There's even a somewhat-unreliable hack to create tokens on the Bitcoin blockchain, called colored coins.
You create a specific transaction sending some number of Satoshis to another key, and then your coloring scheme marks that transaction as "converting" the coins to whatever token you want. The definition of the token is just anything that address spent.
Of course, no Bitcoin users are required to honor the scheme, the colored coins are still valid Bitcoin and can be spent by an unaware wallet. But you can still pretend that they are, say, shares of some DAO or something.
You probably could extend this to NFTs on the Bitcoin blockchain as well.
The bitcoin ledger is a bit of a special case. Coins in a transaction are sent to output addresses identified by a signature which is usually a combination of SHA-256 and RIPEMD-160 hashes of a public key signature. Using coins as an input to a transaction (spending them) requires exposing the public ECDSA key used to originally create the signature.
If a particular address has never sent coins then an attacker has to perform a pre-image attack against SHA-256 and RIPEMD-160 which even for quantum computers would be 2^128 operations (generally believed to be intractable) and wouldn't even require breaking ECDSA.
Since most original coins have never been sent anywhere there isn't a way to directly attack their ECDSA keypairs.
There are, however, plenty of addresses holding (a lot of) coins whose public keys are in the blockchain, making them targets for quantum computing attacks. An attacker could solve the discrete logarithm problem for a key and forge a signature in a transaction sending all the coins owned by the matching signature to a new address owned by the attacker and the transaction would be accepted by everyone.
> wonder if there's a cryptographically secure way to build a known "stream" of one-use tokens (addresses, if you will) based on known "public key."
This is what Bitcoin's BIP-47[1] does, but you can hand that "public key" to anyone[2]. The communication layer in this case is the Bitcoin blockchain.
Hmm the whole way bitcoin is set up is tailored to making this impossible. Anyone can write a wallet program and create a private key.
Of course when converting to Fiat money they have a chance to ask for ID but I don't see this happening with bitcoin to bitcoin transactions unless the whole protocol is changed around.
You have to then fully trust your counterparty to not have retained a copy of the key to do his own BTC transaction on the network, later, forever.
You could probably use trusted computing/smartcards with a wallet inside them to do some kind of awesome self-attesting "no one has seen my key yet" physical payment token. Sort of like those Casascius coins, but without the need to trust the maker so much.
These are gorgeous and the idea of physical tokens has a rich history in Bitcoin. Some users love them but others not so much.
There are two problems to solve: (1) securing the cryptographic material (aka "private key(s)") stored on the physical token; and (2) securing the cryptographic material not stored on the physical token.
I can't speak to (1), but (2) has throughout Bitcoin's history been a very hard problem to solve. Even if the token is the only place that the cryptographic material is stored in all the universe, proving that fact is practically impossible.
Unfortunately, the page is light on details and the comments haven't answered al my questions so I'll speculate a bit.
It appears that this approach goes in a slightly different direction than others with "multisig." This implies to me that both issuer and user generate private keys. This could be a 1 of 2 (either user OR issuer must sign) or 2 of 2 (both user AND issuer must sign). If 1 of 2, the note issuer can in principle always spend the money at any time. If 2 of 2 the user needs to secure the private keys or risk being locked out forever.
Either way, we're right back at the fundamental problem: how to secure those keys. If the funds can be lost through loss of user keys, then this offers little practical advantage over bill-less bitcoin. If the issuer can always sign unilaterally, then users become dependent on a trusted third party, which is exactly the problem Bitcoin was created to solve.
You can find a list of Bitcoin script shortcomings in the Ethereum whitepaper and Ethereum Design Rationale document.
Writing a BIP to add a new opcode for every possible transaction type is not the answer. And still I don't see how multisig or P2SH can use something else than BTC tokens (colored coins require external asset registries).
Or, just use a system like we use on Bitalo, where fractional reserves are impossible because of use of multi-signature Bitcoin addresses, which means funds are specifically tied to user wallets and exchange operators cannot use them without user's signing all transactions by himself.
The github explains that you create a transaction as follows:
1) You have 50 coins in a 'bucket' or address?
2) You send 18 to a friend
3) You send 32 t yourself.
So you create two encrypted buckets, 18 in one, and 32 in the other. They seem to be the equivalent of UTXOs. I'm not clear if they need to be 'revealed' to be spent though.
The typical way to go about this would be creating separate Bitcoin wallets for different types of purchases. Many wallet clients support this out of the box.
Personally, I generate a new wallet for every transaction.
Interestingly enough, you don't send Bitcoin to addresses. You send Bitcoin to a script of your design, and whoever can provide an input which causes that script to evaluate true is allowed to spend those coins.
This was originally meant to allow you to come up with all sorts of fantastic transaction types, such as coins which need M of N signatures in order to be released, or a Kickstarter clause that only releases the coins if a certain amount has been pledged.
But, after the scripts had caused enough security vulnerabilities they were severely restricted. Clients will now only accept transactions which include one of the standard scripts.
it would be possible with concealed and rsa signed meta data. so theoretically you would be able to request a transaction revesal submitted to the miners after you verify your identity on the blockchain.
I thought transactions like that weren't supported by the bitcoin protocol. Are there any resources that explain how this works with the general blockchain?
I've studied blockchains a little bit but I don't understand how you can transfer funds between two wallets that you own without linking them. How would that be possible without either having some kind of zero sum proof (which none of the popular blockchains are using) or allowing an exploit which enables people to mint new tokens from thin air?
You create a specific transaction sending some number of Satoshis to another key, and then your coloring scheme marks that transaction as "converting" the coins to whatever token you want. The definition of the token is just anything that address spent.
Of course, no Bitcoin users are required to honor the scheme, the colored coins are still valid Bitcoin and can be spent by an unaware wallet. But you can still pretend that they are, say, shares of some DAO or something.
You probably could extend this to NFTs on the Bitcoin blockchain as well.
reply