Bitcoin Forum

I'm trying to find out if bitcoin can replace cash and I'm having an important question about that right now, probably because I don't understand how a wallet's balance is stored:

Is it possible to make secure bitcoin transactions offline?

I know transactions can be stored and flushed to the network later on, but does this mean that offline there is no verification possible of whether the sender actually has enough bitcoins to make the transaction? So...  say, there is no internet available. I imagine that if someone who's standing in front of me buys from me and they try to make a transaction they cannot make to me (because their wallet does not have the required bitcoins available or some other form of fraud), I can only find out the transaction was not valid (it failed) after I exported the transaction online to the bitcoin network? I assume that a negative balance is not possible.
A related question would be: (how) can I find out my wallet's balance offline?

Seriously, out of 63 people reading my question no one knows the answer? If I have to clarify I'd gladly do so.

A wallet's balance is not "stored" anywhere. Bitcoins exist purely as transactions, which are stored in the blockchain. Each transaction contains a reference to one or more previous transactions, eg, if someone sends you 10 BTC, you can create a transaction that sends those specific 10 BTC to someone else, after which the transaction in which you received the 10 BTC is considered "spent" and cannot be referenced in future transactions (trying to spend a transaction which has already been spent is called "double-spending" and is invalid). Note that this 10 BTC must be spent entirely in one transaction; if you want to spend (say) 8 BTC, then the transaction will be split into two parts: 8 BTC goes to the person you want to send it to, while the remaining 2 BTC is sent to yourself as "change". A wallet's balance is simply the sum of all unspent transactions that have been sent to it.

No. To verify that a transaction is valid, it is necessary to ensure that the previous transaction(s) which make it up haven't been already spent. This is only possible with an up-to-date copy of the blockchain, and even then it is necessary to wait until the new transaction is mined into a block (at which point it is considered "confirmed"), since until a transaction is confirmed, it may be invalidated by a double-spend in the future.

Correct. Without a connection to the Bitcoin network, there is absolutely no way to know whether a transaction sent to you is valid.

In direct contradiction to what Foxpup just told you, the real answer is yes but....

Any client needs access to the network occasionally, but it is not always a requirement for safety.  The trick is that, should a client be developed for this purpose since one does not yet exist (I'm confident that one will eventually, the Bitcoincard is one such possibility) such a client would have to keep not only the transactions that it would use for the inputs to an offline transaction, but also a copy of the merkle tree that each fits it and the entire set of block headers.  This would allow the receiving client to check and see that the sender had honestly once owned those coins.  If these clients were both full clients with blockchains recent enough to both have copies of all input transactions, they would already both that this evidence anyway.  However, the receiving client could not verify that the sending client had not already created a transaction and forwarded it to the network and was trying to pass off a double-spend upon yourself.  A live internet connection to the bitcoin network protects the receiver against this kind of thing pretty well, but sans a live connection the client cannot determine this, so then it would fall upon the user of the receiving client to determine the risks.  Now any double spend attempt is technically difficult, so it would be easy enough for a vendor to accept bitcoins for a fast food meal or something else along those value lines; because the relative difficulty of a double spend attempt even when the attacker knows that the vendor can't have a live connection (Internet kill switch?) would outweigh the value of the fraud.  Credit card companies depend upon this for just about every transaction value under $50.  Also, if you are dealing with someone that you already know (and presumedly trust) you could accept the transaction on faith.

It depends on what you specifically mean.

You can securely GIVE someone your funds offline, using any of the following methods:
* give someone a private key you own
* give someone a bit bill, casascius coin, etc. (which is fundamentally the same as the first)
* give someone a signed transaction generated from information you collected online earlier (e.g. created with Armory)

All of these methods are secure for YOU as the payer, but the recipient can only be certain it is secure for THEM by taking the private key or transaction received from you, sending it to the block chain so the funds are payable only to them, and waiting for it to confirm.  (For example, assume they can't be sure you won't give the same private key or funds to someone else)

The OP specifically asked about secure transactions, as in safe from double-spend attempts. Accepting transactions offline (as in, actual signed transaction data, as opposed to physical bitcoins) flat out cannot be done in a secure manner as that requires either a connection to the Bitcoin network or a trusted connection to someone who does in order to verify that the transaction is not a double-spend.

I fail to see your logic. A double-spend attempt is technically trivial to perform; the hard part is ensuring the vendor doesn't realise it's a double-spend until it's too late. If the vendor is known to not have a connection to the Bitcoin network, this is easy: pick up goods from the store, "pay" the vendor, go home, send a double-spend to yourself, wait for your double-spend to be confirmed, then wonder what the look on the vendor's face will be when he eventually tries to broadcast your original transaction.

It can be done securely, but not in the same manner as the bitcoin network does it.  The key difference here is risk management.  Accepting transactions offline does involve some level of risk, much like accepting instant/zero-comfirmation transactions at a point-of-sale terminal with live internet.  Accepting only transactions after 6 or more confirmations provides a (nearly) absolute certainty that the transaction is valid and cannot be reversed, but those kind of transactions requiring that level of certainty are and will be rare.  Bitcoin only grows if use cases involving lower, yet acceptable, levels of risk are possible.  As of yet, they are not possible; but this is because no clients support methods of risk assessment nor deliberately accepting zero-conf transactions.


Doing a double spend online is trivial, because on the Internet no one knows your a serial thief.  The hard part is doing this offline, as in person with someone you are dealing with or inside a vendor's shop, and defrauding them without getting pinched.  The risk of that possiblity is a strong, but not absolute, deterrent against attempting a double-spend for relatively low value transactions.  It's true that a simple double spend attempt is technically trivial if leaving evidence of the fraud isn't a concern, as that would simply involve the backing up & restoration of a wallet.dat file.  However bitcoin is no more anonymous in person than cash is, and probably less likely to be accepted by someone that doesn't know you.  Try to buy a candy bar at a gas station with cash anonymously.  While it's true that the attendent neither knows nor cares what your name is, your face is on camera the entire time.  A double spend is still fraud and can be expected to be pursued in like manner whenever such a pursuit is possible.

Correct.

Take your scenario: someone in front of you wants to do an offline payment. They give you their private key, or they give you a USB stick with a signed transaction, or whatever.
There is no way to make sure that he didn't copy his key / transaction / whatever, gave it to a friend, and his friend is doing the same offline spending at the same moment.

 
Great, thanks for all the answers guys! Y'all gave me different words for the same information; it all makes sense now! :)

I guess I'll have to conclude that Bitcoin is not a cash replacement now, as it has the major drawback of needing internet for confirmition  :-\ Maybe later, when everyone has a smartphone and mobile internet actually works everywhere.

You know... somehow I assumed that it would be possible to make uncopyable digital 'cash'... So that it would be possible to have a truly digital, decentralised, offline and secure money system. Maybe that was stupid or naïve, but how about prepaid chip cards? in the Netherlands we used such a system for public phones, replacing coins, before we had our centralised bank chip cards. I never heard of people hacking these, although it's probably been done. Will such a decentralised offline system never be secure enough?

Actually that's a completely new question, but it would be great to hear your input on this! (by the way: the title still applies :) )

You can easily hold Bitcoins offline and securely - but if you want to transfer bitcoins, then you need to have a mechanism of transfer.
There already exist 'prepaid' solutions for bitcoin - see casacius (spelling someone?) coin and there are already other prepaid solutions; but like the prepaid card you talk about, you have to trust the issuing party - presumably you trusted them (but they could have just reneged as they have no real authority).
I can easily send you some bitcoins in the post by sending you a private key or a link to instawallet, but you would have to trust me rather than the network.

Edit - the prepaid phone cards also rely on internet access otherwise how do they work? If you say you have a prepaid card with 10 euros on it why should I believe you - maybe you already spent them. How would we confirm it without access to the network?

Interesting point. As far as I know they don't use external communication, but the balance is just stored in the chip some way to maintain integrity, similar to our Chipknip (http://en.wikipedia.org/wiki/Chipknip (http://en.wikipedia.org/wiki/Chipknip)) design. Chipknip does need the network though, just not necessarily at the moment of payment. So, in effect the bank guarantees the transaction.
Obviously a phone has a phone connection though, so you might be right about the prepaid phone cards, I'm not sure...

You sure about that? Seems like a security flaw to me. What would hold me from backing up my chipknip card data, spending some money, restoring the backup and spending the same money again (in another store if necessary)?

Oh, wait, a chipknip is probably not anonymous. These banks have your name and address and ID and your soul, I guess. They come after you when you screw around with double spending :(

Exactly, that's the beauty of centralized systems :-p

But, apperantly there are people who believe this is also untraceably possible. Take for instance this: http://dl.acm.org/citation.cfm?id=1945262