Bitcoin Forum
November 08, 2024, 11:18:16 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1] 2 »  All
  Print  
Author Topic: Making a real tangible bitcoin that actually conveys BTC  (Read 4598 times)
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 07, 2011, 04:43:20 AM
Merited by ABCbits (1), ChiBitCTy (1)
 #1

This is an idea for a practical way to create a physical cash-like form of BTC, I will call a token.

The requirements for making a BTC token are 1) a way for a holder to prove it's real and 2) a way for a holder to get the BTC by themselves... beyond that, it needs to be a physical medium of exchange that can be entirely conveyed just by passing it to another person.

I propose this idea.

1 - BTC can be loaded on a pre-denominated smart card.  Have a peek at http://www.basiccard.com.  You can buy fully programmable smart cards for as little as $1.  Suppose I bought their kit and "made" a 50 BTC card (simply by printing 50 [Bitcoin logo] artwork on it)

2 - People would treat the smart card just like a 50 BTC bill, like cash.  It could be traded around for years, just like a 50 dollar bill.  The smart card contains the private key for a Bitcoin address holding 50 BTC, and an on-board application for keeping that private key secure.

3 - Anyone wanting to check the validity of the BTC on the smart card could stick the smart card into a reader.  The smart card would cough up the bitcoin address, public key, and sign a nonce (provided by the reader) to prove that the private key was on the card, to avoid divulging it.  The open source program on the reader would verify against the block chain to ensure 50 BTC was really at the address claimed on the card.  This function would be similar to using a "counterfeit detection pen" on FRN's.

4 - Anyone wanting to "cash out" the BTC on the card could do it, though this function would be a last resort as the card would no longer be usable.  The smart card application would have a mode that forces it to cough up the private key.  Once the private key were coughed up, the card would permanently report that the private key was divulged during future validity checks, so they would fail for that reason.

5 - Can the smart card generate its own keypair?  I happen to own a USB crypto stick (for Adobe CDS) that, by design, produces its own RSA keypair in hardware.  It's damn slow, but it works, and they've made it this way just to be very sure I can't physically get my own private key, so that usage of private key essentially proves physical possession of the device.  The device itself does all the signing, I must plug it in to sign a document.  I guess a smart card is really just a small processor.  A card that was able to generate its own keypair could theoretically be reloaded, because it could internally generate itself a brand new Bitcoin address that was known to no one else, to which somebody could send the 50 BTC back to.

For curiosity's sake, this is a link to the physical device I own: http://www.cyprotect.com/e/main0105.php (mine is identical other than mine doesn't say SafeNet on it)... it looks like a thumb drive, but it definitely is not.  Windows sees this as a smart card reader that happens to have a smart card in it (as though it were removable) - so physically, it's probably just a reader with the smart card soldered in place.  Whatever this can do, probably so can a smart card.

Ideas?  Any obvious flaws?

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13407


View Profile
January 07, 2011, 05:33:41 AM
 #2

Interesting idea. It'd probably be more counterfeit-proof than paper currency.

However, you could create a counterfeit card that does all of the signing and stuff, but when you try to withdraw the bitcoins, it deletes the private key. Whoever creates the card gets to trade it and keep the BTC it represents.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 07, 2011, 06:06:33 AM
 #3

Interesting idea. It'd probably be more counterfeit-proof than paper currency.

However, you could create a counterfeit card that does all of the signing and stuff, but when you try to withdraw the bitcoins, it deletes the private key. Whoever creates the card gets to trade it and keep the BTC it represents.

A viable countermeasure might be that instead of signing a nonce, it signs a conditional transaction that is only good before block number X, and makes the highest X ever emitted for such a transaction available to any device reading the card.  The card would never know if it was forking over the bitcoins for real, but any reader who knew the current block count was well beyond max(X) could trust that the last transaction it emitted was void.

Obviously the bitcoin software would have to be modified to accept (or reject) such conditional transactions, but that doesn't sound like outside the realm of feasibility.

If it did this, it would permanently negate the need for the card to ever spill the private key to give up the bitcoins, or to generate a brand new key pair.  Dumping out the coins would simply mean broadcasting the conditional transaction in a timely manner.  Once block X came and went, the card would still be good if the bitcoins were merely "given back" to the card's address.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 07, 2011, 06:46:34 AM
Last edit: January 07, 2011, 07:18:52 AM by casascius
 #4

Thinking a little deeper, I am persuaded that the only weak link left in the chain would be the maker of the smart card.

- The maker of the smart card could record the private key of all the smart cards he produces, and later steal the BTC from all the cards he produced, all at once.
- The maker of the smart card could make the card lie about max(X), so someone could have a valid transaction out there with nobody knowing it.

If I'm on the right track, then an effective countermeasure could be as follows.  BTC addresses could have a "dual signature" scheme, where creating a valid transaction to spend the coins requires a second signature.

Signature 1 would be the private key embedded by the maker and cannot be changed.

Signature 2 would be a second private key, originally embedded by the maker but replaceable by any user.  A message could be broadcast via the block chain telling everybody the public key of signature 2, every client would then know that spending from this bitcoin address requires a valid second signature.

The private key for signature #2 doesn't really need to be kept secret from any possessor of the card, it only needs to be secret from the original maker of the card who might know private key for #1.  Private key #2 is useless when not accompanied by a signature made from private key #1.

Any user with a smart card reader could generate a brand new keypair for generating signature 2, and upload it to the card, and then send a signed "new second signature" message (signed by #1 and old #2) to the block chain, telling everybody about the replaced #2.  Such message, of course, would expire by a certain block X.

The verification process (the "counterfeit detection pen" process) would confirm that publicly known key for signature #2  had a corresponding private key on the card.

Original maker of smart card might know private key for signature #1, but definitely will not know private key for signature #2 since it was made by a user on their own computer.  Maker could steal the money from the card until the first person generates a new #2.

Anyone possessing a valid card but suspicious that the maker (or anybody else) might know private key #1 and possibly #2, may simply generate a brand new #2, once acknowledged by the block chain, he may know the BTC on the card is good without trusting anyone, not even the card maker.

The smart card will have memory to remember the last two or three keypair #2's instead of overwriting it immediately upon replacement, to eliminate the risk that a botched attempt to update #2 would render the card worthless.

Finally,

To prevent cards from lying about max(x), they could be required to give not just a block number, but also the known hash for a block.  The network could say, conditional transactions are good for 10 blocks and no more.  Instead of saying, "this transaction good till block 100000", it could say "I know the latest block 100000 has hash XXX", and all clients know, that transaction is void past block 100009.  Card would have no way to create a conditional transaction that lasted any longer than that.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
FreddyFender
Full Member
***
Offline Offline

Activity: 215
Merit: 100


Shamantastic!


View Profile
January 07, 2011, 06:59:11 AM
 #5

If you were to incorporate a trusted 3rd party, such as Open-Transactions that held the keys it might be doable. The only downfall is fake readers with a modified merkletree that fails to grant access.

casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 07, 2011, 07:07:39 AM
 #6

If you were to incorporate a trusted 3rd party, such as Open-Transactions that held the keys it might be doable. The only downfall is fake readers with a modified merkletree that fails to grant access.

Huh explain.  Readers don't "grant access", they merely confirm the money is either good or it's not.  (and perhaps re-key the card if in doubt the keys are secure).

Unlike Visa or ATM, these cards don't need to be read to be spent, just to be verified as non-counterfeit.  Conscientious user can own and trust his own reader attached to his own computer.  User should practice safe sex, and not stick his smart cards ("bit cash") into random holes and he should have nothing to worry about.  If he wants to spend the money on the card, he GIVES the card away like cash.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13407


View Profile
January 07, 2011, 08:28:24 AM
 #7

A viable countermeasure might be that instead of signing a nonce, it signs a conditional transaction that is only good before block number X, and makes the highest X ever emitted for such a transaction available to any device reading the card.  The card would never know if it was forking over the bitcoins for real, but any reader who knew the current block count was well beyond max(X) could trust that the last transaction it emitted was void.

This can't be implemented because it breaks certain transaction guarantees. In particular, it would allow transactions with more than 6 confirmations to be accidentally reversed due to network segmentation.

We can't safely do OP_BLOCKNUMBER.  In the event of a block chain reorg after a segmentation, transactions need to be able to get into the chain in a later block.  The OP_BLOCKNUMBER transaction and all its dependants would become invalid.  This wouldn't be fair to later owners of the coins who weren't involved in the time limited transaction.

Bitcoin already has code to delay transaction validity until a certain time, but it will never expire transactions.

BTC addresses could have a "dual signature" scheme, where creating a valid transaction to spend the coins requires a second signature.

This is already supported by the protocol.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
January 07, 2011, 08:37:05 AM
 #8

You can rely on trust on the issuer, that's not a major problem, I think. All you need is a way to be sure it really was the issuer you trust who created that smart card, and that could be done by a simple signature of the card address/public key.

The problem I see in this is the card production cost... is it as cheap as a piece of paper? If the cost is high, this would only be useful for larger amounts of bitcoins, never for pennies...
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13407


View Profile
January 07, 2011, 08:41:24 AM
 #9

All you need is a way to be sure it really was the issuer you trust who created that smart card, and that could be done by a simple signature of the card address/public key.

It's not as simple as you think. If the owner publishes a signed list of addresses, the fake card can just use one of those. If the real card contains a signed message from the owner, the fake card can copy this. If the real card signs challenges, then it contains a private key that the fake card can steal.

This is how DVD and Blu-Ray got cracked; it's impossible to secure hardware.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
January 07, 2011, 09:53:14 AM
 #10

If the real card signs challenges, then it contains a private key that the fake card can steal.

I thought smart cards were designed in a way that stealing the private content of the memory was practically unfeasible.... isn't that the big deal about smart cards?
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13407


View Profile
January 07, 2011, 10:03:46 AM
 #11

I thought smart cards were designed in a way that stealing the private content of the memory was practically unfeasible.... isn't that the big deal about smart cards?

You only need to crack one to get unlimited counterfeiting ability. Trusted platform modules have been cracked, and smart cards can be, too.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
January 07, 2011, 10:15:16 AM
 #12

Why? Each card should contain a different bitcoin private key, the key that owns the amount... is this key that should be used to sign challenges...
Mike Hearn
Legendary
*
expert
Offline Offline

Activity: 1526
Merit: 1134


View Profile
January 07, 2011, 10:25:06 AM
 #13

I don't really understand the point of this.

You can't know whether a card has been spent or not without a complicated bit of technology AND a full block chain verification. This negates the point of having a cash-like thing. I can't just buy somebody a beer and have them hand me a 50 BTC smartcard because I have no idea if it's really got 50 unspent coins in it or if it's just a worthless piece of plastic. And if I have the technology to hand that can prove it's valid, we might as well be doing direct BTC transfers in the usual manner.

On smartcard security. I don't really agree with theymos. Modern smartcard security can be incredibly strong. Look at satellite TV for an example of that. If you don't have access to a sophisticated lab and a scanning electron microscope you aren't even in the game. And cracking one doesn't mean you can crack them all - only if you can find some kind of flaw in the card that allows that. The linked article about hacking TPMs is by Christopher Tarnovsky. If you look into the history of secure chip hacking this name comes up a lot, because he's one of the very few guys in the world that are able to do it. Even then it took him 6 months. He does this kind of thing as an advert for his company and because he enjoys it, not because it's economically feasible to spend 6 months hacking one chip.

Are you Christopher Tarnovsky? Are your friends? If the answer is no, then you don't have to worry about smartcard security. The field is really that tiny.
theymos
Administrator
Legendary
*
Offline Offline

Activity: 5376
Merit: 13407


View Profile
January 07, 2011, 10:39:58 AM
 #14

Are you Christopher Tarnovsky? Are your friends? If the answer is no, then you don't have to worry about smartcard security. The field is really that tiny.

This is an entirely different problem. It's like cracking DVD's CSS, not like cracking individual smartcards. It doesn't matter how difficult it is to crack because you only need to get one private key.

Before BitCorp sells Bitcoin cards, they publish a signed list of all the addresses the cards are using. If one of those addresses goes rogue, then an unlimited number of counterfeit cards can be created using that one public key. BitCorp can revoke the signature on that address, but this news won't propagate fast enough -- hundreds or thousands of unbacked cards can be made by a counterfeiter in the meantime.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
January 07, 2011, 12:49:22 PM
 #15

You can't know whether a card has been spent or not without a complicated bit of technology AND a full block chain verification. This negates the point of having a cash-like thing. I can't just buy somebody a beer and have them hand me a 50 BTC smartcard because I have no idea if it's really got 50 unspent coins in it or if it's just a worthless piece of plastic. And if I have the technology to hand that can prove it's valid, we might as well be doing direct BTC transfers in the usual manner.

This problem could be avoided if we could assure that the only way the coins in a card could be spent was through the card destruction.

A way I can think of implementing this is by having only part of the bitcoin private key on the card, and the other part remains under possession of the issuer. Only the issuer, with the card in hands, could then sign a transaction. Such issuer could assure that all cards are destroyed right after such signature.

This would require a second, full private key in the card for signing challenges - and the issuer would have to sign the public part of this key as well - and, of course, would render the cashing-out of such cards more complicated. But, well, if they are supposed to be used as physical cash, this is much like how bank notes backed by gold were redeemed in the past.
caveden
Legendary
*
Offline Offline

Activity: 1106
Merit: 1004



View Profile
January 07, 2011, 01:03:42 PM
 #16

Before BitCorp sells Bitcoin cards, they publish a signed list of all the addresses the cards are using. If one of those addresses goes rogue, then an unlimited number of counterfeit cards can be created using that one public key. BitCorp can revoke the signature on that address, but this news won't propagate fast enough -- hundreds or thousands of unbacked cards can be made by a counterfeiter in the meantime.

True, that's a security risk. I don't see how to remove it completely, but it could be mitigated by
  • Making cards with an expire date.
  • Improving fraud detection by physically tracing each card. Something like every merchant that verifies the validity of a card also publishes somewhere that "card X was here at this timestamp". This way the issuer might detect cloned cards faster.

As long as counterfeiting such cards is harder or as difficult as counterfeiting paper money, this can be see as an improvement... think about credit cards... all you need is to get hold of the numbers written on it and it's done, you can use somebody else's money to buy stuff on the net.

But yeah, it starts to get so complicated to implement it that maybe smartphones apps will be much more popular and efficient.
MacRohard
Full Member
***
Offline Offline

Activity: 212
Merit: 100



View Profile
January 07, 2011, 01:08:24 PM
 #17

I don't really understand the point of this.

You can't know whether a card has been spent or not without a complicated bit of technology AND a full block chain verification. This negates the point of having a cash-like thing. I can't just buy somebody a beer and have them hand me a 50 BTC smartcard because I have no idea if it's really got 50 unspent coins in it or if it's just a worthless piece of plastic. And if I have the technology to hand that can prove it's valid, we might as well be doing direct BTC transfers in the usual manner.

I don't think it's completly pointless. You could accept a 50 BTC smartcard from someone you trust.

davout
Legendary
*
Offline Offline

Activity: 1372
Merit: 1008


1davout


View Profile WWW
January 07, 2011, 01:26:39 PM
 #18

I don't think it's completly pointless. You could accept a 50 BTC smartcard from someone you trust.
Just as you can accept the promise of that person to send you the 50 BTC when he gets a hold of his computer.

casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 07, 2011, 01:59:06 PM
Last edit: January 07, 2011, 02:14:01 PM by casascius
 #19

Are you Christopher Tarnovsky? Are your friends? If the answer is no, then you don't have to worry about smartcard security. The field is really that tiny.

This is an entirely different problem. It's like cracking DVD's CSS, not like cracking individual smartcards. It doesn't matter how difficult it is to crack because you only need to get one private key.

Before BitCorp sells Bitcoin cards, they publish a signed list of all the addresses the cards are using. If one of those addresses goes rogue, then an unlimited number of counterfeit cards can be created using that one public key. BitCorp can revoke the signature on that address, but this news won't propagate fast enough -- hundreds or thousands of unbacked cards can be made by a counterfeiter in the meantime.

If cards required a 2nd keypair that could be changed by any user at any time, the entire batch of cards would instantly fail to validate the moment anyone performed a rekey on ANY card from the entire batch.  Only the rekeyed card would continue to work.

There would be no need to go to such lengths to "steal" a private key from a card... there's nothing special about it, a would-be thief would be able to just get one from wallet.dat.

Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
casascius (OP)
Mike Caldwell
VIP
Legendary
*
Offline Offline

Activity: 1386
Merit: 1140


The Casascius 1oz 10BTC Silver Round (w/ Gold B)


View Profile WWW
January 07, 2011, 02:37:24 PM
 #20

I don't think it's completly pointless. You could accept a 50 BTC smartcard from someone you trust.
Just as you can accept the promise of that person to send you the 50 BTC when he gets a hold of his computer.

The point would be making BTC conveniently tradeable, like cash.  It lowers the minimum required IQ to participate in the Bitcoin economy, which would really help Bitcoin be accepted as mainstream currency.

If I have a babysitter watch my kids, the babysitter would like to get cash.  Or a check.  Both would be much more received than a promise to "I'll get online and transfer you some money through my bank next time I'm at my computer".  If everyone viewed receiving a promise of an electronic transfer the same way as receiving cash, society would have no need for cash.

If I buy someone a beer and he hands me a $10 bill and it turns out to be counterfeit, then I'm out my money.  Of course, next time I see him, I can certainly give him hell, or kick his ass, or...maybe I'm just out $10 and I don't worry about it.  If it's not enough for me to pull out a black counterfeit marker to check his $10, then it's probably no worse for me to accept a bitcoin smartcard that "could" be counterfeit as well.




Companies claiming they got hacked and lost your coins sounds like fraud so perfect it could be called fashionable.  I never believe them.  If I ever experience the misfortune of a real intrusion, I declare I have been honest about the way I have managed the keys in Casascius Coins.  I maintain no ability to recover or reproduce the keys, not even under limitless duress or total intrusion.  Remember that trusting strangers with your coins without any recourse is, as a matter of principle, not a best practice.  Don't keep coins online. Use paper or hardware wallets instead.
Pages: [1] 2 »  All
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!