Since a lot of the people who post here in the HW board tend to be more about security and tech then the collectable area was wondering if anyone else had any ideas on how to make it work better / more securely. Any useful input would be appreciated.
If you want to do it completely trustlessly, then the only way to do it is a DIY solution where you add the key to the collectible yourself after you have received it.
You can spread the trust by having some kind of multi-sig set up where two or more different collectible producers add private keys to the collectible separately. But as mentioned, all you are doing there is spreading the trust, not eliminating it.
You could potentially do a multi-sig or split key set up where I generate one part and the collectible producer generates the other, but that then means your collectible on its own is worthless. Without my share/key/etc., then the collectible is unspendable, and you will have a hard time selling it to anyone else since they cannot trust that you and the producer are not conspiring together.
BIP38 doesn't work at all since at some point one party must know both the private key and the password.
Most of these coins come with a certificate of authentication.
instead of releasing random coins they can make preorders,
buyer provides pub key and keeps partial priv.
maker creates
the maker issue a template that the buyer prints half key on,
if they resell it make sure its with it.
do a handwritten chain of ownership on the back(if wanted). if the holo is damaged its spent.
the only thing is a piece of paper to keep track of that everyone will, and does.
if the maker keeps all keys and get the single coin in hand again, they "could" sweep. a single coin.
but never an entire batch.
It's better than right now. they can all sweep. period.
Multisig is too risky. disagreement.
Split key generation would be user induced error.
There's a reason I've invested so much time in the splitkey ecosphere.
It's BTCrilliant I believe it was designed for this very scenario. Other projects like VanityPool used the same concepts and have never had an event.
From JLVS Github page
https://github.com/JeanLucPons/VanitySearch#generate-a-vanity-address-for-a-third-party-using-split-keyGenerate a vanity address for a third party using split-key
It is possible to generate a vanity address for a third party in a safe manner using split-key.
For instance, Alice wants a nice prefix but does not have CPU power. Bob has the requested CPU power but cannot know the private key of Alice, Alice has to use a split-key.
*Added Or a Customer wants to buy a physical but doesn't want the issuing company knowing the key!
Step 1
Alice generates a key pair on her computer then send the generated public key and the wanted prefix to Bob. It can be done by email, nothing is secret. Nevertheless, Alice has to keep safely the private key and not expose it.
VanitySearch.exe -s "AliceSeed" -kp
Priv : L4U2Ca2wyo721n7j9nXM9oUWLzCj19nKtLeJuTXZP3AohW9wVgrH
Pub : 03FC71AE1E88F143E8B05326FC9A83F4DAB93EA88FFEACD37465ED843FCC75AA81
Note: The key pair is a standard SecpK1 key pair and can be generated with a third party software.
Step 2
Bob runs VanitySearch using the Alice's public key and the wanted prefix.
VanitySearch.exe -sp 03FC71AE1E88F143E8B05326FC9A83F4DAB93EA88FFEACD37465ED843FCC75AA81 -gpu -stop -o keyinfo.txt 1ALice
It generates a keyinfo.txt file containing the partial private key.
PubAddress: 1ALicegohz9YgrLLa4ADCmam7X2Zr6xJZx
PartialPriv: L2hbovuDd8nG4nxjDq1yd5qDsSQiG8xFsAFbHMcThqfjSP6WLg89
Bob sends back this file to Alice. It can also be done by email. The partial private key does not allow anyone to guess the final Alice's private key.
Step 3
Alice can then reconstructs the final private key using her private key (the one generated in step 1) and the keyinfo.txt from Bob.
VanitySearch.exe -rp L4U2Ca2wyo721n7j9nXM9oUWLzCj19nKtLeJuTXZP3AohW9wVgrH keyinfo.txt
Pub Addr: 1ALicegohz9YgrLLa4ADCmam7X2Zr6xJZx
Priv (WIF): p2pkh:L1NHFgT826hYNpNN2qd85S7F7cyZTEJ4QQeEinsCFzknt3nj9gqg
Priv (HEX): 0x7BC226A19A1E9770D3B0584FF2CF89E5D43F0DC19076A7DE1943F284DA3FB2D0
How it works
Basically the -sp (start public key) adds the specified starting public key (let's call it Q) to the starting keys of each threads. That means that when you search (using -sp), you do not search for addr(k.G) but for addr(kpart.G+Q) where k is the private key in the first case and kpart the "partial private key" in the second case. G is the SecpK1 generator point.
Then the requester can reconstruct the final private key by doing kpart+ksecret (mod n) where kpart is the partial private key found by the searcher and ksecret is the private key of Q (Q=ksecret.G). This is the purpose of the -rp option.
The searcher has found a match for addr(kpart.G+ksecret.G) without knowing ksecret so the requester has the wanted address addr(kpart.G+Q) and the corresponding private key kpart+ksecret (mod n). The searcher is not able to guess this final private key because he doesn't know ksecret (he knows only Q).
Note: This explanation is simplified, it does not take care of symmetry and endomorphism optimizations but the idea is the same.
You guys can reinvent the wheel or overcomplicate things all you want but this is the cheap effective solution. no complicated signature chains , no more trust in the other person or makers.
just make a system based on split key generation. Anything else you can conjure up will be cost prohibitive or overthinking authoritative measures.
It's been done before on physicals. Not exactly as described but the groundworks all here
40mm x 3mm 30g Bitcoin Coin (loadable and customizable coin)
