Bitcoin Forum

Bitcoin => Development & Technical Discussion => Topic started by: jim618 on April 21, 2012, 09:31:16 AM



Title: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 21, 2012, 09:31:16 AM
Mainly due to a serial line hack I am attempting (see thread in Alternative Clients) I have been thinking about whether it is practical to have dedicated bitcoin devices.

Here is what I have got so far.  Your feedback is very welcome.


What is a dedicated bitcoin device ?

It is a small device with:

1) A small LCD. (A few lines of text, non-touch)
2) A keyboard.
3) It has enough computing power and memory to sign transactions but not enough to maintain a blockchain.
4) No dedicated network connection (no WiFi, no cell phone connection)
5) IO is over a serial connection - micro USB and infrared (IRDA).
6) Low power - you could run it off button lithium batteries for a long time.

Think: a glorified calculator or Casio electronic dictionary.
Think: cheap to mass produce.


What can you use it for ?

1) You can use it to pay for things in shops with bitcoin.
2) You can use it to send bitcoin directly from one device to another.
3) You sync it (like an iPod) with your main computer to see the transactions in detail and recharge it.


What are the problems ?

There are two main problem areas:
1) Yeah, show me one that works and I will believe it. It's vaporware unless I can hold it in my hand.
2) If it does not have its own network connection how does it know what its balance is ?  What is to stop Mallory screwing around with it and sending it bogus transactions?
(Mallory is the generic 'Bad Guy').


Detailed operation in a shop

Here is how I think it would work at Point of Sale:

1) Prior to your shopping spree you sync your device at home against your home PC. The PC creates a watching wallet for the private key that is created on the device (and never leaves it). Because of iPods etc people are used to syncing their devices by plugging them in to their PC.  You trust your home PC to give you the real blockchain transactions.

2) The user 'charges' the device by sending it some BTC using your desktop client. The watching wallet sees the transaction and tells the device what unspent outputs it has available to spend. The transaction that the desktop bitcoin client uses to recharge the device has many small transaction outputs (say a tenth of a BTC each).

For instance, if you charged it with 10 BTC, you would have available 100 transaction outputs each of a 0.1 BTC value.

The device stores a list of its unspent outputs and hence knows its balance.  Because this is a sync with a PC you trust, the device will be happy to spend these unspent outputs. It believes they are real.


3) At the shop, there would be a data exchange as follows. IRDA is at 115.2 kbps so you should be able to do it quickly enough for realtime use.

edit: simplified

3.1) Shop -> device. Shop identifies itself as, say 'Walmart'. Requests a payment of, say, 3.55 BTC using a Bitcoin URI.
3.2) Device -> user. Prompts user with payment amount. User presses 'Confirm' or 'Cancel'.
3.3) Device -> shop. Device creates transaction for the 3.55 BTC, using a total of 3.6 BTC of transaction outputs and sending itself 0.05 BTC of change. Device signs tx and sends it back to shop.
3.4) Shop -> bitcoin network. Transmits tx out to bitcoin network.
3.5) Shop -> device. Shop confirms that the tx has been transmitted to the bitcoin network.

The device would then go through its unspent outputs and mark off the spends. The change transaction output it does not believe it can spend yet as it depends on whether Walmart really transmitted the tx. It marks it internally as:
   Walmart says: Sent you 0.05 BTC

The shop also does not trust the transaction outputs used in the tx at stage (3.3). It would do a network webservice lookup with a well connected node to check that those outputs were REALLY unspent. It would know the txid and output number so this should be relatively quick. This limits the ability of Mallory to perform a double spend as he has a very short attack window.


Summary of shop transaction.

The device initially had 100 unspent transaction outputs of value 0.1 BTC.
Now it has:
   64 unspent outputs of value 0.1 BTC
   36 spent outputs of value 0.1 BTC
   1 transaction output of value 0.05 BTC that is marked as "Walmart says it sent it to you".


What happens at the next shop

At the next shop the device will not try to spend the "Walmart says" transaction output, only its unspent outputs.



When the user gets home s/he syncs the device and it and the watching wallet compare notes to:
4.1) Confirm the tx are spent and change has been received (It should be as the shop wants its money)
4.2) Perhaps the user also wants to recharge the device and hence there will be new outputs available to spend.


Sending BTC from one device to another

To send BTC from one device to another the exchange would be similar to that in a shop. Say Bob sends Alice 10 BTC. Alice's device stores the transaction but marks it internally as:

   "Bob says: Sent you 10 BTC"

Again Alice's device will not try to spend this BTC until the next sync.
The basic principle here is:
  You cannot spend a promise

There is more opportunity for Mallory here admittedly as he could hack his device and keep trying to spend the same BTC.   When Alice syncs she will see that Mallory's tx has been double spent.   I expect she will immediately get onto Facebook and start flaming him.   Alice's device and desktop in combination say:

   "Mallory said he sent you 10 BTC at 10:35am but he is a lying piece of s**t and cheated you"

Perhaps I would not use those exact words in the internationalisation file :-)


How would the UI present the information

Whilst the general public is not very good with technical ideas, everyone knows the difference between these two statements:

"Charlotte thinks you are totally hot and wants you to take her to the prom on Saturday"

and

John says: "Charlotte thinks you are totally hot and wants you to take her to the prom on Saturday"


For the UI on, say, a 2 line LCD you would have something like:

    LCD Top row:           Balance 12.4 BTC
    LCD Second row:      Bob says: Sent you 10 BTC
          Scrolls:             You sent Walmart 3.55 BTC
          Scrolls:             Walmart says: Sent you 0.05 BTC
          Scrolls:             Balance with promises: 22.45 BTC


Is this:
  Practical ?
  Doable ?
  Simple enough for the general public ?
  Can Mallory brick my device or mess me about ?




Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Revalin on April 21, 2012, 11:10:44 AM
A few thoughts:

The store does not have to send the change.  The device can create a transaction so 0.05BTC goes to the store and .05BTC goes back to you.  There is no need to trust the store to return it or to verify the change.

There is no need to split the inputs into 0.1BTC amounts.  It's just as easy (actually easier) to have a single 10BTC input and send a 3.55BTC output to the store and the remainder as change to yourself.

A 32-bit ARM MCU with 256KB of RAM is only about $10 in single units or $5 in volume.  That plus an SD card to store the blockchain would give you a full-function device.  A CR123A battery would run it for two days of continuous 150MHz operation, and essentially unlimited sleep time.  That's certainly heavier than an 8-bit micro running on a couple of watch batteries, but it's something to consider.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 21, 2012, 12:00:12 PM
Hi Revalin,

Interesting figures for hardware. That is pretty cheap.

My thinking about the change is that until you sync you cannot be sure that the shop actually sent your tx to the bitcoin network and that you will have the change available to spend later. Hence trying to keep it small.

For example if you use a 10BTC transaction output with 9.9 BTC in change (unconfirmed and possibly not transmitted to the bitcoin network) you cannot be sure that the 9.9 BTC tx output is available to spend at the next store.  The device has no network connection of its own to know.

Your device might be declined at the checkout at the next store because your previous change tx output (which you are now trying to spend) does not exist yet. You could send the previous tx in addition to the new one at the second store but it soon gets complicated.

Thanks for your feedback.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: pgajic on April 21, 2012, 12:07:50 PM
Quote
A 32-bit ARM MCU with 256KB of RAM is only about $10 in single units or $5 in volume.  That plus an SD card to store the blockchain would give you a full-function device.  A CR123A battery would run it for two days of continuous 150MHz operation, and essentially unlimited sleep time.  That's certainly heavier than an 8-bit micro running on a couple of watch batteries, but it's something to consider.

Any chance of a link where I could buy a board of this type?


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Revalin on April 21, 2012, 02:13:30 PM
Any chance of a link where I could buy a board of this type.

Here you go:

http://www.mouser.com/Embedded-Solutions/Engineering-Tools/Embedded-Processor-Development-Tools/Development-Boards-Kits-ARM/_/N-8x0x4/


Here's a nice cheap one. The chip is a Cortex M4 with 192KB RAM, 1MB flash, ethernet, USB, LCD drivers, SD card support, and more; the board has some accelerometers, buttons, LEDs, a USB port, and some prototyping leads, all for $15:

http://www.mouser.com/ProductDetail/STMicroelectronics/STM32F4DISCOVERY/?qs=J2qbEwLrpCFMptdjNAVzZeZDfltJ6JKw1GLhrq7db5E%3d


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 21, 2012, 06:08:31 PM
Thinking about it, there is no reason that you would have to just sync at home.

Say Starbucks accepts bitcoin and has a little cradle/reader thing they use for payments. In a quiet moment you could always ask the barista if she minded you syncing. Pop your device in the cradle. Press a button on your device labelled 'sync'. Device asks cradle for up to date tx for its address, updates its records.


Because you explicitly requested a sync the device will say 'ok I can believe this data'.
Then if a friend sent you some BTC device to device you could sync and can then spend them.

Edit: hmm, you would sync, and the tx your friend sent to you could be transmitted to the network, but it is not on the blockchain yet. Might be more trouble than it's worth.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: schnell on April 21, 2012, 06:53:06 PM
Edit: hmm, you would sync, and the tx your friend sent to you could be transmitted to the network, but it is not on the blockchain yet. Might be more trouble than it's worth.
The tx would have to send when THEY sync, then when it has x confirmations you can sync, confirm the tx and split it into 0.1 outputs.


Also, customising the output size sent to the device would be nice, personally I would do 0.001, but would that overload the cpu?

Also, lcd screens consume a shit tonne of power. Use kindle-like eink black and white screens, they only need power to move the ink then it stays there without any more power.

Would the communication with the shop be NFC?



Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Revalin on April 21, 2012, 08:08:23 PM
LCD backlights consume a ton of power.  Unlighted LCDs consume barely any, and regardless this is a device you'd only power up for a few seconds at a time.  eink's nice, but it costs a lot more than a $2-5 LCD.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: schnell on April 21, 2012, 08:30:16 PM
LCD backlights consume a ton of power.  Unlighted LCDs consume barely any, and regardless this is a device you'd only power up for a few seconds at a time.  eink's nice, but it costs a lot more than a $2-5 LCD.

Point taken.

How much do they cost?


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: theymos on April 21, 2012, 09:13:48 PM
A secure Bitcoin spending device doesn't need to store anything other than its private keys. It can give its public keys to the recipient and rely on them to create a valid unsigned transaction. The device just needs to figure out the BTC spent by the transaction (total output BTC minus output BTC to the device's keys) and get the user to confirm. It doesn't matter if the device is given an invalid transaction to sign, since the network will reject it.

It'd be nice for the device to store some transaction details for accounting purposes, of course.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 21, 2012, 09:34:38 PM
@theymos

If the user the device is talking to has network access you could give it your public key, it can get your unspent tx outputs and create an unsigned tx yes.

If you wanted to do a device to device transfer you would have to know your available unspent outputs as the other device is as unconnected as you.

@konichua I think there would be a variety of possibilities for the connectivity. I mention IRDA mainly because the hack I am working on has USB and IRDA.



Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Revalin on April 21, 2012, 09:48:20 PM
How much do they cost?

$40-60 for something the size of a Kindle.  It's hard to say what a tiny one would cost since there's not much of a market for it.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Revalin on April 21, 2012, 09:59:41 PM
(unconfirmed and possibly not transmitted to the bitcoin network) you cannot be sure that the 9.9 BTC tx output is available to spend at the next store.  The device has no network connection of its own to know.

Then you just spend the original inputs again.  :)

I can't imagine ANY store is going to deliver goods before the tx is at least broadcast, unless it's a regular customer they know and can trust.  For anyone else, they'd have to be online for any transaction.

Still, this is a good point: even if the store broadcasts it immediately your change won't be confirmed for an hour.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Andreas Schildbach on April 21, 2012, 10:52:49 PM
A secure Bitcoin spending device doesn't need to store anything other than its private keys.

It needs to know its unspent outputs so it can calculate the balance of a transaction received for signing.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Stephen Gornick on April 22, 2012, 04:19:02 AM
even if the store broadcasts it immediately your change won't be confirmed for an hour.

It won't have 6 confirmations but it can be spent right away.  The bitcoin client doesn't allow spending on 0/unconfirmed but the protocol allows it, clients will relay it and as long as there are fees paid, miners will likely include it.  BlockChain.info is one such wallet which allows immediate spend transactions, for example.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: FreeMoney on April 22, 2012, 05:04:08 AM
A bunch of .01 or .001 is not optimal. Probably a collection of UNIT * n^2 up to about average expected transaction amount would be good. But you could customize for reduced number of keys or reduced average or max change.

For example 100x .02 and 100x .01 is going to be strictly superior to 300x .01 unless you make hundreds of tx for amounts between .01 and .02.
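To make the denomination argument in this post concrete, here is an added example (my own, not code from the post or from any project mentioned in the thread). It implements the post's UNIT * n^2 ladder literally, a simple largest-first input selection, and a comparison of how many inputs and how much change two recharge plans produce over a set of sample payments; the plans 100x 0.02 + 100x 0.01 versus 300x 0.01 are the ones the post compares, and the sample payment amounts are constructed.

```python
from decimal import Decimal


def denominations(unit, limit):
    """Denomination ladder read literally from the post: UNIT * n^2 up to `limit`."""
    unit, limit = Decimal(str(unit)), Decimal(str(limit))
    ladder, n = [], 1
    while unit * n * n <= limit:
        ladder.append(unit * n * n)
        n += 1
    return ladder


def select_inputs(outputs, amount):
    """Pick outputs to cover `amount`: largest-first without overshooting, then top up
    with the smallest remaining outputs. Returns (values used, change)."""
    amount = Decimal(str(amount))
    remaining = sorted((Decimal(str(v)) for v in outputs), reverse=True)
    chosen, total = [], Decimal(0)
    for v in list(remaining):
        if total + v <= amount:
            chosen.append(v)
            total += v
            remaining.remove(v)
    while total < amount and remaining:
        v = remaining.pop()          # smallest value left
        chosen.append(v)
        total += v
    if total < amount:
        raise ValueError("insufficient funds")
    return chosen, total - amount


def compare(plans, amounts):
    """For each recharge plan, total inputs used and change produced over `amounts`.
    Each payment is evaluated against the full plan (change is not re-spent, matching
    the 'you cannot spend a promise' rule earlier in the thread)."""
    report = {}
    for name, outputs in plans.items():
        n_inputs, change = 0, Decimal(0)
        for a in amounts:
            used, c = select_inputs(outputs, a)
            n_inputs += len(used)
            change += c
        report[name] = (n_inputs, change)
    return report


# Constructed sample: the two plans from the post and a handful of small payments.
PLANS = {
    "100x0.02+100x0.01": ["0.02"] * 100 + ["0.01"] * 100,
    "300x0.01": ["0.01"] * 300,
}
SAMPLE_PAYMENTS = ["0.07", "0.03", "0.015", "0.25"]

if __name__ == "__main__":
    print("ladder 0.01 * n^2 up to 0.1:", denominations("0.01", "0.1"))
    for name, (n, change) in compare(PLANS, SAMPLE_PAYMENTS).items():
        print(f"{name}: {n} inputs, {change} BTC change over {len(SAMPLE_PAYMENTS)} payments")
```

The comparison shows the point of the post: the mixed plan uses roughly half the inputs for the same payments (smaller transactions to sign and send over the serial link), and only payments that fall between 0.01 and 0.02 end up needing the same number of inputs and change as the uniform plan.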


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 22, 2012, 07:58:24 AM
@freemoney - good point. That would also reduce the size of the tx which has several benefits.

@Stephen Gornick  With the change tx output as long as the previous tx has been transmitted by either you or the other party you would be able to use it.

However I am trying to think of a protocol that, even as a disconnected, untrusting device you can be 100% sure your tx will be accepted. You can only believe what your home sync computer tells you. You do not want to believe the contents of any tx you receive. Nor that any tx you produce actually gets transmitted to the network. It is for that reason that all the tx you receive and change is marked as 'somebody says this is true but I am not willing to put my reputation on the line just yet and reuse them'.

Another reason not to reuse unconfirmed tx specifically is the very human temptation that if someone sends you a fake tx you might be tempted to pass it on to someone disconnected who cannot get back at you when they detect the double spend.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: World on April 22, 2012, 01:08:17 PM
maybe like this watch?
http://www.kickstarter.com/projects/597507018/pebble-e-paper-watch-for-iphone-and-android?ref=search


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: wareen on April 22, 2012, 02:15:09 PM
@jim618: You should probably get in touch with Prof. Clemens Cap (http://wwwiuk.informatik.uni-rostock.de/wer_sind_wir/mitarbeiter/clemens_cap). He is working on a Bitcoin hardware wallet (https://www.youtube.com/watch?v=IavQ-Wc8S1U) and he called for interested people to participate.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 22, 2012, 02:22:17 PM
@wareen - good idea !
I am not really a hardware guy so it would be really useful to have someone to work on the hardware side and for me to concentrate on "serving up the data".

I will email him and see what he says.

Cheers.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: theymos on April 22, 2012, 08:57:27 PM
It needs to know its unspent outputs so it can calculate the balance of a transaction received for signing.

The recipient just needs to provide the device with copies of all of the transactions-being-spent (I forgot about this in my previous post). Then the device can calculate the input value and easily see the output value.
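The exchange theymos describes in this post and in the earlier one (the device holds only keys, the recipient builds the unsigned transaction and supplies copies of the transactions being spent, the device works out the amount leaving it and asks the user to confirm), as an added example that is not part of the thread or of any project mentioned in it. It uses a simplified JSON transaction model with a double-SHA-256 stand-in for the txid rather than Bitcoin's real serialisation; the addresses, values and fee are constructed. The check that each supplied parent really hashes to the referenced txid is what stops a lying recipient from misstating the input values the device is spending.

```python
import hashlib
import json
from decimal import Decimal


def txid(tx):
    """Stand-in for a Bitcoin txid: double SHA-256 of a canonical JSON serialisation
    (constructed for this model; real transactions use Bitcoin's binary format)."""
    blob = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(hashlib.sha256(blob).digest()).hexdigest()


class UntrustedTxError(Exception):
    """The counterparty's data does not add up; the device refuses to sign."""


def amount_to_confirm(unsigned_tx, parents, my_addresses):
    """Work out what the user must confirm for an unsigned tx built by an untrusted party.

    parents: {txid: parent transaction} copies supplied by the recipient.
    Returns (btc_to_others, fee). Every input is checked against a parent copy that
    really hashes to the referenced txid before its value is trusted."""
    total_in = Decimal(0)
    for inp in unsigned_tx["inputs"]:
        parent = parents.get(inp["txid"])
        if parent is None:
            raise UntrustedTxError(f"no copy of parent tx {inp['txid'][:8]}...")
        if txid(parent) != inp["txid"]:
            raise UntrustedTxError("parent copy does not hash to the referenced txid")
        outs = parent["outputs"]
        if not 0 <= inp["index"] < len(outs):
            raise UntrustedTxError("input refers to a non-existent output")
        if outs[inp["index"]]["address"] not in my_addresses:
            raise UntrustedTxError("input is not controlled by this device")
        total_in += Decimal(outs[inp["index"]]["value"])
    total_out = sum((Decimal(o["value"]) for o in unsigned_tx["outputs"]), Decimal(0))
    to_me = sum((Decimal(o["value"]) for o in unsigned_tx["outputs"]
                 if o["address"] in my_addresses), Decimal(0))
    fee = total_in - total_out
    if fee < 0:
        raise UntrustedTxError("outputs exceed inputs; the network would reject it anyway")
    return total_out - to_me, fee


# Constructed sample data: a 10 BTC recharge output owned by the device, and the
# unsigned tx a shop proposes against it (3.55 BTC to the shop, change back, 0.0001 fee).
MY_ADDRESSES = {"device-addr-1"}
PARENT = {"inputs": [], "outputs": [{"address": "device-addr-1", "value": "10"}]}
PROPOSED = {
    "inputs": [{"txid": txid(PARENT), "index": 0}],
    "outputs": [{"address": "shop-addr", "value": "3.55"},
                {"address": "device-addr-1", "value": "6.4499"}],
}


def demo():
    """Honest recipient: returns what the LCD would ask the user to confirm."""
    return amount_to_confirm(PROPOSED, {txid(PARENT): PARENT}, MY_ADDRESSES)


def tampered_parent_rejected():
    """A recipient that overstates the input value changes the parent's hash, so the
    device refuses to sign. Returns True when the tampering is caught."""
    fake = {"inputs": [], "outputs": [{"address": "device-addr-1", "value": "100"}]}
    try:
        amount_to_confirm(PROPOSED, {txid(PARENT): fake}, MY_ADDRESSES)
    except UntrustedTxError:
        return True
    return False


if __name__ == "__main__":
    spend, fee = demo()
    print(f"Pay {spend} BTC to others (fee {fee} BTC)? [ok] [cancel]")
    print("tampered parent rejected:", tampered_parent_rejected())
```

Note that, as Andreas Schildbach points out above, this only works because the recipient hands over the parent transactions; with the hash check in place the device does not need to store its unspent outputs to price the transaction, but it still cannot know whether those outputs are unspent, which is why the earlier posts keep a trusted sync in the loop.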


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Bitcoin Oz on April 23, 2012, 06:00:32 AM
What about a wristwatch device for bitcoin ?



Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 23, 2012, 06:30:28 AM
@CryptoCoinMedia

A wrist device might be possible. The power requirements are low enough.
After perusing my Maplin catalog the most similar devices on sale currently are the little crossword puzzle solvers and translation machines, except that you do not need a QWERTY keyboard.

I think you need the following keys:

Numeric: 0123456789 and '.'

Action keys: "sync", "request payment", "send payment"
(as icons)

Confirmation: 'ok', 'cancel'
(like on PIN entry devices for debit cards)

Navigation: Perhaps also a 'menu' or 'home' or 'show history' key. Perhaps also an 'up' and 'down' arrow.

Of course the plethora of UIs for MP3 players indicates that what I think is the minimum may not be the case.

Edit: the reason I am concentrating on the minimum required is for clarity and also ideally the devices would be so cheap you could practically give them away.

Not sure what the minimum size LCD display is yet. You could probably do it in one line of 20 characters.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 23, 2012, 07:13:02 AM
You could perhaps have a layout:
Code:
dddddddddddddddddddddd

1 2 3  sync requ send
4 5 6              
7 8 9             up
H 0 .   ok  can  down

Where:

dddd = the display
H =  home icon, this would also wake up the device out of a sleep mode.  (long press to switch off + you would have a 5 minute auto-sleep)
ok = ok, confirm payment. A green tick icon. Big key.
can = cancel. A red cross icon. Big key.
sync = sync icon
requ = request payment icon
send = send payment icon
up = up arrow
down = down arrow

By having it all icons the keyboard is fully internationalised. You would set the language of the display in your sync software on your PC.

You would put a border around the separate functional key groups to 'join them up' and to square up the keyboard layout.

If you were using infrared you would want the LED on the top edge of the device, in the middle. You would have a little alignment mark on the top of the case. That way when transferring BTC device to device via infrared you would have your device pointing at the recipient's and both could work the two keypads simultaneously.

You would put the microUSB connector on the back edge or the right hand side at the back. You want it at the back so that the device is wedge shaped. Thin at front, thicker at back. That makes the keypad slant towards you when it is sat on a table top. You want it on the right as Apple USB ports are typically on the left of their machines so the cable connection works better.

The position of the LED and microUSB suggests the batteries go at the back left, accessible through a little slot cover on the underside of the device. Circuitry is probably across the centre of the device, leaving only the membrane keypad at the front so it could be thin thin thin at the front edge.

You would also want a Bitcoin logo somewhere. Perhaps to the left of the screen as then you could have the balance (say, 12.345 BTC) right next to it and the two would be visually associated.

It would be thicker than a credit card (because of the microUSB connector) but I wonder if it could be the width and height of a credit card ?
Then it would be easier to fit into existing (physical) wallets people carry.

Something like:

http://econsumersearch.com/blog/credit-card-wisdom/files/2011/05/wpid-1306692099-39.jpg

Anybody any good with photoshop ?  :-)


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: World on April 23, 2012, 06:29:12 PM
something very nice is under development http://bitcoincard.org/


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 23, 2012, 07:02:50 PM
@World,

Thanks for that - I have just messaged them to say hello.

:-)


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: Xenland on April 23, 2012, 08:20:52 PM
Bitcoincard is like a smartphone but the size of the credit card? Somehow I don't believe that is a reasonable goal or even possible without some advancements in manufacturing technology.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: MoonShadow on April 23, 2012, 09:37:32 PM
Bitcoincard is like a smartphone but the size of the credit card?

No, it's not.  It seems like a small form factor imagination of a device that I've been (mentally) playing with for some time, that uses Dash7 radios to mesh to other such devices, with a dash7 dongle plugged into an Internet router somewhere in order to occasionally connect to any overlay network such as Stratum or the split wallet.dat system that BitcoinSpinner uses.  In fact, it looks a lot like that.  A small dash7 radio and a microcontroller running a custom cut version of BitcoinSpinner, throw in the ability to send texts to other cards and a standardized system for requesting a payment via that text (all doable via Dash7 native to the radio) and you have a complete system.  In fact, the bit about the location detection in the video practically screams dash7, since that is the only protocol that I'm aware of that can precisely calculate relative position vectors without outside infrastructure (and thus, if you are a vendor with a few dash7 gateways & already know their precise physical placement, determining the absolute position & vector of any arbitrary dash7 radio is simply math) and the only protocol that can mesh via a rapidly changing network neighborhood.  It was originally developed for the US military for some kind of future warfighting gear including a heads-up display on the soldier's combat helmet that could tell him in near-real time where the nearest tanks/buddies/whatever were relative to himself as well as their "operational status" (i.e. are they still moving, or flat on their face?)  It's an awesome tech, that Dash7 mode 2 (version 2.0) has improved upon greatly for mesh networks.  Because there does not need to be a 'coordinator node' (access point for wifi, root server for other mesh networks) there can be a nearly limitless number of nodes on the network within the broadcast range of any single node (more practically limited to about 1000 or so nodes within radio range, for reasons related to the physics of digital radios).  In practice, however, bandwidth is the issue, and Dash7 isn't intended for mass data transfers.  Moving whole blocks would be impossible, but moving block headers, pre-pruned merkle trees & loose transactions would be trivial.  If every gateway to the internet for such a dash7-like mesh network were also a Stratum network server, this kind of three layer payment network (the standard bitcoin network as the clearinghouse backend network, stratum as the user network & dash7 devices that can share data natively and communicate with a stratum server when possible) could be effectively utilized by the entire planet.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: kjj on April 24, 2012, 05:36:17 AM
This has been discussed at length in other threads.  I think the most recent useful thread was the one from etotheipi where we discussed a format/syntax/protocol for transaction proposals.  Also, see the "todo" link in my sig.


Title: Re: Dedicated bitcoin devices - dealing with untrusted networks
Post by: jim618 on April 24, 2012, 07:06:00 AM
Hi kjj,

Thanks for those links. Your 'todo' link is very interesting - it is practically identical and goes into the API calls required.

My feeling is that we are still a bit away from a nicely packaged consumer device but are now at the point where we:
1) could do it with a full size computer, etotheipi's push on offline is almost there (just needs serial rather than sneakernet, which I know he has been investigating).
2) then we would have the serial line protocol specified enough for smaller devices, say a beagle board. This then makes it portable, though in a slightly 'jumbo' format.

Those are doable with 'garage tech'.

3) a full custom device would then have working reference implementations to copy.

I will go through your 'todo' thread in detail. The RPC calls you planned to add are what I would want to add in my MultiBitShell project to enable the wallet device to manage its keys etc. (see thread in 'Alternative clients').

Cheers