Novel Idea: Unlosable "Binary" Physical Bitcoins

[Tril]

This thread has convinced me not to invest further in physical bitcoins.  One of the best features of bitcoin is that you can back up your private keys.  The original Casascius coin guarantees there will only ever be one copy of a private key- in order to make the coin act like physical property.  This was novel, for a while, and the coins are beautiful.  Now the idea of taking a key and breaking it in two pieces, such that if one is lost, the value is lost, just makes the coin even weaker. 
I'm not talking about during shipping, but after both parts are received, I assume Casascius would destroy any remaining copies.

What do you think about going the other direction?  I would be interested in "twin coin" issue- where there are only ever exactly 2 copies of the private key, stored under holograms, and clearly marked that either one of the two will allow redeeming the full value.  Each coin with the same key would indicate it was unique by some graphic (left/right halves of an image) or code (simply numbering them would be enough - such as "copy 1 of 2" and "copy 2 of 2").  It's still not as good as a digital bitcoin since you can't make unlimited copies of the key.  But it may be useful to someone.

[1713515462]

1713515462

[1713515462]

1713515462

[1713515462]

1713515462

[phillipsjk]

I like the concept, though it does not resolve this problem:

• If I send unfunded bitcoins and they don't get lost, recipient could claim they were lost and ask for a replacement, but then they would have unfunded coins.

The recient can still wait for two pieces to arrive, snap them together, then claim neither piece arrived. To be trusted, physical coins should always be checked against the block-chain. In fact, to be truly trusted, they would be single-use.

This scheme also does not prevent collusion among the manufacturers known or not. If both manufacturers are using the same brand of printer with remote update capabilities, the printer manufacturer may be able to steal the bitcoins (for example).

I think ulimately, physical bitcoins are going to end up working more like checks. We just need a relatively simple, tamper evident way of hiding the secret key (The 'Bitbills' design is almost ideal for this)

[casascius]

The recient can still wait for two pieces to arrive, snap them together, then claim neither piece arrived. To be trusted, physical coins should always be checked against the block-chain. In fact, to be truly trusted, they would be single-use.

The second piece won't be sent until the recipient has confirmed receipt of the first one, so that can't happen.

This scheme also does not prevent collusion among the manufacturers known or not. If both manufacturers are using the same brand of printer with remote update capabilities, the printer manufacturer may be able to steal the bitcoins (for example).

It doesn't.  But that's a much smaller risk than one manufacturer cheating (which could happen if, for example, manufacturer really kept the private keys, and fell on hard times or was somehow robbed or coerced into giving them up).

The likelihood of a printer manufacturer stealing bitcoins by manufacturing rogue firmware that steals people's print jobs is astronomically low.  Having your HP printer send a "mystery file" to HP's servers every time you print (and the mystery file just magically matching the size of each print job) is something that would be noticed by sysadmins in minutes.  It would be all over the press the same day.  They would probably have an easier time just guessing private keys.  Besides, I print these on an inkjet printer via USB and no internet connection, so this issue is moot.

I think ulimately, physical bitcoins are going to end up working more like checks. We just need a relatively simple, tamper evident way of hiding the secret key (The 'Bitbills' design is almost ideal for this)

Yeah, or maybe someone can make coins with embedded tamper evident holograms.

[phillipsjk]

The recient can still wait for two pieces to arrive, snap them together, then claim neither piece arrived. To be trusted, physical coins should always be checked against the block-chain. In fact, to be truly trusted, they would be single-use.

The second piece won't be sent until the recipient has confirmed receipt of the first one, so that can't happen.

That makes in unprofitable to cheat, not impossible.

Edit: If the recipient does not check that the serial number on the bar matches the expected number, it is possible to for a postal worker to profitably assemble an empty bar:

• Postal worker C  intercepts bar sent to recipient A. Recipient A receives a new bar with a new number.
• Optionally, postal worker C sells intercepted bar on black market to postal worker D.
• Postal worker D intercepts bar sent to recipient B; replaces it with bar intended for recipient A.
• Recipient B, without checking the number, confirms receipt of bar.
• Postal worker D intercepts the key intended for recipient B, and now has a complete, unloaded bar.
• Recipient B requests a new key. Meanwhile, Postal worker D sells unloaded bar on black market.
• When new key arrives, recipient B complains the serial numbers don't match.

Edit2: seems unlikely when I lay it out like that....

The likelihood of a printer manufacturer stealing bitcoins by manufacturing rogue firmware that steals people's print jobs is astronomically low.  Having your HP printer send a "mystery file" to HP's servers every time you print (and the mystery file just magically matching the size of each print job) is something that would be noticed by sysadmins in minutes.  It would be all over the press the same day.  They would probably have an easier time just guessing private keys.  Besides, I print these on an inkjet printer via USB and no internet connection, so this issue is moot.

The dumber the printer, the better in this case. Yes, was refering to the printers I heard about that can automatically print from e-mail. Remember, your two-token scheme is being used for high value bars. If the printer is running a full-blown OS, it can simply send the private keys (in a nightly batch with the update check) without sending the whole print job. With PCL or Postscript, OCR is not even needed

I think ulimately, physical bitcoins are going to end up working more like checks. We just need a relatively simple, tamper evident way of hiding the secret key (The 'Bitbills' design is almost ideal for this)

Yeah, or maybe someone can make coins with embedded tamper evident holograms.

I was thinking something less coarse: the user would print off 2.379 BTC if that was how much they wanted to send, for example (this point is probably off-topic any way).