Bitcoin Forum
Author Topic: Mint Chip Technical Details  (Read 6091 times)
cbeast
April 13, 2012, 01:03:44 PM
 #21

MintChip has a poor security scheme and will be counterfeited. It will probably have high fees from brokers. It will have limited use, what can you buy for ten bucks? It is vaporware and is probably a FUD against what we have planned for Bitcoin.

The list of negatives for MintChip go on and on. At least it will be good for buying Bitcoin.

Any significantly advanced cryptocurrency is indistinguishable from Ponzi Tulips.
Dan The Man (OP)
April 13, 2012, 01:04:57 PM
 #22

any merchants that accepts mintchip can easily accept bitcoin too, because exchanging bitcoins for mintchip's USD or CAD can be automated and FREE! 0.00% exchange fee! how? P2P irreversible transactions Biatches  Cool!
What makes you think MintChip will be free?  Name one instance where a monopoly gives away its product for free?
Android, Team Fortress 2
DeathAndTaxes
April 13, 2012, 01:07:33 PM
 #23

Quote
MintChip has a poor security scheme and will be counterfeited. It will probably have high fees from brokers. It will have limited use, what can you buy for ten bucks? It is vaporware and is probably a FUD against what we have planned for Bitcoin.

The list of negatives for MintChip go on and on. At least it will be good for buying Bitcoin.

Wouldn't the negatives you just outlined also apply for buying Bitcoins?

1) Seller is exposed to potential counterfeiting
2) Buyer's acquisition price includes those high fees.
3) Both parties are limited to a small number of coins.

:)

The best thing about MintChip is increasing awareness of Bitcoin.  The first time someone runs into an artificial limit set by a central bank they will ask "Why?" and hopefully it is something like "Why does MintChip have a limit on tx but Bitcoin doesn't?"  or "Why do I need to buy this $10 chip only from the central bank but with Bitcoin I can use any free wallet?" or "Why does the value of my MintChips continually go down due to inflation but Bitcoin works with a predetermined minting rate?"

DeathAndTaxes
April 13, 2012, 01:35:43 PM
Last edit: April 13, 2012, 04:44:06 PM by DeathAndTaxes
 #24

To answer the OP direct question this is my understanding by reading the spec and API docs.  Everything is closed source and some low level details are simply not provided so assumptions and inferences which may later prove to be incorrect had to be made.

How it works?
The blockchain is the cornerstone technology for Bitcoin.  Without the blockchain nothing is possible.  The equivalent in MintChip system is the physical MintChip ("the chip").  The chip is a physically hardened tamper resistant cryptographic processor.  It will be available in a variety of formats (SD card, USB stick, crypto module) but the internal chip is the same.

The chip has four key functions:
a) protects a private key from extraction (and provide access to the corresponding public key).
b) sign outgoing tx w/ private key
c) verify incoming tx as valid
d) process tx to update an internal record of current balance and enforce rules based on that internal balance value (i.e. can't spend money you don't have).

Like in Bitcoin the private key "controls" the funds but unlike in Bitcoin the private key is kept private even from the user.  The private key is known only to the chip.  The entire security model works around the inability for anyone even the owner/user to ever know the private key.

There is no central ledger (either private like in Paypal or distributed like in Bitcoin).  Duplicate tx (double spends) in Bitcoin can be easily made as the user has access to private key.  To prevent that Bitcoin uses the distributed consensus created by the blockchain and forwarding rules by nodes to make double spend attempts "easy but uneconomical".

With no central ledger each chip uses the public key of the sending chip, the signature of the tx, and a nonce to ensure that tx can't be faked.  If the tx is valid then the chip assumes it had to have been created by the sender's chip.  Given the private key is known only to the chip normally that is a valid assumption. If someone could extract the private key from the chip they could fake txs at will.  Essentially print money from nothing. For the system to work nobody can ever extract the private key from any MintChip under any circumstances until the end of time. :)

Given the track record of "secret of a chip" systems it is an inevitability that someone will eventually be able to extract a private key and "counterfeit" funds.   Unlike physical counterfeiting there would be no incremental cost and counterfeit txs would be indistinguishable from valid txs.  Much like 51% attack is the Achilles heel of Bitcoin the extraction of private key from "the chip" is the Achilles heel of MintChip.

The "nobody not even user can know the secret key" limitation of MintChip creates some unique non-counterfeiting limitations:
a) deterministic wallets are impossible.  your chip is the wallet there are no exceptions.
b) backups of funds are impossible.  funds on lost/damaged chips are lost forever.
c) impossible to make "strongcoin" like limited trust ewallet services.  An ewallet provider will need physical access to "your chip" and thus 100% implicit trust is required.
d) unlike in Bitcoin double spends can't be detected.  Thus if fraud occurs the funds in circulation will be larger than the reserves held.  How this will be handled is unknown (central bank prints to cover the increase? fees remove funds from circulation?  exchange rate between physical CAD : mintchip CAD drops below 1:1?)
Dan The Man (OP)
April 13, 2012, 01:42:43 PM
 #25

Does a receiver need a special chip? How does it vet the valid senders from invalid ones? Is there a stored list of every valid public key somewhere? Essentially what is the mechanism that stops someone from imitating a broker.
Etlase2
April 13, 2012, 02:49:08 PM
 #26

Would be nice to know what "inferences" D&T had to make to spread his FUD lol

ribuck
April 13, 2012, 03:31:54 PM
 #27

Quote
unlike in Bitcoin double spends can't be detected.
I bet double-spends can be detected, just not if you're doing an offline transaction.

One way this could be done is for each transaction to carry around all of its inputs (to use the Bitcoin terminology), right back to the original input that loaded value onto the chip. Then, the double-spends get detected when chips are eventually "cashed in". The double-spends can be investigated and prosecuted by regular means (i.e. police evidence gathering rather than cryptographic techniques).

That, combined with the low transaction size limit and the high cost of extracting the key, is probably sufficient in practise to keep fraud low.
caveden
April 13, 2012, 04:09:24 PM
 #28

Quote
One way this could be done is for each transaction to carry around all of its inputs (to use the Bitcoin terminology), right back to the original input that loaded value onto the chip.

How would that scale? I suppose these chips have very limited memory, they can't keep such a record.

The system described by Death&Taxes really needs a way to detect double-spends (done by someone who manages to access the private key of a chip), or it risks failing hard. And if this is tied to the CAD as I understand, potential hyperinflation of the Canadian currency could follow. I suppose they would "shut down MintChip" before such a thing happens, but I can't see how you do it without damaging all legitimate owners of MintChips.

The Royal Canadian Mint better know what they are doing.... so far, to me, it seems they are taking a huge risk.
DeathAndTaxes
April 13, 2012, 04:31:14 PM
Last edit: April 13, 2012, 07:57:24 PM by DeathAndTaxes
 #29

Quote
Does a receiver need a special chip?
Receiver needs the same chip, the MintChip.  TX are only between MintChips.* 

* (loading and unloading chips is done only between a Mintchip and a broker)  

Quote
How does it vet the valid senders from invalid ones?
That information isn't provided in the very limited docs provided.  My assumption would be that all valid public keys have some cryptological property that allows identification.

Quote
Is there a stored list of every valid public key somewhere? Essentially what is the mechanism that stops someone from imitating a broker.

Not as far as I can tell.  Brokers however are a special case.  Brokers don't use a MintChip.  They simply issue "load" and "unload" tx  to "mint" and "destroy" funds at will.   They have a cert/key? issued by the Royal Mint and the Royal Mint CA is available to all chips.  Each chip is able to validate 1) the cert from a broker is valid 2) the load/unload tx is valid (because it is signed by trusted broker).

MintChip uses the term "trusted broker" so my guess is that the regulations to be a "trusted broker" would be similar to being a bank or other financial services company.
DeathAndTaxes
April 13, 2012, 04:36:12 PM
Last edit: April 13, 2012, 05:35:45 PM by DeathAndTaxes
 #30

Quote
I bet double-spends can be detected, just not if you're doing an offline transaction.

One way this could be done is for each transaction to carry around all of its inputs (to use the Bitcoin terminology), right back to the original input that loaded value onto the chip. Then, the double-spends get detected when chips are eventually "cashed in". The double-spends can be investigated and prosecuted by regular means (i.e. police evidence gathering rather than cryptographic techniques).

That, combined with the low transaction size limit and the high cost of extracting the key, is probably sufficient in practise to keep fraud low.

I guess I should have said in realtime.  Online or offline doesn't really matter.  At the point of the fraud the fraud is undetectable.

Also tracing counterfeiting after the fact doesn't really help to prevent the fraud.  Imagine if counterfeit bills were so flawless that even a US Treasury official would say they are valid.  Sure when checking serial # at the central bank they could realize that there are duplicate bills but that doesn't help enable detection/prevention at the point of fraud.

For example I buy a stolen mintchip (so any ID attached to the load and prior tx is not my own).  I extract the private key and counterfeit funds.   If I used those funds to purchase say Bitcoins anonymously there is now no trail which leads back or forward to me.
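The after-the-fact check discussed in the two posts above, as an added Python sketch that is not from any poster or from MintChip: once logs reach a broker, a chip that paid out more than it was ever loaded with or received stands out, but only after the payments were accepted. The log layout and the names `reconcile`, `LOADS` and `CREDIT_LOGS` are assumptions, and the sample data is constructed.

```python
from collections import defaultdict

# Constructed sample data, amounts in cents.
# LOADS: value brokers loaded onto each chip.
# CREDIT_LOGS: each chip's received-payment log as (payer, nonce, cents),
# as a broker would hold it after downloading that chip's log.
LOADS = {"A": 50_00}
CREDIT_LOGS = {
    "A": [],
    "B": [("A", 1, 30_00)],
    "C": [("A", 2, 30_00)],
    "D": [("B", 1, 20_00), ("E", 1, 10_00)],  # E has not turned in its log yet
}

def reconcile(loads, credit_logs):
    """Flag chips whose outgoing value exceeds everything they ever held.

    Returns (overspent, pending). A chip whose own log is still outstanding
    cannot be judged yet, so it is listed as pending instead of flagged.
    """
    spent = defaultdict(int)
    paid_to = defaultdict(set)
    for receiver, log in credit_logs.items():
        for payer, _nonce, cents in log:
            spent[payer] += cents
            paid_to[payer].add(receiver)

    overspent, pending = {}, []
    for chip, out in sorted(spent.items()):
        funded = loads.get(chip, 0)
        if out <= funded:
            continue                      # broker loads alone cover the spending
        if chip not in credit_logs:
            pending.append(chip)          # incoming payments still unknown
            continue
        funded += sum(cents for _p, _n, cents in credit_logs[chip])
        if out > funded:
            overspent[chip] = {"shortfall": out - funded,
                               "paid_to": sorted(paid_to[chip])}
    return overspent, pending
```

The result names the chip and the receivers it paid, which is the evidence trail for an investigation; it says nothing about who held the chip at the time.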
ribuck
April 13, 2012, 07:50:04 PM
 #31

Quote
One way this could be done is for each transaction to carry around all of its inputs (to use the Bitcoin terminology), right back to the original input that loaded value onto the chip.

How would that scale? I suppose these chips have very limited memory, they can't keep such a record.
It's not like the card needs to hold the whole block chain. A 2GB microSD card can hold plenty of transaction data. Most transactions probably only do a few hops before they make their way back to the "trusted issuer".

I'm not saying this is how they would do it. I'm just saying that there are ways they could do it, and I don't think they're so stupid as to release a system that can be hacked to allow infinite double-spends.

Maybe they don't even allow re-spends? Maybe you can only spend the money you got loaded onto the card from your bank account, and that money can only be redeemed by you or the person you directly spend it to (unless you go online so that the trusted issuer can validate your balance).

In other words: Canadian Mint -> Trusted Issuer -> You -> Coffee Shop -> Trusted Issuer
DeathAndTaxes
April 13, 2012, 07:53:10 PM
 #32

Quote
One way this could be done is for each transaction to carry around all of its inputs (to use the Bitcoin terminology), right back to the original input that loaded value onto the chip.

How would that scale? I suppose these chips have very limited memory, they can't keep such a record.
It's not like the card needs to hold the whole block chain. A 2GB microSD card can hold plenty of transaction data. Most transactions probably only do a few hops before they make their way back to the "trusted issuer".

I'm not saying this is how they would do it. I'm just saying that there are ways they could do it, and I don't think they're so stupid as to release a system that can be hacked to allow infinite double-spends.

Maybe they don't even allow re-spends? Maybe you can only spend the money you got loaded onto the card from your bank account, and that money can only be redeemed by you or the person you directly spend it to (unless you go online so that the trusted issuer can validate your balance).

In other words: Canadian Mint -> Trusted Issuer -> You -> Coffee Shop -> Trusted Issuer

You also keep making this distinction w/ offline & online where none exists.  It doesn't matter if the receiver is online or not.  There is no central ledger that an online receiver can consult.

The ONLY things the receiver has access to are:
a) sender's public key
b) the signed tx (signed by sender's private key)
c) a nonce (to prevent casual double spend - simply keep giving receiver the same exact signed tx over and over)

If the private key remains a secret then the system is impossible to forge or brute force.  Everything about the system is based on condition that sender will never be able to gain access to the private key.  If that remains true then double spend (more correctly counterfeiting) is impossible and the system works.

The tx history can't be used to validate if a tx is valid without access to the entire tx of the sender.  So while receiver may have tx record of prior tx from the sender that provides no security.
adamstgBit
April 13, 2012, 08:29:33 PM
 #33

It's for very small transactions, as in that's one of its main benefits over say Paypal or Visa. It's not limited to small transactions. Obviously even if it was limited you could easily make a big transaction as the sum of many small transactions.

The design docs seem to indicate the chips will enforce a hard limit on the amount of funds which can be stored on each chip.  Of course the chips aren't free either.

So yeah I guess if you decide to buy 100 mintchips (at what $10 ea?) then pay a broker a fee for 100 loads on your 100 chips (will you even be able to do that, will brokers ask for detailed ID and limit one person to 1 active chip?) and hook them into a rat's nest of usb cables and hub and use them to process 100x the enforced limit.

I doubt many people will do that.

What is the limit?  Well it is closed source and the specs don't state but I guarantee a limit will be enforced if no other reason than AML.  Also remember if a chip is hacked the amount of funds the central bank loses is directly related to the size of the chip (and # of tx that can be completed before blocking the hack) so there is another reason to limit both the max value on the chip and the max tx size.

I never paid for a debit card or lost visa card replacements.

you can speculate that mintchip will be a totally useless and costly if you want ....

i think it's more useful to think mintchip will be an improvement on "Chipped money", and will have some degree of success. and then we can have some fun with it.


DeathAndTaxes
April 13, 2012, 08:31:39 PM
Last edit: April 13, 2012, 09:11:00 PM by DeathAndTaxes
 #34

Quote
I never paid for a debit card or lost visa card replacements.

Of course you did just like you paid for all the bank's profit and all the merchants losses.  You paid for all of that in the form of higher prices.  Still it is an awesome model which VISA developed.  All the cost is obfuscated so customer just sees it as "free" and convenient.  Once you get a large enough network effect businesses are forced to play, cost goes up but is still hidden from the consumer.  As long as the consumer is happy VISA is happy.

Quote
you can speculate that mintchip will be a totally useless and costly if you want ....
I never said it would be useless but it surely won't be free.  

The designers finally released some more data on limitations

Quote
The maximum number of Credit transactions allowed before Reset: 500
The maximum number of Debit transactions allowed before Reset: 500
The maximum cumulative Credit value allowed before Reset: 50000.00
The maximum cumulative Debit value allowed before Reset: 50000.00
The maximum value allowed in a single Credit transaction: 100.00
The maximum value allowed in a single Debit transaction: 100.00
The maximum balance allowed: 500.00

http://mintchipchallenge.com/forum_topics/859

So if they stick w/ a $500 max balance and $100 max tx it is more interesting than the marketing talk about micro transactions.

Looks like every 500 tx though you will need to have a Trusted Broker download the log, erase the chip storage, and reset the starting balance to end prior ending balance ("reset").    

Now about that claim of anonymity ...


paraipan
April 13, 2012, 08:47:47 PM
 #35

Heh, thanks D&T i read the mintchip thread and this is starting to look more like a joke to me. I'm really out of comparing points between mintchip and bitcoin, the latter is the obvious winner.

adamstgBit
April 13, 2012, 08:52:54 PM
 #36


Quote
The designers finally released some more data on limitations

Quote
The maximum number of Credit transactions allowed before Reset: 500
The maximum number of Debit transactions allowed before Reset: 500
The maximum cumulative Credit value allowed before Reset: 50000.00
The maximum cumulative Debit value allowed before Reset: 50000.00
The maximum value allowed in a single Credit transaction: 100.00
The maximum value allowed in a single Debit transaction: 100.00
The maximum balance allowed: 500.00


Quote
Heh, thanks D&T i read the mintchip thread and this is starting to look more like a joke to me. I'm really out of comparing points between mintchip and bitcoin, the latter is the obvious winner.

their api ref. said the limit for a tx was about 16,000$ not 100$

agreed these limits are ridiculous ... now building a decentralized exchange using mint-chip seems pointless


Gavin Andresen
April 13, 2012, 09:01:09 PM
 #37

RE: $100 per-transaction, $500 balance limit:

That makes perfect sense; they probably figured out about how much it will cost to hack a MintChip to get its private key (dissolve case in acid, put it under an electron microscope, attach electrodes at exactly the right spots, etc...). Do a little calculation involving the cost of hacking one chip, the number of times you can double-spend before you're likely to get caught and the maximum amount per transaction and I bet they figure it doesn't pay.

Especially if online transactions "phone home" to detect double-spends.  If you have to physically walk to 500 different not-online merchants to get away with $50,000 worth of double-spends that's just like counterfeiting $100 bills, and that's an attack Mints have been pretty successfully dealing with for hundreds of years.

RE: anonymity: the anonymity model is similar to Bitcoin. Each physical MintChip is like a Bitcoin keypair, if you can easily buy/load a bunch of them anonymously then it will be hard for Them to track your purchases.

If MintChip fails I bet it is not due to hacking or lack of anonymity, but just due to the inconvenience of needing Yet Another Physical Doohickey. Paper money fits nicely into the wallet I already have, I don't want Yet Another Dongle on my keychain, and I bet before the end of the year either Apple will finally approve a Bitcoin app or there will be a nifty HTML5-based web wallet I can use on my iPhone...

How often do you get the chance to work on a potentially world-changing project?
DeathAndTaxes
April 13, 2012, 09:15:12 PM
Last edit: April 13, 2012, 09:43:24 PM by DeathAndTaxes
 #38

Quote
RE: anonymity: the anonymity model is similar to Bitcoin. Each physical MintChip is like a Bitcoin keypair, if you can easily buy/load a bunch of them anonymously then it will be hard for Them to track your purchases.

Big IF there.  The only entities which can load/unload chips are trusted brokers.

Initially I thought of that being a non-issue as currency could circulate internally perpetually however w/ 500 tx limit everything goes through brokers initially and eventually so the govt has a complete list of all tx (albeit delayed up to 500 tx per user).

Thus I am not sure the claim of even pseudo-anonymity can be made.

It would be trivial for the govt to put all tx in database, link that to ID information on each mint user, load amounts, and unload amounts and build a complete tx record of every single user.   Given the potential I don't see how the central bank says "no" the first time the Canadian IRS or Police want that information.

The Bitcoin comparison would be if Mt.Gox collected ID on all users (sadly they pretty much do), the only place you could buy Bitcoins was Mt.Gox, and the only place you could sell them was Mt.Gox and every 500 tx you had to turn over your entire tx log (tightly coupled to your ID) to Mt.Gox or otherwise any Bitcoins you hold would become worthless.  Oh and there is no internal (anonymous) mining of coins, all mining is done by Mt.Gox.
Mike Hearn
April 13, 2012, 09:39:33 PM
 #39

Quote
That information isn't provided in the very limited docs provided.  My assumption would be that all valid public keys have some cryptological property that allows identification.

IIUC they do. All chips (not just brokers) have a cert connected to the MintChip CA chain.

Cryptographically it's very straightforward and traditional. There is no support for anything resembling contracts or other complex transactions. You sign messages saying "increment your balance by X", and that's about it.

I'd like to see MintChip gain some of the features of Bitcoin, protocol wise. Cryptography based currencies are a new design space and can use some competition around different approaches. My gut feeling is that a hybrid solution would be best - using hardened chips can help Bitcoin, by making zero-conf offline transactions dramatically less risky, and a block chain can help MintChip by removing the "key leak = system doom" failure mode that undermines it today.
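A Python model of the scheme as the thread describes it, added here as an illustration and not taken from any post or from MintChip's closed implementation: a CA-certified chip key, a signed tx with a nonce, the quoted $100 / $500 / 500-tx limits, and the "key leak" failure mode in which the receiver's checks all pass. The message layout, the toy RSA standing in for the real signature algorithm, and every name in the code are assumptions.

```python
import hashlib
import json

E = 65537  # public exponent of the toy RSA below

def make_key(p, q):
    """Toy textbook RSA (tiny modulus, no padding): stand-in signature only."""
    return p * q, pow(E, -1, (p - 1) * (q - 1))  # (public n, private d)

def _h(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(msg, n, d):
    return pow(_h(msg, n), d, n)

def verify(msg, sig, n):
    return pow(sig, E, n) == _h(msg, n)

# Limits quoted in the thread, in cents.
MAX_TX, MAX_BALANCE, MAX_COUNT = 100_00, 500_00, 500
CA_N, CA_D = make_key(2**107 - 1, 2**127 - 1)  # stands in for the MintChip CA

def encode(payer, payee, cents, nonce):  # assumed message layout
    return json.dumps([payer, payee, cents, nonce]).encode()

class Chip:
    def __init__(self, chip_id, key, balance=0):
        self.id = chip_id
        self.n, self._d = key  # _d is what an intact chip never reveals
        self.cert = sign(f"{chip_id}:{self.n}".encode(), CA_N, CA_D)
        self.balance, self.debits, self.credits = balance, 0, 0
        self.seen = set()  # (payer, nonce) pairs already credited

    def debit(self, payee, cents, nonce):
        """Sender side: refuse to sign what the internal balance cannot cover."""
        if not 0 < cents <= min(MAX_TX, self.balance) or self.debits >= MAX_COUNT:
            raise ValueError("debit refused by chip")
        self.balance -= cents
        self.debits += 1
        msg = encode(self.id, payee, cents, nonce)
        return {"msg": msg, "sig": sign(msg, self.n, self._d),
                "n": self.n, "cert": self.cert}

    def credit(self, tx):
        """Receiver side: every check it can make with no ledger to consult."""
        payer, payee, cents, nonce = json.loads(tx["msg"])
        if not verify(f"{payer}:{tx['n']}".encode(), tx["cert"], CA_N):
            return "bad cert"
        if not verify(tx["msg"], tx["sig"], tx["n"]):
            return "bad signature"
        if payee != self.id or (payer, nonce) in self.seen:
            return "replay or wrong payee"
        if (not 0 < cents <= MAX_TX or self.credits >= MAX_COUNT
                or self.balance + cents > MAX_BALANCE):
            return "limit exceeded"
        self.seen.add((payer, nonce))
        self.balance += cents
        self.credits += 1
        return "accepted"

def demo():
    alice = Chip("alice", make_key(2**61 - 1, 2**89 - 1), balance=50_00)
    shop = Chip("shop", make_key(2**31 - 1, 2**521 - 1))
    tx = alice.debit("shop", 30_00, nonce=1)
    out = {"honest": shop.credit(tx), "replay": shop.credit(tx)}
    try:
        alice.debit("shop", 30_00, nonce=2)  # only 20.00 is left on the chip
        out["overspend"] = "signed"
    except ValueError:
        out["overspend"] = "refused"
    # Modelled failure: the key signs outside the chip, so debit() never runs.
    msg = encode("alice", "shop", 30_00, 2)
    forged = {"msg": msg, "sig": sign(msg, alice.n, alice._d),
              "n": alice.n, "cert": alice.cert}
    out["extracted_key"] = shop.credit(forged)
    out["shop_balance"] = shop.balance
    return out
```

`demo()` shows that the balance rule lives only in the sender's `debit()`: the receiver's `credit()` can reject replays, uncertified keys and altered messages, but a genuine certified key used outside its chip passes every check.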
caveden
April 13, 2012, 09:56:34 PM
 #40

If they really intended to make something as anonymous as cash, they could have used a blinded signature algorithm like what's done in Open Transactions. Actually, they could become an Open Transaction issuer and server. That would be more anonymous than Bitcoin.

I'm not sure what they want, exactly.