Posted 26 Jun 2003 at 14:50 UTC by DeepNorth Share This

Using multiple public key encryptions, I believe it is possible to make paper currency that is counterfeit-proof using plain paper and a relatively inexpensive printer.

Below is a note that I sent to the Bank of Canada after an (unsuccessful) interview for the contract to project manage the introduction of the new Canadian $50 and $100 bills. I never heard back from them and wonder whether this touched a nerve or was simply misunderstood. FWIW, I am GPL'ing the protocol and this text. Enjoy. <h3> Note -- if you implement this protocol, please send me a link! </h3> <h3> Note also -- This is the 'base' protocol. There are many trivial variations on this theme. If someone manages to patent some variation, I would find the patent highly suspect. This is 'prior art' folks. </h3>

(Name Redacted),

Thank you very much for meeting with me today.

I am sending the note about how you can produce a counterfeit-proof note on ordinary paper from a low-quality printer such as the one I have here.


  1. Print a 'blank', which has all the features of your note except the security code. It looks just like an ordinary bill (a really fake looking bill on my printer).
  2. Randomly choose several small portions of the bill to scan at high resolution. Scan and produce images.
  3. Process the images so that they are reduced to relatively unambiguous pools of dark and light.
  4. Generate hashes from various portions of the resulting images such that they produce a small set of codes -- one or two hundred bytes.
  5. Generate a public/private key pair.
  6. Encrypt the codes above with your private key along with the information to find the portions of the bill that you scanned.

To test the bill, you decrypt with the public key, scan the bill and test to see that it matches.

There are, of course, many variations on a theme here. I said that I could produce bills such that I could make them and you could not counterfeit them. I think the above demonstrates that this is quite possible, even with relatively primitive equipment.

The security comes from the fact that even you can't produce bills that are exact in every single detail one from the next. In the test above, I would not reveal even the public key to you. The only way that you could produce a counterfeit that I would not be able to detect would be to produce an exact match of the entire bill down to the layout of fibres in the paper. Likely impossible, but definitely expensive enough to make counterfeiting a profitless operation. Given the resources of your vendors, I am quite confident that this would give you security that even the Bank and its vendors could not circumvent. That is to say that even if I say to you that you can use everything the Bank has at it's disposal including special papers, inks, printing presses and all the various experts involved you still would not be able to produce a counterfeit even on your own equipment.

There are, of course, many details to add to have a working system. Devices need to be available widely enough that can run the test. More than one set of the above should be generated and particular client banks would only get access to one of the multiples of 'public' keys used in the system. They would be able to test and verify their own portion to validate the bill, but would never have enough information to counterfeit anything but their own portion.

It is easy to create a particular bill and to take a high-resolution picture of it, but it is quite impossible to reproduce the exact thing in every detail at a microscopic level. It is cheap to produce, but even with my laser printer very, very expensive to re-produce.

I hope you understand the above. Let me know if you need further clarification.

riiight., posted 26 Jun 2003 at 17:37 UTC by etrepum » (Journeyer)

Money gets worn and dirty, and then your method will stop working. The more lenient your algorithm is to accomodate for that fact, the easier it is to make a copy of that bill.

It's not really possible to have counterfeit-proof anonymous paper money that can be verified without some seriously expensive infrastructure. You could throw something like RFID chips in the bills, which makes it a lot harder to counterfeit because you'd have to make/steal compatible chips and antennas, but that's not impossible.

The real problem is that there's no way to determine the serial number of a particular bill is globally unique. Nomatter what magic you use, unless there's a central database and a way to write data to the bill (change some bits after a transaction), you're going to have a near impossible time making something that can't be counterfeited eventually. But then you have a whole new can of worms (what happens when the communication lines or "money servers" go down or get hacked?).

It's a nice idea but I guess it will not work, posted 26 Jun 2003 at 19:17 UTC by chalst » (Master)

To avoid the "dirty note" effect described by etrepum it would be necessary to find some relatively unforgeable feature of the note that doesn't deteriorate. Clearly raw image scans are not going to stay the same as the note is used, but perhaps we can exploit variations in the weave of the paper to provide a metric that does. Some thoughts:

  • Knot theorists have studied abstract representations that might be useful in the design of the metric.
  • There's no way of avoiding an empirical investigation of the material: how much variation of weave does paper provide? Can weaves be duplicated? Does the weave really remain constant with use?
  • If weaves in ordinary paper don't have the desired properties, there may be other ways of producing paper that do work.
  • Forgers are smart people and once the system is deployed, all the advantages from technical innovation are on their side. Just because the paper production techniques today mean forgeries are impossible, doesn't mean that will still be the case next year.
Still, it's a nice idea, and one that is worth persevering with.

Network of verification devices?, posted 26 Jun 2003 at 20:42 UTC by jrobbins » (Master)

It sounds like someone would need a device with a scanner and computer to verify the authenticity of a note. If you assume that, then you could use the following scheme instead which is much simpler and would make it hard for crooks.

  • Scan the note serial number, printing date, and deminination

  • Connect to a central database to tell if a note with that serial number, print date, and demonination was ever printed and is currently in circulation

  • Make sure that one note is not in two places at the same time: e.g., in a bank vault and at a bar.

  • optionally, compute a fraud score in much the same way that credit card companies do: Has the note suddendly travelled 1000 miles? Is it a high demonimation? Have similar couterfeit notes been passed in this area recently? If the score is too high, alert the clerk to look more closely at other security features, ask to see ID, ask for a fingerprint, or decline to accept the note.

  • optionally, if the note has been seen several times in the same area recently, direct the clerk to set the note aside (out of circulation for 72 hours or so). Record that in the central database. That way multiple literal copies of a note cannot be quickly passed in one area.

  • Optionally, punch a hole in the note or make some other scannable (but invisible?) marking. Record that fact in the database for later verifiction. Once all punchable area has been punched, set the note aside to be taken out of circulation and replaced with a new note.

Any such device would have to work fast to be better than the counterfeit-detecting highlighter pens that I see many businesses using now.

Drawbacks of central databases, posted 26 Jun 2003 at 21:05 UTC by chalst » (Master)

There are civil liberties issues involved with having the history of transactions of each banknote being tracked. The interest of DeepNorth's proposal is that it just might avoid the need of a central database.

Related links, posted 26 Jun 2003 at 22:59 UTC by vinsci » (Master)

There are some intresting online books at ("money reform") (in several languages).

After having read chapter one, Four Basic Misconceptions About Money of Margrit Kennedy's book, chances are you won't be able to stop reading. The full book is online and only 139 pages. A bit into the book, you'll find that the ideas have been tested in reality, with huge success. From there, go on to read Silvio Gesell's The Natural Economic Order (fourth edition, 1920; again, full text online). John Maynard Keynes (yes, that Keynes) said of his work "I believe the future will learn more from the spirit of Gesell than from that of Marx".

More related book in english and other languages at the money reform site.

For digital cash, you can't ignore David Chaum's DigiCash (now gone, but purchased by eCash, which is now gone, but purchased by...), whose main fault, I guess, was that the world lacked a world wide web to enable them (I remember some early versions of his software being ftp:able with source). Wired has had a number of stories on DigiCash, so you might as well point your search engine at and "DigiCash".

Combining the above two, who knows what the limits are?

Related links, revisited, posted 27 Jun 2003 at 00:11 UTC by vinsci » (Master)

Rather than a oneline commentary on Gesell's book, why not read some short reviews at published references to Gesell, including the full quotes from Keynes in his book General Theory of Employment, Interest and Money (1936):

"Gesell's main book is written in cool, scientific language; though it is suffused throughout by a more passionate, a more emotional devotion to social justice than some think decent in a scientist. The purpose of the book may be described as the establishment of an anti-Marxian socialism, a reaction against laissez-faire built on theoretical foundations totally unlike those of Marx in being based on an unfettering of competition instead of its abolition . . . I believe that the future will learn more from the spirit of Gesell than from that of Marx. The preface to The Natural Economic Order will indicate to the reader the moral quality of Gesell. The answer to Marxism is, I think, to be found along the lines of this preface." (p. 355).

"The idea behind Gesell's stamped money is sound." (p.357).

You'd also want to read Stamp Scrip by Irving Fisher, LL.D. (Professor of Economics, Yale University). Chapter 4, The first experiments abroad, might make you think. Again the full book is online.

Some quotes by Irving Fisher:

Booms and Depressions (1933) p.142:

"If only buying could be started first, business borrowing would follow. For this purpose (of directly stimulating the buyers), a unique 'stamped dollar' plan has been devised - a sort of tax on hoarding. This plan did not come to my attention until after this book had been finished. The plan offers the most efficient method of controlling hoarding and probably the speediest way out of the depression."

Stable Money (1934) pp. 9, 11:

"One of the most interesting examples of monetary manipulation is to be found in the silver "Bracteates" of central Europe between 1150 and 1350 . . . Recoinage was periodical . . . A ruler would call in all outstanding coins twice or three times a year and exchange them for new ones after deducting a seignorage fee of about 25 % . . . It is said that trade, handicrafts and the arts received a stimulus from the eagerness of the people to get rid of their money . . ."

"This first example of something akin to velocity control is of particular interest in the history of stabilisation. After the bracteates had disappeared about 1350, this principle was forgotten until it reappeared definitely in the writing of Silvio Gesell. After his death velocity control was in some instances applied in the form of Stamp Scrip during 1931 - 33 in Germany, Austria and the United States."

Stamp Scrip (1933) p.67:

"There are some of us who believe Stamp Scrip to be more than a temporary auxiliary currency for the present emergency, believing that if its volume and stamp intervals were regulated according to various conditions, it would be the best regulator of monetary speed. which is the most baffling factor in stabilising the price level."

Chaum's stuff, posted 27 Jun 2003 at 13:58 UTC by Omnifarious » (Journeyer)

The main problem with Chaum's stuff is that it is patented. All the companies that had it tried to use it for basically the same purpose. Those same algorithms could be repurposed to other things that would be more wildly popular and provide a base from which e-money could grow. But, that won't happen until the patents expire.

Software patents retard innovation.

Wow, posted 29 Jun 2003 at 01:56 UTC by DeepNorth » (Journeyer)

I am positively humbled by the quality of the replies to this rather modest post. Thanks to all of you.

I should note that 'variations on a theme' includes all of the common security features of real bank notes as well as more elaborate coding. I did not want to complicate the idea with complicated explanations of multiple keys, error correcting code, etc. In a real currency, one would have to create the kind of hardy bills that we currently circulate, the 'uniqueness factors' would have to be well chosen and the techniques similar to those used in RAID would have to be used for redundancy and error correction.

One person commented that the bill would degrade rapidly and have to be replaced. This is true of the plain paper bill, but the only purpose of the plain paper bill is to prove the relative simplicity of the scheme for production versus the extreme difficulty of producing a passable counterfeit. Remember that a 'checking' machine available to one individual is only capable of doing a single check on a bill with multiple checkpoints.

The problem this protocol is attempting to address is the extreme lengths to which forgers have gone to produce counterfeit bills. In some cases, the mints themselves have a very hard time making the distinction. This protocol can make it impossible to produce a forgery without collusion with the actual mint. Even with collusion at the mint, it would be extremely difficult given the fact that bills are produced with modern papers, inks, embedded fibres, holographs, etc, and that checkpoint features are chosen from randomly distributed features. The real key here is that to produce a real passable fake you need to be able to produce a high quality forgery AND find all the public keys and their corresponding checkpoints AND somehow divine the private keys. Doable, I suppose, but much, much more difficult than current forgery.

Although I made the post for the amusement of geeks, it is still serious business. Counterfeit bills have become a major nuisance, at least in Canada.

Again, thanks for all the thoughtful replies. Especially the slight 'red herring' bits that have added to my education.

This is a very thoughtful community in more ways than one. I squawked a bit at the trust metric, but it appears to have done its job remarkably well and is more than worth the trouble.

re-issuing bills, posted 30 Jun 2003 at 09:33 UTC by lkcl » (Master)

1) keep a digital copy of the original bill's "image".

2) if the original bill becomes dirty, disfigured, and impossible to verify by machine, approach the mint and ask them to manually verify the bill.

presumably they will have better techniques for validation of the bill against its original image?

maybe not!!!

3) re-issue a reprint of a bill with a digital signature of the bill it replaces.

4) make a better "validation" system that covers "areas" of the bill, where such areas are OVERLAPPING, and has dozens, if not hundreds, of separate checksums (one per area).

then, relax the criteria a bit such that at least 50% of the PK-signed checksums need to pass.

YES there DO exist public key systems that require "n out of m" parties to agree.

i can't remember the name of such PK systems but i am sure someone else here has.

note tracking, posted 30 Jun 2003 at 09:37 UTC by lkcl » (Master)

note tracking would actually, IMO, have the effect of devaluing a currency!

people would lose confidence in the currency in the perception that if it's trackeable, so are they!

cash is CASH. untraceable for your everyday dodgy financial transactions such as paying CASH so the recipient can choose whether to avoid paying taxes. paying CASH so that they can remain anonymous about what they are paying for.

do you know _anyone_ who buys drugs with anything other than a stolen credit card??? :)

Check out Ben Laurie's Lucre, posted 2 Jul 2003 at 01:12 UTC by fen » (Journeyer)

From the anon CVS home page:

lucre is an implementation (in C++ and Java) of David Wagner's Diffie-Hellman variant on Chaumian blinding. This variant is thought to be unprotected by patents, however, you use it at your own risk.

Also check out Lucrative which is "an open source digital bearer instrument system based on Ben Laurie's Lucre Project."

You mean David Wagner's Lucre, posted 20 Jul 2003 at 18:53 UTC by phr » (Journeyer)

Ben Laurie may have done an implementation but Lucre is Wagner's work.

I believe Chaum's original patent expires in 2006 anyway (I may be confused). Chaum's scheme is much more intuitive than Lucre, and the original version of Lucre had a security flaw, but I think it's been fixed.

I agree with the other posters who said that keeping the signatures verifiable as the bill gets worn and dirty, while still making the bill hard to counterfeit, is pretty much impossible.

New Advogato Features

New HTML Parser: The long-awaited libxml2 based HTML parser code is live. It needs further work but already handles most markup better than the original parser.

Keep up with the latest Advogato features by reading the Advogato status blog.

If you're a C programmer with some spare time, take a look at the mod_virgule project page and help us with one of the tasks on the ToDo list!

Share this page