Casascius 2-Factor Physical Bitcoin

[casascius]

I'm pleased to announce the creation of the first Casascius 2-factor Physical Bitcoin.

Info about it is on my website.  I am posting in the Bitcoin Discussion topic because I'm interested in discussing the practicality of this as an idea, more so than the existence of this as a "product for sale".  Most people aren't going to buy it - it is priced out of reach for most buyers mainly due to the overhead in customizing each one, but might make a lot of sense for an institutional buyer of bitcoins who needs an idiot-proof way to store a lot of bitcoins in a vault, or someone who wanted to buy a batch of them.

[panda1]

This is pretty cool!

[caffeinewriter]

With all the scams lately, this new two-factor implementation should help return trust to some parts of Bitcoin where it's been lost.

[Mike Hearn]

Hmm, why are you doing stuff with EC math directly rather than using OP_CHECKMULTISIG? The latter is much easier to verify as correct.

[phatsphere]

clickable link: https://www.casascius.com/2factor/

[Ente]

I'm pleased to announce the creation of the first Casascius 2-factor Physical Bitcoin.

Info about it is on my website.  I am posting in the Bitcoin Discussion topic because I'm interested in discussing the practicality of this as an idea, more so than the existence of this as a "product for sale".  Most people aren't going to buy it - it is priced out of reach for most buyers mainly due to the overhead in customizing each one, but might make a lot of sense for an institutional buyer of bitcoins who needs an idiot-proof way to store a lot of bitcoins in a vault, or someone who wanted to buy a batch of them.

I like it!
The concept is nice, surely with a lot of possibilities!

So, to simplify and sum up:
- You receive the public key pub1 from your customer. He keeps his corresponding private key priv1 secret
- You generate public key pub3, and engrave/laser/print it onto the coin
- You insert the private key priv2 into the coin

- Customer may create the corresponding priv3 which belongs to pub3, if he knows priv1 (which he created) and priv2 (which is in the coin)

So the customer still has to secure a piece of paper (with priv1) somewhere.
What exactly is the benefit of the coin? You lose the printout, you lose it all. Just like before, when people may use a paperwallet.
The benefit of the original Casascius coin was, for me, to have the funds in a, well, coin? Which may or may not be more robust and easy to lose than a printout..

Don't get me wrong, I am still wrapping my mind around this! I see it as a tool, a concept, where many great things can evolve from!

Ente

[AfricanHunter]

Can you post a picture front/back of the 10BTC silver coin with 1oz of silver? Who mints the silver?

[adamas]

I downloaded the btcaddress utility but I dont see how to use the keycombiner. There is a source.zip file in the main btcaddress.zip
Do i have to unpack both in the same folder? How to start the combiner?

[casascius]

Hmm, why are you doing stuff with EC math directly rather than using OP_CHECKMULTISIG? The latter is much easier to verify as correct.

Is there a way that's easier for the non-technical buyer to verify as correct?  Last time I revisited multisig transactions, they had to be constructed in hexadecimal using bitcoind and RPC calls, but I could be behind the times on this.  The buyer sophisticated enough to do this may well just manage his own wallet - the imagined typical buyer for an item like this is non-technical and prefers to have some sort of legal recourse that it performs as expected and then trust me in that respect.

The non-technical buyer has the option to verify that my public key times his private key also yields the same bitcoin address with my utility.

I agree that multisig is fundamentally better - it adds ways to take away the possibility that he gets scammed by malware while combining his two keys and allows outsourcing of part of the process without compromising security.

What exactly is the benefit of the coin? You lose the printout, you lose it all. Just like before, when people may use a paperwallet.
The benefit of the original Casascius coin was, for me, to have the funds in a, well, coin? Which may or may not be more robust and easy to lose than a printout..

This is more a functional proof of concept.

Here might be a perfect prototypical use:  A charity wants to accept bitcoin donations, but the executives or controller don't want to delegate any ability to touch or handle money, but also aren't technically oriented.  They shove a 2-factor physical coin in the safe and publish the address as the "we accept bitcoins" donation address, not wanting to deal with any technical challenges involved in accepting Bitcoins today, but aware that if they start receiving large donations on it, they know they can figure out a way to get them off (even if it's sending it via overnight courier to FastCash4Bitcoins or BitPay and getting money in their bank).  In their mind, they're buying a pre-made bitcoin "account".

If I were to produce a presentation box for this bar (sort of like I have for the silver coins) where the box itself had a slot for the piece of paper, then keeping them together would be much more sensible.  Ditto if I were to make a new version of the piece that fit the profile of an off-the-shelf presentation box (e.g. something in the form factor of my silver coin, but made of cheaper gold-plated metal like my 25BTC coin, where the user could stuff that extra piece of paper into the acrylic capsule).  In such an event, I could provide the utility that pre-printed THEIR private key on a round piece of paper they cut out and shove into the capsule, or try to provide for others to do the same (e.g. get BitAddress to add private QR code to the vanity page so a buyer could cut it out).

Finally there is no reason their private key even has to be a randomly generated key.  It could be a password/passphrase turned into a private key with a very expensive KDF.  Since redeeming the bar is a once-in-a-blue-moon event, the KDF could be chosen to need seconds or minutes to run, providing reasonable security even without requiring brainwallet-quality passphrases.  (the space of potential attackers is pretty small - 1 - me)

I downloaded the btcaddress utility but I dont see how to use the keycombiner. There is a source.zip file in the main btcaddress.zip
Do i have to unpack both in the same folder? How to start the combiner?

It's in btcaddress-alpha.zip.  btcaddress.zip is a more stable release lacking this functionality.  I'd like to do some more testing on it before seriously telling people "go put 1000's of BTC's on an address relying on the output of this mostly untested program".

[TangibleCryptography]

What exactly is the benefit of the coin? You lose the printout, you lose it all. Just like before, when people may use a paperwallet.  The benefit of the original Casascius coin was, for me, to have the funds in a, well, coin? Which may or may not be more robust and easy to lose than a printout..

Don't get me wrong, I am still wrapping my mind around this! I see it as a tool, a concept, where many great things can evolve from!

Maybe the next version can have two spots on the 'physical token' to secure the two halves of the partial key?  Another option would be
to use two physical tokens so they can be separated.  Imagine two similar bars but each one clearly marked a Partial Key A and Partial Key B.  If you want to get fancy it could even have a artistic design spread across both bars.  Put the two bars in separate locations and it would require compromise of both locations for the thief to gain access to funds.  Since each half bar is worthless by itself maybe include a "REWARD IF FOUND - No questions asked Call 1-800-xxx-xxxx for more information" stamped on the back of the token.


Nice to see casascius is still innovating!  Keep up the good work casascius.

[phatsphere]

maybe, you could make a spot for a second hologram sticker and send this sticker separately (maybe, a 2x5cm stripe). then, the receiver could print and attach the private key by him/her self.

[TangibleCryptography]

maybe, you could make a spot for a second hologram sticker and send this sticker separately (maybe, a 2x5cm stripe). then, the receiver could print and attach the private key by him/her self.

I don't think Casascius would want to provide a second hologram.  The hologram is an assurance that only Casascius had access to the private key.  If you trust the hologram is authentic/untampered and you trust Casascius then you can trust the security of the key.  It should never be affixed to any key that Casascius can't "guarantee".

A scammer could put a fake key (or no key at all) under the hologram and try to resell the brick to an unsuspecting customer.  The combined public key will show the brick is funded but the new customer won't have access to them and the scammer could then ransom the real private key.  

One option would be to leave a standard label height stripe indentation that is long enough for a label with private key to fit.  Customer could then print the second "half-key" on a normal label printer and affix it to the brick.  Technically customer could do this now it would just look a little more professional.

[BitPay Business Solutions]

nice work Mike.  great idea!

[casascius]

Here is an example of how I could do it with an existing coin: by laser engraving on the hologram itself.



The private key paper would go in the presentation box.  I could tweak my banknote printer to print special artwork for this purpose, and print the pubkey on the left side in place of the bitcoin address.  As you can see in my example, I just put one of my existing printable banknotes in there just as a demonstration.

The inner surfaces of the presentation boxes actually come out, and they are hollow inside, making it very easy to wedge documents in the void spaces.  Also, I can laser-engrave information on the acrylic capsule itself, such as the casascius.com/2factor URL.

This may not make huge sense on a 10 BTC silver coin, but on a 1000 BTC gold coin it makes a LOT of sense, and I'm willing to throw the 2nd factor in to the price (gold coin is already custom work as it is).

[adamstgBit]

bravo!

your products truly are exceptional

[caffeinewriter]

Here is an example of how I could do it with an existing coin: by laser engraving on the hologram itself.



The private key paper would go in the presentation box.  I could tweak my banknote printer to print special artwork for this purpose, and print the pubkey on the left side in place of the bitcoin address.  As you can see in my example, I just put one of my existing printable banknotes in there just as a demonstration.

The inner surfaces of the presentation boxes actually come out, and they are hollow inside, making it very easy to wedge documents in the void spaces.  Also, I can laser-engrave information on the acrylic capsule itself, such as the casascius.com/2factor URL.

This may not make huge sense on a 10 BTC silver coin, but on a 1000 BTC gold coin it makes a LOT of sense, and I'm willing to throw the 2nd factor in to the price (gold coin is already custom work as it is).

I just cried a little. That coin is beautiful!

[Mushroomized]

Very nice dude

[deadserious]

Is this technically 2-factor?  It seems to me to simply be two of the same factor.

Or am I missing something...

[Roger_Murdock]

Another option would be to use two physical tokens so they can be separated.  Imagine two similar bars but each one clearly marked a Partial Key A and Partial Key B.  If you want to get fancy it could even have a artistic design spread across both bars.

You know those pairs of necklaces where the two pendants fit together to form a heart that says "Best Friends"? Who doesn't love those? I think that should be the model.

[TTBit]

Why is this better than me sending you a bitcoin address to send coins to? I still have to keep the privkey