Interesting idea. It'd probably be more counterfeit-proof than paper currency.

However, you could create a counterfeit card that does all of the signing and stuff, but when you try to withdraw the bitcoins, it deletes the private key. Whoever creates the card gets to trade it and keep the BTC it represents.

Thinking a little deeper, I am persuaded that the only weak link left in the chain would be the maker of the smart card.

- The maker of the smart card could record the private key of all the smart cards he produces, and later steal the BTC from all the cards he produced, all at once.
- The maker of the smart card could make the card lie about max(X), so someone could have a valid transaction out there with nobody knowing it.

If I'm on the right track, then an effective countermeasure could be as follows.  BTC addresses could have a "dual signature" scheme, where creating a valid transaction to spend the coins requires a second signature.

Signature 1 would be the private key embedded by the maker and cannot be changed.

Signature 2 would be a second private key, originally embedded by the maker but replaceable by any user.  A message could be broadcast via the block chain telling everybody the public key of signature 2, every client would then know that spending from this bitcoin address requires a valid second signature.

The private key for signature #2 doesn't really need to be kept secret from any possessor of the card, it only needs to be secret from the original maker of the card who might know private key for #1.  Private key #2 is useless when not accompanied by a signature made from private key #1.

Any user with a smart card reader could generate a brand new keypair for generating signature 2, and upload it to the card, and then send a signed "new second signature" message (signed by #1 and old #2) to the block chain, telling everybody about the replaced #2.  Such message, of course, would expire by a certain block X.

The verification process (the "counterfeit detection pen" process) would confirm that publicly known key for signature #2  had a corresponding private key on the card.

Original maker of smart card might know private key for signature #1, but definitely will not know private key for signature #2 since it was made by a user on their own computer.  Maker could steal the money from the card until the first person generates a new #2.

Anyone possessing a valid card but suspicious that the maker (or anybody else) might know private key #1 and possibly #2, may simply generate a brand new #2, once acknowledged by the block chain, he may know the BTC on the card is good without trusting anyone, not even the card maker.

The smart card will have memory to remember the last two or three keypair #2's instead of overwriting it immediately upon replacement, to eliminate the risk that a botched attempt to update #2 would render the card worthless.

Finally,

To prevent cards from lying about max(x), they could be required to give not just a block number, but also the known hash for a block.  The network could say, conditional transactions are good for 10 blocks and no more.  Instead of saying, "this transaction good till block 100000", it could say "I know the latest block 100000 has hash XXX", and all clients know, that transaction is void past block 100009.  Card would have no way to create a conditional transaction that lasted any longer than that.

explain.  Readers don't "grant access", they merely confirm the money is either good or it's not.  (and perhaps re-key the card if in doubt the keys are secure).

Unlike Visa or ATM, these cards don't need to be read to be spent, just to be verified as non-counterfeit.  Conscientious user can own and trust his own reader attached to his own computer.  User should practice safe sex, and not stick his smart cards ("bit cash") into random holes and he should have nothing to worry about.  If he wants to spend the money on the card, he GIVES the card away like cash.

You can rely on trust on the issuer, that's not a major problem, I think. All you need is a way to be sure it really was the issuer you trust who created that smart card, and that could be done by a simple signature of the card address/public key.

The problem I see in this is the card production cost... is it as cheap as a piece of paper? If the cost is high, this would only be useful for larger amounts of bitcoins, never for pennies...

I thought smart cards were designed in a way that stealing the private content of the memory was practically unfeasible.... isn't that the big deal about smart cards?

Why? Each card should contain a different bitcoin private key, the key that owns the amount... is this key that should be used to sign challenges...

This is an entirely different problem. It's like cracking DVD's CSS, not like cracking individual smartcards. It doesn't matter how difficult it is to crack because you only need to get one private key.

Before BitCorp sells Bitcoin cards, they publish a signed list of all the addresses the cards are using. If one of those addresses goes rogue, then an unlimited number of counterfeit cards can be created using that one public key. BitCorp can revoke the signature on that address, but this news won't propagate fast enough -- hundreds or thousands of unbacked cards can be made by a counterfeiter in the meantime.

True, that's a security risk. I don't see how to remove it completely, but it could be mitigated by

• Making cards with an expire date.
• Improving fraud detection by physically tracing each card. Something like every merchant that verifies the validity of a card also publishes somewhere that "card X was here at this timestamp". This way the issuer might detect cloned cards faster.

As long as counterfeiting such cards is harder or as difficult as counterfeiting paper money, this can be see as an improvement... think about credit cards... all you need is to get hold of the numbers written on it and it's done, you can use somebody else's money to buy stuff on the net.

But yeah, it starts to get so complicated to implement it that maybe smartphones apps will be much more popular and efficient.

Just as you can accept the promise of that person to send you the 50 BTC when he gets a hold of his computer.

The point would be making BTC conveniently tradeable, like cash.  It lowers the minimum required IQ to participate in the Bitcoin economy, which would really help Bitcoin be accepted as mainstream currency.

If I have a babysitter watch my kids, the babysitter would like to get cash.  Or a check.  Both would be much more received than a promise to "I'll get online and transfer you some money through my bank next time I'm at my computer".  If everyone viewed receiving a promise of an electronic transfer the same way as receiving cash, society would have no need for cash.

If I buy someone a beer and he hands me a $10 bill and it turns out to be counterfeit, then I'm out my money.  Of course, next time I see him, I can certainly give him hell, or kick his ass, or...maybe I'm just out $10 and I don't worry about it.  If it's not enough for me to pull out a black counterfeit marker to check his $10, then it's probably no worse for me to accept a bitcoin smartcard that "could" be counterfeit as well.