A Physical Bitcoin Bearer Bond Design

Aaaaand it’s broken:

The design below is seriously flawed, since Alice always has the private keys — and once Bob spends the coins he reveals the preimage. This front-run attack plagues any lock that does not use an asymmetric key. ¯\_(ツ)_/¯

Description:

Opchip is an idea for a hardware device that enables transferring control of Bitcoin by exchanging a physical object.

The basic idea is to spend to a hash-locked output, and then transfer control of that output by giving someone a microchip that can reveal the preimage to the hash, and can prove that it has not previously revealed the preimage.

Example implementation:

Hardware consists of a circuit board with the ATSHA204A chip and a MB85RS64V chip and a raspberry pi header connector. (Cost is less than $5.00)

ATSHA204A chip is a secure cryptoprocessor programmed so that it can do the following:

1. generateNonce = chip creates a nonce and stores it in private memory

2. getHash = chip returns the hash of the nonce

3. revealNonce = chip moves the nonce from private memory to public memory and returns nonce

4. deleteNonce = chip deletes the nonce from public memory

MB85RS64V chip is a FRAM chip for storing data

You can deposit to Opchip this way:

1. Plug Opchip hardware into raspberry pi

2. execute generateNonce()

3. execute getHash()

4. Create a transaction that spends to a P2SH output that includes a hashlock clause like this:

OP_HASH256 the-hashed-nonce-stored-on-the-chip OP_EQUAL

5. Store the script and the private key necessary to sign the script on the FRAM chip.

You can redeem from Opchip this way:

1. Plug Opchip hardware into raspberry pi

2. execute revealNonce()

3. Read the script and private key from the FRAM chip

4. Build a transaction, provide the nonce and sign with the private key
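An added toy model of the deposit and redeem flows above (not the author's code), with the chip's four commands as a small state machine and the hashlock check done as OP_HASH256 (double SHA-256). It also reproduces the flaw noted at the top: Alice keeps the deposit key, so the nonce that Bob's spend reveals lets her sign a competing transaction. Assumption: an HMAC keyed by the private key stands in for ECDSA.

```python
import hashlib
import hmac
import os

def hash256(data: bytes) -> bytes:
    """Bitcoin's OP_HASH256: SHA-256 applied twice."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

class Opchip:
    """Toy model of the chip's four commands; the nonce is private until revealed."""
    def __init__(self):
        self._private, self._public = None, None
    def generate_nonce(self):
        self._private, self._public = os.urandom(32), None
    def get_hash(self) -> bytes:
        return hash256(self._private if self._private is not None else self._public)
    def reveal_nonce(self) -> bytes:
        self._public, self._private = self._private, None
        return self._public
    def delete_nonce(self):
        self._public = None
    def is_sealed(self) -> bool:
        return self._private is not None

def sign(privkey: bytes, msg: bytes) -> bytes:
    # Assumption: an HMAC keyed by the private key stands in for ECDSA, so the
    # verifier below also needs the key. The flaw shown does not depend on this.
    return hmac.new(privkey, msg, hashlib.sha256).digest()

def verify_spend(output: dict, preimage: bytes, sig: bytes, tx: bytes) -> bool:
    """The design's clause (OP_HASH256 <hash> OP_EQUAL) plus the signature check
    on the deposit key that the FRAM chip stores."""
    hash_ok = hmac.compare_digest(hash256(preimage), output["hashlock"])
    sig_ok = hmac.compare_digest(sign(output["key"], tx), sig)
    return hash_ok and sig_ok

def front_run_demo() -> tuple:
    chip = Opchip()
    chip.generate_nonce()
    alice_key = os.urandom(32)             # deposit key; Alice keeps a copy
    output = {"hashlock": chip.get_hash(), "key": alice_key}
    sealed_at_handover = chip.is_sealed()  # what Bob checks when he receives the chip
    # Bob redeems with the key from the FRAM chip; his broadcast carries the nonce.
    nonce = chip.reveal_nonce()
    bob_tx = b"pay-to-bob"
    bob_ok = verify_spend(output, nonce, sign(alice_key, bob_tx), bob_tx)
    # Alice reads the nonce from Bob's broadcast and signs a competing spend.
    alice_tx = b"pay-to-alice"
    alice_ok = verify_spend(output, nonce, sign(alice_key, alice_tx), alice_tx)
    return sealed_at_handover, chip.is_sealed(), bob_ok, alice_ok
```

Both spends validate, which is why the hashlock adds nothing once the deposit key is shared; the chip's sealed/unsealed state only tells Bob the nonce was not revealed before handover.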

A couple other thoughts:

Opchip is reusable. After you withdraw money, you can just ask the chip to create a new unrevealed nonce.

You could reduce the money secured by Opchip without taking it down to zero. Just reveal the nonce, create a new nonce, and create a transaction that spends part of the money to you and part of the money to an output secured by the new nonce.

The motivation to create an evil SHA chip that does not create random nonces is minimized. The manufacturer needs not only the nonce, but also the private key created by the person who makes the deposit in order to spend the funds.

If the price of Bitcoin goes up 10x, that physical bitcoin token you had with $100 now has $1000. Wouldn’t you like to sweep the funds back down to $100?

The private keys stored on the FRAM chip could be encrypted by the owner. This could be helpful to split the transaction into 2 parts. In the first part, Alice gives the Opchip to Bob, who verifies that it can produce hashes that control the money. When everyone is satisfied that the Opchip has enough money, Alice can give Bob the password to decrypt the private keys.

Perhaps the FRAM chip could also store an encrypted secret without which the SHA chip will refuse to divulge the nonce? This would lock the device against evil maids.

Reduced security mode:

In a slightly reduced security model, Opchip could be used for zero-confirmation partial transfers. For example, the same chip could have 5 nonces N1, N2, N3, N4, N5 controlling outputs O1 = $10, O2 = $20, O3 = $40, O4 = $80 and O5 = $160. Each of these outputs would be associated with a different private key P1, P2, P3, P4, P5. Any payment in the range from $10 to $310 in steps of ten dollars could be made.

For example, if the payment is $50, then Alice would leave N1 and N3 sealed, but would take the following steps to prevent O2, O4 and O5 from being transferred:

1. Unseal N2, N4 and N5

2. Make a copy of N2, N4, N5

3. Make a copy of P2, P4 and P5

4. Erase N2, N4, N5 from the SHA chip

5. Erase P2, P4 and P5 from the FRAM chip

The reason this is a reduced security model is that it is possible that by luck Bob previously possessed the exact same Opchip and saved P2, P4 and P5. If this is the case, then when Alice goes to spend O2, O4 and O5, she must broadcast N2, N4 and N5, which Bob can then learn. Since he is now in possession of both P and N, Bob can create a double spend to himself. If Alice is monitoring for this, she could use a scorched earth strategy against Bob by following his double spend with her own double spend at a higher fee rate.