Bitcoin Forum
November 19, 2024, 12:33:04 AM *
News: Check out the artwork 1Dq created to commemorate this forum's 15th anniversary
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Casascius 2-Factor Physical Bitcoin  (Read 4694 times)
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
November 01, 2012, 06:14:35 AM
 #1

I'm pleased to announce the creation of the first Casascius 2-factor Physical Bitcoin.

Info about it is on my website.  I am posting in the Bitcoin Discussion topic because I'm interested in discussing the practicality of this as an idea, more so than the existence of this as a "product for sale".  Most people aren't going to buy it - it is priced out of reach for most buyers mainly due to the overhead in customizing each one, but might make a lot of sense for an institutional buyer of bitcoins who needs an idiot-proof way to store a lot of bitcoins in a vault, or someone who wanted to buy a batch of them.


Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
panda1
Full Member
***
Offline Offline

Activity: 187
Merit: 100


View Profile
November 01, 2012, 06:17:56 AM
 #2

This is pretty cool!
caffeinewriter
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500



View Profile
November 01, 2012, 08:14:58 AM
 #3

With all the scams lately, this new two-factor implementation should help return trust to some parts of Bitcoin where it's been lost.

Mike Hearn
Legendary
*
Offline Offline

Activity: 1526
Merit: 1134


View Profile
November 01, 2012, 09:46:57 AM
 #4

Hmm, why are you doing stuff with EC math directly rather than using OP_CHECKMULTISIG? The latter is much easier to verify as correct.
phatsphere
Hero Member
*****
Offline Offline

Activity: 763
Merit: 500


View Profile
November 01, 2012, 11:24:09 AM
 #5

clickable link: https://www.casascius.com/2factor/
Ente
Legendary
*
Offline Offline

Activity: 2126
Merit: 1001



View Profile
November 01, 2012, 11:50:15 AM
 #6

I'm pleased to announce the creation of the first Casascius 2-factor Physical Bitcoin.

Info about it is on my website.  I am posting in the Bitcoin Discussion topic because I'm interested in discussing the practicality of this as an idea, more so than the existence of this as a "product for sale".  Most people aren't going to buy it - it is priced out of reach for most buyers mainly due to the overhead in customizing each one, but might make a lot of sense for an institutional buyer of bitcoins who needs an idiot-proof way to store a lot of bitcoins in a vault, or someone who wanted to buy a batch of them.



I like it!
The concept is nice, surely with a lot of possibilities!

So, to simplify and sum up:
- You receive the public key pub1 from your customer. He keeps his corresponding private key priv1 secret
- You generate public key pub3, and engrave/laser/print it onto the coin
- You insert the private key priv2 into the coin

- Customer may create the corresponding priv3 which belongs to pub3, if he knows priv1 (which he created) and priv2 (which is in the coin)

So the customer still has to secure a piece of paper (with priv1) somewhere.
What exactly is the benefit of the coin? You lose the printout, you lose it all. Just like before, when people may use a paperwallet.
The benefit of the original Casascius coin was, for me, to have the funds in a, well, coin? Which may or may not be more robust and easy to lose than a printout..

Don't get me wrong, I am still wrapping my mind around this! I see it as a tool, a concept, where many great things can evolve from!

Ente

AfricanHunter
Full Member
***
Offline Offline

Activity: 157
Merit: 103


View Profile
November 01, 2012, 12:41:45 PM
 #7

Can you post a picture front/back of the 10BTC silver coin with 1oz of silver? Who mints the silver?

Thinking about doing business with johnniewalkerhttps://bitcointalk.org/index.php?action=profile;u=72227?
First read this thread https://bitcointalk.org/index.php?topic=131841.0

Also, Join the National Rifle Association to protect 2nd Amendment Rights http://membership.nrahq.org/default.asp?campaignid=XR020022
adamas
Legendary
*
Offline Offline

Activity: 1017
Merit: 1003


VIS ET LIBERTAS


View Profile WWW
November 01, 2012, 01:06:16 PM
 #8

I downloaded the btcaddress utility but I dont see how to use the keycombiner. There is a source.zip file in the main btcaddress.zip
Do i have to unpack both in the same folder? How to start the combiner?

"Es ist kein Zeichen geistiger Gesundheit, gut angepasst an eine kranke Gesellschaft zu sein."
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
November 01, 2012, 01:10:10 PM
Last edit: November 01, 2012, 02:12:54 PM by casascius
 #9

Hmm, why are you doing stuff with EC math directly rather than using OP_CHECKMULTISIG? The latter is much easier to verify as correct.

Is there a way that's easier for the non-technical buyer to verify as correct?  Last time I revisited multisig transactions, they had to be constructed in hexadecimal using bitcoind and RPC calls, but I could be behind the times on this.  The buyer sophisticated enough to do this may well just manage his own wallet - the imagined typical buyer for an item like this is non-technical and prefers to have some sort of legal recourse that it performs as expected and then trust me in that respect.

The non-technical buyer has the option to verify that my public key times his private key also yields the same bitcoin address with my utility.

I agree that multisig is fundamentally better - it adds ways to take away the possibility that he gets scammed by malware while combining his two keys and allows outsourcing of part of the process without compromising security.

What exactly is the benefit of the coin? You lose the printout, you lose it all. Just like before, when people may use a paperwallet.
The benefit of the original Casascius coin was, for me, to have the funds in a, well, coin? Which may or may not be more robust and easy to lose than a printout..

This is more a functional proof of concept.

Here might be a perfect prototypical use:  A charity wants to accept bitcoin donations, but the executives or controller don't want to delegate any ability to touch or handle money, but also aren't technically oriented.  They shove a 2-factor physical coin in the safe and publish the address as the "we accept bitcoins" donation address, not wanting to deal with any technical challenges involved in accepting Bitcoins today, but aware that if they start receiving large donations on it, they know they can figure out a way to get them off (even if it's sending it via overnight courier to FastCash4Bitcoins or BitPay and getting money in their bank).  In their mind, they're buying a pre-made bitcoin "account".

If I were to produce a presentation box for this bar (sort of like I have for the silver coins) where the box itself had a slot for the piece of paper, then keeping them together would be much more sensible.  Ditto if I were to make a new version of the piece that fit the profile of an off-the-shelf presentation box (e.g. something in the form factor of my silver coin, but made of cheaper gold-plated metal like my 25BTC coin, where the user could stuff that extra piece of paper into the acrylic capsule).  In such an event, I could provide the utility that pre-printed THEIR private key on a round piece of paper they cut out and shove into the capsule, or try to provide for others to do the same (e.g. get BitAddress to add private QR code to the vanity page so a buyer could cut it out).

Finally there is no reason their private key even has to be a randomly generated key.  It could be a password/passphrase turned into a private key with a very expensive KDF.  Since redeeming the bar is a once-in-a-blue-moon event, the KDF could be chosen to need seconds or minutes to run, providing reasonable security even without requiring brainwallet-quality passphrases.  (the space of potential attackers is pretty small - 1 - me)

I downloaded the btcaddress utility but I dont see how to use the keycombiner. There is a source.zip file in the main btcaddress.zip
Do i have to unpack both in the same folder? How to start the combiner?

It's in btcaddress-alpha.zip.  btcaddress.zip is a more stable release lacking this functionality.  I'd like to do some more testing on it before seriously telling people "go put 1000's of BTC's on an address relying on the output of this mostly untested program".

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
TangibleCryptography
Sr. Member
****
Offline Offline

Activity: 476
Merit: 250


Tangible Cryptography LLC


View Profile WWW
November 01, 2012, 01:13:29 PM
Last edit: November 01, 2012, 04:36:23 PM by TangibleCryptography
 #10

What exactly is the benefit of the coin? You lose the printout, you lose it all. Just like before, when people may use a paperwallet.  The benefit of the original Casascius coin was, for me, to have the funds in a, well, coin? Which may or may not be more robust and easy to lose than a printout..

Don't get me wrong, I am still wrapping my mind around this! I see it as a tool, a concept, where many great things can evolve from!

Maybe the next version can have two spots on the 'physical token' to secure the two halves of the partial key?  Another option would be
to use two physical tokens so they can be separated.  Imagine two similar bars but each one clearly marked a Partial Key A and Partial Key B.  If you want to get fancy it could even have a artistic design spread across both bars.  Put the two bars in separate locations and it would require compromise of both locations for the thief to gain access to funds.  Since each half bar is worthless by itself maybe include a "REWARD IF FOUND - No questions asked Call 1-800-xxx-xxxx for more information" stamped on the back of the token.


Nice to see casascius is still innovating!  Keep up the good work casascius.
phatsphere
Hero Member
*****
Offline Offline

Activity: 763
Merit: 500


View Profile
November 01, 2012, 01:25:02 PM
 #11

maybe, you could make a spot for a second hologram sticker and send this sticker separately (maybe, a 2x5cm stripe). then, the receiver could print and attach the private key by him/her self.
TangibleCryptography
Sr. Member
****
Offline Offline

Activity: 476
Merit: 250


Tangible Cryptography LLC


View Profile WWW
November 01, 2012, 01:33:59 PM
 #12

maybe, you could make a spot for a second hologram sticker and send this sticker separately (maybe, a 2x5cm stripe). then, the receiver could print and attach the private key by him/her self.

I don't think Casascius would want to provide a second hologram.  The hologram is an assurance that only Casascius had access to the private key.  If you trust the hologram is authentic/untampered and you trust Casascius then you can trust the security of the key.  It should never be affixed to any key that Casascius can't "guarantee".

A scammer could put a fake key (or no key at all) under the hologram and try to resell the brick to an unsuspecting customer.  The combined public key will show the brick is funded but the new customer won't have access to them and the scammer could then ransom the real private key.  

One option would be to leave a standard label height stripe indentation that is long enough for a label with private key to fit.  Customer could then print the second "half-key" on a normal label printer and affix it to the brick.  Technically customer could do this now it would just look a little more professional.
BitPay Business Solutions
Hero Member
*****
Offline Offline

Activity: 742
Merit: 500


View Profile WWW
November 01, 2012, 02:07:38 PM
 #13

nice work Mike.  great idea!

BitPay : The World Leader in Bitcoin Business Solutions

https://bitpay.com

Does your website accept bitcoins?
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
November 01, 2012, 03:51:02 PM
 #14

Here is an example of how I could do it with an existing coin: by laser engraving on the hologram itself.



The private key paper would go in the presentation box.  I could tweak my banknote printer to print special artwork for this purpose, and print the pubkey on the left side in place of the bitcoin address.  As you can see in my example, I just put one of my existing printable banknotes in there just as a demonstration.

The inner surfaces of the presentation boxes actually come out, and they are hollow inside, making it very easy to wedge documents in the void spaces.  Also, I can laser-engrave information on the acrylic capsule itself, such as the casascius.com/2factor URL.

This may not make huge sense on a 10 BTC silver coin, but on a 1000 BTC gold coin it makes a LOT of sense, and I'm willing to throw the 2nd factor in to the price (gold coin is already custom work as it is).

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
adamstgBit
Legendary
*
Offline Offline

Activity: 1904
Merit: 1037


Trusted Bitcoiner


View Profile WWW
November 01, 2012, 04:15:19 PM
 #15

bravo!

your products truly are exceptional Smiley

caffeinewriter
Hero Member
*****
Offline Offline

Activity: 532
Merit: 500



View Profile
November 01, 2012, 04:31:24 PM
 #16

Here is an example of how I could do it with an existing coin: by laser engraving on the hologram itself.



The private key paper would go in the presentation box.  I could tweak my banknote printer to print special artwork for this purpose, and print the pubkey on the left side in place of the bitcoin address.  As you can see in my example, I just put one of my existing printable banknotes in there just as a demonstration.

The inner surfaces of the presentation boxes actually come out, and they are hollow inside, making it very easy to wedge documents in the void spaces.  Also, I can laser-engrave information on the acrylic capsule itself, such as the casascius.com/2factor URL.

This may not make huge sense on a 10 BTC silver coin, but on a 1000 BTC gold coin it makes a LOT of sense, and I'm willing to throw the 2nd factor in to the price (gold coin is already custom work as it is).


I just cried a little. That coin is beautiful!

Mushroomized
Legendary
*
Offline Offline

Activity: 1470
Merit: 1002


Hello!


View Profile
November 01, 2012, 05:10:14 PM
 #17

Very nice dude

hi
deadserious
Full Member
***
Offline Offline

Activity: 121
Merit: 102



View Profile
November 01, 2012, 05:39:24 PM
 #18

Is this technically 2-factor?  It seems to me to simply be two of the same factor.

Or am I missing something...
Roger_Murdock
Sr. Member
****
Offline Offline

Activity: 342
Merit: 250



View Profile
November 01, 2012, 06:00:17 PM
 #19

Another option would be to use two physical tokens so they can be separated.  Imagine two similar bars but each one clearly marked a Partial Key A and Partial Key B.  If you want to get fancy it could even have a artistic design spread across both bars.

You know those pairs of necklaces where the two pendants fit together to form a heart that says "Best Friends"? Who doesn't love those? I think that should be the model.
TTBit
Legendary
*
Offline Offline

Activity: 1137
Merit: 1001


View Profile
November 01, 2012, 06:34:12 PM
 #20

Why is this better than me sending you a bitcoin address to send coins to? I still have to keep the privkey

good judgment comes from experience, and experience comes from bad judgment
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!