An in-depth look at BIP38


Originally published here:

At the heart of Ballet’s wallets is a class Bitcoin standard that unfortunately, is not commonly used in today’s software wallets. However, it is a standard that epitomizes our uniqueness over other cryptocurrency wallets. And that standard, which is echoed throughout our FAQ’s and website, is the Bitcoin Improvement Proposal 38, or BIP38 for short.

The BIP38 standard is what gives way to our innovative patent-pending two-factor key generation manufacturing process, where the two critical private key components are generated in a geographically segregated, multinational private key production process. This manufacturing process ensures the highest level security for our cold storage wallets.

Considering that we have given our rebuttal towards our critics regarding the security of our wallets and the dozens of newly created FAQ’s written on our website, we felt that it would also be fitting to give an in-depth introduction to BIP38 itself (for those who want to venture down the rabbit hole then this is for you). There is a specific reason why BIP38 was chosen to act as the technical foundation for our wallets. We believe this article will shine more of a light as to why.


Before diving into the confusing maze of BIP38’s private key generation, let’s take a look at how and where it started. A BIP, or Bitcoin Improvement Proposal, is a proposal of an idea submitted by any community member to the bitcoin developer’s mailing list to improve the bitcoin network in any facet that may lack optimal performance. The number 38 is just referencing which BIP was submitted. So BIP38 is the 38th BIP proposed out of the current 350 BIPs ever proposed to date.

BIP38 was specifically proposed in November of 2012 by Mike Caldwell and Aaron Voisine with the motivation in improving the way physical bitcoins and paper wallets were being used back in the early days. At the time, having bitcoins in physical form was a novel experiment in allowing new users to FEEL and HOLD a bitcoin. Many outlets, startups, and enthusiasts took that idea to sell bitcoins not only through an on-chain transaction, but also through the handing over of a private key and its public address to the recipient. The BIP38 made it more trustworthy for issuers of such physical bitcoins to standardize a robust methodology of the physical bitcoin creation.

The interesting tidbit here is that the main architect of the BIP38 proposal was Mike Caldwell, who is the creator of the infamous Casascius bitcoins, which were the earliest commercial implementations of physical bitcoins sold to retail investors. Although the production of those Casascius bitcoins have stopped at the end of 2013, the culmination of bitcoin’s popularity and early novelty of the item has made it into a collectible amongst diehard bitcoiners.

Fast forward a few years later, to 2019, comes the creation of Bobby Lee’s Ballet wallets with the pure intent of making crypto wallets easy, safe, and giftable. Bobby has made it clear that the Ballet wallets are an advanced adaptation of Casascius coins.

“We are a great evolution from those Casascius coins” — Bobby Lee

The crux of the production of Casascius coins was that it was made essentially by one person, in one location. Ballet wallets have improved upon that by separating production between two parties, in two different locations across the world (different government jurisdictions). And of course, it is only right to pay homage to those Casascius coins by highlighting the fundamental foundation to our innovative Two Key Factor Generation process, which is based upon Mike Caldwell’s draft of the BIP38 standard.

Breakdown of BIP38

The BIP38 standard actually contains two different usage functions. Both essentially manifest the same idea of using a passphrase in tandem with an encrypted private key to reveal the decrypted private key. But the sequence of deriving the initial private key is a bit different.

Usage A: “Encryption when EC multiply flag is not used”

  • This first usage allows a user to take a previously generated private key (WIF Compressed formatted) and encrypt it using a custom passphrase selected by the user. The resulting encrypted private key is a base58 hexadecimal string starting with ‘6P’. The nuance here is that the user must already have a pre-generated private key to use for the encryption process.
  • This function is actually available on the popular, but you would need to generate a WIF formatted private key first.

Usage B: “Encryption when EC multiply mode is used”

  • This second usage, which is what our 2FKG is based on, allows two parties to partake in the creation of the private keys. The first party starts by creating a randomly generated passphrase and some ‘salt’ to add more entropy to the process, an intermediate_passphrase_string is then derived and handed over to the second party to generate a public address and an encrypted private key. And to stress a key point here is that the intermediate_passphrase_string DOES NOT reveal the original passphrase, which is kept by the first party, and is needed to decrypt the end resulting encrypted private key.
  • A flow chart of the whole majestically crafted process is shown below (the “lot” and “sequence” numbers were excluded in the flow chart for simplicity). Note that the “Owner” is the first party described above, and the “Printer” is the second party described above.

The Detailed Breakdown of Usage B

As shown in the flow chart, the Owner is the one that owns the passphrase (and keeps it secure), which is needed in order to decrypt the encrypted private key. The Printer is the one that takes the intermediate_passphrase_string to output a public address and an encrypted private key. The Owner and the Printer therefore do not have to be in the same location, timezone, or even need to know each other. This is how our innovative 2FKG process works. Our Owner is situated in the United States while our Printer is situated in China.

Step 1: Owner (Ballet’s team in the US) creates a secret passphrase to generate an intermediate code (intermediate_passphrase_string)

  1. Owner generates a randomized ‘ownersalt’ and a random ‘passphrase’.
  2. Both the ‘ownersalt’ and ‘passphrase’ is then run through a key derivation algorithm, Scrypt. The result is a key called ‘passfactor’.
  3. Elliptic curve multiplication is then used to “multiply” elliptic curve point G and ‘passfactor’ resulting in a ‘passpoint’.
  4. The original ‘ownersalt’ and ‘passpoint’ is then shared with the Printer (Ballet’s team in China) in a base58check encoded format known as the intermediate_passphrase_string, or ‘intermediate code’ for short. This string starts with the actual word ‘passphrase’ for readability purposes. (This is also the actual BIP38 intermediate code our customers generate by themselves if they want to order the PRO Series wallets.) An example of this intermediate code they would send to us is shown below:
  5. passphraseq56ehW7gSRMgF6MttNx1bpsPffCe7cKSodv8AaUVKCYZbSLH35MYu6uhXq6KpJ
  6. Even if you use the same passphrase to run through the algorithm again, you will always get a different ‘intermediate code’ due to the other randomized portion stemming from the ‘ownersalt’.

Step 2: The Owner (Ballet’s team in the US) sends over the ‘intermediate code’ to the Printer (Ballet’s team in China) over an encrypted network. The Printer then computes the public address and encrypted private key.

  1. The Printer sets a flagbyte: either 0x20 or 0x04, which indicates how the bitcoin address will be formed.
  2. The Printer then generates a random ‘seedb’, which is then ran through SHA256 twice to generate ‘factorb’.
  3. The ‘passpoint’ is then ECMultiplied by ‘factorb’ which generates the public keys, which is then hashed to generate the bitcoin public address. During this step, the Printer can also generate a confirmation code which allows the final end user, the Owner, of our Ballet wallet to confirm if the given bitcoin address matches the ‘passphrase’.
  4. The ‘ownersalt’ and a hash of the public address is then concatenated as a salt to encrypt ‘seedb’. And another key is derived from the ‘passpoint’ using Scrypt. The result is then split into two 32-byte halves called ‘derivedhalf1’ and ‘derivedhalf2’.
  5. The AES256Encrypt is then used to produce two 16-byte results called ‘encryptedpart1’ and ‘encryptedpart2’.
  6. The base58 check-encoded encrypted private key is then derived from the formula (starting with ‘6P’):
  7. 0x01 0x43 + flagbyte + addresshash + ownersalt + encryptedpart1[0…7] + encryptedpart2
  8. The encrypted private key with its corresponding public address is then given back to the Owner, who has the secret passphrase. The Owner is now able to decrypt the encrypted private key with the passphrase to reveal the decrypted private key (shown as a Wallet Imported Formatted key).


Thanks to the randomness instilled in each part (both parts 1 and 2), if a person runs the initial passphrase again through the BIP38 generator, they will always get a different intermediate code as well as a completely different encrypted private key. Therefore, a passphrase will essentially only ever produce one unique encrypted private key, once. Trying to generate the same encrypted private key from a stolen passphrase is statistically nearly impossible. And trying to guess a passphrase from an existing encrypted private key gets exponentially more difficult to brute-force if the passphrase is long and complex.

We hope this breakdown of the core functionality of our Two Key Factor Generation production process gives you more assurance of our Ballet wallets. And for those who are still skeptical about the robust cryptographic security offered by the BIP38 standard, Bobby Lee has an ongoing challenge for those who want to try and hack into his Ballet wallets. He has put up 2 bitcoins as a prize (worth over USD $120,000 as of this blog’s publication), for you to try and hack his two Ballet wallets. He gives you the encrypted private key for one wallet, and gives you the decryption passphrase for the other wallet. If you can hack or brute force the other critical component, then you can take the prize money.

By using BIP38’s encryption technology, Ballet wallets are cryptographically secure, and Bobby has put his money where his mouth is.

Read more about Bobby’s hacking challenge:

Here’s another website that also summarizes the Ballet hacking challenge, appropriately named Take Bobby’s Bitcoin:


Leave a comment

Please note, comments must be approved before they are published