The Origins of Bitcoin

Decentralized Models Before Nakamoto

The History of Bitcoin's Creation

  • Distributed Consensus
  • Document Timestamping
  • Proof of Work and Hashcash
  • B-money: the decentralized stablecoin
  • Bit gold: digital gold before Bitcoin
  • RPOW: Reusable Proofs of Work
  • Ripple: The Decentralization of Credit
  • Bitcoin, the culmination of a quest
Bitcoin represents a decentralized model of digital currency. In doing so, it avoids the need for a trusted third party, which would constitute a single point of failure in the system. As shown by the examples of eCash, digital gold currencies, and Liberty Reserve, the centralization of a system intending to be an alternative to the existing system inevitably leads to its closure. Bitcoin, however, was not the first concept of decentralized currency to have been proposed. Since the late 1990s, such models have been described by the cypherpunks, who were obsessed with the freedom and privacy of individuals on the Internet and believed (like David Chaum) that monitoring systems led to a dystopian future. They called for "writing code" and considered "electronic money" as an essential element to their ideal. (original: "Cypherpunks write code. (...) We are defending our privacy with cryptography, with anonymous mail forwarding systems, with digital signatures, and with electronic money.")
In this chapter, we will study the emergence of various foundational technical elements later used in Bitcoin: distributed consensus, timestamping, and proof of work. Then, we will talk about b-money, bit gold, and RPOW, respectively designed by cypherpunks Wei Dai, Nick Szabo, and Hal Finney. Finally, we will discuss the case of Ripple, whose model is slightly different, but which has its place in the history of Bitcoin's creation.

Distributed Consensus

With the emergence of computers in the 1950s, the possibility of connecting them appeared. This is how the first computer networks were formed, leading to the development of the Internet, the "network of networks," in the 1970s. The question of the infrastructure of these networks inevitably arose. That's why the Polish-American computer scientist Paul Baran, in his foundational 1964 article (describing packet switching), listed three types of networks: the centralized network, relying on a single node; the distributed network, where each point is a node; the decentralized (non-distributed) network, relying on a distributed network of multiple nodes.
Two pure models can be derived from these considerations: the client-server model, where a central server responds to clients' requests, and the peer-to-peer model, where each node has the same role in the system. This latter model was particularly useful for file sharing in the 2000s, with the creation of BitTorrent and other similar protocols. The Tor network is decentralized, not purely peer-to-peer. A problem encountered in distributed architectures is the issue of distributed consensus, commonly referred to as the Byzantine Generals Problem, which was formalized by Leslie Lamport, Robert Shostak, and Marshall Pease in a paper published in 1982. This problem addresses the challenge of transmission reliability and the integrity of participants in peer-to-peer systems, and it applies in cases where the components of a computer system need to agree.
The problem is stated as a metaphor involving generals of the Byzantine Empire's army who are besieging an enemy city with their troops, intend to attack, and can only communicate via messengers. The goal is to find a strategy (i.e., an algorithm) that can manage the presence of traitors and ensure that all loyal generals agree on a battle plan so that the attack is successful. Here is an illustration (source: L'Élégance de Bitcoin):
Solving this problem is important for distributed systems that manage a unit of account. Such systems require that participants agree on the ownership of account units, that is, who owns what.
Before Bitcoin, the problem was solved in an absolute way by so-called “classical” algorithms that required the nodes to be known in advance and two-thirds of them to be honest. The best known of these is probably the PBFT consensus algorithm (acronym for Practical Byzantine Fault Tolerance), which was developed by Miguel Castro and Barbara Liskov in 1999 and which allowed a given number of participants to agree by handling thousands of requests per second with a latency of less than one millisecond.
With the Bitcoin consensus algorithm, Satoshi Nakamoto solved it probabilistically, allowing for the removal of certain constraints by sacrificing the strict finality of transactions. On November 13, 2008, he wrote that "the proof-of-work chain is a solution to the Byzantine Generals' Problem."

Document Timestamping

Timestamping is a technique that involves associating a date and time with information such as an event or a document. From a legal perspective, this can, for example, ensure the existence of a contract before a given date. In the real world, there are numerous ways to timestamp something, such as sending a document in a sealed envelope or recording a timeline in a notebook. However, timestamping is particularly useful in the digital world, where files (text, image, audio, or video) are easily modifiable. Timestamping can be performed by centralized services, which are responsible for saving received documents (or their fingerprints) and associating them with the date and time of receipt. This is referred to as trusted timestamping.
In 1991, a confidential and secure timestamping technique was proposed by Stuart Haber and Scott Stornetta, two researchers working for Bell Communications Research Inc. (commonly called "Bellcore"), an R&D consortium located in New Jersey. In their paper, titled "How to time-stamp a digital document", they described how a certified timestamping service could use a one-way function (such as the MD4 hash function) and a signature algorithm to increase the confidentiality of client documents and the reliability of the certification. In particular, the idea was to chain the information by involving the previous timestamp in applying the one-way function.
Example of certified timestamping (source: Wikipedia)
Haber and Stornetta implemented their idea by publishing cryptographic fingerprints (resulting from hashing the useful data) in the classified ads of the New York Times in 1992. They then founded their own company, Surety Technologies, in 1994 to fully dedicate themselves to this activity. They are thus known for creating the first timestamp chain, with the previous fingerprint being taken into account in the calculation of the new fingerprint to be published in the newspaper, which foreshadowed the Bitcoin blockchain. Three papers by Haber and Stornetta were cited by Satoshi Nakamoto in the Bitcoin white paper: the previously mentioned 1991 paper, a paper from 1993 that improved upon the protocols proposed in the earlier one, notably through the use of Merkle trees, and a paper from 1997 that presented a way to name files using one-way functions universally. Also cited was a paper describing a new timestamping system written in 1999 by Henri Massias, Xavier Serret-Avila, and Jean-Jacques Quisquater, three men working for the cryptography research group at the Catholic University of Louvain, in Belgium.
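The chaining idea described in this section, as an added example that is not taken from Haber and Stornetta's papers or from the course: each record's hash covers the previous record's hash, and the latest hash is published where it cannot be changed afterwards. SHA-256 replaces the MD4 mentioned above, the service's signature on each record is left out, and the record layout and function names are assumptions made for illustration.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

GENESIS = "0" * 64  # placeholder "previous hash" for the first record


@dataclass(frozen=True)
class Link:
    seq: int
    time: str       # time of receipt recorded by the service
    doc_hash: str   # the client submits only a hash, so the document stays private
    prev: str       # link hash of the preceding record
    link_hash: str  # hash over this record's fields, including `prev`


def h(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def link_digest(seq: int, time: str, doc_hash: str, prev: str) -> str:
    return h(f"{seq}|{time}|{doc_hash}|{prev}".encode())


def stamp(chain: list, document: bytes, time: str) -> Link:
    """Append a record whose hash commits to the previous record."""
    prev = chain[-1].link_hash if chain else GENESIS
    seq, doc_hash = len(chain), h(document)
    link = Link(seq, time, doc_hash, prev, link_digest(seq, time, doc_hash, prev))
    chain.append(link)
    return link


def first_broken(chain: list) -> Optional[int]:
    """Index of the first record that fails re-computation, or None."""
    prev = GENESIS
    for i, link in enumerate(chain):
        expected = link_digest(link.seq, link.time, link.doc_hash, prev)
        if link.seq != i or link.prev != prev or link.link_hash != expected:
            return i
        prev = link.link_hash
    return None


def proves(chain: list, document: bytes, published_head: str) -> bool:
    """True if the chain is intact, ends in the published hash, and holds the document."""
    if not chain or first_broken(chain) is not None:
        return False
    if chain[-1].link_hash != published_head:
        return False
    return any(link.doc_hash == h(document) for link in chain)


if __name__ == "__main__":
    # Constructed sample documents and times.
    chain = []
    stamp(chain, b"contract v1", "1992-03-01T09:00")
    stamp(chain, b"lab notebook p.12", "1992-03-02T14:10")
    stamp(chain, b"will", "1992-03-03T17:30")
    published = chain[-1].link_hash  # the value that would go in the newspaper
    print(proves(chain, b"lab notebook p.12", published))
    old = chain[1]  # backdate one record without redoing the later hashes
    chain[1] = Link(old.seq, "1991-01-01T00:00", old.doc_hash, old.prev, old.link_hash)
    print(first_broken(chain))
```

A service that backdates a record and recomputes every later hash produces a chain that is internally consistent, so only the comparison with the published hash exposes it.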

Proof of Work and Hashcash

Proof of work is a process that allows a computer device to demonstrate objectively and quantifiably that it has expended energy to be selected for access to a service or privilege. It is a mechanism to resist Sybil attacks, which makes it difficult for an attacker to multiply identities excessively to disrupt or take control of any reputation system.
The proof of work concept was first described in 1992 by computer scientists Cynthia Dwork and Moni Naor, who worked at the IBM Almaden research center, located south of San Jose in California. In a research paper titled "Pricing via Processing or Combatting Junk Mail", they presented a method to combat spam in email inboxes. The model consisted of forcing users to solve a cryptographic puzzle for each email sent, to limit the ability to send mass emails while allowing occasional senders not to be hindered. However, they never went as far as to implement their idea. With the popularization of the Internet in the 1990s, the problem of unwanted email became increasingly pressing, including on the mailing list of the cypherpunks. This is why the concept by Dwork and Naor was implemented by the young British cypherpunk Adam Back in 1997 with Hashcash, an algorithm producing simple proofs of work using a hash function. More specifically, it involves finding a partial collision of the considered hash function, that is, obtaining two messages whose hashes start with the same bits (note: from version 1.0 released in 2002, it involves finding a partial collision with the all-zero hash, namely finding a pre-image whose hash starts with a determined number of binary zeros). Since the hash function is one-way, such a result can only be obtained by testing the different possibilities one by one, which requires an energy expenditure.
Adam Back in 2001 (source: archive of Adam Back's personal page)
However, the cypherpunks did not limit themselves to considering proof of work as a simple means of limiting spam; they also wanted to use it to guarantee the cost of producing a digital currency. Thus, in 1997, Adam Back envisaged this idea himself, but he was aware that the proofs of work thus obtained could not be transferred in a fully distributed manner (because of the double-spending problem) and that it was thus necessary to go through a centralized system like eCash. Similarly, in 1996, cryptographers Ronald Rivest and Adi Shamir described MicroMint, a centralized micropayment system whose coins were supposed to be impossible to counterfeit thanks to the production of proofs of work.
A suitable arrangement had to be found that would enable such a model to function robustly and sustainably. The cypherpunks Wei Dai, Nick Szabo, and Hal Finney attempted to develop this concept through their protocols, including b-money, bit gold, and RPOW, which we will examine next. Satoshi Nakamoto achieved this by incorporating Hashcash into his Bitcoin design.

b-money: the decentralized stablecoin

The first protocol to emerge from the cypherpunk movement was b-money, a decentralized digital currency model conceptualized by Wei Dai in 1998. He was a young Chinese-American cryptographer living in Seattle and working for Microsoft, who got involved in the mailing list starting in 1994. He notably made a name for himself by creating the open-source Crypto++ library, which was later used in Bitcoin software.
Wei Dai published the descriptive text of b-money on his personal page on November 26, 1998, and shared the link to the cypherpunk mailing list the same day. In his email, he described b-money as "a new protocol for monetary exchange and contract enforcement for pseudonyms."
In his concept, the system was based on an untraceable peer-to-peer network. Each participant was identified by a "digital pseudonym," a public key. Each transaction message was signed by the sender and encrypted for the recipient. Each participant maintained a database that listed the amounts of b-money units held by each pseudonym.
Currency creation was open to all participants through proof of work, broadcasting the solution to a known and previously unsolved computational problem. The number of units created depended on the cost of this effort expressed relative to a standard basket of goods (including, for example, precious metals) to maintain the unit's value around a "stable" equilibrium point. The system also offered the possibility to create and execute contracts directly on the network, thanks to a rudimentary escrow process.
Although quite ingenious, Wei Dai's concept of b-money was not entirely functional. It thus had major flaws, such as vulnerability to Sybil attacks on the network (anyone could theoretically add new nodes to the network), network centralization in the case where servers would be pre-selected, and the issue related to the stabilization of the unit of account (who decrees the observable prices on the market?). After its publication on the list, b-money caught the attention of the cypherpunks, and in particular that of Adam Back. However, Wei Dai never implemented his model, not only because it was dysfunctional, but also due to the disillusionment of the cryptographer towards crypto-anarchy. Nevertheless, b-money was cited in the Bitcoin white paper, making it one of its precursors.

bit gold: digital gold before Bitcoin

The second model to emerge from the ideas of the cypherpunks was the concept of bit gold imagined by Nick Szabo in 1998. The latter was an American computer scientist of Hungarian origin, who had notably worked as a consultant for DigiCash for six months. A Cypherpunk, he is known for having formalized the notion of a smart contract in 1995.
In 1994, Nick Szabo created a private mailing list called libtech-l. As its name suggests, it aimed to host discussions on liberatory techniques, allowing the protection of individual freedoms against the assaults of authorities. Cypherpunks like Wei Dai and Hal Finney had access, as did economists Larry White and George Selgin, proponents of Hayekian currency competition and free banking.
Nick Szabo in 1997 (source: Adrien Chen)
Nick Szabo initially described his concept on the libtech-l list before hosting a draft of a white paper on his personal website in 1999. He then presented bit gold in 2005 in an article published on his blog, Unenumerated.
The protocol was supposed to manage the creation and exchange of a virtual resource, bit gold. Unlike e-gold, which was guaranteed by physical gold, or b-money, which was theoretically indexed to a basket of goods, bit gold was not to be backed by any other asset but possessed an intrinsic, unforgeable scarcity, thus constituting an entirely digital gold. The central element of the protocol was that money creation was done through proof of work: bits of bit gold were created using the computing power of computers, and each solution was calculated from another, leading to the formation of a chain of work proofs. The date and time of production of these work proofs were certified using multiple timestamp servers. The system relied on a public registry of property titles, referencing the possessions and exchanges of users, who were identified by their public keys and authorized transactions using their private keys. The registry was verified and maintained by a network of servers called the "property club," coordinated by a classic consensus algorithm called Byzantine Quorum System.
Bit gold's resemblance to Bitcoin is striking. The three constituent elements of the system (the production of work proofs, their timestamping, and the management of the property registry), which were separate in bit gold, are found in Bitcoin as a single concept: the blockchain. This is why many have seen it as a draft of Bitcoin and speculated that Nick Szabo could be Satoshi.
However, the visions of the two men diverged. In bit gold, the way the pieces of digital gold were produced meant that they were not fungible, meaning they could not be mixed with each other: they therefore had to be valued on a market external to the system to serve as the basis for a real homogeneous unit of account. The bit gold model was thus conceived as a settlement system allowing the management of a rare reserve currency, and above which a free banking economy would be built, if possible using the Chaumian model. Thus, in April 2008, in a comment on his blog, Nick Szabo was still asking for help to implement his concept. However, this implementation never took place.

RPOW: Reusable Proofs of Work

The third system to emerge from the minds of the cypherpunks is the RPOW system, an abbreviation for Reusable Proofs of Work, developed by Hal Finney in 2004. Hal Finney was an American computer scientist and cryptographer living in Los Angeles. A cypherpunk from the early days, he was passionate about David Chaum's ideas and his famous eCash model. He had been working since 1996 on developing the PGP encryption software with Phil Zimmermann.
To design his RPOW system, Hal Finney took up the ideas behind eCash and bit gold. The uniqueness of his system was that it was based on a transparent server that allowed the transfer of work proofs produced by Hashcash. This server used the IBM 4758 Secure Cryptographic Coprocessor, a high-security tamper-resistant element, which made it possible, through an authentication process designed by IBM, to verify which programs were running on the machine. An external user could thus ensure that the RPOW server was running the correct program, with publicly available code.
The server managed the reusable proof-of-work tokens and was responsible for signing them with RSA. They were created by producing a proof of work via Hashcash or from a previous RPOW token. During a payment, the sender gave their RPOW tokens to the recipient, who promptly communicated with the server to receive one or more new tokens, whose total value was equal to the input value. The operation of RPOWs was thus similar to that of digital tickets in eCash.
Here is an illustration designed by Hal Finney himself:
Hal Finney not only designed the model but also personally implemented it. On August 15, 2004, he announced the launch of the RPOW system on the cypherpunks mailing list, in addition to documenting its operation on the dedicated website (rpow.net). He then presented it at the CodeCon 2005 conference held in San Francisco, where he discussed the potential uses for proof-of-work tokens, namely: value transfer, spam regulation, commerce in video games, online gambling like poker, and anti-leeching on file-sharing protocols like BitTorrent. However, RPOW had intrinsic flaws that may explain why it did not achieve the expected success:
  • Its security model was rather weak, as it relied on a centralized server;
  • Its monetary policy (based on hashing) was not particularly attractive due to the exponential increase in computing performance.
Thus, the actual use of RPOW was anecdotal. Still, Hal Finney deserves credit for "paving the way" (original: "carried this torch") to Bitcoin by setting up an experimental proof of concept four years before Satoshi Nakamoto's arrival.

Ripple: The Decentralization of Credit

Another lesser-known predecessor model of Bitcoin, but significant here, is the distributed credit protocol Ripple, designed by Canadian developer Ryan Fugger in 2004. The young Canadian was inspired by the concept of the local exchange trading system (LETS), something he had experienced in Vancouver before designing his protocol. He published the Ripple white paper on April 14, 2004. Then he implemented it through a proof of concept called RipplePay, which operated on a central server and allowed users to connect with just an email address.
Ryan Fugger circa 2010 (source: Crunchbase)
The concept of Ripple was based on the idea that money was essentially made up of IOUs, that is, credit. It was about establishing a peer-to-peer network whose links would be credit relationships between people. Payments were then made by routing a series of loans, with all participants acting as bankers lending money to each other. Alice could pay David $10 by lending $10 to Bob and asking Bob to do the same to Carole. Carole did the same to David: David's account was credited $10 from Alice's money creation. The system worked somewhat by ripples, which explains the project's name.
Here is an introductory video of Ripple made in 2011:
Despite the enthusiasm of its community and a few thousand users, Ripple had major flaws that prevented it from being successful. In particular, it suffered from the "problem of decentralized commitment" (original: "the problem of the decentralized commit"): during a payment, participants could not commit in a secure way to ensure the loan chain. Lightning would later solve this problem.
Seeing that his project was going nowhere, Ryan Fugger handed over the reins of Ripple to the leaders of the company OpenCoin Inc., Chris Larsen and Jed McCaleb, in November 2012. The company was renamed Ripple Labs in 2013. They made it into a protocol significantly different from the initial concept, based on a consensus algorithm and a native unit of account, the XRP. Ryan Fugger eventually changed the name of his proof of concept to Rumplepay in 2020 to avoid confusion.
Ripple was contemporary with Bitcoin, and many people interested in the latter were also interested in the former. Indeed, Ripple constituted an innovative model, based on a distributed architecture, a characteristic shared with Bitcoin. On this subject, Satoshi Nakamoto wrote that "Ripple is unique in that it spreads trust rather than concentrating it."

Bitcoin, the culmination of a quest

Thus, by the end of the 2000s, all the constituent elements of Bitcoin were known, and several attempts had been made to combine them. However, the proposed assemblies were not convincing. The cypherpunks, in particular, gradually lost interest in this issue, believing that the design of a truly decentralized digital currency was impossible. Satoshi Nakamoto proved them wrong.
Bitcoin indeed constitutes an ingenious assembly of all these concepts. It is based on digital signatures, stemming from the asymmetric cryptography proposed by Diffie and Hellman in 1976. It is "electronic cash" as intended by David Chaum's eCash model implemented in the 90s. Its innovative consensus algorithm robustly solves the Byzantine Generals' Problem, stated by Lamport, Shostak, and Pease in 1982. With the management of its blockchain on a peer-to-peer network, it is a form of "distributed timestamp server," revisiting the concept by Haber and Stornetta from 1991. For selecting transaction blocks and producing units, it uses proof of work, a process similar to Hashcash, proposed by Adam Back in 1997. Finally, in its design, it recalls the projects of b-money, bit gold, RPOW, and Ripple, to which Satoshi Nakamoto paid tribute, in one way or another.
Bitcoin thus forms the culmination of a quest for cybercurrency, a currency existing entirely on the Internet and not at the mercy of states. In the rest of this course, we will recount how it came to life and what were the significant events of its early years. This story is unique and will surely interest you if you have come this far. Be ready!