Satoshi Nakamoto's Reasoning for Bitcoin: Solving the Double-Spending Problem with Sound Money

Author: UNCHAINED

Source: https://bitcoinmagazine.com/technical/how-did-satoshi-think-of-bitcoin

The core argument of this article is that Bitcoin can be considered a modified version of Dai’s b-money project, one that eliminates the freedom to create money. A few weeks after the initial publication of this article, new Satoshi emails were unearthed in which Satoshi claimed to have no knowledge of the b-money project, but admitted that Bitcoin started “from the exact same point.” With this new evidence, we are even more confident in the core argument of this article; while it is not absolutely accurate in terms of historical facts, it is still a meaningful and useful perspective on the origins of Bitcoin.

—— Foreword to the Second Edition

Bitcoin is often compared to the Internet in the 1990s, but I think a more appropriate analogy is the telegraph in the 1840s. [1]

The telegraph was the first technology that could transmit coded data over long distances at speeds close to the speed of light. The invention of the telegraph marked the birth of the communications industry. Although the Internet is larger in scale, richer in content, and can achieve many-to-many communication (rather than just one-to-one), it is still fundamentally a communications technology.

Both the telegraph and the Internet rely on a business model: companies invest capital to build a physical network and then charge users to use that network to send messages. AT&T’s network has been used to transmit telegrams, phone calls, TCP/IP packets, text messages, and, most recently, TikTok videos.

Connecting society through telecommunications has brought great freedom, but also great centralization. The Internet has expanded the reach of millions of content creators and small businesses, but it has also strengthened the power of a few corporations, governments, and other powerful institutions to monitor and manipulate online activity.

But Bitcoin is not the end of any social change — it is the beginning of a change. Like telecommunications, Bitcoin will change human society and everyone’s daily life. To predict the scope of this change today is like imagining the Internet in the era of the telegraph.

What this article wants to do is to imagine the future by understanding the past. First, we will trace the history of electronic currencies before Bitcoin. Only by understanding why these projects failed can we understand what made Bitcoin successful - and how it established a methodology for the development of future decentralized systems.

How did Satoshi Nakamoto reason about Bitcoin?

Satoshi Nakamoto is a genius, but Bitcoin did not come out of nowhere.

Bitcoin combines existing work in cryptography, distributed systems, economics, and political philosophy. The concept of “proof of work” (PoW) existed long before it was used for electronic currency; cypherpunks before Satoshi Nakamoto, such as Nick Szabo, Wei Dai, and Hal Finney, all participated in and influenced the design of Bitcoin through the bit gold, b-money, and RPOW projects, respectively. Consider that when Satoshi Nakamoto wrote the Bitcoin white paper in 2008 [2], many of the ideas important to Bitcoin had already been proposed and/or implemented:

  • Electronic money should use peer-to-peer networks
  • Proof of Work is the basis for currency creation
  • Money is created through auctions
  • Public key cryptography can be used to define ownership and transfer of money
  • Transactions can be packaged into blocks
  • Blocks can be linked forward and backward through proof of work
  • Each participant saves all blocks

Bitcoin leverages these concepts, and Satoshi is not the original author of any of these ideas. To better understand Satoshi’s contributions, we should identify which principles of Bitcoin are not included in the above list.

Some obvious candidates include Bitcoin’s finite supply, Nakamoto consensus, and the difficulty adjustment algorithm. But what led Satoshi to these ideas in the first place?

This article examines the history of electronic money and argues that Satoshi Nakamoto’s focus on sound monetary policy allowed Bitcoin to overcome obstacles that had failed previous projects, such as bit gold and b-money.

I. The decentralized system is the market

Bitcoin is often described as a decentralized system, or a distributed system. However, the terms “decentralized” and “distributed” are often confused. In the field of electronic systems, both terms refer to the method of breaking down a monolithic application into a network of communicating components.

From our perspective, the main difference between decentralized and distributed systems is not the topology of the network, but the way they enforce rules. Below, we will spend a little time comparing distributed and decentralized systems, and then introduce the idea that "robust decentralized systems are markets."

Distributed systems still rely on a central authority

In this article, we use "distributed" to refer to any system that has been broken into many parts (usually called "nodes") that must communicate with each other (in order for the entire system to function properly), generally through a network.

Software engineers have become increasingly skilled at developing globally distributed systems. The Internet itself is made up of distributed systems, comprising billions of nodes in total. Each of us has a node in our pocket that both participates in and depends on these distributed systems.

But almost all distributed systems we use in daily life are controlled by some central authority, including system administrators, companies, and governments, which are trusted by all nodes in the system.

The central authority ensures that all nodes follow the rules, and kicks out, fixes, and punishes nodes that fail to follow the rules. People trust the authority for coordination services, conflict resolution, and allocation of shared resources. Over time, the central authority manages changes to the system, upgrades the system or adds features, and ensures that all participants comply with these changes.

Distributed systems gain benefits from relying on a central authority, but not without costs. While the system as a whole can cope with the failure of some nodes, the failure of the central authority can cause the entire system to cease functioning. The ability of the central authority to make unilateral decisions also means that simply subverting or eliminating the central authority is enough to control or destroy the entire system.

Despite this trade-off, if a single actor or alliance must maintain a central authority, or if participants within a system simply rely on a central authority, then traditional distributed systems are the best solution. No blockchains, tokens, or decentralized wrappers are needed.

In particular, for cryptocurrencies developed by venture capital (VC) or endorsed by a government, where one party needs to be able to monitor and restrict payments and freeze accounts, a traditional distributed system is the perfect fit.

Decentralized systems have no central authority

"Decentralization", in our opinion, is narrower than "distributed": decentralized systems are a subset of distributed systems, which are distributed systems without any central authority. A closer synonym for "decentralization" is "peer-to-peer".

Removing a central authority brings several benefits. Decentralized systems:

  • Grow quickly, because there are no barriers to entry: anyone can run a new node and so grow the system, with no registration and no permission from a central authority required.
  • Are robust, because there is no central authority whose failure can bring down the entire system. All nodes are identical, so failures are localized and the network will route around the damaged area.
  • Are difficult to capture, regulate, tax and monitor, because there is no central control point to subvert.

These advantages are exactly why Satoshi Nakamoto chose a decentralized, peer-to-peer design for Bitcoin:

"Governments are very good at chopping off the heads of ... networks that have control centers, like Napster; but pure P2P networks, not like Gnutella and Tor, seem to be able to hold up."

— Satoshi Nakamoto, 2008

But these strengths also come with corresponding weaknesses. Decentralized systems can be more inefficient because each node must take on additional coordination responsibilities that were originally assumed to be borne by the central authority.

Decentralized systems are also more vulnerable to fraud and hostile behavior. Although Satoshi Nakamoto praised Gnutella, anyone who has used a peer-to-peer file sharing program to download a file and ended up downloading vulgar content, malicious programs, etc., knows why peer-to-peer file sharing has never become a mainstream mode of online data transmission.

Satoshi didn’t name any, but email is another decentralized system that has escaped government control. Email, likewise, is a hotbed of spam.

Decentralized systems are governed by economic incentives

In all of these cases, the fundamental problem is that hostile behavior (serving the wrong files, sending spam) is not punished, and cooperative behavior (sending the right files, sending only useful emails) is not rewarded. If a decentralized system relies on its members being all good, it will not scale because there is no way to prevent bad actors from getting involved.

In the absence of a central authority, the only way to solve this problem is to use economic incentives. By definition, a good person is someone who follows the rules out of an inherent sense of morality. A bad person is, by definition, selfish and hostile, but reasonable economic incentives can make them change their behavior and contribute to the public welfare. A decentralized system can only scale if it ensures that cooperative behavior is rewarded and hostile behavior is costly.

The best way to achieve reliable decentralized services is to create a market where all participants, good or bad, can benefit from providing services. In a decentralized market, there are no barriers to entry for buyers and sellers, which leads to scale expansion and efficiency improvement. As long as the market's protocol protects participants from fraud, theft, and abuse, bad guys will find that the best thing to do is either to follow the rules or to leave and attack another system.

II. Decentralized markets require decentralized goods

But markets are also complex. Markets must provide sellers and buyers with the ability to price and bargain, as well as the ability to discover, match, and settle orders. Markets must be fair, provide strong consistency, and remain available through cycles of volatility.

Today's global market is very large and complex, but using traditional goods and payment networks to implement economic incentives in a decentralized system is not workable. Any connection between a decentralized system and fiat currency, traditional assets, or physical goods falls back on the central authorities that control payment processors, banks, and exchanges.

- Decentralized systems cannot deliver cash, check brokerage account balances, or determine ownership of real estate. Traditional goods are completely unrecognizable in a decentralized system. But the reverse is not true - traditional systems can interact with Bitcoin just as well as new decentralized systems (if they really want to). The barrier between traditional systems and decentralized systems is not an impenetrable wall, but a semi-permeable membrane. -

This means that the decentralized system cannot execute payments denominated in any traditional commodity. It cannot even determine the balance of a fiat currency account or the ownership of real estate. The entire traditional economy is completely obscured in the decentralized system.

Creating decentralized markets requires trading new types of decentralized goods, which must be identifiable and transferable within a decentralized system.

Computing is the first decentralized commodity

The first example of a “decentralized commodity” is a special type of computing, first proposed by Cynthia Dwork and Moni Naor in 1993 [3].

Because of the deep connection between mathematics, physics and computer science, this kind of calculation must consume the energy and resources of the real world - that is, it cannot be faked. Because the resources of the real world are limited, this kind of calculation is naturally scarce.

The input to such a computation can be any data. The final output is an electronic "proof" that the computation was run on the given input data. Proofs contain a certain "difficulty", which is a (statistical) proof of the amount of computational work that took place. Most importantly, the relationship between the input data, the proof, and the amount of computation originally expended can be independently verified without any central authority.

This idea—passing some input data along with its electronic proof as evidence that real computational work was performed on that input—is now known as “proof of work” [4]. In the words of Nick Szabo, proof of work is “an unforgeable luxury.” Because proof of work is verifiable by anyone, it becomes an economic resource that everyone can identify in a decentralized system. Proof of work makes computation on data a decentralized commodity. Dwork and Naor propose limiting the abuse of a resource by forcing participants to provide proof of work of a certain difficulty before acquiring the resource:

"In this paper, we present a computationally based approach to combating email bombing. More generally, we design an access control mechanism that can be used anywhere access to resources needs to be restricted but not prohibited."

— Dwork & Naor, 1993

In Dwork and Naor's proposal, an email system administrator would set a proof-of-work difficulty threshold for sending emails. Users who want to send an email need to use the email as input data and perform the corresponding amount of computation. The resulting proof of work is then submitted to the email server along with the email request.

Dwork and Naor call difficulty the "pricing function" of proof of work because, simply by adjusting the difficulty, a "pricing authority" can ensure that the shared resource remains cheap for honest ordinary users, but becomes expensive for users who try to abuse it. In the email delivery market, server administrators are such pricing authorities; they must decide a "price" for email delivery that makes sending email cheap enough for regular use, but expensive for email bombing.

While Dwork and Naor present proof of work as a disincentive measure to combat resource abuse, terms like “pricing function” and “pricing authority” suggest an alternative market-based interpretation: users can purchase resources by paying for computation at a price set by the controller of the resource.

From this perspective, the email delivery network truly becomes a decentralized market where computation is used to purchase email delivery. The difficulty threshold of the proof of work is the price marked by the email server, in units of computational currency.

Currency is the second decentralized commodity

But computation itself is not a very good currency.

A proof is only valid for one input. This unbreakable link means that the proof of work for one input cannot be reused for another input.

- Proof of Work was originally proposed as an access control mechanism to limit email bombing. Users need to provide proof of work for the emails they send. This mechanism can also be thought of as a market where users use computation to purchase email delivery services, and the price is determined by the email service provider. -

This reality can be useful - it can be used to prevent work paid by one buyer from being double-spent by another. For example, HashCash, the first real implementation of an email delivery market, included metadata such as the current timestamp and the sender's email address as input to the proof-of-work calculation. A proof made by one user for one email cannot be used to send another email.

But this also means that proof-of-work computation is a customized commodity. It is not fungible, cannot be spent again [5], and does not solve the "coincidence of wants" problem. The lack of these monetary characteristics prevents it from becoming a currency. Despite the name, email service providers have no intention of accumulating HashCash, though they are certainly willing to accumulate cash.
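The binding between one proof and one email, and the server's role as pricing authority, can be shown with a short hashcash-style sketch. This is an added example, not code from the original article or from HashCash itself; it uses SHA-256 with a constructed stamp layout, and the names `mint`, `MailServer` and the sample address and messages are assumptions.

```python
import hashlib


def leading_zero_bits(digest: bytes) -> int:
    """Number of leading zero bits in a digest: the measured difficulty."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def stamp_input(address: str, timestamp: int, body: bytes) -> str:
    """Input data of the proof: email metadata plus a digest of the body."""
    return f"{address}:{timestamp}:{hashlib.sha256(body).hexdigest()}"


def mint(address: str, timestamp: int, body: bytes, bits: int) -> str:
    """Sender side: try counters until the hash meets the price (about 2**bits hashes)."""
    prefix = stamp_input(address, timestamp, body)
    counter = 0
    while True:
        stamp = f"{prefix}:{counter}"
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) >= bits:
            return stamp
        counter += 1


class MailServer:
    """Receiver side: a local pricing authority with its own difficulty threshold."""

    def __init__(self, price_bits: int, max_age: int = 3600):
        self.price_bits = price_bits  # the "price" of one delivery
        self.max_age = max_age        # seconds a stamp stays valid
        self.spent = set()            # stamps already redeemed at this server

    def accept(self, address: str, timestamp: int, body: bytes,
               stamp: str, now: int) -> str:
        prefix, _, counter = stamp.rpartition(":")
        # 1. The proof must be over exactly this email's data.
        if prefix != stamp_input(address, timestamp, body) or not counter.isdigit():
            return "rejected: proof is for a different input"
        # 2. The timestamp inside the input bounds how long a stamp can be held.
        if abs(now - timestamp) > self.max_age:
            return "rejected: stale timestamp"
        # 3. Verification costs one hash, however much work minting took.
        if leading_zero_bits(hashlib.sha256(stamp.encode()).digest()) < self.price_bits:
            return "rejected: below this server's price"
        # 4. The same work cannot pay for a second delivery.
        if stamp in self.spent:
            return "rejected: already spent"
        self.spent.add(stamp)
        return "accepted"


def demo() -> list:
    # Constructed sample data, not taken from any real mail system.
    now = 1_700_000_000
    addr = "alice@example.org"
    mail = b"Lunch on Friday?"
    server = MailServer(price_bits=12)
    stamp = mint(addr, now, mail, bits=12)
    return [
        server.accept(addr, now, mail, stamp, now),              # first delivery
        server.accept(addr, now, mail, stamp, now),              # replayed stamp
        server.accept(addr, now, b"Cheap pills!", stamp, now),   # reused for other mail
        MailServer(price_bits=40).accept(addr, now, mail, stamp, now),         # dearer server
        MailServer(price_bits=12).accept(addr, now, mail, stamp, now + 7200),  # held too long
    ]


if __name__ == "__main__":
    for outcome in demo():
        print(outcome)
```

Every rejection path is a reason the stamp fails as money: it is tied to one input, one time window and one server's local price, so it cannot circulate.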

Adam Back, the inventor of HashCash, fully understands these issues:

"Hashcash can't be transferred directly because, in order for hashcash to be distributed, each service provider would only accept payments in cash specifically created for it. Perhaps you could set up a digicash-style mint (which issues David Chaum-style ecash) and have the mint only mint ecash when it receives hashcash specifically for it. But that would mean you'd have to trust the mint not to over-mint the currency."

— Adam Back, 1997

We don’t want custom computation for every exchange of goods and services in a decentralized economy. We want a universal electronic currency that can be used directly to coordinate the exchange of value in any market.

Developing a usable electronic currency that also maintains decentralization is a major challenge. Currency requires interchangeable units of value that can be transferred directly between users. It requires designing a currency issuance model, cryptographically defined ownership and value transfer, transaction discovery and settlement mechanisms, and a ledger that can record history. When proof of work is simply understood as an "access control mechanism", none of the above infrastructure is required.

Furthermore, decentralized systems are markets, and therefore all of the underlying functions of money, when provided by service providers, must be paid in some sense… denominated in the currency thus created!

Like the compilation of the first compiler, the black start of the power grid, and even life’s own fireworks, creators of digital currencies face a cold start problem: how to define the economic incentives that underlie a functioning currency without having a functioning currency in which to denominate or pay those incentives.

- Computation and currency are the first and second commodities in decentralized markets. Proof of work itself allows computation to be exchanged, but usable currency requires more infrastructure. It took the cypherpunk community 15 years to develop such infrastructure. -

The first decentralized market must exchange computation for currency

Progress on this cold start problem comes from getting to the right node on the problem boundary.

A decentralized system must become a market. A market consists of buyers and sellers exchanging goods. In a decentralized market for electronic money, there are only two identifiable goods:

  1. Computation with Proof of Work
  2. The basic unit of currency that this decentralized system is going to build

Therefore, the only possible market transaction must be between the two. Computation must be purchasable with units of currency, or (to be completely equivalent), units of currency must be purchasable with computation. It is easy to point this out - the hard part is to construct a market such that simply allowing currency and computation to be traded with each other enables all the functions of currency itself!

The entire history of electronic money, culminating in Satoshi Nakamoto’s publication of the white paper in 2008, is a series of increasingly sophisticated attempts to construct such a market. In the next chapter, we’ll review projects such as Nick Szabo’s bit gold and Wei Dai’s b-money. Understanding how these projects attempted to construct their markets, and why they failed, can help us understand why Satoshi Nakamoto and Bitcoin succeeded.

III. How do decentralized systems price computation?

One of the main functions of markets is price discovery. Therefore, markets that trade computation and currency must find a price for computation itself, expressed in currency units.

We don’t usually assign monetary values to computation directly. We generally value the capital stock that performs the computation, because we value the results of the computation, not the computation itself. If the same output can be computed more efficiently (using less computation), this is usually called “progress”.

Proof of work represents a particular kind of computation whose only output is a proof that those computations were performed. Being able to produce the same proof with less computation (and less energy) is not progress — it’s a bug. Proof of work-related computation is therefore a strange commodity, difficult to value.

When proofs of work are understood as a disincentive against abuse of resources, it is not necessary to accurately and consistently assess their value. The only important thing is that email providers set the difficulty just right, low enough that it is not noticeable to ordinary users, but high enough to discourage spammers. Therefore, there is a wide range of acceptable "prices", and each participant can be his own pricing authority, applying a local pricing function.

But units of currency must be fungible, meaning that each unit has the same value. Moreover, as technology advances, two units of currency created with the same proof-of-work difficulty — measured by the number of corresponding computations — may have very different production costs — measured in terms of the amount of time, energy, and/or capital used to perform those computations. If computation is exchanged for currency, and the underlying production costs are variable, how can the market ensure a consistent price?

Nick Szabo clearly identified this pricing issue when he proposed bit gold:

“The main problem…is that proof-of-work schemes rely on computer architecture, not just abstract mathematics based on abstract ‘cycles of computation.’ … Therefore, it is possible for a very low-cost producer (orders of magnitude lower than everyone else) to emerge and flood the market with bit gold.”

— Nick Szabo, 2005

- Decentralized currencies created through proof of work can become oversupplied and collapse as the supply of computation grows over time. To mitigate this volatility, the network must learn to dynamically price computation. -

Early electronic currencies attempted to price computation by measuring the “cost of computation” as a whole. For example, Wei Dai proposed the following manual solution in b-money:

"The number of currency units created is equal to the cost of the computation, measured in terms of the value of a basket of standard commodities. For example, if a problem takes 100 hours to solve on the cheapest computer, and on the open market it takes 3 units of the standard basket of commodities to buy 100 hours of computing time on that computer, then after the solution to the problem is broadcast, everyone adds 3 units of currency to the broadcaster's ledger."

—— Wei Dai, 1998

Unfortunately, Dai does not explain how users can agree on the definition of a “standard basket of goods” in a supposedly decentralized system, how to know which computer can solve a given problem “most economically”, and how to know the cost of “open market” computation. Reaching consensus among all users on a shared data set that changes over time is the essential problem of a decentralized system!

To be fair, Wei Dai himself is aware of this:

“The most problematic part of the b-money protocol is the creation of currency. The protocol requires all [users] to determine and agree on the cost of a particular computation. However, because computational technology advances rapidly and not always publicly, relevant information may not be available, or available information may be inaccurate or outdated, all of which create serious problems for the protocol.”

—— Wei Dai, 1998

Wei Dai later proposed a more sophisticated auction-based pricing mechanism, which Satoshi Nakamoto also described as the starting point of his idea. We will return to this auction scheme later, but for now, let's turn to bit gold and see Nick Szabo's insights on this issue.

Using External Marketplace

Szabo believes that proof of work should be “securely timestamped”:

“This proof of work is securely timestamped. This can be done in a distributed way, with multiple timestamping services, so it doesn’t really depend on any one of them.”

— Nick Szabo, 2005

Szabo lists a page of resources on secure timestamping protocols, but does not specify a particular algorithm. The words “securely” and “distributed” carry a great deal of weight here and gloss over the complexity of relying on one (or more) “external” timestamping services [6].

- The creation time of a specific unit of electronic money is important because it is associated with the real-world cost of the computation performed. -

Leaving aside the vagueness of implementation details, Szabo is right — the time at which a proof of work is created is an important factor in its price, as it relates to its computational cost:

“…However, because bit gold is timestamped, the time when it was created and the mathematical difficulty of the work done can be automatically proven. Using these factors, it is generally possible to infer how much it cost to produce during that time…”

— Nick Szabo, 2005

The “inferred” production cost is important because bit gold has no mechanism to limit the creation of currency. Anyone can create bit gold by running the appropriate calculations. Without the ability to regulate issuance, bit gold is more like a collectible:

"…not like homogenous gold atoms, but like something that collectors like, a large supply over a period of time will reduce the value of such things. In this sense, bit gold is more like a collectible than gold…"

— Nick Szabo, 2005

Bit gold requires an additional, external process to create fungible currency units:

“…bit gold cannot be made fungible by a simple function of, say, the length of a string. Instead, to create fungible units, dealers need to bundle together several bits of gold of varying value to form a larger unit of nearly equal value, much like dealers enable commodity markets today. Trust is still distributed, because assessing the value of these bundles can be run by many different actors in a largely or even fully automated fashion.”

— Nick Szabo, 2005

In Szabo’s words, “to assess the value of… bit gold, dealers check and verify difficulty, inputs, and timestamps.” Dealers who define “larger units of nearly equal value” provide a similar pricing function to what Wei Dai calls a “standard basket of goods.” In bit gold, homogeneous units are not created when the proofs of work are produced, but later when those proofs are combined into a larger “unit of nearly equal value” by market dealers outside the network.

To his credit, Szabo is aware of this flaw:

“…the possibility of an initially hidden oversupply due to hidden innovations in machine architecture is a potential vulnerability in the bit gold protocol, or at least an imperfection that the initial auction and subsequent trading of bit gold must address.”

— Nick Szabo, 2005

Again, while not arriving at the solution (as we know it today), Szabo correctly points out that because the cost of computation changes over time, the network must adjust the price of the currency to account for changes in the supply of computation.

Use of internal market

A dealer in Szabo's sense is an external market that defines the price of (a set of) bits of gold (after they have been created). Is it possible to implement such a market within the system (rather than outside)?

Let’s go back to Wei Dai and b-money. As mentioned earlier, Dai proposed another auction-based b-money creation model. Satoshi Nakamoto’s design for Bitcoin was improved on this basis [7]:

“So, I propose to use another currency creation sub-protocol, where [users] … decide how much b-money to create in a period of time, and the cost of creating these currencies is discovered by the auction party. Each cycle of currency creation can be divided into the following four stages:

Planning phase. [Users] calculate and negotiate the optimal currency increment for the next cycle. Regardless of whether the [network] can reach a consensus, everyone broadcasts their own currency creation amount and all macroeconomic considerations used to support their own plan.

Bidding phase. Anyone who wants to create b-money broadcasts a bid in the form of: I want to create x units of b-money and am willing to solve y unsolved problems in a predefined class of problems. Each problem in this class should have a publicly agreed nominal cost (assuming it is in MIPS (million instructions per second)-years).

Calculation phase. After seeing the bids, each bidder solves the problem in his or her bid and broadcasts the answer. This is how money is created.

Money creation phase. Each [user] accepts the highest bid (among all the answers actually broadcasted), measured as the nominal cost divided by the amount of b-money created, and then adds the corresponding amount of b-money to the bidder’s account.”

—— Wei Dai, 1998

B-money is a major step towards the right market structure for electronic money. It attempts to eliminate Szabo’s external dealers and allow users to participate in price discovery by bidding directly against others.

But it is not easy to implement Dai’s proposal in detail:

  • In the "planning phase", users are responsible for negotiating the "optimal currency increment for the next cycle". How to define this "optimal"? How should users negotiate with others? How should the results of the negotiation be shared? None of them are clearly stated.
  • Whatever the plan, the "bid" phase allows anyone to submit a bid to create b-money. This bid contains both the amount of b-money to be created and the proof of work to be committed, so each bid is a price, the amount of computation the bidder is willing to pay to purchase a certain amount of b-money.
  • Once a bid is submitted, the “compute” phase begins, where bidders run proof of work and then broadcast their answers. There is no mechanism to match bidders with answers. A bigger problem is that it’s unclear how users know that all bids have been submitted — when does the “bid” phase end and the “compute” phase begin?
  • This problem arises again at the "currency creation" stage. Because of the nature of proof of work, users can verify that the answers they receive are true. But how do users collectively agree on the "highest bid"? What happens if different users choose different combinations (whether due to machine performance or network latency)?

It’s difficult for decentralized systems to track data and make consistent choices, and b-money requires tracking bids from many users and reaching consensus on the choices. This complexity has prevented b-money from ever being implemented.
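The disagreement raised in the last point above can be made concrete with a small simulation of the money creation phase run by two nodes. It is an added example, not code from the article or from b-money; it reads the quoted rule as "credit the single highest bid by nominal cost per unit of b-money", and the `Bid` type, the tie-break and the sample bids are assumptions.

```python
from dataclasses import dataclass
from fractions import Fraction


@dataclass(frozen=True)
class Bid:
    bidder: str
    units: int         # x: units of b-money the bidder wants to create
    nominal_cost: int  # agreed nominal cost of the y problems, in MIPS-years
    solved: bool       # True once the bidder has broadcast the answers

    @property
    def price(self) -> Fraction:
        """Computation offered per unit of b-money; exact, so no float ties."""
        return Fraction(self.nominal_cost, self.units)


def money_creation(seen_bids, ledger):
    """One node's local money creation phase over the bids it happened to see."""
    candidates = [b for b in seen_bids if b.solved]
    new_ledger = dict(ledger)
    if not candidates:
        return new_ledger
    # Tie-break by name is an assumption; the quoted protocol does not define one.
    winner = max(candidates, key=lambda b: (b.price, b.bidder))
    new_ledger[winner.bidder] = new_ledger.get(winner.bidder, 0) + winner.units
    return new_ledger


def distinct_ledgers(views, ledger):
    """Apply the same rule at every node and collect the ledgers that result."""
    results = {}
    for node, seen in views.items():
        results[node] = money_creation(seen, ledger)
    unique = {tuple(sorted(l.items())) for l in results.values()}
    return results, unique


# Constructed sample cycle: four bids, one of them never followed by answers.
ALICE = Bid("alice", units=50, nominal_cost=100, solved=True)    # price 2
BOB = Bid("bob", units=80, nominal_cost=120, solved=True)        # price 3/2
CAROL = Bid("carol", units=100, nominal_cost=300, solved=True)   # price 3
DAVE = Bid("dave", units=10, nominal_cost=100, solved=False)     # price 10, no answers

# Node B's view is missing carol's answers, e.g. because they arrived after
# node B decided the compute phase was over. Nothing tells it to wait longer.
VIEWS = {
    "node_a": [ALICE, BOB, CAROL, DAVE],
    "node_b": [ALICE, BOB, DAVE],
}

if __name__ == "__main__":
    ledgers, unique = distinct_ledgers(VIEWS, ledger={})
    for node, result in ledgers.items():
        print(node, result, "supply:", sum(result.values()))
    print("nodes agree" if len(unique) == 1 else "ledgers have diverged")
```

Both nodes follow the rule honestly, yet they end the cycle with different owners and different total supply, and the protocol gives neither a way to detect or repair the split.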

The source of this complexity lies in Wei Dai’s belief in an “optimal” growth rate: the creation of b-money should fluctuate based on the “macroeconomic considerations” of its users. Like bit gold, b-money has no mechanism to limit the creation of currency. Anyone can create b-money by broadcasting a bid and running the corresponding calculations.

IV. Satoshi Nakamoto’s monetary policy objectives led to the design of Bitcoin

In contrast, sound monetary policy is one of Satoshi Nakamoto’s primary goals in Bitcoin. In the earliest email announcing Bitcoin, Satoshi Nakamoto wrote:

“The fundamental problem with traditional currency is that it requires trust to work. People have to trust the central bank not to debase the currency, but the history of fiat currency is littered with incidents where that trust has been betrayed.”

— Satoshi Nakamoto, 2009

Then, Satoshi introduced other problems with fiat currencies, such as the risky fractional reserve banking system, the lack of privacy, rampant theft and fraud, and the inability to make small payments. But Satoshi started with the problem of central banks debasing currencies — he was concerned with monetary policy.

Satoshi Nakamoto wanted the final circulating supply of Bitcoin to be limited and not diluted over time. For Satoshi Nakamoto, the "optimal" currency growth rate of Bitcoin should eventually be zero.

This monetary policy goal, and not any other individual (or collective!) trait exhibited by Satoshi, is why Satoshi “discovered” Bitcoin, blockchain, Satoshi consensus, etc. — and why no one else invented Bitcoin. That’s the short answer to the question in the title of this article: Satoshi was able to reason about Bitcoin because they focused on creating an electronic currency with a limited supply.

For Bitcoin, limited supply is more than just a monetary policy or a quip that Bitcoiners love to throw around. It’s a fundamental technical simplification that allowed Satoshi Nakamoto to develop a working electronic currency while Dai’s b-money remained a work of art.

Bitcoin is b-money that additionally requires a predefined monetary policy. Like many technical simplifications, constraining monetary policy enables progress by reducing scope. Let’s look at how the four stages of creating b-money can be simplified using this constraint.

All 21 million BTC have been created

In b-money, every "currency creation cycle" includes a "planning" phase, in which users need to share their "macroeconomic considerations" and defend their currency creation proposals. Satoshi's monetary policy goal is to achieve a limited supply and zero long-tail issuance, which is incompatible with the freedom of currency creation that b-money gives to individual users. Therefore, the first step from b-money to Bitcoin is to remove this freedom. Bitcoin users cannot create Bitcoins. Only the Bitcoin network can create Bitcoins, and it only creates them once, when Satoshi Nakamoto launched the Bitcoin project in 2009.

Satoshi could replace the recurring “planning” phase of b-money with a predetermined schedule for the 21 million BTC created in 2009 to enter circulation in the future. Users voluntarily agree to Satoshi’s monetary policy by downloading and running the Bitcoin software that hard-codes this monetary policy.

This changes the semantics of the Bitcoin computing market. Bitcoins paid to miners are not newly issued; they are simply unlocked from the existing supply and put into circulation.

This mindset is completely different from the naive argument that “Bitcoin miners create Bitcoin.” Bitcoin miners don’t create Bitcoin, they just buy Bitcoin. Bitcoin is not valuable because “it’s made with energy” — people are willing to spend energy to buy Bitcoin just because Bitcoin is valuable.

Let us repeat: Bitcoin is not created through proof of work, it is created through consensus.

- Satoshi’s design eliminated the need for a recurring “planning” phase for b-money, since all planning was done in advance. This allowed Satoshi to hard-code a sound monetary policy while simplifying Bitcoin’s implementation. -

Bitcoin is priced through consensus

In the b-money network, users gain the freedom to create currency, but they also have to bear the corresponding burden. During the "bidding" stage, the b-money network must collect and share currency creation "bids" from many users.

Removing the freedom to create money also frees the Bitcoin network from this burden. Since all Bitcoins (21 million BTC) already exist, the network does not need to collect bids from users to create coins, it only needs to sell Bitcoins in a schedule predetermined by Satoshi Nakamoto.

Therefore, the Bitcoin network provides a consensus asking price for each Bitcoin sold in each block. This price is calculated independently by each node using its copy of the blockchain. As long as the nodes can reach consensus on the same blockchain (which we will discuss later), they can give the same asking price in each block [8] .

The first half of the consensus price calculation is to decide how many bitcoins to sell. This is fixed using Satoshi’s predetermined unlocking schedule. All Bitcoin nodes in the Bitcoin network can come up with the same amount by block number:

[Figure: bitcoin sold per block as a function of block number]

The second half of the consensus price calculation is to decide how much computation is required. Once again, all nodes in the network can calculate the same value (we will talk about this difficulty adjustment in the next chapter):

[Figure: computation required per block (difficulty)]

Combined, the block subsidy and difficulty define the current asking price of Bitcoin, which is priced in units of computational power. Because the blockchain has reached consensus, this price is a consensus price.
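The two halves of the consensus price can be computed from block height and the header's difficulty field alone. The sketch below is an added example, not code from the article or from Bitcoin's own source; it works from the 256-bit target rather than the reported difficulty (which avoids the scaling factor mentioned in footnote 8), and the function names are illustrative.

```python
# Added example: consensus asking price per block, from public chain data only.
COIN = 100_000_000            # satoshis per bitcoin
HALVING_INTERVAL = 210_000    # blocks between subsidy halvings
INITIAL_SUBSIDY = 50 * COIN

def block_subsidy(height: int) -> int:
    """Satoshis unlocked by the block at this height (fees excluded)."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:        # far past the end of the schedule
        return 0
    return INITIAL_SUBSIDY >> halvings

def total_supply() -> int:
    """Sum the whole schedule: every satoshi that will ever be unlocked."""
    total, era = 0, 0
    while (reward := INITIAL_SUBSIDY >> era) > 0:
        total += HALVING_INTERVAL * reward
        era += 1
    return total

def compact_to_target(nbits: int) -> int:
    """Decode the 32-bit compact 'nBits' header field into the 256-bit target."""
    exponent, mantissa = nbits >> 24, nbits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def expected_hashes(target: int) -> int:
    """Average number of hash attempts needed to find a hash <= target."""
    return (1 << 256) // (target + 1)

def asking_price(height: int, nbits: int) -> int:
    """Expected hashes the network demands per whole bitcoin at this block."""
    subsidy = block_subsidy(height)
    if subsidy == 0:
        raise ValueError("no subsidy left to sell at this height")
    return expected_hashes(compact_to_target(nbits)) * COIN // subsidy

if __name__ == "__main__":
    GENESIS_NBITS = 0x1D00FFFF   # difficulty 1, as in the genesis block header
    print(block_subsidy(0) / COIN, "BTC for",
          expected_hashes(compact_to_target(GENESIS_NBITS)), "expected hashes")
    print("asking price:", asking_price(0, GENESIS_NBITS), "hashes per BTC")
    print("total supply:", total_supply() / COIN, "BTC")
```

Because every input is read from the node's own copy of the chain, two nodes on the same chain always compute the same price. Integer halving makes the schedule sum to slightly less than 21 million BTC.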

B-money also assumes that users have a consensus “blockchain” containing the history of all transactions. But Wei Dai never came up with a simple solution: to set a consensus asking price for the creation of b-money based entirely on the data in the blockchain.

Wei Dai, in contrast, assumes that money creation must continue indefinitely. Therefore, individual users need to have the power to influence monetary policy — just like in fiat currencies. This perception led Wei Dai to design a bidding system that is so complex that b-money cannot achieve it.

In Satoshi’s case, the predefined monetary policy eliminates the additional complexity.

Time closes all spreads

In the “computation” phase of b-money, users perform the computations they promised in their previous bids. In Bitcoin, the entire network acts as the seller — so where are the buyers?

In the email delivery market, the buyer is the user who wants to send emails. As the pricing authority, the email service provider will set a price that they think is cheap enough for ordinary users but expensive enough for scammers. But if the number of ordinary users increases, this price can remain the same because the computing power of ordinary users may not change.

In b-money, each user who proposes a bid to create a currency is expected to perform a corresponding amount of computation on their own. Each user acts as their own pricing authority based on their knowledge of their own computational power.

The Bitcoin network offers a price in computation for the latest block subsidy. But no single miner needs to perform that many computations to find a block [9] . The winning block is a result of all miners collectively performing the required number of computations. Therefore, the buyer of the block subsidy is the global Bitcoin mining industry.

After reaching a consensus asking price, the Bitcoin network will not change the price until more blocks are produced. These blocks must contain the proof of work required by the current asking price. Therefore, the mining industry has no choice but to pay so much computing power as long as they want to "close the deal."

The only variable that the mining industry can control is how long it takes to produce the next block. Just as the Bitcoin network can give a price, the mining industry can also give a bid - the time it will take to produce the next block that meets the network's current asking price.

“To compensate for increasing hardware speeds and varying interest in running nodes, the difficulty of the proof of work is determined by a moving average targeting the number of blocks produced per hour. If blocks are produced too quickly, the difficulty increases.”

— Satoshi Nakamoto, 2009

Satoshi Nakamoto introduced the difficulty adjustment algorithm in a rather plain way; yet this algorithm is often considered one of the most original ideas in the Bitcoin implementation. This is true, but rather than focusing on the innovativeness of this solution, it is better to look at why solving this problem was so important to Satoshi Nakamoto.

Projects like bit gold and b-money do not need to limit the rate of currency issuance because they do not have a fixed supply or a predetermined monetary policy. Cycles of currency issuance that become faster or slower can be offset by other means, such as external dealers combining bit gold into larger sets (or splitting into smaller ones); or b-money users can change their bids.

But Satoshi's monetary policy goals require a predefined "increment" (unlocking new bitcoins into circulation) rate for Bitcoin. Constraining the (statistical) speed of block creation is natural for Bitcoin, because the speed at which blocks are generated is the speed at which the initial supply of Bitcoin is sold. Selling 21 million BTC in 140 years is completely different from selling them all in 3 months.

Moreover, Bitcoin can truly implement this constraint because the blockchain is what Nick Szabo calls a “secure timestamp protocol.” Satoshi Nakamoto said that Bitcoin is a “distributed timestamp server on a peer-to-peer basis,” and the early Bitcoin source code used “timechain” rather than “blockchain” to refer to this shared data structure that implements Bitcoin’s PoW market [10] .

- Unlike bit gold and b-money, there is no oversupply of coins in Bitcoin. The Bitcoin network uses a difficulty adjustment algorithm to change the price of the currency in response to changes in the supply of computation -

Bitcoin’s difficulty adjustment algorithm leverages this capability: participants use the consensus blockchain to enumerate the mining industry’s historical bids and readjust the difficulty to move toward a target block time.

Long-term order creates consensus

The chain of simplifications generated by the desire for sound monetary policy extends to the “money creation” stage of b-money.

In b-money, user-submitted bids suffer from a “nothing at stake” problem. There is no mechanism preventing users from submitting bids for large amounts of b-money with very little work. This requires the network to track completed bids and only accept “the highest bid… measured by the nominal cost divided by the amount of b-money created” to avoid such harassing bids. Every participant in b-money must keep track of the full order book of bids, match bids with their subsequent computations, and settle only the completed orders with the highest prices.

This problem is an instance of a broader one: consensus in decentralized systems, also called the "Byzantine Generals" problem or sometimes, in the context of cryptocurrencies, the "double-spend" problem. Distributing the same ordered data among all participants in a hostile, decentralized network is difficult. Solutions to this problem, called "Byzantine Fault Tolerant (BFT) consensus algorithms," require some pre-coordination between participants and a majority (> 67%) of participants not to act maliciously.

Bitcoin does not need to manage an order book of bids, because the Bitcoin network is given a single asking price. This means that Bitcoin nodes can accept the first (valid) block they see that satisfies the network's current asking price - nuisance bids can be simply ignored, and making such nuisance bids would be a waste of a miner's resources.

The consensus asking price allows the matching of buy and sell orders in Bitcoin to be completed elegantly: first come, first served. Such elegant order matching also means that the Bitcoin market does not need to be divided into stages like b-money - it can run uninterruptedly, and every time an order is matched (a new block is found), a new consensus price can be calculated. In order to avoid network forks caused by network delays and hostile behavior, nodes must also follow the "heaviest chain rule". This greedy order settlement rule ensures that only the highest bid price can be accepted by the network.

This combination of elegance and greed — nodes accept the first valid block they see and always follow the heaviest chain of blocks — is a new Byzantine fault-tolerant algorithm that allows consensus on the sequence of blocks to converge quickly. Satoshi Nakamoto spent 25% of his white paper proving this point [11] .
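The two rules can be seen together in a toy node. This is an added example, not the article's or Bitcoin's code: the block format, the `Node` class and the very easy targets are constructed for illustration, and the required target is passed in by the caller, whereas a real node derives it from the branch's own history. It also shows why the comparison is on accumulated work rather than block count (footnote 11).

```python
# Added example: toy node applying "first valid block seen" plus "heaviest chain".
import hashlib
from dataclasses import dataclass

def work(target):
    """Expected hashes represented by one block mined at this target."""
    return (1 << 256) // (target + 1)

@dataclass(frozen=True)
class Block:
    prev: str       # parent block hash ("" for the genesis block)
    target: int     # proof-of-work target the block claims to meet
    nonce: int

    @property
    def hash(self):
        data = f"{self.prev}:{self.target}:{self.nonce}".encode()
        return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()

    def meets_target(self):
        return int(self.hash, 16) <= self.target

def mine(prev, target, start=0):
    """Brute-force a nonce; fast only because the toy targets are very easy."""
    nonce = start
    while not Block(prev, target, nonce).meets_target():
        nonce += 1
    return Block(prev, target, nonce)

class Node:
    def __init__(self, genesis):
        self.chainwork = {genesis.hash: work(genesis.target)}
        self.height = {genesis.hash: 0}
        self.tip = genesis.hash

    def accept(self, block, asking_target):
        """Store a block if it pays the asking price; return True if accepted."""
        if block.target != asking_target or not block.meets_target():
            return False                      # nuisance bid: ignore it
        if block.prev not in self.chainwork or block.hash in self.chainwork:
            return False                      # unknown parent or duplicate
        self.chainwork[block.hash] = self.chainwork[block.prev] + work(block.target)
        self.height[block.hash] = self.height[block.prev] + 1
        # Strictly greater: on equal work the first block seen stays the tip.
        if self.chainwork[block.hash] > self.chainwork[self.tip]:
            self.tip = block.hash
        return True

# Constructed toy targets: about 64 and about 1024 expected hashes per block.
EASY, HARD = 1 << 250, 1 << 246
```

A branch of three `EASY` blocks loses to a single `HARD` block on the same parent, because the node compares `chainwork`, not `height`.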

The understanding we established in the previous chapter is that Bitcoin’s consensus asking price relies on the consensus blockchain. But it turns out that the existence of a single consensus asking price is the reason why this computing market can match orders elegantly; and the computing market’s ability to match orders elegantly is the reason why consensus can be reached!

Moreover, this new “Nakamoto consensus” only requires 50% of the participants not to take malicious actions, which is a significant improvement over the original technology. It was cypherpunks like Satoshi Nakamoto who made this breakthrough in computer science theory, not traditional academic or industrial researchers, because Satoshi Nakamoto was only focused on achieving sound money, not a general consensus algorithm for distributed computing.

V. Conclusion

B-money is a powerful framework for developing electronic money, but it is not a complete solution because it does not have a monetary policy. Constraining currency issuance with a predetermined unlocking schedule reduces the scope of the protocol and simplifies implementation by eliminating the need to track and choose among user-submitted currency creation bids. Protecting the cadence of the Nakamoto issuance schedule leads to the difficulty adjustment algorithm and enables Nakamoto consensus; the latter is widely considered the most innovative aspect of the Bitcoin implementation.

The full design of Bitcoin involves much more than what we have discussed so far. Our focus in this article is only on the “primary” market in Bitcoin, the market that unlocks the Bitcoin supply into circulation.

The next article in this series will explore the market for settling Bitcoin transactions and how it relates to the market for distributing Bitcoin supply. This relationship will provide a methodology for building futures markets for decentralized services based on Bitcoin.

Acknowledgements

I have been speaking about Bitcoin and the market for years. I must thank many people who have listened to my ideas and helped me clarify them. In particular, Ryan Gentry, Will Cole, and Stephen Hall have met with me weekly to discuss these ideas. Without their help and support, I would not have been able to overcome countless false starts. Ryan also helped me to speak publicly about these ideas in our Bitcoin 2021 talk. Afsheen Bigdeli, Allen Farrington, Joe Kelly, Gigi, Tuur Demeester, and Marty Bent have all been encouraging and giving me valuable feedback. I must apologize to Allen for being such a terrible collaborator. Finally, Michael Goldstein may be famous for his writing and memes, but I want to thank him for his archival work at the Nakamoto Institute, which preserves the history of digital currency.

Footnotes

1. The title of this series is taken from the first telegraph message in history, sent by Samuel Morse in 1844: "What hath God wrought?"

2. Bitcoin: A Peer-to-Peer Electronic Cash System, available at: https://bitcoin.org/bitcoin.pdf

3. Pricing via Processing or Combatting Junk Mail, from Dwork & Naor, available at: https://www.wisdom.weizmann.ac.il/~naor/PAPERS/pvp.pdf

4. While they invented the concept, Dwork and Naor did not invent the term “proof of work” — that moniker was coined by Markus Jakobsson and Ari Juels in 1999.

5. Hal Finney's RPOW project was an attempt to create a transferable proof of work, but Bitcoin does not use this concept because Bitcoin does not use computation as currency. When discussing bit gold and b-money below, we will see that computation cannot become currency because computations in different eras have different values, but the value of two currency units must be equal. Bitcoin is not computation, Bitcoin is a currency that can be bought with computation.

6. At this juncture, some readers may think that I am discounting the contributions of Wei Dai or Nick Szabo because they were vague or silent on some issues. I feel just the opposite: Wei Dai and Nick Szabo were both fundamentally right, and their failure to outline all the details as Satoshi later did does not negate their contributions. On the contrary, it should arouse our admiration, because it shows how difficult electronic money is, even for the best practitioners in the field.

7. Wei Dai’s b-money article is listed first in the Satoshi white paper references, see: http://www.weidai.com/bmoney.txt

8. Two simplifications are made here: (a) the number of bitcoins sold per block is also affected by the transaction fee market, but this is beyond the scope of this article and is left for future work; (b) the difficulty reported in Bitcoin is not exactly equal to the number of expected computations; you also have to multiply by a scaling factor.

9. At least not since the dark ages when Satoshi was the only miner on the network.

10. Gigi’s classic Bitcoin is Time is an excellent introduction to Bitcoin’s profound relationship with time, see: https://dergigi.com/2021/01/14/bitcoin-is-time/

11. Satoshi Nakamoto made a mistake in both his analysis in the white paper and in the subsequent initial implementation of Bitcoin, using the “longest chain” rule instead of the “heaviest chain” rule.
