Bitcoin Forum

Hi

Let's discuss the potential of bitcoins to change drastically the current financial system!

Imagine if bitcoins could me used not only within PC and Internet but like real money. In such way that real money could totally substitute physical money -M0 (banknotes and coins).

If people could bit by bit to refuse using traditional banknotes and coins preferring instead offline bitcoins...

Let's assume  how offline bitcoins should look like in order to substitute  traditional money:


BTCMedium of exchange
When money is used to intermediate the exchange of goods and services, it is performing a function as a medium of exchange.

BTCUnit of account
To function as a 'unit of account', whatever is being used as money must be: Divisible into smaller units without loss of value; precious metals can be coined from bars, or melted down into bars again.

BTCFungible
that is, one unit or piece must be perceived as equivalent to any other, which is why diamonds, works of art or real estate are not suitable as money.

BTCStore of value
To act as a store of value, a money must be able to be reliably saved, stored, and retrieved – and be predictably usable as a medium of exchange when it is retrieved.

BTCStandard of deferred payment
 is an accepted way to settle a debt – a unit in which debts are denominated, and the status of money as legal tender, in those jurisdictions which have this concept, states that it may function for the discharge of debts.

BTCMeasure of value
Money acts as a standard measure and common denomination of trade and its most important usage is as a method for comparing the values of dissimilar objects.

BTCAnonymity
This is the feature which belongs to traditional money (banknotes and coins). If you see money usually you can exactly say whom do they belong to.

As we see bitcoins have all of mentioned function and I marked them  as BTC


But there is another one important feature of traditional money (banknotes and coins) is MOBILITY
 ???

It is the feature which let you store money in the pocket, wallet or safe and easily transfer them from place to place any time you want. This is feature which let you give anyone and anytime any amount of money.

So this is the point!

I would like to discuss the ways to provide this feature in bitcoin system. And here it is my point of view.



https://0khfaq.bn1303.livefilestore.com/y2p0D-oMDTF-MyAe0c3BMcjdcVXyJRf26etBtxTcCIKrns977p6OoR-quQqobIESUzjBF8EXq-fNYMLgoBe332KDLQWZeklJLQ6C4xU8pWO_ro/slide01.JPG?psid=1

https://y0jydq.bn1.livefilestore.com/y2p8apXQfqsoU0vyTl0FNuZYpW6xD7WbpUZKXiGjt6KJUTWfjEUKcgDmP74TLfBPsvfAhWfkhLZ1T3QNC_N0ZSxMEVF6XBESvOcPtyLEne9bF0/slide02.JPG?psid=1

https://0kheaq.bn1.livefilestore.com/y2pF8uz4g1KuK-DswgMvAacev-0jRvKUPLHS02s9WjUJNG_AXFwLSqn9i1iN1o0JfQfXxYEC8ZpZ76F_DrFjwYvfAhODxDSNEtt6isWYZl65xg/slide03.JPG?psid=1

https://y0jxdq.bn1.livefilestore.com/y2pJ_XF91e2ZXhlJUOzd4b8Jkrxrd8l-a3LDgxtBexOfVpBTigv6dG3AtXMHlcE4PN5nnwf9cjhNHZIJfJfbP48FiksbFoFXMbGEXP3i4zB0-g/slide04.JPG?psid=1

https://y0jwdq.bn1.livefilestore.com/y2paw4IQUAOTi4oyNU12AOe5lf-3hAVxV0X9QBeGyfrDZpcDmlVQ6cuUArH0p22jv6Fv_UaS-zLyNKFn8OwrfzBntK9zJqmDBxpD0AC_P_fsYo/slide05.JPG?psid=1

https://y0jvdq.bn1301.livefilestore.com/y2pGkQPSMtLScEL1rSS098RFRP0-BMakbhqNRRXnPcxwFQKAM5CFQzUOtRvLISm0gyta0N5DRCv6Me7TQrBn7dRXo5Hb2nIdk8zR69HjUds1xE/slide06.JPG?psid=1

https://y0jcdq.bn1302.livefilestore.com/y2p88Uqin1F41sCPuxDIzj1g_z9BcLOlbTzJyVLLWA5IOO7Y-yToMfu1qsFORkSsnKrLy4vZ54JyYd9ltHmqQXOrES_YEWl81L8WOzpIGtm7Lk/slide07.JPG?psid=1

https://y0jbdq.bn1.livefilestore.com/y2pPFnvT8DOX-u4qe17xR8Cak7JaN02KGWeYeM-DxZGoIu5dXtKWsPkbx7kX9jxglClXqIAVbb5Ey3S1rU7f-yuVPG4LacpRCgHu72iqRIPr_s/slide08.JPG?psid=1

https://y0jadq.bn1302.livefilestore.com/y2pJBkWwcGQIAzvahMZK3cDlv4XfLeL9BiefkIsdMLWpHZ2APpJA_kSCbJ4mXrbPRPEiNCs_AVC6xpYrVZkjcaSRtO5FavqDmbWvonnqd8r_js/slide09.JPG?psid=1

https://y0jzdq.bn1301.livefilestore.com/y2pAu8giOG1J3Jhaq4TQBf1HnojgAkw_dQq4unMobodOi7nHSkSW5H-Xnz550d8TK2sO5nV9oloZ_OKowB_vOLnNOFBkZ6V0EyKc-BG_yd-Bh0/slide10.JPG?psid=1

https://0kjgdq.bn1301.livefilestore.com/y2plEbsNzCriGxxBNH-RuT_c1Te7CVUjJJzKiJUbOfL4NEiEvGYx-nswDn13mveeboV8NCfz-tW6gnqcQwfnXqR5n6TBCydq9gkCWt-QJjyU7E/slide11.JPG?psid=1

This is already being implemented.  The first release was just this week.  https://bitcointalk.org/index.php?topic=321085.0  .  

However NFC exchange is yet to come-- although very easy to implement.  At the moment you have to take a photo of a QR code on the recipient's phone (I think) to set up the exchange (this is probably safer than using NFC anyway and not that much less convenient).

PS: It surprises me that no-one here has been talking about this project since it is the biggest technological advance in Bitcoin in the last year or so.

Those that takes advantage of the simplicity of NFC will have greater success as more people begin to use this tech to share and interact.

NFC along with direct wifi help people share at a files fast and at a private level and requires little technical knowledge its users.

I am disappointed that Apple have been so resistant in implementing such tech in their own phones.

WHY do you want a NFC chip ... when BITCOIN can use camera to pay ???!???
It's useless !

If you have a NFC chip, you must have a camera in your phone...

QR codes hold too little data.

Good. No more dirty bills being passed along while not giving up anonymity like using a card.

I was thinking for two weeks and "Eureka"!
How we can do that bitcoins could be really offline. Let's see my proposed algorithm:



1. First, user separates some amounts of bitcoins in his wallet. It's like en exchange of banknotes and coins. You have one banknote then you divide it into small banknotes and coins. So user makes new records it general register and sign them digital signature




2. Then user transfers this records (bitcoins) to his NFC-wallet.




3. When paying user connects his NFC-wallet to the active receiving NFC device and orders to pay the possessed amount of bitcoins. For example if earlier he transferred 1 Bitcoin and 0.5 Bitcoin, he can pay only this amount:
0.5,
1 or
1.5.

But no other variants (no 0.75 or 1.25....) of there is no Internet on the receiving device (offline transaction). If it has connection - he can pay any amount.




4. The  receiving device when getting this records verifies them according to its database (it should be synchronized) checking digital signature of the records.
if database is up to date and  digital signature is ok the  receiving device confirms the transaction. if  the database is not updated (records where made after the receiving device last synchronization) the receiving device decline the transaction.




Its essential that  the  receiving device should have all bitcoins records locally.

Of course it is not so convenient but I think this problem can be solved too. I shall write about it later.

 

This tech still needs to be flushed out.. I think there are still bugs in android
wallet ie nfc doesnt record timestamps and therefor you will need to redownload entire blockchain to earliest checkpoint if your missing a transaction.

This also means that checkpoints cannot
be updated after release so in the future
the large presetup time is still a nagging nuisance.

Overall this with open transactions for grandma will be a big step forward.

It's a neat concept... is there some solution to the double spending problem though?

If an attacker generated multiple NFC Wallets with the same .1 BTC, and went to a bazaar with no Internet access, could the attacker spend those NFC wallets with various vendors, handing each of them a duplicate of that .1 BTC, resulting in only the first vendor to transfer it upon gaining Internet access keeping the coin and the rest being denied?

Is the idea here that the NFC device itself holds a certain value (the hardware value itself), and the normal accepted values of BTC stored in such a device would preclude such fraud from being a profitable exercise?

nope its the same thing as accepting txs with 0 confirmations to a trusted node.

And no undos

I filled a patent in 31/DEC/2007 that accounts for this issue:
Subdividing the total amount in money cards 
http://worldwide.espacenet.com/publicationDetails/originalDocument?CC=GB&NR=2456000A&KC=A&FT=D&ND=&date=20090701&DB=&&locale=en_EP (http://worldwide.espacenet.com/publicationDetails/originalDocument?CC=GB&NR=2456000A&KC=A&FT=D&ND=&date=20090701&DB=&&locale=en_EP)

I am thinking on this issue...

Maybe someone has any ideas?

I have thoughts that the only way to secure double payments is to attract mediators to offline transactions.

If user wants to pay offline he goes to a mediator asking to provide his offline coins with his digital signature. Each recipient decide for him self does he trust this mediator or not.

Who is mediator? This is public entity which offers bitcoin owners to sing their offline bitcoins with its digital signature. Mediator publicly guarantees that his offline bitcoins singed by him shall be reimbursed if recipient find out his bitcoins been counterfeited

Such Mediators shall likely demand users to be fully authorized (ID and so on) and to pay commission and the most important offline user should pay pledge until made  offline transactions been verified.

This is question of trust...


But I hope that the real solution for this issue can be found by applying some software algorithms not Mediators!

any ideas?




can you  explain your thoughts?

Great!
would you join to the development?

If the attacker with bad intentions played along with this scenario, I'd expect them to make the duplicates right after the mediator signs the offline coin, leaving us with the same problem.

Trust, via some form of web-of-trust network, can augment the use of Bitcoin greatly... If I'm about to go shopping in the offline bazaar, I link my public trust profile to the bazaar the day before, so that my public profile, rating, and key can replicate through their network via a nightly sync or some such.  When I visit, if I hold my private key, I can sign a message, proving I am the trusted profile holder, and someone safe to do business with.  Web-of-Trust in general, offline or not, is going to revolutionize commerce as much as Bitcoin has, in conjunction with Bitcoin, but maybe we're overthinking this...

Bitcoin couldn't have been so useful prior to pervasive Internet connectivity... Perhaps there's no way around that.  However, if the "offline" bazaar I described earlier had an intranet, it could run standard Bitcoin software to relay transactions among vendors, shoppers, etc... if those involved at least had electronic devices and wifi.  If only one vendor had Internet access, this problem vanishes... or if one vendor had intermittent Internet access... the problem is also greatly reduced.  Then again, if the attacker brings his own Internet connection and does the first double spend right before his first intranet transaction, boom, lotsa invalidation.  That's only mitigated by not knowing when the honest vendors have their scheduled Internet sync occuring, so with each act of fraud, he increases his chance of being caught in the act...?

The solution here might just be standard Bitcoin protocol, plus the advent of pervasive Internet connectivity everywhere on the planet, but meanwhile, that doesn't help with the offline idea.

If these NFC tokens have a hardware value of .0025BTC (unfunded), and the maximum traditionally accepted value, per token is .01BTC, enacting such a fraud would have a maximum limit on the rewards-to-risk ratio, which might incentivize would-be crooks to go back to standard shoplifting, etc... instead.

Congrats on somehow managing to patent the concept of subdividing units of currency (https://en.wikipedia.org/wiki/Denomination_%28currency%29)...

...

I think an intermediate step to all this is allowing transactions when just the merchant has internet access. Does this exist yet?

(So, I just wave my phone at some NFC thing, and it downloads the small amount of blockchain data necessary to sign and create an offline transaction, which is passed to the merchant for propagation to the network.)

There's a huge amount of premises which might have wired internet yet have no suitable mobile coverage or wireless internet for the customer to use.

Continuing to think on this... I think I have the answer to preventing fraud at an "offline bazaar."  It doesn't help offline individuals privately transacting, but a shopping area with spotty Internet connectivity or an intentional lack thereof can work just fine using NFC tokens, or even plastic or wood tokens, etc...  The offline bazaar runs its own alt-coin.  The vendors hold the 51%, and the front desk runs an Internet connected exchange between Bitcoin and OfflineBazaarCoin.

This method is tried-and-true: arcades that offer their own tokens or mag-stripe cards, renaissance fairs issuing doubloons, "Disney Dollars."  It even provides another benefit to to those running the Bazaar: they usually have an agreement to take a cut of each vendor's proceeds, as part of that vendor's membership in the Bazaar... they can enforce this with a fee at the altcoin exchange itself.

Sure, I am very willing to help in what I can. But I am still getting to grips with understanding the bitcoin protocol and code. I'm stuck because there are no books. The IRC dev-channel is quite helpful but what I really miss are some books that could help in undertsanding the code and the protocol.
There is not even one...
The best we have that I am aware of are the wiki articles and the "Satoshi's Original Bitcoin Client - An Operational View" posts/articles.
A bit helpful... but...


Thanks, mate!

I am not optimistic. You are essentially proposing Bitcoin without a public ledger. You are going to run into the same problem that blocked the predecessors to Bitcoin, and that is the double spend problem.

I think you guys don't realise that ability to do off-chain transactions electronically already exists: https://bitcointalk.org/index.php?topic=321085.0

It is quite easy to extend this system to do off-line NFC transactions also (in fact the creator of the project intends to implement this I believe).

The way these off-chain transaction work is basically an electronic equivalent of a Casascius coin.  A Casascius coin is a physical token with a private key that remains hidden (unless revealed- in which case the reveal will be evident) so that the token can be exchanged like a normal fiat coin.  Whereas in this system linked above the private key is stored on an SD card and remains hidden on the card .  To perform a transaction the SD card will copy the key to another similar SD card without ever revealing the key to anything else and deletes its original copy.  To reclaim the money on the blockchain the SD card will reveal the private key and deletes it own copy.  

The important thing to notice about this above system it that it is off-chain, completely anonymous and totally free to make the transactions.  However, currently the software that handles the exchange does need to be aware of the current state of the block-chain (the SD card itself only stores the private key so it doesn't know what balance- if any- is associated with it) so the software needs to determine what the balance is by looking at the blockchain or by using a 3rd party such a blockchain.info.  Although, even this requirement will most likely be lifted in future revisions of the software because at the time of loading the SD card with the key the software can electronically sign the balance that is associated with it.  At this point it will be: off-chain, off-line, completely anonymous and totally free.

It's interresting idea but definitely  not the same.
To describe the OtherCoin idea figuratively let's imagine the cloakroom. You put money inside, close it with only one key. Then you just transfer this key.

But as I wrote in the first massege there are some required features of money (if a thing does not posses at least one of this features it means that we can't consider it as full featured money)

"Unit of account
To function as a 'unit of account', whatever is being used as money must be: Divisible into smaller units without loss of value; precious metals can be coined from bars, or melted down into bars again".

As I understood from the description user can't divide them (it is in the cloakroom!) . There is no small coin feature. Maybe only if you make many smartcards with different nominal value...
I'm not sure it's a good idea. It's better to have one card (NFC) with small coins inside

"a shopping area with spotty Internet connectivity"  great!

But I am not sure it's a good idea to make own alt-coin. The more complicated system is the more people won't accept it. But nevertheless even this idea can find its  niche!

And like the Casascius coin, it is susceptible to hacking and counterfeiting. How does your system detect duplicate keys sent from a hacked or counterfeit device?

You have the one SD card with many keys inside (instead of many SD cards with just one key).  You can actually see this in the video produced by the creator of this system:  http://www.youtube.com/watch?v=ZR8gz0uVBHk&feature=youtu.be

People will naturally tend to add keys for addresses that have balances with sensible denominations such as  100uBTC, 200uBTC, 500uBTC, 1mBTC, 2mBTC, ...., etc,  just like regular fiat currency.  When you wish to pay someone say for a coffee say of 4700uBTC you give them four 1mBTC coins + one 500uBTC + one 200 uBTC coins  (of course eventually the software will automatically do this for you I'd imagine-- its just a knapsack problem algorithm).  Also, I imagine that community minded people would set up change vending internet sites or local physical machines where you can exchange your larger coins into smaller or smaller to larger as you require.

Using phones as wallets is plain stupid

It prevents counterfeiting with tamper resistent SD smart cards.  

If this is not satisfactory for you then don't use it-- it's a voluntary thing.  However, the vast majority are prepared to use similar technology *everyday* to do small quick transactions, eg. Billions of dollars worth of transactions are completed using smart cards daily (traditional smart card technology).  In my home town alone all the public transport systems use smart cards-- a few million dollars worth of train, bus and ferry trips everyday. Now, personally I wouldn't feel safe putting more a $1000 dollars on a smart card and most people only recharge them to $100 or less but this is enough for the majority of daily small transactions such as coffee's and take-away.  
Just to give an exteme example of how willing the general population uses them I know of a small art gallery that has $10,000,000+ dollars worth of artwork and it security system is based around smart cards.  
Again, in summary- if this isn't good enough for you then don't use it but it's good enough for the majority.

(By-the-way: it's not my system. I've not developed it, I'm just a supporter of it.)

The keys are not stored on the phone alone.  It stores the key on a microSD smart card.  (Actually, it uses a split key system, which requires both the phone and the SD card to recover the key-- which is even safer-- you can read about it here: http://www.othercoin.com/OtherCoin.pdf )

It's just retarded, there is no need to speculate or explain anything, the very concept is extremely stupid on a fundamental level. Should every person on earth who wants to use crypto in person also have a phone? Do you know how long the battery lasts for modern phones?

In the future there will be small plastic computers the width of a paper bill that you would swipe against each other in order to pay, they will be so cheap to manufacture that you could simply swipe your reserves to a new bill instead of recharging, they would also be so efficient that you would be able to recharge them by manual means.

I'm not sure you answered my question. When you receive tokens from somebody, how can you be sure that they have not been duplicated. Also, how can you be sure that their bitcoins have not been spent at times when you don't have access to the block chain?

It doesn't accomplish it by 21 century social means, instead if accomplishes it by 19 century dollar printing essentially. They make dollars and expect all forgeries to be slightly different.

When preforming a transfer operation the smart card only ever gives the private key to another smart card of the same type (they do a formal handshake involving secret keys to convince each other that they are genuine cards).  You are relying of the smart card hardware.  Now some people here claim that smart cards are be hacked-- this is true, however it is a very, very hard thing to do.  It is harder to crack a smart card then a desktop computer.  Also, the system uses a spilt key-- you need compromise both the smart card and the phone.  If you're paranoid and have access to the Internet you can check via the blockchain that the balance of public address hasn't already been spent before accepting. 

Personally, I'd feel comfortable having a thousand dollars worth of BTC on such a card-- however some people may not like to store such a large amount so they might limit themselves to only a couple of hundred or even just tens of dollars.   You don't have to put all your bitcoin on the card.  Even with just $40 dollars a day on a card most people could cover their daily small expenses, eg: coffees, smoko/lunch, parking, newspapers, lending a 10er to someone, small purchases on the Internet such as music, movies or reading material (yes this system can also be used over the internet as well as locally face to face), etc..

More people have phones than have desktop/laptop computers.  It makes more sense to use phones than computers (by-the-way: you can easily adapt this system to use a desktop anyway).




What  does the battery charge life have to do with it?  The coins don't disappear if the battery is completely  drained.  Neither do you have to continuously run the software. You only need run the software when doing an actual transfer and it uses a very small amount of energy.




I don't even know how to reply to this?  What are you talking about?

This idea is very close to my proposed conception. Actually this idea can be completed with NFC technology cos the speed of pairing and connection of NFC is extremely high.
The main idea is to separate some amount of bitcoins, store and transfer keys.

I didn't understood a few things. How recipient can be sure that the payer didn't make (or someone else) the duplicate of the key?

And can the recipient get that key without been proceed this transaction online?
And can the recipient transfer key which he got from the payer to another recipient ? without been proceed and verified this keys online first

can it be multiply offline transactions?

like it's shown in 4b situation

https://mdsquq.bn1.livefilestore.com/y2pcDASNBb6TVC6mtFsd5QCd0rF6v-hI8k5TpSAHTdxrpYruvgstudAjyWWWTQxTFKFoh_U3fcSiHreINJ5kFt5OaswTEzm_cjUluyRVmm-3-U/offline%20bitcoin%20double%20spend%20analisys2%20-%20New%20Page.png?psid=1
 

we are talking not about "fundamental" future. but about tomorrow things. The main idea is to make some simply and available technology tomorrow.  That is why everybody is looking around himself in order to pick up something which already exists and there is no need to spend a lot of resources in order to implement the conception

look:
smartphones
smartcards
NFC tags
SD cards

are already exist!

It's only the question of software and in the nearest future (maybe months) we will have offline transaction technology.
Of course in some distance future we will have more advanced technologies. I think we will fly instead of driving cars in the future! )) and so what....? we shouldn't think how to develop cars?

actually I agree with this thesis.

That is why  I propose to use NFC tags.
They don't need batteries. they are passive devices. It's assumed that the recipient is merchant so he should have some active device (NFC terminal).

But using NFC active Smartphone will be good alternative for those individuals who want to transfer their bitcoins independently.

For those who doesn't have their own active NFC device there is still no need to have it, because they can use merchant's or anyone's else or even public NFC devices (bitcoins ATMs) to manage their own NFC tags.

http://mobileshop.amaysim.com.au/media/catalog/product/s/a/samsung-tectiles.jpg


I thing this is the future...

It could be possible to print our own banknotes?

Hi guys, author of OtherCoin here (thanks Beeblebrox for the support, I've just noticed this thread),

Just to summarize and answer your concerns:

1. The OtherCoin smartcard does not hold your private key. It generates a private key internally and gives you the corresponding public key. Your wallet (under your complete control, even our sample is open source, see https://github.com/razvandragomirescu/OtherCoin ) generates a similar keypair (public + private key). The two public keys are added to become your Bitcoin public key (and address). The card never knows what you'll generate as your half (that's exactly how Bitcoin vanity address generators work, I have not invented this), so we cannot touch your funds

2. The security of the system comes from the tamper-resistant nature of the smartcards we use. If you have a GSM phone, you're already using one (your SIM card). If you have a chip and pin card (in Europe for instance), you're also using one. These are chips/devices designed to be secure against all sort of attacks, including physical ones (since they operate in a hostile environment, their users are the most likely attackers).

3. Whenever two OtherCoin cards talk to each other (using your smartphones as proxies - they have no radio capabilities or any other way of reaching another card), they establish a secure encrypted channel and then pass the Bitcoin "half a private key" that they've generated to the other end and at the same time destroy it from local storage so that the current user cannot reuse it.

So take a look at the Android app we wrote as a sample: https://github.com/razvandragomirescu/OtherCoin/blob/master/src/com/cayennegraphics/othercoin/OtherCoinActivity.java (look at line 661 to see how the two key halves are combined into one) and the demo movie at the system in action at www.youtube.com/watch?v=ZR8gz0uVBHk&feature=youtu.be . Feel free to provide feedback, cards will be available for purchase in the next couple of weeks.

Oh and BTW, we support 3 form factors for the OtherCoin cards: microSD, Bluetooth smartcard reader and NFC (Yubikey Neo for instance). The microSD card can either be plugged directly into your smartphone or connected to the microUSB port if your phone supports USB storage (we'll bundle one of these: http://www.meenova.com/st/p/m3r.html with every card we sell, it's small, fits on a keychain and works great with the newer Android smartphones that have no microSD slot).

The recipient of the funds receives two keypairs: the one that the payer's smartphone has generated and the one the payer's smartcard has generated. The one from the smartphone is in the clear, he can take a look at it. The one from the smartcard is encrypted and can only be decrypted by the recipient's OtherCoin card. The payee imports the secure (encrypted) half into his OtherCoin (the OtherCoin verifies that the encrypted key came from a similar OtherCoin card). If the OtherCoin card has accepted the encrypted half, the user can be sure that the sum between the key that he holds and the key that the card holds is a private key for the funds and that it hasn't been used before.



The recipient gets the key in an offline transaction. The only thing he can't verify offline is the balance (how much that key is worth). He knows for sure that he holds the key to a particular Bitcoin address (he just doesn't know what that key is, half of it is stored in the OtherCoin card). Part of the OtherCoin service will be "certifying" balances for people that want to transact completely offline. Most users however will just look at the blockchain to see how much a Bitcoin address is worth.


Yes, they obviously can transfer it away, to a similar OtherCoin card. The guarantee comes from the fact that each and every OtherCoin card in the chain verifies that the sender is also an OtherCoin card, meaning that it has followed all the rules of the system (has not made copies of the key, etc). Think of it as a tamperproof computer sitting inside your smartphone - it guarantees that all participants in the protocol follow certain rules and even though it runs inside your smartphone you can't control what it does.


No, a key is either transferred via OtherCoin to a similar card or revealed to the user to be used in a Bitcoin transaction. It's either one or the other, as soon as the card gives you the secure part of the private key, it destroys it from its storage, so it can no longer be transferred via OtherCoin. It also destroys it as soon as it's transferred to someone else via OtherCoin.

So, to summarize, the security comes from the fact that all participants use the same hardware and software and that they cannot change the way the software works. They can't change the software to tell it to _not_ delete a private key after sending it or tell it to reveal its keys. It's a black box as far as the smartphone is concerned, you send some input to it and gives you some output, you don't control how it processes your input. What it does though is fairly public, it's described in the whitepaper and I can describe it further if needed.

Assuming that the devices are very difficult to crack, but not actually tamperproof:

1. Can the receiver verify that the sender is really an Othercoin card?
2. Does the device contain information that could compromise the entire system? For example, a private key used by every device?
3. Is there a way to blacklist a compromised device or to revoke compromised keys?

Yes, it does so now. The encrypted Bitcoin key it receives is also signed by the sender card (see below for details). Of course, if you compromise the card and extract its private key, you could sign Bitcoin keys that you've created outside the card (that you can later attempt to double spend).

However, this offers little reward for considerable effort. There's nothing stopping a recipient of funds from immediately running them on the Bitcoin network (and I actually expect people to do just that for higher amounts). So if you spend tens (if not hundreds) of thousands of dollars compromising a card to do a double spend and then the first person you try this on sends your transaction to the blockchain, you've accomplished nothing and lost a lot of money! Also, the wallet apps will monitor the blockchain for any transactions involving addresses they hold the keys to. If at any point they see money going out of an address they own, they should raise an alarm and report this to us, so it's not something that can be done "silently".


Each OtherCoin card has two keys used for encryption - one is a symmetric key (that all cards share) that is used for privacy (each outgoing message is encrypted with that shared key with a random seed (initialization vector) ). This hides the identity of the person sending the funds (so you could transact with the same person twice and not know that). It also makes things a bit harder for people that try to attack the card (since it's harder to craft meaningful messages to the card - you have to properly encrypt them, otherwise the card will drop them immediately since they decrypt to a bunch of nonsensical data).

However, the security of the system is given by the second key - it's a public/private keypair, generated by the card itself. It used to be RSA but now it is an Elliptic Curve key. Each card has a different one and it is used in an ECDH key exchange (see http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman). Card public keys are signed by our master private key (that is obviously NOT present on any card, it's actually on a smartcard connected to an offline computer, each OtherCoin gets provisioned/signed there).


Not at this point, but that's planned. With a bit of luck, this will actually be ready when we start selling the cards (in a couple of weeks). We will provide a signed blacklist of compromised public keys that each wallet can optionally download and send to the card (since the wallet receives only encrypted messages, it can't tell what public key the other OtherCoin card has).

To summarize, there is very little reward in compromising a single OtherCoin card. You would have to crack the shared key, then crack the private EC key and all that would give you would be the possibility to spend funds you already have twice (not create money out of thin air), while hoping and praying that the recipient doesn't post them to the blockchain or does not raise the alarm when you double spend them (and they see a transaction involving the keys they currently hold).

Keep in mind that these are EAL 5+ level cards that are certified for use by Visa, Mastercard and a bunch of governments. I'm not saying a well funded attacker cannot break one, but all they would get would be the private key for their card, allowing them to double spend funds they already own, in a very public way. I'm sure there are better ways for someone that has the technical ability to do this to make money :).

Hello Drazvan,

I think what he might be asking here is whether or not or can do a series of off-chain transfers without having to put it back on-chain in betwen each transfer (ie: you transfer it to your friend as a loan and they transfer it to a shop for a purchase, the shop transfers it to some other customer as part of change, the customer transfers it to another shop, etc..). 

So: Yes alex04210, you can do an infinite number of sequential off-chain transfers and every transfer is completely free!   (Of course, the original transfer from the block-chain to the coin is on-chain and involves the standard bitcoin network transaction fees).

(By the way Drazvan, I've been meaning to contact all last week and discuss some things.  Is it possible for you to private message me your email?  )

Thank you Beeblebrox! Yes, that is correct, you can transfer the private key over OtherChain as many times as you want (as long as you feel comfortable). If at any point you have reason to believe something fishy is going on, you can ask the OtherCoin card to reveal its half of the private key - from that point on it's just a simple Bitcoin private key, so you can sweep the funds to your wallet or do anything else you want.

Private message sent with my email Beeblebrox.

FYI everyone, I've posted a message on the OtherCoin thread about that blacklist / transaction history issue we talked about above. It's at https://bitcointalk.org/index.php?topic=321085.msg4915443#msg4915443 . The short version is that we decided to not implement this at all in order to protect the privacy of the OtherCoin users (if we cannot extract the history of a certain private key, neither can law enforcement or anyone else - it's not a matter of encryption, the info just isn't recorded anywhere).