Authors: Nathaniel Popper
The Extropians and Cypherpunks were working on several different experiments that could help empower individuals against traditional sources of authority. But money was, from the beginning, at the center of their efforts to reimagine the future.
Money is to any market economy what water, fire, or blood is to the human ecosystem—a basic substance needed for everything else to work. For programmers, existing currencies, which were valid only within particular national borders and subject to technologically incompetent banks, seemed unnecessarily constrained. The science fiction that Hal and others had grown up on almost always featured some kind of universal money that could span galaxies—in Star Wars it was the galactic credit standard; in the Night's Dawn trilogy it was Jovian credit.
Beyond these more fanciful ambitions, the existing financial system was viewed by the Cypherpunks as one of the biggest threats to individual privacy. Few types of information reveal as much about a person like Alice, the cryptographers' favorite, as her financial transactions. If snoopers get access to her credit card statements they can follow her movements over the course of a day. It's no accident that financial records are one of the primary ways that fugitives are tracked down. Eric Hughes's Cypherpunk Manifesto had dwelled on this problem at great length: “When my identity is revealed by the underlying mechanism of the transaction, I have no privacy. I cannot here selectively reveal myself; I must always reveal myself,” Hughes wrote.
“Privacy in an open society requires anonymous transaction systems,” he added.
Cold, hard cash had long provided an anonymous way of making payments, but this cash did not make the transition over to the digital realm. As soon as money became digital, some third party, such as a bank, was always involved and therefore able to trace the transaction. What Hal, Chaum, and the Cypherpunks wanted was a cash for the digital age that could be secure and uncounterfeitable without sacrificing the privacy of its users. The same year as Hughes's manifesto, Hal wrote an e-mail to the group imagining a kind of digital cash for which “no records are kept of where I spend my money. All the bank knows is how much I have withdrawn each month.”
A month later, Hal even came up with a cheeky moniker for it: “I thought of a new name today for digital cash: CRASH, taken from CRypto cASH.”
Chaum himself had already come up with his own version of this by the time the Cypherpunks got interested. Working out of an institute in Amsterdam, he had created DigiCash, an online money that could be spent anywhere in the world without requiring users to hand over any personal information. The system harnessed public-key cryptography to allow for what Chaum called blind digital signatures, which allowed people to sign off on transactions without providing any identifying information. When Mark Twain Bank in the United States began experimenting with DigiCash, Hal signed up for an account.
But Chaum's effort would rub Hal and others the wrong way. With DigiCash, a central organization, namely Chaum's company, needed to confirm every digital signature. This meant that a certain degree of trust needed to be placed in that central organization not to tinker with balances or go out of business. Indeed, when Chaum's company went bankrupt in 1998, DigiCash went down with it. These concerns pushed Hal and others to work toward a digital cash that wouldn't rely on any central institution. The problem, of course, was that someone needed to check that people weren't simply copying and pasting their digital money and spending it twice. Some of the Cypherpunks simply gave up on the project, but Hal wasn't one to fold so easily.
Ironically for a person so eager to create new money, Hal's interest wasn't primarily financial. The programs he was writing, like PGP, were explicitly designed to be available to anyone, free. His political distrust of government, meanwhile, was not driven by selfish resentment about paying taxes. During the 1990s Hal would calculate the maximum bill for his tax bracket and send in a check for that amount, so as to avoid the hassle of actually filling out a return. He bought his modest home on the outskirts of Santa Barbara and stuck with it over the years. He didn't seem to mind that he had to work out of his living room or that the blue recliners in front of his desk were wearing thin. Instead of being motivated by self-interest, his work seemed driven by an intellectual curiosity that bubbled over in each e-mail he wrote, and by his sense of what he thought other people deserved.
“The work we are doing here, broadly speaking, is dedicated to this goal of making Big Brother obsolete. It's important work,” Hal would write to his fellow travelers. “If things work out well, we may be able to look back and see that it was the most important work we have ever done.”
1997
The notion of creating a new kind of money would seem, to many, a rather odd and even pointless endeavor. To most modern people, money is always and everywhere bills and coins issued by countries. The right to mint money is one of the defining powers of a nation, even one as small as the Vatican City or Micronesia.
But that is actually a relatively recent state of affairs. Until the Civil War, a majority of the money in circulation in the United States was issued by private banks, creating a crazy patchwork of competing bills that could become worth nothing if the issuing bank went down. Many countries at that time relied on circulating coins from other countries.
This was the continuation of a much longer state of affairs in which humans engaged in a seemingly ceaseless effort to find better forms of money, trying out gold, shells, stone disks, and mulberry bark along the way.
The search for a better form of money has always been about finding a more trustworthy and uniform way of valuing the things around us—a single metric that allows a reliable comparison between the value of a block of wood, an hour of carpentry work, and a painting of a forest.
As sociologist Nigel Dodd put it, good money is “able to convert qualitative differences between things into quantitative differences that enable them to be exchanged.”
The money imagined by the Cypherpunks looked to take the standardizing character of money to its logical extreme, allowing for a universal money that could be spent anywhere, unlike the constrained national currencies we currently carry around and exchange at each border.
In their efforts to design a new currency, the Cypherpunks were mindful of the characteristics usually found in successful coinage. Good money has generally been durable (imagine a dollar bill printed on tissue paper), portable (imagine a quarter that weighed twenty pounds), divisible (imagine if we had only hundred-dollar bills and no coins), uniform (imagine if all dollar bills looked different), and scarce (imagine bills that could be copied by anyone).
But beyond all these qualities, money always required something much less tangible and that was the faith of the people using it. If a farmer is going to accept a dollar bill for his hard-earned crops, he has to believe that the dollar, even if it is only a green piece of paper, will be worth something in the future. The essential quality of successful money, through time, was not who issued it—or even how portable or durable it was—but rather the number of people willing to use it.
In the twentieth century, the dollar served as the global currency in no small part because most people in the world believed that the United States and its financial system had a better chance of surviving than almost anything else. That explains why people sold their local currency to keep their savings in dollars.
Money's relationship to faith has long turned the individuals who are able to create and protect money into quasi-religious figures. The word money comes from the Roman god Juno Moneta, in whose temple coins were minted. In the United States, the governors of the central bank, the Federal Reserve, who are tasked with overseeing the money supply, are treated like oracles of sorts; their pronouncements are scrutinized like the goat entrails of olden days. Fed officials are endowed with a level of power and independence given to almost no other government leaders, and the task of protecting the nation's currency is entrusted to a specially created agency, the Secret Service, that was only later given the additional responsibility of protecting the life of the president.
Perhaps the most famous, if flawed, oracle of the Federal Reserve, former chairman Alan Greenspan, knew that money was something that not only central bankers could create. In a speech in 1996, just as the Cypherpunks were pushing forward with their experiments, Greenspan said that he imagined that the technological revolution could bring back the potential for private money and that it might actually be a good thing:
“We could envisage proposals in the near future for issuers of electronic payment obligations, such as stored-value cards or 'digital cash,' to set up specialized issuing corporations with strong balance sheets and public credit ratings.”
In the years right after Greenspan's speech, there was a flurry of activity in the Cypherpunk world. In 1997 a British researcher named Adam Back released on the Cypherpunk mailing list his plan for something he called hashcash, which solved one of the most basic problems holding back the digital-cash project: the seeming impossibility of creating any sort of digital file that can't be endlessly copied.
To solve this problem, Back had a clever idea, which would later be an important building block for the Bitcoin software. Back's concept made creative use of one of the central cogs of public-key cryptography: cryptographic hash functions. These are math equations that are easy to solve but hard to reverse-engineer, just as it is relatively easy to multiply 2,903 and 3,571 using a piece of paper and pencil, but much, much harder to figure out what two numbers can be multiplied together to get 10,366,613. With hashcash, computers essentially had to figure out which two numbers can be multiplied together to get 10,366,613, though the problems for hashcash were significantly harder than that. So hard, in fact, that all a computer could do was try out lots of different guesses with the aim of eventually finding the right answer. When a computer found the right answer, it would earn hashcash.
The creation of hashcash through this method was useful in the context of digital money because it ensured that hashcash would be scarce—a characteristic of most good money but not of digital files, which are generally easily duplicated. A computer had to perform lots of work to create each new unit of hashcash, earning the process the name “proof-of-work”—something that would later be a central innovation underpinning Bitcoin. The main problem with Back's system, as a type of digital money, was that each hashcash unit could be used only once and everyone in the system needed to create new units whenever they wanted to use any. Another problem was that a person with unlimited computing power could produce more and more hashcash and reduce the overall value of each unit.
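In hashcash, the guessing described above is a search for an input whose hash begins with a run of zero bits: costly to find, checked with a single hash. The sketch below is an added illustration, not code from the book or Back's program; SHA-256, the "resource:nonce" stamp layout, and all names are assumptions (the real hashcash used SHA-1 and a longer stamp format). It shows minting, verification, and why a stamp is good only once.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits

def stamp_hash(resource: str, nonce: int) -> bytes:
    # Simplified stamp layout "resource:nonce" (assumption for this sketch).
    return hashlib.sha256(f"{resource}:{nonce}".encode()).digest()

def mint(resource: str, difficulty: int) -> tuple[int, int]:
    """Try nonces until the hash has `difficulty` leading zero bits.
    Returns (nonce, guesses); about 2**difficulty guesses are expected."""
    for nonce in count():
        if leading_zero_bits(stamp_hash(resource, nonce)) >= difficulty:
            return nonce, nonce + 1

class Verifier:
    """Checks a stamp with one hash and refuses any stamp seen before."""
    def __init__(self, difficulty: int):
        self.difficulty = difficulty
        self.spent: set[tuple[str, int]] = set()

    def accept(self, resource: str, nonce: int) -> str:
        if leading_zero_bits(stamp_hash(resource, nonce)) < self.difficulty:
            return "rejected: not enough work"
        if (resource, nonce) in self.spent:
            return "rejected: already spent"
        self.spent.add((resource, nonce))
        return "accepted"

def demo() -> dict:
    difficulty = 12                  # constructed value: ~4,096 guesses on average
    resource = "alice@example.org"   # constructed label naming who the stamp is for
    nonce, guesses = mint(resource, difficulty)
    # A nonce picked without doing the search: the first one that fails the test.
    lazy = next(n for n in count()
                if leading_zero_bits(stamp_hash(resource, n)) < difficulty)
    verifier = Verifier(difficulty)
    return {
        "guesses": guesses,
        "first_use": verifier.accept(resource, nonce),
        "copy_pasted": verifier.accept(resource, nonce),  # same stamp presented again
        "no_work": verifier.accept(resource, lazy),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```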
A year after Back released his program, two different members of the Cypherpunk list came up with systems that solved some of hashcash's shortcomings, creating digital tokens that required a proof-of-work, but that could also be reused. One of these, a concept called bit gold, was invented by Nick Szabo, a security expert and Cypherpunk who circulated his idea to close collaborators like Hal Finney in 1998, but never actually put it into practice.
Another, known as b-money, came from an American named Wei Dai.
Hal created his own variant, with a decidedly less sexy name: reusable proofs of work, or RPOWs.
The conversation around these ideas on the Cypherpunk list and among related groups sometimes resembled the bickering of rivalrous brothers trying to one-up each other. Szabo would snipe at other proposals, saying that they all relied too much on specialized computer hardware instead of software. But these men—and they were all men—also built up deep respect for each other. And even as their experiments failed, their ambitions grew beyond just anonymous money. Among other things, Back, Szabo, and Finney sought to overcome the costs and frustrations of the current financial system in which banks charged fees with every transaction and made it difficult to move money over international borders.
“What we want is fully anonymous, ultra low transaction cost, transferable units of exchange. If we get that going (and obviously there are some people trying DigiCash, and a couple of others), the banks will become the obsolete dinosaurs they deserve to become,” Back told the Cypherpunk list soon after releasing hashcash.
The Cypherpunk seekers were given a platonic ideal to shoot for when science fiction writer Neal Stephenson published his book Cryptonomicon in 1999. The novel, which became legendary in hacker circles, imagined a subterranean world that was fueled by a kind of digital gold that allowed people to keep their identities private. The novel included lengthy descriptions of the cryptography that made it all possible.
But the experiments that the Cypherpunks were doing in the real world continued to hit practical hurdles. No one could figure out a way to create money without relying on a central institution that was vulnerable to failure or government oversight. The experiments also suffered from a more fundamental difficulty, which was the issue of getting people to use and value these new digital tokens. By the time Satoshi Nakamoto came onto the scene, history had made many of Bitcoin's most likely fans very jaded. The goal of creating digital money seemed as much of a dream as turning coal into diamonds.
In August 2008 Satoshi emerged out of the mists in an e-mail sent to the creator of hashcash, Adam Back, asking him to look at a short paper describing something called Bitcoin. Back hadn't heard of it or Satoshi, and didn't spend much time on the e-mail, other than to point Satoshi to other Cypherpunk experiments that he might have missed.
Six weeks later, on Halloween, Satoshi sent a more fleshed-out proposal to a specialized, and heavily academic, mailing list focused on cryptography—one of the main successors to the Cypherpunk list, which was defunct. As was typical in this community, Satoshi gave no information about his own identity and background, and no one asked. What mattered was the idea, not the person. In careful, dry language, Satoshi opened with a bold claim to have solved many of the problems that had dogged the long search for the holy grail of universal money.
“I've been working on a new electronic cash system that's fully peer-to-peer, with no trusted third party,” the e-mail began.
The nine-page PDF attached to the e-mail made it clear that Satoshi was deeply versed in all the previous efforts to create a self-sustaining digital money. Satoshi's paper cited Back and Wei Dai, as well as several obscure journals of cryptography. But Satoshi put all these earlier innovations together to create a system that was quite unlike anything that had come before it.
Rather than relying on a central bank or company to issue and keep track of the money—as the existing financial system and Chaum's DigiCash did—this system was set up so that every Bitcoin transaction, and the holdings of every user, would be tracked and recorded by the computers of all the people using the digital money, on a communally maintained database that would come to be known as the blockchain.
The process by which this all happened had many layers, and it would take even experts months to understand how they all worked together. But the basic elements of the system can be sketched out in rough terms, and were in Satoshi's paper, which would become known as the Bitcoin white paper.
According to the paper, each user of the system could have one or more public Bitcoin addresses—sort of like bank account numbers—and a private key for each address. The coins attached to a given address could be spent only by a person with the private key corresponding to the address. The private key was slightly different from a traditional password, which has to be kept by some central authority to check that the user is entering the correct password. In Bitcoin, Satoshi harnessed the wonders of public-key cryptography to make it possible for a user—let's call her Alice again—to sign off on a transaction, and prove she has the private key, without anyone else ever needing to see or know her private key.*
Once Alice signed off on a transaction with her private key she would broadcast it out to all the other computers on the Bitcoin network. Those computers would check that Alice had the coins she was trying to spend. They could do this by consulting the public record of all Bitcoin transactions, which computers on the network kept a copy of. Once the computers confirmed that Alice's address did indeed have the money she was trying to spend, the information about Alice's transaction was recorded in a list of all recent transactions, referred to as a block, on the blockchain.
The exact method used to add blocks to the blockchain was perhaps the most complicated part of the system. At the simplest level, it involved a sort of computational race between all computers on the network, modeled after the contest that Adam Back had invented for hashcash. The computer that won the race was responsible for inscribing the most recent block of transactions onto the blockchain. Equally important, the winner also received a bundle of new Bitcoins—50 Bitcoins when the network actually started operating. This was, indeed, the only way new Bitcoins could be brought into the world. The reward of new coins helped encourage Bitcoin users to set their computers to partake in the communal work of recording transactions.
If there were disagreements about which computer won the lottery, the record of transactions that had already been adopted by the most computers on the network would prevail. If, for example, most of the computers on the network believed Alice won the latest race, but a few computers believed that Bob won the race, the computers that used Bob's record of transactions would be ignored by other computers on the network until they joined the majority. This democratic method of decision making was valuable because it prevented a few bad computers from going rogue and assigning themselves lots of new Bitcoins; rogue elements would have to capture a majority of the computers on the network to do this.
Alterations to the Bitcoin software, which would run on the computer of every user, would also be decided by means of this democratic model. Any user could make a change to the open source Bitcoin software, but the changes would generally be effective only when a majority of the computers on the network adopted the altered version of the software. If a lone computer began running a different version of the Bitcoin software it would essentially be ignored by the other computers and would no longer be part of the Bitcoin network.