From the Cypherpunks mailing list (cypherpunks@cyberpass.net), December 6, 1998 (00:48:42 UTC):
Subject: Re: Wei Dei’s “b-money” protocol
From: Adam Back <aba@dcs.ex.ac.uk>
Adam Back replied to Wei Dai’s b-money proposal with a substantive monetary-design critique posted to the Cypherpunks list. Back identified seven distinct issues in the proposal as it stood, while explicitly proposing his own Hashcash as the candidate minting mechanism for the system.
Back’s central proposal named Hashcash as the minting mechanism:
Quote from: Adam Back on December 06, 1998, 12:48:42 AM UTC
“to create value you burn CPU time, just like with hashcash”
This sentence is the explicit pre-Bitcoin proposal of the configuration Bitcoin would later realize: a proof-of-work primitive (Hashcash) used as the minting mechanism for a decentralized digital-cash system (b-money). Back proposed it as a candidate; he did not implement it.
Seven monetary-design issues identified by Back
The seven issues below are the editor’s structured summary of Back’s analysis. The original message is available in full at the cryptoanarchy.wiki archive linked under sourceUrl; readers checking specific phrasing should consult the archived original.
- Inflation under Moore’s-Law hardware decline. The cost of the hardware required to compute a given hash-collision falls in line with Moore’s law. Hardware-cost decline produces mint-cost decline, which produces inflationary pressure on the value of newly-minted units.
- Borrowed-resource exploitation. A user with access to a population of workstations they do not personally own (Back’s example: a student with access to a campus full of workstations) can obtain effectively-free CPU time, undermining the cost-as-value-floor assumption.
- Transaction linkability. In b-money’s pseudonymous design, what looks like anonymity is in fact “linkable anonymity” — pseudonymity, not unlinkable anonymity.
- Economy-of-scale custom-hardware advantage. A participant who can deploy custom hardware specifically optimized for the hash-collision search obtains a “bulk discount” against general-purpose-CPU participants — a structural unfairness in mint allocation.
- Fiat on-ramp privacy leakage. Acquiring b-money from fiat currency requires the buyer to “reveal his identity by the use of traceable payment systems,” undermining anonymity at the system entry.
- Fiat off-ramp identity exposure. The symmetric problem at the exit: cashing out to fiat (“force-monopoly money”) without revealing identity is “difficult.”
- Resource-waste overhead. Operating the system imposes overhead “equivalent to the value of b-money in circulation” — the energy-consumption critique that would later attach to Bitcoin’s proof-of-work.
Wei Dai’s reply (December 7)
Wei Dai replied to Back’s critique on December 7, 1998, conceding that “b-money will at most be a niche currency/contract enforcement mechanism” and revealing a partial retreat from earlier crypto-anarchist positions: “I now tend to think that the government monopoly of force is a net benefit.” Dai also raised price stability, business cycles, and optimal inflation rates as open questions for any wider-adoption monetary system.
Mapping Back’s 1998 issues to Bitcoin’s design ten years later
The table below is the editor’s structured comparison.
| Back 1998-12-06 issue | Bitcoin’s resolution |
|---|---|
| ❶ Moore’s-Law mint-cost decline → inflation pressure | Difficulty adjustment — re-targeted every 2016 blocks to keep block-time approximately constant against compute-power growth, decoupling mint-rate from hardware-cost decline |
| ❷ Borrowed-resource exploitation (CPU on machines the user does not own) | Indirectly neutralised — the mining-economics shift to ASIC-dominant hardware (see ❹) made general-purpose-CPU borrowing structurally uncompetitive; the vector was retired by a different system property, not by direct mitigation |
| ❸ Transaction linkability (“pseudonymity, not unlinkable anonymity”) | Persists at the base layer — Bitcoin’s UTXO graph remains publicly traceable, and address-clustering / chain-analysis tooling operationalise the linkability Back identified; privacy-layer protocols exist as opt-in mitigations rather than base-layer fixes |
| ❹ Economy-of-scale custom-hardware advantage | Unresolved — surfaced later as the mining-ASIC concentration question in Bitcoin’s operational history |
| ❺ Fiat on-ramp privacy leakage | Reinforced by regulation — modern AML / KYC frameworks require regulated fiat-onramps to verify identity, formalising the privacy gap Back named rather than closing it |
| ❻ Fiat off-ramp identity exposure | Same regulatory frame as ❺ — withdrawal-compliance requirements at regulated venues extend the same identification requirement to exit |
| ❼ Resource-waste overhead equivalent to circulating value | Live debate — the energy-consumption critique that has continued to attach to Bitcoin’s proof-of-work since launch |
| Central proposal: “to create value you burn CPU time, just like with hashcash” | Bitcoin’s central mechanism — Bitcoin couples a Hashcash-style PoW primitive with a decentralized digital-cash ledger and uses block-subsidy issuance for mint allocation |
This December 1998 critique is read closely by three later analyses. The Adam Back identity hypothesis treats Back’s enumerated seven issues as load-bearing evidence — §2.4 maps each issue onto how Bitcoin later resolves it, and §3.1 uses the same enumeration as the documented third-party reading the hypothesis must explain away. The fixed-supply vs adjustable-money analysis reads the same critique from a complementary angle, treating it as the documented cypherpunk monetary debate against which Bitcoin’s eventual fixed-supply choice was made. The cypherpunk-independent-arrival analysis reads Back’s central proposal — “to create value you burn CPU time, just like with hashcash” — as the specific proof-of-work-as-value configuration Satoshi reached and implemented without the channel that had already named it.