Computer science graduate Wei Dai arguably laid the groundwork for cryptocurrencies all the way back in 1998. His outline of the working of b-money, an electronic currency, was posted on an internet mailing list in November of that year and, as Dai told IEEE Spectrum in 2012, it aimed “to enable online economies that are purely voluntary, ones that couldn’t be taxed or regulated through the threat of force.” What’s more, although the system he proposed had certain deficiencies that made it unworkable in practice, it did suggest transactions being verified by a proof of work. This was one of the concepts later used by Satoshi Nakamoto to create Bitcoin, and Nakamoto himself would acknowledge his cryptocurrency’s debt to b-money in a 2008 email to Dai.
PipeNet 1.1 and b-money
- To: firstname.lastname@example.org
- Subject: PipeNet 1.1 and b-money
- From: Wei Dai <email@example.com>
- Date: Thu, 26 Nov 1998 15:33:49 -0800
- Cc: firstname.lastname@example.org
- Sender: owner-cypherpunks@Algebra.COM
I’ve discovered some attacks against the original PipeNet design. The new
protocol, PipeNet 1.1, should fix the weaknesses. PipeNet 1.1 uses layered
sequence numbers and MACs. This prevents a collusion between a receiver
and a subset of switches from tracing the caller by modifying or swaping
packets and then watching for garbage.
A description of PipeNet 1.1 is available at
Also available there is a description of b-money, a new protocol for
monetary exchange and contract enforcement for pseudonyms.
Please direct all follow-up discussion of these protocols to cypherpunks.
Here you can find some software and articles that I’ve written.
- social costs of intelligence:
- Why good memory could be bad for you: game theoretic analysis of a monopolist with memory.
- Why cleverness could be bad for you: a game where the smarter players lose.
- other miscellaneous ideas:
- MobiusLinks, a free service for people to host and manage their link collections
If you wish to encrypt your email to me, you can download my PGP public key here.
Below are 3 emails 2008-2009 between cryptographers Wei Dai & Satoshi Nakamoto; they were quoted in the Sunday Times’s 2 March 2014 article
Desperately seeking Satoshi; From nowhere, bitcoin is now worth billions. Where did it come from? Andrew Smithset off to find Satoshi Nakamoto, the mysterious genius behind the hit e-currency:
…Szabo, an American computer scientist who has also served as law professor at George Washington University, developed a system forbit goldbetween 1998 and 2005, which has been seen as a precursor to Bitcoin. Is he saying that Szabo is Satoshi?No, I’m pretty sure it’s not him.you, then?No. When I said just Nick and me, I meant before SatoshiSo where could this person have come from?Well, when I came up with b-money I was still in college, or just recently graduated, and Nick was at a similar age when he came up with bit gold, so I think Satoshi could be someone like that.Someone young, with the energy for that kind of commitment?yeah, someone with energy and time, and that isn’t obligated to publish papers under their real name.
…I go back to Szabo’s pal, Wei Dai.Wei, I say,the other night you said you were sure Nick Szabo wasn’t Satoshi. What made you sure?Two reasons, he replies.One: in Satoshi’s early emails to me he was apparently unaware of Nick Szabo’s ideas and talks about how bitcoin expands on your ideas into a complete working system and it achieves nearly all the goals you set out to solve in your b-money paper. I can’t see why, if Nick was Satoshi, he would say things like that to me in private. And, two: Nick isn’t known for being a C++ programmer.
Perversely, a point in Szabo’s favour. But Wei forwards me the relevant emails, and it’s true: Satoshi had been ignorant of Szabo’s bit-gold plan until Wei mentioned it. Furthermore, a trawl through Szabo’s work finds him blogging and fielding questions about bit gold on his Unenumerated blog on December 27, 2008, while Satoshi was preparing bitcoin to meet the world a week later. Why? Because Szabo didn’t know about bitcoin: almost no one outside the Cryptography Mailing List did, and I can find no evidence of him ever having been there. Indeed, by 2011, the bit-gold inventor is blogging in defence of bitcoin, pointing out several improvements on the system he devised.
The full emails are being provided publicly by Wei Dai to support his judgment that Satoshi is not Nick Szabo:
…the more important reason for me thinking Nick isn’t Satoshi is the parts of Satoshi’s emails to me that are quoted in the Sunday Times. Nick considers his ideas to be at least an independent invention from b-money so why would Satoshi sayexpands on your ideas into a complete working systemto me, and cite b-money but not Bit Gold in his paper, if Satoshi was Nick? An additional reason that I haven’t mentioned previously is that Satoshi’s writings just don’t read like Nick’s to me.
From: "Satoshi Nakamoto" <email@example.com> Sent: Friday, August 22, 2008 4:38 PM To: "Wei Dai" <firstname.lastname@example.org> Cc: "Satoshi Nakamoto" <email@example.com> Subject: Citation of your b-money page I was very interested to read your b-money page. I'm getting ready to release a paper that expands on your ideas into a complete working system. Adam Back (hashcash.org) noticed the similarities and pointed me to your site. I need to find out the year of publication of your b-money page for the citation in my paper. It'll look like:  W. Dai, "b-money," http://www.weidai.com/bmoney.txt, (2006?). You can download a pre-release draft at http://www.upload.ae/file/6157/ecash-pdf.html Feel free to forward it to anyone else you think would be interested. Title: Electronic Cash Without a Trusted Third Party Abstract: A purely peer-to-peer version of electronic cash would allow online payments to be sent directly from one party to another without the burdens of going through a financial institution. Digital signatures offer part of the solution, but the main benefits are lost if a trusted party is still required to prevent double-spending. We propose a solution to the double-spending problem using a peer-to-peer network. The network timestamps transactions by hashing them into an ongoing chain of hash-based proof-of-work, forming a record that cannot be changed without redoing the proof-of-work. The longest chain not only serves as proof of the sequence of events witnessed, but proof that it came from the largest pool of CPU power. As long as honest nodes control the most CPU power on the network, they can generate the longest chain and outpace any attackers. The network itself requires minimal structure. Messages are broadcasted on a best effort basis, and nodes can leave and rejoin the network at will, accepting the longest proof-of-work chain as proof of what happened while they were gone. Satoshi
The title does not mention Bitcoin, and the abstract is not identical to the final one, which is slightly better written (eg no
broadcasted typo); a word-level diff of the abstracts using Mergeley.com:
The bit about Adam Back has been mentioned before; on 18 April 2013, Adam Back posted to the BitcoinTalk forums a self-introduction mentioning that
…So anyway I know a few things about ecash, privacy tech, crypto, distributed systems (my comp sci PhD is in distributed systems) and I guess I was one of the moderately early people to read about and try to comprehend the p2p crypto cleverness that is bitcoin. In fact I believe it was me who got Wei Dai’s b-money reference added to Satoshi’s bitcoin paper when he emailed me about hashcash back in 2008. If like Hal Finney I’d actually tried to run the miner back then, I may too be sitting on some genesis/bootstrap era coins. Alas I own not a single bitcoin which is kind of ironic as the actual bitcoin mining is basically my hashcash invention…
pre-release draft link is now broken. I have tried to refind it:
- the original fly-by-night filehosting site disappeared years ago, and does not appear to have been renamed or moved
- the filehosting download page & PDF are unavailable in the Internet Archive
- the earliest version of the whitepaper on Bitcoin.org in the Internet Archive is a later draft, using the name
Bitcoin(unsurprisingly); looking at the full list of mirrored files for that domain, there don’t appear to be any other PDFs in the snapshots which might be an earlier draft
- Google searches for queries like
ecash-pdfand variants (sometimes adding in
Satoshi Nakamotosince he was using that nick at the time even if he had not settled on
Bitcoinas a name) have turned up no mirrors or people discussing that version of the whitepaper who might have copies
- a more targeted search on BitcoinTalk did not turn up any copies
- the whitepaper was never checked into the original Subversion repository set up after the alpha code was released, so no revision history there either
- I asked them and learned that early correspondents Wei Dai, Adam Back, and Gregory Maxwell do not have copies. (I also asked Hal Finney but did not expect a reply given his condition & did not receive one before he passed away 28 August 2014.)
If anyone has a copy of it or a tip as to where it might be or who might have it stashed away, please contact me. It would likely shed some further insight on the development of Bitcoin and how Satoshi had his key insight of proof-of-work.
A request on the original
cryptography mailing list yielded a SHA-256 hash of a draft paper earlier than the current
bitcoin.org-hosted version, which then turned up a matching
bitcoin.pdf (rehosted locally). Is this the earliest draft of the paper, the one Satoshi sent to Wei Dai? No:
- Satoshi’s initial email to Dai is dated
August 22, 2008; the metadata for this PDF (
pdftk bitcoin.pdf dump_data) yields as the
20081003134958-07'00'– without getting into the gory details of PDF metadata formatting, this implies 3 October 2008 or a bit over a month later, which is consistent with the local date mentioned in the cryptography ML email. (This is however an earlier draft than the final draft on
bitcoin.org, which is dated
20090324113315-06'00'or 24 March 2009; interestingly, the timezone differs: -7 vs -6.)
- Satoshi says in the Dai email that the URL is
...ecash-pdf.html, which is an auto-link generated by the filehost, suggesting the filename was
- Satoshi says also that the title is
Electronic Cash Without a Trusted Third Party, but in this October 2008 version, the title has already changed to
Bitcoin: A Peer-to-Peer Electronic Cash System
- Satoshi’s pretext is getting the right citation for Dai’s B-money, and he implies there is either no citation to Dai currently (consistent with Adam Back’s claim to have noticed the absence and told Satoshi) or it would be to
2006?(his quoted example citation); however, this file has the full correct citation
1 W. Dai, b-money, http://www.weidai.com/bmoney.txt, 1998.– dated to 1998 (as Dai tells Satoshi), not 2006 (as was Satoshi’s best guess).
Hi Satoshi. b-money was announced on the cypherpunks mailing list in 1998. Here's the archived post: http://cypherpunks.venona.com/date/1998/11/msg00941.html There are some discussions of it at http://cypherpunks.venona.com/date/1998/12/msg00194.html. Thanks for letting me know about your paper. I'll take a look at it and let you know if I have any comments or questions.
From: Satoshi Nakamoto Sent: Saturday, January 10, 2009 11:17 AM To: firstname.lastname@example.org Subject: Re: Citation of your b-money page I wanted to let you know, I just released the full implementation of the paper I sent you a few months ago, Bitcoin v0.1. Details, download and screenshots are at www.bitcoin.org I think it achieves nearly all the goals you set out to solve in your b-money paper. The system is entirely decentralized, without any server or trusted parties. The network infrastructure can support a full range of escrow transactions and contracts, but for now the focus is on the basics of money and transactions. There was a discussion of the design on the Cryptography mailing list. Hal Finney gave a good high-level overview: | One thing I might mention is that in many ways bitcoin is two independent | ideas: a way of solving the kinds of problems James lists here, of | creating a globally consistent but decentralized database; and then using | it for a system similar to Wei Dai's b-money (which is referenced in the | paper) but transaction/coin based rather than account based. Solving the | global, massively decentralized database problem is arguably the harder | part, as James emphasizes. The use of proof-of-work as a tool for this | purpose is a novel idea well worth further review IMO. Satoshi