{"id":22005,"date":"2018-06-04T13:05:23","date_gmt":"2018-06-04T13:05:23","guid":{"rendered":"http:\/\/ci027cfe7a20032697"},"modified":"2018-06-04T13:05:23","modified_gmt":"2018-06-04T13:05:23","slug":"genesis-files-hashcash-or-how-adam-back-designed-bitcoins-motor-block","status":"publish","type":"post","link":"https:\/\/bitcoinmagazine.com\/technical\/genesis-files-hashcash-or-how-adam-back-designed-bitcoins-motor-block","title":{"rendered":"The Genesis Files: Hashcash or How Adam Back Designed Bitcoin\u2019s Motor Block"},"content":{"rendered":"<div id=\"bsf_rt_marker\"><\/div><figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/the-genesis-files-hashcash-or-how-adam-back-designed-bitcoins-motor-block.jpg\" title=\"\"><\/figure>\n<blockquote>\n<p><em>[ANNOUNCE] hash cash postage implementation<\/em><\/p>\n<\/blockquote>\n<p>The date is March 28, 1997, when the 2,000-or-so subscribers of the Cypherpunks mailing list receive an <a href=\"https:\/\/cypherpunks.venona.com\/date\/1997\/03\/msg00774.html\" target=\"_blank\" rel=\"noopener\">email<\/a> with the above header in their inbox. The sender is a 26-year-old British postdoc at the University of Exeter, a young cryptographer and prolific contributor to the mailing list named Dr. Adam Back. 
The email includes a description and early implementation of what he describes as a \u201cpartial hash collision based postage scheme\u201d \u2014 a sort of stamp equivalent for emails, based on a nifty cryptographic trick.<\/p>\n<p>\u201cThe idea of using partial hashes is that they can be made arbitrarily expensive to compute,\u201d wrote Back, explaining the advantage of his system, \u201cand yet can be verified instantly.\u201d<\/p>\n<p>This proposal by the cryptographer who would go on to become the current <a href=\"https:\/\/blockstream.com\/\" target=\"_blank\" rel=\"noopener\">Blockstream<\/a> CEO did not immediately garner much attention on the email list; just one reader <a href=\"https:\/\/cypherpunks.venona.com\/date\/1997\/03\/msg00776.html\" target=\"_blank\" rel=\"noopener\">responded<\/a>, with a technical inquiry about the hashing algorithm of choice. Yet, the technology underlying Hashcash \u2014 <em>proof of work<\/em> \u2014 would shape research into digital money for more than a decade to come.<\/p>\n<h2>\u201cPricing via Processing or Combatting Junk Mail\u201d<\/h2>\n<p>Back\u2019s Hashcash was actually not the first solution of its kind.<\/p>\n<p>By the early 1990s, the promise of the internet, and the advantages of an electronic mailing system in particular, had become obvious to techies paying attention. Still, internet pioneers of the day came to realize that email, as this electronic mailing system was called, presented its own challenges.<\/p>\n<p>\u201cIn particular, the easy and low cost of sending electronic mail, and in particular the simplicity of sending the same message to many parties, all but invite abuse,\u201d IBM researchers Dr. Cynthia Dwork and Dr. 
Moni Naor explained in their 1992 white paper bearing the name \u201c<a href=\"http:\/\/www.wisdom.weizmann.ac.il\/~naor\/PAPERS\/pvp.pdf\" target=\"_blank\" rel=\"noopener\">Pricing via Processing or Combatting Junk Mail<\/a>.\u201d<\/p>\n<p>Indeed, as email rose in popularity, so did spam.<\/p>\n<p>A solution was needed, early internet users agreed \u2014 and a solution is what Dwork and Naor\u2019s paper offered.<\/p>\n<p>The duo proposed a system where senders would have to attach some data to any email they send. This data would be the solution to a math problem, unique to the email in question. Specifically, Dwork and Naor proposed three candidate puzzles that could be used for the purpose, all based on public-key cryptography and signature schemes.<\/p>\n<p>Adding a solution to an email wouldn\u2019t be too difficult, ideally requiring only a couple of seconds of processing time from a regular computer, while its validity could easily be checked by the recipient. But, and this is the trick, even a trivial amount of processing power per email adds up for advertisers, scammers and hackers trying to send thousands or even millions of messages at once. Spamming, so the theory went, could be made expensive and, therefore, unprofitable.<\/p>\n<p>\u201cThe main idea is to require a user to compute a moderately hard, but not intractable, function in order to gain access to the resource, thus preventing frivolous use,\u201d Dwork and Naor explained.<\/p>\n<p>While Dwork and Naor did not propose the term, the type of solution they introduced would become known as a \u201cproof of work\u201d system. Users would have to literally show that their computer performed work, to prove that they spent real-world resources.<\/p>\n<p>A nifty solution, but perhaps too far ahead of its time. 
The proposal never made it very far beyond a relatively small circle of computer scientists.<\/p>\n<h2>Adam Back and the Cypherpunks<\/h2>\n<p>Around the same time that Dwork and Naor published their white paper, a group of privacy activists with a libertarian bent came to recognize the enormous potential of the internet as well. The ideologically driven crowd started to organize through a mailing list centred around privacy-enhancing technologies. Like Dwork and Naor, these \u201cCypherpunks\u201d \u2014 as they would come to be called \u2014 utilized the relatively new science of cryptography to work toward their goals.<\/p>\n<p>Over the years, Adam Back \u2014 who earned his Ph.D. in 1996 \u2014 established himself as one of the more active participants on this list, at times contributing dozens of emails in a single month. Like most Cypherpunks, the cryptographer was passionate about topics including <a href=\"http:\/\/cypherpunks.venona.com\/date\/1997\/03\/msg00586.html\" target=\"_blank\" rel=\"noopener\">privacy<\/a>, <a href=\"https:\/\/cypherpunks.venona.com\/date\/1996\/09\/msg00407.html\" target=\"_blank\" rel=\"noopener\">free speech<\/a> and <a href=\"https:\/\/cypherpunks.venona.com\/date\/1996\/09\/msg01919.html\" target=\"_blank\" rel=\"noopener\">libertarianism<\/a>, and engaged in technical discussions pertaining to <a href=\"https:\/\/cypherpunks.venona.com\/date\/1996\/07\/msg00851.html\" target=\"_blank\" rel=\"noopener\">anonymous remailers<\/a>, <a href=\"https:\/\/cypherpunks.venona.com\/date\/1996\/07\/msg00836.html\" target=\"_blank\" rel=\"noopener\">encrypted file systems<\/a>, <a href=\"https:\/\/cypherpunks.venona.com\/date\/1996\/09\/msg01919.html\" target=\"_blank\" rel=\"noopener\">electronic cash<\/a> as <a href=\"https:\/\/bitcoinmagazine.com\/articles\/genesis-files-how-david-chaums-ecash-spawned-cypherpunk-dream\">introduced<\/a> by Dr. 
David Chaum, and more.<\/p>\n<p>But for a while, Back was perhaps best known for printing and selling \u201cmunition\u201d shirts: T-shirts with an encryption protocol printed on them, intended to help point out the absurd decision by the U.S. government to regulate Phil Zimmermann\u2019s PGP (Pretty Good Privacy) encryption program as \u201cmunitions\u201d within the definition of the U.S. export regulations. Wearing Back\u2019s shirt while crossing the border to exit the United States technically made you a \u201cmunitions exporter.\u201d<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/munitions_tshirtoriginal.jpg\" title=\"\"><\/figure>\n<p>Like many, Back was <a href=\"http:\/\/datwww.mit.edu\/bloom-picayune\/crypto\/2058\" target=\"_blank\" rel=\"noopener\">not aware<\/a> of Dwork and Naor\u2019s proof-of-work proposal. But by the mid-1990s, he was thinking of similar ideas to counter spam, sometimes \u201cout loud\u201d on the Cypherpunks mailing list.<\/p>\n<p>\u201cA side benefit of using PGP, is that PGP encryption should add some overhead to the spammer \u2014 he can probably encrypt less messages per second than he can spam down a T3 link,\u201d Back <a href=\"http:\/\/cypherpunks.venona.com\/date\/1997\/03\/msg00631.html\" target=\"_blank\" rel=\"noopener\">commented<\/a>, for example, in the context of adding more privacy to remailers; an idea somewhat similar to Dwork and Naor\u2019s.<\/p>\n<p>The Cypherpunks mailing list grew significantly in about half a decade. 
What started out as an online discussion platform for a group of people that initially gathered at one of their startups in the Bay Area became a small internet phenomenon with thousands of subscribers \u2014 and often more emails on a single day than anyone could reasonably keep track of.<\/p>\n<p>It was around this time \u2014 1997, close to the list\u2019s peak popularity \u2014 that Back submitted his Hashcash proposal.<\/p>\n<h2>Hashcash<\/h2>\n<p>Hashcash is similar to Dwork and Naor\u2019s anti-spam proposal and has the same purpose, though Back proposed some additional use cases like countering anonymous remailer abuse. But as the name suggests, Hashcash was not based on cryptographic puzzles like Dwork and Naor\u2019s; it was based on hashing.<\/p>\n<p>Hashing is a cryptographic trick that takes any data \u2014 whether it\u2019s a single letter or an entire book \u2014 and turns it into a seemingly random number of predetermined length.<\/p>\n<p>For example, a SHA-256 hash of the sentence <em>This is a sentence<\/em> produces this hexadecimal number:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/screen_shot_2018-06-04_at_90643_amoriginal-1.png\" title=\"\"><\/figure>\n<p>Which can be \u201ctranslated\u201d to the regular decimal number:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/screen_shot_2018-06-04_at_85503_amoriginal.png\" title=\"\"><\/figure>\n<p>Or to binary:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/screen_shot_2018-06-04_at_85516_amoriginal.png\" title=\"\"><\/figure>\n<p>Meanwhile, a SHA-256 hash of the sentence <em>This, is a sentence<\/em> produces this hexadecimal number:<\/p>\n<figure><img decoding=\"async\" src=\"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/screen_shot_2018-06-04_at_90815_amoriginal.png\" title=\"\"><\/figure>\n<p>As you can 
see, merely inserting one comma into the sentence completely changes the hash. And, importantly, what the hash of either sentence would be was completely unpredictable; even after the first sentence was hashed, there was no way to calculate the second hash from it. The only way to find out was to actually hash both sentences.<\/p>\n<p>Hashcash applies this mathematical trick in a clever way.<\/p>\n<p>With Hashcash, the metadata of an email (the \u201cfrom\u201d address, the \u201cto\u201d address, the time, etc.) is formalized as a protocol. Additionally, the sender of an email must add a random number to this metadata: a \u201cnonce.\u201d All this metadata, including the nonce, is then hashed, so the resulting hash looks a bit like one of the random numbers above.<\/p>\n<p>Here\u2019s the trick: not every hash is considered \u201cvalid.\u201d Instead, the binary version of the hash must start with a predetermined number of zeroes. For example: 20 zeroes. The sender can generate a hash that starts with 20 zeroes by including a nonce that randomly adds up correctly \u2026 but the sender can\u2019t know in advance what that nonce will look like.<\/p>\n<p>To generate a valid hash, therefore, the sender has only one option: trial and error (\u201cbrute force\u201d). He must keep trying different nonces until he finds a valid combination; otherwise, his email will be rejected by the intended recipient\u2019s email client. Like Dwork and Naor\u2019s solution, this requires computational resources: it\u2019s a proof-of-work system.<\/p>\n<p>\u201c[I]f it hasn\u2019t got a 20 bit hash [\u2026] you have a program which bounces it with a notice explaining the required postage, and where to obtain software from,\u201d Back explained on the Cypherpunks mailing list. 
\u201cThis would put spammers out of business overnight, as 1,000,000 x 20 = 100 MIP years which is going to be more compute than they&#8217;ve got.\u201d<\/p>\n<p>Notably, Back\u2019s proof-of-work system is more random than Dwork and Naor\u2019s. The duo\u2019s solution required solving a puzzle, meaning that a faster computer would solve it faster than a slow computer every time. But statistically, Hashcash would still allow for the slower computer to find a correct solution faster some of the time.<\/p>\n<p>(By analogy, if one person runs faster than another person, the former will win a sprint between them every time. But if one person buys more lottery tickets than another person, the latter will statistically still win some of the time \u2014 just not as often.)<\/p>\n<h2>Digital Scarcity<\/h2>\n<p>Like Dwork and Naor\u2019s proposal, Hashcash \u2014 which Back would elaborate on in a <a href=\"http:\/\/www.hashcash.org\/papers\/hashcash.pdf\" target=\"_blank\" rel=\"noopener\">white paper<\/a> in 2002 \u2014 never took off in a very big way. It was implemented in Apache\u2019s open-source SpamAssassin platform, and Microsoft gave the proof-of-work idea a spin in the incompatible \u201cemail postmark\u201d format. And Back, as well as other academics, came up with various alternative applications for the solution over the years, but most of these never gained much traction. For most potential applications, the lack of any network effect was probably too big to overcome.<\/p>\n<p>Nevertheless, Dwork and Naor as well as Back (independently) did introduce something new. Where one of the most powerful features of digital products is the ease with which they can be copied, proof of work was essentially the first concept akin to virtual scarcity that didn\u2019t rely on a central party: it tied digital data to the real-world, limited resource of computing power.<\/p>\n<p>And scarcity, of course, is a prerequisite for money. 
Indeed, Back in particular explicitly placed Hashcash in the category of money throughout his Cypherpunks mailing list contributions and white paper, comparing it to the only digital cash the world had seen at that point in time: DigiCash\u2019s Ecash by Chaum.<\/p>\n<p>\u201cHashcash may provide a stop gap measure until digicash becomes more widely used,\u201d Back argued on the mailing list. \u201cHashcash is free, all you\u2019ve got to do is burn some cycles on your PC. It is in keeping with net culture of free discourse, where the financially challenged can duke it out with millionaires, retired government officials, etc on equal terms. [And] Hashcash may provide us with a fall back method for controling [sic] spam if digicash goes sour (gets outlawed or required to escrow user identities).\u201d<\/p>\n<p>Despite the name, however, Hashcash couldn\u2019t properly function as a full-fledged cash in itself (nor could Dwork and Naor\u2019s proposal). Perhaps most importantly, any \u201creceived\u201d proof of work is useless to the recipient. Unlike money, it could not be re-spent elsewhere. On top of that, as computers increased in speed every year, they could produce more and more proofs over time at lower cost: Hashcash would have been subject to (hyper)inflation.<\/p>\n<p>What proof of work did offer, more than anything else, was a new basis for research in the digital-money realm. Several of the most notable digital-money proposals that followed built on Hashcash, typically by allowing the proofs of work to be reused. (With Hal Finney\u2019s Reusable Proof of Work \u2014 RPOW \u2014 as the most obvious example.)<\/p>\n<h2>Bitcoin<\/h2>\n<p>Ultimately, of course, proof of work became a cornerstone for Bitcoin, with Hashcash as one of the few citations in the Bitcoin white paper.<\/p>\n<p>Yet, in Bitcoin, Hashcash (or, rather, a version of it) is utilized very differently than many would have guessed beforehand. 
Unlike Hashcash and other Hashcash-based proposals, the scarcity it provides is not itself used as money at all. Instead, Hashcash enables a race. Whichever miner is the first to produce a valid proof of work \u2014 a hash of a Bitcoin block \u2014 gets to decide which transactions go through. At least in theory, anyone can compete equally: much like a lottery, even small miners would statistically be the first to produce a valid proof of work every so often.<\/p>\n<p>Further, once a new block is mined, confirming a set of transactions, these transactions are unlikely to be reversed. An attacker would have to prove at least as much work as required to find the block in the first place, adding up for every additional block that is found, which under normal circumstances becomes exponentially harder over time. The real-world resources that must be spent in order to cheat typically outweigh the potential profit that can be made by cheating, giving recipients of Bitcoin transactions confidence that these transactions are final.<\/p>\n<p>This is how, in Bitcoin, Hashcash killed two birds with one stone. It solved the <a href=\"https:\/\/en.wikipedia.org\/wiki\/Double-spending\" target=\"_blank\" rel=\"noopener\">double-spending problem<\/a> in a decentralized way, while providing a trick to get new coins into circulation with no centralized issuer.<\/p>\n<p>Hashcash did not realize the first electronic cash system \u2014 Ecash takes that crown, and proof-of-work could not really function as money. But a <em>decentralized<\/em> electronic cash system might well have been impossible without it.<\/p>\n<p><em>This is the second instalment in Bitcoin Magazine&#8217;s The Genesis Files series. The first article covered Dr. 
David Chaum&#8217;s <a href=\"https:\/\/bitcoinmagazine.com\/articles\/genesis-files-how-david-chaums-ecash-spawned-cypherpunk-dream\">eCash<\/a><\/em><\/p>\n","protected":false},"excerpt":{"rendered":"<p>A look at how the technology underlying Hashcash \u2014 proof of work \u2014 would shape research into digital money for more than a decade to come.<\/p>\n","protected":false},"author":2509,"featured_media":22008,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[35],"tags":[118,889,1884,1219],"class_list":{"0":"post-22005","1":"post","2":"type-post","3":"status-publish","4":"format-standard","5":"has-post-thumbnail","7":"category-technical","8":"tag-adam-back","9":"tag-genesis","10":"tag-hashcash","11":"tag-proof-of-work"},"author_data":{"id":2509,"name":"Aaron van Wirdum","nicename":"aaron-van-wirdum","avatar_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/12\/aaron-van-wirdum-96x96.jpg"},"featured_image_url":"https:\/\/bitcoinmagazine.com\/wp-content\/uploads\/2024\/11\/the-genesis-files-hashcash-or-how-adam-back-designed-bitcoins-motor-block.jpg","_links":{"self":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/22005","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/users\/2509"}],"replies":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/comments?post=22005"}],"version-history":[{"count":0,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/posts\/22005\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media\/22008"}],"wp:attachment":[{"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/media?parent=22005"}],"wp:term":[{"taxonomy"
:"category","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/categories?post=22005"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/bitcoinmagazine.com\/wp-json\/wp\/v2\/tags?post=22005"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}