Statement of Controls
The following is provided to answer questions as to the efforts made to ensure
the integrity of Casascius Physical Bitcoins.
Private key generation, preparation, and storage
Synopsis: Private keys must be generated securely in order to prevent the
possibility of theft by hackers, and copies must be controlled to prevent
accidental discovery. In addition, private keys must be produced
accurately, and must properly correspond to the Bitcoin addresses on the outside
of the physical item.
Objectives:
- Ensure that there is no possibility of access to private keys via "hacking".
- Ensure that private keys are generated using a suitable random number generator,
so they cannot be predicted in the future.
- Ensure that the key generator consistently produces valid keypairs.
- Ensure that each private key is printed exactly once.
- Ensure that each private key is legible and complete.
- Ensure that each private key properly corresponds to the address on the outside.
Controls:
Private keys are always produced on a dedicated computer that is set up
temporarily for this purpose. This computer is never connected to the
Internet at any point during the production process.
The operating system for this computer is freshly installed for this purpose, as
well as all of the software that will be used. For all Casascius Physical
Bitcoin addresses produced in 2011, Windows 7 was used, and Microsoft Access was
used to manage the key list and to render them to paper. A custom
application is used for generating the Bitcoin addresses to a text file.
Moving data between the key generation computer and other computers is
accomplished via removable USB flash drives that have never been used for any
prior purpose. At no point is private key material ever copied to drives
based on flash memory technology, not even temporarily. The key generation
machine itself is equipped with one 80GB mechanical hard drive with magnetic
rotating platters.
The random number generator used is the Microsoft secure random number generator
in the System.Security.Cryptography namespace of the Microsoft .NET 4.0
Framework. In addition, the custom application also asks for a "mash" of
characters from the keyboard of no fewer than 50 characters, each time the
application is run, which is answered with a string of non-memorable characters
by "spidering" fingers around the keyboard. The application generates a
second pseudo-random byte stream using the SHA256 hash algorithm on this "mash"
plus an incrementing nonce, and this second random number stream is combined
with the first one using modular addition before being used as key material.
The "mash" string is never kept.
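
The two-stream construction described above, sketched in Python as an added example; it is not the custom .NET application, whose code is not shown here. Assumptions: the mash and nonce are concatenated as UTF-8 text plus a decimal counter, the modular addition is taken modulo 2**256, candidates outside the secp256k1 range are rejected, and all function names are illustrative.

```python
import hashlib
import secrets

# Order of the secp256k1 group; valid Bitcoin private keys lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
MIN_MASH_LEN = 50  # minimum mash length stated in the text


def mash_block(mash: str, nonce: int) -> bytes:
    """One 32-byte block of the second stream: SHA-256(mash || nonce).
    The byte encoding of mash and nonce is an assumption."""
    return hashlib.sha256(mash.encode("utf-8") + str(nonce).encode("ascii")).digest()


def combine(system_bytes: bytes, mash_bytes: bytes) -> int:
    """Modular addition of two 32-byte values (modulus 2**256 is assumed)."""
    a = int.from_bytes(system_bytes, "big")
    b = int.from_bytes(mash_bytes, "big")
    return (a + b) % (1 << 256)


def generate_keys(mash: str, count: int, system_rng=secrets.token_bytes):
    """Return `count` private keys as 32-byte strings.
    `system_rng` stands in for the platform CSPRNG and is injectable for tests."""
    if len(mash) < MIN_MASH_LEN:
        raise ValueError("mash must be at least 50 characters")
    keys, nonce = [], 0
    while len(keys) < count:
        candidate = combine(system_rng(32), mash_block(mash, nonce))
        nonce += 1  # the nonce advances even when a candidate is rejected
        if 1 <= candidate < N:  # discard values that are not valid keys
            keys.append(candidate.to_bytes(32, "big"))
    return keys  # the mash itself is never written anywhere


if __name__ == "__main__":
    # Constructed sample mash (54 characters); a real one is typed per run.
    sample_mash = "k3j;fa9w0[qpoiv,znx/.c;lkj2h4g5098sdfuy1!@#lkjasd0f98y"
    for key in generate_keys(sample_mash, 3):
        print(key.hex())
```

Because the system generator's output is independent of the mash stream, the sum is at least as unpredictable as the system generator alone, so a poorly typed mash cannot weaken the result.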
Integrity of the calculation process, including the elliptic curve mathematics
that convert the private key to a Bitcoin address, was checked by using the same
custom application to convert private keys generated on other platforms to
ensure it consistently calculated the same Bitcoin address as elsewhere.
In order to confirm the program works as expected, two sets of dummy keypairs
were produced externally and exported to text files, and then the custom
application was used to recreate the Bitcoin address from the given private key
to ensure it matched the Bitcoin address. A set of keypairs generated by
the official Bitcoin client (0.3.20, with dumpwallet patch), as well as a set
created by v0.5 or later of the script at BitAddress.org, were tested in this
manner.
After the addresses have been generated and printed to paper, the entire
operating system installation is completely destroyed by booting the machine to
a Linux Live CD, and executing cp /dev/zero /dev/sda until the command reports
"No space left on device". This procedure is repeated three times.
Afterwards, the drive is typically overwritten with a new operating system, and
used for some other temporary purpose.
Series 1 Physical Bitcoins
The addresses for Series 1 physical Bitcoins were produced in advance of the
hologram order. Eleven thousand (11,000) addresses were created. The
first 8 characters of the Bitcoin addresses were isolated into their own text
file, and this text file was e-mailed to the hologram manufacturer, who used the
file to produce an inkjet "overprint" across the middle of each hologram.
This text file was sorted into alphabetical order (non-case-sensitive, numbers
first) and this order is maintained throughout all of the production processes
using this set of addresses.
When the addresses were created, they were printed to paper on sheets in grids
of 15 by 22, or 330 keys per sheet. This produced 34 sheets. Only
one copy of each sheet, and hence, one copy of each private key was made.
The sheets are double-sided. On the back of each sheet, the private key is
printed in black. On the front of each sheet, the prefix of the Bitcoin
address is printed repetitively in light blue. The color coding is
intended to help ensure that private keys are never loaded into coins
upside-down.
Each sheet was individually hand-inspected to ensure the following: that it was
unique (not a duplicate of any of the other sheets), and that the addresses on
the front of the sheet properly corresponded to the keys on the back. On
the private key side, the address prefix is also printed alongside the private
key, in an area that remains outside the circular cutout, to assist with this
verification. For each page, all four corners are verified individually,
to verify that the sequence is still intact and that it has not been disrupted
for any reason, such as printing problems. Each page was also inspected
for print quality, to ensure that each key printed completely and legibly.
If a page had to be rejected (for example, the printing on the front and back
didn't align), the page was set aside for secure destruction. Secure
destruction was accomplished by putting the pages in a high-speed
commercial-grade kitchen blender containing water, and operating the blender in
excess of 30,000 RPM, so that the unwanted key pages were rapidly reduced to a
mass of wet pulp with no discernible characters.
Upon arrival of the holograms, it was discovered that they were neatly sequenced
following the sort order in pages of 25 holograms, five rows by five columns.
Based on this discovery, the key sheets were re-run through the printer, and
overprinted with repeating red and black minor sequence numbers between 1 and 25
on the Bitcoin address side, so that the minor sequence number could serve as a
secondary check for correctness during the coin production process.
Assembling the coins is always done in groups of five coins, as the hologram
pages are designed in a way where it's easiest to remove exactly five labels at
a time via a transfer tape. This ensures a consistent process, and allows
for easy manual recognition of the proper sequence number set (which will always
be 1-5, 6-10, 11-15, 16-20, or 21-25). If a hologram becomes damaged
(which is somewhat frequent - the tamper evidence pattern can be easily made
visible by accident), both the private key and the hologram are discarded
together and are never reprinted.  Alternatively, the hologram may be torn
off and replaced after writing a small "x" on the private key with a pen, and
the result given away or sold as a scrap "opened" coin for the purpose of
demonstrating an opened coin.
Series 1 holograms have been exclusively applied personally by Mike Caldwell
and/or his spouse. The complete Bitcoin addresses for these 11,000
keypairs have been published at Casascius.com in a PGP-signed format.
Series 2 Physical Bitcoins
Series 2 physical Bitcoins were created in part to offer an enhanced
verification scheme to increase the assurance that the private key on the inside
corresponds to the Bitcoin address prefix on the outside.  Thus, the Series
2 holograms have no overprinting, but instead have a small transparent window
that allows a portion of the circular key paper to be seen from the outside of
the coin.
An initial run of 1,000 Bitcoin addresses was created for the first Series 2
holograms.  This yielded 3 key pages (990 addresses); the last ten were
discarded. The Bitcoin addresses have been published at Casascius.com, and
are the 1,000 addresses in the list immediately following the 11,000 addresses
produced for Series 1. These 1,000 addresses were completely consumed by
December 2011, each address either having been placed into a coin, or discarded.
A second run of 17,000 addresses was produced in December 2011. These were
picked from a larger set of slightly over 2 million Bitcoin addresses generated
for this run, so that Bitcoin addresses with special prefixes could be used
(e.g. for silver coins whose addresses started with "1Ag"). Addresses were
selected from the following prefixes: 1Ag*, 1Au*, 1BTC, 1CA, 1CC, 1CS,
1GO, 1GL, 1GD, 1GC, and 1oo*. Prefixes marked with * were selected
case-sensitively, and those without were not. The digital copies of the
addresses, including unused addresses from the set of over 2 million, have been
securely deleted.
From this run of 17,000, unlike the prior 12,000, the 65-byte public keys were
kept in addition to the Bitcoin addresses, to facilitate key schemes where two
public keys are combined to create a composite key for enhanced security.
The public keys are not considered to be a security risk - they are published in
the block chain during every Bitcoin transaction anyway. Nevertheless, the
complete list of public keys is not intended for publication, and is kept on
removable media.
The process for creation of key pages is the same as for Series 1, except that
the Bitcoin address prefix is repeatedly printed in green on the front side, and
there is no minor sequence number. The same checks are performed on each
individual page by hand as on Series 1.  Because Series 2 keys do not
require matching with a pre-numbered hologram, they are cut without concern for
sequence, placed into an envelope or jar, and are used in essentially random
order as they are picked.
Series 2 keys have been exclusively cut using a laser cutting machine. The
laser cutting machine cuts a single page of 330 key circles in a single
operation lasting about six minutes.  In contrast, Series 1 holograms were
individually cut with a large hole punch by hand prior to the acquisition of the
laser machine.
During cutting, the private key side is face up and visible to the operator of
the machine, who can easily see if there is ever an occurrence where the laser
occludes or otherwise damages the private key. In such a condition (which
is rare), the machine can be paused at any time, and the damaged private key
easily removed, crumpled, and thrown into the trash. During cutting, key
circles are occasionally sucked into the machine's ventilation system (averaging
about 1 key circle per page of 330). Those key circles are discarded and
never used, nor are they ever reprinted.
Funding the coins
A database is used for tracking the funding status of the coins. Funding
the coins is performed by manual entry of the 8-character prefix on the reverse
of the coin (or the last 5 characters thereof). The database is consulted
to ensure accuracy, to ensure a coin isn't funded more than once, and to
look up the remaining characters of the Bitcoin address.
When a batch of coins is ready to be funded, the database produces a Linux shell
script that can be transported to another machine which is used to manage the
actual Bitcoins.
The Bitcoins themselves are kept in an offline paper wallet which displays the
Bitcoin addresses and private keys as QR codes. A Wasp-brand hardware 2D
barcode wedge (which connects via USB and acts as a keyboard) is used for
importing Bitcoins into the transaction processing machine for immediate use, so
the exposure of having Bitcoins stored online is minimized as much as possible.
In most cases, the incoming payments for the purchases of Casascius Physical
Bitcoins are used to fund the physical coins themselves. Most of the time,
no attempt is made to correlate the payments with the coins, or to ensure that
the same bitcoins received as payment go to fund a particular customer's
physical coins.