Bitcoin Forum

Hey guys, so I've dabbled with the idea of making my own physical Bitcoins before, trying to remedy the issues that I percieve there to be with current coins. I have what I believe to be an incredibly interesting idea, but I have one major question so far unanswered. What is the prefered way to handle private keys.

There are two prevalent business models in existance. The Centrally issued and the Buyer Funded models. All regulation issues asside, as that isn't my concern at the moment, what do you, as physical Bitcoin users prefer? There are two major differences each with up sides and down sides and I'm wondering if anyone has any input on the matter.

Centrally issued: Ex. Casascius Coins

The producer of the coin generates the keypairs, attaches them to the piece, and disposes of the keypairs. The obvious downside is that the central issuer has had access to the keys, so there is always a doubt that the producer didn't dispose of the keys. There has yet to be an incident of Casascius/Smoothie abusing the flaw in this method, however a system that doesn't require trust in the first place in my opinion would be prefered. The alluring benefit to this type of system is there is then a secondary market. A 1 BTC Casascius coin can be resold repeatedly. If you buy it for 1.5 BTC, it can be sold later on for whatever premium the coins are fetching at the moment. You aren't stuck with just the 1 BTC that is loaded on the coin plus a piece of metal not worth the premium you paid.

Buyer Funded Model: Ex. Silver Wallets etc

You are shipped a physical product, and then the buyer applies the keypairs themselves. That way no one but yourself knows the keys. The problem with this method is as I said above, there is no secondary market. If the buyer pays 1.5 BTC in total for a Silver Wallet + 1 BTC to load onto it, there is no secondary market. You can't sell it for 1.5 BTC, you can redeem the 1 BTC you loaded onto it, and get $20 for the 1oz silver wallet. In this regard physical wallets like this are just a deterrent for the user not to spend the coins that they have loaded onto it.

I believe I have found a solution to eliminate the tacky tamperproof sticker, move away from the coin paradigm in itself, and provide a means of storing private keys in a way that also yields a display piece far more interesting than a metal round. I'm just conflicted as to whether people would rather I shipped the piece in itself and gave them the means to print their own private keys, increasing their keypair safety. Or, would they elect to trust me with properly disposing of the printed keypairs in order to create a secondary resale market for the pieces.

I've considered split key generation as well as printing encrypted keys sent by the buyer, however in the end either I or the buyer know the private key. Someone has to know the printed private key, so I'm curious as to the community's feelings on the matter. If you know of a way to fix the problem, that would be even better, but my hopes aren't especially high for that, so I guess I'm gauging which direction the community would wish I go.

I appreciate your feedback, thanks guys.

What about having a coin (or whatever new paradigm you're proposing :)) with 2 separate independent tamper-proof stickers?

You would ask the buyer to send you a public key (while safely keeping the corresponding private key), you would create your own public key and generate a 2-of-2 multisig address. You would fund the resulting address and ship the coin with your private key protected with a sticker, along with another unused sticker. The buyer would receive the coin and add the private key he generated.

To redeem the coins the final user would need to remove both stickers and use both keys. It is a little complex and the buyer would need to be tech-savvy but I guess almost all physical bitcoin buyers are.

Edit: I guess on the secondary market there would always be a risk that the buyer didn't really include his key correctly, but at least because he never had access to the first private key he would have no motivation to keep the second one.
To reduce this risk the process could be done by you and another very trusted and experienced person instead of the final buyer. So you would add the first private key and send it to a trusted middle man who would add the second key and forward the coin to the final buyer.

I really appreciate that you took the time to give me such a well thought out response. I might be able to adopt a system like that, but as proposed there would be a few issues. I've reworded this post five times now, as I don't want to give too much away, yet I feel like people can't really suggest things properly if I don't tell them what it is I'm doing.

I'm doing away with the tamper proof stickers, but thats not a huge issue. As invisioned at the moment, after leaving my hands, the owner wont be able to get to the original private key. You are talking about a multisig system though correct?

I would say that having a central issuer generate the key pairs, and ensure the associated public address is funded prior to shipping is most likely going to be preferable over the buyer creating the private keys himself.

Evidence of this would be the secondary market for Lealana coins. When smoothie auctions off his coins, he gives the option for the buyer to either fund the coins prior to shipping, or for him to mark the coins as "buyer funded" with a laser. The premium for buyer funded Lealana coins tends to be significantly smaller then the premium for funded coins, often times by 50%. My observation of the prices that Casascius coins sell for when they are funded vs. redeemed vs unfunded would cause me to reach a similar conclusion.

My understanding of the target market of SilverWallets is that SilverWallets is targeted towards people who wish to keep their coins safe in a unique way. Silver wallets actually come with three holograms, so if someone were to create a key pair, fund the corresponding address with 1 BTC and then later sell the coin, they could first redeem the 1 BTC they had previously funded the coin with and then sell the coin with a hologram not yet applied to the coin.

Generating the keypairs yourself also allows you to publicly publish a list of addresses associated with each of your coins. This will allow a potential secondary market buyer to easily check the "balance" of the address associated with a coin if only the first bits are displayed on the coin. Mike published (http://www.casascius.com/fulllist.txt) a PGP signed list of all the addresses associated with his project and smoothie will PGP sign a list of addresses of the coins you buy when you win one of his auctions via PM (which allows a buyer to later prove the address, and the associated balance when he decides to sell it).

I am curious to hear more about your solution to not needing to use a tamper proof hologram/sticker anymore.

I'm sure if I and everyone knew more about your new project then we could help better but I understand your predicament not wanting to make it public until you have it done.

The basic points of my idea are:

• Yes I'm talking about multisig system
• Nobody at all should have access to all the private keys. In the normal coins this would be achieved by protecting a key with a sticker before sending it to the next person. If you found a way to prevent accessing your key without the need of the sticker then multisig should work too.
• The total number of signatures and the required number can be modified to solve specific problems. As an example 2-of-3 could be used to reduce the chance of a missing key. I think it's pretty flexible.

If this can't be implemented at all for any reason I agree it would be much better for you to ship them already funded rather than being buyer funded.

I have thought about this too for a while since I was also considering making some coins just for a bit of fun.

So it really bothers me that people can know the private keys on the coin. My naive solution to the problem would be to video tape literally every single step for private key generation, blur out the actual private keys when generating it and then show on camera that you completely destroy all private keys and any evidence of private keys.

y/n?

edit: and of course this also covers the case where the maker may just rip off the stickers after the video and then generate new private keys, since you can video the public key, and then verify that you are infact selling coins with the private keys you generated on camera.

The general trend with these physical cryptos is that an original creator funded coin is more desirable than a buyer funded one. Personally I would like to see a simple HIGH quality design rather than some fancy artwork. The hologram itself has to be super unique with possibly a feature that when you rub on it , it changes color, perhaps even showing the first couple keys of the public address and/or edition number. Super low productions on first editions is a must.  8)

I agree with the first half of this statement. The less a buyer have to do or know about how a physical coin work the more attractive it will be. Peel the sticker and redeem your digital coins ! People don't want to buy something and have to learn how to use it or spend time to generate a private key putting in a sticker and so on. Buy a coin throw it in the safe and forget about it is what most people did with their high value Casascius coins I'm sure. Point being is, the more simple the more better and people would sacrifice a little security for simplicity and ease of use.

Thanks for the suggestions everyone, I'm reading over them all again to think about them more critically.


As to the video taping process, I wouldn't do it with every single piece produced, however I do plan on video taping at least one to allow anyone to watch the production methods and hopefully let me know if they see any flaws. As of now, I have about 2/3rds if not 3/4ths of the security measures figured out. As this point, counterfeiting would be possible, but so unbelievably hard to do well, it would end up costing more to counterfeit than they will be worth. The private keys should be safe from attack at this point of development, but what I percieve as an inevitable handling of the keys by myself if I wish to assure a secondary market is the biggest security flaw.

Showing each step for each piece produced would be neat, but also hugely time intensive, and if I'm blurring out the private key, couldn't I be shredding/destroying a keypair that just says, "hehe suckers"?



What I'm producing isn't a coin, and it wont have any hologram, it will be a completely new concept. But I think the majority of people in the market will be impressed. The one thing I wont be doing, is the stupid "error" thing that for some reason every coin has produced. Im thinking the chances that every coin out there has made a 1st batch error coin has more to do with getting people to buy them based on Casascius history than actually making an error. The productions, especially the first should be pretty low runs, I dont have a number in mind, but if they take me 6 hours to make, I wont be making 1000 of them. The entire production process will be done by myself with machinery that I have, so I will have the flexibility to change up designs and such on a whim to keep things fresh. I'm a very talented metalurgist so I'll be mixing things up on that front as well.

Once again I want to thank everyone for being so incredibly helpful with their suggestions.

Well I meant like from actual key generation where you blur it out from then till you print and you still blur it and burn/shred it.

But yeah, it's way too labour intensive, but definitely a good way to be open.

How about the buyer and the manufacturer both generate keypairs. The buyer keeps his private key secret, the manufacturer prints both keys on the wallet, with the private key hidden under the tamper-proof device. Either the buyer or the manufacturer funds the address resulting from combining the two public keys, and the balance can only be spent by combining the two private keys.

The buyer and manufacturer each only know one of the two private keys and so the balance is safe until the sticker is peeled off.

The buyer can sell the wallet to a third party along with his private key. The new buyer can verify that the private key he is given corresponds to a public key that when combined with the public key printed on the wallet gives a funded address, and so can be sure that the wallet is funded, and that he will have exclusive access to the coins when he peels off the sticker.

Does that work?

Edit: the idea is based on how vanitygen allows you to outsource vanity address generation by providing your public key to someone running vanitygen for you. He can generate a private key that gives a pretty BTC address when combined with your own private key, without him ever knowing the private key for the pretty address he generates.

I sent you a pm. The biggest problem I'm facing, is that the buyer wont have access to where the first private key would be located, so they can't include half of it themselves, unless they put it on the outside, which would be a vulnerability. In order to get to the keypair that I'd include, you have to physically destroy the piece. That is the security, and the reason why no stickers are needed.

I have an interesting proposal.

When subjected to ultrasonic vibrations, subsurface stress patterns in metals can relax causing changes in the metal's surface shape.  The most frequent application of this is in forensics labs recovering serial numbers from items whose cast or stamped serial numbers have been filed off but which have not subsequently been annealed or otherwise stress-released. 

You could cast your coins with the secret key, then file it off lightly and send out the coins.  If someone wants to actually spend the money, they drop it into a liquid bath with a piezoelectric crystal attached to an oscillator and leave it there for a day, then pull it out and they'll be able to read the secret key.  But at this point the coin is "defaced" because the secret key shows.  If they file it off again, stress cracks around the site will be visible.  If they don't, then the buyer will be able to know that the secret key is revealed and therefore the coin is (overwhelming likelihood) de-funded. 

I think this is more elegant than the hologram-stickers.

That is such a cool idea, I'll look into that method and similar methods. I really appreciate the ideas everyone. Assuming best case senario, I could have prototypes finished in two weeks or so, although I doubt that nothing will go wrong, so I expect it will take longer. I'm not going to set any firm expected release date, as Id rather finish when complete, rather than when I need to meet expectations.

While I realize a lot of other sellers do holograms, and they aren't tamper-proof, I personally like the look of them.  Without them, they feel more like mass-produced tokens.

Have to agree with Bithalo here. Holograms give it a sense of "uniqueness", even though it is not the most secure solution. Then again, I personally buy coins from a collector's perspective, and they are never funded :)

I also only collect physical bitcoins, not fund them for cold storage.  If I were to do that, I would prefer a DIY, where I put my own keys behind a hologram.   But for certain trusted members on the forum like salty, I would have no worries with them setting the private key should I fund them.

I don't see any issues regarding pre-funding by the coin's creator, but I do understand SaltySpitoon issue.

As it was said, the best way to avoid this situation is indeed a multisig address with two holograms, but I don't see that being really feasible for selling and/or reselling the coin. At least for now (unless the next Bitcoin Core client is released with some kind of a multisig GUI).

Issuing physical cryptos requires trust: if one wants it funded, it requires us to trust the creator of the coin to give it value, on way or another, and I think it will always be like that :)

That being said, I wouldn't definitely mind buying a pre-funded coin from a well trusted member of the community.

The most secure trusted way to create keys for physical coins is to get Satoshi to do it.....End User produced keyed coins have no resell value as a collectable. If your looking to get into producing collectable coins.....even untrusted producers can create keyed coins unfunded and leave it up to end users trust level of the producer if they want to fund them or not.... are you looking to produce a secure place for people to park their bitcoins or are you trying to produce a novelty collectable....IMO it's either one or the other...

will there be a DIY version of this physical bitcoin?
perhaps construction like https://github.com/platecoin/platecoin (https://github.com/platecoin/platecoin)?

the maker's private key sticker can be sticked on side A, while the clerk generates key B in shop and puts
it to the rectangular window near buyer, charge it and show him the transaction in blockchain.

buyer only need to trust maker sticker.

opinios?

Use multisign address?

The buyer signs the address then the company returns his signature?

Biggest problem is the coins would have to be pre-ordered

I personally prefer assembled coins. It saves on a lot of hassle, however, there's an element of trust involved that some people may not feel comfortable with.
You could always offer a pre-assembled coin or a BIP38 encrypted wallet so that the buyer can be sure that there's no way the seller would have access to the full private key.

Big fan of pre-assembled coins myself, although I wouldn't mind getting my hands "dirty" by putting one together myself :)

Yeah, as expected, things came up. I needed to order additional machinery, so things are delayed a bit, but still moving forward. This is the reason you never take preorders.



Personally, I've always found the holograms sort of tacky. Anyway, I can guarantee this won't feel like mass produced tokens. What I'm making are hand made, one at a time, and not tokens.



Correct, this is why I'm trying to figure out what to do here. The most secure way to do it would be to do multisig so I never have access to the private keys. But, there is no resale value of a piece if you are relying on a stranger that knows the private keys not to steal the coins. With Casascius coins, you are relying on Casascius not to steal the Bitcoins, but that is better than trusting whoever it is who purchased the coins first.



With what I'm planning, buyer funded isn't possible. Each buyer would have to have expensive machinery, and be willing to sign a liability waiver to not hold me responsible for burns from molten 2000ish degree metal.



BIP38 encrypted would work for buyer funded models, where the original buyer gives me the private key encrypted so that I don't know what it is, but then they would have access to the private key, again making resale impossible. If I end up making buyer funded pieces, this would most likely be the route that I'd take.




Buyer assembled models are very unlikely at this point. That is unless I ship every unit sold with metalworking tools and safety equipment, a CNC Mill/Router, Metal furnace.

I have been thinking a lot about this question as well.

The best solution we have right now, is the "Casascius model", where a trusted person insert the private key into the coin.
As you all know the weakness with this model is that the private key is exposed to the person assembling the coin.

I have though about a model that would eliminate this problem.
Before people gets there expectations up, I must warn you, this idea is not easy to implement and it will be expensive to develop, produce and verify (compared to printing a private key on a piece of paper).
But there is no limitation in the current technology for implementing this idea.

The whole idea is to place a micro computer inside the coin instead of a piece of paper.
The circuit will not require more real estate than the indent in a Casascius coin, perhaps slightly deeper, but definitely possible in a 1 Oz coin.

The core of the idea is that the micro computer generates the private key after initial power up.
When the micro computer powers up for the first time, then will it burn the key into an array of electrical fuses (alternative could internal NAND flash be used).

The micro computer will have an RFID transponder (many smart phones today have a RFID transponder build in as well), the micro computer will then be able to transmit the public key via RFID when anybody request it. Obviously the private key is never transmitted.

In order to redeem the private key, then must the coin be dissembled and two electrical points must be shorted, this will cause the micro computer to change state and start transmitting the private key instead, this state is irreversible, even if the two points are disconnected again.

In this way, is it not possible for the creator (or anybody else) to access the private key without changing the state of the microcomputer.
The user can verify that the private key is intact by checking that the RFID is transmitting a public key.
If the user read a private key with the RFID, then is the private key exposed.

The issue about battery could be addressed in many different ways: e.g. by using magnetic field charging, which many newer smarts phones also support (chargers are off the shelf). The given circuit could properly last about 10-20 years on a small lithium battery, if the public key is not read every day via RFID. The battery is not a real issue, since you would be able to power up the micro computer if disassembling the coin, but obviously for the second market value would it be necessary to be able to charge the battery, to check the public key. It might be possible to use Seiko Kinetic technology to charge the battery (if it could fit inside the coin, I doubt it though). The real limitation will be the program state and code, which need to be stored in NAND flash, with current NAND technology will this limit the life time of the coins to 100-200 hundred years, I think this is acceptable.

For the paranoid bitcoin user will it be a challenge for the micro computer to generate a private key with high enough entropy, this could be address by e.g. using the production variation in the silicon wafer (transmission line timing) to generate the seed. I read about this technique in a paper not too long ago, basically is it possible to make a unique fingerprint for every silicon based chip produced, which can be read (calculated) by the silicon circuit.

There is still an element of trust here, the buyer must trust that creators have not implemented a backdoor in the code, this can be address by using open source and have several people involved in the design and production of the micro chip. Remember, the private key is only generated after the micro computer powers up, "impossible" for anybody to read without change the state.

There are side doors attacks for NAND flash which should be considered and risk estimated in the design process.

That was my 2 satoshi, if anybody likes my idea and want to develop and refine it, I would be more than happy to participate.

Physical bitcoin with chip inside can work as follows:

at home

1. Smart coin would be produced in perpetual RNG seeding state.
2. After that the user shall choose his vanity address prefix/postfix (to prevent producer hardcoding private key)
3. The coin receives vanity prefix and start bruteforcing address.
4. Coin now in propagating pubkey state while keeping the private key secret.
5. User check the pubkey has vanity prefix and top ups his coin.

secure payment

5. The POS terminal sends the transaction to physical bitcoin.
6. Physical bitcoin atomically signs the transaction and destroys the private key (can destroy the signing circuit & priv/pubkey memory ).
7. Coin now in perpetually propagating txsig state with all non needed circuits destroyed.
8. Tx sig is sent to POS. TX Sent to bitcoin network. The clerk gives the goods to customer.

Opinions?

This is indeed a good idea.
It take the idea a step further.
Basically it is a smart coin.

I like the idea about the vanity prefix, this could be a good idea for a bearer bar, you could even place a electrophoretic display on the bar to show the vanity key.
Electrophoretic displays is virtually not using power when static.

I don't know if there is an demand for such a smart coin... In any case it could be interesting to develop.

I like the idea of electrophoretic display. I suggest such device be separate from the physical coin, because it's reusable.
Such display can be used for 1. display vanity address; 2. display the full transaction the coin will sign.

This picture is a diagram of the 4 states of a "smart physical bit coin" in order.

http://imgh.us/physical_bitcoin.svg (http://imgh.us/physical_bitcoin.svg)

Took, you have just blown my mind

Need to lie down

http://i61.tinypic.com/zu1ao7.png

http://imgh.us/system_1.svg (http://imgh.us/system_1.svg)

The most secure trusted way to create keys for physical coins is to get Satoshi to do it.....End User produced keyed coins have no resell value as a collectable. If your looking to get into producing collectable coins.....even untrusted producers can create keyed coins unfunded and leave it up to end users trust level of the producer if they want to fund them or not.... are you looking to produce a secure place for people to park their bitcoins or are you trying to produce a novelty collectable....IMO it's either one or the other...

How to deal with a good crypto? I have been reading few good cryptos during these days. Here they are: BTC, PTC, SciDex, Ethereum, Altcoin. Who has the best chances for growing?

If you are looking to get coin collecting income even unreliable producers can create coins and leave it up to the end user's level of trust if they want to finance them. or not?
Are you looking to create a safe place for people to park their bitcoin or are you trying to produce a new collection?
There may be more good ones. ;D

Cool idea, Sir!

This is also considered as the premise for the market. There are many items and many attractions for investors. Especially bring them new collections. It's just like you're example of them being awesome.