Counterfeit-Proof Physical Bitcoins

The problem with current “physical” Bitcoins systems is that their production cost scales at upfrontCost + btcValuerawMaterialsCost x coins while the attack cost is only upfrontCostrawMaterialsCost x coins.  Storing a physical one-way hash of the individual coins on Namecoin would make such coins “counterfeit-proof” in that the attack cost scales at some multiple of the reproduction cost of the physical one-way hash.  This is a major breakthrough for both Bitcoin and traditional currencies.

To counterfeit any currency there is a one-time upfront investment and an ongoing per-unit cost.  For example, to fake a US dollar one would have to buy printing equipment and spend lots of time and money figuring reverse engineering the designs.  However, after that upfront investment, it only costs ~$0.10 to produce each bill.  Currency is thus protected primarily by law-enforcement and geo-political deal-making.  Even so, it is profitable enough that there is large-scale counterfeiting of US bills.

The cost of counterfeiting a currency can be modeled in the same way as modeling complexity.  An attack against traditional currencies can thus be modeled as the one-time upfront amount c and the per-unit material cost n:

O(c + m x n) or upfrontCost + rawMaterialsCost x numberOfCoins.

When thinking about the difficulty of solving a computational problem, computer scientists just shave off the c because the limiting part is usually n: as numberOfCoins increases the upfrontCost is spread out over each coin.  Eventually, the value of the rawMaterialsCost multiple of n becomes larger than the factional cost of c.

To put this in more concrete terms, let’s consider the cost of attacking a physical Casascius Bitcoin protected by a holographic sticker.  If you want to create your own Casascius coin you must first create a die, a metal etching of the coin that is used to make the impression:

Image of coin die.

Dies for the 2013 US quarter.

I received quotes of ~$500 per die or ~$1,000 per coin.  For a shiny metal, the raw material cost of coin is ~$1 and the price of a holographic sticker is ~$0.10.  In (semi-accurate) Big-O notation, that would be O(c+n) = O($1000 + $1.10 x n).  If you are minting a single coin that coin will cost ~$1001.10.  However, if you are minting 1,000 coins, the price per coin drops to $2.10.  A run of 10,000 coins drops the per coin cost to $1.20: $1.00 for the metal, $0.10 for the holographic sticker, and $0.10 for the cost of the dies.

Governments issuing fiat money can arbitrarily fix the price of the minted coin well above the cost of production.  With Bitcoin, each physical coin corresponds to a wallet with an equivalent amount of funds, so the production price for each physical coin costs the face value of the minted coin in addition to it’s material costs:

  • Fiat: upfrontCost + (rawMaterialsCost  x numberOfCoins)
  • BTC: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

Protecting the face value of Casascius and other physical Bitcoins has traditionally been handled by printing the public account number on the outside of the holographic sticker and printing a secret key for that account on the inside of the holographic sticker.  But the price of a holographic sticker is only ~$0.10; not much is protecting that account number.  This puts us in a losing position:

  • Counterfeit BTC: upfrontCost + (rawMaterialsCost x numberOfCoins)
  • Legitimate BTC: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

The trick thus becomes increasing the per-coin cost of counterfeiting to something higher than the value of the face-value of the coin while also keeping the cost for producing each coin below the face-value of the coin.  As long as the cost to replicate the object is less than the face value, we win:  replication cost > face-value: 

  • Counterfeit BTC: upfrontCost + (rawMaterialsCost x replicationCost  x numberOfCoins)
  • Legitimate BTC: upfrontCost + (rawMaterialsCost x faceValue  x numberOfCoins)

To up the replication cost, we need to individualize each coin during production.  Printed money demarcates individual bills using serial numbers, but they are just that: numbers.  They do not represent anything inherent to the paper bill itself other than a single digit. However, each paper bills has hundreds or thousands of fibers that are essentially “randomly” placed.  If you could scan the position of those fibers at a high resolution and uploaded it to database, any money handler could look up the bill in the database to check if it is genuine.

The technical term for such randomness is a Physically Uncloneable Function, a physical version of a one-way hash.  The cost to create a PUF is essentially free because don’t care what the random signature is.  However replicating that random signature is not free.

However, simply upping the replication cost is not enough to create a physical Bitcoin because redeeming the value in the wallet requires being able to read the private key.  A physical Bitcoin could include a challenge/response chip to prove access to the private key.  However, to prevent physical “double-spends” one must wrap the key storage inside of a PUF, ensuring that retrieval of the private key would entail destruction of the PUF.

PUFs are a really neat use case for Namecoin, a cryptocurrency that acts as a censorship resistant key/value database. One would place the public key along with the PUF signature in the Namecoin database, ensuring no government could subvert or censor the hashes.  Namecoin doesn’t compete with Bitcoin directly and there is no reason to build a physical Namecoin currency.  However, any PUF database must have the security and censorship resistance qualities afforded by a Namecoin.

I claimed that the coins are “counterfeit-proof”, an astute hacker would likely ask me to put an asterisk next to that claim given the number of digital hash functions that turned out to be insecure.  However, just as dual MD5 and SHA-1 hashes delayed practical exploits of either single hash, layered PUF functions should be used here as well.  As PUFs are cracked the manufacturer would create new PUFs and remove the old physical Bitcoins from circulation.  Even if someone cracked all of the PUFs at once, existing coin holders would not suffer economically: simply crack open the physical coin and move the money to another wallet.

PUF Bitcoins would be perfect for the many countries with unstable national currencies, like Myanmar, Venezuela, and North Korea, and other countries which unofficially accept physical US dollars1.  There is a large amount of distrust in any paper currency to which even the venerable US dollar struggles to overcome,

When you arrive in Myanmar, you can see how eager the people are to do business … A guy in a booth offers to rent me a local cellphone ”” and he’s glad to take U.S. dollars. But when I pull out my money, he shakes his head.

“I’m sorry,” he says.

He points to the crease mark in the middle of the $20 bill. No creases allowed.

So I pull out another, which he rejects because it’s a little bit faded, and a third, which he doesn’t want because of a tiny tear, and a fourth, which he calls “not very acceptable” because of a little ink spot.

Planet Money

The only thing holding Bitcoin from exploding in many markets is a lack of a physical incarnation.  At the most basic level, the technology required to use Bitcoins is a major roadblock: half of the stalls at the Seattle University District Farmer’s Market a block from my house do not accept credit cards.  If boutique, local, organic farmers selling to snobby Seattleites can’t be bothered to get a credit card machine, rural farmers in 3rd world countries are not going to get a $500 smartphone and a $100/month data plan just so they can accept Bitcoin.  A physical Bitcoin, even without PUF, levels the playing field with traditional currencies in these markets.

Optical PUF scanners have been made in the < $20 price-range.  You don’t need a regular internet connection, batches could be held back for months so that off-line devices could be updated with new coins as well as alert people if counterfeits are produced.  Even if you are able to crack the verification code of an offline reader and feed it faulty data you would also have to control what coins that person comes in contact with.  This relegates potential victims to extremely insular communities and potential attackers to someone with lots of technical sophistication and near global control over that community.

Many (if not most) alternative currencies are gimmicky imitators with superficial changes which are driven by nothing but market speculation.  There are “legitimate” mints looking into copying key features of Bitcoin as well.  The Canadian Mint tried making a digital currency and the Channel Islands are actively perusing producing physical coins based on cryptocurrencies.  However, both of these awkward attempts at bridging digital and physical incarnations of a cryptocoin fall short because they both rely on value stores other than Bitcoin itself.  A physical Bitcoin  extends all of the things that make Bitcoin useful in its respected niches to physical transactions.  Meaning that a hotel in Myanmar wouldn’t need to physically protect the hard currency it receives and a vendor in Venezuela could use their hard currency to purchase goods online.


  1. In response to a comment on Slashdot, I would like to clarify that I don’t believe this solves the larger socioeconomic problem in these unstable regions.  It can help, all currency manipulation is kept a bay by the long-term consequences of such manipulation.  A government can continue to reap short-term gains as long as sticking with the hyper-inflationary currency is a better option for the locals than using the alternatives.  Right now the only alternatives are to use physical US dollars or barter.  Both of those options suck compared to the ease of which one can transition a PUF Bitcoin into a digital value store.  However, citizens will still have to sneak around and go against the local authorities.  While it doesn’t make such activities any safer, it does make them easier and more secure.  

Powered by WordPress. Designed by WooThemes