Bitcoin Forum

I thought of a way where someone could order physical bitcoins without any risk of loss in the mail.  I have never had any of my shipments lost, but of course it is always possible.  And the obvious solutions aren't easy.

• If I send funded bitcoins and they get lost, they're gone.
• If I send funded bitcoins and they don't get lost, the recipient could claim they were lost.
• If I send unfunded bitcoins and they get lost, someone out there (a postman) will have unfunded coins.  Unfunded coins are a problem because it makes it impossible to accept coins without checking block explorer - defeating the purpose of the whole series of coins.
• If I send unfunded bitcoins and they don't get lost, recipient could claim they were lost and ask for a replacement, but then they would have unfunded coins.
• If I send funded bitcoins but keep private keys, none of the problems are solved.  I could take back the funds, but then there's an unfunded piece somewhere.
• The very idea that I could keep private keys scares buyers of large value bitcoins.  It would also be nice to have physical bitcoins produced by two parties, so the buyer doesn't have to worry about the possibility of manufacturer scams.

I thought of "binary bitcoins" as an idea.  Basically, this would be a physical bitcoin in two parts, neither of which is the complete physical bitcoin.  For example, I could come up with a gold bar that has a hologram like normal, but also on the bottom, a precisely hollowed out spot that would accept, and permanently hold, a coin-shaped object, which would be an activation token with the 2nd key.  The bar could have a serial number (XYZ123) and lasered text to clearly indicate that the bar has no value without the matching hologrammed brass activation token, also bearing the same serial number (XYZ123) lasered on its face.

1.  I, and some other trusted party, would each generate a private key, and then calculate the bitcoin address of the combined key using only the public keys, and EC addition.  So nobody has the full private key.
2.  I would send out the piece with my half of the key.
3.  When the recipient said the bar arrived, the other trusted party would send out the activation token with his half of the key.
4.  When the recipient said the token arrived, he would "snap" it into the dugout on the gold bar, so it would permanently stay there.  At that point, I would fund the address calculated in step 1.

If the recipient says the bar didn't arrive, I could simply send a new bar with a different address.  The risk of loss becomes limited to the value of the unfunded bar.  Wherever the first bar ended up, whether a postal worker or a dishonest buyer, it would never become complete.

If the recipient says the token didn't arrive, as many duplicates as necessary would be sent.

Neither part has any Bitcoin value for customs purposes, and it doesn't really matter if customs seizes it.  Neither part should be mistakable for a complete item.

With this scheme, the buyer is assured that no mailman or customs agent can steal his bitcoins.  And no manufacturer can steal his bitcoins either, once he has had his bar funded.

I don't see an issue with trust. I would rather see more anti-forgery ideas than concern about adding an appeal to authority as a trust issue. Face it, when Bitcoin becomes quite valuable, all trust will be lost in a physical Bitcoin that is originated by a third-party. I like the spirit of what you are doing by creating aesthetically pleasing off-line Bitcoins, but think your POS idea is more sound for secure Bitcoin transactions.


This scheme seems secure enough.

* bold added.

Can you make a do-it-yourself tamper-resistant connection? Even if so, anyone accepting the combined pieces would have to verify each and the sum, which seems even more annoying than checking a single physical coin sealed by you. Say I buy two of your coins and swap tokens, either by mistake, or maliciously. I agree with Cbeast that if bitcoin goes mainstream, physical bitcoin will be a novel collector item at best, an untrusted nuance at worst. That does not mean I have not considered giving one to every one in my family for Christmas.

The bar and the coin each have a clearly visible serial number, and the combination will only be accepted if the serial numbers match. The manufacturers of the bar and the coin make sure to be synchronized between them so that matching items indeed can be use to redeem the address.

I'm not so sure. Physical currency is convenient for some people/applications. If they can be manufactured cheaply enough and with a small enough form factor (maybe so much so that they can only be redeemed by dedicated machines) and the trust issue is solved by multiple partial keys, they'll find a use.

In NYC we saw a demo of bitbar, a bar holding a private key in the form of rotatable magnetic elements. I wonder if these can be used instead of printed keys and holograms.

The scheme is secure enough only if eventual arrival is a guaranteed certainty. Unfortunately it is not.

If ordering a few 1 BTC coins, the risk of loss is not a big deal.  If you are buying a 1000 BTC bar, the risk of its non arrival is not insignificant.  In fact, I will bet it is a deterrent to even buying one.  And people do think I could steal it, that I might be more motivated to steal a big ticket bar, because it would be both more lucrative and less provable if I did so only occasionally. I am still a stranger and some of these orders get very large.

I certainly appreciate that you find me trustworthy. While I agree I have acted in a way to deserve it, a product that does not require trusting me, or limits peoples exposure even to me, is a higher quality product. If this scheme works, others can make trustworthy coins too, which enables competition, driving cost down and quality up.

I believe serial numbers from multiple parties, multiple keys, multiple issues, etc only confuses the bitcoin brand and will certainly lead to future breaches of trust. Physical bitcoins are a reverse abstraction, that may facilitate understanding and trust among our more pedestrian members of the info highway in the short term, but the physical abstraction are in fact far less secure than the real thing, and some perhaps large fraction of the competition will undoubtedly fail. Mike is in an enviable position to be a single (or one among a few) trusted sources of physical bitcoins. I do not hope for inferior competition.

I understand why you want something like this for large bitcoin bullion via post. I just don't think the idea can be easily copied without confusion. I would recommend instead Mike, that you franchise your brand. I think the competition would appreciate it. If I want to sell tupilak-coins, then I can buy and embed the token from you. If customers prefer (or even understand) tokens received in an escrow hand-shake postal protocol, all the power to them. I more expect they'll just buy the items and think (oh bonus, it comes with a Casascius bitcoin!).

Large bullion is the only way it would make sense.

On the other hand, large bullion is selling.  Memory Dealers is popping out those 100 BTC bars left and right, and my guess is it's because it represents an easy opportunity for non-technical people to get involved in Bitcoin just by clicking "buy now".  I wouldn't worry about a dual handshake scheme for their buyers, because more likely than not, they aren't even aware of the security implications, but are aware of their legal/chargeback recourse if there were a breach of trust, and that is good enough for them.  (It's a privilege they are paying for in that markup!)

Now that I just dangled a picture of the 1000 BTC bar, it is suddenly starting to sell.  I wouldn't say like mad or anything.  But it's attracted interest not just on Memory Dealers, but from Bitcoin community members who already are sitting on 1000's of BTC, and wouldn't mind dressing them up.  Those people are the ones the most aware of what the risks entail, the ones least interested in paying Visa/Mastercard a 13% markup on the 1000 BTC itself to acquire the bar, and would be the ones most interested in participating in a dual key scheme so their assets are protected.

It's so simple!

User instructions:

1. Buy bar
2. Tell us when it arrives, then we send you a token
3. When the token arrives, snap it into the slot on the bar
4. Let us know if anything doesn't arrive so we can replace it.

So simple!

Redemption:
1. Peel the hologram and enter the code as you do now
2. Also enter the code on the token.  The redeemer program/site already knows to ask for it.

...or you can just insure your packages.

...which drives up the shipping price, especially for international shipments...and is likely to be unclaimable anyway.

The following claims are considered to be non-payable by the USPS.
From the Domestic Mail Manual:

S010 Indemnity Claims
2.14 Nonpayable Claims

Indemnity is not paid for collect on delivery (COD), insured, or registered service or for Express Mail in these situations:

...
r. Negotiable items (defined as instruments that can be converted to cash without resort to forgery), currency, or bullion valued in total at more than $15 per shipment sent by Express Mail, except under 2.12c.
...


A simple technological means to prevent the eventual accident is always going to be better than paying for insurance to spread the cost of the accident among all the customers.

Common carriers sometimes already consider Bitcoins to be "currency", and they are definitely negotiable items.  There would be no recourse in collecting on an insurance claim.  It is clearly excluded.  FedEx recently returned a shipment of Bitcoins to the shipper because it said on the invoice it contained bitcoins and "we do not ship currency".

...which drives up the shipping price, especially for international shipments...and is likely to be unclaimable anyway.

The following claims are considered to be non-payable by the USPS.

From the Domestic Mail Manual:
A simple technological means to prevent the eventual accident is always going to be better than paying for insurance to spread the cost of the accident among all the customers.

Common carriers sometimes already consider Bitcoins to be "currency", and they are definitely negotiable items.  There would be no recourse in collecting on an insurance claim.  It is clearly excluded.  FedEx recently returned a shipment of Bitcoins to the shipper because it said on the invoice it contained bitcoins and "we do not ship currency".

Hm, very interesting. You do have something here it seems.

That is a fantastic thing to hear!   It means Bitcoin is getting name recognition if nothing else.

Crikey though ... if package delivery companies like FedEx won't allow bitcoin to be shipped, that could cause a few headaches going forward.

Just don't declare it as bitcoin on the shipping documentation and you'll be fine. That is what had happened in this case.

Reveal the mystery

http://www.youtube.com/watch?v=YAWqzRBG5tY&feature=related

Join the revo .... Electrantic-artica

http://www.facebook.com/#!/profile.php?id=100002154160776

She's good for bitcoin, she just doesn't know it yet.

I like it, and the idea makes me more likely to buy larger bitcoin bars.

Anyone who doesn't like it, or thinks it's confusing, can simply not buy it, possibly buying the "single authority" style instead, if it's an option.

The market will decide if this is a worthy method. And for the record, it will do so regardless of whether or not Casascius is the one selling physical bitcoins using this method.

One of the more painful aspects of importing from the US for us Europeans is the customs duty payable.
I have imported ultralight gear from the US and the duty plus post charge can add another 20% to the price.

I think if you are shipping 'pretty pieces of metal' of nominal value then the recipient would have little customs to pay, if any.

Similarly the snap-in tokens, by themselves, are 'worthless'.

With the two part private key like you described, you wouldn't be shipping bitcoins... just part of the physical bitcoin wallet.

I think you would want the material of the token and the main coin to be the either the same, or at least materials with *very* similar coefficients of thermal expansion.

You would not want the tokens falling out in either hot or cold climates (or if someone accidentally puts it in a boil wash). 

This thread has convinced me not to invest further in physical bitcoins.  One of the best features of bitcoin is that you can back up your private keys.  The original Casascius coin guarantees there will only ever be one copy of a private key- in order to make the coin act like physical property.  This was novel, for a while, and the coins are beautiful.  Now the idea of taking a key and breaking it in two pieces, such that if one is lost, the value is lost, just makes the coin even weaker. 
I'm not talking about during shipping, but after both parts are received, I assume Casascius would destroy any remaining copies.

What do you think about going the other direction?  I would be interested in "twin coin" issue- where there are only ever exactly 2 copies of the private key, stored under holograms, and clearly marked that either one of the two will allow redeeming the full value.  Each coin with the same key would indicate it was unique by some graphic (left/right halves of an image) or code (simply numbering them would be enough - such as "copy 1 of 2" and "copy 2 of 2").  It's still not as good as a digital bitcoin since you can't make unlimited copies of the key.  But it may be useful to someone.

I like the concept, though it does not resolve this problem:


The recient can still wait for two pieces to arrive, snap them together, then claim neither piece arrived. To be trusted, physical coins should always be checked against the block-chain. In fact, to be truly trusted, they would be single-use.

This scheme also does not prevent collusion among the manufacturers known or not. If both manufacturers are using the same brand of printer with remote update capabilities, the printer manufacturer may be able to steal the bitcoins (for example).

I think ulimately, physical bitcoins are going to end up working more like checks. We just need a relatively simple, tamper evident way of hiding the secret key (The 'Bitbills' design (https://bitcointalk.org/index.php?topic=7724.0) is almost ideal for this)

The second piece won't be sent until the recipient has confirmed receipt of the first one, so that can't happen.


It doesn't.  But that's a much smaller risk than one manufacturer cheating (which could happen if, for example, manufacturer really kept the private keys, and fell on hard times or was somehow robbed or coerced into giving them up).

The likelihood of a printer manufacturer stealing bitcoins by manufacturing rogue firmware that steals people's print jobs is astronomically low.  Having your HP printer send a "mystery file" to HP's servers every time you print (and the mystery file just magically matching the size of each print job) is something that would be noticed by sysadmins in minutes.  It would be all over the press the same day.  They would probably have an easier time just guessing private keys.  Besides, I print these on an inkjet printer via USB and no internet connection, so this issue is moot.


Yeah, or maybe someone can make coins with embedded tamper evident holograms.

That makes in unprofitable to cheat, not impossible.

Edit: If the recipient does not check that the serial number on the bar matches the expected number, it is possible to for a postal worker to profitably assemble an empty bar:

• Postal worker C  intercepts bar sent to recipient A. Recipient A receives a new bar with a new number.
• Optionally, postal worker C sells intercepted bar on black market to postal worker D.
• Postal worker D intercepts bar sent to recipient B; replaces it with bar intended for recipient A.
• Recipient B, without checking the number, confirms receipt of bar.
• Postal worker D intercepts the key intended for recipient B, and now has a complete, unloaded bar.
• Recipient B requests a new key. Meanwhile, Postal worker D sells unloaded bar on black market.
• When new key arrives, recipient B complains the serial numbers don't match.

Edit2: seems unlikely when I lay it out like that....


The dumber the printer, the better in this case. Yes, was refering to the printers I heard about that can automatically print from e-mail. Remember, your two-token scheme is being used for high value bars. If the printer is running a full-blown OS, it can simply send the private keys (in a nightly batch with the update check) without sending the whole print job. With PCL or Postscript, OCR is not even needed ;)


I was thinking something less coarse: the user would print off 2.379 BTC if that was how much they wanted to send, for example (this point is probably off-topic any way).