1998-12-06 - Re: Wei Dei’s “b-money” protocol

Header Data

From: Adam Back <aba@dcs.ex.ac.uk>
To: cypherpunks@cyberpass.net
Message Hash: 0b252a6001b0bb9e53289d9a7679164a884a28626360ff8a05ba8c5e9f4208ae
Message ID: <199812060008.AAA27126@server.eternity.org>
Reply To: <199812051937.TAA12780@server.eternity.org>
UTC Datetime: 1998-12-06 00:48:42 UTC
Raw Date: Sun, 6 Dec 1998 08:48:42 +0800

Raw message

From: Adam Back <aba@dcs.ex.ac.uk>
Date: Sun, 6 Dec 1998 08:48:42 +0800
To: cypherpunks@cyberpass.net
Subject: Re: Wei Dei's "b-money" protocol
In-Reply-To: <199812051937.TAA12780@server.eternity.org>
Message-ID: <199812060008.AAA27126@server.eternity.org>
MIME-Version: 1.0
Content-Type: text/plain

Some discussion of the properties of Wei's b-money protocol.

b-money seems to be book entry ecash system related to hashcash, where
the "book" is open, and distributed.  Anonymity is derived from the
fact that the participants can be pseudonymous.  hashcash would be a
candidate function for Wei's decentralised minting idea: to create
value you burn CPU time, just like with hashcash, but Wei's
distributed open book entry system allows you to psuedonymously
exchange value.

Problems are (1) inflation, (2) borrowing resources, (3) linkability
of transactions, (4) b-money has a big bulk discount, (5) getting
money in and (6) out, (7) resource waste.

(1) Inflation -- the cost of hardware to compute a given collision
falls in line with Moores law.  Perhaps one could get around this by
defining a b-money unit to require more computational effort over
time.  Say define 1 b-money unit to be the computational effort of 1
months compute on the most efficient hardware that can be bought for
$1000 at current prices and state of hardware.

(2) Borrowing resources -- a student with access to a campus full of
workstations can obtain quite a bit of free CPU time.

(3) Linkability -- although the participants are anonymous, their
transactions are linkable and so participants are pseudonymous in
b-money (linkable anonymity being pseudonymity).  This is inherent
because of the need to broadcast transactions to ensure the open book
entry is updated.

(4) You can get money in -- by buying hardware -- but it will cost
different people different amounts.  If I am using an existing general
purpose workstation my units will cost more than if I buy custom
hardware.  Not so bad a problem, just view this as an economy of
scale, or a bulk discount.

(5) Getting money in by buying hardware works, but people don't want
the inconvenience of buying custom hardware, they would rather just
buy b-money for force-monopoly backed money (national currencies).  If
we setup a mint which made it it's business to buy up-to-date custom
hardware it would be difficult to buy b-money anonymously because the
pseudonym would reveal his identity by the use of traceable payment
systems (credit card, cheque, wire transfer, etc).

(6) Getting money out is difficult also.  The pseudonymous b-money
user would find it difficult to obtain force-monopoly money without
revealing his identity.

(7) If such a system took off there seems to be an overhead equivalent
to the value of b-money in circulation which over time has essentially
been burnt off in disipated heat, and useless hardware.  But probably
the cost is still much lower than the enormous costs involved in
maintaining a force monopoly to enforce traceable transactions.

Some thoughts on ways to improve on some of these areas:

To improve the problems of pseudonym identity leakage in (5) (paying
for b-money) perhaps we could formulate a blinded cost function rather
than my suggestion of hashcash.  In this way one could easily purchase
hashcash.  One approach to achieving this would be to have an ordinary
ecash mint using chaumian blinding but somehow be able to audit that
the mint is producing hashcash tokens to match each ecash withdrawl.
Then we would have an blind ecash mint backed in hashcash.  The
purchasing pseudonym unblinds the token and broadcasts it.  Servers
check that it has not been seen before, and increase the pseudonym's
balance by it's value.

Periodically the hashcash mint has to publish it's hashcash to prove
that it is not cheating.

It may be that you could find a blind cost function which achieves
both blinding and some cost function at the same time, to skip the
stage of the mint publishing associated hashcash.