Hey guys, so I've dabbled with the idea of making my own physical Bitcoins before, trying to remedy the issues that I percieve there to be with current coins. I have what I believe to be an incredibly interesting idea, but I have one major question so far unanswered. What is the prefered way to handle private keys.

There are two prevalent business models in existance. The Centrally issued and the Buyer Funded models. All regulation issues asside, as that isn't my concern at the moment, what do you, as physical Bitcoin users prefer? There are two major differences each with up sides and down sides and I'm wondering if anyone has any input on the matter.

Centrally issued: Ex. Casascius Coins

The producer of the coin generates the keypairs, attaches them to the piece, and disposes of the keypairs. The obvious downside is that the central issuer has had access to the keys, so there is always a doubt that the producer didn't dispose of the keys. There has yet to be an incident of Casascius/Smoothie abusing the flaw in this method, however a system that doesn't require trust in the first place in my opinion would be prefered. The alluring benefit to this type of system is there is then a secondary market. A 1 BTC Casascius coin can be resold repeatedly. If you buy it for 1.5 BTC, it can be sold later on for whatever premium the coins are fetching at the moment. You aren't stuck with just the 1 BTC that is loaded on the coin plus a piece of metal not worth the premium you paid.

Buyer Funded Model: Ex. Silver Wallets etc

You are shipped a physical product, and then the buyer applies the keypairs themselves. That way no one but yourself knows the keys. The problem with this method is as I said above, there is no secondary market. If the buyer pays 1.5 BTC in total for a Silver Wallet + 1 BTC to load onto it, there is no secondary market. You can't sell it for 1.5 BTC, you can redeem the 1 BTC you loaded onto it, and get $20 for the 1oz silver wallet. In this regard physical wallets like this are just a deterrent for the user not to spend the coins that they have loaded onto it.

I believe I have found a solution to eliminate the tacky tamperproof sticker, move away from the coin paradigm in itself, and provide a means of storing private keys in a way that also yields a display piece far more interesting than a metal round. I'm just conflicted as to whether people would rather I shipped the piece in itself and gave them the means to print their own private keys, increasing their keypair safety. Or, would they elect to trust me with properly disposing of the printed keypairs in order to create a secondary resale market for the pieces.

I've considered split key generation as well as printing encrypted keys sent by the buyer, however in the end either I or the buyer know the private key. Someone has to know the printed private key, so I'm curious as to the community's feelings on the matter. If you know of a way to fix the problem, that would be even better, but my hopes aren't especially high for that, so I guess I'm gauging which direction the community would wish I go.

I appreciate your feedback, thanks guys.

I really appreciate that you took the time to give me such a well thought out response. I might be able to adopt a system like that, but as proposed there would be a few issues. I've reworded this post five times now, as I don't want to give too much away, yet I feel like people can't really suggest things properly if I don't tell them what it is I'm doing.

I'm doing away with the tamper proof stickers, but thats not a huge issue. As invisioned at the moment, after leaving my hands, the owner wont be able to get to the original private key. You are talking about a multisig system though correct?

I'm sure if I and everyone knew more about your new project then we could help better but I understand your predicament not wanting to make it public until you have it done.

The basic points of my idea are:

• Yes I'm talking about multisig system
• Nobody at all should have access to all the private keys. In the normal coins this would be achieved by protecting a key with a sticker before sending it to the next person. If you found a way to prevent accessing your key without the need of the sticker then multisig should work too.
• The total number of signatures and the required number can be modified to solve specific problems. As an example 2-of-3 could be used to reduce the chance of a missing key. I think it's pretty flexible.

If this can't be implemented at all for any reason I agree it would be much better for you to ship them already funded rather than being buyer funded.

The general trend with these physical cryptos is that an original creator funded coin is more desirable than a buyer funded one. Personally I would like to see a simple HIGH quality design rather than some fancy artwork. The hologram itself has to be super unique with possibly a feature that when you rub on it , it changes color, perhaps even showing the first couple keys of the public address and/or edition number. Super low productions on first editions is a must. 

Thanks for the suggestions everyone, I'm reading over them all again to think about them more critically.


As to the video taping process, I wouldn't do it with every single piece produced, however I do plan on video taping at least one to allow anyone to watch the production methods and hopefully let me know if they see any flaws. As of now, I have about 2/3rds if not 3/4ths of the security measures figured out. As this point, counterfeiting would be possible, but so unbelievably hard to do well, it would end up costing more to counterfeit than they will be worth. The private keys should be safe from attack at this point of development, but what I percieve as an inevitable handling of the keys by myself if I wish to assure a secondary market is the biggest security flaw.

Showing each step for each piece produced would be neat, but also hugely time intensive, and if I'm blurring out the private key, couldn't I be shredding/destroying a keypair that just says, "hehe suckers"?



What I'm producing isn't a coin, and it wont have any hologram, it will be a completely new concept. But I think the majority of people in the market will be impressed. The one thing I wont be doing, is the stupid "error" thing that for some reason every coin has produced. Im thinking the chances that every coin out there has made a 1st batch error coin has more to do with getting people to buy them based on Casascius history than actually making an error. The productions, especially the first should be pretty low runs, I dont have a number in mind, but if they take me 6 hours to make, I wont be making 1000 of them. The entire production process will be done by myself with machinery that I have, so I will have the flexibility to change up designs and such on a whim to keep things fresh. I'm a very talented metalurgist so I'll be mixing things up on that front as well.

Once again I want to thank everyone for being so incredibly helpful with their suggestions.

How about the buyer and the manufacturer both generate keypairs. The buyer keeps his private key secret, the manufacturer prints both keys on the wallet, with the private key hidden under the tamper-proof device. Either the buyer or the manufacturer funds the address resulting from combining the two public keys, and the balance can only be spent by combining the two private keys.

The buyer and manufacturer each only know one of the two private keys and so the balance is safe until the sticker is peeled off.

The buyer can sell the wallet to a third party along with his private key. The new buyer can verify that the private key he is given corresponds to a public key that when combined with the public key printed on the wallet gives a funded address, and so can be sure that the wallet is funded, and that he will have exclusive access to the coins when he peels off the sticker.

Does that work?

Edit: the idea is based on how vanitygen allows you to outsource vanity address generation by providing your public key to someone running vanitygen for you. He can generate a private key that gives a pretty BTC address when combined with your own private key, without him ever knowing the private key for the pretty address he generates.

I have an interesting proposal.

When subjected to ultrasonic vibrations, subsurface stress patterns in metals can relax causing changes in the metal's surface shape.  The most frequent application of this is in forensics labs recovering serial numbers from items whose cast or stamped serial numbers have been filed off but which have not subsequently been annealed or otherwise stress-released. 

You could cast your coins with the secret key, then file it off lightly and send out the coins.  If someone wants to actually spend the money, they drop it into a liquid bath with a piezoelectric crystal attached to an oscillator and leave it there for a day, then pull it out and they'll be able to read the secret key.  But at this point the coin is "defaced" because the secret key shows.  If they file it off again, stress cracks around the site will be visible.  If they don't, then the buyer will be able to know that the secret key is revealed and therefore the coin is (overwhelming likelihood) de-funded. 

I think this is more elegant than the hologram-stickers.

While I realize a lot of other sellers do holograms, and they aren't tamper-proof, I personally like the look of them.  Without them, they feel more like mass-produced tokens.

I also only collect physical bitcoins, not fund them for cold storage.  If I were to do that, I would prefer a DIY, where I put my own keys behind a hologram.   But for certain trusted members on the forum like salty, I would have no worries with them setting the private key should I fund them.

The most secure trusted way to create keys for physical coins is to get Satoshi to do it.....End User produced keyed coins have no resell value as a collectable. If your looking to get into producing collectable coins.....even untrusted producers can create keyed coins unfunded and leave it up to end users trust level of the producer if they want to fund them or not.... are you looking to produce a secure place for people to park their bitcoins or are you trying to produce a novelty collectable....IMO it's either one or the other...