Bitcoin Forum
Author Topic: Theft-Resistant "Specific Use Only" Wallets  (Read 1920 times)
Kluge (OP)
March 07, 2014, 03:30:59 PM
Last edit: March 07, 2014, 03:52:12 PM by Kluge
 #1

Was pooping, reading about Nigerian wealth disparity, and... no, no, wait - it's not racist, just hear me out!


Assuming people begin regularly carrying around bitcoins in a wallet for daily expenditure, could an organization pop up which, say, represents all Bitcoin merchants in North America - or perhaps BitPay could handle this all centrally... Anyway, is it possible to create separate "specific-use-only" wallets you could store in, say, your phone or your Trezor, where funds could only be sent to specific whitelisted addresses? (the whitelisted addresses must be impossible to edit with only the "specific use only" wallet, though maybe it could take an auto-updated list from the merchant organization?)

The idea is that the coins in the wallet could only be sent to specific addresses -- legitimate merchants. If a thief demanded your bitcoins, he'd have to steal the entire physical wallet device and could only spend the coins at legitimate merchants. He could not simply transfer coins to his own wallet. If the hardware wallet were stolen, the police can easily put together a database of blacklisted addresses which are pushed to merchants (this could be very effective if bitcoin change could be forced to go into old addresses instead of generating new ones). This DOES NOT affect fungibility. Since this is a "specific use only" wallet derived from a full-access wallet, it would be assumed that the user has a full-access wallet still at home on his more-secure device. Therefore, when he goes home, he simply transfers coins to a new address of his which does not need to be whitelisted because he'll be on the full-access wallet (the thief could not do this just by having, say, his cell phone). He can do whatever he wants from the full-access wallet, maybe create a "specific-use-only" wallet for terrorism and drugs - Idunno - or he could maybe create gift cards, where perhaps you can only spend the coins at, say, Amazon. (Oh. Giftcards. Maybe there's another application in this idea.)

I'm having trouble explaining this because I don't have the slightest idea how it would be implemented, but seems fairly plausible and maybe beneficial. Figured was worth throwing out there before I forget it.
drrussellshane
March 07, 2014, 03:42:14 PM
 #2

I hope that you still remembered to wipe.

whtchocla7e
March 07, 2014, 03:46:59 PM
 #3

Idea is flawed because there's no such thing as a theft-resistant wallet.

Kluge (OP)
March 07, 2014, 03:48:17 PM
 #4

Quote
Idea is flawed because there's no such thing as a theft-resistant wallet.
Huh
Peter R
March 07, 2014, 03:49:17 PM
 #5

...


I have a feeling this is presently under development.  


runam0k
March 07, 2014, 04:33:59 PM
 #6

Not knowing anything about anything, I would think no, because the private key would have to be present in order to be able to send the coins to whitelisted addresses. It could be a feature of the client, of course, but it wouldn't mean much if the private key itself was compromised. So I guess the question becomes how secure is the phone / hardware wallet?
madmadmax
March 07, 2014, 05:05:19 PM
 #7

The thief would then purchase Gold from a legitimate seller and then resell it for fiat or plain BTC?










jimhsu
March 07, 2014, 05:11:12 PM
 #8

I think this is one of the clear cases where some sort of multisig approach makes sense.

Naively, I would think a 2 out of n (where n is a really big number consisting of "trusted" merchants) approach could work. Though this has the obvious problem of n being very big, and vulnerable to cases where one of the merchants gets compromised (the risk of which scales linearly w/ the number of merchants).

Thinking some more, there are two other alternatives:

2 out of 3 multisig, where the third is someone trusted (like bitpay) - less compromise, but more reliance on a centralized entity
2 out of n, where n is a much smaller number than above - some sort of "hierarchical" trust model, where each merchant in turn trusts n other merchants. This would be the most "ripple-like" scheme, but I'm having trouble wrapping my head around how this would work exactly.

In any case, I think multisig is a critical part of the solution.

In the fields of observation, chance favors only the prepared mind
ManaUser
March 07, 2014, 05:15:14 PM
 #9

You could create and sign (but not send) multiple transactions from your address to another specific address in various amounts and then carry those instead of your actual private key. That's the only way I can think of, and it's kind of cumbersome.
Kluge (OP)
March 07, 2014, 05:30:32 PM
 #10

@Jim - Multisig approach makes sense. The cold storage device has two parts (its own part and the mobile phone's part), and the mobile device has just one, so you could still "unlimit" your bitcoins if you want, but the thief still would be limited to merchants on the whitelist if he only had the mobile phone. Can you force certain parts of keys to be required instead of a blanket "m of n"? Like... can you force the mobile phone keypart to be required, and then require either the cold storage device keypart or a Bitpay keypart with a merchant keypart? I guess you could kludge something together where there are many multi-sigs and multiple ways to unlock the "master" multi-sig....?

Quote
The thief would then purchase Gold from a legitimate seller and then resell it for fiat or plain BTC?
If the thief can get there before a blacklist request is pushed from the list organizer (police, Bitpay, whoever) to the compliant merchants at the request of full-wallet owner and/or before the person who was stolen from moves the funds.
jimhsu
March 07, 2014, 07:50:44 PM
 #11

Quote
Like... can you force the mobile phone keypart to be required, and then require either the cold storage device keypart or a Bitpay keypart with a merchant keypart? I guess you could kludge something together where there are many multi-sigs and multiple ways to unlock the "master" multi-sig....?

2 out of 3 Shamir Secret Sharing with {phone, cold storage, bitpay}? This does not implicitly trust bitpay, but does trust it to spend funds to the "appropriate location".

Alternatively, several sets of {phone, cold storage, merchant(n)}

Most workable approach so far.


Kluge (OP)
March 07, 2014, 08:51:26 PM
 #12

Quote
Like... can you force the mobile phone keypart to be required, and then require either the cold storage device keypart or a Bitpay keypart with a merchant keypart? I guess you could kludge something together where there are many multi-sigs and multiple ways to unlock the "master" multi-sig....?

2 out of 3 Shamir Secret Sharing with {phone, cold storage, bitpay}? This does not implicitly trust bitpay, but does trust it to spend funds to the "appropriate location".

Alternatively, several sets of {phone, cold storage, merchant(n)}

Most workable approach so far.

I'm unsure if multisig may support (or may eventually support) conditional "n"s.

Maybe you need:
Phone
+
Cold Storage.

If no Cold Storage, then both Merchant + Bitpay. (Bitpay's sign-off by providing a keypart helps verify the merchant hasn't been compromised) Bitpay would also refuse a sign-off if the customer claimed his keys were stolen and could sign that claim with the cold storage device's keypart, so it'd require the cold storage device's sign-off to move.
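
The conditional rule sketched in the post above (phone part always required, plus either the cold storage part or merchant + Bitpay together) can be written down as a small policy model and compared against a plain "m of n" threshold. This is an added example, not code from any poster or wallet project: key parts are modelled as labels only, no real signatures are involved, and all function names are hypothetical.

```python
from itertools import combinations

# Key-part names taken from the thread; everything else is illustrative.
KEY_PARTS = ("phone", "cold_storage", "merchant", "bitpay")

# Per post #10: the phone carries one part, the cold storage device
# carries its own part plus a copy of the phone's part.
PHONE_DEVICE = frozenset({"phone"})
COLD_DEVICE = frozenset({"phone", "cold_storage"})


def policy_allows(signers, theft_reported=False):
    """Phone part is mandatory; then cold storage OR (merchant AND bitpay).
    Assumption: Bitpay withholds its part once a theft has been reported."""
    parts = set(signers)
    if theft_reported:
        parts.discard("bitpay")
    if "phone" not in parts:
        return False
    return "cold_storage" in parts or {"merchant", "bitpay"} <= parts


def all_subsets(parts=KEY_PARTS):
    for size in range(len(parts) + 1):
        for combo in combinations(parts, size):
            yield frozenset(combo)


def minimal_signer_sets(theft_reported=False):
    """Smallest key-part combinations that can move the funds."""
    allowed = [s for s in all_subsets() if policy_allows(s, theft_reported)]
    return sorted(sorted(s) for s in allowed
                  if not any(other < s for other in allowed))


def matching_threshold():
    """Return m if a blanket m-of-4 rule accepts exactly the same signer
    sets as the policy, otherwise None."""
    for m in range(1, len(KEY_PARTS) + 1):
        if all((len(s) >= m) == policy_allows(s) for s in all_subsets()):
            return m
    return None


def scenarios():
    """Outcomes for the situations discussed in the thread."""
    cosigners = {"merchant", "bitpay"}
    return {
        "thief, stolen phone alone": policy_allows(PHONE_DEVICE),
        "thief at whitelisted merchant, before report":
            policy_allows(PHONE_DEVICE | cosigners),
        "thief at whitelisted merchant, after report":
            policy_allows(PHONE_DEVICE | cosigners, theft_reported=True),
        "owner at home, after report":
            policy_allows(COLD_DEVICE, theft_reported=True),
    }


if __name__ == "__main__":
    print("minimal signer sets:", minimal_signer_sets())
    print("equivalent m-of-4 threshold:", matching_threshold())
    for name, ok in scenarios().items():
        print(f"{name}: {'can spend' if ok else 'blocked'}")
```

No single threshold reproduces the rule, so it has to be expressed as a combination of conditions rather than one blanket m-of-n; the window between the theft and the report is the remaining exposure.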
tabnloz
March 07, 2014, 10:04:51 PM
 #13

I think this will be used for subscription based services where you set up a wallet with funds and BTC can only be sent to a nominated address. So if you subscribe to Bitcoin Magazine you have a contract that sends them .01 BTC every week for a new edition. Specific use address.

Don't know the technicalities of this but hope it can be done, as it minimises the big risk of entering cc details in that there is a limited amount of funds that can only be sent to one address by contract.
amspir
March 07, 2014, 10:10:21 PM
 #14

Quote
Anyway, is it possible to create separate "specific-use-only" wallets you could store in, say, your phone or your Trezor, where funds could only be sent to specific whitelisted addresses?
I don't see a reason to create such a thing, there already exist gift cards (as a private payment system)

Quote
The idea is that the coins in the wallet could only be sent to specific addresses -- legitimate merchants. If a thief demanded your bitcoins, he'd have to steal the entire physical wallet device and could only spend the coins at legitimate merchants. He could not simply transfer coins to his own wallet. If the hardware wallet were stolen, the police can easily put together a database of blacklisted addresses which are pushed to merchants (this could be very effective if bitcoin change could be forced to go into old addresses instead of generating new ones). This DOES NOT affect fungibility.

I imagine a hardware wallet as a device that can be purchased anonymously. It would be cheap, and designed to cheaply connect to a public network wirelessly to send transactions and monitor the blockchain. You would use it to transfer money to another private person's wallet or the pay terminal of a retailer. It's not designed to hold a lot of money, that is, more money than you are willing to lose. It would be analogous to filling your own wallet with cash for the cash purchases you intend to make for the day. The reason people may want anonymous wallets is the same reason today you would choose to buy something with cash rather than using a credit card. You may not want the receiver to be able to know who you are.

Now, if you lose your hardware wallet, you can go home and sweep the addresses that it owns with the optional wallet backup program.  Same thing if a thief physically takes your wallet, you can sweep the wallet with the backup program before the thief does, you get your money back.  If the thief sweeps the wallet before you do (after cracking or coercing the password on the device such as a 4 digit pin), then the police can track the money until it hits a public address that may unblind the thief (i.e. a retail pay terminal with surveillance.)  

If you keep a large amount of money in such a wallet, then you may be asking for trouble. There's always a small possibility that the manufacturer of the wallet may have inserted or allowed a hack that allows someone else to gain access to the wallet's private keys.

The idea of a hardware wallet is that it would become an acceptable risk to carry certain amounts of money, and the device or the money can be lost without causing a catastrophic loss of funds.  There's no reason to implement a specialized limited fungibility system for bitcoin, the retailer can just sell you a gift card instead.
jimhsu
March 07, 2014, 10:16:46 PM
 #15

The only way that "anonymous" and "hardware wallet" can work is, I think, as a prepaid device. Otherwise, sending funds to it can be traced similarly to sending on any other device. So -- basically, a gift card.

Kluge (OP)
March 07, 2014, 10:26:12 PM
 #16

Quote
Anyway, is it possible to create separate "specific-use-only" wallets you could store in, say, your phone or your Trezor, where funds could only be sent to specific whitelisted addresses?
I don't see a reason to create such a thing, there already exist gift cards (as a private payment system)

Quote
The idea is that the coins in the wallet could only be sent to specific addresses -- legitimate merchants. If a thief demanded your bitcoins, he'd have to steal the entire physical wallet device and could only spend the coins at legitimate merchants. He could not simply transfer coins to his own wallet. If the hardware wallet were stolen, the police can easily put together a database of blacklisted addresses which are pushed to merchants (this could be very effective if bitcoin change could be forced to go into old addresses instead of generating new ones). This DOES NOT affect fungibility.

I imagine a hardware wallet as a device that can be purchased anonymously. It would be cheap, and designed to cheaply connect to a public network wirelessly to send transactions and monitor the blockchain. You would use it to transfer money to another private person's wallet or the pay terminal of a retailer. It's not designed to hold a lot of money, that is, more money than you are willing to lose. It would be analogous to filling your own wallet with cash for the cash purchases you intend to make for the day. The reason people may want anonymous wallets is the same reason today you would choose to buy something with cash rather than using a credit card. You may not want the receiver to be able to know who you are.

Now, if you lose your hardware wallet, you can go home and sweep the addresses that it owns with the optional wallet backup program.  Same thing if a thief physically takes your wallet, you can sweep the wallet with the backup program before the thief does, you get your money back.  If the thief sweeps the wallet before you do (after cracking or coercing the password on the device such as a 4 digit pin), then the police can track the money until it hits a public address that may unblind the thief (i.e. a retail pay terminal with surveillance.)  

If you keep a large amount of money in such a wallet, then you may be asking for trouble. There's always a small possibility that the manufacturer of the wallet may have inserted or allowed a hack that allows someone else to gain access to the wallet's private keys.

The idea of a hardware wallet is that it would become an acceptable risk to carry certain amounts of money, and the device or the money can be lost without causing a catastrophic loss of funds.  There's no reason to implement a specialized limited fungibility system for bitcoin, the retailer can just sell you a gift card instead.
I could see a gift card being an okay solution if it were instead, say, redeemable private currencies I could redeem for a currency of my choice, but I was thinking more along the lines of something I could use at any legitimate merchant, but not a fencer, illegal gun salesman, or street-corner drug salesman. When I was thinking about this, I was envisioning a rubber hose kind of scenario, where bitcoins were being demanded of me, but it would be impossible for me to send them to the thief, so threats to make me hand money over to him would be ineffective since I couldn't send money to his address. I could give him the physical wallet hardware and password, but then he'd have to only use it at registered merchants, where the blacklisting and unblinding, as you mention, would come into play.

I'd guess this solution, if feasible, would permit conversion of the "specific use" keys/funds back into "true bitcoins" (thus not really impacting fungibility except while you're away from your cold storage device) while still allowing you to use the bitcoins at almost all merchants which accept BTC, which I definitely can't do with gift cards. It's also trustless insofar as BitPay (or whoever organizes the theoretical system) doesn't control funds -- they'd need my keyparts for each expenditure, which I'd hold. Idunno, though. It does all sound very complicated with fairly little reward. Hopefully, there're better ideas out there which I like from a security:convenience perspective.
amspir
March 07, 2014, 10:47:50 PM
 #17

Quote
The only way that "anonymous" and "hardware wallet" can work is, I think, as a prepaid device. Otherwise, sending funds to it can be traced similarly to sending on any other device. So -- basically, a gift card.

They most could be, but I'd prefer a reusable device that could have its private keys changed. I'd personally be taking the money off the wallet when I wasn't using it, and putting it back on when I did, using paper wallets that had private keys that didn't exist on any machine. Anonymity could be preserved by loading and unloading with anonymous paper wallets. If it traces to your exchange, that is information that only LE should be able to access, not the retailer or an individual person.
amspir
March 07, 2014, 11:08:39 PM
 #18


Quote
I could see a gift card being an okay solution if it were instead, say, redeemable private currencies I could redeem for a currency of my choice, but I was thinking more along the lines of something I could use at any legitimate merchant, but not a fencer, illegal gun salesman, or street-corner drug salesman.

What you are seeking is the current credit/debit card system with reversible transactions and no anonymity. Such a system currently does not allow payments to individual private persons. I normally can't meet with a person that I find on craigslist selling an item I want and pay him with my debit card.

Quote
When I was thinking about this, I was envisioning a rubber hose kind of scenario, where bitcoins were being demanded of me, but it would be impossible for me to send them to the thief, so threats to make me hand money over to him would be ineffective since I couldn't send money to his address. I could give him the physical wallet hardware and password, but then he'd have to only use it at registered merchants, where the blacklisting and unblinding, as you mention, would come into play.

You shouldn't be carrying devices that have access to private keys to large amounts of bitcoin, so they can be coerced from you. The average person doesn't carry large amounts of cash so it minimizes the risk. The risk vs. reward ratio should be large enough to deter most criminals. If you are uncomfortable with carrying around a certain amount of cash, you should also be uncomfortable with carrying around the private keys to the same amount of bitcoin.
BurtW
March 07, 2014, 11:32:42 PM
 #19

I think there is a business case for this also.  Suppose a business or group of them want to sell/give away/discount Bitcoins that only work at their business or group of businesses.

Then I think the multisig would work here.  You buy/get for free/get at a discount the BTC but you can only spend them at certain places. 

amspir
March 07, 2014, 11:53:11 PM
Last edit: March 08, 2014, 12:05:24 AM by amspir
 #20

Quote
I think there is a business case for this also.  Suppose a business or group of them want to sell/give away/discount Bitcoins that only work at their business or group of businesses.

Then I think the multisig would work here.  You buy/get for free/get at a discount the BTC but you can only spend them at certain places.  

You are still talking about limited fungibility bitcoins, and there can't and shouldn't be such a thing.  You may be able to make a hardware device that limits itself to generating transactions only to white-listed addresses, but it's only a hardware protection that could be hacked or cracked to get access to the private keys.   It might even get you killed if an armed mugger doesn't believe that your hardware bitcoin wallet is limited in that way.  Such a business or group should use their own gift card system, rather than trying to use bitcoins.

If you insist on grafting such a system to bitcoins, probably the only way is to have private keys in escrow with the "business or group", in a system where it requires both parties to access the private key. But it would require the other party to release them back to you in the event you want to spend fully fungible bitcoins. (update - just read jimhsu's suggestion https://bitcointalk.org/index.php?topic=505455.msg5574757#msg5574757 which could work)


