Bitcoin Forum
Author Topic: Making a real tangible bitcoin that actually conveys BTC  (Read 4527 times)
casascius (OP)
January 07, 2011, 04:43:20 AM
#1

This is an idea for a practical way to create a physical cash-like form of BTC, I will call a token.

The requirements for making a BTC token are 1) a way for a holder to prove it's real and 2) a way for a holder to get the BTC by themselves... beyond that, it needs to be a physical medium of exchange that can be entirely conveyed just by passing it to another person.

I propose this idea.

1 - BTC can be loaded on a pre-denominated smart card.  Have a peek at http://www.basiccard.com.  You can buy fully programmable smart cards for as little as $1.  Suppose I bought their kit and "made" a 50 BTC card (simply by printing 50 [Bitcoin logo] artwork on it).

2 - People would treat the smart card just like a 50 BTC bill, like cash.  It could be traded around for years, just like a 50 dollar bill.  The smart card contains the private key for a Bitcoin address holding 50 BTC, and an on-board application for keeping that private key secure.

3 - Anyone wanting to check the validity of the BTC on the smart card could stick the smart card into a reader.  The smart card would cough up the bitcoin address, public key, and sign a nonce (provided by the reader) to prove that the private key was on the card, to avoid divulging it.  The open source program on the reader would verify against the block chain to ensure 50 BTC was really at the address claimed on the card.  This function would be similar to using a "counterfeit detection pen" on FRNs.

4 - Anyone wanting to "cash out" the BTC on the card could do it, though this function would be a last resort as the card would no longer be usable.  The smart card application would have a mode that forces it to cough up the private key.  Once the private key were coughed up, the card would permanently report that the private key was divulged during future validity checks, so they would fail for that reason.

5 - Can the smart card generate its own keypair?  I happen to own a USB crypto stick (for Adobe CDS) that, by design, produces its own RSA keypair in hardware.  It's damn slow, but it works, and they've made it this way just to be very sure I can't physically get my own private key, so that usage of private key essentially proves physical possession of the device.  The device itself does all the signing, I must plug it in to sign a document.  I guess a smart card is really just a small processor.  A card that was able to generate its own keypair could theoretically be reloaded, because it could internally generate itself a brand new Bitcoin address that was known to no one else, to which somebody could send the 50 BTC back.

For curiosity's sake, this is a link to the physical device I own: http://www.cyprotect.com/e/main0105.php (mine is identical other than mine doesn't say SafeNet on it)... it looks like a thumb drive, but it definitely is not.  Windows sees this as a smart card reader that happens to have a smart card in it (as though it were removable) - so physically, it's probably just a reader with the smart card soldered in place.  Whatever this can do, probably so can a smart card.

Ideas?  Any obvious flaws?

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
theymos
January 07, 2011, 05:33:41 AM
#2

Interesting idea. It'd probably be more counterfeit-proof than paper currency.

However, you could create a counterfeit card that does all of the signing and stuff, but when you try to withdraw the bitcoins, it deletes the private key. Whoever creates the card gets to trade it and keep the BTC it represents.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
casascius (OP)
January 07, 2011, 06:06:33 AM
#3

Quote from: theymos on January 07, 2011, 05:33:41 AM
Interesting idea. It'd probably be more counterfeit-proof than paper currency.

However, you could create a counterfeit card that does all of the signing and stuff, but when you try to withdraw the bitcoins, it deletes the private key. Whoever creates the card gets to trade it and keep the BTC it represents.

A viable countermeasure might be that instead of signing a nonce, it signs a conditional transaction that is only good before block number X, and makes the highest X ever emitted for such a transaction available to any device reading the card.  The card would never know if it was forking over the bitcoins for real, but any reader who knew the current block count was well beyond max(X) could trust that the last transaction it emitted was void.

Obviously the bitcoin software would have to be modified to accept (or reject) such conditional transactions, but that doesn't sound like outside the realm of feasibility.

If it did this, it would permanently negate the need for the card to ever spill the private key to give up the bitcoins, or to generate a brand new key pair.  Dumping out the coins would simply mean broadcasting the conditional transaction in a timely manner.  Once block X came and went, the card would still be good if the bitcoins were merely "given back" to the card's address.

casascius (OP)
January 07, 2011, 06:46:34 AM
Last edit: January 07, 2011, 07:18:52 AM by casascius
#4

Thinking a little deeper, I am persuaded that the only weak link left in the chain would be the maker of the smart card.

- The maker of the smart card could record the private key of all the smart cards he produces, and later steal the BTC from all the cards he produced, all at once.
- The maker of the smart card could make the card lie about max(X), so someone could have a valid transaction out there with nobody knowing it.

If I'm on the right track, then an effective countermeasure could be as follows.  BTC addresses could have a "dual signature" scheme, where creating a valid transaction to spend the coins requires a second signature.

Signature 1 would be the private key embedded by the maker and cannot be changed.

Signature 2 would be a second private key, originally embedded by the maker but replaceable by any user.  A message could be broadcast via the block chain telling everybody the public key of signature 2; every client would then know that spending from this bitcoin address requires a valid second signature.

The private key for signature #2 doesn't really need to be kept secret from any possessor of the card, it only needs to be secret from the original maker of the card who might know private key for #1.  Private key #2 is useless when not accompanied by a signature made from private key #1.

Any user with a smart card reader could generate a brand new keypair for generating signature 2, and upload it to the card, and then send a signed "new second signature" message (signed by #1 and old #2) to the block chain, telling everybody about the replaced #2.  Such a message, of course, would expire by a certain block X.

The verification process (the "counterfeit detection pen" process) would confirm that the publicly known key for signature #2 had a corresponding private key on the card.

The original maker of the smart card might know the private key for signature #1, but definitely will not know the private key for signature #2 since it was made by a user on their own computer.  The maker could steal the money from the card until the first person generates a new #2.

Anyone possessing a valid card but suspicious that the maker (or anybody else) might know private key #1 and possibly #2 may simply generate a brand new #2; once it is acknowledged by the block chain, he may know the BTC on the card is good without trusting anyone, not even the card maker.

The smart card will have memory to remember the last two or three keypair #2's instead of overwriting it immediately upon replacement, to eliminate the risk that a botched attempt to update #2 would render the card worthless.

Finally,

To prevent cards from lying about max(X), they could be required to give not just a block number, but also the known hash for a block.  The network could say, conditional transactions are good for 10 blocks and no more.  Instead of saying, "this transaction good till block 100000", it could say "I know the latest block 100000 has hash XXX", and all clients know, that transaction is void past block 100009.  The card would have no way to create a conditional transaction that lasted any longer than that.

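Added example (not code from this thread or from any Casascius product) modelling the reader check from post #1 step 3 together with the replaceable second key and "new second signature" message from post #4. It assumes a toy Schnorr-style signature over Z_p^* in place of Bitcoin's ECDSA, an address derived from key 1, a constructed message format, and a dictionary standing in for the block chain's key-2 records and unspent balances.

```python
import hashlib
import secrets

# Toy Schnorr-style signature over Z_p^* (stand-in for secp256k1 ECDSA; standard library only).
P = (1 << 127) - 1   # 2^127 - 1 is prime
G = 3
Q = P - 1            # exponent modulus

def keygen():
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)

def _e(r, msg):
    return int.from_bytes(hashlib.sha256(r.to_bytes(16, "big") + msg).digest(), "big") % Q

def sign(x, msg):
    k = secrets.randbelow(Q - 1) + 1
    r = pow(G, k, P)
    return r, (k - x * _e(r, msg)) % Q

def verify(y, msg, sig):
    r, s = sig
    return pow(G, s, P) * pow(y, _e(r, msg), P) % P == r

def address_of(y1):
    # Assumed construction: the card's address is a hash of the fixed maker key 1.
    return hashlib.sha256(y1.to_bytes(16, "big")).hexdigest()[:40]

def rekey_message(addr, new_y2):
    # The "new second signature" message broadcast via the block chain (format assumed).
    return b"new-key2:" + addr.encode() + b":" + new_y2.to_bytes(16, "big")

class Card:
    """Card model: key 1 fixed by the maker, key 2 replaceable by the holder."""
    def __init__(self, x1, y1, x2, y2):
        self._x1, self.y1 = x1, y1
        self._x2, self.y2 = x2, y2
        self.old_x2 = []   # last two key-2 secrets kept so a botched rekey is recoverable

    def address(self):
        return address_of(self.y1)

    def sign_challenge(self, nonce):
        msg = b"challenge:" + nonce
        return sign(self._x1, msg), sign(self._x2, msg)   # proves both keys are on the card

    def rekey(self, new_x2, new_y2):
        msg = rekey_message(self.address(), new_y2)
        sigs = (sign(self._x1, msg), sign(self._x2, msg))   # signed by #1 and the old #2
        self.old_x2 = (self.old_x2 + [self._x2])[-2:]
        self._x2, self.y2 = new_x2, new_y2
        return msg, sigs

class Chain:
    """Stands in for the block chain: key 1, currently required key 2 and balance per address."""
    def __init__(self):
        self.key1, self.key2, self.utxo = {}, {}, {}

    def register(self, y1, y2, btc):
        addr = address_of(y1)
        self.key1[addr], self.key2[addr], self.utxo[addr] = y1, y2, btc

    def apply_rekey(self, addr, msg, sigs):
        # A rekey message counts only if signed by key 1 and by the key 2 currently on record.
        new_y2 = int.from_bytes(msg[-16:], "big")
        ok = (msg == rekey_message(addr, new_y2)
              and verify(self.key1[addr], msg, sigs[0])
              and verify(self.key2[addr], msg, sigs[1]))
        if ok:
            self.key2[addr] = new_y2
        return ok

def verify_card(card, chain, expected_btc):
    """The reader's "counterfeit detection pen": nonce challenge plus block chain lookup."""
    nonce = secrets.token_bytes(16)
    msg = b"challenge:" + nonce
    sig1, sig2 = card.sign_challenge(nonce)
    checks = {
        "key1_on_card": verify(card.y1, msg, sig1),
        "key2_is_current": chain.key2.get(card.address()) == card.y2 and verify(card.y2, msg, sig2),
        "funded": chain.utxo.get(card.address(), 0) == expected_btc,
    }
    return all(checks.values()), checks

def scenario():
    """Maker issues a 50 BTC card and the holder rekeys: the rekeyed card still validates,
    a card rebuilt from the maker's copy of the original keys no longer does."""
    (x1, y1), (x2, y2) = keygen(), keygen()
    chain = Chain()
    chain.register(y1, y2, 50)
    card = Card(x1, y1, x2, y2)
    maker_copy = Card(x1, y1, x2, y2)   # the maker recorded both original keys at production
    before = verify_card(card, chain, 50)[0]
    nx2, ny2 = keygen()                 # holder's own key 2, made on the holder's computer
    msg, sigs = card.rekey(nx2, ny2)
    accepted = chain.apply_rekey(card.address(), msg, sigs)
    return before, accepted, verify_card(card, chain, 50)[0], verify_card(maker_copy, chain, 50)[0]
```

`scenario()` returns `(True, True, True, False)`: the chain also rejects a later rekey attempted with the stale original key 2, which is what makes the holder's own key 2 the trust anchor.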
FreddyFender
January 07, 2011, 06:59:11 AM
#5

If you were to incorporate a trusted 3rd party, such as Open-Transactions that held the keys it might be doable. The only downfall is fake readers with a modified merkletree that fails to grant access.

casascius (OP)
January 07, 2011, 07:07:39 AM
#6

Quote from: FreddyFender on January 07, 2011, 06:59:11 AM
If you were to incorporate a trusted 3rd party, such as Open-Transactions that held the keys it might be doable. The only downfall is fake readers with a modified merkletree that fails to grant access.

Huh? Explain.  Readers don't "grant access", they merely confirm the money is either good or it's not.  (and perhaps re-key the card if in doubt the keys are secure).

Unlike Visa or ATM, these cards don't need to be read to be spent, just to be verified as non-counterfeit.  Conscientious user can own and trust his own reader attached to his own computer.  User should practice safe sex, and not stick his smart cards ("bit cash") into random holes and he should have nothing to worry about.  If he wants to spend the money on the card, he GIVES the card away like cash.

theymos
January 07, 2011, 08:28:24 AM
#7

Quote from: casascius on January 07, 2011, 06:06:33 AM
A viable countermeasure might be that instead of signing a nonce, it signs a conditional transaction that is only good before block number X, and makes the highest X ever emitted for such a transaction available to any device reading the card.  The card would never know if it was forking over the bitcoins for real, but any reader who knew the current block count was well beyond max(X) could trust that the last transaction it emitted was void.

This can't be implemented because it breaks certain transaction guarantees. In particular, it would allow transactions with more than 6 confirmations to be accidentally reversed due to network segmentation.

We can't safely do OP_BLOCKNUMBER.  In the event of a block chain reorg after a segmentation, transactions need to be able to get into the chain in a later block.  The OP_BLOCKNUMBER transaction and all its dependants would become invalid.  This wouldn't be fair to later owners of the coins who weren't involved in the time limited transaction.

Bitcoin already has code to delay transaction validity until a certain time, but it will never expire transactions.

Quote from: casascius on January 07, 2011, 06:46:34 AM
BTC addresses could have a "dual signature" scheme, where creating a valid transaction to spend the coins requires a second signature.

This is already supported by the protocol.

caveden
January 07, 2011, 08:37:05 AM
#8

You can rely on trust in the issuer, that's not a major problem, I think. All you need is a way to be sure it really was the issuer you trust who created that smart card, and that could be done by a simple signature of the card address/public key.

The problem I see in this is the card production cost... is it as cheap as a piece of paper? If the cost is high, this would only be useful for larger amounts of bitcoins, never for pennies...
theymos
January 07, 2011, 08:41:24 AM
#9

Quote from: caveden on January 07, 2011, 08:37:05 AM
All you need is a way to be sure it really was the issuer you trust who created that smart card, and that could be done by a simple signature of the card address/public key.

It's not as simple as you think. If the owner publishes a signed list of addresses, the fake card can just use one of those. If the real card contains a signed message from the owner, the fake card can copy this. If the real card signs challenges, then it contains a private key that the fake card can steal.

This is how DVD and Blu-Ray got cracked; it's impossible to secure hardware.

caveden
January 07, 2011, 09:53:14 AM
#10

Quote from: theymos on January 07, 2011, 08:41:24 AM
If the real card signs challenges, then it contains a private key that the fake card can steal.

I thought smart cards were designed in a way that stealing the private content of the memory was practically unfeasible.... isn't that the big deal about smart cards?
theymos
January 07, 2011, 10:03:46 AM
#11

Quote from: caveden on January 07, 2011, 09:53:14 AM
I thought smart cards were designed in a way that stealing the private content of the memory was practically unfeasible.... isn't that the big deal about smart cards?

You only need to crack one to get unlimited counterfeiting ability. Trusted platform modules have been cracked, and smart cards can be, too.

caveden
January 07, 2011, 10:15:16 AM
#12

Why? Each card should contain a different bitcoin private key, the key that owns the amount... it is this key that should be used to sign challenges...
Mike Hearn
January 07, 2011, 10:25:06 AM
#13

I don't really understand the point of this.

You can't know whether a card has been spent or not without a complicated bit of technology AND a full block chain verification. This negates the point of having a cash-like thing. I can't just buy somebody a beer and have them hand me a 50 BTC smartcard because I have no idea if it's really got 50 unspent coins in it or if it's just a worthless piece of plastic. And if I have the technology to hand that can prove it's valid, we might as well be doing direct BTC transfers in the usual manner.

On smartcard security. I don't really agree with theymos. Modern smartcard security can be incredibly strong. Look at satellite TV for an example of that. If you don't have access to a sophisticated lab and a scanning electron microscope you aren't even in the game. And cracking one doesn't mean you can crack them all - only if you can find some kind of flaw in the card that allows that. The linked article about hacking TPMs is by Christopher Tarnovsky. If you look into the history of secure chip hacking this name comes up a lot, because he's one of the very few guys in the world that are able to do it. Even then it took him 6 months. He does this kind of thing as an advert for his company and because he enjoys it, not because it's economically feasible to spend 6 months hacking one chip.

Are you Christopher Tarnovsky? Are your friends? If the answer is no, then you don't have to worry about smartcard security. The field is really that tiny.
theymos
January 07, 2011, 10:39:58 AM
#14

Quote from: Mike Hearn on January 07, 2011, 10:25:06 AM
Are you Christopher Tarnovsky? Are your friends? If the answer is no, then you don't have to worry about smartcard security. The field is really that tiny.

This is an entirely different problem. It's like cracking DVD's CSS, not like cracking individual smartcards. It doesn't matter how difficult it is to crack because you only need to get one private key.

Before BitCorp sells Bitcoin cards, they publish a signed list of all the addresses the cards are using. If one of those addresses goes rogue, then an unlimited number of counterfeit cards can be created using that one public key. BitCorp can revoke the signature on that address, but this news won't propagate fast enough -- hundreds or thousands of unbacked cards can be made by a counterfeiter in the meantime.

caveden
January 07, 2011, 12:49:22 PM
#15

Quote from: Mike Hearn on January 07, 2011, 10:25:06 AM
You can't know whether a card has been spent or not without a complicated bit of technology AND a full block chain verification. This negates the point of having a cash-like thing. I can't just buy somebody a beer and have them hand me a 50 BTC smartcard because I have no idea if it's really got 50 unspent coins in it or if it's just a worthless piece of plastic. And if I have the technology to hand that can prove it's valid, we might as well be doing direct BTC transfers in the usual manner.

This problem could be avoided if we could assure that the only way the coins in a card could be spent was through the card's destruction.

A way I can think of implementing this is by having only part of the bitcoin private key on the card, and the other part remains under possession of the issuer. Only the issuer, with the card in hand, could then sign a transaction. Such issuer could assure that all cards are destroyed right after such signature.

This would require a second, full private key in the card for signing challenges - and the issuer would have to sign the public part of this key as well - and, of course, would render the cashing-out of such cards more complicated. But, well, if they are supposed to be used as physical cash, this is much like how bank notes backed by gold were redeemed in the past.
caveden
January 07, 2011, 01:03:42 PM
#16

Quote from: theymos on January 07, 2011, 10:39:58 AM
Before BitCorp sells Bitcoin cards, they publish a signed list of all the addresses the cards are using. If one of those addresses goes rogue, then an unlimited number of counterfeit cards can be created using that one public key. BitCorp can revoke the signature on that address, but this news won't propagate fast enough -- hundreds or thousands of unbacked cards can be made by a counterfeiter in the meantime.

True, that's a security risk. I don't see how to remove it completely, but it could be mitigated by
  • Making cards with an expire date.
  • Improving fraud detection by physically tracing each card. Something like every merchant that verifies the validity of a card also publishes somewhere that "card X was here at this timestamp". This way the issuer might detect cloned cards faster.

As long as counterfeiting such cards is harder or as difficult as counterfeiting paper money, this can be seen as an improvement... think about credit cards... all you need is to get hold of the numbers written on it and it's done, you can use somebody else's money to buy stuff on the net.

But yeah, it starts to get so complicated to implement it that maybe smartphones apps will be much more popular and efficient.
MacRohard
January 07, 2011, 01:08:24 PM
#17

Quote from: Mike Hearn on January 07, 2011, 10:25:06 AM
I don't really understand the point of this.

You can't know whether a card has been spent or not without a complicated bit of technology AND a full block chain verification. This negates the point of having a cash-like thing. I can't just buy somebody a beer and have them hand me a 50 BTC smartcard because I have no idea if it's really got 50 unspent coins in it or if it's just a worthless piece of plastic. And if I have the technology to hand that can prove it's valid, we might as well be doing direct BTC transfers in the usual manner.

I don't think it's completely pointless. You could accept a 50 BTC smartcard from someone you trust.

davout
January 07, 2011, 01:26:39 PM
#18

Quote from: MacRohard on January 07, 2011, 01:08:24 PM
I don't think it's completely pointless. You could accept a 50 BTC smartcard from someone you trust.

Just as you can accept the promise of that person to send you the 50 BTC when he gets a hold of his computer.

casascius (OP)
January 07, 2011, 01:59:06 PM
Last edit: January 07, 2011, 02:14:01 PM by casascius
#19

Quote from: theymos on January 07, 2011, 10:39:58 AM
Quote from: Mike Hearn on January 07, 2011, 10:25:06 AM
Are you Christopher Tarnovsky? Are your friends? If the answer is no, then you don't have to worry about smartcard security. The field is really that tiny.

This is an entirely different problem. It's like cracking DVD's CSS, not like cracking individual smartcards. It doesn't matter how difficult it is to crack because you only need to get one private key.

Before BitCorp sells Bitcoin cards, they publish a signed list of all the addresses the cards are using. If one of those addresses goes rogue, then an unlimited number of counterfeit cards can be created using that one public key. BitCorp can revoke the signature on that address, but this news won't propagate fast enough -- hundreds or thousands of unbacked cards can be made by a counterfeiter in the meantime.

If cards required a 2nd keypair that could be changed by any user at any time, the entire batch of cards would instantly fail to validate the moment anyone performed a rekey on ANY card from the entire batch.  Only the rekeyed card would continue to work.

There would be no need to go to such lengths to "steal" a private key from a card... there's nothing special about it, a would-be thief would be able to just get one from wallet.dat.

casascius (OP)
January 07, 2011, 02:37:24 PM
#20

Quote from: davout on January 07, 2011, 01:26:39 PM
Quote from: MacRohard on January 07, 2011, 01:08:24 PM
I don't think it's completely pointless. You could accept a 50 BTC smartcard from someone you trust.

Just as you can accept the promise of that person to send you the 50 BTC when he gets a hold of his computer.

The point would be making BTC conveniently tradeable, like cash.  It lowers the minimum required IQ to participate in the Bitcoin economy, which would really help Bitcoin be accepted as mainstream currency.

If I have a babysitter watch my kids, the babysitter would like to get cash.  Or a check.  Both would be much better received than a promise like "I'll get online and transfer you some money through my bank next time I'm at my computer".  If everyone viewed receiving a promise of an electronic transfer the same way as receiving cash, society would have no need for cash.

If I buy someone a beer and he hands me a $10 bill and it turns out to be counterfeit, then I'm out my money.  Of course, next time I see him, I can certainly give him hell, or kick his ass, or...maybe I'm just out $10 and I don't worry about it.  If it's not enough for me to pull out a black counterfeit marker to check his $10, then it's probably no worse for me to accept a bitcoin smartcard that "could" be counterfeit as well.




Mike Hearn
January 07, 2011, 03:00:45 PM
#21

I'm probably just being slow but I don't see how stealing a private key through breaking into the chip is any different to it simply being spent then handed on. You would get a card with a useless (already spent) address in it. But that could happen anyway by the holder simply redeeming the card.

I don't buy the cash analogy. Such a smartcard is NOT cash because forging counterfeit notes that resemble the real thing is hard, but redeeming a smartcard would hopefully be very easy (otherwise they have no point).

So it's pretty tough for you to pay me for my beer with a counterfeit note that'll fool me. But unless the smartcards somehow self destruct in a way that's easy to visually see, it's very easy for you to pay me with a used up card. I would then pass it on (why redeem it, it's cash!) and it'd pass between people until one day somebody wanted to send the cash electronically. Only then would they discover the card had already been redeemed and was useless.

Sorry, I don't see any way this can work reliably. NFC enabled smartphones will work a lot better for casual transactions because they can trigger real BitCoin transfers that can be quickly verified by a trusted node.
casascius (OP)
January 07, 2011, 03:27:22 PM
#22

Quote from: Mike Hearn on January 07, 2011, 03:00:45 PM
Sorry, I don't see any way this can work reliably.

No one is stopping you from demanding the payment method of your choice, even if that's Federal Reserve Notes.

Quote from: Mike Hearn on January 07, 2011, 03:00:45 PM
NFC enabled smartphones will work a lot better for casual transactions because they can trigger real BitCoin transfers that can be quickly verified by a trusted node.

That will work a lot better for people who a) have smartphones b) know how to use them c) want to use them.  It won't work better for the drunk at the bar (he pawned his smartphone long ago), the guy who can't afford one, or Grandpa who can barely grasp the cellphone concepts of "talk" and "end".

Sure, for you, you might say you want to be paid in bitcoin through your smartphone.

Bitcoin, to be acceptable as a mainstream currency, ought to be convertible to all kinds of forms.  Many people indeed will appreciate a paper "banknote" backed by bitcoin.  That banknote has to be backed by a company, which will bother libertarians, but not the casual beer drinker.  On the other hand, the banknote exchange could be shut down like eGold or Liberty Dollar, and it wouldn't have the protection of the Secret Service going after counterfeiters and could be brought to its knees by people who redeemed the BTC with counterfeit notes, so choose your risks.

We all wonder when Bitcoin will be useful for something more than "bitcoinxxx" porn and some offshore VPN hosting and Tuesday and Thursday babysitting in south Wichita Kansas.  The more media the better - the tangible one is important and ought not be brushed off.


Besides, at some point, such smart cards may as well be RFID (they're going that way already), and in a world of RFID cash, would certainly be readable by your smartphone.  You just whip out your smartphone, touch the bitcash card to it, and it verifies that it's good.  Best of both worlds.




Gavin Andresen
January 07, 2011, 03:29:58 PM
#23

The smartcard-generates-a-private-key-itself seems like overkill.  No matter what, you have to trust the smartcard manufacturer.  Because even if the smartcard generates a private key, you have to trust that the smartcard manufacturer didn't:
 + Add a backdoor that lets them read the private key
 + Break the implementation so the private key created is predictable

If you have to trust the smartcard manufacturer anyway, it seems to me a much simpler solution is to just associate a bitcoin address with a tangible bitcoin.

Redeeming the tangible bitcoin then means turning it over to the issuer and having them send the bitcoins to one of your addresses.

It is easy to solve half of the "is this valid" problem-- you can easily check to see if bitcoins have been sent to that address and are still unspent.

The other half of the problem is "is there another unredeemed copy out there?"

Perhaps the issuer could publish a public database of unredeemed tangible bitcoins that is:
  bitcoin address -->  hash of information that the tangible bitcoin purchaser provides

I could then check that database to see if bitcoin address 1abc was sold ONLY to SHA256("Gavin Andresen 1-Jan-2011").  That stops the issuer from selling the same bitcoins over and over again.

I still have to trust that the issuer won't decide to spend all the bitcoins (since they have the private keys) and disappear.  But that's really no different from trusting your smartcard manufacturer.

(interesting thing to think about:  the issuer could actually use just one private key and generate as many public keys as they like that can all be signed using that one private key...)


How often do you get the chance to work on a potentially world-changing project?
casascius (OP)
Mike Caldwell
January 07, 2011, 03:37:23 PM
Last edit: January 07, 2011, 03:57:38 PM by casascius
 #24

The smartcard-generates-a-private-key-itself seems like overkill.  No matter what, you have to trust the smartcard manufacturer.  Because even if the smartcard generates a private key, you have to trust that the smartcard manufacturer didn't:
 + Add a backdoor that lets them read the private key
 + Break the implementation so the private key created is predictable

If you have to trust the smartcard manufacturer anyway, it seems to me a much simpler solution is to just associate a bitcoin address with a tangible bitcoin.

Both problems are alleviated by requiring a 2nd signature, that any user in possession of the card can load on the card, as well as encumber the bitcoins via the blockchain.  Without proof of knowing the user-provided 2nd private key, the bitcoins could not be spent.  All nodes can verify this because they would have the public portion of that 2nd key.

Redeeming the tangible bitcoin then means turning it over to the issuer and having them send the bitcoins to one of your addresses.

It is easy to solve half of the "is this valid" problem-- you can easily check to see if bitcoins have been sent to that address and are still unspent.

Public key cryptography allows someone to prove mathematically they are in possession of a private key, without requiring the private key to be divulged.  It's nifty.  SSL depends on it.  Smart cards come with the built-in ability to execute the algorithm that provides this proof.  The "is this valid" problem is easily solved without needing to actually move any bitcoins anywhere.

The other half of the problem is "is there another unredeemed copy out there?"

This would be answered by the second signature.  If you question whether someone else has the private key, you merely replace the #2 key yourself.  As soon as that replacement is accepted by the block chain, you can be pretty sure that any other unredeemed copy out there is worthless.


(interesting thing to think about:  the issuer could actually use just one private key and generate as many public keys as they like that can all be signed using that one private key...)


I don't think it works like that.  One private key has exactly one public key.  They have a mathematical relationship that is easily confirmed.

Mike Hearn
January 07, 2011, 03:40:20 PM
 #25

Current smartphone sales rates are so high that within a few years, basically everyone will have them. Android alone is selling over 300,000 devices a day right now and shows no signs of stopping. In other words over 2 million new devices every week.

   http://www.infosyncworld.com/reviews/cell-phones/google-android-sales/11591.html

Apple is selling fewer but still a huge number. Add them together and you have an incredible force that shows no signs of slowing down. And it sounds like the cost might drop dramatically in future:

   http://technorati.com/technology/android/article/broadcoms-new-bcm2157-chipset-may-bring/

Your grandpa who can't work a phone won't want to deal with smartcards. As pointed out several times, you cannot verify they are anything more than a lump of plastic and metal without some kind of extra hardware and software.

I think your idea of just using paper cash is way more on target. Just print regular banknotes that have the address printed onto them and all the regular paper money anti-counterfeiting protections. You can then redeem the notes into BitCoins to a target address by handing them in to the central authority that mints them. After the coins are sent on, the mint "reloads" the note by doing a Bitcoin transfer to the note's address and reissues it into circulation.

Now you can accept these notes easily and know it's valid, because the only time it's not valid is when it's sitting in a vault in the mint's offices.

But national currencies aren't going anywhere. The best way for people who don't want to deal with newfangled technology will just be to use old style cash with a robust network of currency exchangers. Kind of like how the internet changed everything but lots of people don't use it and do just fine.
casascius (OP)
Mike Caldwell
January 07, 2011, 03:48:50 PM
 #26

Current smartphone sales rates are so high that within a few years, basically everyone will have them. Android alone is selling over 300,000 devices a day right now and shows no signs of stopping. In other words over 2 million new devices every week.

I would be willing to bet that the number of Americans who don't even own sheets for their bed numbers into the millions, despite the wide availability of bed sheets at Wal-Mart and even thrift stores.  You mention the Internet changed everything but lots of people get by without it... Same thing goes here with smartphones.

Your grandpa who can't work a phone won't want to deal with smartcards. As pointed out several times, you cannot verify they are anything more than a lump of plastic and metal without some kind of extra hardware and software.

Grandpa doesn't want to deal with smart cards, but if he can wave his card at a reader and the reader can say "card is good", I think he can buy that.  Beyond that, he will think of the card no differently than he now thinks of a banknote.  Typical Grandpa hates smartphones, but amazingly has no problem with using an ATM.

I think your idea of just using paper cash is way more on target. Just print regular banknotes that have the address printed onto them and all the regular paper money anti-counterfeiting protections. You can then redeem the notes into BitCoins to a target address by handing them in to the central authority that mints them. After the coins are sent on, the mint "reloads" the note by doing a Bitcoin transfer to the note's address and reissues it into circulation.

Somebody, with near certainty, will do this.  Of course, it provides none of the benefits of using Bitcoin in the first place.  If you're using banknotes backed by Bitcoin, then you are using something distributed by a central issuer.  All of those banknotes will be worthless if the issuer decides to squander the BTC, or inflate his banknotes by letting the press run wild, or gets raided by the fed.  The fact that it's on target and will be acceptable by many doesn't mean we need to stop looking for a way for the average non-computer-owning drunk to put bitcoins in his pocket with the same level of protection that we have as bitcoin client users.

davout
January 07, 2011, 08:56:51 PM
 #27

Bitcoin behaves like cash in the digital sphere, not in the physical world.

Trying to have bitcoin behave like physical cash is like trying to stuff a $10 bill in an e-mail. Good luck with that.

casascius (OP)
Mike Caldwell
January 08, 2011, 06:17:50 AM
 #28

Bitcoin behaves like cash in the digital sphere, not in the physical world.

Trying to have bitcoin behave like physical cash is like trying to stuff a $10 bill in an e-mail. Good luck with that.

If Bitcoins can be encumbered with two private keys instead of one, I feel quite certain this magic would be possible.

Look at it another way.  A smart card bearing Bitcoins would be the physical equivalent of carrying a "wallet.dat" on a memory stick, with the only difference being that spending those coins requires a second digital signature by a key only known to a TPM.  It's just convenient that a smart card could serve both purposes at once, fit in a wallet, and be cheaply made.  When a password takes the place of "wallet.dat", the world calls this "two factor authentication".

I dare you to give me an intelligent rebuttal as to why that can't work, rather than a senseless non-sequitur.  Assuming we both welcome the future success of Bitcoin, I hope we can hope together that this assumption is a mistaken one.

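The validity check from post #24 (the card signs a reader's nonce, and a card that has divulged its key refuses forever after) and the two-key encumbrance from posts #24 and #28 (a spend needs both the card's signature and the holder's), modelled as an added example that is not code from the thread or from any Casascius product. It uses P-256 ECDSA from the Go standard library in place of Bitcoin's secp256k1, simulates the card and reader in one process, and leaves the block-chain balance lookup out; all names and the transaction bytes are constructed here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Token models the on-card application: the card key plus a sticky "divulged" flag.
type Token struct {
	key      *ecdsa.PrivateKey
	divulged bool
}

func NewToken() *Token {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) } // constructed example: no RNG failure handling
	return &Token{key: k}
}

// PublicKey is all the card discloses to a reader; the private key stays on the card.
func (t *Token) PublicKey() *ecdsa.PublicKey { return &t.key.PublicKey }

// SignNonce answers a reader's challenge; a divulged card refuses, so later checks fail.
func (t *Token) SignNonce(nonce []byte) ([]byte, error) {
	if t.divulged {
		return nil, errors.New("private key was divulged; card is spent")
	}
	h := sha256.Sum256(nonce)
	return ecdsa.SignASN1(rand.Reader, t.key, h[:])
}

// CashOut is the last-resort mode: export the key and mark the card spent for good.
func (t *Token) CashOut() *ecdsa.PrivateKey { t.divulged = true; return t.key }

// Verify is the reader side: a fresh random nonce must be signed by the expected key.
func Verify(t *Token, expected *ecdsa.PublicKey) bool {
	nonce := make([]byte, 32)
	rand.Read(nonce) // fresh challenge from crypto/rand; a short read only fails the check
	sig, err := t.SignNonce(nonce)
	h := sha256.Sum256(nonce)
	return err == nil && ecdsa.VerifyASN1(expected, h[:], sig)
}

// SpendAuthorized models the two-key encumbrance: both keys must have signed the same tx.
func SpendAuthorized(tx []byte, cardPub, holderPub *ecdsa.PublicKey, cardSig, holderSig []byte) bool {
	h := sha256.Sum256(tx)
	return ecdsa.VerifyASN1(cardPub, h[:], cardSig) && ecdsa.VerifyASN1(holderPub, h[:], holderSig)
}
```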
davout
January 08, 2011, 08:45:51 AM
 #29

I dare you to give me an intelligent rebuttal as to why that can't work
Because fiat currency, gold and silver coins do the job much better if all you want is to have a beer :)
