
Topic: Coming Very Soon, a real Bitcoin you can hold! (and is worth 1 BTC) (Read 9319 times)

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
It's up now, the issue has been taken care of.  (that's what I get for running this from home =) )
sr. member
Activity: 322
Merit: 251
newbie
Activity: 11
Merit: 0
The website seems down.
sr. member
Activity: 247
Merit: 250
Cosmic Cubist
So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.
Without P2P?
Without the network there is no Bitcoin. There is no value for anyone if the network goes down.
It all spontaneously vanishes.

In the meantime you can always check the address for its value without ruining the coin or redeeming it.

Of course I can check, but checking doesn't guarantee uniqueness. Our coins are unique because of P2P, but physical bitcoins can't be connected.

When I accept a physical bitcoin, I need to make sure no one else has it. If the OP can get the hologram for 0.15 BTC, I can take over the company that makes the hologram and do the same too.

I understand, and yes if they can be easily counterfeited it is a problem, but I still think you're making too big a deal about the physicality of the coins.  That isn't really the issue - since ALL information is, ultimately, physical.  The coins' state of disconnectedness from the network isn't really the issue either.  The P2P system, by itself, doesn't do anything special to ensure uniqueness of the key that any given Bitcoin is associated with.  Even with conventional "all electronic" Bitcoins, there is no way to know for sure that a given Bitcoin's private key (even one you made yourself!) is truly unique, UNLESS you are 100% confident that no one other than yourself ever had access to that key from the moment the keypair was first created, and that either it was originally generated using a secure source of random numbers that couldn't be eavesdropped on in some way, or else by using a long passphrase (which only you know) as a random seed.

All that the P2P system does is to ensure that you can't transfer the same coins from a given account more than once, and have both transactions finally accepted by the network.  But, whether the destination account's private-key details are stored in a physical coin or on a hard drive (or in your head!) is really completely separate from the issue of whether another copy of those details exists (or can be regenerated) somewhere else - which the P2P network itself does nothing to ensure.  Even if the only way to get the key is to regenerate it from a passphrase in your head, you could always mumble it in your sleep, and someone could overhear you, and then make another copy of your key & spend your coins before you ever get the chance.  :)

I think the real issue here is that the keypairs themselves are being generated by a third party, rather than by a client on your own computer.  Any time that's the case, no matter in what form the keys are delivered to you, you can't be sure the sender didn't keep a copy!  Whether they deliver the key details to you in a coin or on a USB drive or over an https connection has nothing to do with the question of whether they kept a copy of it for themselves.

On the plus side, anyone who is nervous about Casascius coins is always free to resell them, or to immediately take them apart and  transfer their value elsewhere... So there isn't really all that much risk of theft here, unless you plan to hold onto a lot of Casascius coins in their original form for a long time.  So I don't think most vendors would have a problem accepting them - especially if they can verify the balance on a smartphone by keying in the firstbits...
vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
Either way, in this particular case, trust in the manufacturer is required.  I could just as easily make a physical bitcoin with a duplicate private key as one with no private key (except perhaps for the fact that I only got each address printed on each hologram once).

I sincerely hope that someone makes a bigger, better, badder, more secure, more auditable, more everything physical bitcoin (and cheaper, too).  As Bitcoin gets bigger, that's bound to happen.  Practically speaking, Casascius physical bitcoins get used right now mainly as all of the following:

  • A collector's item.
  • A low-cost gift (for the buyer) worth saving (for the recipient) because one day it may well be worth a ton.
  • An appealing way to bring up the topic of Bitcoin with people who don't care about otherwise "imaginary" currency.
  • A way for people who trust each other, one who has lots of Casascius coins and the other who doesn't, to settle some small debt (like paying for lunch) in a fun way.
  • A proof of concept to the world, that bitcoins don't have to be intangible.
  • A way to get otherwise uninterested people thinking about how the internals of Bitcoin really work... "so what you're saying... there's a code in here, and you call that a private key?"
  • And finally, a few get torn apart just out of curiosity and to test the redemption process.

At this point, I bet very few get "spent" in the arms-length process where the recipient thinks very little of bitcoin other than just another kind of dollar.  Physical bitcoins get traded nowadays only among people who know each other's name, possibly because the spender paid a premium to acquire the coin and isn't eager to give it to someone who won't appreciate that or compensate them for it.  In an environment where trading partners generally know one another, passing counterfeits or duplicates or scams is arguably harder than making them.
legendary
Activity: 2506
Merit: 1010
When I accept a physical bitcoin, I need to make sure no one else has it.

I am willing to trust as secure the manufacturer's processes and the distribution of the coins that were shipped to me.  If I were to resell a batch of these the buyer would be trusting me as well as the manufacturer, etc.

Perhaps simply a register or log of assignments is necessary.   For instance, Casascius creates a signed message for each physical coin (its address) asserting that it was sold to me (to my gpg public key).  When I sell one, I sign a message including the previous assignment and assert that I sold it and to whom (to the next party's public key).   And so on, for each sale.

So then when considering buying these physical bitcoins from a third party seller, the buyer can weigh whether or not all previous owners are trustworthy enough to feel comfortable that the bitcoin is truly authentic.  Think WingCash ( http://bitcointalk.org/?topic=4232.0 ) meets Bitcoin.

This ruins anonymity, though I suppose a party in the chain could remain pseudonymous -- just that I don't know how trusted the pseudonymous participants would be.

[Update: Or, can the model that namecoin offers, w/dot-bit offer something here?]
vip
Activity: 490
Merit: 502
So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.
Without P2P?
Without the network there is no Bitcoin. There is no value for anyone if the network goes down.
It all spontaneously vanishes.

In the meantime you can always check the address for its value without ruining the coin or redeeming it.

Of course I can check, but checking doesn't guarantee uniqueness. Our coins are unique because of P2P, but physical bitcoins can't be connected.

When I accept a physical bitcoin, I need to make sure no one else has it. If the OP can get the hologram for 0.15 BTC, I can take over the company that makes the hologram and do the same too.
sr. member
Activity: 247
Merit: 250
Cosmic Cubist

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Yeah, but look:  Let's say that 100,000 of these things get made and used by thousands of people over a period of years and years, with a good number of those coins getting redeemed by random people, and there is never a report of someone trying to redeem a coin only to find that someone else had already redeemed another coin with the same code.

In that case, then I can probably be at least 99% certain that there are no duplicates already in circulation of a coin I receive - since, statistically speaking, if as many as 1% of all coins were non-unique, and if (say) 10,000 of the 100,000 coins issued had already been redeemed, then you'd expect that several cases of duplicate coins would already have been found and reported.  (On average, 100 of the 10,000 coins already redeemed would have had duplicates, and ~10 of those 100 duplicates would be included among the 10% of coins already redeemed - so the fraud would have already been caught.)

So, once these things have been out there in circulation a while, there's no need for the person accepting them to have 100% proof that there's no duplicates already in circulation - the lack of any reports of problems from other users would be proof enough.

This statistical analysis doesn't, however, address the scenario I mentioned, wherein the issuer is planning to steal the value of all coins at once in a "Grand Theft" scenario.

What if I'm a major merchant and I duplicate all the coins I accepted and save them secretly and only spend the duplicated ones? Then maybe I can redeem them all at once.

I don't have to be the issuer to be the Grand Theft, as long as I can manufacture myself without anyone else knowing.


I've been assuming that they're difficult to counterfeit due to the way the hologram is made.  If that's not the case, then of course you are right.
vip
Activity: 490
Merit: 502

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Yeah, but look:  Let's say that 100,000 of these things get made and used by thousands of people over a period of years and years, with a good number of those coins getting redeemed by random people, and there is never a report of someone trying to redeem a coin only to find that someone else had already redeemed another coin with the same code.

In that case, then I can probably be at least 99% certain that there are no duplicates already in circulation of a coin I receive - since, statistically speaking, if as many as 1% of all coins were non-unique, and if (say) 10,000 of the 100,000 coins issued had already been redeemed, then you'd expect that several cases of duplicate coins would already have been found and reported.  (On average, 100 of the 10,000 coins already redeemed would have had duplicates, and ~10 of those 100 duplicates would be included among the 10% of coins already redeemed - so the fraud would have already been caught.)

So, once these things have been out there in circulation a while, there's no need for the person accepting them to have 100% proof that there's no duplicates already in circulation - the lack of any reports of problems from other users would be proof enough.

This statistical analysis doesn't, however, address the scenario I mentioned, wherein the issuer is planning to steal the value of all coins at once in a "Grand Theft" scenario.

What if I'm a major merchant and I duplicate all the coins I accepted and save them secretly and only spend the duplicated ones? Then maybe I can redeem them all at once.

I don't have to be the issuer to be the Grand Theft, as long as I can manufacture myself without anyone else knowing.
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.
Without P2P?
Without the network there is no Bitcoin. There is no value for anyone if the network goes down.
It all spontaneously vanishes.

In the meantime you can always check the address for its value without ruining the coin or redeeming it.
sr. member
Activity: 247
Merit: 250
Cosmic Cubist

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.

Yeah, but look:  Let's say that 100,000 of these things get made and used by thousands of people over a period of years and years, with a good number of those coins getting redeemed by random people, and there is never a report of someone trying to redeem a coin only to find that someone else had already redeemed another coin with the same code.

In that case, then I can probably be at least 99% certain that there are no duplicates already in circulation of a coin I receive - since, statistically speaking, if as many as 1% of all coins were non-unique, and if (say) 10,000 of the 100,000 coins issued had already been redeemed, then you'd expect that several cases of duplicate coins would already have been found and reported.  (On average, 100 of the 10,000 coins already redeemed would have had duplicates, and ~10 of those 100 duplicates would be included among the 10% of coins already redeemed - so the fraud would have already been caught.)

So, once these things have been out there in circulation a while, there's no need for the person accepting them to have 100% proof that there's no duplicates already in circulation - the lack of any reports of problems from other users would be proof enough.

This statistical analysis doesn't, however, address the scenario I mentioned, wherein the issuer is planning to steal the value of all coins at once in a "Grand Theft" scenario.
vip
Activity: 490
Merit: 502

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.
-Mike

The problem is not whether it'll eventually get caught. If I accept your physical bitcoin in an exchange for goods and services, I have to make sure that it's 100% unique if I'm not going to redeem it right away.

If I have to redeem it to make sure I can get the value, then there's no reason to make holograms - you can just print out the keys.

So, the problem lies on whether you can make sure that you can get the 1 BTC after 10 years without the use of P2P.
sr. member
Activity: 247
Merit: 250
Cosmic Cubist
I like this idea very much, I mentioned it in my blog (http://minetopics.blogspot.com/2011/09/lets-get-physical.html) and I will probably order some coins from you soon to show off to friends.

Someone mentioned earlier the risk that multiple coins with the same key could be made - although if this were happening, it would eventually get caught by random sampling (by people converting their coins back to digital form), so I'm not too concerned about that.

A more serious risk, it seems to me (from the user's perspective) is:  How do we know that it's not the case that you are keeping copies of ALL the private keys for yourself, and, once there are (say) 100,000 of these coins in circulation that haven't had their values removed yet, maybe your plan is to quickly exchange the BTC backing all those coins for some other currency, and disappear?

I'm not saying it is a particularly likely scenario, and I personally have no particular inclination to suspect you of this, but I'm just saying it is a possibility that can't be eliminated from users' minds, unless you subjected your entire coin-making operation to continuous, detailed scrutiny by some trusted third-party auditors.  Or, if you were a company with numerous publicly-known officers that would be subject to prosecution in such an event, then that might generate more trust in your system.  But, as just a single individual, you might all-too-easily just grab all the loot one day, slip away, & hightail it to Rio.

Many people (myself included) may be willing to take that risk for the convenience of carrying around a little BTC-valued pocket change, but, I have a feeling nobody is going to be filling bank vaults with this stuff, at least not until it's made more accountable than a private one-man operation can be...

But, I think it's cool anyway... Kudos on the professional design work.

-Mike
vip
Activity: 490
Merit: 502
A good idea, but there's one vulnerability of any physical Bitcoin that exists today - possibility of duplication. The public keys displayed can ensure that the money itself is backed by some Bitcoins, but before redemption, no one really knows whether there is a second piece of money that has the same public key.

Although holograms are hard to make, it's not entirely impossible to duplicate them. For fiat money, government controls most of the technologies to manufacture paper money, and to some extent, this control is quite effective.

One thing about crypto currency is that it can be easily duplicated and spent twice, and Bitcoin solved the problem perfectly, through P2P networks.

I wonder if there's any potential for a physical form of Bitcoin that can utilize the P2P network effectively by itself? Or other ways that can effectively reduce or eliminate the problem of double spending attacks on physical Bitcoins?
newbie
Activity: 46
Merit: 0
Received my coins yesterday.  VERY IMPRESSIVE.  Very cool.  Great job, casascius!  Thanks!

:)
legendary
Activity: 2646
Merit: 1138
All paid signature campaigns should be banned.
I am using Cygwin.  I can try that and see if it works on Cygwin.

Thanks, that does save a step (I only know enough Cygwin/Linux to be slightly dangerous - and learn something new every day).  Either of these will also work and will save the step of creating the file:

bash-4.1# echo -n S4b3N3oGqDqR5jNuxEvDwf | openssl dgst -sha256
0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d

bash-4.1# echo -n S4b3N3oGqDqR5jNuxEvDwf | sha256sum
0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d

vip
Activity: 1386
Merit: 1140
The Casascius 1oz 10BTC Silver Round (w/ Gold B)
  • I then made a file named “short” containing exactly these 22 characters.  This is not as easy as it sounds because most editors add CR/LF and EOF characters to a file.  I used hexedit to make a file of exactly these characters.
  • Then I used openssl like so:   bash-4.1# openssl dgst -sha256 < short
  • I got the following result and verified it with the result on the wiki page: 0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d

Glad to see you got it working!

In Linux the three steps above can be replaced by the following single command:

 echo -n CodeGoesHere | sha256sum
legendary
Activity: 2646
Merit: 1138
All paid signature campaigns should be banned.
For anyone interested it is possible to crack open one of these beauties and import the Bitcoin into your wallet.dat.  It was not easy but it is possible.  Hopefully there will be a more user friendly way to do this soon.  Personally I think the best idea would be a web site which downloads a Javascript with two input windows:  1) A place to enter the mini private key from inside the coin and 2) a place to enter your destination public Bitcoin address.  The script would transfer the Bitcoin off the (now destroyed) physical Bitcoin and send it to the desired destination address.  Not having that, this is how I did it.  Ugly I admit:

  • Bought physical coins from https://www.casascius.com/
  • Found the full Bitcoin address by entering the address on the outside of the coin (12ho33tJ) here:  http://firstbits.com/
  • Verified it contained one Bitcoin in value at: http://blockexplorer.com/address/12ho33tJq5o4uQUnyEemErAgeTfS7YoXDc
  • Installed pywallet from: https://github.com/downloads/jackjack-jj/pywallet/PWI_0.0.3.exe
  • Before trying to decode my mini private key I used the private key published at https://en.bitcoin.it/wiki/Mini_private_key_format in order to test the decode process.  The mini private key I used was: S4b3N3oGqDqR5jNuxEvDwf
  • I then made a file named “short” containing exactly these 22 characters.  This is not as easy as it sounds because most editors add CR/LF and EOF characters to a file.  I used hexedit to make a file of exactly these characters.
  • Then I used openssl like so:   bash-4.1# openssl dgst -sha256 < short
  • I got the following result and verified it with the result on the wiki page: 0c28fca386c7a227600b2fe50b7cae11ec86d3bf1fbe471be89827e19d72aa1d
  • Then I killed my precious unicorn (peeled off the sticker) and read the private key from the sticker.
  • I then made a file named “mine” containing exactly these 22 characters.
  • Then I used openssl like so:   bash-4.1# openssl dgst -sha256 < mine
  • Turned off my Windows Bitcoin client so I could run the pywallet browser
  • I used pywallet to import the key into my wallet.dat.  When it imported the private key into my wallet.dat file the Bitcoin address matched the address on the coin (12ho33tJq5o4uQUnyEemErAgeTfS7YoXDc) so I knew I had the correct private key.
  • Finally, I fired up the Windows Bitcoin client with a -rescan and I got 1 more Bitcoin in my wallet!

I really like my coins and do not plan on destroying any more of them any time soon.  They are beautiful and collectable and I just ordered another batch.
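
The digest step of the redemption procedure above, as an added example that is not part of the original post: it hashes exactly the key's characters, so the CR/LF an editor appends cannot change the result. The function names are hypothetical, and the "?"-suffix typo check comes from the mini private key format description on the wiki, not from this thread.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical; they are not pywallet's or the wiki's.
# A real key typed as a command-line argument ends up in shell history;
# minikey_from_file reads it from a file instead.

# Hex SHA-256 of exactly the bytes on stdin.
sha256_hex() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum | cut -d' ' -f1
    else
        openssl dgst -sha256 | sed 's/^.*= *//'
    fi
}

# Shape check: starts with "S", 22 or 30 characters, base58 alphabet only
# (no 0, O, I, l). CR, LF and spaces are rejected here as well.
minikey_format_ok() {
    local LC_ALL=C
    case "$1" in
        *[!1-9A-HJ-NP-Za-km-z]*) return 1 ;;
        S*) [ "${#1}" -eq 22 ] || [ "${#1}" -eq 30 ] ;;
        *) return 1 ;;
    esac
}

# Typo check from the mini private key format:
# SHA256(key + "?") must begin with the byte 00.
minikey_checksum_ok() {
    case "$(printf '%s?' "$1" | sha256_hex)" in
        00*) return 0 ;;
        *) return 1 ;;
    esac
}

# Private key (hex) = SHA256 of the key's characters and nothing else.
# printf '%s' never appends a newline, unlike a plain echo.
minikey_to_privkey_hex() {
    minikey_format_ok "$1" || { echo "not a 22/30-character mini key" >&2; return 1; }
    printf '%s' "$1" | sha256_hex
}

# Read the key from the first line of a file, dropping the LF (and any CR)
# that an editor added, then derive the private key.
minikey_from_file() {
    local key cr
    cr=$(printf '\r')
    IFS= read -r key < "$1" || [ -n "$key" ] || return 1
    key=${key%"$cr"}
    minikey_to_privkey_hex "$key"
}

# Typical use with a file named "mine", as in the post:
#   minikey_from_file mine
# To insist on the typo check before deriving anything:
#   k=$(head -n 1 mine | tr -d '\r'); minikey_checksum_ok "$k" && minikey_to_privkey_hex "$k"
```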
hero member
Activity: 784
Merit: 1009
firstbits:1MinerQ
@Casascius

I just saw these hollow coins for storing microSD cards inside.
I don't know if you could make these with a Bitcoin  design but that would be pretty cool and probably sell too.

http://www.ebay.com/itm/NEW-Hollow-Spy-Coin-Micro-SD-Card-Covert-US-Half-Dollar-/230435475593?pt=LH_DefaultDomain_0&hash=item35a7065089
hero member
Activity: 1316
Merit: 503
Someone is sitting in the shade today...
The whole point of this exercise is to have physical bitcoin similar to gold coins that can be easily traded in person.  Each physical bitcoin should be worth exactly 1 BTC and can be given/received just like a gold coin or any real currency.

To enforce this system, the construction of the coin has to be in such a way that if opened to obtain the private key of the 1BTC then the coin itself would be completely destroyed or at least easily identified as "used up".  I think the OP is using some sort of seal to ensure this.

Either way the whole system depends on not being able to easily "fake", duplicate, or tamper with the physical bitcoin construction. If people can duplicate the coin, or easily extract the private key of the BTC within the physical coin while leaving the structure intact, then this whole system collapses, as no one knows if the coin is 1) fake or 2) already used up.

This is not an easy problem to solve.  OP is on the right track, but it takes a whole army of people to create regular coins...and what we are talking about here is far more complex than your regular pennies and quarters construction.  Nonetheless, thumbs up for thinking ahead of the herd.