Two-Factor Physical Bitcoins

If you are reading this because you have received a Casascius Physical Bitcoin product that says "casascius.com/2factor" on it, be aware that your piece is only redeemable with a second private key that is not inside the piece.  Unless you ordered it directly from me, the key should have been provided to you with the piece, otherwise it has no value.

What is a two-factor Physical Bitcoin?

A two-factor physical bitcoin is a piece that has requires two pieces of information to be redeemed, each of which has been created independently by unrelated parties, and both of which are required to spend the funds.  A two-factor Casascius Physical Bitcoin is laser-engraved on its face with the URL "casascius.com/2factor" and has part of the key material embedded by Casascius, and the other part is typically a passphrase chosen by the person who bought the piece.  In order to redeem the funds on the piece, both the embedded key and the secondary passphrase must be known.

The main advantage to having a two-factor piece is a high level of security.  Since I (the issuer) never possess both private keys at any time, there is no chance that I could steal the funds.  This makes the piece useful for storing large amounts of bitcoin with a very high degree of confidence that no unauthorized person knows its private key.

How is this possible?

The strength is in the numbers.  Bitcoin is based upon a branch of mathematics called "elliptic curve cryptography", and the math allows for this.  The concept is called "elliptic curve multiplication", and is similar to the process used for outsourcing the creation of vanity Bitcoin addresses.  Although the piece is based on multiple pieces of private key material, it has only one Bitcoin address.

How do I order a two-factor physical bitcoin?

A downloadable tool called Bitcoin Address Utility assists you in getting started.  Bitcoin Address Utility is an open-source program written in C# for Windows, and will also run on Mac OS X and Linux (requires Mono).

This program has several functions, but the one you'll need is called "Intermediate Code Generator" and it's under the Tools menu.  You enter a passphrase here, and it will be converted to an "Intermediate Code".  Provide this part to me in the notes.

I can generate Bitcoin addresses for multiple pieces from a single intermediate code if they'll all require the same passphrase.

I can also create two-factor physical bitcoins from a hex public key instead of an Intermediate Code.  In this case, the key material you'll need to redeem the piece is the associated private key.  You'll also use the "key combiner" screen to do this, instead of the passphrase decryption process.

You gave me a "confirmation code".  What is this for?

The purpose of the confirmation code is to enable you to validate two things: first, that the Bitcoin address you'll be funding is one that is actually restricted by your passphrase.  Second, it confirms that you have the correct passphrase.  The utility's "Confirmation Code Validator" screen takes the confirmation code and gives you your own Bitcoin address.  The confirmation code is useful for this verification and nothing more.  It can't be used for redeeming the funds, and is not needed for redeeming the funds.

I have a two-factor Casascius Physical Bitcoin piece but don't know the passphrase.  Can I redeem the funds?

No.  You need them both.  There is no way to get around this - if there were, the two-factor scheme would have no value.  One private key is the one you generated when you placed the order, and the other is hidden inside the physical bitcoin piece.

I have a two-factor Casascius Physical Bitcoin piece.  How do I redeem the funds?

You need to use a tool that takes both private keys and combines them into a single private key.  Once you have the single private key, redemption is exactly the same as redeeming a single-factor private key.

The Bitcoin Address Utility tool can decrypt encrypted private keys.  Use the Address Utility screen for this (it's under Tools).  Type the encrypted private key into the "Private Key (WIF)" box, and the passphrase in the box below it.  Then click the double-down arrows.  The decrypted hex private key will appear.

If your physical bitcoin contains two key circles, you have a 58-character private key.  The one that starts with "6P" is where the code starts.  The dashes connect the two halves of the code, but are not part of the code itself.