The 25 BTC CASASCIUS PHYSICAL BITCOIN is here!

[pc]

I find these physical coins very interesting, but I just want to make sure I understand some of the technical aspects. I have some understanding of the basics of crypto, but not enough to really evaluate this.

The private key you generate is an SHA-256 hash of these letters that you generate and put on the back of the hologram. So, I assume that you are generating these random letters with a good random data source, and there's at least 256 bits of randomness in there, so in theory using the hash of it as a private key is "as random" as an address generated by the standard client in the usual way? Do i have that right?

And so, in addition to trusting you specifically that you don't keep any records of the private keys that you've loaded onto your coins (intentionally or not), we also need to trust that you've used a good random data source. Could you describe and explain your process to ensure that your generation of private keys is random and secure? (Or please point me in the right direction if you've already done so and I've missed it.)

Thank you.

[1714834625]

1714834625

[1714834625]

1714834625

[1714834625]

1714834625

[Yankee (BitInstant)]

I find these physical coins very interesting, but I just want to make sure I understand some of the technical aspects. I have some understanding of the basics of crypto, but not enough to really evaluate this.

The private key you generate is an SHA-256 hash of these letters that you generate and put on the back of the hologram. So, I assume that you are generating these random letters with a good random data source, and there's at least 256 bits of randomness in there, so in theory using the hash of it as a private key is "as random" as an address generated by the standard client in the usual way? Do i have that right?

And so, in addition to trusting you specifically that you don't keep any records of the private keys that you've loaded onto your coins (intentionally or not), we also need to trust that you've used a good random data source. Could you describe and explain your process to ensure that your generation of private keys is random and secure? (Or please point me in the right direction if you've already done so and I've missed it.)

Thank you.

There's no such thing as random....

[casascius]

I find these physical coins very interesting, but I just want to make sure I understand some of the technical aspects. I have some understanding of the basics of crypto, but not enough to really evaluate this.

The private key you generate is an SHA-256 hash of these letters that you generate and put on the back of the hologram. So, I assume that you are generating these random letters with a good random data source, and there's at least 256 bits of randomness in there, so in theory using the hash of it as a private key is "as random" as an address generated by the standard client in the usual way? Do i have that right?

And so, in addition to trusting you specifically that you don't keep any records of the private keys that you've loaded onto your coins (intentionally or not), we also need to trust that you've used a good random data source. Could you describe and explain your process to ensure that your generation of private keys is random and secure? (Or please point me in the right direction if you've already done so and I've missed it.)

Thank you.

There's no more than 123 bits of entropy due to the abbreviated length.  Bitcoin addresses themselves have no more than 160 bits of entropy because they are based on ripemd160.  I chose this as a tradeoff for space versus time.  It's still quite expensive to brute force 123 bits, especially when the payoff is that you might bump into a 1 BTC coin sometime before the end of the world, and especially considering that each iteration of any attack requires a relatively slow elliptic curve multiplication operation.  Mining is far more lucrative by several orders of magnitude to say the least.  

My source of entropy is the cryptographic secure random number generator in the .NET Framework, in the System.Security.Cryptography namespace, XORed with the SHA256 hash of (mash + incrementing number).  Mash is a constant string produced by me mashing gibberish (was probably 60-70 chars) on the keyboard and is meant as extra entropy against Microsoft's implementation.  (I'm familiar with Debian SSL flaw and thought that this would mitigate the possibility if there were something similar).

This was done on an airgapped machine, the OS installation dedicated just for this purpose, private keys have never touched any machine on the internet.  The hard drive was strictly controlled, and after the private keys were printed on 33 sheets of paper (each individually checked for accuracy), has since been zeroed over in its entirety (with linux) and a new OS installed over top of it.

I recognize and appreciate the importance of generating these keys securely.  It would be an epic fail for me to say "Whoops!  Hacker found your private keys in my temp directory... SORRY" and fortunately I know how not to do that.

[pc]

Thank you, casascius, for that great explanation. Perhaps you could include some description of it on your ordering page?

I assume the papers are shredded or similar after their keys are put onto coins?

[casascius]

The papers are what literally go in to the coin under the sticker. So nothing to shred.

[cbeast]

And so, in addition to trusting you specifically that you don't keep any records of the private keys that you've loaded onto your coins (intentionally or not), [snip]

Perhaps include the motto "In Casascius We Trust" 

[dunand]

You should sell them on tv ! Remember the $20 from Liberia to commemorate 9/11.

http://forums.commercialsihate.com/9-11-commmemorative-20-dollar-ad_topic1328.html

[casascius]

The 25 BTC coin is now available online.

I am also offering the piece for sale with no BTC value for 3.5 BTC.  Of course, it has no hologram on the back.  It looks the same as if you bought the full coin, redeemed the BTC, and cleaned off the hologram residue.

(Consider this:  Even though they won't be true "Casascius Coins", you could buy my blank coins and sticker them yourself with generic 1" circle hologram security labels off the Internet.  Even though you might not be able to circulate them, if all you care is to collect them or to give them to a loved one, you may not care.  This eliminates the risk of mailing real BTC.)

[Stephen Gornick]

From a different thread Casascius wrote:

For those considering reselling Casascius coins in local markets, I am able to do quantity discounts on the 25 BTC coin to make resale worthwhile if ordered in quantity 50+.  They'll also be shipped inactive, via express courier, and the BTC value not loaded until you receive them, to mitigate risk of loss and customs problems.

So just to clarify -- it is possible that these could be circulated without having the hologram tampered with but having no bitcoin funds loaded, correct?  I.e., if I were to accept one of these as payment or purchase one, I should first check the address to confirm it has the bitcoins loaded?

[Stephen Gornick]

I know that when a miner generates, the 50 BTC reward (or portion thereof) can go to a specific address.  Eligius, for instance, does this:
 - http://blockchain.info/tx-index/11312776/f46dd33fe4397cbba04bc7b25560ac3c715c6b4cd1371f61dba04a639cec98a7
As does P2Pool.  Eligius even offered to do this for non-miners on a contract basis.

I think one of these 25 BTC with the 25 bitcoins coming as generated coin would make it even more valuable.  Because there are only about 60 thousand 50 BTC blocks remaining, a pair of these collectibles each with 25 BTC from the same block would make them even more valuable as that is something that cannot be done again after about a year from now when the 50 BTC reward drops to 25 BTC.

Incidentally, I showed the physical 25 BTC coin at my monthly coin collector meeting.  Out of 40 (including many that are octogenarians or close to that) there were four who were interested in these.

[casascius]

From a different thread Casascius wrote:

For those considering reselling Casascius coins in local markets, I am able to do quantity discounts on the 25 BTC coin to make resale worthwhile if ordered in quantity 50+.  They'll also be shipped inactive, via express courier, and the BTC value not loaded until you receive them, to mitigate risk of loss and customs problems.

So just to clarify -- it is possible that these could be circulated without having the hologram tampered with but having no bitcoin funds loaded, correct?  I.e., if I were to accept one of these as payment or purchase one, I should first check the address to confirm it has the bitcoins loaded?

Not exactly.  I'm willing to ship them unloaded and load them on receipt so they aren't as valuable while they're being processed for customs.  But I am not willing to allow them to circulate unloaded.  If they are in the wild, they are either already loaded, or going to be loaded.  Also, any coins shipped that way would be shipped with a method that offers international tracking and a signature, because I intend to load the value whether the coins arrive or not.

[Stephen Gornick]

because I intend to load the value whether the coins arrive or not.

That is a satisfactory response.

[doobadoo]

I don't know what difference it would be. Isn't the security point here that you check balances before accepting them? Regardless, whatever suits casascius. It seems most logical to have the final product just with no value on it.

maybe i missed this, but how is this coin secured from 2x spend attack.  that is the issuer (Casasious) could also have a copy of teh coin's a privkey.  i know there is a tamper evident seal and a code to check with the issuer its authenticity.

Lastly, how is this secure from counterfeit?  couldn't i just copy the verification code of a legit coin and try to pass one off?  people accepting these will likely not redeem them, so the counterfeit may not have the right privkey inside, but its outer check number thingy would be right...

maybe i dont understand.  but if you can explain this to me i'd love to buy a 25 btc for my 3 year old nephew, just like i've been buying him silver eagles every b-day since.

[doobadoo]

The papers are what literally go in to the coin under the sticker. So nothing to shred.

did you select an ink and paper that could withstand the test time?  injet printer ink evaporates.  laser is better...  just curious if in 20 years it would have faded away b/c you used a crappy lexmark inkjet.

[casascius]

maybe i missed this, but how is this coin secured from 2x spend attack.  that is the issuer (Casasious) could also have a copy of teh coin's a privkey.  i know there is a tamper evident seal and a code to check with the issuer its authenticity.

In a theoretical sense, I could scam my customers.  In a practical sense, seeing as how I give away my real life identity and have PGP signed the list of addresses I have prepared for my coins, those I scammed would have fairly strong recourse against me.

Lastly, how is this secure from counterfeit?  couldn't i just copy the verification code of a legit coin and try to pass one off?  people accepting these will likely not redeem them, so the counterfeit may not have the right privkey inside, but its outer check number thingy would be right...

Sure, if anyone wants to spend four figures to get custom holograms done, only to be able to perpetrate a scam that will probably be figured out in days if not weeks.  It's been discussed in the past.  If someone goes to the effort of doing it, that'll be unfortunate.  Hopefully they'd see it as just as lucrative to generate real legit coins (i mean, I'm already charging a 20-25% premium over face value, isn't that good enough?).  Same argument as it applies to mining: it pays more to be an honest miner, and therefore have reasonable faith that miners are honest.

maybe i dont understand.  but if you can explain this to me i'd love to buy a 25 btc for my 3 year old nephew, just like i've been buying him silver eagles every b-day since.

Buy one, and buy a billy club with it.  If I scam you, come to Utah and beat my ass.  My real address is on my website.  If I don't scam you, you've just given a great gift that hopefully will appreciate.

did you select an ink and paper that could withstand the test time?  injet printer ink evaporates.  laser is better...  just curious if in 20 years it would have faded away b/c you used a crappy lexmark inkjet.

I deliberately chose inkjet.  Laser toner is relatively thick and can be read from the outside with radiation or ultrasound.  Inkjet may fade in the same sense old photos become slightly off color, but you don't see them fading into oblivion like the photos turning into blank paper.  That said, I used an off-black color to ensure that C+M+Y+K ink all contribute to the color, so they would all have to fade to blank for this to be an issue.

[cbeast]

If nothing else, I think Cassies will be collectable if not museum pieces in 50 years 

[doobadoo]

I deliberately chose inkjet.  Laser toner is relatively thick and can be read from the outside with radiation or ultrasound.  Inkjet may fade in the same sense old photos become slightly off color, but you don't see them fading into oblivion like the photos turning into blank paper.  That said, I used an off-black color to ensure that C+M+Y+K ink all contribute to the color, so they would all have to fade to blank for this to be an issue.

Wow, you thought this thru...as soon as some stuff clears i'll buy a few

[doobadoo]

Buy one, and buy a billy club with it.  If I scam you, come to Utah and beat my ass.  My real address is on my website.  If I don't scam you, you've just given a great gift that hopefully will appreciate.

Utah eh,?  R U a mormon?  If so its a deal.  Never met a crooked mormon (except for the ones in politics and Rick Koerber).

[pent]

i received this stuff! Very, very good product. Playing with it like a kid now )))

[bg002h]

I got my 25 BTC coin today...wow...as a hobbyist coin collector, I must say, this one was pressed with gusto...it's more like a mini 3D sculpture than a plain coin...the relief (in numismatic terms) is ultra high. It feels great in the hand...as does the gold plated bar!

Well done again, casascius!