Topic: fixed public key coin transfer (for zero-trust physical coin transfer) - page 2. (Read 9865 times)

sr. member
Activity: 280
Merit: 257
bluemeanie
Seems you guys aren't familiar with the history of these products and what's currently available.

If you're willing to get into complex hardware, you can always go the Smart Card route which is a very cheap way of printing an IC onto a piece of plastic like a credit card.  This IC is the actual crypto function, and the private key is embedded into it.  In order to get the private key, you need to either get it from the manufacturer or reverse engineer with an electron microscope and an evil genius for hire.

Smart Cards came out many years ago but were never really put into widespread use.  https://en.wikipedia.org/wiki/Smart_card.  I imagine that SCs are even cheaper today with what is available.  Sergio, the issues of tampering with the physical factor have been solved long ago.  Smart Cards caught on more in Europe than the Americas.

Of course you can introduce more factors into the auth process such as passwords or additional keys without modifying or replacing the smart card artifact.  You don't really need much fancy math to give you these basic functions.  Basically all you need is a smart card reader (some laptops have this or you could implement one very cheaply), and some simple software.  It's far more secure than regular credit cards.

I also came up with a way to implement a useful paper wallet using Visual Cryptography.  You can implement this scheme with a simple laser printer.  Adding holographic serial numbers greatly enhances the security though (these can be obtained pre-printed for acceptable prices).

https://bitcointalksearch.org/topic/m.2386001
hero member
Activity: 555
Merit: 654

Now all we need is a kick starter for someone with a bit of hardware expertise to put an unpowered 1kB contact readable serial readable flash drive inside a coin :)  Maybe you could have a coin hold a standard usb drive, just pull it in half and plug it in, even easier to read.  Unfortunately smart phones don't have usb readers.


This is what I did: check the new thread: https://bitcointalksearch.org/topic/firmcoins-a-new-kind-of-bitcoin-physical-bill-ready-for-off-line-transactions-232898

You can prove that you have a certain private key by simply signing an arbitrary message with it (but the message to be signed must be chosen such that neither of the parties can force it).

I've also added a new method to verify the FIRMWARE authenticity by using "practically incompressible" firmware. And challenging the firmcoin to dump the firmware in a very short time.

You can check how this protocol works at: http://firmcoin.com/?page_id=14

And also the firmcoin is rechargeable. You can store some funds, extract them, and store additional funds (the device generates a new private key address each time you load funds, using a hardware random number generator).

Best regards, Sergio.




sr. member
Activity: 404
Merit: 362
in bitcoin we trust
Anyway, your proposal has no advantage at all, because it is equivalent to transferring bitcoin to another address. You can throw the physical coin away after that.
You just didn't understand his proposal...


So far physical bitcoins sell for a big margin above BTC value, and the fact that they are things of beauty is part of the fun, so throwing them away would be undesirable.

However they are currently a security/trust risk because of their design.  Apparently some of them put the private key on the underside of a tamper evident sticker printed with inkjet.

You want the info on the outside of the coin to be unchanging and yet easily verifiable as to its spent state, and you want to fix the trust issues with transferring them in physical form, so the thing that has to change instead is the private key and base.

Now all we need is a kick starter for someone with a bit of hardware expertise to put an unpowered 1kB contact readable serial readable flash drive inside a coin :)  Maybe you could have a coin hold a standard usb drive, just pull it in half and plug it in, even easier to read.  Unfortunately smart phones don't have usb readers.

btw it also occurs to me you could safely sell unloaded coins also, just engrave an address on the coin and include the public key on the embedded flash card.  User loads by spending to that public key and some base they choose themselves.


Also another weird thing you can do (unrelated to physical coins) if you allow user computed bases via y-th root, is have a public key which is human readable, without address mining.  (Note address remains unreadable as it's a hash of public key).  eg your public key could be your email address.  Possibly a bit dangerous because there is no registration to prove it's your address, though I suppose they could email you to check... however you probably wouldn't want to transfer a coin with your address as its public key via a base change.  (Just spend it normally to recipient).

Unfortunately you can't choose both base and public key arbitrarily - you can't do it without breaking discrete log - you can choose either the base or the public key arbitrarily.  To choose a point arbitrarily you have to use something called hash2curve - strings are not always valid points on the curve, so a simple deterministic algorithm is used to choose the closest change from the string to make it into a point on the curve.  eg see 4.1.1 of http://tools.ietf.org/html/draft-harkins-tls-pwd-03.

Adam
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
First of all, the private key is simply printed on the physical coin, no SD card involved.
This doesn't change anything

Anyway, your proposal has no advantage at all, because it is equivalent to transferring bitcoin to another address. You can throw the physical coin away after that.
You just didn't understand his proposal...
legendary
Activity: 1792
Merit: 1111
First of all, the private key is simply printed on the physical coin, no SD card involved.

Anyway, your proposal has no advantage at all, because it is equivalent to transferring bitcoin to another address. You can throw the physical coin away after that.
legendary
Activity: 1176
Merit: 1280
May Bitcoin be touched by his Noodly Appendage
Wow that's smart...

I see one small drawback:
A client that would want to check if the n-th recipient can do so will have to download and process all the previous base changes to check everything is ok

Forget it, it would be just like a normal transaction: it would be verified change by change, assuming the previous was ok because we validated it

This is really a beautiful possibility
sr. member
Activity: 404
Merit: 362
in bitcoin we trust
I have been musing about how to improve physical coin security, because well physical coins are just so cool :)

It's obvious that the https://www.casascius.com/ reliance on a hologram covering a microSD card held in a recess in the coin has several problems: how do you know there is a private key on an SD card inside it (trust manufacturer).  Also how can you spend it convincingly without wrecking the hologram.  And anyone can get some holograms printed up, remove key.  Now apparently some of the coins have the coin address engraved on the coin rim which is quite cool as you can check if it's currently spent.  However it could be spent at anytime if the former owner or manufacturer cheated.

So my variation on this is that you can actually generate a new private key for an existing coin address / coin public key (relative to a new discrete log base).  The effect is that I think you could hold a coin public key constant while convincing someone in zero-trust that you did not retain the effective private key, by changing the base.

Normally P = xG (elliptic curve discrete log notation)

Now you can use different G values and still make a signature.  eg if you could compute P = x'G' (same public key P, different private key x', different base G') you can make an ECDSA signature wrt P, x' and G'.  It will validate against P and G'.

But you have to be careful as anyone can cheaply compute the y-th root of P: if you can choose G' randomly, you can cheat.  ie compute y^-1 mod n and multiply: G' = y^-1 P.  That's because that is an elliptic curve y-th root which is trivial to calculate because G' is an arbitrary result (the y-th root) not a pre-chosen discrete log base, even though it looks like a base when you've finished.  (n is the order of the group).

So how could you fairly choose a new base?  One way is to demonstrate you know ECDL of G', ie you know w such that G' = wG.  We can probably do that safely:

Recipient gets private key easily from coin, if it has an electrical interface to reveal it on contact.  Computes new random z, and G' = zG and x' = x z^-1 mod n.  x' is the new private key because P = x'G' and P = x'G' = (x z^-1)(zG) = xG so P is unchanged.

Recipient publishes multi-signature of P' with old private key x, and second signature of P' with new private key x' relative to new base G' to the bitcoin network.  Once that is hashed after a few blocks they can be sure the previous owner can no longer claim the coin, even though the previous owner has the previous private key.

It's analogous to the current coin transfer (signature from old key to new key as transfer), except the discrete log base is changing, not the public key.  (Currently G is held fixed as a fairly chosen EC parameter which is a constant point on the curve).

This obviously can be repeated: keep original x for calculation purposes and store on the coin the current x.  So long as the new holder of the physical coin can choose their own x' and controls the IO interface to the coin, they can be confident the coin can't be stolen.  They can network verify the coin, which retains its public key (though changing base).

Or maybe you write the first coin private key (and immediately change coin private key) around the rim of the coin, and just don't let people play with your coins up close, then you don't even need an electrical interface, nor any electronics on the coin.  (Or maybe simpler electronics that can just read out a fixed original private key x).  The transfer to new private key has to come via the smart phones on input of the private key manually, or just use the private key or part of it as a checksum to the actual private key sent to the user to check it's the right physical coin.  It would be nice to store the current private key into the coin.


In fact simplifying slightly you could even allow transfer to a y-th root chosen base, so long as the holder knows the private key from the current base, and they sign the new base, why not.  Then you only need a single signature not a multisig from old and new private key with respective bases.


You can think of this changing private key as a kind of one-use forward secure signature (forward secure signatures are where you can disavow old signatures because the old private keys are published after expiry).  Original signatures are still convincing in this context because of the time-stamping from the period before private key disclosure.


The main advantage of keeping the public key fixed is you can engrave it on a coin (as now) and the main advantage of allowing a DL base to change to represent ownership change is you can safely transfer control of a physical coin without trusting anyone, the coin only needs to store the current private key for convenience.


Maybe there is some advantage to be had for other bitcoin uses of keeping the public key constant.  eg maybe the UTXO set can be smaller (unclear how)?  You could actually do change with a fixed public key, but then you end up with a below par coin.  It could be two coins with the same fixed public key (but different bases and private keys and amounts adding up to the original coin denomination) or two coins one with a fixed public key and one not, or two not breaking the link with the physical coin public key.  An emptied or disassociated coin could still be reloaded by spending to its address/public key with a new chosen base.


Coin addresses are currently somewhat opaque because it's a hash of a public key.  The new base on each spend could also be opaque if desired (eg publish hash of public key and base in the transfer message.)

Even if you wanted to go crazy for some esoteric reason (eg maybe some way to leverage for privacy somehow?) all coins could have the same public key (but different bases and private keys).


It strangely also allows you to spend to "current bearer" with a fixed coin address, to add value to a coin, because the coin address doesn't have to change, the network tells you via the UTXO query which is the current base allowed to claim ownership and spend the coin!

Adam
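The base-change transfer Adam describes above (P = xG kept fixed, recipient picks z, G' = zG, x' = x z^-1 mod n, then old and new keys both sign), together with the y-th root trap he warns about and the jointly chosen challenge message from Sergio's post, worked through as an added example. This is not code from the thread, from Casascius or from Firmcoin: it is a from-scratch secp256k1 implementation in pure Python so it runs offline, ECDSA is written with the base point as an explicit parameter (base = G is ordinary ECDSA), and the coin private key COIN_X, the recipient's z, the nonces and the "firmcoin-challenge" label are constructed sample values.

```python
import hashlib
import secrets

# secp256k1 domain parameters (public constants from the curve standard).
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(P, Q):
    """Affine point addition; None stands for the point at infinity."""
    if P is None:
        return Q
    if Q is None:
        return P
    (x1, y1), (x2, y2) = P, Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return None
    if P == Q:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, p) % p
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, p) % p
    x3 = (lam * lam - x1 - x2) % p
    return (x3, (lam * (x1 - x3) - y1) % p)

def ec_mul(k, P):
    """Double-and-add scalar multiplication (illustrative, not constant-time)."""
    R = None
    while k:
        if k & 1:
            R = ec_add(R, P)
        P = ec_add(P, P)
        k >>= 1
    return R

def h(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(x, base, msg):
    """ECDSA with the base point as a parameter: valid for any (P, base) with P = x*base."""
    k = secrets.randbelow(n - 1) + 1
    r = ec_mul(k, base)[0] % n
    s = pow(k, -1, n) * (h(msg) + r * x) % n
    return (r, s)

def verify(P, base, msg, sig):
    r, s = sig
    if not (0 < r < n and 0 < s < n):
        return False
    w = pow(s, -1, n)
    R = ec_add(ec_mul(h(msg) * w % n, base), ec_mul(r * w % n, P))
    return R is not None and R[0] % n == r

def joint_challenge(nonce_a, nonce_b):
    """Message neither party can force on its own: hash of both parties' nonces (Sergio's point)."""
    return hashlib.sha256(b"firmcoin-challenge|" + nonce_a + b"|" + nonce_b).digest()

def change_base(x, z):
    """Recipient's base change: G' = zG, x' = x*z^-1 mod n, so x'G' = xG = P is unchanged."""
    G_new = ec_mul(z, G)
    x_new = x * pow(z, -1, n) % n
    return G_new, x_new

def transfer(x, z, msg):
    """Transfer record: new base plus signatures from the old key (under G)
    and the new key (under G') over the same message, both against the fixed P."""
    G_new, x_new = change_base(x, z)
    return G_new, x_new, sign(x, G, msg), sign(x_new, G_new, msg)

def verify_transfer(P, G_new, msg, sig_old, sig_new):
    return verify(P, G, msg, sig_old) and verify(P, G_new, msg, sig_new)

def yth_root(P, y):
    """The trap: anyone can fabricate G' = y^-1 * P so that P = y*G' without knowing x.
    A base chosen this way proves nothing, which is why the base must be zG with z known."""
    return ec_mul(pow(y, -1, n), P)

# Constructed sample coin key (not from the thread).
COIN_X = 0x1D3E5C7A9B2F4E6D8C0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F61
COIN_P = ec_mul(COIN_X, G)

def demo():
    msg = joint_challenge(b"buyer-nonce-01", b"seller-nonce-02")   # constructed nonces
    z = 0x0A1B2C3D4E5F60718293A4B5C6D7E8F90A1B2C3D4E5F60718293A4B5C6D7E8F9  # recipient's z
    G_new, x_new, sig_old, sig_new = transfer(COIN_X, z, msg)
    return {
        "pubkey_unchanged": ec_mul(x_new, G_new) == COIN_P,
        "transfer_valid": verify_transfer(COIN_P, G_new, msg, sig_old, sig_new),
        # the previous owner's key x no longer verifies against P under the new base
        "old_key_valid_under_new_base": verify(COIN_P, G_new, msg, sign(COIN_X, G_new, msg)),
        # a y-th root "base" satisfies P = y*G' even though nobody used x to build it
        "yth_root_satisfies_relation": ec_mul(7, yth_root(COIN_P, 7)) == COIN_P,
    }

if __name__ == "__main__":
    print(demo())
```

Running demo() shows the two properties the scheme rests on: the public key survives the base change (so it can stay engraved on the coin), and the old private key is useless against the new base, while the last check shows why a base that was not derived as zG from the fixed G must not be accepted. The curve code is written for readability, not side-channel resistance; a real implementation would use a constant-time library.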