Shamir's Secret Sharing is a mechanism where you split a secret into N pieces and decide on a number K which is less than N. If you have K different pieces of the original N it is trivial to calculate the secret. If you have K-1 pieces the secret is completely undetermined, meaning that any possible value is likely. Details here: Shamir's Secret Sharing
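As an added illustration of the K-of-N scheme described in the post above (this is my own example code, not from the post and not Armory's): a minimal Shamir split and recover over a prime field, plus a helper that shows why K-1 shares reveal nothing. Given K-1 shares, for ANY candidate secret you can construct a K-th share that makes recovery return that candidate, so the K-1 shares are consistent with every possible secret. The field prime (2^521 - 1), the share indices 1..N and all function names are my choices.

```python
import secrets

# Field prime. 2^521 - 1 is a Mersenne prime, comfortably larger than a 256-bit
# private key, so any such key fits as a field element. (My choice of field.)
P = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate coeffs[0] + coeffs[1]*x + ... + coeffs[k-1]*x^(k-1) mod P (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def _interpolate(points, x):
    """Lagrange interpolation over GF(P): value at x of the unique polynomial
    of degree < len(points) passing through the given (x_i, y_i) points."""
    xs = [px for px, _ in points]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate x coordinates")
    total = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (x - xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, -1, P)) % P
    return total


def split_secret(secret, k, n):
    """Split an integer secret into n shares (x, y); any k of them recover it.
    The secret is the constant term of a random polynomial of degree k-1."""
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < P:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_secret(shares):
    """Recover the secret from at least k distinct shares.
    Caveat: with fewer than k shares this returns a wrong value, not an
    error; the caller has to know k (e.g. print it on every share)."""
    return _interpolate(shares, 0)


def forge_kth_share(partial_shares, candidate_secret, x_new):
    """Why k-1 shares leak nothing: for ANY candidate secret there is a k-th
    share at x_new that makes recovery return exactly that candidate."""
    points = [(0, candidate_secret)] + list(partial_shares)
    return (x_new, _interpolate(points, x_new))


if __name__ == "__main__":
    key = secrets.randbits(256)
    shares = split_secret(key, 3, 5)           # 3-of-5
    assert recover_secret(shares[:3]) == key
    # Holding only 2 shares, an attacker can "prove" any secret they like:
    fake = forge_kth_share(shares[:2], 0xBAD, 3)
    print(recover_secret(shares[:2] + [fake]) == 0xBAD)   # True
```

Note that recovery interpolates whatever it is given: feeding it the right number of shares is the caller's responsibility, which is why real paper shares should carry K and N on them.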
This is actually already possible for N=K using Armory's elliptic curve calculator (meaning that you need all of the pieces of paper to recover it). For instance, you create 3 private keys and use the calculator to multiply them together. The result is the final private key where the money is stored. Then you print off all three keys separately. To recover your wallet, you collect all three, and use the calculator again.
Even better, this can be implemented without any two keys ever touching the same computer! Computer A produces a key, and gives the public key to Computer B. Computer B multiplies PublicKey(A) by its own private key to make PublicKey(A*B). Then this is given to Computer C, which multiplies it by its private key to make PublicKey(A*B*C). This is now a public key which can be converted to an address and funded. The only way to recover the private key is to collect all three sheets of paper and multiply the private keys together!
I don't promote this as the best solution, but it's one that is already available with Armory 0.55-alpha. In the future, this will all be unnecessary by simply putting all of your funds into an M-of-N multi-signature transaction. If it's a 2-of-3 transaction, you backup all 3 private keys separately, and any two will work. It's a protocol-level implementation of Shamir's or Reed-Solomon.
Believe it or not, I was once a consultant on a project where a similar procedure was done (paper shares, stored in various banks in different locations), where as a safety procedure the printer used had to be blown to pieces by the military afterwards. This was a backup for the root key of a CA. I guess they were paranoid of what you can get off a printer roller.
I totally believe it. A root CA key requires the highest level of security, especially if it will be used for military operations. I'm surprised thermite wasn't involved.
Brain Wallet will be a killer app. I am choosing multiple encryption methods including mnemonics, music notation, a personally developed cryptographic algorithm, and motor memory. It will be interesting to see how many keys I can create and remember, maybe enough to last a lifetime.
I have considered brain wallets, but I think they are too risky, unless you include extra entropy stored on the computer (which partially defeats the purpose). As mentioned above, too many users use passphrases that are way too simple, and will end up sharing wallets (or make it too easy for an attacker to create the same wallet without ever accessing your computer). When their coins disappear, don't count on the user admitting that they used a weak passphrase. Instead, it will make the protocol/program look insecure.