Hi,
after having spent a sleepless night reading this complete thread, and more about physical bitcoins, I would give some feedback and suggestions for improvement, in some short statements:
1.)
Great idea to make bitcoins "physical" the way casascius does it - it helps spreading the word to the world, showing bitcoins to friends and making them curious, making gifts to nieces and nephews etc. Considering the fact that 100s of 1000s of years of evolution of home sapiens sapiens has created a brains that is still a lot more attached to tangible things than abstract things.
1.b) Interesting to realize that in FIAT money world as well as in gold-backed money, digital money is (supposed to be) backed by physical money (note that the electronic demand deposits in your banks are no official legal tender - only physical coins and bills are), whereas in bitcoin world it is the other way round - the physical
casascius coins (and alike) are backed by a digital "commodity".
2) Some improvement proposals for casascius.com web site:
2.a) Include a register with
photos of front and back side of each kind of coin (1, 5, 10, 25 btc , etc.) that is for sale or that is in circulation, possibly also of different versions like v1, v2, etc. (it certainly does not have to be as sophisticated as "
http://www.muenzkatalog-online.de"
)
I have seen much better photos on the forum than on the casascius website.
2.b) Include
photos of an original hologram as opposed to an
opened hologram (with the visible honeycomb structure) - I have seen one such a photo in the forum and it was quite meaningful to me.
2.c) Include full information of
weight, size (diameter and thickness) and material(s) of each coin. I can only see information in the linked page "
http://casascius.appspot.com/", but this seems to be not entirely correct and also not complete, e.g. it states that 1 BTC and 5 BTC coins are both 0.24 ounces which appears to be in contradiction to the fact that 1 btc coins are thinner than 5 btc coins, as I read somewhere in this forum. (Side note from the "metric world": Non-US customers like myself are completely unused to "inch" units. Ok, I know 1 inch=2.54 cm, but stating cm or mm sizes in addition would be much more intuitive and straightforward for people like myself. Similar for "ounce" unit (confusion even increases since a troy ounce (gold/silver) is not the same as a normal weight ounce (lemonade can...) afaik... We only use gramm as weight units in daily life, nothing else ["(troy) ounces" are only used for precious metals]).
2.c) I also propose to add some
useful information (FAQ page or so) to the interested reader about some technical details of these physical bitcoins. I am thinking especially about readers like myself that know the basics of the (digital) bitcoin system and how it works, but have some difficulties first to understand how this is "mapped" to the physical world. These informations/FAQs including:
- Why is not the complete btc address printed on the key, explain that it can always be identified uniquely from theses 8 characters even if later another BTC address will be created that starts with the very same 8 characters --> "firstbits" concept explanation, and link to blockchain.info and blockexplorer.com as well...
- How to redeem the short private key (22 or 30 characters) (minikey) codes digitally (which online wallets, which bitcoin clients support it), and how to convert the short private key code to the "full" long code that can e.g. be understood by most clients including the bitcoin.org client --> link to own conversion tool, zip-file or so
- Recommendations for physical handling of casascius coins: E.g. don't carry around "version 1" coins with you every day since the public key printed on it may get washed away after some time, and do not carry btc coin together with other coins too much since this may damage the hologram
- information about the (expected, even if not formally guaranteed) durability of the ink of the private key
- what's the difference between v1 and v2 coins --> durability/resistance of public key ink (printed from outside/inside of the hologram in v1/v2), and 22 vs. 30 characters short private keys (minikeys), typo of casa(s)cius in v1 holograms, plus ohter noteable differences that I am not aware off now...
- Explain the basics of the 2-factor keys. The fundamentals can be explained in few words within this FAQ that will help the interested reader to understand what this is all about. The basic info (I was not aware of this myself before my last "sleepless night" by the way) to be conveyed to the reader/potential customer is that if we have two public and private key pairs [pub1,priv1], [pub2,priv2], then a 3rd keypair "[pub3,priv3]" can be generated from this by known and open algorithms as follows: priv3=function(priv1, priv2), and pub3=function(pub1, pub2). Hence, both casascius and his customer know pub3, but only the customer (once he opens the hologram carrying "priv2") can get hold of priv3 to spend the coin, because "priv1" is not and was never known by casascius at any time.
-----------------------------------------------------------
Finally, here are some more
long-term ideas about how to make counterfeiting casascius coins even more difficult:
Basically, there are two kinds of counterfeiting methods I could think of with today's physical bitcoins (the third possibility, which is that the coin manufacturer might not be trustworthy with the treatment (and the destruction) of the private keys, is omitted here, because this is an inherent danger that cannot be ruled out conceptionally):
a) A counterfeiter produces own look-alikes of casascious coins, with own (new) keys, but he is silently keeping the private keys.
--> Solution: casascius to publish a list of all released casascius coins's btc addresses (already available today!) - hence, coins with different addresses must be counterfeits. Any user could check if a suspicious physical coin is this type of counterfeit if he/she has an online connection.
b) A counterfeiter produces own look-alikes of casascious coins, with original public key addresses printed on them acc. to above list.
--> Currently no solution available, just the hope that imitating the coins, and even more the casascius holograms, would be burdensome. At present no incentive for this counterfeiting method exist, but would change if casascius coins started getting used widely for offline transactions in economical life instead of EUR/USD/GPB/... coins.
Long-term solution for counterfeiting attack "
b)" (
no patent pending, I herewith release it to public domain and make it "prior art" for any future patent
): Each casascius coin includes a
unique RFID chip that, if excited by an input signal, will emit a signal that is a digital signature of the input signal. It is signed by two keys "
pi" and "
pc" (=private key "individual" and "common"): The unique private key "pi" of THIS physical coin, and the general private key "pc" of the coin minter (=casascus), which is e.g. casascius' commonly known unique "primary" btc address.
Hence, if I have a suitable RFID reader device (hopefully will be included in all smartphones in some years from now) I can check, even offline with no internet connection, if the public key printed outside this physical coin matches the "internal life" ("pi") of this coin, thus eliminating the counterfeiting method
b). Moreover, because the RFID's emitted signal is also signed with the minter's generic private key "pc", I can also exclude a type "
a)" kind of counterfeit, even if offline!
Note: If the smartphone with the RFID reader is online, it can also load the location of the scanned coin to a "casascius geo coin tracking database" (voluntarily of course), which would help to get hold of a new counterfeiter acting acc. to method c) described below.
To summarize: In this way,
above kinds of counterfeiting of physical bitcoins would become impossible, and the people
do not even need internet access to check if it is a counterfeit or a genuine casascius coin. What remains is that one has to trust the minter (=casascius), and now one has to trust in addition the RFID manufacturer that they do not secretly make duplicates.
The only drawback of this method is of course that we need an infrastructure of offline RFID readers widely built into smartphones first, and we would have much higher production costs because each sinlgle physical coin must contain a unique RFID chip.
A CHEAPER VARIANT:
Probably production is much cheaper if the RFID chip only contains "pc", but not "pi". This means that the SAME RFID chip can be used inside each casascius physical coin. Actually this would already be sufficient to avoid both counterfeit methods "a)" and "b)", because the counterfeiter is not in possession of private key "pc".
However, now (i.e. with RFID keys [pc] or [pi, pc] inside the coin) another "small-scale" counterfeiting methods would be still possible:
c) [small-scale counterfeit attack] The counterfeiter gets a proper casascius coin, opens the hologram and gets hold of the private key. Now he is in possession of the RFID chip and can use it to make an own counterfeit (or more easily, he re-uses this coin and just replaces the hologram with a good counterfeit hologram), and spends the physical coins somewhere. After that he redeems the face value with the private key that he has captured, i.e. he has
spent the face value twice.
This counterfeit method can be applied with the cheap [pc] and with the expensive [pi, pc] RFID variants.
However, the possibilities of counterfeiting would be limited, because the counterfeiter cannot go in large-scale production of counterfeit coins. Instead, he can only counterfeit as many coins as he has physically received before, and his net gain would be no more than the face value of these coins minus his work efforts. So this attack will probably not be worth the effort for a counterfeiter and remain theoretical.
Why the expensive variant [pi, pc] would still be better than the cheap one [pc]? Because of the following attack "d)", which works better for the cheap variant and would in fact enable the attacker to perform large-scale counterfeits:
d) The counterfeiter gets hold of any arbitrary casascius coin and re-engineers the private key "pc" (or "pc" and "pi") iniside the RFID using high-tech microscopes etc. Once he has done so, he can go into large-scale production of counterfeits just the way he did before RFID protetion was introduced, simply, because he is now in possession of the private key "pc" (and "pi"). For the cheap RFID protection ("pc" only) he could counterfeit any coin that is in circulation today acc. to the public list if coins in circulation. For the expensive RFID case [pi, pc] he could only counterfeit (=clone) this particular coin with this particular BTC address, which would put much tighter limits as to the scales (number of items) to be produced, so it is less likely to be worthwhile.
In any case, to fully rule out these counterfeiting methods, the best would be if it were possible to construct the coin mechanically (or chemically) in a way that the
RFID gets destroyed as soon as the hologram is removed to redeem the face value digitally.
So far my thoughts about possible future RFID-based counterfeiting protection mechanisms.
