
Topic: [IDEA] Removing trust from physical coin makers re: Priv Key generation (Read 748 times)

legendary
Activity: 2590
Merit: 2348
 Not if you have two people doing them separately.

  They would both need to try and scam you for it to work...instead of one person. One would not know the other's keys or password.
That's impossible. You can't encrypt the private key without knowing both password and private key.

It means the unencrypted one should be generated by a kind of black box that will destroy it after receiving the password and encrypting it into the 6P one.
People will need to trust this black box, this process and its robustness against possible hacks.
In that case, you need to trust whoever created the blackbox. I've thought of a scenario in which 3 trusted people work together to verify all equipment, create private keys, seal the holograms and destroy all other data, but giving more people access in the first place increases the risks again. Cameras can be very small and hidden.

  Don't think it's impossible...I believe Ballet does it with their cards.

  And I am sure there are good programmers that can make this happen.
To complete my previous answer, Ballet seems to use a feature belonging to the BIP38 specification, the EC multiply mode.
Quote
Encryption when EC multiply mode is used
Encrypting a private key with EC multiplication offers the ability for someone to generate encrypted keys knowing only an EC point derived from the original passphrase and some salt generated by the passphrase's owner, and without knowing the passphrase itself. Only the person who knows the original passphrase can decrypt the private key. A code known as an intermediate code conveys the information needed to generate such a key without knowledge of the passphrase.
[...]
The person who knows the passphrase and who is the intended beneficiary of the private keys is called the owner. He will generate one or more "intermediate codes", which are the first factor of a two-factor redemption system, and will give them to someone else we'll call printer, who generates a key pair with an intermediate code can know the address and encrypted private key, but cannot decrypt the private key without the original passphrase.
This article gives a bit of an ELI5 of the process: https://tara-annison.medium.com/encrypted-private-keys-an-outline-of-bip38-98ceae5d1558
But as we can read below in the BIP38 specification, the printer needs to generate a 24-byte (i.e. 192-bit) random seed himself.
Thanks to that, the purchaser can't guess which private key has been generated from his intermediate code, if the private key is sealed by the printer.
But, CMIIW, Ballet doesn't offer a way to check whether the printer is really generating random seeds himself or whether he is using a seed given to him instead (by Ballet).
Quote
Steps to create new encrypted private keys given intermediate_passphrase_string from owner (so we have ownerentropy, and passpoint, but we do not have passfactor or the passphrase):
Set flagbyte.
[...]
Generate 24 random bytes, call this seedb. Take SHA256(SHA256(seedb)) to yield 32 bytes, call this factorb.
ECMultiply passpoint by factorb. Use the resulting EC point as a public key and hash it into a Bitcoin address using either compressed or uncompressed public key methodology (specify which methodology is used inside flagbyte). This is the generated Bitcoin address, call it generatedaddress.
https://github.com/bitcoin/bips/blob/master/bip-0038.mediawiki#encryption-when-ec-multiply-mode-is-used

Libbitcoin-explorer (fully open source), for example, allows using this BIP38 feature via the bx ek-new command:
Quote
Create an encrypted private key from an intermediate passphrase token (BIP38).

$ bx ek-new --help
Usage: bx ek-new [-hu] [--config VALUE] [--version VALUE] TOKEN [SEED]

Info: Create an encrypted private key from an intermediate passphrase
token (BIP38).

Options (named):
[...]

Arguments (positional):

TOKEN                The intermediate passphrase token.
SEED                 The Base16 entropy for the new encrypted private
                     key. Must be at least 192 bits in length (only the
                     first 192 bits are used). If not specified the seed
                     is read from STDIN.
https://github.com/libbitcoin/libbitcoin-explorer/wiki/bx-ek-new
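The two-party flow quoted above (owner derives passfactor and an intermediate code; printer picks seedb, computes factorb and the coin's key from passpoint alone; owner recovers the private key as passfactor * factorb) written out as an added example. This is not code from the thread, from Ballet or from libbitcoin. It implements the no-lot/sequence variant of BIP38 EC-multiply mode with pure-Python secp256k1 arithmetic and hashlib's scrypt. Two pieces are deliberately left out: the AES wrapping of seedb into the final 6P... string, and the hash160/base58 address step (the address is hash160 of the compressed public key the printer returns). Instead, seedb is handed back to the owner directly, standing in for the owner decrypting it with the passphrase. The passphrase and owner salt in demo() are constructed values.

```python
"""BIP38 EC-multiply mode (no lot/sequence numbers): owner and printer roles.

Added example, not the thread's, Ballet's or libbitcoin's code. The AES step that
wraps seedb into the 6P string and the address hashing are omitted; seedb is passed
to the owner directly in place of decrypting it with the passphrase.
"""
import hashlib
import os

# secp256k1 domain parameters (field prime, group order, generator)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
MAGIC_NO_LOT = bytes.fromhex("2CE9B3E1FF39E253")  # BIP38 intermediate-code prefix


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def compress(pt):
    return bytes([2 | (pt[1] & 1)]) + pt[0].to_bytes(32, "big")


def decompress(b):
    x = int.from_bytes(b[1:], "big")
    y = pow((x ** 3 + 7) % P, (P + 1) // 4, P)  # p = 3 mod 4, so this is a sqrt
    return (x, y) if (y & 1) == (b[0] & 1) else (x, P - y)


def sha256d(b):
    return hashlib.sha256(hashlib.sha256(b).digest()).digest()


def b58check_encode(payload):
    data = payload + sha256d(payload)[:4]
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    return "1" * (len(data) - len(data.lstrip(b"\0"))) + out


def b58check_decode(s):
    n = 0
    for c in s:
        n = n * 58 + B58.index(c)
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    data = b"\0" * (len(s) - len(s.lstrip("1"))) + raw
    if sha256d(data[:-4])[:4] != data[-4:]:
        raise ValueError("bad checksum")
    return data[:-4]


# --- owner side (knows the passphrase, never sees seedb until redemption) ---
def owner_make_intermediate(passphrase, ownersalt):
    """Derive passfactor (kept secret) and the intermediate code given to the printer."""
    passfactor = hashlib.scrypt(passphrase.encode(), salt=ownersalt,
                                n=16384, r=8, p=8, dklen=32)  # BIP38 parameters
    passpoint = compress(_mul(int.from_bytes(passfactor, "big"), G))
    return passfactor, b58check_encode(MAGIC_NO_LOT + ownersalt + passpoint)


def owner_recover_privkey(passfactor, seedb):
    """privkey = passfactor * factorb mod n; seedb stands in for the decrypted 6P payload."""
    factorb = int.from_bytes(sha256d(seedb), "big")
    d = int.from_bytes(passfactor, "big") * factorb % N
    return d.to_bytes(32, "big")


# --- printer side (knows only the intermediate code) ---
def printer_generate(intermediate, seedb=None):
    """Compute the coin's public key without ever learning passfactor or the private key."""
    payload = b58check_decode(intermediate)
    if payload[:8] != MAGIC_NO_LOT or len(payload) != 49:
        raise ValueError("unsupported intermediate code")
    passpoint = decompress(payload[16:49])       # bytes 8..16 are ownerentropy
    if seedb is None:
        seedb = os.urandom(24)                   # must be the printer's own randomness
    factorb = int.from_bytes(sha256d(seedb), "big")
    return compress(_mul(factorb, passpoint)), seedb


def pubkey_from_privkey(priv):
    return compress(_mul(int.from_bytes(priv, "big"), G))


def demo():
    """End-to-end run with constructed inputs; returns what each party ends up holding."""
    passfactor, code = owner_make_intermediate("correct horse", bytes.fromhex("0102030405060708"))
    pubkey, seedb = printer_generate(code)             # printer: no passfactor
    priv = owner_recover_privkey(passfactor, seedb)    # owner: seedb only after decrypting 6P
    return {"intermediate": code, "pubkey": pubkey, "priv": priv,
            "consistent": pubkey_from_privkey(priv) == pubkey}


if __name__ == "__main__":
    out = demo()
    print(out["intermediate"], out["pubkey"].hex(), out["consistent"])
```

The `consistent` flag is the property the whole scheme rests on: passpoint * factorb and (passfactor * factorb) * G are the same point, so the printer can derive the public key and address while neither party alone holds the private key. The check the thread asks for follows directly: if whoever issued the intermediate code also dictated seedb (call `printer_generate(code, seedb)` with a seed they chose), `owner_recover_privkey` gives them the full key without the 6P string ever being decrypted, and a buyer has no way to tell from the printed coin which case occurred.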
legendary
Activity: 3192
Merit: 3591
"Removing trust from physical coin makers re: Priv Key generation"

easy.. don't make keys for your collectibles...they don't need it

There are Bitcoin collectibles, and there are Bitcoin themed collectibles.  One is an innovative product where the maker publishes lists of the keys used and has the products backed by something, an organization, physical BTC, usage case, etc...  The other is a trinket someone made and slapped a BTC logo on (maybe even including a non-vanity key with no use or published list as an afterthought).  People should be able to identify the difference and not get fooled into paying BTC collectible markups for BTC themed collectibles.  An example I would give is the difference in price I charge between a 1oz silver Bitcoin Binary round and a 1oz silver NastyFans Minted Seat.

Nothing wrong with Bitcoin themed collectibles, I own many, but there's a huge difference between a themed collectible that has a logo on it versus a collectible that can functionally interact with a blockchain. 

I agree that you are right Bitcoin themed collectibles don't need a private key, but they are not in the same product galaxy as a functional collectible with a private key.

Good example...
After a little thought, I find it interesting that this is probably the only hobby/collectible space that attaches more value to the collectible by attaching more value to the collectible.
The only other collectible space like this I can think of would be traditional numismatics, where a collectible $20 bill is already worth $20 due to the value already associated with it.

it's like taping a $100 bill to a baseball card.... lol
donator
Activity: 4718
Merit: 4218
Leading Crypto Sports Betting & Casino Platform
"Removing trust from physical coin makers re: Priv Key generation"

easy.. don't make keys for your collectibles...they don't need it

There are Bitcoin collectibles, and there are Bitcoin themed collectibles.  One is an innovative product where the maker publishes lists of the keys used and has the products backed by something, an organization, physical BTC, usage case, etc...  The other is a trinket someone made and slapped a BTC logo on (maybe even including a non-vanity key with no use or published list as an afterthought).  People should be able to identify the difference and not get fooled into paying BTC collectible markups for BTC themed collectibles.  An example I would give is the difference in price I charge between a 1oz silver Bitcoin Binary round and a 1oz silver NastyFans Minted Seat. 

Nothing wrong with Bitcoin themed collectibles, I own many, but there's a huge difference between a themed collectible that has a logo on it versus a collectible that can functionally interact with a blockchain. 

I agree that you are right Bitcoin themed collectibles don't need a private key, but they are not in the same product galaxy as a functional collectible with a private key.
legendary
Activity: 3192
Merit: 3591
"Removing trust from physical coin makers re: Priv Key generation"

easy.. don't make keys for your collectibles...they don't need it
legendary
Activity: 2044
Merit: 2195
EIN: 82-3893490
I have thought about encoding private keys to nfc tag
If it breaks, your money is gone. With a 10 plus years lifespan, that's a real risk for collectibles.

Good point. I was not aware of any 10 year lifespan.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
can NFC tech be used to solve/aid in any of this?

I have thought about encoding private keys to an NFC tag and then having some sort of key that unlocks the NFC chip. If it's split key, then the "user" part is on the NFC tag while the maker part is under the tag and under the holo.

haven't got a chance to play with this idea yet though.

Been doing some googling today about nfc and many casinos are using them in their chips. With the use / abuse and washing / cleaning cycles that they go through the chips tend to be destroyed before the tags stop working. BUT, there seems to be very little real data on that; just comments and discussions. If there is some public information out there my google skills are lacking in finding it.

The issue that comes to mind is that for casinos, a lot of the time, when it comes to dealing with the money side of it, cost is not an issue.
They don't, but if they replaced them as they are damaged beyond repair, they would probably buy more tomorrow to replace the ones damaged over the weekend than all the coin makers here would buy this year combined.

What would be the upper limit of additional cost people would be willing to pay for coins like that. Could put the lower end ones out of business, which is not the goal here. Nor a desired side effect.

-Dave
legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
I have thought about encoding private keys to nfc tag
If it breaks, your money is gone. With a 10 plus years lifespan, that's a real risk for collectibles.
legendary
Activity: 2044
Merit: 2195
EIN: 82-3893490
can NFC tech be used to solve/aid in any of this?

I have thought about encoding private keys to an NFC tag and then having some sort of key that unlocks the NFC chip. If it's split key, then the "user" part is on the NFC tag while the maker part is under the tag and under the holo.

haven't got a chance to play with this idea yet though.
donator
Activity: 4718
Merit: 4218
Leading Crypto Sports Betting & Casino Platform
I think it's good to explore ways to keep people honest.  That being said, personally, it has always seemed to me that people are willing to sacrifice some of their security for simplicity.  I thought about offering coins with the suggested methods but I don't believe anyone would actually prefer that and assumed the level of education and assistance that would be required for most users would be more than I'd personally be willing to take on and I don't think the users would want that either.  I'm not saying it shouldn't be done or that there isn't a market for it, but my ultimate solution was to try and make coins that were cool and demonstrated the ability to hold BTC, but wouldn't require deposits to load them or eventually hold so much BTC that if it were lost by the user it would be life changing.  I'm often criticized for my coins not holding more BTC, but I'm not sure those complaining consider that I didn't ever want to be the guy that generated keys that held thousands of BTC for others.  I wanted to be the guy that made demonstrably cool coins... 

I think a standard of 2fa or multisig being established for makers wouldn't be a bad thing and maybe for loaded coins it should be something customers should consider.  However, I only own 1 2fa coin, the 1000 BTC Casascius Gold coin, and I'd honestly prefer if it wasn't 2fa.  I believe coblee even once said that none of the people he sold the coins to ever even asked about the 2fa, making it beyond worthless.

  Wouldn't the 2FA be an issue like with Titan? https://bitcointalksearch.org/topic/titan-mint-coins-serious-issue-new-updates-5369583

   Again, if a website isn't kept online or anyone operating it is corrupt, then it ain't such a great idea IMO.

2fa could be done in different ways.  I'm not sure exactly how Titan did it as I never purchased any of their goods (what had they done before selling those coins to earn the trust required to offer such a product?), but if it relies on them being around in the future then they definitely did it poorly.  If I were going to implement it, I would have done it in a way where the user would have supplied a piece of the information used to generate the key.  Maybe 2fa isn't the right descriptor (split key generation?), it definitely isn't my area of expertise.  The problem however with the way that I looked at implementing it, is that the resale of the coin would be heavily dependent on the original buyer providing the new buyer with the information needed to access the private key (like in my coblee example above).  This would likely result in buyers losing their piece of the puzzle and funds being lost, or new buyers not getting correct information from the original owner, etc...  It would be a customer service nightmare.  That's a big part of the reason I did not go that route.  Simplicity and customer experience being the others.
legendary
Activity: 2506
Merit: 3209
The Stone the masons rejected was the cornerstone.
I think it's good to explore ways to keep people honest.  That being said, personally, it has always seemed to me that people are willing to sacrifice some of their security for simplicity.  I thought about offering coins with the suggested methods but I don't believe anyone would actually prefer that and assumed the level of education and assistance that would be required for most users would be more than I'd personally be willing to take on and I don't think the users would want that either.  I'm not saying it shouldn't be done or that there isn't a market for it, but my ultimate solution was to try and make coins that were cool and demonstrated the ability to hold BTC, but wouldn't require deposits to load them or eventually hold so much BTC that if it were lost by the user it would be life changing.  I'm often criticized for my coins not holding more BTC, but I'm not sure those complaining consider that I didn't ever want to be the guy that generated keys that held thousands of BTC for others.  I wanted to be the guy that made demonstrably cool coins... 

I think a standard of 2fa or multisig being established for makers wouldn't be a bad thing and maybe for loaded coins it should be something customers should consider.  However, I only own 1 2fa coin, the 1000 BTC Casascius Gold coin, and I'd honestly prefer if it wasn't 2fa.  I believe coblee even once said that none of the people he sold the coins to ever even asked about the 2fa, making it beyond worthless.

  Wouldn't the 2FA be an issue like with Titan? https://bitcointalksearch.org/topic/titan-mint-coins-serious-issue-new-updates-5369583

   Again, if a website isn't kept online or anyone operating it is corrupt, then it ain't such a great idea IMO.

donator
Activity: 4718
Merit: 4218
Leading Crypto Sports Betting & Casino Platform
I think it's good to explore ways to keep people honest.  That being said, personally, it has always seemed to me that people are willing to sacrifice some of their security for simplicity.  I thought about offering coins with the suggested methods but I don't believe anyone would actually prefer that and assumed the level of education and assistance that would be required for most users would be more than I'd personally be willing to take on and I don't think the users would want that either.  I'm not saying it shouldn't be done or that there isn't a market for it, but my ultimate solution was to try and make coins that were cool and demonstrated the ability to hold BTC, but wouldn't require deposits to load them or eventually hold so much BTC that if it were lost by the user it would be life changing.  I'm often criticized for my coins not holding more BTC, but I'm not sure those complaining consider that I didn't ever want to be the guy that generated keys that held thousands of BTC for others.  I wanted to be the guy that made demonstrably cool coins... 

I think a standard of 2fa or multisig being established for makers wouldn't be a bad thing and maybe for loaded coins it should be something customers should consider.  However, I only own 1 2fa coin, the 1000 BTC Casascius Gold coin, and I'd honestly prefer if it wasn't 2fa.  I believe coblee even once said that none of the people he sold the coins to ever even asked about the 2fa, making it beyond worthless.
legendary
Activity: 2044
Merit: 2195
EIN: 82-3893490
Yes! WhyFly! He actually had me play with it when he was working on it a while back; the name was just eluding me yesterday.

As for the paper - yes, that is very important - ask satslife about the nightmare he had with an XMR coin a while back - luckily they did get it remedied and figured out, but the key was literally falling apart/fading as he watched it - luckily he took pictures.
legendary
Activity: 3458
Merit: 6231
Crypto Swap Exchange
@smoothie, I recall you reaching out to me with this concept in 2014… yea it started getting a little too complex for me as my work has enough complexities as is... especially at that time. And working solo is always nice b/c you can go at your own pace.

@DaveF, I started exploring the idea of integrating Opendimes into my bars when they came out. The question that prevented me from going this direction is: How can you guarantee that the Opendime will be good in 100+ years? Or even 10 years.

I also considered a sculptural work that had let’s say ten Opendimes inside, where each would hold something like 0.1 BTC - to mitigate the risk a little.

And lately I've been looking into these Satschips as they’re much smaller, but still the same issue with a potential hardware failure.

In my mind's eye I'm currently working on a concept that will be a DIY style piece but unique to what's currently on the market.

And perhaps as I transition to these DIY versions, it might make the previous versions that can hold bitcoin and be sold on the secondary market more valuable.

So yea, It's likely that the Kialara Builders will be the last pieces I created that will come loaded with public/private keys. I will confirm this soon. I do hope the issue of trust can somehow be solved... it's something I am thinking about all the time.

With the same comment from my other post, I'm being a bit of an ass here not to be combative but to make a point. Krogoth and mopar and probably a few others use a better grade of 'indestructible' paper for their keys. It should last 100 years. How do we know that some other people did not use the cheapest paper they could find and when you peel it in 2098 it's going to be so brittle it disintegrates into dust?

I don't know the raw cost of the satschips, but you could in theory solve the issue like you said by using a few of them each holding a fraction of the funds. The other option, and I don't know if it's viable, would be to have several of them set up as an x of y multisig. If they are low enough cost in bulk, could you do a 2 of 5 and not really worry about it?


for BIP38, with 2 entities involved in applying first the PK and then the pw - you would probably need two people somewhat close, so as to not be paying a fortune to ship coins back and forth, and without risk of losing them in the process.

there is the split key method https://en.bitcoin.it/wiki/Split-key_vanity_address

I apologize but someone here was working on it and at this time and moment, I cannot recall who it was.

another option is always offer DIY


I think you are talking about WhyFly: https://bitcointalksearch.org/topic/1splitkeycom-the-easy-secure-and-mostly-free-vanity-wallet-service-closeddown-5397602

-Dave

legendary
Activity: 2590
Merit: 2348
 Don't think it's impossible...I believe Ballet does it with their cards.

  And I am sure there are good programmers that can make this happen.

Yes, I know Ballet is using BIP38 keys, but I thought it was only a way to avoid being stolen by the manufacturer of the cards.

Quote
1. A BIP38 passphrase, intermediate code, and Ballet product serial number are generated on an offline, air gapped computer at Ballet’s secure facility in the United States.
2. The wallet serial number and BIP38 intermediate code are securely transmitted to Ballet’s secure facility in China.
3. At Ballet’s secure facility in China, the BIP38 intermediate code is used to randomly generate a BIP38 private key entropy, which can only be decrypted by the original BIP38 passphrase. These two private key components, though they have never met or come into contact with each other, are cryptographically related, yet neither can be used to deduce the other. With this, we can create a pre-configured wallet for the customer, without ever decoding the actual private key, and without ever bringing together these critical two pieces of private key components. This is the genius of the BIP38 standard.[...]
https://www.ballet.com/2FKG/#six

Well, it seems they've found a way to generate an already encrypted 6P key that works with a random password, from what I understand. Why don't they release the code they use? Why isn't it open source?
They say they don't generate the 6P key in one step, but they first generate an "intermediate code" of the 6P key before sending it to the manufacturer, which will decode it into the final 6P key, print it and seal it.
But they are fully able to decode this "intermediate code" themselves if they want, from what I understand, and nobody can guarantee they have never done / will never do it.
full member
Activity: 1211
Merit: 135
Krogothmanhattan alt account
Don't think it's impossible...I believe Ballet does it with their cards.
I checked their website, but couldn't find how they create it. Chances are someone has access.

Quote
And I am sure there are good programmers that can make this happen.
Then you'll have to trust the programmers again. Maybe it can work, if you use (and verify) open source software that creates a random private key, creates a random password, encrypts the private key without showing it, verifies the decryption process, and then only prints the encrypted private key and password on different printers handled by different people.

Maybe a comparison would be how large exchanges handle their cold storage nowadays: after many hacks, there shouldn't be a single person within the company that has full access to any private keys on his own.

    Agree...there is always the human factor.

     I will ask a Mr Robot if this is doable or not....but I figure the weakest link would be two people instead of one...which makes it a bit more secure.

    Again, I preferred coins that are not buyer-funded...but that's just me.

     But because of this fiasco that has changed my landscape.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
Don't think it's impossible...I believe Ballet does it with their cards.
I checked their website, but couldn't find how they create it. Chances are someone has access.

Quote
And I am sure there are good programmers that can make this happen.
Then you'll have to trust the programmers again. Maybe it can work, if you use (and verify) open source software that creates a random private key, creates a random password, encrypts the private key without showing it, verifies the decryption process, and then only prints the encrypted private key and password on different printers handled by different people.

Maybe a comparison would be how large exchanges handle their cold storage nowadays: after many hacks, there shouldn't be a single person within the company that has full access to any private keys on his own.
legendary
Activity: 2506
Merit: 3209
The Stone the masons rejected was the cornerstone.
        With BIP38, the coin in my opinion would need to have two holos. One for the password and the other for the private key. You would need to have one person apply the private key under one holo and the other do the password under the other holo, and those people should not be next to each other whilst doing it, or even better...far away.

     The program would be such that only one person can have access to the priv key and the other just the password. One is useless without the other.
This still doesn't work.

Example:
BIP38 encrypted private key: 6PYW6YBemMMAdxWXFmo264SZjtVN5DW5hu2xeXVJyDA8S3v9NRTk1i7G1y
Password: bQ68SmCCNEuRBGx8
You're absolutely right: one is useless without the other. If you put them under separate holograms, you'll need to peel both to redeem the coin.

But: I made both of them. I know the unencrypted private key is Kxj464nKCGk4qwdDWx1ribWSjttT3e9Y1qzFDYVQYvYJdQ2HyHS7 and there is no way to prevent this. It gives a fake sense of security at best, and it's impossible to avoid.

  Not if you have two people doing them separately.

  They would both need to try and scam you for it to work...instead of one person. One would not know the other's keys or password.

  But yes still a point of failure

Better have 2 different holograms then... what would prevent the 2nd person from peeling the first person's, taking the info and then reapplying that one and then their 2nd one??

   Then it all boils down that even with one holo people can do exactly what you say if they create identical holograms which of course can be done easily.
legendary
Activity: 2506
Merit: 3209
The Stone the masons rejected was the cornerstone.
 Not if you have two people doing them separately.

  They would both need to try and scam you for it to work...instead of one person. One would not know the other's keys or password.
That's impossible. You can't encrypt the private key without knowing both password and private key.

It means the unencrypted one should be generated by a kind of black box that will destroy it after receiving the password and encrypting it into the 6P one.
People will need to trust this black box, this process and its robustness against possible hacks.
In that case, you need to trust whoever created the blackbox. I've thought of a scenario in which 3 trusted people work together to verify all equipment, create private keys, seal the holograms and destroy all other data, but giving more people access in the first place increases the risks again. Cameras can be very small and hidden.

  Don't think it's impossible...I believe Ballet does it with their cards.

  And I am sure there are good programmers that can make this happen.

legendary
Activity: 3290
Merit: 16489
Thick-Skinned Gang Leader and Golden Feather 2021
 Not if you have two people doing them separately.

  They would both need to try and scam you for it to work...instead of one person. One would not know the other's keys or password.
That's impossible. You can't encrypt the private key without knowing both password and private key.

It means the unencrypted one should be generated by a kind of black box that will destroy it after receiving the password and encrypting it into the 6P one.
People will need to trust this black box, this process and its robustness against possible hacks.
In that case, you need to trust whoever created the blackbox. I've thought of a scenario in which 3 trusted people work together to verify all equipment, create private keys, seal the holograms and destroy all other data, but giving more people access in the first place increases the risks again. Cameras can be very small and hidden.
legendary
Activity: 2590
Merit: 2348
       With BIP38, the coin in my opinion would need to have two holos. One for the password and the other for the private key. You would need to have one person apply the private key under one holo and the other do the password under the other holo, and those people should not be next to each other whilst doing it, or even better...far away.

     The program would be such that only one person can have access to the priv key and the other just the password. One is useless without the other.
This still doesn't work.

Example:
BIP38 encrypted private key: 6PYW6YBemMMAdxWXFmo264SZjtVN5DW5hu2xeXVJyDA8S3v9NRTk1i7G1y
Password: bQ68SmCCNEuRBGx8
You're absolutely right: one is useless without the other. If you put them under separate holograms, you'll need to peel both to redeem the coin.

But: I made both of them. I know the unencrypted private key is Kxj464nKCGk4qwdDWx1ribWSjttT3e9Y1qzFDYVQYvYJdQ2HyHS7 and there is no way to prevent this. It gives a fake sense of security at best, and it's impossible to avoid.

  Not if you have two people doing them separately.

  They would both need to try and scam you for it to work...instead of one person. One would not know the other's keys or password.

  But yes still a point of failure
Yes, but with BIP38 private keys you don't need to use the password if you already know the unencrypted key. You only need it if you only know the encrypted one starting with 6P. It means the unencrypted one should be generated by a kind of black box that will destroy it after receiving the password and encrypting it into the 6P one.
People will need to trust this black box, this process and its robustness against possible hacks.
IMO it's more convenient and reliable to use 2 keys from a multisig wallet instead of a BIP38 key and a password.