Auditable paper wallet
An auditable paper wallet is a paper wallet that includes an Audit Private Key for the purpose of guaranteeing to the user that the paper wallet includes sufficient entropy, in a manner that can be easily verified by the user.
The purpose of the auditing is to alleviate the concern that a program, Live CD, or paper wallet printer appliance offered to help people produce safe paper wallets might contain a flawed or predictable random number generator that could result in theft.
An auditable paper wallet provides a means for the user to introduce their own entropy through the keyboard, and then to confirm that the paper wallets actually include the user's entropy.
How it works
An auditable paper wallet generator first asks the user to enter a long string of their choice, between 20 and 40 characters. A suggested string is a simple mash of the keyboard, e.g. "as;dlfkjguwhaief;lkjsdvmnasdfkjh". The user should be reminded that the chosen string should be meant to be forgotten, should not be memorable, and the user should required to enter a string on the keyboard; no default or auto-generated string should ever be offered to the user.
Afterward, the paper wallet generator should guarantee that it generates private keys consisting solely of SHA256(USER_ENTROPY + PROGRAM_ENTROPY), where USER_ENTROPY is the string entered by the user, PROGRAM_ENTROPY is some sort of randomly generated string generated by the software, and + means concatenation. The string USER_ENTROPY + PROGRAM_ENTROPY should be offered to the user as the "Audit Private Key".
The program should offer the ability to display the Audit Private Key, to copy it to the system clipboard, and to show a QR code on screen, but should discourage (while not necessarily prohibiting) the Audit Private Key from being printed on the paper wallet itself. If the program offers the ability to print the Audit Private Key on the printed copy, it should be offered as a QR code, to enable the possibility of rapid auditing with a barcode scanner.
What is an audit
An audit is simply the process of verifying that the hash of the Audit Private Key equals the private key on the paper wallet, and that the Bitcoin address corresponds to that private key.
An audit allows the user to visually guarantee that the entropy he provided himself has been incorporated into the private key of the paper wallet. The premise is that the maker of a Live CD or appliance that generates paper wallets cannot predict USER_ENTROPY, and so as long as the user is diligent in supplying an unpredictable string that has sufficient entropy, a successful audit guarantees the unpredictability of the private key.
User enters string: drgow3u4hgy984hreuahiouioehirfnadsfjsjkd Program provides a random GUID: 1ee147fb-9416-4081-9dcb-60f5836d8822 Audit private key: 1ee147fb-9416-4081-9dcb-60f5836d8822drgow3u4hgy984hreuahiouioehirfnadsfjsjkd Private key (which is SHA256 of Audit private key): 5JpkQkz2Gg9NFSTVKLcBJdG8R2WdbB8hXFwPZ3G1Apbp29M1ap3 Bitcoin address: 1FRDyKZkCUVPjTXQkNbPohgyWiAgEM5mDe
Printing the Audit Private Key should be discouraged on paper wallets that are likely to be given to others who have no need to audit the paper wallet, particularly if the same USER_ENTROPY is used to batch-print multiple paper wallets. The disclosure of USER_ENTROPY on one paper wallet could weaken the security of other paper wallets with identical USER_ENTROPY.
Users who might print the Audit Private Key should be made fully aware that the Audit Private Key can be used to regenerate the Private Key and that its disclosure could result in the theft of funds. Printing the Audit Private Key should be discouraged by default.
Users should be made aware that steps undertaken to audit the paper wallet might result in the disclosure of the private key. For example, if a user uses a website or a compromised computer to audit a paper wallet, the auditing process may result in the wallet being compromised and the funds stolen. A good recommendation would be to only audit a random sample from a batch, and to not use the audited paper wallets for Bitcoin storage.
An audit only protects a user against predictability. It does not protect a user from disclosure risks, such as a Live CD or program that finds an internet connection and leaks key material, or one that can write to a file system or other storage to trigger a future leak if that storage later comes into contact with internet access. It also does not protect a user from a compromised printer, or one that stores material from print jobs.