From the Cypherpunks mailing list (cypherpunks@cyberpass.net), December 6, 1998 (00:48:42 UTC):
Subject: Re: Wei Dei’s “b-money” protocol
From: Adam Back <aba@dcs.ex.ac.uk>
Adam Back replied to Wei Dai’s b-money proposal with a substantive monetary-design critique. Back identified seven distinct issues in the proposal as it stood, while explicitly proposing his own Hashcash as the candidate minting mechanism for the system.
Hashcash as b-money’s minting mechanism:
“to create value you burn CPU time, just like with hashcash”
This sentence is the explicit pre-Bitcoin proposal of the configuration Bitcoin would later realize: a proof-of-work primitive (Hashcash) used as the minting mechanism for a decentralized digital-cash system (b-money). Back proposed it as a candidate; he did not implement it.
Seven monetary-design issues identified by Back
- Inflation under Moore’s-Law hardware decline. The cost of the hardware required to compute a given hash-collision falls in line with Moore’s law. Hardware-cost decline produces mint-cost decline, which produces inflationary pressure on the value of newly-minted units.
- Borrowed-resource exploitation. A user with access to a population of workstations they do not personally own (Back’s example: a student with access to a campus full of workstations) can obtain effectively-free CPU time, undermining the cost-as-value-floor assumption.
- Transaction linkability. In b-money’s pseudonymous design, what looks like anonymity is in fact “linkable anonymity” — pseudonymity, not unlinkable anonymity.
- Economy-of-scale custom-hardware advantage. A participant who can deploy custom hardware specifically optimized for the hash-collision search obtains a “bulk discount” against general-purpose-CPU participants — a structural unfairness in mint allocation.
- Fiat on-ramp privacy leakage. Acquiring b-money from fiat currency requires the buyer to “reveal his identity by the use of traceable payment systems,” undermining anonymity at the system entry.
- Fiat off-ramp identity exposure. The symmetric problem at the exit: cashing out to fiat (“force-monopoly money”) without revealing identity is “difficult.”
- Resource-waste overhead. Operating the system imposes overhead “equivalent to the value of b-money in circulation” — the energy-consumption critique that would later attach to Bitcoin’s proof-of-work.
Wei Dai’s reply (December 7):
Wei Dai replied to Back’s critique on December 7, 1998, conceding that “b-money will at most be a niche currency/contract enforcement mechanism” and revealing a partial retreat from earlier crypto-anarchist positions: “I now tend to think that the government monopoly of force is a net benefit.” Dai also raised price stability, business cycles, and optimal inflation rates as open questions for any wider-adoption monetary system.
Mapping Back’s 1998 issues to Bitcoin’s design ten years later
| Back 1998-12-06 issue | Bitcoin’s resolution |
|---|---|
| ❶ Moore’s-Law mint-cost decline → inflation pressure | Difficulty adjustment — re-targeted every 2016 blocks to keep block-time approximately constant against compute-power growth, decoupling mint-rate from hardware-cost decline |
| ❹ Economy-of-scale custom-hardware advantage | Unresolved — surfaced later as the mining-ASIC concentration question in Bitcoin’s operational history |
| ❼ Resource-waste overhead equivalent to circulating value | Live debate — the energy-consumption critique that has continued to attach to Bitcoin’s proof-of-work since launch |
| Central proposal: “to create value you burn CPU time, just like with hashcash” | Bitcoin’s central mechanism — Bitcoin couples a Hashcash-style PoW primitive with a decentralized digital-cash ledger and uses block-subsidy issuance for mint allocation |