Topic: Making a real tangible bitcoin that actually conveys BTC - page 2. (Read 4562 times)

It's not as simple as you think. If the owner publishes a signed list of addresses, the fake card can just use one of those. If the real card contains a signed message from the owner, the fake card can copy this. If the real card signs challenges, then it contains a private key that the fake card can steal.

This is how DVD and Blu-Ray got cracked; it's impossible to secure hardware.

You can rely on trust on the issuer, that's not a major problem, I think. All you need is a way to be sure it really was the issuer you trust who created that smart card, and that could be done by a simple signature of the card address/public key.

The problem I see in this is the card production cost... is it as cheap as a piece of paper? If the cost is high, this would only be useful for larger amounts of bitcoins, never for pennies...

This can't be implemented because it breaks certain transaction guarantees. In particular, it would allow transactions with more than 6 confirmations to be accidentally reversed due to network segmentation.


Bitcoin already has code to delay transaction validity until a certain time, but it will never expire transactions.


This is already supported by the protocol.

explain.  Readers don't "grant access", they merely confirm the money is either good or it's not.  (and perhaps re-key the card if in doubt the keys are secure).

Unlike Visa or ATM, these cards don't need to be read to be spent, just to be verified as non-counterfeit.  Conscientious user can own and trust his own reader attached to his own computer.  User should practice safe sex, and not stick his smart cards ("bit cash") into random holes and he should have nothing to worry about.  If he wants to spend the money on the card, he GIVES the card away like cash.

If you were to incorporate a trusted 3rd party, such as Open-Transactions that held the keys it might be doable. The only downfall is fake readers with a modified merkletree that fails to grant access.

Thinking a little deeper, I am persuaded that the only weak link left in the chain would be the maker of the smart card.

- The maker of the smart card could record the private key of all the smart cards he produces, and later steal the BTC from all the cards he produced, all at once.
- The maker of the smart card could make the card lie about max(X), so someone could have a valid transaction out there with nobody knowing it.

If I'm on the right track, then an effective countermeasure could be as follows.  BTC addresses could have a "dual signature" scheme, where creating a valid transaction to spend the coins requires a second signature.

Signature 1 would be the private key embedded by the maker and cannot be changed.

Signature 2 would be a second private key, originally embedded by the maker but replaceable by any user.  A message could be broadcast via the block chain telling everybody the public key of signature 2, every client would then know that spending from this bitcoin address requires a valid second signature.

The private key for signature #2 doesn't really need to be kept secret from any possessor of the card, it only needs to be secret from the original maker of the card who might know private key for #1.  Private key #2 is useless when not accompanied by a signature made from private key #1.

Any user with a smart card reader could generate a brand new keypair for generating signature 2, and upload it to the card, and then send a signed "new second signature" message (signed by #1 and old #2) to the block chain, telling everybody about the replaced #2.  Such message, of course, would expire by a certain block X.

The verification process (the "counterfeit detection pen" process) would confirm that publicly known key for signature #2  had a corresponding private key on the card.

Original maker of smart card might know private key for signature #1, but definitely will not know private key for signature #2 since it was made by a user on their own computer.  Maker could steal the money from the card until the first person generates a new #2.

Anyone possessing a valid card but suspicious that the maker (or anybody else) might know private key #1 and possibly #2, may simply generate a brand new #2, once acknowledged by the block chain, he may know the BTC on the card is good without trusting anyone, not even the card maker.

The smart card will have memory to remember the last two or three keypair #2's instead of overwriting it immediately upon replacement, to eliminate the risk that a botched attempt to update #2 would render the card worthless.

Finally,

To prevent cards from lying about max(x), they could be required to give not just a block number, but also the known hash for a block.  The network could say, conditional transactions are good for 10 blocks and no more.  Instead of saying, "this transaction good till block 100000", it could say "I know the latest block 100000 has hash XXX", and all clients know, that transaction is void past block 100009.  Card would have no way to create a conditional transaction that lasted any longer than that.

A viable countermeasure might be that instead of signing a nonce, it signs a conditional transaction that is only good before block number X, and makes the highest X ever emitted for such a transaction available to any device reading the card.  The card would never know if it was forking over the bitcoins for real, but any reader who knew the current block count was well beyond max(X) could trust that the last transaction it emitted was void.

Obviously the bitcoin software would have to be modified to accept (or reject) such conditional transactions, but that doesn't sound like outside the realm of feasibility.

If it did this, it would permanently negate the need for the card to ever spill the private key to give up the bitcoins, or to generate a brand new key pair.  Dumping out the coins would simply mean broadcasting the conditional transaction in a timely manner.  Once block X came and went, the card would still be good if the bitcoins were merely "given back" to the card's address.

Interesting idea. It'd probably be more counterfeit-proof than paper currency.

However, you could create a counterfeit card that does all of the signing and stuff, but when you try to withdraw the bitcoins, it deletes the private key. Whoever creates the card gets to trade it and keep the BTC it represents.

This is an idea for a practical way to create a physical cash-like form of BTC, I will call a token.

The requirements for making a BTC token are 1) a way for a holder to prove it's real and 2) a way for a holder to get the BTC by themselves... beyond that, it needs to be a physical medium of exchange that can be entirely conveyed just by passing it to another person.

I propose this idea.

1 - BTC can be loaded on a pre-denominated smart card.  Have a peek at http://www.basiccard.com.  You can buy fully programmable smart cards for as little as $1.  Suppose I bought their kit and "made" a 50 BTC card (simply by printing 50 [Bitcoin logo] artwork on it)

2 - People would treat the smart card just like a 50 BTC bill, like cash.  It could be traded around for years, just like a 50 dollar bill.  The smart card contains the private key for a Bitcoin address holding 50 BTC, and an on-board application for keeping that private key secure.

3 - Anyone wanting to check the validity of the BTC on the smart card could stick the smart card into a reader.  The smart card would cough up the bitcoin address, public key, and sign a nonce (provided by the reader) to prove that the private key was on the card, to avoid divulging it.  The open source program on the reader would verify against the block chain to ensure 50 BTC was really at the address claimed on the card.  This function would be similar to using a "counterfeit detection pen" on FRN's.

4 - Anyone wanting to "cash out" the BTC on the card could do it, though this function would be a last resort as the card would no longer be usable.  The smart card application would have a mode that forces it to cough up the private key.  Once the private key were coughed up, the card would permanently report that the private key was divulged during future validity checks, so they would fail for that reason.

5 - Can the smart card generate its own keypair?  I happen to own a USB crypto stick (for Adobe CDS) that, by design, produces its own RSA keypair in hardware.  It's damn slow, but it works, and they've made it this way just to be very sure I can't physically get my own private key, so that usage of private key essentially proves physical possession of the device.  The device itself does all the signing, I must plug it in to sign a document.  I guess a smart card is really just a small processor.  A card that was able to generate its own keypair could theoretically be reloaded, because it could internally generate itself a brand new Bitcoin address that was known to no one else, to which somebody could send the 50 BTC back to.

For curiosity's sake, this is a link to the physical device I own: http://www.cyprotect.com/e/main0105.php (mine is identical other than mine doesn't say SafeNet on it)... it looks like a thumb drive, but it definitely is not.  Windows sees this as a smart card reader that happens to have a smart card in it (as though it were removable) - so physically, it's probably just a reader with the smart card soldered in place.  Whatever this can do, probably so can a smart card.

Ideas?  Any obvious flaws?