The problem at hand

The first crypto currency based upon a block chain was Bitcoin, invented by a mysterious entity or person who called itself Satoshi Nakamoto, in the beginning of the year 2009.  We will pretend that it is a person, and call him Satoshi.  It might have been a person, in fact.  Some people claim it is the NSA.  Or for that matter, it might be the government of Monaco.

Depending on the viewpoint, the problem that Satoshi tried to solve, was a long-standing one: "electronic money", or was a totally new concept of interaction: "distributed trust-less consensus".  When reading Satoshi's writings, one is inclined to think that his goal was electronic money, and his tool was distributed trust-less consensus, but in doing so, the tool was in fact much more profound than the goal.  But for the moment, we will think about electronic money.

What is money ?

This is a very complicated subject, first considered by Aristotles and depending on the economic school one adheres, the definition of money is different.   Grossly, there are two "schools": money is a debt and money is a commodity.

The classical economic view on the origin of money is a story that has historically never been verified, but it is the standard story, it has a sound logic, and it goes as follows:  direct trade is a pain.  If I want to trade 10 apples I have for the pair of shoes that you want to sell, chances are that you're not interested in apples, but in oranges.  So I would have to find a third person who wants to exchange his oranges for my apples.  I first exchange my apples for his oranges.  Now I have oranges, and I can exchange them for your shoes.  But if the guy with the oranges is only interested in bananas, I first have to find someone who wants to exchange my apples against bananas.  Then I go with those bananas to the guy who wants to exchange oranges against bananas.  And then I can go to you, with the oranges.  Phew !  

However, everybody needs nails, to hammer things in the house or in the garden.  So even you would like to trade shoes for nails, they are handy.  Everybody is prepared to trade his goods and services for nails, and the more people know that other people will accept them, the more they are willing to accept nails themselves.   So the trick is that just anybody who needs apples, can trade them with me for nails, and I will accept nails, because I know that everybody likes nails.  Hurray, we invented nail-money.  Originally, we traded apples for nails because we had some use for nails.  In the end, we traded apples for nails because we knew other people were ready to accept them.  Nails transformed themselves from a generally useful commodity (which was the original reason to accept the trade for nails) into a monetary asset (which was the ultimate reason to accept them).

Note that in doing so, the demand for nails increased.  In the beginning, the demand for nails was just the demand for the use of nails, to hammer stuff.  In the end, the demand for nails was its use, plus the use as money.  Although many people were initially interested in nails to use them (which is why nails were a commodity that could serve as universal means of exchange in the first place: most people had some use for nails) just as they had interest in bread, milk and wood, in the end there was an extra interest in nails as a means of exchange.  This monetary use of the commodity "nails" increased its demand, and hence its price, over its original "use" price.

The point is, as David Graeber explains, that there is no historical evidence ever that money got to exist in that way.  In fact, if money were invented to avoid the hurdles of direct trade, we would have starved to death before we would ever have invented money in the first place !

People never bartered directly at large scale, exactly because it is so terribly inefficient.  What happened, was that people exchanged debt. If someone wanted my apples, I would give the apples to them immediately, and they owed me 10 apples. If I needed a pair of shoes, and you had a pair of shoes, you gave them to me, and I owed you a pair of shoes.  In as much as you could trust me that I would pay my debt, having my word for it was sufficient, but in as much as you didn't trust me, we both went to a trusted authority to declare that I owed you a pair of shoes and that this was written down officially.  But I could also clear my own debt towards you by transmitting the promise that I held: instead of the first person owing me 10 apples, I could tell him that now he owed you 10 apples, and that cleared my debt with you. 

Of course, there are two problems with this.  First of all, in as much as you didn't want real apples, you don't really care about a promise to give you apples by someone.  And second, even if you trust me, you don't know if you can trust the guy who promised me that he owed me 10 apples.  The first problem is relatively simple to solve: instead of denominating the debt in different kinds of stuff, we agree upon a "unit of debt": say, an oxen.  10 apples, that's 0.1 oxen, so the guy to whom I gave the apples, owes me 0.1 oxen.  Your pair of shoes is also worth 0.1 oxen (as I could get it for 10 apples...).  So I pass you the promise of 0.1 oxen that I detain from the guy who took my apples, to get your shoes, and yo now have a promise of 0.1 oxen.  No genuine oxen has ever been slaughtered for my apples or your shoes.  It is just a unit of debt.

As long as we are a small group of people, tied to each other, and accountable to each other, that's good enough, but if we don't know if we can trust each other, then such a promise may not do.   This is where "the authority" comes in.  The authority can be the local lord, the king, or the temple: something with power that you're not going to kid.  If you receive a promise from the king, then you surely will accept it, right ?

So the trick is: the guy who wants my apples, first goes to the king (not directly, but to a king's administrator), and promises the king 0.1 oxen, if the king promises him 0.1 oxen.  That seems like a crazy deal.  But it is not.  In as much as I wouldn't accept a promise of 0.1 oxen from a stranger, I surely accept a promise of 0.1 oxen from the king, because I know that you will accept that too.  I can now transmit that promise (from the king) of 0.1 oxen to you and get my shoes.

This promise from the king, denominated in oxen, is a means of exchange that is accepted by everybody, in the same way the nails were supposed to be accepted in the classical economy book story: the promise from the king has become money.

Of course, the king has quickly realized the advantage his trustworthiness can bring him.  First of all, a promise from a citizen will not be worth as much as a promise from the king, so the king can ask more: you'd have to promise the king 0.15 oxen, to get a promise of 0.1 oxen from the king.  Next, the idea is not that the king is ever held accountable for all the promises he issues: they are now money that will circulate, and will never come back to require an oxen from the king.  However, the guy promising 0.15 oxen to the king will be held accountable by the king.

As such, the full worth of all the money that the king brings in circulation will be sheer benefit for the king: seigniorage.   The entity that can issue money gets the full value of the money in goods and services (minus the cost of issuing the money).

The operation being so lucrative, the king may become scared that others might start issuing their promises too: usually, the king will impose his monopoly of money.  We have fiat money.

The modern monetary systems are in fact still of this form, but with the king replaced by the central bank.  In order to get money from the central bank, commercial banks have to "promise" assets to the central bank.  Commercial banks create money on their accounts against debt declarations of people borrowing from the bank, and these debt declarations can be assets promised to the central bank.

This kind of money is indeed "debt", turned into assets that can be traded, possessed.  It is not the debt that is the asset.  It is the promise.  The debt resulted in the creation of a promise, and that promise is the asset that can be changed hands.  If all debts are honoured. all money is gone.  The amount of money is the amount of still hanging debts and is very variable in such a system.  The "value" in the system is the belief in the fact that all debt will be honoured in the future even though that future is remote .

Now, there is a funny phenomenon going on here, which is similar with "nails as money" and "promises of the king as money".   There is a dichotomy in the reason why we accept this money.   Originally, we accepted the monetary asset because it had "intrinsic value": the nails were useful, and the promise was to be honoured.  And we still like to believe that it is the "intrinsic value" of the money which is what makes us accept it.  But in reality, we accept money because we believe that other people will accept it.   So the actual value of money comes from the belief that others will accept it, but somehow the illusion of its intrinsic value can stabilize that belief.   It is of course totally an illusion, because the market price of money comes mainly from its demand as a means of exchange, and not for its original "use" value.  The price of nails as money is much higher, than was the price of nails if it was just to hammer them into the wood.  But sometimes, this illusion is considered necessary for the monetary system to continue to sustain the belief in it.  This is especially true for a fiat monetary system.

As in such a system, all debt is by the king, or the central bank, the danger is that at a certain point, people will lose trust in whatever it is that they think they should have trust in.  As such, it is much more comfortable to know that the promises by the king (or the central bank) are backed by something of commercial value.  Oxen, for instance.   In order to "give power" to the promises issued by the king, he can declare them exchangeable at any moment.  In other words, the king declares that he will keep his promises.  Duh !

If the king has 1000 oxen, then there's no problem believing that he can honour his promises of in total 200 oxen in debt in circulation.  But the dirty secret is of course that the king has promised 10 000 oxen !  As long as people trust the king's promises in general, then even if someone wants to keep the king accountable for some promises he has, the king will be able to do so.  As long as only less than 10% of the people holding money will hold the king accountable at any moment, it looks like the king can honour all his debts.  But if ever the doubt installs about the backing of the money, and people get worried, more than 10% might want to exchange their king's promises in actual oxen.   The king will not be able to honour all his promises, and some people will not be able to get real oxen for the king's promises: a bank run !  Usually, a bank run results in a total loss of confidence in the issued promises.

The risk of a bank run comes from the cupidity of the king to issue more promises than he can honour, while still claiming he can honour them.  This is called fractional banking

A bank run is a very strange phenomenon if one thinks about it.  In the morning, everybody is still accepting the king's promises as a value, and one is ready to provide goods and services to its tender, because everybody is believing that everybody is believing that the king's promises are money.  Whether the king can honour them or not shouldn't matter, these promises run in circles.  And in the afternoon, because now it is obvious what everybody knew, the king can't honour his promises, the belief is gone, and nobody is willing to provide services or goods to tender any more.

This leads to the other view of "honest" money: there shouldn't be any fractional banking: if you promise 1000 oxen, you should be able to show 1000 oxen.  Instead of trading promises, we could trade the oxen directly, then we don't need any "authority" in which we have to have trust that it will honour its debt.  We have the oxen already !

The backing of promises by kings, banks and temples usually wasn't in oxen, but in precious objects.  Precious stones, and precious metals. like gold and silver.  As such, precious metals became very often the "true" value behind the kings promises.    A king's promise is good, but a king's gold is better !  And if we have his gold, we don't need the king any more !  Especially if we aren't sure that the king will win the war.

So, yes, precious metals did form money too.  It is a different kind of money and there are no debts involved, and no trust needed.  Gold is gold.  Gold is worth a lot.   But why is gold worth a lot ?  True, gold is a nice, shiny metal out of which one can make beautiful jewels.  And yes, gold has some technological applications.  But the price of gold comes not so much from its value for use in jewels and technology.  Most of the price of gold comes from the huge demand as a store of value !  People are willing to pay a high price for gold, because they think that most people are willing to pay a high price for gold, and there's a high demand for gold exactly because of that.  The value of gold is just as much a belief than was the belief in the untenable promises by the king !

Well, not entirely.  Even if the belief in the value of gold were gone, it would still have a price: the price set by offer and demand, where the demand is to make jewels and technology use of gold.  But that price is much, much lower than the "monetary" price of gold which is set by the demand for gold to be used as money (as a store of value).  The monetary value of gold is the same as the monetary value of nails in the other story.

In any case, the value of money is a belief system.

Money has value to you, because you believe that it has value to others.  You accept money in exchange for goods and services, because you believe that others will accept it too, and that you will be able to buy stuff with it.

And that's all there is to it: money has to be a belief system.

However, the exact value of money, even if everybody believes in it, will be set by the law of offer and demand.  The demand for money is determined by two aspects:

  1. its use in trade, that is, one needs money to buy stuff, so one sells stuff to obtain money
  2. its use as store of value "for later"

There is in fact not a fundamental distinction between both, only the time scale of holding between two transactions is different.

The offer of money is vastly different whether one has a debt-based money, or a commodity based money.  In the case of the debt-based money, "producing" money doesn't cost much (just promising), but one is limited by

  1. the privilege of making money, usually the monopoly of the king
  2. one's capacity to make honest promises, or at least one's capacity to make believable promises
  3. the fear of a bank run

You may have a few oxen, but you will be hung if ever you dare to issue king's bank notes.   The more oxen the king has, the more he can afford to put promises of oxen in circulation.  Even if the king has only 1000 oxen, he will issue 10 000, but he will not issue 10 000 000.  Because then it is too obvious that it won't work and he risks a bank run.

In the case of commodity based money, the production capacity of the commodity will determine the offer.  For gold, the mining capacity determines the offer of gold.

Abstractly, hence, and accepting that the belief that something is money has been established, what basic properties should it have ?

  • one should be able to transmit it easily, and when one has transmitted it, one shouldn't have it any more
  • it should be difficult or impossible to produce, like mining gold (although it cannot be impossible to produce in the beginning, of course), or it should be produced against some kind of counter party (say, a debt)
  • once it exists, it should keep on existing like gold (to support the belief in the belief in the belief .... that one will accept it), or be neutralized against something of value (say, the honouring of a debt)
  • it should be divisible in many small units to fit the value of whatever it is one wants to buy or sell and nevertheless practical in large lumps.

Economically, it is often said that a desirable property of a monetary asset is "price stability".  Although that concept is difficult to define in a changing economy, one can intuitively understand that it becomes difficult to use a monetary asset's value is so variable, that when you sell a car in the morning, you can buy a loaf of bread with the amount of money in the evening, and three houses, the next day.   In order for the belief that people will accept it to hold, you will also have to believe that they will accept it against sufficiently stable value.  

There are several theories over how the money supply should be in order to achieve price stability, but the problem with a variable money supply is that if it is a commodity, then there's no simple way to impose the right change in commodity production to achieve price stability, and if money is a debt, then there's no simple way, except for fractional banking, to change the amount of debt converted in money.

In other words, if price stability is to be obtained by playing with the money supply, this cannot be something else than a central planner trying to do so with money that can easily be issued or destroyed.  The general problems with central planners are well-known, but on top of these, there is the issue of seigniorage: if money is easily issued, it has to be a monopoly, and the monopolist will enjoy the seigniorage.

This is why there's a school of thinking, the "sound money doctrine", that says that the problems with central planners and seigniorage are such, that it is better to sacrifice price stability than to buy into central planners, monopolists and their seigniorage: keep the amount of money in circulation (almost) constant.

How to make electronic money ?

There have been several attempts at making electronic money.   Essentially, "electronic money" are going to be tokens that can be transmitted from one owner to another.  All electronic money systems have to solve the following issues:

  • deal with the issue of creation (and eventual destruction) and hence seigniorage
  • deal with the issue of double spending
  • deal with the issue of trust in the system
  • deal with the king's revenge for violating his monopoly

There are other desirable properties of money, such as being fungible, private, etc... but money can exist without them.  However, money cannot exist without these 4 core properties.

There is one form of electronic money that has been working without problems, and that is electronic money in the banking system.

The issue of creation and destruction of electronic money in the banking system is the debt system we have seen earlier: electronic money on a bank account is created against a form of debt.   There is no problem of double spending, because the bank's computers take care of that: if you spend your money in your bank account, the bank's computers will diminish it with the amount spend, which is exactly equal to the amount increased in the bank account of the guy you paid.  You can trust the electronic money system just as well as the paper banking system it replaced: instead of "writing it in the books", you assume that the bank's computer programs do the same.  There's no revenge from the King, because it is still his system.

But if you adhere to anarchistic, libertarian and egalitarian principles, can you make electronic money that is not the electronic version of the king's system ? 

Is it even possible to consider a system consisting only of something electronic, which is not just a book keeping system of "another" monetary system such as that of the king, to be money ?  Where does it value come from ?   As we have seen, a monetary system is a belief system, and the "intrinsic value" of the monetary asset doesn't really matter.  So yes, a purely electronic system of tokens without "intrinsic value" can just as well be the object of a monetary belief system as any other.  The dirty secret is in fact that the American dollar, since 1972, is also a system of tokens without any intrinsic value !

It might even be possible that such a system is in fact more robust against a bank run than the scam of fractional reserve, because one has taken untenable engagements to "give credibility to the monetary system.  When people then realize the fact that the engagements are fake, they can lose faith in the whole system for the wrong reasons.  If you lie to win confidence, then when your lie is discovered, this totally destroys any confidence.  If you don't say anything, then the confidence that builds up cannot be destroyed by the discovery of a non-existent lie.  That is exactly what president Nixon did in 1972: the false promise to exchange dollars against gold "to give credibility to the dollar" was more dangerous than to say that the dollar wasn't convertible in gold or in anything else.

So can one make private electronic money ? There have been several attempts, and they all broke down on one of the issues, and the reason was that they were, what is called, centralized.  In a way, they were imitations of the king's system.   Satoshi set out to find a way to invent electronic money that was not an imitation of the king's system, with a centralized "banker" as trusted, or untrusted, authority.

In fact, one single concept solved the 4 different issues simultaneously: the block chain.  But we will treat these aspects of the block chain differently. 

Double spending

The problem that seems the hardest to solve without a central authority, is the problem of double spending.  If you think of an "electronic coin" as a piece of data, a file, that the owner has, there's no way to stop him from giving this "coin" to three people at once.  Naively, you could think of a central "coin validator" where you can check that this particular coin has been spent: the receiver of the coin contacts the central authority, which invalidates now the old coin, and issues a new one to the new owner.   But without a central authority, how do you check that the coin you just received, has not been given to someone else ?  Data, by definition, can be copied.  How does one "destroy ownership of data" ?  A piece of data can hence never be a money token by itself.

The important insight is that it is not "the coin" that is the important data, but the transaction

A coin is a list of successive transactions, from its point of creation, to the identity of its current owner.

This is entirely different with commodity money or with centralized money accountancy.  With commodity money, we don't need to know its former transactions: the physical possession of the token (say, the piece of gold) is sufficient.   We can "prove" that we are the owner of gold by showing it in our physical possession, and when we "spend" the gold, we don' t have it any more and the new owner now has it.  The law of physics, conservation of matter, is what prevents double spending. The transaction history of a piece of gold is not needed to agree upon who's the current owner.   In a very similar way, a bank keeps the current status of your bank account in its computer's memory.  How it got there may be kept a while for auditing, but its history doesn't matter, as long as the right amount is in your account.

But without this central authority, the thing to do is to look at the list of successive transactions, and to look where that list stops: that's the current owner.  In order for the current owner to spend the coin, he has to add a transaction to the list, from him, to the new owner.  At that point, the former owner is not the end point of a transaction history any more, and hence cannot spend the coin twice, because the new owner is now seen as the new end point of that list.

There can of course be many coins, and hence many lists of successive transactions of coins.  It doesn't matter that they are mixed up.  One can always trace

One can hence replace the central authority by a public list of transactions.  Spending money is equivalent to writing your transaction on that public list.

So this list has not only to be public, but also has to be modifiable by everybody.  But if we make abstraction of the difficulties that might bring, if there's such a list, then the problem of double spending can be seen as solved.  At least, if we make it such that a transaction cannot be erased any more when it has been written to that public list.   Note that the order in the list is extremely important: the transactions, from creation to current ownership, have to be in the right order in the list for them to make sense.

Money creation, destruction and seigniorage

The list of transactions will be finite.  The end points of transactions give the state of current possession of coins, but these lists also have to have starting points, where the coin was created and assigned a first owner.  Nobody will deny a "new kind of money" to need money creation as it has to come from somewhere.  But the nasty thing of money creation is seigniorage: the fact that the first owner of the money will, at first sight, get value for nothing.   If seigniorage is believed to be unfair, then this will totally undermine the belief system that is needed for the tokens to be considered money in the first place.

So the obvious solution to money creation, namely "in the beginning, there was money" owned by the creator of the electronic money system, is never going to work.

If Satoshi would have said: "here are 21 million bitcoin, all mine" in 2009, it would not have worked, because nobody in his right mind would go and bake a pizza for an unknown guy on the internet, just to get some of his self-baked money he just invented.  The obvious seigniorage for the money creator would have been perceived as too big and unfair.   As such, for the monetary system to be believed, there has to be a rule of money creation that has to be perceived as fair.  The best way to make it acceptable, is to make the money creation such that everybody can create money.  But of course, this creation has to be limited in quantity in some way, or the monetary asset will fail: if it is easier to make money than to provide goods and services for it, then nobody will be able to buy goods and services with it.

So there has to be a rule that specifies that everybody can make money, but that the amount of created money is at the same time limited.   This rule is the most delicate and crucial in the belief system of the monetary asset.

The verification of that money creation rule has to be public, so that everybody can agree upon the created money tokens (coins) according to the accepted rule.

Satoshi invented such a rule in bitcoin, but it is not the only possible one, and other crypto currencies have proposed other rules that are just as acceptable.  The rule of money creation in bitcoin is: competitive proof of work.

In bitcoin, there is a fixed rule that tells that there are going to be created so many bitcoins every 10 minutes.  This "so many" started out to be 50 in 2009, and halves about every 4 years.  Towards the end of 2012, it became 25 coins every 10 minutes, and around half 2016 it is 12.5 coins every 10 minutes.  Somewhere in 2020 it will become 6.25 coins per 10 minutes.  As such a power series converges, there will be a finite amount of bitcoin in circulation.  Bitcoin is based on the sound money doctrine.  One can easily invent other rules, that will result in ever growing amounts of money.

Who gets them ?  Again, if it were Satoshi, it wouldn't work.  If it were his nephew, it wouldn't work either.  In fact, there is open competition to get the new bitcoins: the first one that can solve a mathematical cryptographic puzzle will get them.

At first sight, it seems incompatible to say that "every 10 minutes" there will be 50,  25, 12.5, ... coins created, and at the same time say that the fastest one in solving a puzzle will get them.  In fact, the trick is the following: if the puzzles get solved on average faster than every 10 minutes, every 2 weeks, the difficulty will be increased so as to bring it back to 10 minutes.  On the other hand, if the puzzles don't get solved fast enough, the difficulty will be decreased.

If, by reading this, one thinks that one needs a central authority to "decide" upon the difficulty, a kind of "bitcoin difficulty commission" that publishes every two weeks its recommendations for the difficulty of the problem at hand, then the nice thing to know is that this is not needed.  The respect of this rule is verifiable automatically, so one can spot those that do not use the right difficulty, and their "created coins" will simply not be accepted: their creation will not be valid (just as "not solving the mathematical puzzle" will lead to coin creation that is simply not valid).  In fact, in order to accept bitcoins, one has to verify not only that the owner offering them to you is "the last one on a transaction list", but also that the origin of the coins was according to the creation rules of bitcoin.

At first sight, the open competition solves the perceived unfairness of seigniorage, as the competition is open.  In fact, in the case of proof of work, one may even say that there is almost no seigniorage.  Suppose that we are in the period when every 10 minutes, there are 25 new bitcoins to win.  It is profitable to increase the means of computation put into the competition up to the point where the cost of the investment in the competition is larger than the value of 25 bitcoins.   There's no point in spending resources on computing equipment and electricity that's worth more than 25 bitcoins, to obtain 25 bitcoins, right ?

So apart from a small margin, one may think that all the seigniorage is spend/wasted in the competition for obtaining the new coins.

This is of course not entirely true, especially not for the beginning of bitcoin.  The fact that only a few persons knew about it makes that the competition in the beginning was not very fierce, and moreover, this was the period when the coin creation was the highest.  On top of that, the value of bitcoin was very low, so the incentive to mine, and hence the competitive cost, was very low.

As such, the first movers in bitcoin did enjoy a huge amount of seigniorage ; Satoshi himself is thought to possess between 500000 and 1.5 million bitcoin, which makes him possess a few percent of the final amount of coins.

But whether the seigniorage is actually "fair" or not doesn't matter ; what does matter is that any perceived unfairness doesn't kill the belief in the money system.  With bitcoin, this actually seems to be the case.

In the bitcoin system proposed by Satoshi, there is no rule specifying destruction of bitcoins.  Bitcoins are supposed to be eternal, as goes with the sound money doctrine.  However, bitcoins can be cryptographically destroyed, at will, or by accident, by their last owner.

However, nothing stops a crypto currency from specifying rules that destroy coins.  But bitcoin is not one of them.

In the same way as the receiver of crypto currency coins has to verify both the valid creation, and the transaction list before accepting a payment, in that case the receiver should also verify whether the coin is not destroyed if such rule exists.

Trust in the system

Trust in the system is not the same as the belief in the monetary value.  You may have a strong belief in the monetary value of the US dollar, but you may be suspicious that your bank is cheating.  The fact that the bank is cheating with the accounts has nothing to do with your belief in the US dollar as a monetary asset.  Of course, from a certain point of distrust in banks, you will start doubting in the monetary value itself, be it because all the means of transaction become doubtful, and even if you have "honest dollars in a bank account", nobody will believe that they are "genuine" if all banks are suspicious.

Trust in a crypto currency is similar.  There is on one side, the belief that the crypto currency is a monetary asset.  That is the fundamental belief of every monetary system, from gold, promises of the king and dollars to bitcoin.  But one also has to have faith in the "workings of the system".  That's a different issue.

In as much as the monetary system is the king's money, one can count on the muscle of the king, the whole legal system and the police to have trust in the actors of the financial system to abide by the law.  If you have a bank account in an officially installed bank, you do not really have to have fears that the banker will change the contents of your account in a random way, will suddenly assign it to someone else, or the like, and when it happens by mistake, there are procedures to try to get things right again.  In other words, you can use the normal banking system, and you can trust it for working more or less by the rules (the law in this case), because the banker can end up in jail if he doesn't.

But in an anarchist, worldwide, distributed system, this is not possible, and in fact, not desired at all.  But without the fear of the judge, how can one build a system in which people can have trust if it is perfectly egalitarian without any privileges and authority ?  The answer lies in a system which doesn't need any trust, because everything can be verified by everybody.    If there can be proof, there doesn't need to be faith.    But what needs to be proven ?  There are essentially four core elements that need to be proven in order to accept a crypto coin:

  1. that there is a correct list of transactions, linking the origin of the coin to the current owner of the coin
  2. that the coin was created according to the rules
  3. that there has never been a transaction of that coin by the claimed current owner or by a previous owner to someone else, as not shown in 1 (that the current owner is still the owner)
  4. that the one claiming to be the owner is really the current owner

Points 1 and 4 are cryptographically provable.  There's no doubt to be had.  The rules laid out in the beginning by which the coin is "working" specify explicitly how that should be verified, and in fact, in as much as the cryptographic techniques used are safe, given a list of transactions, starting from a coin creation, it is easy to verify (and impossible to fake) any list of transactions leading to the current owner.  The owner can easily prove that he's the owner.

The hard parts are 2 and 3.   Indeed, in as much as existing lists can be verified, the absence of elements is much harder to prove.  In fact, one cannot prove them.  In order to prove the correct creation of a coin, it is easy to verify that the mathematical puzzle was correctly solved.  However, it is impossible to prove that nobody else solved the puzzle faster !  It is also impossible to prove that, along the correct list of transactions, there haven't been transactions that aren't part of the list.  It is impossible to prove that the current owner didn't already make a transaction, before he showed you the list of transactions, that didn't contain that last transaction.

It is impossible to prove, but it is possible to find consensus, if all the data are public.  This was the hardest part to solve: how can we:

  1. reach consensus
  2. prove consensus

Remember that the consensus is about what has NOT been done: there hasn't been a faster winner in the coin creation contest, and there haven't been published transactions outside of the consensus list of transactions. 

The proposed solution to reach this consensus is to build a growing list of coin creation winners and transactions, in such a way, that this list becomes essentially unalterable of what is in the past.  It is a list that can only be appended.  If it isn't in the list, then the consensus is that it didn't exist. 

There isn't really a cryptographic technique that allows one to build a magic list that cannot be altered but only appended, but there is something that comes close: the block chain.  In fact, it is difficult, but not impossible, to alter the head of a block chain.  But the more one goes "down" in the past of the block chain, the harder it becomes to alter it, and from a certain point onward, one has to conclude that it is "graved in stone forever".  This is where "consensus" is reached.

It is of course of utmost importance that this list, this block chain, is publicly available in many copies.

And now comes the brilliant part: the cryptographic puzzle to be solved in order to obtain new coins allows at the same time to add a block of data to the list.  It is in fact the only way to add a block of data to the list: to solve the cryptographic puzzle.  When a block of data has been added to the list, this automatically changes the mathematical puzzle for the next block.   At the same time, competitors have been working on a "parallel block".  Once you, as a winner, publish your block, your competitors who are late, have a choice: they can continue to solve the old puzzle, but then they'd have to replace your block.   Or they can throw their efforts in the dust bin, and start immediately on the new puzzle following your block.  In the first case, they will publish their parallel block late.  If in the mean time, another competitor has found the solution to the next puzzle after yours, has added their block, our stubborn losers will now run two blocks late.  If they continue, they will never ever be able to add a new block to the longest chain, and their efforts are totally wasted.  So at a certain point, they have to accept your victory on this one.   This is how consensus is reached: by accepting victory and working on the next puzzle, or risk to run for ever behind and never include a block in the longest chain.

In the block of data added to the chain are also a big pack of transactions.  The people participating in the contest for adding data blocks to the chain (and win newly created coins) include transactions in the data block they add, because if they do so, they can obtain a small fee for each transaction (paid by the owner who wants to register a transaction), on top of the new coins.  And here comes the trick: the solution to the mathematical puzzle is different if one modifies this list of transactions.  As such, once the puzzle has been solved, and its solution published, one cannot remove a transaction, or add a transaction any more from the data block, or the puzzle would not appear to be correctly solved.  People can verify this, and would reject the validity of a block chain with false puzzles in it.

So if  one wants to alter the list of transactions in a block one has to redo all the puzzle-solving of the relevant block and all the blocks that come after it.

But remember that it was already a hard competition to solve one such puzzle in time.  Redoing all those puzzles in time is next to impossible.

As such, any transaction towards you that is a few blocks "deep" can be considered established, because consensus graved it in stone after a while.

The king's revenge

The king doesn't like competition, and as such, several people trying to invent private digital money have been punished with sometimes harsh jail sentences in the past.  Operating a central private money system is bound to violate many laws in most countries, where these laws are set up to protect the king's monetary monopoly.

However, it is much harder to take down a worldwide peer-to-peer network running free open source software written by an anonymous creator.  In several countries, crypto currencies have been outlawed.  Even though individuals running this software in these countries, if caught, can be severely punished, as there is no single point of failure and no hierarchy to take down, it is very difficult for any law enforcement system to totally kill such a system, lest becoming a tyranny.  The bitcoin network is now sufficiently large and world wide, that it has essentially become impossible to outlaw it in countries that guarantee some minimal personal freedom.

Block chain

Message digests, ownership challenge, and proof of work

Message digests are cryptographic fingerprints of fixed length of a message.   In order to be cryptographically valid, a message digest has to change completely when one single iota of the message is altered, and it should be near impossible to invent a message with a given fingerprint.  As the message digest is of given, finite length, we can interpret it as a natural number, smaller than a given maximum (say, 2128 if the digest is 128 bits).

In other words, if you can verify the message digest, you know for sure that the message hasn't been altered since the creation of that message digest.  Given a message, there are two distinct actions:

  1. digest creation
  2. digest verification

There are three different kinds of message digests, according to who can create and who can verify:

  1. message authentication codes (MAC)
  2. digital signatures
  3. hashes

With message authentication codes, the digest creation is done with a secret key which is shared between the digest creator and the digest receiver who will verify the digest.   The verification is simply done by re-calculating the digest of the received message with the shared secret key, and see whether it results in the same digest as the one that comes with the message.  If it is, the receiver knows that the couple (message,digest) has been created by one of the owners of the shared key.   Clearly, MACS are of no big use in a public crypto currency, as all verification has to be done by everybody, so whatever "secret" key is involved, it should be public knowledge, rendering its "secret" moot.

Digital signatures are such that there is a key pair, a secret key and a public key, such that the message digest is created with the secret key, and can be verified with the public key.  The procedures for producing the signature, and verifying the signature are hence different.  The verification of the signature (which can be done by any one who has the public key, which can be made public) proves that the digest could only be done by the person owning the secret key.  Digital signatures can be used to prove ownership, and to indicate non-repudiation.   As such, digital signatures can also be used as digital challenges.  Digital challenges which can only be taken on by an "owner" but which can be verified by everyone will be extremely important in crypto currencies.  For all practical purposes, a digital challenge is impossible to pass without the secret key.

Finally there are hashes.  Hashes are publicly known algorithms that produce a message digest without any key.   The digest creation and verification are the same: one applies the known algorithm to the message, and out comes the digest.  One can compare a hash function to a MAC with a single, generally known, fixed key attached to it which is part of the algorithm.   The calculation of a hash (the digest of a message by a hash function is called a message hash) doesn't demand much computing resources, but results in a hash which "looks like a random digest".  In order to obtain another hash, one has to change the message.  Hash functions can be used to deliver proof of work.  This goes as follows: a (small) part of the message can be altered.   This part is called a nonce.  By modifying the nonce, the hash will be modified of course, but there's in principle no way to calculate the nonce that will result in a specific hash: one has to try each nonce, and see what hash it gives with the given rest of the message.  As such, imposing that the hash belongs to a subset of the possible hashes is a cryptographic puzzle which requires a probable amount of hashes to be computed with different trial nonces.  The smaller the imposed subset, the higher the difficulty of the puzzle.

A simple subset formulation of hashes is: a hash smaller than a given number.  It doesn't have to be that way of course, but it is an easy way to impose a certain subset with a certain size. 

Indeed, suppose that the hash is a 128-bit digest, so the full set of possible hashes has a size of 2128, and the biggest hash is 2128 - 1.   Now, suppose that one requires the hash to be smaller than 2110.  Then this sub set has a size which is about 218 times smaller than the full set.  If one is drawing randomly in the big set, one has one chance in 218 to be in that subset.  As such, one should on average try 218 different nonces, and calculate 218 hashes, before one starts to have a reasonable chance to find a nonce that results in a hash in the sub set. 

Providing a nonce that results in a hash that is smaller than 2110 is hence a proof of work of about 218 calculated hashes.  But in order to verify it, one only has to calculate one single hash: the hash with the provided nonce in the message.  If the result is indeed smaller than 2110 then indeed, the proof of work is verified.

Bringing it all together: the block chain

The block chain consists of two principles: the block and the chain.  First, the block.

The block consists of a fairly long message, that includes transactions, and a coin creation indication.  A transaction is a correctly taken digital challenge of a previous transaction (or a set of previous transactions), including a new challenge (or new challenges).   The correctly taken challenge is a correct digital signature that proves ownership of the coins ; the new challenge can only be taken by the new owner of the coins, which will use it to sign the next transaction.  With each transaction, there is a fee, that is, a difference between the outgoing amount of coins, and the incoming amount of coins.  That fee is transformed in a digital challenge as specified by the block creator, in other words, this is a fee for the block creator, because he's the only one that will be able to stand up to the challenge.  In the same way, the block creator can specify a digital challenge for the newly created coins in the block.  It is the accepted creation of coins.  The block also contains a nonce.

So, whoever can create a block with transactions in it, will be the provable owner of all the fees of the transactions, and of the newly created coins of the block. 

Where do the transactions come from ?   They come from all the users of the crypto currency.  If you want to transact coins you own (that is, last transactions of which you own the secret key that can take the challenge) to someone else, you ask the public key (or a derivative of it) of the new to be owner, and you broadcast the message that says "I, owner of these coins, from these last transactions, declare them now to be owned by whoever can take the challenge of this public key", together with the proof of passing the challenge of these last transactions, proving that you own their secret key (without revealing it).

People interested in making blocks will capture all these broadcast messages, and include them (to get the fee) in their attempt at making a block.  Once your message gets included in an accepted block, your transaction is "graved in stone" and the new owner can consider the transaction as confirmed.

As long as the transaction message is broadcast, there is a risk that you will broadcast yet another transaction of the same coins (attempt at double spending).  If ever that other transaction gets into a block first, the first transaction will be considered "double" and it cannot be included in another block any more, so the transaction will never be part of the consensus.  However, these chances are small, because a later broadcast will result in less time for the block to be computed containing it, so if a transaction is broadcast, this is already a pretty good indication that the transaction will be accepted.  However, for large amounts, it is safer to wait for it to be included in a block, and even be covered under several blocks.

Next, the chain.

With what is said above, everybody can easily make blocks.  It is sufficient to collect broadcast transactions, right ?  The point is that you should also provide a nonce in that block such that the hash function of a composition of the current block, and all previous blocks, is smaller than a given number, which is called "the difficulty".  This is the competition we talked about earlier.  The first person who can broadcast a block with a nonce in it, that satisfies the required difficulty, will be declared, by consensus, the winner of this block, and the block will then be added to the previous list of blocks.  This list of blocks is the block chain.

So a block chain is a list of blocks, where each block contains a nonce that solves a cryptographic puzzle (usually a hash in a subset) involving itself and all previous blocks.  Nothing more, nothing less.

As such, it is always possible to add a new block to a block chain, by solving a new cryptographic puzzle.  But it becomes harder and harder to modify previous blocks, because one would have to re-solve all the successive puzzles from that point on.

This is why "old transactions" are considered graved in stone.


Given that a monetary system is a belief system, where one accepts money against goods and services, because one believes that others will accept money against goods and services, the only necessity of a monetary system is that it deals with a credible token system, such that tokens can be transmitted from one owner to another, and that the lucrative advantage of being able to issue new tokens, called seigniorage, is socially accepted.

Until 2009, no such system had been established without a central privileged authority, but in that year, a mysterious entity, calling itself Satoshi Nakamoto, has invented a trustless, distributed token system without any central authority.  The cryptographic tool used to do so is called a block chain.  The specific token system Satoshi invented was called bitcoin, but it was the first in a series of similar block chain based crypto currencies.   Of course, whether a token system becomes a monetary system is an open question, but it seems that bitcoin, and several other crypto currencies, have managed to create a monetary belief system.

In fact, bitcoin is more than just a crypto currency.  Many other crypto currencies are more than just a monetary system.  We only highlighted the basic properties of the bitcoin system, to serve as a monetary system, where coins are transmitted from one owner to another.  But in fact, the bitcoin system contains a simple language to implement smart contracts.   The bitcoin system, however, isn't sophisticated enough to build complex smart contracts.  Nevertheless, the language of bitcoin is way more than simply "coin transmission to the next owner".

As such, the bitcoin system contains in it, the seeds of another crypto-revolution, which may go well beyond the revolution of inventing a distributed monetary system without authority but also without physical assets: smart contracts.