what's the point of having the physical coin at all?
The answer is already in this thread. First post. First line.
I think there are people who like to work with the limited trust you can place in a piece of hardware made by a third party and given to you by a person hostile to your interests (or to just pretend that's secure, or secure enough for the low-value transfer and social face loss of cheating).
Under this argument they want to make the coin somewhat safe to transfer offline, e.g. to the extent that the coin makes it hard to take the private key out of it.
However, it seems that the same people want the coin to be online spendable (emptyable) and reloadable. Those objectives seem in conflict, as any non-technical guy can follow the online spending procedure and end up with a coin that within the protocol has no bitcoins in it! So then you see the defense that the coin is somewhat offline verifiable in that it reports itself over a local hardware link (e.g. NFC in the case of firmcoin) as empty (e.g. it deletes its private key when spent).
Maybe, to the limited extent of the tamper resistance, tamper evidence, holograms etc. that some people may want to trust, we could have both objectives in one coin (moderately safe for offline transfer AND the new owner chooses part of the key). And Sergio Lerner said something like this:
What I actually do is to create the private key in the hardware, then the hardware tells the user the public key. Then the user provides a user-chosen random multiplication factor to the hardware, and then the hardware multiplies both the private and the public key.
Then the hardware manufacturer cannot know the private key.
So that means the device computes P1 = x'G, then the user chooses y such that P = yP1 = x'yG, so the final key is x = x'y mod n. So while it's true that the device didn't choose all of the private key bits, it still knows the full private key, could leak it over NFC, or more subtly send it in k when making the ECDSA signature via the big fat 256-bit DSA subliminal channel, so the user or manufacturer or criminal buyer of hostile hardware can later harvest coins from the signatures published to the network by examining the signatures.
Concretely, let's say you have some hostile hardware; here's how you leak x = x'y mod n. key is some key buried in the hardware, loaded into its firmware etc. and known to the attacker.
Compute k = H(key||H(m)||P)
Now the normal DSA signature:
r = [kG]x, s = k^-1 (H(m) + rx)
The syntax [G]x indicates the x coordinate of the point G.
In this case x = x'y because of the way firmcoin generates x' on the coin and allows the user to generate y and pass it in.
Now the attacker can recover the coin private key seeing only the signature (r, s) on message m (the transaction details) published on the bitcoin block chain, and then pre-spend your coin.
That is because:
s = k^-1 (H(m) + rx)
=> sk = H(m) + rx
=> sk - H(m) = rx
=> x = r^-1 (sk - H(m))
and notice that the user generating x where x = x'y didn't help a bit.
You either need to not trust the hardware to make the signature, or you need the DSA subliminal channel to be plugged.
So you might imagine doing the same trick again: the hardware chooses R = k'G and sends the user R, the user chooses z so that r = [zR]x = [zk'G]x, i.e. k = zk', and verifies that r = [zR]x. Now the attacker can't set k arbitrarily. You have to do the current x = x'y defense as well, otherwise the hardware can set x to H(key||counter).
Now there is no subliminal channel, so you can safely have the coin make a signature (modulo NFC leaking).
You had better check that R is on the curve, and that it generates the same subgroup (or that the card knows the discrete log of R in base G, e.g. with a Schnorr proof, in such a way that protects the card from private key extraction).
You might want to arrange things so the hardware manufacturer can help the user recover x when mailed back the coin, together with y and z (e.g. from the serial number on the outside of the coin package plus a secret key known to the manufacturer). Otherwise people are going to be pretty annoyed if the hardware fails. You can probably do that such that the manufacturer still can't do anything useful by itself without the user's knowledge of y and z.
Adam
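Added worked example (editor's illustration, not part of Adam's post and not firmcoin code): a pure-Python secp256k1 model of both halves of the argument above. A hostile coin signs with k = H(key||H(m)||P), and the attacker recovers x = r^-1(sk - H(m)) from the on-chain (r, s) alone, showing that the user's y factor in x = x'y does nothing against this. The user-chosen nonce factor z (R = k'G from the coin, k = zk', user checks r = [zR]x) then closes the channel, and the same recovery yields garbage. Everything here is assumed for illustration: the `HW_KEY` firmware secret, the `Coin` class and function names, the small fixed scalars, a single SHA-256 standing in for Bitcoin's double SHA-256, and an on-curve check in place of the subgroup check (secp256k1 has cofactor 1, so on-curve suffices; the Schnorr proof of knowledge of k' mentioned in the post is not implemented). The arithmetic is affine and not constant time.

```python
"""Toy model: hostile coin leaks x via the ECDSA nonce; user factors y and z close it.
Pure-Python secp256k1, illustration only (affine, not constant time; H(m) is one
SHA-256, a simplification of Bitcoin's double SHA-256)."""
import hashlib

# secp256k1 domain parameters: field prime, group order, base point
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def on_curve(pt):
    """y^2 = x^3 + 7; cofactor 1, so on-curve implies the right subgroup."""
    return pt is not None and (pt[1] ** 2 - pt[0] ** 3 - 7) % P == 0

def ec_add(p, q):
    """Affine point addition; None is the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None                                   # p + (-p)
    if p == q:
        lam = 3 * p[0] * p[0] * pow(2 * p[1], -1, P) % P
    else:
        lam = (q[1] - p[1]) * pow(q[0] - p[0], -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication k*pt."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def H(msg):
    """Message hash as an integer mod n (single SHA-256, a simplification)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign(x, h, k):
    """r = [kG]x, s = k^-1 (H(m) + r x); the caller supplies the nonce k."""
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (h + r * x) % N

def ecdsa_verify(pub, h, sig):
    r, s = sig
    w = pow(s, -1, N)
    pt = ec_add(ec_mul(h * w % N, G), ec_mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

HW_KEY = b"constructed secret baked into hostile firmware"   # known to the attacker

def leaky_k(h, pub):
    """The post's subliminal channel: k = H(key || H(m) || P), attacker can recompute it."""
    data = HW_KEY + h.to_bytes(32, "big") + pub[0].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

class Coin:
    """Hypothetical coin firmware holding the private key."""
    def __init__(self, x_prime):
        self.x = x_prime                  # x' generated on-device; reports P1 = x'G
    def public_key(self):
        return ec_mul(self.x, G)
    def apply_user_factor(self, y):
        self.x = self.x * y % N           # x = x' y (Lerner's defence); pubkey becomes y P1
    def sign_hostile(self, h):
        return ecdsa_sign(self.x, h, leaky_k(h, self.public_key()))   # hardware picks k
    def nonce_commit(self, k_prime):
        self.k_prime = k_prime            # R = k' G goes to the user before signing
        return ec_mul(k_prime, G)
    def sign_blinded(self, h, z):
        return ecdsa_sign(self.x, h, self.k_prime * z % N)           # k = z k'

def attacker_recover(h, pub, sig):
    """From the on-chain (r, s) alone: x = r^-1 (s k - H(m)) once k is known."""
    r, s = sig
    k = leaky_k(h, pub)
    return pow(r, -1, N) * (s * k - h) % N

def user_blinded_sign(coin, h, k_prime, z):
    """User side: check R, fix r = [zR]x in advance, then verify the coin honoured it."""
    R = coin.nonce_commit(k_prime)
    if not on_curve(R):
        raise ValueError("R is not a point on secp256k1")
    expected_r = ec_mul(z, R)[0] % N
    sig = coin.sign_blinded(h, z)
    if sig[0] != expected_r:
        raise ValueError("coin deviated from the agreed nonce k = z k'")
    return sig

def demo():
    # Constructed small scalars so the run is deterministic; real ones are 256-bit random.
    x_prime, y, z, k_prime = 0x1111, 0x2222, 0x3333, 0x4444
    coin = Coin(x_prime)
    coin.apply_user_factor(y)
    pub, h = coin.public_key(), H(b"constructed spend transaction")
    sig1 = coin.sign_hostile(h)                       # channel open: x is recoverable
    sig2 = user_blinded_sign(coin, h, k_prime, z)     # channel closed: k = z k'
    return {"x": coin.x,
            "sig1_valid": ecdsa_verify(pub, h, sig1),
            "leaked": attacker_recover(h, pub, sig1),
            "sig2_valid": ecdsa_verify(pub, h, sig2),
            "guess_after_blinding": attacker_recover(h, pub, sig2)}

if __name__ == "__main__":
    print(demo())
```

Both signatures verify under the same public key, so nothing on the chain distinguishes them; only the first lets `attacker_recover` return the real x. Note what the user check does not cover: a coin that refuses to sign, or leaks over NFC directly, is outside this model, as the post says.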