Is a DIY Mint Possible: Money Creation in a Purely Informational World

This proposal for a radically decentralized informational cryptocurrency was first presented at the COSM Conference ( in Bellevue, Washington on October 23, 2019.

Back when money was gold coin, an economically sound DIY mint was possible. By a DIY mint, I mean a do-it-yourself mint where the individual, acting purely as an individual, could create money from scratch without any insult to the economy. Thus an individual could mine for gold, purify it to the government’s standards, and then, with a suitably engraved coining press, manufacture coins indistinguishable from those of the realm. 

Such coins would be perfectly legitimate except for one small detail, namely, the government, to profit from the making of coins, insisted on minting all coins themselves. Thus the government would charge a premium (or tax) on top of the gold brought to the mint. Such a tax, called seigniorage, ensured that coinage remained a government monopoly. 

Yet except for this small detail, the DIY coins and the government coins would, for all economic purposes, be equivalent. True, to the overly scrupulous, the DIY coins would be “counterfeit.” But precisely because the government mint would otherwise have taken the same gold and turned it into identical physical coins, such a concern is devoid of economic significance (even if it has moral significance). 

In consequence, a DIY mint that uses gold to form coin indistinguishable from government coin is economically legitimate. Not so a DIY mint that uses a printing press to form currency indistinguishable from government paper money. Any such DIY mint is a counterfeiting operation whose economic impact is deleterious. 

Why is a DIY mint legitimate in one case and not the other? With gold, value is intrinsic, embodied in the currency. With paper, value is extrinsic, depending on the trustworthiness and authority of the governing body issuing the currency. Counterfeiting undercuts the latter, but not the former.

With the stage thus set, I want to inquire whether an economically sound DIY mint is possible in a purely informational world. At the same time, I want to see what lessons we can draw from such an inquiry for our own world. In the hybrid world of information and matter that we inhabit, gold has proven monetarily convenient, allowing for an economically legitimate DIY mint of the sort just described. But absent matter, is a DIY mint still possible?

What if gold were merely as an accident of geological history? What if rather than being rare it were abundant? More radically, what if all commodities were abundant and economic value resided in the arrangement of matter rather than in matter as such? More radically still, what if all value henceforth resided in information? What could money look like then? What should money look like then? Would an economically sound DIY mint be possible in such a world? 

I raise the prospect of a DIY mint in a purely informational economy because it takes the decentralization of currency to its logical conclusion. The present state of the art in cryptocurrency depends on peer-to-peer networks that through proof of work or proof of stake reward participants by conferring currency on them. Incremental improvements to aspects of these currencies have occurred over the last decade, such as achieving stronger anonymity of transactions (as with Monero and Zcash). But the root problem of centralization remains. 

Unlike our DIY mint for gold coin, the lone individual cannot simply create money from scratch for such cryptocurrencies. Rather, one must assume membership in a peer-to-peer network or other tech subculture, embracing an entire infrastructure or ecosystem that to varying degrees cedes control of one’s ownership of currency to the collective. Moreover, the creation of such cryptocurrencies is increasingly centralized. For instance, professional mining operations using inordinate amounts of electricity now create most bitcoins and deliver them to fewer and fewer players. 

More disconcertingly, the integrity of these cryptocurrencies increasingly depends on the good intentions (or whim?) of the peer-to-peer network. Ethereum, for instance, in the spring of 2016 experienced a hard fork that divided it into two incommensurable currencies. For a weak analogy, imagine a Brexit where half the currency remains pounds and the other turns to euros. Only with pounds and euros, there is an existing exchange rate. For the two types of ethers, a still third currency (such as the U.S. dollar) is required for commensurability.

If an economically viable DIY mint were possible in a purely informational world, it would allow for full decentralization of money. People could create their own money and trade with it without a centralizing authority required for its continued existence and use. This is not to say that a fully decentralized currency could exist in the absence of all infrastructure, just one that is minimal and depends as little as possible on trusted third parties. Unfortunately, peer-to-peer networks are themselves now assuming the role of trusted third parties, acting much like Rousseau’s general will, benign in theory, but perhaps only a few steps from Jacobin tyranny.  

Let me therefore sketch what a currency residing in a purely informational world is going to need if it is to allow for a DIY mint. I approach this problem as a mathematician trying to discover whether some mathematical object satisfying a list of desiderata exists. Perhaps the list is too much, with no object answering to it. Or perhaps we’re in luck, and the object exists. For the purposes of this paper, let me simply provide a list of desiderata and suggest why they might plausibly be fulfilled in practice.

By a purely informational world, we’ll mean a collection or society of agents (think of the agents not just as persons but also as associations, corporations, and governmental entities) who can act in one of three ways: (1) by creating and modifying information in secure private storage, (2) by transmitting information from private to public storage, and (3) by receiving information from public to private storage. 

In characterizing this purely informational world, we’ll assume (inspired by our experience of the Web) that information can be represented in bits (this is a world of Shannon information), that deterministic and nondeterministic algorithms can manipulate this information (Turing and von Neumann machines therefore exist in this world as well as pseudo and true random numbers), that information can be reliably transmitted using error-correcting codes, and that computation is a scarce resource.

To say that computation is a scarce resource will mean that there are upper limits to the speed of computation (i.e., the rate at which bits can be altered) and to the amount of computation (i.e., the total computational steps possible in the life of this informational world). Note that these limits on computation allow for effective hashing and effective symmetric-key and public-key cryptography. 

In the hybrid world of matter and information that we inhabit, the Planck time of 5.39 × 10^(–44) seconds is the smallest physically meaningful unit of time and sets an upper bound on the speed of computation (accordingly, Moore’s Law must break down at this limit, though in practice it breaks down well before this limit). Moreover, MIT’s Seth Lloyd calculates 10^120 as the total number of computational steps possible in the observed universe, thus setting an upper limit to total computation. For comparison, the currently fastest computer, IBM’s Summit, operates at 200 petaflops, which yields less than 10^25 (or ten trillion trillion) floating point operations over the course of a year. 

One additional assumption will be needed for our purely informational world to allow for a DIY mint, and that’s a clock. For convenience, we can assume that the clock is like our own, keeping track of seconds, minutes, hours, etc. The crucial thing about the clock for our purposes, however, is that it allow for time to be broken into discrete blocks, and that information placed into public storage during any block be faithfully preserved while also ruling out backdating of information to prior blocks. Information within blocks will thus be temporally equivalent, and the blocks themselves will be temporally ordered. 

What’s envisioned here is a public ledger, and something like a block chain will be required to guarantee its integrity. Even so, a full block chain with every item of information hashed in a Merkle tree probably won’t be required. I suspect a “semi-blockchain” will do, where each block, suitably compressed, perhaps gets a single hash, and a global hash then gets applied to the entire sequence of blocks to date. 

The important thing about such a ledger is that it be publicly transparent, that users can download a contemporary version of its completed blocks at any time, and that if the default server that houses the ledger gets compromised, users can reconstruct the ledger from the point where it went awry and restart it elsewhere. How the “default server,” as I’m calling it, is represented in our purely informational world is immaterial (literally and figuratively). It could resemble a cloud server run by a single organization. Or it could be distributed over a peer-to-peer network. As storage needs grow, the ledger might become a family of correlated ledgers, where users can reconstruct the entire family at will.

All this may sound like Bitcoin, but there is a crucial difference. The ledger that I’m envisioning needs simply to provide a reliable record of what has been entered in a given block, each block providing a crude timestamp. The ledger is thus essentially passive, receiving novel information in current blocks, keeping older blocks intact, and doing some automatic bookkeeping. With blockchain-based cryptocurrencies, by contrast, users are actively working with and modifying the blockchain in an effort to generate new currency. This leads to competition among users and incentives that can become misaligned, potentially resulting in hard forks. The ledger I’m envisaging is decentralized because agents are able to mirror it in real time in private storage and reestablish its integrity should it get compromised.

There’s more to be said about this transparent public ledger. Computer scientists will need to work through the details of its construction. It will need to resist spamming and denial of service attacks. There will need to be incentives for its maintenance. Moreover, because blocks inherently limit transactional velocity, any monetary system based on such a ledger will need to be supplemented with a system of credit and clearing that in practice works much more rapidly than block transactions (Bitcoin processes several hundred thousand transactions per day, Visa and Mastercard hundreds of millions). 

With a transparent public ledger in hand, let’s now turn to what ownership, value, money, and a DIY mint might look like in our purely informational world. Let’s start by drawing a crucial distinction between two types of information, namely, dynamic information, or information as a service, and static information, or information as an item. To understand the difference, compare hiring a teacher versus buying a book. The teacher provides information dynamically as a service. Rather than supplying all information at once, the teacher supplies it interactively to suit the needs of the one who hired the teacher. Compare this to a book, in which all the information is delivered at one time as a single static item. Once the item is delivered, it is what it is. 

In our day, well-known suppliers of dynamic information include Netflix, Spotify, and Amazon Kindle. Even though we now readily appreciate the distinction between dynamic and static information, the distinction was underappreciated two decades ago when the first papers about “information economics” began to be written. For instance, in the late 1990s, Bradford De Long and Michael Froomkin wrote articles on information economics attempting to elucidate the difference between conventional material goods and information goods. For them, information goods were static goods (items of information), and they were hard to monetize. Dynamic information, in the meantime, has disrupted the market for static information (witness how music streaming has displaced CDs).

An interesting irony now emerges: even though dynamic information is inherently more complicated than static information, its ownership is more straightforward. Providers of information as a service (dynamic information) can readily claim ownership by distributing it interactively in a controlled stream on condition of receiving adequate compensation for the service. With dynamic information, the owner of information controls a spigot, and users who don’t properly compensate the owner get their spigot turned off.

But what does such compensation look like? One might imagine a barter economy in which information as a service is repaid with information as a service — you teach me to play the piano and I’ll teach you to dance. But ordinarily, we pay for dynamic information with money, which is not a service but a static thing. Accordingly, if money exists in our purely informational world, then we should expect it to be static, an instance of money constituting an item of information. So a prior question needs first to be answered, namely, How does one establish ownership of items of information in a purely informational world? 

Imagine first that our informational world is transparently honest, with no fraud, no misleading data, and no need for cryptography. Ownership of some item of information will thus be indicated by an agent putting that item in public storage and publicly identifying oneself as its creator. Agents who independently create the same item at a later time will, in this world of transparent honesty, willingly cede ownership to the first creator. They will do so because value in this informational world is conceived as intellectual property, and such property is, by convention, reasonably assigned by temporal priority (the analogy with scholarly work being that credit goes to whoever publishes first). Moreover, transfer of property can take the form of a simple performative utterance, in the sense of philosopher J. L. Austin. Thus the owner could simply broadcast, “I herewith give sixty percent of the value of this item to so and so.” The mere utterance makes it so.

Our purely informational world becomes more complicated when populated with dishonest agents. Here we need cryptography. Cryptography does not so much create value as protect value already created. Obviously, this is itself valuable. In a world with dishonesty, we imagine agents having access to effective hashing and public key cryptography. In our scheme, hashing will guarantee data integrity and data origination and public key cryptography will guarantee claims to ownership.

Now for some details. I won’t present a fully articulated protocol, but enough to enable its precise formulation. We imagine an agent A (Alice) creating some item of information V (V for value) in private storage. Alice wants to push V into public storage and claim ownership of it. How can she do that? One approach common in our human world is to use digital data embedding technologies, such as watermarking. Thus V might be watermarked in a way to signify Alice’s identity. A drawback of watermarking, however, is that it ties V permanently to Alice (effective watermarks cannot be eliminated without destroying the essence of V), thereby impeding the transfer of ownership of V to some other agent, which in turn is undesirable for a vibrant economy. Additionally, digital data embedding technologies insert extrinsic information into V, thereby modifying it. 

But what if Alice wants to assert ownership of V exactly as it is? In that case, given our transparent public ledger, she could do the following. First, drawing from public key cryptography, she can set up a public and private key, E and D respectively (E for encrypting, D for decrypting). E is public knowledge, D is known only to Alice. Because D allows Alice to prove that she alone is able to unlock whatever the public key E locks, the public key uniquely identifies Alice in public storage. Indeed, the use of these keys to encrypt and decrypt messages will play virtually no role here, their main use being to identify and ascribe ownership to an agent.

It might therefore seem that Alice need merely upload the ordered pair (E,V) to public storage, pairing E, her unique identifier, with V, the item of information over which she wants to assert ownership. But bad actors might be monitoring Alice’s communication channel, preventing (E,V) from being uploaded, stealing V, and associating V instead with some other public key. 

A less malicious problem arises as well: because the key E is public, meddlesome actors can pair it with V as easily as Alice, potentially showering (or spamming) Alice with unsolicited items of information V. It’s therefore not enough that Alice upload the pair (E,V); she also needs to put her signature on this pair, guaranteeing that the association of E and V in public storage is her doing and not that of some interloper. Alice will therefore append her signature, using her private key D (thus following the standard signature protocol within public key cryptography). 

So really, Alice needs to get into public storage not the ordered pair (E,V) but the ordered triple (E,V,S) where S is Alice’s signature on the pair (E,V), guaranteeing that it was she who associated them for the purposes of claiming ownership of V. Let’s give a name to such orderings that associate informational items of value V with cryptographic markers of ownership, calling them wrappers, or cryptographic wrappers. Wrappers identify and secure items of information.

Even so, the problem of bad actors intercepting and altering anything Alice uploads, whether wrapped properly as an ordered triple or improperly as an ordered pair, remains. To redress this problem, I propose a two-step validation process. Inspiration for this move comes from the use anagrams in the 17th century to assert priority of intellectual work. For instance, Isaac Newton might prove a theorem, form an anagram of the proof, and then make the anagram but not the proof public at time t1. Newton’s rival Leibniz might independently discover the same proof and make it public at subsequent time t2. Newton could then publicly solve the anagram, demonstrating that he knew the proof at time t1, asserting his priority over Leibniz. (In the history of science, this is perhaps more what Newton hoped had happened than what actually happened.)

Although the cryptographic security of anagrams is hardly an exact science, the cryptographic security of hashing is. In place of anagrams, I therefore propose using a hash. Thus, Alice will use the following two-step validation procedure to guarantee her ownership of the item of information V. First, she will upload onto the transparent public ledger a hash H of the wrapper (E,V,S). She will do this while the current block is open. Once the block closes, she can then verify that the block has indeed been validated and that it contains the hash H. We’ll call H an anticipatory hash

Confident that the anticipatory hash H is properly in place on the ledger, she then uploads the wrapper (E,V,S) in a subsequent block, likewise verifying that the block has been validated and contains it. If there is a problem with the latter step, Alice can try again with a subsequent open block. Note that if she is continually stymied in uploading the wrapper onto a validated block, there is probably something wrong with the ledger and it will need to be reconstituted. 

Because, with overwhelming probability, the anticipatory hash H uniquely identifies the wrapper (E,V,S), Alice’s priority in asserting ownership of V is temporally tied to the block in which H was uploaded and validated. Provided no block prior to that one connects V to someone else’s private key, Alice’s claim to own V is secure. We assume the ledger is easily searchable, so clarity on this point won’t be a problem.

How quickly should the wrapper be uploaded after its anticipatory hash appears in a valid block on the public ledger? Newton seemed to take a perverse delight in keeping his scientific results hidden in anagrams, sensing no urgency to make them public. The present attitude to scientific discovery stands in stark contrast, viewing scientific knowledge as an essential good and must therefore be immediately promulgated. Likewise, economics would regard long block lags between an anticipatory hash H and a wrapper (E,V,S) as problematic because economic value can only be realized when the item of information V is made explicit, which the anticipatory hash H does not do. So there may need to be a convention that if the block lag between H and (E,V,S) exceeds a certain number of blocks, then the claim to ownership of V is invalidated. 

What I’ve just described is the creation of ownership in our purely informational world. The transfer of ownership is easier. Let’s say Alice wants to transfer ownership of V to Bob. Bob has a public and private key, respectively E’ and D’. E’ uniquely identifies Bob. Alice therefore forms the pair (E’,V) and signs it with her private key D (let’s denote the signature by SD), uploading the triple (or wrapper) (E’,V,SD) onto the public ledger. Alice can even include another party in the transaction, call her Carol, with public and private keys respectively E’’ and D’’. Thus she might set up an ordered arrangement like ((E’,V,40%),(E’’,V,60%)), and sign it with her private key, forming a nested wrapper that gives 40 percent of the value of V to Bob and 60 percent to Carol. Note that if V is money, this move demonstrates how to make it divisible. Because signatures associated with public key cryptosystems cannot be forged except by discovering the private key, no two-step validation is necessary for transferring ownership. And note that this signature approach allows Bob in turn to sign over his ownership of V to some additional party, and so on. This approach for transferring ownership is thus general.

Sketched just now is a method for establishing ownership of static information in a purely informational world. It can use a name. Let’s call it the DIY protocol. Clearly, it requires elaboration. What if, for instance, Alice and Anna each upload anticipatory hashes in the same block asserting their respective ownership of V (once the corresponding cryptographic wrappers are revealed)? Conventions will be needed to handle such occurrences. Should they share ownership? My preference in such circumstances would be for all ownership of V to be vacated — no one gets to own V. 

Or suppose Alice owns V, but decides in the same block to sign it over entirely to Bob and then again entirely to Carol. In that case, convention could decide that ownership reverts to Alice. Alternatively, convention could decide that for now no one owns V, perhaps assigning its ownership to the winner of a lottery. Some convention, however, is needed to resolve the double-giving problem, or the double-spending problem in case V is money. Of course, if Alice signs over V to Bob in an earlier block and then signs it over to Carol in a later block, ownership needs to be ascribed to Bob (Alice can’t have the power to invalidate her transfer of ownership to Bob by actions in subsequent blocks). 

I’ve described how the DIY protocol for the ownership of static information works in general. Next, let us consider how it works when the item of information V in question is money. As in the actual world, money in our purely informational world comes in two varieties: (1) money that achieves value intrinsically on its own merits; (2) money that achieves value extrinsically because an authoritative agent, such as a governmental entity, ascribes value to it. The latter is fiat money, and public confidence in it depends on the trustworthiness of the issuing agent in constraining the money’s proliferation, guaranteeing its acceptance, and facilitating its use (such as for taxes). 

Fiat money is easily produced in the DIY protocol. An agent U (Uncle Sam) with public key EU and private key DU issues items of information V1, V2, etc. each of which states a currency amount, a unique serial number, and a signature by the private key DU, demonstrating that U issued the currency and preventing its forgery. Anticipatory hashes H1, H2, etc. corresponding to wrappers (EU,V1,S1), (EU,V2,S2), etc. (S1 being the DU-signature of EU and V1, etc.) then get uploaded into ledger blocks. The wrappers themselves then get uploaded in subsequent blocks, after which the money can be transferred to other agents. This currency is divisible and fungible, and it avoids the double-spending problem.

Although such a fiat currency could be implemented on a large global scale, it could also be implemented on a small regional scale, working as much against centralization as for it, even providing a scrip for local and underground economies. Take the example of Woergl. Woergl is an Austrian town of 13,000 residents, about sixty miles west of Salzburg. In the 1930s, it had a population of a little over 4,000. In July 1932, as the world was experiencing a terrible economic depression and with Austrian currency tight, Woergl’s mayor, Michael Unterguggenberger, decided to introduce “certified compensation bills,” a local scrip or currency to pay for town projects, which could then be further circulated locally among the residents.

Before this local currency was introduced, Woergl’s construction business had stalled and its unemployment was high. After the town introduced this scrip, business boomed. New houses, a bridge, a ski jump, and a reservoir were all built as local government projects. Private sector consumption and investment jumped up as well. Employment increased. Moreover, the prosperity witnessed was unencumbered by either inflation or deflation. Certainly no harm was done, and in fact much good was wrought. Nonetheless, the bureaucrats in Vienna decided that this was too much of a good thing and that it undermined the primacy of the official state-sanctioned Schilling. In consequence, on September 1, 1933, the Austrian National Bank ended the Woergl experiment, removing the certified compensation bills from circulation.

Now suppose the Woergl experiment had been conducted in the face of similar economic hardships but with current web technology so that the DIY protocol could be used to issue certified compensation bills and facilitate their exchange. As in the 1930s, all would have been fine, with the economy restored, up to the point that the Austrian National Bank decided to crack down on Woergl’s scrip (why do central banks always seem to crave monopoly?). Nonetheless, given the DIY protocol and current web technology, Woergl residents would not have had to stand meekly by as the central bankers in Vienna decided to retire their local currency. Rather, they could have placed the DIY protocol’s ledger for their scrip beyond governmental control (such as on the Darknet), introducing a security wall, anonymizing the identities of residents, and taking additional safety measures to keep the Vienna authorities off their backs. Short of a police or military intervention by Vienna against the Woergl residents, the “Woergl Miracle,” as it’s been called, might have continued indefinitely. 

That leaves money that achieves its value intrinsically. What might such money look like in our purely informational world? And could an economically sound DIY mint produce it? Since the aim of this paper is to present a proof of concept for an informational DIY mint, it’s enough to present simply one proposal for an informational currency that is economically sound and that allows the lone individual or agent to create it. Perhaps other informational worlds, or even this one, allow for other proposals, but we just need one to make the case for an informational DIY mint.

We consider therefore again our agent A (Alice). As before, Alice has a public key E that identifies her as well as a private key D that she keeps hidden. Alice is going to create an item of information V that she wants to serve as intrinsically valuable money. As an item of information, V is a just a bunch of bits, a file if you will. What then needs to be true about V for the inhabitants of our informational world to want to treat it like money? In creating V, Alice will need to demonstrate that she owns V and that it is worthy to be exchanged as money in the economy of our informational world. Clearly, it will need to cost Alice something to create V if V is to have intrinsic value. Since computation is a scarce resource in our informational world, let’s agree that the cost to Alice will be computational effort. The challenge then is to show how this computational effort can be embodied in V. Here’s one approach (with some inspiration from Bitcoin).

Since computation is a scarce resource and since hashing is a form of computation, number of hashes performed becomes a measure of computational effort expended. For simplicity, let’s assume 

(1)    that there’s only one type of hash in our informational world and that it performs well and is free of defects (for instance, it can’t be gamed by preimage attacks);

(2)    that the computational effort required for hashes is additive (thus, doing 100 hashes at one time expends neither more nor less computational effort than doing 30 and then 70 hashes at different times); and

(3)    that the cost of performing a hash, as an expenditure of computational effort, is unvarying (for instance, there’s no Moore’s Law that, as a function of time, changes the amount of computational effort to resolve the same computational problem). 

Obviously, these assumptions do away with complexities that, if present, would need to be redressed, such as, in point (1) controlling for differences in computational effort to perform different types of hashes or, in point (2) normalizing by the number of hashes that can be performed with the same computational effort over time.   

Alice’s task, then, will be to construct V in such a way as to prove that its construction required  a given number of hashes. Additionally, she needs to be able to prove that those hashes were performed uniquely for constructing V. In other words, it must be clear that the execution of those hashes cannot be in the service of some other item of information. This requirement ensures that all hashes that count as currency cannot serve double duty elsewhere.  

To achieve this end, Alice sets up the following triple: (E,I,N). E is her public key. I is a unique identifier of this instance of currency that she is creating. Think of it as a serial number for her E-based currency. She will need to change I for other items of currency that she creates to guarantee that the hashes performed to gauge the value of her currency are not double counted. Note that it doesn’t matter if the same identifier I occurs in currencies by different agents with different public/private keys — in that case, different public keys will distinguish the currencies. 

With E and I fixed, N will now be allowed to vary. N is a nonce, or cryptographic nonce. Nonces are common in Bitcoin where they are used to influence but not determine the output of hashes. As the nonce N here is varied, a hash of the triple (E,I,N) will be computed, denoted by H(E,I,N). Let’s suppose that hashes are represented as binary digits or bits. It’s typical (in our world) to represent hashes in hexadecimal notation as this tends to be more convenient in practice, but conceptually it will be clearer here to go with bits, so we’ll do that here. 

A hash function, if working properly (and we assume ours is), is supposed to act like a uniform probability randomizer, delivering for any input what appears to be a uniformly distributed random output (albeit for any fixed input it always returns the same hash — hash functions are, after all, deterministic). It then follows from elementary probability theory that for any positive integer m, by hashing 2^m different possible nonces, there will be a better than even chance that at least one of the hashes H(E,I,N) will display m leading binary zeros. Note that from a probabilistic standpoint, there’s nothing special about going with leading zeros — any fixed sequence of leading bits of length m would likewise require 2^m hashes to have a better than even chance of a match. We go with zeros for convenience and in deference to Bitcoin. 

The item of information that Alice now creates as money is V = (E,I,Nm). Here Nm is a nonce such that H(E,I,Nm) is a hash with m leading zeros. Let’s call this a proof-of-work hash, in contrast to our earlier anticipatory hash. As just noted, such a proof-of-work hash with m leading zeros will, on average, be the product of sampling 2^m nonces and computing each of their hashes. In consequence, V = (E,I,Nm) embodies a probabilistic proof of work where the work consists, on average, in the performance of 2^m hashes. V = (E,I,Nm) therefore denominates hashes in powers of 2. The currency, in being created, thus only comes in units of 2, 4, 8, 16, etc. Once created, however, it can be subdivided into arbitrary units of account. 

V = (E,I,Nm) provides clear proof of work ascribable only to E, and thus to Alice. V’s first appearance anywhere on the ledger could, therefore, only be interpreted as an act of money creation by, or on behalf of, Alice, with Alice as the owner. And yet, it’s best here still to go through the usual two-step validation of the DIY protocol in placing V on the ledger. For instance, it’s possible for some third party to perform hash work and then arbitrarily ascribe items V =  (E,I,Nm) so produced to Alice. This could even, potentially, lead to a form of spamming in which multiple items of information ascribable to E are formed such that m is small and thus the value of each item of currency formed is minuscule (think of your bank account being inundated with multiple 1 cent credits). If Alice is to operate a DIY mint, then the money ascribed to her needs to have her authorization. Using the DIY protocol ensures her authorization by affixing her signature S to (E,V) inside the wrapper (E,V,S), albeit first uploading an anticipatory hash of this wrapper.

It’s easy to check that this proposal, call it the DIY monetary protocol, satisfies the usual requirements of money: V =  (E,I,Nm), as embodying a set number of executed hashes, has the usual properties of money, constituting a unit of account, store of value, and medium of exchange. With suitable automated accounting on the ledger, it will exhibit divisibility, fungibility, scarcity, durability, and transferability. And it avoids key pitfall specific to informational items of value, namely, the problem of  double-giving, or double-spending in the case of currencies. 

In closing this paper, let me briefly address two points about the DIY monetary protocol (I may add to this number as the monetary proposal sketched in this paper receives comment and criticism):

(1) In the DIY monetary protocol, all hash work to create DIY currency gets credited. This is fairer than Bitcoin, where most miners (or mining pools) expend computational effort in the form of hash work, yet without recompense in bitcoins. By some estimates, losing Bitcoin miners (or mining pools) account for over 80 percent of all kilowatt hours spent on generating hashes to produce a winning block hash. Add to that that over time fewer and fewer Bitcoins are rewarded for winning block hashes, and the Bitcoin system seems not only grossly unfair and not only highly inefficient, but also perversely incentivized to consume ever increasing amounts of electrical energy to produce hashes. Bitcoin’s annual electricity consumption now (2019) matches that of Austria, at .3 percent of all electricity consumed worldwide annually. 

(2) This paper started by describing a DIY gold currency and concluded by formulating a DIY informational currency. Though both are DIY currencies, there is an interesting difference. With a DIY gold currency, the source of the gold need never be identified. There is no provenance to a DIY gold currency. Instances of the gold coins are all identical, with no serial number or distinguishing mark necessary. By contrast, DIY informational currency will always bear the marks of its history. DIY currency as well as informational items produced by the DIY protocol more generally require provenance, in other words, a chain of transaction events block by block in the public ledger going back to the initial creation event with an anticipatory hash and then its corresponding cryptographic wrapper. This is unavoidable. It’s the nature of static items of information that they can be reproduced at will — they’re just a bunch of bits. Their ownership and security require they be associated with other information that demonstrates continuous path dependence through time — in other words, provenance. Note that provenance need not undercut anonymity. One can imagine new users of the DIY protocol uploading their public key and then verifying their private key to become full-fledged users of the ledger. As long as public keys can’t be traced, full anonymity can be preserved. 


This white paper is my second go at a cryptocurrency proposal. The first is one I wrote up in late 2016 titled “Peerless: A Radically Decentralized Digital Monetary Framework.” It appeared online at (for now removed). It was a long and meandering piece with some interesting economic nuggets (in my view, the concept of “transubstantiation” held considerable promise), but the basic proposal was fundamentally flawed in that economic transactions take place by revealing and thereby invalidating private keys in a public key cryptosystem. This is unrealistic and unnecessary. I’m grateful to Winston Ewert, a computer science professional, for his incisive critique of the 2016 Peerless article, helping me to ground the cryptocurrency proposal in the present white paper in computational reality. What flaws remain, however, are entirely mine. 

For the “experience machine,” see Robert Nozick Anarchy, State, and Utopia (New York:  Basic Books, 1974), 43.

For information economics in the late 1990s, see J. Bradford De Long and A. Michael Froomkin’s 1997 article “The Next Economy?” ( as well as their 1999 update of the latter article titled “Speculative Microeconomics for Tomorrow’s Economy” (

For performative utterances, see J. L. Austin, How to Do Things with Words, 2nd edition (Oxford: Oxford University Press, 1975), 5. 

For Isaac Newton’s use of anagrams to assert priority of his intellectual work without revealing it, see the brief anonymous article titled “The Fundamental Anagram of Calculus” at 

For the Woergl experiment, see David Boyle, The Money Changers: Currency Reform from Aristotle to E-Cash (New York: Routledge/Earthscan, 2002), 236-7 and Eric Helleiner, The Making of National Money: Territorial Currencies in Historical Perspective (Ithaca, N.Y.: Cornell University Press, 2003), 158-9.