Ninjastic
PostEdited versionsQuotes to this post
Post
Topic
Board Development & Technical Discussion
Re: Making a real tangible bitcoin that actually conveys BTC
by
casascius
on 07/01/2011, 06:46:34 UTC
Thinking a little deeper, I am persuaded that the only weak link left in the chain would be the maker of the smart card.

- The maker of the smart card could record the private key of all the smart cards he produces, and later steal the BTC from all the cards he produced, all at once.
- The maker of the smart card could make the card lie about max(X), so someone could have a valid transaction out there with nobody knowing it.

If I'm on the right track, then an effective countermeasure could be as follows.  BTC addresses could have a "dual signature" scheme, where creating a valid transaction to spend the coins requires a second signature.

Signature 1 would be the private key embedded by the maker and cannot be changed.

Signature 2 would be a second private key, originally embedded by the maker but replaceable by any user.  A message could be broadcast via the block chain telling everybody the public key of signature 2, every client would then know that spending from this bitcoin address requires a valid second signature.

The private key for signature #2 doesn't really need to be kept secret from any possessor of the card, it only needs to be secret from the original maker of the card who might know private key for #1.  Private key #2 is useless when not accompanied by a signature made from private key #1.

Any user with a smart card reader could generate a brand new keypair for generating signature 2, and upload it to the card, and then send a signed "new second signature" message (signed by #1 and old #2) to the block chain, telling everybody about the replaced #2.  Such message, of course, would expire by a certain block X.

The verification process (the "counterfeit detection pen" process) would confirm that publicly known key for signature #2  had a corresponding private key on the card.

Original maker of smart card might know private key for signature #1, but definitely will not know private key for signature #2 since it was made by a user on their own computer.  Maker could steal the money from the card until the first person generates a new #2.

Anyone possessing a valid card but suspicious that the maker (or anybody else) might know private key #1 and possibly #2, may simply generate a brand new #2, once acknowledged by the block chain, he may know the BTC on the card is good without trusting anyone, not even the card maker.

The smart card will have memory to remember the last two or three keypair #2's instead of overwriting it immediately upon replacement, to eliminate the risk that a botched attempt to update #2 would render the card worthless.

Finally,

To prevent cards from lying about max(x), they could be required to give not just a block number, but also the known hash for a block.  The network could say, conditional transactions are good for 10 blocks and no more.  Instead of saying, "this transaction good till block 100000", it could say "I know the latest block 100000 has hash XXX", and all clients know, that transaction is void past block 100009.  Card would have no way to create a conditional transaction that lasted any longer than that.