Chapter 18: Bitcoin and the Digital Money Breakthrough
“A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without going through a financial institution.”
Satoshi Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System” (2008)^1^
Introduction
Digital money faced two fundamental problems that decades of cypherpunk research could not solve at once. The double-spending problem seemed to require a central authority, while the base-money problem meant most digital currencies were only claims on issuers, not money itself.
Satoshi Nakamoto’s breakthrough solved both. This chapter traces the twin problems and the failed precursors that supplied partial answers. It ends with the consensus architecture that finally made decentralized digital money possible.
18.1 The Twin Problems of Digital Money
The Double-Spending Problem
Physical cash cannot be spent twice. When Alice hands Bob a gold coin, she no longer possesses it. The physical transfer is the transaction. Physical objects are inherently scarce; possession by one excludes possession by another.
Digital information lacks this property. As Chapter 6 established, information is non-rivalrous: copying a file does not remove the original. If digital cash were a file that encoded value, Alice could send Bob a copy while keeping the original, then send the same “cash” to Carol. The double-spending problem is a scarcity problem: how can digital units be made rivalrous when digital information is inherently copyable?
Preventing double-spending requires establishing which transactions came first, thereby determining who possesses each unit. A database can record this, but who controls the database? Whoever controls the database can censor transactions or seize funds, and authorities can compel the operator to do either. The problem seemed to require centralization.
The Base Money Problem
Even if double-spending could be solved, a second problem remained: what exactly is being transferred?
Previous digital currencies were money substitutes: claims against issuers, not money proper. Users held account balances that companies promised to honor, not the money good itself: DigiCash balances were claims on DigiCash Inc., and E-gold balances were claims on e-gold Ltd. These systems created digital IOUs, not digital money.
Money substitutes require trust in the issuer. Issuers can fail, be shut down, refuse redemption, or be compelled by authorities to freeze accounts. A money substitute in your hand is a promise; money proper in your hand is the present good itself, valued for its monetary services without reference to any redeeming party. Physical gold requires no backing because the metal is what holders demand; a paper note promising gold requires trust that someone will honor the promise when presented with the note.
Creating digital money proper requires more than digital promises. A system must prevent double-spending without central control, and it must constitute base money itself, not claims on an issuer. No system before Bitcoin achieved both.
18.2 Precursors and Their Failures
Bitcoin did not emerge from nothing; it combined earlier cypherpunk innovations and pushed past their limits.
DigiCash: Privacy and Double-Spending, Without Decentralization
David Chaum’s DigiCash solved two problems at once. Blind signatures allowed the issuing bank to detect and reject duplicate tokens without being able to link withdrawals to deposits. Users could make untraceable payments, and the bank could prevent double-spending. Both problems seemed to require contradictory information flows, yet Chaum’s cryptography threaded the needle.^2^
DigiCash failed on different grounds. It required a central server, creating a single point of failure that authorities could target. And it issued money substitutes: account balances were claims on DigiCash Inc., not money proper. When the company filed for bankruptcy in 1998, the system died with it. Chaum solved the cryptographic problem but not the institutional one.
E-gold: Backing Without Resistance
E-gold (1996-2009) attempted to create digital gold by maintaining physical gold reserves backing account balances. It attracted millions of users but remained a money substitute: account balances were claims on e-gold Ltd., not gold itself. The centralized structure made it vulnerable; US authorities shut down the operation and prosecuted its founders. E-gold showed that even commodity backing cannot substitute for decentralization.
Hashcash: Proof-of-Work as Access Control
Adam Back’s Hashcash (1997) introduced proof-of-work: requiring computational effort to produce a token.^3^ Originally designed to prevent email spam, Hashcash tokens shared one property with base money: they required no issuer’s promise or backing. Validity came from proof-of-work alone.
Hashcash, however, was never intended as money. It was an access control system in which tokens were bound to specific recipients by embedding the recipient’s email address in the hashed data, and each mail server maintained its own database of tokens already seen, rejecting duplicates. That design prevented reuse of tokens at a single server but created no global scarcity: a token spent at one server had no effect on any other server, and there was no shared ledger or network-wide state that could give a token weight beyond its local context.
Money requires global consensus: all participants must agree on which units exist and who owns them. Hashcash had only local verification. It showed that computational work could create unforgeable tokens, but access rights are not money. The missing element was a shared, agreed-upon record of token ownership across all participants.
B-money and Bit Gold: The Inflation Problem
Wei Dai’s B-money (1998) and Nick Szabo’s Bit Gold (1998-2005) both proposed systems where proof-of-work directly created monetary units.^4^ In B-money, the value of one unit was meant to equal the computational cost of producing it. In Bit Gold, valid hashes were the monetary units themselves.
Both suffered from a fundamental flaw: as computing power increases, tokens become cheaper to produce. Szabo recognized this explicitly: if it became possible to be “a low-cost producer (by several orders of magnitude),” one could “swamp the market with bit gold.” His proposed solution was timestamping, so markets could value older hashes (harder to produce at the time) more than newer ones. But this destroys fungibility; not all units would be equal.
Neither solved the distributed consensus problem, and both remained theoretical. But their deepest issue was architectural: conflating proof-of-work with money creation. If work creates money, monetary policy depends on hardware economics.
The Missing Pieces
Each precursor solved part of the puzzle without closing the loop. DigiCash achieved privacy and solved double-spending but required centralization and issued money substitutes; e-gold achieved commodity backing yet remained a custodial claim; Hashcash showed unforgeable tokens through computational work, though as an access control system, not as money. B-money and Bit Gold articulated the architecture for decentralized digital money.
Two problems remained unsolved. First, none achieved decentralized consensus on a shared transaction history, the mechanism required to make digital units rivalrous without central control. Second, systems that used proof-of-work for money creation tied monetary policy to hardware economics, creating perpetual inflation as computing power grew.
Nakamoto solved both. His breakthrough joined decentralized consensus on transaction ordering to a full separation of proof-of-work from money creation.
18.3 Nakamoto Consensus
The Architecture
The problems are now clear. Double-spending requires global consensus on transaction ordering. Previous systems achieved this through central servers, which created single points of failure. Proof-of-work can create unforgeable tokens, but using it for money creation ties monetary policy to hardware economics. The challenge is to build a system where anyone can participate in ordering transactions, with no central authority to target, while monetary policy remains fixed regardless of computational growth.
Bitcoin’s architecture combines a distributed ledger that anyone can read with consensus rules that every participant enforces independently, linked by a permissionless block production mechanism. The ledger records transaction history, block production extends it, and consensus rules determine what extensions are valid.
Anyone can propose a block of transactions to append to the ledger. No permission is required; no single entity controls what gets recorded. But permissionless participation creates a problem: what prevents the system from being overwhelmed?
The Denial of Service Problem
If anyone can produce blocks without restriction, an attacker could flood the network. Each block must be downloaded and validated, then stored by every node. Even without malicious intent, if block production were free, rational participants would produce blocks constantly to collect fees and rewards. The network would drown in data.
The problem is larger than bandwidth alone, because verification also requires computational resources. Every transaction in every block must be checked for valid signatures, unspent inputs, and correct amounts. If blocks arrive faster than nodes can verify them, nodes fall behind, and if ordinary nodes cannot keep up, only those with exceptional resources can participate in verification. The system would centralize around whoever could afford the infrastructure, defeating its purpose.
A centralized system solves this trivially: the operator decides how many transactions to process. A decentralized system has no operator. The solution requires a throttling mechanism that emerges from the protocol itself, slowing block production without any authority deciding who may produce blocks or how often.
The target is roughly one block every ten minutes across the entire network, regardless of how many participants attempt to produce blocks. This rate is slow enough that ordinary hardware can verify all transactions, yet fast enough for practical use. The question is how to enforce this rate without a rate-limiter.
Proof-of-Work as Throttling
Proof-of-work provides the throttling mechanism. The insight comes from Hashcash: computational work that is difficult to produce but trivial to verify. Producing a valid block requires finding a specific kind of hash, which demands sustained computation. Verifying that someone found it requires a single hash operation, nearly instantaneous.
A block header contains metadata: the hash of the previous block, a hash of included transactions, a timestamp, and a nonce (a variable field the miner can change freely). To produce a valid block, a miner must find a nonce such that hashing the entire header produces a number below a difficulty threshold.
Cryptographic hash functions like SHA-256^9^ produce output that is effectively random given the input. Changing even one bit of input produces an entirely different hash. No mathematical relationship exists between input and output that would allow predicting which inputs yield low hashes. The only way to find a suitable nonce is repeated trial: set a nonce, compute the hash, check if it meets the threshold, increment the nonce, repeat. Miners perform billions of these operations per second.
This process provably takes time. The difficulty threshold determines how many attempts are needed on average. If the threshold requires a hash starting with 20 zero bits, approximately one in a million hashes will qualify. Requiring 30 zero bits means approximately one in a billion. The work cannot be faked or shortcut. Verification checks whether the hash meets the threshold, and anyone can verify instantaneously by computing a single hash.
The asymmetry is essential. Production is expensive; verification is cheap. This allows any node to validate blocks without trusting the miner, while making block production costly enough to throttle the rate.
Difficulty Adjustment
Proof-of-work throttles block production, but the throttle must adapt. If difficulty were fixed, increasing computational power would produce blocks faster, overwhelming the network. Decreasing power would slow blocks to a crawl, making the system unusable. The system needs a feedback mechanism.
Every 2016 blocks (approximately two weeks at the target rate), the protocol recalculates difficulty. It compares the actual time elapsed since the previous adjustment to the expected time (2016 blocks times ten minutes). If blocks arrived faster than ten minutes on average, difficulty increases; the threshold lowers, requiring hashes with more leading zeros. If blocks arrived slower, difficulty decreases; the threshold rises, accepting hashes that would previously have been rejected.
The adjustment is bounded: difficulty cannot change by more than a factor of four in either direction per period. This prevents extreme oscillations if hash rate changes dramatically. The bounds also limit potential manipulation; miners cannot game timestamps to radically lower difficulty.
This mechanism makes Bitcoin self-regulating. When mining becomes more profitable, for example because the price rises, more computational power enters the network; blocks would arrive faster, but difficulty adjusts upward and restores the ten-minute average. When profitability falls, miners exit, and difficulty adjusts downward to compensate. The system finds equilibrium at whatever level of computational power the market provides.
The result is that increased hash rate produces more security, not more blocks and not more bitcoin. A network with ten times the hash rate is ten times more expensive to attack, but still produces blocks at the same rate with the same reward schedule. This decouples security from monetary policy, a property no predecessor achieved.
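The nonce search, the single-hash verification, and the bounded retarget described above, as an added example that is not code from the chapter or from Bitcoin Core. It assumes a simplified header layout (previous hash, merkle root, timestamp, nonce), uses a 16-leading-zero-bit target so the search finishes quickly, and applies Bitcoin's real proof-of-work limit and factor-of-four clamp in `retarget`; the sample header contents are constructed.

```python
import hashlib
import struct
from typing import Tuple

# Bitcoin's real proof-of-work limit: the easiest target the consensus rules allow.
POW_LIMIT = 0x00000000FFFF0000000000000000000000000000000000000000000000000000
# 2016 blocks at ten minutes each, in seconds: the expected length of one adjustment period.
EXPECTED_TIMESPAN = 2016 * 600


def header_bytes(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int) -> bytes:
    """Serialize the toy header (assumption: a simplified layout, not Bitcoin's 80-byte header)."""
    return prev_hash + merkle_root + struct.pack("<II", timestamp, nonce)


def block_hash(header: bytes) -> int:
    """Double SHA-256 of the header, interpreted as a little-endian integer as Bitcoin does."""
    digest = hashlib.sha256(hashlib.sha256(header).digest()).digest()
    return int.from_bytes(digest, "little")


def target_from_zero_bits(zero_bits: int) -> int:
    """Largest hash value with `zero_bits` leading zero bits; about 2**zero_bits trials per solution."""
    return (1 << (256 - zero_bits)) - 1


def mine(prev_hash: bytes, merkle_root: bytes, timestamp: int, target: int) -> Tuple[int, int]:
    """Repeated trial: hash, compare, increment the nonce, repeat. Returns (nonce, attempts)."""
    for nonce in range(1 << 32):
        if block_hash(header_bytes(prev_hash, merkle_root, timestamp, nonce)) <= target:
            return nonce, nonce + 1
    raise RuntimeError("nonce space exhausted; a real miner would change the timestamp or merkle root")


def verify(prev_hash: bytes, merkle_root: bytes, timestamp: int, nonce: int, target: int) -> bool:
    """Verification is a single hash, however many attempts the miner needed."""
    return block_hash(header_bytes(prev_hash, merkle_root, timestamp, nonce)) <= target


def retarget(old_target: int, actual_timespan: int) -> int:
    """Difficulty adjustment: scale the target by actual/expected time for the last period.

    The timespan is clamped to one quarter and four times the expected value, so the
    target (and therefore difficulty) moves by at most a factor of four per period,
    and the result never exceeds the proof-of-work limit."""
    clamped = min(max(actual_timespan, EXPECTED_TIMESPAN // 4), EXPECTED_TIMESPAN * 4)
    new_target = old_target * clamped // EXPECTED_TIMESPAN
    return min(new_target, POW_LIMIT)


def demo() -> dict:
    """Mine one toy block at 16 leading zero bits (far easier than Bitcoin's limit) and verify it."""
    prev_hash = bytes(32)  # constructed: a genesis-style all-zero predecessor
    merkle_root = hashlib.sha256(b"constructed sample transaction set").digest()
    timestamp = 1_700_000_000  # constructed
    target = target_from_zero_bits(16)
    nonce, attempts = mine(prev_hash, merkle_root, timestamp, target)
    return {
        "nonce": nonce,
        "attempts": attempts,
        "valid": verify(prev_hash, merkle_root, timestamp, nonce, target),
        # Blocks came in twice as fast as expected: the target halves, so difficulty doubles.
        "target_after_fast_period": retarget(target_from_zero_bits(40), EXPECTED_TIMESPAN // 2),
    }


if __name__ == "__main__":
    print(demo())
```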
What Proof-of-Work Does Not Do
Proof-of-work does not create bitcoin. This distinction separates Bitcoin from its predecessors.
In B-money and Bit Gold, proof-of-work was supposed to create monetary units directly: the work itself was the money. This tied monetary policy to hardware economics. As computing power grew cheaper, money creation would accelerate indefinitely.
Bitcoin inverts this relationship. Proof-of-work throttles block production and orders transactions; it does not determine how much bitcoin exists. The block reward is defined by consensus rules that every full node validates, not by the amount of work performed. A miner who claims a larger reward produces an invalid block, regardless of how much work went into it. Difficulty adjustment ensures that increased computing power produces more security, not more bitcoin.
Monetary policy in Bitcoin is enforced by full nodes run by economically relevant participants, not by miners performing work. Miners propose blocks; nodes accept or reject them according to fixed rules. This separation is why Bitcoin’s supply schedule remains unchanged despite hash rate increasing by orders of magnitude since launch.
Fair Issuance Through Mining
If proof-of-work does not create bitcoin, how do new coins enter circulation? The answer reveals another role for mining: distribution mechanism.
Each valid block includes a coinbase transaction that creates new bitcoin according to a consensus-defined schedule. The initial reward was 50 BTC per block. Every 210,000 blocks (approximately four years), the reward halves: 25, then 12.5, then 6.25, then the current 3.125 BTC. This halving continues until approximately 2140, when the last fraction of a bitcoin is mined and the total supply reaches 21 million.^10^
The miner who produces a valid block receives this reward. Since block production requires proof-of-work, and since anyone can attempt to mine, issuance operates as a continuous open lottery. Every ten minutes on average, the network awards new bitcoin to whoever finds the next valid block.
This mechanism has properties most later monetary systems did not achieve. New coins go to those who expend real resources securing the network, not to insiders, political favorites, or early investors. No premine allocated coins to founders before the network launched, and no ICO sold tokens to speculators. No central authority decides who receives new issuance. The first block Satoshi mined followed the same rules as every subsequent block.
The contrast with alternatives is stark. Fiat currencies are issued by central banks to governments and politically connected institutions. Proof-of-stake systems reward existing holders proportionally to their holdings; the rich get richer by definition. Many cryptocurrencies launched with premines or insider allocations that enriched founders before public participation was possible.
Bitcoin’s mining lottery ensures that anyone willing to expend resources can compete for new issuance. Geographic location does not matter. Political connections do not matter. Existing wealth provides no special claim. A miner in any jurisdiction, operating any scale of equipment, has a probability of winning proportional to their share of network hash rate. The playing field is not perfectly level, as industrial miners have economies of scale, but it is open. No permission is required to participate.
This transforms issuance from a political question into a market process. New bitcoin flows to those who provide the service the network needs: computational security. The work is not wasted; it throttles block production and orders transactions while distributing new coins to those who protect the ledger.
Chain Selection and Consensus
Bitcoin maintains a blockchain: an ordered sequence of blocks, each referencing the hash of its predecessor. The first block (the genesis block)^11^ has no predecessor; every subsequent block commits to the entire history before it. Changing any transaction in any historical block would change that block’s hash, which would invalidate the reference in the next block, which would change its hash, cascading forward to the present. The structure makes history tamper-evident.
But tamper-evidence is not consensus. Multiple valid chains could exist. When a miner finds a valid block, they broadcast it to the network. Other miners, upon receiving it, face a choice: build on this block, or continue working on their current candidate. Network latency means different miners see different blocks at different times. Two miners might find valid blocks at nearly the same moment, each unaware of the other. The network temporarily has two valid chain tips.
The protocol treats the temporary fork as expected operation and specifies a resolution rule: nodes follow the chain with the most accumulated proof-of-work, so when one branch gets extended before the other, the extended branch has more work, and miners abandon the shorter branch to build on the longer one. The abandoned block becomes orphaned; its transactions return to the mempool for inclusion in future blocks.
The rule means that transactions become more secure over time. A transaction in the most recent block could be displaced if that block is orphaned. A transaction buried under six blocks would require an attacker to produce a competing chain with more work than six blocks’ worth, an increasingly expensive proposition. Deep transactions are practically irreversible.
Nakamoto’s original analysis goes further. The catch-up attempt can be modeled as a probability problem, not only an economic one. In the Bitcoin whitepaper’s Section 11, an attacker who tries to rewrite recent history is treated as a gambler playing against the house: each new block is a contest in which the honest network either extends its lead or gives the attacker a chance to close it. The whitepaper’s only non-computer-science reference, William Feller’s An Introduction to Probability Theory and Its Applications (1957), supplies the Gambler’s Ruin mathematics behind this framing.^5^ If the attacker commands less than half the network’s hash power, the probability of ever catching up falls exponentially with the number of confirmations the honest chain has already accumulated. Six confirmations, the common rule of thumb, flows directly from this analysis. Bitcoin’s security against deep reorganization is therefore emergent: probabilistic dynamics make the attack overwhelmingly unlikely to succeed, and the improbability compounds with each additional block.
This mechanism achieves consensus through accumulated work, with no voting and no predetermined validator set. The chain with most accumulated work is network agreement on transaction order. Nakamoto called it a “proof-of-work chain” that serves as “proof of the sequence of events witnessed.” Miners do not vote; they produce blocks. Nodes independently select the chain with most accumulated proof-of-work.
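The catch-up probability from the whitepaper's Section 11, as an added example rather than code from the chapter or from Nakamoto: it implements the stated formula (a Poisson model of the attacker's progress combined with the Gambler's Ruin term) and derives the confirmation counts the six-confirmation rule of thumb rests on; `confirmations_required` and its 0.1% threshold are assumptions mirroring the whitepaper's own table.

```python
from math import exp
from typing import List, Tuple


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling share q of hash power ever catches up
    from z blocks behind the honest chain (Bitcoin whitepaper, Section 11).

    With p = 1 - q, the attacker's progress while the honest chain mines z blocks is
    Poisson with mean z*q/p; from k blocks of progress, closing the remaining z-k gap
    is the Gambler's Ruin event with probability (q/p)**(z-k) when q < p."""
    p = 1.0 - q
    if q >= p:
        return 1.0  # an attacker with at least half the hash power catches up eventually
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        poisson = exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        total -= poisson * (1 - (q / p) ** (z - k))
    return total


def catch_up_table(q: float, max_z: int) -> List[Tuple[int, float]]:
    """The whitepaper-style table of (confirmations, attacker success probability)."""
    return [(z, attacker_success_probability(q, z)) for z in range(max_z + 1)]


def confirmations_required(q: float, max_probability: float = 0.001, limit: int = 1000) -> int:
    """Smallest number of confirmations z at which the attacker's success probability
    falls below max_probability (assumption: 0.1%, as in the whitepaper's table)."""
    for z in range(limit):
        if attacker_success_probability(q, z) < max_probability:
            return z
    raise ValueError("attacker share too large to reach the threshold within the limit")


if __name__ == "__main__":
    for z, prob in catch_up_table(0.1, 10):
        print(f"q=0.1 z={z:2d} P={prob:.7f}")
    for q in (0.1, 0.2, 0.3):
        print(f"q={q}: {confirmations_required(q)} confirmations for P < 0.1%")
```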
Why Miners Validate
Miners receive block rewards (newly created bitcoin) and transaction fees for producing valid blocks. But why do miners bother validating transactions and following protocol rules? They could produce blocks containing invalid transactions or claiming excess rewards. Nothing in proof-of-work itself prevents this; the hash function does not know whether the block contents are valid.
The answer lies in the economic structure, specifically in who defines what counts as bitcoin.^6^
Economically relevant participants such as merchants and exchanges often run full nodes. A full node independently validates every transaction against protocol rules: correct signatures, unspent inputs, valid amounts, proper block reward. A node does not ask anyone whether a transaction is valid; it checks for itself. If a block violates any rule, the node rejects it. The proof-of-work is irrelevant; invalid blocks are discarded regardless of how much computation went into producing them.
Miners produce blocks, but the validating economy defines the valid chain. A miner who produces an invalid block, whether claiming an inflated reward, including a double-spend, or violating any consensus rule, has wasted their computational resources. Economically relevant nodes will reject that block. The block reward exists only on a chain that the wider economy does not recognize. It cannot circulate as bitcoin if counterparties refuse it.
This creates the enforcement mechanism. Miners validate because the wider economy validates. The block reward and transaction fees are worthless unless counterparties accept them as payment. Since economically relevant nodes accept bitcoin only from the valid chain with most accumulated work, miners are economically compelled to produce valid blocks on that chain.
The relationship is subtle but essential. Miners do not control Bitcoin; they serve it. A miner with 51% of hash power could theoretically reorganize recent history or censor transactions, but cannot change the rules. Attempting to overclaim the block reward or spend coins they do not own would produce an invalid chain that merchants reject. Hash power without validity is worthless.
This structure inverts common intuitions about how the system is secured. Security does not come from miners being trustworthy; it comes from independent validation, because every economically relevant node is an enforcement point and the more participants validate independently, the more resilient the system becomes. Those who do not validate, who trust someone else’s node, have delegated their enforcement power and depend on that delegate’s honesty.
Bitcoin as Commitment Device
Thomas Schelling’s 1960 analysis of strategic interaction introduced the commitment device as a tool that rational parties use to constrain their own future actions in ways that make threats and promises credible.^7^ A government that wants a low-inflation reputation benefits from a central bank whose institutional design makes high inflation costly for its governors. A contract that binds both parties is worth more than a contract either side can walk away from. A protocol whose rules cannot be changed by the operator is more useful as a commitment than a protocol whose rules can be rewritten.
Bitcoin’s architecture is a commitment device in this sense. The 21-million-coin supply cap is a number in the consensus rules, and a sufficiently coordinated majority of the economy could change it; the economy that would change it is the same economy whose savings the cap protects, which is why the cap has held across sixteen years of attempts to renegotiate it. The difficulty adjustment binds hash-rate growth to block timing, so that increased resources committed to the chain’s security cannot accelerate issuance or rewrite the monetary schedule. The proof-of-work chain is a commitment to whichever transaction ordering accumulated the most work, which binds every participant to treat the chain they join as the chain they will extend. Each is a self-imposed constraint participants honor because the value of honoring it depends on everyone else honoring it too.
Nick Szabo’s earlier work on smart contracts and the God protocols brought the same framing into the cypherpunk tradition.^8^ A contract executed by code is a commitment device whose enforcement is the code’s determinism, and participants extend trust to the deterministic execution instead of to any enforcer’s discretion. Bitcoin works as money because the protocol’s commitment is encoded in data every participant validates, and every participant’s validation is independent of any other participant’s willingness to honor a promise.
Chapter Summary
Digital money failed for years because two problems remained unsolved at once. Systems could protect privacy without decentralization or decentralize some functions without producing money proper, but none could prevent double-spending without reintroducing trusted control. Bitcoin succeeded by combining previously separate ideas into one architecture.^12^ Proof-of-work throttled denial-of-service and made cost imposition measurable. Chain selection solved transaction ordering without a central ledger: the chain with the most accumulated work is the chain, and an attacker who tries to rewrite recent history is playing a Gambler’s Ruin whose probability of success falls exponentially with each additional confirmation. Mining issues the asset through the same process that defends the network, which separates security from monetary policy: increased hash rate produces more security, not more bitcoin. This distinguishes Bitcoin from B-money and Bit Gold, where proof-of-work created monetary units directly and tied supply to hardware economics.
Bitcoin is base money. Unlike DigiCash balances or e-gold accounts, bitcoin units are not claims on an issuer. Holders possess the units themselves, verified by running a full node against consensus rules that no single entity controls. Miners produce blocks, but the validating economy defines the valid chain: a miner who tries to overclaim the block reward or spend coins they do not own produces an invalid chain that merchants and exchanges reject, and hash power without validity is worthless. The architecture is a commitment device in Schelling’s sense: rules that every participant can verify independently bind everyone to the same ledger, and no single authority can alter them without convincing the network to run different software.
Bitcoin’s monetary properties, its resistance to shutdown, and the empirical survival record belong to Chapter 19. Its privacy model (the base layer’s transparency, chain-analysis threats, and the layered privacy tools built around it) belongs to Chapter 20. This chapter argues that proof-of-work solved specific problems its predecessors could not; alternative consensus mechanisms exist, and their comparison is the subject of separate work.
Endnotes
^1^ Satoshi Nakamoto, “Bitcoin: A Peer-to-Peer Electronic Cash System” (2008), https://bitcoin.org/bitcoin.pdf. First introduced at Chapter 2, note 8, which covers Bitcoin’s canonical project pages and launch context.
^2^ David Chaum, “Blind Signatures for Untraceable Payments,” Advances in Cryptology: Proceedings of Crypto 82, ed. David Chaum, Ronald L. Rivest, and Alan T. Sherman (Plenum Press, 1983), 199–203, is the foundational paper introducing blind signatures. Chaum, “Security Without Identification: Transaction Systems to Make Big Brother Obsolete,” Communications of the ACM 28, no. 10 (1985): 1030–1044, extends the argument to a whole-system design. For Hal Finney’s 1993 explanation of how Chaumian ecash detects double-spending while preserving anonymity until the second spend, see Finney, “Detecting Double Spending,” https://nakamotoinstitute.org/library/detecting-double-spending/. DigiCash’s company history is documented in Steven Levy, Crypto (Viking, 2001), chapter 8; on DigiCash’s bankruptcy (1998), see Julian Dibbell, “In Gold We Trust,” Wired (January 2002). On e-gold’s shutdown: the U.S. Department of Justice charged the operators of e-gold Ltd. in April 2007 under 18 U.S.C. § 1960 (operating an unlicensed money-transmitting business); the principals pleaded guilty in 2008 and the service ceased redemptions in 2009. United States v. e-gold, Ltd., No. 1:07-cr-00109 (D.D.C. 2007).
^3^ Adam Back, “Hashcash: A Denial of Service Counter-Measure,” Technical Report (2002), http://www.hashcash.org/papers/hashcash.pdf. The original proposal was announced on the cypherpunks mailing list in March 1997. For the bridge from non-reusable Hashcash stamps to transferable tokens backed by trusted hardware, see Hal Finney’s RPOW announcement (2004), https://nakamotoinstitute.org/library/rpow/. For the broader proof-of-work literature that Hashcash descends from, Cynthia Dwork and Moni Naor, “Pricing via Processing or Combatting Junk Mail,” CRYPTO ’92 (1993), 139–147, introduced the idea of using computational cost as an access-control mechanism.
^4^ Wei Dai, “b-money,” unpublished proposal (November 1998), http://www.weidai.com/bmoney.txt. Nick Szabo, “Bit Gold” (1998, published on Szabo’s blog in 2005), https://unenumerated.blogspot.com/2005/12/bit-gold.html. Szabo’s later “Bit Gold Markets” (2008), https://nakamotoinstitute.org/library/bit-gold-markets/, makes explicit the non-fungibility problem this chapter highlights: because puzzle solutions from different periods would have different production costs, markets would have to pool and tranche them into standard-value bundles. For the timestamping lineage that Bit Gold presupposes, see W. Scott Stornetta and Stuart Haber, “How to Time-Stamp a Digital Document” (1991), https://nakamotoinstitute.org/library/time-stamp-digital-document/. Satoshi Nakamoto cited Dai’s b-money in the Bitcoin whitepaper; the relationship between Bit Gold and Bitcoin is more elliptical but the conceptual debt is clear.
^5^ William Feller, An Introduction to Probability Theory and Its Applications, vol. 1 (New York: John Wiley & Sons, 1957), is cited in the Bitcoin whitepaper as reference [8] and supplies the Gambler’s Ruin analysis that Nakamoto uses to bound the probability of an attacker catching up to the honest chain. Bitcoin’s resistance to deep reorganization is not a wall the protocol builds around transactions but an emergent property of probabilistic dynamics under adversarial conditions, with the probability of successful attack falling exponentially as confirmations accumulate. The whitepaper’s Section 11 contains the full derivation.
^6^ On the economic relationship between merchants and miners, see Eric Voskuil, “Qualitative Security Model,” Cryptoeconomics (2020), https://github.com/libbitcoin/libbitcoin-system/wiki/Qualitative-Security-Model. Voskuil emphasizes that individuals who do not personally validate have delegated validation to a central authority, undermining the security model. For the wider treatment of Bitcoin’s security model in this book, see Chapter 5, note 9.
^7^ Thomas C. Schelling, The Strategy of Conflict (Cambridge, MA: Harvard University Press, 1960), especially chapter 2 (“An Essay on Bargaining”). Schelling’s later work in Arms and Influence (Yale University Press, 1966) develops the commitment-device analysis for strategic interaction more generally. For the economic application to monetary institutions, Finn E. Kydland and Edward C. Prescott, “Rules Over Discretion: The Inconsistency of Optimal Plans,” Journal of Political Economy 85, no. 3 (1977): 473–491, formalizes the time-inconsistency problem that central-bank commitment devices address.
^8^ Nick Szabo, “Smart Contracts: Building Blocks for Digital Markets” (1996), and “The God Protocols” (1997), both at https://nakamotoinstitute.org/the-god-protocols/ and https://www.fon.hum.uva.nl/rob/Courses/InformationInSpeech/CDROM/Literature/LOTwinterschool2006/szabo.best.vwh.net/smart_contracts_2.html. Szabo’s “Shelling Out: The Origins of Money” (2002), https://nakamotoinstitute.org/shelling-out/, develops the framing across commodity-money history. For the cryptoeconomic lineage connecting commitment devices to consensus protocols, see Vitalik Buterin, “A Next-Generation Smart Contract and Decentralized Application Platform” (2014), and Eric Voskuil, “Cryptoeconomics” (2020) already cited in note 6. For the earliest Bitcoin-era primary sources, Hal Finney’s posts to the cypherpunks mailing list (1992–2004) and to Bitcointalk (2009–2013) are archived at https://bitcointalk.org/index.php?action=profile;u=2435 and, for the earlier cypherpunk-era correspondence, at https://cypherpunks.venona.com; Finney received the first Bitcoin transaction from Satoshi on January 12, 2009 and posted one of the first public analyses of Bitcoin’s privacy properties. For a historical treatment of these precursors and their relationship to Bitcoin, see Finn Brunton, Digital Cash: The Unknown History of the Anarchists, Utopians, and Technologists Who Created Cryptocurrency (Princeton University Press, 2019), and Nathaniel Popper, Digital Gold (HarperCollins, 2015), chapters 1–3. On Byzantine fault tolerance, the classical underlying problem Bitcoin’s consensus solves probabilistically, see Leslie Lamport, Robert Shostak, and Marshall Pease, “The Byzantine Generals Problem,” ACM Transactions on Programming Languages and Systems 4, no. 3 (1982): 382–401, https://lamport.azurewebsites.net/pubs/byz.pdf. For the comparative lineage across all these precursors, see Arvind Narayanan and Jeremy Clark, “Bitcoin’s Academic Pedigree,” Communications of the ACM 60, no. 12 (2017): 36–45.
^9^ SHA-256 (Secure Hash Algorithm 256-bit) was designed by the U.S. National Security Agency and published by NIST in 2001 as FIPS PUB 180-2. Bitcoin uses a double application of SHA-256 (SHA-256d) for block hashing and a SHA-256/RIPEMD-160 combination for address derivation. The algorithm specification is available at National Institute of Standards and Technology, “Secure Hash Standard (SHS),” FIPS PUB 180-4 (2015), https://csrc.nist.gov/publications/detail/fips/180/4/final. For the security properties that make SHA-256 suitable for proof-of-work (collision resistance, preimage resistance, and the avalanche effect), see Alfred J. Menezes, Paul C. van Oorschot, and Scott A. Vanstone, Handbook of Applied Cryptography (CRC Press, 1996), chapter 9, freely available at https://cacr.uwaterloo.ca/hac/.
^10^ The Bitcoin supply schedule and halving mechanism are specified in the Bitcoin whitepaper, section 6 (“Incentive”), and encoded in Bitcoin Core’s GetBlockSubsidy() function. The 210,000-block halving interval and 21-million-coin cap are consensus rules enforced by every full node. For the on-chain record of each halving event, see https://mempool.space/mining. The economic implications of the fixed supply and disinflationary issuance are analyzed in Saifedean Ammous, The Bitcoin Standard: The Decentralized Alternative to Central Banking (Wiley, 2018), chapters 1–3, which situates Bitcoin’s supply schedule against the stock-to-flow dynamics of gold and silver. For a critical examination of the fee-transition question (what happens to miner revenue when block subsidies approach zero), see Miles Carlsten et al., “On the Instability of Bitcoin Without the Block Reward,” ACM CCS (2016).
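The issuance rule from note 10, as an added example (a Python rendering of the logic of Bitcoin Core's GetBlockSubsidy(), not the project's code): the subsidy halves every 210,000 blocks, the shift is capped after 64 halvings because a shift of 64 or more is undefined on a 64-bit integer in C++, and summing every era shows why the cap lands just under 21 million coins rather than exactly on it.

```python
COIN = 100_000_000          # satoshis per bitcoin
HALVING_INTERVAL = 210_000  # consensus rule: blocks per subsidy era


def get_block_subsidy(height: int) -> int:
    """Block subsidy in satoshis at a given height (mirrors GetBlockSubsidy())."""
    halvings = height // HALVING_INTERVAL
    if halvings >= 64:
        return 0  # guard: a >= 64-bit right shift would be undefined behaviour in C++
    return (50 * COIN) >> halvings  # integer halving: fractional satoshis are dropped


def total_supply_sats() -> int:
    """Sum the subsidy of every block across all eras until it shifts to zero."""
    total = 0
    height = 0
    while True:
        subsidy = get_block_subsidy(height)
        if subsidy == 0:
            return total
        total += subsidy * HALVING_INTERVAL
        height += HALVING_INTERVAL


def eras_until_zero() -> int:
    """Number of eras that still pay a non-zero subsidy."""
    n = 0
    while get_block_subsidy(n * HALVING_INTERVAL) > 0:
        n += 1
    return n


if __name__ == "__main__":
    for h in (0, 210_000, 420_000, 630_000, 840_000):
        print(f"height {h:>7}: {get_block_subsidy(h) / COIN:.8f} BTC")
    print(f"subsidy eras: {eras_until_zero()}")
    print(f"total supply: {total_supply_sats() / COIN:.8f} BTC")
```

The integer shift discards fractional satoshis in the later eras, which is why the total is 20,999,999.9769 BTC and not 21,000,000.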
^11^ The genesis block (block 0) was mined by Satoshi Nakamoto on January 3, 2009. Its coinbase transaction contains the text “The Times 03/Jan/2009 Chancellor on brink of second bailout for banks,” a reference to that day’s front-page headline in The Times (London), functioning as a timestamp and a statement of purpose. The block hash is 000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f. It is viewable at https://mempool.space/block/000000000019d6689c085ae165831e934ff763ae46a2a6c172b3f1b60a8ce26f. Uniquely, the 50 BTC coinbase reward in the genesis block is unspendable: it was not included in the initial unspent transaction output set. For a detailed analysis of the genesis block’s technical properties and embedded message, see Jameson Lopp, “Bitcoin’s Genesis Block,” https://blog.lopp.net/bitcoins-genesis-block/.
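Notes 9 and 11 together, as an added example that is not code from the book: it serialises the 80-byte genesis block header, applies SHA-256d, checks the result against the hash quoted in note 11, and decodes the compact “bits” field into the proof-of-work target the hash must not exceed. The header field values other than the hash (merkle root, timestamp, bits, nonce) are the genesis block's public values and are not quoted in the note; the helper names are this example's own.

```python
import hashlib


def sha256d(data: bytes) -> bytes:
    """Bitcoin's double SHA-256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def serialize_header(version: int, prev_hash_hex: str, merkle_root_hex: str,
                     timestamp: int, bits: int, nonce: int) -> bytes:
    """Build the 80-byte header. Hashes are displayed big-endian but stored reversed."""
    return (version.to_bytes(4, "little")
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + timestamp.to_bytes(4, "little")
            + bits.to_bytes(4, "little")
            + nonce.to_bytes(4, "little"))


def block_hash_hex(header: bytes) -> str:
    """SHA-256d of the header, shown in the usual reversed (display) byte order."""
    return sha256d(header)[::-1].hex()


def target_from_bits(bits: int) -> int:
    """Decode the compact target: mantissa * 256^(exponent-3). Assumes exponent >= 3."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF  # bit 23 is a sign flag and is never set for valid targets
    return mantissa << (8 * (exponent - 3))


def meets_target(hash_hex: str, bits: int) -> bool:
    """Proof-of-work check: the hash, read as a 256-bit integer, must not exceed the target."""
    return int(hash_hex, 16) <= target_from_bits(bits)


# Genesis block header fields (public chain data; only the block hash appears in the note).
GENESIS_MERKLE_ROOT = "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b"
GENESIS_BITS = 0x1D00FFFF
GENESIS_HEADER = serialize_header(1, "00" * 32, GENESIS_MERKLE_ROOT,
                                  1231006505, GENESIS_BITS, 2083236893)


def genesis_block_hash() -> str:
    return block_hash_hex(GENESIS_HEADER)


if __name__ == "__main__":
    h = genesis_block_hash()
    print(h, "meets target:", meets_target(h, GENESIS_BITS))
    print("target:", f"{target_from_bits(GENESIS_BITS):064x}")
```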
^12^ For a textbook-level synthesis of how Bitcoin combines proof-of-work, the blockchain data structure, and distributed consensus, see Arvind Narayanan, Joseph Bonneau, Edward Felten, Andrew Miller, and Steven Goldfeder, Bitcoin and Cryptocurrency Technologies (Princeton University Press, 2016), freely available at https://bitcoinbook.cs.princeton.edu/. Chapter 2 covers the cryptographic primitives (hash functions, hash pointers, digital signatures) that underpin the architecture described here, and chapter 3 covers the mechanics of Bitcoin’s consensus protocol. Narayanan and Clark’s companion article, “Bitcoin’s Academic Pedigree,” Communications of the ACM 60, no. 12 (2017): 36–45, traces how each component of Bitcoin’s design draws on prior academic work, providing the most complete map of Bitcoin’s intellectual lineage available in a single source.
The Praxeology of Privacy – third edition. New chapters publish daily at 1600 UTC.