I was going to leave very detailed instructions for my family in a TrueCrypt container that they would have access to.

Do you really think anyone would have ever generated this passphrase with a cracking approach?
Post
Topic
Board Bitcoin Discussion
Re: Hey bitcoiner, how OLD are you?
by
bloss
on 01/12/2013, 05:12:51 UTC
52, and only two months into this wild new ride.
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 01/12/2013, 04:25:36 UTC
If you assume that cx-xxxx gives you 75bit then cy-yyyy doesn't add another 75bits since it is the same strategy and the same championships. So you only get entropy from repeating procedure: 2bits + 5 almost random numbers (14bits) + bip38 (20)  = 36bits.

You may be right, but I thought that all combinations of both passphrases would be necessary to break the encrypted private key.  So I would think that the full entropy of both are additive.

In any case, I appreciate all the good input for consideration.  My intuition tells me that if an underlying structure has high enough entropy, and some human convoluted obfuscation is applied, the resulting passphrase output will be safe.  But as you point out, the sophistication of the development of cracking techniques will keep getting better.

My point is that while it is possible to create a safe brainwallet with a human generated obfuscation method, it is a very difficult thing to do. It may be slightly easier to remember, but they require a lot of time to be created. Also, while people can't calculate entropy properly they will never be sure if they created enough of it. Even if you come up with clever and provably safe instructions, most people would just not follow them properly (and the method will no longer be non standard).

Very good points here.  However, our whole bitcoin set of processes and methodologies are quite complex and convoluted in themselves.  My biggest fear is irrevocably losing my few BTCs.  I am very intrigued by encrypted private keys and brainwallets -- so this has been an interesting exploration for me.  Besides my small test, I don't know if I will leverage my approach for real.
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 30/11/2013, 20:44:09 UTC
That is not possible. You have to remember something.
Agreed.  I just want the thing to remember to be easy to remember, and also safe to record openly if necessary.

So to sum up we get ~55 bits of entropy of brain wallet if the attacker knows something about you.
I'm not in agreement with this assessment.  (But you've got me thinking!)

First, a minor part of the disagreement is that if I were to use the chess approach, I would select a much, much more obscure game to use for the passphrase data.  With easily up to a million recorded games, that adds another 20 bits of entropy to my BrainSeed.  And I think there is more obfuscation possible.  But let's say that the BrainSeed has 75 bits of entropy.  In normal BrainWallet cracking efforts, the target is to try derived addresses and check if there is BTC there.  However, here the target is to find a passphrase that has to be used in conjunction with another passphrase.  So really there is another 75 bits of entropy to deal with.  And then the iterative process adds a lot of time delay between each cycle.

Second, my real desire here is to create a Brainwallet passphrase with high enough entropy that the standard cracking efforts won't uncover.  And with BIP38, they would have to crack another high entropy passphrase to get at the encrypted private key.

You've got me thinking hard about how realistic it is to figure out the obscurity of the overall approach.  I guess the real lesson is to make the underlying structure highly obscure.  (I'm quite confident that my own underlying structure is highly obscure.)
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 30/11/2013, 14:21:19 UTC
Why is it not a good idea to use your BrainSeed to directly create the private keys?

One of the objectives is to create encrypted private keys with BIP38, so I need to do the intermediate steps of having private keys to encrypt.

From my limited understanding, I don't see how this physically does anything.

If your would-be attacker has your wallet, chances are he also has your MindHash program that converts your small string into a huge function.
What's stopping him from just brute forcing your MindHash? I understand that this process would take a very long time but I don't see it taking any longer than a multi word bitcoin wallet password, seems a little convoluted.

My other objective was in being able to have nothing recorded anywhere.  I would create a set of encrypted private keys. Then populate the addresses with BTC.  Then delete all traces of everything (except for the address, which I can keep handy to include in a watch list.)  This is a long term cold storage brainwallet.  The only thing I would record in plain sight is a clue to myself about how to recreate everything.  Using the chess example from above, that would be something like: 1) MindHash c1-0308 & c1-0708; 2) Create 50 encrypted PKs.
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 30/11/2013, 05:49:52 UTC
So, to finish the thought and close the loop with the first post:

I use the MindHash process to generate two high-entropy passphrases.  I then use the process in the original post to create a series of encrypted private keys.

Since this can all be created from scratch repeatedly, there is really no reason to have to record anything in hidden ways.  And if you have a catastrophic loss of records, it can all be re-created easily.
Post
Topic
Board Development & Technical Discussion
Re: Pondering a Highly Secure Deterministic Brainwallet
by
bloss
on 30/11/2013, 05:39:03 UTC
kjj,

I don't know the HD Wallet spec.  Is it available in an HTML format like bitaddress.org is to generate keys?  And does it allow for encrypted private keys?

Regarding the passphrase with high entropy.  It is possible to memorize things that large; when I was in high school I could recite 200+ digits of Pi.  But my approach is designed to help me generate the high entropy passphrase reliably without having to memorize things.  I’ve had some folk ask me specifically what I mean by a MindHash.  It is a method of reliably and repeatedly generating the passphrase from a very simple coded seed.  I am not going to share the specific variant that I personally use since that would render my private keys (possibly) discoverable, but I will share with you a completely different example that is in the same general spirit of my process.

It starts with something that you are very familiar with that already has a high level of complexity to build from.  This “something” is the underlying structure that has some high degree of complexity, and it is also something you are aware of and know how to easily access.  You then do some manipulation of the information you have to create the passphrase.  You also encode what you need to know to recreate it.  This final encoded clue is what I call the BrainSeed.  From the simple BrainSeed, you can recreate the complex passphrase.

For this example, the simple BrainSeed that you have to remember is:

c1-0520

That simple BrainSeed reliably generates this passphrase:
Nf3Be2H30-0Be3cxD4a3Nc3NB5Ne5!QxE2Rac1BG5Bxf6NC4!Nxb6!RFd1Qe3!d5!rxd5

It is a 69-character passphrase with an apparent 452 bits of entropy.  
All this from a BrainSeed of c1-0520.

So how does this convoluted MindHash work?  I’ll tell you.  “c1” represents my favorite chess match, which happens to be Game 1 of Deep Blue versus Kasparov in 1996.  “05” means to start at Move 5 of that game, and “20” means to record the next 20 Moves.  I just record the moves in standard chess notation.  This example MindHash also only records the White moves.  And one further convolution is that the “05” also instructs me to change the case of every 5th alphabetic character.  (Every 5th character becomes upper-case if it is already lower-case, and it becomes lower-case if it is already upper-case.)

So, as another example from the same game, a code of c1-0710 would generate this passphrase:
h30-0Be3cxd4A3Nc3Nb5Ne5!qxe2Rac1

It is a 32-character passphrase with an apparent 209 bits of entropy.

In the example, the only reason for “c1” is in case you may want to generate other passphrases from other favorite chess games, such as c2 or c3, etc.  However, if you only want to use one game and will always remember that your MindHash is always using c1, you can just use a 4-digit PIN to create a repeatable high entropy passphrase. So, “1209” becomes: Nc3Nb5Ne5!Qxe2RaC1Bg5Bxf6Nc4!Nxb6!

There you have it.  Sorry if I have messed up the chess usage for the underlying structure.  However, if you still like the chess starting point, you can convolute the MindHash however you want, as long as you can remember it.

I still am interested in hearing feedback on the overall process of generating encrypted deterministic brainwallets.

Edit: Spelling error
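
The MindHash procedure from the post above, written out as an added example (not part of the original post and not the poster's code), with the length-based "apparent" entropy set beside the number of bits in the seed that actually determines the passphrase. Assumptions: the move list is recovered from the passphrases quoted in the post, the 94-character alphabet is a guess that reproduces the post's figures, and `seed_bits` assumes the method is known, as the replies in the thread do.

```python
import math

# White's moves 5-24 of the game named in the post, recovered from the
# passphrases shown there with the case changes undone. Index 0 is move 5.
WHITE_MOVES_FROM_5 = ("Nf3 Be2 h3 0-0 Be3 cxd4 a3 Nc3 Nb5 Ne5! Qxe2 Rac1 "
                      "Bg5 Bxf6 Nc4! Nxb6! Rfd1 Qe3! d5! Rxd5").split()
FIRST_MOVE = 5


def mindhash(seed: str) -> str:
    """Derive the passphrase for a seed like 'c1-0520' or a bare PIN '1209'."""
    pin = seed.split("-")[-1]              # drop the optional game tag
    start, count = int(pin[:2]), int(pin[2:])
    offset = start - FIRST_MOVE
    if offset < 0 or count < 1 or offset + count > len(WHITE_MOVES_FROM_5):
        raise ValueError("seed points outside the embedded move list")
    out, letters = [], 0
    for ch in "".join(WHITE_MOVES_FROM_5[offset:offset + count]):
        if ch.isalpha():
            letters += 1
            if letters % start == 0:       # every start-th letter flips case
                ch = ch.swapcase()
        out.append(ch)
    return "".join(out)


def apparent_bits(passphrase: str, alphabet: int = 94) -> float:
    """Length-based estimate: treats every character as a uniform pick.

    alphabet=94 (printable ASCII) is an assumption; truncated, it gives
    the 452 and 209 bit figures quoted in the post.
    """
    return len(passphrase) * math.log2(alphabet)


def seed_bits(games: int, pins: int = 10_000) -> float:
    """Upper bound once the method is known: log2 of the number of seeds.

    pins=10_000 counts every 4-digit PIN; fewer are valid for a real game.
    """
    return math.log2(games * pins)


if __name__ == "__main__":
    for seed in ("c1-0520", "c1-0710", "1209"):
        p = mindhash(seed)
        print(f"{seed:8} {len(p):2} chars, apparent {int(apparent_bits(p))} bits: {p}")
    print(f"seed, one known game:      {seed_bits(1):.1f} bits")
    print(f"seed, one game of 1000000: {seed_bits(1_000_000):.1f} bits")
```

Because the derivation is deterministic, the passphrase can carry no more entropy than the seed that selects it, however long the output string is.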
Post
Topic
Board Economics
Re: Is it possible that bitcoin will become unaffordable to use for micropayments?
by
bloss
on 30/11/2013, 04:06:34 UTC
The transaction fee is 0.001 BTC at MtGox.  It is near the end of the press release.
https://www.mtgox.com/press_release_20131120.html