Coming Very Soon, a real Bitcoin you can hold! (and is worth 1 BTC)

[mpfrank]

I like this idea very much, I mentioned it in my blog (http://minetopics.blogspot.com/2011/09/lets-get-physical.html) and I will probably order some coins from you soon to show off to friends.

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.

A more serious risk, it seems to me (from the user's perspective) is:  How do we know that it's not the case that you are keeping copies of ALL the private keys for yourself, and, once there are (say) 100,000 of these coins in circulation that haven't had their values removed yet, maybe your plan is to quickly exchange the BTC backing all those coins for some other currency, and disappear?

I'm not saying it is a particularly likely scenario, and I personally have no particular inclination to suspect you of this, but I'm just saying it is a possibility that can't be eliminated from users' minds, unless you subjected your entire coin-making operation to continuous, detailed scrutiny by some trusted third-party auditors.  Or, if you were a company with numerous publicly-known officers that would be subject to prosecution in such an event, then that might generate more trust in your system.  But, as just a single individual, you might all-too-easily just grab all the loot one day, slip away, & hightail it to Rio.

Many people (myself included) may be willing to take that risk for the convenience of carrying around a little BTC-valued pocket change, but, I have a feeling nobody is going to be filling bank vaults with this stuff, at least not until it's made more accountable than a private one-man operation can be...

But, I think it's cool anyway... Kudos on the professional design work.

-Mike

[1714931680]

1714931680

[1714931680]

1714931680

[1714931680]

1714931680

[zhoutong]

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

[mpfrank]

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Yeah, but look:  Let's say that 100,000 of these things get made and used by thousands of people over a period of years and years, with a good number of those coins getting redeemed by random people, and there is never a report of someone trying to redeem a coin only to find that someone else had already redeemed another coin with the same code.

In that case, then I can probably be at least 99% certain that there are no duplicates already in circulation of a coin I receive - since, statistically speaking, if as many as 1% of all coins were non-unique, and if (say) 10,000 of the 100,000 coins issued had already been redeemed, then you'd expect that several cases of duplicate coins would already have been found and reported.  (On average, 100 of the 10,000 coins already redeemed would have had duplicates, and ~10 of those 100 duplicates would be included among the 10% of coins already redeemed - so the fraud would have already been caught.)

So, once these things have been out there in circulation a while, there's no need for the person accepting them to have 100% proof that there's no duplicates already in circulation - the lack of any reports of problems from other users would be proof enough.

This statistical analysis doesn't, however, address the scenario I mentioned, wherein the issuer is planning to steal the value of all coins at once in a "Grand Theft" scenario.

[BkkCoins]

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Without P2P?
Without the network there is no Bitcoin. There is no value for anyone if the network goes down.
It all spontaneously vanishes.

In the meantime you can always check the address for it's value without ruining the coin or redeeming it.

[zhoutong]

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Yeah, but look:  Let's say that 100,000 of these things get made and used by thousands of people over a period of years and years, with a good number of those coins getting redeemed by random people, and there is never a report of someone trying to redeem a coin only to find that someone else had already redeemed another coin with the same code.

In that case, then I can probably be at least 99% certain that there are no duplicates already in circulation of a coin I receive - since, statistically speaking, if as many as 1% of all coins were non-unique, and if (say) 10,000 of the 100,000 coins issued had already been redeemed, then you'd expect that several cases of duplicate coins would already have been found and reported.  (On average, 100 of the 10,000 coins already redeemed would have had duplicates, and ~10 of those 100 duplicates would be included among the 10% of coins already redeemed - so the fraud would have already been caught.)

So, once these things have been out there in circulation a while, there's no need for the person accepting them to have 100% proof that there's no duplicates already in circulation - the lack of any reports of problems from other users would be proof enough.

This statistical analysis doesn't, however, address the scenario I mentioned, wherein the issuer is planning to steal the value of all coins at once in a "Grand Theft" scenario.

What if I'm a major merchant and I duplicate all the coins I accepted and save them secretly and only spend the duplicated ones? Then maybe I can redeem them all at once.

I don't have to be the issuer to be the Grand Theft, as long as I can manufacture myself without anyone else knowing.

[mpfrank]

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Yeah, but look:  Let's say that 100,000 of these things get made and used by thousands of people over a period of years and years, with a good number of those coins getting redeemed by random people, and there is never a report of someone trying to redeem a coin only to find that someone else had already redeemed another coin with the same code.

In that case, then I can probably be at least 99% certain that there are no duplicates already in circulation of a coin I receive - since, statistically speaking, if as many as 1% of all coins were non-unique, and if (say) 10,000 of the 100,000 coins issued had already been redeemed, then you'd expect that several cases of duplicate coins would already have been found and reported.  (On average, 100 of the 10,000 coins already redeemed would have had duplicates, and ~10 of those 100 duplicates would be included among the 10% of coins already redeemed - so the fraud would have already been caught.)

So, once these things have been out there in circulation a while, there's no need for the person accepting them to have 100% proof that there's no duplicates already in circulation - the lack of any reports of problems from other users would be proof enough.

This statistical analysis doesn't, however, address the scenario I mentioned, wherein the issuer is planning to steal the value of all coins at once in a "Grand Theft" scenario.

What if I'm a major merchant and I duplicate all the coins I accepted and save them secretly and only spend the duplicated ones? Then maybe I can redeem them all at once.

I don't have to be the issuer to be the Grand Theft, as long as I can manufacture myself without anyone else knowing.

I've been assuming that they're difficult to counterfeit due to the way the hologram is made.  If that's not the case, then of course you are right.

[zhoutong]

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Without P2P?
Without the network there is no Bitcoin. There is no value for anyone if the network goes down.
It all spontaneously vanishes.

In the meantime you can always check the address for it's value without ruining the coin or redeeming it.

Of course I can check, but checking doesn't guarantee uniqueness. Our coins are unique because of P2P, but physical bitcoins can't be connected.

When I accept a physical bitcoin, I need to make sure no one else has it. If the OP can get the hologram for 0.15 BTC, I can take over the company the makes the hologram and do the same too.

[Stephen Gornick]

When I accept a physical bitcoin, I need to make sure no one else has it.

I a willing to trust as secure the manufacturer's processes and the distribution of the coins that were shipped to me.  If I were to resell a batch of these the buyer would be trusting me as well as the manufacturer, etc.  

Perhaps simply a register or log of assignments is necessary.   For instance, Casascius creates a signed message for each physical coin (its address) asserting that it was sold to me (to my gpg public key).  When I sell one, I sign a message including the previous assignment and assert that I sold it and to whom (to the next party's public key).   And so on, for each sale.

So then when considering buying these physical bitcoins from a third party seller, the buyer can weigh whether or not all previous owners are trustworthy enough to feel comfortable that the bitcoin is truly authentic.  Think WingCash ( http://bitcointalk.org/?topic=4232.0 ) meets Bitcoin.

This ruins anonymity, though I suppose a party in the chain could remain pseudonymous -- just that I don't know how trusted the pseudonymous participants would be.

[Update: Or, can the model that namecoin offers, w/dot-bit offer something here?]

[casascius]

Either way, in this particular case, trust in the manufacturer is required.  I could just as easily make a physical bitcoin with a duplicate private key as one with no private key (except perhaps for the fact that I only got each address printed on each hologram once).

I sincerely hope that someone makes a bigger, better, badder, more secure, more auditable, more everything physical bitcoin (and cheaper, too).  As Bitcoin gets bigger, that's bound to happen.  Practically speaking, Casascius physical bitcoins get used right now mainly as all of the following:

• A collector's item.
• A low-cost gift (for the buyer) worth saving (for the recipient) because one day it may well be worth a ton.
• An appealing way to bring up the topic of Bitcoin with people who don't care about otherwise "imaginary" currency.
• A way for people who trust each other, one who has lots of Casascius coins and the other who doesn't, to settle some small debt (like paying for lunch) in a fun way.
• A proof of concept to the world, that bitcoins don't have to be intangible.
• A way to get otherwise uninterested people thinking about how the internals of Bitcoin really work... "so what you're saying... there's a code in here, and you call that a private key?"
• And finally, a few get torn apart just out of curiosity and to test the redemption process.

At this point, I bet very few get "spent" in the arms-length process where the recipient thinks very little of bitcoin other than just another kind of dollar.  Physical bitcoins get traded nowadays only among people who know each other's name, possibly because the spender paid a premium to acquire the coin and isn't eager to give it to someone who won't appreciate that or compensate them for it.  In an environment where trading partners generally know one another, passing counterfeits or duplicates or scams is arguably harder than making them.

[mpfrank]

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Without P2P?
Without the network there is no Bitcoin. There is no value for anyone if the network goes down.
It all spontaneously vanishes.

In the meantime you can always check the address for it's value without ruining the coin or redeeming it.

Of course I can check, but checking doesn't guarantee uniqueness. Our coins are unique because of P2P, but physical bitcoins can't be connected.

When I accept a physical bitcoin, I need to make sure no one else has it. If the OP can get the hologram for 0.15 BTC, I can take over the company the makes the hologram and do the same too.

I understand, and yes if they can be easily counterfeited it is a problem, but I still think you're making too big a deal about the physicality of the coins.  That isn't really the issue - since ALL information is, ultimately, physical.  The coins' state of disconnectedness from the network isn't really the issue either.  The P2P system, by itself, doesn't do anything special to ensure uniqueness of the key that any given Bitcoin is associated with.  Even with conventional "all electronic" Bitcoins, there is no way to know for sure that a given Bitcoin's private key (even one you made yourself!) is truly unique, UNLESS you are 100% confident that no one other than yourself ever had access to that key from the moment the keypair was first created, and that either it was originally generated using a secure source of random numbers that couldn't be eavesdropped on in some way, or else by using a long passphrase (which only you know) as a random seed.

All that the P2P system does is to ensure that you can't transfer the same coins from a given account more than once, and have both transactions finally accepted by the network.  But, whether the destination account's private-key details are stored in a physical coin or on a hard drive (or in your head!) is really a completely separate from the issue of whether another copy of those details exists (or can be regenerated) somewhere else - which the P2P network itself does nothing to ensure.  Even if the only way to get the key is to regenerate it from a passphrase in your head, you could always mumble it in your sleep, and someone could overhear you, and then make another copy of your key & spend your coins before you ever get the chance.  

I think the real issue here is that the keypairs themselves are being generated by a third party, rather than by a client on your own computer.  Any time that's the case, no matter in what form the keys are delivered to you, you can't be sure the sender didn't keep a copy!  Whether they deliver the key details to you in a coin or on a USB drive or over an https connection has nothing to do with the question of whether they kept a copy of it for themselves.

On the plus side, anyone who is nervous about Casascius coins is always free to resell them, or to immediately take them apart and  transfer their value elsewhere... So there isn't really all that much risk of theft here, unless you plan to hold onto a lot of Casascius coins in their original form for a long time.  So I don't think most vendors would have a problem accepting them - especially if they can verify the balance on a smartphone by keying in the firstbits...

[Adult BTC]

The website seems down.

[nhodges]

The website seems down.

https://bitcointalk.org/index.php?topic=41892.msg544974#msg544974

It will probably be down for several more hours.

[casascius]

It's up now, the issue has been taken care of.  (that's what I get for running this from home =) )