394 comments

[ 2.9 ms ] story [ 322 ms ] thread
Hi folks, I’m one of the contributors at Kong — https://kong.cash/. Kong is a physical cryptocurrency that looks, feels and works like traditional cash. You can think of it as an ultra-secure, time locked cryptocurrency wallet with a fixed face value — no one can access the token except for the holder of the note after a period of several years. It consists of a secure element and NFC chips mounted on a flexible PCB with a full color print. There are several gold elements that also serve as direct i2c interfaces to challenge the secure element’s authenticity by signing information with its private key.

Kong is based on two primary observations; (1) it’s really difficult to use and secure cryptocurrency for most people and (2) cryptocurrency has been useful as a means of speculation, but poor for actually buying goods and services. It’s our hypothesis that by making cryptocurrency more like cash it may be possible that people ultimately use it as a means of exchange.

Our background is in secure embedded hardware (Lockitron, YC S09); over the past year we did a deep dive to really consider how cryptocurrency key material is handled today. We found that cryptocurrency has a unique challenge and corresponding opportunity; unlike IoT products where the cost of a breach might be difficult to quantify, breaking a hardware wallet can yield clear rewards to the hacker.

We developed Kong around the notion that security should be isolated to the smallest possible footprint — in the case of Kong, to an individual single purpose secure element chip. Doing so removes additional layers of firmware and software in order to limit the attack surface (it also broadly questions how good are our existing secure chips today).

To date we’ve handed out close to 2,500 Kong notes; we’re now exploring more ways to distribute physical crypto. Take a look at https://ipfs.io/ipfs/QmRNRCocj4PwKMXrd1jeUGw7ASQSuEk7BDJu5Ks... for an in-depth technical overview.

> with a fixed face value

So how does a transaction work? Do I exchange a 500 kong note for a 10 kong item and 490 kong worth of notes?

Just like cash.

So if you use a 500 Kong note to someone for a 10 Kong item, they will have to make 490 Kong in change. 4x 100 Kong notes, 1x 50 Kong note and 2x 20 Kong notes...etc.

(comment deleted)
How do you expect to get this into the market? And what market do you expect to get this into?

Cash has an inherent agreement as to locality. When I'm in Australia, I use Australian dollars, when in the US, they have US dollars.

Though you may be solving this problem, I can use Kong everywhere, you need to somehow seed the market. How do you see that happening?

As you state, crypto is mostly a store of value atm. The benefit of not having physical crypto is that, in theory, I can trade my crypto for goods anywhere in the world. How will having a physical currency solve for this?

I went to my corner store at about 10:30 a few weeks ago to pick up a late dinner. I took out cash to pay, and the guy behind the register had already entered my purchase into his FPOS (credit card) machine. He looked at me and said "wow...old school. First time I've seen cash all day". You clearly feel that you are not fighting against a dying mode of payment, what makes you believe that? Or is there a piece I am missing?

I use almost exclusively cash and never get that response. Usually a smile as I sail out of the cashiers way faster than our abrtion of a chip+pin system customers possibly could. What part of the world are you in?
Much of the world has contactless payment (no pin, no physical card insertion).

It is more or less instant. Common in .au, .nz at least.

I'm actually noticing some cultural changes as a result of this, cash is starting to seem "dirty" since you often have to touch other people's hands to exchange it.

Pay with a card at a busy bar in the UK 15 years ago and everyone would sigh as the barman reached for the card terminal, did his thing, waited for you to type in your pin, etc etc. Paying with cash was far quicker.

Pay with cash at a bar now and everyone will sigh as the barman counts it up, puts it in the till etc etc. Contactless is so fast, the barman will be pouring the next drinks while you're tapping the machine.

Also anecdotally, many London cafes/restaurants are entirely card payments now. They just don't do cash.

Yeah I’m in NYC and I find it frustrating when people force a bartender to deal with cash at a busy spot.
Can they even not accept cash? It’s legal tender anywhere in the UK right?
Of course, why wouldn't they?
Because bills and cash are the cornerstone of all in-person payments? I honestly have a hard time imagining it as a secondary form of payment.
People are allowed to refuse cash for goods and services whenever they want for pretty much any reason other than discriminating against a protected class of people, including not wanting to handle cash as a form of payment. Amongst other things, this allows ecommerce to exist.

The legal tender laws just mean that if you offer a sufficient quantity of legal tender in settlement of debt, your debt is discharged and they can't sue you for non-payment. This ensures cash has value, and means that most shops will take most forms of cash, even if it means queueing up for counter service because the kiosks are card only

Legal tender is only required to be accepted for debts already incurred.

For instance, if you are at the bar and they pour you 3 drinks then ask for payment, they have to take your cash.

On the other hand if you are at the bar and, ask for a drink, and they say that'll be $10, they are not required to take your cash (the debt has yet to be incurred) and are also of course not required to provide you that drink if you pull out a $10 bill.

Not OP, but I can vouch that this is a common occurrence now in Australia. Contactless payment is now so ubiquitous, when you go to pay with cash it's often received with surprise. The vendor has indeed already readied the EFTPOS machine for your payment, and has to cancel that and put the transaction through as cash.

Only last year I always carried cash. I like cash. Now, I have a $10 note in my wallet and I can't even remember where it came from. I've stopped actually carrying my wallet, thanks to Apple Pay on my watch.

(I live in a major metropolitan area. It might be different elsewhere.)

Yesterday I bought coffee in a place that doesn't accept cash. Tapping a card is always faster than paying cash in my experience.
I'm in Australia, so we just have tap, only need to enter a pin for large purchases.

I just spent a few months in the US and didn't use cash once (LA, SF, NYC).

I went to many places that no longer accepted cash in the US, maybe we're just in different areas.

I don't understand any of this.
Admitting that is often a good start
It’s incumbent upon everyone here to consider how powerful that can be for the people who’re trying to sell Kong.
I'll try to sum it up: Kong notes are electronic devices which allow whoever has access to them to use a smart contract which after a given date can retrieve a given amount of cryptocurrency. They hold a key which allows them to operate on this smart contract, but don't reveal it, and are designed to be physically impractical to tamper with (https://en.wikipedia.org/wiki/Secure_cryptoprocessor).
(comment deleted)
This doesn't make any sense. Can only preordained organizations print the notes? Then we’re back to centralized cash. Can anyone print the notes? Then they can also print duplicates. Do we verify electronically when we transact to prevent that? Then we're back to electronic transactions.

What am I missing? How is this not fatally flawed?

Today, Kong's printing is centralized to the Kong project (similar to a premine) because we cannot guarantee that someone else will use a secure element which conforms to section 2 of the paper (which would preclude the creation of duplicates). If anyone else wants to print Kong, and we can verify they source a secure element conforming to section 2 of the paper, then we'll share "printing rights" with them. The Kong recurring lockdrop, section 4.2, is outside of our control and open to anyone.

We start to explore how someone could participate in printing Kong freely, without our influence, in section 5.1 but there are massive unsolved challenges to tackle here.

There is a significant distinction between verifying a note electronically and conducting an electronic transaction. The former can be done in an offline fashion; the latter cannot and, in the case of credit card networks, Ethereum and, Bitcoin, incurs a fee.

Is this not strictly worse than cash, then? It’s still a centralized physical currency, but instead of a government with checks and balances that is ostensibly accountable to its citizens, Kong is controlled by an opaque organization accountable to nobody.

After reading the paper, I’m still not exactly sure how the lockdrop works. Could you elaborate on it?

As for verifying transactions offline, I’m skeptical of how useful that is. If you can lock down printing, the supply of fake or duplicate Kong should be low anyway. If you decentralize printing (or a lot of counterfeit/duplicate Kong gets introduced into the market some other way) then offline verification seems insufficient. What’s to stop me from printing and spending two copies of a note if I know the other parties won’t veriify the transaction online until much later?

We can only print Kong; we cannot remove it from circulation. We're limited in the total amount of Kong we can print.

We likely will need to have another document detailing how the lock drop works. The short version is that you lock up Ethereum in a smart contract for between 30 and 365 days; when you prove that fact to a given Kong lock drop contract instance you receive Kong token (at the end of the period).

> If you decentralize printing (or a lot of counterfeit/duplicate Kong gets introduced into the market some other way) then offline verification seems insufficient. What’s to stop me from printing and spending two copies of a note if I know the other parties won’t certify the transaction online until much later?

Here's how I see offline verification working:

(1) I sync up directly with an Ethereum node and cache all the Kong note smart contracts (ideally my own would be the most trustworthy). Most importantly this contains the public key for each Kong note known at the time and the token associated with that note (2) I accept any notes that I can electronically verify from that cache. That's done by challenging the note to sign a message and verifying the response. (3) I don't accept any notes not in my cache. The downside is that I can't accept very new notes, but we suspect that if we continue to produce Kong that we'll do so in large batches infrequently.

> We can only print Kong; we cannot remove it from circulation.

This isn't strictly true; you can buy notes from people.

> We likely will need to have another document detailing how the lock drop works. The short version is that you lock up Ethereum in a smart contract for between 30 and 365 days; when you prove that fact to a given Kong lock drop contract instance you receive Kong token (at the end of the period).

It sounds like the basic idea is that you "preorder" Kong with Ethereum, and then you visit a physical location (the "contract instance") to receive your cash ("Kong token"). If my understanding is correct, then this isn't outside of your control at all — you (or the "contract instance") can simply refuse to issue the cash.

Re: verification, here's my issue:

> Most importantly this contains the public key for each Kong note known at the time and the token associated with that note

What if someone counterfeits Kong not by wholesale faking currency, but by duplicating valid notes in circulation? The public key would be the same, so they would both pass offline verification.

> This isn't strictly true; you can buy notes from people.

Haha, sure.

> It sounds like the basic idea is that you "preorder" Kong with Ethereum, and then you visit a physical location (the "contract instance") to receive your cash ("Kong token"). If my understanding is correct, then this isn't outside of your control at all — you (or the "contract instance") can simply refuse to issue the cash.

Nope, it's in a smart contract that can be deployed into perpetuity.

> What if someone counterfeits Kong not by wholesale faking currency, but by duplicating valid notes in circulation? The public key would be the same, so they would both pass offline verification.

Section 2 in the paper explains how difficult this would be do. You need to duplicate the private key from a secure chip designed not to reveal the private key.

> Nope, it's in a smart contract that can be deployed into perpetuity.

But I would be receiving a physical object, correct? Which means one of the following must happen:

- you give me notes in a manner that is not controlled by you (e.g. in the mail) assuming I'll fulfill the contract in good faith

- you give me notes in a manner that is controlled by you (e.g. at a bank-like location) to prevent theft

- we introduce an oracle (i.e. centralization in a third party)

> You need to duplicate the private key from a secure chip designed not to reveal the private key.

Yeah, this is an example of a problem that becomes much more likely if you share "printing rights".

Ultimately, I remain unconvinced — this is as proposed today a centralized currency that is almost strictly worse than a government currency, with the possibility of new drawbacks were printing ever to become decentralized.

> But I would be receiving a physical object, correct?

Incorrect. The lockdrop is for completely virtual Kong token.

> Yeah, this is an example of a problem that becomes much more likely if you share "printing rights".

Correct, as elucidated above. Likewise each Kong self generates its own private key by design, as outlined in section 2 of the paper. By design, the key is non-extractable.

> Ultimately, I remain unconvinced — this is as proposed today a centralized currency that is almost strictly worse than a government currency

We can't inflate Kong infinitely unlike every other paper fiat currency. We can only print Kong for four years. After that the only digital Kong produced is via lockdrop.

> We can't inflate Kong infinitely unlike every other paper fiat currency. We can only print Kong for four years. After that the only digital Kong produced is via lockdrop.

So what? As soon as you share printing rights the other party can. So can anyone else who has the private key. Not even by minting new Kong but by physically duplicating existing Kong. That's a much bigger problem than a well controlled 2% rate of inflation.

> but instead of a government with checks and balances that is ostensibly accountable to its citizens

what government is this and can I vote my face onto their currency?

(comment deleted)
Government with what? Hahaha!
(comment deleted)
It's a zero coupon bearer bond, that's all. With some very elaborate anti forgery. Nothing wrong with an organization printing bonds, it's just that these aren't a debt but represent locked up economically inactive etherum.
This might sway me if they didn't repeatedly refer to it as "cash" on their website.
There's a distinction that Kong is not payable on demand, until after expiry, but I'm not sure it's a useful distinction. Unlike a conventional bond, there isn't a question of default by the issuer; the Etherium is locked up in a smart contract, rather than relying on the issuer honouring the bond at maturation.

Rarely do users of cash care about the property of it being payable on demand by the issuer (conventionally a central bank), only the property that it be practical for physical commerce.

Here the risk is that the note becomes physically damaged in some trivial way and the value is lost forever. Maybe it's bent too far over in one direction, maybe something heavy falls on it, etc, etc.
That physical cash can become damaged is nothing new. Maybe this implementation could be easily damaged in some way, I don't think this threatens the concept of silicon cash generally.
Physical cash is both very resilient and if damaged can be replaced. This is neither.
The notes are more durable than linen currency and less durable than polymer currency. We found this to be an acceptable tradeoff. Most of the note can be destroyed but the funds still claimable. There is an envelope of durability properties associated with physical cash - Kong fits within most of these. Of course there is opportunity for improvement which we hope to address in future versions.
I'm not sure what you're making that assertion on the basis of. The note has redundant electrical connectors. You could melt the bulk of the note down and still claim the Etherium from the secure element. Hypothetically you could have redundant SEs.
What's the value of 1 Kong in USD, showing that would be helpful on your website front page.
Kong is very new. Only a few thousand are out there. Frustratingly, or perhaps amusingly, it doesn't yet have an agreed upon value. I don't think it's appropriate for us to set one.
Uh, well, then how do you know what denominations to print? What if the exchange rate ends up by 10,000 Kong per dollar? Are you going to issue Zimbabwe-style bills? What about as the exchange rate fluctuates wildly?
Lol, might as well use monopoly money then.
Which "secure computing element" are you using?
From the description I suspect it's a standard smartcard chip of the type used in SIM, EMV, and other access control/authentication cards.
A user accepting these "verifies" them by assuming that two properties hold if they connect over NFC or via pogo pins to the "gold elements", send a challenge over this connection, and receive in response the challenge signed with a public key associated with locked Kong tokens.

1. the relevant private key is known to only a Kong note's secure element. this is (hopefully) enforced by the secure element's, uh, security, and by the issuer.

2. the relevant private key is known to the secure element on the specific physical Kong note the user has been given.

2 is unenforced in your current design, from what I can see. A crafted note can relay all communication to the secure element of another note (e.g. over low-power RF from a single-use battery or small ultracapacitor).

better, a "dead" Kong note which performs no NFC communication can be given to a merchant; then, a high-power NFC transceiver can be used to pretend to be the note wirelessly (from a handful of meters away, but in a lot of situations that's more than enough). Of course, this one only works if the verifier is using NFC, but... This one is particularly nasty because it's relatively straightforwards to "weaponise" - imagine buying a "kit" off AliExpress which contains fifty dead notes, a ProxMark, and an amplified antenna. Then, in any situation where you're close enough to the person who'll be verifying your notes... just give them a dead one and relay communications. Verification passes, but what the merchant ends up putting in their cash drawer is worthless.

Is it more risky than getting a fake cash from someone? Is it difficult to validate NFC with say...your phone (make sure the NFC signal changes when you bring it close to your phone)?

For 2) I get the part about relaying communication but regardless of that, what makes you think any sort of communication will cause it to output the private key? As far as high powered NFC, I am not sure that would work to begin with (someone who knows radio explained it to me but I cannot recall) but even if it did how is it different than existing mobile phone NFC payment?

You also gotta keep in mind,this is in-person. If someone defrauds you, they face several risks including law enforcement,legal,phsyical altercation(violence) and more.

Better would be nice but I can live with "as good as cash" or "as good as mobile nfc payment" when it comes to security.

Are there any solutions to the relay attack you describe?

Perhaps by having the secure element "lock" and "unlock" each time the note changes hands, so that an attacker who uses a a relay will still have his note locked in a way that makes it useless unless he gives it to the recipient to unlock?

Depending on how much jitter there is in the time it takes to countersign the challenge, RTT might be one way.
Put a bit more "N" in their NFC. They can be tuned to work from millimeters to meters.
You could fix 2 by having a verifier that puts the note in a Faraday cage. While that's more work than just scanning with your phone it could still be cheap and worth it if you were receiving a lot of notes.
This specific man in the middle attack is risky in that it requires very close range, face to face interaction with your target, a fairly unreliable chance of success, and may only work on one of the four validation mechanisms. If effective the money is unlikely to propagate much further as the next user will fail to validate.
Hi,

I love this. I have been wanting something like this for a while. Personally, I desired a coin instead of a bill. 2-3CM thick coin made with material good for radio security and longevity would be neat. A phsyical 'coin'. Any plans for something like that? Any reasoning against it?

> To date we’ve handed out close to 2,500 Kong notes; we’re now exploring more ways to distribute physical crypto.

Are you in a non extradition treaty country? This could be a relevant question for you soon enough

How does this work? Is the first 2,500 part of your own ICO?
There is no ICO.

We're selling packs of Kong in a limited fashion to cover the costs of manufacturing the hardware. We have a limited number of units available so we're slowly opening up sales to our mailing list.

Take a look at sections 4.2 and 4.3 of the paper for information on our lockdrop; this is the only other way to get Kong token. Lockdrops are a novel means of distributing token based on opportunity cost rather than selling the token.

I'm impatient. Take my money now!
Just to clarify, that means that I would need to 1.) purchase some packs of Kong, which are unloaded, and then 2.) participate in a lockdrop to gain the tokens with which to load the Kong? Seems fine and dandy wrt the acquisition of bills, but how will adoption by vendors happen?
I fail to see how this solves a usability issue in developed nations. This also reintroduces the portability problems that are present in current fiat.
Japan is a fairly cash heavy developed nation. Likewise, the majority transactions under $25 in many countries are still conducted using cash. We don't necessarily expect people to revert to using cash; rather, Kong is a means of handling cryptocurrency that's vastly easier to understand as an introduction to cryptocurrency.

The usability problems are also a feature -- if Kong is burned, stolen or otherwise destroyed, the value is lost forever. Billions of people understand that's how cash functions and they take measures to secure it.

I'm curious, have you tried passing an airport border security with several of these notes, and have you been asked what they are :)? Do you have to declare them?
Yes, they look like a bunch of circuit boards under X-Ray, it's pretty cool. We've travelled with "unloaded" Kong thus far (i.e. not backed by token). See section 4.1 on minting in the paper.

Even so, we're unaware of any value to the Kong token independent from Kong notes and we are not taking steps to list it on exchanges. If Kong was to become a means of exchange somewhere then it might need to be declared as a monetary instrument depending on the jurisdiction.

How do they hold up in a saltwater environment? My feitan/yubikey U2F physical tokens are developing rust/corrosion just being on my keychain and being thrown in a drawer on my boat for a couple hours at a time. I2C leads + saltwater environment seems like it may cause some problems.
I doubt this version would hold up well in a salt water environment. The chips will ultimately have a conformal coating leaving only gold contacts which should fare better.

We have considered more robust variants that would fully seal all the components, but this is a v2 problem.

I should add that even a corroded chip should ultimately still be accessible; you might have to pull it off of the bill and decap it.

Do v1 people just not get to redeem their value in x years since they become unreadable?
The secure element chip is pretty robust on its own. Even if most of the bill is destroyed, it will be possible to communicate with the chip in most cases.
If the private key is inside of the note and stays the same when it changes hands, how do I know you did not make a copy of it when you created the note?
Another contributor here. This is one of the novel advancements made by Kong.

Specifically, Kong notes use a secure element which 1) self-generates a key pair 2) can attest the key pair was self-generated and 3) does not leak the private portion of that key pair. Section 2 of the paper (specifically 2.2) goes into more detail[1].

[1] https://ipfs.io/ipfs/QmRNRCocj4PwKMXrd1jeUGw7ASQSuEk7BDJu5Ks...

So your answer is "trust us". Because how would I know if the claims of the hardware manufacturer (you or your supplier) are true?

This of course holds true for all hardware. When someone creates or stores a Bitcoin key on a laptop, they are at the mercy of the laptop manufacturer.

There is also a private key inside simcard, and debit cards. Good luck fetching it. I mean, you can technically do this, but it would be really hard.
Yes -- see section 2.3 in the paper linked for our discussion on this. The chips you're referring to are broadly considered to be "smart cards" and usually based on something like Java Card.
Poe's Law is a hell of a thing... Is this for real?
I'm with you. The satire signals are so strong here.
So you can't backup Kong.cash? That's one main benefit of digital currency, why go backwards towards physical cash? Instead you should go towards the Wechat model of instant mobile payments.
We looked at various financial instruments and saw that cryptocurrency space lacked a cash instrument. We realized with our background we could create one.

Cash is the dominant form of consumer payments (77% world wide!) and the move to ban cash in various places disproportionately affects the underserved and marginalized members of society - ostensibly the audience cryptocurrency is trying to serve first. This is an effort to meet others with terms and technology they are comfortable and familiar with.

Is Kong stabilized/a stablecoin or is it a commodity-style asset?
No, there is nothing backing the Kong token. See section 4 in the paper for more of a discussion on the token issuance.

We considered various stablecoin constructions, but most of them effectively pin to fiat which (1) seems to defeat the original intent of cryptocurrencies (i.e. think back to 2009) as not subject to the whims of central banks and (2) seems to just duplicate fiat currencies in a more expensive format.

Likewise we are doubtful that most folks holding BTC/ETH/etc. would actually be willing to spend it on something, vs. just continue to hodl in a cooler format.

You mentioned two stablecoin methods, but not the interesting and somewhat successful MakerDAO approach. What do you think about that?
FYI: Your website is broken on the latest Firefox with uBlock Origin and Privacy Badger.

The email 'request access' thing doesn't work

Odd - working for me on Firefox with those plugins. What error are you getting?
This seems like a step in the wrong direction. Given the option, most people prefer not to use cash. Making me carry something around everywhere I go to be able to use it -- I don't see myself being more inclined to use it.

Potentially more people will accept it. But I doubt it.

Not sure if this is a common problem but their contact link just dumps you to the gmail 'about' page.
It's a "mailto" link, so it just opens up your default email app.
Cool! What is the cost to produce each note today, and how do you anticipate funding that longterm?
They're literally printing money, if people actually buy it I don't think funding will be the problem!

(I could be wrong but from skimming their technical spec it doesn't seem to be redeemable for anything other than digital Kong tokens)

Just a bit more expensive than the higher end notes produced by Switzerland/Australia and less expensive than limited edition postage stamps.

We looked at existing hardware wallets like trezor and ledger and realized we could create something like this for 1/20th the price. Once we realized the numbers we were playing with we ran with it. Conceptually, I prefer validating something with a cryptographic signing operations rather than looking at some watermarks.

Kong is a proof of concept but we could always print these for other governments.

OK, but how much is that? I don't see the point in being vague about it.
I'm sure it mentioned somewhere in the range of $3 per bill, but I can't find it now.

It's utterly impossible to sustain, it's highly likely that the physical cost could be higher than the face value

This seems like a VERY cool technical solution in a desperate and fruitless search of a problem.

> They consist of a flexible circuit board, specialized secure element chips and an independent NFC interface capable of powering the secure element. Each secure element stores an internally-generated ECDSA key pair that is associated with a unique smart contract on the Ethereum blockchain

Who wants bills that cost $3 ea, and are not likely to survive a wash?

> flexible circuit board

FPC != "meant to be constantly flexed". Most are not designed for a certain (not small) bend radius and to be bent no more than a dozen times. They are more meant to be curved once into a particular shape than to be constantly bent.

> I2C, raspberry pi connector

That will do great with dry pockets and ESD

> raspberry pi connector

tiny holes, so your notes can catch on your keys and any other thin sharp object in your pocket

> Who wants bills that ... are not likely to survive a wash?

Americans are already used to this.

I have washed $20 bills in my washing machine (by accident) a number of times with no ill effect
American bills are made out of linen. They wash just fine.
Glad you think it's cool, given your background that comment means a lot to me personally.

I would contend it's not "in search of a problem" but trying to solve one. Specifically the usability nightmare that is cryptocurrency. Cash has tradeoffs but it has great usability properties. The space needs rebalancing in that direction.

Linen notes last about 4,000 bends before breaking, FPC lasts about 6,000. The stuff thats critical to validation is not in the 'bendy bit' pathway.

Did some ESD testing but the NFC chip bears most of the brunt here and not the secure element. Likewise the tiny holes dont bug me so much as the QF Packaging. Want to go slimmer in our next revision.

> the usability nightmare that is cryptocurrency

yup. with you so far

> FPC lasts about 6,000

But, how tests are done differs from what bills face: Large curve radius, slow curving, nothing sharp poking at it in the middle. Basically the opposite of what is going on in tight pockets/purses.

> NFC chip bears most of the brunt here and not the secure element.

Unless the dielectric over your secure element is some previously unknown type, a few kilovolts will arc right through it and hit your secure element.

The 6,000 number is creasing the kapton 180º over the course of half a second with the 6mm curve radius. Copper breaks but not the lines critical for validation.

Our goal wasn't to make this thing indestructible, it was to figure out where the bar was for "good enough".

USD benchmarks are roughly:

    4000 folds
    2 years lifetime (low denomination)
    8 years lifetime (high denomination)
    30 transactions before decirculation
For Kong we aimed for:

    6000 folds
    10 years lifetime
    unknown number of transactions before decirculation. (Unknowable)
    Survives a wash
I think it's sufficient for what Kong is now but we have ideas for improvement and I would love here yours. Specifically anything we could do on the ESD side.

We've met before years ago but if you would like to get some to play with please email me.

(comment deleted)
Why limit the bill faces to Western philosophers? Seems like a more international approach is appropriate for both end-user adoption and the crypto space in general. Edit: or are they all Greek gods?
I understand many people here, and in the world, don't like cash anymore. But there are many others, like me, that still think that physical money gives them a better feeling of their spending. So in my eyes Kong is a really nice take on the cash technology, not to mention it's beautifully executed.
So why not just use regular cash?
Because "regular cash" requires trust and that trust has been routinely violated by various governments of the world so I would rather have trustless currency instead.

I trust math, science and verified algorithms rather than people or governments.

No amount of math, science, and verified algorithms are going to make someone else value your digital currency... you are still having to trust other people to maintain a somewhat stable value of the asset.

Since this is always going to be true, I am probably going to go with the best bets based on track record... I will use the currencies that have held pretty consistent value over the last 100 years.

I think the big point to get here is that having digital crypto vs physical crypto is not mutually exclusive.
Governments do not like this. See: Liberty Dollar
So physical Kong notes collateralized by ... digital Kong tokens? Don’t see how that could possibly go wrong. It’s Kong tokens all the way down.
I’ll tell you what, it looks really awesome. Kudos to the designers.
So in theoretical use, is everyone expected to validate authenticity of each note exchanged?

That seems painful for small transactions, but without it you lose absolutely all the security benefits of crypto, right? (e.g. vulnerable to good old fashioned counterfeiting)

Just do it like we do it in the US, $50s and $100s get checked consistently for counterfeits, $20s sometimes, $1s, $5s, and $10s never, and $2s are automatically assumed to be fake.
Yeah but what the hell is a Kong worth at the moment of sale?

Unless the price is listed in this particular crypto people will have to do a live conversion to even know what this space cash is even worth.

Also, very funny (and accurate) about the $2

A Kong is worth what I think it's worth. If I saw Kongs trading for 1 beer in the morning and some guy insisted that the rate was now 1.45 Kongs a beer in the evening I might object.
Yeah for sure, especially since there apparently aren’t partial Kongs.
>$2s are automatically assumed to be fake

Steve Wozniak used to keep uncut sheets of $2 bills that he perforated and would tear off to give tips to people. He has a great story about secret service agents detaining him and accepting his fake ID ("Laser Safety Officer" - it showed him with an eyepatch on) and generally having no idea $2 existed.

https://www.coinbooks.org/esylum_v18n36a40.html

Why are $2's assumed fake?
They are so rarely encountered than many people don't think that they are a denomination actually issued.
Correct, they aren't issued by anyone but cool grandpas and uncles in my experience.
You must not live in a state where pot is legal; in such places $2 bills floating around everywhere, I use them all the time. The reason: cash businesses use them heavily to reduce the amount of physical cash they need to maintain and move around. Pot shops occupy a gray area legally and banks don't like to deal with them so they often operate old school: cash businesses.

I have a few in my wallet most of the time, like to use them for tips when I eat out.

I use Twos all the time. I have never had it checked, or assumed fake.
Does this mean someone needs to verify every banknote handed over to them? If not, what's to stop me giving people unloaded notes and them assuming they have face-value?
The imagined usability is like cash. Low denominations notes are glanced at to sure they're intact, high denomination notes are scrutinized more closely. The difference is one can validate these notes with a cryptographic operation rather than a highlighter.
Online validation dissolves you’re anonymity value proposition instantly.

Bank notes are recognized as a financial instrument by the government, and have the accompanying legal repercussions to counterfeiting. I expect no such strictness being applied to a private digital token, what exactly de-incentivized someone from going crazy counterfeiting notes? Especially considering their transactions would be anonymous too?

You could cache a list of existing notes directly from an Ethereum node for offline verification; this cached information would work for verification until the claim date in the smart contract.

Correct, there is no secret service that will remove counterfeit Kong which is why you should verify it yourself or only accept it from parties you trust and have attested to previously verifying it. Habits around verification would likely be governed by the prevalence of counterfeits in a local money supply. If I hear about a bunch of 1 Kong notes failing to verify as counterfeit, then I'll likely verify every 1 Kong note before acceptance.

So once the time lock or whatever expires, I'm free to extract the value from my Kong and then go double-spend the physical bills in a corner store? In the hypothetical world where people use this, how are they expected to validate every note they receive?

Is there an equivalent to a starch pen like a suspicious cashier might use on a $100 bill today? Or is the process more painful? Does it require the internet? Remembering that many cash transactions happen person-to-person, in places with low or inconvenient connectivity.

The expiration mechanic is how Swiss Francs work and we believe a necessary tradeoff for decentralized cash issuance to work.

Validation can be performed with any smartphone. Notes are issued in blocks so technically if you downloaded the 2019 Kong Registry contract you would not need connectivity to validate a note. Purpose built hardware can also be built or existing android based POS systems updated to support kong-like validation. Other anti-counterfeiting techniques have been explored but it the only thing that really matters is securing the root of trust.

Technically with Swiss Francs, the notes have no value after their "expiration date", with Kong the escrow contract unlocks and the token can be claimed off the notes but the precedent made us comfortable enough with this tradeoff.

Alternative implementation 1) notes are not escrowed and funds can be claimed off the bills immediately - this is effectively how paper wallets, java smart card wallets, and trezors work. This is a gift card instrument not a cash instrument.

Alternative implementation 2) funds are locked up into perpetuity - all tokens are eventually lost to breakage.

Our back of the envelope expectancy was 10 years for these notes. We wanted the majority to be reclaimable well before their anticipated breakage so we set a claim date relatively soon in the future.

More importantly: you keep people trapped in your walled garden for several years waiting until they can cash out.
Why would drug cartels prefer this over existing cash?

I'm phrasing the question facetiously but the underlying intent is there: how is there more anonymity, usability, etc.?

We're not interested in doing business with drug cartels.

What is a lovely property of Kong is the only digital breadcrumb is leaves is when notes are loaded at creation and unloaded at de-circulation. Every person to person transaction of the instrument leaves no digital record or footprint. Usability is superior for new users - everyone understands how cash works.

> Every person to person transaction of the instrument leaves no digital record or footprint

That's true of cash as well, but that doesn't mean it's totally untraceable, as bills still have serial numbers. I think what GP is getting at is, Kong notes must completely lack any sort of persistent unique identifier in order to be an improvement over cash in anonymity. Can Kong make this claim?

>What is a lovely property of Kong is the only digital breadcrumb is leaves is when notes are loaded at creation and unloaded at de-circulation. Every person to person transaction of the instrument leaves no digital record or footprint.

What problem does that solve for me though? What benefit does that afford me? Why does that matter to me?

Except that real cash, in comparison, has no digital footprints. Why the hell wouldn't I just use cash?
In your paper, why you acknowledge people by their name but you don't disclose your names?
I really like the concept of physical electronic cash, but in practice nobody has figured out how to make it work.

There are many attacks to consider. The most obvious is to obtain the private key. If you did so, you could give the note to someone else in an environment lacking network access. This would enable double-spending - the main problem Bitcoin solves.

The attack can range in complexity from breaking into the secure element to physically separating the element from the note. The latter approach was used way back to pull private keys from Casascius coins by dissolving the adhesive on the security sticker.

I suspect not all of these kinds of attacks have been considered by the creators.

If it becomes necessary to verify Kong with a network connection, the main value proposition disappears. That can be done already without a physical note.

We have considered both of those attacks and address them in section 2.2 and 3.2 of the white paper respectively[1]. The short version is the key extraction attacks on this specific hardened chip are more expensive than the value they escrow, and in the event a key was extracted it creates a race condition at the period of claim not during the lifetime of its use - still providing some utility. What Kong does that Casascius didn't is provide guarantees that the minter never saw the private key.

[1] https://ipfs.io/ipfs/QmRNRCocj4PwKMXrd1jeUGw7ASQSuEk7BDJu5Ks...

> in the event a key was extracted it creates a race condition at the period of claim not during the lifetime of its use - still providing some utility.

So say the key was extracted, you would not be aware until the "maturity" or whatever time you can claim the real value?

How would one then know and trust that the note I'm holding on to won't be claimed by someone else at the period of claim? As far as I see it my best option would be to try and offload any Kong in my possession as soon as possible for real goods or other currency.

I haven't read the paper (yet), but from I read down-thread Kong is keeping reserves for the notes which can be redeemed later.

Wouldn't this mean that if the notes are destroyed the value of the other notes would increase?

Why would you suspect they haven't thought of simple attacks like these^? You haven't even read their paper and are already jumping to conclusions