Wei Dai's "b-money" protocol

Wei Dai recently announced (on cypherpunks) his "b-money, a new protocol for monetary exchange and contract enforcement for pseudonyms". Below is the text of his proposal. Comments to follow.

Adam

======================================================================
http://www.eskimo.com/~weidai/bmoney.txt
======================================================================

I am fascinated by Tim May's crypto-anarchy. Unlike the communities traditionally associated with the word "anarchy", in a crypto-anarchy the government is not temporarily destroyed but permanently forbidden and permanently unnecessary. It's a community where the threat of violence is impotent because violence is impossible, and violence is impossible because its participants cannot be linked to their true names or physical locations.

Until now it's not clear, even theoretically, how such a community could operate. A community is defined by the cooperation of its participants, and efficient cooperation requires a medium of exchange (money) and a way to enforce contracts. Traditionally these services have been provided by the government or government sponsored institutions and only to legal entities. In this article I describe a protocol by which these services can be provided to and by untraceable entities.

I will actually describe two protocols. The first one is impractical, because it makes heavy use of a synchronous and unjammable anonymous broadcast channel. However it will motivate the second, more practical protocol. In both cases I will assume the existence of an untraceable network, where senders and receivers are identified only by digital pseudonyms (i.e. public keys) and every message is signed by its sender and encrypted to its receiver.

In the first protocol, every participant maintains a (separate) database of how much money belongs to each pseudonym. These accounts collectively define the ownership of money, and how these accounts are updated is the subject of this protocol.
1. The creation of money. Anyone can create money by broadcasting the solution to a previously unsolved computational problem. The only conditions are that it must be easy to determine how much computing effort it took to solve the problem and the solution must otherwise have no value, either practical or intellectual. The number of monetary units created is equal to the cost of the computing effort in terms of a standard basket of commodities. For example if a problem takes 100 hours to solve on the computer that solves it most economically, and it takes 3 standard baskets to purchase 100 hours of computing time on that computer on the open market, then upon the broadcast of the solution to that problem everyone credits the broadcaster's account by 3 units.

2. The transfer of money. If Alice (owner of pseudonym K_A) wishes to transfer X units of money to Bob (owner of pseudonym K_B), she broadcasts the message "I give X units of money to K_B" signed by K_A. Upon the broadcast of this message, everyone debits K_A's account by X units and credits K_B's account by X units, unless this would create a negative balance in K_A's account in which case the message is ignored.

3. The effecting of contracts. A valid contract must include a maximum reparation in case of default for each participant party to it. It should also include a party who will perform arbitration should there be a dispute. All parties to a contract including the arbitrator must broadcast their signatures of it before it becomes effective. Upon the broadcast of the contract and all signatures, every participant debits the account of each party by the amount of his maximum reparation and credits a special account identified by a secure hash of the contract by the sum of the maximum reparations. The contract becomes effective if the debits succeed for every party without producing a negative balance, otherwise the contract is ignored and the accounts are rolled back.
A sample contract might look like this:

K_A agrees to send K_B the solution to problem P before 0:0:0 1/1/2000.
K_B agrees to pay K_A 100 MU (monetary units) before 0:0:0 1/1/2000.
K_C agrees to perform arbitration in case of dispute.
K_A agrees to pay a maximum of 1000 MU in case of default.
K_B agrees to pay a maximum of 200 MU in case of default.
K_C agrees to pay a maximum of 500 MU in case of default.

4. The conclusion of contracts. If a contract concludes without dispute, each party broadcasts a signed message "The contract with SHA-1 hash H concludes without reparations." or possibly "The contract with SHA-1 hash H concludes with the following reparations: ..." Upon the broadcast of all signatures, every participant credits the account of each party by the amount of his maximum reparation, removes the contract account, then credits or debits the account of each party according to the reparation schedule if there is one.

5. The enforcement of contracts. If the parties to a contract cannot agree on an appropriate conclusion even with the help of the arbitrator, each party broadcasts a suggested reparation/fine schedule and any arguments or evidence in his favor. Each participant makes a determination as to the actual reparations and/or fines, and modifies his accounts accordingly.

In the second protocol, the accounts of who has how much money are kept by a subset of the participants (called servers from now on) instead of everyone. These servers are linked by a Usenet-style broadcast channel. The format of transaction messages broadcast on this channel remains the same as in the first protocol, but the affected participants of each transaction should verify that the message has been received and successfully processed by a randomly selected subset of the servers. Since the servers must be trusted to a degree, some mechanism is needed to keep them honest.
Each server is required to deposit a certain amount of money in a special account to be used as potential fines or rewards for proof of misconduct. Also, each server must periodically publish and commit to its current money creation and money ownership databases. Each participant should verify that his own account balances are correct and that the sum of the account balances is not greater than the total amount of money created. This prevents the servers, even in total collusion, from permanently and costlessly expanding the money supply. New servers can also use the published databases to synchronize with existing servers.

The protocol proposed in this article allows untraceable pseudonymous entities to cooperate with each other more efficiently, by providing them with a medium of exchange and a method of enforcing contracts. The protocol can probably be made more efficient and secure, but I hope this is a step toward making crypto-anarchy a practical as well as theoretical possibility.

======================================================================

Some discussion of the properties of Wei's b-money protocol.

b-money seems to be a book entry ecash system related to hashcash, where the "book" is open, and distributed. Anonymity is derived from the fact that the participants can be pseudonymous. hashcash would be a candidate function for Wei's decentralised minting idea: to create value you burn CPU time, just like with hashcash, but Wei's distributed open book entry system allows you to pseudonymously exchange value.

Problems are (1) inflation, (2) borrowing resources, (3) linkability of transactions, (4) b-money has a big bulk discount, (5) getting money in and (6) out, (7) resource waste.

(1) Inflation -- the cost of hardware to compute a given collision falls in line with Moore's law. Perhaps one could get around this by defining a b-money unit to require more computational effort over time. Say define 1 b-money unit to be the computational effort of 1 month's compute on the most efficient hardware that can be bought for $1000 at current prices and state of hardware.

(2) Borrowing resources -- a student with access to a campus full of workstations can obtain quite a bit of free CPU time.

(3) Linkability -- although the participants are anonymous, their transactions are linkable and so participants are pseudonymous in b-money (linkable anonymity being pseudonymity). This is inherent because of the need to broadcast transactions to ensure the open book entry is updated.

(4) You can get money in -- by buying hardware -- but it will cost different people different amounts. If I am using an existing general purpose workstation my units will cost more than if I buy custom hardware. Not so bad a problem, just view this as an economy of scale, or a bulk discount.

(5) Getting money in by buying hardware works, but people don't want the inconvenience of buying custom hardware, they would rather just buy b-money for force-monopoly backed money (national currencies).
If we set up a mint which made it its business to buy up-to-date custom hardware it would be difficult to buy b-money anonymously because the pseudonym would reveal his identity by the use of traceable payment systems (credit card, cheque, wire transfer, etc).

(6) Getting money out is difficult also. The pseudonymous b-money user would find it difficult to obtain force-monopoly money without revealing his identity.

(7) If such a system took off there seems to be an overhead equivalent to the value of b-money in circulation which over time has essentially been burnt off in dissipated heat, and useless hardware. But probably the cost is still much lower than the enormous costs involved in maintaining a force monopoly to enforce traceable transactions.

Some thoughts on ways to improve on some of these areas:

To improve the problems of pseudonym identity leakage in (5) (paying for b-money) perhaps we could formulate a blinded cost function rather than my suggestion of hashcash. In this way one could easily purchase hashcash. One approach to achieving this would be to have an ordinary ecash mint using chaumian blinding but somehow be able to audit that the mint is producing hashcash tokens to match each ecash withdrawal. Then we would have a blind ecash mint backed in hashcash. The purchasing pseudonym unblinds the token and broadcasts it. Servers check that it has not been seen before, and increase the pseudonym's balance by its value. Periodically the hashcash mint has to publish its hashcash to prove that it is not cheating.

It may be that you could find a blind cost function which achieves both blinding and some cost function at the same time, to skip the stage of the mint publishing associated hashcash.

Adam
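The ledger rules of Wei's first protocol (creation by proof of work, transfers that may not overdraw, contracts that escrow each party's maximum reparation under the contract's hash, and conclusion with a reparation schedule) are small enough to run. What follows is an added example written for this page, not code from Wei or Adam. It assumes, as the proposal does, that the untraceable network has already verified every message's signature, so a message just carries the pseudonym that signed it; the hashcash-style partial SHA-256 preimage as the "computational problem", the constructed exchange rate HASH_PER_UNIT (hashes of work per standard basket), and the pseudonym names and amounts are all assumptions for illustration.

```python
"""One participant's copy of the b-money ledger (first protocol). Added example.
Assumes the transport has already checked each message's signature."""
import hashlib

HASH_PER_UNIT = 1024  # constructed rate: this many hashes of work cost one standard basket


def pow_valid(bits: int, salt: bytes, counter: int) -> bool:
    """A solution is a counter whose SHA-256 over (salt, counter) has `bits` leading zero bits."""
    digest = hashlib.sha256(salt + counter.to_bytes(8, "big")).digest()
    return int.from_bytes(digest, "big") >> (256 - bits) == 0

def pow_solve(bits: int, salt: bytes) -> int:
    """Brute force; about 2**bits hashes on average, and that expected effort is what gets credited."""
    counter = 0
    while not pow_valid(bits, salt, counter):
        counter += 1
    return counter

def contract_id(text: str) -> str:
    """The escrow account is named by the contract's hash (the proposal says SHA-1)."""
    return hashlib.sha1(text.encode()).hexdigest()

class Ledger:
    def __init__(self):
        self.balances = {}
        self.solved = set()      # (bits, salt) already credited: a problem pays only once
        self.escrow = {}         # contract hash -> {party: maximum reparation held}
        self.total_created = 0

    def bal(self, k):
        return self.balances.get(k, 0)

    def create(self, minter, bits, salt, counter):
        """1. Creation: credit the broadcaster with the expected cost of the work, priced in baskets."""
        if (bits, salt) in self.solved or not pow_valid(bits, salt, counter):
            return 0
        self.solved.add((bits, salt))
        units = (1 << bits) // HASH_PER_UNIT
        self.balances[minter] = self.bal(minter) + units
        self.total_created += units
        return units

    def transfer(self, sender, receiver, amount):
        """2. Transfer: the message is ignored if it would drive the sender negative."""
        if amount <= 0 or self.bal(sender) < amount:
            return False
        self.balances[sender] -= amount
        self.balances[receiver] = self.bal(receiver) + amount
        return True

    def activate(self, text, max_reparation, signatures):
        """3. Effecting: every party (arbitrator included) must sign; each posts its maximum reparation."""
        h = contract_id(text)
        if set(signatures) != set(max_reparation) or h in self.escrow:
            return None
        if any(self.bal(p) < bond for p, bond in max_reparation.items()):
            return None          # some debit would go negative: contract ignored, nothing moves
        for p, bond in max_reparation.items():
            self.balances[p] -= bond
        self.escrow[h] = dict(max_reparation)
        return h

    def conclude(self, h, signatures, reparations=None):
        """4. Conclusion: all parties sign; bonds return, then the agreed reparations move between parties."""
        bonds = self.escrow.get(h)
        reparations = reparations or {}
        if bonds is None or set(signatures) != set(bonds) or sum(reparations.values()) != 0:
            return False
        if any(-delta > bonds.get(p, 0) for p, delta in reparations.items()):
            return False         # nobody pays more than the maximum he posted
        for p, bond in bonds.items():
            self.balances[p] += bond
        del self.escrow[h]
        for p, delta in reparations.items():
            self.balances[p] = self.bal(p) + delta
        return True

    def supply_consistent(self):
        """The audit the proposal asks of participants: balances plus escrow never exceed money created."""
        held = sum(self.balances.values()) + sum(sum(b.values()) for b in self.escrow.values())
        return held == self.total_created

def run_demo():
    ledger = Ledger()
    salt_a, salt_c = b"K_A:problem-1", b"K_C:problem-1"        # constructed problem identifiers
    ledger.create("K_A", 14, salt_a, pow_solve(14, salt_a))  # 2**14 // 1024 = 16 units
    ledger.create("K_A", 14, salt_a, pow_solve(14, salt_a))  # rebroadcast of a solved problem: 0
    ledger.create("K_C", 12, salt_c, pow_solve(12, salt_c))  # 4 units
    ledger.transfer("K_A", "K_B", 5)                          # K_A 11, K_B 5
    ledger.transfer("K_B", "K_C", 9)                          # overdraft: ignored
    text = "K_A sends K_B the solution to P before 0:0:0 1/1/2000; K_B pays K_A 3 MU; K_C arbitrates."
    h = ledger.activate(text, {"K_A": 10, "K_B": 2, "K_C": 3}, ["K_A", "K_B", "K_C"])
    # K_A defaults; with the arbitrator's help the parties agree K_A owes K_B 4 MU
    ledger.conclude(h, ["K_A", "K_B", "K_C"], {"K_A": -4, "K_B": 4})
    return ledger

if __name__ == "__main__":
    print(run_demo().balances)   # {'K_A': 7, 'K_B': 9, 'K_C': 4}
```

The two checks worth noticing are the ones Wei's text puts on every participant rather than on any server: `activate` refuses the whole contract if any single bond would overdraw (so accounts never need rolling back in practice), and `supply_consistent` is the client-side audit from the second protocol, which the escrow accounts must be included in or honest servers would appear to have destroyed money.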

On Fri, Dec 11, 1998 at 02:27:10AM -0800, bill.stewart@pobox.com wrote:
It still doesn't solve the fundamental problem with the b-money idea, which is that there's no reason anybody should want to accept it, any more than they should want to accept dead-president fiat paper money. It fixes some symptoms of fiat money, but not the fundamental problem, because it's still fiat money, just with mathematically interesting artwork printed on the front.
This argument is based on the misconception that people have no reason to want to accept fiat money. But actually fiat money is valuable because it performs a service for those who use it, namely the service of a medium of exchange. Its value derives from the fact that there is positive demand for a medium of exchange, and the fact that its supply is finite and controlled by a sufficiently benevolent agency. Think about it this way. In the case of commodity money, its value comes partly from the industrial/aesthetic value of the commodity and partly from the usefulness of the commodity money as a medium of exchange. In the case of fiat money and b-money, all of its value comes from its usefulness as a medium of exchange.

This argument is based on the misconception that people have no reason to want to accept fiat money. But actually fiat money is valuable because it performs a service for those who use it, namely the service of a medium of exchange. Its value derives from the fact that there is positive demand for a medium of exchange, and the fact that its supply is finite and controlled by a sufficiently benevolent agency.
It is true that there is positive demand for a medium of exchange. It is not true that fiat money is controlled by a sufficiently benevolent agency, and it is patently not true that there is a finite supply. National monies are in effect, and in demand, because they are mandated by a number of methods. The US$ was made the dominant form by punitive taxation of alternates in the late 1900s. Other countries like the UK managed to destroy competitors, and in the course of this, bankrupt honest note issuers, by subjecting the note issuers to The notion that the current issuer of that money is benevolent is easily tested by circulating alternate monies. Any casino in the US will tell you that the reason they won't permit their chips to go outside is because the feds have quiet words with them. Disregarding journalistic fairy tales like Hiawatha Hours (or whatever they were called), pretty universally, you run the risk of being locked up if you circulate something called money. Of course, the Internet has changed all this. But not as much as you'd think, I'd lay 10 to 1 that if you started an issuer of Internet money on the wrong side of the German border you'd be finding out what bored prison guards talk about. The Federal Reserve of the US has said fairly plainly that you can do this. But the ABA, FinCen, the FBI, the DEA, and any other moralistic department of the US government that wants to get in the act are going to be looking at this with jaundiced eyes. The value of any monopolistic product can be simplistically stated to be driven by supply and demand, but the truth is different. Only when there is free issue of money will we know if a government can compete against the best and brightest of the profit minded world. In the past, the answer was a resounding No, as otherwise, governments would not have had to resort to legislation, taxes and other arbitrary punishments in order to win the field.
Think about it this way. In the case of commodity money, its value comes partly from the industrial/aesthetic value of the commodity and partly from the usefulness of the commodity money as a medium of exchange. In the case of fiat money and b-money, all of its value comes from its usefulness as a medium of exchange.
And a government enforced monopoly. The value of that is calculated at the seigniorage, assuming that we agree that no government could compete on fair grounds. That makes the US monopoly worth $25 Bn per annum.

iang

On Fri, Dec 11, 1998 at 06:48:05PM -0400, Ian Grigg wrote:
It is true that there is positive demand for a medium of exchange.
It is not true that fiat money is controlled by a sufficiently benevolent agency, and it is patently not true that there is a finite supply.
What I meant is that the current supply of money (i.e. the total amount of money in circulation) is finite, not that it can't increase in the future. And by sufficiently benevolent, I mean people do not expect the government to print so much money that it becomes totally worthless, at least not in the short term. I'm not trying to defend fiat money. After all I proposed b-money as an alternative exactly because fiat money does have serious problems. But having no reason for people to accept it is not one of them.

On Sun, Dec 06, 1998 at 12:08:04AM +0000, Adam Back wrote:
(1) Inflation -- the cost of hardware to compute a given collision falls in line with Moores law. Perhaps one could get around this by defining a b-money unit to require more computational effort over time. Say define 1 b-money unit to be the computational effort of 1 months compute on the most efficient hardware that can be bought for $1000 at current prices and state of hardware.
Actually this problem has already been accounted for in the protocol. The amount of b-money you create when you burn some CPU time depends on the relative cost of CPU time versus a standard basket of goods. As the cost of computation falls relative to that basket, the amount of CPU time needed to create a unit of b-money automatically rises. So the result is that there should be no inflation with b-money, unless the b-money economy shrinks or the velocity of b-money increases (because it's not possible to reduce the b-money money supply).
(3) Linkability -- although the participants are anonymous, their transactions are linkable and so participants are pseudonymous in b-money (linkable anonymity being pseudonymity). This is inherent because of the need to broadcast transactions to ensure the open book entry is updated.
(4) You can get money in -- by buying hardware -- but it will cost different people different amounts. If I am using an existing general purpose workstation my units will cost more than if I buy custom hardware. Not so bad a problem, just view this as an economy of scale, or a bulk discount.
(5) Getting money in by buying hardware works, but people don't want the inconvenience of buying custom hardware, they would rather just buy b-money for force-monopoly backed money (national currencies). If we setup a mint which made it it's business to buy up-to-date custom hardware it would be difficult to buy b-money anonymously because the pseudonym would reveal his identity by the use of traceable payment systems (credit card, cheque, wire transfer, etc).
(6) Getting money out is difficult also. The pseudonymous b-money user would find it difficult to obtain force-monopoly money without revealing his identity.
Problems 3-6 can be solved with my payment-mix idea. This is simply a Chaumian mint where people buy blinded ecash with b-money and then sell it back a little later under a different pseudonym. Presto your b-money is no longer linkable. The nice thing about this mint is that you don't have to trust it very much since it should have very few outstanding obligations at any one time. What obligations it does have of course can be backed with b-money.
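Wei's payment mix above, and the blinded hashcash-backed mint Adam sketches earlier in the thread, both rest on a Chaumian blind signature: the mint signs a value it cannot read, so the token it later redeems cannot be matched to the pseudonym that bought it. The following is an added example written for this page, not code from Wei, Adam, or any project: an RSA blind-signature mint in stdlib Python. The "MINT" account, the one-unit price per token, the shared balance table standing in for the b-money ledger, the toy 512-bit key size, and the pseudonym names are all assumptions for illustration.

```python
"""Payment mix for b-money: a Chaumian (RSA blind-signature) mint. Added example, stdlib only."""
import hashlib
import secrets

E = 65537

def is_probable_prime(n: int, rounds: int = 32) -> bool:
    """Miller-Rabin primality test."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def gen_prime(bits: int) -> int:
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if is_probable_prime(cand):
            return cand

def rsa_keygen(bits: int = 512):
    """Returns (private (d, n), public (e, n)); 512 bits keeps the demo fast, not secure."""
    while True:
        p, q = gen_prime(bits // 2), gen_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E:          # E is prime, so gcd(E, phi) == 1 iff E does not divide phi
            return (pow(E, -1, phi), p * q), (E, p * q)

def hash_to_int(serial: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(serial).digest(), "big") % n

def blind(pk, serial):
    """Client: hide H(serial) under a random factor r before the mint ever sees it."""
    e, n = pk
    while True:
        r = secrets.randbelow(n - 2) + 2
        try:
            pow(r, -1, n)               # r must be invertible mod n
            break
        except ValueError:
            continue
    return hash_to_int(serial, n) * pow(r, e, n) % n, r

def unblind(pk, blinded_sig, r):
    _, n = pk
    return blinded_sig * pow(r, -1, n) % n   # (H(m) r^e)^d r^-1 = H(m)^d

def verify(pk, serial, sig):
    e, n = pk
    return pow(sig, e, n) == hash_to_int(serial, n)

class Mint:
    """Owns the 'MINT' account in a balance table that stands in for the b-money ledger (assumption)."""
    def __init__(self, balances: dict):
        self.sk, self.pk = rsa_keygen()
        self.balances = balances
        self.balances.setdefault("MINT", 0)
        self.spent = set()
        self.sold = 0
        self.log = []                        # all the mint learns at sale: (pseudonym, blinded value)

    def sell(self, pseudonym, blinded):
        """One unit of b-money buys one blind signature; the serial stays hidden from the mint."""
        if self.balances.get(pseudonym, 0) < 1:
            return None
        self.balances[pseudonym] -= 1
        self.balances["MINT"] += 1
        self.sold += 1
        self.log.append((pseudonym, blinded))
        d, n = self.sk
        return pow(blinded, d, n)

    def redeem(self, pseudonym, serial, sig):
        """Pay one unit to whoever presents a valid, unseen token: the buyer is no longer linkable."""
        if serial in self.spent or not verify(self.pk, serial, sig):
            return False
        self.spent.add(serial)
        self.balances["MINT"] -= 1
        self.balances[pseudonym] = self.balances.get(pseudonym, 0) + 1
        return True

    def outstanding(self):
        """Tokens sold but not yet redeemed: the only obligation the mint must be trusted with."""
        return self.sold - len(self.spent)

def run_demo():
    balances = {"K_A": 3}                    # constructed starting ledger
    mint = Mint(balances)
    serial = secrets.token_bytes(16)
    blinded, r = blind(mint.pk, serial)
    sig = unblind(mint.pk, mint.sell("K_A", blinded), r)
    first = mint.redeem("K_B", serial, sig)  # a fresh pseudonym cashes it: K_A 2, K_B 1
    replay = mint.redeem("K_C", serial, sig) # same serial again: refused
    return balances, first, replay, mint, serial, sig

if __name__ == "__main__":
    print(run_demo()[:3])
```

Two things the code makes concrete about Wei's trust argument: `mint.log` holds only blinded values, so even a mint that keeps every record cannot connect K_A's purchase to K_B's redemption, and `outstanding()` drops back to zero as soon as the token is cashed, which is why the mint needs only enough b-money on deposit to cover tokens in flight rather than the whole economy.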

On Sun, Dec 06, 1998 at 12:08:04AM +0000, Adam Back wrote:
(2) Borrowing resources -- a student with access to a campus full of workstations can obtain quite a bit of free CPU time.
If a problem can be solved on a network of computers for free, then by definition broadcasting the solution to that problem won't create any money. B-money mints will need to solve problems that can't be parallelized well on low-bandwidth networks in order to prove that they're not using free idle time of network computers. I'm not sure if such a problem class exists, however. I think this problem will probably become less serious in the future as people discover more productive uses of idle computer time.
(7) If such a system took off there seems to be an overhead equivalent to the value of b-money in circulation which over time has essentially been burnt off in disipated heat, and useless hardware. But probably the cost is still much lower than the enormous costs involved in maintaining a force monopoly to enforce traceable transactions.
I now tend to think that the government monopoly of force is a net benefit. If you look at countries where the government doesn't have a monopoly of force (like Russia) things look pretty bleak. Anyway, back on topic. The resource waste in creating b-money can be reduced if we assume that b-money will be created gradually as the b-money economy expands rather than all at once at the beginning. If we build a deflation factor into b-money, b-money will be worth more over time and therefore not as much b-money will be needed to support the operation of the economy. This can be accomplished by specifying that the standard basket used to define the creation of b-money grow at a fixed rate over time. But of course deflation also has costs since it makes comparing prices across time more difficult. I think b-money will at most be a niche currency/contract enforcement mechanism, serving those who don't want to or can't use government sponsored ones. However if it did become mainstream I think there are some interesting macroeconomic questions here. Will prices really be stable as they're designed to be? Will there be business cycles? What is the optimum inflation/deflation rate?
participants (3)
- Adam Back
- Ian Grigg
- Wei Dai