The following is an essay originally published on Unchained.com by Dhruv Bansal, CSO and Co-founder of Unchained, the Official US Collaborative Custody Partner of Bitcoin Magazine. For more information on services offered, custody products, and the relationship between Unchained and Bitcoin Magazine, please visit our website.

Bitcoin is often compared to the internet in the 1990s, but I believe the better analogy is to the telegraph in the 1840s.[1]

The telegraph was the first technology to transmit encoded data at near-light speed over long distances. It marked the birth of the telecommunications industry. The internet, though it is bigger in scale, richer in content, and many-to-many instead of one-to-one, is fundamentally still a telecommunications technology.

Both the telegraph and the internet rely upon business models in which companies deploy capital to build a physical network and then charge users to send messages through this network. AT&T’s network has historically transmitted telegrams, telephone calls, TCP/IP packets, text messages, and now TikToks.

The transformation of society through telecom has led to greater freedoms but also greater centralization. The internet has increased the reach of millions of content creators and small businesses, but has also strengthened the grasp of companies, governments and other institutions well-positioned enough to monitor and manipulate online activity.

But bitcoin is not the end of any transformation—it’s the beginning of one. Like telecommunications, bitcoin will change both human society and daily life. Predicting the full scope of this change today is akin to imagining the internet while living in the era of the telegraph.

This series attempts to imagine this future by starting with the past. This initial article traces the history of digital currencies before bitcoin.
Only by understanding where prior projects fell short can we perceive what makes bitcoin succeed—and how it suggests a methodology for building the decentralized systems of the future.

I. Decentralized systems are markets

A central claim of this article is that bitcoin can be thought of as an adaptation of Dai’s b-money project that eliminates the freedom to create money. Just weeks after this article was originally published, new emails surfaced in which Satoshi claimed to be unfamiliar with b-money, yet admitted that bitcoin starts “from exactly that point.” In light of this new evidence, we believe this central claim, while not historically accurate, is still a meaningful and helpful way to think about the origin of bitcoin.

Satoshi was brilliant, but bitcoin didn’t come out of nowhere.

Bitcoin iterated on existing work in cryptography, distributed systems, economics, and political philosophy. The concept of proof-of-work existed long before its use in money and prior cypherpunks such as Nick Szabo, Wei Dai, & Hal Finney anticipated and influenced the design of bitcoin with projects such as bit gold, b-money, and RPOW. Consider that, by 2008, when Satoshi wrote the bitcoin white paper,[2] many of the ideas important to bitcoin had already been proposed and/or implemented:

- Digital currencies should be P2P networks
- Proof-of-work is the basis of money creation
- Money is created through an auction
- Public key cryptography is used to define ownership & transfer of coins
- Transactions are batched into blocks
- Blocks are chained together through proof-of-work
- All blocks are stored by all participants

Bitcoin leverages all these concepts, but Satoshi didn’t originate any of them.
To better understand Satoshi’s contribution, we should determine which principles of bitcoin are missing from the list.

Some obvious candidates are the finite supply of bitcoin, Nakamoto consensus, and the difficulty adjustment algorithm. But what led Satoshi to these ideas in the first place?

This article explores the history of digital currencies and makes the case that Satoshi’s focus on sound monetary policy is what led bitcoin to surmount challenges that defeated prior projects such as bit gold and b-money.

Bitcoin is often described as a decentralized or distributed system. Unfortunately, the words “decentralized” and “distributed” are frequently confused. When applied to digital systems, both terms refer to ways a monolithic application can be decomposed into a network of communicating pieces.

For our purposes, the major difference between decentralized and distributed systems is not the topology of their network diagrams, but the way they enforce rules. We take some time in the following section to compare distributed and decentralized systems and motivate the idea that robust decentralized systems are markets.

In this work, we take “distributed” to mean any system that has been broken up into many parts (often referred to as “nodes”) which must communicate, typically over a network.

Software engineers have grown adept at building globally distributed systems. The internet is composed of distributed systems collectively containing billions of nodes.
We each have a node in our pocket that both participates in and relies upon these systems.

But almost all the distributed systems we use today are governed by some central authority, typically a system administrator, company, or government that is mutually trusted by all nodes in the system.

Central authorities ensure all nodes adhere to the system’s rules and remove, repair, or punish nodes that fail to do so. They are trusted to provide coordination, resolve conflicts, and allocate shared resources. Over time, central authorities manage changes to the system, upgrading it or adding features, and ensuring that participating nodes comply with the changes.

The benefits a distributed system gains from relying upon a central authority come with costs. While the system is robust against failures of its nodes, a failure of its central authority may cause it to stop functioning overall. The ability for the central authority to unilaterally make decisions means that subverting or eliminating the central authority is sufficient to control or destroy the entire system.

Despite these trade-offs, if there is a requirement that a single party or coalition must retain central authority, or if the participants within the system are content with relying upon a central authority, then a traditional distributed system is the best solution. No blockchain, token, or similar decentralized dressing is required.

In particular, the case of a VC- or government-backed cryptocurrency, with requirements that a single party can monitor or restrict payments and freeze accounts, is the perfect use case for a traditional distributed system.

We take “decentralized” to have a stronger meaning than “distributed”: decentralized systems are a subset of distributed systems that lack any central authority.
A close synonym for “decentralized” is “peer-to-peer” (P2P).

Removing central authority confers several advantages. Decentralized systems:

- Grow quickly because they lack barriers to entry—anyone can grow the system by simply running a new node, and there is no requirement for registration or approval from the central authority.
- Are robust because there is no central authority whose failure can compromise the functioning of the system. All nodes are the same, so failures are local and the network routes around damage.
- Are difficult to capture, regulate, tax, or surveil because they lack centralized points of control for governments to subvert.

These strengths are why Satoshi chose a decentralized, peer-to-peer design for bitcoin:

“Governments are good at cutting off the heads of… centrally controlled networks like Napster, but pure P2P networks like Gnutella and Tor seem to be holding their own.” – Nakamoto, 2008

But these strengths come with corresponding weaknesses. Decentralized systems can be less efficient as each node must additionally bear responsibilities for coordination previously assumed by the central authority.

Decentralized systems are also plagued by scammy, adversarial behavior. Despite Satoshi’s nod to Gnutella, anyone who’s used a P2P file sharing program to download a file that turned out to be something gross or malicious understands the reasons that P2P file sharing never became the mainstream model for data transfer online.

Satoshi didn’t name it explicitly, but email is another decentralized system that has evaded government controls. And email is similarly notorious for spam.

The root problem, in all of these cases, is that adversarial behavior (seeding bad files, sending spam emails) is not punished, and cooperative behavior (seeding good files, only sending useful emails) is not rewarded.
Decentralized systems that rely upon their participants to be good actors fail to scale because they cannot prevent bad actors from also participating.

Without imposing a central authority, the only way to solve this problem is to use economic incentives. Good actors, by definition, play by the rules because they’re inherently motivated to do so. Bad actors are, by definition, selfish and adversarial, but proper economic incentives can redirect their bad behavior towards the common good. Decentralized systems that scale do so by ensuring that cooperative behavior is profitable and adversarial behavior is costly.

The best way to implement robust decentralized services is to create markets where all actors, both good and bad, are paid to provide that service. The lack of barriers to entry for buyers and sellers in a decentralized market encourages scale and efficiency. If the market’s protocols can protect participants from fraud, theft, and abuse, then bad actors will find it more profitable to either play by the rules or go attack a different system.

But markets are complex. They must provide buyers and sellers the ability to post bids & asks as well as discover, match and settle orders. They must be fair, provide strong consistency, and maintain availability despite periods of volatility.

Global markets today are extremely capable and sophisticated, but using traditional goods and payment networks to implement incentives in a decentralized market is a nonstarter. Any coupling between a decentralized system and fiat money, traditional assets, or physical commodities would reintroduce dependencies on the central authorities that control payment processors, banks, & exchanges.

Decentralized systems cannot transfer cash, look up the balance of a brokerage account, or determine the ownership of property. Traditional goods are completely illegible from within a decentralized system.
The inverse is not true—traditional systems can interact with bitcoin as easily as any other actor (once they decide they want to). The boundary between traditional and decentralized systems is not an impassable wall, but a semi-permeable membrane.

This means that decentralized systems cannot execute payments denominated in any traditional good. They cannot even determine the balances of fiat-denominated accounts or the ownership of real estate or physical goods. The entire traditional economy is completely illegible from within decentralized systems.

Creating decentralized markets requires trading new kinds of decentralized goods which are legible and transferable within decentralized systems.

The first example of a “decentralized good” is a special class of computations first proposed in 1993 by Cynthia Dwork and Moni Naor.[3]

Because of deep connections between mathematics, physics, and computer science, these computations cost real-world energy and hardware resources—they cannot be faked. Since real-world resources are scarce, these computations are also scarce.

The input for these computations can be any kind of data. The resulting output is a digital “proof” that the computations were performed on the given input data. Proofs contain a given “difficulty” which is (statistical) evidence of a given amount of computational work. Most importantly, the relationship between the input data, the proof, and the original computational work performed can be independently verified without appeal to any central authority.

The idea of passing around some input data along with a digital proof as evidence of real-world computational work performed on that input is now called “proof-of-work”.[4] Proofs-of-work are, to use Nick Szabo’s phrase, “unforgeable costliness”.
Because proofs-of-work are verifiable by anyone, they are economic resources that are legible to all participants in a decentralized system. Proofs-of-work turn computations on data into decentralized goods. Dwork & Naor proposed using computations to limit the abuse of a shared resource by forcing participants to provide proofs-of-work with a certain minimum difficulty before they can access the resource:

“In this paper we suggest a computational approach to combatting the proliferation of electronic mail. More generally, we have designed an access control mechanism that can be used whenever it is desirable to restrain, but not prohibit, access to a resource.” – Dwork & Naor, 1993

In Dwork & Naor’s proposal, an email system administrator would set a minimum proof-of-work difficulty for delivering email. Users wanting to send email would need to perform a corresponding number of computations with that email as the input data. The resulting proof would be submitted to the server alongside any request to deliver the email.

Dwork & Naor referred to the difficulty of a proof-of-work as a “pricing function” because, by adjusting the difficulty, a “pricing authority” could ensure that the shared resource remained cheap to use for honest, average users but expensive for users seeking to exploit it.
In the email delivery market, server administrators are the pricing authorities; they must choose a “price” for email delivery which is low enough for normal usage but too high for spam.

Though Dwork & Naor framed proofs-of-work as an economic disincentive to combat resource abuse, the nomenclature “pricing function” and “pricing authority” supports a different, market-based interpretation: users are purchasing access to a resource in exchange for computations at a price set by the resource’s controller.

In this interpretation, an email delivery network is really a decentralized market trading email delivery for computations. The minimum difficulty of a proof-of-work is the asking price for email delivery denominated in the currency of computations.

But computations aren’t a good currency.

The proofs used to “trade” computations are only valid for the input used in those computations. This unbreakable link between a specific proof and a specific input means that the proof-of-work for one input can’t be reused for a different input.

Proof-of-work was originally proposed as an access control mechanism for limiting spam emails. Users would be expected to provide proofs-of-work alongside any emails they wanted to send. This mechanism can also be thought of as a market where users are purchasing email deliveries with computations at a price chosen by the email service provider.

This constraint is useful – it can be used to prevent the work done by one buyer in the market from being re-spent by another. For example, HashCash, the first real implementation of the market for email delivery, included metadata such as the current timestamp and the sender’s email address in the input data to its proof-of-work computations.
Proofs produced by a given user for a given email can’t be respent for sending a different email.

But this also means that proof-of-work computations are bespoke goods. They aren’t fungible, they can’t be re-spent,[5] and they don’t solve the coincidence-of-wants problem. These missing monetary properties prevent computations from being currency. Despite the name, there is no incentive for an email delivery provider to want to accumulate HashCash, as there would be for actual cash.

Adam Back, inventor of HashCash, understood these problems:

“hashcash is not directly transferable because to make it distributed, each service provider accepts payment only in cash created for them. You could perhaps setup a digicash style mint (with chaumian ecash) and have the bank only mint cash on receipt of hash collisions addressed to it. However this means you’ve got to trust the bank not to mint unlimited amounts of money for it’s own use.” – Adam Back, 1997

We don’t want to exchange bespoke computations for every individual good or service sold in a decentralized economy. We want a general purpose digital currency that can directly be used to coordinate exchanges of value in any market.

Building a functioning digital currency while remaining decentralized is a significant challenge. A currency requires fungible units of equal value that can be transferred among users. This requires issuance models, cryptographic definitions of ownership and transfer, a discovery and settlement process for transactions, and a historical ledger.
None of this infrastructure is required when proof-of-work is thought of as a mere “access control mechanism”.

Moreover, decentralized systems are markets, so all these basic functions of a currency must somehow be provided through paying service providers…in the units of the currency that’s being created!

Like compiling the first compiler, a black start of the electrical grid, or the evolution of life itself, the creators of digital currencies were confronted with a bootstrapping problem: how to define the economic incentives that underlie a functioning currency without having a functioning currency in which to denominate or pay those incentives.

Computations and currency are the first and second goods in decentralized markets. Proof-of-work alone allows for the exchange of computations but a functioning currency requires more infrastructure. It took 15 years for the cypherpunk community to develop that infrastructure.

Progress on this bootstrapping problem comes from properly framing its constraints.

Decentralized systems must be markets. Markets consist of buyers and sellers exchanging goods. The decentralized market for a digital currency only has two goods that are legible within it:

- Computations through proof-of-work
- Units of the currency we’re trying to build

The only market trade possible must therefore be between these two goods. Computations must be sold for units of currency or, equivalently, units of currency must be sold for computations. Stating this is easy—the hard part is structuring this market so that simply exchanging currency for computation bootstraps all the capabilities of the currency itself!

The entire history of digital currencies culminating in Satoshi’s 2008 white paper, was a series of increasingly sophisticated attempts at structuring this market.
The following section reviews projects such as Nick Szabo’s bit gold and Wei Dai’s b-money. Understanding how these projects structured their markets, and why they failed will help us frame why Satoshi and bitcoin succeeded.

A major function of markets is price discovery. A market trading computations for currency must therefore discover the price of computation itself, as denominated in units of that currency.

We don’t typically assign monetary value to computations. We typically value the capacity to perform computations because we value the output of computations, not the computations themselves. If the same output can be performed more efficiently, with fewer computations, that is usually called “progress”.

Proofs-of-work represent specific computations whose only output is proof that they were performed. Producing the same proof by performing fewer computations and less work wouldn’t be progress—it would be a bug. The computations associated with proofs-of-work are thus a strange and novel good to attempt to value.

When proofs-of-work are thought of as disincentives against resource abuse, it is not necessary to value them precisely or consistently. All that matters is that the email service provider sets difficulties low enough to be unnoticeable for legitimate users yet high enough to be prohibitive for spammers. There is thus a broad range of acceptable “prices” and each participant acts as their own pricing authority, applying a local pricing function.

But units of a currency are meant to be fungible, each having the same value. Due to changes in technology over time, two units of currency created with the same proof-of-work difficulty—as measured by the number of corresponding computations—may have radically different real-world costs of production, as measured by the time, energy, and/or capital to perform those computations.
When computations are sold for currency, and the underlying cost of production is variable, how can the market ensure a consistent price?

Nick Szabo clearly identified this pricing problem when describing bit gold:

“The main problem…is that proof of work schemes depend on computer architecture, not just an abstract mathematics based on an abstract “compute cycle.” …Thus, it might be possible to be a very low cost producer (by several orders of magnitude) and swamp the market with bit gold.” – Szabo, 2005

A decentralized currency created through proof-of-work will experience supply gluts and crashes as the supply of computations changes over time. To accommodate this volatility, the network must learn to dynamically price computations.

Early digital currencies attempted to price computations by attempting to collectively measure the “cost of computing”. Wei Dai, for example, proposes the following hand-wavy solution in b-money:

“The number of monetary units created is equal to the cost of the computing effort in terms of a standard basket of commodities. For example if a problem takes 100 hours to solve on the computer that solves it most economically, and it takes 3 standard baskets to purchase 100 hours of computing time on that computer on the open market, then upon the broadcast of the solution to that problem everyone credits the broadcaster’s account by 3 units.” – Dai, 1998

Unfortunately, Dai does not explain how users in a supposedly decentralized system are supposed to agree upon the definition of a “standard basket”, which computer solves a given problem “most economically”, or the cost of computation on the “open market”.
Achieving consensus among all users about a time-varying shared dataset is the essential problem of decentralized systems!

To be fair to Dai, he realized this:

“One of the more problematic parts in the b-money protocol is money creation. This part of the protocol requires that all [users] decide and agree on the cost of particular computations. Unfortunately because computing technology tends to advance rapidly and not always publicly, this information may be unavailable, inaccurate, or outdated, all of which would cause serious problems for the protocol.” – Dai, 1998

Dai would go on to propose a more sophisticated auction-based pricing mechanism which Satoshi would later say was the starting point for his ideas. We will return to this auction scheme below, but first let’s turn to bit gold, and consider Szabo’s insights into the problem.

Szabo claims that proofs-of-work should be “securely timestamped”:

“The proof of work is securely timestamped. This should work in a distributed fashion, with several different timestamp services so that no particular timestamp service need be substantially relied on.” – Szabo, 2005

Szabo links to a page of resources on secure timestamping protocols but does not describe any specific algorithm for secure timestamping.
The phrases “securely” and “distributed fashion” are carrying a lot of weight here, hand-waving through the complexities of relying upon one (or many) “outside the system” services for timestamping.[6]

The time a unit of digital currency was created is important because it links the computations performed to real-world production cost.

Regardless of implementation fuzziness, Szabo was right—the time a proof-of-work was created is an important factor in pricing it because it is related to the cost of computation:

“…However, since bit gold is timestamped, the time created as well as the mathematical difficulty of the work can be automatically proven. From this, it can usually be inferred what the cost of producing during that time period was…” – Szabo, 2005

“Inferring” the cost of production is important because bit gold has no mechanism to limit the creation of money. Anyone can create bit gold by performing the appropriate computations. Without the ability to regulate issuance, bit gold is akin to a collectible:

“…Unlike fungible atoms of gold, but as with collector’s items, a large supply during a given time period will drive down the value of those particular items. In this respect bit gold acts more like collector’s items than like gold…” – Szabo, 2005

Bit gold requires an additional, external process to create fungible units of currency:

“…[B]it gold will not be fungible based on a simple function of, for example, the length of the string. Instead, to create fungible units dealers will have to combine different-valued pieces of bit gold into larger units of approximately equal value. This is analogous to what many commodity dealers do today to make commodity markets possible.
Trust is still distributed because the estimated values of such bundles can be independently verified by many other parties in a largely or entirely automated fashion.” – Szabo, 2005

To paraphrase Szabo, “to assay the value of… bit gold, a dealer checks and verifies the difficulty, the input, and the timestamp”. The dealers defining “larger units of approximately equal value” are providing a similar pricing function as Dai’s “standard basket of commodities”. Fungible units are not created in bit gold when proofs-of-work are produced, only later when those proofs are combined into larger “units of approximately equal value” by dealers in markets outside the network.

To his credit, Szabo recognizes this flaw:

“…The potential for initially hidden supply gluts due to hidden innovations in machine architecture is a potential flaw in bit gold, or at least an imperfection which the initial auctions and ex post exchanges of bit gold will have to address.” – Szabo, 2005

Again, despite not having arrived at (what we now know as) the solution, Szabo was pointing us at it: because the cost of computation changes over time, the network must respond to changes in the supply of computation by adjusting the price of money.

Szabo’s dealers would have been an external market that defined the price of (bundles of) bit gold after its creation. Is it possible to implement this market within the system instead of outside it?

Let’s return to Wei Dai and b-money. As mentioned earlier, Dai proposed an alternative auction-based model for the creation of b-money. Satoshi’s design for bitcoin improves directly on b-money’s auction model[7]:

“So I propose an alternative money creation subprotocol, in which [users]… instead decide and agree on the amount of b-money to be created each period, with the cost of creating that money determined by an auction.
Each money creation period is divided up into four phases, as follows:

Planning. The [users] compute and negotiate with each other to determine an optimal increase in the money supply for the next period. Whether or not the [network] can reach a consensus, they each broadcast their money creation quota and any macroeconomic calculations done to support the figures.

Bidding. Anyone who wants to create b-money broadcasts a bid in the form of where x is the amount of b-money he wants to create, and y is an unsolved problem from a predetermined problem class. Each problem in this class should have a nominal cost (in MIPS-years say) which is publicly agreed on.

Computation. After seeing the bids, the ones who placed bids in the bidding phase may now solve the problems in their bids and broadcast the solutions.

Money creation. Each [user] accepts the highest bids (among those who actually broadcasted solutions) in terms of nominal cost per unit of b-money created and credits the bidders accounts accordingly.” – Dai, 1998

B-money makes significant strides towards the correct market structure for a digital currency. It attempts to eliminate Szabo’s external dealers and allow users to engage in price discovery by directly bidding against each other.

But implementing Dai’s proposal as written would be challenging:

In the “Planning” phase, users bear the burden of negotiating the “optimal increase in the money supply for the next period”. How “optimal” should be defined, how users should negotiate with each other, and how the results of such negotiations are shared is not described.

Regardless of what was planned, the “Bidding” phase allows anyone to submit a “bid” to create b-money.
The bids include both an amount of b-money to be created as well as a corresponding amount of proof-of-work, so each bid is a price: the number of computations a given bidder is willing to perform in order to buy a given amount of b-money.

Once bids are submitted, the “Computation” phase consists of bidders performing the proof-of-work they bid and broadcasting solutions. No mechanism for matching bidders to solutions is provided. More problematically, it’s not clear how users should know that all bids have been submitted – when does the “Bidding” phase end and the “Computation” phase begin?

These problems recur in the “Money creation” phase. Because of the nature of proof-of-work, users can verify the proofs they receive in solutions are real. But how can users collectively agree on the set of “highest bids”? What if different users pick different such sets, either due to preference or network latency?

Decentralized systems struggle to track data and make choices consistently, yet b-money requires tracking bids from many users and making consensus choices among them. This complexity prevented b-money from ever being implemented.

The root of this complexity is Dai’s belief that the “optimal” rate at which b-money is created should fluctuate over time based on the “macroeconomic calculations” of its users. Like bit gold, b-money has no mechanism to limit the creation of money. Anyone can create units of b-money by broadcasting a bid and then doing the corresponding proof-of-work.

Both Szabo and Dai proposed using a market exchanging digital currency for computations yet neither bit gold nor b-money defined a monetary policy to regulate the supply of currency within this market.

In contrast, a sound monetary policy was one of Satoshi’s primary goals for the bitcoin project.
In the very first mailing list post where bitcoin was announced, Satoshi wrote:

“The root problem with conventional currency is all the trust that’s required to make it work. The central bank must be trusted not to debase the currency, but the history of fiat currencies is full of breaches of that trust.” – Satoshi, 2009

Satoshi would go on to describe other problems with fiat currencies such as risky fractional reserve banking, a lack of privacy, rampant theft & fraud, and the inability to make micropayments. But Satoshi started with the issue of debasement by central banks—with a concern about monetary policy.

Satoshi wanted bitcoin to ultimately reach a finite circulating supply that cannot be diluted over time. The “optimal” rate of bitcoin creation, for Satoshi, should thus eventually be zero.

This monetary policy goal, more than any other characteristic they personally (or collectively!) possessed, was the reason Satoshi “discovered” bitcoin, the blockchain, Nakamoto consensus, etc.—and not someone else. It’s the short answer to the question posed in the title of this article: Satoshi thought of bitcoin because they were focused on creating a digital currency with a finite supply.

A finite supply of bitcoin is not only a monetary policy goal or a meme for bitcoiners to rally around. It’s the essential technical simplification that allowed Satoshi to build a functional digital currency while Dai’s b-money remained just a fascinating web post.

Bitcoin is b-money with an additional requirement of a predetermined monetary policy. Like many technical simplifications, constraining monetary policy enables progress by reducing scope.
Let’s see how each of the phases of b-money creation is simplified by imposing this constraint.

In b-money, each “money creation period” included a “Planning” phase, in which users were expected to share their “macroeconomic calculations” justifying the amount of b-money they wanted to create at that time. Satoshi’s monetary policy goals of a finite supply and zero tail emission were incompatible with the freedom granted by b-money to individual users to create money. The first step on the journey from b-money to bitcoin was therefore to eliminate this freedom. Individual bitcoin users cannot create bitcoin. Only the bitcoin network can create bitcoin, and it did so exactly once, in 2009 when Satoshi launched the bitcoin project.

Satoshi was able to replace the recurring “Planning” phases of b-money with a single, predetermined schedule on which the 21M bitcoin created in 2009 would be released into circulation. Users voluntarily endorse Satoshi’s monetary policy by downloading and running the Bitcoin Core software in which this monetary policy is hard-coded.

This changes the semantics of bitcoin’s market for computations. The bitcoin being paid to miners is not newly issued; it’s newly released into circulation from an existing supply.

This framing is crucially different from the naive claim that “bitcoin miners create bitcoin”. Bitcoin miners are not creating bitcoin, they’re buying it. Bitcoin isn’t valuable because “bitcoin are made from energy”—bitcoin’s value is demonstrated by being sold for energy.

Let’s repeat it one more time: bitcoin isn’t created through proof-of-work, bitcoin is created through consensus.

Satoshi’s design eliminates the requirement for ongoing “Planning” phases from b-money by doing all the planning up front.
This allowed Satoshi to hard-code a sound monetary policy but also simplified the implementation of bitcoin.

This freedom granted to users to create money results in a corresponding burden for the b-money network. During the “Bidding” phase the b-money network must collect and share money creation “bids” from many different users.

Eliminating the freedom to create money relieves the bitcoin network of this burden. Since all 21M bitcoin already exist, the network doesn’t need to collect bids from users to create money; it merely has to sell bitcoin on Satoshi’s predetermined schedule.

The bitcoin network thus offers a consensus asking price for the bitcoin it is selling in each block. This single price is calculated by each node independently using its copy of the blockchain. If nodes have consensus on the same blockchain (a point we will return to later) they will all offer an identical asking price at each block.[8]

The first half of the consensus price calculation determines how many bitcoin to sell. This is fixed by Satoshi’s predetermined release schedule. All bitcoin nodes in the network calculate the same amount for a given block:

The second half of the consensus asking price is the number of computations the current subsidy is being sold for. Again, all bitcoin nodes in the network calculate the same value (we will revisit this difficulty calculation in the next section):

Together, the network subsidy and difficulty define the current asking price of bitcoin as denominated in computations. Because the blockchain is in consensus, this price is a consensus price.

Users in b-money also were presumed to have a consensus “blockchain” containing the history of all transactions.
But Dai never thought of the simple solution of a single consensus asking price for the creation of new b-money, determined solely by the data in that blockchain.

Instead, Dai assumed that money creation must go on forever. Individual users would therefore need to be empowered to affect monetary policy – just as in fiat currencies. This perceived requirement led Dai to design a bidding system which prevented b-money from being implemented.

This added complexity was removed by Satoshi’s requirement of a predetermined monetary policy.

In the “Computation” phase of b-money, individual users would perform the computations they’d committed to in their prior bids. In bitcoin, the entire network is the seller – but who is the buyer?

In the email delivery market, the buyers were individuals wanting to send emails. The pricing authority, the email service provider, would set a price that was considered cheap for individuals but expensive for spammers. But if the number of legitimate users increased, the price could still remain the same because the computing power of individual users would have remained the same.

In b-money, each user who contributed a bid for money creation was supposed to subsequently perform the corresponding number of computations themselves. Each user was acting as their own pricing authority based on their knowledge of their own computing capabilities.

The bitcoin network offers a single asking price in computations for the current bitcoin subsidy. But no individual miner who finds a block has performed this number of computations.[9] The individual miner’s winning block is proof that all miners collectively performed the required number of computations. The buyer of bitcoin is thus the global bitcoin mining industry.

Having arrived at a consensus asking price, the bitcoin network will not change that price until more blocks are produced.
These blocks must contain proofs-of-work at the current asking price. The mining industry therefore has no choice if it wants to “execute a trade” but to pay the current asking price in computations.

The only variable the mining industry can control is how long it will take to produce the next block. Just as the bitcoin network offers a single asking price, the mining industry thus offers a single bid—the time it takes to produce the next block meeting the network’s current asking price.

“To compensate for increasing hardware speed and varying interest in running nodes over time, the proof-of-work difficulty is determined by a moving average targeting an average number of blocks per hour. If they’re generated too fast, the difficulty increases.” – Nakamoto, 2008

Satoshi is modestly describing the difficulty adjustment algorithm, often cited as one of the most original ideas in bitcoin’s implementation. This is true, but instead of focusing on the inventiveness of the solution, let’s focus on why solving the problem was so important to Satoshi in the first place.

Projects such as bit gold and b-money didn’t need to constrain the rate in time of money creation because they didn’t have a fixed supply or a predetermined monetary policy. Periods of faster or slower money creation could be compensated for through other means, e.g. external dealers putting bit gold tokens into larger or smaller bundles or b-money users changing their bids.

But Satoshi’s monetary policy goals required bitcoin to have a predetermined rate at which bitcoin was to be released for circulation. Constraining the (statistical) rate at which blocks are produced over time is natural in bitcoin because the rate of block production is the rate at which the initial supply of bitcoin is being sold.
Selling 21M bitcoin over 140 years is a different proposition than allowing it to be sold in 3 months.

Moreover, bitcoin can actually implement this constraint because the blockchain is Szabo’s “secure timestamping protocol.” Satoshi describes bitcoin as first and foremost a “distributed timestamp server on a peer-to-peer basis,” and early implementations of the bitcoin source code use the word “timechain” rather than “blockchain” to describe the shared data structure that implements bitcoin’s proof-of-work market.[10]

Unlike bit gold or b-money, tokens in bitcoin do not experience supply gluts. The bitcoin network uses the difficulty adjustment to change the price of money in response to changes in the supply of computations.

Bitcoin’s difficulty readjustment algorithm leverages this capability. The consensus blockchain is used by participants to enumerate the historical bids made by the mining industry and readjust the difficulty in order to move closer to the target block time.

The chain of simplifications caused by demanding strong monetary policy extends to the “Money creation” phase of b-money.

User-submitted bids in b-money suffer from a “nothing at stake” problem. There is no mechanism to prevent users from submitting bids with a huge amount of b-money for very little work. This requires the network to both track which bids have been completed and only accept the “highest bids…in terms of nominal cost per unit of b-money created” in order to avoid such nuisance bids.
Each b-money participant must track an entire order book worth of bids, match bids with their subsequent computations, and only settle such completed orders with the highest prices.

This problem is an instance of the more general problem of consensus in decentralized systems, also known as the “Byzantine generals” or sometimes the “double-spend” problem in the context of digital currencies. Sharing an identical sequence of data among all participants is challenging inside an adversarial, decentralized network. Existing solutions to this problem – so-called “Byzantine-fault tolerant (BFT) consensus algorithms” – require previous coordination among participants or a supermajority (>67%) of participants to not behave adversarially.

Bitcoin doesn’t have to manage a large order book of bids because the bitcoin network offers a single consensus asking price. This means bitcoin nodes can accept the first (valid) block they see that meets the network’s current asking price—nuisance bids can easily be ignored and are a waste of a miner’s resources.

Consensus pricing of computations allows the matching of buy/sell orders in bitcoin to be done eagerly, on a first-come, first-served basis. Unlike b-money, this eager order matching means that bitcoin’s market has no phases—it operates continuously, with a new consensus price being calculated after each individual order is matched (block is found). To avoid forks caused by network latency or adversarial behavior, nodes must also follow the heaviest chain rule. This greedy order settling rule ensures that only the highest bids are accepted by the network.

This combination eager-greedy algorithm, where nodes accept the first valid block they see and also follow the heaviest chain, is a novel BFT algorithm which rapidly converges on consensus about the sequence of blocks.
Satoshi spends 25% of the bitcoin white paper demonstrating this claim.[11]

We established in previous sections that bitcoin’s consensus asking price itself depends on the blockchain being in consensus. But it turns out that the existence of a single consensus asking price is what allows the market for computations to eagerly match orders, which is what leads to consensus in the first place!

Moreover, this new “Nakamoto consensus” only requires 50% of participants to not be adversarial, a significant improvement on the prior state of the art. A cypherpunk like Satoshi made this theoretical computer science breakthrough, instead of a traditional academic or industry researcher, because of their narrow focus on implementing sound money, rather than a generic consensus algorithm for distributed computing.

B-money was a powerful framework for building a digital currency but one that was incomplete because it lacked a monetary policy. Constraining b-money with a predetermined release schedule for bitcoins reduced scope and simplified implementation by eliminating the requirement to track and choose among user-submitted money creation bids. Preserving the temporal pace of Satoshi’s release schedule led to the difficulty adjustment algorithm and enabled Nakamoto consensus, widely recognized as one of the most innovative aspects of bitcoin’s implementation.

There is a lot more to bitcoin’s design than the aspects discussed so far. We have focused this article on the “primary” market within bitcoin, the market which distributes the initial bitcoin supply into circulation.

The next article in this series will explore the market for bitcoin transaction settlement and how it relates to the market for distributing the bitcoin supply.
This relationship will suggest a methodology for how to build future markets for decentralized services on top of bitcoin.

I’ve been ranting about bitcoin and markets for years now and must thank the many people who listened and helped me sharpen my thinking. In particular, Ryan Gentry, Will Cole and Stephen Hall met with me weekly to debate these ideas. I would not have been able to overcome countless false starts without their contributions and their support. Ryan also helped me begin talking about these ideas publicly in our Bitcoin 2021 talk. Afsheen Bigdeli, Allen Farrington, Joe Kelly, Gigi, Tuur Demeester, and Marty Bent have all encouraged me over the years and provided valuable feedback. I must also apologize to Allen for turning out to be such a lousy collaborator. Finally, Michael Goldstein may be better known for his writing & memes, but I’d like to thank him for the archival work he does at the Nakamoto Institute to keep safe the history of digital currencies.

[1] The title of this series is taken from the first telegraph message in history, sent by Samuel Morse in 1844: “What hath God wrought?”.

[2] Bitcoin: A Peer-to-Peer Electronic Cash System, available: https://bitcoin.org/bitcoin.pdf

[3] Pricing via Processing or Combatting Junk Mail by Dwork and Naor, available: https://www.wisdom.weizmann.ac.il/~naor/PAPERS/pvp.pdf

[4] Despite originating the idea, Dwork & Naor did not invent “proof-of-work”—that moniker was provided later in 1999 by Markus Jakobsson and Ari Juels.

[5] Hal Finney’s RPOW project was an attempt at creating transferable proofs-of-work but bitcoin doesn’t use this concept because it doesn’t treat computations as currency.
As we’ll see later when we examine bit gold and b-money, computations cannot be currency because the value of computations changes over time while units of currency must have equal value. Bitcoin is not computations, bitcoin is currency that is sold for computations.

[6] At this juncture, some readers may believe me dismissive of the contributions of Dai or Szabo because they were inarticulate or hand-wavy on some points. My feelings are the exact opposite: Dai and Szabo were essentially right and the fact that they did not articulate every detail the way Satoshi subsequently did does not detract from their contributions. Rather, it should heighten our appreciation of them, as it reveals how challenging the advent of digital currency was, even for its best practitioners.

[7] Dai’s b-money post is the very first reference in Satoshi’s white paper, available: http://www.weidai.com/bmoney.txt

[8] There are two simplifications being made here:
a. The number of bitcoin being sold in each block is also affected by the transaction fee market, which is out of scope for this article, though look out for subsequent work.
b. The difficulty as reported by bitcoin is not exactly the number of expected computations; one must multiply by a proportionality factor.

Outline

How did Satoshi think of bitcoin?

I. Decentralized systems are markets
Distributed systems rely upon central authorities
Decentralized systems have no central authorities
Decentralized systems are governed through incentives

II. Decentralized markets require decentralized goods
Computation is the first decentralized good
Currency is the second decentralized good
The first decentralized market must trade computations for currency

III. How can decentralized systems price computations?
Use external markets
Use internal markets

IV. Satoshi’s monetary policy goals led to bitcoin
All 21M bitcoin already exist
Bitcoin is priced through consensus
Time closes all spreads
A standing order creates consensus

V. Conclusion

Acknowledgements

Footnotes
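The two halves of the consensus asking price described under “Bitcoin is priced through consensus” (how many bitcoin a block sells, and how many computations it sells them for), together with the retargeting step, can be worked through in a short added Python example. This is not Bitcoin Core's code and is not part of the original essay; the constants are Bitcoin mainnet consensus parameters, while the function names and the sample heights, nBits values and timespans are constructed for illustration.

```python
# Added example: the "consensus asking price" of a block, computed from chain data only.
# Constants are Bitcoin mainnet consensus parameters; function names are this example's own.

COIN = 100_000_000                    # satoshis per bitcoin
HALVING_INTERVAL = 210_000            # blocks between subsidy halvings
TARGET_TIMESPAN = 14 * 24 * 60 * 60   # intended seconds per 2016-block retarget period
POW_LIMIT_BITS = 0x1D00FFFF           # easiest permitted target (difficulty 1)


def block_subsidy(height):
    """First half of the price: satoshis released by the block at `height`."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else (50 * COIN) >> halvings


def total_supply():
    """Sum the release schedule over every halving era (slightly under 21M coins)."""
    total, era = 0, 0
    while block_subsidy(era * HALVING_INTERVAL) > 0:
        total += HALVING_INTERVAL * block_subsidy(era * HALVING_INTERVAL)
        era += 1
    return total


def bits_to_target(bits):
    """Expand the compact nBits header field into the 256-bit hash target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def target_to_bits(target):
    """Compress a target back to nBits, keeping only its top three bytes."""
    size = (target.bit_length() + 7) // 8
    mantissa = target << (8 * (3 - size)) if size <= 3 else target >> (8 * (size - 3))
    if mantissa & 0x00800000:         # top bit is a sign flag in this encoding
        mantissa >>= 8
        size += 1
    return (size << 24) | mantissa


def expected_hashes(bits):
    """Second half of the price: average hash attempts needed to meet the target."""
    return (1 << 256) // (bits_to_target(bits) + 1)


def next_bits(prev_bits, actual_timespan):
    """Retarget: scale the target by elapsed/intended time, clamped to a factor of 4."""
    clamped = max(TARGET_TIMESPAN // 4, min(actual_timespan, TARGET_TIMESPAN * 4))
    new_target = bits_to_target(prev_bits) * clamped // TARGET_TIMESPAN
    return target_to_bits(min(new_target, bits_to_target(POW_LIMIT_BITS)))


def asking_price(height, bits):
    """(satoshis offered, expected hashes demanded) for one block."""
    return block_subsidy(height), expected_hashes(bits)


if __name__ == "__main__":
    # Constructed sample inputs: (height, nBits) pairs chosen for illustration.
    for height, bits in [(0, 0x1D00FFFF), (210_000, 0x1B0404CB)]:
        sats, hashes = asking_price(height, bits)
        print(f"height {height}: {sats / COIN} BTC for ~{hashes:.3e} hashes")
    # A period mined in one week instead of two halves the target (doubles the price).
    print(hex(next_bits(0x1B0404CB, TARGET_TIMESPAN // 2)))
    print(total_supply() / COIN)
```

At difficulty 1 the expected work is 4,295,032,833 hashes, roughly 2^32, which is the proportionality factor that footnote [8] b refers to. Every input to these functions is a block height, a header field or a timestamp difference, so two nodes holding the same chain necessarily compute the same price.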