Bitcoin Forum

In an attempt of removing the need to have to trust physical coin makers in generating private keys, I wanted to share the following...

In 2014-2015 I'd been contacted by Mike Caldwell and we had a few discussions on how to remove trust from loaded physical collectibles. We went back and forth a bit. In the end the discussion ended with the following possible solutions.

I approached several coin makers back then including Mike and all of them either did not get back to me or declined being involved with altogether what I’ve outlined below:

IDEA #1 - 2-factor keys generated by TWO trusted parties. Downside you need both parties to be 100% correct in their math to execute this.

IDEA #2 - 2-of-3 multisig with keys generated by THREE trusted parties. Downside you need to trust one of the other two parties did their math and key generation correctly.

The idea was to use a 2-factor or 2 or 3 multisig coin where multiple parties would create part of a key that would be added to the overall physical coin secured under each of our respective holograms.

Assuming it is a 2 of 3 multisig coin, then if one party wanted to scam, they would require at least one other person (i.e. 2 of 3 parties) to sweep/move the funds.

There is a possible downside. Not 100% sure how likely if things are tested correctly. If one party or more does their math wrong or doesn’t put the correct piece of the key on the coin, that can mess up the validity of the coin.

You can do everything on your end (like myself) but I would have to trust that the other parties involved actually did put the correct key on to the coin securely and that their math was done correctly.

This would be as close to a removal of trust from the key producers from scamming as possible.

As more ideas and items come up in this discussion I will collect them here in OP here.


Looking forward to hearing all of your thoughts, any and all.

 BIP 38 private keys possibly like ballet does it?

  One would need to generate the private key and not know the password and vice versa

  So two separate entities.

  Again ...trust is an issue here as the parties involved hopefully do not scheme together

Thank you,

Either this, or the customer DIY collectible route (or doing literally everything).

Part of me would like to see this 'as a service'. Which would have logistical and practical issues (shipping, stickers, etc).
Am a small fry, but would be nice to focus on (silver)work instead of doing everything.

Clay

I'm not familiar with BIP 38 specifically.

You would generate one third (1/3) of the key, second party does the same, third party the same.

Only two of those three keys generated would be needed to redeem the funds.

This is of course assuming you have three "trusted" parties with the same goal in mind.

Just as a n00b i could imagine a system where a private key is locked to an owner. It is solidified by a unique code that is created, when the pk is created. You need this code to crack the pk open. Whenever the owner switches, it will pass on its unique code, which then can be changed by the new owner for a new unique code. Its basically a password to get to the funds, which only the owner has access/ownership to.

Anyway, back to the belgian beer tasting we go, peace🍺🤗

The "not doing" everything route assumes you trust all of the other parties.

I'm assuming you are speaking as a coin maker?

   I think your talking of multisig wallets.

   I have made bip38 coins

    There is also Shamir's secret shares that I also did

    But there is always the weak link of humans involved

 You can see the various coin ideas I made here

https://bitcointalk.org/index.php?topic=5389190.msg59485933#msg59485933

https://bitcointalk.org/index.php?topic=5412935.0

Yes, as a maker. No coins though; handmade (funded / unfunded) silver objects.

The trust would be towards the other parties (as a service).

Yes multisig.

Yes humans are imperfect beings.

I'm unfamiliar with Shamir's secret shares. Do explain please.

Does bip38 coins allow the owner to successfully transfer ownership to another party should they want to sell it? Or is it the same as 2FA where you have a password and basically half the key to access the funds?

Oh okay I see.

Personally I would not be in favor of making it a service for other coin makers unless they were directly involved with assisting with the key generation process I was involved in for a multisig coin. There may be a market for this, not something I would likely get involved with personally.

Having skin in the game may make people less willing to scam.

A scammer would have to convince one of the other two parties to scam with them in order to be successful.

   Smoothie....I'm doing this on my cell so not at my computer
   Shamir's secret is all explained here on coins that I made
 https://bitcointalk.org/index.php?topic=5389190.msg59485933#msg59485933

    With the BIP38 the coin in my opinion would need to have two halos. One for the password and the other for the private key. You would need to have one person apply the private key under one holo and the other do the password under the other Holo and those people are not be next to each other whilst doing or even better...far away

     The program would be as such only one person can have access to the opriv key and the other just the password. One is useless without the other

  Or two coins...one with the priv key and the other with the password..I have made such coins as well
    

The 'service' would consist of two or three parties like you suggested.
It's like asking Ballet to make the keys for your coins (believe they do BIP38 with two different entities under the Ballet umbrella).

yes I follow you 100%.

I would just not be in favor of selling it as a service (personally for myself being involved in such an endeavor) if the parties I'm making multi-sig keys with would be selling it as a service to another coin maker that is not directly involved with being part of the key gen process.

There might be a market out there for it and perhaps others who would likely go along with making such a service available.

Personally not for me.


I'm not familiar with Ballet's key gen process but if the same entity (under the same umbrella) is making 2FA or multisig coin keys, I'm not sure how that works to speak on the matter with any accuracy.

Seems like a conflict if two parties associated with the same entity are making all parts of the overall key that allows redemption of funds and selling it as a 2FA key or multi-sig coin.

I can't speak on Ballet's process as I'm too uninformed to make any judgements.

We're working on an overhaul as well. I'll post an update soon.

We definitely need to solve the problem of pk trust in the physical crypto space.

Currently, nothing is stopping a maker from keeping a copy of all the private keys generated as a "just in case"

https://bitcointalk.org/index.php?topic=5434764.0

I would suggest to have a look into this idea proposed by @gbianchi.

long story short:
- Multisignature 2 of 2 (1 customer / 1 producer)
- Collectibles must be "broken" to access directly to private key made by producer.

even if there are some weakness and disadvantage it is a nice update/idea... I'm curious to read your comments and ideas about it...

Love the write up!

Great idea yes. This would apply to tech savvy collectors it would seem and not the average non-techie collector.

I'll read it again later and respond with additional thoughts/comments.

QUESTION: Are there any physical coin creators that would be willing to contribute to the process of creating a physical collectible where they would create a portion of the key in a multi-sig coin that would collaborate with other physical coin creators?

Requirement: At least 3 known and trusted physical coin creators would be needed to do a 2-of-3 multi-sig coin.

I can see why those who turned me down in 2014-2015 did not want to participate or just never got back to me. I'm also not 100% sure I would want to do such an endeavor as it would depend upon the terms & agreement and the outlined responsibilities of each party

Sounds like a lot of work.  :)

I posted in the thread that I started about the possibility of eliminating the human element.
digicoinuser uses opendimes: https://bitcointalk.org/index.php?topic=5354556.0

I know there was some resistance to it but I would like to keep exploring that idea.
If we take ourselves as flawed humans out of the entire loop would that be better?

There would probably be a bunch of things to be worked out, but it should probably be considered.
Along with the possibility of some kind of standard. Not sure what what it would be / how it would look.

=Dave

It does sound like a lot of work.

Trust is fragile, think the closest a maker can get to being trustworthy is by doxxing oneself.

Doxxed myself to some on this forum (to be findable / accountable to some extent for what I make), but not publicly.

But this has risks for the maker; talking about nutjobs, alamjobs or other nutters at your doorstep.

If I may ask, how did this affect you?
(sorry if this is out of bounds)

Yes, top of mind for future projects.
Current work would be difficult.

@smoothie, I recall you reaching out to me with this concept in 2014… yea it started getting a little too complex for me as my work has enough complexities as is... especially at that time. And working solo is always nice b/c you can go at your own pace.

@DaveF, I started exploring the idea of integrating Opendimes into my bars when they came out. The question that prevented me from going this direction is: How can you guarantee that the Opendime will be good in 100+ years? Or even 10 years.

I also considered a sculptural work that had let’s say ten Opendimes inside, where each would hold something like 0.1 BTC - to mitigate the risk a little.

And lately I've been looking into these Satschips as they’re much smaller, but still the same issue with a potential hardware failure.

In my minds eye I'm currently working on a concept that will be a DIY style piece but unique to what's currently on the market.

And perhaps as I transition to these DIY versions, it might make the previous versions that can hold bitcoin and be sold on the secondary market more valuable.

So yea, It's likely that the Kialara Builders will be the last pieces I created that will come loaded with public/private keys. I will confirm this soon. I do hope the issue of trust can somehow be solved... it's something I am thinking about all the time.

for bip38 and with having 2 entities involved with applying first the PK and then the pw - you would probably need two people somewhat close so as to not be paying a fortune to ship coins back and forth and without risk to losing them in the process.

there is the split key method https://en.bitcoin.it/wiki/Split-key_vanity_address

I apologize but someone here was working on it and at this time and moment, I cannot recall who it was.

another option is always offer DIY

The truth is, DIY coins are not as appealing as maker funded coins. Most collectors like to collect due to the potential upside in value of the pieces. DIY coins don't trade well since you have to trust the buyer who generated the private key instead of just the maker of the coin.

Yogg destroyed a coldkey collection worth over a million dollars for the $15k he has stolen so far. I suspect there will be more cases like this especially since a lot of new makers are entering the space and the price of BTC will rise

I'm happy to see smoothie taking initiative in finding a solution and I hope a solution that involves 2 trusted makers to work together can happen. Maybe smoothie and another trusted maker can work together and do what Ballet have done:

"To improve the security of Ballet Wallet private keys, the keys are encrypted – the key is generated and printed in China, while the required passphrase is generated and printed in the USA."

here is the deal with that - many of the coins are not actually "funded" by the maker. The maker has the buyer send funds to an address prior to shipment and then calls these "maker funded" and then they sell "buyer funded" where the buyer funds it when the receive it. There is no difference between these two scenarios - the buyer in both cases is directly funding the coin/collectible.

I do understand that not everyone wants to do their own keys though - so having a more secure way is a great idea.

Makers need to stop saving/keeping copies of the keys - use a system that puts the keys in RAM so when the machine is shut off the keys are gone - I have heard from some that do this.

Me personally, I dont save the fiile that comes out of the generator - I run the program copy the keys to a QR generator, copy that to a document and then print it - once done I close the document without saving, I close the programs without saving - essentially whatever I printed is all there is. I do typically do 2-3 of each address/key pair for in the situation I fuck up a holo. once the project is done, all remaining keys (good and peeled ones) are cross shredded and then burned. My system is airgapped - the wifi and bluetooth modules removed. I use disposable usb drives (made from paper) to update the laptop periodically - these are also cross shredded and burned after use and never ever go back to the online system. I also periodically replace the hard drive, drill it and burn it.

is there a chance that one time I could keep a key or two - sure.  But my face is known by many here - my name is known and my address is known.

There is not enough money in the world that would entice me - doing so would make me a marked man - I have too many kids and grandkids to go on the run lol

But I do get that this fear can still be there for some people. and a split key process or BIP38 or 2FA - something else would make it more secure.

It also makes the process longer and harder. Is it worth it?  and does it remove all the need to have trust?  hard to say...

See I'm BIP38 curious, please help me out! (https://bitcointalk.org/index.php?topic=1014202.0): $1000 wasn't enough motivation to crack password "zLwMiR" in 2 years time.

   I designed a stamp back in 2017 and loaded with 0.02 BTC. BIP38 encrypted...been onliine for 6 years now and the Bitcoin is still on it.

   Pretty secure design from the looks of it!  ;)

   https://crypto-stamps.com/

  https://talkimg.com/images/2023/05/14/blob45ec336a5c7bd422.png

The problem is of course that whoever created the encrypted key, has to know both private key and password. So it doesn't remove trust from the coin maker, unless the buyer of the coin provides the encrypted private key by himself. That means the buyer already has the private key and can sweep it without peeling, but it also means the buyer can't sell the coin again because the second buyer has to trust the first buyer.

  Your absolutely right and I was not implying that just by one person generating it solves the trust issue.

   However, if you were to trust two people then as I told Smoothie this is how I woud do it....  https://bitcointalk.org/index.php?topic=5434754.msg61596323#msg61596323

        With the BIP38 the coin in my opinion would need to have two halos. One for the password and the other for the private key. You would need to have one person apply the private key under one holo and the other do the password under the other Holo and those people are not be next to each other whilst doing or even better...far away

     The program would be as such only one person can have access to the opriv key and the other just the password. One is useless without the other

      Or two coins...one with the priv key and the other with the password..I have made such coins as well

   I am sure this code is very doable...we have Mr Robots here. Mike created BIP38 already...this would have to be done remotley from each other and in synch to generate a private BIP38 encrypted key to one person and the other would be the password issued person.

   Very doable. But then again its a matter of trust...but in this case you would need to have a failure from two people in instead of one!

Why not outsourcing key-production at all? This 2-factor and multi-sig solutions can work but come with their cons for less tech-affine producers and artists...

Some years ago I drafted a cold storage where key generation is basically outsourced to the most trusted producer I could find (in terms of accountability and liability) and I came across this: https://www.cardwallet.com/en/home/

In corporation with the Austrian state mint (they produce passports but AFAIK not the crypto stamps) which would transfer trust back to the state again -and I know how this sounds but hear me out- also liability) they developed an automated production process -no humans involved- and they have to be compliant with security standards...

The cards are customizable; IDK to which extent but by placing keys & QRs in a way so you can cut them out and insert into the collectible this made sense to me.

Price is a different story (€39.90 for a single pair of keys... puh) which would have been manageable for my planed run of 21 pieces.
But what if some manufacturers of collectibles work out a design-pattern which defines sizes, shapes, fonts, positions of all needed infos and do a customized run at the best producer of private keys we can find?

Edit.
New coin producers and artists who run small series could share the same security as producers of high numbered series while not being liable... bringing down costs further and I tend to believe that a state is easier to hold accountable for messing up than someone who can rug-pull you and hide in a hole.

Was chatting a lot with members here over the last days. Thinking about BIP 38 encryption, multisig, built in hardware...

As a non coin maker doing handmade, low output proof of work art pieces i thought about leaving holos and funding completely.

I can only speak for myself here of course. For me it's all about dedication, passion. What can be more beautiful than a rare piece of Bitcoin art in which 100s of hours of work got transfered.

Lifetime got spent, converted and saved in the Art

Good in theory... but now you are trusting 3 makers
And the logistics of this sound horrible

How about just let makers make their collectibles however they want.... keyed, keyless, DIY, whatever....
It just comes down to if you trust the maker... if not... don't buy the collectible

Can't we just make collectibles that are just that? why do they have to have keys? why do they have to be loaded?

"NOT YOUR KEYS, NOT YOUR COINS"

This still doesn't work.

Example:
BIP38 encrypted private key: 6PYW6YBemMMAdxWXFmo264SZjtVN5DW5hu2xeXVJyDA8S3v9NRTk1i7G1y
Password: bQ68SmCCNEuRBGx8
You're absolutely right: one is useless without the other. If you puth them under separate holograms, you'll need to peel both to redeem the coin.

But: I made both of them. I know the unencrypted private key is Kxj464nKCGk4qwdDWx1ribWSjttT3e9Y1qzFDYVQYvYJdQ2HyHS7 and there is no way to prevent this. It gives a fake sense of security at best, and it's impossible to avoid.

  Not if you have two people doing them separately.

  They would both need to try and scam you for it to work...instead of one person. One would not know the others keys or password

  But yes still a point of failure

Better have 2 different holograms then... what would prevent the 2nd person from peeling the first persons, taking the info and then reapplying that one and then their 2nd one??

Exactly what i think. Trustless Bitcoin art needs no priv keys & holos.

Trust one person or 3 or 50...does that make a big difference?

If someone trusts me i'm happy & will try to integrate a priv key & load an item. If not i'm doing the essential thing only...spending time doing Bitcoin art

Yes but with BIP38 private keys you don't need to use the password if you already know the unencrypted key. You only need it if you only know the encrypted one starting by 6P. It means the unencrypted one should be generated by a kind of blackbox that will destroy it after receiving the password and encrypting it into the 6P one.
People will need to trust this blackbox, this process and its robustness against possible hacks.
IMO it's more convenient and reliable to use 2 keys from a multisig wallet instead of a BIP38 key and a password.

That's impossible. You can't encrypt the private key without knowing both password and private key.

In that case, you need to trust whoever created the blackbox. I've thought of a scenario in which 3 trusted people work together to verify all equipment, create private keys, seal the holograms and destroy all other data, but giving more people access in the first place increases the risks again. Cameras can be very small and hidden.

  Dont think its impossible...I believe Ballet does it with their cards.

  And I am sure there are good programmers that can make this happen.

 

   Then it all boils down that even with one holo people can do exactly what you say if they create identical holograms which of course can be done easily.

I checked their website (https://www.ballet.com/whatisballet/), but couldn't find how they create it. Chances are someone has access.

Then you'll have to trust the programmers again. Maybe it can work, if you use (and verify) open source software that creates a random private key, creates a random password, encrypts the private key without showing it, verifies the decryption process, and then only prints the encrypted private key and password on different printers handled by different people.

Maybe a comparison would be how large exchanges handle their cold storage nowadays: after many hacks, there shouldn't be a single person within the company that has full access to any private keys on his own.

    Agree...their is always the human factor always.

     I will ask a Mr Robot if this is doable or not....but I figure the weakest link would be two people instead of one...which makes it a bit more secure.

    Again I prefered coins that are not buyer funded...but that's just me.

     But because of this fiasco that has changed my landscape

   

Yes I know Ballet is using BIP38 keys but I thought it was only a way to avoid being stolen by the manufacturer of the cards.

https://www.ballet.com/2FKG/#six

Well it seems they've found a way to generate an already encrypted 6P key that works with a random password from what I understand. Why they don't release the code they use? Why it's not open source?
They say they dont generate the 6P key in one step but they first generate an "intermediate code" of the 6P key before sending it to the manufacturer that will decode it into the final 6P key, print it and seal it.
But they are fully able to decode this "intermediate code" themselves if they want from what I understand and nobody can guarantee they has/will never done it.

With the same comment from my other post, I'm being a bit of an ass here not to be combative but to to make a point. Krogoth and mopar and probably a few others use a better grade of 'indestructible' paper for their keys. It should last 100 years. How do we know that some other people did not use the cheapest paper they could find and when you peel it in 2098 it's going to be so brittle and disintegrate into dust.

I don't know the raw cost of the satschips but you could in theory sole the issue like you said by using a few of them each holding a fraction of the funds. The other option, and I don't know if it's viable would be to have several of them setup as an x of y multisig. If they are low enough cost in bulk could you do a 2 of 5 and not really worry about it.




I think you are talking about WhyFly: https://bitcointalk.org/index.php?topic=5397602

-Dave

Yes! Whyfhy! He actually had me play with it when he was working on it a while back the name was just eluding me yesterday

As for the paper - yes that is very important - ask satslife the nightmare he had with an xmr coin a while back - luckily they did get if remedied and figured out but the key was literally falling apart/fading as he watched it - luckily he took pictures

I think it's good to explore ways to keep people honest.  That being said, personally, it has always seemed to me that people are willing to sacrifice some of their security for simplicity.  I thought about offering coins with the suggested methods but I don't believe anyone would actually prefer that and assumed the level of education and assistance that would be required for most users would be more than I'd personally be willing to take on and I don't think the users would want that either.  I'm not saying it shouldn't be done or that there isn't a market for it, but my ultimate solution was to try and make coins that were cool and demonstrated the ability to hold BTC, but wouldn't require deposits to load them or eventually hold so much BTC that if it were lost by the user it would be life changing.  I'm often criticized for my coins not holding more BTC, but I'm not sure those complaining consider that I didn't ever want to be the guy that generated keys that held thousands of BTC for others.  I wanted to be the guy that made demonstrably cool coins... 

I think a standard of 2fa or multisig being established for makers wouldn't be a bad thing and maybe for loaded coins it should be something customers should consider.  However, I only own 1 2fa coin, the 1000 BTC Casascius Gold coin, and I'd honestly prefer if it wasn't 2fa.  I believe coblee even once said that none of the people he sold the coins to ever even asked about the 2fa, making it beyond worthless.

  Wouldnt the 2Fa be an issue like with Titan? https://bitcointalk.org/index.php?topic=5369583.0

   Again if a website isnt kept online or anyone operating it is corrupt then it aint such a great idea IMO.

   

2fa could be done in different ways.  I'm not sure exactly how Titan did it as I never purchased any of their goods (what had they done before selling those coins to earn the trust required to offer such a product?), but if it relies on them being around in the future then they definitely did it poorly.  If I were going to implement it, I would have done it in a way where the user would have supplied a piece of the information used to generate the key.  Maybe 2fa isn't the right descriptor (split key generation?), it definitely isn't my area of expertise.  The problem however with the way that I looked at implementing it, is that the resale of the coin would be heavily dependent on the original buyer providing the new buyer with the information needed to access the private key (like in my coblee example above).  This would likely result in buyers losing their piece of the puzzle and funds being lost, or new buyers not getting correct information from the original owner, etc...  It would be a customer service nightmare.  That's a big part of the reason I did not go that route.  Simplicity and customer experience being the others.

can nfc tech be used to solve/aide in any of this?

I have thought about encoding private keys to nfc tag and then having some sort of key that unlocks the nfc chip if its split key then the "user" part is on the nfc tag while the maker part is under the tag and under the holo.

havent got a chance to play with this idea yet though.

If it breaks, your money is gone. With a 10 plus years (https://www.duratech.com/capabilities/near-field-communication/) lifespan, that's a real risk for collectibles.

Been doing some googling today about nfc and many casinos are using them in their chips. With the use / abuse and washing / cleaning cycles that they go through the chips tend to be destroyed before the tags stop working. BUT, there seems to be very little real data on that; just comments and discussions. If there is some public information out there my google skills are lacking in finding it.

The issue that comes to mind is that for casinos, a lot of the time, when it comes to dealing with the money side of it, cost is not an issue.
They don't, but if they replaced them as they are damaged beyond repair, they would probably buy more tomorrow to replace the ones damaged over the weekend then all the coin makers here would buy this year combined.

What would be the upper limit of additional cost people would be willing to pay for coins like that. Could put the lower end ones out of business, which is not the goal here. Nor a desired side effect.

-Dave

Good point. I was not aware of any 10 year lifespan.

"Removing trust from physical coin makers re: Priv Key generation"

easy.. don't make keys for your collectibles...they don't need it

There are Bitcoin collectibles, and there are Bitcoin themed collectibles.  One is an innovative product where the maker publishes lists of the keys used and has the products backed by something, an organization, physical BTC, usage case, etc...  The other is a trinket someone made and slapped a BTC logo on (maybe even including a non-vanity key with no use or published list as an afterthought).  People should be able to identify the difference and not get fooled into paying BTC collectible markups for BTC themed collectibles.  An example I would give is the difference in price I charge between a 1oz silver Bitcoin Binary round and a 1oz silver NastyFans Minted Seat. 

Nothing wrong with Bitcoin themed collectibles, I own many, but there's a huge difference between a themed collectible that has a logo on it versus a collectible that can functionally interact with a blockchain. 

I agree that you are right Bitcoin themed collectibles don't need a private key, but they are not in the same product galaxy as a functional collectible with a private key.

Good example...
After a little thought, I find it interesting that this is probably the only hobby/collectible space that attaches more value to the collectible by attaching more value to the collectible. :P
The only other collectible space like this I can think of would be traditional numismatics, where a collectible $20 bill is already worth $20 due to the value already associated with it.

it's like taping a $100 bill to a baseball card.... lol :D

To complete my previous answer (https://bitcointalk.org/index.php?topic=5434754.msg61599105#msg61599105), Ballet seems to use a feature belonging to the BIP38 specifications (https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki), the EC multiply mode (https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki#encryption-when-ec-multiply-mode-is-used)
This article ELI5 a little bit the process https://tara-annison.medium.com/encrypted-private-keys-an-outline-of-bip38-98ceae5d1558
But has we can read below from BIP38 specifications, the printer needs to generate a 24 random bytes(ie 192bits) seed by himself.
Thanks to that the purchaser can't guess which private key has been generated from his intermediate code, if the private key is sealed by the printer.
But CMIIW Ballet doesn't offer a way to check if the printer is really generating random seeds by himself or if he is using a given seed instead (given by Ballet).
https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki#encryption-when-ec-multiply-mode-is-used

Libbitcoin-explorer (fully open source) for example, allows to use this feature from BIP38 thanks to the bx ek-new command
https://github.com/libbitcoin/libbitcoin-explorer/wiki/bx-ek-new