Making a real tangible bitcoin that actually conveys BTC

[Mike Hearn]

I'm probably just being slow but I don't see how stealing a private key through breaking into the chip is any different to it simply being spent then handed on. You would get a card with a useless (already spent) address in it. But that could happen anyway by the holder simply redeeming the card.

I don't buy the cash analogy. Such a smartcard is NOT cash because forging counterfeit notes that resemble the real thing is hard, but redeeming a smartcard would hopefully be very easy (otherwise they have no point).

So it's pretty tough for you to pay me for my beer with a counterfeit note that'll fool me. But unless the smartcards somehow self destruct in a way that's easy to visually see, it's very easy for you to pay me with a used up card. I would then pass it on (why redeem it, it's cash!) and it'd pass between people until one day somebody wanted to send the cash electronically. Only then would they discover the card had already been redeemed and was useless.

Sorry, I don't see any way this can work reliably. NFC enabled smartphones will work a lot better for casual transactions because they can trigger real BitCoin transfers that can be quickly verified by a trusted node.

[casascius]

Sorry, I don't see any way this can work reliably.

No one is stopping you from demanding the payment method of your choice, even if that's Federal Reserve Notes.

NFC enabled smartphones will work a lot better for casual transactions because they can trigger real BitCoin transfers that can be quickly verified by a trusted node.

That will work a lot better for people who a) have smartphones b) know how to use them c) want to use them.  It won't work better for the drunk at the bar (he pawned his smartphone long ago), the guy who can't afford one, or Grandpa who can barely grasp the cellphone concepts of "talk" and "end".

Sure, for you, you might say you want to be paid in bitcoin through your smartphone.

Bitcoin, to be acceptable as a mainstream currency, ought to be convertible to all kinds of forms.  Many people indeed will appreciate a paper "banknote" backed by bitcoin.  That banknote has to be backed by a company, which will bother libertarians, but not the casual beer drinker.  On the other hand, the banknote exchange could be shut down like eGold or Liberty Dollar, and it wouldn't have the protection of the Secret Service going after counterfeiters and could be brought to its knees by people who redeemed the BTC with counterfeit notes, so choose your risks.

We all wonder when Bitcoin will be useful for something more than "bitcoinxxx" porn and some offshore VPN hosting and Tuesday and Thursday babysitting in south Wichita Kansas.  The more media the better - the tangible one is important and ought not be brushed off.


Besides, at some point, such smart cards may as well be RFID (they're going that way already), and in a world of RFID cash, would certainly be readable by your smartphone.  You just whip out your smartphone, touch the bitcash card to it, and it verifies that it's good.  Best of both worlds.

[Gavin Andresen]

The smartcard-generates-a-private-key-itself seems like overkill.  No matter what, you have to trust the smartcard manufacturer.  Because even if the smartcard generates a private key, you have to trust that the smartcard manufacturer didn't:
 + Add a backdoor that lets them read the private key
 + Break the implementation so the private key created is predictable

If you have to trust the smartcard manufacturer anyway, it seems to me a much simpler solution is to just associated a bitcoin address with a tangible bitcoin.

Redeeming the tangible bitcoin then means turning it over to the issuer and having them send the bitcoins to one of your addresses.

It is easy to solve half of the "is this valid" problem-- you can easily check to see if bitcoins have been sent to that address and are still unspent.

The other half of the problem is "is there another unredeemed copy out there?"

Perhaps the issuer could publish a public database of unredeemed tangible bitcoins that is:
  bitcoin address -->  hash of information that the tangible bitcoin purchaser provides

I could then check that database to see if bitcoin address 1abc was sold ONLY to SHA256("Gavin Andresen 1-Jan-2011").  That stops the issuer from selling the same bitcoins over and over again.

I still have to trust that the issuer won't decide to spend all the bitcoins (since they have the private keys) and disappear.  But that's really no different from trusting your smartcard manufacturer.

(interesting thing to think about:  the issuer could actually use just one private key and generate as many public keys as they like that can all be signed using that one private key...)

[casascius]

The smartcard-generates-a-private-key-itself seems like overkill.  No matter what, you have to trust the smartcard manufacturer.  Because even if the smartcard generates a private key, you have to trust that the smartcard manufacturer didn't:
 + Add a backdoor that lets them read the private key
 + Break the implementation so the private key created is predictable

If you have to trust the smartcard manufacturer anyway, it seems to me a much simpler solution is to just associated a bitcoin address with a tangible bitcoin.

Both problems are alleviated by requiring a 2nd signature, that any user in possession of the card can load on the card, as well as encumber the bitcoins via the blockchain.  Without proof of knowing the user-provided 2nd private key, the bitcoins could not be spent.  All nodes can verify this because they would have the public portion of that 2nd key.

Redeeming the tangible bitcoin then means turning it over to the issuer and having them send the bitcoins to one of your addresses.

It is easy to solve half of the "is this valid" problem-- you can easily check to see if bitcoins have been sent to that address and are still unspent.

Public key cryptography allows someone to prove mathematically they are in of possession of a private key, without requiring the private key to be divulged.  It's nifty.  SSL depends on it.  Smart cards come with the built-in ability to execute the algorithm that provides this proof.  The "is this valid" problem is easily solved without needing to actually move any bitcoins anywhere.

The other half of the problem is "is there another unredeemed copy out there?"

This would be answered by the second signature.  If you question whether someone else has the private key, you merely replace the #2 key yourself.  As soon as that replacement is accepted by the block chain, you can be pretty sure that any other unredeemed copy out there is worthless.

(interesting thing to think about:  the issuer could actually use just one private key and generate as many public keys as they like that can all be signed using that one private key...)

I don't think it works like that.  One private key has exactly one public key.  They have a mathematical relationship that is easily confirmed.

[Mike Hearn]

Current smartphone sales rates are so high that within a few years, basically everyone will have them. Android alone is selling over 300,000 devices a day right now and shows no signs of stopping. In other words over 2 million new devices every week.

   http://www.infosyncworld.com/reviews/cell-phones/google-android-sales/11591.html

Apple is selling fewer but still a huge number. Add them together and you have an incredible force that shows no signs of slowing down. And it sounds like the cost might drop dramatically in future:

   http://technorati.com/technology/android/article/broadcoms-new-bcm2157-chipset-may-bring/

Your grandpa who can't work a phone won't want to deal with smartcards. As pointed out several times, you cannot verify they are anything more than a lump of plastic and metal without some kind of extra hardware and software.

I think your idea of just using paper cash is way more on target. Just print regular banknotes that have the address printed onto them and all the regular paper money anti-counterfeiting protections. You can then redeem the notes into BitCoins to a target address by handing them in to the central authority that mints them. After the coins are sent on, the mint "reloads" the note by doing a Bitcoin transfer to the notes address and reissues it into circulation.

Now you can accept these notes easily and know it's valid, because the only time it's not valid is when it's sitting in a vault in the mints offices.

But national currencies aren't going anywhere. The best way for people who don't want to deal with new fangled technology will just be to use old style cash with a robust network of currenct exchangers. Kind of like how the internet changed everything but lots of people don't use it and do just fine.

[casascius]

Current smartphone sales rates are so high that within a few years, basically everyone will have them. Android alone is selling over 300,000 devices a day right now and shows no signs of stopping. In other words over 2 million new devices every week.

I would be willing to bet that the number of Americans who don't even own sheets for their bed numbers into the millions, despite the wide availability of bed sheets at Wal-Mart and even thrift stores.  You mention the Internet changed everything but lots of people get by without it... Same thing goes here with smartphones.

Your grandpa who can't work a phone won't want to deal with smartcards. As pointed out several times, you cannot verify they are anything more than a lump of plastic and metal without some kind of extra hardware and software.

Grandpa doesn't want to deal with smart cards, but if he can wave his card at a reader and the reader can say "card is good", I think he can buy that.  Beyond that, he will think of the card no differently than he now thinks of a banknote.  Typical Grandpa hates smartphones, but amazingly has no problem with using an ATM.

I think your idea of just using paper cash is way more on target. Just print regular banknotes that have the address printed onto them and all the regular paper money anti-counterfeiting protections. You can then redeem the notes into BitCoins to a target address by handing them in to the central authority that mints them. After the coins are sent on, the mint "reloads" the note by doing a Bitcoin transfer to the notes address and reissues it into circulation.

Somebody, with near certainty, will do this.  Of course, it provides none of the benefits of using Bitcoin in the first place.  If you're using banknotes backed by Bitcoin, then you are using something distributed by a central issuer.  All of those banknotes will be worthless if the issuer decides to squander the BTC, or inflate his banknotes by letting the press run wild, or gets raided by the fed.  The fact that it's on target and will be acceptable by many doesn't mean we need to stop looking for a way for the average non-computer-owning drunk to put bitcoins in his pocket with the same level of protection that we have as bitcoin client users.

[davout]

Bitcoin behaves like cash in the digital sphere, not in the physical world.

Trying to have bitcoin behave like physical cash is like trying to stuff a $10 bill in an e-mail. Good luck with that.

[casascius]

Bitcoin behaves like cash in the digital sphere, not in the physical world.

Trying to have bitcoin behave like physical cash is like trying to stuff a $10 bill in an e-mail. Good luck with that.

If Bitcoins can be encumbered with two private keys instead of one, I feel quite certain this magic would be possible.

Look at it another way.  A smart card bearing Bitcoins would be the physical equivalent of carrying a "wallet.dat" on a memory stick, with the only difference being that spending those coins requires a second digital signature by a key only known to a TPM.  It's just convenient that a smart card could serve both purposes at once, fit in a wallet, and be cheaply made.  When a password takes the place of "wallet.dat", the world calls this "two factor authentication".

I dare you to give me an intelligent rebuttal as to why that can't work, rather than a senseless non-sequitur.  Assuming we both welcome the future success of Bitcoin, I hope we can hope together that this assumption is a mistaken one.

[davout]

I dare you to give me an intelligent rebuttal as to why that can't work

Because fiat currency, gold and silver coins do the job much better if all you want is have a beer