
Topic: Theft-Resistant "Specific Use Only" Wallets (Read 1965 times)

legendary
Activity: 1106
Merit: 1026
March 11, 2014, 01:55:12 PM
#29

Anything that goes online is not 100% safe.

How about you two realize what you are talking about before posting nonsense?

I'd be very interested in knowing how a 2-of-3 approach adds insecurity?

By the way, I'm not affiliated with BitGo, but I summoned this guy from Reddit.
newbie
Activity: 40
Merit: 0
Anything that goes online is not 100% safe. Anyone heard of the hardware BTC wallet?
hero member
Activity: 784
Merit: 1000
https://youtu.be/PZm8TTLR2NU
...could an organization pop up which, say, represents all Bitcoin merchants in North America - or perhaps BitPay could handle this all centrally...

http://www.youtube.com/watch?v=pp0cg91rK2o
donator
Activity: 1218
Merit: 1015
Have you tried BitGo (https://bitgo.com)? BitGo is a theft-resistant wallet that uses multi-sig built on P2SH. 3 keys issued, 2 required to sign any transaction. One key is stored with BitGo, one with the user, and one offline. Security of multi-sig with the ease of use of online/mobile access.

We've published a whitepaper (https://www.bitgo.com/p2sh_safe_address) on our tech and open-sourced a lot of components. Our tech was built by a team compiled of veterans in online security and digital currency.

In addition to the security of multi-sig, our platform enables additional protections like spending limits, network fraud detection, and whitelist addresses. This means that you could design a specific-use wallet that has limits on how much can be spent in a day or where you could spend your funds. If a thief took your wallet/phone, they would be stopped by these protections and you could move your funds to a new wallet later on.

Please give BitGo a try and let us know what you think! https://bitgo.com
Learn more about BitGo at http://bitgoinc.com
Interesting. Will check it out. Thanks!
member
Activity: 83
Merit: 10
https://bitgo.com
Have you tried BitGo (https://bitgo.com)? BitGo is a theft-resistant wallet that uses multi-sig built on P2SH. 3 keys issued, 2 required to sign any transaction. One key is stored with BitGo, one with the user, and one offline. Security of multi-sig with the ease of use of online/mobile access.

We've published a whitepaper (https://www.bitgo.com/p2sh_safe_address) on our tech and open-sourced a lot of components. Our tech was built by a team compiled of veterans in online security and digital currency.

In addition to the security of multi-sig, our platform enables additional protections like spending limits, network fraud detection, and whitelist addresses. This means that you could design a specific-use wallet that has limits on how much can be spent in a day or where you could spend your funds. If a thief took your wallet/phone, they would be stopped by these protections and you could move your funds to a new wallet later on.

Please give BitGo a try and let us know what you think! https://bitgo.com
Learn more about BitGo at http://bitgoinc.com
legendary
Activity: 1106
Merit: 1026
Somewhat related:

Check out the two wallets in my signature. https://api.trustedcoin.com//#/ provides a service that locks payouts for 24 hours by using 2-out-of-3 multi signature transactions where the user holds two keys - one for the online computer, the other one as secure backup/offline key and they hold one.

The payout is initiated by the user and they sign and broadcast the transaction after 24 hours. The user is informed via email and SMS if a payout is initiated and has 24 hours to cancel. The service provider never has the authority to spend coins without the user's approval nor is the user dependent on the service provider.

Within the Master protocol there are going to be "saving wallets", but that is limited to the Mastercoin ecosystem of course. Preliminary spec can be found here: https://github.com/mastercoin-MSC/spec#transactions-to-limit-funds-theft-prevention

The ideas there could be transformed into an oracle service and applied to real BTC with a similar service as mentioned above. Something like "sign only, if recipient address is X" should certainly be possible with a 2-out-of-3 signatures approach.
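
The "sign only, if recipient address is X" oracle discussed above, sketched as an added example that is not part of the original post or of any service's code: the holder of one key in a 2-of-3 wallet checks a payout request against a whitelist, a daily limit and a freeze flag before agreeing to co-sign. All names, addresses and amounts are constructed placeholders, and no real signing is performed.

```python
from dataclasses import dataclass, field

SATOSHI = 100_000_000  # amounts are integer satoshis to avoid float rounding


@dataclass
class WalletPolicy:
    """Rules a co-signing service enforces for one 2-of-3 wallet (hypothetical)."""
    whitelist: set          # addresses the service will co-sign payments to
    change_address: str     # the wallet's own address; change must return here
    daily_limit: int        # satoshis per calendar day
    frozen: bool = False    # set when the owner reports the device stolen
    spent_by_day: dict = field(default_factory=dict)


def review_payout(policy, outputs, day):
    """Decide whether to add the service's signature.

    outputs: list of (address, satoshis) taken from the transaction to be signed.
    Returns (approved, reason); spend is recorded only on approval.
    """
    if policy.frozen:
        return False, "frozen"
    spend = 0
    for address, amount in outputs:
        if amount <= 0:
            return False, "bad amount"
        if address == policy.change_address:
            continue  # change stays under the same 2-of-3 script
        if address not in policy.whitelist:
            return False, "recipient not whitelisted"
        spend += amount
    if spend == 0:
        return False, "no payment output"
    used = policy.spent_by_day.get(day, 0)
    if used + spend > policy.daily_limit:
        return False, "daily limit exceeded"
    policy.spent_by_day[day] = used + spend
    return True, "co-sign"


def run_constructed_requests():
    """Replay constructed payout requests; addresses are placeholders."""
    policy = WalletPolicy(
        whitelist={"MERCHANT_A", "MERCHANT_B"},
        change_address="WALLET_CHANGE",
        daily_limit=SATOSHI // 10,  # 0.1 BTC
    )
    change = ("WALLET_CHANGE", 90_000_000)
    log = [
        review_payout(policy, [("MERCHANT_A", 6_000_000), change], "day-1"),
        review_payout(policy, [("THIEF_ADDR", 1_000_000), change], "day-1"),
        review_payout(policy, [("MERCHANT_B", 5_000_000), change], "day-1"),
        review_payout(policy, [("MERCHANT_B", 5_000_000), change], "day-2"),
    ]
    policy.frozen = True  # owner reports the phone stolen
    log.append(review_payout(policy, [("MERCHANT_A", 1_000_000), change], "day-2"))
    return log


if __name__ == "__main__":
    for approved, reason in run_constructed_requests():
        print(approved, reason)
```

The policy binds only the service's key: a user who holds both the online and the offline key can still spend without it, which is why such limits can be lifted from home.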
donator
Activity: 1218
Merit: 1015
Fungibility isn't really limited since the limits can be easily reversed once you arrive home.

But fungibility IS limited while you are not at home.   No buying a hotdog from the street corner vendor that doesn't have the approved limited-fungibility-bitcoin terminal, or the girl scout selling girl scout cookies until after you get back home and convert it.

There is really no need to have such a system until bitcoin becomes the only form of payment.  In spite of anarcho-libertarian wishing for this in the near future, it's not gonna happen for a long, long, time.  VISA/Mastercard's legacy system would be sufficient, but I'm sure they would rather have your money under their control (as a demand deposit or credit) as it would be currently than sharing partial control with them.
I don't disagree (and I was definitely fantasizing), but we will have local anomaly cases where BTC acceptance is strangely high, maybe not always German in the future.

Better calmly prepare for the future than scramble to fix the past, yeah?
member
Activity: 112
Merit: 10
Fungibility isn't really limited since the limits can be easily reversed once you arrive home.

But fungibility IS limited while you are not at home.   No buying a hotdog from the street corner vendor that doesn't have the approved limited-fungibility-bitcoin terminal, or the girl scout selling girl scout cookies until after you get back home and convert it.

There is really no need to have such a system until bitcoin becomes the only form of payment.  In spite of anarcho-libertarian wishing for this in the near future, it's not gonna happen for a long, long, time.  VISA/Mastercard's legacy system would be sufficient, but I'm sure they would rather have your money under their control (as a demand deposit or credit) as it would be currently than sharing partial control with them.


donator
Activity: 1218
Merit: 1015

I could see a gift card being an okay solution if it were instead, say, redeemable private currencies I could redeem for a currency of my choice, but I was thinking more along the lines of something I could use at any legitimate merchant, but not a fencer, illegal gun salesman, or street-corner drug salesman.

What you are seeking is the current credit/debit card system with reversible transactions and no anonymity. Such a system currently does not allow payments to individual private persons. I normally can't meet with a person that I find on craigslist selling an item I want and pay him with my debit card.

Quote
When I was thinking about this, I was envisioning a rubber hose kind of scenario, where bitcoins were being demanded of me, but it would be impossible for me to send them to the thief, so threats to make me hand money over to him would be ineffective since I couldn't send money to his address. I could give him the physical wallet hardware and password, but then he'd have to only use it at registered merchants, where the blacklisting and unblinding, as you mention, would come into play.

You shouldn't be carrying devices that have access to private keys to large amounts of bitcoin, so they can be coerced from you. The average person doesn't carry large amounts of cash so it minimizes the risk. The risk vs. reward ratio should be large enough to deter most criminals. If you are uncomfortable with carrying around a certain amount of cash, you should also be uncomfortable with carrying around the private keys to the same amount of bitcoin.

I would really prefer that no amount could be easily coerced from me, and I've never mentioned reversibility, which this scheme would not enable. Fungibility isn't really limited since the limits can be easily reversed once you arrive home.
member
Activity: 112
Merit: 10
I think there is a business case for this also.  Suppose a business or group of them want to sell/give away/discount Bitcoins that only work at their business or group of businesses.

Then I think the multisig would work here.  You buy/get for free/get at a discount the BTC but you can only spend them at certain places.  

You are still talking about limited fungibility bitcoins, and there can't and shouldn't be such a thing.  You may be able to make a hardware device that limits itself to generating transactions only to white-listed addresses, but it's only a hardware protection that could be hacked or cracked to get access to the private keys.   It might even get you killed if an armed mugger doesn't believe that your hardware bitcoin wallet is limited in that way.  Such a business or group should use their own gift card system, rather than trying to use bitcoins.

If you insist on grafting such a system to bitcoins, probably the only way is to have private keys in escrow with the "business or group", in a system where it requires both parties to access the private key. But it would require the other party to release them back to you in the event you want to spend fully fungible bitcoins. (update - just read jimhsu's suggestion https://bitcointalksearch.org/topic/m.5574757 which could work)



legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
I think there is a business case for this also.  Suppose a business or group of them want to sell/give away/discount Bitcoins that only work at their business or group of businesses.

Then I think the multisig would work here.  You buy/get for free/get at a discount the BTC but you can only spend them at certain places. 
member
Activity: 112
Merit: 10

I could see a gift card being an okay solution if it were instead, say, redeemable private currencies I could redeem for a currency of my choice, but I was thinking more along the lines of something I could use at any legitimate merchant, but not a fencer, illegal gun salesman, or street-corner drug salesman.

What you are seeking is the current credit/debit card system with reversible transactions and no anonymity. Such a system currently does not allow payments to individual private persons. I normally can't meet with a person that I find on craigslist selling an item I want and pay him with my debit card.

Quote
When I was thinking about this, I was envisioning a rubber hose kind of scenario, where bitcoins were being demanded of me, but it would be impossible for me to send them to the thief, so threats to make me hand money over to him would be ineffective since I couldn't send money to his address. I could give him the physical wallet hardware and password, but then he'd have to only use it at registered merchants, where the blacklisting and unblinding, as you mention, would come into play.

You shouldn't be carrying devices that have access to private keys to large amounts of bitcoin, so they can be coerced from you. The average person doesn't carry large amounts of cash so it minimizes the risk. The risk vs. reward ratio should be large enough to deter most criminals. If you are uncomfortable with carrying around a certain amount of cash, you should also be uncomfortable with carrying around the private keys to the same amount of bitcoin.
member
Activity: 112
Merit: 10
The only way that "anonymous" and "hardware wallet" can work is, I think, as a prepaid device. Otherwise, sending funds to it can be traced similarly to sending on any other device. So -- basically, a gift card.

They most could be, but I'd prefer a reusable device that could have its private keys changed. I'd personally be taking the money off the wallet when I wasn't using it, and putting it back on when I did, using paper wallets that had private keys that didn't exist on any machine. Anonymity could be preserved by loading and unloading with anonymous paper wallets. If it traces to your exchange, that is information that only LE should be able to access, not the retailer or an individual person.
donator
Activity: 1218
Merit: 1015
Anyway, is it possible to create separate "specific-use-only" wallets you could store in, say, your phone or your Trezor, where funds could only be sent to specific whitelisted addresses?
I don't see a reason to create such a thing, there already exist gift cards (as a private payment system)

Quote
The idea is that the coins in the wallet could only be sent to specific addresses -- legitimate merchants. If a thief demanded your bitcoins, he'd have to steal the entire physical wallet device and could only spend the coins at legitimate merchants. He could not simply transfer coins to his own wallet. If the hardware wallet were stolen, the police can easily put together a database of blacklisted addresses which are pushed to merchants (this could be very effective if bitcoin change could be forced to go into old addresses instead of generating new ones). This DOES NOT affect fungibility.

I imagine a hardware wallet as a device that can be purchased anonymously. It would be cheap, and designed to cheaply connect to a public network wirelessly to send transactions and monitor the blockchain. You would use it to transfer money to another private person's wallet or the pay terminal of a retailer. It's not designed to hold a lot of money, that is, more money than you are willing to lose. It would be analogous to filling your own wallet with cash for the cash purchases you intend to make for the day. The reason people may want anonymous wallets is the same reason today you would choose to buy something with cash rather than using a credit card. You may not want the receiver to be able to know who you are.

Now, if you lose your hardware wallet, you can go home and sweep the addresses that it owns with the optional wallet backup program.  Same thing if a thief physically takes your wallet, you can sweep the wallet with the backup program before the thief does, you get your money back.  If the thief sweeps the wallet before you do (after cracking or coercing the password on the device such as a 4 digit pin), then the police can track the money until it hits a public address that may unblind the thief (i.e. a retail pay terminal with surveillance.)  

If you keep a large amount of money in such a wallet, then you may be asking for trouble. There's always a small possibility that the manufacturer of the wallet may have inserted or allowed a hack that allows someone else to gain access to the wallet's private keys.

The idea of a hardware wallet is that it would become an acceptable risk to carry certain amounts of money, and the device or the money can be lost without causing a catastrophic loss of funds.  There's no reason to implement a specialized limited fungibility system for bitcoin, the retailer can just sell you a gift card instead.
I could see a gift card being an okay solution if it were instead, say, redeemable private currencies I could redeem for a currency of my choice, but I was thinking more along the lines of something I could use at any legitimate merchant, but not a fencer, illegal gun salesman, or street-corner drug salesman. When I was thinking about this, I was envisioning a rubber hose kind of scenario, where bitcoins were being demanded of me, but it would be impossible for me to send them to the thief, so threats to make me hand money over to him would be ineffective since I couldn't send money to his address. I could give him the physical wallet hardware and password, but then he'd have to only use it at registered merchants, where the blacklisting and unblinding, as you mention, would come into play.

I'd guess this solution, if feasible, would permit conversion of the "specific use" keys/funds back into "true bitcoins" (thus not really impacting fungibility except while you're away from your cold storage device) while still allowing you to use the bitcoins at almost all merchants which accept BTC, which I definitely can't do with gift cards. It's also trustless insofar as BitPay (or whoever organizes the theoretical system) doesn't control funds -- they'd need my keyparts for each expenditure, which I'd hold. Idunno, though. It does all sound very complicated with fairly little reward. Hopefully, there're better ideas out there which I like from a security:convenience perspective.
sr. member
Activity: 364
Merit: 264
The only way that "anonymous" and "hardware wallet" can work is, I think, as a prepaid device. Otherwise, sending funds to it can be traced similarly to sending on any other device. So -- basically, a gift card.
member
Activity: 112
Merit: 10
Anyway, is it possible to create separate "specific-use-only" wallets you could store in, say, your phone or your Trezor, where funds could only be sent to specific whitelisted addresses?
I don't see a reason to create such a thing, there already exist gift cards (as a private payment system)

Quote
The idea is that the coins in the wallet could only be sent to specific addresses -- legitimate merchants. If a thief demanded your bitcoins, he'd have to steal the entire physical wallet device and could only spend the coins at legitimate merchants. He could not simply transfer coins to his own wallet. If the hardware wallet were stolen, the police can easily put together a database of blacklisted addresses which are pushed to merchants (this could be very effective if bitcoin change could be forced to go into old addresses instead of generating new ones). This DOES NOT affect fungibility.

I imagine a hardware wallet as a device that can be purchased anonymously. It would be cheap, and designed to cheaply connect to a public network wirelessly to send transactions and monitor the blockchain. You would use it to transfer money to another private person's wallet or the pay terminal of a retailer. It's not designed to hold a lot of money, that is, more money than you are willing to lose. It would be analogous to filling your own wallet with cash for the cash purchases you intend to make for the day. The reason people may want anonymous wallets is the same reason today you would choose to buy something with cash rather than using a credit card. You may not want the receiver to be able to know who you are.

Now, if you lose your hardware wallet, you can go home and sweep the addresses that it owns with the optional wallet backup program.  Same thing if a thief physically takes your wallet, you can sweep the wallet with the backup program before the thief does, you get your money back.  If the thief sweeps the wallet before you do (after cracking or coercing the password on the device such as a 4 digit pin), then the police can track the money until it hits a public address that may unblind the thief (i.e. a retail pay terminal with surveillance.)  

If you keep a large amount of money in such a wallet, then you may be asking for trouble. There's always a small possibility that the manufacturer of the wallet may have inserted or allowed a hack that allows someone else to gain access to the wallet's private keys.

The idea of a hardware wallet is that it would become an acceptable risk to carry certain amounts of money, and the device or the money can be lost without causing a catastrophic loss of funds.  There's no reason to implement a specialized limited fungibility system for bitcoin, the retailer can just sell you a gift card instead.
legendary
Activity: 961
Merit: 1000
I think this will be used for subscription based services where you set up a wallet with funds and BTC can only be sent to a nominated address. So if you subscribe to Bitcoin Magazine you have a contract that sends them .01 BTC every week for a new edition. Specific use address.

Don't know the technicalities of this but hope it can be done, as it minimises the big risk of entering cc details in that there is a limited amount of funds that can only be sent to one address by contract.
donator
Activity: 1218
Merit: 1015
Like... can you force the mobile phone keypart to be required, and then require either the cold storage device keypart or a Bitpay keypart with a merchant keypart? I guess you could kludge something together where there are many multi-sigs and multiple ways to unlock the "master" multi-sig....?

2 out of 3 Shamir Secret Sharing with {phone, cold storage, bitpay}? This does not implicitly trust bitpay, but does trust it to spend funds to the "appropriate location".

Alternatively, several sets of {phone, cold storage, merchant(n)}

Most workable approach so far.
I'm unsure if multisig may support (or may eventually support) conditional "n"s.

Maybe you need:
Phone
+
Cold Storage.

If no Cold Storage, then both Merchant + Bitpay. (Bitpay's sign-off by providing a keypart helps verify the merchant hasn't been compromised) Bitpay would also refuse a sign-off if the customer claimed his keys were stolen and could sign that claim with the cold storage device's keypart, so it'd require the cold storage device's sign-off to move.
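
The structure proposed above (phone, plus either cold storage or both merchant and Bitpay) worked through as an added example that is not part of the original post: it lists the minimal signer sets, finds which keyparts are forced, and checks whether any single m-of-n over the four keys grants exactly the same access. The role names come from the thread; the code is illustrative and does no cryptography.

```python
from itertools import combinations

ROLES = ("phone", "cold", "merchant", "bitpay")


def authorized(signers):
    """phone AND (cold OR (merchant AND bitpay)), as described in the post."""
    s = set(signers)
    return "phone" in s and ("cold" in s or {"merchant", "bitpay"} <= s)


def plain_2of3(signers):
    """Ordinary 2-of-3 over {phone, cold, bitpay}, for comparison."""
    return len(set(signers) & {"phone", "cold", "bitpay"}) >= 2


def all_subsets(items):
    """Every subset of items, as frozensets."""
    for r in range(len(items) + 1):
        for combo in combinations(items, r):
            yield frozenset(combo)


def minimal_sets(policy, roles=ROLES):
    """Authorized signer sets from which no signer can be removed."""
    ok = [s for s in all_subsets(roles) if policy(s)]
    minimal = [sorted(s) for s in ok if not any(t < s for t in ok)]
    return sorted(minimal, key=lambda names: (len(names), names))


def required_signers(policy, roles=ROLES):
    """Signers that appear in every authorized set (the forced keyparts)."""
    sets = [set(names) for names in minimal_sets(policy, roles)]
    return sorted(set.intersection(*sets)) if sets else []


def matching_thresholds(policy, roles=ROLES):
    """Every (m, keys) for which plain m-of-keys equals the policy exactly."""
    matches = []
    for keys in all_subsets(roles):
        for m in range(1, len(keys) + 1):
            if all((len(s & keys) >= m) == policy(s) for s in all_subsets(roles)):
                matches.append((m, sorted(keys)))
    return matches


if __name__ == "__main__":
    print("minimal sets:", minimal_sets(authorized))
    print("forced signers:", required_signers(authorized))
    print("equivalent m-of-n:", matching_thresholds(authorized))
    print("2-of-3 forced signers:", required_signers(plain_2of3))
```

An empty result from `matching_thresholds` means no blanket m-of-n over these keys expresses the rule, so it has to be assembled from the two minimal sets as separate alternatives, which is the "many multi-sigs" kludge guessed at in the thread.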
sr. member
Activity: 364
Merit: 264
Like... can you force the mobile phone keypart to be required, and then require either the cold storage device keypart or a Bitpay keypart with a merchant keypart? I guess you could kludge something together where there are many multi-sigs and multiple ways to unlock the "master" multi-sig....?

2 out of 3 Shamir Secret Sharing with {phone, cold storage, bitpay}? This does not implicitly trust bitpay, but does trust it to spend funds to the "appropriate location".

Alternatively, several sets of {phone, cold storage, merchant(n)}

Most workable approach so far.

donator
Activity: 1218
Merit: 1015
@Jim - Multisig approach makes sense. The cold storage device has two parts (its own part and the mobile phone's part), and the mobile device has just one, so you could still "unlimit" your bitcoins if you want, but the thief still would be limited to merchants on the whitelist if he only had the mobile phone. Can you force certain parts of keys to be required instead of a blanket "m of n"? Like... can you force the mobile phone keypart to be required, and then require either the cold storage device keypart or a Bitpay keypart with a merchant keypart? I guess you could kludge something together where there are many multi-sigs and multiple ways to unlock the "master" multi-sig....?

The thief would then purchase Gold from a legitimate seller and then resell it for fiat or plain BTC?
If the thief can get there before a blacklist request is pushed from the list organizer (police, Bitpay, whoever) to the compliant merchants at the request of full-wallet owner and/or before the person who was stolen from moves the funds.