Topic: offline bitcoins + NFC = the end of era of current financial system (?) (Read 5018 times)

FYI everyone, I've posted a message on the OtherCoin thread about that blacklist / transaction history issue we talked about above. It's at https://bitcointalksearch.org/topic/m.4915443 . The short version is that we decided to not implement this at all in order to protect the privacy of the OtherCoin users (if we cannot extract the history of a certain private key, neither can law enforcement or anyone else - it's not a matter of encryption, the info just isn't recorded anywhere).

Thank you Beeblebrox! Yes, that is correct, you can transfer the private key over OtherChain as many times as you want (as long as you feel comfortable). If at any point you have reason to believe something fishy is going on, you can ask the OtherCoin card to reveal its half of the private key - from that point on it's just a simple Bitcoin private key, so you can sweep the funds to your wallet or do anything else you want.

Private message sent with my email Beeblebrox.

Hello Drazvan,

I think what he might be asking here is whether or not or can do a series of off-chain transfers without having to put it back on-chain in betwen each transfer (ie: you transfer it to your friend as a loan and they transfer it to a shop for a purchase, the shop transfers it to some other customer as part of change, the customer transfers it to another shop, etc..). 

So: Yes alex04210, you can do an infinite number of sequential off-chain transfers and every transfer is completely free!   (Of course, the original transfer from the block-chain to the coin is on-chain and involves the standard bitcoin network transaction fees).

(By the way Drazvan, I've been meaning to contact all last week and discuss some things.  Is it possible for you to private message me your email?  )

Yes, it does so now. The encrypted Bitcoin key it receives is also signed by the sender card (see below for details). Of course, if you compromise the card and extract its private key, you could sign Bitcoin keys that you've created outside the card (that you can later attempt to double spend).

However, this offers little reward for considerable effort. There's nothing stopping a recipient of funds from immediately running them on the Bitcoin network (and I actually expect people to do just that for higher amounts). So if you spend tens (if not hundreds) of thousands of dollars compromising a card to do a double spend and then the first person you try this on sends your transaction to the blockchain, you've accomplished nothing and lost a lot of money! Also, the wallet apps will monitor the blockchain for any transactions involving addresses they hold the keys to. If at any point they see money going out of an address they own, they should raise an alarm and report this to us, so it's not something that can be done "silently".


Each OtherCoin card has two keys used for encryption - one is a symmetric key (that all cards share) that is used for privacy (each outgoing message is encrypted with that shared key with a random seed (initialization vector) ). This hides the identity of the person sending the funds (so you could transact with the same person twice and not know that). It also makes things a bit harder for people that try to attack the card (since it's harder to craft meaningful messages to the card - you have to properly encrypt them, otherwise the card will drop them immediately since they decrypt to a bunch of nonsensical data).

However, the security of the system is given by the second key - it's a public/private keypair, generated by the card itself. It used to be RSA but now it is an Elliptic Curve key. Each card has a different one and it is used in an ECDH key exchange (see http://en.wikipedia.org/wiki/Elliptic_curve_Diffie%E2%80%93Hellman). Card public keys are signed by our master private key (that is obviously NOT present on any card, it's actually on a smartcard connected to an offline computer, each OtherCoin gets provisioned/signed there).


Not at this point, but that's planned. With a bit of luck, this will actually be ready when we start selling the cards (in a couple of weeks). We will provide a signed blacklist of compromised public keys that each wallet can optionally download and send to the card (since the wallet receives only encrypted messages, it can't tell what public key the other OtherCoin card has).

To summarize, there is very little reward in compromising a single OtherCoin card. You would have to crack the shared key, then crack the private EC key and all that would give you would be the possibility to spend funds you already have twice (not create money out of thin air), while hoping and praying that the recipient doesn't post them to the blockchain or does not raise the alarm when you double spend them (and they see a transaction involving the keys they currently hold).

Keep in mind that these are EAL 5+ level cards that are certified for use by Visa, Mastercard and a bunch of governments. I'm not saying a well funded attacker cannot break one, but all they would get would be the private key for their card, allowing them to double spend funds they already own, in a very public way. I'm sure there are better ways for someone that has the technical ability to do this to make money .

Assuming that the devices are very difficult to crack, but not actually tamperproof:

1. Can the receiver verify that the sender is really an Othercoin card?
2. Does the device contain information that could compromise the entire system? For example, a private key used by every device?
3. Is there a way to blacklist a compromised device or to revoke compromised keys?

The recipient of the funds receives two keypairs: the one that the payer's smartphone has generated and the one the payer's smartcard has generated. The one from the smartphone is in the clear, he can take a look at it. The one from the smartcard is encrypted and can only be decrypted by the recipient's OtherCoin card. The payee imports the secure (encrypted) half into his OtherCoin (the OtherCoin verifies that the encrypted key came from a similar OtherCoin card). If the OtherCoin card has accepted the encrypted half, the user can be sure that the sum between the key that he holds and the key that the card holds is a private key for the funds and that it hasn't been used before.



The recipient gets the key in an offline transaction. The only thing he can't verify offline is the balance (how much that key is worth). He knows for sure that he holds the key to a particular Bitcoin address (he just doesn't know what that key is, half of it is stored in the OtherCoin card). Part of the OtherCoin service will be "certifying" balances for people that want to transact completely offline. Most users however will just look at the blockchain to see how much a Bitcoin address is worth.


Yes, they obviously can transfer it away, to a similar OtherCoin card. The guarantee comes from the fact that each and every OtherCoin card in the chain verifies that the sender is also an OtherCoin card, meaning that it has followed all the rules of the system (has not made copies of the key, etc). Think of it as a tamperproof computer sitting inside your smartphone - it guarantees that all participants in the protocol follow certain rules and even though it runs inside your smartphone you can't control what it does.


No, a key is either transferred via OtherCoin to a similar card or revealed to the user to be used in a Bitcoin transaction. It's either one or the other, as soon as the card gives you the secure part of the private key, it destroys it from its storage, so it can no longer be transferred via OtherCoin. It also destroys it as soon as it's transferred to someone else via OtherCoin.

So, to summarize, the security comes from the fact that all participants use the same hardware and software and that they cannot change the way the software works. They can't change the software to tell it to _not_ delete a private key after sending it or tell it to reveal its keys. It's a black box as far as the smartphone is concerned, you send some input to it and gives you some output, you don't control how it processes your input. What it does though is fairly public, it's described in the whitepaper and I can describe it further if needed.

Oh and BTW, we support 3 form factors for the OtherCoin cards: microSD, Bluetooth smartcard reader and NFC (Yubikey Neo for instance). The microSD card can either be plugged directly into your smartphone or connected to the microUSB port if your phone supports USB storage (we'll bundle one of these: http://www.meenova.com/st/p/m3r.html with every card we sell, it's small, fits on a keychain and works great with the newer Android smartphones that have no microSD slot).

Hi guys, author of OtherCoin here (thanks Beeblebrox for the support, I've just noticed this thread),

Just to summarize and answer your concerns:

1. The OtherCoin smartcard does not hold your private key. It generates a private key internally and gives you the corresponding public key. Your wallet (under your complete control, even our sample is open source, see https://github.com/razvandragomirescu/OtherCoin ) generates a similar keypair (public + private key). The two public keys are added to become your Bitcoin public key (and address). The card never knows what you'll generate as your half (that's exactly how Bitcoin vanity address generators work, I have not invented this), so we cannot touch your funds

2. The security of the system comes from the tamper-resistant nature of the smartcards we use. If you have a GSM phone, you're already using one (your SIM card). If you have a chip and pin card (in Europe for instance), you're also using one. These are chips/devices designed to be secure against all sort of attacks, including physical ones (since they operate in a hostile environment, their users are the most likely attackers).

3. Whenever two OtherCoin cards talk to each other (using your smartphones as proxies - they have no radio capabilities or any other way of reaching another card), they establish a secure encrypted channel and then pass the Bitcoin "half a private key" that they've generated to the other end and at the same time destroy it from local storage so that the current user cannot reuse it.

So take a look at the Android app we wrote as a sample: https://github.com/razvandragomirescu/OtherCoin/blob/master/src/com/cayennegraphics/othercoin/OtherCoinActivity.java (look at line 661 to see how the two key halves are combined into one) and the demo movie at the system in action at www.youtube.com/watch?v=ZR8gz0uVBHk&feature=youtu.be . Feel free to provide feedback, cards will be available for purchase in the next couple of weeks.

It could be possible to print our own banknotes?

actually I agree with this thesis.

That is why  I propose to use NFC tags.
They don't need batteries. they are passive devices. It's assumed that the recipient is merchant so he should have some active device (NFC terminal).

But using NFC active Smartphone will be good alternative for those individuals who want to transfer their bitcoins independently.

For those who doesn't have their own active NFC device there is still no need to have it, because they can use merchant's or anyone's else or even public NFC devices (bitcoins ATMs) to manage their own NFC tags.




I thing this is the future...

we are talking not about "fundamental" future. but about tomorrow things. The main idea is to make some simply and available technology tomorrow.  That is why everybody is looking around himself in order to pick up something which already exists and there is no need to spend a lot of resources in order to implement the conception

look:
smartphones
smartcards
NFC tags
SD cards

are already exist!

It's only the question of software and in the nearest future (maybe months) we will have offline transaction technology.
Of course in some distance future we will have more advanced technologies. I think we will fly instead of driving cars in the future! )) and so what....? we shouldn't think how to develop cars?

This idea is very close to my proposed conception. Actually this idea can be completed with NFC technology cos the speed of pairing and connection of NFC is extremely high.
The main idea is to separate some amount of bitcoins, store and transfer keys.

I didn't understood a few things. How recipient can be sure that the payer didn't make (or someone else) the duplicate of the key?

And can the recipient get that key without been proceed this transaction online?
And can the recipient transfer key which he got from the payer to another recipient ? without been proceed and verified this keys online first

can it be multiply offline transactions?

like it's shown in 4b situation


 

More people have phones than have desktop/laptop computers.  It makes more sense to use phones than computers (by-the-way: you can easily adapt this system to use a desktop anyway).




What  does the battery charge life have to do with it?  The coins don't disappear if the battery is completely  drained.  Neither do you have to continuously run the software. You only need run the software when doing an actual transfer and it uses a very small amount of energy.




I don't even know how to reply to this?  What are you talking about?

When preforming a transfer operation the smart card only ever gives the private key to another smart card of the same type (they do a formal handshake involving secret keys to convince each other that they are genuine cards).  You are relying of the smart card hardware.  Now some people here claim that smart cards are be hacked-- this is true, however it is a very, very hard thing to do.  It is harder to crack a smart card then a desktop computer.  Also, the system uses a spilt key-- you need compromise both the smart card and the phone.  If you're paranoid and have access to the Internet you can check via the blockchain that the balance of public address hasn't already been spent before accepting. 

Personally, I'd feel comfortable having a thousand dollars worth of BTC on such a card-- however some people may not like to store such a large amount so they might limit themselves to only a couple of hundred or even just tens of dollars.   You don't have to put all your bitcoin on the card.  Even with just $40 dollars a day on a card most people could cover their daily small expenses, eg: coffees, smoko/lunch, parking, newspapers, lending a 10er to someone, small purchases on the Internet such as music, movies or reading material (yes this system can also be used over the internet as well as locally face to face), etc..

It doesn't accomplish it by 21 century social means, instead if accomplishes it by 19 century dollar printing essentially. They make dollars and expect all forgeries to be slightly different.

I'm not sure you answered my question. When you receive tokens from somebody, how can you be sure that they have not been duplicated. Also, how can you be sure that their bitcoins have not been spent at times when you don't have access to the block chain?

It's just retarded, there is no need to speculate or explain anything, the very concept is extremely stupid on a fundamental level. Should every person on earth who wants to use crypto in person also have a phone? Do you know how long the battery lasts for modern phones?

In the future there will be small plastic computers the width of a paper bill that you would swipe against each other in order to pay, they will be so cheap to manufacture that you could simply swipe your reserves to a new bill instead of recharging, they would also be so efficient that you would be able to recharge them by manual means.

The keys are not stored on the phone alone.  It stores the key on a microSD smart card.  (Actually, it uses a split key system, which requires both the phone and the SD card to recover the key-- which is even safer-- you can read about it here: http://www.othercoin.com/OtherCoin.pdf )

It prevents counterfeiting with tamper resistent SD smart cards.  

If this is not satisfactory for you then don't use it-- it's a voluntary thing.  However, the vast majority are prepared to use similar technology *everyday* to do small quick transactions, eg. Billions of dollars worth of transactions are completed using smart cards daily (traditional smart card technology).  In my home town alone all the public transport systems use smart cards-- a few million dollars worth of train, bus and ferry trips everyday. Now, personally I wouldn't feel safe putting more a $1000 dollars on a smart card and most people only recharge them to $100 or less but this is enough for the majority of daily small transactions such as coffee's and take-away.  
Just to give an exteme example of how willing the general population uses them I know of a small art gallery that has $10,000,000+ dollars worth of artwork and it security system is based around smart cards.  
Again, in summary- if this isn't good enough for you then don't use it but it's good enough for the majority.

(By-the-way: it's not my system. I've not developed it, I'm just a supporter of it.)

Using phones as wallets is plain stupid