So people are aware of physical coins with user chosen password security (against the manufacturer and people with unattended access to the stored coins).
The simplified explanation basically the user generates password x, proto-coin P=xG, the manufacturer generates pub key Q=yP so the full coin private key is z=x*y mod n. And manufacturer generates check value B=yG. Now the user can see xB==Q so he knows his password was used.
I gave a summary of the BIP 38 protocol here:
https://bitcointalk.org/index.php?topic=311000.msg3342217#msg3342217(basically they have to move some stuff around to incorporate scrypt password stretching, and store a salt on the card for you to prevent scrypt rainbow tables).
The BIP itself is confusingly hard to read
https://en.bitcoin.it/wiki/BIP_0038 but says the same thing as the above.
Now if you dont trust the manufacturer, and really you shouldnt, there remains a problem: they can grind your password becaue they know P = x*G. (And the fulls scheme includes a modest amount of scrypt KDF stretching to frustrate that). So that is easy to fix, use a computer generated random password, and print it out, put it in a safety deposit box with your bank.
But there is another risk: extortion risk, (or bad batch due to software or other screw up) the manufacturer follows the protocol but prints something else on the card eg y'=E_m(y) where m is a master key he owns.
To explain the motivation to protect against extortion: despite reputation risk for manufacturer on discovery: the manufacturer knows your street address and maybe has an idea you're thinking of the long term holding, and somehow knows you are Satoshi (or Winkelvoss or other big bitcoin holder) who is about to stash $100m of bitcoins physically for his grand children. The investor is distrusting so he doesnt just give them unprotected form to his lawyer, nor due to business continuity risk and doubts about operational security to exante, bitcoin trust etc. So if he wants to use physical coins there is a low redemption and reputation risk for the printer to attack the investor because its long term storage. Maybe they risk their business reputation for this once only low risk of discovery opportunity to attack $100m of bitcoins.
Or maybe you're just paranoid and dont trust casascius or bit-card to not screw up their processes, because its a lot of bitcoin, and yet you like the physical coins they produce and their tamper evidence against people with unattended access to the coin storage area.
(Obviously the investor can monitor the block chain for his address, the extortion attack comes into play much later, once the coin/card holder tries to redeem and finds the code is invalid and contacts the manufacturer. Maybe a rogue employee, long fired did it, or the manufacturer can plausibly claim so. In any case the news gets out, and the coin/card holder receives anonymous email demanding 10% of funds.)
Your protection so far is once in a while people get curious or decide to redeem a physical coin, peel off the hologram etc. If they cant redeem it they're going to be complaining loudly in the forums, so you're fairly sure it hasnt happened. (The casacius ones cost a bit so redemption is probably less common than the nominal cost bit-card ones).
But history of non-complaint is not a direct, personal proof that your physical coin is not from a bad batch, and actually has the private key printed on it. Maybe they should send you the sticker and you put it on yourself. However that has other problems - now you can peel stickers off high value coins, and empty them and have a new sticker. (Of course realistically anyone can print stickers, or do as in the demo of using a hypodermic needle and the right kind of solvent to get the sticker to slide off without damaging it
Anyway so using Chaum's cut-and-choose crypto protocol (but done manually with paper (or plastic/metal) wallets) you can fix the extort/bad-batch risk. Order 128 bit-card.de password protected bit-cards (or cascius coins). Shuffle them, pull out 64 of them. Peel the stickers off, check they are valid, throw them away. Or put 0.01btc on each of the 64 and give them to your children to validate & redeem with smartphone as a fun exercise.
Now take the remaining 64 cards scan the addresses, Q1,...Q64 and create a new address Q=Q1+...+Q64 the sum of them. Because of the permutations even with copy of Q (which is public on the block chain) if the manufacturer guessed your password (or just the bare private key if you didnt use the BIP38 password extension), he still cant compute your private key because there are C(128,64) > 2^128 permutations.
You also have assurance there is a 1/C(128,64) < 2^-128 that none of the cards you used is defective or bad because of the cut-and-choose argument and you verified the other 64.
Of course you could use smaller numbers eg C(80,40) > 2^76 but do remember that security of O(2^n) password plus O(2^k) has security O(2^n)+O(2^k) which is much less than O(2^(k+n)) so you cant rely much on the password, even if its really really good, it only adds 1-bit to security.
Its a bit complex so you'd have to practice there were no operational screw ups. Like scratching the QR code off too vigorously when scraping of the sticker glue so you can read the qr.
Or much simpler from operational mistakes, just use armory's upcoming k of n (optionally printer secure) paper wallets with no passwords.
The bit-card approach has the arguable advantage that an internal threat the bank with your safety deposit box cant as easily see your private key without creating evidence with the tamper evident sticker. Its like being able to use the fancy printing technology they have and tamper evidence, but without trusting them due to Chaum's cut and choose, and it might be more durable than paper. Probably inkjets are not a good plan due to damp bleed. And you want color fast ink pen for the handwritten printed secure code.
Adam
