David Chaum, the inventor of eCash and CEO of xx network, and Adam Back, the inventor of Hashcash and the cofounder and CEO of Blockstream, discuss their involvement in digital currency well before Bitcoin existed. In this episode, they discuss:
- how they each became enamored with the idea of digital currency years before such an idea was widely discussed
- the crypto wars of the 1990s and the U.S. government’s attempts to control access to advanced cryptography
- Digicash, the creation of eCash, and the difficulties of implementing the system with the technology available at the time
- the innovation of blind signatures used in eCash
- what caused the demise of Digicash, and David’s role in that
- the development of Hashcash and the problems Adam was trying to solve by creating it
- their initial reactions to learning about Bitcoin for the first time
- how they think Bitcoin might improve in the future
- the stock-to-flow Model, and where they believe the Bitcoin price might go next
- why the Hashcash proof-of-work mechanism became so widely used
Thank you to our sponsor!
Crypto.com: https://crypto.com/
Episode links:
Adam Back: https://twitter.com/adam3us
Blockstream: https://blockstream.com
Adam’s website: http://www.cypherspace.org
David Chaum: https://twitter.com/chaumdotcom
Elixxir: https://elixxir.io
XX Network: https://xx.network
Previous Unchained episode on the history of digital currency: https://unchainedpodcast.com/why-bitcoin-now-the-history-of-digital-currency/
Wired article on “e-money”: https://www.wired.com/1994/12/emoney/
Translated Dutch article on why DigiCash failed: https://cryptome.org/jya/digicrash.htm
Aaron Van Wirdum’s Bitcoin Magazine series on the history of digital currency: https://www.whatbitcoindid.com/podcast/the-beginners-guide-to-bitcoin-part-3-bitcoins-pre-history-and-the-cypherpunks-with-aaron-van-wirdum
David Chaum’s e-Cash: https://bitcoinmagazine.com/articles/genesis-files-how-david-chaums-ecash-spawned-cypherpunk-dreamHashcash: https://bitcoinmagazine.com/articles/genesis-files-hashcash-or-how-adam-back-designed-bitcoins-motor-block
Transcript:
Laura Shin:
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I’m your host Laura Shin, a journalist with over two decades of experience. I started covering crypto five years ago, and as a senior editor at Forbes, was the first mainstream media reporter to cover cryptocurrency full time. Subscribe to Unchained on YouTube, where you can watch the videos of me and my guests. Go to YouTube.com/C/UnchainedPodcast and subscribe today.
Crypto.comCrypto.com is waiving the 3.5% credit card fee for all crypto purchases until the end of September. Download the Crypto.com app today.
Laura Shin:
This is the fourth installment in the Why Bitcoin Now series, which takes a closer look at bitcoin in the context of larger macroeconomic forces, such as the pandemic and geopolitical moves happening in crypto. My guests for today are Adam Back, the inventor of Hashcash and the cofounder and COO of Blockstream, and David Chaum, the inventor of eCash and the cofounder and CEO of Elixxir. Welcome, Adam and David.
David Chaum:
Hey, it’s great to be here, Laura. Nice to see you.
Adam Back:
Likewise. Good to be here.
David Chaum:
And Adam.
Laura Shin:
So, just a quick note before we begin, I’ve been a little bit under the weather. I’ve managed to gather the fortitude to do this episode. Hopefully it will all turn out fine, but I just wanted people to know that’s what was happening while I was trying to prepare for this. All right, so, let’s start with the first question. How did you both become enamored with the idea of digital currency at a time when that was something that wasn’t even really on the radar of anybody in the world and the internet wasn’t even really a big thing, and why don’t we start with you, David?
David Chaum:
Well, sure. Yeah, so, well, in 1977, in the spring, I moved to Berkeley to start my PhD in computer science, and…well, I was transferring. Actually, I had a Regents four-year graduate fellowship in UCLA, but I decided Berkeley was more my kind of place. So, I moved to Berkeley, and I, you know, really focused on privacy and trying to foresee how the digital world would play out, and I realized that privacy was a key ingredient in that.
And I started developing, you know, a few technologies to see where this would all go, and the first one I started with was actually voting, which, more or less, immediately led to what’s called Mix Networks today, and that’s something I published in ’79 as my master’s thesis, and then it appeared in CACM in ’82 I think, but it’s a pretty well referenced work, and many people have implemented this over the years. Put it in the public domain, and it’s the only real way that’s practical at all to create what we call a large anonymity set, which is the figure of merit in any kind of privacy system, right?
It’s like how many people are you actually anonymous among, assuming that the bad guys can see everything that everyone sends to everyone else? That’s the threat model, you know, and we learned from Snowden now that that’s the real threat model. So that was kind of where I started. I thought, yeah, this is really important. If the government can see who talks to who and when, then you don’t really have a basis for being a participant in a democracy.
This could be kind of a chilling thing, and so then the next step, to come to your question about money, was…well, then I thought, well, great. So I can participate in this upcoming internet thing or this…you know, the future digital world. We didn’t know exactly how it was going to play out in the late ‘70s, but I’ll need some way to pay things and be paid to do things.
And if, you know, that payment system allowed the linking of who’s paying who to be recognized by people listening in on the network, then it would undo all of the what we call traffic analysis protection, now called metadata, shredding. The hiding of who talks to who in the messaging system would be obviated. It would be undone by learning who pays who because then you’d know anyway. So, I thought, well, we need a payments technology that will work in this privacy-protected metadata-shredding sphere.
Let’s say in the early ‘80s, I invented eCash, which was a privacy-protecting digital bearer instrument, and that’s something that I don’t think people really recognized. I mean, you know, in some sense, you could call it Bitcoin Zero because…but you know, it had certain advantages over bitcoin and that, of course, there was very strong privacy that you couldn’t break, even with unlimited computing power, and then it also had the property that when you had this money, no one could take it away from you. So, you know, nowadays, you could change things on the chain if you really want to.
Sometimes it happens, but with eCash, there’d be no way to take money away from you because you would have these digital signatures on serial numbers that you chose at random, and no one would see them, even if they had quantum computers or unlimited computing power. They couldn’t figure out which serial numbers you chose at random and have the signatures on. So, you would be protected in the holding of your money. So, it was a digital bearer instrument that, you know, no one had ever thought of anything like that, and that was a really big deal. So that’s how I came to it.
Laura Shin:
Okay. Yeah. We’ll dive a little bit more into eCash in a moment. Adam, what about you? How did you get into digital currency so early on, before anything like bitcoin was on the scene?
Adam Back:
So, I started PhD in 1991, and I guess the year before that, I had a friend who was doing a master’s degree, and this is at University of Exeter. We had a distributed systems group with some parallel hardware. So, lots of processers, high-speed interconnects, and it’s a kind of interesting challenge to program those things, and that was the topic of my PhD, actually. Initially, it was more about distributed systems.
So, I came to know about the Byzantine Generals Problem and things like that before other people who maybe heard about that topic first in the bitcoin cryptocurrency context. So, in any case, my friend there was trying to accelerate the RSA encryption algorithm on this parallel hardware because, at the time, CPUs were a lot slower than they are now, and even to encrypt messages was somewhat slow on a general desktop processor and that kind of thing.
So, I got to know the technology before the kind of very interesting balance of power change of being able to have end-to-end secure messaging that governments couldn’t encrypt and so on. So, wasn’t long after that that PGP came out, and PGP had that very interesting property. I think the internet itself brought a lot of kind of freedoms and more direct participation, for example, in media and blogging and conversations. It was less hierarchical.
Initially, some government friction and adapting to the concept that, you know, while they could maybe influence a large media organization, it was very difficult to influence millions of independent voices with their own views on things. Of course, that’s progressed a lot since the ‘80s and ‘90s, but from the interest in PGP, I joined the Softwink’s list, which is basically a group of people interested in technology like that.
So, internet technology with some kind of privacy benefit or changing the balance of power, so the kind of things that Snowden came to blow the whistle on, people were suspicious of, and these were the kinds of people that were suspicious, you know? Is the government really actually recording all this stuff, and there was a whole what they call battle about the banning of encryption, actually, or the banning of export of encryption from some countries or you know, discussion about countries banning encryption software that the National Security apparatus couldn’t decrypt, and some of those things pop up even decades and decades later.
So, it’s kind of disappointing that that’s still ongoing, but I think my view was that we have, in laws and regulations established rights, and it’s a kind of natural balance in society for, you know, respect and privacy and personal independence and so forth, that you have various rights, but they become harder to enforce or eroded by the mechanisms of the internet.
So, those are some of the things that David was taking about that, you know, actually, to even hold onto the rights that you naturally assume and expect in the physical world, some of those start to get eroded because ISPs are keeping logs, initially for service reasons, but once they’re recorded, then people start to ask for access to the logs, you know, different law enforcement and so on.
So, very interested in privacy technology and spent much of the time when I should’ve been working with distributed systems actually reading all kinds of applied cryptography papers, including some of David Chaum’s papers, and implemented some of them in cryptographic libraries and actually implemented an eCash library that implements…David’s eCash protocol, the online version, not the more complicated cut and choose offline version, and also a related system by Steven Brantz, which is just another variety of that.
So, I implemented both of their systems in a library, and there was a great deal of interest in privacy technology, but all of the networks were operated by volunteers. So, you know, the cost of the server, the cost of the bandwidth, the volunteer, and it was a big gap in the technology. That there was no way to pay for anything, and as David said, you know, as soon as you whip out your credit card and pay for something, now all the privacy’s been undone and gone.
So, clearly, electronic cash was needed, so there’s a lot of excitement about David’s company DigiCash at the time, which was deploying the technology that he talked about some decades after he first published the blind signature paper, and so I guess, yeah, people wanted to see that deployed in some way or another, and that was, for a time, deployed in a kind of demo server.
But I think bitcoin, which came very much later, struck…you know, approached from a different angle, which is it was more distributed, but less private, and the reasons for the distribution or the centralization are sort of censorship resistance, survivability. You know, so it didn’t depend for its viability on any group of individuals or companies, right, if it would just keep operating as a fabric. So, there’s not really any prospect of the internet disappearing because there are so many different service providers and operators.
And so it is with bitcoin that there are, you know, so many different companies offering integration services and wallets and doing mining and providing various infrastructure services. So, bitcoin becomes much more of a fabric and so more survivable, but it’s not as good from a privacy kind of point of view. So, you know, with my interest in cryptography, when I saw bitcoin and started taking more of an interest in it, it struck me that now that it was here and it addressed sort of the robust survivability, that maybe there would be some way to improve the privacy.
Of course, there’ve been incremental improvements over time, but I proposed something called confidential transactions, which is a way to encrypt the values of the…so how many coins have been transferred, but still have it be publicly auditable. So it turns out, you can do that using zero-knowledge proofs, and the challenge is to make it compact and efficient. So, that’s been implemented in sort of related systems.
So, like side chains to bitcoin, so kind of modular layer twos to bitcoin and some other systems, and there are a variety of privacy technologies surrounding cryptocurrencies, which are interesting, and I hope that one day, as the technology matures, bitcoin itself will incorporate more strong privacy either in a layer one or in a layer two. So, I came at it from a privacy technology perspective. I think bitcoin adds one other dimension, which was not something I was focusing on before.
I mean, I think that, you know, in the early to mid ‘90s onwards, there are a lot of people interested to try and find a way to deploy electronic cash either using Chaum’s protocols or other protocols or independently, and finding it difficult, like, technically challenging to do that, and so I was part of that kind of group of researchers, like Hal Finney and Nick Szabo and other people that were discussing those things. One thing that bitcoin adds that wasn’t, to my mind, the major concern at the time is the digital gold like aspect, right?
That it would have also some kind of monetary reform or return to a gold standard, but in a digital format. You know, we were looking at it from the point of view we need electronic money with strong privacy and bearer properties, but if that would’ve been denominated in US dollars or some other stable large country currency, we would’ve been very happy and felt that we’d achieved the objective. So, bitcoin adding that is a new dimension and I think likely helped its popularity and adoption, as well.
Laura Shin:
Yeah, super interesting points, and we’ll dive into some of these a bit more later, but one other thing I wanted to ask about those early days was, was there a sense at that time that it was kind of like an active group of people that were all working on this, or did it have this feeling more of people that were kind of loosely connected on the internet, and then each of you were sort of tinkering on your own? I’m just trying to get a sense of the feeling during those days, whether or not it was something that felt like it was almost imminent or if it really felt like, well, at least people are trying to run things, but it’s probably kind of far from the future?
David Chaum:
Maybe I could speak to that, Adam, because I think we’re talking about two different time frames here totally, right? Adam’s talking about the ‘90s. I’m talking about, you know, I invented all this stuff in the late ‘70s and published it in the early ‘80s, and I think I…I did another thing which was really fundamental that opened up this whole discussion.
Adam mentioned the crypto wars, without calling them that, but that, you know, governments were in this mode of saying that you couldn’t explore cryptographic software or that you couldn’t…in fact, they were putting secrecy orders on researchers in the United States, people I knew. Independently created ideas, and the government would come at them, you can’t talk about that. It’s a national security…you know, they’re going to put you in prison if you talked about it.
Laura Shin:
Well, Adam, I mean, you have on your famous t-shirt, the RSA t-shirt. Can you talk about that for a second, because that seems…
Adam Back:
Yeah, it’s related to what David just mentioned, yeah. So, well, I was living in the UK at the time, and so the, I mean, you know, various countries had different controls and regulations, but the US was the largest exporter of software, you know, the nexus with a lot of internet software development, and so the fact that it’s had this non-expert policy on cryptography, I was concerned.
And it struck me as kind of silly, because sort of what I said about making it a very small program that would normally be un-exportable, and you know, it’s like three lines of code or something. So it’s very small, and I made a t-shirt and sold some t-shirts, and people did other things with it, you know, like got a tattoo or put it as a signature line on the email and so on, and I think there was a law professor who…there was a procedural way you could ask if your software was exportable.
So there was a law professor who was trying to fight this export regulation through the US courts, and he asked for approval to export this, you know, three-lines of code, he said he couldn’t, and it’s also very anachronous because there’s the very strong US free speech, and it particularly applies to written…books. You shouldn’t ban books and things like that, and so there were people that, you know, put the PGP source code in books and freely exported them, but to do it electronically would’ve been illegal for some things.
It struck me as sort of silly, but at the same time, serious. You know, it was hampering business, and it was meaning that the fact that a lot of software wasn’t as secure as it could’ve been. So, it was a way to sort of put some political commentary on it. Look, here’s the de minimis thing that they would apparently consider to be un-exportable. Anyway, so continue with your line of thought there, David.
Laura Shin:
But just to make clear for people, you printed it on a t-shirt, and then so if people flew internationally with that t-shirt on, then they were breaking this law. Is that the case?
Adam Back:
I don’t know. I mean, if you can export a book, can you export a t-shirt? That is a perfect gray area I guess, but at least people thought it was an amusing kind of way to protest something that they were quite unhappy about. It was a serious thing, you know, because it was impeding internet commerce, basically, because people didn’t feel they could trust encryption, and it was also pushing jobs away from the US.
You know, now that there were people in Europe writing cryptographic libraries because their US counterparts wouldn’t be able to export them, or international companies saying I bought this in Europe to do applied cryptography implementations and things. So, it was quite the inconvenience, and it eventually got overturned, but not before there were test cases and a lot of drama. So, the crypto wars, as David called it, yeah, that was a real thing in the ‘90s.
Laura Shin:
And so, David, yeah, we interrupted your line of thought. What were you going to mention?
David Chaum:
Oh, well, I’d like to…let me just turn the big old heavy TV camera back to the…you know, when this all was really in place. So, as I was saying, a number of my colleagues and friends had secrecy orders placed on them by the United States government, which made it a federal crime to reveal what they were researching, even though they weren’t drawing in any classified sources.
So that’s a doctrine that’s sometimes referred to as born classified, which we have as an official policy in the United States when it relates to nuclear weapons technology. It makes a certain amount of sense to me I guess, but you know, to apply that to cryptography seemed a bit out of range, and so I was a graduate student at Berkeley thinking about, you know, liberty in the digital world, and what it would be like because it’s a lot more kind of bistable, you know, because everything’s digital.
You could spy on everything pretty easily, or I developed these technologies that would allow you to protect your privacy. So, it could go sort of one of the two ways, but all the privacy technology was based on encryption, and special kinds of encryption that I developed. So, I really pioneered a lot of that stuff, and I think that’s what inspired the cypherpunk movement.
I mean, that’s what everyone says, but the other thing that I think really is very significant is that this all could’ve gone a very different way, because the National Security Agency, which is our main cryptographic authority in the United States, you know, for protecting secrets and breaking codes, they got a new director, and this fellow came in, and he started writing letters to all the scientific associations, like that…you know, the ACM and the IEEE, which are the main ones for computer technology, telling them that they should not have conferences or even sessions at conferences that covered cryptography because this was an illegal export and that they would…you know, he was going to throw the full force of the US government at them and unbelievable penalties would accrue to them because this was totally illegal, and so, you know, with my perspective at how important all this encryption would be to deciding which way the world would go.
And being a relatively, I don’t know, Berkeley young guy caught up in the whole atmosphere there, and everything I thought, there’s only one thing to do, and that is to organize a conference on cryptography, but to do it secretly, not to use the phone. So, I did it all by in-person conversations and by…and I mailed out invitations to a bunch of…basically, a guy named Len Adleman was a researcher from the RSA name. He had a list of, like, a printout in those days, and he and my girlfriend sat in the apartment, you know, and we cut those out and glued them onto these envelopes.
And we mailed these things out in the paper mail, and so there was a conference, and most people interested in the field came to it, and it was in Santa Barbara, and I stood up there on the stage and thanked everyone for showing up, and I announced that since they paid 100 bucks or whatever it was, 80 bucks, for the registration fee, that now they were…that was a membership fee in a new International Association for Cryptologic Research, and international scientific associations are protected by the United Nations.
So, you know, there was a bunch of people in the front row who’d registered for the conference as private individuals, not affiliated with any institution, but they all happened to live in Laurel, Maryland, which, if you know anything about the NSA, that’s where they are. So, when I said this, they just…you know, these people all turned green. That was it. It was over. I said, okay, we’re having our next event. It’ll be in Italy and here’s Henry Becker. He’s going to be the chairman of that. That’ll be in the spring, and you know, it was over.
So, the government tried to make cryptography born classified, and they threatened these big organizations, and that scared them because those bureaucrats, they had a lot of skin in the game, but I felt that it was just too important, so I risked spending the rest of my life in jail to set cryptography free, which I did, and I’m very proud of it, and at that conference, I published the eCash paper, and that conference, that association, by the way, is very robust and exists to this day. It is probably the only real organization in the field of cryptography.
It publishes a journal through Springer-Verlag. All of its proceedings are published. It has three conferences every year in different parts of the world, plus half a dozen workshops. So, it’s the International Association for Cryptologic Research it’s called, and it has enough money in the bank to whether the pandemic, even if it has to pay for conference for, like, a year or two if no one comes. It can afford that. So, we resisted joining these other scientific associations, so it’s maintained a very independent and robust position and done a great deal to, you know, facilitate and build up the scientific community in the field. So, this was a pivotal thing.
Laura Shin:
It’s so fascinating. I love that story. So, in a moment, we’re going to talk more about eCash as well as Hashcash, but first a quick word from the sponsors who make this show possible.
Crypto.comHow much in fees are you paying for your crypto purchases? Crypto.com is waiving the 3.5% credit card fee for all crypto purchases which means you can buy crypto with a 0% fee. Apart from your crypto purchases, you can also get a great deal on food and grocery shopping too. Get up to 10% back on Uber Eats, McDonald’s, Domino’s Pizza, Walmart, and many more when you pay with your MCO Visa card. No card? On the Crypto.com app, buy gift cards and get up to 20% back from merchants like Whole Foods, Safeway, Burger King, Papa John’s and Domino’s. Download the Crypto.com app today and enjoy these offers till the end of September.
Laura Shin:
Back to my conversation with David Chaum and Adam Back. So, David, you did allude to this briefly earlier. You created the eCash system which had, as its currency, cyber bucks. How did eCash work, and you can also explain DigiCash?
David Chaum:
Okay, well, that’s a lot of…yeah, it’s kind of a lot of stuff, but if you go to Chaum.com, scroll down the projects, and one of them is the eCash project, and you can see there’s a whole DigiCash museum there, and so you can see all about the history of it and pictures of the people and all this stuff, and you can see, interestingly, the banners of the original cyber-bucks-accepting shops on the internet, and so there’s a whole bunch of them that are…
Laura Shin:
Yeah, do you want to list some of those for people?
David Chaum:
I don’t really remember them off the top of my head, but you can go there because if you hover over them…you know, if you’re on a laptop, then it’ll show the name, and if you click through, you can see, like, from the Wayback Machine, what their homepage looked like. So, you could see all sorts of people selling interesting stuff. So the deal was if you put up a shop and accepted eCash, I would give you 100 cyber bucks, and okay, it wasn’t a…you know, we just said, well, we’re going to have a million. It was limited.
So, the idea of a limited issue was something that a lot of people had talked to me about because there a lot of people feel that’s very important to do. So we did that, and it was a pretty successful thing, but think Adam will recall this. Back in those days, you know, it wasn’t that easy to install the client’s software and get it to work, and everyone has different versions of the different operating systems, and computers were very slow for processing all this, and we were using modems and all that back in those days.
It wasn’t easy for us to make it a seamless experience on your smartphone or something. It was really something you had to want to do, and so it was kind of hard to compete with credit cards and all that, as the internet had just, you know, accelerated, but what we did license and build for different banks also their own system. So, the largest bank in Europe at that time was Deutsche Bank, and I went over there, and I talked to their board, and they were all excited about it, and they decided to back us.
And you know, people say DigiCash failed. Well, it’s not really true. It was taken down because they were willing to invest quite a lot more money in it, and the people who got control of the company didn’t want that. They wanted to kill it. So it was a sad thing, but Deutsche Bank was a very tough customer. You know, if you could imagine a German Bank, you know, the biggest bank in Europe, their data center was in an old bunker. It was several stories underground, and they wanted every kind of backup and recovery and everything.
So we had to build all this stuff for them, and we satisfied them. I think it’s quite an achievement. So it was a very industrial strength eCash banking system, if you will, that attached to their, what are called, current accounts, so their regular consumer bank accounts, and there were shops that were accepting, and in those days, of course, it was before the Euro, right, and so it’s Deutsche Marks, and so you could use Deutsche bank-issued Deutsche Marks and buy things online with…so we made all that for them.
It was all Deutsche Bank branded, and then we had Mark Twain Bank in the US which offered US dollars, and they were an international currency bank, so they could do various conversions. So that was great, and then we had Advanced Bank in Australia, which I think was, like, the number 2 or 3 bank at that time. Now it’s been merged in, but they were issuing in Australian dollars, and we had bunches of people wanting to use it, and starting to use it, in various countries.
I mean, I think my congressional testimony in the US is maybe noteworthy, but I also spoke to a bunch of other governments and visited many central banks around the world, and you know, I told people at that time…what I really told them was, you know, if your country would take the initiative and issue its money in eCash, you could be the electronic commerce leader of the world. This would be a tremendous economic opportunity for your country.
That’s what I was pitching when I had that chance to speak to…because I was invited to a lot of central banks and VISA International and Citibank and all these other…I was sitting there in the boardrooms and meeting the executives that come to visit me and all this stuff. So, I mean, there was a lot of interest in what we were doing. I have boxes of press clippings from those days because when I announced…you know, I did the first eCash payment and the first World Wide Web conference from CERN to Amsterdam, and then wrote a little press release.
And this guy sent it out from the company, and the New York Times picked it up and Wall Street…it was all over the global media in about 48 hours, and there was so much interest in the idea that a number itself could be worth money, you know, that I was interviewed in all kinds of languages. I don’t even know what languages. I have a whole archive of videotapes, you know, those big old videotapes of TV shows where I was interviewed. There was so much interest in it. It was a really big deal.
Laura Shin:
Yeah, and let’s just look under the hood and talk a little bit about eCash. So I believe that blind signatures were one of the breakthroughs that…
David Chaum:
Yes.
Laura Shin:
Yeah, so can you just explain that?
David Chaum:
Sure. Yeah. Absolutely. So, I mean, there are many kinds of digital signatures. Digital signature’s a pretty general term these days in its usage, but we had one type. Its blind signatures, and I invented them especially for payments and eCash. Now, actually, I was hoping that they would be used in a whole range of other applications to do with what I call credential mechanisms, but I wrote this paper that appeared in…you know, it was mentioned on the cover of Scientific American.
It was also on the cover of the best journal of computer science, CACM, at that time. You can see it on my website. There’s another one of the little project things there at Chaum.com, but I created a whole concept for how you could use the mixing to have perfect privacy in who you talk to at eCash to make your payments, and then the blind signatures could be used to basically prove things about you without revealing who you are, and so, like, you know, classic…say if a kid’s at a bar or somewhere they want to get in.
So, they have to prove that they’re old enough or they have a driving license or they’re from a different state or whatever, but they don’t want to give their address and all this other stuff. Well, that’s what you could do with a credential mechanism. You can prove exactly that you qualify according to whatever…you know, to one way, but you wouldn’t have to reveal which way that was. You would just reveal the exact one bit that you were qualified and give a signature that would prove that irrefutably.
So I found a way to basically turn the databases that companies would have about you inside out, so that now, you maintained your own information about yourself, and whenever they would normally ask their own database a query, they would have to ask you, and you would prove the answer was correct. You’d give the answer and prove it was correct, if you wanted to answer it. So that was a whole comprehensive thing. So blind signatures went a little bit beyond.
I was hoping that eCash would be like a Trojan horse, you know? People would start using it for payments, and they’d start to say, hey, wait a minute. I don’t have to reveal my identity to make payments, but if I want to, I can prove that that shop got my money. So that’s pretty cool. Maybe I could use that to check out library books or maybe for these other things, and then the credential mechanism would kind of grow organically.
And that’s why I went to a lot of effort to publish it in these mainstream publications, try to really distill it and work with artists to get the concepts across and all that, but so the idea of a blind signature is very, very simple, and in those days, we had carbon paper. I don’t know if people these days know what carbon paper is.
Laura Shin:
I know what it is.
David Chaum:
Yeah. We have carbonless carbon paper I guess! You know about that. It copies through. So, basically, the easy way to understand eCash, and it’s very close to the reality of it, the blind signature, is that let’s just say I take a piece of paper and I write a random serial number on it that only I know, and I put it in an envelope with some carbon paper inside or carbonless lining or whatever. I give it to my bank, and I say, hey, it’s me.
Take the money out of my checking account and validate this with your special worth-one-dollar stamp, or it’s like a signature that they can make, but on the outside of the envelope, they return the envelope to me. Then I can remove the envelope. Now I have my own random serial number with the carbon image of their un-forgeable worth-a-dollar stamp on it. So now I have this dollar, but no one knows the serial number, and so I’m sure I have the money, and so when I go and I…you know, no one can take it away from me.
They can’t screw with my account or anything. So, then I take it to a shop, and they say that looks nice. You know, but we got to check that you haven’t spent that serial number before. So, they check with the bank. That’s the so-called what I call the double spending problem in those days. I mean, you hear a lot about it these days, right? So the bank would then say, oh, yeah, that’s our signature, and we haven’t accepted that number before.
So, we will honor this and put the money on the shop’s account, but of course, we have no idea who the payer is. However, the user’s very well protected. So I didn’t mention this, but that serial number, it’s actually the result of applying a hash function. So, if the bank says, oh, we already saw that number. You know, it’s not valid. Then the shop would say, oh, that’s interesting. Can you please show me the number that when you hash it, gives you that serial number?
And of course, they wouldn’t be able to do it. So only once they sign and say, okay, we’ll accept it, then I give that hash pre-image, and then they know, and so it’s totally secured in that way, but the privacy is, let’s say, asymmetric, and I was very happy with this. In those days, it really worked well. You know, there’s something called the Bank for International Settlements, which is the central banker’s central bank. I visited, and then I spoke there.
It’s a whole thing, but they promulgated…they have a publication in those days called, you know, Definition of Criminal Use of Payments, and they listed them, and they were very strident about it all. It was basically extortion, black markets, and bribery, and so it turns out, in any of those scenarios, if you used eCash instead of a suitcase full of 20-dollar bills, right, but if you used eCash, then no criminals would accept it because since you knew the serial number that you created, you could always kind of tell the bank or the government or something, look out, these guys are going to be spending that.
You know, so no blackmailer would take payment by check or no black market’s going to accept Fedwire or these things. So, it was a way to protect the privacy of the individual, and we said unconditionally, because the blinding in the blind signature is not just cryptography. It’s what we call information theoretic statistical security. With unlimited computing power, quantum computers, whatever, you cannot learn anything about what’s blinded in there.
So, it unconditionally protects you as a consumer, your privacy and the protection of your money that you held was perfect, but on the other hand, it wasn’t really a suitable currency for, you know, paying bribes to politicians and things like that. So, I felt it was a really superior form of money, and in fact, if we could get rid of paper money and switch to this, we could get rid of a lot of corruption and problems which are a pretty big deal.
Laura Shin:
And let’s also briefly just go over what happened with DigiCash. You did talk about that a little bit. You know, it had offers of investment from places like ING Investment. There was even a plan I think for ING Barings and Goldman Sachs to bring DigiCash to the stock market, and Bill Gates expressed interest in integrating it with Windows 95. Netscape expressed interest. VISA wanted to invest 40 million dollars, and none of these potential deals happened, and in subsequent reporting, I guess some sources say that you wanted too much control and employees also felt you were too paranoid or greedy or stubborn, and that’s why these deals fell through.
David Chaum:
Well, that’s sour grapes.
Laura Shin:
Yeah, what’s your sense?
David Chaum:
No, look, I’m doing this to make the world a better place, and that’s why I put my life on the line, and that’s what I’ve been working on all along, and you know, I think it’s really true that the powers that be wanted to kind of stop this from being what it could’ve been and I really want…
Laura Shin:
Wait, but when you say that, do you mean?
David Chaum:
…give it a chance.
Laura Shin:
Do you mean Microsoft and VISA and Netscape, or what do you mean by the powers that be? Because they were interested in using this and integrating it with their businesses or investing in it.
Adam Back:
Well, I mean, what about policymakers, regulators, things like that?
Laura Shin:
But I don’t think they were the ones who stopped these deals. Were they?
David Chaum:
Well, you know, one thing I’d like to say is that it’s a testament to the significance of the ideas that I developed that there was so much interest, and we had very serious conversations with a number of these organizations. It’s true, and you know, we were represented by investment banks and so forth and so on, but yeah, if there was ever a scenario in which I felt that the potential of this was going to be taken forward and used to really plant that seed of privacy that I’d hoped for…
That was the last thing in the world I’d want to do, would be to stop that. So, yeah, you know, when you start to really see the…when you’re invited into the corridors of massive power, it’s quite an eye-opening experience, and I spoke at a conference of central banks in Rome, and they told me that…I mean, the airport was clogged up. It was like there were private planes. I mean, they closed off avenues, and we walked across a bunch of streets. Police had blocked it all off. We walked right into the Vatican. You know, it was only for us.
I mean, they said no non-central banker had even been allowed to attend any of their meetings, and they had me speak there. I mean, people recognized the significance of what this was, but I’m not sure that anyone was really interested in the disruptive power of it. Yeah, and it’s not like I had a monopoly on this. As Adam mentioned, there were other kinds of blindable signatures that were contorted in a way that they didn’t really fall under our control.
I don’t want to get too broad a perspective in answer to your specific question, but what I would say is that the…I mean, just a little bit more generally, you know, if we want cryptography to rise to its potential to make the world a better place for people, then probably we need to do that in a way that it works in a more comprehensive manner and is not, more or less, a guerilla action on the side.
And that’s kind of what I’ve been really trying to do, and that puts the burden on us to figure out how you could really use this in a way that would address legitimate issues in society and at the same time, liberate people and human potential…this is the thing that will take civilization to the next level.
Laura Shin:
Yeah. It’s interesting because that description of a guerilla action on the side is almost a description of bitcoin, but anyway…
David Chaum:
Oh, no, not at all. I wouldn’t say that. No, no. I’m a huge fan of bitcoin. I think bitcoin changed the whole landscape. I would say eCash is bitcoin zero. Bitcoin one made a lot of people rich, no question, and bitcoin two, that’s coming, and maybe it needs to be a little more hard to take down and a little bit real privacy, and maybe it’ll bring it with some other features.
Laura Shin:
Yeah, so just to give people a sense of the timeline, so you left DigiCash in 1996. DigiCash went bankrupt in 1998, and meanwhile, right in the middle there, in 1997, Adam sent an email to the cypherpunk mailing list about Hashcash. So, David, do you want to dispute what I just said there?
David Chaum:
I’m sorry. Laura, it’s such a pleasure…
Adam Back:
It was a timeline, right?
David Chaum:
…speaking with you, but I’m not sure…I feel like I’m being cross-examined. You know, a lot of what you said has been said, but none of it’s exactly accurate, and what you said is not exactly accurate. I don’t want to be put in a position to criticize any of this, but…
Laura Shin:
No, I mean, if I don’t have the facts…
David Chaum:
I didn’t leave DigiCash in ’96.
Laura Shin:
Oh, you didn’t? Okay.
David Chaum:
No, in ’94…I don’t know what you’re referring to. I mean, the Hashcash was just something that Adam developed, as, you know, to protect against spam by using computational cost, and this was something that was already, you know…remember I mentioned the cryptography conferences that I created? So years before Adam’s mention of that, it was already, you know, published by Dwork and Naor at the conference.
Laura Shin:
Well, proof-of-work. Proof-of-work.
David Chaum:
Proof-of-work for preventing spam. So, yeah, it was already…I mean, what do you mean? Adam wrote a letter to what? I already knew about this years earlier. I was there when Cynthia presented…you know, Moni Naor was my co-author on the offline eCash article back in the day.
Laura Shin:
Right. So, just for listeners, Cynthia Dwork and Moni Naor wrote the proposed proof-of-work much earlier than Adam wrote the proposed Hashcash to the cypherpunk mailing list. I’m just making…
David Chaum:
They published it. They presented it at the flagship conference, the crypto conference.
Laura Shin:
Yeah, I believe they presented it in 1993. I’m just…
David Chaum:
I was there. That was the conference that I founded.
Laura Shin:
…trying to make a transition for us to talk about Hashcash, that’s all, and to show that all of these things were happening right around the same time.
David Chaum:
Yes.
Laura Shin:
That’s all.
David Chaum:
That’s fine.
Laura Shin:
But yes…
David Chaum:
You know, it’s really true, and I think that’s…
Laura Shin:
But yes, proof-of-work.
David Chaum:
You know, let me say this. There were a lot of people, a lot of cypherpunks that I invited to visit us and work for us at eCash. It was a very open company. We had a research component. So I had a lot of interaction with people like us. Zooko was there for quite a while, and I’ve worked with him.
Laura Shin:
Zooko Wilcox of Zcash.
David Chaum:
Yeah. Yeah, you know, tried to help him develop his own competing systems while he was there under my employ on my nickel, and I mean, later, Zooko wrote to…he wanted to come to crypto. He had no money. I said, sure, I’ll pay for you to come, and I picked him up at the airport or whatever it was, you know, to help him, and Nick was there…
Laura Shin:
Yeah, Nick Szabo.
David Chaum:
Nick Szabo, and it was a very open process…
Laura Shin:
So now we’re going to talk about Hashcash. So, Adam, in 1997, you sent an email to the cypherpunk mailing list proposing Hashcash. What problem were you trying to solve, and how did Hashcash do that?
Adam Back:
Yeah, so I was running a remailer, so a way to send anonymous email and communicate on user net discussion groups with anonymity, and as I mentioned earlier, the technology for these things was basically operated by volunteers, and so the problem, or one of the problems as an operator of these things, it wasn’t that expensive to operate in terms of bandwidth and civil resources, but it seemed that some people didn’t like free speech or you know, ability to communicate privately or anonymously, and had taken it upon themselves to spam through the systems, and it wasn’t even commercial spam.
It was just, you know, random numbers, just trying to be disruptive, and we think, because it was happening to multiple remailers, so probably about 30 to 50 of them at various times, that the people doing this were trying to annoy system administrators who operated Usenet servers and Usenet distributed discussion groups, and they use a lot of bandwidth. Like a university site or a big ISP use, enormous amounts of bandwidth.
So, you know, it would start to annoy the system administrators that people were spamming through the remailers. The reaction would be maybe to block remailers or something like that, and I think that was what they were trying to achieve. So, it occurred to me that it would be good if there was a way to combat this spam problem, and because it was involving privacy, I had to think about it in a different way, because the usual anti-spam technique the system administrators use…
David Chaum:
But Adam, can I just interrupt you?
Adam Back:
Yeah.
David Chaum:
I’ve heard you give the same presentation before, but I’m just wondering, I mean, but Dwork and Naor had already published proof-of-work as an anti-spam mechanism. This was at the premier conference. Everyone in the field knew about it. It was published in the Springer lecture notes, and it was in every computer science library in the world, practically. It was very widely disseminated, so why did you have to think so deeply about it?
Adam Back:
Well, there’s two things here, right? One is…
David Chaum:
Oh, okay, but I have one other question for you. I’m sorry. I know you’ve made some…look, I value what you were doing, and I know it’s tough to operate a remailer in those days. Were there also MIX masters? Were those running in those days and were the real deal…
David Chaum:
…because you put yourself in a very difficult position knowing the linkings, right, but if you have cooperated with us in a more open system using the mixing technology, you would’ve been maybe better off.
Adam Back:
There were two generations for remailers. So Hal Finney wrote the first one, which was just a kind of nested onion, but because it didn’t standardize the message sizes, you could say that a global…you know, that wasn’t very good for passive traffic analysis, if you’d like.
David Chaum:
I get you. Yeah, I see. I got it. Thanks.
Adam Back:
The second generation was a MIX master. So I was running…actually, it’s backwards compatible, but I was running a MIX master remailer for a few years, and I mean, so in terms of Hashcash, I was not aware of Dwork’s paper until somebody sent me a link to the publication a couple months after I’d posted the source code for Hashcash.
So, some years later, I got around to kind of writing a paper about the experiences of people using Hashcash for various things, and in there, I cited a number of things. Obviously, Dwork’s paper, as I was aware at that point, but also, there were some other related things. I think, in a way of thinking, the sort of very conventional public-key cryptography with Merkle puzzles is a kind of proof of…I mean, it’s not exactly proof-of-work, but it’s related, right, using computation…
David Chaum:
That’s very interesting. Yeah. Yeah.
Adam Back:
And if you look around, there’s a lot of linkages and reinventions in this space. You know, so there have been other things where people have published something…there were, for example, client puzzles, which was another kind of hash-based proof-of-work by Ari Juels and Brainard. It’s probably also in one of the crypto review papers, and they were not aware of Hashcash, for example, right? So the original Dwork and Naor was using asymmetric techniques. So, there’s a lot of reinvention. Of course, I didn’t publish it in an academic paper. So I just published it on a website, so fair enough, they wouldn’t have been aware of it, but it was just to say that there’s a lot of kind of reinvention, and in my experience, you know, building things in an applied way sometimes brings together new ideas, right?
David Chaum:
Yeah. Necessity is the mother of invention. Right.
Adam Back:
So you can have an idea. You can write a paper about…exactly. Right. So that was the kind of general thrust of it. So, I have, you know, done general publications and things, but more in the distributed systems space. So, because it was a kind of applied thing for remailers, I just put it on a tech report on the website kind of thing. Yeah, so, I mean, the idea there was to think about it in a way that could preserve privacy.
So, there are a few features about it that are privacy related. So, it has a time stamp, but there’s some randomization of the time stamp so that you wouldn’t reveal…you know, from a black box, you can look at from the outside, see other messages are going in. You wouldn’t reveal who’s the likely sender by looking at the time stamp. So, it had some features like that.
And so then just the idea is to, the same as Dwork’s in the kind of concept level, which is to create cost, right? That’s the basic observation, right, that the problem with commercial box form is that it costs effectively zero, but I think the advantage of that kind of system is that it doesn’t…it’s not as attractive because it’s not respendable, but it’s more scalable. It doesn’t require any infrastructure, really. You can just attach it to an email.
Actually, much later in 2004, Hal Finney kind of got a bit closer to assembling these different parts together. So, he used Hashcash as the proof-of-work, and he used a Chaum blind signature-based token server, and he assembled it in an IBM tamper-resistant secure processor that he ran. So, it kind of had the central point of failure risk, but he introduced mining, effectively, into the conversation. So, he was using Hashcash. You can find the website online somewhere. Some of these are archived a bit.
So, basically, you would do some work. You would send it to this IBM processor that he has running in his server, and it would send you back a Chaum token, and because of the kind of trustworthy computing aspect of this card, if you assumed that he wasn’t colluding with IBM, which would be, you know, a big stretch to say that they designed this card, they colluded with him, right? So, it’s a serious piece of hardware that banks buy, and it can provide a kind of signature of execution.
So you get…now you can verify what code it’s running with reasonable security. Not as much as a bitcoin network because anybody can fully verify, and you don’t depend on this kind of, you know, trusted hardware sequence, but nevertheless, it was kind of interesting assemblage of parts. So, you could call that kind of bitcoin 0.5 if you’d like, you know, the bitcoin zero without a proof-of-work. When it’s got proof-of-work in there and he’s bridging technologists, right?
So it’s centralized. It’s got the strong privacy because you get, in exchange for your work, a Chaum token, and the scarcity is there. So it’s introducing digital scarcity, too, and I think that Hal Finney and Nick Szabo and a few people were more interested in monetary reform, so, you know, return to the gold standard or re-establishing something like that. So, people were looking at the electronic cash problem from different directions.
You know, some from monetary reform perspectives, some from a privacy perspective. I was a little bit more on the kind of privacy bearer of cash perspective. I would’ve been okay with dollars or any reasonably stable currency, and if you scroll forward to bitcoin, you know, it loses some of the privacy, but it does plus or minus, what, Hal Finney’s…he called it RPOW, Reusable Proof-of-Work. So, it basically does that, but in a distributed setting, and the privacy it loses is a side effect.
I think most people who were involved would like to establish a way to bring that back, but it’s more technically challenging to do that, as David would have a lot of experience in protocol design around, to do that in a way…you end up with bigger zero-knowledge proofs and more cryptographic assumptions. So, bitcoin is using, actually, quite basic cryptographic assumptions. So, it doesn’t really do anything advanced with zero-knowledge proofs and things like that.
Laura Shin:
So, for both of you, when did you hear about bitcoin and how, and what were your initial thoughts?
Adam Back:
So do you want to go, David?
David Chaum:
Well, you know, I’d rather not comment on that exactly. I don’t think I’ve done so publicly, but can we just go back…before we answer that…off the next question to…because I think it’s a very interesting conversation about these early days, and you know, one of the things that’s colored my thinking, Adam, on this, and I’m curious on your thoughts on this.
But was really in the mid ‘90s, as I think you’ve pointed out, the computing power and the network connections and all this wasn’t really up to doing a lot of stuff, and the idea that you’d have all these servers running all around the world, you know, supporting payments, I think this was somewhat inconceivable to us. We were happy that we could get this client side to just make a payment in a couple minutes, do an eCash payment and that we could get the servers to be able to handle their side of it.
So instead of, you know, replicating that server, so to speak, many times, but what we did consider, and I don’t believe it’s ever been discussed publicly, but several of us in the DigiCash company were working on a more distributed version of eCash that was not…you know, it was somewhere in between. I mean, it’s very easy to imagine distributing eCash in a simple-minded way, right, where you say, well, we’ve got 10 servers now, and if a majority of them agree that it has…you know, they all sign, and then they all check the double spending, and if a majority say it’s okay, then it’s okay.
You know, if you were to combine that with what I published as my dissertation at Berkeley, right, which was everything about blockchain, except for the proof-of-work part, then…because that was a majority rule network, right? So that’s kind of what we were thinking of as a step to distribute this process because…you know, there wasn’t really the resource to just…I don’t think it was at that point. So that would’ve been something that would’ve been achievable to make them somewhat more decentralized, you know, more in the classic BFT kind of model.
Adam Back:
Right. Yeah. I mean, I think there are…
David Chaum:
I never heard anyone talk about it. It’s on us I guess!
Adam Back:
No, yeah, so we…Greg Maxwell had a look at doing that, as well. So just to kind of make a threshold, you know, like k of n assigners and you can see in a straightforward way that that would…I mean, that should work. You know, if you can do a single blind signature, you can make k of n inefficiently, maybe more efficiently with some more thought.
And I think state change, which is another kind of bitcoin layer two, is contemplating doing the same thing that the…I think Greg had some source code, but hadn’t published it for the threshold blind signature approach, but I think the challenge…and Blockstream actually has a kind of federated blockchain, which is also k of n. So it kind of fits into our thinking for layer two security but the advantage for bitcoin itself in the layer one is it’s…
We published a paper on side chains and coined the word dynamic membership signature, because you could think of the proof-of-work as sort of evolving and signing in some way with the work, you know, the most work, the longest chain with the most work signing off…the majority of the work signing off, and you know, each signature or each edition of a proof-of-work, you can have a freshly anonymous participant.
So I think bitcoin stumbled across…and nobody knows who Satoshi is or how he hit upon this idea, you know, whether he came at it from the Byzantine Generals fixed membership, BFT protocols, or he started straight from an anonymous group of work, but it doesn’t have the membership challenge, and something with a membership is never so permissionless.
David Chaum:
Oh, yeah. Oh, yeah. That’s the big breakthrough of bitcoin, and thank god that it happened, and you know, it’s changed the world in a dramatic way.
Laura Shin:
Yeah, so let’s talk about bitcoin because we’re well over time, and we’re running out. So, yeah, just how did you learn about bitcoin? When was that, and what were your initial thoughts?
Adam Back:
So I learnt about it in…I think it was, like, August 2008. Got an email from Satoshi Nakamoto with the abstracts and asking for the correct citation for Hashcash, and I sent it to him, a couple of other papers to look at. One of them being b-money, and I looked at it in more detail, actually, when Hal Finney started posting his experiences running it and understanding how it works.
So he posted some longer commentary on I think the cryptography mailing list or the cypherpunks mailing list, and you know, I suppose for somebody who’s spent much of his professional career working on applied cryptography, you know, with libraries and perhaps in-house technologies and things, the thing that will strike you initially, until you’ve become accustomed to it is, well, that hasn’t got very strong privacy assurances, at least compared to the previous systems, and that the security margin on a double spending is kind of 50/50, right?
So, you’re sort of trusting that the economic majority is honest, to some extent. It depends on the aspects of the system you’re protecting, and so coming from the normal cryptographic kind of asymmetric crypto, you typically have an enormous benefit as a defendant versus the attacker. You know, you’re going to do some computation that takes a fraction of a second. The attacker’s going to sit there for, you know, thousands of years with using up an enormous amount of compute and probably going to fail to decrypt your message.
So, you’re used to this kind of enormous asymmetry, and bitcoin is like, well, you know, it’s the good guys versus the bad guys. It’s a fair fight kind of thing, right? So it takes you a while to get over that, and you reflect on it. You say, well, you know, on the other hand, it has proposed a novel new solution to the dynamic membership, Byzantine Generals Problem space. As I mentioned, I was somebody who read Leslie Lamport’s paper while I was doing my computer science PhD.
So, something interesting and new in that space, and it’s here. It’s bootstrapped, you know? After a while, it had a value and so forth when there were exchanges I guess over a year in, before there was a price at all, right? Just people playing with it to start with. So, the bootstrap story’s kind of interesting, but you know, the fact that it’s deployed and it’s decentralized, so there’s no really identifiable nexus of a company, of an individual that you would ask to switch off a server or block something.
So I think it’s an interesting tradeoff, right, because with DigiCash and its related blind signature-based protocols, you’ve got a very strong assurance that you can’t selectively block transactions, and the only thing that a party operating it could do is shut down, right? They could say, well, I refuse…I mean, I can’t block anything selectively, so what do you want me to do? They’re all indistinguishable to me, assuming that the sender wants privacy, whereas bitcoin is not so much in that vein.
It’s more that, you know, people are transacting. They’re sort of pseudonymity. The coins are pseudonymous. There’s no wallet, identifier tracking at all. It’s kind of imperfect, but there’s a de facto fungibility and privacy and an assumption that this is an economic incentive that, sooner or later, some miner somewhere will process your transaction, even if the first one chooses not to for policy reasons, and there’s plus or minus holdup.
It’s a bit of a gray area. There are the companies that specialize in tracking coins that’ve been stolen. So those ones are kind of a bit gray, but some of them move once in a while in small numbers, and there are mixes in the network doing coin mixes or coin joins and things like that. So, it’s an interesting system in which to try and deploy privacy improvements.
So, you know, the lighting network, which is not allowed to, has some MIX-like on your routing technology, and the layer one conjoins and liquid, which is the layer two that my company, Blockstream, is working on, has confidential transactions. So, they have a different kind of privacy. Not sort of linkability privacy, but privacy of the amount of value being transferred.
Laura Shin:
And David, what about you, just briefly? We’re going to move onto some other questions in a moment.
David Chaum:
Well, like I said, you know, I was pretty familiar with all the different aspects of it, so I don’t really comment on that, but what I could say, and I’d like to say, I think is that, I mean, to Adam’s point, yeah, I think there are now the technology is out there, both on the bad guys’ side, because of the quantum computers and all this possibly percolating, and then some of the new stuff that has been done to speed up mixing by precomputation very dramatically.
And to make real quantum-secure BFT, those things can come together and create something that has all the real goodness. It’s much more definitive, far higher barrier against being taken down, even by a national adversary, and the privacy, then you get the full anonymity sets, and you know, you might have also privacy in the messaging. Who talks to who, that’s a great thing!
So, I think there’s another shoe to drop in this space, but I would never want to be thought of as someone diminishing the significance of bitcoin. I mean, to me, that is this game-changing, world-changing thing, and it’s…you know, technologically, it’s quite a complex beast, and I think it’s pointing the way to different things that we could try to improve.
I appreciate the way you’re tackling it, Adam, just trying to add things onto it to make it better, and I think that’s promising, but one could also take it all to the next level, and that’s something that I think is also…you know, Laura, your viewers should keep their eyes open for something really dramatically different. I think there’s room there to really take it to the next level. So, yeah.
Laura Shin:
So bitcoin has gone from a value of nothing, basically, to currently having a market cap of 200 billion dollars, and meanwhile, we have this pandemic going on, which is causing this economic freeze that has led to governments printing more money, and there’s all kinds of other factors going on, like China launching its own digital currency and these other central banks, you know, eyeing the same idea. So when you look at these different forces, where do you think bitcoin is headed next?
David Chaum:
To the stratosphere? Adam, did you recently say 300 thousand dollars?
Adam Back:
Yeah. I mean, actually, there’s been some recent discussion on a different track, which is this stock-to-flow model, which is just a curve fit on previous years’ price movement, but actually, the 300 thousand comment was before, which was just, you know, you can’t make predictions about these things, but just looking at the use case and the similarity with digital gold…so I was just looking at, well…and I’d go and look up the metrics. Well, how much gold is there in the world?
And people are not exactly sure how much physical gold there is in the world, but they have a rough idea, and then so what’s the market cap of gold, and divide that by the eventual supply of bitcoin, and you come out with a number that’s, like, 300 to 500 thousand bitcoin, but then that depends on the gold price, which is also a moving target, and of course, with all this pandemic economic uncertainty, gold is typically a kind of macro hedge.
So gold price is up. Surprise, surprise, but you know, bitcoin price is up, too, and I have to suppose that while a lot of people have heard about bitcoin, there’s probably many people who haven’t taken the plunge. Bitcoin has differences to gold. You can send it a distance. You can verify it has a lot of sort of more transactional value, utility value I guess. So, we’ll see. I mean, I think it’s certainly a very interesting experience to send some bitcoin.
I think, you know, in our company, we sent a bitcoin transaction of, like, 100 thousand dollars or something. It involves multiple people decrypting and signing different things, and you end up with a small blob of text, and you’re like, wow, this is 100 thousand dollars of bearer money. It’s just an amazing phenomena, right, to contemplate. As somebody from a computer science background, that’s really a very interesting artifact from the world.
So, you know, as technologists, we’re very enamored by the potential of this building block I think and what it can do for society to have kind of dependable electronic money from a monetary reform perspective, and of course, it seems that the economic commentators are saying that even though there’s been a lot of money printing, it hasn’t translated into much price inflation yet, but obviously, there’s more money in the system.
But economic downturn has suppressed price inflations, people not spending money, and so the suppliers are having to, you know, coax people to buy things by reducing prices to what they would do in a robust economic situation if you printed this quantity of money. So, we don’t know if and when that will take effect. I think the experience in Japan has shown that countries can have, you know, low inflation rates for a very long period of time.
So some people are looking at the US, for example, as a major economic factor in the world, which is to say that might be in the future, but I think more recently, the US has even said that it has an economic…it’s considering a new economic policy of creating or targeting the creation of price inflation. So, I don’t know. We live in interesting times, I guess is the thing we can say there.
Laura Shin:
Yeah, and just for listeners who don’t know, I have mentioned this before on the show, but stock-to-flow is this ratio of the existing supply versus the new supply. So, for instance, with bitcoin, you know, it’s relatively small, but actually, it’s still greater than the ratio for gold, but after the next happening, it will actually drop below that of gold. However, one interesting thing is that somebody took that and applied it to the price of gold over the course of history, and there was not a correlation. So then they felt that that disproved the stock-to-flow theory. So we will see how this bears out. I’m not sure whether or not that will apply to bitcoin, but David, what about you? Where do you think this is all headed?
David Chaum:
Well, I’m extremely optimistic about the future. I mean, all the trends that you mentioned, Laura, seem to indicate that, you know, I mean, if you’re afraid to go places in person, you want something you can transact with online, and yeah, there’s a ton of crazy stuff going on with governments these days. So it must all be pointing in a very positive direction, but we’re not seeing it right now that dramatically because, as we said, people aren’t really spending that much.
So I think it’s…yeah, this bodes extremely well for the whole space, bitcoin especially, and yeah, so this is…I mean, it’s sad to have to…I mean, I’d rather not think that something that I care about, like bitcoin, is going to benefit from all these bad things that are happening to the planet, but in fact, yeah, it seems that it will really…yeah, it all should be very positive for it, but I’m rooting for the planet, too, you know?
Laura Shin:
Yes. I think we all are and for humanity so we can all go out and hang out.
David Chaum:
Yeah. Yeah. So that ethereal next time, yeah.
Laura Shin:
Yeah. Okay, well, this has been so fun chatting, and I really enjoyed learning about your early work in digital currencies pre bitcoin. That was very fun. Where can people learn more about each of you and your work?
David Chaum:
Well, I would like to suggest people also could look at the xx network. You know, we’re live in beta, and we’ve got a lot of good stuff running, and look at the white papers. It’s really solid stuff. It’s extremely…you know, it’s best out of there by far. I think I’m extremely enthusiastic about it, and we’ve got a lot of good backing. So, please, yeah, have a look at that, but if you’re wondering about the historical stuff, look at Chaum.com.
And look at the cash museum and the different other things, multi-party computation we didn’t get a chance to talk about. That’s another interesting vector on all this kind of generalizing the smart contracts. Yeah, and the ICR and the history of it and if you’re interested in all that. So it’s all up there, and I guess one aspect that I would like to also draw your attention to is, you know, this kind of cryptographic technology can also be used in elections and voting and online voting and so on, and that is very much related to payments and messaging.
And I think this is an area where I’d like to see a lot more…I think there’s a lot of potential there, and so I’ve been working on that for a long time, and you can read about some of the stuff up on my site that I’ve been doing on that. So, we’re making great strides in that, actually. Yeah, there will be some new work coming out very soon. So, yeah, Chaum.com and xx network, xx.network is the URL.
Laura Shin:
All right, and Adam?
Adam Back:
Yeah, so I have a possible webpage on cypherspace.org, which has, for example, pictures of the t-shirt that you mentioned and various cryptographic libraries and things I’ve implemented over the years, and on Twitter, I’m @adam3us, and Blockstream, which is the company I co-founded some years ago now, is blockstream.com. Yeah, and so I think, you know, we were talking about the Dwork proof-of-work in Hashcash.
So I think that’s been something that there’s been discussions about at various times, and so one kind of question I’ve turned my mind to is, well, you know, why are people using Hashcash for the proof-of-work and not all the proofs-of-work, right? So there’s the client puzzles that Jules and Brainard produced. There’s the original proof-of-work by Dwork and Naor.
David Chaum:
Oh, I see. So the Hashcash mechanism itself is the one that’s prevailed?
Adam Back:
Yes. Well, I think there’s a specific reason in hindsight. So, at the time I did it, it wasn’t used for that purpose. It was just used for one-use stamps, but the result is that you get a compact proof-of-work. It’s a fixed size, whereas the Dwork and Naor’s were like broken asymmetric signatures. The signatures were low key sizes, so I think you could brute force them and create forgeries and things like that. So those three variants.
Two of the variants have progress, so you’d need, like, a Poisson process for fairness, like a level playing field in crypto mining. The third one, which, in Dwork and Naor, is based on the square roots in large prime fields, and there’s an algorithm in that called Tonelli–Shanks, which has some randomness, but it’s not clear if that’s sufficient to have a level playing field, because there may be other slightly less optimal square root algorithms that the single fastest computer can tend to win.
And that would be a problem again, and then the other side effect is that those systems have…they’re not as easy to scale in terms of the difficulty. So, with Hashcash, the stamp was, you know, compute a million tries. So, you know, 20 binary digits of zero at the front, but these days, it’s enormous, right? It’s 70, 80 leading zeroes, and so if you scale some of those in broken signature-based schemes, you end up having to increase the prime size of the Vigenère transform size, and you get an enormous proof.
So, the proof-of-work might, itself, be bigger than the block of transactions you’re trying to prove out. Plus, the fact that then Poisson is like a stumbling block if you see what I mean. Anyway, that’s sort of like in hindsight. So it’s like a curiosity, right? Saying, well, you know, given that they were these parallel, different variants…and the other one by Jules and Brainard is actually interactive. So, it’s not proof with respect to a server. So that’s not amenable to independent verification, let’s say, to the audit function.
David Chaum:
I’m really glad we had a chance to speak. Thanks. That’s so interesting. Yeah. Now I’m glad to hear that that the performance of your proof of work really, really…turns out to be the superior one, and congratulations on that. That’s excellent, and I’m going to mention that going forward. I was unclear. I was looking forward to this chance…you know, and we’d met before, but I’d never…I wanted to ask you about this because I thought it was going to come up.
Adam Back:
Yeah. Yeah. I mean, I think it’s also very simple. So it’s simple things! So, when I was designing it, I was thinking about, you know, should I introduce floating point to make it harder to make an ASIC? You know, so, already, I was thinking about spam as I was very determined economically, they’ll make ASICs. So should I make it complicated? Should I involve memory allotted? Was like, you know what? I think simple is better.
So I kept it to, you know, standard SHA-1 function at the time. So you would be able to verify it even with a SHA script, using the SHA-1 function, right? So, anyway, simple wins, and it happened to have the Poisson function, which I was actually determinedly trying to eradicate because it was a nuisance for spam purposes, but turned out to be an advantage for distributed fairness or something like that.
Laura Shin:
All right, well, you know, I’m not going to even try to pretend to translate all that for my listeners, but hopefully the more technical ones will have understood, and at least now we have an understanding of why your proof-of-work was perhaps more widely used than the original version. Okay, well, this has been so fun chatting with you both. Thank you both so much for coming on Unchained.
David Chaum:
Thank you, Laura. This was great. I really enjoyed it. Thank you again.
Laura Shin:
Thanks so much for joining us today. To learn more about the history of digital currency and David and Adam, as well as their various inventions, check out the show notes for this episode. Don’t forget, you can now watch video recordings of the shows on the Unchained YouTube channel. Go to YouTube.com/C/UnchainedPodcast and subscribe today. Unchained is produced by me Laura Shin with help from Anthony Yoon, Daniel Nuss, and the team at CLK Transcription. Thanks for listening.