SaltySpitoon (OP)
Legendary
Offline
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
|
|
April 25, 2015, 03:24:55 AM |
|
Hey guys, so I've dabbled with the idea of making my own physical Bitcoins before, trying to remedy the issues that I percieve there to be with current coins. I have what I believe to be an incredibly interesting idea, but I have one major question so far unanswered. What is the prefered way to handle private keys.
There are two prevalent business models in existance. The Centrally issued and the Buyer Funded models. All regulation issues asside, as that isn't my concern at the moment, what do you, as physical Bitcoin users prefer? There are two major differences each with up sides and down sides and I'm wondering if anyone has any input on the matter.
Centrally issued: Ex. Casascius Coins
The producer of the coin generates the keypairs, attaches them to the piece, and disposes of the keypairs. The obvious downside is that the central issuer has had access to the keys, so there is always a doubt that the producer didn't dispose of the keys. There has yet to be an incident of Casascius/Smoothie abusing the flaw in this method, however a system that doesn't require trust in the first place in my opinion would be prefered. The alluring benefit to this type of system is there is then a secondary market. A 1 BTC Casascius coin can be resold repeatedly. If you buy it for 1.5 BTC, it can be sold later on for whatever premium the coins are fetching at the moment. You aren't stuck with just the 1 BTC that is loaded on the coin plus a piece of metal not worth the premium you paid.
Buyer Funded Model: Ex. Silver Wallets etc
You are shipped a physical product, and then the buyer applies the keypairs themselves. That way no one but yourself knows the keys. The problem with this method is as I said above, there is no secondary market. If the buyer pays 1.5 BTC in total for a Silver Wallet + 1 BTC to load onto it, there is no secondary market. You can't sell it for 1.5 BTC, you can redeem the 1 BTC you loaded onto it, and get $20 for the 1oz silver wallet. In this regard physical wallets like this are just a deterrent for the user not to spend the coins that they have loaded onto it.
I believe I have found a solution to eliminate the tacky tamperproof sticker, move away from the coin paradigm in itself, and provide a means of storing private keys in a way that also yields a display piece far more interesting than a metal round. I'm just conflicted as to whether people would rather I shipped the piece in itself and gave them the means to print their own private keys, increasing their keypair safety. Or, would they elect to trust me with properly disposing of the printed keypairs in order to create a secondary resale market for the pieces.
I've considered split key generation as well as printing encrypted keys sent by the buyer, however in the end either I or the buyer know the private key. Someone has to know the printed private key, so I'm curious as to the community's feelings on the matter. If you know of a way to fix the problem, that would be even better, but my hopes aren't especially high for that, so I guess I'm gauging which direction the community would wish I go.
I appreciate your feedback, thanks guys.
|
|
|
|
EcuaMobi
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
April 25, 2015, 03:44:48 AM Last edit: April 25, 2015, 04:03:22 AM by EcuaMobi |
|
What about having a coin (or whatever new paradigm you're proposing ) with 2 separate independent tamper-proof stickers? You would ask the buyer to send you a public key (while safely keeping the corresponding private key), you would create your own public key and generate a 2-of-2 multisig address. You would fund the resulting address and ship the coin with your private key protected with a sticker, along with another unused sticker. The buyer would receive the coin and add the private key he generated. To redeem the coins the final user would need to remove both stickers and use both keys. It is a little complex and the buyer would need to be tech-savvy but I guess almost all physical bitcoin buyers are. Edit: I guess on the secondary market there would always be a risk that the buyer didn't really include his key correctly, but at least because he never had access to the first private key he would have no motivation to keep the second one. To reduce this risk the process could be done by you and another very trusted and experienced person instead of the final buyer. So you would add the first private key and send it to a trusted middle man who would add the second key and forward the coin to the final buyer.
|
|
|
|
SaltySpitoon (OP)
Legendary
Offline
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
|
|
April 25, 2015, 07:19:24 AM |
|
I really appreciate that you took the time to give me such a well thought out response. I might be able to adopt a system like that, but as proposed there would be a few issues. I've reworded this post five times now, as I don't want to give too much away, yet I feel like people can't really suggest things properly if I don't tell them what it is I'm doing.
I'm doing away with the tamper proof stickers, but thats not a huge issue. As invisioned at the moment, after leaving my hands, the owner wont be able to get to the original private key. You are talking about a multisig system though correct?
|
|
|
|
Quickseller
Copper Member
Legendary
Offline
Activity: 2996
Merit: 2374
|
|
April 25, 2015, 08:30:14 AM |
|
I would say that having a central issuer generate the key pairs, and ensure the associated public address is funded prior to shipping is most likely going to be preferable over the buyer creating the private keys himself. Evidence of this would be the secondary market for Lealana coins. When smoothie auctions off his coins, he gives the option for the buyer to either fund the coins prior to shipping, or for him to mark the coins as "buyer funded" with a laser. The premium for buyer funded Lealana coins tends to be significantly smaller then the premium for funded coins, often times by 50%. My observation of the prices that Casascius coins sell for when they are funded vs. redeemed vs unfunded would cause me to reach a similar conclusion. My understanding of the target market of SilverWallets is that SilverWallets is targeted towards people who wish to keep their coins safe in a unique way. Silver wallets actually come with three holograms, so if someone were to create a key pair, fund the corresponding address with 1 BTC and then later sell the coin, they could first redeem the 1 BTC they had previously funded the coin with and then sell the coin with a hologram not yet applied to the coin. Generating the keypairs yourself also allows you to publicly publish a list of addresses associated with each of your coins. This will allow a potential secondary market buyer to easily check the "balance" of the address associated with a coin if only the first bits are displayed on the coin. Mike published a PGP signed list of all the addresses associated with his project and smoothie will PGP sign a list of addresses of the coins you buy when you win one of his auctions via PM (which allows a buyer to later prove the address, and the associated balance when he decides to sell it). I am curious to hear more about your solution to not needing to use a tamper proof hologram/sticker anymore.
|
|
|
|
EcuaMobi
Legendary
Offline
Activity: 1876
Merit: 1475
|
|
April 25, 2015, 12:35:31 PM |
|
I really appreciate that you took the time to give me such a well thought out response. I might be able to adopt a system like that, but as proposed there would be a few issues. I've reworded this post five times now, as I don't want to give too much away, yet I feel like people can't really suggest things properly if I don't tell them what it is I'm doing.
I'm doing away with the tamper proof stickers, but thats not a huge issue. As invisioned at the moment, after leaving my hands, the owner wont be able to get to the original private key. You are talking about a multisig system though correct?
I'm sure if I and everyone knew more about your new project then we could help better but I understand your predicament not wanting to make it public until you have it done. The basic points of my idea are: - Yes I'm talking about multisig system
- Nobody at all should have access to all the private keys. In the normal coins this would be achieved by protecting a key with a sticker before sending it to the next person. If you found a way to prevent accessing your key without the need of the sticker then multisig should work too.
- The total number of signatures and the required number can be modified to solve specific problems. As an example 2-of-3 could be used to reduce the chance of a missing key. I think it's pretty flexible.
If this can't be implemented at all for any reason I agree it would be much better for you to ship them already funded rather than being buyer funded.
|
|
|
|
miffman
Legendary
Offline
Activity: 1904
Merit: 1005
PGP ID: 78B7B84D
|
|
April 25, 2015, 02:37:44 PM |
|
I have thought about this too for a while since I was also considering making some coins just for a bit of fun.
So it really bothers me that people can know the private keys on the coin. My naive solution to the problem would be to video tape literally every single step for private key generation, blur out the actual private keys when generating it and then show on camera that you completely destroy all private keys and any evidence of private keys.
y/n?
edit: and of course this also covers the case where the maker may just rip off the stickers after the video and then generate new private keys, since you can video the public key, and then verify that you are infact selling coins with the private keys you generated on camera.
|
█ █ █ █ █ █ █ █ █ █ █ █
|
█ █ █ █ █ █ █ █ █ █ █
| | BitBlender |
█ █ █ █ █ █ █ █ █ █ █ █
|
█ █ █ █ █ █ █ █ █ █ █ █
| |
█ █ █ █ █ █ █ █ █ █ █
| █ █ █ █ █ █ █ █ █ █ █
| |
|
|
|
|
justbtcme
|
|
April 25, 2015, 07:18:38 PM |
|
The general trend with these physical cryptos is that an original creator funded coin is more desirable than a buyer funded one. Personally I would like to see a simple HIGH quality design rather than some fancy artwork. The hologram itself has to be super unique with possibly a feature that when you rub on it , it changes color, perhaps even showing the first couple keys of the public address and/or edition number. Super low productions on first editions is a must.
|
|
|
|
justbtcme
|
|
April 25, 2015, 07:29:49 PM |
|
It is a little complex and the buyer would need to be tech-savvy but I guess almost all physical bitcoin buyers are.
I agree with the first half of this statement. The less a buyer have to do or know about how a physical coin work the more attractive it will be. Peel the sticker and redeem your digital coins ! People don't want to buy something and have to learn how to use it or spend time to generate a private key putting in a sticker and so on. Buy a coin throw it in the safe and forget about it is what most people did with their high value Casascius coins I'm sure. Point being is, the more simple the more better and people would sacrifice a little security for simplicity and ease of use.
|
|
|
|
SaltySpitoon (OP)
Legendary
Offline
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
|
|
April 25, 2015, 07:48:13 PM Last edit: April 25, 2015, 08:00:19 PM by SaltySpitoon |
|
Thanks for the suggestions everyone, I'm reading over them all again to think about them more critically. I have thought about this too for a while since I was also considering making some coins just for a bit of fun.
So it really bothers me that people can know the private keys on the coin. My naive solution to the problem would be to video tape literally every single step for private key generation, blur out the actual private keys when generating it and then show on camera that you completely destroy all private keys and any evidence of private keys.
y/n?
edit: and of course this also covers the case where the maker may just rip off the stickers after the video and then generate new private keys, since you can video the public key, and then verify that you are infact selling coins with the private keys you generated on camera.
As to the video taping process, I wouldn't do it with every single piece produced, however I do plan on video taping at least one to allow anyone to watch the production methods and hopefully let me know if they see any flaws. As of now, I have about 2/3rds if not 3/4ths of the security measures figured out. As this point, counterfeiting would be possible, but so unbelievably hard to do well, it would end up costing more to counterfeit than they will be worth. The private keys should be safe from attack at this point of development, but what I percieve as an inevitable handling of the keys by myself if I wish to assure a secondary market is the biggest security flaw. Showing each step for each piece produced would be neat, but also hugely time intensive, and if I'm blurring out the private key, couldn't I be shredding/destroying a keypair that just says, "hehe suckers"? The general trend with these physical cryptos is that an original creator funded coin is more desirable than a buyer funded one. Personally I would like to see a simple HIGH quality design rather than some fancy artwork. The hologram itself has to be super unique with possibly a feature that when you rub on it , it changes color, perhaps even showing the first couple keys of the public address and/or edition number. Super low productions on first editions is a must. What I'm producing isn't a coin, and it wont have any hologram, it will be a completely new concept. But I think the majority of people in the market will be impressed. The one thing I wont be doing, is the stupid "error" thing that for some reason every coin has produced. Im thinking the chances that every coin out there has made a 1st batch error coin has more to do with getting people to buy them based on Casascius history than actually making an error. The productions, especially the first should be pretty low runs, I dont have a number in mind, but if they take me 6 hours to make, I wont be making 1000 of them. The entire production process will be done by myself with machinery that I have, so I will have the flexibility to change up designs and such on a whim to keep things fresh. I'm a very talented metalurgist so I'll be mixing things up on that front as well. Once again I want to thank everyone for being so incredibly helpful with their suggestions.
|
|
|
|
miffman
Legendary
Offline
Activity: 1904
Merit: 1005
PGP ID: 78B7B84D
|
|
April 25, 2015, 08:03:27 PM |
|
Thanks for the suggestions everyone, I'm reading over them all again to think about them more critically. I have thought about this too for a while since I was also considering making some coins just for a bit of fun.
So it really bothers me that people can know the private keys on the coin. My naive solution to the problem would be to video tape literally every single step for private key generation, blur out the actual private keys when generating it and then show on camera that you completely destroy all private keys and any evidence of private keys.
y/n?
edit: and of course this also covers the case where the maker may just rip off the stickers after the video and then generate new private keys, since you can video the public key, and then verify that you are infact selling coins with the private keys you generated on camera.
hehe suckers Well I meant like from actual key generation where you blur it out from then till you print and you still blur it and burn/shred it. But yeah, it's way too labour intensive, but definitely a good way to be open.
|
█ █ █ █ █ █ █ █ █ █ █ █
|
█ █ █ █ █ █ █ █ █ █ █
| | BitBlender |
█ █ █ █ █ █ █ █ █ █ █ █
|
█ █ █ █ █ █ █ █ █ █ █ █
| |
█ █ █ █ █ █ █ █ █ █ █
| █ █ █ █ █ █ █ █ █ █ █
| |
|
|
|
|
dooglus
Legendary
Offline
Activity: 2940
Merit: 1333
|
|
April 25, 2015, 09:17:58 PM |
|
I've considered split key generation as well as printing encrypted keys sent by the buyer, however in the end either I or the buyer know the private key. Someone has to know the printed private key, so I'm curious as to the community's feelings on the matter. If you know of a way to fix the problem, that would be even better, but my hopes aren't especially high for that, so I guess I'm gauging which direction the community would wish I go.
How about the buyer and the manufacturer both generate keypairs. The buyer keeps his private key secret, the manufacturer prints both keys on the wallet, with the private key hidden under the tamper-proof device. Either the buyer or the manufacturer funds the address resulting from combining the two public keys, and the balance can only be spent by combining the two private keys. The buyer and manufacturer each only know one of the two private keys and so the balance is safe until the sticker is peeled off. The buyer can sell the wallet to a third party along with his private key. The new buyer can verify that the private key he is given corresponds to a public key that when combined with the public key printed on the wallet gives a funded address, and so can be sure that the wallet is funded, and that he will have exclusive access to the coins when he peels off the sticker. Does that work? Edit: the idea is based on how vanitygen allows you to outsource vanity address generation by providing your public key to someone running vanitygen for you. He can generate a private key that gives a pretty BTC address when combined with your own private key, without him ever knowing the private key for the pretty address he generates.
|
Just-Dice | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | Play or Invest | ██ ██████████ ██████████████████ ██████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████████████ ██████████████████████ ██████████████ ██████ | 1% House Edge |
|
|
|
SaltySpitoon (OP)
Legendary
Offline
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
|
|
April 25, 2015, 09:32:58 PM |
|
I've considered split key generation as well as printing encrypted keys sent by the buyer, however in the end either I or the buyer know the private key. Someone has to know the printed private key, so I'm curious as to the community's feelings on the matter. If you know of a way to fix the problem, that would be even better, but my hopes aren't especially high for that, so I guess I'm gauging which direction the community would wish I go.
How about the buyer and the manufacturer both generate keypairs. The buyer keeps his private key secret, the manufacturer prints both keys on the wallet, with the private key hidden under the tamper-proof device. Either the buyer or the manufacturer funds the address resulting from combining the two public keys, and the balance can only be spent by combining the two private keys. The buyer and manufacturer each only know one of the two private keys and so the balance is safe until the sticker is peeled off. The buyer can sell the wallet to a third party along with his private key. The new buyer can verify that the private key he is given corresponds to a public key that when combined with the public key printed on the wallet gives a funded address, and so can be sure that the wallet is funded, and that he will have exclusive access to the coins when he peels off the sticker. Does that work? Edit: the idea is based on how vanitygen allows you to outsource vanity address generation by providing your public key to someone running vanitygen for you. He can generate a private key that gives a pretty BTC address when combined with your own private key, without him ever knowing the private key for the pretty address he generates. I sent you a pm. The biggest problem I'm facing, is that the buyer wont have access to where the first private key would be located, so they can't include half of it themselves, unless they put it on the outside, which would be a vulnerability. In order to get to the keypair that I'd include, you have to physically destroy the piece. That is the security, and the reason why no stickers are needed.
|
|
|
|
Cryddit
Legendary
Offline
Activity: 924
Merit: 1132
|
|
April 27, 2015, 10:57:56 PM |
|
I have an interesting proposal.
When subjected to ultrasonic vibrations, subsurface stress patterns in metals can relax causing changes in the metal's surface shape. The most frequent application of this is in forensics labs recovering serial numbers from items whose cast or stamped serial numbers have been filed off but which have not subsequently been annealed or otherwise stress-released.
You could cast your coins with the secret key, then file it off lightly and send out the coins. If someone wants to actually spend the money, they drop it into a liquid bath with a piezoelectric crystal attached to an oscillator and leave it there for a day, then pull it out and they'll be able to read the secret key. But at this point the coin is "defaced" because the secret key shows. If they file it off again, stress cracks around the site will be visible. If they don't, then the buyer will be able to know that the secret key is revealed and therefore the coin is (overwhelming likelihood) de-funded.
I think this is more elegant than the hologram-stickers.
|
|
|
|
SaltySpitoon (OP)
Legendary
Offline
Activity: 2590
Merit: 2156
Welcome to the SaltySpitoon, how Tough are ya?
|
|
April 28, 2015, 06:47:43 AM |
|
I have an interesting proposal.
When subjected to ultrasonic vibrations, subsurface stress patterns in metals can relax causing changes in the metal's surface shape. The most frequent application of this is in forensics labs recovering serial numbers from items whose cast or stamped serial numbers have been filed off but which have not subsequently been annealed or otherwise stress-released.
You could cast your coins with the secret key, then file it off lightly and send out the coins. If someone wants to actually spend the money, they drop it into a liquid bath with a piezoelectric crystal attached to an oscillator and leave it there for a day, then pull it out and they'll be able to read the secret key. But at this point the coin is "defaced" because the secret key shows. If they file it off again, stress cracks around the site will be visible. If they don't, then the buyer will be able to know that the secret key is revealed and therefore the coin is (overwhelming likelihood) de-funded.
I think this is more elegant than the hologram-stickers.
That is such a cool idea, I'll look into that method and similar methods. I really appreciate the ideas everyone. Assuming best case senario, I could have prototypes finished in two weeks or so, although I doubt that nothing will go wrong, so I expect it will take longer. I'm not going to set any firm expected release date, as Id rather finish when complete, rather than when I need to meet expectations.
|
|
|
|
bithalo
Legendary
Offline
Activity: 1470
Merit: 1017
Star Wars Ep. 9 is here
|
|
May 02, 2015, 01:44:43 AM |
|
While I realize a lot of other sellers do holograms, and they aren't tamper-proof, I personally like the look of them. Without them, they feel more like mass-produced tokens.
|
|
|
|
jdebunt
Legendary
Offline
Activity: 1596
Merit: 1010
|
|
May 02, 2015, 10:40:44 AM |
|
While I realize a lot of other sellers do holograms, and they aren't tamper-proof, I personally like the look of them. Without them, they feel more like mass-produced tokens.
Have to agree with Bithalo here. Holograms give it a sense of "uniqueness", even though it is not the most secure solution. Then again, I personally buy coins from a collector's perspective, and they are never funded
|
|
|
|
bithalo
Legendary
Offline
Activity: 1470
Merit: 1017
Star Wars Ep. 9 is here
|
|
May 02, 2015, 01:09:57 PM |
|
While I realize a lot of other sellers do holograms, and they aren't tamper-proof, I personally like the look of them. Without them, they feel more like mass-produced tokens.
Have to agree with Bithalo here. Holograms give it a sense of "uniqueness", even though it is not the most secure solution. Then again, I personally buy coins from a collector's perspective, and they are never funded I also only collect physical bitcoins, not fund them for cold storage. If I were to do that, I would prefer a DIY, where I put my own keys behind a hologram. But for certain trusted members on the forum like salty, I would have no worries with them setting the private key should I fund them.
|
|
|
|
unamis76
Legendary
Offline
Activity: 1512
Merit: 1012
|
|
May 02, 2015, 05:19:51 PM |
|
I don't see any issues regarding pre-funding by the coin's creator, but I do understand SaltySpitoon issue. As it was said, the best way to avoid this situation is indeed a multisig address with two holograms, but I don't see that being really feasible for selling and/or reselling the coin. At least for now (unless the next Bitcoin Core client is released with some kind of a multisig GUI). Issuing physical cryptos requires trust: if one wants it funded, it requires us to trust the creator of the coin to give it value, on way or another, and I think it will always be like that That being said, I wouldn't definitely mind buying a pre-funded coin from a well trusted member of the community.
|
|
|
|
BG4
Legendary
Offline
Activity: 1006
Merit: 1024
PaperSafe
|
|
May 07, 2015, 08:16:34 PM Last edit: May 08, 2015, 09:36:40 AM by BG4 |
|
The most secure trusted way to create keys for physical coins is to get Satoshi to do it.....End User produced keyed coins have no resell value as a collectable. If your looking to get into producing collectable coins.....even untrusted producers can create keyed coins unfunded and leave it up to end users trust level of the producer if they want to fund them or not.... are you looking to produce a secure place for people to park their bitcoins or are you trying to produce a novelty collectable....IMO it's either one or the other...
|
|
|
|
watashi-kokoto
|
|
May 12, 2015, 02:55:12 PM |
|
will there be a DIY version of this physical bitcoin? perhaps construction like https://github.com/platecoin/platecoin? the maker's private key sticker can be sticked on side A, while the clerk generates key B in shop and puts it to the rectangular window near buyer, charge it and show him the transaction in blockchain. buyer only need to trust maker sticker. opinios?
|
|
|
|
|