Bitcoin Forum

Hi everybody!
http://firmcoin.com//wp-content/uploads/2013/06/FirmCoin.png

I'd like to present my latest innovative hardware project.
It's called Firmcoin. Check http://FirmCoin.com

It's like cheap eWallet. But it's so cheap that, in order to pay with Bitcoins, you can actually give the Firmcoin to the payee. And it's rechargeable!

Currently you can verify the authenticity of a Firmcoin with any NFC-enabled smartphone (that can run our software).

When requested, a Firmcoin will send you its Bitcoin private key, but will automatically and atomically wipe the private key from memory, preventing double-spends.

There are several ways to verify the authenticity of a Firmcoin. For low value payments, you can just query the device if it has funds or not.  Also the device can cryptographically prove that it is holding a certain private key, by signing user provided messages (but not transactions!)

If you want to verify the authenticity of a Firmcoin with more confidence, you must have connected to the Bitcoin network in the last 24 hours in order to download the list of Firmcoin addresses with funds. The Firmcoin can only receive funds if the transactions that load the funds are 24 hours old.

Carrying this small database, you can check the full validity of a Firmcoin without being online!

Also you can download a physical description of random features of each manufactured token and check its physical authenticity by just taking a photo of the Firmcoin.
Last but not least, we have a novel method to verify the authenticity of the firmware loaded.

And we hope we can sell each Firmcoin for less than 5 USD when we start manufacturing in higher volumes.

Keep in mind that we're still developing the product to make it ready for mass production, so we're open to any ideas you may want to share with us. Also if you have the skills to help us develop a better product, we'd be glad to hire you in our team, or partner with you.

Best regards,
  Sergio.
  Part of the Firmcoin team.

_{(please note the image is not the actual prototype, it is photoshoped).}

Awesome project!

So if I understand correctly, the NFC interface lets you both retrieve the public key and the atomically-destroyed private key?

Are you going to integrate this with the Android wallet app? It already has some NFC support and syncs with the network every 24 hours.

However, I must admit I am not entirely sure of the purpose. If you accept a firmcoin without checking it with your smart phone, it might be empty, so that's dangerous. And if you have a working smartphone, you could just as well do a direct P2P payment. I suppose the difference is, the payer doesn't have to have a phone, just the receiver. But is that really an advantage?

It let's you retrieve both keys and atomically change the state of the firmcoin to "empty".


It would an interesting feature, I will think about it. But we're not ready to manufacture in high volumes.


For a first security level, none of them have to be online. If you trust the manufacturer (us) then you can trust a firmcoin has coins. You query the firmcoin with a NFC-enabled smartphone and it will tell you if it has coins or not. Another version we're building has a LED that flashes when it has coins when you touch it.

And you don't even need to trust us: we've done things so that you have to trust only "ST Electronics" (at least now).

For a higher security level, you can carry with you the UXTO set of the day before (and update them once each day).
A firmcoin will only respond that it has funds if the transactions that fund the firmcoin are at least one day old.

For a higher security level, you can photograph the firmcoin and check its random features against a small database of physical features you can download from our servers.

For more security you can even query the firmcoin to prove it has a private key related to a certain public key (without the firmcoin disclosing the private key).

For even more security you can access our database online which can track which addresses are associated with each firmcoin.

For even more security you can upload the photographs of the device and we'll check the authenticity of the firmcoin against high definition images taken during the manufacturing process.

For even more security you can just extract the private key, transfer the funds using any Bitcoin client, and then send new funds to the firmcoin.

This is (IMHO) the future of off-line anonymous transactions (bills and coins),
Best regards, Sergio.

I don't know how Firmcoins exactly works but I think there is a potential problem.

As you said, Firmcoin can export the private key to a smartphone through NFC. Is the following attack possible?

1. The phone requests the private key through NFC
2. Firmcoin sends the key through NFC
3. The phone receives the key but does not response
4. Firmcoin is not sure whether the key has been successfully sent, and does not delete the key. (If Firmcoin deletes they key without confirmation from the phone, the key may be lost if there is communication error)

Possible solution: the Firmcoin will always send a warning to the user if it had any unsuccessful key export attempt.

The firmcoin BEFORE sending the private key enters a special internal state "no-funds". The private key is NOT immediately wiped. You can query the device for the private key as many times as you want until you're satisfied the transmission has no errors.

Then you send the firmcoin a command "wipe" and the firmcoin will wipe the private key.

The firmcoin will never go back to the state "funded" after the state "no-funds" without going through the state "create-new-key".

Sergio.

Seems to me what you really want is two states:

1) Private key NOT revealed

2) Private key revealed

Unless the coin is in the state of having never revealed the private key I shouldn't accept it from someone else. However there is no need to actually delete that key until the next private key is created.

http://cdn0.mos.techradar.futurecdn.net///classifications/world%20of%20tech/sniper-580-75.jpg

Request private key!

Very innovative. Me likey! ;D

Awesome work! I would, however, consider changing the wording on the holographic portion. Usually things that say "valid, genuine, authentic, secure" scream, and are, "invalid, ingenuous, unauthentic, and insecure".

When looking for fake ID's, one of the things you look for is any mention of those 4 words or similar words. If something is valid, genuine, authentic, and secure, then there would be ways to make sure, which makes saying them on there irrelevant.

OK


I don't see how it gives higher security level.

Can you please explain what attacks you consider and how Firmcoin protects against them. I.e. "attacker does this and this", "you can protect against that if you do this and this".

This is excellent!

The LED along with other physical security features that can be quickly checked by a user of low skill seems critical. Otherwise we're back to needing a smart phone to check the validity of the firmcoin every time it changes hands. And then you may as well just use regular phone wallets.

This is awesome. Transparent acrylic card with holograms, buttons, LEDs and NFC tag. How futurist is that? :D

$5 as cost seems too much for people to pass it around as they do with cash/coins, though. It's probably higher as amount than a significant number of all cash transactions done in the world.
But it's still great as a gift card, or if anything, as a cool way to show people how real Bitcoin is getting.

I want one. :)

This is ingenius, congrats.

Please ensure that somehow lasers are involved in the production process. Everything's better with lasers.

I believe that trust is not a boolean variable. You may trust me to hold 1 BTC for you but not to hold 1000 BTC.
If we (the manufacturers) make all possible measures to help you identify authentic hardware from counterfeit, authentic firmware from counterfeit, and so on, then you will trust us a little bit more.

We've made every possible effort so that even if we are hacked the next month, and all our private keys are stolen, a hacker cannot create counterfeit Firmcoins that pass all the tests and tools we give you to verify them.

Keep in mind that:

1. If you change the firmware of a device, then the device won't pass an offline verification tests.
2. If you change the hardware of the device, then the device won't pass offline and online verification tests
3. If you change the look of the device, then the device won't pass offline and online verification tests.
4. If you create a perfect counterfeit device, and you handle it to someone else, you're giving him the proof of your criminal act.

Best regards, Sergio.

So as silly as the post looked, benjamindees made a good point.  "Request private key!"  A long range nfc reader (hah, far field?) could be a security issue.

I've heard recent stories (http://www.bbc.co.uk/news/business-22545804) from the UK, saying nfc payment systems are reading cards accidentally (at longer ranges than intended). Clearly if this can happen accidentally, there's the possibility for this kind of attack to made deliberately.

See the Q & A section of the Firmcoin page:

Q8. What stops me walking past someone holding one of these and stealing all their money?

A8. The Firmcoin has two capacitive buttons. You have to press only one to redeem the private key. If you press both, then the private key cannot be retrieved for a few seconds.

Wow nice! I'm looking forward to the finished product!

It's true that hackers are always finding new ways to crack crypto, but since we've hired hackers ourselves, and we follow the best security practices, and we follow closely the security research, we think we will be well protected.

Now, if you see the video, they are using two type of attacks:

1. An active attack to measure the power consumption of the device to extract some "master key".

Firmcoin do not have any master key, so there is nothing to extract in one Firmcoin that let you crack another FirmCoin. If you physically break your Firmcoin, nobody will accept it as payment.

2. A passive attack technique "Side Channel Attack" to compromise some information sent by RF (without breaking the device). This kind of attacks are based on the fact that the device performs cryptographic operations using private keys. The attacks presented require repeating the same operation over and over.

If you have a Firmcoin will only send its private key after entering the "no funds" state, so there no advantage on capturing the RF signals.

You could try to attack the function that a Firmcoin can execute a private-key proof of knowledge operation. This would be the weakest point of the Firmcoin security. Currently, to prevent side-channel attacks, we four protective measures:

A. We use a side-channel protected modular exponentiation algorithm
B. We use randomization techniques to make difficult to predict where an operation is taking place.
C. We limit the frequency of proofs the Firmcoin can execute, currently at 1 every 5 seconds (after the power is applied, you must wait 5 seconds before requesting such a proof).
D. We use an industry standard tamper-proof micro-controller, made by a company with more than 10 years of experience in smart cards.

Nevertheless we might remove the private-key proof of knowledge feature if we are not totally satisfied with our power analysis tests we'll perform on the final device we'll use for mass production.

Best regards, Sergio.

Congratulations for the idea, Sergio! I hope to have the possibility of buying those lovely Gizmos...

Best regards.

That is pretty cool. 

It says 1BTC on it, so does that mean the intention is for them to be fixed denominations?

From your Why? page, I found
I am at a loss to figure out what makes Firmcoins special compared to smart cards (whether they are NFC enabled or not).
If a private key is stored in a smart card, the card can read a message and return a signature, thus proving it holds the key to a given address.
Also, smart card prototypes with input buttons have been displayed by smart card manufacturers, right ?

I assume that firm coins have a private key (of the "firm") embedded in them.  The card would first prove it is a valid firmcoin card.

We have two models: one (the cheapest) has fixed denominations. The other has a display that shows the Firmcoin balance.

They are similar in many things, specially in tamper-proof measures.

Yes but a Smartcard will sign anything you ask it for, for example, a transaction, so it will happily loose its funds.
A Fiirmcoin will also sign anything you want, but it will immediately enter the "empty" state.
A Firmcoin will sign special messages that cannot be transactions, to prove the possession of the private key.

Yes.

Sergio.

Excellent.

I've pretty much had thoughts about this exact product, only lacking the technical know-how to actually create it.

First thought, how secure is the key generation in this? I'm thinking partly about the generation algorithm (deterministic? random?), but also on what kind of guarantees customers have that you aren't saving all your keys somewhere.

Second thought, you could make these cards even more trust-free by using 2-of-2 transactions, where one key is generated by the card and the other is generated by the customer's own device. Thus, when I recieve a card I generate a key by myself and give it to the card and therefore know that you can't steal my funds. If I give the card to someone else as payment he knows I can't steal the funds since I don't have access to the key generated by the card.

Is there any clever protection against fooling the card making it think it has funds when it doesn't? The card would have to rely on data from your own device, so how come you can't just create a new key and tell the card it's funded?

Edit: All the bolded was answered to satisfaction by simply reading your FAQ (http://firmcoin.com/?page_id=29).  :)

Only one of my questions remains then. What is the life expectancy of these cards and how durable are they?

Thanks!


The process involves using both a hardware random generator and a firmware random pool. But most important, the process is a two-party computation where the hardware cannot force a certain key-pair, not generate key-pairs with any probability distribution other than uniform random.
Regarding saving the keys somewhere, there is no problem with saving these keys. Whenever you decide to extract the funds from a Firmcoin, you should also transfer the funds to another Bitcoin address.
Nevertheless, the Firmcoin will wipe the keys from memory and it can prove (yes it can) that the keys have been erased.
The way it is proved is by a method I created that is called "practical compressibility".  Basically the device will fill its memory with some incompressible data and then send you a hash of this data in reverse order, proving that there is no free memory left that can hold a private key.


Yes, I've already discussed this setting somewhere in the bitcointalk forum (here https://bitcointalk.org/index.php?topic=232787.msg2463058#msg2463058)


First you don't create the key: the Firmcoin creates the key.

To fund the Firmcoin you either give it a block-chain-branch which proves that the funds were transferred to the Firmcoin or you get a certificate from one or more Certificate "authorities" that prove that the address is funded. If many people trust you, you can become your own CA for Firmcoin funds.
Both methods can even coexist, because the Firmcoin remembers the certifications it has.

So why didn't you write this line BEFORE the questions so didn't have to answered all your questions!! :-)


I owe you an more technical answer to this question, but there are many usage factors we still don't know.
The product durability is affected by both physical and usage patterns (that affects the number of FLASH/EPROM write cycles).
The physical properties are very good, since there are no holes, nor connectors and all the prints are inside the package.

My rough estimation is that a Firmcoin can last more than 10 years funded and more than 50 years if the Firmcoin is empty or you don't care if the funds are lost afterwards. We could add the Firmcoin a procedure to "refresh" the memory, so if you execute this function every 5 years, you could have the same funds stored for 50 years. But I'm almost sure that the Bitcoin protocol will change in the following 50 years so you will probably need to do something with your wallet and coins (probably change the signing scheme) before the Firmcoin will wear out.
If the Firmcoin is reloaded every day, it will reach the maximum write-cycles in 270 years.


Best regards,
 Sergio.

so how do you flash check the chip to verify that it is not been corrupted or 2x spent~~~many thanks

How to order?

All info is in the FAQ (http://firmcoin.com/?page_id=29)

The idea is that the device is tamper-evident, and the private key is chosen by the Firmcoin and stored in tamper-proof memory.
If someone has violated the security of the device, the payee will know.
 

What is the purpose of the hologram sticker?

Add still another layer of physical security.  It's a measure to deter counterfeiting, but REALLY it does not buy much additional security as I suppose that holograms can be reverse-engineered and cracked.

I know you guys are going to extreme lengths to keep people from 'cracking' these. I do apologize in advance, but hackers and crackers WILL break into and or intercept information from the device. The length of how far they can go, I am not sure. It is INEVITABLE though. I think if people can crack software and hardware that took multi-million and billion dollar companies years to create, then someone with enough time and knowledge or exploration factor will be able to do something you're not supposed to with a firmcoin. I still want one :)

HOW TO ORDER??? /When??

Firmcoins are not completely hack-proof nor any device I know of. With enough money it's possible to crack anything.

Was is important is that Firmcoins are designed so that cracking a single Firmcoin does not give the attacker a significant advantage for cracking the next one.  We've put a lot attention to protect the Firmcoin from software bugs, which could be exploited from the outside world without physically compromising the device.

There is no global key, nor shared symmetric secret that you can extract from a Firmcoin, to use in another Firmcoin. Almost everything that's inside the Firmcoin, you can extract by just asking the device for it.

So if a Firmcoin holds 1 BTC, and cracking a Firmcoin costs 100 BTC, then there is no incentive on cracking it for money. I even expect that a university will crack one some day, and that won't affect the security of Firmcoins as a means to make low to medium valued payments (e.g. less or equal to 100 USD per Firmcoin). The same is true for bank notes (and that's why there are no 1M USD banknotes)

If you want to pay more, you're probably in a a context where you're online and you can just make a normal Bitcoin transaction.

The key property of a Firmcoin is not tamper-proof, but tamper-evidence.

howsit going with ja firmcoins project? We'd love to integrate these into my forthcoming media/not for profit projects!  8) x10 many thanks!

Did this progress any further. Am keen to find out more about what happened to the project.

After some firmcoin prototypes were created, a new company was built to create firmcoins en masse at low costs. The new design was called Digibill and the company behind it was called Doosra.

Sadly, due to different conflicting visions on how the project should grow, the founding team split and the project was abandoned.

It will someday make a comeback, because it's super cool.
The most similar project is Opendime (opendime.com).

I certainly hope it does make a comeback, it sounds awesome!  These are the type of innovations needed to bring BTC to the masses.