I have been musing about how to improve physical coin security, because, well, physical coins are just so cool.
It's obvious that the https://www.casascius.com/ reliance on a hologram covering a microSD card held in a recess in the coin has several problems: how do you know there is a private key on an SD card inside it (trust the manufacturer)? Also, how can you spend it convincingly without wrecking the hologram? And anyone can get some holograms printed up, remove the key. Now apparently some of the coins have the coin address engraved on the coin rim, which is quite cool as you can check if it's currently spent. However it could be spent at any time if the former owner or manufacturer cheated.
So my variation on this is that you can actually generate a new private key for an existing coin address / coin public key (relative to a new discrete log base). The effect is that I think you could hold a coin public key constant while convincing someone in zero-trust that you did not retain the effective private key, by changing the base.
Normally P = xG (elliptic curve discrete log notation)
Now you can use different G values and still make a signature. E.g. if you could compute P = x'G' (same public key P, different private key x', different base G') you can make an ECDSA signature w.r.t. P, x' and G'. It will validate against P and G'.
But you have to be careful as anyone can cheaply compute the y-th root of P: if you can choose G' randomly, you can cheat, i.e. compute y^-1 mod n and multiply: G' = y^-1 P. That's because that is an elliptic curve y-th root, which is trivial to calculate because G' is an arbitrary result (the y-th root), not a pre-chosen discrete log base, even though it looks like a base when you've finished. (n is the order of the group.)
So how could you fairly choose a new base? One way is to demonstrate you know the ECDL of G', i.e. you know w such that G' = wG. We can probably do that safely:
The recipient gets the private key easily from the coin, if it has an electrical interface to reveal it on contact. They compute a new random z, and G' = zG and x' = xz^-1 mod n. x' is the new private key because P = x'G' = xz^-1 zG = xG, so P is unchanged.
The recipient publishes a multi-signature of P' with the old private key x, and a second signature of P' with the new private key x' relative to the new base G', to the bitcoin network. Once that is hashed after a few blocks they can be sure the previous owner can no longer claim the coin, even though the previous owner has the previous private key.
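The re-basing transfer above, worked through as an added example (not code from the post): a minimal secp256k1 implementation, the honest re-base with the discrete-log proof w that makes the new base fair, the y-th root cheat that the proof rules out, and textbook ECDSA with the generator as a parameter, so the old-key signature under G and the new-key signature under G' can both be produced and checked against the unchanged P. The nonce k is passed in rather than drawn at random only to keep the example deterministic; in real use it must be fresh and secret per signature.

```python
import hashlib
# secp256k1 parameters (Bitcoin's curve); a point is (x, y) or None for the point at infinity
P_MOD = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition (doubling when a == b)."""
    if a is None or b is None:
        return b if a is None else a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P_MOD == 0:
        return None                                   # a == -b
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den, -1, P_MOD) % P_MOD           # tangent or chord slope
    x3 = (lam * lam - x1 - x2) % P_MOD
    return (x3, (lam * (x1 - x3) - y1) % P_MOD)

def ec_mul(k, pt):
    acc, k = None, k % N                              # double-and-add k*pt
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def rebase(x, z):
    """Honest transfer: new base G' = zG and new key x' = x z^-1, so x'G' = xG = P."""
    return x * pow(z, -1, N) % N, ec_mul(z, G)
def base_is_fair(w, g_new):
    """Accept a new base only with its discrete log w relative to G: G' == wG."""
    return ec_mul(w, G) == g_new
def cheat_base(y, pub):
    """The y-th root trick: G' = y^-1 P satisfies yG' = P without knowing x."""
    return ec_mul(pow(y, -1, N), pub)

def ecdsa_sign(msg, d, base, k):
    """Textbook ECDSA with the generator as a parameter; k must be a fresh secret nonce."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r = ec_mul(k, base)[0] % N
    return r, (h + r * d) * pow(k, -1, N) % N

def ecdsa_verify(msg, sig, pub, base):
    """Check sig against public key pub under the given base (not necessarily G)."""
    r, s = sig
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    w = pow(s, -1, N)
    rp = ec_add(ec_mul(h * w % N, base), ec_mul(r * w % N, pub))
    return rp is not None and rp[0] % N == r
```

A verifier that insists on base_is_fair(w, G') before accepting a transfer accepts the honest re-base and rejects the cheat base, which has no known discrete log relative to G.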
It's analogous to the current coin transfer (signature from old key to new key as transfer), except the discrete log base is changing, not the public key. (Currently G is held fixed as a fairly chosen EC parameter which is a constant point on the curve.)
This obviously can be repeated: keep the original x for calculation purposes and store on the coin the current x. So long as the new holder of the physical coin can choose their own x' and controls the IO interface to the coin, they can be confident the coin can't be stolen. They can network verify the coin, which retains its public key (though changing base).
Or maybe you write the first coin private key (and immediately change the coin private key) around the rim of the coin, and just don't let people play with your coins up close; then you don't even need an electrical interface, nor any electronics on the coin. (Or maybe simpler electronics that can just read out a fixed original private key x.) The transfer to the new private key has to come via the smart phones on manual input of the private key, or just use the private key or part of it as a checksum to the actual private key sent to the user to check it's the right physical coin. It would be nice to store the current private key into the coin.
In fact, simplifying slightly, you could even allow transfer to a y-th root chosen base, so long as the holder knows the private key from the current base and they sign the new base, why not. Then you only need a single signature, not a multisig from old and new private key with respective bases.
You can think of this changing private key as a kind of one-use forward secure signature (forward secure signatures are where you can disavow old signatures because the old private keys are published after expiry). Original signatures are still convincing in this context because of the time-stamping from the period before private key disclosure.
The main advantage of keeping the public key fixed is you can engrave it on a coin (as now) and the main advantage of allowing a DL base to change to represent ownership change is you can safely transfer control of a physical coin without trusting anyone, the coin only needs to store the current private key for convenience.
Maybe there is some advantage to be had for other bitcoin uses of keeping the public key constant. E.g. maybe the UTXO set can be smaller (unclear how)? You could actually do change with a fixed public key, but then you end up with a below par coin. It could be two coins with the same fixed public key (but different bases and private keys and amounts adding up to the original coin denomination), or two coins one with a fixed public key and one not, or two not, breaking the link with the physical coin public key. An emptied or disassociated coin could still be reloaded by spending to its address/public key with a new chosen base.
Coin addresses are currently somewhat opaque because it's a hash of a public key. The new base on each spend could also be opaque if desired (e.g. publish a hash of the public key and base in the transfer message).
Even if you wanted to go crazy for some esoteric reason (e.g. maybe some way to leverage it for privacy somehow?) all coins could have the same public key (but different bases and private keys).
It strangely also allows you to spend to "current bearer" with a fixed coin address, to add value to a coin, because the coin address doesn't have to change; the network tells you via the UTXO query which is the current base allowed to claim ownership and spend the coin!
Adam