Unchained - Why Bitcoin Now: David Chaum and Adam Back Reflect on the Crypto Wars - Ep.186
Episode Date: August 18, 2020

David Chaum, the inventor of eCash and CEO of xx network, and Adam Back, the inventor of Hashcash and the cofounder and CEO of Blockstream, discuss their involvement in digital currency well before Bitcoin existed. In this episode, they discuss:
- how they each became enamored with the idea of digital currency years before such an idea was widely discussed
- the crypto wars of the 1990s and the U.S. government's attempts to control access to advanced cryptography
- Digicash, the creation of eCash, and the difficulties of implementing the system with the technology available at the time
- the innovation of blind signatures used in eCash
- what caused the demise of Digicash, and David's role in that
- the development of Hashcash and the problems Adam was trying to solve by creating it
- their initial reactions to learning about Bitcoin for the first time
- how they think Bitcoin might improve in the future
- the stock-to-flow model, and where they believe the Bitcoin price might go next
- why the Hashcash proof-of-work mechanism became so widely used

Thank you to our sponsor!
Crypto.com: https://crypto.com/

Episode links:
- Adam Back: https://twitter.com/adam3us
- Blockstream: https://blockstream.com
- Adam's website: http://www.cypherspace.org
- David Chaum: https://twitter.com/chaumdotcom
- Elixxir: https://elixxir.io
- XX Network: https://xx.network
- Previous Unchained episode on the history of digital currency: https://unchainedpodcast.com/why-bitcoin-now-the-history-of-digital-currency/
- Wired article on "e-money": https://www.wired.com/1994/12/emoney/
- Translated Dutch article on why DigiCash failed: https://cryptome.org/jya/digicrash.htm
- Aaron Van Wirdum's Bitcoin Magazine series on the history of digital currency: https://www.whatbitcoindid.com/podcast/the-beginners-guide-to-bitcoin-part-3-bitcoins-pre-history-and-the-cypherpunks-with-aaron-van-wirdum
- David Chaum's e-Cash: https://bitcoinmagazine.com/articles/genesis-files-how-david-chaums-ecash-spawned-cypherpunk-dream
- Hashcash: https://bitcoinmagazine.com/articles/genesis-files-hashcash-or-how-adam-back-designed-bitcoins-motor-block
Transcript
Hi, everyone. Welcome to Unchained, your no-hype resource for all things crypto. I'm your host, Laura Shin, a journalist with over two decades of experience. I started covering crypto five years ago and as a senior editor at Forbes was the first mainstream media reporter to cover cryptocurrency full-time.
Subscribe to Unchained on YouTube, where you can watch the videos of me and my guests. Go to YouTube.com slash C-unchained podcast and subscribe today.
Crypto.com is waiving the 3.5% credit card fee for all crypto purchases until the end of September.
Download the crypto.com app today.
This is the fourth installment in the Why Bitcoin Now series, which takes a closer look at Bitcoin
in the context of larger macroeconomic forces, such as the pandemic and geopolitical moves happening
in crypto. My guests for today are Adam Back, the inventor of Hashcash and the co-founder
and CEO of Blockstream, and David Chaum, the inventor of e-cash and
the co-founder and CEO of Elixxir. Welcome, Adam and David. It's great to be here. We're nice to see you.
Yeah, likewise, good to be here. So just a quick note before we begin, I've been a little bit under the
weather. I've managed to gather the fortitude to do this episode. Hopefully, it will all turn out
fine, but I just wanted people to know that's what was happening while I was trying to prepare for
this. All right. So let's start with the first question. How did
you both become enamored with the idea of digital currency at a time when that was something
that wasn't even really on the radar of anybody in the world and the internet wasn't even
really a big thing. And why don't we start with you, David? Well, sure. Yeah, so, well, in 1977,
in the spring, I moved to Berkeley to start my PhD in computer science.
And I, well, I was transferring.
Actually, I had a Regents for your graduate fellowship in UCLA,
but I decided that Berkeley was more my kind of place.
So I moved to Berkeley and I really focused on privacy
and the trying to foresee how the digital world would play out,
and I realized that privacy was a key ingredient in that,
and I started developing, you know, a few technologies to see where this would all go.
And the first one I started with was actually voting,
and which more or less immediately led to what's called
mix networks today, and that's something I published in 79 as my master's thesis and then
appeared in CACM in 82, I think, but it's pretty well referenced work, and many people have
implemented this over the years. It was put in the public domain, and it's the only real way
that's practical at all to create what we call a large anonymity set, which is the figure of merit
in any kind of privacy system, right?
It's like how many people are you actually anonymous among,
assuming that the bad guys can see everything
that everyone sends to everyone else?
That's the threat model, you know,
and we learned from Snowden now that that's the real threat model.
So that was kind of where I started.
I thought, yeah, this is really important.
If the government can see who talks to who and when,
then you don't really have a basis
for being a participant in a democracy.
This could be a kind of a chilling thing.
And so then the next step,
to come to your question about money,
was, well, then I thought,
well, great, so I can participate in this upcoming Internet thing
or this, you know, the future digital world.
We didn't know exactly how it was going to play out in the late 70s.
But I'll need some way to pay things
and be paid to do things.
And if, you know, that payment system allowed the linking of who's paying who to be recognized, you know, by people listening in on the network, then it would undo all of the, the, what we call traffic analysis protection, now called metadata shredding, the hiding of who talks to who in the messaging system would be obviated, it would be undone
by learning who pays who because then you'd know anyway.
So I thought, well, we need a payment technology that will work in this privacy
protective metadata shredding sphere.
And so that's when I, let's say in the early 80s, I had, I invented e-cash, which was a
privacy-protecting digital bearer instrument.
And that's something that I think people have really recognized.
I mean, at some sense, you could call it Bitcoin zero because, but it was, it has certain
advantages over Bitcoin and that, of course, there was very strong privacy that you couldn't
break even with unlimited computing power.
And then it also had the property that when you had this money, no one could take it away from you.
So, you know, nowadays you could take, you could change
things on the chain if you really want to, sometimes it happens, but with eCash, there'd be no way
to take money away from you because you would have these digital signatures on serial numbers
that you chose at random, and no one would see them, even if they had quantum computers or
unlimited computing power, they couldn't figure out which serial numbers you chose at random
and have the signatures on. So you would be protected in the holding of your money. So it was a
digital bearer instrument that, you know, no one had ever thought of anything like that.
And that was a really big deal. So that's how I, that's how I came to it. Okay. Yeah. Let's,
we'll dive a little bit more into eCash in a moment. Adam, what about you? How did you get into
digital currency so early on before anything like Bitcoin was on the scene? So I started a PhD in 1991,
and I guess the year before that I had a friend who's doing a master's degree and this is at
University of Exeter we had a distributed systems group with some parallel hardware so you know lots of
processors high speed interconnects and it's a kind of interesting challenge to program those things
and that was the topic of my PhD actually initially was more about distributed systems so I came to
know about the Byzantine generals problem and things like that
before other people who maybe heard about that topic first in the Bitcoin or cryptocurrency context.
So in any case, my friend there was trying to accelerate the RSA encryption algorithm on these parallel hardware
because at the time, CPUs were a lot slower than they are now,
and even to encrypt messages was somewhat slow on a general desktop processor,
that kind of thing.
So I got interested in, got to do the technology before the kind of,
you know, the very interesting balance of power change of being able to have
end-to-end secure messaging that governments couldn't encrypt and so on.
So it wasn't long after that that PGP came out and PGP had that very interesting property.
I think the internet itself brought a lot of kind of freedoms and more direct participation,
for example, in media and blogging and conversations.
is less hierarchical.
Initially some government friction and adapting to the concept that,
you know,
while they could maybe influence a large media organization,
it's very difficult to influence millions of independent voices with their own views on things.
And, you know, of course, that's progressed a lot since, you know,
the 80s and 90s.
But from the interest in PGP, I joined the Cypherpunks list,
which is basically a group of people interested in technology like that.
So internet technology with some kind of privacy benefit or change in a balance of power.
So the kind of things that Snowden came to blow the whistle on, people were suspicious of.
And these were the kinds of people that were suspicious, you know, is the government really actually recording all this stuff?
And there was a whole, like a political battle about the banning of encryption, actually,
or the banning of export of encryption from some countries
or discussion about countries banning encryption software
that the national security apparatus couldn't decrypt.
And some of those things pop up even decades and decades later.
So it's kind of disappointing that that's still ongoing.
But I think my view was that we have in laws and regulations
established rights and it's a kind of
natural balance in society that for, you know, respect and privacy and personal independence
and so forth that you have various rights, but they become harder to enforce or eroded by the
mechanisms of the internet. So those are some of the things that David was talking about,
that, you know, actually to even hold onto the rights that you naturally assume and expect in a physical
world, some of those start to get eroded because ISPs are keeping logs. Initially for other,
you know, for service reasons, but once they're recorded, then people start to ask for access
to the logs, you know, different law enforcement and so on. So I got interested in privacy technology
and, you know, spent much of a time when I should have been, you know, working on distributed
systems, actually reading all kinds of applied cryptography papers, including David Chaum's,
some of David Chaum's papers, and implemented some of them in cryptographic libraries and actually
I implemented an e-cash library that implements David's e-cash protocol, the online version,
not the more complicated cut-and-choose, offline version, and also a related system by Stefan Brands,
which is just another variety of that. So I implemented both of those systems in a library.
And there was a great deal of interest in privacy technology, but all of the networks were
operated by volunteers.
So, you know, the cost of the servers,
the cost of the bandwidth was volunteer.
And it was a big gap in the technology
that there was nobody to pay for anything.
And as David said, you know,
as soon as you whip out your credit card
and pay for something,
now all the privacy has been undone and gone.
So clearly electronic cash was needed.
So there's a lot of excitement about David's company,
DigiCash at the time,
which was deploying the technology
that he talked about,
some decades after he first published the blind signature paper.
People wanted to see that deployed in some way or other,
and that was for a time deployed in a kind of demo server.
But it was, I think Bitcoin, which came very much later,
struck, you know, approached from a different angle,
which is it was more distributed but less private.
And the reasons for the distribution or decentralization
are sort of censorship resistance,
so it didn't depend for its viability on any
group of individuals or companies, right?
It would just keep operating as a fabric.
So there's not really a new prospect of the internet disappearing
because there are so many different service providers and operators.
And so it is with Bitcoin that there are,
you know, so many different companies offering integration services
and wallets and doing mining
and providing various infrastructure services.
So Bitcoin becomes much more of a
fabric and so more survivable, but it's not as good from a privacy point of view.
So with my kind of interested in, interest in applied cryptography, when I saw Bitcoin
and start taking more of an interest in it, it struck me that, you know, now that it was here
and it addressed robust survivability, that maybe there would be some way to improve the privacy.
And of course, there have been incremental improvements over time,
but I've proposed something called confidential transactions,
which is a way to encrypt the values of the,
so how many coins are being transferred,
but still have it be publicly auditable.
So it turns out you can do that using zero knowledge proofs
and challenges to make it compact and efficient.
So that has been implemented in sort of related systems.
So like sidechains to Bitcoin,
so kind of modular
layer two to Bitcoin and some other systems.
And there are a variety of privacy technologies in surrounding cryptocurrency currencies,
which are interesting.
And I hope that, you know, one day as a technology matures,
Bitcoin itself will incorporate more strong privacy,
either in a layer one or in a layer two.
So it's kind of came out from a privacy technology perspective.
I think Bitcoin adds one other dimension,
which was not something I was focusing on before.
I mean, I think that, you know, in the early to mid-90s onwards,
there are a lot of people interested to try and find a way to deploy electronic cash,
either, you know, using Chaum's protocols or other protocols or independently,
and finding difficult, like technically challenging to do that.
And so I was part of that kind of group of researchers like Hal Finney and Nick Szabo
and other people that were discussing those
things. One thing that Bitcoin adds that wasn't, to my mind, the major concern at the time
is a digital gold-like aspect, right, that it would have also some kind of monetary reform
or return to a gold standard, but in a digital format. You know, we were looking at it from
the point of view, we need electronic money with strong privacy and bearer properties, but if that
would have been denominated in US dollars or, you know, some of the stable large country
currency, we'd have been very happy and felt that we'd achieved the objective. So Bitcoin,
adding that is a new dimension. And I think likely helped its, you know, popularity in adoption as well.
Yeah, super interesting points. And we'll dive into some of these a bit more later. But one other
thing I wanted to ask about those early days was, was there a sense at that time
that it was kind of like an active group of people that were all working on this,
or did it have this feeling more of people that were kind of loosely connected on the internet
and then each of you were sort of tinkering on your own?
Like, you know, I'm just trying to get a sense of the feeling during those days,
whether or not it was something that felt like it was almost imminent,
or if it really felt like, well, all these people are trying different things,
but, you know, it's probably kind of far off in the future.
Let me, maybe I could speak to that, Adam, because I think we're talking about two different
time frames here totally, right? Adam's talking about the 90s. I'm talking about, you know,
I invented all this stuff in the late 70s and published it in the early 80s. And I did another
thing, which was, you know, really fundamental that opened up this whole discussion. Adam mentioned
the crypto wars without calling them that, but that, you know, governments were in this mode of,
you know, saying that you couldn't export cryptographic software or that you couldn't.
In fact, they were putting secrecy orders on researchers in the United States.
People I knew independently created ideas and the government would come to them.
You can't talk about that.
It's a national security, you know, they're going to put you in prison if you talked about.
Well, Adam, I mean, you have your famous t-shirt, the RSA T-shirt. Can you talk about that for a second?
Yeah, it's related to what David just mentioned. Yeah. So, well, I was living in the UK at the time. And so the, I mean, you know, various countries had different export controls and regulations. But the U.S. was the largest exporter of software. You know, the nexus of a lot of Internet software development. And so the fact that it's had this
non-export policy on cryptography was a concern.
It struck me as kind of silly because,
so I just set about making a very small program that would nominally be unexportable.
And it's, you know, it's like three lines of Perl code or something.
So it's very small.
And I made T-shirts and sold some T-shirts.
And people did other things with it, you know, like got a tattoo or, you know,
put it as a signature line on the email and so on.
And I think there was a law professor who there was a procedure where you could ask
if your software was exportable.
So there was a law professor who was trying to fight this export regulation through U.S. courts,
and he asked for approval to export this, you know, three lines of Perl, and they said he couldn't.
And it's also very anachronous because there's the very strong U.S. free speech,
and it particularly applies to written, you know, to books.
You shouldn't, you know, ban books and things like that.
And so there were people that, you know, put the PGP source code in books and freely export
them, but to do it electronically would have been illegal or something. So it struck me as kind of
silly, but at the same time, serious, you know, it was hampering business and it was meaning
that de facto a lot of software wasn't as secure as it could have been. So it was a way to sort of
put some political commentary on it. Like, you know, here's the de minimis thing that they would
apparently consider to be unexportable. So anyway, so continue with your line of thought there, David.
Well, but just to make clear for people, like you printed it on a t-shirt and then so if people
flew internationally with that t-shirt on, then they were breaking this law. Is that the case?
I don't know. I mean, if you can export a book and you export a t-shirt, it's a bit of a gray area,
I guess, but at least people thought it was an amusing kind of way to protest something that
they were quite unhappy about. It was a serious thing, you know, because it was impeding
internet commerce, basically, because people didn't feel they could trust encryption, and it was
also pushing jobs away from the US. Now there were people in Europe writing cryptographic libraries
because their US counterparts wouldn't be able to export them or, you know, international
companies setting up offices in Europe to do applied cryptography implementations and things. So it was
quite the inconvenience and it eventually got overturned, but not before there were, you know,
test cases and a lot of drama. So the, you know, crypto wars, as David called it, yeah, that was a
real thing in the 90s.
And so David, yeah, we interrupted your line of thought.
What were you going to finish?
Oh, well, I'd like to let's, let me just turn the big old heavy TV camera back to, you know,
when this all was really in place.
So as I was saying, a number of my colleagues and friends had secrecy orders placed
on them by the United States government, which made it a federal crime to reveal what they
were researching, even though they had.
They weren't drawing in any classified sources.
So that's a doctrine that's sometimes referred to as born classified,
which we have as an official policy in the United States
when it relates to nuclear weapons technology.
It makes a certain amount of sense to me, I guess.
But, you know, to apply that to cryptography seemed a bit out of range.
And so actually, so I was a graduate student at Berkeley,
thinking about, you know, liberty in the digital world and what it would be like,
because, you know, it's a lot more kind of bistable, you know,
because if everything's digital, you could spy on everything pretty easily,
or I developed these technologies that would allow you to protect your privacy.
So it could go sort of one of the two ways,
but all the privacy technology was based on encryption.
And special kinds of encryption,
I developed, you know, and so I really pioneered a lot of that stuff, and I think that's what
inspired the cypherpunk movement.
I mean, that's what everyone says.
But the other thing that I think really is very significant is that this all could have gone
a very different way because the national security agency, which is our main cryptographic
authority in the United States, you know, for protecting secrets and breaking codes, they
got a new director, and this fellow came in, and he started writing letters to all the scientific
associations, like that, you know, the ACM and the IEEE, which are the main ones for computer
technology, telling them that they should not have conferences or even sessions at conferences
that covered cryptography, because this was, you know, an illegal export, and
that they would, you know, he was going to throw the full force of the U.S. government at them.
And, you know, unbelievable penalties would accrue to them because this was totally illegal.
And with my perspective, how important all this encryption would be to deciding which way the world would go.
and, you know, being a relatively, I don't know, Berkeley young guy caught up in the whole atmosphere there,
and everything I thought, there's only one thing to do, and that is to organize a conference on cryptography,
but to do it secretly, not to use the phone.
So I did it all by in-person conversations and by, and I mailed out invitations to a bunch of, you know,
basically a guy named Len Adleman was a researcher from the RSA name,
he had a list of,
we got a print out in those days,
you know,
and me and my girlfriend sat in the apartment,
you know,
and we cut those out and glued them onto these envelopes,
you know,
and we mailed these things out in the paper mail.
And so there was a conference.
And most people interested in the field came to it.
And it was in Santa Barbara.
I stood up there on the stage and thanked everyone for showing up, and I announced that if they,
you know, since they paid 100 bucks or whatever it was, 80 bucks for the registration fee, that now they were,
that was a membership fee and a new international association for cryptologic research.
International scientific associations are protected by the United Nations. And so, you know,
there was a bunch of people in the front row all who registered for the conference at
as private individuals, not affiliated with any institution,
but they all happen to live in Laurel, Maryland,
which if you know anything about the NSA, that's where they are.
So when I said this, they just, you know, these people all turned green.
It was, that was it. It was over.
I said, okay, we're having our next event. It'll be in Udine, Italy,
and here's Henry Becker. He's going to be the chairman of that.
That'll be in the spring. And, you know, it was over.
So, you know, the government tried to make cryptography born classified, and they threatened these big organizations, and that scared them.
Because those bureaucrats didn't have a lot of skin in the game, but I felt it was just too important.
So I risked spending the rest of my life in jail to set cryptography free, which I did.
And I'm very proud of it.
And at that conference, I published the e-cash paper.
and that conference, that association, by the way, is very robust and exists to this day.
It is probably the only real organization in the field of cryptography.
It publishes a journal through Springer-Verlag.
All of its proceedings are published.
It has three annual conference, three conferences every year in different parts of the world,
plus half a dozen workshops.
So it's the International Association for
Cryptologic Research, it's called.
And it has enough money in the bank, you know, to weather the pandemic, even if it has to pay for
conferences for like a year or two, if no one comes, it still can afford that.
So we resisted like joining these other scientific associations.
So it's maintained a very independent and robust position and done a great deal to, you know,
facilitate and build up the scientific community in the fields.
So this was a pivotal, pivotal thing.
It's so fascinating.
I love that story.
So in a moment, we're going to talk more about e-cash as well as Hashcash.
But first, a quick word from the sponsors who make this show possible.
How much in fees are you paying for your crypto purchases?
Crypto.com is waiving the 3.5% credit card fee for all crypto purchases,
which means you can buy crypto with a 0% fee.
Apart from your crypto purchases, you can also get a great deal on food and grocery shopping too.
Get up to 10% back on Uber Eats, McDonald's, Domino's Pizza, Walmart, and many more when you pay with your MCO Visa card.
No card? On the Crypto.com app, buy gift cards
and get up to 20% back from merchants like Whole Foods, Safeway, Burger King, Papa John's, and Domino's.
Download the Crypto.com app today and enjoy these offers till the end of September.
Back to my conversation with David Chaum and Adam Back.
So David, you did allude to this briefly earlier.
You created the eCash system, which had as its currency cyberbucks.
How did eCash work? And you can also explain DigiCash.
Okay, well, that's a lot of stuff.
But if you go to chaum.com, scroll down to those projects,
and one of them is the eCash project,
and you can see there's a whole DigiCash Museum there.
And so you can see all about the history of it
and pictures of the people and all this stuff.
And you can see, interestingly, the banners
of the original CyberBucks-accepting shops on the internet.
And so there's a whole bunch of them.
Do you want to list some of those for people?
I don't really remember them off the top of my,
but you go there because you can click,
if you hover over them.
You know, if you're on a laptop,
then you can, it'll show the name.
And if you click through,
you can see like from the Wayback Machine
what their homepage looked like.
So you can see all the more people selling interesting stuff.
So the deal was,
if you put up a shop and accepted e-cash,
we would, I would give you a hundred cyber bucks.
And there was, okay, it wasn't, wasn't, you know, we just said, well, we're going to have a million.
It was limited.
So the idea of a limited issue was something that a lot of people had talked to me about, you know,
because it's a lot of people feel that's very important to do.
So we did that and, you know, it was a pretty successful thing.
But I think Adam will recall this back in those days, you know, it wasn't that easy to install the client
software and get it to work and everyone have different versions of different operating systems.
And it was computers were very slow for processing that, you know, all this. And, you know,
we were using modems and all that. Back in those, it was not easy, it wasn't easy for us to
make it a seamless, you know, experience on your smartphone or something. It was, it was really
something you had to want to do. So it was kind of hard to compete with credit cards and all that when,
and, you know, as the Internet just, you know, accelerated.
But what we did license and build for different banks, also their own system.
So the largest bank in Europe at that time was Deutsche Bank.
And I went over there and I talked to their board and they were all excited about it.
And they decided to back us.
And, you know, people say DigiCash failed.
Well, it's not really true.
It was taken down because they were willing to invest, you know, quite a lot more money in it.
And the people who got control of the company didn't want that.
They wanted to kill it.
So it was a sad thing.
But Deutsche Bank was a very tough customer.
You know, if you can imagine, a German bank, you know, the biggest bank in Europe.
Their data center was in an old bunker.
It was several stories underground.
And they wanted every kind of backup and, you know, recovery
and everything.
So we had to build all this stuff for them.
We satisfied them,
but I think it's quite an achievement.
So it was a very industrial strength,
e-cash banking system, if you will,
that attached to their, you know,
what it called current accounts
to their, you know,
regular consumer bank accounts.
And there were shops that were accepting.
And in those days, of course,
it was before the euro, right?
It was Deutsche Marks.
And so you could use Deutsche Bank issued Deutsche Marks
and buy things online
with, and so we made all that for them, was all Deutsche Bank branded.
And then we had Mark Twain Bank in the U.S., which offered U.S. dollars.
And so they were an international currency bank, so they had some other, they could do various conversions.
So that was great.
And then we had Advance Bank in Australia, which I think was like the number two or three bank at that time.
Now it's been merged in.
They were issuing in Australian dollars.
And we had bunches of people wanting to use it and starting to use it in various
countries and I mean I think my congressional testimony in the U.S. is, you know, maybe noteworthy,
but I also spoke to a bunch of other governments and visited many central banks around the
world. And, you know, I told people at that time, what I really told them was, you know, if your
country would take the initiative and issue its money in e-cash, you could be the electronic
commerce leader of the world. This would be a tremendous economic opportunity for your country.
And that's what I was pitching when I had that chance to speak to those, because I was invited
to a lot of central banks and, you know, Visa International and Citibank and all these. I was
sitting there in the boardrooms and meeting the executives that'd come to visit me and, you know,
all this stuff. So, I mean, there was a lot of interest in what we were doing. I have boxes of press
clippings from those days because when I
announced, you know, I did the first
e-cash payment, the first World Wide Web
Conference from CERN to
Amsterdam and
then a web,
more little press release and this guy sent it out
from the company and it was, the New York Times picked it up
and it was all over the global
media in about 48 hours and there was so much
interest in the idea that a number itself
could be worth money, you know,
that I was interviewed in all kinds of languages.
I don't even know what languages.
I have a whole archive of videotapes,
you know, those big old videotapes of TV shows where I was interviewed.
And it was so much interest in it.
Yeah.
And let's just look under the hood and talk a little bit about eCash.
So I know, I believe that blind signatures were one of the breakthroughs.
Yes.
Yeah.
So can you just explain that?
Sure.
Yeah, absolutely.
So, I mean, there's, you know, there are many
kinds of digital signature. Digital signature is a pretty general term these days in its usage,
but we have one type is blind signatures, and I invented them especially for payments and e-cash.
Now, actually, I was hoping that they would be used in a whole range of other applications
to do with what I call credential mechanisms, and I wrote this paper that appeared in, you know,
it was mentioned on the cover of Scientific American.
It was also on the cover of the best journal of computer science CACM at that time.
You can see it on my website.
There's another one of the little project things there at chaum.com,
but I created a whole concept for how you could use the mixing to have perfect privacy
and who you talk to and eCash to make your payments.
And then the blind signatures could be used to basically prove things about you
without revealing who you are.
And so like, you know, classic say, if a kid's at a bar and they want to or somewhere they want to get in,
they would say to prove that they have a old enough or they have a driving license or they're from a different state or whatever,
but they don't want to give their address and all this other stuff.
Well, that's what you could do with the credential mechanism.
You can prove exactly that you qualify according to whatever, you know, to one way,
but you wouldn't have to reveal which way that was.
You would just reveal the exact one bit that you were
qualified, you'd give a signature that would prove that irrefutably.
And that was, so that I found a way that basically turned the databases that companies would
have about you inside out so that now you maintained your own information about yourself.
And whenever they would normally ask their own database of query, they would have to ask you
and you would prove the answer was correct.
You'd give the answer and prove it was correct if you wanted to answer it.
So that was a whole comprehensive thing.
So blind signatures went a little bit beyond.
I was hoping that e-cash should be like a Trojan horse, you know.
People would start using it for payments.
And they started to say, hey, wait a minute.
I don't have to reveal my identity to make payments.
But if I want to, I can prove that that shop got my money.
So that's pretty cool.
Maybe I could use that to check out library books or, you know, maybe for these other things.
And then the credential mechanism would kind of grow organically.
And that's why I went to a lot of effort to publish it in these mainstream publications,
to try to really distill it and work with artists to get the concepts across and all that.
But so the idea of a blind signature is very, very simple.
In those days, we had carbon paper.
I don't know if people these days know what carbon paper is.
I know what it is.
Yeah, we have carbonless carbon paper, I guess.
You know about that.
It copies through.
So basically, the easy way to understand e-cash,
and it's very close to the reality of it, the blind signature is that, let's just say,
I take a piece of paper and I write a random serial number on it that only I know,
and I put an envelope with some carbon paper inside or carbonless lining or whatever,
I give it to my bank and they say, here, it's me, you know,
take the money out of my checking account and validate this with your special worth $1 stamp,
where it's like a signature that they can make.
but on the outside of the envelope,
they return the envelope to me.
Then I can remove the envelope.
Now I have my own random serial number
with the carbon image of their
unforgeable worth of dollar stamp on it.
So now I have this dollar,
but no one knows the serial number.
And so I'm sure I have the money.
And so when I go and I, you know,
no one can take it away from me.
They can't, you know, screw with my account or anything.
So then I take it to a shop
and they say that looks nice, you know, but we got to check that you haven't spent that serial number before.
So they check with the bank.
That's the so-called, you know, what I called the double spending problem in those days.
And you hear a lot about it these days, right?
So the bank would then say, oh, yeah, that's our signature.
But we haven't, and we haven't accepted that number before.
And so we will honor this and put the money on the shops account.
But, of course, we have no idea who the payer is.
However, you know, the user is very well protected.
So I didn't mention this, but that serial number is actually the result of applying a hash function.
So if the bank says, oh, we already saw that number, you know, it's not valid.
Then the retail, the shop would say, oh, that's interesting.
Can you please show me the number that when you hash it gives you that serial number.
And, of course, they wouldn't be able to do it.
So only once they sign and say, okay, we'll accept it.
Then I give that hash pre-image, and then they know.
And so it's totally secured in that way.
But the privacy is, let's say, asymmetric.
And I was very happy with this.
And in those days, it really worked well.
You know, there's something called the Bank for International Settlements,
which is the central bankers central bank.
You know, I visited and then I spoke there.
It's a whole thing.
They promulgated.
They have a publication of those days called, you know, definition of criminal use of payments,
and they listed them, and they were, you know, very strident about it all.
And it was basically extortion, black markets, and bribery.
And so it turns out in any of those scenarios, as the, if you used e-cash, instead of a suitcase
full of $20 bills, right?
But if you used e-cash, then no criminals would accept it.
Because since you knew the serial number that you created, you could always kind of tell the bank
or the government or something, look out, these guys are going to be spending that.
So no blackmailer would take payment by check or, you know, no black market's going to accept Fed Wire or, you know, these things.
So it was a way to protect the privacy of the individual.
And we said unconditionally because the blinding and the blind signature is not just cryptography.
It's what we call information theoretic statistical security.
With unlimited computing power, quantum computers, whatever, you cannot learn anything about what's blinded in there.
So it's unconditionally, as a consumer, your privacy was, and the protection of your money that you held was perfect.
But on the other hand, it wasn't really a suitable currency for, you know, paying bribes to politicians and things like that.
So I felt it was a really superior form of money.
In fact, if we could get rid of paper money and switch to this, we could get rid of a lot of corruption and problems which are, you know, pretty big deal.
Let's also briefly just go over what happened with DigiCash.
You did talk about that a little bit.
You know, it had offers of investment from places like ING investment.
There was even a plan, I think, for ING Barings and Goldman Sachs to bring DigiCash to the stock market.
And Bill Gates expressed interest in integrating it with Windows 95.
Netscape expressed interest, Visa wanted to invest $40 million.
And none of these potential deals happened.
And in subsequent reporting, I guess, some sources say that you wanted too much control.
And employees also felt you were too paranoid or greedy or stubborn.
And that's why these deals fell through.
Well, that's your...
That's our great...
What's your...
Yeah, what's your...
No, look, I'm doing this to make the world a better place.
And that's why I put my life on the line.
And that's what I've been working on all along.
And, you know, I think it's really true that the powers that be wanted to kind of, you know,
stop this from being what it could have been.
And I really want to give it a chance.
Do you mean Microsoft and Visa and Netscape or what do you mean by the powers that be?
Because they were interested in, you know, using this and integrating it with their businesses or investing in it.
Well, I mean, what about like policymakers,
things like that, I presume it'd be more.
I don't think they were the ones you stopped these deals, were they?
Well, I think it's a, you know, one thing I'd like to say is that it's a testament
to the significance of the ideas that I developed and that there was so much interest.
And we had very serious conversations with a number of these organizations.
It's true.
And, you know, we were represented by investment banks and, you know,
and so forth and so on.
But if there was ever a scenario in which I felt that the potential of this was going to be taken forward
and used to really plant that seed of privacy that I'd hoped for,
you know, that was the last thing in the world I'd want to do would be to stop that.
So, yeah, when you start to really see the, you know, we're invited into the corridors
of massive power, it's quite an eye-opening experience.
And, you know, I was at the, invited to, I spoke at a conference of central banks in Milan and, I mean, in Rome.
And they told me that, you know, I mean, that was the airport was clogged up.
It was like their private planes.
I mean, they closed off avenues.
And we walked across a bunch of streets.
Police had blocked it all off.
We walked right in the Vatican.
You know, it was only for us.
I mean, they said no, us non-central bank had ever been to,
even allowed to attend any of their meetings.
And I haven't you speak there.
I mean, people recognized the significance of what this was,
but I'm not sure that anyone was really interested in the disruptive power of it.
Yeah.
And it's not like I had a monopoly on this.
As Adam mentioned, there were other kinds of blindable signatures that were contorted in a way
that they didn't really fall under our control.
So I think that, I mean, this is, you know,
I don't want to get too broad a perspective
to answer to your specific question,
but what I would say is that the,
I mean, just a little bit more generally,
you know, if we want cryptography to rise to its potential
to make the world a better place for
people, then probably we need to do that in a way that is a more of a works in a more
comprehensive manner and is not more or less a guerrilla action on the side. And that's kind of
what I've been really trying to do. And that puts the burden on us to figure out how you
could really use this in a way that would address legitimate issues in society. And at the same
time, you know, liberate people and human potential, you know, this is the thing that will
take civilization to the next level.
Yeah.
It's interesting because that description of a guerrilla action on the side is almost a description
of Bitcoin.
But anyway.
No, no, no, no, it's not at all.
I wouldn't say that.
No, no.
I'm a huge fan of Bitcoin.
I think Bitcoin changed the whole landscape.
Yeah, I would say e-cash is Bitcoin Zero.
Bitcoin One is Bitcoin.
Made a lot of people rich.
No question.
And Bitcoin Two, that's coming.
And maybe it needs to be a little more hard to take down
and a little bit real privacy
and maybe integrated with some other features.
Yeah, so just to give people a sense of the timeline,
so you left Digicash in 1996,
DigiCash went bankrupt in 1998,
and meanwhile, right in the middle there, in 1997,
Adam sent an email to the cypherpunk mailing list
about Hashcash. So David, do you want to dispute what I just said there? I'm sorry. Laura,
it's just a timeline, right?
It's a pleasure of speaking with you, but I'm not sure. I feel like I'm being cross-examined.
You know, a lot of what you said has been said, none of it's exactly accurate and what you said
is not exactly accurate. I don't want to be put in a position to criticize any of this, but I mean,
I mean, if I don't have the facts. I didn't leave Digicash in 96. Oh, you didn't? Okay.
No, in 94. I don't know what you're referring to. I mean, the Hashcash was just something that Adam developed, as you know, to protect against spam by using computational cost. And this was something that was already, you know, remember I mentioned the cryptography conferences that I created? So years before Adam's mention of that, it was already, you know, published by Dwork and Naor at the conference.
Well, proof of work, proof of work for preventing spam.
So, yeah, it was already, you know, I was so, I mean, what do you mean that Adam wrote a letter to what?
I already know about this years earlier.
I was there when Cynthia presented, you know, Moni Naor was my co-author on the offline e-cash article.
Right.
So just for listeners, Cynthia Dwork and Moni Naor wrote the proposed proof of work much earlier than Adam wrote the hash, you know, proposed Hashcash to the cypherpunk mailing
list. I'm just making... They presented it at the flagship conference. Yeah, I believe they presented in
1993. I was there. I'm just trying to make a transition for us to talk about hash cash,
that's all, and to show that all of these things were happening right around the same time.
Yes. That's all. That's fine. You know, it's really true. But yes, proof of work.
You know, let me say that there were a lot of people, you know, a lot of cypherpunks that I invited to visit us and work for us.
It was a very open company.
We had a research component.
So I had a lot of interaction with people like Gus.
Zooko, you know, was there for quite a while.
Zooko will talk with him.
Yeah.
Yeah.
To, on, you know, try to help him develop his own competing systems while he was
there in my, under my employ, on my nickel.
And, I mean, later, Zooko wrote to, he wanted to come to Crypto.
He had no money.
I said, sure, I'll pay for you to come.
Yeah.
And, you know, and I picked him up at the airport or whatever it was.
I help him out.
I mean, you know, and Nick was there.
Yeah.
And Nick Szabo.
Yes.
It was a very open process.
Now we're going to talk about hash cash.
So Adam, in 1997, you sent an email to the cypherpunk mailing list proposing
Hashcash.
What problem were you trying to solve and how did Hashcash do that?
Yeah.
So I was running remailer, so a way to send
anonymous email and communicate on Usenet discussion groups with anonymity.
And as I mentioned earlier, the technology for these things was basically operated by volunteers.
So the problem, or one of the problems as an operator of these things, it wasn't that expensive to operate in terms of bandwidth and server resources.
But it seemed that some people didn't like free speech or ability to communicate privately or anonymously and had taken it upon themselves
to spam through these systems.
And it wasn't even commercial spam.
It was just, you know, random numbers, just trying to be disruptive.
And we think, because it was happening to multiple remailers,
probably about 30 to 50 of them at various times,
that the people doing this were trying to annoy system administrators
who operated Usenet servers.
So the Usenet is distributed discussion group,
and they use a lot of bandwidth, like a university site or a big ISP,
it would use enormous amounts of bandwidth and say,
it would start to annoy the system administrators if people were spamming through the remailers.
The reaction would be maybe to block remailers or something like that,
and I think that was what they were trying to achieve.
So it occurred to me that it would be good if there was a way to combat this spam problem,
and because it was involved in privacy,
I had to think about it in a different way
because the usual anti-spam technique,
the system of mischiefs...
But Adam, can I just interrupt you?
I've heard you give the same presentation before,
but I'm just wondering, I mean,
but Dwork and Naor already published
proof of work as an anti-spam mechanism.
Sure.
And this was at the premier conference,
everyone in the field knew about it.
It was published in the Springer lecture notes,
and it was in every library
computer science library in the world practically.
It's very widely disseminated.
So why did you have to think so deeply about it?
Well, there's two things here, right?
One is...
But I have one of the questions for you.
I'm sorry, I don't mean that.
I know you've made some...
Look, I value what you were doing,
and I know it's tough to operate a remailer in those days.
Were there also Mixmasters?
Were those running in those days?
And so in the real deal?
That was...
Right.
That's so because you put yourself
in a very difficult position,
knowing the linkings, right?
But if you had cooperated with others in a more open system using the mixing technology,
you would have been maybe...
There were two generations for remailers.
So hopefully you wrote the first one, which was just a kind of nested onion,
but because it didn't standardize the message sizes,
you could say that a globally, you know,
that wasn't very good for passive traffic analysis, if you like.
I get you.
Yeah, I see.
I get it.
The second generation was a Mixmaster. So I was running, actually, it's backwards compatible, but I was running a Mixmaster
email for a few years. Oh, great. And yeah, and I mean, so in terms of Hashcash, I was not aware
of Dwork's paper until somebody sent me a link to the publication in a couple of months after I
posted the source code for Hashcash. And so some years later, I got around to kind of writing a paper
about the experiences of people using Hashcash for various things.
And in there, I cited a number of things.
Obviously, Dwork's paper, as I was aware, at that point.
But also, there were some other related things.
I think in a way of thinking the sort of very invention of public key cryptography with
Merkle puzzles is a kind of proof of, I mean, it's not exactly proof of work, but it's related.
That's very interesting.
Yeah.
Yeah.
You know, if you look around, there's a lot of link to.
Gis and reinventions in this space.
You know, so there have been other things where people have published something.
There were, for example, client puzzles, which was another kind of hash-based proof of work
by Ari Juels and Brainard.
I was probably also in one of the cryptography papers.
And they were not aware of Hashcash, for example, right?
So the original Dwork and Naor was using asymmetric techniques.
There's a lot of reinvention.
Of course, I didn't publish it in academic papers.
So I just published on a website, so, you know, fair enough, they wouldn't have been aware of it.
But just to say that there's a lot of kind of reinvention.
And in my experience, the building things in an applied way sometimes brings together new ideas, right?
So you can have an idea.
Necessity is the mother of invention, right?
Exactly, right.
So that was a kind of general thrust of it.
So I have, you know, done general publications and things, but more in the
distributed system space.
So because it was a kind of applied thing for remailers,
I just put it on a, you know, like a tech report on a website kind of thing.
So anyway, oh, yeah, go ahead, finish.
Yeah, so, I mean, the idea there was to think about it in a way that could preserve privacy.
So there are a few features about it that are privacy related.
So it adds, it has a timestamp, but there's some randomization of a timestamp so that you
wouldn't reveal, you know, from a black box. If you're looking at from the outside,
see what the messages are going in. You wouldn't reveal who's likely sender by looking at a timestamp.
So I had some features like that. So, I mean, just the idea is to, as the same as Dwork's in,
in the kind of concept level, which is to create cost. That's the basic observation, right?
The problem with commercial bulk spam is that it costs effectively zero. But I think the advantage
of that kind of system is that it doesn't, you know,
it's not as attractive because it's not respendable, but it's more scalable.
It doesn't require any infrastructure, really.
You can just attach it to an email.
And actually, much later in 2004, Hal Finney kind of got a bit closer to assembling these different parts together.
So he used Hashcash as the proof of work, and he used a Chaum blind signature-based token server.
and he assembled it in an IBM tamper-resistant secure processor,
but he ran.
So it kind of had the central point of failure risk,
but he introduced mining effectively into the conversation.
So he was using Hashcash,
so I guess it was a,
you can find a website online somewhere somebody's archived it.
So basically you would do some work,
you would send it to this IBM processor that was running in his server,
and it would send you back a Chaum token.
in. And because of the kind of trustworthy computing aspect of this card, if you assumed that
he wasn't colluding with IBM, which would be a big stretch to say that they designed this card,
colluded with him, right? So it's a serious piece of hardware that banks buy. And it can provide
a kind of signature of execution. So you get, you can verify what code it's running with reasonable
security, not as much as the Bitcoin network, because that's, you know, anybody can fully verify
and you don't depend on this kind of, you know, trusted hardware sequence.
But nevertheless, it's kind of interesting assemblage of parts.
So you can call that kind of Bitcoin 0.5, if you like,
you know, the Bitcoin Zero without a proof of work.
Well, he's got proof of work in there, and he's bridging the technologies, right?
So it's centralized.
It's got the strong privacy because you get in exchange for your work,
a Chaum token and the scarcity is there. So it's introducing digital scarcity. And I think that
Hal Finney and Nick Szabo and a few people were more interested in monetary reforms. So, you know,
returns to a gold standard or reestablishing something like that. So people were looking at the electronic
cash problem from different directions, some from monetary reform perspective, some from the privacy
perspective. I was a little bit more on the kind of privacy bearer cash perspective. I would have been
okay with, you know, dollars or any reasonably stable currency. But then Bitcoin, you know, if you scroll
forward to Bitcoin, it, you know, it loses some of the privacy, but it does plus or minus what
Hal Finney's, he called it RPOW, reusable proof. So it basically does that, but in a distributed
setting, and the privacy it loses is, is a side effect. I think, you know, most people who are involved
would like to establish a way to bring it back, but it's more technically challenging to do that,
as David would have a lot of experience in protocol design around, to do that in a way,
you end up with bigger zero-knowledge proofs or more cryptographic assumptions.
So Bitcoin is using actually quite basic cryptographic assumptions.
So it doesn't really do anything, you know, advance with zero-knowledge proofs and things like that.
And so for both of you, when did you hear about Bitcoin and how, and what were
your initial thoughts? So do you want to go, David? Well, you know, I'd rather not comment on that
exactly. I don't think I've done so publicly. Could I, we just go back before we ask,
answer that off and ask question, because I think it's very interesting conversation about,
you know, these early days. And, you know, one of the things that's colored my thinking, Adam, on
this, and I'm curious on your thoughts on this, but was really, you know, in the, in the mid-90s,
as I think you've pointed out, the computing power and the network connections and all this,
you know, it wasn't really up to doing a lot of stuff.
And the idea that, you know, you'd have all these servers running all around the world, you know,
supporting payments.
I think that wasn't quite inconceivable to us.
We were, we were happy that we could get the client side, you know,
to just make a payment in a couple minutes do an e-cash payment and that we could
get the servers to be able to handle their side of it.
So instead of having, you know, replicating that server, so to speak, many times.
But what we did consider, and I think it's not, I don't believe it's ever been discussed
publicly, but several of us in the DigiCash company were working on a more distributed
version of eCash that was not, you know, it was somewhere in between.
So it was, I mean, you can think it's very easy.
easy to imagine distributing e-cash in a simple-minded way, right, where you say, well,
we've got, you know, 10 servers now. And if a majority of them agree that it has, you know,
they all sign and then they all check the double spending. And if a majority say it's okay,
then it's okay. You know, if you were to combine that with, you know, what I published as my
dissertation at Berkeley, right, which was the blockchain, everything about blockchain,
except for the proof of work part, right?
Then you, you know, because that was a majority rule network, right?
So that's kind of what we were thinking of as a step to distribute this process because there wasn't really the resource to just, I don't think, you know, at that point.
So that would have been something that would have been achievable to make them somewhat more decentralized, you know, more in the
classic BFT kind of model.
Right.
Yeah.
I mean,
I think...
I never heard of talk about it.
We didn't.
That's our,
it's on us,
I guess.
No,
yeah.
So we,
I think Greg Maxwell
had a look at doing that as well.
So just,
just to kind of make a threshold,
you know,
like K of N.
Yeah.
Yeah.
And you can see in a straightforward way that that work.
I mean,
that should work.
And if you can do a single,
single blind signature,
you can make K of N inefficiently,
maybe more importantly,
and some more thought.
And I think state chains,
which is another kind of Bitcoin layer two,
is contemplating doing the same thing.
I think Greg had some source code
but hadn't published it for the
kind of threshold blind signature approach.
But I think the challenge,
and the blockchain actually has a kind of federated blockchain,
which is also K of N.
So it kind of fits into our thinking
for a layer two security.
but the advantage for Bitcoin itself in the layer one is it's kind of, we published a paper on
sidechains and coined the word dynamic membership signature because you could think of the
proof of work as sort of evolving and signing in some way with the work, the most work,
the longest chain with the most work, signing off, the majority of the work signing off.
and, you know, each signature or each addition of a proof of work, you can have a freshly anonymous participant.
So I think Bitcoin stumbled across, and nobody knows who Satoshi is or how he hit upon this idea,
you know, whether he came at it from the Byzantine General's fixed membership, BFT protocols,
or whether he started, you know, straight from anonymous proof of work.
But it doesn't have the membership challenge.
And something with a membership is not a point as permissionless.
That was the, that's the big breakthrough of, of Bitcoin.
And thank God that it happened.
And it's a fantastic, you know, it's changed the world in a dramatic way.
So, yeah.
So let's talk about Bitcoin because we're well over time and we're running out.
So, yeah, just how did you learn about Bitcoin?
When was that?
And what were your initial thoughts?
So I learned about it in, I think it was like August 2008.
Got an email from Satoshi Nakamoto with, you know, the abstract and asking for the correct citation for hash.
And I sent him a couple of other papers to look at, one of them being B-Money.
And I looked at it in more detail.
Actually, when Hal Finney started posting his experiences running
it and, you know, understanding how it works. So he posted some longer commentary on, I think,
the cryptography mailing list or the cypherpunks mailing list. You know, I suppose for somebody
who's, you know, spent much of his professional career working on applied cryptography,
you know, libraries and privacy enhanced technologies and things, the thing that will strike
you initially until you've become accustomed to it is, well, that hasn't got very strong
privacy assurances, at least compared to the previous systems, and that the security margin
on a double spending is kind of 50-50, right? So you're sort of trusting that the economic
majority is honest, to some extent. Not in all, it depends on the aspects of the system
you're protecting. And so, you know, from the normal cryptographic, kind of asymmetric
crypto, you typically have an enormous benefit as a defender versus the attacker. You know,
you're going to do some computation that takes a fraction of a second.
The attacker is going to sit there for, you know,
thousands of years with using a enormous amount of compute
and probably going to fail to decrypt your message.
So you're used to this kind of enormous asymmetry.
And Bitcoin is like, well, it's, you know,
it's the good guys versus the bad guys.
It's a fair fight kind of thing, right?
So it takes you a while to get, to get over that.
But, you know, then you reflect on it.
You say, well, you know, on the other hand,
it has proposed a novel, new solution to the kind of dynamic membership,
Byzantine Generals problem space.
And as I mentioned, I was somebody who'd read Leslie Lamport's paper while I was
in my computer science PhD.
There's something interesting and new in that space.
And it's here.
It's bootstrapped.
You know, after a while it had a value and so forth when there were exchanges, I guess,
over a year in before there was a price at all, right?
People playing with it start with.
The bootstrap story is kind of interesting.
But, you know, the fact that it's deployed and it's decentralized
So there's no really identifiable nexus of, you know, a company or an individual that you would ask to switch off a server or, you know, block something.
So I think it's an interesting trade-off, right, because with a DigiCash and related blind signature-based protocols, you've got a very strong assurance that you can't selectively block transactions.
And the only thing that a party operating it could do is shut down, right?
they could say, well, I refuse, I mean, I can't block anything selectively, so what do you want me to do?
Like, they're all indistinguishable to me, assuming that the sender wants privacy.
Whereas Bitcoin is not so much in that vein.
It's more that, you know, people are transacting the sort of pseudonymity.
The coins are kind of pseudonymous.
There's no kind of wallet, identifier tracking it all.
It's kind of imperfect.
But there's a de facto fungibility and privacy and an assumption that there's an economic
incentive that sooner or later, some miner somewhere will process your transaction, even if
the first one chooses not to for policy reasons. And it's like plus and minus held up. It's
been of a gray area. You know, there are the companies that specialize in tracking coins that have
been stolen. So those ones are kind of a bit gray. But, you know, some of them move once in a while
in small numbers. And there are mixes in the network doing kind of coin mixes or coin joins and
things like that. So it's an interesting system in which to try and deploy privacy improvements.
So, you know, the Lightning Network, which is another layer two, has some mix like onion routing
technology and the layer one coin joins. And Liquid, which is a layer two that my company Blockstream
is working on, has confidential transactions, so a different kind of privacy, not sort of
linkability privacy, but privacy of the amount of value being transferred.
And David, what about you? Just briefly. We're going to move on to some other questions in a moment.
Like I said, you know, I was pretty familiar with all the different aspects of it.
So I don't really comment on that. But what I could say would, I'd like to say, I think, is that, I mean, to Adam's point, yeah, you know, I think there are now the technical.
is out there both on the bad guy side because of the quantum computers and all this,
possibly percolating.
And then, you know, some of the new stuff that has been done to speed up mixing by pre-computation very dramatically
and to make real quantum secure BFT, you know, those things can come together and create
It's something that has all the real goodness.
It's much more definitive, far higher barrier against being taken down and even by a national adversary.
And the privacy, then you get the full anonymity sets.
And you might have also privacy in the messaging.
Who talks to who?
That's a great thing.
So I think there's a whole, there's another shoe to drop in this space.
But, you know, I would never want to be thought of as someone diminishing the significance of Bitcoin.
I mean, to me, that's like this game changing, world changing thing.
And it's, you know, technologically, it's quite a complex beast.
And I think it's showing, it's pointing the way to, you know, different things that we could try to improve.
and I appreciate the way you're tackling it, Adam.
It's like, you know, trying to add things on to it to make it better.
And I think that's promising.
But one could also, you know, take it all to the next level.
And that's something that I think is also, you know,
Laura, your viewers should, you know,
keep their eyes open for something really dramatically different.
You know, I think there's another,
there's room there to really take it to the next level.
So, yeah.
So Bitcoin has gone from a value of nothing, basically, to currently having a market cap of over $200 billion.
And meanwhile, we have this pandemic going on, which is causing this economic freeze that has led to governments printing more money.
And there's all kinds of other factors going on like China launching its own digital currency and these other central banks, you know, eyeing the same idea.
So when you look at these different forces, where do you think Bitcoin is headed next?
To the stratosphere?
Adam, did you recently say $300,000?
Yeah, I mean, actually there's been some recent discussion on a different track,
which is this stock-to-flow model, which is a kind of just a curve fit on previous year's price movement.
But actually, the 300,000 comment was before, which was just,
You know, you can't make predictions about these things, but just looking at the use case and the similarity with digital gold.
So I was just looking at, well, you know, go look up the metrics.
Well, how much gold is there in the world?
And people are not exactly sure how much physical gold there is in the world, but they have a rough idea.
And, you know, so what's the market cap of gold and divide that by the eventual supply of Bitcoin?
And you come out with a number that's like 300 to 500,000 per coin.
But then that depends on the gold price, which is also the moving target.
And of course, with all this pandemic, economic uncertainty, gold is typically a kind of macro hedge.
So gold prices up, surprise, surprise.
But, you know, Bitcoin price is up too.
And I have to suppose that while a lot of people have heard about Bitcoin, there's probably, you know, many people who haven't taken the plunge.
Bitcoin has differences to gold.
You know, you can send it at distance.
You can verify it.
a lot of more transactional value, utility value, I guess.
So we'll see.
I mean, I think it's certainly a very interesting experience to, you know, send some Bitcoin.
I think, you know, in our company, we sent Bitcoin transaction, I don't know, like $100,000 or something.
It involves multiple people, you know, decrypting and signing different things.
And you end up with a small blob of text and you're like, wow, this is, you know, $100,000 of bearer money.
It's just an amazing phenomena, right, to contemplate as somebody from a computer science background.
That's really a very interesting artifact for the world.
So as technologists, we're very enamored by, you know, the potential of this building block, I think,
and what it can do for society to have, you know, kind of dependable electronic money from a monetary reform perspective.
Of course, it seems that the economic commentators are saying that even if there's been a lot of money printing, it hasn't translated into much price inflation yet.
Obviously, there's more money in the system, but the economic downturn has suppressed price inflation.
People are not spending money.
So the suppliers are having to coax people to buy things by reducing prices to what they would do in a robust economic situation if you printed this quantity of money.
So we don't know if and when that will take effect.
I think the experience in Japan has shown that countries can have, you know,
low inflation rates for a very long period of time.
So, you know, some people are looking at the U.S., for example,
as a major economic factor in the world to say that might be in the future.
But I think more recently the U.S. has even said that it has an economic,
is considering an economic policy of creating a economic policy of creating,
or targeting the creation of price inflation.
So I don't know.
We live in interesting times, I guess, is the thing we can say there.
Yeah, and just for listeners who don't know, I have mentioned this before on the show,
but Stock to Flow is this ratio of the existing supply versus the new supply.
So, for instance, with Bitcoin, you know, it's relatively small,
but actually it's still greater than the ratio for gold.
But after the next halving, it will actually drop below that of gold.
However, one interesting thing is that somebody took that and applied it to the price of gold over the course of history, and there was not a correlation.
So then they felt that that has proved the stock to flow theory.
So we will see how this bears out.
I'm not sure whether or not that will apply to Bitcoin.
But David, what about you?
Where do you think this is all headed?
Well, I'm extremely optimistic about the future.
I mean, all the trends that you mentioned, Laura, seem to indicate that, you know, I mean, if you're afraid to go places in person, you want something you can transact with online.
And, you know, there's a ton of crazy stuff going on with governments, you know, these days.
So it must all be pointing in a very positive direction, but we're not seeing it right now that dramatically because,
you know, as was said, people weren't really spending that much.
So I think it's, yeah, this bodes extremely well for the whole space,
Bitcoin, especially.
And, yeah, so this is, I mean, it's a, you know, it's sad to have to,
I mean, I'd rather not think that something that I care about, like Bitcoin is,
is going to benefit from, you know, all these bad things that are happening to the planet.
But in fact, yeah, I think it seems that it will really, yeah, it's all should be very positive for it.
But yeah, I'm also, I'm rooting for the planet, too.
Yes.
I think we all are.
And for humanity so we can all go out and hang out.
Yeah.
Yeah.
Yeah.
So we can get ethereal next time.
Yeah.
Okay.
Well, this has been so fun chatting.
and I really enjoyed learning about your early work in digital currencies pre-Bitcoin.
That was very fun.
Where can people learn more about each of you and your work?
Well, I would like to suggest people also could look at the XX network.
You know, we're live in beta, and we've got a lot of good stuff running,
and look at the white papers.
It's really solid stuff.
I'm extremely, it's best stuff out there by far.
I think I'm very extremely enthusiastic about it, and we've got a lot of good backing.
So please, yeah, have a look at that.
But if you wonder about the historical stuff, look at chaum.com
and look at the eCash museum and the different other things,
multi-party computation we didn't get a chance to talk about.
That's another interesting vector on all this,
like kind of generalizing the smart contracts
and the ICR and the history of it.
If you're interested in all that, it's all up there.
And I guess one aspect that I would like to also draw your attention to
is, you know, this kind of cryptographic technology can also be used in elections and voting
and online voting and so on. And that is very much related to, you know, to payments and
messaging. And I think this is an area where I'd like to see a lot more, I think there's a lot
of potential there. And so I've been pushing, working on that for a long time. And you can read
about some of the stuff up on my site that I've been doing on that. So we're making
great strides in that, actually. There will be some new work coming upwards.
So, yeah, chaum.com and xx network.
xx.network is the URL.
Yeah.
All right.
And Adam?
So I have a personal web page on cypherspace.org, C-Y-P-H-E-R-S-P-A-C-E dot O-R-G, which has, for example, pictures of the T-shirt that you mentioned and various cryptographic libraries and things I've implemented over the years.
And on Twitter, I'm adam3us, and Blockstream, which is the company I co-founded some years ago now,
is blockstream.com.
I think, you know, we were talking about the
Dwork proof of work in Hashcash.
So I think that's been something that's been discussions
about various times.
And so one kind of question I've turned my mind to as well,
you know, is there, you know,
why are people using Hashcash for the proof of work
and not other proofs of work, right?
So, you know, there's the client puzzles
that Juels and Brainard produced,
there's the original proof of work by Dwork and Naor.
Oh, I see.
So the Hashcash mechanism itself is the one that's prevailed.
Yes.
Well, I think there's a specific reason in hindsight.
So at the time I did it, it wasn't used for that purpose.
It was just used for one use stamps.
But the result is that you get a compact proof of work because it's fixed size, whereas
the Dwork and Naor ones were like broken asymmetric
signatures with low key sizes so that you could brute force them and create forgeries,
and things like that.
So there's three variants.
Two of the variants have progress.
So you need like a Poisson process for fairness, like a level playing field in crypto mining.
The third one, which is based on in Dwork and Naor is based on square roots in large prime
fields.
And there's an algorithm in that called Tonelli-Shanks, which has some randomness.
but it's not clear if that's sufficient to have a level playing field
because there may be other slightly less optimal square root algorithms
that the single last fastest computer can tend to win,
and that will be a problem again.
And then the other side effect is that those systems have,
they're not as easy to scale in terms of the difficulty.
So with Hashcash,
the stamp was, you know, compute a million tries.
So, you know, 20,
binary digits of zero at the front, but these days it's enormous, right? It's 70, 80 leading zeros.
And so if you scale some of those broken signature-based schemes, you end up having to
increase the prime size or the Fiat-Shamir transform size, and you get an enormous proof.
So the proof of work might itself be bigger than the block of transactions you're trying to
prove about, plus the fact that they're not Poisson is like a stumbling block, if you sort of
So anyway, this is sort of like in hindsight.
So it's like a curiosity, right?
So, well, you know, given that there were these parallel different variants,
and the other one by Juels and Brainard is actually interactive.
So it's not, you know, it's proof with respect to a server.
So that's not amenable to, you know, independent verification, let's say, to the audit function.
So anyway.
I'm really glad we had a chance to speak about it.
Thanks.
That's so interesting.
Yeah.
So now I'm glad to hear that the proportion that you took is really, really, it turns out to be the superior one.
And congratulations on that.
That's excellent.
I'm going to mention that going forward.
I was unclear.
I was looking forward to this chance that, you know, we've met before, but I wanted to ask you about this because I thought it was going to come out.
Yeah.
I mean, it's, I think it's also, you know, very simple.
So simple things win.
So when I was designing it, I was thinking about, you know, should I,
introduce floating point to make it harder to make an ASIC.
You know, so already I was thinking about spammers are very determined.
Economically, they'll make ASICs.
So should I make it complicated?
Should I involve memory?
I loved that time.
I was like, you know what?
I think simple is better.
So if I kept it to, you know, a standard SHA-1 function at the time,
so you'd be able to verify it even with a shell script using a SHA-1 function, right?
So anyway, simple wins, and it happened to have the Poisson function,
which I was actually determinedly trying to eradicate
because it was a nuisance for spam purposes,
but tend to be an advantage for distributed fairness
or something like that.
All right.
Well, you know, I'm not going to even try to pretend
to translate all that for my listeners,
but hopefully the more technical ones will have understood.
And at least now we have an understanding
of why your proof of work was perhaps more widely used
than the original version.
Okay.
this has been so fun chatting with you both. Thank you both so much for coming on Unchained.
Thank you, Laura. This was great. I really enjoyed it. Thank you again.
Thanks so much for joining us today. To learn more about the history of digital currency and David and Adam,
as well as their various inventions, check out the show notes for this episode. Don't forget,
you can now watch video recordings of the shows on the Unchained YouTube channel. Go to
YouTube.com slash C slash Unchained podcast and subscribe today. Unchained is produced by me,
Laura Shin with help from Anthony Youne, Daniel Nuss, and the team at CLK transcription.
Thanks for listening.
