Novel Idea: Unlosable "Binary" Physical Bitcoins

[casascius]

I thought of a way where someone could order physical bitcoins without any risk of loss in the mail.  I have never had any of my shipments lost, but of course it is always possible.  And the obvious solutions aren't easy.

• If I send funded bitcoins and they get lost, they're gone.
• If I send funded bitcoins and they don't get lost, the recipient could claim they were lost.
• If I send unfunded bitcoins and they get lost, someone out there (a postman) will have unfunded coins.  Unfunded coins are a problem because it makes it impossible to accept coins without checking block explorer - defeating the purpose of the whole series of coins.
• If I send unfunded bitcoins and they don't get lost, recipient could claim they were lost and ask for a replacement, but then they would have unfunded coins.
• If I send funded bitcoins but keep private keys, none of the problems are solved.  I could take back the funds, but then there's an unfunded piece somewhere.
• The very idea that I could keep private keys scares buyers of large value bitcoins.  It would also be nice to have physical bitcoins produced by two parties, so the buyer doesn't have to worry about the possibility of manufacturer scams.

I thought of "binary bitcoins" as an idea.  Basically, this would be a physical bitcoin in two parts, neither of which is the complete physical bitcoin.  For example, I could come up with a gold bar that has a hologram like normal, but also on the bottom, a precisely hollowed out spot that would accept, and permanently hold, a coin-shaped object, which would be an activation token with the 2nd key.  The bar could have a serial number (XYZ123) and lasered text to clearly indicate that the bar has no value without the matching hologrammed brass activation token, also bearing the same serial number (XYZ123) lasered on its face.

1.  I, and some other trusted party, would each generate a private key, and then calculate the bitcoin address of the combined key using only the public keys, and EC addition.  So nobody has the full private key.
2.  I would send out the piece with my half of the key.
3.  When the recipient said the bar arrived, the other trusted party would send out the activation token with his half of the key.
4.  When the recipient said the token arrived, he would "snap" it into the dugout on the gold bar, so it would permanently stay there.  At that point, I would fund the address calculated in step 1.

If the recipient says the bar didn't arrive, I could simply send a new bar with a different address.  The risk of loss becomes limited to the value of the unfunded bar.  Wherever the first bar ended up, whether a postal worker or a dishonest buyer, it would never become complete.

If the recipient says the token didn't arrive, as many duplicates as necessary would be sent.

Neither part has any Bitcoin value for customs purposes, and it doesn't really matter if customs seizes it.  Neither part should be mistakable for a complete item.

With this scheme, the buyer is assured that no mailman or customs agent can steal his bitcoins.  And no manufacturer can steal his bitcoins either, once he has had his bar funded.

[1713882732]

1713882732

[1713882732]

1713882732

[cbeast]

I don't see an issue with trust. I would rather see more anti-forgery ideas than concern about adding an appeal to authority as a trust issue. Face it, when Bitcoin becomes quite valuable, all trust will be lost in a physical Bitcoin that is originated by a third-party. I like the spirit of what you are doing by creating aesthetically pleasing off-line Bitcoins, but think your POS idea is more sound for secure Bitcoin transactions.

Keep in mind, the project is to promote Bitcoin, promote a proof of concept, and provide a neat-looking example of a good honest coin... but not to insure against things I couldn't possibly reasonably control.  Fortunately, to my knowledge, there have been no occurrences of this kind to report, and to the best of my knowledge, all coins in the wild are either legitimate and funded, or (at worst) are waiting to be funded when enough time has elapsed to ensure they've cleared customs of their buyer.

This scheme seems secure enough.

* bold added.

[netrin]

Can you make a do-it-yourself tamper-resistant connection? Even if so, anyone accepting the combined pieces would have to verify each and the sum, which seems even more annoying than checking a single physical coin sealed by you. Say I buy two of your coins and swap tokens, either by mistake, or maliciously. I agree with Cbeast that if bitcoin goes mainstream, physical bitcoin will be a novel collector item at best, an untrusted nuance at worst. That does not mean I have not considered giving one to every one in my family for Christmas.

[Meni Rosenfeld]

Can you make a do-it-yourself tamper-resistant connection? Even if so, anyone accepting the combined pieces would have to verify each and the sum, which seems even more annoying than checking a single physical coin sealed by you. Say I buy two of your coins and swap tokens, either by mistake, or maliciously.

The bar and the coin each have a clearly visible serial number, and the combination will only be accepted if the serial numbers match. The manufacturers of the bar and the coin make sure to be synchronized between them so that matching items indeed can be use to redeem the address.

I agree with Cbeast that if bitcoin goes mainstream, physical bitcoin will be a novel collector item at best, an untrusted nuance at worst.

I'm not so sure. Physical currency is convenient for some people/applications. If they can be manufactured cheaply enough and with a small enough form factor (maybe so much so that they can only be redeemed by dedicated machines) and the trust issue is solved by multiple partial keys, they'll find a use.

In NYC we saw a demo of bitbar, a bar holding a private key in the form of rotatable magnetic elements. I wonder if these can be used instead of printed keys and holograms.

[casascius]

This scheme seems secure enough.

* bold added.

The scheme is secure enough only if eventual arrival is a guaranteed certainty. Unfortunately it is not.

If ordering a few 1 BTC coins, the risk of loss is not a big deal.  If you are buying a 1000 BTC bar, the risk of its non arrival is not insignificant.  In fact, I will bet it is a deterrent to even buying one.  And people do think I could steal it, that I might be more motivated to steal a big ticket bar, because it would be both more lucrative and less provable if I did so only occasionally. I am still a stranger and some of these orders get very large.

I certainly appreciate that you find me trustworthy. While I agree I have acted in a way to deserve it, a product that does not require trusting me, or limits peoples exposure even to me, is a higher quality product. If this scheme works, others can make trustworthy coins too, which enables competition, driving cost down and quality up.

[netrin]

I believe serial numbers from multiple parties, multiple keys, multiple issues, etc only confuses the bitcoin brand and will certainly lead to future breaches of trust. Physical bitcoins are a reverse abstraction, that may facilitate understanding and trust among our more pedestrian members of the info highway in the short term, but the physical abstraction are in fact far less secure than the real thing, and some perhaps large fraction of the competition will undoubtedly fail. Mike is in an enviable position to be a single (or one among a few) trusted sources of physical bitcoins. I do not hope for inferior competition.

I understand why you want something like this for large bitcoin bullion via post. I just don't think the idea can be easily copied without confusion. I would recommend instead Mike, that you franchise your brand. I think the competition would appreciate it. If I want to sell tupilak-coins, then I can buy and embed the token from you. If customers prefer (or even understand) tokens received in an escrow hand-shake postal protocol, all the power to them. I more expect they'll just buy the items and think (oh bonus, it comes with a Casascius bitcoin!).

[casascius]

Physical bitcoins are a reverse abstraction, that may facilitate understanding and trust among our more pedestrian members of the info highway in the short term, but the physical abstraction are in fact far less secure than the real thing, and some perhaps large fraction of the competition will undoubtedly fail.
...
I understand why you want something like this for large bitcoin bullion via post.

Large bullion is the only way it would make sense.

On the other hand, large bullion is selling.  Memory Dealers is popping out those 100 BTC bars left and right, and my guess is it's because it represents an easy opportunity for non-technical people to get involved in Bitcoin just by clicking "buy now".  I wouldn't worry about a dual handshake scheme for their buyers, because more likely than not, they aren't even aware of the security implications, but are aware of their legal/chargeback recourse if there were a breach of trust, and that is good enough for them.  (It's a privilege they are paying for in that markup!)

Now that I just dangled a picture of the 1000 BTC bar, it is suddenly starting to sell.  I wouldn't say like mad or anything.  But it's attracted interest not just on Memory Dealers, but from Bitcoin community members who already are sitting on 1000's of BTC, and wouldn't mind dressing them up.  Those people are the ones the most aware of what the risks entail, the ones least interested in paying Visa/Mastercard a 13% markup on the 1000 BTC itself to acquire the bar, and would be the ones most interested in participating in a dual key scheme so their assets are protected.

[Jalum]

I thought of a way where someone could order physical bitcoins without any risk of loss in the mail.  I have never had any of my shipments lost, but of course it is always possible.  And the obvious solutions aren't easy.

• If I send funded bitcoins and they get lost, they're gone.
• If I send funded bitcoins and they don't get lost, the recipient could claim they were lost.
• If I send unfunded bitcoins and they get lost, someone out there (a postman) will have unfunded coins.  Unfunded coins are a problem because it makes it impossible to accept coins without checking block explorer - defeating the purpose of the whole series of coins.
• If I send unfunded bitcoins and they don't get lost, recipient could claim they were lost and ask for a replacement, but then they would have unfunded coins.
• If I send funded bitcoins but keep private keys, none of the problems are solved.  I could take back the funds, but then there's an unfunded piece somewhere.
• The very idea that I could keep private keys scares buyers of large value bitcoins.  It would also be nice to have physical bitcoins produced by two parties, so the buyer doesn't have to worry about the possibility of manufacturer scams.

I thought of "binary bitcoins" as an idea.  Basically, this would be a physical bitcoin in two parts, neither of which is the complete physical bitcoin.  For example, I could come up with a gold bar that has a hologram like normal, but also on the bottom, a precisely hollowed out spot that would accept, and permanently hold, a coin-shaped object, which would be an activation token with the 2nd key.  The bar could have a serial number (XYZ123) and lasered text to clearly indicate that the bar has no value without the matching hologrammed brass activation token, also bearing the same serial number (XYZ123) lasered on its face.

1.  I, and some other trusted party, would each generate a private key, and then calculate the bitcoin address of the combined key using only the public keys, and EC addition.  So nobody has the full private key.
2.  I would send out the piece with my half of the key.
3.  When the recipient said the bar arrived, the other trusted party would send out the activation token with his half of the key.
4.  When the recipient said the token arrived, he would "snap" it into the dugout on the gold bar, so it would permanently stay there.  At that point, I would fund the address calculated in step 1.

If the recipient says the bar didn't arrive, I could simply send a new bar with a different address.  The risk of loss becomes limited to the value of the unfunded bar.  Wherever the first bar ended up, whether a postal worker or a dishonest buyer, it would never become complete.

If the recipient says the token didn't arrive, as many duplicates as necessary would be sent.

Neither part has any Bitcoin value for customs purposes, and it doesn't really matter if customs seizes it.  Neither part should be mistakable for a complete item.

With this scheme, the buyer is assured that no mailman or customs agent can steal his bitcoins.  And no manufacturer can steal his bitcoins either, once he has had his bar funded.

It's so simple!

[casascius]

It's so simple!

User instructions:

1. Buy bar
2. Tell us when it arrives, then we send you a token
3. When the token arrives, snap it into the slot on the bar
4. Let us know if anything doesn't arrive so we can replace it.

So simple!

Redemption:
1. Peel the hologram and enter the code as you do now
2. Also enter the code on the token.  The redeemer program/site already knows to ask for it.

[ALPHA.]

...or you can just insure your packages.

[casascius]

...or you can just insure your packages.

...which drives up the shipping price, especially for international shipments...and is likely to be unclaimable anyway.

The following claims are considered to be non-payable by the USPS.
From the Domestic Mail Manual:

S010 Indemnity Claims
2.14 Nonpayable Claims

Indemnity is not paid for collect on delivery (COD), insured, or registered service or for Express Mail in these situations:

...
r. Negotiable items (defined as instruments that can be converted to cash without resort to forgery), currency, or bullion valued in total at more than $15 per shipment sent by Express Mail, except under 2.12c.
...


A simple technological means to prevent the eventual accident is always going to be better than paying for insurance to spread the cost of the accident among all the customers.

Common carriers sometimes already consider Bitcoins to be "currency", and they are definitely negotiable items.  There would be no recourse in collecting on an insurance claim.  It is clearly excluded.  FedEx recently returned a shipment of Bitcoins to the shipper because it said on the invoice it contained bitcoins and "we do not ship currency".

[casascius]

...or you can just insure your packages.

...which drives up the shipping price, especially for international shipments...and is likely to be unclaimable anyway.

The following claims are considered to be non-payable by the USPS.

From the Domestic Mail Manual:

S010 Indemnity Claims
2.14 Nonpayable Claims

Indemnity is not paid for collect on delivery (COD), insured, or registered service or for Express Mail in these situations:

...
r. Negotiable items (defined as instruments that can be converted to cash without resort to forgery), currency, or bullion valued in total at more than $15 per shipment sent by Express Mail, except under 2.12c.
...

A simple technological means to prevent the eventual accident is always going to be better than paying for insurance to spread the cost of the accident among all the customers.

Common carriers sometimes already consider Bitcoins to be "currency", and they are definitely negotiable items.  There would be no recourse in collecting on an insurance claim.  It is clearly excluded.  FedEx recently returned a shipment of Bitcoins to the shipper because it said on the invoice it contained bitcoins and "we do not ship currency".

[ALPHA.]

Hm, very interesting. You do have something here it seems.

[Stephen Gornick]

FedEx recently returned a shipment of Bitcoins to the shipper because it said on the invoice it contained bitcoins and "we do not ship currency".

That is a fantastic thing to hear!   It means Bitcoin is getting name recognition if nothing else.

Crikey though ... if package delivery companies like FedEx won't allow bitcoin to be shipped, that could cause a few headaches going forward.

[casascius]

Just don't declare it as bitcoin on the shipping documentation and you'll be fine. That is what had happened in this case.

[tetra4c]

Reveal the mystery

http://www.youtube.com/watch?v=YAWqzRBG5tY&feature=related

Join the revo .... Electrantic-artica

http://www.facebook.com/#!/profile.php?id=100002154160776

She's good for bitcoin, she just doesn't know it yet.

[westkybitcoins]

I like it, and the idea makes me more likely to buy larger bitcoin bars.

Anyone who doesn't like it, or thinks it's confusing, can simply not buy it, possibly buying the "single authority" style instead, if it's an option.

The market will decide if this is a worthy method. And for the record, it will do so regardless of whether or not Casascius is the one selling physical bitcoins using this method.

[jim618]

One of the more painful aspects of importing from the US for us Europeans is the customs duty payable.
I have imported ultralight gear from the US and the duty plus post charge can add another 20% to the price.

I think if you are shipping 'pretty pieces of metal' of nominal value then the recipient would have little customs to pay, if any.

Similarly the snap-in tokens, by themselves, are 'worthless'.

[mrdavis]

Just don't declare it as bitcoin on the shipping documentation and you'll be fine. That is what had happened in this case.

With the two part private key like you described, you wouldn't be shipping bitcoins... just part of the physical bitcoin wallet.

[jim618]

I think you would want the material of the token and the main coin to be the either the same, or at least materials with *very* similar coefficients of thermal expansion.

You would not want the tokens falling out in either hot or cold climates (or if someone accidentally puts it in a boil wash).