Topic: The Collectibles Issue - page 2. (Read 486 times)

Now that would be dangerous. You accidentally sign a transaction to the wrong address, or with a sub 1 sat/vbyte fee, or with a locktime of block 1,000,000, or something else, and then the device bricks itself. Wave goodbye to your coins. Or you could accidentally send more coins to the collectible in the future, mixing it up for a similar one which is not bricked.

There needs to be some obvious way of telling whether the device is sealed or unsealed, much like an OpenDime does, but the device still needs to function regardless.

They can 'take' an open hardware & open source product, as long as they abide by the license (that usually requires them to release sources for their collectible, too - which I'd welcome anyway, though).

I would imagine this device to brick itself once it has signed a transaction, i.e. clear its keys (pivate and public) and stop responding to queries from the client. Just like visually inspecting a ripped hologram, a non-responsive device (or responding with a 'wiped' message) would indicate the same thing.

A physical seal such as on OpenDime, would of course work, as well.

It was in reference to a device like an OpenDime, which has to somehow be "unsealed" in order to sign a transaction. In the case of the OpenDime, you push an object through a small hole on the board, which unseats a chip on the other side and allows the private key to be accessed.

So prior to being unsealed, the device would be set up to allow people to sign arbitrary messages from it, proving that the necessary private key is indeed on the device, but it would have to be unsealed in order to sign a transaction. And once it has been unsealed, then at that point it cannot be sold to another person, since as you say a transaction could have been signed at any point, even if the coins are still present on the device.

I don't like to be the devil's advocate, however, a signed TX can be easily broadcasted anytime later. So no matter how smart the embedded device is, a previous owner can create and sign the transaction of spending the collectible's coins and... broadcast it years later. Or am I missing something?
Because if I'm right it's no use to embed smarter and more expensive devices into collectibles, this kind of stealing problems can still happen.

Difficult to say. A collectible producer obviously couldn't just take another company's tried and tested product and use it to start producing collectibles without risking running in to legal trouble. But if they instead had something specifically designed for them, then again it pushes the cost up and introduces a new device which has never been examined or tested by independent members of the community. I'm not sure the best solution to this which is both secure but also cheap.

Absolutely. I'm not really the target market for such things, and I only have one or two such things that I picked up in person at various meets and merchants, but I would only ever self fund such a device.

Sure; similar to any other hardware wallet (this would be a dumbed-down hardware wallet, in essence). But again, since those are sold dirt-cheap these days, even below the premium of these collectibles over their loaded value, it seems feasible. If they choose to use a smartcard chip, @tibu may have a business opportunity here. Not vouching for the security of his devices, as I never assessed it or even tested one of those cards, but that just sprung to mind.

He could also use this to impose a way higher premium (after-market prices..) or someone may just not be a daily Bitcointalk visitor. Collectibles as a general concept can be bought and stored for years or decades without 'checking on them' all the time. Imagine you're a big collector and suddenly you need to daily check that all the designers of all your Bitcoin collectibles are 'still trusted'. That can easily get out of hand.

Which is meaningless and provides zero protection.

Which means that all future owners of the coin still have to trust the manufacturer and the original owner.

But it has the same problem as above. It works for the first owner of the collectible, but all future owners have to have complete trust that the two split key parties won't collude to steal the coin.

That's a neat solution. Until of course someone finds a vulnerability and tricks it in to signing a transaction when it isn't supposed to.

True, but it also gives a false sense of security. The creator of some split key collectible could quite easily generate both parts himself, and then pose as a third party seller who says they generated half the split key. Any downstream seller then falsely believes it needs collusion between two parties to steal their coins, when in reality they are at just as much risk as they are now.

One coin at a time beats 100's, or thousands at a time like what happens now.

It gives people a fighting chance to detect it rather than hundreds of people getting their life savings stolen at once.

your forgetting 1 thing with split key generation. they are still your keys if you hold both pieces of the puzzle.

no one's custodial but the downstream owner.

therefore, colluding with a creator in this event would never yield a 100% rug sweep.

It would need some interface of course; USB being the cheapest and easiest to make. The device could e.g. sign messages to show that the (correct) key is there. As well as signing transactions, of course, to spend the funds from that key.

Yes, that's not going to work. If trust is just shifted around, it's pointless.

I mean, since people enjoy trading unique Bitcoin-related items, the most secure way would be to ditch the 'private key' aspect of them and make them just collectibles. No keys on them whatsoever. That makes sense.

Like most rug pulls in crypto / Bitcoin, they repeat quite frequently actually. All of the scams we have today already existed almost from its inception. Sometimes wrapped differently, sometimes blatantly copied.

---

Except that now whoever buys the coin from Alice, has to trust her. She may have a copy of the private key:

---

In case she can't get the partial private key from the coin without damaging it, she could collude with a malicious creator and get it that way (then e.g. split those stolen funds).

Most of these coins come with a certificate of authentication.
instead of releasing random coins they can make preorders,
buyer provides pub key and keeps partial priv.
maker creates
 the maker issue a template that the buyer prints half key on,
 if they resell it make sure its with it.
do a handwritten chain of ownership on the back(if wanted). if the holo is damaged its spent.
the only thing is a piece of paper to keep track of that everyone will, and does.
if the maker keeps all keys and get the single coin in hand again, they "could" sweep. a single coin.

but never an entire batch.

It's better than right now. they can all sweep. period.

Multisig is too risky. disagreement.

Split key generation would be user induced error.

There's a reason I've invested so much time in the splitkey ecosphere.    It's BTCrilliant  

I believe it was designed for this very scenario.  

Other projects like VanityPool used the same concepts and have never had an event.

From JLVS Github page
https://github.com/JeanLucPons/VanitySearch#generate-a-vanity-address-for-a-third-party-using-split-key

Generate a vanity address for a third party using split-key
It is possible to generate a vanity address for a third party in a safe manner using split-key.
For instance, Alice wants a nice prefix but does not have CPU power. Bob has the requested CPU power but cannot know the private key of Alice, Alice has to use a split-key.
*Added Or a Customer wants to buy a physical but doesn't want the issuing company knowing the key!

Step 1
Alice generates a key pair on her computer then send the generated public key and the wanted prefix to Bob. It can be done by email, nothing is secret. Nevertheless, Alice has to keep safely the private key and not expose it.

Note: The key pair is a standard SecpK1 key pair and can be generated with a third party software.

Step 2
Bob runs VanitySearch using the Alice's public key and the wanted prefix.

It generates a keyinfo.txt file containing the partial private key.

Bob sends back this file to Alice. It can also be done by email. The partial private key does not allow anyone to guess the final Alice's private key.

Step 3
Alice can then reconstructs the final private key using her private key (the one generated in step 1) and the keyinfo.txt from Bob.

How it works
Basically the -sp (start public key) adds the specified starting public key (let's call it Q) to the starting keys of each threads. That means that when you search (using -sp), you do not search for addr(k.G) but for addr(kpart.G+Q) where k is the private key in the first case and kpart the "partial private key" in the second case. G is the SecpK1 generator point.
Then the requester can reconstruct the final private key by doing kpart+ksecret (mod n) where kpart is the partial private key found by the searcher and ksecret is the private key of Q (Q=ksecret.G). This is the purpose of the -rp option.
The searcher has found a match for addr(kpart.G+ksecret.G) without knowing ksecret so the requester has the wanted address addr(kpart.G+Q) and the corresponding private key kpart+ksecret (mod n). The searcher is not able to guess this final private key because he doesn't know ksecret (he knows only Q).

Note: This explanation is simplified, it does not take care of symmetry and endomorphism optimizations but the idea is the same.




You guys can reinvent the wheel or overcomplicate things all you want but this is the cheap effective solution. no complicated signature chains , no more trust in the other person or makers.
just make a system based on split key generation. Anything else you can conjure up will be cost prohibitive or overthinking authoritative measures.


It's been done before on physicals. Not exactly as described but the groundworks all here
40mm x 3mm 30g Bitcoin Coin (loadable and customizable coin)

Ugh....if there were a 100% foolproof, failure-proof way of putting a private key onto something like a coin or other collectible thing I'd probably jump headfirst into that aspect of crypto collectibles.  But the fact is that I wouldn't buy a pre-loaded coin because I wouldn't be able to bring myself to unpeel it or otherwise damage it in order to access the key.

I traded a member here for a bunch of HW wallets, which I collect on a part-time basis, but even though I happen to like that member and really don't think he planted any landmines there's no way I'd put any crypto on a beaut like this:



Yeah, I remember the Gravitate fiasco very well, and that was over 6 years ago.  Maybe I was still naive, but I was actually surprised by what happened.

Ok sure, but how can you verify that the factory haven't influenced the private key in some way? How can you verify the private key is even there at all? As far as I am aware, not even something like OpenDime provides a zero knowledge way of confirming there is a private key on the device which corresponds to the address it is showing you. It's possible, but again it's all additional cost.

You could certainly set it up so the coins are spendable by the manufacturer generated private key after a specific time, or before that time by some other set of keys, but then when selling that collectible on then the new owner is still left with the issues of trusting the people holding this second set of keys.

I'm not sure which chip they use, but some chips are themselves made (from the factory) in a way that you can't extract any data from them (tamper-resistant or self-destructing when tampered). Such a chip should be used for this application.

That's true. I was thinking about something with 'emergency keys' (that could be used when people are alerted from one coin having been wiped by the designer - maybe collaboratively, to bypass the time lock) and more complicated crypto, but I don't think it is leading anywhere.

The complicated part isn't generating a random private key, but rather being able to prove to all future parties that it was both generated randomly and without influence, and has not been accessed or otherwise tampered with since then. Even with OpenDimes, has anyone verified that it is impossible to bypass the seal and view the private key without breaking the seal?

Surely any time lock which prevents the manufacturer from stealing the coins also prevents the users from moving the coins to safety.

Assuming a constant Bitcoin price, there could be 2 types:
(1) Low-value prefunded item: traditional way (trust the creator), cheap to manufacture, not too much risk if it gets wiped.
(2) Higher-value prefunded item: include chip that generates randomness internally on-device, stores it inside itself and can sign a transaction, but not output the key in plaintext (very similar to what hardware wallets do). Since hardware wallets with this type of chip can be bought for as low as 50 bucks on sale and have much more functionality, I assume that the functions I describe should be possible with a very cheap circuit board and much less coding. It shouldn't add more than $50 to the 'collectible premium'.

The only issue is when collectibles of the (1) type rise in value due to Bitcoin price increase. But at some point, the BTC value will exceed the 'collectible premium' you first paid for it anyway, so you won't lose anything from swiping it.

---

I'm currently also thinking about a Bitcoin script that would somehow prevent multiple collectibles to be spent in a single transaction and maybe even somehow time-locks them relative to each other (e.g. only 1 per day). That shouldn't inconvenience collectors too much, while preventing the designer to steal more than 1 item before people start talking to each other and doing something against it. I do think it's too complicated for Bitcoin script, though.

Yes, in that case a DIY solution is useless. DIY would only work if you are keeping it for yourself. Similarly any multi-sig or split key method between buyer and producer runs in to the same problems when it comes to resale, in that the new owner is just trusting two people instead of one.

You could essentially use something like OpenDime's system and embed that inside a coin, but yeah, then you are paying a premium for the collectible itself. I can't see any way to do it trustlessly for both the first buyer and all future buyers without electronics in the collectible, though.

What a lot of people are trying to come up with is a way that still allows for resale / trade.

Having me put the private key & hologram on the coin is no better then having the maker do it. You are just trusting a different person. And as they change hands over the years getting back to the person who made it, if it was not the original coin maker is going to be just about impossible.

NFC / RFID with a bit of 'intelligence' is an option that has been kicked around, but that can drive the cost way up.

Still a bit of a work in progress.

-Dave

If you want to do it completely trustlessly, then the only way to do it is a DIY solution where you add the key to the collectible yourself after you have received it.

You can spread the trust by having some kind of multi-sig set up where two or more different collectible producers add private keys to the collectible separately. But as mentioned, all you are doing there is spreading the trust, not eliminating it.

You could potentially do a multi-sig or split key set up where I generate one part and the collectible producer generates the other, but that then means your collectible on its own is worthless. Without my share/key/etc., then the collectible is unspendable, and you will have a hard time selling it to anyone else since they cannot trust that you and the producer are not conspiring together.

BIP38 doesn't work at all since at some point one party must know both the private key and the password.

I have a couple of pre-funded collectables, but they are low(ish) in value and realistically I don't trust them.  I would never keep a significant amount of value in key that was generated by someone else.

There may be a way to give the purchaser the control by forcing him to generate a key for a 2-of-2 multi-sig wallet in advance of the purchase.  But that could make the purchasing process more cumbersome for those who aren't technically inclined, and it would definitely put a crimp in the manufacturing process.

The collectible coin and card market is pretty cool and I would hate to see the recent events tarnish the segment, but I think the only safe way to purchase collectibles capable of holding funds is to only buy the DIY type.  Anything else is really the antithesis of all that bitcoin stands for.

I am not active in that board, but I thought that they were buying gold/silver/bronze holdings that have a value equal to the bitcoin you will pay, for example a card with about 3 grams of gold or some value and not preloaded addresses.

The solution is simple, which is to leave an empty place and then leave the choice to the person to download it or not, but the idea in itself is opposite to the way Bitcoin works.

I hope someone can explain to me more if I'm doing something wrong and I'll try to find out exactly what they're selling.