Counterfeit-Proof Physical Bitcoins

The problem with current “physical” Bitcoins systems is that their production cost scales at O(1+v*m*n) (upfront + btc value x materials x n) while the attack cost is only O(1+m*n).Storing the physical one-way hash of the individual coins on Namecoin would make such coins “counterfeit-proof” in that the attack cost scales at some multiple of the production cost.  This is a major breakthrough for both Bitcoin as well as currencies more generally.

I have a disability that makes proofreading very difficult, please put any grammar/spelling corrections in the comments : )

To counterfeit any currency there is a fixed upfront investment in research and equipment followed by an ongoing per-unit cost.  For example, to fake a US dollar one would have to buy printing equipment and spend lots of time and money figuring reverse engineering the designs.  However, after that upfront investment, it only costs ~$0.10 to produce each dollar.  Thus currency is protected primarily via law-enforcement efforts and Geo-political deal-making.  Even so, it is profitable enough that there is large-scale counterfeiting of the US dollar.

The cost of counterfeiting a currency can be modeled in the same way which computer science models complexity more generally.  An attack against a traditional currencies can thus be seen as costing a one-time constant amount c and the per-unit material cost n: O(1 x c + m x n) or upfrontCost + rawMaterialsCost x numberOfCoins.

When thinking about the difficulty of solving a computational problem, computer scientists just shave off the c because the limiting part is usually n: as numberOfCoins increases the upfrontCost is spread out over each coin.  Eventually, the value of the rawMaterialsCost multiple of n becomes larger than the factional cost of c.

To put this in more concrete terms, let’s consider the cost of attacking a physical Bitcoin protected by a holographic sticker.  If you want to create your own physical coin you must first create a die, a metal etching of the coin that is used to make the impression:

Image of coin die.

Dies for the 2013 US quarter.

This costs ~$500 per die or ~$1,000 per coin.  For a shiny metal, the raw material cost of coin is ~$1 and the price of a holographic sticker is ~$0.10.  In (semi-accurate) Big-O notation, that would be O(c+n) = O($1000 + $1.10 x n).  If you are printing one coin that single coin will cost ~$1001.10.  However, if you are planning on printing 1,000 coins the price per coin drops to $2.10.  A run of 10,000 coins drops the per coin cost to $1.20: the upfront constant price c is now the price of a holographic sticker.

Fiat money has the advantage in that the government issuing the money can arbitrarily fix the price of the minted coin well above the cost of production.  With Bitcoin, each physical coin represents a wallet with an equivalent amount of funds, so each physical coin costs the face value of the minted coin in addition to it’s material costs:

  • Fiat: upfrontCost + (rawMaterialsCost  x numberOfCoins)
  • Crypto: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

Protecting the face value of the coin has traditionally been handled by printing the public account number on the outside of the cryptographic seal and printing a secret key for that account on the inside of the holographic seal.  But the price of a cryptographic seal is only ~$0.10; not much is protecting that account number.  This puts us in a loosing position:

  • Counterfeit crypto: upfrontCost + (rawMaterialsCost x numberOfCoins)
  • Legitimate crypto: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

The trick thus becomes increasing the per-coin cost of counterfeiting to something higher than the value of the face-value of the coin while also keeping the cost for producing each coin below the face-value of the coin:  counterfeit production cost > face-value > cost of initial production.  As long as the cost to reproduce the object is less than the face value, we win.

To get there, we need to individualize each coin.   If we store the unique properties of each physical coin in a database, the cost of counterfeiting each coin becomes:

  • Counterfeit crypto: upfrontCost + (rawMaterialsCost x replicationCost  x numberOfCoins)
  • Legitimate crypto: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

Printed money demarcates individual bills using serial numbers, but they are just that: numbers.  They do not represent anything inherent to the paper bill itself other than a single digit.  To jack the replication cost cost up we can embed randomness into the production process, this is known as a Physically Uncloneable Function.  A PUF is a really fancy term for a physical object that has a lot of randomness in it1Adding randomness into the production process is essentially free because don’t care about what the random signature is,  however, it’s akin to tossing a deck of cards onto the floor.   Reproducing that random signature is not free, just as reproducing that random pile of cards would require several times the amount of effort  to painstakingly place each and every card in the right position.

A real world example is the use of glitter nail polish to detect snooping on electronics gear.  If a reporter wants to protect their computer and peripherals from NSA or other state-sponsored wiretaps, they could paint over every nail with some glitter nail polish and take a picture.  Even the NSA is going to have a very hard time reproducing the exact pattern produced by a swipe of glitter.

A more practical implementation is the magnetic stripes on your credit card: millions of magnetic rods  are “placed” at random and can be with high-precision all at a very low cost. Credit cards also have challenge/response chips and one could embed the private key of a Bitcoin within such a chip to ensure that the private key is present and retrievable.  However, a challenge/response chip doesn’t prevent one from stealing the private key and then passing on the physical coin2.  To prevent such “physical double-spends” we need to tie the PUF to the coins physical structure, ensuring that if someone was to retrieve the private key they would have to destroy the PUF to get it.

My proposal is to create a hollow coin with an NFC-readable signature.  Print/place the private key on the inside of the coin and post the public key along with the NFC signature on the Namecoin database (a cryptocoin which allows for secure, uncensorable storage of arbitrary data) and anyone with an NFC equipped cellphone can check if a coin is counterfeit3.  A challenge/response chip (NFC or otherwise) would enable people to ensure that the coin’s public/private key-pair is authentic and still retrievable.

Note that I claimed that the coins are “counterfeit-proof”, an astute hacker would likely ask me to put an asterisk there as it’s not impossible to create a duplicate just very, very hard.  To increase the difficulty, you could layer multiple PUF functions: an NFC readable signature, a magnetic-strip readable signature, and optical signature, etc.  If one PUF fails, you have 2 fundamentally different PUFs to fall-back on.

What’s great about this is that we can simply chart the cost to reproduce such coins and we know which models are vulnerable and which are not.  Even if someone does crack all the PUFs and begins counterfeiting physical Bitcoins, owners of existing coins would not suffer economically: simply crack open the physical coin and move the money to another wallet.  In the meantime, innovators will figure out a new PUF and move on.

The superior anti-counterfeit features of a PUF Bitcoin represents a serious opportunity for Bitcoin.  There are “legitimate” mints looking into copying key features of Bitcoin as well.  The Canadian Mint tried making a digital currency  the Channel Islands (a pseudo-but-not-really micro-nation) is actively perusing producing coins based on Bitcoin.  However, both of these awkward attempts at bridging the digital and physical incarnations of the cryptocoin fall short because they both rely on value stores other than Bitcoin itself4.

Finally, and perhaps most  importantly, PUF Bitcoins would be perfect for the many countries with unstable national currencies, like Myanmar, Venezuela, and North Korea, and other countries which unofficially accept physical US dollars5.  There is a large amount of distrust in any paper currency to which even the venerable US dollar struggles to overcome,

When you arrive in Myanmar, you can see how eager the people are to do business … A guy in a booth offers to rent me a local cellphone — and he’s glad to take U.S. dollars. But when I pull out my money, he shakes his head.

“I’m sorry,” he says.

He points to the crease mark in the middle of the $20 bill. No creases allowed.

So I pull out another, which he rejects because it’s a little bit faded, and a third, which he doesn’t want because of a tiny tear, and a fourth, which he calls “not very acceptable” because of a little ink spot.

-Planet Money

The only thing holding Bitcoin from exploding in many markets is a lack of a physical incarnation.  At the most basic level, the technology required to use Bitcoins is a major roadblock: half of the stalls at the Seattle University District Farmer’s Market a block from my house do not accept credit cards.  If boutique, local, organic farmers selling to snobby Seattleites can’t be bothered to get a credit card machine, rural farmers in 3rd world countries are not going to get a $500 smartphone and a $100/month data plan just so they can accept Bitcoin.  A physical Bitcoin, even without PUF, levels the playing field with traditional currencies in these markets.

Keep in mind that a PUF Bitcoin should be as resistant to counterfeiting as a traditional currency, verification is optional.  If someone WANTS to verify the transactions the verification system for physical Bitcoins is much cheaper6 and more secure than even a credit card reader7. Optical PUF scanners have been made in the < $20 price-range8 which are probably more precise than what a cell-phone NFC reader would be capable of.  You don’t need a regular internet connection either, batches could be held back for months so that off-line devices could be updated with new coins as well as alert people if counterfeits are produced.  For users in 3rd world settings, such devices could be charged with a crank or solar energy and the data cost for an update could be split among several people9.

I do not have enough engineering expertise to work on this without spending a lot of time and I am WAY too busy at the moment.  I have, however, put up a proposed puf/ namespace on Namecoin’s (temporary) wiki.  As a “core” contributor to Namecoin, I am a bit biased in my opinion of Namecoin as being the best place for such a data store.  After-all, do we really want to bloat the blockchain with all that data?

Many (if not most) alternative currencies are gimmicky imitators with superficial changes which are driven by nothing but market speculation. Puf’s are a really neat use-case for Namecoin which also demonstrate why the Namecoin’s generic key/value is so important.  Namecoin doesn’t compete with Bitcoin at all, it’s not nearly as good of a medium of exchange and I don’t see any reason to build a physical Namecoin currency other than for fun.  However, we will need a PUF database with the security and censorship resistant features afforded by a blockchain for things other than currencies, such as ID’s, electronics, and other cool stuff I haven’t thought up.  Do we want to have to build a crypto-currency for each use case?

I’ve tossed the idea around with the genius-grade mechanical engineers over at Corvus and Columba.  They have already put some thought into the problem, so if you (reporters or whomever) have questions about the actual production, talk to them.  If you are interested in funding research in this area, they are dedicated Open Source fanatics and a few grand could fund enough initial research to produce some prototypes.


  1. A PUF is like a one-way hash function, NOT a private key. A private key could be used as a way to get around low-fidelity PUF readers: if the PUF reader couldn’t get enough detail, it could rely on the manufacturers private key.  However, a PUF removes the ability of a manufacturer to produce multiple coins with the same public/private key.  

  2. … or from someone embedding the challenge/response chip into a new coin or from a manufacturer producing multiple coins with the same public/private key. 

  3. Which, if you already have an NFC phone, lowers the cost of a verification device to $0.  Factor in the efficiencies of mass production and the market for used devices … even the low-end markets in third world countries would have “free” verification devices after a few years.  Given that the blockchain (esp the UXTO version) can be shared from cell-phone to cell-phone….  

  4. As noted in the comments, a national currency could setup a PUF system, however, simply using a PUF only prevents fraud.  A physical Bitcoin basically extends all of the things that make Bitcoin useful in its respected niches to physical transactions.  For example, a PUF Bitcoin could be translated into its digital equivalent without having to visit a bank. 

  5. In response to a comment on Slashdot, I would like to clarify that I don’t believe this solves the larger socioeconomic problem in these unstable regions.  It can help, all currency manipulation is kept a bay by the long-term consequences of such manipulation.  A government can continue to reap short-term gains as long as sticking with the hyper-inflationary currency is a better option for the locals than using the alternatives.  Right now the only alternatives are to use physical US dollars or barter.  Both of those options suck compared to the ease of which one can transition a PUF Bitcoin into a digital value store.  However, citizens will still have to sneak around and go against the local authorities.  While it doesn’t make such activities any safer, it does make them easier and more secure.  

  6. If you factor in the cost of a credit-card’s ongoing transaction fee. 

  7. There are no fraudulent reversals. 

  8. I cannot find the link ATM but even if you add in storage of the blockchain and a processor the price-point would stay will within the < $100 range  

  9. In response to a comment elsewhere, the blockchain enables one to reliably and securely update off-line devices.  Even if you are able to crack the verification code of an offline reader and feed it faulty data you would also have to control what coins that person comes in contact with.  This relegates potential victims to extremely insular communities and potential attackers to someone with near global control over that community and a lot of technical sophistication.  For a better overview, read up on how the UXTO extension can verify transactions authenticity without having the full block chain.   

22 Responses to “Counterfeit-Proof Physical Bitcoins”

  1. SW February 9, 2014 at 7:31 am #

    Two questions.

    1. So someone receives one of your coins. How do they know the matching private key is actually inside?

    2. What is the difference of your proposal to having a mint simply publish a list of PUF signatures for verification? Then coins can be verified against this list. All data in the coin is only added for verifiability. What is lost from your proposal, except that no bitcoins are used?

    Stephan

    • indolering February 9, 2014 at 10:38 am #

      1. So someone receives one of your coins. How do they know the matching private key is actually inside?

      The simplest way is to just embed a challenge-response chip like they have on credit cards.

      2. What is the difference of your proposal to having a mint simply publish a list of PUF signatures for verification? Then coins can be verified against this list. All data in the coin is only added for verifiability. What is lost from your proposal, except that no bitcoins are used?

      Uhh, all of the benefits that come with using Bitcoins? :P

      • indolering February 9, 2014 at 12:56 pm #

        Which is to say that a physical Bitcoin bridges all of things that make Bitcoin great for 3rd world markets to physical transactions. Most of these countries are shut out of the legitimate banking system due to fraud. Even if, for example, a farmer is paid in physical currency the farmers *suppliers* can seamlessly exchange the physical currency for a digital one, much like we can deposit cash in a bank. Except they don’t have to go to a physical bank.

      • SW February 10, 2014 at 9:28 am #

        Thanks for your answer.

        About “… embed a challenge-response chip like they have on credit cards.”

        I don’t see how a challenge-response system can help here. The methods are about “providing a valid answer”, but how can the owner of a bitcoin get to verify the private key without learning about it?

        So I think such a mint could cheat, issue coins that are not backed by actual bitcoins.

        On top of that it might be accused of cheating without being able to defend itself. A bunch of people open their coins, extract the private key, transfer funds, and months later (so as to pretend they had nothing to do with it) complain that “the bitcoins were stolen.”

        • indolering February 11, 2014 at 4:10 pm #

          You validate that the private key exists by challenging it to encrypt something…. Think about PGP email signing or signed binaries.

          To prevent nefarious users, we could setup a WOT that would track the last time a coin had been scanned. If the users funds were stolen AFTER such a scan took place, we could verify whether that hash function had been broken.

          • SW February 11, 2014 at 7:53 pm #

            Just because a device can encrypt something doesn’t mean that the key itself is recoverable. I fear this coin design may get quite complicated.

        • Stuart Gathman April 1, 2014 at 8:22 pm #

          “Challenge response” refers to “zero knowledge proofs” – one of the many mathematical ways to prove you know a secret without revealing that secret. Digital signatures prove that you know the private key, without revealing that private key.

          A simple C/R with a 1 way hash may be simpler to understand. Server wants to know if user knows the password without the user having to transmit said password.

          1. Server sends a random number to user
          2. User (his computer rather) computes a hash of the password with the random number, and sends back the result.
          3. Server hashes the password with the random number, and checks that the result matches what the user (his computer rather) sent.

          • indolering June 8, 2014 at 4:32 pm #

            Not sure why I can’t respond to SW’s comment directly, but if the chip can access the private key it’s pretty damn hard to believe that you couldn’t access it as well. It certainly a hell of a lot better than relying a printed copy of the private key.

  2. proofreaderonimous February 9, 2014 at 11:43 pm #

    “The with these systems is no different” => “The problem with these systems is no different” or similar?

  3. SDLerner February 10, 2014 at 5:09 am #

    It’s unclear in this article how PUFs can be used to create digital signatures (a privkey/pubkey pair). PUFs can be verified as long as the verifier has already performed several challenge/response interactions and have the corresponding responses. And if these responses cannot be public: they should be stored secretly by a verification entity (such as a central bank). So people won’t be able to verify their physical coins without running an online protocol with a central authority.

    The right way to do this (completely offline) is using the Firmcoin (Firmcoin.com)

    • indolering February 11, 2014 at 4:03 pm #

      PUF’s are not pub/private signatures, they are physical one-way hash functions.

      Although a public/private key could be useful for dealing with low-fidelity PUF readers: if the PUF reader couldn’t get enough detail, it could rely on the manufacturers private key. However, a PUF removes the ability of a manufacturer to produce multiple coins with the same public/private key.

    • SW February 11, 2014 at 8:00 pm #

      Thanks for the link. Yes, firmcoin sounds more plausible and complete. It also shows how complicated this gets when one tries to cover all angles.

  4. Ron Helwig February 16, 2014 at 6:35 am #

    None of this addresses the primary issue with physical bitcoins, which is that the person receiving it has absolutely no way to ensure that the issuer hasn’t kept the private key. It might have enough tamper-resistant and tamper-evident features to make you believe that no one has retrieved the private key since it was issued, but you still have to have absolute trust in the issuer for it to be worth anything. This is a problem with every physical bitcoin proposal I have seen, and IMHO is the primary issue – counterfeiting of the physical token is much less of a problem.

    • indolering February 27, 2014 at 2:31 pm #

      Ahh, this is true! However, we can combat this in a few different ways. One is to just establish the issuer in a country with a strong rule-of-law. If said company or any of it’s employees tried to wholesale defraud their customers, they would be put in prison.

      However, we must protect against internal attacks as well. One can imagine a radically open system in which everything is cryptographically secure and formally proven, from the computers generating the wallets and transferring the money to the machines printing the physical coins. The entire production process could be streamed online it could be staffed with rotating academics and others so the system is regularly audited and the internals of the system are trustless.

    • indolering February 27, 2014 at 2:32 pm #

      Ahh, this is true! We must trust someone, that cannot be removed entirely. However, we can combat bad actors in a few different ways.

      One is to just establish the issuer in a country with a strong rule-of-law. If said company or any of it’s employees tried to wholesale defraud their customers, they would be put in prison.

      However, we must protect against internal attacks as well. One can imagine a radically open system in which everything is cryptographically secure and formally proven, from the computers generating the wallets and transferring the money to the machines printing the physical coins. The entire production process could be streamed online it could be staffed with rotating academics and others so the system is regularly audited and the internals of the system are trustless.

      Finally, we can also purchase insurance. An external organization can provide financial coverage to compensate those who stand to lose money from a systemic collapse. The insurance providers would watchdog the entire process and enable us to spread the risk of inevitable problems.

      I think these counter-measures can ameliorate the dangers to an acceptable level.

      Thank you for pointing this out!

  5. Burrito May 23, 2014 at 3:33 pm #

    I’d like to politely correct you on the political status of the Channel Islands.

    The Channel Islands are an archipelago of (two) British Crown Dependencies: Guernsey and Jersey. Not nearly a micro nation (not even a single political entity).

    • Burrito May 23, 2014 at 3:44 pm #

      Otherwise, a great article. I hope this can catch on. :)

      • indolering June 8, 2014 at 4:37 pm #

        Thanks for the correction, I added a link to your comment here. Us Americans get cross-eyed when it comes to the British system of governance : P

Trackbacks/Pingbacks

  1. Counterfeit-proof Physical Bitcoins | Social Media Marketing 24/7 - February 8, 2014

    […] I haven’t seen this discussed here yet: http://www.indolering.com/puf-bitcoin […]

  2. bitcoins físicos, ¿posible? | Virgilio Leonardo Ruilova Castillo - February 9, 2014

    […] bitcoins físicos, ¿posible? […]

  3. Counterfeit-proof Physical Bitcoins | NewsBitcoin.com - February 9, 2014

    […] I haven't seen this discussed here yet: http://www.indolering.com/puf-bitcoin […]

Leave a Reply