{"id":21943,"date":"2018-06-14T20:31:55","date_gmt":"2018-06-14T20:31:55","guid":{"rendered":"http:\/\/ci027cfe7ba0012697"},"modified":"2018-06-14T20:31:55","modified_gmt":"2018-06-14T20:31:55","slug":"genesis-files-if-bitcoin-had-first-draft-wei-dais-b-money-was-it","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/genesis-files-if-bitcoin-had-first-draft-wei-dais-b-money-was-it","title":{"rendered":"The Genesis Files: If Bitcoin Had a First Draft, Wei Dai\u2019s B-Money Was It"},"content":{"rendered":"
<\/div>
<\/figure>\n

All Cypherpunks value privacy; it\u2019s basically the founding principle of the collective of cryptographers, academics, developers and activists grouped around the 1990s mailing list by the same name. But few put it in practice like Wei Dai does. Once described<\/a> as an \u201cintensely private computer engineer\u201d by the New York Times<\/em>, not many personal details are known about the man who, two decades ago, dreamed up an electronic cash system intriguingly similar to Bitcoin.<\/p>\n

This lack of personal details is made up for by Wei Dai\u2019s work and proliferation of ideas. A talented cryptographer, Dai created and still maintains Crypto++<\/a>: a C++ library for cryptographic algorithms. Dai is also, to this day, active on rationality forums like LessWrong<\/a>, where he philosophizes on such topics as artificial intelligence, ethics, epistemology and more. His insights earned<\/a> him<\/a> the praise of well-known AI researcher Eliezer Yudkowsky and repeated invitations to speak at his Machine Intelligence Research Institute<\/a> (MIRI; previously known as the Singularity Institute).<\/p>\n

Dai\u2019s interest in philosophy and politics is nothing new. Back in the 1990s, as a young bachelor student in computer science at Washington University, his curiosity led him to the writings of Timothy May, one of the \u201cfounding fathers\u201d of the Cypherpunk movement. Dai was inspired<\/a> by the crypto-anarchy<\/a> May advocated; the brand-new ideology prevalent amongst Cypherpunks based on the conviction that cryptography and software could provide and safeguard political and economic freedom better than any system of government would.<\/p>\n

\u201cI am fascinated by Tim May’s crypto-anarchy,\u201d Dai wrote<\/a> in 1998. \u201cUnlike the communities traditionally associated with the word \u2018anarchy\u2019, in a crypto-anarchy the government is not temporarily destroyed but permanently forbidden and permanently unnecessary. It’s a community where the threat of violence is impotent because violence is impossible, and violence is impossible because its participants cannot be linked to their true names or physical locations.\u201d<\/p>\n

By the mid-1990s, Dai engaged in discussions on various topics on the Cypherpunks mailing list such as digital reputation systems<\/a>, game theory<\/a>, privacy<\/a> and anonymity in digital cash systems<\/a>. Perhaps more importantly, Dai made a number of proposals to further the Cypherpunk cause, including trusted timestamping<\/a>, an encrypted TCP tunneler<\/a>, a secure file sharing system<\/a> and more. It garnered him a reputation as a prolific contributor to the Cypherpunk community \u2014 though, even back then, no one knew much about him personally. (Not even whether Dai was male or female, Timothy May recently said<\/a>.)<\/p>\n

But Dai would become best known for an idea he casually announced<\/a> in November 1998, just after graduating from university. \u201cEfficient cooperation requires a medium of exchange (money) and a way to enforce contracts,\u201d Dai explained. \u201cThe protocol proposed in this article allows untraceable pseudonymous entities to cooperate with each other more efficiently, by providing them with a medium of exchange and a method of enforcing contracts. […] I hope this is a step toward making crypto-anarchy a practical as well as theoretical possibility.\u201d<\/p>\n

He called his proposal \u201cb-money\u201d<\/a>.<\/p>\n

B-money<\/h2>\n

Typical digital money systems use a central ledger to keep track of account balances. Whether it\u2019s a central bank, a commercial bank, VISA or any other payment provider, a centrally-controlled database somewhere tracks who owns what.<\/p>\n

The problem with this solution, from Dai\u2019s and the crypto-anarchist perspective, is that it ultimately lets governments control the flow of money through regulation, while participants in the system are usually required to identify themselves. \u201cMy motivation for b-money was to enable online economies that are purely voluntary \u2026 ones that couldn\u2019t be taxed or regulated through the threat of force,\u201d he later explained<\/a>.<\/p>\n

So, Dai came up with an alternative solution. Or really, two alternative solutions.<\/p>\n

In the first solution, instead of a central entity controlling the ledger, all participants maintain separate copies of the same ledger. Any time a new transaction is made, everyone updates their records. These ledgers, furthermore, would consist of public keys, with amounts attached to them \u2014 no real names. This decentralized approach would prevent any single entity from blocking transactions, while offering a level of privacy to all users.<\/p>\n

As a quick example, let\u2019s say Alice and Bob are b-money users. They both have a public key: Alice has public key \u201cA\u201d and Bob has public key \u201cB\u201d, for which they both control their unique private keys. And, as recorded in the ledgers maintained by all users, both their public keys hold b-money units; let\u2019s say three units each.<\/p>\n

If Bob wants to receive two b-money units from Alice (because he\u2019s selling her a product), he sends her his public key: B. Assuming Alice wants to buy the product, she then creates a transaction in the form of a message: \u201c2 b-money from A to B.\u201d Next, she signs this message, with her private key corresponding to A. The message and the cryptographic signature is then sent to all b-money users.<\/p>\n

The signed message proves to all b-money users that the rightful owner of A wants to send two b-money units to B. Everyone, therefore, updates their ledgers, now attributing a total of one b-money unit to A and a total of five b-money units to B \u2014 without learning that Alice or Bob control either.<\/p>\n

If this solution sounds familiar, it should: It\u2019s roughly how, 10 years later, Satoshi Nakamoto designed Bitcoin.<\/p>\n

B-money, Version 2<\/h2>\n

Dai considered his first b-money solution impractical, however, \u201cbecause it makes heavy use of a synchronous and unjammable anonymous broadcast channel,\u201d he explained in his proposal.<\/p>\n

Put differently, the first b-money proposal didn\u2019t solve the double-spending problem. Alice could send two b-money units to both Bob\u2019s B and to Carol\u2019s C at the same time, transmitting these transactions to different parts of the network. Both Bob and Carol would give Alice a product in return \u2026 only to later find out that half of the network won\u2019t acknowledge their new balances.<\/p>\n

That\u2019s why Dai came up with a second b-money solution, all in the same proposal.<\/p>\n

In this version, not everyone maintains a version of the ledger. Instead, the system would consist of two types of users: regular users and \u201cservers.\u201d Only the servers, linked through a Usenet<\/a>-style broadcast network, would maintain the b-money ledgers. To verify that a transaction went through like it should, regular users \u2014 like Bob and Carol \u2014 would have to verify it with a random subset of these servers. (In case of a conflict, Bob and Carol would presumably reject the transaction from Alice and not sell her anything.)<\/p>\n

While not detailed in the proposal, anyone would probably have been able to become a server, but \u201ceach server is required to deposit a certain amount of money in a special account to be used as potential fines or rewards for proof of misconduct,\u201d Dai proposed. The servers should also periodically publish and cryptographically commit to ownership databases.<\/p>\n

\u201cEach participant should verify that his own account balances are correct and that the sum of the account balances is not greater than the total amount of money created,\u201d Dai envisioned. \u201cThis prevents the servers, even in total collusion, from permanently and costlessly expanding the money supply.\u201d<\/p>\n

If this sounds somewhat familiar as well, that\u2019s no wonder either: Dai\u2019s second b-money proposal loosely resembles what would today be called a proof-of-stake system.<\/p>\n

To boot, Dai added an early version of a smart contract solution to his proposal(s). These types of smart contracts most closely resemble a mixture of a proof-of-stake system and an arbitration system, where both parties to a contract and an arbitrator must all deposit funds in a special account. Curiously for modern standards, however, these contracts did not have a dispute resolution system encoded: Instead it was possible that, in case of disputes, different users (or servers) would adjust their own ledgers differently, in effect leaving the state of ledgers on the network out of consensus. (Presumably, the potential penalties would make the cost of cheating too high to risk it.)<\/p>\n

Monetary Policy<\/h2>\n

Yet, where b-money would have perhaps differed most sharply from Bitcoin was Dai\u2019s proposed monetary policy.<\/p>\n

Bitcoin\u2019s monetary policy is of course very straightforward. To bring coins in circulation, it initially issued 50 new bitcoins per block, a number which has since dropped to 12.5. This number will continue to decrease over time until, some hundred years from now, the total amount of bitcoin issued caps out at slightly below 21 million. Whether or not such a monetary policy is ideal has been a subject of debate, but one thing is clear: So far it has not produced a stable coin value.<\/p>\n

In contrast, a stable coin value was explicitly part of Dai\u2019s vision. To achieve this, the value of b-money was to be coupled to the value of a (theoretical) basket of goods. For example, 100 b-money units would be worth one basket of goods. This should give b-money a stable value, at least in relation to this basket of goods: the same 100 b-money units would buy the same basket of goods in the past, in the present and in the future.<\/p>\n

To issue new coins, users were to determine what a basket of goods would cost relative to a solution to a computational problem: a \u201cproof of work.\u201d If, for example, a basket of goods should cost $80 at specific point in time, it would have to be matched by a proof of work that would on average cost $80 to produce. If, 10 years later, the same basket of goods were to cost $120, the same 100 units would have to be matched with a proof of work that\u2019d cost $120 to produce.<\/p>\n

Using this indicator, the first person to produce a valid proof of work would be credited 100 new b-money by all users or the servers. Therefore, no one would be particularly incentivized to produce proofs of work unless they intended to use b-money, limiting inflation to the growth of the \u201cb-money economy.\u201d<\/p>\n

Alternatively, in an appendix to his proposal, Dai suggested that money creation could be realized through an auction. Either all users (first protocol) or the servers (second protocol) would first have to determine an optimal increase of the monetary base. Then, if this ideal increase were to be established at 500 b-money units, for example, an auction would determine who should create these 500 units: whoever was willing and able to provide the most proof of work for it.<\/p>\n

Bitcoin<\/h2>\n

B-money was never implemented. It couldn\u2019t have been: \u201cb-money wasn’t a complete practical design yet,\u201d Dai acknowledged in a LessWrong forum thread<\/a> a couple of years ago. What\u2019s more, Dai did not expect b-money to take off in a big way, even if it was implemented. <\/p>\n

\u201cI think b-money will at most be a niche currency\/contract enforcement mechanism, serving those who don’t want to or can’t use government sponsored ones,\u201d he explained in an email<\/a> following his announcement on the Cypherpunks mailing list.<\/p>\n

Indeed, several of b-money\u2019s problems remained unsolved or at least under-specified. Perhaps, most importantly, its consensus model was not very robust, as best shown by Dai\u2019s proposed smart contract solution. It has since also been found that proof-of-stake systems introduce new challenges that Dai may not have foreseen; for example, it\u2019s not clear how \u201cmisconduct\u201d can be objectively established. And that doesn\u2019t even get into the more nuanced problems of the proposal, such as a lack of privacy due to traceability of funds or potential coin issuance (\u201cmining\u201d) centralization. Indeed, some of these problems are still not solved for Bitcoin today.<\/p>\n

Dai \u2014 who after proposing b-money went on to work for TerraSciences and Microsoft, and may have retired early on since then \u2014 would not stick around to solve these problems.<\/p>\n

\u201cI didn’t continue to work on the design because I had actually grown somewhat disillusioned with crypto-anarchy by the time I finished writing up b-money,\u201d Dai later explained<\/a> on LessWrong. He reiterated, \u201cI didn’t foresee that a system like it, once implemented, could attract so much attention and use beyond a small group of hardcore Cypherpunks.\u201d<\/p>\n

Yet, Dai\u2019s proposal was not forgotten: b-money ended up as the first reference in the Bitcoin white paper<\/a>. Still, as similar as b-money and Bitcoin\u2019s designs may be, it\u2019s possible that Satoshi Nakamoto was not inspired by Dai\u2019s idea at all. Dai himself believes that Bitcoin\u2019s inventor came up with the idea independently. <\/p>\n

Shortly before publishing the Bitcoin white paper, Hashcash inventor Dr. Adam Back directed<\/a> Satoshi Nakamoto to Dai\u2019s work, making Dai one of few people Bitcoin\u2019s inventor personally reached out to before publishing his white paper. But Dai did not respond to Satoshi\u2019s email. In retrospect, he wished he had. Unsurprisingly, Dai questions Bitcoin\u2019s coin generation model.<\/p>\n

\u201cI would consider Bitcoin to have failed with regard to its monetary policy (because the policy causes high price volatility which imposes a heavy cost on its users, who have to either take undesirable risks or engage in costly hedging in order to use the currency),\u201d he wrote<\/a> on LessWrong. \u201c[O]ne possible impact of Bitcoin might be that due to its deficient monetary policy and associated price volatility it can’t grow to very large scales, and by taking over the cryptocurrency niche, it has precluded a future where a cryptocurrency does grow to very large scales.\u201d<\/p>\n

He added, \u201cThis may have been partially my fault because when Satoshi wrote to me asking for comments on his draft paper, I never got back to him. Otherwise perhaps I could have dissuaded him (or them) from the \u2018fixed supply of money\u2019 idea.\u201d<\/p>\n

Author’s note: After finishing this article, it was pointed out that the first version of Nick Szabo’s Bit Gold<\/a> goes back to early 1998. Even more similar to Satoshi Nakamoto’s invention than b-money, it’s probably more accurate to consider Bit Gold “Bitcoin’s first draft”.<\/em><\/p>\n

This is the third installment in Bitcoin Magazine\u2019s The Genesis Files series. The first two articles covered Dr. David Chaum\u2019s eCash<\/a> and Dr. Adam Back\u2019s Hashcash<\/a>. For more from Wei Dai, visit weidai.com<\/a>.<\/em><\/p>\n","protected":false},"excerpt":{"rendered":"

“Efficient cooperation requires a medium of exchange (money) and a way to enforce contracts,\u201d Dai explained when he introduced b-money in November of 1998.<\/p>\n","protected":false},"author":2509,"featured_media":21944,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[889],"class_list":{"0":"post-21943","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-genesis"},"author_data":{"id":2509,"name":"Aaron van Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/the-genesis-files-if-bitcoin-had-a-first-draft.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/21943","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=21943"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/21943\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/21944"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=21943"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=21943"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=21943"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}