casascius (Mike Caldwell) | VIP, Legendary | Activity: 1386 | Merit: 1062
20 BTC bounty: Javascript implementation of BIP 38 [claimed]
January 15, 2013, 06:17:09 PM

Last edit: January 15, 2014, 04:02:15 AM by casascius #1



I would like to offer a 20 BTC bounty for the following: a Javascript implementation of BIP 38 private key decryption, released with an open source license, so anybody can use it on their own web sites.

BIP 38: https://en.bitcoin.it/wiki/BIP_0038

I have already written functioning reference code in C#, the flow can be taken verbatim, you may freely take or incorporate any part of the code. This code will run under Windows .NET, as well as under Linux and Mac OS X using Mono. Although the ability to create intermediate codes and addresses would be nice and won't be much work beyond the decryption part, the bounty can be collected in full with just the ability to decrypt all variants of BIP38-encrypted private key.

That reference code I wrote: https://github.com/casascius/Bitcoin-Address-Utility

The UI can be minimal, just two text boxes, one to take the private key and the other to take the passphrase. When you click a button, the page should either decrypt the private key into some element on the screen, or report that the encrypted private key is invalid (e.g. fails base58 checksum or formatting rules), or that the passphrase is incorrect (if the key is well-formatted but the decryption with the provided passphrase fails to produce a bitcoin address matching the embedded address checksum).

I actually anticipate that this won't be too difficult, and would do it myself other than I think it'll get done sooner if I post a bounty.

The winning solution needs to properly handle the compressed private key flag, as well as the variants of encryption that include and exclude the elliptic curve multiplication step as well as the flag that turns on the presence of a sequence number.

If I were doing it, I'd probably start with much of the code and/or the same dependencies that are used in bitaddress.org, so the basics of handling bitcoin addresses, private keys, base58, elliptic curve points, etc. are already taken care of. Add scrypt and AES, and perhaps support for decompressing EC points if that's not already there.

The GOAL is so that others who currently accept unencrypted private keys, can easily switch to accepting encrypted private keys as well, just by dropping in a couple of .js files and letting the client browser do all the decryption.

Signature: Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable. I never believe them. If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins. I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion. Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice. Don't keep coins online. Use paper or hardware wallets instead.

bitvientiane | Newbie | Activity: 44 | Merit: 0
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 16, 2013, 01:16:49 PM #3

Quote: the bounty can be collected in full with just the ability to decrypt any variant of BIP38-encrypted private key.

Quote: The winning solution needs to properly handle the compressed private key flag, as well as the variants of encryption that include and exclude the elliptic curve multiplication step as well as the flag that turns on the presence of a sequence number.

The second section seems to imply you meant every instead of any, right?

bitvientiane | Newbie | Activity: 44 | Merit: 0
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 16, 2013, 02:16:39 PM #5

Quote: here maybe, but it looks like it needs some work: https://github.com/cheongwy/node-scrypt-js

That one only works for node and uses a lot of external modules. I'm trying to follow the coding style and let it work in the browser but it doesn't look too hopeful with my coding skills.

casascius (Mike Caldwell) | VIP, Legendary | Activity: 1386 | Merit: 1062
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 16, 2013, 02:17:21 PM #6

Yes, decryption of every mode must be supported. Clarified OP.

In practice, I don't imagine that being the hardest part, especially if you are following my C# code as a template.

bitvientiane | Newbie | Activity: 44 | Merit: 0
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 17, 2013, 07:16:08 AM #9

Can someone provide the ownersalt used for these test vectors? It appears to be missing or I'm misunderstanding something. I need to test the process until the intermediate code.



EC multiply, no compression

Test 1:

Passphrase: TestingOneTwoThree

Passphrase code: passphrasepxFy57B9v8HtUsszJYKReoNDV6VHjUSGt8EVJmux9n1J3Ltf1gRxyDGXqnf9qm

Encrypted key: 6PfQu77ygVyJLZjfvMLyhLMQbYnu5uguoJJ4kMCLqWwPEdfpwANVS76gTX

Bitcoin address: 1PE6TQi6HTVNz5DLwB1LcpMBALubfuN2z2

Unencrypted private key (WIF): 5K4caxezwjGCGfnoPTZ8tMcJBLB7Jvyjv4xxeacadhq8nLisLR2

Unencrypted private key (hex): A43A940577F4E97F5C4D39EB14FF083A98187C64EA7C99EF7CE460833959A519

Test 2:

Passphrase: Satoshi

Passphrase code: passphraseoRDGAXTWzbp72eVbtUDdn1rwpgPUGjNZEc6CGBo8i5EC1FPW8wcnLdq4ThKzAS

Encrypted key: 6PfLGnQs6VZnrNpmVKfjotbnQuaJK4KZoPFrAjx1JMJUa1Ft8gnf5WxfKd

Bitcoin address: 1CqzrtZC6mXSAhoxtFwVjz8LtwLJjDYU3V

Unencrypted private key (WIF): 5KJ51SgxWaAYR13zd9ReMhJpwrcX47xTJh2D3fGPG9CM8vkv5sH

Unencrypted private key (hex): C2C8036DF268F498099350718C4A3EF3984D2BE84618C2650F5171DCC5EB660A

paybitcoin | Member | Activity: 85 | Merit: 10
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 17, 2013, 08:31:09 AM #10

The ownersalt is encoded plaintext in the encrypted key and is handled like an IV. Casascius changed BIP 38 since I last looked at it (boo!) and now it seems to be called ownerentropy (which can be 8 random bytes or derived from a 4-byte random number + lot and sequence #.)

Encrypted Key = base58(0x01 0x43 + flagbyte (1 byte) + addresshash (4 bytes) + ownerentropy (8 bytes) + encryptedpart1[0...7] (8 bytes) + encryptedpart2 (8 bytes)).

Actually looking further into the spec it seems like my BIP 38 cracker is now incompatible with the spec with the addition of prefactor and hashing it with ownersalt to get passfactor.
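The key layout described in the post above, together with the "invalid key" cases from the bounty description (bad base58, bad checksum, bad format), as an added example that is not code from the thread or from any BIP 38 implementation. The function names are illustrative; the prefix bytes 0x42/0x43, the flag bits 0x20 and 0x04, the 39-byte payload and the lot * 4096 + sequence packing are taken from the BIP 38 specification rather than from this thread, and Node.js's built-in crypto module is assumed.

```javascript
// Added example, not code from the thread; offsets and flag bits per the BIP 38 spec.
const { createHash } = require("crypto");
const ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz";
const sha256d = (b) =>
  createHash("sha256").update(createHash("sha256").update(b).digest()).digest();

// Base58 string -> Buffer; throws on characters outside the alphabet.
function base58Decode(str) {
  let n = 0n;
  for (const ch of str) {
    const v = ALPHABET.indexOf(ch);
    if (v < 0) throw new Error("invalid base58 character");
    n = n * 58n + BigInt(v);
  }
  let hex = n === 0n ? "" : n.toString(16);
  if (hex.length % 2) hex = "0" + hex;
  const zeros = str.match(/^1*/)[0].length; // each leading '1' encodes a 0x00 byte
  return Buffer.concat([Buffer.alloc(zeros), Buffer.from(hex, "hex")]);
}

// addresshash field: first 4 bytes of SHA256(SHA256(address as ASCII)).
const addressHash = (addr) => sha256d(Buffer.from(addr, "ascii")).subarray(0, 4).toString("hex");

function parseBip38(encrypted) {
  const raw = base58Decode(encrypted);
  if (raw.length !== 43) throw new Error("invalid length"); // 39-byte payload + 4-byte checksum
  const payload = raw.subarray(0, 39);
  if (!sha256d(payload).subarray(0, 4).equals(raw.subarray(39))) throw new Error("invalid checksum");
  if (payload[0] !== 0x01 || (payload[1] !== 0x42 && payload[1] !== 0x43))
    throw new Error("invalid prefix");
  const flag = payload[2];
  const ecMultiply = payload[1] === 0x43; // 0x42 = variant without EC multiplication
  const out = {
    ecMultiply,
    compressed: (flag & 0x20) !== 0,
    hasLotSequence: ecMultiply && (flag & 0x04) !== 0,
    addresshash: payload.subarray(3, 7).toString("hex"),
  };
  if (ecMultiply) {
    out.ownerentropy = payload.subarray(7, 15).toString("hex"); // stored in the clear
    if (out.hasLotSequence) {
      const lotseq = payload.readUInt32BE(11); // lot * 4096 + sequence, big-endian
      out.ownersalt = payload.subarray(7, 11).toString("hex");
      out.lot = lotseq >>> 12;
      out.sequence = lotseq & 0xfff;
    }
  }
  return out;
}
```

Run against the encrypted keys posted in this thread, `parseBip38()` returns the ownerentropy that sits unencrypted inside each key, and `addressHash()` of the posted Bitcoin address can be compared with the returned `addresshash`.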

casascius (Mike Caldwell) | VIP, Legendary | Activity: 1386 | Merit: 1062
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 17, 2013, 02:14:27 PM #12

The test vectors are still valid.

I did make a recent change but then required both modes to be supported. A bit flag enables that change. It allows someone ordering a batch of paper wallets to ensure his intermediate codes aren't reused by building a batch (lot) and sequence number into the salt. Meanwhile the sha256 step allows the sequence number to be incremented without repeating the scrypt - essential for mobile phone performance generating a batch of codes.

The test vectors don't have that flag but I will add one with the flag when I get a chance.

casascius (Mike Caldwell) | VIP, Legendary | Activity: 1386 | Merit: 1062
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 19, 2013, 11:30:47 PM #14

Here is a test vector for the version with the lot and sequence number. The Wiki seems to be down otherwise I'd update it. The Greek characters should also help test for support of UTF-8, which I intend to specify as the required encoding for non-ASCII characters.



Passphrase: MOΛΩN ΛABE

Intermediate code: passphrased3z9rQJHSyBkNBwTRPkUGNVEVrUAcfAXDyRU1V28ie6hNFbqDwbFBvsTK7yWVK

Encrypted private key: 6PgGWtx25kUg8QWvwuJAgorN6k9FbE25rv5dMRwu5SKMnfpfVe5mar2ngH

Private key hex: CA2759AA4ADB0F96C414F36ABEB8DB59342985BE9FA50FAAC228C8E7D90E3006

Unencrypted private key (WIF): 5KMKKuUmAkiNbA3DazMQiLfDq47qs8MAEThm4yL8R2PhV1ov33D

Bitcoin address: 1Lurmih3KruL4xDB5FmHof38yawNtP9oGf

Confirmation code: cfrm38V8G4qq2ywYEFfWLD5Cc6msj9UwsG2Mj4Z6QdGJAFQpdatZLavkgRd1i4iBMdRngDqDs51

casascius (Mike Caldwell) | VIP, Legendary | Activity: 1386 | Merit: 1062
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 20, 2013, 05:20:05 AM #16

I added two test vectors to the wiki page.

I wouldn't worry so much if N=1048576 fails due to resource constraints, it won't be used.

scintill | Sr. Member | Activity: 448 | Merit: 250
Re: 20 BTC bounty: Javascript implementation of BIP 38
January 20, 2013, 08:29:04 PM #17

Quote from: bitvientiane on January 20, 2013, 03:04:17 AM: Crashes for me too. I think I could possibly get it to work but I'm not going to bother since the BIP38 stuff works. How far along are you on the whole thing?

I think I'm done now. I implemented the lot/sequence number last night, and just sent Casascius the link to my latest code. Something I maybe should have mentioned to him, is that the performance in Firefox is pretty bad (3x slower than Chrome.) I'm not sure if the JS engine is just that much worse, or if I'm doing something dumb that's slowing me down. So maybe performance could use some work, but all test cases are passing.

1SCiN5kqkAbxxwesKMsH9GvyWnWP5YK2W | donations