Bitcoin Forum
Author Topic: Dedicated bitcoin devices - dealing with untrusted networks  (Read 3580 times)
jim618
April 21, 2012, 09:31:16 AM
 #1

Mainly due to a serial line hack I am attempting (see thread in Alternative Clients) I have been thinking about if it is practical to have dedicated bitcoin devices.

Here is what I have got so far.  Your feedback is very welcome.


What is a dedicated bitcoin device ?

It is a small device with:

1) A small LCD. (A few lines of text, non-touch)
2) A keyboard.
3) It has enough computing power and memory to sign transactions but not enough to maintain a blockchain.
4) No dedicated network connection (no WiFi, no cell phone connection)
5) IO is over a serial connection - micro USB and infrared (IRDA).
6) Low power - you could run it off button lithium batteries for a long time.

Think: a glorified calculator or Casio electronic dictionary.
Think: cheap to mass produce.


What can you use it for ?

1) You can use it to pay for things in shops with bitcoin.
2) You can use it to send bitcoin directly from one device to another.
3) You sync it (like an iPod) with your main computer to see the transactions in detail and recharge it.


What are the problems  ?

There are two main problem areas:
1) Yeah, show me one that works and I will believe it. It's vaporware unless I can hold it in my hand.
2) If it does not have its own network connection how does it know what its balance is ?  What is to stop Mallory screwing around with it and sending it bogus transactions?
(Mallory is the generic 'Bad Guy').


Detailed operation in a shop

Here is how I think it would work at Point of Sale:

1) Prior to your shopping spree you sync your device at home against your home PC. The PC creates a watching wallet for the private key that is created on the device (and never leaves it). Because of iPods etc people are used to syncing their devices by plugging them in to their PC.  You trust your home PC to give you the real blockchain transactions.

2) The user 'charges' the device by sending it some BTC using your desktop client. The watching wallet sees the transaction and tells the device what unspent outputs it has available to spend. The transaction that the desktop bitcoin client uses to recharge the device has many small transaction outputs (say a tenth of a BTC each).

For instance, if you charged it with 10 BTC , you would have available 100 transaction outputs each of a 0.1 BTC value.

The device stores a list of its unspent outputs and hence knows its balance.  Because this is a sync with a PC you trust the device will be happy to spend these unspent outputs. It believes they are real.


3) At the shop, there would be a data exchange as follows. IRDA is at 115.2 kbps so you should be able to do it quickly enough for realtime use.

edit: simplified

3.1) Shop -> device. Shop identifies itself as, say 'Walmart'. Requests a payment of, say, 3.55 BTC  using a Bitcoin URI.
3.2) Device -> user. Prompts user with payment amount. User presses 'Confirm' or 'Cancel'.
3.3) Device -> shop. Device creates transaction for the 3.55 BTC, using a total of 3.6 BTC of transaction outputs and sending itself 0.05 BTC of change. Device signs tx and sends it back to shop
3.4) Shop -> bitcoin network. Transmits tx out to bitcoin network.
3.5) Shop -> device. Shop confirms that the tx has been transmitted to the bitcoin network.

The device would then go through its unspent outputs and mark off the spends. The change transaction output it does not believe it can spend yet as it depends on whether Walmart really transmitted the tx. It marks it internally as:
   Walmart says: Sent you 0.05 BTC

The shop also does not trust the transaction outputs used in the tx at stage (3.3). It would do a network webservice lookup with a well connected node to check that those outputs were REALLY unspent. It would know the txid and output number so this should be relatively quick. This limits the ability of Mallory to perform a double spend as he has a very short attack window.


Summary of shop transaction.

The device initially had 100 unspent transaction outputs of value 0.1 BTC.
Now it has:
   64 unspent outputs of value 0.1 BTC
   36 spent outputs of value 0.1 BTC
   1 transaction output of value 0.05 BTC that is marked as "Walmart says it sent it to you".


What happens at the next shop

At the next shop the device will not try to spend the "Walmart says" transaction output, only its unspent outputs.



When the user gets home s/he syncs the device and it and the watching wallet compare notes to:
4.1) Confirm the tx are spent and change has been received (It should be as the shop wants its money)
4.2) Perhaps the user also wants to recharge the device and hence there will be new outputs available to spend.


Sending BTC from one device to another

To send BTC from one device to another the exchange would be similar to that in a shop. Say Bob sends Alice 10 BTC. Alice's device stores the transaction but marks it internally as:

   "Bob says: Sent you 10 BTC"

Again Alice's device will not try to spend this BTC until the next sync.
The basic principle here is:
  You cannot spend a promise

There is more opportunity for Mallory here admittedly as he could hack his device and keep (trying to) spend the same BTC.   When Alice syncs she will see that Mallory's tx has been double spent.   I expect she will immediately get onto Facebook and start flaming him.   Alice's device and desktop in combination say:

   "Mallory said he sent you 10 BTC at 10:35am but he is a lying piece of s**t and cheated you"

Perhaps I would not use those exact words in the internationalisation file :-)


How would the UI present the information

Whilst the general public is not very good with technical ideas, everyone knows the difference between these two statements:

"Charlotte thinks you are totally hot and wants you to take her to the prom on Saturday"

and

John says: "Charlotte thinks you are totally hot and wants you to take her to the prom on Saturday"


For the UI on, say, a 2 line LCD you would have something like:

    LCD Top row:           Balance 12.4 BTC
    LCD Second row:      Bob says: Sent you 10 BTC
          Scrolls:             You sent Walmart 3.55 BTC
          Scrolls:             Walmart says: Sent you 0.05 BTC
          Scrolls:             Balance with promises: 22.45 BTC


Is this :
  Practical ?
  Doable ?
  Simple enough for the general public ?
  Can Mallory brick my device or mess me about ?



MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
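
An added sketch of the bookkeeping post #1 describes (not jim618's code or any real wallet's): outputs learned at a trusted sync are spendable, while change and device-to-device receipts are held as promises until the next sync. The `Device` class, its method names, the string txids and the output-index convention are assumptions made for illustration.

```python
from dataclasses import dataclass, field

COIN = 100_000_000  # satoshis per BTC; integers avoid float rounding


@dataclass
class Device:
    # (txid, index) -> value; filled only by a sync with a machine the user trusts
    unspent: dict = field(default_factory=dict)
    # outputs already signed away since the last sync
    spent: dict = field(default_factory=dict)
    # (txid, index) -> (who, value); "X says: Sent you ..." entries, never spendable
    promises: dict = field(default_factory=dict)

    def sync(self, trusted_unspent):
        """Replace local state with the watching wallet's view.

        Returns the promises missing from that view so the UI can flag them.
        (Simplification: a real sync would tell 'not yet seen' from 'double spent'.)
        """
        missing = [(who, value) for op, (who, value) in self.promises.items()
                   if op not in trusted_unspent]
        self.unspent, self.spent, self.promises = dict(trusted_unspent), {}, {}
        return missing

    def pay(self, payee, amount, txid):
        """Fund a payment from trusted outputs only; record change as a promise."""
        if amount <= 0:
            raise ValueError("amount must be positive")
        chosen, total = [], 0
        for op, value in sorted(self.unspent.items()):
            if total >= amount:
                break
            chosen.append(op)
            total += value
        if total < amount:
            raise ValueError("not enough trusted outputs; promises cannot be spent")
        for op in chosen:
            self.spent[op] = self.unspent.pop(op)
        change = total - amount
        if change:
            # Assumption: output 0 pays the shop, output 1 is our change.
            self.promises[(txid, 1)] = (payee, change)
        return chosen, change

    def receive(self, who, value, outpoint):
        """Device-to-device transfer: stored, but only as a claim."""
        self.promises[outpoint] = (who, value)

    def balance(self):
        return sum(self.unspent.values())

    def balance_with_promises(self):
        return self.balance() + sum(v for _, v in self.promises.values())


if __name__ == "__main__":
    d = Device()
    # Constructed data: 10 BTC charged as 100 outputs of 0.1 BTC.
    d.sync({("charge", i): COIN // 10 for i in range(100)})
    d.pay("Walmart", 355 * COIN // 100, "tx-walmart")
    d.receive("Bob", 10 * COIN, ("tx-bob", 0))
    print(d.balance() / COIN, d.balance_with_promises() / COIN)
```
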
Revalin
April 21, 2012, 11:10:44 AM
 #2

A few thoughts:

The store does not have to send the change.  The device can create a transaction so 0.05BTC goes to the store and .05BTC goes back to you.  There is no need to trust the store to return it or to verify the change.

There is no need to split the inputs into 0.1BTC amounts.  It's just as easy (actually easier) to have a single 10BTC input and send a 3.55BTC output to the store and the remainder as change to yourself.

A 32-bit ARM MCU with 256KB of RAM is only about $10 in single units or $5 in volume.  That plus an SD card to store the blockchain would give you a full-function device.  A CR123A battery would run it for two days of continuous 150MHz operation, and essentially unlimited sleep time.  That's certainly heavier than an 8-bit micro running on a couple of watch batteries, but it's something to consider.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
jim618
April 21, 2012, 12:00:12 PM
 #3

Hi Revalin,

Interesting figures for hardware. That is pretty cheap.

My thinking about the change is that until you sync you cannot be sure that the shop actually sent your tx to the bitcoin network and that you will have the change available to spend later. Hence trying to keep it small.

For example if you use a 10BTC transaction output with 9.9 BTC in change (unconfirmed and possibly not transmitted to the bitcoin network) you cannot be sure that the 9.9 BTC tx output is available to spend at the next store.  The device has no network connection of its own to know.

Your device might be declined at the checkout at the next store because your previous change tx output (which you are now trying to spend) does not exist yet. You could send the previous tx in addition to the new one at the second store but it soon gets complicated.

Thanks for your feedback.

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
pgajic
April 21, 2012, 12:07:50 PM
 #4

Quote
A 32-bit ARM MCU with 256KB of RAM is only about $10 in single units or $5 in volume.  That plus an SD card to store the blockchain would give you a full-function device.  A CR123A battery would run it for two days of continuous 150MHz operation, and essentially unlimited sleep time.  That's certainly heavier than an 8-bit micro running on a couple of watch batteries, but it's something to consider.

Any chance of a link where I could buy a board of this type.

 
Revalin
April 21, 2012, 02:13:30 PM
 #5

Quote
Any chance of a link where I could buy a board of this type.

Here you go:

http://www.mouser.com/Embedded-Solutions/Engineering-Tools/Embedded-Processor-Development-Tools/Development-Boards-Kits-ARM/_/N-8x0x4/


Here's a nice cheap one. The chip is a Cortex M4 with 192KB RAM, 1MB flash, ethernet, USB, LCD drivers, SD card support, and more; the board has some accelerometers, buttons, LEDs, a USB port, and some prototyping leads, all for $15:

http://www.mouser.com/ProductDetail/STMicroelectronics/STM32F4DISCOVERY/?qs=J2qbEwLrpCFMptdjNAVzZeZDfltJ6JKw1GLhrq7db5E%3d

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
jim618
April 21, 2012, 06:08:31 PM
 #6

Thinking about it, there is no reason that you would have to just sync at home.

Say Starbucks accepts bitcoin and has a little cradle/reader thing they use for payments. In a quiet moment you could always ask the barista if she minded you syncing. Pop your device in the cradle. Press a button on your device labelled 'sync'. Device asks cradle for up to date tx for its address, updates its records.


Because you explicitly requested a sync the device will say 'ok I can believe this data'.
Then if a friend sent you some BTC device to device you could sync and can then spend them.

Edit : hmm you would sync and the tx your friend sent to you you could transmit to the network, but it is not on the blockchain yet. Might be more trouble than it's worth

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
schnell
April 21, 2012, 06:53:06 PM
 #7

Quote
Edit : hmm you would sync and the tx your friend sent to you you could transmit to the network, but it is not on the blockchain yet. Might be more trouble than it's worth

The tx would have to send when THEY sync, then when it has x confirmations you can sync, confirm the tx and split it into 0.1 outputs.


Also, customising the output size sent to the device would be nice, personally I would do 0.001, but would that overload the cpu?

Also, lcd screens consume a shit tonne of power. Use kindle-like eink black and white screens, they only need power to move the ink then it stays there without any more power.

Would the communication with the shop be nfc?

Revalin
April 21, 2012, 08:08:23 PM
 #8

LCD backlights consume a ton of power.  Unlighted LCDs consume barely any, and regardless this is a device you'd only power up for a few seconds at a time.  eink's nice, but it costs a lot more than a $2-5 LCD.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
schnell
April 21, 2012, 08:30:16 PM
 #9

Quote
LCD backlights consume a ton of power.  Unlighted LCDs consume barely any, and regardless this is a device you'd only power up for a few seconds at a time.  eink's nice, but it costs a lot more than a $2-5 LCD.

Point taken.

How much do they cost?
theymos
April 21, 2012, 09:13:48 PM
 #10

A secure Bitcoin spending device doesn't need to store anything other than its private keys. It can give its public keys to the recipient and rely on them to create a valid unsigned transaction. The device just needs to figure out the BTC spent by the transaction (total output BTC minus output BTC to the device's keys) and get the user to confirm. It doesn't matter if the device is given an invalid transaction to sign, since the network will reject it.

It'd be nice for the device to store some transaction details for accounting purposes, of course.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
jim618
April 21, 2012, 09:34:38 PM
 #11

@theymos

If the user the device is talking to has network access you could give it your public key, it can get your unspent tx outputs and create an unsigned tx yes.

If you wanted to do a device to device transfer you would have to know your available unspent outputs as the other device is as unconnected as you.

@konichua I think there would be a variety of possibilities for the connectivity. I mention IRDA mainly because the hack I am working on has USB and IRDA.


MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
Revalin
April 21, 2012, 09:48:20 PM
 #12

Quote
How much do they cost?

$40-60 for something the size of a Kindle.  It's hard to say what a tiny one would cost since there's not much of a market for it.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
Revalin
April 21, 2012, 09:59:41 PM
 #13

Quote
(unconfirmed and possibly not transmitted to the bitcoin network) you cannot be sure that the 9.9 BTC tx output is available to spend at the next store.  The device has no network connection of its own to know.

Then you just spend the original inputs again.  :)

I can't imagine ANY store is going to deliver goods before the tx is at least broadcast, unless it's a regular customer they know and can trust.  For anyone else, they'd have to be online for any transaction.

Still, this is a good point: even if the store broadcasts it immediately your change won't be confirmed for an hour.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
Andreas Schildbach
April 21, 2012, 10:52:49 PM
 #14

Quote
A secure Bitcoin spending device doesn't need to store anything other than its private keys.

It needs to know its unspent outputs so it can calculate the balance of a transaction received for signing.

Bitcoin Wallet for Android: Your own Bitcoins, in your own pocket!
https://play.google.com/store/apps/details?id=de.schildbach.wallet
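
An added example (not from any poster or wallet project) of the check posts #10 and #14 are debating: the outputs-only figure is identical for two transactions that differ only in how much change comes back, so the device prices the inputs from its own synced records and refuses unknown inputs or an oversized fee. The transaction layout, the `max_fee` policy limit and all sample values are constructed assumptions.

```python
COIN = 100_000_000  # satoshis per BTC


class RefuseToSign(Exception):
    """Raised when the device should not sign the transaction it was handed."""


def spend_from_outputs(tx, own_addresses):
    """Post #10's figure: total output value minus outputs to the device's own keys."""
    return sum(value for addr, value in tx["outputs"] if addr not in own_addresses)


def review_for_signing(tx, own_addresses, known_unspent, max_fee):
    """Post #14's point: value the inputs from records the device got at a trusted sync.

    known_unspent maps (txid, index) -> value. max_fee is a hypothetical device policy.
    Returns the figures to show the user, or raises RefuseToSign.
    """
    if len(set(tx["inputs"])) != len(tx["inputs"]):
        raise RefuseToSign("input listed twice")
    total_in = 0
    for outpoint in tx["inputs"]:
        if outpoint not in known_unspent:
            raise RefuseToSign(f"input {outpoint} is not one of my synced outputs")
        total_in += known_unspent[outpoint]
    if any(value <= 0 for _, value in tx["outputs"]):
        raise RefuseToSign("non-positive output value")
    fee = total_in - sum(value for _, value in tx["outputs"])
    if fee < 0:
        raise RefuseToSign("outputs exceed inputs")
    if fee > max_fee:
        raise RefuseToSign(f"fee of {fee} satoshis exceeds limit {max_fee}")
    to_others = spend_from_outputs(tx, own_addresses)
    return {"to_others": to_others, "fee": fee, "leaves_device": to_others + fee}


# Constructed sample data (not real transactions or addresses).
OWN = {"device-addr"}
KNOWN = {("charge", 0): 10 * COIN}
HONEST = {"inputs": [("charge", 0)],
          "outputs": [("shop-addr", 355_000_000), ("device-addr", 644_990_000)]}
SHORT_CHANGE = {"inputs": [("charge", 0)],
                "outputs": [("shop-addr", 355_000_000), ("device-addr", 5_000_000)]}

if __name__ == "__main__":
    print(review_for_signing(HONEST, OWN, KNOWN, max_fee=50_000))
    print(spend_from_outputs(SHORT_CHANGE, OWN))  # same figure as the honest tx
    try:
        review_for_signing(SHORT_CHANGE, OWN, KNOWN, max_fee=50_000)
    except RefuseToSign as exc:
        print("refused:", exc)
```
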
Stephen Gornick
April 22, 2012, 04:19:02 AM
 #15

Quote
even if the store broadcasts it immediately your change won't be confirmed for an hour.

It won't have 6 confirmations but it can be spent right away.  The bitcoin client doesn't allow spending on 0/unconfirmed but the protocol allows it, clients will relay it and as long as there are fees paid, miners will likely include it.  BlockChain.info is one such wallet which allows immediate spend transactions, for example.

FreeMoney
April 22, 2012, 05:04:08 AM
 #16

A bunch of .01 or .001 is not optimal. Probably a collection of UNIT * n^2 up to about average expected transaction amount would be good. But you could customize for reduced number of keys or reduced average or max change.

For example 100x .02 and 100x .01 is going to be strictly superior to 300x .01 unless you make hundreds of tx for amounts between .01 and .02.

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
jim618
April 22, 2012, 07:58:24 AM
 #17

@freemoney - good point. That would also reduce the size of the tx which has several benefits.

@Stephen Gornick  With the change tx output as long as the previous tx has been transmitted by either you or the other party you would be able to use it.

However I am trying to think of a protocol that, even as a disconnected, untrusting device you can be 100% sure your tx will be accepted. You can only believe what your home sync computer tells you. You do not want to believe the contents of any tx you receive. Nor that any tx you produce actually gets transmitted to the network. It is for that reason that all the tx you receive and change is marked as 'somebody says this is true but I am not willing to put my reputation on the line just yet and reuse them'.

Another reason not to reuse unconfirmed tx specifically is the very human temptation that if someone sends you a fake tx you might be tempted to pass it on to someone disconnected who cannot get back at you when they detect the double spend.

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.
World
April 22, 2012, 01:08:17 PM
 #18

maybe like this watch?
http://www.kickstarter.com/projects/597507018/pebble-e-paper-watch-for-iphone-and-android?ref=search

Supporting people with beautiful creative ideas. Bitcoin is because of the developers,exchanges,merchants,miners,investors,users,machines and blockchain technologies work together.
wareen
April 22, 2012, 02:15:09 PM
 #19

@jim618: You should probably get in touch with Prof. Clemens Cap. He is working on a Bitcoin hardware wallet and he called for interested people to participate.
jim618
April 22, 2012, 02:22:17 PM
 #20

@wareen - good idea !
I am not really a hardware guy so it would be really useful to have someone to work on the hardware side and for me to concentrate on "serving up the data".

I will email him and see what he says.

Cheers.

MultiBit HD   Lightweight desktop client.                    Bitcoin Solutions Ltd   Bespoke software. Consultancy.