The problem with current “physical” Bitcoins systems is that their production cost scales at O(1+v*m*n) (upfront + btc value x materials x n) while the attack cost is only O(1+m*n).Storing the physical one-way hash of the individual coins on Namecoin would make such coins “counterfeit-proof” in that the attack cost scales at some multiple of the production cost. This is a major breakthrough for both Bitcoin as well as currencies more generally.
To counterfeit any currency there is a fixed upfront investment in research and equipment followed by an ongoing per-unit cost. For example, to fake a US dollar one would have to buy printing equipment and spend lots of time and money figuring reverse engineering the designs. However, after that upfront investment, it only costs ~$0.10 to produce each dollar. Thus currency is protected primarily via law-enforcement efforts and Geo-political deal-making. Even so, it is profitable enough that there is large-scale counterfeiting of the US dollar.
The cost of counterfeiting a currency can be modeled in the same way which computer science models complexity more generally. An attack against a traditional currencies can thus be seen as costing a one-time constant amount c and the per-unit material cost n: O(1 x c + m x n) or upfrontCost + rawMaterialsCost x numberOfCoins.
When thinking about the difficulty of solving a computational problem, computer scientists just shave off the c because the limiting part is usually n: as numberOfCoins increases the upfrontCost is spread out over each coin. Eventually, the value of the rawMaterialsCost multiple of n becomes larger than the factional cost of c.
To put this in more concrete terms, let’s consider the cost of attacking a physical Bitcoin protected by a holographic sticker. If you want to create your own physical coin you must first create a die, a metal etching of the coin that is used to make the impression:
This costs ~$500 per die or ~$1,000 per coin. For a shiny metal, the raw material cost of coin is ~$1 and the price of a holographic sticker is ~$0.10. In (semi-accurate) Big-O notation, that would be O(c+n) = O($1000 + $1.10 x n). If you are printing one coin that single coin will cost ~$1001.10. However, if you are planning on printing 1,000 coins the price per coin drops to $2.10. A run of 10,000 coins drops the per coin cost to $1.20: the upfront constant price c is now the price of a holographic sticker.
Fiat money has the advantage in that the government issuing the money can arbitrarily fix the price of the minted coin well above the cost of production. With Bitcoin, each physical coin represents a wallet with an equivalent amount of funds, so each physical coin costs the face value of the minted coin in addition to it’s material costs:
- Fiat: upfrontCost + (rawMaterialsCost x numberOfCoins)
- Crypto: upfrontCost + (rawMaterialsCost x faceValue x numberOfCoins)
Protecting the face value of the coin has traditionally been handled by printing the public account number on the outside of the cryptographic seal and printing a secret key for that account on the inside of the holographic seal. But the price of a cryptographic seal is only ~$0.10; not much is protecting that account number. This puts us in a loosing position:
- Counterfeit crypto: upfrontCost + (rawMaterialsCost x numberOfCoins)
- Legitimate crypto: upfrontCost + (rawMaterialsCost x faceValue x numberOfCoins)
The trick thus becomes increasing the per-coin cost of counterfeiting to something higher than the value of the face-value of the coin while also keeping the cost for producing each coin below the face-value of the coin: counterfeit production cost > face-value > cost of initial production. As long as the cost to reproduce the object is less than the face value, we win.
To get there, we need to individualize each coin. If we store the unique properties of each physical coin in a database, the cost of counterfeiting each coin becomes:
- Counterfeit crypto: upfrontCost + (rawMaterialsCost x replicationCost x numberOfCoins)
- Legitimate crypto: upfrontCost + (rawMaterialsCost x faceValue x numberOfCoins)
Printed money demarcates individual bills using serial numbers, but they are just that: numbers. They do not represent anything inherent to the paper bill itself other than a single digit. To jack the replication cost cost up we can embed randomness into the production process, this is known as a Physically Uncloneable Function. A PUF is a really fancy term for a physical object that has a lot of randomness in it1. Adding randomness into the production process is essentially free because don’t care about what the random signature is, however, it’s akin to tossing a deck of cards onto the floor. Reproducing that random signature is not free, just as reproducing that random pile of cards would require several times the amount of effort to painstakingly place each and every card in the right position.
A real world example is the use of glitter nail polish to detect snooping on electronics gear. If a reporter wants to protect their computer and peripherals from NSA or other state-sponsored wiretaps, they could paint over every nail with some glitter nail polish and take a picture. Even the NSA is going to have a very hard time reproducing the exact pattern produced by a swipe of glitter.
A more practical implementation is the magnetic stripes on your credit card: millions of magnetic rods are “placed” at random and can be with high-precision all at a very low cost. Credit cards also have challenge/response chips and one could embed the private key of a Bitcoin within such a chip to ensure that the private key is present and retrievable. However, a challenge/response chip doesn’t prevent one from stealing the private key and then passing on the physical coin2. To prevent such “physical double-spends” we need to tie the PUF to the coins physical structure, ensuring that if someone was to retrieve the private key they would have to destroy the PUF to get it.
My proposal is to create a hollow coin with an NFC-readable signature. Print/place the private key on the inside of the coin and post the public key along with the NFC signature on the Namecoin database (a cryptocoin which allows for secure, uncensorable storage of arbitrary data) and anyone with an NFC equipped cellphone can check if a coin is counterfeit3. A challenge/response chip (NFC or otherwise) would enable people to ensure that the coin’s public/private key-pair is authentic and still retrievable.
Note that I claimed that the coins are “counterfeit-proof”, an astute hacker would likely ask me to put an asterisk there as it’s not impossible to create a duplicate just very, very hard. To increase the difficulty, you could layer multiple PUF functions: an NFC readable signature, a magnetic-strip readable signature, and optical signature, etc. If one PUF fails, you have 2 fundamentally different PUFs to fall-back on.
What’s great about this is that we can simply chart the cost to reproduce such coins and we know which models are vulnerable and which are not. Even if someone does crack all the PUFs and begins counterfeiting physical Bitcoins, owners of existing coins would not suffer economically: simply crack open the physical coin and move the money to another wallet. In the meantime, innovators will figure out a new PUF and move on.
The superior anti-counterfeit features of a PUF Bitcoin represents a serious opportunity for Bitcoin. There are “legitimate” mints looking into copying key features of Bitcoin as well. The Canadian Mint tried making a digital currency the Channel Islands (a pseudo-but-not-really micro-nation) is actively perusing producing coins based on Bitcoin. However, both of these awkward attempts at bridging the digital and physical incarnations of the cryptocoin fall short because they both rely on value stores other than Bitcoin itself4.
Finally, and perhaps most importantly, PUF Bitcoins would be perfect for the many countries with unstable national currencies, like Myanmar, Venezuela, and North Korea, and other countries which unofficially accept physical US dollars5. There is a large amount of distrust in any paper currency to which even the venerable US dollar struggles to overcome,
When you arrive in Myanmar, you can see how eager the people are to do business … A guy in a booth offers to rent me a local cellphone — and he’s glad to take U.S. dollars. But when I pull out my money, he shakes his head.
“I’m sorry,” he says.
He points to the crease mark in the middle of the $20 bill. No creases allowed.
So I pull out another, which he rejects because it’s a little bit faded, and a third, which he doesn’t want because of a tiny tear, and a fourth, which he calls “not very acceptable” because of a little ink spot.
The only thing holding Bitcoin from exploding in many markets is a lack of a physical incarnation. At the most basic level, the technology required to use Bitcoins is a major roadblock: half of the stalls at the Seattle University District Farmer’s Market a block from my house do not accept credit cards. If boutique, local, organic farmers selling to snobby Seattleites can’t be bothered to get a credit card machine, rural farmers in 3rd world countries are not going to get a $500 smartphone and a $100/month data plan just so they can accept Bitcoin. A physical Bitcoin, even without PUF, levels the playing field with traditional currencies in these markets.
Keep in mind that a PUF Bitcoin should be as resistant to counterfeiting as a traditional currency, verification is optional. If someone WANTS to verify the transactions the verification system for physical Bitcoins is much cheaper6 and more secure than even a credit card reader7. Optical PUF scanners have been made in the < $20 price-range8 which are probably more precise than what a cell-phone NFC reader would be capable of. You don’t need a regular internet connection either, batches could be held back for months so that off-line devices could be updated with new coins as well as alert people if counterfeits are produced. For users in 3rd world settings, such devices could be charged with a crank or solar energy and the data cost for an update could be split among several people9.
I do not have enough engineering expertise to work on this without spending a lot of time and I am WAY too busy at the moment. I have, however, put up a proposed puf/ namespace on Namecoin’s (temporary) wiki. As a “core” contributor to Namecoin, I am a bit biased in my opinion of Namecoin as being the best place for such a data store. After-all, do we really want to bloat the blockchain with all that data?
Many (if not most) alternative currencies are gimmicky imitators with superficial changes which are driven by nothing but market speculation. Puf’s are a really neat use-case for Namecoin which also demonstrate why the Namecoin’s generic key/value is so important. Namecoin doesn’t compete with Bitcoin at all, it’s not nearly as good of a medium of exchange and I don’t see any reason to build a physical Namecoin currency other than for fun. However, we will need a PUF database with the security and censorship resistant features afforded by a blockchain for things other than currencies, such as ID’s, electronics, and other cool stuff I haven’t thought up. Do we want to have to build a crypto-currency for each use case?
I’ve tossed the idea around with the genius-grade mechanical engineers over at Corvus and Columba. They have already put some thought into the problem, so if you (reporters or whomever) have questions about the actual production, talk to them. If you are interested in funding research in this area, they are dedicated Open Source fanatics and a few grand could fund enough initial research to produce some prototypes.
A PUF is like a one-way hash function, NOT a private key. A private key could be used as a way to get around low-fidelity PUF readers: if the PUF reader couldn’t get enough detail, it could rely on the manufacturers private key. However, a PUF removes the ability of a manufacturer to produce multiple coins with the same public/private key. ↩
… or from someone embedding the challenge/response chip into a new coin or from a manufacturer producing multiple coins with the same public/private key. ↩
Which, if you already have an NFC phone, lowers the cost of a verification device to $0. Factor in the efficiencies of mass production and the market for used devices … even the low-end markets in third world countries would have “free” verification devices after a few years. Given that the blockchain (esp the UXTO version) can be shared from cell-phone to cell-phone…. ↩
As noted in the comments, a national currency could setup a PUF system, however, simply using a PUF only prevents fraud. A physical Bitcoin basically extends all of the things that make Bitcoin useful in its respected niches to physical transactions. For example, a PUF Bitcoin could be translated into its digital equivalent without having to visit a bank. ↩
In response to a comment on Slashdot, I would like to clarify that I don’t believe this solves the larger socioeconomic problem in these unstable regions. It can help, all currency manipulation is kept a bay by the long-term consequences of such manipulation. A government can continue to reap short-term gains as long as sticking with the hyper-inflationary currency is a better option for the locals than using the alternatives. Right now the only alternatives are to use physical US dollars or barter. Both of those options suck compared to the ease of which one can transition a PUF Bitcoin into a digital value store. However, citizens will still have to sneak around and go against the local authorities. While it doesn’t make such activities any safer, it does make them easier and more secure. ↩
If you factor in the cost of a credit-card’s ongoing transaction fee. ↩
There are no fraudulent reversals. ↩
I cannot find the link ATM but even if you add in storage of the blockchain and a processor the price-point would stay will within the < $100 range ↩
In response to a comment elsewhere, the blockchain enables one to reliably and securely update off-line devices. Even if you are able to crack the verification code of an offline reader and feed it faulty data you would also have to control what coins that person comes in contact with. This relegates potential victims to extremely insular communities and potential attackers to someone with near global control over that community and a lot of technical sophistication. For a better overview, read up on how the UXTO extension can verify transactions authenticity without having the full block chain. ↩