<?xml version="1.0"?>
<feed xmlns="http://www.w3.org/2005/Atom" xml:lang="en">
	<id>https://en.bitcoin.it/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=T+X</id>
	<title>Bitcoin Wiki - User contributions [en]</title>
	<link rel="self" type="application/atom+xml" href="https://en.bitcoin.it/w/api.php?action=feedcontributions&amp;feedformat=atom&amp;user=T+X"/>
	<link rel="alternate" type="text/html" href="https://en.bitcoin.it/wiki/Special:Contributions/T_X"/>
	<updated>2026-07-01T13:01:29Z</updated>
	<subtitle>User contributions</subtitle>
	<generator>MediaWiki 1.43.8</generator>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=20073</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=20073"/>
		<updated>2011-11-27T20:03:04Z</updated>

		<summary type="html">&lt;p&gt;T X: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The original private key has 256bits of entropy, not 160, hasn&#039;t it? (I don&#039;t know why the current wiki page compares it with 160 bits) --[[User:T X|T X]] 20:03, 27 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Purpose of appending the &#039;?&#039; for determining algorithm? =&lt;br /&gt;
&lt;br /&gt;
At first I was wondering why this should be appended, why not just checking the first byte of SHA256 of the minikey as is. The reason I now could think of is that you don&#039;t want someone to be able to tell whether a bitcoin private key was generated from a minikey. Is that a good or a bad thing? Is that the main reason? Are there any other reasons? Maybe such reasons should be explained on the wiki page? --[[User:T X|T X]] 16:32, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be: Adding a Reserved Minikey Version Character? &lt;br /&gt;
&lt;br /&gt;
:: --[[User:T X|T X]] 04:19, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
::: Hm, after some more thoughts, I think I might be able to partially answer this to myself: If I were receiving a minikey from an untrusted/unknown party, the minikey is pretty much worthless anyway due to not being able to verify that it is a valid minikey until getting access to a computer. As you said before, if it is a known, public party then I can usually get information probably somewhere online about the used algorithm at any time. If it is a trusted but non-public party I want to get a minikey from then the my trusting that the other party chose a good minikey algorithm is marginal compared to my already given trust in the other party that they have generated a valid minikey in general.&lt;br /&gt;
&lt;br /&gt;
::: Now there&#039;s just one scenario left I can come up with: I might have obtained lots of minikeys from trusted, non-public parties which I had all put in my piggy bank at home. Now, five years later some issues came up with certain minikey algorithms which suggests anyone having such minikeys to redeem the value as soon as possible. If only about 5% of the minikeys in my piggy bank were using the broken minikey algorithm, I&#039;d still have to copy and check all of them on my computer.&lt;br /&gt;
&lt;br /&gt;
::: Maybe the conclusion could be that you shouldn&#039;t save &#039;anonymous&#039; minikeys (if any due to the lower entropy). Don&#039;t know. --[[User:T X|T X]] 15:25, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
== HMAC-SHA1 or HMAC-SHA256? ==&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses]. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
== Use exponential rounds encoding ==&lt;br /&gt;
&lt;br /&gt;
With the values from 0x0128 to 0x01FF being reserved about another 7.75 Bits (log2 (0xFF - 0x27)) of entropy would be lost. I don&#039;t think that for instance very similar number of rounds are needed. Instead the number of rounds could be encoded exponentially and reserved in less bits. For instance:&lt;br /&gt;
&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0100 -&amp;gt; 4096 rounds&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0101 -&amp;gt; 8192&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0102 -&amp;gt; 16384&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0103 -&amp;gt; 32768&lt;br /&gt;
&lt;br /&gt;
This would only remove about 2 instead of the 7.75Bits of entropy. --[[User:T X|T X]] 16:11, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19983</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19983"/>
		<updated>2011-11-26T16:32:02Z</updated>

		<summary type="html">&lt;p&gt;T X: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Purpose of appending the &#039;?&#039; for determining algorithm? =&lt;br /&gt;
&lt;br /&gt;
At first I was wondering why this should be appended, why not just checking the first byte of SHA256 of the minikey as is. The reason I now could think of is that you don&#039;t want someone to be able to tell whether a bitcoin private key was generated from a minikey. Is that a good or a bad thing? Is that the main reason? Are there any other reasons? Maybe such reasons should be explained on the wiki page? --[[User:T X|T X]] 16:32, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be: Adding a Reserved Minikey Version Character? &lt;br /&gt;
&lt;br /&gt;
:: --[[User:T X|T X]] 04:19, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
::: Hm, after some more thoughts, I think I might be able to partially answer this to myself: If I were receiving a minikey from an untrusted/unknown party, the minikey is pretty much worthless anyway due to not being able to verify that it is a valid minikey until getting access to a computer. As you said before, if it is a known, public party then I can usually get information probably somewhere online about the used algorithm at any time. If it is a trusted but non-public party I want to get a minikey from then the my trusting that the other party chose a good minikey algorithm is marginal compared to my already given trust in the other party that they have generated a valid minikey in general.&lt;br /&gt;
&lt;br /&gt;
::: Now there&#039;s just one scenario left I can come up with: I might have obtained lots of minikeys from trusted, non-public parties which I had all put in my piggy bank at home. Now, five years later some issues came up with certain minikey algorithms which suggests anyone having such minikeys to redeem the value as soon as possible. If only about 5% of the minikeys in my piggy bank were using the broken minikey algorithm, I&#039;d still have to copy and check all of them on my computer.&lt;br /&gt;
&lt;br /&gt;
::: Maybe the conclusion could be that you shouldn&#039;t save &#039;anonymous&#039; minikeys (if any due to the lower entropy). Don&#039;t know. --[[User:T X|T X]] 15:25, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
== HMAC-SHA1 or HMAC-SHA256? ==&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses]. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
== Use exponential rounds encoding ==&lt;br /&gt;
&lt;br /&gt;
With the values from 0x0128 to 0x01FF being reserved about another 7.75 Bits (log2 (0xFF - 0x27)) of entropy would be lost. I don&#039;t think that for instance very similar number of rounds are needed. Instead the number of rounds could be encoded exponentially and reserved in less bits. For instance:&lt;br /&gt;
&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0100 -&amp;gt; 4096 rounds&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0101 -&amp;gt; 8192&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0102 -&amp;gt; 16384&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0103 -&amp;gt; 32768&lt;br /&gt;
&lt;br /&gt;
This would only remove about 2 instead of the 7.75Bits of entropy. --[[User:T X|T X]] 16:11, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19982</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19982"/>
		<updated>2011-11-26T16:11:18Z</updated>

		<summary type="html">&lt;p&gt;T X: /* PBKDF2 */ suggestion to only lose ~2 instead of ~7.75 bits for PBKDF2 compared to SHA256&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be: Adding a Reserved Minikey Version Character? &lt;br /&gt;
&lt;br /&gt;
:: --[[User:T X|T X]] 04:19, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
::: Hm, after some more thoughts, I think I might be able to partially answer this to myself: If I were receiving a minikey from an untrusted/unknown party, the minikey is pretty much worthless anyway due to not being able to verify that it is a valid minikey until getting access to a computer. As you said before, if it is a known, public party then I can usually get information probably somewhere online about the used algorithm at any time. If it is a trusted but non-public party I want to get a minikey from then the my trusting that the other party chose a good minikey algorithm is marginal compared to my already given trust in the other party that they have generated a valid minikey in general.&lt;br /&gt;
&lt;br /&gt;
::: Now there&#039;s just one scenario left I can come up with: I might have obtained lots of minikeys from trusted, non-public parties which I had all put in my piggy bank at home. Now, five years later some issues came up with certain minikey algorithms which suggests anyone having such minikeys to redeem the value as soon as possible. If only about 5% of the minikeys in my piggy bank were using the broken minikey algorithm, I&#039;d still have to copy and check all of them on my computer.&lt;br /&gt;
&lt;br /&gt;
::: Maybe the conclusion could be that you shouldn&#039;t save &#039;anonymous&#039; minikeys (if any due to the lower entropy). Don&#039;t know. --[[User:T X|T X]] 15:25, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
== HMAC-SHA1 or HMAC-SHA256? ==&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses]. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
== Use exponential rounds encoding ==&lt;br /&gt;
&lt;br /&gt;
With the values from 0x0128 to 0x01FF being reserved about another 7.75 Bits (log2 (0xFF - 0x27)) of entropy would be lost. I don&#039;t think that for instance very similar number of rounds are needed. Instead the number of rounds could be encoded exponentially and reserved in less bits. For instance:&lt;br /&gt;
&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0100 -&amp;gt; 4096 rounds&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0101 -&amp;gt; 8192&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0102 -&amp;gt; 16384&lt;br /&gt;
* (SHA256 &amp;amp; 0xFF03) == 0x0103 -&amp;gt; 32768&lt;br /&gt;
&lt;br /&gt;
This would only remove about 2 instead of the 7.75Bits of entropy. --[[User:T X|T X]] 16:11, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19975</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19975"/>
		<updated>2011-11-26T15:25:10Z</updated>

		<summary type="html">&lt;p&gt;T X: /* Terminology */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be: Adding a Reserved Minikey Version Character? &lt;br /&gt;
&lt;br /&gt;
:: --[[User:T X|T X]] 04:19, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
::: Hm, after some more thoughts, I think I might be able to partially answer this to myself: If I were receiving a minikey from an untrusted/unknown party, the minikey is pretty much worthless anyway due to not being able to verify that it is a valid minikey until getting access to a computer. As you said before, if it is a known, public party then I can usually get information probably somewhere online about the used algorithm at any time. If it is a trusted but non-public party I want to get a minikey from then the my trusting that the other party chose a good minikey algorithm is marginal compared to my already given trust in the other party that they have generated a valid minikey in general.&lt;br /&gt;
&lt;br /&gt;
::: Now there&#039;s just one scenario left I can come up with: I might have obtained lots of minikeys from trusted, non-public parties which I had all put in my piggy bank at home. Now, five years later some issues came up with certain minikey algorithms which suggests anyone having such minikeys to redeem the value as soon as possible. If only about 5% of the minikeys in my piggy bank were using the broken minikey algorithm, I&#039;d still have to copy and check all of them on my computer.&lt;br /&gt;
&lt;br /&gt;
::: Maybe the conclusion could be that you shouldn&#039;t save &#039;anonymous&#039; minikeys (if any due to the lower entropy). Don&#039;t know. --[[User:T X|T X]] 15:25, 26 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses]. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19906</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19906"/>
		<updated>2011-11-25T04:21:20Z</updated>

		<summary type="html">&lt;p&gt;T X: /* Terminology */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be: Adding a Reserved Minikey Version Character? &lt;br /&gt;
&lt;br /&gt;
:: --[[User:T X|T X]] 04:19, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses]. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19905</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19905"/>
		<updated>2011-11-25T04:19:19Z</updated>

		<summary type="html">&lt;p&gt;T X: /* Terminology */  adding signature&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be: --[[User:T X|T X]] 04:19, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses]. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19904</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19904"/>
		<updated>2011-11-25T04:18:39Z</updated>

		<summary type="html">&lt;p&gt;T X: /* PBKDF2 */  adding signature&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be:&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses]. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19903</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19903"/>
		<updated>2011-11-25T04:18:10Z</updated>

		<summary type="html">&lt;p&gt;T X: adding some more thoughts/comments/replies/considerations&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, if a fault in 22-char sha256 keys were to be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: True, that could easily be done through the thing that embeds the minikey if this embedding thing is a fixed product version (like the casacius coins). But what if only the minikey is available without a recognisable product(which could probably easily happen if this format were widely adopted)?&lt;br /&gt;
&lt;br /&gt;
:: But on second thought, even if having two minikey names this problem would still exist. Someone could still just print either minikey version and the user will not know which one that is without doing the first two decoding steps on a computer. So another thought would be:&lt;br /&gt;
&lt;br /&gt;
= Adding a Reserved Minikey Version Character? =&lt;br /&gt;
&lt;br /&gt;
What do you think about sacrificing another character to visibly allow knowing the chosen algorithm of this minikey? E.g. the first &#039;S&#039; will still show that it&#039;s a minikey, but the second letter could note the selected algorithm (for instance &#039;0&#039; for sha256, &#039;1&#039; for PBKDF2-SHA256).&lt;br /&gt;
&lt;br /&gt;
Advantages:&lt;br /&gt;
* Selected algorithm visibility / minikey &#039;strength&#039; visibility&lt;br /&gt;
* Easy Extensibility&lt;br /&gt;
&lt;br /&gt;
For instance if sha256 were at some day considered broken or improvements for the algorithm were coming up, we wouldn&#039;t need to reserve a new letter instead of the &#039;S&#039;, due to the minikey reserved version character in the second character. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:: Oki doki, makes sense for quick prototyping reasons. However for making it a &#039;Standard&#039; probably the best available one today should be chosen, shouldn&#039;t it? Also kind of in the spirit of [http://iang.org/ssl/hn_hypotheses_in_secure_protocol_design.html Ian Grigg&#039;s hypotheses].&lt;br /&gt;
&lt;br /&gt;
= Tagging Stable Versions =&lt;br /&gt;
&lt;br /&gt;
Just as a note and thought: Before including a minikey format in the bitcoin source code and after all questions and considerations have been resolved a fixed version should be tagged so that other people could rely on certain properties of a certain minikey version. Until then the whole thing (including the simple sha256 version?) should be explicitly marked as a draft, stating that any adoption in for instance commercial products should be done on one&#039;s own risk. --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= More specific applications for simple SHA256 minikeys =&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers&amp;quot;&lt;br /&gt;
&lt;br /&gt;
Would you mind explaining a little further in which use cases it might be desireable to compute minikeys on for instance microcontrollers? Are they common? Do they justify the necessity of a weaker minikey version?&lt;br /&gt;
&lt;br /&gt;
If you have a certain product like your &#039;casacius coins&#039;, one possible application area, I guess you probably don&#039;t do this on microcontrollers. You usually have enough space + money for machines with enough computational power generating minikeys in PBKFD2-SHA256 format.&lt;br /&gt;
&lt;br /&gt;
I saw that you, [[User:Casascius|Casascius]], were playing with [[Casascius_Bitcoin_POS_system|POS systems]]: Is that the main application for the SHA256 minikey version you had in mind? Won&#039;t most embedded devices need an internet connection to be useful anyway, just like such a POS system, which will in most use cases allow the outsourcing of computational intensive tasks, like a PBKFD2-SHA256 generation? Is there really a need to be able to calculate minikeys directly on tiny embedded systems? --[[User:T X|T X]] 04:18, 25 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19700</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19700"/>
		<updated>2011-11-20T22:31:58Z</updated>

		<summary type="html">&lt;p&gt;T X: ticked the 717 round sha256 questions from the list&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
:The only concern would be the number of bitcoins stored in low-entropy keys.  The concern expressed by the developers (in #bitcoin-dev at around the same time I made the PBKDF2 edits - you can review the logs) wasn&#039;t whether a few Casascius coins were at risk, but rather, whether a low-entropy format would become popular enough as time goes on to make the constantly increasing reward for a successful attack eventually intersect with the constantly decreasing resource cost to attack it. &lt;br /&gt;
&lt;br /&gt;
:Also the developers noted that QR codes are much more efficient when they are made strictly from the set of uppercase alphanumerics, as it switches to a QR encoding that spends fewer bits per character.  Mixed case QR codes require a full 8-bit character set (IIRC), which takes up significantly more space than the QR alphanumeric encoding which doesn&#039;t support lowercase.  The developers expressed a willingness to entertain an alternate encoding of full Bitcoin private keys that used base36 (or perhaps base44, since that&#039;s how many printable characters in the QR alphanumeric set), which would result in a significantly reduced footprint in QR codes. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I don&#039;t think it will be a major issue.  If there&#039;s a lot of them out there, they could easily be described by the product.  For example, one could name &amp;quot;all Casascius coins with the &#039;casacius&#039; misspelling&amp;quot; and accurately describe the set of affected coins, were a fault in 22-char sha256 keys be found. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: Correct, if a Bitcoin address has 160 bits, then the extra bits in the private key will probably add little or no value. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: I implemented an HMAC-SHA1 on my fork on Github just because the code was readily available.  The developers&#039; response was along the lines of &amp;quot;why should we make use of a hashing algorithm on its way out the door when we don&#039;t have to, it makes us look less sophisticated&amp;quot;.  I tend to agree and would favor HMAC-SHA256, was just a matter of how much time I had to throw at it. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
----&lt;br /&gt;
&lt;br /&gt;
= (Probably) Finished Discussions =&lt;br /&gt;
&lt;br /&gt;
== Python Code ==&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: It was to force all codes to only pass the 717th round checksum, which is computationally intensive in slow interpreted languages like Javascript.  But I would favor scrapping the arbitrary 717th round thing in favor of PBKDF2. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Ok, agreed, also makes sense to me to remove the 717th round sha256 in favour for PBKDF2. I removed it from the python code. --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
&lt;br /&gt;
== 717 round SHA256 ==&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
: The 717 round bit was mostly a proposal, I am not aware of any use in the field.  I did not use them in Casascius Coins.  The PBKDF2 version would be preferred long term. [[User:Casascius|Casascius]] 03:32, 10 November 2011 (GMT)&lt;br /&gt;
:: Oki doki, makes sense (as already said above) --[[User:T X|T X]] 22:31, 20 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Mini_private_key_format&amp;diff=19699</id>
		<title>Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Mini_private_key_format&amp;diff=19699"/>
		<updated>2011-11-20T22:21:00Z</updated>

		<summary type="html">&lt;p&gt;T X: removing 717 round sha256 version (see discussion page)&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;[[Image:QR-privkeys-sidebyside.png|thumb|right|QR codes of the same private key, in mini versus regular private key format.  Both codes have the same dot density and error correction level, but the mini key is 57% of the full code&#039;s size.]]&lt;br /&gt;
The &#039;&#039;&#039;mini private key format&#039;&#039;&#039; is a method of encoding a Bitcoin private key in as few as 22 characters so that it can be embedded in a small space.  This private key format was first used in Casascius physical bitcoins, and is also favorable for use in QR codes.  The fewer characters encoded in a QR code, the lower dot density can be used, as well as more dots allocated to error correction in the same space, significantly improving readability and resistance to damage.  The mini private key format offers its own built-in check code as a small margin of protection against typos.&lt;br /&gt;
&lt;br /&gt;
An example key using this encoding is &#039;&#039;&#039;S4b3N3oGqDqR5jNuxEvDwf&#039;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
==Usage on a physical bitcoin==&lt;br /&gt;
The way it might appear within a physical bitcoin is on a round card printed as follows:&lt;br /&gt;
&lt;br /&gt;
&amp;lt;center&amp;gt;S4b3N&amp;lt;br/&amp;gt;3oGqDq&amp;lt;br/&amp;gt;R5jNux&amp;lt;br/&amp;gt;EvDwf&amp;lt;/center&amp;gt;&lt;br /&gt;
&lt;br /&gt;
==Import==&lt;br /&gt;
To import the minikey in a user-friendly way the browser-wallet [[StrongCoin]] can be used.&lt;br /&gt;
&lt;br /&gt;
Source code for a version of the client that can be compiled to import mini private keys via [[importprivkey]] can be found at github as casascius/bitcoin.&lt;br /&gt;
&lt;br /&gt;
==Decoding==&lt;br /&gt;
The private key encoding consists of 22, 26, or 30 alphanumeric characters from the [[base58]] alphabet used in Bitcoin.  The first of the characters is always the uppercase letter S.&lt;br /&gt;
&lt;br /&gt;
There are two methods to obtain the full 256-bit private key.  One involves SHA256, and the other involves PBKDF2.  A simple test must be performed to determine which method shall be used:&lt;br /&gt;
&lt;br /&gt;
# Add a question mark to the end of the mini private key string.&lt;br /&gt;
# Take the SHA256 hash of the entire string.  However, we will only looking at the first two bytes of the result.&lt;br /&gt;
# If the first byte is 00, then the private key must be computed as simply SHA256(minikey).  The question mark is not part of this computation.&lt;br /&gt;
# If the first byte is 01, then the private key must be computed using PBKDF2.  The second byte determines the iteration count that will be passed into the PBKDF2 function.  The iteration count is determined as follows: 2 ^ (n/4) rounded to the nearest integer, where n is the second byte.  For example, if the second byte is 0x28, then 4096 iterations will be used.  The salt string is &amp;quot;Satoshi Nakamoto&amp;quot;.  The Bitcoin client imposes an upper limit on the value of n, which is currently 0x40, or 65536 iterations, and rejects the key as invalid beyond the limit.&lt;br /&gt;
&lt;br /&gt;
===Example with SHA256===&lt;br /&gt;
Here is an example with the sample private key S4b3N3oGqDqR5jNuxEvDwf.&lt;br /&gt;
&lt;br /&gt;
The string &amp;quot;S4b3N3oGqDqR5jNuxEvDwf?&amp;quot; has a SHA256 value that begins with 00, so it uses SHA256.&lt;br /&gt;
&lt;br /&gt;
To obtain the full 256-bit private key, simply take the SHA256 hash of the entire string.  There is no encoding for breaks in the string even if printed that way - the SHA256 should be taken of exactly twenty-two bytes.&lt;br /&gt;
&lt;br /&gt;
 SHA256(&amp;quot;S4b3N3oGqDqR5jNuxEvDwf&amp;quot;) = 0C28FCA386C7A227600B2FE50B7CAE11EC86D3BF1FBE471BE89827E19D72AA1D&lt;br /&gt;
&lt;br /&gt;
This sample key in [[wallet export format]] is 5HueCGU8rMjxEXxiPuD5BDku4MkFqeZyd4dZ1jvhTVqvbTLvyTJ, and the corresponding [[Bitcoin address]] is 1GAehh7TsJAHuUAeKZcXf5CnwuGuGgyX2S.&lt;br /&gt;
&lt;br /&gt;
===Example with PBKDF2===&lt;br /&gt;
Here is an example with the sample private key SmbM4uRBu2mQymCsuMKkiW.&lt;br /&gt;
&lt;br /&gt;
The string &amp;quot;SmbM4uRBu2mQymCsuMKkiW?&amp;quot; has a SHA256 value that begins with 01 30 (hex), so it will use PBKDF2 with 4096 iterations.&lt;br /&gt;
&lt;br /&gt;
To obtain the full 256-bit private key, evaluate the PBKDF2 function as follows:&lt;br /&gt;
&lt;br /&gt;
 PBKDF2(&amp;quot;SmbM4uRBu2mQymCsuMKkiW&amp;quot;, &amp;quot;Satoshi Nakamoto&amp;quot;, 4096, 32bytes) = &lt;br /&gt;
  80366610e37e56c5125aee358ab51326a15f6586d658b90bb881a6116b06853c&lt;br /&gt;
&lt;br /&gt;
This sample key in [[wallet export format]] is 5Jnkbccxr6hbCkL7d4sufAzrTxqWmeSHTY2tKQp4P1vogQ13g5g, and the corresponding [[Bitcoin address]] is 1ArzEMMcd4EHV3jbWKkpuGRhBG6iV4RCVA.&lt;br /&gt;
&lt;br /&gt;
The PBKDF2 key derivation algorithm is shared by the WPA-PSK encryption method used on WiFi networks.  It also happens to also use 4096 iterations and 32 bytes of key, so a standard WPA key calculator can be used to test and confirm this particular result, simply by entering &amp;quot;Satoshi Nakamoto&amp;quot; as the SSID and &amp;quot;SmbM4uRBu2mQymCsuMKkiW&amp;quot; as the password.&lt;br /&gt;
&lt;br /&gt;
==Check code==&lt;br /&gt;
The mini private key format offers a simple typo check code.  Mini private keys must be generated in a &amp;quot;brute force&amp;quot; fashion, keeping only keys that conform to the format&#039;s rules.  If a key is well-formed (22, 26, or 30 Base58 characters starting with S), but fails the hash check, then it probably contains a typo.&lt;br /&gt;
&lt;br /&gt;
If the SHA256 hash of the string followed by &#039;?&#039; doesn&#039;t result in something that begins with 0x00 or 0x01, the mini private key is not valid.&lt;br /&gt;
&lt;br /&gt;
If it starts with 0x01, but the second byte is higher than the allowed maximum (0x30), the mini private key is invalid.  Note that the maximum is likely to be increased as computing power advances.&lt;br /&gt;
&lt;br /&gt;
==Creating mini private keys==&lt;br /&gt;
Creating mini private keys is relatively simple.  One program which can create such keys is [[Casascius Bitcoin Utility]].&lt;br /&gt;
&lt;br /&gt;
Mini private keys must be created &amp;quot;from scratch&amp;quot;, as the conversion from mini private key to full-size private key is one-way.  In other words, there is no way to convert an existing full-size private key into a mini private key.&lt;br /&gt;
&lt;br /&gt;
To create mini private keys, simply create random strings that satisfy the well-formedness requirement, and then eliminate the ones that do not pass the typo check.  (This means eliminating more than 99% of the candidates.)  Then use the appropriate algorithm to compute the corresponding private key, and in turn, the matching Bitcoin address.  The Bitcoin address can always be computed from just the private key.&lt;br /&gt;
&lt;br /&gt;
It is &#039;&#039;&#039;highly recommended&#039;&#039;&#039; to use the PBKDF2 function and select at least 4096 rounds.  (This means selecting strings as keys whose SHA256(string+&amp;quot;?&amp;quot;) begins with 0x0128).  Mini private keys offer a minimum of entropy, so the more rounds you choose, the stronger your keys will resist advances in technology to do brute-force cracks.&lt;br /&gt;
&lt;br /&gt;
The SHA256 function is provided for the convenience of hardware and software environments that offer very limited computational power, such as microcontrollers.  It provides for the ability to generate a valid mini private key with, on average, 256 operations of SHA256.  However, it also offers the lowest brute force attack resistance.  Such keys are only suitable for situations where a &amp;quot;throwaway&amp;quot; Bitcoin address is needed, such as on a coupon or ticket where the amount will be spent soon, as opposed to an address where bitcoins will be kept long term.  The strongest possible PBKDF2-based keys should always be preferred in any environment where generating them is possible.&lt;br /&gt;
&lt;br /&gt;
In all cases, you &#039;&#039;&#039;must&#039;&#039;&#039; use a secure cryptographic random number generator to eliminate risks of predictability of the random strings.&lt;br /&gt;
&lt;br /&gt;
==Entropy considerations==&lt;br /&gt;
The 22-character mini private key code appears to offer about 123 bits of entropy, determined as log2(58^21).  (Because the first character is fixed, there are 21 symbols which can each have one of 58 values).&lt;br /&gt;
&lt;br /&gt;
The 26-character version offers about 146 bits of entropy by the same calculation.  The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&lt;br /&gt;
&lt;br /&gt;
==Python Code==&lt;br /&gt;
The following code produces sample SHA256-based mini private keys in Python.  For real-world use, &#039;&#039;random&#039;&#039; must be replaced with a better source of entropy, as the Python documentation for &#039;&#039;random&#039;&#039; states the function &#039;&#039;&amp;quot;is completely unsuitable for cryptographic purposes&amp;quot;&#039;&#039;.&lt;br /&gt;
&lt;br /&gt;
&amp;lt;source lang=&amp;quot;python&amp;quot;&amp;gt;&lt;br /&gt;
import random&lt;br /&gt;
import hashlib&lt;br /&gt;
&lt;br /&gt;
BASE58 = &#039;123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz&#039;&lt;br /&gt;
&lt;br /&gt;
def Candidate():&lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    Generate a random, well-formed mini private key.&lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    return(&#039;%s%s&#039; % (&#039;S&#039;, &#039;&#039;.join(&lt;br /&gt;
        [BASE58[ random.randrange(0,len(BASE58)) ] for i in range(21)])))&lt;br /&gt;
&lt;br /&gt;
def GenerateKeys(numKeys = 10):&lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    Generate mini private keys and output the mini key as well as the full&lt;br /&gt;
    private key. numKeys is The number of keys to generate, and &lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    keysGenerated = 0&lt;br /&gt;
    totalCandidates = 0&lt;br /&gt;
    while keysGenerated &amp;lt; numKeys:&lt;br /&gt;
        try:&lt;br /&gt;
            cand = Candidate()&lt;br /&gt;
            # Do typo check&lt;br /&gt;
            t = &#039;%s?&#039; % cand&lt;br /&gt;
            # Take one round of SHA256&lt;br /&gt;
            candHash = hashlib.sha256(t).digest()&lt;br /&gt;
            # Check if the first eight bits of the hash are 0&lt;br /&gt;
            if candHash[0] == &#039;\x00&#039;:&lt;br /&gt;
                privateKey = GetPrivateKey(cand)&lt;br /&gt;
                print(&#039;\n%s\nSHA256( ): %s\nsha256(?): %s&#039; %&lt;br /&gt;
                      (cand, privateKey, candHash.encode(&#039;hex_codec&#039;)))&lt;br /&gt;
                if CheckShortKey(cand):&lt;br /&gt;
                    print(&#039;Validated.&#039;)&lt;br /&gt;
                else:&lt;br /&gt;
                    print(&#039;Invalid!&#039;)&lt;br /&gt;
                keysGenerated += 1&lt;br /&gt;
            totalCandidates += 1&lt;br /&gt;
        except KeyboardInterrupt:&lt;br /&gt;
            break&lt;br /&gt;
    print(&#039;\n%s: %i\n%s: %i\n%s: %r\n%s: %.1f&#039; %&lt;br /&gt;
          (&#039;Keys Generated&#039;, keysGenerated,&lt;br /&gt;
           &#039;Total Candidates&#039;, totalCandidates,&lt;br /&gt;
           &#039;Additional Security&#039;, additionalSecurity,&lt;br /&gt;
           &#039;Reject Percentage&#039;,&lt;br /&gt;
           100*(1.0-keysGenerated/float(totalCandidates))))&lt;br /&gt;
&lt;br /&gt;
def GetPrivateKey(shortKey):&lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    Returns the hexadecimal representation of the private key corresponding&lt;br /&gt;
    to the given short key.&lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    if CheckShortKey(shortKey):&lt;br /&gt;
        return hashlib.sha256(shortKey).hexdigest()&lt;br /&gt;
    else:&lt;br /&gt;
        print(&#039;Typo detected in private key!&#039;)&lt;br /&gt;
        return None&lt;br /&gt;
&lt;br /&gt;
def CheckShortKey(shortKey):&lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    Checks for typos in the short key.&lt;br /&gt;
    &amp;quot;&amp;quot;&amp;quot;&lt;br /&gt;
    if len(shortKey) != 22:&lt;br /&gt;
        return False&lt;br /&gt;
    t = &#039;%s?&#039; % shortKey&lt;br /&gt;
    tHash = hashlib.sha256(t).digest()&lt;br /&gt;
    # Check to see that first byte is \x00&lt;br /&gt;
    if tHash[0] == &#039;\x00&#039;:&lt;br /&gt;
        return True&lt;br /&gt;
    return False&lt;br /&gt;
&amp;lt;/source&amp;gt;&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19105</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19105"/>
		<updated>2011-11-10T01:01:28Z</updated>

		<summary type="html">&lt;p&gt;T X: /* PBKDF2 */&lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Python Code =&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= 717 round SHA256 =&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used? --[[User:T X|T X]] 01:01, 10 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19104</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19104"/>
		<updated>2011-11-10T01:01:05Z</updated>

		<summary type="html">&lt;p&gt;T X: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Python Code =&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= 717 round SHA256 =&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= PBKDF2 =&lt;br /&gt;
&lt;br /&gt;
Is HMAC−SHA1 or HMAC−SHA256 being used?&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
	<entry>
		<id>https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19102</id>
		<title>Talk:Mini private key format</title>
		<link rel="alternate" type="text/html" href="https://en.bitcoin.it/w/index.php?title=Talk:Mini_private_key_format&amp;diff=19102"/>
		<updated>2011-11-10T00:44:06Z</updated>

		<summary type="html">&lt;p&gt;T X: &lt;/p&gt;
&lt;hr /&gt;
&lt;div&gt;I&#039;m not sure I like the idea of encouraging people to use less than the current 160bits of entropy in a private key. [[User:Willphase|Willphase]] 14:15, 25 September 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Python Code =&lt;br /&gt;
&lt;br /&gt;
What was the &amp;quot;additionalSecurity&amp;quot; flag supposed to do? It seems unused. --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Application =&lt;br /&gt;
&lt;br /&gt;
When minikeys should or should not be used is not really obvious to me from reading this article. From reading the introduction I&#039;m especially getting the impression that minikeys should always be prefered.&lt;br /&gt;
&lt;br /&gt;
Any disadvantages of minikeys are not directly mentioned - only indirectly via the entropy section, but this might not be understandable to anyone not that familiar with cryptography.&lt;br /&gt;
&lt;br /&gt;
In forum and github posts I however got the impression, that due to the reduced entropy minikeys should be used for smaller amounts only. Is this the case for the SHA256 or also the PBKDF2 computed version?&lt;br /&gt;
&lt;br /&gt;
Are there any other disadvantages? Would it be problematic if 1M (2M/4M/10M/...) bitcoins were stored in 1 (0.1/0.01/...) BTC mini private keys (via for instance Casascius or Casascius alike coins)? Is it really the case that a minikey is always &amp;quot;favorable for use in QR codes&amp;quot;, under all circumstances? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= 717 round SHA256 =&lt;br /&gt;
&lt;br /&gt;
[https://github.com/bitcoin/bitcoin/pull/220#issuecomment-2185128 &amp;quot;I also got rid of the 717-round stuff. I haven&#039;t used any such codes on physical bitcoins so it can be scrapped right now.&amp;quot;]&lt;br /&gt;
&lt;br /&gt;
Does that mean that the 717 round sha256 version mentioned on this wiki page is deprecated due to a superior PBKDF2 version? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Terminology =&lt;br /&gt;
&lt;br /&gt;
For a non-developer it is not obvious whether a certain minikey is the SHA256 or stronger PBKDF2 version. So for instance if a user got a receipt saying &amp;quot;minikey: ...&amp;quot;, the user does not know whether s/he should hurry to redeem it or not. Maybe two distinct names should be used for the SHA256 and PBKDF2 versions? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;br /&gt;
&lt;br /&gt;
= Entropy Considerations =&lt;br /&gt;
&lt;br /&gt;
The entropy is much lower due to the thrown away candidates, isn&#039;t it? So log2(58^21/2^7)?&lt;br /&gt;
&lt;br /&gt;
&amp;quot;The 30-character version offers over 169 bits, which exceeds the 160-bits found in a Bitcoin address.&amp;quot; But practically this doesn&#039;t make 30-char-minikeys more secure than 160bit bitcoin addresses, as only the 160bit bitcoin addresses are being used within the network anyway, right? --[[User:T X|T X]] 00:44, 10 November 2011 (GMT)&lt;/div&gt;</summary>
		<author><name>T X</name></author>
	</entry>
</feed>