Bitcoin Forum

I'm pleased to announce the creation of the first Casascius 2-factor Physical Bitcoin.

Info about it is on my website.  I am posting in the Bitcoin Discussion topic because I'm interested in discussing the practicality of this as an idea, more so than the existence of this as a "product for sale".  Most people aren't going to buy it - it is priced out of reach for most buyers mainly due to the overhead in customizing each one, but might make a lot of sense for an institutional buyer of bitcoins who needs an idiot-proof way to store a lot of bitcoins in a vault, or someone who wanted to buy a batch of them.

https://en.bitcoin.it/w/images/en/thumb/d/da/Casascius_2factor_savings_bar.jpg/800px-Casascius_2factor_savings_bar.jpg

This is pretty cool!

With all the scams lately, this new two-factor implementation should help return trust to some parts of Bitcoin where it's been lost.

Hmm, why are you doing stuff with EC math directly rather than using OP_CHECKMULTISIG? The latter is much easier to verify as correct.

clickable link: https://www.casascius.com/2factor/

I like it!
The concept is nice, surely with a lot of possibilities!

So, to simplify and sum up:
- You receive the public key pub1 from your customer. He keeps his corresponding private key priv1 secret
- You generate public key pub3, and engrave/laser/print it onto the coin
- You insert the private key priv2 into the coin

- Customer may create the corresponding priv3 which belongs to pub3, if he knows priv1 (which he created) and priv2 (which is in the coin)

So the customer still has to secure a piece of paper (with priv1) somewhere.
What exactly is the benefit of the coin? You lose the printout, you lose it all. Just like before, when people may use a paperwallet.
The benefit of the original Casascius coin was, for me, to have the funds in a, well, coin? Which may or may not be more robust and easy to lose than a printout..

Don't get me wrong, I am still wrapping my mind around this! I see it as a tool, a concept, where many great things can evolve from!

Ente

Can you post a picture front/back of the 10BTC silver coin with 1oz of silver? Who mints the silver?

I downloaded the btcaddress utility but I dont see how to use the keycombiner. There is a source.zip file in the main btcaddress.zip
Do i have to unpack both in the same folder? How to start the combiner?

Is there a way that's easier for the non-technical buyer to verify as correct?  Last time I revisited multisig transactions, they had to be constructed in hexadecimal using bitcoind and RPC calls, but I could be behind the times on this.  The buyer sophisticated enough to do this may well just manage his own wallet - the imagined typical buyer for an item like this is non-technical and prefers to have some sort of legal recourse that it performs as expected and then trust me in that respect.

The non-technical buyer has the option to verify that my public key times his private key also yields the same bitcoin address with my utility.

I agree that multisig is fundamentally better - it adds ways to take away the possibility that he gets scammed by malware while combining his two keys and allows outsourcing of part of the process without compromising security.


This is more a functional proof of concept.

Here might be a perfect prototypical use:  A charity wants to accept bitcoin donations, but the executives or controller don't want to delegate any ability to touch or handle money, but also aren't technically oriented.  They shove a 2-factor physical coin in the safe and publish the address as the "we accept bitcoins" donation address, not wanting to deal with any technical challenges involved in accepting Bitcoins today, but aware that if they start receiving large donations on it, they know they can figure out a way to get them off (even if it's sending it via overnight courier to FastCash4Bitcoins or BitPay and getting money in their bank).  In their mind, they're buying a pre-made bitcoin "account".

If I were to produce a presentation box for this bar (sort of like I have for the silver coins) where the box itself had a slot for the piece of paper, then keeping them together would be much more sensible.  Ditto if I were to make a new version of the piece that fit the profile of an off-the-shelf presentation box (e.g. something in the form factor of my silver coin, but made of cheaper gold-plated metal like my 25BTC coin, where the user could stuff that extra piece of paper into the acrylic capsule).  In such an event, I could provide the utility that pre-printed THEIR private key on a round piece of paper they cut out and shove into the capsule, or try to provide for others to do the same (e.g. get BitAddress to add private QR code to the vanity page so a buyer could cut it out).

Finally there is no reason their private key even has to be a randomly generated key.  It could be a password/passphrase turned into a private key with a very expensive KDF.  Since redeeming the bar is a once-in-a-blue-moon event, the KDF could be chosen to need seconds or minutes to run, providing reasonable security even without requiring brainwallet-quality passphrases.  (the space of potential attackers is pretty small - 1 - me)


It's in btcaddress-alpha.zip.  btcaddress.zip is a more stable release lacking this functionality.  I'd like to do some more testing on it before seriously telling people "go put 1000's of BTC's on an address relying on the output of this mostly untested program".

Maybe the next version can have two spots on the 'physical token' to secure the two halves of the partial key?  Another option would be
to use two physical tokens so they can be separated.  Imagine two similar bars but each one clearly marked a Partial Key A and Partial Key B.  If you want to get fancy it could even have a artistic design spread across both bars.  Put the two bars in separate locations and it would require compromise of both locations for the thief to gain access to funds.  Since each half bar is worthless by itself maybe include a "REWARD IF FOUND - No questions asked Call 1-800-xxx-xxxx for more information" stamped on the back of the token.


Nice to see casascius is still innovating!  Keep up the good work casascius.

maybe, you could make a spot for a second hologram sticker and send this sticker separately (maybe, a 2x5cm stripe). then, the receiver could print and attach the private key by him/her self.

I don't think Casascius would want to provide a second hologram.  The hologram is an assurance that only Casascius had access to the private key.  If you trust the hologram is authentic/untampered and you trust Casascius then you can trust the security of the key.  It should never be affixed to any key that Casascius can't "guarantee".

A scammer could put a fake key (or no key at all) under the hologram and try to resell the brick to an unsuspecting customer.  The combined public key will show the brick is funded but the new customer won't have access to them and the scammer could then ransom the real private key.  

One option would be to leave a standard label height stripe indentation that is long enough for a label with private key to fit.  Customer could then print the second "half-key" on a normal label printer and affix it to the brick.  Technically customer could do this now it would just look a little more professional.

nice work Mike.  great idea!

Here is an example of how I could do it with an existing coin: by laser engraving on the hologram itself.

https://en.bitcoin.it/w/images/en/thumb/3/3d/Casascius_2factor_silver_coin.jpg/450px-Casascius_2factor_silver_coin.jpg

The private key paper would go in the presentation box.  I could tweak my banknote printer to print special artwork for this purpose, and print the pubkey on the left side in place of the bitcoin address.  As you can see in my example, I just put one of my existing printable banknotes in there just as a demonstration.

The inner surfaces of the presentation boxes actually come out, and they are hollow inside, making it very easy to wedge documents in the void spaces.  Also, I can laser-engrave information on the acrylic capsule itself, such as the casascius.com/2factor URL.

This may not make huge sense on a 10 BTC silver coin, but on a 1000 BTC gold coin it makes a LOT of sense, and I'm willing to throw the 2nd factor in to the price (gold coin is already custom work as it is).

bravo!

your products truly are exceptional :)

I just cried a little. That coin is beautiful!

Very nice dude

Is this technically 2-factor?  It seems to me to simply be two of the same factor.

Or am I missing something...

You know those pairs of necklaces where the two pendants fit together to form a heart that says "Best Friends"? Who doesn't love those? I think that should be the model.

Why is this better than me sending you a bitcoin address to send coins to? I still have to keep the privkey

One of the simplest ways I could bring practical 2-factor to the masses is to just start including public keys on paper QR codes with my coins.  

Then, someone could use a 1 BTC coin as the "second factor" for any number of paper wallets they print themselves.

Given a public key, I could also offer to provide (sell) a certificate that gives a bitcoin address and certifies that "your key" plus the key in "this coin" results in the private key for "this address".  (I'd charge for this mainly because I would have to hand-type a pre-printed private key into a computer in order to produce it, before making a coin with it)

I kept the public keys for my series 2 coins on a flash drive (though I'm not entirely sure where, so don't quote me on this yet).  I don't want to publish the public keys for the whole set into the wild, but would entertain requests for public keys for single coins for those who would like to use a coin for this purpose.

(I only have public keys for series 2 coins in my most recent batch where I thought to keep them for this very purpose - the ones that start with 1ca, 1cc, 1cs, 1ag, etc.)

It's better if you're someone who isn't a computer expert and you want to hold some bitcoins but you want to outsource all of the risk management to a neutral third party without leaving them in a position to scam you.

Imagine you're a hedge fund manager and you decide you want to acquire some bitcoins on behalf of your clients but are hesitant because you're not sure how or you're afraid you might lose your clients' funds due to a technical error.  Buying a $50 bitcoin wallet that comes with a warranty and solves all of those problems is a great solution to a person like that.  They would still have to generate a key, but the average person should have no problem visiting a web page, printing it out, stashing it securely, and faxing me the half I need to produce their piece.

I don't understand the math:
Is there a way to prove that the funded address is correct, without having to actually put the two private keys together?

Yes, if I provide the public key corresponding to what's inside the coin, and you combine it with your private key.

Either Public Key + Other Private Key => Combined Public Key and Bitcoin Address

Private Key + Other Private Key => Combined Private Key, Public Key, and Bitcoin Address

Casascius' work is definitely a gain for the community.

But that doesn't prove that the private address under the sticker is the correct one.  For that, you have to place trust in the manufacturing process. 

I would almost say that the codes on the coin should all be viewable such that the person buying them can verify that all of the codes are readable and correct before loading them with funds.  The objective of these coins is that you can secure the coin and the second private key separately (such that it would be worthless for someone possessing one without the other), so I don't think concealing the private key on the coin is important for this use case.  The possessor of the coins would presumably secure these coins themselves (concealing all the information on them) since they aren't really designed for commerce.

Can the second private key be one derived from a memorized password and the public key (or hash of it) on a coin?  You want to mix the password with something from the coin such that the second private key is unique for every coin.  That would make this a true two factor coin where you need a secret that you possess (the private key on the coin) and a secret that you know (the memorized password that can be used with codes on the coin to generate the second private key).

Lastly, I think you may want to consider making these in a different form factor…instead of a coin, use thick card stock where you can print instructions on it.  You could deliver the pre-printed cards with the address and private keys printed on them and easily readable and verifiable by the buyer.  Once verified, the buyer could fold the card, hiding the private key and affix some kind of tamper evident seal.  From that point forward, the buyer has confidence that the codes on the card are correct and that any funds sent to the address can be successfully redeemed.  People might even want to buy multiple copies of each card such that they can store them in multiple locations to mitigate the risk of theft or damage.

For the gold bar, I used a non-windowed sticker, mainly with the thought that I don't want someone accidentally thinking they should send BTC to the visible firstbits.  But then I thought of another idea: if I were to do another one like this, I'd black out the first three characters (so for example instead of seeing "1Cs55Txg" one might see just "55Txg").  This would be enough to identify, at the very least, that I have put the "correct" key circle under the sticker, removing one major human element out of the trust equation, and limiting it to whether the key circles were printed correctly (something I have a very high degree of confidence in, since I produced them with an overkill of caution every step of the way, and I don't lose any sleep over the thought of putting 1000 BTC on one).

If I sold a $50 gold plated brick, part of what is being bought and sold is my assertion and warranty that the private key I say I put under the sticker is really there and corresponds to the public key I say it does, which I could offer in writing.  If sold to an institutional buyer, their interest may not be so much in the ability to verify the bar as correctly produced, but the fact that they have a place to point a finger and an avenue for recourse if anything were to go wrong.


Absolutely.  And it's probably a better way to go, as well as having a little bit looser requirements than a strict brainwallet, since I'm the only possible attacker they need protection from, rather than a whole world's worth of GPU crackers.


In essence, I've just about already done this, with the right price tag to boot: free.  You have described the equivalent of my banknote printer program downloadable at https://casascius.com/btcaddress.zip.  It already supports producing password-protected banknotes.  Simply print on cardstock and add a tamper-evident sticker and you have it now.

Yes, that's all true, but if it's not adding anything to the security or usability, then why introduce this additional bit of counter party risk?  A prudent user of your service would need to factor in the odds that you might screw up a coin as well as the likelihood of recovering the lost funds.  And you would need to place some caps on the liability (what if someone loaded $10 million worth of bitcoins onto a faulty coin?  would you cover that loss?).

Why introduce the risk?  Because it's the product the customer wants to buy, the reason they'd want to spend $50 on something they could print themselves for free with a web browser.  A rational user of my service will consider that given a strong incentive to make sure I produced a functioning piece and no incentive to not do so, the likelihood that I will do so is overwhelmingly high.

I am not worrying that someone loads $10 million on to a faulty bar, because if I'm going to offer a warranty like that, I can choose to be careful enough to make sure the item isn't faulty.  It's just a piece of paper with two numbers on it, one of which is partially visible and can be independently verified.  Unlike an electronic gadget or product that does something, it's not likely to fail in any manner that could be considered my fault.  The only thing I had to be absolutely sure of is that what is printed on the front matches what's printed on the back and that I haven't been sloppy with copies.  I can't warrant that the piece is uncrackable or that it isn't vulnerable to some sort of high-tech imaging or whatever, but I can warrant that I put in it what I said I did and that it was good at the time of delivery.

Of course, I'm more willing to offer that on the series 2 windowed items rather than the ones that are completely covered.  Granted, there's maybe a 1/1000 or 1/5000 chance that despite printing everything in sequential order to keep it as simple as possible, I simply put the wrong private key inside a series 1 coin.  This error could occur simply because the label and key has to be matched by sight and human error rate is never zero, a risk that is still mitigated in practice by the most likely error being a transposition and that the wrong key still has 1 BTC on it.  But on the series 2 coins, that risk doesn't exist, or at least is fully within my control.

Restaurant owners have it worse.  On any given day, some 16-year-old new-hire could decide to play a vicious prank without thinking through the consequences and put something in a taco that turns somebody into a vegetable and runs up $10 million in medical expenses, pain, suffering, attorney bills, negative PR, and lost business.  They are exposed to this risk again and again each day they do business (though naturally they buy insurance for the part of it that they can be billed for).  My exposure was limited to spending 1 day designing and printing less than 100 sheets of paper and hand-inspecting each one to make sure each sheet satisfied a list of criteria to assure me each key was safe to put money on before placing the sheets into a laser cutter and turning them into circles.  The next time I need to print more, I'll probably block off another whole day to do it, just to give myself the means to know I did it right.

EDIT: here is another way to put it, while still acknowledging that the error rate is nonzero (assuming, for example, a cosmic ray could flip a bit in my printer and make it print the wrong thing - or that I could make a mistake no matter how careful I was and how much thought I put into it):

if it's a $50 product, let's assume my profit is half, and the typical clearly-my-fault major error could be a $50,000 liability.  (that's not to discount that $10M is possible, but it's probably on the high end of the spectrum, and quite honestly, someone with a $10M budget for bitcoins will probably do more due diligence than just buying and loading my bar and will probably employ someone to manage them).  That means I would have to sell 2000 bars to absorb the losses of one bad bar.  If I think my risk of making a faulty bar is much less than 2000:1, then selling bars for $50 should be a great bet for me to make.

Meanwhile, I haven't drafted that kind of document that would constitute any such "warranty", but if I were to put a specific dollar amount on it, I'd be limiting my liability at the same time offering some sort of meaningful guarantee.  Bottom line is though, I believe I can produce those bars with enough accuracy that it would be like selling life insurance to the immortal: profitable no matter what price is charged.  It is a guarantee I believe I will never have to pay out on.

This hasn't been answered directly, I think: The benefit is that - as opposed to the situation with the normal coins - casascius has no incentive to keep the private key... in fact he doesn't have it. The only thing he could do to screw the customer over would be to omit the half of the key he generated from the coin (or put a wrong key-half into the coin). The incentive for this is negative: he wouldn't gain access to the funds (as he could with "traditional" coins).

So this coin is more secure against theft by Mike, but less secure against loss by loss of key.

;tldr: benefit of this coin is: casascius can't steal your money.

I have recently improved this by introducing BIP 38 and a working proof-of-concept implementation of it.

https://en.bitcoin.it/wiki/BIP_0038

Instead of keeping a whole private key (51+ characters), you can instead keep just the password/passphrase of your choice, which serves as the second factor.

This is a whole lot easier to keep around.  You can engrave it on a gold-plated bar, or include it on a small card inside the presentation box of a gold coin.  Best yet, it uses a very slow variant of "scrypt", so even an 8 character password will provide a decent amount of security.  It only has to be kept secret from the maker of the coin (me), and can be publicly displayed to everyone else...  A Bitcoin-related phrase could be used as a passphrase that displays well, such as "Money of the 21st century"

help me please
need get address of the private key


now
SKhHHQLDkHsAniFW2MRyVw9jwDDkKx
SHA256( ): ae172028e80ef37d3e01906ccd05441946c3efa9e4532ab20f5a6e25ce293840
sha256(?): 0057497a02482464d757500773d3d2c26badbcd94d5081d1cff9ea7c16fd2175
Validated.

need
SKhHHQLDkHsAniFW2MRyVw9jwDDkKx
SHA256( ): ae172028e80ef37d3e01906ccd05441946c3efa9e4532ab20f5a6e25ce293840
sha256(?): 0057497a02482464d757500773d3d2c26badbcd94d5081d1cff9ea7c16fd2175
Address: 17bYqJpPz3huoXuz6Dx6iLejuAHA2k2q3H
Validated.