Bitcoin Forum
Author Topic: Forget Paper Wallets - Paper transactions?  (Read 1820 times)
Meni Rosenfeld
June 02, 2013, 07:16:35 PM
 #21

So basically, you have two pieces of information (the tx and the private key of the target address), and spending your coins requires having both. So this is in no way better than putting the coins in a 2-of-2 multisig address. But there are several ways it's worse:

- Less intuitive
- The deposit procedure is more convoluted
- Less flexible (there's no obvious way to extend to, say, 3-of-5 without involving multisig logic)
- Additional attack vectors - e.g., attacker steals just the target private key, and beats you to the tx that moves coins from it when you cash out
- Impossible to add more funds to the same wallet

Qwedcxza1
June 02, 2013, 07:43:28 PM
 #22

Instead of having one secret i.e. a private key to your address
You now have secret 1 and secret 2
secret 1 is the encoded transaction with private key discarded
You would have to keep it secret as otherwise anyone could just initiate the transaction and we would be back to square one
Secret 2 is your private key to your address

If only secret 1 is completely stolen your coins are lost (unless thief is good enough to process transaction)
If only secret 1 is stolen but you have a copy your coins are still safe but we are back to square one.
If only secret 2 is completely stolen your coins are lost.
If only secret 2 is stolen but you have a copy then it is a race to perform a transaction
If both secret 1 and secret 2 are stolen but you have a copy of both then it is a race to perform a transaction
If both secret 1 and secret 2 are stolen and you have no copy of either then your coins are stolen.
If both secret 1 and secret 2 are stolen but you have a copy of secret 1 but not a copy of secret 2 then the coins are stolen
If both secret 1 and secret 2 are stolen but you have a copy of secret 2 but not a copy of secret 1 then it is a race to perform a transaction

Now we need to assess the probability of a breach of bank security or super-spy-government-satellite attack or other such attack on each of the above scenarios in relation to the increased probability of key loss.

If we calculate the relative probabilities for each scenario and use this to calculate an overall weighted probability that should give us some idea of whether we would be better off using this system or not. :)
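
Post #22's scenario list and its suggested weighted probability, as an added Python example that is not part of any post in this thread. The 2-of-2 multisig model, the independence of theft and loss events, the function names and the probabilities are assumptions made here for illustration.

```python
from itertools import product

SAFE, RACE, LOST, STOLEN = "safe", "race", "lost", "stolen"

def presigned(atk1, atk2, own1, own2):
    """Post #22's cases. Secret 1 = pre-signed tx, secret 2 = target address key.
    atkN: the thief holds secret N; ownN: the owner still holds a copy of it."""
    owner_ok = own1 and own2
    if atk1 and atk2:            # thief can broadcast and then spend
        return RACE if own2 else STOLEN
    if atk2:                     # thief waits for the owner's broadcast
        return RACE if owner_ok else LOST
    return SAFE if owner_ok else LOST

def multisig_2of2(atk1, atk2, own1, own2):
    """Assumed comparison model: both keys are needed to sign any spend."""
    owner_ok = own1 and own2
    if atk1 and atk2:
        return RACE if owner_ok else STOLEN
    return SAFE if owner_ok else LOST

def distribution(model, p_theft, p_loss):
    """Weighted probability of each outcome, treating theft and loss of each
    secret as independent events. p_theft and p_loss are (secret1, secret2)."""
    probs = [p_theft[0], p_theft[1], 1 - p_loss[0], 1 - p_loss[1]]
    totals = {SAFE: 0.0, RACE: 0.0, LOST: 0.0, STOLEN: 0.0}
    for state in product((False, True), repeat=4):
        weight = 1.0
        for held, p in zip(state, probs):
            weight *= p if held else 1 - p
        totals[model(*state)] += weight
    return totals

def differing_states():
    """States (atk1, atk2, own1, own2) where the two schemes end differently."""
    return [(s, presigned(*s), multisig_2of2(*s))
            for s in product((False, True), repeat=4)
            if presigned(*s) != multisig_2of2(*s)]

if __name__ == "__main__":
    # Constructed probabilities, for illustration only.
    for model in (presigned, multisig_2of2):
        print(model.__name__, distribution(model, (0.01, 0.01), (0.02, 0.02)))
    for row in differing_states():
        print(row)
```
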

Richy_T (OP)
June 02, 2013, 08:24:26 PM
 #23

> - Less intuitive
> - The deposit procedure is more convoluted
> - Less flexible (there's no obvious way to extend to, say, 3-of-5 without involving multisig logic)
> - Additional attack vectors - e.g., attacker steals just the target private key, and beats you to the tx that moves coins from it when you cash out
> - Impossible to add more funds to the same wallet

Yes.
Yes.
Yes. That's kind-of the point. There is no flexibility. All you can do is initiate the deposit of the coins to wallet X
No. That's pretty much the *only* attack vector.
Slightly incorrect. You can add more funds. You'll just never be able to get them out.

Meni Rosenfeld
June 02, 2013, 08:53:37 PM
 #24

> Yes. That's kind-of the point. There is no flexibility. All you can do is initiate the deposit of the coins to wallet X

You're confusing the end with the means.

The goal is to keep your bitcoins secure. "Funds in a 2-of-2 address" is a better way to do it than "funds that can only be deposited to wallet X" - what these methods have in common is that they rely on two pieces of information that are both needed.

What I meant by "flexible" is that with multisig you can have other ways to secure your coins, potentially better - e.g. 2-of-3.

> No. That's pretty much the *only* attack vector.

Ok, "additional attack vector", singular. The attack they have in common is stealing both pieces.

> Slightly incorrect. You can add more funds. You'll just never be able to get them out.

That's not adding funds, that's discarding them. By "wallet" I don't mean "address", I mean "someplace that you keep bitcoins". If you can't get them out they're not "kept" and thus not in a wallet.

Richy_T (OP)
June 02, 2013, 09:18:37 PM
 #25

> The goal is to keep your bitcoins secure. "Funds in a 2-of-2 address" is a better way to do it than "funds that can only be deposited to wallet X" - what these methods have in common is that they rely on two pieces of information that are both needed.
>
> What I meant by "flexible" is that with multisig you can have other ways to secure your coins, potentially better - e.g. 2-of-3.

Fair enough. It's just another option I thought might be interesting to consider and discuss. Multisig may be better in most or all scenarios but since this is operationally different, it is possible there are scenarios where it would be superior.

Consider, for example, that you can trust an entity to hold one of these tokens and give them full authority to be able to initiate the transfer of the funds into your wallet without actually having to trust that entity with any of your actual bitcoins.

> > No. That's pretty much the *only* attack vector.
>
> Ok, "additional attack vector", singular. The attack they have in common is stealing both pieces.
>
> > Slightly incorrect. You can add more funds. You'll just never be able to get them out.
>
> That's not adding funds, that's discarding them. By "wallet" I don't mean "address", I mean "someplace that you keep bitcoins". If you can't get them out they're not "kept" and thus not in a wallet.

Don't want to get into semantics, it's a distinction without a difference. So I'll let that stand.

Kouye
June 02, 2013, 10:30:23 PM
 #26

Seems interesting, though complicated, compared to the 'trust me for 12 months' I proposed here:
https://bitcointalk.org/index.php?topic=216376.msg2275068#msg2275068

Recipient knows you have reserved bitcoin for her/him/it.
You cannot claim those BTC back before the end of the contract.
Recipient cannot claim the BTC, you have to actually send them to make them her/his.

12 months can also be 2 weeks, or 2 days, depending on trust factor.
Solves the issue of exchanges being hacked.

They would only hack shadow coin, whose real siblings are still safe in your wallet.

And when they ask you to validate one of your open orders to sell some shadow coins, you just have to send the coins to the required address to validate it. The one and only address you can send those bitcoins to, before the contract ends.
