Counterfeit-Proof Physical Bitcoins

The problem with current “physical” Bitcoins systems is that their production cost scales at upfrontCost + btcValuerawMaterialsCost x coins while the attack cost is only upfrontCostrawMaterialsCost x coins.  Storing a physical one-way hash of the individual coins on Namecoin would make such coins “counterfeit-proof” in that the attack cost scales at some multiple of the reproduction cost of the physical one-way hash.  This is a major breakthrough for both Bitcoin and traditional currencies.

To counterfeit any currency there is a one-time upfront investment and an ongoing per-unit cost.  For example, to fake a US dollar one would have to buy printing equipment and spend lots of time and money figuring reverse engineering the designs.  However, after that upfront investment, it only costs ~$0.10 to produce each bill.  Currency is thus protected primarily by law-enforcement and geo-political deal-making.  Even so, it is profitable enough that there is large-scale counterfeiting of US bills.

The cost of counterfeiting a currency can be modeled in the same way as modeling complexity.  An attack against traditional currencies can thus be modeled as the one-time upfront amount c and the per-unit material cost n:

O(c + m x n) or upfrontCost + rawMaterialsCost x numberOfCoins.

When thinking about the difficulty of solving a computational problem, computer scientists just shave off the c because the limiting part is usually n: as numberOfCoins increases the upfrontCost is spread out over each coin.  Eventually, the value of the rawMaterialsCost multiple of n becomes larger than the factional cost of c.

To put this in more concrete terms, let’s consider the cost of attacking a physical Casascius Bitcoin protected by a holographic sticker.  If you want to create your own Casascius coin you must first create a die, a metal etching of the coin that is used to make the impression:

Image of coin die.

Dies for the 2013 US quarter.

I received quotes of ~$500 per die or ~$1,000 per coin.  For a shiny metal, the raw material cost of coin is ~$1 and the price of a holographic sticker is ~$0.10.  In (semi-accurate) Big-O notation, that would be O(c+n) = O($1000 + $1.10 x n).  If you are minting a single coin that coin will cost ~$1001.10.  However, if you are minting 1,000 coins, the price per coin drops to $2.10.  A run of 10,000 coins drops the per coin cost to $1.20: $1.00 for the metal, $0.10 for the holographic sticker, and $0.10 for the cost of the dies.

Governments issuing fiat money can arbitrarily fix the price of the minted coin well above the cost of production.  With Bitcoin, each physical coin corresponds to a wallet with an equivalent amount of funds, so the production price for each physical coin costs the face value of the minted coin in addition to it’s material costs:

  • Fiat: upfrontCost + (rawMaterialsCost  x numberOfCoins)
  • BTC: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

Protecting the face value of Casascius and other physical Bitcoins has traditionally been handled by printing the public account number on the outside of the holographic sticker and printing a secret key for that account on the inside of the holographic sticker.  But the price of a holographic sticker is only ~$0.10; not much is protecting that account number.  This puts us in a losing position:

  • Counterfeit BTC: upfrontCost + (rawMaterialsCost x numberOfCoins)
  • Legitimate BTC: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

The trick thus becomes increasing the per-coin cost of counterfeiting to something higher than the value of the face-value of the coin while also keeping the cost for producing each coin below the face-value of the coin.  As long as the cost to replicate the object is less than the face value, we win:  replication cost > face-value: 

  • Counterfeit BTC: upfrontCost + (rawMaterialsCost x replicationCost  x numberOfCoins)
  • Legitimate BTC: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

To up the replication cost, we need to individualize each coin during production.  Printed money demarcates individual bills using serial numbers, but they are just that: numbers.  They do not represent anything inherent to the paper bill itself other than a single digit. However, each paper bills has hundreds or thousands of fibers that are essentially “randomly” placed.  If you could scan the position of those fibers at a high resolution and uploaded it to database, any money handler could look up the bill in the database to check if it is genuine.

The technical term for such randomness is a Physically Uncloneable Function, a physical version of a one-way hash.  The cost to create a PUF is essentially free because don’t care what the random signature is.  However replicating that random signature is not free.

However, simply upping the replication cost is not enough to create a physical Bitcoin because redeeming the value in the wallet requires being able to read the private key.  A physical Bitcoin could include a challenge/response chip to prove access to the private key.  However, to prevent physical “double-spends” one must wrap the key storage inside of a PUF, ensuring that retrieval of the private key would entail destruction of the PUF.

PUFs are a really neat use case for Namecoin, a cryptocurrency that acts as a censorship resistant key/value database. One would place the public key along with the PUF signature in the Namecoin database, ensuring no government could subvert or censor the hashes.  Namecoin doesn’t compete with Bitcoin directly and there is no reason to build a physical Namecoin currency.  However, any PUF database must have the security and censorship resistance qualities afforded by a Namecoin.

I claimed that the coins are “counterfeit-proof” – an astute hacker would likely ask me to put an asterisk next to that claim given the number of digital hash functions that turned out to be insecure.  However, just as dual MD5 and SHA-1 hashes delayed practical exploits of either single hash, layered PUF functions should be used here as well.  As PUFs are cracked the manufacturer would create new PUFs and remove the old physical Bitcoins from circulation.  Even if someone cracked all of the PUFs at once, existing coin holders would not suffer economically: simply crack open the physical coin and move the money to another wallet.

PUF Bitcoins would be perfect for the many countries with unstable national currencies, like Myanmar, Venezuela, and North Korea, and other countries which unofficially accept physical US dollars1.  There is a large amount of distrust in any paper currency to which even the venerable US dollar struggles to overcome,

When you arrive in Myanmar, you can see how eager the people are to do business … A guy in a booth offers to rent me a local cellphone — and he’s glad to take U.S. dollars. But when I pull out my money, he shakes his head.

“I’m sorry,” he says.

He points to the crease mark in the middle of the $20 bill. No creases allowed.

So I pull out another, which he rejects because it’s a little bit faded, and a third, which he doesn’t want because of a tiny tear, and a fourth, which he calls “not very acceptable” because of a little ink spot.

-Planet Money

The only thing holding Bitcoin from exploding in many markets is a lack of a physical incarnation.  At the most basic level, the technology required to use Bitcoins is a major roadblock: half of the stalls at the Seattle University District Farmer’s Market a block from my house do not accept credit cards.  If boutique, local, organic farmers selling to snobby Seattleites can’t be bothered to get a credit card machine, rural farmers in 3rd world countries are not going to get a $500 smartphone and a $100/month data plan just so they can accept Bitcoin.  A physical Bitcoin, even without PUF, levels the playing field with traditional currencies in these markets.

Optical PUF scanners have been made in the < $20 price-range.  You don’t need a regular internet connection, batches could be held back for months so that off-line devices could be updated with new coins as well as alert people if counterfeits are produced.  Even if you are able to crack the verification code of an offline reader and feed it faulty data you would also have to control what coins that person comes in contact with.  This relegates potential victims to extremely insular communities and potential attackers to someone with lots of technical sophistication and near global control over that community.

Many (if not most) alternative currencies are gimmicky imitators with superficial changes which are driven by nothing but market speculation.  There are “legitimate” mints looking into copying key features of Bitcoin as well.  The Canadian Mint tried making a digital currency and the Channel Islands are actively perusing producing physical coins based on cryptocurrencies.  However, both of these awkward attempts at bridging digital and physical incarnations of a cryptocoin fall short because they both rely on value stores other than Bitcoin itself.  A physical Bitcoin  extends all of the things that make Bitcoin useful in its respected niches to physical transactions.  Meaning that a hotel in Myanmar wouldn’t need to physically protect the hard currency it receives and a vendor in Venezuela could use their hard currency to purchase goods online.


  1. In response to a comment on Slashdot, I would like to clarify that I don’t believe this solves the larger socioeconomic problem in these unstable regions.  It can help, all currency manipulation is kept a bay by the long-term consequences of such manipulation.  A government can continue to reap short-term gains as long as sticking with the hyper-inflationary currency is a better option for the locals than using the alternatives.  Right now the only alternatives are to use physical US dollars or barter.  Both of those options suck compared to the ease of which one can transition a PUF Bitcoin into a digital value store.  However, citizens will still have to sneak around and go against the local authorities.  While it doesn’t make such activities any safer, it does make them easier and more secure.  

24 Responses to “Counterfeit-Proof Physical Bitcoins”

  1. SW February 9, 2014 at 7:31 am #

    Two questions.

    1. So someone receives one of your coins. How do they know the matching private key is actually inside?

    2. What is the difference of your proposal to having a mint simply publish a list of PUF signatures for verification? Then coins can be verified against this list. All data in the coin is only added for verifiability. What is lost from your proposal, except that no bitcoins are used?

    Stephan

    • indolering February 9, 2014 at 10:38 am #

      1. So someone receives one of your coins. How do they know the matching private key is actually inside?

      The simplest way is to just embed a challenge-response chip like they have on credit cards.

      2. What is the difference of your proposal to having a mint simply publish a list of PUF signatures for verification? Then coins can be verified against this list. All data in the coin is only added for verifiability. What is lost from your proposal, except that no bitcoins are used?

      Uhh, all of the benefits that come with using Bitcoins? :P

      • indolering February 9, 2014 at 12:56 pm #

        Which is to say that a physical Bitcoin bridges all of things that make Bitcoin great for 3rd world markets to physical transactions. Most of these countries are shut out of the legitimate banking system due to fraud. Even if, for example, a farmer is paid in physical currency the farmers *suppliers* can seamlessly exchange the physical currency for a digital one, much like we can deposit cash in a bank. Except they don’t have to go to a physical bank.

      • SW February 10, 2014 at 9:28 am #

        Thanks for your answer.

        About “… embed a challenge-response chip like they have on credit cards.”

        I don’t see how a challenge-response system can help here. The methods are about “providing a valid answer”, but how can the owner of a bitcoin get to verify the private key without learning about it?

        So I think such a mint could cheat, issue coins that are not backed by actual bitcoins.

        On top of that it might be accused of cheating without being able to defend itself. A bunch of people open their coins, extract the private key, transfer funds, and months later (so as to pretend they had nothing to do with it) complain that “the bitcoins were stolen.”

        • indolering February 11, 2014 at 4:10 pm #

          You validate that the private key exists by challenging it to encrypt something…. Think about PGP email signing or signed binaries.

          To prevent nefarious users, we could setup a WOT that would track the last time a coin had been scanned. If the users funds were stolen AFTER such a scan took place, we could verify whether that hash function had been broken.

          • SW February 11, 2014 at 7:53 pm #

            Just because a device can encrypt something doesn’t mean that the key itself is recoverable. I fear this coin design may get quite complicated.

        • Stuart Gathman April 1, 2014 at 8:22 pm #

          “Challenge response” refers to “zero knowledge proofs” – one of the many mathematical ways to prove you know a secret without revealing that secret. Digital signatures prove that you know the private key, without revealing that private key.

          A simple C/R with a 1 way hash may be simpler to understand. Server wants to know if user knows the password without the user having to transmit said password.

          1. Server sends a random number to user
          2. User (his computer rather) computes a hash of the password with the random number, and sends back the result.
          3. Server hashes the password with the random number, and checks that the result matches what the user (his computer rather) sent.

          • indolering June 8, 2014 at 4:32 pm #

            Not sure why I can’t respond to SW’s comment directly, but if the chip can access the private key it’s pretty damn hard to believe that you couldn’t access it as well. It certainly a hell of a lot better than relying a printed copy of the private key.

  2. proofreaderonimous February 9, 2014 at 11:43 pm #

    “The with these systems is no different” => “The problem with these systems is no different” or similar?

  3. SDLerner February 10, 2014 at 5:09 am #

    It’s unclear in this article how PUFs can be used to create digital signatures (a privkey/pubkey pair). PUFs can be verified as long as the verifier has already performed several challenge/response interactions and have the corresponding responses. And if these responses cannot be public: they should be stored secretly by a verification entity (such as a central bank). So people won’t be able to verify their physical coins without running an online protocol with a central authority.

    The right way to do this (completely offline) is using the Firmcoin (Firmcoin.com)

    • indolering February 11, 2014 at 4:03 pm #

      PUF’s are not pub/private signatures, they are physical one-way hash functions.

      Although a public/private key could be useful for dealing with low-fidelity PUF readers: if the PUF reader couldn’t get enough detail, it could rely on the manufacturers private key. However, a PUF removes the ability of a manufacturer to produce multiple coins with the same public/private key.

    • SW February 11, 2014 at 8:00 pm #

      Thanks for the link. Yes, firmcoin sounds more plausible and complete. It also shows how complicated this gets when one tries to cover all angles.

  4. Ron Helwig February 16, 2014 at 6:35 am #

    None of this addresses the primary issue with physical bitcoins, which is that the person receiving it has absolutely no way to ensure that the issuer hasn’t kept the private key. It might have enough tamper-resistant and tamper-evident features to make you believe that no one has retrieved the private key since it was issued, but you still have to have absolute trust in the issuer for it to be worth anything. This is a problem with every physical bitcoin proposal I have seen, and IMHO is the primary issue – counterfeiting of the physical token is much less of a problem.

    • indolering February 27, 2014 at 2:31 pm #

      Ahh, this is true! However, we can combat this in a few different ways. One is to just establish the issuer in a country with a strong rule-of-law. If said company or any of it’s employees tried to wholesale defraud their customers, they would be put in prison.

      However, we must protect against internal attacks as well. One can imagine a radically open system in which everything is cryptographically secure and formally proven, from the computers generating the wallets and transferring the money to the machines printing the physical coins. The entire production process could be streamed online it could be staffed with rotating academics and others so the system is regularly audited and the internals of the system are trustless.

    • indolering February 27, 2014 at 2:32 pm #

      Ahh, this is true! We must trust someone, that cannot be removed entirely. However, we can combat bad actors in a few different ways.

      One is to just establish the issuer in a country with a strong rule-of-law. If said company or any of it’s employees tried to wholesale defraud their customers, they would be put in prison.

      However, we must protect against internal attacks as well. One can imagine a radically open system in which everything is cryptographically secure and formally proven, from the computers generating the wallets and transferring the money to the machines printing the physical coins. The entire production process could be streamed online it could be staffed with rotating academics and others so the system is regularly audited and the internals of the system are trustless.

      Finally, we can also purchase insurance. An external organization can provide financial coverage to compensate those who stand to lose money from a systemic collapse. The insurance providers would watchdog the entire process and enable us to spread the risk of inevitable problems.

      I think these counter-measures can ameliorate the dangers to an acceptable level.

      Thank you for pointing this out!

    • indolering August 12, 2014 at 5:28 pm #

      Well, the entire business model of the issuer is tied up in the integrity of the system that they create. They could create an independent auditing system and there are interesting things you can do with the hardware itself.

  5. Burrito May 23, 2014 at 3:33 pm #

    I’d like to politely correct you on the political status of the Channel Islands.

    The Channel Islands are an archipelago of (two) British Crown Dependencies: Guernsey and Jersey. Not nearly a micro nation (not even a single political entity).

    • Burrito May 23, 2014 at 3:44 pm #

      Otherwise, a great article. I hope this can catch on. :)

      • indolering June 8, 2014 at 4:37 pm #

        Thanks for the correction, I added a link to your comment here. Us Americans go cross-eyed when it comes to the British system of governance : P

  6. Tony November 5, 2014 at 12:44 pm #

    I have gone round and round trying to come up with the best solution to truly put a crypto-currency onto a physical, “database-less” form of media which is not dependent on the internet or electricity. I have made several paper wallets for friends of mine and, for a while, I thought the BIP38 fix was the way to go. I kept finding Schrödinger’s cat (1935) every time I thought I was close to a solution. At some point you really have to put some serious thought into the idea that a physical currency may not be possible without a central source of trust.

    Sadly, I am 99.9% sure that all physical currencies are based on violence, fear and aggression.

Trackbacks/Pingbacks

  1. Counterfeit-proof Physical Bitcoins | Social Media Marketing 24/7 - February 8, 2014

    […] I haven’t seen this discussed here yet: http://www.indolering.com/puf-bitcoin […]

  2. bitcoins físicos, ¿posible? | Virgilio Leonardo Ruilova Castillo - February 9, 2014

    […] bitcoins físicos, ¿posible? […]

  3. Counterfeit-proof Physical Bitcoins | NewsBitcoin.com - February 9, 2014

    […] I haven't seen this discussed here yet: http://www.indolering.com/puf-bitcoin […]

Leave a Reply