Bitcoin Forum
Author Topic: partially non-transferable coins (w. applications for physical coins?)  (Read 886 times)
adam3us
Sr. Member
****
expert
Offline Offline

Activity: 400


in bitcoin we trust


View Profile WWW
November 02, 2013, 02:50:15 PM
 #1

Towards reducing the manufacturer and hardware trust of physical coins it occurred to me that you can easily and voluntarily create a non-block-chain-transferable bitcoin.  It's a bit like partially destroying a coin (by spending it to an invalid address) where you create a coin that is not blockchain spendable (by bitcoin's rules), but where you can still prove you half-own it, and can hence half-transfer it.  Because you can half-transfer it, it can still be transferred outside of blockchain rules (e.g. offline or by a group of clients respecting these alternate rules).

To summarize existing methods that coins can be sacrificed or made permanently non-transferable: spend the bitcoin to an invalid address, e.g. to the address 0, or H(digits of pi) or to an address formed from a public key of form H(random).

Now back on topic, to create a coin that is partly spendable is analogous:  a 2 of 2 signature with one invalid address.  Or requiring hash preimage of 0, or digits of pi.

(I mentioned the idea of having a multisig with one invalid address in the thread about fixed public key coins, also about physical coins, but I did not see this use case at that time.)

Alternatively if the serial number were implemented as a demonstrably invalid optional second signing address added to a multisig, on each physical coin, probably tools could already index it; though invalid addresses are frowned on for frustrating compaction.

The partially-transferable coin means you have intentionally created a coin that can not be transferred on the blockchain but the physical ownership can still be demonstrated if you have an electronic coin like firmcoin ( https://bitcointalk.org/index.php?topic=232898.0 ).

How does that help physical bitcoin security?  Well it ensures that someone cannot empty a coin of its value undetectably by removing the SD card under the tamper evident sticker, or spending the private key where it's hidden under a tamper evident sticker, or trusting the coin manufacturer that the coin is even in there in the first place.  And relative to firmcoin (which allows coins to be unloaded and reloaded, but deletes the private key on unload), you no longer have to trust the manufacturer to do that as much, because even if they have the private key in unloaded state on their computer, they still can't spend it on the block chain.

To double spend a coin the attacker would need an extra empty physical coin, or the manufacturer could put the same private key in multiple coins (or the user if the user loaded the private key).  And what's more if multiple people think they own the same coin it can be somewhat obvious in that the coin is spent at locations too far apart to physically move in the time frame.  (And this is a topic of another post, tracking that).

If it's permanently non-block-chain transferable, that creates two non-interchangeable bitcoins: a physical coin that can not be unloaded, and an online bitcoin, and the only way to trade them is to swap them 1 for 1.

You might also consider variants where the 2nd element is not invalid but heavily time-locked, e.g. 1 year.  To time-lock, the person loading the coin would create a 1 year time-lock and put the time-lock private key in the physical coin.  In this way anyone can validate the address and see it wouldn't have been possible to spend it yet.

Or where the 2nd signature allowing online redemption can be spent but only in cooperation with a somewhat-trusted entity, or a quorum of entities or users (k of n of them.)

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
jedunnigan
Sr. Member
****
Offline Offline

Activity: 280


View Profile
November 02, 2013, 09:10:59 PM
 #2

Yes, such a method was proposed in the Bitcoin Banknote scheme by Sergio. I like both ideas, although your solution works outside of the dollar bill scenario.
maaku
Legendary
*
expert
Offline Offline

Activity: 905


View Profile
November 02, 2013, 09:31:35 PM
 #3

One way to do this is to put OP_RETURN in front of any scriptPubKey. That will not just make it unspendable, but also remove it from the UTXO set, and the off-chain convention would be simple: drop the OP_RETURN code, and then treat it like a normal script.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
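The two constructions discussed in this thread, adam3us's 2-of-2 multisig with one demonstrably dead key slot (post #1) and maaku's OP_RETURN-prefixed scriptPubKey (post #3), both come down to a script that consensus will never let be spent but that an off-chain verifier can still parse with its own convention. The following Python (stdlib only) is an added example written for this page; it is not code from the thread, from firmcoin or from Bitcoin Core. The dead-slot tag string, the sample public key and the sample hash160 are all constructed for the demonstration, and the "dead key" is built as 0x02 followed by a published hash, the usual nothing-up-my-sleeve pattern standing in for the thread's H(digits of pi); that choice is an assumption, not something the thread specifies.

```python
import hashlib

# Script opcodes used below (values as in Bitcoin's script.h)
OP_RETURN, OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x6a, 0x76, 0xa9, 0x88, 0xac
OP_2, OP_CHECKMULTISIG, OP_PUSHDATA1 = 0x52, 0xae, 0x4c
MAX_SCRIPT_SIZE = 10000  # Bitcoin Core also treats anything larger as unspendable

def push(data: bytes) -> bytes:
    """Minimal push encoding (direct push up to 75 bytes, else OP_PUSHDATA1)."""
    if len(data) <= 75:
        return bytes([len(data)]) + data
    return bytes([OP_PUSHDATA1, len(data)]) + data

def parse(script: bytes) -> list:
    """Tokenise a script into ('op', code) / ('push', data) items; rejects truncated pushes."""
    out, i = [], 0
    while i < len(script):
        b = script[i]; i += 1
        if 1 <= b <= 75 or b == OP_PUSHDATA1:
            if b == OP_PUSHDATA1:
                if i >= len(script):
                    raise ValueError("truncated OP_PUSHDATA1")
                n = script[i]; i += 1
            else:
                n = b
            if i + n > len(script):
                raise ValueError("truncated push")
            out.append(('push', script[i:i + n])); i += n
        else:
            out.append(('op', b))
    return out

# ---- adam3us: 2-of-2 where the second slot can never sign ----
DEAD_SLOT_TAG = b"partially non-transferable coin: dead key slot"  # assumed tag, chosen for this example

def dead_slot_key() -> bytes:
    """33 bytes shaped like a compressed pubkey whose x-coordinate is a published hash.
    Whether or not it decodes to a curve point, nobody holds a private key for it, so a
    2-of-2 containing it can never be satisfied on-chain (assumed construction)."""
    return b'\x02' + hashlib.sha256(DEAD_SLOT_TAG).digest()

def build_half_transferable(live_pubkey: bytes) -> bytes:
    """OP_2 <live key> <dead key> OP_2 OP_CHECKMULTISIG"""
    return bytes([OP_2]) + push(live_pubkey) + push(dead_slot_key()) + bytes([OP_2, OP_CHECKMULTISIG])

def holder_key(script: bytes):
    """Off-chain rule: accept only an exact 2-of-2 whose second slot is the dead key.
    Returns the live key (the one a signature proves half-ownership with), else None."""
    t = parse(script)
    if len(t) != 5 or t[0] != ('op', OP_2) or t[3] != ('op', OP_2) or t[4] != ('op', OP_CHECKMULTISIG):
        return None
    keys = [d for kind, d in t[1:3] if kind == 'push']
    if len(keys) != 2 or keys[1] != dead_slot_key() or len(keys[0]) != 33:
        return None
    return keys[0]

# ---- maaku: OP_RETURN in front of any scriptPubKey ----
def offchain_only(script: bytes) -> bytes:
    """Prefix OP_RETURN: provably unspendable, and pruned from the UTXO set by nodes."""
    return bytes([OP_RETURN]) + script

def is_unspendable(script: bytes) -> bool:
    """Bitcoin Core's CScript::IsUnspendable test."""
    return (len(script) > 0 and script[0] == OP_RETURN) or len(script) > MAX_SCRIPT_SIZE

def inner_script(script: bytes) -> bytes:
    """Off-chain convention: drop the OP_RETURN and treat the rest like a normal script."""
    if not script or script[0] != OP_RETURN:
        raise ValueError("not an off-chain-only output")
    return script[1:]

ALPHABET = b'123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'

def b58check_encode(payload: bytes) -> str:
    """Base58Check (version byte + data + 4-byte double-SHA256 checksum)."""
    raw = payload + hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, s = int.from_bytes(raw, 'big'), b''
    while n:
        n, r = divmod(n, 58); s = ALPHABET[r:r + 1] + s
    pad = len(raw) - len(raw.lstrip(b'\x00'))
    return (b'1' * pad + s).decode()

def p2pkh_script(hash160: bytes) -> bytes:
    return bytes([OP_DUP, OP_HASH160]) + push(hash160) + bytes([OP_EQUALVERIFY, OP_CHECKSIG])

def p2pkh_address(script: bytes) -> str:
    """Parse an ordinary P2PKH script and report its mainnet address (version 0x00)."""
    t = parse(script)
    if [x[0] for x in t] != ['op', 'op', 'push', 'op', 'op'] or t[0][1] != OP_DUP or t[4][1] != OP_CHECKSIG:
        raise ValueError("not P2PKH")
    return b58check_encode(b'\x00' + t[2][1])

if __name__ == "__main__":
    pk = b'\x02' + bytes(range(32))                      # constructed sample "live" pubkey
    h160 = hashlib.sha256(b"constructed sample").digest()[:20]  # constructed sample hash160
    print(holder_key(build_half_transferable(pk)).hex())
    print(is_unspendable(offchain_only(p2pkh_script(h160))), p2pkh_address(inner_script(offchain_only(p2pkh_script(h160)))))
```

The two halves compose: an OP_RETURN-prefixed 2-of-2 is stripped by `inner_script` and then checked by `holder_key`, so a client following both conventions still recovers the key whose signature demonstrates ownership, while the on-chain output stays unspendable and out of the UTXO set either way.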
adam3us
Sr. Member
****
expert
Offline Offline

Activity: 400


in bitcoin we trust


View Profile WWW
November 03, 2013, 10:02:42 PM
 #4

Quote from: jedunnigan on November 02, 2013, 09:10:59 PM
Yes, such a method was proposed in the Bitcoin Banknote scheme by Sergio. I like both ideas, although your solution works outside of the dollar bill scenario.

Yes I was aware of that one, the original poster had a 2 of 2 sig which might be a bit more like what is discussed above (partly non-transferable) though it was hard to understand what he meant, and Sergio simplified it to literally non-respendable period - sacrifice a bitcoin to a non-spendable address being hash of bank note serial number.

I had posted something earlier about fixing a coin public key while still being able to prove ownership also https://bitcointalk.org/index.php?topic=232787.5.  That idea was to hold the public key constant and change the base (which is not bitcoin format compatible).  There was also an idea to do something similar in a bitcoin standard way that could be a stable coin serial number (an auxiliary signed message, that the recipient would demand to be present).  The purpose of which is to allow the user to check the coin's current ownership status, with respect to a static identifier that is engraved around its rim say.

I prefer to think about a mostly online world where you want to ideally be able to check the status of a coin.  So the ability to do that without the ability to transfer it back to the blockchain (or with a clear long lock-time) means one issue is taken out of the picture - that if you are not online for a while after receiving the coin, a previous owner can't spend the bitcoin underneath you on the blockchain.

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
Luckybit
Hero Member
*****
Offline Offline

Activity: 714



View Profile
November 03, 2013, 11:16:40 PM
 #5

Quote from: adam3us on November 02, 2013, 02:50:15 PM
Towards reducing the manufacturer and hardware trust of physical coins it occurred to me that you can easily and voluntarily create a non-block-chain-transferable bitcoin.  It's a bit like partially destroying a coin (by spending it to an invalid address) where you create a coin that is not blockchain spendable (by bitcoin's rules), but where you can still prove you half-own it, and can hence half-transfer it.  Because you can half-transfer it, it can still be transferred outside of blockchain rules (e.g. offline or by a group of clients respecting these alternate rules).

To summarize existing methods that coins can be sacrificed or made permanently non-transferable: spend the bitcoin to an invalid address, e.g. to the address 0, or H(digits of pi) or to an address formed from a public key of form H(random).

Now back on topic, to create a coin that is partly spendable is analogous:  a 2 of 2 signature with one invalid address.  Or requiring hash preimage of 0, or digits of pi.

(I mentioned the idea of having a multisig with one invalid address in the thread about fixed public key coins, also about physical coins, but I did not see this use case at that time.)

Alternatively if the serial number were implemented as a demonstrably invalid optional second signing address added to a multisig, on each physical coin, probably tools could already index it; though invalid addresses are frowned on for frustrating compaction.

The partially-transferable coin means you have intentionally created a coin that can not be transferred on the blockchain but the physical ownership can still be demonstrated if you have an electronic coin like firmcoin ( https://bitcointalk.org/index.php?topic=232898.0 ).

How does that help physical bitcoin security?  Well it ensures that someone cannot empty a coin of its value undetectably by removing the SD card under the tamper evident sticker, or spending the private key where it's hidden under a tamper evident sticker, or trusting the coin manufacturer that the coin is even in there in the first place.  And relative to firmcoin (which allows coins to be unloaded and reloaded, but deletes the private key on unload), you no longer have to trust the manufacturer to do that as much, because even if they have the private key in unloaded state on their computer, they still can't spend it on the block chain.

To double spend a coin the attacker would need an extra empty physical coin, or the manufacturer could put the same private key in multiple coins (or the user if the user loaded the private key).  And what's more if multiple people think they own the same coin it can be somewhat obvious in that the coin is spent at locations too far apart to physically move in the time frame.  (And this is a topic of another post, tracking that).

If it's permanently non-block-chain transferable, that creates two non-interchangeable bitcoins: a physical coin that can not be unloaded, and an online bitcoin, and the only way to trade them is to swap them 1 for 1.

You might also consider variants where the 2nd element is not invalid but heavily time-locked, e.g. 1 year.  To time-lock, the person loading the coin would create a 1 year time-lock and put the time-lock private key in the physical coin.  In this way anyone can validate the address and see it wouldn't have been possible to spend it yet.

Or where the 2nd signature allowing online redemption can be spent but only in cooperation with a somewhat-trusted entity, or a quorum of entities or users (k of n of them.)

Adam

Do you think this idea could work for Mastercoin under the context of user issued redeemable cryptocurrencies?

I will watch this.
jedunnigan
Sr. Member
****
Offline Offline

Activity: 280


View Profile
November 04, 2013, 01:14:36 AM
 #6

Quote from: Luckybit on November 03, 2013, 11:16:40 PM
Do you think this idea could work for Mastercoin under the context of user issued redeemable cryptocurrencies?

I will watch this.

Yes absolutely. It would for effectively any color coin implementation.