Please login or register.
This location

Creating a standard for physical coins

fluffypony posted this 9 years ago

fluffypony | 9 years ago

After receiving my physical coins from Cryptonic we've been discussing a standard format for physical coins that represent funds on the Monero network. The first batch of coins from Cryptonic had an alphanumeric serial on the side, but that isn't great on its own, and would rely on Cryptonic staying in operation forever. The suggestion I made is to use the base58 charset instead of alphanumeric, and to print 7 characters on each side (so 14 characters in total), which in base58 gives us ~81 bits of entropy.

Cryptonic then suggested that, in order to maintain the order of the two 7 character pairs, one of the pairs starts with a base58 letter (a - Z excluding uppercase o / uppercase i / lowercase L), and one starts with a base58 number (1 - 9, no 0). That then gives us (12*log2(58)) + log2(49) + log2(9) = ~79 bits of entropy, which is good enough.

Basic Derivation Process:

  1. A manufacturer makes coins with the two sets of 7 random base58 characters (123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz, no 0 (zero) or O (capital letter o), no I (capital i) or l (lower L)), one set starts with a number from 1-9, the other starts with a letter from a to Z.

  2. Users receive their coins along with (online) instructions on "activating" the coins on MyMonero / simplewallet / whatever GUI supports it.

  3. During activation they are asked if they want to either (a) have an address directly linked to the coin, so if they lose the coin or someone gets the serial numbers they get access to that account, or (b) have an address linked to the coin, but encrypted with a password/PIN of their choice.

  4. If the coins are not pre-funded by the manufacturer then that is the end of that. If the coins are pre-funded by the manufacturer, then they have to login to the manufacturer's site and confirm receipt of their coins by entering the serial numbers and the address derived from it. The manufacturer's system would then transfer the pre-funded amount to that address. This transfer would include a payment ID that is a hash of some standard metadata (we need to decide on the exact metadata and format, but at the very least it would be the manufacturer, the coin type/description, the owner's email address or some other contact info, date/time of purchase, coin serial numbers).

Advantages:

  • buyers of pre-funded coins don't need to trust the manufacturer (unless they use a direct derivation)

  • buyers of pre-funded coins can sell the coins to someone, and the new owner can create an encrypted address of their own; the new owner doesn't need to trust any of the previous owners (unless they all use a direct derivation)

  • the process of transferring funds to the new owner's derived account will also include a payment ID that is a hash of metadata; this metadata will indicate who the new owner is, the transaction ID of the previous metadata, as well as all previous metadata, thus an indelible chain-of-ownership will exist on the blockchain (this is something that literally no physical coin has done). In the (far) future this data can be represented instead in a MoneroAssets sidechain.

  • actual Monero on the network doesn't have to move when the coins is sold, the buyer/seller can choose to hand over the password for the derived account instead, or use a straight derivation, and can still send a transaction with hashed metadata indicating the change of ownership.

  • buyers of unfunded coins can still link an address and fund it themselves, although there's obviously something to be said about the collectability of prefunded coins

Disadvantages:

  • unless the owner uses a straight derivation this is a very different approach to traditional Bitcoin coins, and may take some getting used to

  • the tooling for handling the metadata and metadata chain does not exist, we'd have to add it to MyMonero + Cryptonic and possibly build out a command-line tool for it

  • this is further complicated by the fact that the metadata doesn't actually exist anywhere except as a hash; we'll probably want to have some sort of distributed dataset between MyMonero, Cryptonic, etc. Maybe Tahoe-LAFS or something.

Example Metadata:

{  
  "manufacturer":"Cryptonic.net",
  "description":"Silver-plated brass, original run",
  "prefunded_balance":100,
  "manufacture_date":"2014-11-19",
  "serial_pre":"3Sifa5R",
  "serial_post":"fQ92kM2",
  "history":[  
    {  
      "owner":"Alice Bobson",
      "contact":"alice on the Monero Forum",
      "purchase_price":"180 XMR",
      "condition":"as new",
      "balance_at_purchase":100,
      "purchase_date":"2016-01-07",
      "receipt_date":"2016-01-14",
      "notes":"actual balance just below 100 XMR due to transaction fee, I will top it up to 100 XMR exactly"
    },
    {  
      "owner":"Riccardo Spagni",
      "contact":"[email protected]",
      "purchase_price":"100 XMR",
      "condition":"Brand new",
      "balance_at_purchase":100,
      "purchase_date":"2014-12-03",
      "receipt_date":"2015-03-01",
      "notes":"Shipping delayed due to postal strike"
    }
  ]
}
Replies: 7
5w00p69 edited 9 years ago Replies: 2 | Weight: -465 | Link [ + ]

Where are we at with this?

I received a physical Monero from Cryptonic (it's awesome) and I am wondering about funding it (derived wallet) via the codes inscribed on the side of the coin.

I want to test it for myself, and then explore ordering more coins, funding them, and giving them as gifts.

Thanks in advance for help/replies.

Reply to: 5w00p69
Cryptonic posted 8 years ago Replies: 1 | Weight: -35 | Link [ - ]

There is no visible movement at this direction yet, but I do hope it will change once more urgent goals are achived in Monero development.

Reply to: Cryptonic 5w00p69
Cryptonic edited 8 years ago Replies: 1 | Weight: -25 | Link [ - ]

Comments related to this discussion: https://www.reddit.com/r/Monero/comments/3wv7tt/a_supplemental_review_of_the_batch_2_solid_silver/

Reply to: Cryptonic Cryptonic 5w00p69
Cryptonic edited 8 years ago Weight: 0 | Link [ - ]

Moneromooo has added an optional user supplied entropy to his offline wallet generator. So now it's possible to use it with cryptonic coins' IDs (and a password).

https://github.com/moneromooo-monero/monero-wallet-generator/

https://moneroaddress.org/

There is a field Custom entropy. To create a cold Monero wallet from a coin ID you can fill it there, for example:

1Fe58dA D7auQk6 your_password

and click Generate wallet.

Reply to: 5w00p69
Lloydimiller4 edited 9 years ago Weight: -464 | Link [ + ]

I am still not convinced. I really hope it is possible to have it done securely, but I still think the best method is with a hologram and the private key underneath.

The Cryptonic coins are still really cool though, I just consider them more as souvenir tokens instead of having actual XMR on them. The quality of the coins is marvelous, I just wish they had XMR inside them.

Cryptonic edited 9 years ago Weight: -574 | Link [ + ]

Regarding the derivation process:

  • 1 is just great. We are ready to start implementing it.

  • 2 instructions on "activating" the coins on MyMonero / simplewallet / whatever GUI can be send by email while ordering, displayed online at Cryptonic and optionally included as a printed material together with the coins.

  • It will be really great to interlink some functionality of a manufacturer's site with MyMonero / simplewallet / etc to strengthen the Monero ecosystem. For example together with the initial derivation process we can also optionally activate a coin at manufacturer's site if it has not been done before and in that case the owner will need to provide an activation code that he received from manufacturer. The activation code ensures that nobody except the legitimate owner can activate it. If a coin is already activated we can send back to the manufacturer's site the serial IDs of the coin, a public Monero address derived from it and a View Key associated with it. It will allow coin owners to check coin balance directly at manufacturer's site. We can also display a direct link to MyMonero based on a coin serials. By clicking this link user will need only to enter his password/PIN and optional 2FA to decode an actual seed and instantly get access to his wallet at MyMonero / other GUI of his choice.

  • 3 makes me think that it's reasonable to always ask the coin owners to provide password/PIN as mandatory while encoding/decoding the derivation of a seed from coin serials. It will greatly reduce the security risks and will allow the easy interlinks mentioned above. It can also simplify the ownership transferring. If a new owner is not trusting to a previous owner, he can easily create an another derivation from the coin serials with a different Password/PIN.

  • If the previously derived account contains some funds and the counterparties agreed to keep it linked to the coin in a new derived account we can create a simple escrow system for that purpose and request the person who is transferring the coin to send the agreed amount to the specified intermediate address from which they will be automatically transferred to the new owner's account derived from the coin serials and his new Password/PIN.

  • If we decide to use obligatory Password/PIN we need to think how to protect a coin owner if he accidentally forget his Password/PIN. It's obvious that we can not keep it in our systems. But I have just realized that MyMonero users can also loose an access to their wallets if they forget a private login key. Probably it's OK if we just advice the coin owners to keep a Password/PIN in a safe place. I think we should keep away from the straight derivation and always ask a Password/PIN.

  • 4 If the coins are pre-funded by the manufacturer the funding can be done automatically while initial activation/derivation process. In an order confirmation email there is no information about a coin serials. We do not usually track who will get a coin with the specified serial. Only an actual receiver of the coin can know it when he actually gets it. At the same time we send coin activation codes by email as a secret second factor. Even if somebody steal it he will also need a coin serials to activate it and vice versa if somebody get an access to the coin serials he will also need the activation code to confirm the activation and optionally claim the pre-funded amount.

  • A payment ID that is a hash of some standard metadata looks very interesting. Probably we can use the hash from metadata for some other purposes as well including a reliable physical coin validation with its history accessible from any supported GUI. We have a plan to upgrade our validation system to display some important information about each coin according to its serials (a batch number, total number of coins in that batch, date of production etc). Some fields offered in the example meta data can be also used for that purpose. It will help to estimate a collectors value of each coin. The indelible chain-of-ownership on the blockchain sounds futuristic and really inspiring. If we link a traditional DB with some info on each coin (excluding personal data of the owners) with hashes on the blockchain it can open up even more possibilities.

  • I think in most cases the coin owners will prefer to hand over the password for the derived accounts only in case if they giving the coins as a gift to someone. In case of selling a coin the majority of buyers will probably prefer to create a new account with their own Password/PIN.

I totally agree with David regarding the disadvantages. They can be resolved over time and people can adjust to the new technology.

As per other things:

  • Is it true that by adding a mandatory user Password/PIN to 79 bits of entropy provided by two sets of serials we can increase the overall entropy level substantially?

  • I think we should provide and option for coin owners at any time to relink his own coin to another account derived from the serials + another Password/PIN. In that case the entropy level can be increased indefinitely in the future by using much stronger Passwords of any length.

  • We did not planed to limit the amount of Moneroj that can be stored at the linked addresses and as you see the current coin has no fixed amount. In my opinion the fixed amount is important to standalone physical coins that bring all keys with them under a hologram. As per online coins like Cryptonic Moneroj in the future it should be easy to check the current balance either at Cryptonic or directly at MyMonero/ etc. The physical Moneroj are much closer conceptually to online wallets with physical representation than to pure physical wallets.

davidlatapie edited 9 years ago Weight: -577 | Link [ + ]

Interesting because of the long-term thinking, the proof again than Monero constantly innovates and the synergy with future Monero technology (since I studied Microsoft ecosystem during my recent IT studies, I can see how a small, general-purpose move, can output large consequences when done in an ecosystem).

Regarding the disadvantages:

  • 1 is fine for me, the physical coin holders are still a rare breed
  • 2 just a matter of time
  • 3 this one deserves some particular attention, but I am not otherwise worried

Other things:

  • 2015 silver series would be the very first one to have this (somewhat) future-proof scheme, which would make them even more valuable
  • Am I right that, whatever the level of entropy, as long as it cannot be changed in the future, there will eventually be a time when it will asily be cracked, the physical monero at this retaining only its collector value?
  • it possible to store any amount of monero on this physical monero, ultimately making a "physical wallet" (bad practice probably)? Or is there a mechanism that insure a fixed amount of moneroj?