TABLE OF CONTENTS
Abstract: Peerless Digital Currency
Context for This Paper
1 Money in a Purely Informational World
2 Problems with Existing Blockchain Currencies
—2.1 Lack of User Control
—2.2 Artificiality of Mining
—2.3 Revenge of Recentralization
—2.4 Cult of Consensus
3 Claiming and Transferring Ownership of Information
—3.1 Cryptographic Encapsulation of Information
—3.2 Transferring Ownership of Encapsulated Value
—3.3 The Public Ledger, Double-Spending, and Transaction Finalization
4 Capsular Ownership and Its Alternatives
—4.2 Official Ownership Registries
—4.3 Money Creation by Banks
—4.4 Local and Underground Economies
5 Sources of Value
—5.1 Intellectual Property
—5.2 Promissory Notes
—5.4 Proof of Hash Work
—5.6 Units of Account
—5.7 Value in a Purely Informational World
6 The Mechanics of Encapsulated Currency
—6.3 Conjunctive or Joint Ownership
—6.4 Disjunctive or Shared Ownership
—6.5 Conditional Ownership
—6.6 Terminated Cash and Permanent Invalidation
—6.7 TTPs, Escrow, Smart Contracts
—6.8 Additional Security
—7.1 Established Data Structures
—7.2 Home-Brew Technology
—7.3 Verification, Search, and Accounting
—7.4 Government Regulation
—7.5 Enforcement of Agreements
—7.6 Taxation and Government Control
—7.7 Security of Private Keys
—7.8 The Way Forward
Epilogue: Radical Decentralization and Freedom
Abstract: Peerless Digital Currency
Decentralized digital currency that for its creation, value, and transmission depends intrinsically on more than one individual is not truly decentralized. Instead, a group consisting of multiple individuals ends up constituting a problematic monetary authority, however well-intentioned and however small in relation to the state. A radically decentralized digital currency would depend solely on the lone individual for its creation and transmission. Moreover, it would depend for its value on the individual (intrinsic value) or on an assignation of value by a trusted third party (extrinsic value) or on some combination of the two.
Peerless is a monetary framework that enables the single individual to create and transmit money. The framework uses well understood cryptographic tools and can accommodate numerous types of value. Peerless is therefore not a currency per se, but a family of currencies based on different values capable of being encapsulated by them. The currencies within the Peerless framework all operate in the same way and can be organized into tranches capable of being combined, teased apart, and exchanged.
Peerless is not merely a system of credit and clearing based on an arbitrary unit of account. It provides an actual store of value. Though purely digital and though issuing from a single individual, Peerless encapsulated currency operates according to precisely defined protocols by which it is able to exhibit the standard features we associate with money: scarcity, durability, divisibility, verifiability, portability, fungibility, and immunity to double-spending.
But Peerless also exhibits additional desiderata: frictionlessness, globality (indeed omnipresence), complete privacy/anonymity, robust and expandable security, complex ownership relations (conjunctive as well as disjunctive), and automaticity (smart contracts). For Peerless to be able to achieve these results requires hashing, public key cryptography, digital signing, a publicly accessible digital space with permanent storage, and reliable timestamping (the last two items depending on a type of blockchain). Peerless is in fact more than money: it is a cryptographic technology for claiming and transferring ownership of information, money being a key type of information that requires ownership.
Note: Even though I’m a mathematician and might readily have used the mathematical typesetting system TeX to format this paper, in fact this paper is as “anti-TeX” as you’ll find in that it takes an absolutely minimalist approach to formatting. I did this in the interest of dissemination so that this paper could be copied and pasted at will into emails and text editors without loss.
Context for This Paper
This project begins in the aftermath of the 2008 financial debacle, which led me to read widely, if eclectically, in monetary history, monetary theory, and economics. I’m an autodidact in these areas, with the limitations that brings. But it also brings a possible advantage, namely, the ability to look at longstanding problems with a fresh set of eyes, especially if those eyes are informed by experiences and disciplines not customarily brought to bear.
In 2010, the outlines of a radically decentralized cryptocurrency occurred to me, whereupon I discovered that Bitcoin had just been invented. Bitcoin left me intrigued but also unsatisfied. Its method of generating bitcoins by “mining” struck me as highly artificial and also as self-serving to first adopters. Moreover, its peer-to-peer network struck me as a centralizing monetary authority, a no-go in my book.
That said, Bitcoin took a number of off-the-shelf tools from computer science and cryptography and put them together in a way that was nothing short of brilliant. Its idea of a blockchain was groundbreaking. Bitcoin was a huge advance in the field of cryptocurrencies, overcoming many of the dead ends that had stymied earlier cryptocurrencies. Yet despite the significant progress that Bitcoin represented, I became increasingly convinced that it was not the future of money.
The germ of my idea for a radically decentralized cryptocurrency, which I first mooted in 2010, withstood the growing fervor over Bitcoin and other blockchain-based currencies. In subsequent years, I kept raising doubts about Bitcoin and promising friends and colleagues that I would write up my thoughts about a radically decentralized cryptocurrency (radical in the sense that it depends only on the individual owning or transferring ownership of the currency). In the fall of 2016, that finally happened with this paper.
In approaching a project like this about cryptocurrencies, I clearly needed some background in cryptography. Back in the late 1980s and early 90s, I had a reasonable grasp of the field, having sat in on lectures with Adi Shamir (during his year at the University of Chicago) and Silvio Micali (during my postdoc at MIT) as well as having Andrew Yao as a postdoctoral supervisor (during my time at Princeton). But the field has clearly exploded since then, and I had a lot of catching up to do, leaving me largely an autodidact for cryptography as with economics.
Other background that I bring to this project includes: (1) a PhD in mathematics, focused on probability theory and nonlinear dynamics; (2) a second doctorate, in the philosophy of science, focused on the logic of extremely improbable events (the sorts of events needed to break otherwise secure cryptosystems — this work appeared in my Cambridge monograph, The Design Inference); (3) work on information theory and evolutionary computing with the Evolutionary Informatics Lab (evoinfo.org).
Proposed resolutions to problems can take three courses: they can be exactly right, they can be fatally wrong, and they can to varying degrees be salvageable, containing a core that is correct, but requiring some tinkering to get the details right and to make it practicable. I suspect this paper falls in the latter category. Indeed, I’m convinced it is substantially correct, if only because the opening thought experiment analyzes money down to its informational first principles, which in its essential features is the cryptocurrency (or, more properly, the family of cryptocurrencies) proposed in this paper.
1 Money in a Purely Informational World
To set the stage for Peerless digital currency, consider a thought experiment: What would money look like in a world of pure information, where there are no material objects as such but only agents that store, retrieve, and exchange information? Some monetary theorists, especially those who yearn for the days before fiat money, insist that money is gold or some other precious metal, and thus that money presupposes matter. This in turn would imply that money is impossible in a purely informational world.
But there is something too contingent about gold. Isn’t it simply an accident of geological history that we have gold, which can then be used for money? If we lived on a planet without gold or other rare metals, could we not invent a convenient means of monetary exchange? The following thought experiment about money in a purely informational world uncovers the essence of money and demonstrates that money is not inherently material.
To characterize money in a purely informational world, we first need to clarify what we mean by such a world. Not surprisingly, my main inspiration for this purely informational world comes from the Internet, the World Wide Web, the Cloud. Even so, I’ll want to extract and idealize certain key features from our everyday informational experience.
A purely informational world starts with a collection or society of agents (think of these agents not just as persons but also as corporations and governmental entities). The agents possess, individually, three main capabilities: (1) each has a completely private storage for information accessible only to the agent; (2) each can create information, placing it in that private storage; (3) from that private storage each is able to transmit, in secrecy, any information contained in it to another agent’s private storage (in other words, agent-to-agent communication without eavesdroppers is possible; whether this requires effective cryptography or inherently inviolable communication channels I leave open).
In addition to each agent’s private storage, our informational world includes unlimited public storage onto which agents can put any information they like from their private storage, information that is viewable by all. Transmission of information from one agent to another can, as described in the last paragraph, be secret, so that only the sending and receiving agents have access to it (thus either bypassing public storage or using secure encryption via public storage). Alternatively, transmission of information can be open, in which case the information resides in public view (though it may require special keys/permissions to become usable or interpretable).
At the discretion of the agent putting information into public storage, the information can be sourced to the agent or kept anonymous. Note that anonymous information, once its source is revealed, can never become anonymous again.
This characterization of our informational world needs to be supplemented with the following more specific features:
(1) A universal clock that keeps precise time for the entire informational world and that allows for reliable and fully ascertainable timestamping of any information-creation and information-transmission events occurring in public storage (think of an atomic clock keeping Greenwich Mean Time and timestamping everything in public storage).
(2) The ability to represent any information, whether in private or public storage, in bits, bytes, and any alphanumeric symbol system (this is a world of Shannon information).
(3) The ability to compute with this information according to deterministic and nondeterministic algorithms (accordingly, Turing machines exist in this world, as do pseudo- and true random numbers).
(4) An upper limit on the speed of computation (rate at which bits can be altered) and amount of computation (total computational steps possible in the life of this informational world). The purpose of this limitation is to allow for effective symmetric-key and public-key cryptography.
Note: The assumptions of a universally accessible permanent public storage and a universal clock that reliably timestamps everything in public storage, with no danger of backdating, are for convenience. These assumptions, articulated with this degree of stringency, are not essential in the protocols for money creation and money transfer within the Peerless monetary framework as it will be developed in later sections. This is not to say that timestamping or public storage can be eliminated. Temporal priority of information and its accurate continued storage will play a crucial role. But these can occur more approximately and locally, allowing enough tolerance to make Peerless practicable and enough rigor to make it secure, above all eliminating double-spending and the need to trusted third parties.
Given such a world, what does its economy look like? Since this is an informational world, the nuts and bolts of any such economy will of necessity consist of items of information in public storage. One such item of information is, let’s say, a creation of vPicasso (virtual Picasso) that depicts, when exported as a jpeg file into our hybrid world of matter and information, a high resolution image of The Old Guitarist, an oil painting of Picasso’s from around 1904. Let’s call the corresponding digital canvas that resides in the public storage of our informational world vGuitarist (virtual Guitarist). vGuitarist is therefore a bunch of bits in public storage whose source is identified as vPicasso and whose timestamp gives the date and time it was put in public storage.
Now, for vGuitarist to be economically significant, two things are required: (1) its ownership by vPicasso needs to be verifiable, and (2) its ownership needs to be transferrable (say, to vKahnweiler, the virtual version of the early 20th century Parisian art dealer D.-H. Kahnweiler). But, in a purely informational world, how are these requirements to be met?
Let’s first deal with ownership. In a purely informational world, ownership of valued items is always ownership of intellectual property, and ownership of intellectual property is always assigned according to priority. Hence the need for a universal clock to timestamp information in public storage. vPicasso owns vGuitarist because he was the first (and ascertainably so) to upload vGuitarist to public storage. Any exact or approximate copies of vGuitarist that appear in public storage with a later timestamp are thus presumed to be derivative works (i.e., derived from vPicasso’s vGuitarist) and thus not to belong to whoever else wants to claim credit for and ownership of them.
All this makes good sense in our informational world. Nonetheless, things get more interesting when vPicasso wants to transfer ownership of vGuitarist to art dealer vKahnweiler. One way vPicasso could attempt to transfer ownership is simply to make an announcement, timestamped and with his official digital signature, that he herewith transfers ownership of vGuitarist to vKahnweiler. Let’s assume that the conventions of our informational world allow for this type of ownership transfer, which essentially amounts to putting in an authoritative public registry who owns what at which time (much as we do in our day for titles to homes and cars recorded at the county court house) .
Of course, vPicasso is not simply going to transfer ownership of vGuitarist to vKahnweiler without wanting, and indeed getting, something in return, namely, money. But money, in a purely informational world, is itself an item of information in public storage. Let’s call the money that vPicasso is going to receive from vKahnweiler in return for vGuitarist vM (virtual money). Now, as we said, vGuitarist is essentially a set of pixels of sufficiently fine resolution, and perhaps even in 3D. But what is vM? What form does it take? How did vKahnweiler get it? And how does he transfer it to vPicasso in exchange for vGuitarist?
In answering these questions, we need to watch out for features of our hybrid world of matter and information that, if we don’t exercise proper awareness, can confuse us about ownership transference in a purely informational world. In this, our own, hybrid world of the real Picasso and the real Old Guitarist, ownership can be transferred informationally through what philosopher of language J. L. Austin called performative utterances (of the sort “I hereby irrevocably give you such and such”), such an utterance thereby creating a new social reality in which one party no longer owns something and another does. Moreover, this social reality can then be reflected extrinsically (i.e., outside the objects being exchanged) in some sort of public registry, as at a county court house.
But typically ownership in our hybrid world is also transferred mechanically, by moving paintings, moneys, receipts, and other physical objects into different spatial locations and relations. Moreover, how and to what locations such objects of economic significance are moved can make all the difference between whether a transaction is private or public.
The real Picasso, for instance, might paint a painting in his studio, show it to no one but Kahnweiler, who pulls out a wad of bills, pays the artist, walks off with the painting under wraps, and puts it into storage unseen for thirty years. On the other hand, Picasso can exhibit the same painting at a show, Kahnweiler can very publicly buy it from the artist (which gets widely reported in the press), and then likewise puts it in storage. The actions, as actions go, are not that different in both cases, at least in terms of their purely physical movements, but their implications for privacy and for economics are vastly different.
Now, in a purely informational world, anything economically significant is simply an item of information in public storage. An item of information, once placed in public storage, stays put (it is instantly timestamped, cached, archived, kept for all eternity). Information placed in public storage doesn’t disappear. Nonetheless, information placed in public storage, and thus viewable by all, may not be interpretable by all, especially if effectively encrypted, and thus ensure privacy of some information even if it appears in public storage.
So, let’s ask, is it possible for vPicasso to transfer ownership of vGuitarist to vKahnweiler without a public pronouncement of a change in ownership but entirely privately, as would happen in our own world if the actual Kahnweiler simply saw The Old Guitarist right after Picasso had finished it in his atelier (but not shown it to anyone else), whereupon Kahnweiler paid Picasso for it in a totally private transaction and thereafter simply stored the painting away, for no one else to see. Is a parallel to the latter possible in a purely informational world?
To answer this last question affirmatively, we would need to see something like the following in our informational world: vPicasso would upload vGuitarist into public storage, perhaps encrypting it so no one without special access can determine that this item of information depicts The Old Guitarist. Moreover, even though vPicasso could identify himself as the source this upload, allowing it to be traced back to him, for true privacy, he should also be able to keep his identity as the source of the upload hidden. At the same time, he must be able to reveal to anyone interested in acquiring ownership of this item of information that he, though acting anonymously, is indeed the owner. And finally, he must be able to transfer ownership in a way that allows the new owner to assert ownership, yet without revealing the new owner’s identity. In particular, the new owner, acting anonymously, should likewise be able to convince others of this new ownership.
Private ownership and private transfers of ownership in a purely informational world will thus depend on suitably coordinating public and private information placed in public storage. But how? As it turns out, ownership in an informational world is not so much an item of information as a suitable pattern among items of information (both private and public), and specifically a provenance chain. It’s not enough to verify current ownership of an item of information in isolation. Instead, what requires verification is the entire chain of ownership, going right back to the creation of the information and its placement in public storage, all the while making sure that all transfers in ownership along the chain were legitimate.
Suppose, for instance, that vDuveen (the virtual version of the early 20th century British art dealer Joseph Duveen) ended up in turn acquiring vGuitarist from vKahnweiler. Then, to ensure that vDuveen did in fact own vGuitarist would require confirming vPicasso as the originator of vGuitarist (the first owner), then confirming that vPicasso legitimately transferred vGuitarist to vKahnweiler, and finally confirming that vKahnweiler legitimately transferred the work to vDuveen. Such confirmations might keep the identities of vPicasso, vKahnweiler, and vDuveen confidential, but such confirmed transfers along the provenance chain would nonetheless be necessary. Provenance is a big deal in the art world, and rightly so. Works of art can be too easily forged (recall Clifford Irving’s Fake! and Anne-Marie Stein’s Three Picassos Before Breakfast). Provenance puts the brakes on forgery.
Ownership in our informational world would thus be conferred by a provenance chain. This seems exactly right. But note: a provenance chain is not a blockchain (even though our informational world can support blockchains). Blockchains attempt to provide a complete record of ownership transfers for a certain class of items within an entire community of agents. That is more than simply trying to understand ownership transfers of a given item of information within our informational world. A blockchain is a chain of chains; a provenance chain is simply a chain.
Given that provenance chains characterize ownership transfers in our informational world, it follows that keeping ownership transfers hidden (i.e., known only to the parties involved in the transfer) would be a matter of embedding a provenance chain within a cryptographic scheme that permits full transfer of ownership and at the same time guarantees full confidentiality. Let’s call such a cryptographic scheme that ensures confidentiality of ownership transfers a cryptographic encapsulation or simply an encapsulation or capsule. An encapsulation takes an item of information having economic value and, as it were, puts it inside a capsule that at once protects the information’s ownership as well as the proper transference of ownership, all the while maintaining full confidentiality of the parties to the transaction.
What might such a cryptographic encapsulation look like in the example we’ve been considering? vPicasso has created vGuitarist. vGuitarist is at the point of creation merely a set of bits in vPicasso’s private storage. If vPicasso uploads vGuitarist without any encryption to public storage, exhibiting his work of art plainly as well as associating his identity with it, he will get full credit for vGuitarist and be able to claim ownership for this work of art simply in virtue of being its creator. But in that case he will have to forgo confidentiality.
Yet suppose, instead, vPicasso uses a cryptographic encapsulation that does the following three things:
(1) The capsule gives full display and access to vGuitarist, just as much as if vPicasso had simply uploaded it to public storage without any restrictions. The capsule thus does nothing to occlude the item of significant informational value (i.e., vGuitarist) that vPicasso has just created; instead, it is transparent about the intellectual property it contains.
(2) The capsule keeps the identity of the creator (i.e., vPicasso) secret.
(3) In the act of encapsulating vGuitarist, vPicasso gains special knowledge that allows him to demonstrate that he, and he alone, is also the capsule’s creator, yet without betraying his identity in any demonstration of knowledge that shows he is the capsule’s creator.
Note a key point: vPicasso is not just vGuitarist’s creator but also the capsule’s creator, and his creation of the capsule gives him powers over vGuitarist’s presentation in public storage that no one else has. (Anyone having the least familiarity with signature schemes and zero-knowledge proofs will recognize the parallels with what I’m calling encapsulation here.)
With such an encapsulation, vPicasso can assume an anonymous identity and convince anyone that the agent behind that anonymous identity owns the item of information in question. But encapsulation doesn’t just ensure confidentiality in the act of information creation. The same principles that allow it to work in confidentially claiming ownership for information creation also ensure that ownership transfers of information remain confidential, keeping both parties to the transfer anonymous as well.
To see this, suppose that vPicasso wants to transfer ownership of vGuitarist to vKahnweiler. In that case, the task of encapsulation falls on vKahnweiler, the soon-to-be new owner of vGuitarist. What needs to be encapsulated in that case is the transaction between the two, and vKahnweiler’s encapsulation must accomplish three things:
(1) The new capsule, this time applied to the transference of ownership, must continue to display vGuitarist — the item whose ownership is at stake and being transferred must remain perspicuous, or at least accessible via an access code.
(2) The knowledge (private cryptographic key) that vPicasso used, albeit anonymously, to demonstrate creation of the capsule he put around vGuitarist, must be revealed in the new capsule — this revelation invalidates the previous capsule and ensures that vPicasso has relinquished ownership of vGuitarist.
(3) The act of creating the new capsule by vKahnweiler must confer on him special knowledge that allows him, as in the creation of the previous capsule, to demonstrate that he, and he alone, is the capsule’s creator, with the special power over vGuitarist’s public presentation that it gives him, yet without betraying his identity in any demonstration of knowledge that shows he is the capsule’s creator.
A capsule of the sort just described can, of course, mutatis mutandis, be recreated indefinitely to facilitate further transfers of ownership of vGuitarist, in each case keeping the parties to the transaction anonymous. Note that in this example, the value associated with each such capsule was intrinsic — vGuitarist, the intellectual property that was the information (intellectual property) of value, was, as it were, enclosed within each capsule. But the encapsulation method just described can also be applied without enclosing any information of intrinsic value. Instead, the value in encapsulated information may be assigned extrinsically via a trusted third party that guarantees continued value as ownership gets transferred capsule to capsule.
What, then, is money in a purely informational world? Money is the cryptographic encapsulation of value, whether that value resides inside the capsule, and thus is intrinsic, or is assigned to the capsule by a trusted third party, and thus is extrinsic, or some combination of the two. Money is therefore a cryptographic technology for keeping the creation and transfer of value safe. Note that in the vGuitarist example of this section, I never described in any detail the money (referred to as vM) that vKahnweiler paid to vPicasso in exchange for this work of art, but if I had, it would have followed the exact same pattern as the encapsulation of vGuitarist — whatever the value inherent in the money that vKahnweiler would spend for vGuitarist would likewise have had to encapsulate valued information, whether that value derives intrinsically or extrinsically or from some combination of the two.
In a sense, encapsulated works of art by vPicasso (like vGuitarist) constitute money in a purely informational world as much as any other encapsulated item of information with value. Information is information, and in an informational world everything is information or patterns of information. Of course, we like to see money display such common features of money as a unit of account and divisibility (by contrast, vGuitarist’s value is holistic and can’t be divided).
But the purely informational world just described can exhibit such common monetary features because it is a world run on a clock and its computations face complexity limits. In consequence, this is a world where the agents that produce informational items of value invest those items with time-value of labor. Moreover, it is a world where the amount of computational effort expended to produce an informational item of value constitutes a measurable cost. Accordingly, this is a world where proof of value and proof of work can be not only encapsulated but also quantified via a unit of account (the precise outworkings of these ideas will become clearer in section 5).
The challenge in what follows will be to show that the encapsulation of value described in broad strokes here can be precisely characterized and implemented algorithmically in our hybrid world of matter and information.
2 Problems with Blockchain Currencies
Before showing how the purely informational approach to money sketched in the last section works in our world, I want to say something about peer-to-peer based cryptocurrencies like Bitcoin and Ethereum that are highly informational and have the blockchain technology at their center. Bitcoin, which first introduced the blockchain, remains the most influential of these cryptocurrencies (Bitcoin’s market cap at the time of this writing is US$9.7 billion; Ethereum’s is just slightly over US$1 billion).
The original white paper that outlined Bitcoin (by the pseudonymous Satoshi Nakamoto) was a major advance in the understanding and development of cryptocurrencies. Bitcoin eliminated the need for trusted third parties to oversee the currency (a serious drawback with prior cryptocurrencies, TTPs often being less than trustworthy). It substituted for a central monetary authority a peer-to-peer network that actually worked (most of the time). It eliminated the double-spending problem. It was fast and frictionless (minimal or no transaction costs). And, in its implementation of public key cryptography, its private and public keys were short. Once you got the hang of it, sending and receiving BTC/bitcoins was reasonably straightforward.
Still, there were inconveniences. Perhaps the biggest hassle with Bitcoin is that for security purposes, it’s always better to work offline than online (the same will be true of Peerless, but the programming environment to run Peerless is self-contained, whereas Bitcoin is constantly making calls to the Cloud). Bitcoin is full-fledged money, so transactions with it are irreversible. There’s no safety net. There’s no credit card company to take the hit in case of fraud. There’s no FDIC to bail out the bank or exchange that stores your bitcoins. Thus, if someone can hack into your Bitcoin wallet or into the exchange that houses (and supposedly protects) your bitcoins, you can easily be relieved of them.
The resulting predilection for offline over online in Bitcoin security means that syncing the software that handles your bitcoins can be a pain. Simple username and password access is typically not enough. Access instead can require inputting random word phrases of more than ten words (which users are told to write out by hand and not store electronically, certainly not on the Web and not even on their hard drive). Alternatively, each login may require receipt of a security email with links that need to be clicked before login access is granted. Yet despite all such precautions, we still hear reports of bitcoins being stolen or just disappearing (the Mt. Gox debacle remains a black eye for Bitcoin to this day; at its height in 2013, the Mt. Gox Bitcoin exchange handled 70 percent of all Bitcoin transactions — the following year it went bankrupt, having lost close to a million of its depositors’ bitcoins).
But even if we underscore the promised benefits of blockchain currencies and downplay the hassles and security concerns connected with them, it’s hard to avoid the conclusion that blockchain currencies are not the future of money. These currencies have now been with us for close to a decade. If blockchain-based cryptocurrencies like Bitcoin, Ethereum, Zcash, and others were the future, they would have proved themselves by now. As it is, they have not proved themselves, and their failure is both practical and principled. In the end, the problem with such currencies is that they are not radical enough in decentralizing the monetary authority.
The practical failure of blockchain-based currencies is evident: these currencies simply don’t transact a lot of business. Bitcoin is the biggest player, with the biggest capitalization. If you go to blockchain.info, you’ll find diagrams describing the transaction behavior of Bitcoin. Each Bitcoin block constitutes a 10-minute ledger of all Bitcoin transactions in that period. At the time of this writing (October 2016), there are on average 1,500 Bitcoin transactions every 10 minutes. Because each 24-hour period comprises 144 blocks, that means approximately 220,000 Bitcoin transactions occur daily.
This at best qualifies Bitcoin as a boutique currency. To gain some sense of proportion of how little market share Bitcoin actually encompasses, consider that Amazon on a good day does 25,000,000 transactions and that on an average day Visa does 150,000,000 transactions. This is not to say that Bitcoin can’t handle huge transaction numbers. But it is to say that people are not voting with their feet to beat down Bitcoin’s doors, and the reasons have to do with principled failures of blockchain-based currencies, which we consider next.
As I see it, there are four main principled failures associated with Bitcoin and blockchain currencies in general (and I write this as someone who owns bitcoins and ethers). I’ll formulate these objections mainly in terms of Bitcoin, though my concerns apply quite generally.
2.1 Lack of User Control
If you are a seasoned computer scientist who knows and understands the source code underlying the Bitcoin protocols (or related cryptocurrencies) and can program your Bitcoin wallets from scratch, then perhaps this concern doesn’t apply to you. But for the rest of us, myself included, owning and transacting bitcoins means taking off-the-shelf software and running it on our computers and/or in the Cloud.
Now it’s possible at least to some degree to vet the software needed to run Bitcoin, such as through recommendations on social media or reviews on dedicated bulletin boards. But in the end, you are still left having to trust the suppliers of this software not to introduce a Trojan horse or some other nefarious bait-and-switch trap that gets you to put your bitcoins in their wallet only to see it relieve you of your excess digital cash at some convenient later opportunity.
Don’t get me wrong, the Bitcoin community seems to consist of a lot of stand-up folks. My favorite Bitcoin wallet is the one provided by Electrum.org. But despite Electrum’s evident attention to detail, I’m not going to move any significant portion of my wealth in and out of their wallets or any other such wallets. I suspect many users feel the same way. For the unwashed masses, among which I count myself, it’s hard to justify strong confidence in what you’re getting with Bitcoin support software. You always feel at the mercy of experts, who assure you that everything is going to be all right, but, because you yourself are not an expert, some of them might in fact be misleading you.
2.2 Artificiality of Mining
Any currency, if it is to garner trust and make itself economically useful, needs to have limits on proliferation. Scarcity is a necessary condition for money. Bitcoin achieves that scarcity through the device of “mining,” which consists of nodes in the peer-to-peer Bitcoin network attempting to compute, for a given 10-minute block, a hash value beginning with as long a string of zeros as can be computed in the allotted time (actually, Bitcoin difficulty, as the term is defined and as its value is adjusted by the Bitcoin user base, is slightly more subtle, but essentially that is what it denotes, namely, a long initial string of zeros in the block hash, greater length indicating greater difficulty).
Nodes are controlled by a person or group of persons, and so a node whose block hash begins with the longest string of zeros (more precisely, the first block hash that achieves the current level of difficulty) is awarded so-an-so many bitcoins for that block (12.5 bitcoins are the going rate right now; it used to be 25, and 50 before that). Note that all the nodes are competing for 12.5 bitcoins, but only one node (or now pool of nodes — AntPool, the largest, controls over 18 percent of current Bitcoin production) will be the winner (or, in case of ties, the winnings can presumably be shared in some equitable way). But essentially this is a zero-sum game, so if one node (or pool of nodes) wins all the bitcoins on offer in one block, the other nodes don’t. The number of bitcoins awarded for each block will continue to decline until the maximum number of bitcoins is achieved, namely, 21 million.
The device of mining for bitcoins certainly ensures their scarcity. But it seems highly artificial. Early adopters have a clear advantage, with the computational juice needed to obtain bitcoins at the start much less than later on. The difficulty level to mine bitcoins for its first year in 2009 was 1, which merely required block hashes beginning with 8 zeros in hexadecimal notation, 32 zeros in binary. Currently, the difficulty is over 200 billion, which requires an additional 9 or 10 zeros in hex. It also means that the number of hashes per second currently computed is now over 200 billion times more than it was back then.
In that first year, over 10 percent of all Bitcoins ever to be mined were therefore mined under extremely generous conditions to Satoshi and his Internet friends, bitcoins whose total value is currently over $1.5 billion. That’s why Satoshi, whoever he/she/it is, is today a millionaire many times over, having stashed away lots of bitcoins early on via what may be called a “founder’s advantage.” Perverse incentives dog the founders of blockchain-based currencies, and the temptations posed can be hard to resist.
Some founders are not content simply to have the advantage of mining their blockchain currency from the get-go while also opening it up to everyone else. Zcash, for instance, paid its early adopters 10 percent of all Zcash right up front. As explained on Zcash’s blog: “Zcash’s monetary base will be the same as Bitcoin’s — 21 million Zcash currency units (ZEC, or ⓩ) will be mined over time. 10% of that reward will be distributed to the stakeholders in the Zcash Company — founders, investors, employees, and advisors. We call this the ‘Founders Reward’.” (See https://z.cash/blog/funding.html.)
What’s perhaps most troubling in Bitcoin’s mining operation is that the emergence of cash in its virtual economy does not reflect any underlying value in the actual economy. It’s often said that if you have a commodity money (and Bitcoin is now regarded as a commodity by the Federal Government), that it really doesn’t matter how much of it exists because so long as it is infinitely divisible, there can in principle be enough for all transactions (bitcoins are divisible up to eight decimal places). This sort of in-principle argument could also be extended to say hardly any money is ever really necessary because as its velocity approaches infinity, all transactions get cleared. The reality, however, is that an economy needs enough money to reflect the value in it and enough liquidity to reflect the pace of transactions occurring in it. Bitcoin does nothing to help this correlation between actual value in an economy and its artificial creation of value.
In this regard, Bitcoin’s very use of the term mining is perversely at odds with real-world mining. Consider that in the mining of gold, for instance, the number of metric tons mined year by year worldwide has shown a significant positive slope. In 1900 world production of gold was a bit under 400 metric tons. In 2015 it hit an all-time high of 3,000 metric tons. During the entire 1500s, when Spain ravaged the New World for precious metals, the total amount of gold extracted over the entire century amounted to only 154 metric tons, less than half of world gold production in 1900, and a pittance compared to today’s gold production.
The name of the game with real-world mining is to work harder and smarter, and thereby get more. The complete opposite is the case with Bitcoin. Cashing in on Bitcoin was easiest at the start, requiring nothing more than a personal computer. Currently Bitcoin requires pooled nodes that employ server farms. Vendors like Butterfly Labs now sell special hardware to mine bitcoins. Total electricity consumed by Bitcoin mining is ever increasing, with the current electricity cost estimated at more than 10 times the value of bitcoins mined. And those costs will only get worse as the number of bitcoins mined each 10-minute block reduces further (in about three years, it will go down to 6.25 bitcoins per 10-minute block). Yet the computational resources needed to mine them will, if present trends are any indication, only increase.
Aside: Bitcoin bulletin boards can be quite revealing about the return on investment to Bitcoin miners. Consider the following remarks from early last year by one such miner: “I’m currently mining with a KNC Neptune Asic miner since June of 2014. At 20nm silicon it’s the most energy efficient miner currently in use … and currently it produces about 1 BTC per month at current difficulty (I got 1 BTC every 3-4 days for the first few weeks after delivery). It’s pulling a steady 2140 watts at the wall socket (3500 GH/s) so at today’s price (< $200) it’s definitely losing me money. So financially it would be cheaper for me to switch it off and buy from the exchanges. That said if a large chunk of miners actually did this, we would all be in trouble, so I’ll keep it running.” Admirable though this sacrificial behavior is to the Bitcoin cause, it makes no business sense, and it suggests that Bitcoin is more a hobby currency than a real one. (Source: http://bitcoin.stackexchange.com/questions/35449/energy-consumption-while-mining, last accessed October 24, 2016.)
At some point, it will no longer be worth mining for bitcoins. The financial incentives for keeping the Bitcoin nodes running and exchanging bitcoins will thus eventually disappear, perhaps sooner rather than later. Moreover, from everything I’ve seen, transaction fees for sending bitcoins are not big enough to sustain this currency as mining rewards continue to dwindle — unless, of course, these fees are radically increased, but with the effect of disincentivizing the use bitcoins for transactions.
So what happens to the peer-to-peer network when mining and transaction fees no longer offer the proper rewards? One gets the sense, in watching Bitcoin evolve, that it is an intriguing experiment, one users are willing to indulge at least for now, like a captivating and expensive hobby. But in fact, it promises very little real return for the average Schmo, behaving much like a multi-level marketing scheme where all the advantage goes to those who get in on the ground floor.
2.3 Revenge of Recentralization
The next concern is a continuation of the previous one, but even more serious. The problem is that despite its promising beginnings as a currency meant to spur decentralization, Bitcoin has now pivoted 180 degrees and is betraying the very principles of decentralization on which it was founded. It’s one thing to keep the proliferation of a currency in check, even if by artificial means. Perhaps that’s the best we can do. Without a guarantee of scarcity, any currency is dead in the water. But mining of blockchain currencies is not just artificial: it’s also, as alluded to in the last section, highly centralizing.
In the case of Bitcoin, ask yourself which nodes/miners end up winning the newly created bitcoins for each block. Is it the little guy with a smart phone or laptop running a mining app? Hardly. The nodes (and now pools of nodes) that win the competition for bitcoins in one 10-minute interval after another, block after block, are those that invest heavily in server farms (especially in Iceland, with its cheap geothermal energy and free arctic air cooling). These server farms require inordinate amounts of electricity to complete their computations of the bitcoin-generating block hashes that exhibit long initial strings of zeros and thus earn them bitcoins.
At the time of this writing, Bitcoin mining requires the electricity needs of about 300,000 American homes. More disconcertingly, it is estimated that at current trends, Bitcoin mining will by 2020 require the entire electricity consumption of Denmark, a country of almost 6,000,000. Yet my worry is less about the sheer amount of energy expended (wasted?) on Bitcoin mining than in the recentralization it represents. The recentralization evident in blockchain-based currencies is part of a larger phenomenon of recentralization, and one that technology critic Jaron Lanier has insightfully discussed. We are promised decentralization, only to find ourselves more centralized than when we started.
Google, for instance, was going to democratize the web and therewith the web’s advertising; instead it has become the most dominant advertiser in the world. Amazon, in its effort to sell everything, has pushed out many smaller vendors and now finds itself the vendor of last resort. Apple, similarly, was going to remove power from those greedy record companies and shift it to the musicians; instead, Apple’s iTunes has become more monopolistic over the music industry than any cartel of record labels ever was.
As I write these words, I’m also aware of my debts to Google, Amazon, and Apple — my life is much enriched on account of these (re)centralizing forces. But I also think they bear close scrutiny. Centralization always creates a temptation to abuse power, and never more than with money itself. So even if one is willing to turn a blind eye to centralization in the corporations that work for our money, one should be much more wary of the centralization of money itself, which has the potential to destroy our freedom to own property at its core.
Accordingly, whenever some persons tell you that they want to decentralize power and distribute it more equitably, grab for your wallet and make sure it’s safe (do this even for Peerless). Decentralization more often than not is a ruse to recentralize, disempowering one authority only to empower another. We see this pattern now fully realized with blockchain-based currencies. If you look at blockchain.info’s hashrate distribution (last accessed October 2016), you’ll find that the top four mining pools perform more than half of all Bitcoin hashes and thus acquire, on average, more than half of all new bitcoins. Bitcoin mining is now a rich man’s game.
2.4 Cult of Consensus
Blockchain-based currencies depend on peer-to-peer networks to achieve consensus about which transactions have occurred in any given block. Achieving such consensus is absolutely necessary for the integrity of the currency, but it is also not an exact science. To be sure, there is science behind it, and the Bitcoin protocols are generally clear enough to allow consensus to be maintained. But not always. Unanticipated contingencies can arise, which require the community of peers that form the governing authority of the blockchain-based currency to come together and work through their issues.
Block validation and consensus rules are not written in stone but evolve over time. So, on the bitcoin.org website (the domain initially employed by Bitcoin’s founder Satoshi Nakamoto), one finds guidelines that provide Bitcoin developers with “technical details and API information to help you start building Bitcoin-based applications.” Bitcoin is a much more mature cryptocurrency now than when it was first proposed, and its evolution has depended on the insight and programming efforts of the Bitcoin community.
All this seems innocuous enough until one realizes that real money is at stake. How, for instance, is a “hard fork” resolved in a peer-to-peer network? According to bitcoin.org, a hard fork is “a permanent divergence in the block chain” that “commonly occurs when non-upgraded nodes can’t validate blocks created by upgraded nodes that follow newer consensus rules.” At times like this the community needs to band together and decide, for the good of the community, which fork chain to adopt as official.
Good luck with that. Actually, Bitcoin has managed to weather these hard fork storms quite well. But Ethereum has been less lucky. In the spring of 2016, the Ethereum Foundation decided to showcase the power of its currency by instituting a decentralized autonomous organization, which, with a pleasing lack of originality, it called The DAO (“The Decentralized Autonomous Organization”).
The point of a decentralized autonomous organization is that it be run through computer programs that implement so called “smart contracts” — contracts that automatically execute when clearly defined antecedent conditions are fulfilled. The DAO, which was designed to fund projects with venture capital, was launched in May 2016 with $150,000,000 in crowdfunding, converted to ethers. In June 2016, some genuinely smart individual saw how the “smart contracts” implemented by the DAO were not really that smart after all, and quickly diverted $50,000,000 in ethers to an alternative decentralized autonomous organization under his/her/its control.
Side comment: For Bible students, smart contracts are like “the Law of the Medes and Persians” (see the books of Esther and Daniel), according to which any law, once enacted, cannot be altered or rescinded, not even by the king (or governing authority) that enacted it in the first place. This is supposed to be an advantage of these laws, disallowing people from changing the rules in mid-stream or making things up as they go along. But it is also a huge disadvantage when unanticipated contingencies arise (as they always do, such as a wily DAO villain exploiting weaknesses in ether-based smart contracts). Such contingencies need to be sorted out by real intelligences and not by pre-determined computer programs. For this reason, contract attorneys and real intelligences are not going out of business any time soon.
As it is, the problem here was not with Ethereum itself, as a blockchain currency, but with the decentralized autonomous organization placed on top of it, namely, The DAO. The DAO was supposed to showcase the glories of Ethereum. When instead it applied egg to Ethereum’s face, the Ethereum Foundation decided to step in and institute a hard fork with the hope of restoring paradise to its prior pristine state. As Ethereum cofounder Vitalik Buterin explained (https://blog.ethereum.org/2016/07/20/hard-fork-completed/): “We would like to congratulate the Ethereum community on a successfully completed hard fork. Block 1920000 contained the execution of an irregular state change which transferred ~12 million ETH from the ‘Dark DAO’ and ‘Whitehat DAO’ contracts into the WithdrawDAO recovery contract. The fork itself took place smoothly, with roughly 85% of miners mining on the fork.”
This all sound innocuous and matter of fact. But it should actually be read along the lines of “Martin Luther has just pulled 15 percent of all western Christians away from the Roman Catholic Church and formed his own Protestant Christian movement.” Indeed, Buterin’s reference to 85 percent of miners ignores what happened to the other 15 percent. They’re still out there, having decided to go with the other fork chain that maintains the original integrity of Ethereum, at the expense, however, of allowing that wily “Dark DAO” villain to abscond with $50,000,000 in ethers. For the Ethereum purists, it’s better to preserve the integrity of the currency, even if that means condoning the individual who exploited weaknesses in The DAO’s smart contracts.
And so, in the best religious tradition of communities splitting over principle and doctrine, we now find an Ethereum splinter group, consisting of the 15 percent who decided not to go along with Buterin’s arbitrary fix, and who therefore chose instead to institute “Ethereum Classic.” Thus, in addition to the original Ethereum Foundation, we now also have the Classic Ethereum Community (they got rid of the word “foundation” — “community,” presumably, inspires more confidence).
This new community, as the homepage of its website explains, lists the following as its raison d’etre (see https://ethereumclassic.github.io/): “Ethereum Classic is a decentralized platform that runs smart contracts: applications that run exactly as programmed without any possibility of downtime, censorship, fraud or third party interference. Ethereum Classic is a continuation of the original Ethereum blockchain — the classic ‘unforked’ version; free from external interference and subjective tampering of transactions.”
Ethereum Classic’s adherence to high principle is, to be sure, commendable. But if the First Church of Ethereum could, and indeed did, split over a dispute involving church doctrine, what is to prevent Ethereum Classic at some point down the line from being corrupted and engendering further splits? And what does all this say about the safety and purchasing power of the ethers that you and I own?
Ethereum Classic is upset that the original Ethereum betrayed its founding principles, essentially asking for a redo, the equivalent in golf of a mulligan. For Ethereum Classic, it’s like playing a computer game, saving it at a crucial point where one has the advantage, playing it further only to see the advantage evaporate, and then going back to the save point to continue playing again. As far as they’re concerned, that’s cheating, and they have a point. Mulligans and restarts may work for games, but they don’t work for real money in a real economy. But even with its disavowals of restarts, that still doesn’t mean that I’m going to trust Ethereum Classic. Why? Because the same systemic fault lines that led to the Ethereum church split remain in place for Ethereum Classic.
Frankly, I want no part of a community that at any time can change how my money does or does not work, especially when it starts behaving like a religious sect ready to split over disputed doctrines. I want my money to operate like a steel trap. It needs to be air tight and iron clad, leaving nothing to the imagination, and remaining immune to the vagaries of any community.
Call me a curmudgeon, but I see iron-clad constraints on what can and can’t be done with money as sound business. By contrast, with blockchain-based currencies, one gets the sense that some of its advocates adopt messianic roles, seeing in the blockchain the salvation of money. I frankly don’t want a messiah messing with my money. We’re not talking about serving God here, after all, but about preserving Mammon. Spare me about being part of a Bitcoin “family” or Ethereum “community.” I just want my money to work unhindered by any authority other than myself, which is the whole point behind the decentralization of money in the first place.
3 Claiming and Transferring Ownership of Information
Finally, with this stage-setting behind us, we are now in a position to explicate the key idea of Peerless, namely, cryptographic encapsulation of information. Think of cryptographic encapsulation as a virtual technology for claiming and transferring ownership of information. At its base, cryptographic encapsulation, so understood, employs a nonlinear data structure known as an ordered tree. To represent this data structure, nested lists of the sort common in the programming language Lisp will be used.
Much of the notation that follows will look like Lisp (with its obsessive need to match opening and closing parentheses). Still, this quasi-Lisp should be construed as a notational convenience rather than as a formal application of the language, taking inspiration from that classic programming language but not much more. In general, the ordered trees represented as nested lists will just be static data structures rather than Lisp-like programs that execute (there will be a few exceptions, though when a cryptographic encapsulation executes an action, the action will be clearly specified and it will not execute like an actual Lisp program).
Terminological Clarification. The term cryptographic encapsulation appears in the standard cryptographic literature, where it refers to data hiding techniques such as key encapsulation for securely distributing cryptographic keys and also as shell protocols for transmitting data packets so that their content is protected, though without guranteeing protection against traffic analysis. I’ve coopted the term for this paper because it seemed apt. Other terms such as wrapper and shell readily come to mind as well, but these are likewise used in cryptographic contexts. Think of cryptographic encapsulation as developed in this paper, therefore, as expanding the usage of an existing cryptographic term.
3.1 Cryptographic Encapsulation of Information
Cryptographic encapsulation of information, as developed in this paper, depends crucially on two things: (1) effective hashing and (2) effective public key cryptography. Both of these, in turn, depend on the existence of mathematical functions that are easy, in a computational sense, to evaluate, but also difficult, in a computational sense, to invert. The day that such functions cease to exist because inversion of all such functions becomes computationally tractable is the day that Peerless goes the way of the dodo. Of course, much more would fall in that case than the class of Peerless cryptocurrencies — indeed, the entire infrastructure of America would collapse, if the Robert Redford film Sneakers is to be believed.
Hashing and public key cryptography are well understood in the world of computer science and cryptography, and are presupposed in the sequel. Plenty has been written about these that is readily accessible on the Web and addressed to the general reader. Briefly, though, hashing is a way to take arbitrary strings of characters and map them into character strings of fixed length and type so that the output appears essentially random, like sampling from a uniform probability distribution.
But note, these hash functions are fully deterministic, so on the exact same string a given hash function will compute the exact same hash. But on a slightly different string it will, almost always, compute a hash that looks completely different. Essentially, the hashing algorithm so mixes, jumbles up, and disorganizes the character strings to which it is applied that neighboring strings (by any reasonable measure of proximity) end up being sent to completely different looking hash values. Hashing takes the idea of sensitive dependence on initial conditions, which is characteristic of nonlinear dynamics and chaos, and pushes it to the farthest extremity.
To see what this comes down to in practice, consider SHA-256. This Secure Hash Algorithm was designed by the National Security Agency and published by the National Institute of Standards and Technology (it is also the hashing function used by Bitcoin). SHA-256 maps arbitrary strings onto strings consisting of 256 bits, or 64 characters in hexadecimal notation (bit to hex conversion: 0000 = 0, …, 0011 = 3, …, 0111 = 7, …, 1111 = f) . Let’s apply this algorithm to the following text taken from the opening of the Wikipedia entry on double-spending:
Double-spending is a failure mode of digital cash schemes, when it is possible to spend a single digital token twice. Since, unlike physical token money such as coins, electronic files can be duplicated, and hence the act of spending a digital coin does not remove its data from the ownership of the original holder
The hash, in hex notation, returned for this text is as follows (spaces were inserted for readability):
4398fcf1 f9948127 ec8ff6cf c02fbc81
7dc298e6 9e6fe121 1a1f341c 9c3dfe64
But now, take the same text as above, the one on double-spending, but add a comma after the world “holder” (such a comma appears in the Wikipedia entry). Do this but make no further change to the text. Now the hash that gets returned is
9aefa3f9 24183c3a ecc127ef 44b66540
1d74f3ef b50ad583 efb95880 0ca3abcb
Even though the two texts/strings to which SHA-256 was applied here are very similar (semantically as well as by any information-theoretic metric for determining similarity of symbol strings), the outputted hash values are very very different. That’s exactly what we want from hash functions: by being extremely sensitive to changes in inputted values, they can effectively guarantee that if an inputted value outputs to a given hash value, then that hash value was constructed from that inputted value in the first place and not by some other means. Hashing thus guarantees data integrity and data origination.
As for public key cryptography, think of it as making it easy for people to send you secret messages but difficult for them to uncover messages once they’ve been made secret. Public key cryptography is like giving people lockboxes into which they can put things but for which they don’t have the keys to open them. Once they close a box, it’s locked and they can’t open it. Only you can open it because only you have the key.
A public key cryptosystem, at its most basic, therefore consists of a public key/encrypting function, which we’ll denote by E, and a private key/decrypting function, which we’ll denote by D. Technically speaking, this characterization is a bit loose since the keys that determine encryption and decryption are actually separate from the functions that do the encryption and decryption, but for our purposes that causes no confusion. In Peerless encapsulated currency, E will in fact denote the public key and D the private key.
Although cryptographic encapsulations can accommodate any hashing function and any public key cryptographic scheme, I default to SHA-256 for hashing and RSA (Rivest-Shamir-Adleman) public key cryptography in what follows, making clear when there is any departure from these. The focus here is on SHA-256 and RSA because of their solid track record for security and because both are entirely in the public domain, with many libraries of algorithms to support them. SHA-256 and RSA can thus be freely and readily incorporated into any implementation of Peerless currency.
Note that for RSA, the key is in fact an ordered pair of the form (n,e) where n is a product of large primes p and q, and where e is an exponent to which a message m, interpreted as a number in modular (or “wrap around”) arithmetic, is raised, this exponentiation being relative to the modulus n. In other words, raising m to the exponent e relative to the modulus n encodes the message, i.e., E(m) = m^e mod n. The private key, in this case, then is an exponent d such that for an encrypted text k, D(k) = k^d mod n is its decryption. Accordingly, D(E(m)) = (m^e)^d mod n. As noted above, however, we’ll refer to E also as the public key and D as the private key, even though the actual keys have the form just described.
One of the strengths of Peerless is that as ownership of information (and ownership of money in particular) is transferred under its auspices, the type of hashing and type of public key cryptography used can be changed at the discretion of the new owner. In particular, this allows the hash functions and public key cryptosystems currently in use to be continually upgraded as tighter security is required or weaknesses are found in existing hash functions and public key cryptosystems.
Since money is a type of information, as will become increasingly evident in this paper, it follows that Peerless characterizes cryptocurrencies with dynamic security that can be improved over time. If, for instance, SHA-256 is deemed insufficiently secure, one can substitute SHA-512. Likewise, if RSA is deemed insufficiently secure, one can substitute DSA (Digital Signature Algorithm) or ECDSA (Elliptic Curve Digital Signature Algorithm). This is a significant advance over past cryptocurrencies, such as Bitcoin, whose security mechanisms tend to be fixed.
What, then, does a cryptographic encapsulation look like? At its very simplest, it looks as follows:
(H (E V))
Here we use, as referenced earlier, a quasi-Lisp notation. Parentheses thus serve as delimiters, with every open parenthesis requiring a match with a closing parenthesis. Moreover, spaces thus serve as separators. But note, how these delimiters and separators are represented inside a computational device will vary and be at the discretion of Peerless practitioners implementing the ordered-tree data structure of cryptographic encapsulation within a given computational environment.
Here (E V) is a list where E denotes a public key within a public key cryptographic scheme and V denotes an item of information that has value (intrinsically) or lays claim to value (extrinsically) or some combination of the two. V is the information being encapsulated. H in this case then becomes the hash value of (E V), the latter treated as a character string. In cryptographic encapsulations, the root of these lists qua ordered trees is always a hash value.
As we elaborate on this very simplest instance of cryptographic encapsulation, we will likely want to include a few further items along with E and V. Thus we might want a digital signature S indicating that it was produced using the private key D, thereby indicating that the agent responsible for (E V) actually knows the private key or at least received S through a transmission chain with the owner of the private key at one end. The cryptographic encapsulation thus has some causal connection to the owner of the private key and thus was not simply concocted by someone who happened to find the public key of a public-key cryptosystem lying about.
Additionally we might want some commentary C explaining or giving context to a cryptographically encapsulated item of currency. And finally we might want to include some string R, widely referred to in blockchain circles as a nonce, that we may want to vary repeatedly (perhaps randomly, perhaps by an exhaustive search) in order to modify the hash value H so that it exhibits certain properties, such as a repeated string of zeros to start it off (in the manner of Bitcoin block hashes). Including R in this way can show that some computational effort (proof of work) was expended in the generation of the currency and can thus help to undercut spamming. R’s use in this way can also be extended, as we’ll see, to provide an additional source of value to a cryptographic encapsulation (see subsection 5.4).
Thus, in place of (H (E V)), a fuller cryptographic encapsulation might look as follows:
(H (E S C R V)) [D]
Note that what the world sees in this case is (H (E S C R V)). We put D in square brackets to indicate that it is the private key associated with E. For now, however, let’s put S, C, and R to one side and focus on cryptographic encapsulations in their most stripped down form, optionally including the private key D in square brackets to remind us that it is there in the background and crucial for conferring ownership, but that it is also invisible to anyone except the owner of the informational item of value V:
(H (E V)) [D].
3.2 Transferring Ownership of Encapsulated Value
For people to claim ownership of information is nothing new. Our society even dedicates an entire industry to preserving and tracking ownership claims to information: intellectual property law. Still, making ownership of information transferable or negotiable, and doing so in a way keeps confidential the parties to the transfer, requires something like the encapsulation technology presented in this paper.
Consider, therefore, the cryptographic encapsulation (H (E V)) [D]. For now, let’s leave aside any particulars about V, how it attains value, how its value can be divided or augmented, and how accounting methods properly keep track of its value (we’ll take up V’s different roles and functions within Peerless in section 5). V, for now, is just an item of information carried along for the ride in the capsule (H (E V)).
Transferring ownership of V by means of cryptographic encapsulation now presents the following challenge: Imagine that Alice has created or otherwise gained possession of an item of information V that has value and whose ownership she wants to claim. But in claiming ownership, she does not want to reveal her identity as the owner. Moreover, once she is able to claim ownership without revealing her identity, she wants to transfer ownership to Bob. Regardless of how Bob repays Alice for V, Bob, let us suppose, likewise wants to keep his identity as the new owner of V hidden. Yet at the same time, he wants to ensure than when ownership is transferred, the transfer is airtight — that his ownership cannot be effectively challenged and that there are no restrictions on his further transferring ownership to some still other party.
To satisfy these conditions, let’s suppose that Alice and Bob can input any information they like on a publicly viewable ledger, call it L, that records with a reliable timestamp anything that they put on it (one can think of L as the Web or Cloud, but with suitable restrictions on reliable storage and timestamping). Let’s also imagine that the ledger has a search function that allows for checking whether any given item of information is on it. Additionally, let’s assume some sort of backup service exists for the ledger so that if any information is tampered with or erased, it will nonetheless still exist somewhere on the ledger, and verifiably so, in its original form with its correct timestamp. Finally, let’s suppose that no information on the ledger can be backdated — if a date and time is associated with an item of information on the ledger, it was put there at that date and time or later. With these quite minimal resources (much fewer than Bitcoin, which requires a far more extensive infrastructure), Alice is able to transfer V’s ownership to Bob with perfect anonymity for both. Here’s how:
=====BEGIN OWNERSHIP-TRANSFER PROTOCOL=====
STEP 1: Alice, in isolation and secrecy, identifies public key E and private key D, forms (E V) and from there the hash H of (E V). V is an item of information that she has created or otherwise gained possession of, and whose ownership she can claim via the first public presentation of V, or of its hash, on the ledger L. Alice now places H on L and waits for this hash to take hold and gel. Thereupon Alice confirms that H appears nowhere on L with an earlier or identical time-stamp. Note that if Alice puts all of (H (E V)) on L at once, someone monitoring her communication channel might grab the entire capsule, extract V, and put (H1 (E1 V)), a substitute capsule, onto L a moment before (H (E V)) appears there, thus, because everything is timestamped, claiming priority for V. So, to forestall such a preemptive attack, Alice simply puts up H on L. Having put H on L, Alice has no worries that some intellectual property thief is able to put H on L at an earlier time because only Alice knows that H is a hash for (E V). If for any reason H does appear on L at an earlier time, that shows she is being monitored and the hash was stolen (though the thief won’t know the string (E V) used to form the hash). In that case, Alice needs to modify (E V) — say with a nonce R, i.e., (E R V) — and then form its hash and upload it, making sure this time that she is not being monitored. By taking sufficient precautions Alice will be able to upload a hash that has clear priority.
STEP 2: With H having had time to establish its priority on L and with no thief able to put an alternative substitute capsule (H’ (E’ V)) or its hash H’ on L with a timestamp even close to that of H, much less earlier, Alice now puts all of (H (E V)) on L. If anyone claims to have uploaded H’ or (H’ (E’ V)) on L earlier than (H (E V)), it’s now enough for Alice to note that these have a later timestamp than H, thus establishing that (E V) was known and in existence at the moment indicated on the timestamp for H. (H (E V)) is thus shown to be temporally prior to (H’ (E’ V)). The priority of V within the capsule (H (E V)) is therefore now established as well. Why all this emphasis on priority? Information can always be construed as a form of intellectual property, and with intellectual property, priority is everything in claiming ownership. Note that in both this and the previous step, Alice has done nothing to betray her identity (short of something in V itself identifying her, but in that case Alice presumably wants her identity revealed).
STEP 3: Bob next wants Alice to transfer ownership of V to himself, keeping his role entirely confidential. We may assume that Alice and Bob have a secure communication channel that no one else can tap into. Alice therefore conveys to Bob, with complete secrecy, the private key D.
STEP 4: Bob now forms the new public key E1 and the corresponding new private key D1. Given that (H (E V)) is public knowledge and given that he has D, he now forms the following capsule:
(H1 ((H D) (E1 V))) [D1]
This looks a bit different from the simpler capsule that Alice uploaded, adding the hash/private-key pair (H D). This pair serves a two-fold purpose: (1) the inclusion of H links this capsule directly back to the previous capsule (H (E V)) and (2) the inclusion of D invalidates the previous capsule, by divulging the private key that kept the previous capsule safe. At the same time, this new capsule is also validated with the new public key E1 and new private key D1. Finally, H1 is the hash of ((H D) (E1 V)). In general, with cryptographic encapsulations, regardless of what complications exist below the root, the root of the ordered tree that represents such a capsule is a hash of what follows below in the tree, which we represent as a nested list.
STEP 5: Paralleling STEP 1, Bob now takes H1 and uploads it onto L, keeping his identity secret in the upload and letting H1 take hold and gel so that there’s no question about its timestamp and no way that the divulgence of D can be dated to an earlier moment than the timestamp of H1. D’s role in both invalidating the earlier capsule, i.e., (H (E V)), and in validating the new one thus becomes unequivocal and secure.
STEP 6: Paralleling STEP 2, Bob now uploads all of (H1 ((H D) (E1 V))) onto L thereby claiming ownership of V, and yet without divulging anything about his identity.
=====END OWNERSHIP-TRANSFER PROTOCOL=====
Mutatis mutandis, Bob can now transfer ownership in the same way and with complete confidentiality to Carol by giving her the private key D1 (secretly of course), in which case she can now form the new capsule
(H2 ((H1 D1) (E2 V))) [D2].
Provided that Carol has not helped to invalidate this last capsule by divulging the private key D2 to Dan (or anyone else for that matter), the following sequence of Peerless capsules then constitutes a full provenance chain:
(H (E V)) —> (H1 ((H D) (E1 V))) —> (H2 ((H1 D1) (E2 V))).
Here (H (E V)) is a genesis capsule — no other capsules are prior to it and invalidated by it.
One final point needs to be made here in closing this and the last section: in any Peerless capsule, wherever it appears in any ledger (and even on the Cloud or Web as a whole), it’s important that its public key E be unique. This is easily guaranteed by forming encryption/decryption keys with some randomization from a pool of possibilities so large that no amount of computation by humans till the heat death of the universe is likely to lead to a duplication of keys (this is easily accomplished computationally by choosing the keys sufficiently large and complex). Uniqueness of keys is important because it guarantees that ownership of a Peerless capsule doesn’t get diverted by users who accidentally happen to own another capsule with the same key and thus can apply the key to invalidate and transfer ownership of the other capsule even when they have no legitimate claim to it.
3.3 The Public Ledger, Double-Spending, and Transaction Finalization
Readers who have read up to this point will be justifiably concerned about the public ledger L. In order for Peerless to work, it would seem we need a ledger that is immutable, timestamped, and searchable. From a computer science perspective, that’s a demanding list of requirements since any server on the Internet can either change its records or backdate a timestamp.
So far, especially with the opening thought experiment regarding money in a purely informational world, I’ve supposed that such a ledger is available. It’s therefore time to expound the details of how such a ledger can be made to work. Without that, the foundation of Peerless falls apart, and I’m building in a swamp. The next order of business, therefore, is to clarify that such a ledger isn’t a pipedream, and that it is in fact a practical possibility. Further, it needs to be made evident that such a ledger prevents double-spending and ensures transaction are finalized.
In discussing the ledger, I’ve hinted in places that it might be a trusted third party. At the same time, in stressing the decentralization of Peerless, I’ve left the door open to the ledger possibly even be a blockchain. And then I’ve also suggested that the ledger might be a system of search engines, archives, and caches that keeps everyone honest. All these possibilities have inspired my ideas about the sort of ledger needed to make Peerless work, but what we need now is a concrete proposal that could actually be implemented.
By way of negation, let me indicate some directions that I’ll not take the ledger. The ledger needs reliable timestamped data storage. Distributed data storage protocols run by a peer-to-peer network could, it seems likely, satisfy this requirement. That said, I think the incentives for such a network are all wrong. Unlike Bitcoin, where mining rewards those running the peer-to-peer network, the value embedded in encapsulated currency is not, in general, subject to mining rewards. I therefore don’t see the incentive for users to run such a network. Also, unlike Bitcoin, whose currency is generated in controlled amounts and where transactions must pivot off existing currency, in Peerless, where currency can be created by the user at will, the possibility of a Peerless peer-to-peer network (I’m aware of the terminological irony) being overrun by spammers creating valueless currency might be difficult to control. And finally, a peer-to-peer network becomes a governing authority, which can change the rules by which the network operates, making for a currency that is less than fully decentralized.
Another direction I won’t go is invoke a system of search engines, archives, and caches that keeps everyone honest. I think such a system might work for a local scrip, and thus provide proof of concept of Peerless encapsulated currency as a way of handling currency transactions. Perhaps such a scrip would need to be put behind a security wall. But against determined spammers, hackers, and cyberthieves, such a system quickly becomes vulnerable. Moreover, as a general solution to the problem of money, it evidently fails — the current resources of the Internet simply cannot support such a ledger without some additional infrastructure.
And finally, another direction I won’t take Peerless is to consign its ledger to a trusted third party. If the trusted third party were totally trustworthy in protecting the private keys of encapsulated currency and totally competent in maintaining security against spammers, hackers, and cyberthieves, that would be another matter. But if such trusted third parties existed, cryptocurrencies would never have needed to be invented in the first place. It’s precisely because trusted third parties can prove untrustworthy and incompetent that cryptocurrencies attempt to bypass them. Talk about the revenge of recentralization: to put the ledger under the control of a trusted third party destroys any of Peerless’s claims to decentralization.
Cryptographic encapsulation in Peerless yields not a single currency but rather a family of different cryptocurrencies depending on the types of value encapsulated. This will become especially clear in the next section, which catalogues different types of value capable of being encapsulated. Thus, in fact, Peerless will approve many different ledgers, some of which may be commensurable, others which may not. In any case, we need to ask what must characterize any such ledger if the Peerless encapsulated currency recorded in it is to be secure, immune to double-spending, and in general successful at facilitating financial transactions.
This last question is really asking for the infrastructure needed to run a Peerless ledger. While I expect other proposals can work, let me outline the proposal that, in my view, promises to work most effectively in concert with cryptographic encapsulation. The infrastructure that I want to propose for running Peerless ledgers can be dubbed transparent third parties (abbreviated TpTP). Yes, there is a third party. But it is not trusted — it needs in every transaction to earn the users’ trust. Moreover, it has to be transparent in the sense that its entire database of encapsulated currency and the entire backend software for running it has to be freely available so that with sufficient storage and download time anyone could replicate the entire infrastructure on one’s own computer.
As a TpTP, a ledger L for Peerless encapsulated currency would have the following features:
(1) It allows users to upload hashes and cryptographic encapsulations. These must obey certain standard forms or else be rejected, as an aid to combat spamming. As another aid to combat spamming, users wanting to upload a hash or cryptographic encapsulation, need to watch an ad, answer a short questionnaire, or do something that ensures that a robot is not uploading the data or that human users are overtaxing the system. Moreover, this delay in upload will serve as a revenue stream (advertising), thus providing an incentive for the TpTP to stay in business.
(2) Any hash or cryptographic encapsulation uploaded is immediately timestamped in a way that the user can see online that what was uploaded and the time of upload are bound together. The time of upload listed will be as taken from the NIST-F2 atomic clock, accurate to 15 decimal places, thus allowing every upload to be timestamped with a distinct time, however great the transaction volume (identical timestamps, per impossibile, having the tie arbitrarily broken).
(3) To ensure data integrity, the TpTP uses a blockchain, so that all uploads within a given time interval are hashed (using a Merkle hash, depending on transaction volume), with the hashes for all these separate time intervals themselves being hashed (using a linear hash chain). In deference to Bitcoin, let’s take these intervals to be ten-minutes in length, though the precise length chosen may need to be adapted to transaction volume.
(4) All these hashes and all the data uploaded need to be perspicuous, so that anyone can search for any item on the data base and find it and its timestamp, and where all the hashes that confirm data integrity and ensure non-repudiation are evident and can be verified on the underlying data as well.
That, in essence, is the TpTP for the ledger L. The entire TpTP site can, in principle, be replicated (scraped) and moved elsewhere (to a private computer or other public server) at the first sign of any shenanigans. That said, unless the site gives evidence of compromise, all the incentives are to continue using it. That’s because the hashing that guarantees data integrity, and especially the reliable timestamping of the TpTP, means this site can’t be mirrored in real time on another site. If the site gets compromised, the clock, as it were, needs to be stopped, and the TpTP frozen at that instant needs to be migrated and restarted at a new site. This is doable because the site is transparent and backups to any given time up to the present will always be available.
Although the site is transparent, it is not trusted. At no time do users of encapsulated currency give the TpTP newly activated private cryptographic keys. In every case, what is revealed to the TpTP are at most old private cryptographic keys for encapsulated currency that is being invalidated. Moreover, such keys are revealed only after their revelation can do no harm, namely, after a hash for the capsule with the revealed key has already appeared, been timestamped, and added irrevocably to the blockchain. Interestingly, whereas all Bitcoin transactions occur within blocks, for cryptographically encapsulated currency to be safely transacted, it is necessary for the transaction to occur across blocks. This is to ensure that hackers or TpTP administrators can’t revoke a hash and thereby steal encapsulated currency.
To see how the TpTP works and how it circumvents cyberthieves, start with a genesis encapsulation (H (E V)) [D]. The first thing we do is upload H. For security purposes, its helpful to make sure that H is a unique hash, never before seen. To this end, let’s introduce a special nonce U, which we’ll call a uniquifier, that is a sufficiently large random number so that with overwhelming probability, the hash of H of (E U V) is unique. In the sequel, we’ll suppress U. Once H is uploaded, it is immediately timestamped. Because the TpTP is transparent, it will instantly be possible for the user to view H along with its timestamp on the site. That said, the user will wait until the current block is complete and a block hash as been verifiably assigned before doing anything else.
With the block hash in hand, the user next uploads all of (H (E V)), which likewise gets timestamped. The TpTP’s search function then reveals the connection between H with an earlier timestamp and (H (E V)) with a later timestamp. So far, there are no possibility of shenanigans because no public keys have been revealed. The user now waits until the next block hash is computed guaranteeing that both H and then (H (E V)) have been properly uploaded, timestamped, and irrevocably made part of the blockchain.
Let’s call the user that uploaded H and then (H (E V)) Alice. Alice now wants to transfer ownership of V to Bob over the TpTP ledger L. Alice therefore gives Bob the private key D associated with E. Bob now forms the capsule (H1 ((H D) (E1 V))) [D1], using a uniquifier to ensure that H1 is unique, and keeping D1 confidential. Next Bob uploads H1, waits for it to be properly timestamped and placed under a block hash. Finally, Bob uploads (H1 ((H D) (E1 V))). Once the block in which this last capsule resides is assigned a block hash, and Bob confirms that it is now irrevocably part of the blockchain, the transfer of ownership of V from Alice to Bob is complete.
I submit that given the procedure just outlined, albeit with one slight adjustment, double-spending is eliminated and the transfer of ownership is finalized. To see that double-spending is eliminated, let’s focus on the handoff from Alice to Bob. Alice has secretly given Bob the key D. If Eve spotted D and could get to the TpTP sooner than Bob, she could upload H1e for the capsule (H1e ((H D) (E1e V))) with private key D1e before Bob could upload H1, and then she could upload all of (H1e ((H D) (E1e V))) in a future block.
How far into the future? We imagine that if Eve got hold of D without Bob’s knowing, Bob would go ahead and upload H1 and then all of (H1 ((H D) (E1 V))) in successive blocks (or at least closely successive blocks), thinking that he had transferred ownership of V to himself from Alice. But because Eve got there ahead of him H1e will have an earlier timestamp than H1, and so (H1e ((H D) (E1e V))) will have priority over (H1 ((H D) (E1 V))), invalidating the latter. It will, of course, be up to the TpTP to enforce priority in this way. But note, until Eve uploads (H1e ((H D) (E1e V))), Bob, having uploaded (H1 ((H D) (E1 V))), will think that he has in fact validly transferred ownership of V to himself.
This, then, is where that slight adjustment comes in: the full upload of capsules following uploads in a prior block of the corresponding hash can’t be left to go on indefinitely, because otherwise it will never be certain that a transaction has been finalized. The easiest thing, therefore is simply to require that any hash must be followed by its corresponding capsule in the next block (or within a fixed number of successive blocks, say ten). In that case, once that block has its block hash computed (or the last of these fixed number of successive blocks has its block hash computed), Bob is assigned ownership of V unless Eve has uploaded (H1e ((H D) (E1e V))) in that block or a prior block. If she lets it go beyond that, she’s out of luck, with ownership defaulting to Bob.
As for double-spending, it’s simply not going to arise, especially with the requirement that full capsule uploads follow in blocks immediately succeeding (or very close after) the block in which a corresponding hash was first uploaded. Of course, when private keys are compromised, ownership may be transferred to the “wrong” owner. Had Eve, for instance, uploaded (H1e ((H D) (E1e V))) in the block immediately following the block in which she uploaded H1e, she would have assumed ownership of V.
Uploading a hash in one block and then its corresponding capsule in a successor block guarantees that users can monitor whether the TpTP is doing everything it’s supposed to be doing. If not, the TpTP will be provably compromised, calling for its dismantlement and its reinstatement on another server (or distributed servers). This separation of hash and full capsule uploads into successive blocks also prevents malicious agents from using clock skew and other communication delays to try to compromise the claiming and transferring of encapsulated currency. The neat thing about always first uploading hashes is that by themselves they mean nothing to anyone except the user who knows the capsule of which it is a part.
Bottom line: By making the ledger L a TpTP with the properties described above, full data integrity, reliable timestamping, and transaction finalization are all ensured, which is precisely what is needed for the success of Peerless encapsulated currency. Given that the TpTP has at its heart a blockchain, a technology that is now well understood and has been widely implemented, building such a TpTP seems straightforward.
Coda: By going with a third party, in the form of a TpTP, has Peerless therefore compromised its commitment to radical decentralization. I would say not. The TpTP at no point is trusted — it continually has to prove its trustworthiness, and the moment it doesn’t, it is discarded, to be replaced by a successor that respects the requirements needed to ensure data integrity, timestamping, and user priority in assigning ownership and finalizing transactions. The TpTP, when it does what it’s supposed to do, provides a sufficient condition for Peerless to succeed, and when it fails, it allows a backup to step into its place. It’s precisely because the TpTP is dispensable that its use as infrastructure for Peerless poses no obstacle to decentralization.
4 Capsular Ownership and Its Alternatives
In the provenance chain (H (E V)) —> (H1 ((H D) (E1 V))) —> (H2 ((H1 D1) (E2 V))) of the last section, Alice is able to claim ownership of V because she knows the private key D and has uploaded the capsule (H (E V)) onto the public ledger L. Bob in turn will claim ownership of V because, after Alice gives him D, he uploads onto the public ledger the capsule (H1 ((H D) (E1 V))), at the same time knowing the private key D1. Mutatis mutandis for the handoff from Bob to Carol.
The obvious question, now, is why this capsular form of ownership works? What makes it true that Alice owns V initially, and what makes it true that Bob owns V after he has uploaded a capsule that reveals Alice’s private key, thereby invalidating her capsule and validating his own? Ownership in this case is a matter of convention, but it is a convention whose underlying encapsulation technology greatly assists the determination of ownership. Conventions depend on agreement and could be otherwise. Their success is gauged by how wide a following they gain and how effectively people are able to achieve their ends with the use of the conventions, in this case claiming and transferring ownership of information with the use of cryptographic encapsulation.
Consider an analogy: Driving on the right or left side of the street is a convention. Moreover, it’s not clear that one convention is better than the other, some parts of the world preferring to drive on the right, other parts on the left side of the road. But it would also be a convention if every time one starts a car, one flips a coin and drives on the right side of the road if heads, left side if tails. The latter convention would be catastrophic for safe and effective driving. The success of cryptographic encapsulation as a practical method for facilitating economic transactions will depend on the degree to which it constitutes a beneficial convention for claiming and transferring ownership of information, significantly improving the efficiency, security, and confidentiality of such transactions.
With capsular ownership, a prime challenge for its success is not only to get a critical mass of people to implement it but also for it to be true that, so implemented, it works well in practice for claiming and transferring ownership of information. Speaking for myself, I’m optimistic that cryptographic encapsulation will work well in practice. Still, potential early adopters need more than optimism to come on board with this virtual technology. Indeed, before they take the plunge, even if initially with only a small part of their wealth, they need convincing grounds for thinking that this technology will indeed be successful at effectively administering their wealth and keeping it safe.
To appreciate capsular ownership’s virtues, it will help to note some ways in which ownership of money, and of valued items generally, tends to get subverted and how the encapsulation technology outlined in this paper offers a way forward. My thoughts here will be unsystematic, examining what I regard as inadequacies in existing monetary and ownership schemes. I make no claim to completeness. Nonetheless, I believe that even at this early theoretical stage in the formulation of cryptographic encapsulation (much more to follow), capsular ownership of information shows great promise at overcoming deficiencies in existing ownership schemes.
I remarked earlier that gold is an artifact of natural geological history and thus should not be regarded as essential to money. Nonetheless, if natural geological history has blessed us with gold, why not make the most of it and harness gold for monetary purposes? Ownership of gold seems straightforward enough: if you have it on your person or under your direct control, it is yours (unless there’s evidence you’ve stolen it, in which case you may be forced to return it to the rightful owner, though disputed claims to ownership may prove tricky to determine given the fungibility of gold). Nonetheless, gold’s basis for a monetary system is not quite so straightforward.
To listen to some economists, gold is, or promises to be, the savior of money. According to them, an ideal economy would have its money operate on a gold standard. Other economists take a different view, thinking that gold would unduly shackle policy makers who need a free hand to address and redress the challenges that invariably arise with modern-day economies (it’s in this context that John Maynard Keynes referred to the gold standard as a “barbarous relic”).
Nonetheless, what convinced me that gold by itself can’t serve as the basis for a monetary system wasn’t so much economic theory as reading Aleksandr Solzhenitsyn’s Gulag Archipelago. There, Solzhenitsyn recounts how, under Stalin, gold was systematically extorted from the population. Add to that the concurrent extortion of gold under Franklin Delano Roosevelt (FDR’s extortion was milder than Stalin’s, but it was extortion nonetheless), and gold’s role as a monetary standard lost much of its appeal, at least to me. This is not to say that a gold unit of account may not fruitfully be combined with Peerless encapsulation technology (I’ll explore that possibility later). But it is to say that the usual low-tech approach to a gold standard, which identifies money directly with gold or notes redeemable in gold, and insists that such a gold standard receive full approbation from the state and central bank, is inherently problematic.
According to Solzhenitsyn, Stalin needed hard currency and so forced people to give up their gold. Stalin’s henchmen indiscriminately tortured people for their gold. For those who had gold and gave it up, the torture ceased or was mitigated. For those who didn’t have gold, the torture continued (after all, they might just be holding out). Under FDR, by contrast, people were forced to turn in their gold at the going rate, roughly $20 an ounce. Unlike under Stalin, they were paid for their gold. But once all the gold was in, the price went up past $30 an ounce, upon which the Federal Government had a nice windfall. In both cases, however, the ordinary person was ripped off.
Gold is just too easy to steal, regulate, and outlaw. In larger quantities, it quickly becomes cumbersome, not easily moved from place to place. This means that negotiable instruments offering redemption in gold will invariably rear their heads in a gold-based economy. The promises that form the basis for these instruments can, however, always be broken, even by (or especially by) the state. Yet short of an economy backed by the full weight and authority of the state, whereby gold could be made the monetary standard of the land, gold will at best play the role of a gray- or black-market money.
Advocates of gold as money therefore don’t want gold merely to supplement existing money but want it to constitute money itself. Speaking for myself, I find the idea of money as information far more exciting and appealing, with many more opportunities for revitalizing economies. But leaving such optimism aside, let’s turn the question around: how realistic is it to hope that state economies will return to the gold standard? Such a return seems needed to make gold work as money.
But first-world economies are addicted to fiat money and to the control of such money through central banks. Advocates of gold point to a looming economic collapse that will bring people to their senses and return gold to its rightful place as the monetary standard. But the corruption of governments and their politicians, and the addictive pleasure of creating money, especially from nothing, all conspire to make the return to the gold standard a pipedream. Even if a crisis precipitates a return to the gold standard, expect another crisis to undo it (Nixon’s closing of the gold window in the early 1970s is a case of undoing; FDR’s soft confiscation of gold in the 1930s is another).
Underlying much of the advocacy for a return to gold is an idealism that says “If only we can get back on the gold standard, everything will be all right economically.” But the obstacles to satisfying the antecedent of this conditional are formidable, and even if it could be satisfied for a time, there’s no guarantee for how long. In place of this idealism, let me suggest a hard-nosed realism that sees governments and politicians as largely corrupt, that sees their love and control of money as the main reason for their corruption, and that attempts to transcend this corruption by opting for a radically decentralized form of money that is completely outside the control of anyone save the individual who actually owns it. This is the promise of Peerless.
4.2 Official Ownership Registries
To the owners of information, cryptographic encapsulation provides a powerfully liberating technology. Consider what it means for Alice to say that she owns the informational item of value V embedded in the capsule (H (E V)) [D]. Alice is justified asserting ownership of V not because some third party agrees with her that she owns it but because V is embedded in the capsule (H (E V)), its hash is properly timestamped establishing priority, and she knows the private key corresponding to E. To anyone confronted with (H (E V)), she is able to demonstrate that she knows D, yet without divulging anything about D (e.g., to test Alice’s ownership, people can send Alice encrypted messages and she can decrypt them). Moreover, no one else has this power.
Indeed, the whole point of public key cryptography in Peerless is not to encrypt and decrypt messages per se. Rather, it is to use cryptographic encapsulation as a way of giving owners of information a unique demonstrable power that no one else has. Specifically, by knowing the private key of a public key cryptosystem, the owner has the power both to demonstrate ownership and to transfer ownership (through the process of invalidation and revalidation).
Peerless ownership thus means possessing a unique power of demonstrating ownership, a power of demonstration that no one else has. Such a power is absent from just about every method of assigning ownership in past and present societies. Instead of the item owned having an unmediated connection to the owner (as cryptographically encapsulated information does), a third party plays the role of an arbiter that, as it were, draws arrows from object capable of being owned to owner, updating those arrows periodically as ownership changes. This system can work respectably, though perhaps not efficiently, so long as how the third party draws the arrows reflects equitable assignments of ownership over time. The third party’s collection of arrows connecting objects to owners is, of course, a registry, often an official registry that is the final court of appeal in determining ownership.
We see such registries in ancient Babylon, with its temple accounts, inscribed on tablets, of commodities credited and owed. We see them in the Bible, where elders at the city gate witnessed and ratified transfers of land and other property. We see such a registry at any county court house in the United States, which records titles to the homes and automobiles owned in the county. Even preliterate societies have such registries, though instead of them being written down, they take the form of an agreed social memory. Thus, in a favorite example cited by monetary theorists, the Micronesian Yap islanders assign ownership of their circular limestone money (the fei) not necessarily by moving it around (some of the stones are too heavy, and one is even at the bottom of the sea), but simply by agreeing that so-and-so now owns that particular fei in place of the previous owner. Even our banking system can be seen as a third-party registry, in which individual banks play the role of a registry assigning dollars to owners.
In all such examples, the registry that determines ownership is controlled by some third party. Now, the biggest problem with third parties is that they may prove unreliable, whether through corruption or incompetence or both. But even if they are reliable, they tend also to be inefficient — transfers of ownership must be mediated through them rather than handled directly between the parties to the transfer. In particular, wherever there are mediators, there are transaction costs. Trusted third parties invariably want a cut. Frictionlessness is possible only in their absence. And finally, third parties obviate anonymity of transactions because they need to view all transactions in their ambit and sign off on them.
By encapsulating ownership, Peerless dispenses with all such third-party registries. This is a huge advantage to Peerless, anticipated to some degree by Bitcoin and the blockchain technology, but with the promise here of being carried to fruition. Peerless removes the need to rely on trusted third parties because the individual can handle the task of reassigning ownership directly without their help.
More is true: registries are powerless to determine ownership of Peerless digital currency. Imagine a parallel universe in which Stalin heads the Soviet Union but where Peerless digital currency provides the means of storing wealth in place of gold. Suppose Aleksandr is held in a Soviet prison, and Boris is tasked with torturing him for his Peerless digital currency. Let’s say Boris knows that Aleksandr owns (H (E V)) but has yet to extract the private key D from him.
Suppose Aleksandr somehow bears up under torture, refusing to reveal D. Or better yet, perhaps Aleksandr was able to give the private key to a trusted third party, which then invalidated it and validated a new one, keeping the new key safe until Aleksandr got out of prison, upon which the new key, conferring ownership of V, would go to him. Or perhaps the third party would wait until it got proof of Aleksandr’s death, in which case the new key, conferring ownership of V, would go to his nearest relative not in prison. Faced with such eventualities, what’s Boris to do? Stalin might be angry with him for not extracting from Aleksandr the cryptographic information needed to claim ownership of V.
To avoid Stalin’s wrath, Boris could try a different tack, advising Stalin to opt out of Peerless: “Hey, you don’t need no stinkin private key. Just tell everyone that you own (H (E V)). Make it legal tender. Force people to accept it in exchange for whatever you want.” Fair enough, Stalin could do this, essentially setting up a new registry that draws ownership arrows to himself from any cryptographic encapsulations (H (E V)) that he happens to desire. And who could stop him? With the power to terrorize his people, he could employ (H (E V)) as money, or at least as negotiable value, anywhere within the Soviet Union (though probably not outside). It’s like playing chess and making up new rules as you go along to ensure victory. Or like putting a gun to your opponent’s head and forcing him to make bad moves. But temporary expedients like this are just that, temporary.
The game is still the game, and the rules are not up for grabs. Indeed, what happens the day Aleksandr goes free and Stalin pushes up daisies? On that day, Aleksandr can revert to Peerless, transferring ownership of (H (E V)) by giving the private key D to the new owner, who then uploads (H1 ((H D) (E1 V))), keeping secret the new private key D1. In other words, the economics of cryptographically encapsulated currency picks up precisely where Aleksandr left it off. Without the private key, even Stalin can’t successfully steal Peerless currency. Rather, Stalin’s attempts to control Peerless will at best seem ham-fisted, imposing a registry approach to ownership onto a monetary technology (Peerless) that inherently defies it.
4.3 Money Creation by Banks
With fiat money like the U.S. dollar, it’s natural to think that when the U.S. government needs money, especially when the amount needed exceeds collected tax revenues (when was the last time that didn’t happen?), it simply prints it. Money creation in that case would simply be to get the printing presses going and then to find some reasonable expedient for bringing this extra cash into the economy.
In fact, when the U.S. government (through its central bank, the Federal Reserve, or Fed for short) creates money, what it overwhelmingly does is create electronic deposits in the accounts of banks. Paper and coin currency together constitute a distinct minority (less than 10 percent of money in circulation), and there are forces to eliminate it entirely. Harvard economist Kenneth Rogoff, for instance, has recently proposed moving to a cashless society in which all money is held as deposits by banks, invoking cashlessness as the cure to crime and terrorism, and regarding the curtailment of people’s monetary freedom as a small price to pay in exchange.
By contrast, I’m on the side of cash and the freedom it engenders. Paper currency, even if printed at will by the Fed, would be tangible and thus not as easily manipulated and multiplied as electronic bank deposits are now. Of course, the aim with Peerless is to develop a robust currency that, among other things, redresses the fiscal irresponsibility behind central bank generated fiat paper money. But among the sinners against fiscal responsibility, fiat electronic money, as held by banks, is even worse than fiat paper money. I want therefore to review fiat electronic money and outline how Peerless could provide a counterblast to it.
To see how our economic system creates and circulates the majority of its money, i.e., fiat electronic money, let’s return to our friend Alice. Alice needs money and is willing to work for it. So how does she get it, and what is its source, both ultimately and proximately? Here’s how it works, and when I first learned it years ago, I thought it better than any fairytale I had heard as a kid:
The U.S. Treasury needs some money, say $1 billion dollars. So it approaches the Fed, having drawn up bonds whose face value totals $1 billion, with varying interest rates and maturity dates. Ideally, the Fed can sell those bonds on the open market and then hand the money thus received over to the Treasury. But that’s just shuffling around existing moneys. To actually create money, especially as required in these days of huge government deficits, the Fed just keeps the bonds and makes a deposit for $1 billion in the Treasury’s bank account. The Treasury now owes the Fed $1 billion plus interest (or to whomever the Fed is able to sell the bonds — the bonds are negotiable instruments).
But where did the Fed get that $1 billion to deposit in the Treasury’s bank account. Here’s where the fairytale begins. As the Boston Fed explained in a 1984 booklet, “When you or I write a check, there must be sufficient funds in our account to cover the check, but when the Federal Reserve writes a check, there is no bank deposit on which that check is drawn. When the Federal Reserve writes a check, it is creating money.” That was in 1984, when people still wrote lots of checks. These days, there’s less need to write checks — one often deposits money directly from one account into another electronically.
With the Fed, no money need be in its account for it to add money to other accounts. That’s the magic of the Fed: it can deposit money into other accounts without any in its own. People these days think themselves enlightened compared to bygone eras with its superstition and magic. As a result, the world is no longer an enchanted place. But the miracle of money creation by the Fed ought to elicit as much astonishment as any marvel that captured the imagination of people in times past. Of course, the Fed expects, or at least makes a pretense of expecting, that the money it deposited with the Treasury will eventually be repaid (with interest), at which points the bonds get retired and the money that was created disappears. But with a $20 trillion deficit, that’s all it is, a pretense.
In any case, with $1 billion now in hand, the U.S. Treasury is able to pay for various obligations the Federal Government incurs. One such obligation, let’s say, is to pay Alice $10,000 for consulting services that she has rendered to some branch of the Federal government. The U.S. Treasury thus takes $10,000 out of its newfound $1 billion and deposits it in Alice’s bank account.
But the wonder of money creation is not yet over, far from it. In fact, any money that the Fed creates can be multiplied ten-fold, if not more, by your local banks through the further miracle of fractional reserve banking. Here’s how that works. Imagine that Alice, though with only $10,000 in hand, wants to buy a house from Bob. Bob has put his house on the market and his asking price is $100,000. The price seems fair to Alice and she is willing to buy it for that price provided she can get financing from the bank. For convenience, let’s assume both Alice and Bob do their banking at the same bank. This is not strictly speaking necessary to illustrate fractional reserve banking since all banks are in bed together and honor each other’s deposits provided credits and debits properly cancel. But it makes the example a bit starker and more memorable, underscoring how creation ex nihilo is not just a theological concept but also an economic one.
Alice, to buy Bob’s house, therefore goes to her local bank, deposits $10,000 into her account, and makes that amount available as a down payment on Bob’s house, for which the asking price is $100,000. To make the example even starker, let’s imagine that the bank is entirely new, with Alice and Bob as its first customers. Alice has deposited $10,000, but Bob’s account is at zero (or close to it). One would think that this bank would have to tell Alice, “Sorry, we can’t loan you the $100,000 quite yet. We’re so new that we just don’t have enough depositors. Please come back in a month or so when more money has been deposited with us, and we’ll get you fixed up right away with that $90,000 loan.”
In fact, what the bank will say to Alice is, “No problem, we can get you fixed up right now.” In fractional reserve banking, a bank is barred from loaning only a fixed percent of what’s deposited with it. Let’s say that amount is 10 percent for Alice’s and Bob’s bank. In that case, the bank could loan 90 percent of whatever is deposited with them. But Alice has deposited $10,000 with the bank. So the bank can loan out $9,000 of that deposit. And to whom do they loan it? Why to Alice of course, since she needs the money to pay for Bob’s house. And what does Alice do with that loan of $9,000? She deposits it back in her account. She now has $19,000 in her account, and owes the bank $9,000.
But note, Alice has made a new deposit of $9,000 in her account. The miracle of fractional reserve banking thus allows the bank to loan her 90 percent of that most recent deposit, or $8,100, which she promptly deposits, giving her $27,100 in her account and a total loan from the tank of $17,100. But Alice and the bank’s fractional reserve dance doesn’t stop there: Alice just deposited $8,100 in her account, so the bank is able to loan her 90 percent on that, or $7,290. This gets promptly deposited in her account, upping the money in her account to $34,390 and her total loan from the bank to $24,390.
Round and round the fractional reserve dance goes. Where does it end? Do the math, and it ends with $100,000 in Alice’s account, and a debt from her to the bank of $90,000. With the $100,000 in her account, she now pays Bob for the house and takes possession of it, though as collateral for her $90,000 loan, the bank has a claim against the house so that if she defaults on her loan, the bank will take possession of it from her. Oh, and one more thing: the bank also collects interest from Alice on the $90,000 loan. At 5 percent interest, that would be $4,500 in the first year. That’s almost a 50 percent return on Alice’s deposit of $10,000, which they are graciously keeping safe for her.
Anyone’s first reaction to this account of money creation ought to be “How do I become my own bank?” If Alice could be her own bank, she could multiply her initial $10,000 by a factor of 10 (if the reserve fraction is 10 percent) and then give the resulting $100,000 to Bob for his house. Moreover, the $90,000 debt she incurred would then be owed to herself and could thereafter be handled at her discretion, as debts owed to oneself always are. But of course, no individual can be his or her own bank. Banks become banks because they are authorized to be banks by the government, which gives its central bank the power of creating money from nothing and its local banks the power of multiplying money so created.
Why go through this exercise about money creation? My point is not to raise moral qualms about the inherent rightness or wrongness of how our money system operates. I personally tend to react quite negatively to attempts to get something for nothing, having even written a book titled No Free Lunch, though in a completely different context. My natural disposition is to think that fiat money creation by the central banks is at the very least shady and that fractional reserve banking is downright sleazy.
Still, on what grounds do we regard the system we have as, on balance, better or worse than other systems with tighter constraints on money creation? I tend to be a pragmatist, and it’s not clear to me that a morally superior monetary system, whatever that might be, would produce better outcomes, however those might be gauged. Moral rectitude and good intentions offer no sure guide to superior outcomes. As Harry Lime put it in The Third Man: “In Italy, for thirty years under the Borgias they had warfare, terror, murder, bloodshed, but they produced Michelangelo, Leonardo da Vinci and the Renaissance. In Switzerland they had brotherly love. They had five hundred years of democracy and peace, and what did that produce? The cuckoo clock.”
Sure, our banking system may be bent. But does it and the culture it has engendered equate with Italy or Switzerland? And should we prefer Italy? Who’s to say? Perhaps the dichotomy here is false. Yet whatever the relevance of Lime’s comment for contemporary banking, one thing is patently obvious: banking in the U.S. enjoys exorbitant privilege. That was in fact the point of this exercise about money creation, to point up the privilege and temptations our banking system faces, and to underscore how Peerless promises to bypass this entire system. Indeed, Peerless encapsulated currency, subject as it is to individual control, can always maintain an identity separate from any banking system. Even if Peerless currency makes up the nuts and bolts deposits in a banking system, it can, short of outright confiscation by banks, always be withdrawn back into private hands. That’s because Peerless currency always resides in provenance chains whereas deposits created through fractional reserve banking are mere blips on a screen.
To see this, consider that any system of credit and clearing built over top of Peerless will have to keep the resulting credits separate from the underlying Peerless currency. Why? Because Peerless currency is cryptographically encapsulated information whereas credits/debits are just numbers next to names on a ledger. Any banking system that accommodates Peerless will thus face tighter constraints on responsible lending and solvency than a pure fiat/fractional reserve system. Constraints on responsible lending and solvency can largely be ignored in the present banking system because of FDIC insurance and the practical indistinguishability between money placed into a bank account and money created through debt via fractional reserve banking.
Central to the preservation of our freedoms is the ability to move cash out of the banking system and away from government control. Peerless offers a way out. The current banking system has increasingly become a hydra that consumes all forms of money, transforming them into electronic deposits that the government and bankers can track and control at will. This is why we are increasingly discouraged, if we want to avoid IRS audits, from taking out lots of cash from our accounts. Even more seriously, if we want to avoid the charge of racketeering, we are advised to avoid making lots of small cash deposits into our bank accounts, behavior like this being characteristic of drug dealers.
Increasingly, the Federal government is cracking down on cash. Cash gives us the ability to engage in the transfer of value without outside control. It thus breaks the government monopoly over value, allowing ownership of value to proceed without Big Brother’s permission. Such a monopoly, to the degree that it is exercised, threatens to suffocate human freedom and personal sovereignty. In this regard, consider the oxymoron “negative interest rates,” a concept now mooted by economists. Who in their right mind would subject their savings to negative interest? “Hi, I’m Fred, the president of Fred’s Bank. Leave your money with us, and at a 5 percent negative interest rate, your $1,000 deposit with us will, in twelve short months, be down to $950.” Any right thinking person would take that $1,000 and hide it in a mattress if all banks were like Fred’s.
But in a cashless society, all banks would be like Fred’s and we could do nothing about forcibly imposed negative interest rates. Absurd as it seems, negative interests have a compelling, if unsound, rationale: In order to spur a sluggish economy, any government that has eliminated cash and has full control over our deposits could introduce negative interest rates so that money kept at a bank diminishes over time unless it is spent. Negative interest rates would thus incentivize consumers to spend more money more quickly (the velocity of money would go up), with the lofty aim of energizing the economy, albeit with our freedoms taking the hindmost.
Or consider what a cashless all-money-resides-in-banks economy entails for failing financial institutions. Of course, failing banks could simply be allowed to fail as a proper reward for irresponsibility and ineptitude. But if, in the eyes of the government (a government whose vision, shall we say, has been skewed through bank lobbying efforts), these banks are regarded as too big to fail, then government could, as we’ve seen in recent history, bail out such institutions with tax-payer money. In such bailouts, moneys for the bailout are taken from existing tax revenues, and thus the burden of the bailout is distributed uniformly among the populace and therefore felt minimally by any particular tax payer.
But in a cashless all-money-resides-in-banks economy, to shore up failing banks, the government could also enact a “bail-in,” where creditors of these financial institutions (the depositors) see their money taken away (in part or in whole) in order to help these financial institutions, the justification for this removal of funds being that these institutions are, here we go again, too important to fail. (Note, as a further salve for their uneasy consciences, government regulators who call for such a bail-in might justify it as a redistribution of wealth, perhaps trimming those bank accounts that exceed a certain amount, a reverse to the FDIC, which insures for any loss up to $250,000 — the government might simply take anything over $250,000.) We’re not quite there yet in the U.S., but the rip off of depositors at Cyprus’s Laiki Bank in 2013 via a “bank deposit levy” illustrated this threat to deposits kept in banks.
Bottom line: Money is too important for human freedom to rest at the mercy of governments and banks. Peerless places money at the mercy of the individuals who own it, which is where all financial mercy needs to reside.
4.4 Local and Underground Economies
Woergl is an Austrian town of 13,000 residents, about sixty miles west of Salzburg. In the 1930s, it had a population of a little over 4,000. Like the Micronesian Island of Yap, with its fei money, Woergl is the subject of widespread monetary legend. In July 1932, as the world was experiencing a terrible economic depression and with Austrian currency tight, Woergl’s mayor, Michael Unterguggenberger, decided to introduce “certified compensation bills,” a local scrip or currency to pay for town projects, which could then be further circulated locally among the residents.
Before this local currency was introduced, Woergl’s construction business was in the dumps and unemployment was high. After the town introduced this scrip, business boomed. New houses, a bridge, a ski jump, and a reservoir were all built as local government projects. Private sector consumption and investment jumped up as well. Employment increased. Moreover, the prosperity witnessed was unencumbered by either inflation or deflation. Certainly no harm was done, and in fact much good. Nonetheless, the bureaucrats in Vienna decided that this was too much of a good thing and that it undermined the primacy of the official state-sanctioned Schilling. In consequence, on September 1, 1933, the Austrian National Bank ended the Woergl experiment, removing the certified compensation bills from circulation.
Now, what would have happened if the Woergl experiment had been conducted in an age of Internet and Peerless? In that case, all the scrip could have assumed the form of cryptographic encapsulation, with value residing simply in the promise and authorization of the local Woergl government to honor this scrip as money. Accordingly, given the way Peerless encapsulated currency has been characterized thus far in this paper, encapsulated Woergl scrip taking the form (H (E V)) [D] would simply be uploaded with full transparency onto the Cloud. And this would have been fine, with totally adequate security, up to the point that the Austrian National Bank (why do central banks always crave monopoly?) decided to crack down on Woergl’s scrip.
Nonetheless, with Peerless technology in hand, Woergl residents would not have had to stand meekly by as the central bankers in Vienna decided to retire their local currency. They could simply have moved the currency to a private server where it would have been much harder to monitor the local transactions. Thus capsules of the form (H (E V)) [D], instead of being on the web for all to see, could have been placed behind a security wall protected by usernames and passwords. If more security were required, individual items of Peerless capsular currency of the form (H (E V)) [D] could further have been encrypted, either “above the hash,” namely (encrypt (H (E V))), or “below the hash,” keeping the hash unencrypted and hashing the encryption of (E V), namely (H (encrypt (E V))).
Note that in this quasi-Lisp dialect, I’m using lower-case terms to indicate actions performed on what follows. Thus (encrypt (H (E V))) means take (E V), form the hash H, and then for the entire string/ordered tree (H (E V)) encrypt it, which can then be made public or put on a privately secured server. Similarly, (H (encrypt (E V))) means take (E V), encrypt it, and then form the hash, which can then be made public or put on a privately secured server. Peerless allows at least these three types of security, at the server level, at the above-hash level, and at the below-hash level, and it can combine all three. Just how much of this additional security is necessary will depend on one’s needs and what in practice is found to provide the desired level of security.
It’s interesting to imagine what the Woergl experiment would have looked like if it had used Peerless with such additional security. Ideally, the authorities in Vienna would not have known what was happening. In terms of what they would have observed, they would simply have seen efficient economic exchanges happening that increased the prosperity of the community. But they would have witnessed no financial transactions. Those transactions would have been taking place, but only within the perceptual horizon of the Woergl locals. Empirically invisible to outsiders, the role of money here would have been to spur trade and ensure its fairness. To outsiders, it would truly have seemed like an economic miracle. And to this day, people still refer to “the Woergl Miracle.”
Peerless promises to be a boon to local economies, especially those plagued by rampant government mismanagement and corruption (Zimbabwe? Argentina?). But with some further security and encryption, Peerless also promises to be a boon to underground economies. These can be economies that started as local economies, but were pushed underground because the government and bankers decided that their monopoly over money was too good to give up. Indeed, one will be hard pressed to find a state government or central bank that thinks their monopoly over money is unwarranted and thus needn’t be preserved at all costs.
But what about underground economies run by criminal enterprises or terrorist networks? Won’t Peerless, especially when wrapped in still further security, be a boon to them? Peerless, like any technology, can be used for good or ill. My own sense, however, is that on balance it will do far more good than ill. Its overwhelming effect will be to decentralize and democratize money. This will empower the average person against coercion, whatever its source, whether from crime, terrorism, or government.
I’m no anarchist, happy to accord government a legitimate place. But I also see government and society’s respectable institutions as easily corrupted, easily deluded, and easily complicit in crime and terrorism, despite invocations of high principle and assurances of moral rectitude to the contrary. We can thank Al Capone to intemperate temperance workers, evangelicals like Billy Sunday and William Jennings Bryan, who saw in the 18th Amendment a close second to the Gospel (and who, if they followed the logic of their position, would have jailed Jesus for turning water into wine). We can thank Pablo Escobar and Joaquin Guzman to the War on Drugs. We can thank much of the terrorism we see today to governments in the Middle East turning a blind eye to, and even funding, jihadist academies that teach world domination as a legitimate aim of religion.
Notwithstanding, I see Peerless as of limited appeal to criminals and terrorists, who typically require more than local currencies to meet their needs. Such enterprises tend to be national and even international in scope, so their money must be widely acceptable. Criminals who need to shift money across borders often want to launder it. But legitimizing Peerless currency through laundering won’t be easy if its origins are suspect. Peerless currency always emerges in a provenance chain, so it will be difficult, if not impossible, to sanitize it of suspect origins. Moreover, further encryption will only add further suspicion. Encryption for local currencies, such as at Woergl, makes sense because the currency was meant to circulate within narrow confines. But large criminal enterprises want to move money widely and without restriction. Ditto for terrorist networks.
That’s not to say Peerless may not provide a convenient monetary system for rogue powers (criminals, terrorists, tyrannical governments). But it will also make it more difficult for rogue powers to steal from and enslave people. Stalin, though head of state, was also a criminal who stole people’s gold by forcing them under torture to disclose where they had hidden it. But what if the people he was trying to force to part with their wealth had it stored in Peerless? As noted in subsection 4.2, he would have had to try to get them to identify their private cryptographic key(s). But it’s easy enough to attach smart contracts to Peerless currency, where proof of life or proof of non-coercion becomes necessary to keep an item of Peerless digital cash in its current state, and where absent such proof, it gets invalidated, with a newly validated successor item of Peerless digital cash falling into the hands of a trusted third party (whether such a third party is truly worthy of trust may be debated, but any such party would surely be better than a Stalin, a Pablo Escobar, an Osama bin Laden).
Local and underground economies based on Peerless will exhibit a certain degree of recentralization because they are invariably reactions against existing, and often failed, monetary policies, thus requiring that agents in those economies unite more closely than they might if they were totally free agents without a reason for uniting. But in the end, any item of Peerless currency, short of being invalidated and confiscated by the local central authority, can always be reclaimed by the individual from that authority.
Peerless would, in my view, have enormously benefited the freedom movements behind the Iron Curtain during the Cold War. I believe Peerless can also shield the earnings of people who must try to make a living under extortionist political regimes and crime syndicates. As always with monetary frameworks, it’s hard to predict how Peerless will play out. Money, whatever its form, tends to take on a life of its own. Yes, there’s possible risk for society with Peerless, but there’s also promise of reward, in which unhealthy concentrations of financial power give way to decentralization and democratization.
Example: A friend of mine relates the following story: “It was the summer of 1992, less than a year after the collapse of the Soviet Union, that I spent several weeks in Moscow… On the street markets, we could purchase everything from groceries to exquisite hand-made crafts. One day, while I was shopping with one of my Russian friends, I commented on how exciting it must be for these people to be able to make a living doing their crafts. My friend explained to me that the people who worked so hard to make their crafts and then spent hours in the market selling them actually only made about five to ten percent of the sale. The vast majority of the sale price went to the Russian Mafia, which controlled the street market.” Thankfully, all this corruption has now been thoroughly banished under Vladimir Putin.
Seriously, though, imagine that these vendors had Peerless escrow accounts where proof of life and proof of non-coercion were necessary to cash in those accounts. Buyers, like my friend, could transfer Peerless cash to those accounts but then also, perhaps, to distract the Mafia, make a pro forma payment in rubles for the items purchased, which the Mafia would then essentially confiscate, leaving only five to ten percent to the vendor. But any payments in Peerless would be outside the control of the Mafia, invisible to it, and claimable at some convenient time in the future.
The societal risks associated with Peerless will seem well worth taking to anyone who places a premium on human freedom and who understands human freedom as beginning with the individual and not with a paternalistic state or other misshapen authority eager to advance its interest at the individual’s expense. Economists like Kenneth Rogoff, who push for a cashless society, will, of course, disagree, and are free to disagree. The beauty of Peerless, barring any fatal flaw in it, is that it doesn’t really matter what Rogoff thinks or what the bureaucrats who want to implement his ideas about cashlessness do. Peerless, if it works, is going to be extremely difficult to corral. Compliance under Peerless cannot be coerced. Peerless is at base a home-brew technology, and thus will exist wherever people want it to exist.
5 Sources of Value
Money, if it is to hold value, must be scarce. So far, however, the characterization of Peerless currency given here, as cryptographic encapsulations of the form (H (E V)) [D], has prescribed no limits on proliferation. Given any item of information V, any public/private key E/D, and any hash H of (E V), (H (E V)) [D] constitutes an item of Peerless currency. Spammers could have a field day, proliferating as much Peerless money as they like ad nauseam. So how is scarcity to be imposed on Peerless currency? Obviously, by placing restrictions on the types of values V that get embedded in Peerless’s cryptographic encapsulations. Not every item of information is also an item of value suitable for Peerless encapsulation. The focus in this section is on those items of information suitable for containing value and being encapsulated.
This section will therefore run through several different ways that value can meaningfully arise and be embedded within Peerless currency. The following list attempts to provide a brief catalog of value within Peerless. It makes no pretense at completeness — indeed, my hope is that others will expand on and fine-tune the sources of value that may be encapsulated within Peerless currency. Some types of value listed here will make immediate and perfect sense. Some will seem promising, but will need to be implemented and tested to see whether they really pan out. And others may seem a bit of a stretch. What will become evident, however, is that Peerless can accommodate many types of value.
In what follows, it will be helpful to think of the item of value V that’s embedded in a cryptographic encapsulation (H (E V)) as a set of email attachments. Each attachment in email is its own self-contained file. For encapsulated money, each “attachment” is its own self-contained contribution of value. These contributions of value cumulate, so that different value additions at different points in a provenance chain will simply add together.
Using lower case Roman numerals to identify different pieces of value, we can therefore think of an encapsulated value V as the (merealogical) sum Vi + Vii + Viii + Viv + etc. The plus signs here merely indicate amalgamation of distinct items, with each item in the sum indicating an independent piece of value contributed to the total, denoted by V. This understanding of encapsulated value helps keep the accounting of Peerless reasonably straightforward, though some fine points will need to be considered in the next section where we consider the merging and branching of Peerless currency.
In the ensuing discussion about types of value capable of cryptographic encapsulation, it needs to be borne in mind that the key issue always is the negotiability or transferability of the value V being encapsulated. It’s not enough simply to claim ownership of V. That ownership must be transferable. That’s the point of Peerless cryptographic encapsulation and that’s where it gets its power.
5.1 Intellectual Property
Suppose V is a clearly encoded and interpretable item of information that constitutes intellectual property. It can be a photograph taking the form of a high-res jpeg file. It can be a high-def video recording. It can be a book or poem or other text appearing as a Word or pdf file (perhaps original with you, the author). It can be a file for a 3D printer to produce a tool or work of art. It can be a set of architectural blueprints. It can be a wav or mp3 music file (perhaps of original material that you recorded).
For any V like this, cryptographic encapsulation of the form (H (E V)) [D] asserts ownership of V by the person uploading and timestamping this capsule (provided V has not been uploaded before in some equivalent form, whether encapsulated or unencapsulated). Moreover, cryptographic encapsulation allows that ownership to be transferred by the process of invalidation and revalidation described in subsection 3.2. Note that the value V encapsulated in this way is intrinsic — it does not depend on an outside party to guarantee value but comes entirely from information residing in V.
If V is a memory-intensive item of intellectual property, it, and any cryptographic encapsulation that contains it, can quickly become unwieldy, consuming many bits of information, especially if V is a music or video file. In that case, it becomes easier to locate the information V in a suitably encrypted form independently on the Web and then reference it in the encapsulated currency (V thus essentially becomes a link to the intellectual property rather than the intellectual property itself).
Here’s one way to do this: Let IP denote an item of intellectual property. Form an encryption-decryption pair E* and D*, and let E*(IP) denote an encrypted form of the intellectual property. Now upload (H* E*(IP)) on the web, where H* is a hash of E*(IP). Then, let V = (H* D*) and make sure the (H (E V)) is timestamped later than (H* E*(IP)). This effectively establishes ownership of IP through (H (E V)), making V a secure link to IP that decrypts it.
Employing a linkout approach like this for value embedded in cryptographic encapsulations is similar to asserting priority of an idea by first publishing it in an encrypted form and then, if someone else comes along with the same idea and explicitly publishes it later, decrypting the earlier encryption, thereby verifying that one had the idea first. Isaac Newton, for instance, established priority for some of this work by using anagrams, thereby proving at a later time that he knew something at an earlier time.
5.2 Promissory Notes
Most financial value these days takes the form of a promise, whether conditional or unconditional. The problem with promises, of course, is that they can be broken. That’s where reputation and evidence of solvency comes in. Promisors regarded as better in these respects are, other things being equal, judged more likely to keep their promises. Value that takes the form of a promise is extrinsic — it depends on a trusted outside party making a promise to guarantee value.
Unconditional promises that hold value and are negotiable include debts, in which the promisor promises to pay back a certain amount over a certain time with certain payouts (this includes everything from mortgages and car loans at one end to conventional and bearer bonds on the other). Unconditional promises also include equity stakes in business ventures, such as stocks in a company, where the promise guarantees that you own a certain percentage of the company and are entitled to certain benefits (the benefits, however, can be conditional on the performance of the company).
Conditional promises include all manner of derivatives, in which the occurrence of certain contingent events decides whether a financial advantage is gained or lost. Conditional promises also include gambling outcomes, in which a payout depends on the occurrence of a chance event.
For promises, whether conditional or unconditional, to be negotiable within Peerless, we will need to define a variant of the cryptographic encapsulation given in sections 3 and 4. Specifically, it will be necessary to describe how promises that have a well-defined value can themselves be encapsulated, with such an “encapsulation of a promise” in turn being embedded in a cryptographic encapsulation of the sort defined earlier. There are some new elements here, involving embedded hashes and signature schemes, which will be described next.
To make clear how this all works, let’s consider again our friends Alice and Bob. Bob, let us say, is willing and ready to make Alice a promise P that has value to her and that would have value to others, provided it is transferable. This can be as simple as an IOU for a fixed amount of money initially made out to Alice. The thing is, Alice wants this promise to be negotiable, so that Bob’s promise applies not just to her but to anyone she chooses to assign his promise. How is she going to make Bob’s promise negotiable using cryptographic encapsulation? Here’s how:
=====BEGIN PROMISE-ENCAPSULATION PROTOCOL=====
STEP 1: Alice uploads the encapsulation (H (E Ø)) [D]. The symbol Ø here denotes an empty value. The reason for having an initial capsule with no value inside it is that Alice needs Bob to make a promise not to her individually, but to a capsule so that it, through a process of invalidation and revalidation, can be transferred in ownership to others. If Alice simply uploaded (H (E P)), where the promise P is to her specifically, this capsule would be non-negotiable. It’s the difference in an IOU between “I promise to pay Alice $100” versus “I promise to pay the holder of this note $100.” The device of first creating an empty capsule is to accommodate the latter.
STEP 2: With (H (E Ø)) [D] in place, properly uploaded and timestamped, Bob now formulates a promise not to Alice but to the holder of this genesis capsule and of its successor capsules via invalidation/revalidation. Specifically, he forms the item of value V = (Sb (H Eb P)) [Db]. Here H is the hash of the initial (value-empty) capsule that Alice just uploaded. Eb is a public key with private key Db known to Bob (enclosed in square brackets as is customary). P is the promise or promissory note, made out not to Alice but to the holder of the item of encapsulated currency whose starting or genesis capsule has, as its very first hash, H. Finally Sb is Bob’s signature on the triple (H Eb P), using the private key Db, to ensure that Bob really did make this promise and that it applies to the owner of (H (E Ø)) as well as the owners of any successor encapsulations resulting from ownership transfers. Usually with such a signature, it is done by first hashing and then applying the decryption function associated with the private key Db, a combined process that together renders the signature more secure than simply using the decryption function associated with Db. In any case, reliable signature schemes are well known, and we can count on Sb being a fully binding and authenticated signature by Bob attached to the triple (H Eb P).
STEP 3: With Bob’s promise of the form V = (Sb (H Eb P)) now turned over to Alice, she forms a successor item of currency to (H (E Ø)) [D] that fully incorporates Bob’s promissory note, namely (H1 ((H D) (E1 V))) [D1]. Normally, a move like this is designed to transfer ownership from one agent to another. But in this case, Alice transfers ownership to herself. She does this in order to create a public record of Bob’s promissory note in the provenance chain. This chain began with the empty-value capsule (H (E Ø)) and then was followed with (H1 ((H D) (E1 V))), having Bob’s full promissory note embedded in it (i.e., V = (Sb (H Eb P))).
STEP 4: If Alice now wants to transfer Bob’s promissory note to Carol, she secretly sends Carol the private key D1, whereupon Carol forms the public and private keys E2 and D2 respectively, and then uploads the new capsule (H2 ((H1 D1) (E2 V))) [D2]. Bob’s promissory note can therefore no longer be claimed by Alice (her claim has been invalidated with the disclosure of her private key D1) but can instead be claimed by Carol. Carol can now approach Bob to make good on his promise given that his promise is embedded in the following provenance chain and given that she can claim ownership of its terminal node:
(H (E Ø)) [D] —> (H1 ((H D) (E1 V))) [D1] —> (H2 ((H1 D1) (E2 V))) [D2]
where Ø signifies empty value and V = (Sb (H Eb P)) [Db]. (For students of monetary history, this cryptographic approach to transferring ownership of IOUs parallels Britain’s old tally stick system for tracking and transferring debts.)
=====END PROMISE-ENCAPSULATION PROTOCOL=====
The ability of Peerless to encapsulate the value in promises and then transfer ownership of such value means that Peerless cuts a wide swath. In particular, it means that cryptographic encapsulation can accommodate any redemption currency. For instance, U.S. Federal Reserve notes from the 1920s included the following statement: “redeemable in gold on demand at the United States Treasury or in gold or any lawful money at any Federal Reserve bank.” This was a promise. Similarly, gold certificates these days, whether backed fully or fractionally, constitute a redemption currency promising to pay the bearer in gold. If you want to get on a gold standard, a bimetallic standard (silver and gold), or any other standard in which money is redeemable according to that standard, cryptographic encapsulation can handle it. Provenance chains of cryptographic encapsulation therefore readily serve as currency in the broad sense of negotiable value; moreover, depending on the value encapsulated, these chains can serve specifically as digital cash.
One type of promise whose commercial possibilities Peerless stands to enhance is the gift certificate. These days, when Amazon, for instance, provides a gift certificate, it is by giving a code to a given individual, who then with the code can redeem the gift. Security here is minimal, and no safe mechanism exists for transferring ownership of these gift certificates to others (once a code is divulged, it is fair game for anyone to use). Accordingly, as things stand now with these gift certificate codes, if their ownership is transferred at all, it is usually within a circle of family and friends, any of whom can then redeem the codes.
All the same, a gift certificate is a promise of value (e.g., a promise by Amazon to honor it as payment for products of a certain dollar value that the vendor has on offer). And since cryptographic encapsulation is, as we’ve just seen, able to handle promises and their negotiability, it follows that Peerless can handle both the assignment and transfer of ownership for gift certificates.
The negotiability of such gift certificates raises them to the level of money, or close to it. With a slight adjustment, such gift certificates also offer a means of inflation abatement not available to ordinary government-generated fiat currencies. Consider a generalization of the U.S. Postal Service’s “forever stamp” applied to gift certificates. If you buy a stamp to send a one-ounce envelope within the U.S., you get a stamp with no dollar amount written on it but only the word “forever,” indicating that the USPS will forever honor this stamp to send a one-ounce envelope, regardless of when you choose to send it, whether now, or in a year, or in a decade.
The postage amount to send such mail has consistently risen over the years (in 2000 it was 33 cents, currently in 2016 it is 47 cents). The forever stamp has several obvious advantages: it assures the delivery of one-ounce envelopes regardless of when the stamp was purchased, so it’s a convenience to the sender; as the underlying rate changes, senders won’t have to find creative ways to dispense with old stamps displaying rates that are no longer valid; moreover, with stamps never displaying outdated postage rates, senders won’t need to buy strange denomination stamps to supplement older stamps that now no longer work.
What the post office has done on a small scale, major retailers like Amazon and Walmart could, in principle, do on a grander scale. Thus, instead of merely providing negotiable gift certificates in fixed amounts (e.g., a fixed-value $100 gift certificate), they could use Peerless to do something like the following: pay the vendor $100 now, and the vendor in turn will promise you a fixed percentage p of the cost of a basket of goods that accurately gauges inflation, where the product p x b = $100 (b being the dollar value of the basket of goods at the time the gift certificate was purchased). Then, when you, or someone to whom you’ve transferred that gift certificate, redeems it at a later date, the dollar value will be p x b’ where b’ is the dollar value of the same basket at the time of redemption. Such a variable-rate gift certificate is easily handled in Peerless. For the purchasers it provides a hedge against inflation. For the vendors, it provides an influx of immediate cash.
A fantasy scenario for such gift certificates would be “forever” tuition payments. The University of Chicago, when I started there as an undergraduate in 1977, charged right around $6,000 a year for tuition, room, and board. The National Center for Education Statistics indicates that for the academic year 2015-16, those same total costs came to $70,100. That’s almost a 12-fold increase in just under 40 years. The Bureau of Labor Statistics’ Consumer Price Index indicates that just under a 4-fold increase in general inflation occurred during that same time (my $6,000 total costs at the University of Chicago in 1977 come to a mere $23,847 in 2016 according to the BLS’s CPI calculator). It would be great, therefore, if elite universities, whose prices tend to be comparable with my alma mater, offered such “forever” tuition payments, especially if they were negotiable. Pay $6,000 x 4 = $24,000 in the mid-1970s for four years of college, and then in the mid-2010s send your kid or grandkid to the school with no further costs (assuming they get through college in four years), thereby staying way ahead of inflation. As the Aerosmith song from that era put it, Dream On.
As described in section 1, performatives are utterances that suitably authorized agents employ to create new social realities. “I now pronounce you man and wife” creates a marriage when a preacher or judge utters these words. “I declare the United States to be at war with Country X” creates a state of war when Congress utters these words. “I declare this piece of paper to be legal tender” creates a fiat currency when the Federal Reserve utters these words. Of course, these utterances need not be audible, but can as well be inscribed by the authority in question.
Not all performatives create social realities that can be owned and whose ownership can be transferred. Marriages and wars can’t fulfill that role. But fiat money created by governments can. So too can legacies left in a will, as with the words “I hereby bequeath all my possessions to X.”
The encapsulation of performatives whose newly created social realities can be owned operates in exactly the same way as promises. It’s therefore convenient that the word “performative” starts with the same letter “p” as “promises.” In the previous subsection, it’s therefore enough simply to substitute for any promise or promissory note (denoted by P) a corresponding performative (again denoted by P) that is authorized by an agent capable of bringing into existence via an appropriate utterance the new social reality in question, a social reality capable of being owned and having its ownership transferred.
In the case of fiat money, for instance, let’s imagine that Alice wants such money from Bob, but that Bob in this case is the Federal Reserve. Alice therefore forms the empty encapsulation (H (E Ø)) [D]. Bob qua the Fed then declares in an utterance P, whether recorded or written, that he herewith assigns to the hash H, and any successor Peerless capsules, the amount of US$100. We assume the Fed/Bob has public key Eb and private key Db. The Fed therefore signs (H Eb P) with signature Sb, forming the value V = (Sb (H Eb P)) [Db]. Alice thereupon forms a successor capsule to (H (E Ø)), namely, (H1 ((H D) (E1 V))) [D1], which then becomes a negotiable item of fiat currency authorized by the Fed, monetarily equivalent to Federal Reserve notes bearing Benjamin Franklin’s image.
Does such fiat currency have any “real” value? I put “real” in scare quotes because this word can be interpreted variously. Certainly, fiat currency is not redeemable in terms of something having intrinsic value, such as gold. But it does seem that fiat currency can have value depending on the agent who utters the performative to create it. If that is the government or an agent empowered by the government (such as the Fed), then something of value (even if merely of social value) can be created. Of course, if the government or central bank behaves irresponsibility, hyperinflating a currency, the currency will lose trust and become worthless. But if the currency is officially sanctioned, declared to be legal tender, and accepted in payment for taxes, it will be treated as valuable. Value perceived is value achieved. It may not be ideal value and it may not be really real value, but it is value nonetheless.
5.4 Proof of Hash Work
To explain the next source of value for encapsulated information, which will be based on proof of hash work, it will help to review how Bitcoin awards currency to its miners (this was touched on in section 2.2). The mechanism Bitcoin uses to generate winning block hashes that gain bitcoins for its miners will require some technical exposition, but once that is done, it leads quite naturally to a way to assign value to Peerless encapsulated currency based on features of its hashes.
Whether this way of assigning value within Peerless will appeal to people and make them want to create and exchange this sort of value is another matter, but I’ll argue that it has at least as much merit as how Bitcoin itself creates value. More importantly, this proof-of-hash-work approach mirrors a more general approach to Peerless value, which will be the topic of the next section, namely, what I call transubstantiation (inspired by, but no direct relative of, the corresponding theological concept).
First, however, let’s back up for a moment. In defining cryptographic encapsulation in subsection 3.1, I noted that (H (E V)) [D] was a minimal capsule that could be elaborated by including (at least) three additional items:
(1) Comments and/or conditions relevant to V and its encapsulation, perhaps binding or perhaps not on V’s negotiability, denoted by C.
(2) A cryptographic signature based on D to ensure that the owner of V has some causal connection to this capsule, the signature being denoted by S.
(3) And finally what we called a nonce, namely, a string of bits varied at will and used to affect the (random looking) output of the hash H, denoted by R.
A full-orbed encapsulation of V could, therefore, look like (H (E S C R V)) [D]. In this section, we’ll focus on R and leave aside C and S. Thus we consider Peerless currency taking the form (H (E R V)) [D], where H is the hash of (E R V) and R is a nonce.
The inspiration for nonces within cryptographic encapsulations comes from Bitcoin. In Bitcoin, a nonce is 32 designated bits used to affect the output of the block hash (all such hashes being computed through the hash function SHA-256, outputting 256 binary digits, or 64 hex digits). When Bitcoin was officially launched as a peer-to-peer network in 2009, its difficulty was set at 1, which in effect ensured that the first 32 bits (or, equivalently, the first 8 hex numbers) making up the block hash were all zeros. For instance, the block hash of the very first block in Bitcoin history, block 1, was the following in hex (all such historical data about Bitcoin are available at blockchain.info):
Each leading zero here is the equivalent of four zeros in binary. This means that the first 32 numbers in the binary representation of this hash were all zero. This level of difficulty continued for about the first year of Bitcoin’s public existence.
Fast forward to 2016, and the difficulty is over 200 billion times greater than it was in 2009, with block hashes now having a much longer leading string of hex zeros. Here’s the block hash for block 434185, which entered the Bitcoin blockchain on October 13, 2016 (AntPool, the most prolific mining pool currently, gained 12.5 bitcoins for computing this hash):
This hash has an additional nine leading zeros (in hexadecimal notation), and thus adds another 36 zeros to the front end of this hash when represented as binary digits. But note, the first non-zero number in this hash is a 1. This is a hexadecimal 1, so it corresponds to the four binary digits 0001, which means still another three zeros lead this hash in binary, making a total of 32 + 36 + 3 = 71 binary digit leading zeros in this hash.
So, how were all these leading zeros incorporated into this block hash? If we go back to 2009, when the difficulty was set at 1 and only 32 zeros in binary, or 8 zeros in hex, were required to gain, at that time, 50 bitcoins per block, it was (on average) enough simply to vary the nonce, which consists of 32 binary digits. The rationale was as follows: the hash function, in this case SHA-256, is supposed to act like a random oracle, delivering for any input string what appears to be a totally random output (albeit for any fixed input string it always returns the same hash — it is deterministic, after all). There are 2^32 or approximately 4.3 billion binary digits of length 32.
If follows from elementary probability theory that if SHA-256 acts like a random oracle, then there’s a better than even chance that by hashing all these 2^32 different possible nonces, that at least one block hash will display 32 leading binary zeros. This holds more generally: by hashing all of 2^n different possible nonces for nonces of length n (assuming n < 256 in this case since we’re using SHA-256), at least one block hash will, with better than even odds, display n leading binary zeros.
As the difficulty level to mine bitcoins rose over time and the number of leading zeros increased, varying a nonce of 32 bits was therefore no longer enough to achieve ever greater lengths of leading zeros. Fortunately for Bitcoin, there were other places to vary block inputs to form hash outputs. Notably, miners could vary the transaction set, the block timestamp, and the coinbase. Exactly what these are in the Bitcoin universe is less important than realizing that these give added degrees of freedom to compute hashes with ever increasing numbers of leading zeros.
The math here is straightforward: to output a block hash with n leading zeros (in bits) requires being able, on average, to run through 2^n different possible hash inputs. So, even though the Bitcoin nonce no longer gives sufficiently many degrees of freedom to generate hash values with the currently required length of leading zeros, there are other ways to get there by varying other inputs to the block hash.
Hashes that display long sequences of leading zeros represent effort, that effort correlating precisely and positively with the number of leading zeros. Such effort, when displayed in the leading zeros of hashes, provides a proof of work as well as a gauge of value (cf. Hashcash). Effort here can be understood in practical terms as the expenditure of actual computational resources, calculated in terms of the number of hashes computed to obtain a “winning” hash exhibiting a certain number of leading zeros. This computational effort in turn requires measurable amounts of electrical energy to run the processors that perform the computations.
How much electricity do Bitcoin miners use to try to gain the bitcoins on offer in any block? The estimated hash rate for the Bitcoin network as a whole is measured in TH/s, i.e., number of terahashes per second (trillions of hashes per second). In late 2015, the Bitcoin network was performing around 500,000 TH/s. The Bitcoin hash rate, at the time of this writing in the fall of 2016, is now up to around 2,000,000 TH/s (i.e., 2 exahashes per second). This impressive increase in the hash rate in just one year corresponds to the rise of ASICs (Application Specific Integrated Circuits), mining machines built specifically to compute hashes for Bitcoin blockchains.
A top of the line ASIC miner is currently the Antminer S9, costing between $2,000 and $3,000. It draws 1,350 watts and computes an impressive 14 TH/s. At a global hash rate of 2,000,000 TH/s, that means 142,857 Antminer S9 machines could, in principle, handle the totality of Bitcoin mining, with a draw of 142,857 x 1,350 Watts = 192,856,950 Watts or 192,856 kW. Extended over 24 x 365 = 8,760 hours in a year, that comes to 1,689,418,560 kWh (i.e., kilowatt-hours, the kWh being the most commonly used unit for billing energy by electric utilities). This last amount is the total electricity that the entire Bitcoin network, if operating at peak efficiency, would use in one year (granted, this estimate is a bit artificial since the hash rate keeps going up; nonetheless, Moore’s law keeps working to bring the energy consumption down, so the estimate puts us in the right ball park).
What’s the cost of a kilowatt-hour? It depends where you live. If you’re in Denmark, which charges on the high end for electricity in the industrialized world, it’s over 40 cents. If you’re in Iceland, which is on the low end in the industrialized world, it’s 5.5 cents. Argentina has its electricity heavily subsidized, so the cost to consumers there is cheaper still. In parts of India, electricity is virtually free, though the average cost comes to 7 cents per kWh. In the continental U.S., it’s between 8 and 17 cents, though the cost per kWh in Hawaii approaches that in Denmark. In any case, let’s take 10 cents as a lower bound estimate on average kWh cost worldwide. This seems reasonable.
In that case, 1,689,418,560 kWh of total annual electricity expenditure on Bitcoin comes to roughly $170 million. With 12.5 bitcoins mined every ten minutes, that means 12.5 x 6 x 24 x 365 = 657,000 bitcoins are mined annually, and so, at roughly $600 per bitcoin, the total annual value of bitcoins mined comes to around $400 million. These estimates are rough but revealing. They are rough for three reasons: (1) not everyone is using state-of-the-art mining equipment; (2) the cost of that equipment is not being factored in; and (3) kilowatt-hour costs vary widely as well. By some estimates, the actual costs incurred by Bitcoin miners exceeds the value of bitcoins mined by a factor of 10.
Now the incredible thing about all these costs (from purchasing mining ASICs to the electricity to run the Bitcoin peer-to-peer network) is that they are all in the service of computing blockchain hashes of a given form, namely, hashes having a certain number of leading zeros. This is incredible because by any objective measure of meaning or importance, the form of these hashes is utterly arbitrary and trivial. Yet within the Bitcoin universe, this entire exercise becomes crucially significant because it maintains scarcity of the currency and distributes it equitably.
Yet there is a broader lesson here: When we see a long sequence of leading zeros in a hash — any hash, whether it is the winning hash in a Bitcoin block, or a losing hash, or a hash unrelated to Bitcoin — it represents an expenditure of computational effort (measured in number of hashes executed) and, since such computation requires energy, it also represents a precisely correlated expenditure of electrical power (which can be measured in kilowatt-hours).
But note, even though the correlation is precise, it is also time-sensitive, depending on the computing speeds readily available at the time (such as through the Antminer S9 in October 2016) as well as the going rate for kilowatt-hours. Given Moore’s law, speed and efficiency of computing continue to double at regular intervals (are we still at every 18 months?). The cost of kilowatt-hours, on the other hand, has tended to be more stable. The net result, however, is that it’s possible now, in 2016, to compute, for the same electricity cost, hashes with much longer leading sequences of zeros than in 2009, when Bitcoin opened to the public.
All this suggests that an item of currency identified by a hash could be assigned value depending on its number of leading zeros (or any sufficiently improbable pattern in the hash), and specifically on the cost of electricity required to achieve a given sequence of zeros at the time the hash was computed. With Bitcoin, all this value from the expenditure of computational effort and electrical energy goes to the party responsible for computing the winning block hash. But this seems inefficient and unfair: the winning block hash essentially results from a lucky lottery ticket, where the high-powered computing pools of Bitcoin nodes in effect get to buy the most tickets and thus have the best odds of winning bitcoins. The reason this is inefficient and unfair is that “losing” nodes and pools also expend a lot of computational effort and electrical energy to win bitcoins; yet because they are losers in the lottery, they win no bitcoins and thus expend computational effort and electrical energy in vain. But why should expenditures be in vain? Why not also give them credit for it?
Here’s how such a system for crediting (all) hash work might operate. We imagine, at a given moment of time T, that 2^n hashes require a given number of kilowatt-hours to compute, say kWh(T,n). Because a hash with n leading zeros in bits requires on average 2^n hashes to be performed, every addition to n by 1 doubles the amount of hash work and thus the cost in kilowatt-hours. Accordingly, kWh(T,n+1) = 2 x kWh(T,n). We could, now, place further restrictions on the hashes, as Bitcoin does with its technical measures of difficulty. But with Bitcoin, such restrictions simply ensure that the blocks in the blockchain resolve every 10 minutes. Without that sort of time pressure on hash computations, which won’t exist in general, it’s enough simply to count leading zeros in a hash, so that each additional leading zero (in bits) requires twice the computing time/kilowatt-hours of a hash with one fewer zero.
Given this connection between hash computations and kilowatt-hours, it’s now straightforward to set up a cryptographically encapsulated currency that takes its value from the kilowatt-hours needed, on average, to produce a given number of leading zeros for a hash. Thus, for a desired value V of kilowatt-hours, simply choose n so that V = kWh(T,n) (if V falls between kWh(T,n-1) and kWh(T,n), it will be necessary to choose one or the other for V — this method does not allow continuous variation for V). For a fixed encryption/decryption key pair E/D, compute the hashes H for the string (E R V), varying R over a space of at least 2^n possibilities. Stop when R yields a hash H with n leading zeros. Then form (H (E R V)) [D] and upload it with a timestamp that is close to T (close enough so that there’s no question that the value assigned to kilowatt-hours at the time has not changed substantially). Such an item of Peerless digital cash then has value V in kilowatt-hours.
Whether people are actually going to want to engage in economic transactions where value is determined in kilowatt-hours is unclear. That kilowatt-hours could, in principle, be used as a measure of value in a monetary scheme like this seems at least plausible. But some tight controls will need to be in place to make this work in practice. For instance, kWh(T,n) needs to assign a lower kilowatt-hour bound according to the technology at time T capable of computing hashes. If, say, slower machines with higher energy usages were allowed to set a higher bound, then there would be an arbitrage opportunity here for people with faster machines, who could compute hashes with longer leading zeros for less than the going rate in kilowatt-hours.
Also, there would need to be controls on keeping the value of such encapsulated currency from varying unduly by geographical location. It wouldn’t do, for instance, for such kWh-encapsulated currency to have substantially greater value in Denmark, where the cost per kilowatt-hour is highest, at over 40 cents. For in that case, an arbitrage opportunity presents itself: buy Danish kroner with kWh-Peerless at the going kWh rate in Denmark, exchange to a currency where the cost of kilowatt-hours is low, create more kWh-encapsulated currency there, return to Denmark and keep the arbitrage cycle going. A kWh-encapsulated currency will need to be pegged to a global kilowatt-hour value (average? lowest?) if it is to serve as an economically viable currency. In any case, production of all such kilowatt-hour based currencies will naturally be driven to those places where kilowatt-hours are cheapest, as is happening now with Bitcoin mining in Iceland.
The approach just outlined assigns value to Peerless cryptographic encapsulations insofar as they exhibit hashes with a certain number of leading zeros. The value in this case comes from the kilowatt-hours expended to generate such hashes. Whatever the ultimate merits of this kWh-based encapsulated currency, it seems more equitable than Bitcoin. Whereas Bitcoin only rewards one such hash over a ten-minute time interval and gives nothing to the losers during that same interval, kWh-encapsulated currency distributes value fairly in terms of a measurable and verifiable expenditure of kilowatt-hours (electrical energy being used to search for hashes of predefined difficulty as gauged by number of leading zeros). Unlike Bitcoin, all users engaged in hashing to produce kWh-encapsulated currency (Peerless miners?) thus stand to gain some value.
Still, a big caveat looms over this energy-expenditure approach to currency value: economic merits aside, kWh-encapsulated currency, even more so than Bitcoin, threatens to become an energy hog. Because Bitcoin, despite all the interest and press, still has a limited user base, relatively speaking, its energy usage is still not totally out of control. Moreover, the inherent diminishing returns associated with Bitcoin mining offer some hope that its energy usage will never get totally out of control. But if any and all kilowatt-hours can potentially be siphoned off for creating value in kWh-encapsulated currency, the temptation to overuse and even steal kilowatt-hours (e.g., secretly tapping into powerlines) may become great, and the energy usage to create such currency might indeed get totally out of control.
For such reasons, I have mixed, and on balance negative, feelings about kWh-Peerless becoming a major currency for economic exchange. Indeed, there’s something unworthy about throwing so much computing power and ingenuity at something so trivial as computing hashes with increasing numbers of leading zeros (or whatever improbable pattern in hashes one chooses). Sure, as proof of work to prevent spamming (cf. Hashcash), this approach has merit, but in that case a small fixed number of leading zeros suffices. Or, as another possible bright spot, perhaps the world of computer hardware is a richer place for the invention of ASIC Bitcoin mining machines that do hashing at unprecedented rates. But surely we can find more productive ways to use computing power. Why then spend so much ink here examining this source of value for Peerless? Because it inspires the next source of value, transubstantiation.
When one considers a piece of Bitcoin currency, wherein ultimately does its value reside? Sure, there’s a lot of hype surrounding Bitcoin, and its exchange value into dollars is at least in part the result of that hype. In other words, bitcoins are valuable, at least in part, because people are intrigued with this currency. It’s cool to work and play with bitcoins. Ownership of bitcoins confers a reflected glow of sophistication and prestige. Subjective factors thus play a role in Bitcoin’s perceived as well as traded value.
But ultimately the value in a piece of Bitcoin currency resides in the expenditure of computational resources to produce it (at the very least, this is a necessary condition for its value). Thus, when we see a long string of leading zeros in a winning Bitcoin block hash, the computational effort to produce it is what gives value to the bitcoins awarded for that block. Similarly, for the kWh-encapsulated currency described in the last subsection, the value would reside in the computational effort expended to produce a hash with a long sequence of leading zeros, though with this instance of Peerless currency the connection between computational effort and its infusion of value into the currency is clearer because the hash is actually part of the currency whereas with Bitcoin it is merely associated with the block hash for which bitcoins are then awarded.
In either case, however, scarcity, and thus value, resides in computational effort, which, in practical terms, is convertible into kilowatt-hours. But note, in cashing out the currency in terms of electrical energy costs, we need to be careful to factor in Moore’s law (thus keeping track of the limits of computational performance at a given moment in time), optimal use of existing computational resources (as through ASIC mining machines), and running the computations in places where electricity costs are low (as in Iceland). The key point to understand, however, is that all this computational effort, however its value is conceived or articulated, is swallowed whole by the currency and does no one any good in any other context. If you will, something of real value (e.g., kilowatt-hours) is sacrificed (or some might say wasted) in the service of the currency. Moreover, this sacrifice is without remainder, absent in the service of any other tangible good.
This way of looking at the value of Bitcoin and kWh-encapsulated currency suggests a more general approach to embedding value within cryptographic encapsulations, namely, sacrificing something of known value and thereupon assigning the value of the thing sacrificed to the relevant capsule. Of course, this approach will require safeguards. There’s obviously the issue of verifying that the sacrifice was actually performed. With Bitcoin and kWh-encapsulated currency, the verification is in the long sequence of leading zeros in a hash — it is built into the currency. But, in general, the verification will depend on a trusted third party verifying that the sacrifice was indeed performed (precluding “pretend sacrifices” in which items claimed to be sacrificed were in fact purloined or perhaps never even existed). Also, just as double-spending is a problem for some currencies, so “double-sacrificing” could be a problem (i.e., the same sacrifice being assigned to two items of currency). Thus, once the sacrifice is verified, it also needs to be confirmed that it only gets assigned to a single cryptographic encapsulation.
This investing or infusing of value into cryptographic encapsulations by sacrificing things of recognized value and thereafter treating the currency as though it had that value may be called transubstantiation. In the case of Bitcoin and kWh-encapsulated currency, their transformation of value through sacrifice might be characterized as follows: kilowatt-hours as produced by a power company to generate electricity are transubstantiated into virtual kilowatt-hours now residing entirely in the currency as evidenced by a hash exhibiting a long sequence of leading zeros. Transubstantiation, as the term is typically used, is of course a theological notion and refers to an object that exemplifies one substance taking on a new substance (specifically, it refers, in Catholic theology, to ordinary bread and wine becoming the actual body and blood of Christ during the mass).
Regardless of transubstantiation’s theological merits, I want to argue that this notion, as developed here, has economic merits. We live in a crassly materialistic age, so the idea of sacrifice automatically elicits the charge of profligacy and waste. But sacrifice in the form of monetary transubstantiation, as described here, can be anything but wasteful. It might even signal sound economic judgment. To clarify this economic sense of sacrifice, I’m going to present an unconventional window into economic and monetary history. I’ll go back 4,000 years, to ancient Babylon, with its distinction between the temple and the altar, a distinction we also find in Scripture.
Ancient Babylon is famous, among other things, for giving us the science of accounting (I’m using Babylon a bit loosely to refer to Sumerian and Akkadian culture generally). Wealth, once created (and back then it could take the form of everything from precious metals to livestock), needs to be kept track of. This means at once keeping wealth safe, keeping it organized, and keeping a record of what’s there. The temple served that purpose, both in Babylon and later in the Bible. Indeed, we find long catalogs in Scripture of the various items of value contained in the temple, everything from candle holders to lavers.
Wealth, once created, needs to be maintained. But maintenance can only take you so far, especially when there are deities to be addressed. The owner of the temple’s wealth, after all, is not the priests that administer the temple. They are merely stewards or keepers of the wealth, which properly belongs to the deity associated with the temple (Marduk in Babylon, Yahweh in Israel). To make clear the ultimate owner of temple wealth, associated with any temple is also an altar, on which portions of that wealth periodically get sacrificed to the deity qua owner.
In this secular age, with theology taken less and less seriously, we tend to think of sacrifice as nothing more than a vain and outdated exercise to placate an otherwise disgruntled deity. In other words, sacrifice is what we do to keep God or gods off our backs. But in fact sacrifice has a deeper role, namely, to take something material and by destroying its material form to convert it to a higher reality. The ultimate impulse behind sacrifice is thus alchemical, taking something base and transforming it into something higher.
In this context, it is worth recalling Jesus’ remarks about not laying up treasures on earth, where the forces of corruption can destroy them, but rather laying up treasures in heaven where they lie beyond the forces of corruption (Matthew 6:19-20). Note that what’s not being said here is the simplistic “you can’t take it with you.” Rather, what’s being said is that you can take it with you if you can get it from here (earth) to there (heaven) by suitable means and in a suitable form. Sacrifice is the way this happens, taking something material and turning it into something spiritual.
Now, as sophisticated westerners, we tend not to care much for the distinction between the material and the spiritual. Yet as sophisticated westerners living in an information age, we are ready to embrace the distinction between the material and the virtual. Thus, on the one hand, there’s hopping on a plane and actually visiting the island paradise of Bora Bora in order to be materially present there on the beach. On the other hand, there’s slipping on a pair of VR goggles and going to Bora Bora virtually. The ultimate goal of VR (virtual reality), of course, is to create virtual experiences so realistic (not just sights, but also sounds, smells, and bodily feels) that they are indistinguishable from experiences in the material world that inspired them in the first place (recall philosopher Robert Nozick’s “experience machine”).
So, to bring this discussion back to wealth and money, once wealth is created, our first impulse is to store and keep track of it. This happens at the temple, whose job is to maintain the wealth. Maintained as it is there, it can play the role of a bank backed by real assets, offering credit, clearing, and redemption. Indeed, temples back then did serve the role of banks (why else did Jesus drive out the money changers from the temple?). But maintenance can be hard and even dangerous work. Wealth that’s maintained can also be stolen or looted (how many times was the Jerusalem temple sacked?). But at the altar, that same wealth can be transformed, making it available, valuable, and secure in a higher dimension.
In this light, it’s interesting to reflect on the “trinities” one finds in various religions. I’ll focus on two, Hinduism and Christianity. In Hinduism, one finds the Trimurti, the three-fold form of God as Brahma, usually described as the creator; Vishnu, usually described as the preserver (aka maintainer or sustainer); and, perhaps best known in the West, Shiva, usually described as the destroyer. But note, Shiva is also understood as the transformer, who in an act of destruction also transforms the thing destroyed, bringing it to a higher level. To a crass materialism, destruction is the same as vandalism. But in the Hindu religious tradition, destruction is a means of transformation. (Schumpeter’s “creative destruction” is worth citing in this context, though it needs to be informed more by Hegelian Aufhebung than straight-up Marxian dialectical materialism.)
The Christian Trinity bears some similarity to the Hindu Trimurti, though the analogy is loose and the underlying theology is different. Father, Son, and Holy Spirit are not three gods but one God understood as fully coinhering in each other (the formal theological term to describe this relation among members of the Trinity is perichoresis). Thus, in Christian theology, we’re never talking about three gods or even three mutually exclusive roles that different members of the Christian Trinity take to the exclusion of others roles. Christian theology teaches that in any divine act, all three members of the Trinity are fully active.
Nonetheless, Christian theology typically does assign priority to one member of the Trinity over another with certain roles or activities. Thus Christians tend to think of the Father as the ultimate source of everything, the creator. They think of the Holy Spirit as the nurturer, the sustainer, the one who providentially guides and governs. And finally, the Son, through the Incarnation, in taking on both divinity and humanity, is seen by Christians as the means by which the physical is transformed into the spiritual, as exemplified in the bodily resurrection, in which Jesus’ earthly body is transformed into a spiritual body. Even the role of destruction is evident here, because the transformation through bodily resurrection happens at a cross where Jesus’ physical life is destroyed.
My aim in presenting this idiosyncratic history of temple and altar is not to get sidetracked with theology, but instead to point out that these very theological concepts of destruction and transformation have economic counterparts in monetary theory that are largely unexplored and that fit quite naturally with Peerless cryptographic encapsulations. If some material item M has value and is irrevocably destroyed, that value could be uniquely assigned to a cryptographic encapsulation. Moreover, because any such capsule is informational and transmits value via a provenance chain, that value, once assigned, endures. Indeed, it becomes (essentially) indestructible because information, by its very nature, cannot be destroyed.
This last claim may seem a bit strong, but not by much. It is spoken as the Platonist that I am. But even if you’re a materialist, there’s a practical indestructibility to information on the Web. Whatever appears there gets cached and archived; it never ultimately disappears, though it may recede from the search engines. Only the end of the world, conceived as all the world’s servers crashing and burning, would destroy information, a possibility that for the purposes of this discussion we can exclude (the demise of Peerless in that case would be the least of our worries).
How, then, would cryptographic encapsulations handle transubstantiation in practice? Let’s consider our friends Alice and Bob again. Alice owns a material item of value, call it M. Bob is a trusted third party in the business of destroying such items and (re)assigning their value to cryptographic capsules (in times past, Alice might be the owner of an unblemished sheep, and Bob would be a priest sacrificing it on the altar). Here, then, is how it works (we’ve seen variations of these steps before):
=====BEGIN TRANSUBSTANTIATION PROTOCOL=====
STEP 1: Alice owns M, a material item with a clear value. She wants to transubstantiate M’s value into a cryptographic encapsulation. To begin the transubstantiation, she uploads, with the correct timestamp, the following genesis capsule of empty value: (H (E Ø)) [D].
STEP 2: Alice next takes M to Bob, who then utterly and irrevocably destroys M. Having done so, Bob issues a guarantee Pm that he has in fact so destroyed M, describing M precisely as well as the precise time and location of its destruction, and averring that he will credit M’s destruction only once in its transubstantiation into encapsulated currency. To ensure that this guarantee is negotiable, he forms the item of value Vm = (Sb (H Eb Pm)) [Db]. Here H is the hash of the initial (value-empty) capsule that Alice uploaded in the last step. Eb is a public key with associated private key Db known to Bob (enclosed in square brackets as is customary). Pm, as just noted, is Bob’s statement guaranteeing M’s destruction. Finally Sb is Bob’s signature on the triple (H Eb Pm), using the private key Db, to ensure that Bob really did make this guarantee.
STEP 3: With Bob’s guarantee of the form Vm = (Sb (H Eb Pm)) now turned over to Alice, she forms a successor capsule to (H (E Ø)) [D] that securely incorporates Bob’s guarantee, namely, the capsule (H1 ((H D) (E1 Vm))) [D1]. Normally, a move like this is designed to transfer ownership from one agent to another. But in this case, as with promissory notes and performatives, which were discussed in subsections 5.2 and 5.3, Alice transfers ownership to herself. She does this in order to create a public record of Bob’s guarantee in the provenance chain. This chain, initiated with the empty-value capsule (H (E Ø)), then succeeded with (H1 ((H D) (E1 Vm))), has Bob’s full guarantee embedded in it (i.e., Vm = (Sb (H Eb Pm))).
=====END TRANSUBSTANTIATION PROTOCOL=====
As is evident in this protocol, Alice and Bob’s efforts to encapsulate value from transubstantiations parallels, point for point, their efforts to encapsulate value from promissory notes and from performatives (see subsections 5.2 and 5.3). Yet the similarity runs deeper. Even the guarantee of M’s destruction, which is here denoted by Pm and which lies at the core of the item of value Vm, can be construed as a promise. To be sure, it is not a promissory note to give something of value (whether unconditionally or conditionally), nor is it a performative that in its utterance creates a new social reality of negotiable value. It is, rather, a promise that one has indeed performed a given act of destruction, the sacrifice of M.
In the three-step transubstantiation protocol just described, Bob’s role as a trusted third party needs to be very hands-on. He actually has to get his hands on the material item of value M. He has to destroy it. And he has to know that he has destroyed it, and then he has to give solemn testimony to this fact, that it is indeed a fact. This is not to say that even with such safeguards for sacrifice in place, Bob may not be tempted to retain some of the value of the sacrifice for himself. But without such safeguards, no party could legitimately count as a trusted third party in economic transubstantiation of the sort described here.
Imagine, for instance, that Bob, or the people on his TTP staff, didn’t actually have to perform the sacrifice. Hearsay of a sacrifice or even witnessing a sacrifice without actually performing it offers too many opportunities for subterfuge. For instance, it then becomes way too easy for an illusionist like David Copperfield to pretend that a sacrifice has taken place when in fact it has not.
Leaving aside moral concerns over the theft of a supposedly sacrificed item, such pretend sacrifices would be ruinous to the integrity of transubstantiated capsular currency, removing any effective constraints on its creation. Indeed, without real verified sacrifice, supposedly transubstantiated items of currency could be mass produced, without the restrictions on currency proliferation that are always necessary for preserving a currency’s value. Accordingly, transubstantiation with only pretend sacrifices merely makes a fiat currency. Say what you will about transubstantiation, but if performed honestly, it guarantees scarcity to the transubstantiated currency, indeed, the very same scarcity of the things sacrificed.
Even if we leave aside fraud by an illusionist, it’s important for economic transubstantiation that when an item is destroyed in order to convert it to value in a cryptographically encapsulated currency, that the act of destruction be intentional and not accidental. It’s not enough, say, to see an item of gold irrevocably destroyed in an unexpected explosion, and then credit the value of this gold to an item of cryptographically encapsulated currency. Sacrifices, whether of old in the service of God or gods, or presently in the service of cryptocurrencies, need to be intentional.
If the destruction of value is accidental, the temptation to double ascribe the same destruction to different items of capsular currency will be doubly hard to control and resist. Imagine, for instance, two TTPs seeing the same accidental destruction of material value and ascribing it to two items of capsular currency. This becomes possible if the TTP that guarantees an instance of transubstantiation can avoid actually having to perform the required sacrifice. This would, obviously, entail a currency proliferation problem, undermining the value of the currency.
Yet another concern with transubstantiation, if it were to allow accidental destruction, is its fairness of assigning ownership to items of cryptographically encapsulated currency. Obviously, like seigniorage of old, where you took a precious metal to the mint and got back that same metal transformed into the coin of the realm, the owner of the material object to be transubstantiated should be the one who owns the currency resulting from the object’s destruction. But ownership becomes much more difficult to assess when something is accidentally destroyed (it’s why insurance for accidental loss is rife with fraud).
And finally, quality control becomes a serious concern if transubstantiation were to allow accidental destruction: how do we know that the thing destroyed really was as good as claimed? One of the tasks of any TTP responsible for destroying material objects to transubstantiate them into encapsulated currency would be to accurately appraise the value of the objects destroyed. If it’s gold that is to be destroyed, for instance, its actual purity and actual weight need to be determined precisely, something that won’t happen should it be destroyed by accident. (This parallels the priests of old scrutinizing the quality of the animals sacrificed on their altars.)
Readers who have followed the discussion of transubstantiation thus far may wonder about its practical value. Indeed, they may wonder if they haven’t followed Alice into Wonderland. Who in one’s right mind wants to destroy something of value, only to transform it into an information-theoretic entity of supposedly identical value? If you’ve got something of value, hold on to it, or trade it. But don’t destroy it. That’s just stupid, or so it would seem. But what if you can’t hold on to it? Or what if you want to make it totally portable? Or what if you really do want to move it from a material to a virtual plane?
Suppose, for instance, you’re Elon Musk. You want to colonize Mars, and in doing so need to transfer wealth from Earth to Mars. Let’s say you want to start out Mars’s economy on the right foot with a gold standard. But moving a lot of gold from Earth to Mars is prohibitive (it’s expensive enough to send gold on Earth via FedEx). And even if Mars has gold to be mined, that’s hardly the first thing you want to do in colonizing the Red Planet. In consequence, why not simply take some gold M that’s on Earth and have a trusted third party destroy it utterly (e.g., conduct a controlled nuclear blast, dump it in a live volcano, put it in the blast furnace of a coal-powered electric plant, distributing it unrecoverably into the atmosphere).
Through M’s destruction, it can now be transubstantiated into Peerless encapsulated currency. Thereafter, the colonists of Mars can run their economy with virtual Peerless gold — such Peerless currency, by residing in the Cloud, is omnipresent, transubstantiation making it instantly available on Mars or wherever anybody is wired or has wifi. In particular, there will never be the need to redeem this currency by transporting the gold to Mars or returning to Earth for it. The gold has, after all, been destroyed — no redemption is possible. Nonetheless, it is permanently preserved in the capsular currency into which it has been transubstantiated. Talk about frictionlessness — you’ve just moved virtual gold instantly at no cost tens of millions of miles. Beat that FedEx!
Or suppose you’re Ray Kurzweil and his transhumanist/singularity disciples. Your fondest hope, in that case, is to achieve immortality by uploading yourselves onto a computer while at the same time dispensing with your original, and now outdated, wetware. Whatever the merits of this dream, it does beg what you’re going to do with your material possessions. Even if you can’t directly enjoy them in your new computational heaven as you did when you were flesh and blood, you might at least be able to export some of their value. Presumably, as you begin life afresh in Turingland, you’re going to be meeting and transacting business with other uploaded people. Peerless transubstantiation will thus allow uploaded people also to upload their wealth, a clear refutation of the adage “you can’t take it with you.”
In applying Peerless transubstantiation to Mars colonization and transhumanist immortality, I’m clearly having a bit of fun. Still, these examples suggest a more serious undercurrent. The fact is, maintenance is always harder than destruction. Sure, you can set up a Peerless gold fund, in which value consists in cryptographically encapsulated promissory notes that promise redemption in terms of actual gold. But such gold will need to be stored somewhere. Precise accounts of it will need to be kept. Redemption protocols will need to be followed exactly. Governments and potential thieves (did I just repeat myself?) will be watching the fund closely, looking for opportunities to claim its wealth for themselves. So how secure is the fund? How long can it be kept intact?
No doubt, there’s something disconcerting about the irrevocable destruction of gold, even if in the service of transubstantiated capsular currency. Gold is just too pretty, too hard won, to be destroyed thus. But consider another item that, in most minds, will seem far more worthy of destruction, namely, fiat paper currency that is rapidly losing value as a result of hyperinflation. This eventuality actually has personal significance to me: I have a set of grandparents, whom I knew reasonably well, that fled Germany in the 1920s, settling in Shanghai China, to escape the economic craziness of billion-fold inflation. We also have the more recent example of the Argentine peso, undergoing less extreme inflation than 1920s Germany to be sure, but which against the U.S. dollar has lost five-fold of its value in the last ten years (2006 to 2016).
Imagine, therefore, living in a country whose irresponsible monetary policies result in rapid declines in the value of state money. Let’s assume further that government controls prevent citizens from exchanging this money into more stable currencies or precious metals. In that case, transubstantiation offers a possible way out: burn the currency and make sure its destruction is verifiably transubstantiated into cryptographically encapsulated currency. With a timestamp on when the destruction occurred, placed there by a trusted and trustworthy third party, the value of the money at that time may be invoked as the value of the newly formed capsular currency.
A more radical transubstantiation would burn the existing problematic currency and then reindex it to a more stable currency. For instance, “I just burned 1,700 Freedonian pesos, which would have bought me 100 U.S. dollars on the open market if I had been able to exchange it, but through government controls was prevented from doing so. Therefore, the transubstantiated capsular currency that I just formed from those 1,700 pesos will now be counted as 100 U.S. dollars.” Here we see a happy melding of transubstantiation with a performative utterance in which the performative guides the transubstantiation into one type of social/virtual reality (e.g., “count this as a U.S. dollar”) as opposed to another (e.g., “count this as a 2010 Freedonian peso before inflation got too out of control”). More on such reindexing in the next subsection.
Whether such acts of transubstantiation block inflation and bring stability to commercial transactions, especially in countries exhibiting failed monetary policies, will depend on whether, and the degree to which, others are willing to honor the resulting capsular currency. As with all money, consensus and convention will in the end rule the day. Perhaps destroyed currency that was otherwise hyperinflating and that has now in fact been transubstantiated will see its resulting capsular currency trade at a discount, knocking off 10 or 25 percent of the value at the time of destruction. Perhaps people will be reluctant to trade it at all. Perhaps those stuck in countries with failed economic policies will embrace such an alternate currency as an island of sanity in an ocean of foolishness.
When a new form of money is created, it’s hard to predict how it will behave and be received (would anyone have predicted in 2009 what Bitcoin would be doing in 2016?). That said, I wouldn’t underestimate the power of transubstantiation in chaotic monetary circumstances, where people are increasingly disgusted with the ability of their state currency to maintain value. A transubstantiated capsular currency could easily become a protest currency, emboldened by ritualistic sacrifices of a state currency that is quickly losing confidence. Indeed, transubstantiation lends itself readily to ritual, and ritual remains a powerful human motivator.
What material items of value are fair game for transubstantiation into capsular currency? I’ve suggested that gold and kilowatt-hours could work. I’ve also suggested that rapidly inflating currency might work. But certainly there are limits. Perishables need to be handled with care and special scrutiny because they always have a “sell-by date,” so any sacrifice of them will need to be done while they are still in their prime (e.g., an unblemished lamb rather than an older sheep good only for mutton).
Moral and legal considerations also need to be addressed here. Imagine drug kingpin Pablo Escobar with access to the tools of cryptographic encapsulation and economic transubstantiation. Let’s say he’s got a thousand kilos of top grade cocaine. Instead of exporting it to the American market, what if he decided to destroy it and thereby transubstantiate its value into encapsulated currency? In principle, such a transubstantiation could take place. But its economic viability seems highly dubious.
Who would the trusted third party be that oversees and verifies the destruction of those thousand kilos of cocaine? We are, after all, talking about a criminal enterprise here that owns and wants to transubstantiate cocaine. In general, with transubstantiation, the worry exists of finding trusted third parties that would indeed be trustworthy in handling the sacrifices needed for economic transubstantiation (the temptation to “pretend sacrifice” and keep the spoils may be hard to resist). But with Pablo Escobar, give me a break: how could any proposed TTP in such a case be indeed trustworthy?
Another problem facing capsular currency from transubstantiated cocaine would be its negotiability. A cryptographic encapsulation always exists in a provenance chain, so its unsavory roots, in this case, would be eternally inescapable. Indeed, why should anyone want to accept this form of currency? That’s the whole point of money laundering, to wash away the taint of bad associations that money has acquired. With capsular currency from transubstantiated cocaine, nothing will wash away that taint. If economic transubstantiation should ever become common and transubstantiated gold should ever circulate widely, no sane person would want to trade transubstantiated cocaine.
5.6 Units of Account
Every currency is based on a unit of account for assigning prices to things of value. Specifically, a price in the currency equates to a certain number of units in that account (whether whole or fractional) and is supposed to reflect the value of the thing to which the price is affixed. The main unit of account in the United States is the dollar, which is represented with the symbol $. For Bitcoin, the unit of account is the bitcoin, which is represented with the letters BTC or by the letter B with two little lines sticking out at the top and at the bottom. Thus we can refer to 100 dollars as $100 and 100 bitcoins as 100 BTC. But what about Peerless cryptographically encapsulated currency? What is its unit of account? If we were to let the Greek letter pi denote Peerless currency, what would pi100 or π100 denote?
This question is ill-posed. Cryptographic encapsulation does not supply a currency per se but a monetary framework capable of representing other currencies. Take the U.S. dollar, and specifically the amount $100. Normally, this amount is represented either as a Federal Reserve note with Benjamin Franklin’s face on it or as an electronic deposit in a bank. But it could also be represented as a cryptographic encapsulation whose value consists of a signed promissory note by a trusted third party to pay $100 to the capsule’s owner (namely, the agent who knows its private key). In principle, it would be possible to convert all U.S. dollars to such capsular currency: encapsulate signed promissory notes from a trusted third party to pay X-amount in U.S. dollars, where X ranges over the entire U.S. money supply. Even the fiat money creation of U.S. dollars could be represented within Peerless by the use of performatives embedded in cryptographic encapsulations (recall subsection 5.3 for representing fiat money by capsular currency).
Cryptographic encapsulation that’s at the heart of Peerless is therefore a technology for representing, in purely informational or virtual terms, any monetary system. This claim may seem a bit strong, but I challenge anyone who doubts it to come up with a monetary system that can’t be assimilated into Peerless. Even Bitcoin can be assimilated into Peerless: simply let the peer-to-peer network serve as the trusted third party and create (by fiat) items of Peerless currency denominated in the amounts that Bitcoin awards for winning block hashes, transferring ownership to those nodes or pools of nodes who are the winners. These awards of “virtual-bitcoins” would precisely mirror the actual awards of bitcoins, but, instead of being run through the Bitcoin blockchain, could now be run over the entire Cloud.
Of course, there’s now a double-spending problem here in that every actual bitcoin would match a virtual-bitcoin (the irony of actual bitcoins and virtual-bitcoins both being virtual is not lost on me). Coordinating these two currencies might be a challenge, at least for now, while the Bitcoin blockchain remains in full swing and all actual Bitcoin transactions are taking place over it. But what happens when the number of bitcoins awarded for a given block diminishes to the point that Bitcoin users are no longer incentivized to serve as nodes for Bitcoin’s peer-to-peer network? In that case, I could readily imagine the virtual-bitcoins coming to the fore and taking the place of actual bitcoins. The virtual-bitcoins, taking the form of Peerless encapsulated currency, could be readily exchanged without presupposing the original Bitcoin peer-to-peer infrastructure that would presumably become obsolete once users no longer found it profitable to keep it going.
To talk about Peerless as representing an existing currency suggests something like a corporate take-over: there’s the old currency using an outdated technology, and we’re going to capture all its essential features, encompassing both its actual money supply and its mode of money creation, mapping it isomorphically onto a newly encapsulated currency that works better — one that is more secure, operates frictionlessly, has better security, etc. And granted, there is something to be said for the improved efficiencies that cryptographic encapsulation promises to bring to existing currencies. But if all this technology does is redo existing currencies, which typically are highly centralizing monetary regimes of central banks, then it’s going to fall far short of its promise.
Thus, in describing cryptographic encapsulation as capable of representing currencies, I find it helpful to think in terms of not just taking over an existing currency but also running, in parallel with the existing currency, a simulated version of it. Currency simulation via Peerless as I’m imagining it can be a way of helping the needy at the expense of the greedy. Suppose, for instance, you are stuck in a monetary hellhole, i.e., a country whose government has implemented foolish and irresponsible monetary policies resulting not just in rampant inflation but also in extremely tight controls over what you can and can’t do with the very money that you find so problematic (such as not being able to exchange it for hard currency from another country). Reflecting on your predicament, you look longingly at those currencies that you respect and wish could be yours to use. Suppose the Swiss franc catches your eye, a bastion of monetary solidity, exhibiting low inflation year after year.
With cryptographic encapsulation you can form a simulated Swiss franc. Currency exchange markets, notwithstanding the restrictiveness of your own government in limiting exchange of its currency with others, will nonetheless list what your currency is worth against the Swiss franc (on the supposition, or pretense, that you could exchange it). Note that you’ll need to go with the floating exchange rate, as set by supply and demand in foreign exchange markets. The fixed or nominal exchange rate, as set by your monetary authority, will in all likelihood be bogus, valuing the currency you want to exchange way above its real worth (in an effort to gain hard currency at a discount). I had this experience in what was then communist Poland in 1973, where the Polish zloty was nominally trading at about 35 zloty to the U.S. dollar whereas on the black market you could get 70 or even 75 zloty to the dollar. The black market rate was the floating exchange rate.
To create a simulated Swiss franc with cryptographic encapsulation, you could therefore do the following: take out money in your currency and transubstantiate it into Swiss francs, sacrificing X number of units in your currency for the floating exchange-rate equivalent of Y units in Swiss francs. True, a trusted third party will be needed to confirm the transubstantiation and you will need a community that is likewise disheartened with the existing state currency and willing to sacrifice it, transubstantiating it into value captured by cryptographic encapsulation. Once done, however, you can thereafter declare yourself to be operating on the “Swiss standard.”
This recommendation bears an uncanny resemblance to fantasy sports leagues, in which you recruit real players onto virtual teams, and where the performance of the virtual teams depends on how the real players perform in reality. Likewise, with such simulated currencies, their performance would depend entirely on how the underlying real currencies perform. If the Swiss currency takes a tumble, that would need to be reflected in the corresponding simulated currency. But if your state currency really really sucks (think 1922 Germany, think Zimbabwe, think Argentina), then conducting business with such “fantasy currencies” can’t be any worse than what you have now and will in all likelihood constitute an improvement. And as long as we’re indulging in fantasies, I imagine, as a gesture of solidarity with monetarily oppressed peoples who implement simulated Swiss francs via Peerless, the Swiss government will occasionally offer to exchange the simulated Swiss francs for the real thing!
If cryptographic encapsulation can represent any currency, and if at least part of the reason for its invention is to bypass the fiat currencies of states and their central banks, then why not simply cut to the chase and use it to represent what historically remains the premier currency bar none, namely, gold? In other words, why not use cryptographic encapsulation to represent a full-fledged gold-backed currency, whether through a gold fund that maintains actual reserves or, more radically, through transubstantiated gold?
Transubstantiated gold would, presumably, redress the concern raised earlier about real physical gold being too easily stolen (theft of such gold reserves, and even the threat of such theft, undermining any gold-backed currency). But it remains to be seen just how far transubstantiation of valued material objects, and of gold in particular, can be successfully used in the creation and exchange of cryptographically encapsulated currency. Absent a significant amount of gold being transubstantiated, I don’t give gold much hope as a widespread monetary standard, the threat of confiscation of gold reserves being too real and present. I might be wrong and I might wish to be wrong about the vulnerability of gold for a gold-backed currency, but the history of gold over the last 100 years doesn’t inspire confidence for its impregnability as a monetary standard.
A more practical concern about gold needs also to be addressed in this context. Gold is constantly touted as a bastion of sound and stable money against an irresponsible monetary authority that creates fiat currency willy-nilly. But gold in the last decades has shown much volatility. Gold in 2006 was around $600 an ounce. Now in 2016 it’s at about $1,300 an ounce. And in 2011 it hit a decade high of $1,900 an ounce. By contrast, inflation, as gauged by the Bureau of Labor Statistics’ Consumer Price Index, has for that decade averaged under 2 percent annually, with prices in 2016 representing only a 20 percent jump compared to 2006, not the over 100 percent jump for gold.
Thus, in relation to the CPI, prices over the decade have shown a steady but gradual rise. On the other hand, in relation to gold, those same prices are all over the map. That’s not good news for gold given that price stability is a necessary condition for economic prosperity. Now it can be argued that the CPI, as calculated by the BLS, is skewed, and systematically underestimates actual inflation. But even if you look at what some might regard as a more realistic CPI, as computed for instance by ShadowStats.com, you will find an average annual inflation rate of about 5 percent and an inflation rate over the ten years from 2006 to 2016 of about 60 percent. That may not be good news for the American dollar either, but it still suggests a significantly less volatile dollar than gold.
Worth remembering in all this is that the fiat currencies that so outrage the gold bugs are also used to buy and sell gold, so the gold market is easily manipulated by the very forces that gold bugs want to defeat. To be sure, my sympathies lie with the gold bugs. And there have been times in history when gold has served to stabilize economies and minimize inflation. But even with a broader view of history, gold leaves something to be desired as a stabilizer of money. Take the 16th century, when gold and silver was flowing out of the New World at the hands of the conquistadors. During that time, with money and precious metals being largely synonymous, Europe saw a consistent annual inflation rate of 1 to 1.5 percent and a consequent trebling of prices between the start and end of the century. Such an inflation rate certainly seems tame by present standards, but it hardly represents a rock of economic stability. At a 1.25 percent inflation rate, $100 put in a mattress is, 30 years later, worth only $69 when adjusted for inflation.
Of course, that’s why we’re encouraged not to hide our money but to invest it, making sure, minimally, that it receives no less than the interest offered from standard debt instruments (savings accounts, bonds, etc.), and better yet, that it yields the more substantial returns from equity stakes in profitable enterprises. But the standard investments can themselves be quite volatile. Gains accumulated over years can be quickly wiped out: recall the Black Monday crash in October 1987, the dot-com collapse of 2000, and the housing crisis of 2008. But even if we leave aside such savage market retrogressions, leave aside inflation, and leave aside unrealistic expectations about upward trending market returns, investments also face the steady attrition of financial intermediation. As investor John Bogle puts it: “net return is reduced by the costs of our system of financial intermediation — brokerage commissions, management fees, administrative expenses — and by the taxes on income and capital gains.”
The risks associated with investing in the market and the certainty of conventional money losing value if uninvested begs for the invention of “forever” money. This would be money you could put in a mattress, go to sleep on it like Rip Van Winkle, and wake up 30 years later to find that its value is substantially unchanged. Sure, there would be a lot of newfangled goods to be bought when you wake up, but the old items that are part of a standard CPI basket of goods should still cost the same. Is something like this doable, like the forever stamp or the forever gift certificates described in subsection 5.2? With the creation of a novel currency, it’s never possible to know precisely how it will fare — whether users will trust it, want to use it, and assign one value as opposed to another to it. Expect the unexpected.
Nonetheless, if such a forever currency were possible, I suspect it would take something like the following form. For definiteness, let’s assume we want a forever currency in U.S. dollars indexed to the year 2000. Choose a representative basket of goods and calculate in dollars its price b in 2000. For subsequent times t, let bt denote the price of that same basket in (later) dollars. Note that the method of appraising the price bt of the basket at time t needs to be well-defined, rigorous, independent of biases (such as wanting for political reasons inflation to be up or down). Someone who puts up d dollars at time t gets credited d x (b/bt) in 2000 dollars, in cryptographically encapsulated currency.
What happens to those d dollars that you put toward the forever currency? If the economy is sufficiently in shambles, transubstantiation of d (i.e., burning it in the presence of a trusted third party and crediting this sacrifice to an item of capsular currency) is probably the way to go. If wealth funds can be maintained with minimal government interference, a treasury of items that maintain their wealth and whose prices have tended to correlate positively with the price of the chosen basket of goods may be the way to go. In the latter case, the forever dollars will also constitute shares in a wealth fund and thus the issue of redemption will need to be addressed (to incentivize use of the currency, there may need to be penalties on redemption; alternatively, redemption may be an option only if a majority of fund investors decide to discontinue the currency).
It’s unclear how such a forever currency would trade against the currency on which it is based. If the base currency is rapidly losing value, it might even happen that the forever currency would trade at a premium against the base currency (even with the price index factored in). On the other hand, to the degree that the base currency is maintaining its value and is easier to handle in commercial transactions than the forever currency, it could happen that the forever currency trades at a discount against the base currency.
In this discussion of forever currencies, it needs to be borne in mind that such currencies would simply not arise if the base currency were stable and unproblematic. Forever currencies would be introduced to redress instability, to stop the bleeding, to put the base currency out of its misery. The use of Peerless to foster such forever currencies should be seen as part of the larger effort to redress the centralization of money by states, which invariably results in abuses of power inflicted against ordinary citizens. Whether forever currencies ever gain popularity and widespread use is for me less the issue here than laying out ways that Peerless can be used as a force for decentralization, especially against irresponsible states and their central banks. Laying out such possibilities for Peerless was the point of this subsection.
5.7 Value in a Purely Informational World
Before leaving this section on the sources of value in Peerless, I want to return to the thought experiment with which this paper began. There we considered what ownership of money and its transfer would look like in a purely informational world. Money in such a world, we said in section 1, is essentially intellectual property, represented as information and cryptographically encapsulated. In the informational world laid out there, a timestamp marked all events in public storage and cryptography became possible because all computation required effort, such effort faced limits, and those limits made decryption, and in particular the inverting of certain mathematical functions, difficult if not effectively impossible.
We ended that section by noting that money in such an informational world could be denominated in units of account based on expended computational effort and also on time spent laboring by information-producing agents of that world. The first of these calls to mind the terahashes-per-second complexity measures associated with value in Bitcoin, and cashed out in subsection 5.4 in terms of kilowatt-hours, though in our informational world a purer measure of computational complexity will need to determine monetary value (e.g., number of floating-point operations). In our hybrid world of matter and information, calculating the amount of electrical energy needed to run computations suffices. As for the second possible unit of account for our informational world, time spent on labor, this calls to mind everything from Marx’s labor theory of value to minimum wage laws. Presumably, well-defined values attach to fixed intervals of time spent working on given tasks by agents in this informational world. Such time intervals can then serve as a unit of account.
Although money with its usual features (divisibility, fungibility, etc.) can thus be realized in the purely informational world of section 1, that world also displays some differences worth being aware of, difference that are interesting on their own but also notable for rounding out what it means for currency to operate in an information economy. Back in the late 1990s, before the Web really took off, but when it nonetheless became clear to prescient minds that the Web was going to revolutionize economics, Bradford DeLong and Michael Froomkin wrote some articles on “information economics,” addressing, among other things, the difference between conventional material goods and information goods.
DeLong and Froomkin noted that information goods exhibit two key features not shared with material goods: (1) An information good is “non-rivalrous,” meaning that its consumption does not prevent others from consuming it (unlike the taco on your plate, which if you eat it means someone else is not eating it; information can be used and reused with no attrition and no marginal costs). (2) An information good is “non-excludable,” meaning that once it is known, it requires concerted effort to exclude others from it (unlike the information in a hardcopy book, which excludes those who are not in physical possession of the book, if the book takes the form of pure information, it is easily accessed and transmitted unless special security measures are implemented).
Of these two features of information goods, the second has become far more significant economically, an outcome unanticipated by DeLong and Froomkin at the time. They seem not to have appreciated the extent to which information goods could be made excludable. In fact, we might say that the information economy has flourished by making information goods not just accessible but also extremely convenient to paying customers, who are by definition not excluded; at the same time, it has rendered information goods, if not completely inaccessible then certainly inconvenient, to non-paying customers, who are meant to be excluded.
Take Netflix. It’s all so convenient to pay Netflix to be able to stream movies and TV shows. The service keeps track of where you are in viewing a program. In consequence, you can readily move your viewing from one computer platform to another, picking up where you left off. There’s a convenience and portability here that’s absent from DVDs. And even though you could use video-capture technology to form your own library of bootlegged videos, the convenience and social propriety of working with Netflix’s service outweighs, for most of us, trying to circumvent it to save a few dollars.
So the lesson of information economics for the purely informational world of section 1 is that value resides in the ability to exclude access to information. Exclusion here should not be seen as all-or-nothing but coming in degrees. It may be possible with Netflix, for instance, to work around its security and gain access to its video offerings, but at a cost of inconvenience, and that inconvenience itself constitutes a form of exclusion. Also noteworthy here is that exclusion, as it has evolved in our hybrid world of matter and information, and as it provides insights into a purely informational world, centers less on single items of information than on information services that promise to deliver successive items of information of interest to users. If, for instance, Netflix only offered one film for viewing (say, Casablanca), it would quickly go out of business because video-capture technology would ensure that its service could easily be replicated. But by offering an array of informational possibilities that users desire and that they must engage with interactively and sequentially, Netflix is able to thrive in an information economy.
The claim that value in a purely informational world resides in the ability to exclude access to information certainly applies to cryptographic encapsulation. It’s not that an item of value V that sits in a capsule (H (E V)) [D] need in any way be excluded or rendered inaccessible to users (recall the running example in section 1 where V was vGuitarist painted by vPicasso — V was available for all to see and enjoy). But the claim to ownership of V by means of this capsule is certainly exclusive — only the knower of the private key (denoted by D) will be able to claim ownership. Moreover, with that knowledge, the present owner can transfer ownership exclusively to a new owner, excluding all other potential owners in the process.
The informational world described in section 1 obeys strict computational limits. It therefore runs on computational scarcity and thus allows for money to be denominated in measures of that scarcity. Our hybrid world of matter and information also runs on computational scarcity. It’s therefore possible to represent money in both worlds in terms of computational scarcity, which can serve as a unit of account. In consequence, many features of money as they exist in our hybrid world will also exist in the purely informational world (divisibility, fungibility, etc.).
Nonetheless, a feature of money that does not appear to translate readily from our hybrid world to a purely informational world is transubstantiation. The point of transubstantiation is to take something of obvious material value, destroy or sacrifice it, and thereafter ascribe the value that was sacrificed to an item of Peerless transubstantiated currency. Transubstantiation is thus supposed to move money from the crasser material plane to the higher informational plane. But if we’re in a purely informational world, we’re already operating in the informational plane, and so it seems that transubstantiation has no role to play in a purely informational world.
This conclusion seems right, but it’s worth pondering a bit more closely. Transubstantiation depends on destruction and transformation. It works in our hybrid world of matter and information because material objects can indeed be irrevocably destroyed. Such destruction is possible also for information embedded in matter, where the information is lost once the matter that contains it is destroyed. But in a purely informational world, where items moved to public storage remain forever, such destruction is not possible. Still, a variant of such destruction is possible, and it underscores that value in an informational world resides not in static items of information but rather in the potential for ongoing information-creation by agents in that informational world.
To see what’s at stake here, recall the film Good Will Hunting. Will Hunting is a 20-something math genius (played by Matt Damon), who works as a janitor at MIT. Gerald Lambeau (played by Stellan Skarsgard) is an MIT math professor and also a Fields medalist (the math equivalent of a Nobel laureate). Lambeau is therefore no slouch, but Hunting is way beyond him in mathematical ability. At a crucial point in the film, Lambeau commends his own efforts to advance Hunting’s career in mathematics and at the same time berates Hunting for not making the most of his talent:
I think you could show me some appreciation.
A little appreciation? Do you know how easy this is for me? Do you have any f—– idea how easy this is? This is a f—– joke. And I’m sorry you can’t do this. I really am because I wouldn’t have to f—– sit here and watch you fumble around and f— it up.
Then you’d have more time to sit around and get drunk instead, wouldn’t you?
You’re right. This is probably a total waste of my time.
You’re right, Will. I can’t do this proof. But you can, and when it comes to that it’s only about … it’s just a handful of people in the world who can tell the difference between you and me. But I’m one of them.
What just happened here? Why did Lambeau back off? What’s not evident in the script but is from watching the film is that Hunting was about to destroy the piece of paper on which he had proved a theorem whose proof was beyond Lambeau’s ability. Presumably, if Lambeau had seen and understood the proof, he could have reproduced it, and so it wouldn’t have mattered if Hunting had destroyed the piece of paper on which it was written. But in our hybrid world, where information inheres in matter, Hunting’s threat to destroy the proof was real. Hence Lambeau’s change of tune.
Question: In a purely informational world, could vHunting (a virtual version of Will Hunting) pull off the same threat? Could he in fact destroy vProof (the proof of the mathematical proposition that he threatened Lambeau with destruction)? The answer to this question is No. Once the proof is in public storage, as we’ve stipulated about our purely informational world, it is there to stay. So its destruction is not possible, and thus neither is its transubstantiation. Transubstantiation is thus something reserved for our hybrid world, not our purely informational world.
Nonetheless, a threat similar to the one made by Hunting in the film would be possible in our purely informational world. vHunting, instead of threatening to destroy the proof of a theorem that he had recorded in public storage, could inform a testy vLambeau that he had, in his mind (in private storage), proved the theorem, but that he would never make it public if vLambeau didn’t get off his back. In a sense, instead of promising to destroy existing static information, vHunting would threaten to shut off the spigot of creativity, refusing to provide the mathematical world at large with proofs of interesting mathematical propositions, proofs of such difficulty that only he, vHunting, could deliver them.
Such a move by vHunting is reminiscent of the running joke between British mathematicians Godfrey Hardy and John Littlewood. Hardy, who had a deathly fear of crossing the English Channel by boat would, when ready to board the vessel, dash off a postcard to Littlewood claiming that he had just solved the Riemann Hypothesis (or some other hugely important unsolved problem in mathematics), with details to follow. Hardy’s rationale was that God would not let him drown at the bottom of the English Channel with the mathematical community thinking that he might indeed have solved so famous a problem (God wouldn’t permit Hardy that distinction). The analogy here with vHunting is that Hardy’s spigot of mathematical creativity was threatened to be turned off, not intentionally, as with vHunting, but on account of Hardy’s premature death in crossing the channel. In any case, having successfully crossed the channel, Hardy would let Littlewood know that he was just kidding. An additional irony here is that Hardy was an atheist.
The failure of transubstantiation in a purely informational world points up that value in such a world resides not in static items of information but in the potential of its agents to create interesting and novel information. Exclusion does factor in here, but it is an exclusion not of items of existing and publicized information, but an exclusion of restricted access to the spigot or tap of creativity of the agent in question. vHunting can turn off the tap to his mathematical creativity. vPicasso can turn off the tap to his artistic creativity. That ability to turn on and turn off information is economically significant. Economics always presupposes scarcity, and the scarcity in this case is access to the information-creating potential of its agents.
Note that this last point about scarcity and limited access to the creative potential of agents holds even in an informational world not subject to limits on computing power. We need such limits for cryptographic encapsulation. Accordingly, transfers of ownership by Peerless technology would fall by the way in a world of unlimited computing power. But in an informational world of unlimited computing power, an economics of information is still possible. In that case, it would depend on the ability and willingness of agents to serve up information that only they are capable of producing.
In such a world (comprised entirely of information with no limits on computing power), ownership would depend not on cryptographic encapsulation (cryptography being impossible unless computation is constrained) but on authorship imparting a unique stamp or mark of identity on informational creations. Christos Yannaras put it this way about the artistic creations of Vincent van Gogh, but his point applies quite generally to a purely informational world unconstrained by computing limits: “We know the person of van Gogh, what is unique, distinct and unrepeatable in his existence, only when we see his paintings. There we meet a reason (logos) which is his only and we separate him from every other painter. When we have seen enough pictures by van Gogh and then encounter one more, then we say right away: This is van Gogh. We distinguish immediately the otherness of his personal reason, the uniqueness of his creative expression.” (Quoted from his Elements of Faith.)
Signatures in the conventional sense, whether written in cursive or as part of cryptographic signature schemes, thus become unnecessary in such an informational world of unlimited computation. The agents populating such a world put their unique imprint on their informational creations. Their identities become clear from the information they create. Ownership of information thus takes place automatically. This is ownership as authorship, where the authorship is unmistakable.
Where does such a world end? Obviously, it need never end since agents could, in principle, keep producing and communicating information indefinitely. But it is a world that can become boring if its agents don’t keep creating novel and interesting information. Indeed, we might say that hell for such a world is agents who keep repeating themselves, never able to rise to new heights of creativity. The flip side, of course, is a world of endless creative possibilities, where novelty and insight, and possibilities of communion, continually grow and are enriched. This would be heaven.
Theologian Gregory of Nyssa (335-395) would have agreed. In his understanding of heaven and eternity, created beings engage in a perpetual progression (Greek epektasis), reaching ever greater heights in striving to reach the unreachable God, thereby having their natures transformed into that of the divine (Greek theosis or Latin divinization). In this perpetual progression (the exact opposite of Sisyphus’s vain striving, in which he continually stumbles backwards and never gets anywhere), God is unreachable not because God deliberately blocks efforts to reach God, but because God’s infinitude makes God inherently unreachable to finite created beings like us. Perpetual progression makes God as reachable as God can be to us, and in so doing keeps eternity interesting (we might even say economically viable). Such an economic proof of God’s existence is of course not necessary to the formal description of Peerless, but it shows where the logic of any purely informational currency ultimately leads.
6 The Mechanics of Encapsulated Currency
Money is meant not simply to sit around but to be used to do things. For instance, if we have some money, we want to be able to divide it, giving part of it to one person, the rest to another. Conversely, if we have two pieces of money, we want to be able to merge them into a single entity whose value is the sum of their two values. This section shows that the things we ordinarily want to do with money can also be done with cryptographically encapsulated currency. More is true: it shows that cryptographic encapsulation allows us to do novel, and perhaps hitherto unsuspected, things with currency.
The following treatment of the money mechanics of cryptographic encapsulation makes no pretense at completeness. The mechanics of encapsulated currency can surely do a lot more than described here. The purpose of this section is to give some sense of the currency’s scope and power. Note that in what follows certain simplifying assumptions will be made, whose generalizations can be implemented straightforwardly:
(1) This section defaults, wherever convenient, to cryptographically encapsulated currency in its simplest form, largely ignoring different types of value and additional features, such as nonces, that could be incorporated into it (the mechanics described here can readily be extended to such elaborations of capsular currency).
(2) Whenever some action in the mechanics of capsular currency could involve an indefinite number of items, the focus will simply be on two such items, the generalization to more than two being straightforward.
(3) For ease of notation, the focus will, where possible, be on “genesis” encapsulations of the form (H (E V)) [D] rather than “successor” encapsulations of the form (H1 ((H D) (E1 V))) [D1], which record an invalidation and revalidation. Everything in the sequel done for genesis encapsulations applies, mutatis mutandis, to successor encapsulations.
Suppose Alice owns an item of value V embedded in the encapsulation (H (E V)) [D], where D is the private key associated with E that is known only to Alice. Assume that V = Vi + Vii, that is, V can be decomposed into two items of value, Vi and Vii, which, according to established accounting principles, jointly have the same value as V. Suppose further that Alice wants to transfer ownership of Vi to Bob and Vii to Carol. Here’s how she can do it:
=====BEGIN DIVISIBILITY PROTOCOL=====
STEP 1: Alice uploads (H (E V)) [D], thereby asserting her ownership of V.
STEP 2: Alice selects two pairs of public/private keys, E1i/D1i and E1ii/D1ii, and uploads the encapsulation (H1 ((H D) ((E1i Vi) (E1ii Vii)))) [D1i D1ii], where H1 is the hash for the list that follows, (H D) invalidates the previous capsule, and ((E1i Vi) (E1ii Vii)) decompose the value V into Vi and Vii inside two subcapsules (E1i Vi) and (E1ii Vii) respectively. Note that Alice knows both private keys [D1i D1ii].
STEP 3: Alice sends the private key D1i to Bob and the private key D1ii to Carol, upon which Bob forms and uploads (H2b ((H1 D1i) (E2b Vi)) [D2b] and Carol forms and uploads (H2c ((H1 D1ii) (E2c Vii)) [D2c], the private key D2b being known only to Bob, the private key D2c being known only to Carol.
=====END DIVISIBILITY PROTOCOL=====
This completes the division of money on Alice’s end as well as the transfer of these divided values to Bob and Carol respectively. Note that this approach handles not just the common problem of “breaking a hundred dollar bill” but also more general problems such as separating out tranches in collateralized debt obligations.
Suppose Alice owns items of value Vi and Vii, embedded respectively in the encapsulations (Hi (Ei Vi)) [Di] and (Hii (Eii Vii)) [Dii], where Di and Dii are private keys known only to Alice. Suppose V = Vi + Vii according to established accounting principles and that Alice wants to transfer ownership of V to Bob. Here’s how she could do that:
=====BEGIN MERGEABILITY PROTOCOL=====
STEP 1: Alice uploads (Hi (Ei Vi)) [Di] and (Hii (Eii Vii)) [Dii], thereby asserting her ownership of Vi and Vii respectively.
STEP 2: Alice selects the public/private key E1/D1, and uploads the encapsulation (H1 (((Hi Di) (Hii Dii)) (E1 V))) [D1], where H1 is the hash of the list that follows, ((Hi Di) (Hii Dii)) simultaneously invalidates the two previous capsules, and (E1 V) merges the values Vi into Vii into V from the two previous subcapsules (Ei Vi) and (Eii Vii). Note that Alice knows the private key [D1].
STEP 3: Alice sends the private key D1 to Bob, upon which Bob forms and uploads (H2 ((H1 D1) (E2 V))) [D2], the private key D2 being known only to Bob.
=====END MERGEABILITY PROTOCOL=====
6.3 Conjunctive or Joint Ownership
If Alice tears a hundred dollar bill down the middle and gives half to Bob and half to Carol, who owns the hundred dollars? Both Bob and Carol do. And since the tear is down the middle, neither can use the money unless they join their two parts of the bill. Cryptographic encapsulation can likewise be used to represent this type of joint ownership.
Suppose, therefore, that Alice wants to give to her two children Bob and Carol an item of value V, but wants them to own it jointly so that if they decide at some point to give it to Dan, it’s because they both agreed to do so. Here’s how this might work:
=====BEGIN JOINT OWNERSHIP PROTOCOL=====
STEP 1: Alice uploads (H (E V)) [D], asserting her ownership of V.
STEP 2: Alice chooses a pair of private/public keys E1b/D1b and E1c/D1c, and uploads the encapsulation (H1 ((H D) ((and E1b E1c) V))) [D1b D1c], where H1 is the hash of the list that follows, (H D) invalidates the previous capsule, and the pair of keys E1b and E1c conjoined by the logical operator “and” (conjunction) ensures that any successor capsule can invalidate this one only by displaying both the private keys for E1b and E1c, namely, D1b and D1c.
STEP 3: Alice sends Bob the private key D1b and Carol the private key D1c. Bob now uploads (H2b ((H1 D1b) ((and E2b E1c) V))) [D2b]. Note that Bob alone knows the key D2b.
STEP 4: Carol next takes this last capsule, and uploads (H3c ((H2b D1c) ((and E2b E3c) V))) [D3c]. Note that Carol alone knows D3c. Because D1b and D1c have now both been revealed and the earlier capsules invalidated, Alice has no more claim on V. But because Carol does not know D2b and Bob does not know D3c, neither can transfer ownership by oneself.
STEP 5: Suppose Carol and Bob now want to transfer ownership of V to Dan. In that case, they must each send Dan their private keys, namely, D2b and D3c. Once they do this, Dan can upload (H4 ((H3c (D2b D3c)) (E4 V))) [D4], asserting full ownership over V.
=====END JOINT OWNERSHIP PROTOCOL=====
6.4 Disjunctive or Shared Ownership
If Alice puts a hundred dollar bill in a drawer with a lock, and gives Bob a key to the drawer and also Carol an identical key, destroying all other keys, who owns the hundred dollars? Both Bob and Carol do. Yet in this case their ownership is shared in the sense that either can spend the hundred dollars. Cryptographic encapsulation can likewise be used to represent this type of shared ownership.
Suppose, therefore, that Alice wants to give to her two children Bob and Carol an item of value V, but wants them to share its ownership so that if either decides at some point to give it to Dan, either can do it with or without the approval of the other. Here’s how this might work:
=====BEGIN SHARED OWNERSHIP PROTOCOL=====
STEP 1: Alice uploads (H (E V)) [D], asserting her ownership of V.
STEP 2: Alice chooses a pair of private/public keys E1b/D1b and E1c/D1c, and uploads the encapsulation (H1 ((H D) ((or E1b E1c) V))) [D1b D1c], where H1 is the hash of the list that follows, (H D) invalidates the previous capsule, and the pair of keys E1b and E1c disjoined by the logical operator “or” (disjunction) ensures that any successor capsule can invalidate this one by displaying either of the private keys for E1b or E1c, namely, D1b or D1c.
STEP 3: Alice sends Bob the private key D1b and Carol the private key D1c. Bob now uploads (H2b ((H1 D1b) ((or E2b E1c) V))) [D2b]. Note that Bob alone knows the key D2b.
STEP 4: Carol next takes this last capsule, and uploads (H3c ((H2b D1c) ((or E2b E3c) V))) [D3c]. Note that Carol alone knows D3c. Because D1b and D1c have now both been revealed and the earlier capsules invalidated, Alice has no more claim on V and Bob and Carol now share ownership of it.
STEP 5: Suppose Carol or Bob now want to transfer ownership of V to Dan. In that case, either can send Dan his/her private key, namely, D2b or D3c. Once either does this, Dan can upload (H4 ((H3c D2b)) (E4 V))) [D4] or (H5 ((H3c D3c) (E5 V))) [D5], asserting full ownership over V. Note that invalidation of the capsule in the previous step requires only one of the private keys (i.e., D2b, D3c) because the two public keys (i.e., E2b, E3c) appear under the disjunction “or.”
=====END SHARED OWNERSHIP PROTOCOL=====
6.5 Conditional Ownership
Suppose Alice owns an item of value V and wants to make the giving of this item depend on the occurrence of two future contingent events Xi and Xii that are mutually exclusive and exhaustive (the number two here is, as remarked in the preamble to this section, not required; any number of mutually exclusive and exhaustive events or states of affairs whose occurrence or satisfaction can be determined unequivocally will do). Let’s say, further, that Alice wants Bob to own V if Xi happens and Carol to own V if Xii happens. Here is how she could handle this:
=====BEGIN CONDITIONAL OWNERSHIP PROTOCOL=====
STEP 1: Alice uploads (H (E V)) [D], thereby asserting her ownership of V.
STEP 2: She next uploads (H1 ((H D) ((cond (Xi E1i) (Xii E1ii)) V))) [D1i D1ii], where H1 is the hash of the list that follows, (H D) invalidates the previous encapsulation, and the pair of keys E1i and E1i are conditionalized by the logical operator “cond” relative to the events/states-of-affairs Xi and Xii respectively. These events are assumed to be mutually exclusive and exhaustive and to be guaranteed to occur before a clearly set deadline.
STEP 3: Alice sends Bob the private key D1i and Carol the private key D1ii. Bob now uploads (H2i ((H1 D1i) ((Xi E2i) V))) [D2i] and Carol now uploads (H2ii ((H1 D1ii) ((Xii E2ii) V))) [D2ii]. Next, they wait to see whether Xi or Xii happens. Let’s assume that Xi happens.
STEP 4: Since we assume Xi happened, ownership of V passes to Bob. Bob now claims possession of V by uploading (H3i ((H2i D2i) (E3i V))) [D3i], the encapsulation with top hash H2i being now valid because Xi obtained. By contrast, if Carol uploads the corresponding encapsulation (H3ii ((H2ii D2ii) (E3ii V))) [D3ii], this encapsulation will be invalid because its predecessor in the provenance chain, namely (H2ii ((H1 D1ii) ((Xii E2ii) V))) [D2ii] was invalidated by the occurrence of Xi, which is mutually exclusive of Xii.
=====END CONDITIONAL OWNERSHIP PROTOCOL=====
With conditional ownership like this, it’s worth having a safety net for Alice in case something goes wrong. For instance, suppose a coin is to be flipped. Heads and tails are for most practical purposes mutually exclusive and exhaustive. Yet what happens in case the coin lands on its edge?
It might thus be useful for the original owner to be able to reclaim V. Suppose therefore Bob uploads (H2i ((H1 D1i) ((Xi E2i) V))) [D2i] and Carol uploads (H2ii ((H1 D1ii) ((Xii E2ii) V))) [D2ii], but that by the appointed time neither Xi nor Xii happens. In that case, both these encapsulations are invalidated, for lack of Xi happening with Bob’s encapsulation, and for lack of Xii happening with Carol’s encapsulation. It therefore seems reasonable that Alice could simply form the new encapsulation (H2 ((H1 (D1i D1ii)) (E2 V))) [D2], invalidating the last known valid capsule in the provenance chain, namely, (H1 ((H D) ((cond (Xi E1i) (Xii E1ii)) V))) [D1i D1ii].
6.6 Terminated Cash and Permanent Invalidation
Bitcoins, once created, can never be destroyed, short of crashing the entire peer-to-peer Bitcoin network. Ordinary cash, on the other hand, can be destroyed. Take a $100 bill, burn it, and that cash no longer exists. The last subsection hinted at the possibility of encapsulated currency being invalidated with no revalidation in case conditional ownership, based on supposedly mutually exclusive and exhaustive events, runs aground because some outcome occurs that doesn’t fall under any of those events, at least one of which is supposed to be guaranteed. In that case, we went back to the last valid instance of encapsulated currency and did an invalidation/revalidation to update it.
But suppose it’s desirable to retire an item of encapsulated currency, period. This might happen, for instance, if the currency in question is a gift certificate that has been redeemed. Upon redemption, rather than reissuing it, the vendor may simply want to retire it. The most obvious way to do this is simply to invalidate the currency but also offer no revalidation, i.e., no new public/private key nor statement of value.
Thus to permanently invalidate a genesis encapsulation (H (E V)) [D], simply form (H1 ((H D) Ø)) [Ø], and for the successor encapsulation (H1 ((H D) (E1 V))) [D1], form (H2 ((H1 D1) Ø)) [Ø]. In both these successor encapsulations, the predecessor encapsulation has been invalidated, and yet the empty set symbol Ø confirms that no revalidation is on offer. The invalidation is therefore permanent and the cash value V has been terminated or destroyed.
This approach to permanent invalidation seems natural in light of how cryptographic encapsulations work. That said, it does seem to invite “monetary vandalism,” in which hackers who find valid private keys can use them to destroy currency.
An alternative approach might be never to let encapsulated currency die, similar to Bitcoin, so that any invalidation must include a revalidation of value, the accounting being consistent with past value. Thus, suppose Alice uploads (H (E V)) [D] and that Bob steals the key and uploads (H1 ((H D) Ø)) [Ø]. If revalidation is necessary for valid encapsulated currency, this would allow the first agent who uploads (H2 ((H D) (E2 V))) [D2] to assert ownership of V, where (H (E V)) [D] is its immediate predecessor in the provenance chain since (H1 ((H D) Ø)) [Ø], for lacking a revalidation, would not in that case constitute a legitimate form of cryptograhically encapsulated currency.
6.7 TTPs, Escrow, Smart Contracts
Imagine, in line with the example in subsection 4.2, a quasi-Soviet society in which use of encapsulated currency is widespread. Boris, let’s suppose, holds Aleksandr in prison and intends to torture him to reveal the private key D to (H (E V)) in order to take ownership of this item of encapsulated value and move it into the coffers of his tyrant boss, whom we’ll call Stalin. Now, if Aleksandr knows D or knows where D can be found, he may be out of luck, depending on Boris’s skill as a tormenter. Aleksandr’s challenge, in that case, will be to hold out under Boris’s torture in the hopes of maintaining D’s privacy.
But suppose prior to being arrested and imprisoned, Aleksandr had deposited (H (E V)) [D] in escrow with a trusted third party, making the private key D known to this TTP, and with clear instructions that if they didn’t hear from him with clear proof of life, or better yet proof of non-coercion, the TTP would transfer ownership to itself, using a new private key D1 and uploading the new capsule (H1 ((H D) (E1 V))) [D1], keeping this capsule and the private key D1 in reserve until such proof of life/proof of non-coercion could be established, at which point the TTP would divulge D1 to Aleksandr, enabling him to upload (H2 ((H1 D1) (E2 V))) [D2], thereby reasserting ownership of V. Of course, instead of requiring proof of life/proof of non-coercion, Aleksandr might simply have stipulated that the TTP transfer the new capsule (H1 ((H D) (E1 V))) [D1] to some friend or family member, thereby removing ownership of V entirely from Aleksandr’s reach (and thus from Boris’s reach as well insofar as Boris was hoping to extract from Aleksandr under torture the now invalidated private key).
This sequence of actions by the TTP could, it seems, also be carried out by a smart contract. Thus a program running in the Cloud could have (H (E V)) [D] uploaded and timestamped, have access to D, require some input serving as proof of life/proof of non-coercion to keep from invalidating this capsule, but then automatically invalidate (H (E V)) [D] absent that proof, establishing the new private key D1, uploading the new capsule (H1 ((H D) (E1 V))) [D1], and keeping it in reserve or sending the private key to some party designated by Aleksandr. If kept in reserve, the smart contract would do so until such proof can again be established.
Although the smart contract could in principle carry out the same actions as a conventional TTP, I’d be more inclined to trust the TTP. The problem with the smart contract is that Boris could, if a sufficiently able interrogator and tormenter, extract from Aleksandr not just the private key D to (H (E V)), which by that time would no longer be valid, but also the exact type of proof that would convince the smart contract that everything is okay with Aleksandr and thus turn over to him the newly validated (H1 ((H D) (E1 V))) [D1] that now contains the value that Boris, and his boss Stalin, are after. With a live intelligent agent at a conventional TTP, I suspect it would be much harder to provide convincing proof of life or proof of non-coercion when it really doesn’t exist.
Strictly speaking, this section doesn’t address the mechanics of cryptographic encapsulation per se since it doesn’t describe any new functionality of cryptographic encapsulation or variants of it. Rather, it addresses a superstructure that can be built on top of this technology, as through TTPs or smart contracts. It describes, therefore, a supplemental mechanics capable of working in tandem with the inherent mechanics of cryptographic encapsulation.
6.8 Additional Security
In subsection 4.4, while discussing the monetary miracle of Woergl, we raised the possibility of supplying Peerless encapsulated currency with additional security. Even without additional security, encapsulated currency can maintain complete anonymity about its ownership and its transfer of ownership. Nonetheless, without additional security, there remains a disconcerting transparency to encapsulated currency: cryptographic encapsulations are uploaded to a public ledger for all to see, and the values embedded in them are likewise perspicuous. Indeed, the capsules, without additional security, provide a transparent window onto the value they contain.
Suppose, for instance, (H (E Ø)) [D] is an uploaded empty capsule and V denotes $1,000,000 in bearer bonds issued by Bob, taking the form V = (Sb (H Eb P)) (see subsection 5.2 for how such promissory notes work in encapsulated currency). Suppose next that the owner of (H (E Ø)) [D] (i.e., the person who knows the private key D) now uploads (H1 ((H D) (E1 V))) [D1], knowing the private key D1 and thereby claiming ownership of the $1,000,000 bearer bond issued by Bob. Even if the owner responsible for these two capsules remains anonymous, the value V is there for all to see. Would-be thieves are going to be drooling over how to get their hands on V.
Additional security can now be introduced in various ways. One approach is to go with security above the top-level hash. Thus one can put all these capsules behind a security wall (requiring, for instance, username and password). Alternatively, one can encrypt all these capsules, e.g., (encrypt (H1 ((H D) (E1 V)))) [D1], as described in subsection 4.4.
The one worry about this high (i.e., above-hash) level of encryption is that it renders encapsulated currency a local currency, accessible only to those with access to the additional encryption. Moreover, revealing the encryption at some later time is unlikely to move such capsules from a local to a global currency in that by having been effectively created behind a security wall, it will be hard to confirm reliable timestamping and honest invalidation/revalidation sequences. Such above the top-level hash encryption therefore seems to ensure that a local encapsulated currency will forever remain local, credible only to those in the community invested in it.
Nonetheless, for encryption below the top-level hash, it does seem that the mechanics of encapsulated currency can proceed uninhibited, and that moving from a limited-audience currency to a wide-audience currency is much more feasible. Suppose, for instance, a community agrees to an encrypt/decrypt scheme below the top level hash. Thus, a known encryption device, which we’ll denote by “encrypt,” will be used for all the encapsulated currency in play within this community.
So, for instance, instead of (H (E V)) [D], the owner will upload (H (encrypt (E V))) [D] and transfer ownership by giving D to the new owner, who then uploads (H1 (encrypt ((H D) (E1 V)))) [D1]. Because everyone party to such transaction is in the community and knows encrypt/decrypt (the community might include as few as two agents), all the capsular currency mechanics as outlined earlier in this section continue to apply. Indeed, because the community can readily decrypt anything that’s encrypted, what’s under the top-level hash will be as readable to the community as fully transparent encapsulated currency that lacks additional security is to the outside world.
With such below-the-top-level-hash security, what the outside world sees are hashes applied to unreadable (encrypted) strings. If at some point those strings become readable because the method of encryption/decryption is made public, then those instances of encapsulated currency will become transparent to the world. Moreover, because the top-level hashes are totally public and timestamped, divulging the encryption/decryption method ratifies the entire provenance chain from the start.
This is like publishing an encrypted journal article that establishes priority for a solution to a given problem. Because of the encryption, there is no clarity at the time of publication about what has really been published and solved. But later, once the method of encryption/decryption is revealed, it will become clear when the solution was actually first known and, presumably, who the original author was (provided author information is included in the encrypted form of the journal article).
In case an encrypt/decrypt method is used in a provenance chain for additional security, as for instance in (H (encrypt (E V))) [D] —> (H1 (encrypt ((H D) (E1 V)))) [D1], it’s easy to disclose and make public the underlying non-encrypted provenance chain. To do this, let E* denote the key to encrypt below the top-level hash and D* denote the key to decrypt below the top-level hash (the cryptography here can be symmetric or asymmetric). In that case, by uploading (H2 ((H1 (D* D1)) (E2 V))) [D2] one simultaneously asserts transparent ownership of V and also makes transparent the prior capsules in the provenance chain.
To make a provenance chain that was previously encrypted below the top-level hash public by revealing its method of encryption and decryption is an irrevocable act: it turns a secret into public knowledge, and once public, it cannot be made secret again. That said, such encryption/decryption below the top-level hash does nothing to compromise the underlying encapsulated currency in its assignment and transfer of ownership. Provided the private keys are kept secure, it doesn’t matter whether there is additional encryption below the top-level hash and whether its method of decryption is revealed or kept secret. Additional security for encapsulated currency is just that, additional security. Its success or failure at maintaining its own security leaves the intrinsic security of cryptographic encapsulation unaffected.
As a cryptographically based monetary framework, the encapsulation technology described in this paper, and dubbed Peerless, makes certain technical demands. Are these demands so elaborate and complex as to make widespread implementation of this technology difficult? I want to suggest that cryptographic encapsulation as a technology for handling currency is in fact eminently practicable, reducing the complexities of cryptocurrencies to the bare minimum and extending their applicability as widely as possible. In this final section, I want therefore to take a wider view of cryptographic encapsulation, especially for turning it from a theoretical possibility into a practical enterprise.
7.1 Established Data Structures
Encapsulated currency uses well understood and well defined data structures from computer science. An item of encapsulated currency, or capsule for short, is, as noted, an ordered tree, represented throughout this paper as a nested list of the sort encountered in the programming language Lisp. Moreover, given that the mechanics of encapsulated currency allows for capsules to divide and to merge, it follows that what is called a provenance chain is really a directed graph (i.e., a collection of nodes with edges between nodes that show a direction from one node to another). Note also that the directed graphs that form provenance chains are connected in the sense that for any two nodes, there is a path consisting of contiguous edges that connect the two.
The nodes in such a directed graph qua provenance chain are thus items of encapsulated currency (cryptographic encapsulations or capsules, as we have been calling them). Nodes that have no edges leading to them are genesis nodes (items of encapsulated currency created from scratch). Nodes with no edges emerging from them are live nodes (items of encapsulated currency that have not been invalidated and represent current value). Moreover, any predecessors to such live nodes (nodes that by a direct path of edges lead to such live nodes) are invalidated nodes.
In any case, both the directed graphs (provenance chains) consisting of nodes joined by edges as well as the ordered trees (cryptographic encapsulations) that constitute these nodes are well understood and readily programmed. Moreover, given where computing power is and the room it has still to grow (Moore’s law keeps chugging along, at least for now), the computational tractability of using encapsulated currency on a worldwide scale seems eminently feasible, with far less waste per unit of currency than Bitcoin. Thus, it makes sense to think that the operation of Peerless encapsulated currency can readily be implemented on a large scale.
7.2 Home-Brew Technology
Cryptographic encapsulation is at base a home-brew technology. What I mean by this is that with modest knowledge and easily procured digital resources, you can make an item of encapsulated currency all by yourself. You don’t need to go to a store to buy it. You don’t need a factory to produce it. You don’t need a peer-to-peer network to establish elaborate and evolving protocols to implement it. Down the road, if this technology of cryptographic encapsulation takes off, support software of increasing sophistication will no doubt be written for it. But such software will be supplemental, improving efficiency; it won’t be fundamental to the technology itself.
If, for instance, you wanted to construct a cryptographic encapsulation around an item of valued information right this moment, you could do it. Here’s one approach (there are many):
Download Anaconda, the open data science platform running off Python (do this at https://www.continuum.io/downloads). Open the Jupyter notebook, which comes with Anaconda, and do so in the Chrome browser (it doesn’t work properly in Internet Explorer). Note, once Anaconda/Jupyter is downloaded, you can run it entirely offline, so you can have the offline security that is vital to Peerless security. Anaconda is big and contains a huge number of computational tools, among them hashing and public key cryptography.
Therefore, once you have Anaconda/Jupyter in hand and you’ve opened a Jupyter notebook, import the hashing functions and public key cryptosystem functionality that you want to use to form Peerless cryptographic encapsulations. You can do this by entering “import hashlib” to use SHA-256 or SHA-512 and by entering “from cryptography.hazmat.backends import default_backend” and “from cryptography.hazmat.primitives.asymmetric import rsa” to use RSA.
Next, form a public/private key pair E/D, represented in bytes. In addition, represent in bytes an item of valued information V that you own or can legitimately claim possession of. Take the string (E V), suitably represented in bytes, and form its hash H. For definiteness use SHA-256 and represent it in hex. Upload H in a place on the web where it can be timestamped (perhaps your own blog). Give it some time to gel. Then upload (H (E V)), also time-stamped, keeping D secret. If you have any questions, look up YouTube videos on Anaconda and Jupyter and go to docs.python.org for Python tutorials and libraries.
Caveat: The procedure just outlined may not attain the high level of security needed for Peerless to be truly secure. For instance, on the Python library page describing pseudo-random number generation, one reads, “The pseudo-random generators of this module should not be used for security purposes.” That may be. The above exercise gives proof of concept. If the Python library doesn’t cut it for truly secure cryptographic encapsulations, there are libraries that do. The algorithms that will do the heavy lifting for Peerless are free and readily available.
The exercise just described shows that cryptographic encapsulation is, at base, a DIY, or do-it-yourself, technology. More importantly, it shows that all the important computing in cryptographic encapsulation can be done offline. As far as the Web or Cloud are concerned, cryptographic encapsulation only needs static content, simply requiring items of data to be uploaded to online storage for viewing and timestamping. Cryptographic encapsulation does not require dynamic content, such as online computing by client-servers or peer-to-peer networks. In short, the computing necessary for cryptographic encapsulation to be successful can be done entirely on the individual user’s end, after which the resulting capsules can be uploaded as static data files. This keeps everything simple, under user control, and completely decentralized!
7.3 Verification, Search, and Accounting
Even though items of encapsulated currency can be uploaded by lone individuals using home-brew techniques, if such a currency is really to make a difference (where people will vote with their feet to use it, invest their wealth in it, and vastly expand the transaction volume beyond blockchain currencies like Bitcoin), then cryptographic encapsulation needs to be embedded in an infrastructure that makes its use smooth and efficient. This will require verification, accounting, and search.
Verification here denotes a clear means of deciding whether a given data structure is indeed an item of encapsulated currency or a provenance chain. This may require introducing some further conventions (e.g., conventions about concatenating strings and representing them via bencoding). It may also encourage conventions to block spamming by requiring proof of work via nonces that produce a certain length of leading zeros in the top-level hashes of Peerless capsules. Such a feature of capsular hashes might also provide a rough identifier of encapsulated currency, allowing false positives, perhaps, but eliminating much on the Web that, because of such a convention, will be excluded for evidently not constituting a cryptographic encapsulation.
Once a convenient means of verification is in place, it would be natural to index all encapsulated currency and subject it to search. Existing search engines could certainly handle this, and through their caching could also provide additional confirmation of timestamps. Moreover, web archives, such as at web.archive.org could provide a permanent record encapsulated currency, acting as further backup and maintaining the currency’s integrity in the face of a web that is constantly changing.
With verification and search in place, it would also be useful to have an accounting tool/app that can check on a provenance chain and determine that the numbers in its value positions all add up properly. This could presumably also be done by a search engine, but conceptually it may be useful to keep such accounting separate. The accounting in a provenance chain needs to make sense at each step along the way. If it doesn’t, some conventions are going to be needed to handle discrepancies, whether invalidating the entire provenance chain, invalidating it from the point of failure, or even downgrading the currently live nodes to a least common denominator that the immediately prior nodes equal or exceed.
In the accounting of encapsulated currency, it may be useful to employ, as a regulative principle, a Markov convention. The inspiration here comes from the theory of stochastic processes in probability theory, where a stochastic process is said to be “Markov” if the probabilistic properties of its present state are mediated entirely through the immediately prior state and not through the entire memory of past behavior of the process. Thus, imagine that an item of encapsulated currency is live and belongs to a provenance chain that reaches back tens or even hundreds of invalidated predecessor capsules. Given a Markov convention, all the accounting for this item would only depend on its immediate predecessors in the provenance chain rather than on the entire chain.
A Markov convention is not strictly speaking necessary to encapsulated currency, and nothing in the prior exposition demands it. But for encapsulated currency to operate according to a Markov convention would make its accounting significantly easier. Of course, even with a Markov convention, it is necessary for the accounting at each node in a provenance chain to be correct. But that correctness would be determined at each node by looking at immediate predecessors in the provenance rather than at the entire chain back to the initial genesis capsule(s)/node(s). As provenance chains grow and ramify, and as their accounting is vetted along the way, a Markov convention would thus ensure that correctness need only be determined locally rather than globally. The usefulness of such a convention seems self-evident.
7.4 Government Regulation
Any encapsulated currency is unlikely to submit to government regulation. For instance, consider the conditional promissory notes described in subsection 5.2. Cryptographic encapsulation allows conditional promissory notes to be transacted with complete confidentiality and full generality. This sounds innocuous enough, but let me put it in starker terms. Barring any fatal flaw in the Peerless technology, it means open season for derivatives and gambling of all sorts (since these all fall under conditional promises, with strong obligations to make good the promises if the antecedent conditions are satisfied). It means that derivative markets, for instance, have the freedom to run amuck and make whatever mess they like (especially when channeled through smart contracts), and that the mess may be so large that no federal or world government can clean it up.
Is the Peerless technology therefore the financial equivalent of giving everyone a gun and letting them shoot themselves and others? Frankly, when I reflect on the regulative capture of the SEC, the ability of Bernie Madoff to rip off tens of billions of dollars under the SEC’s noses (even when Harry Markopolos and his colleagues provided utterly compelling mathematical evidence of Madoff’s fraud a full decade before his public exposure), the marvelous ability of members of Congress to defy all probabilistic odds and consistently come out on top in their investments, the bailouts of the big banks and investment/insurance houses that were too big to fail, etc. etc., I say let the games begin.
People will learn and correct their behaviors or they will crash and burn. But facing the full consequences of one’s (financial) actions beats the constant handholding and handwringing and paternalism of those who know what’s best. Being treated like children by an elite that knows and is intent on enforcing what it regards as best is debilitating to any society and people. The fact is, the experts have shown themselves expert mainly at being able to cow nonexperts into submission, not in providing a healthy way forward. Better to sin boldly and pay the price than live a bloodless life of regulation and expert approval.
7.5 Enforcement of Agreements
Suppose two parties agree how an item of encapsulated currency is to be transferred and/or recompensed. Can such an agreement be enforced? Yes and no. If encapsulated currency is moved to a trusted third party or smart contract to be held in escrow until certain conditions to a transaction are fulfilled, enforcement is straightforward: either the third party/smart contract handles the transaction properly, in which case there’s no problem. Or it handles the transaction improperly, in which case there will be a provenance chain (and presumably electronic paper trail) and thus evidence for seeking legal redress (in the case of smart contracts, the redress would be from the organization running its software).
Absent such a third party or smart contract, enforcing the proper transfer or recompense of encapsulated currency may be possible if the identities of the parties to the transaction can be determined and a contractual arrangement between them indicates what was supposed to happen with some item or items of encapsulated currency. If a violation of the contract occurred, then there may be grounds for redress, though it may be that a whole new set of laws covering cryptocurrency transactions need first to be enacted (perhaps existing laws may be enough, but there’s a lot of uncharted territory here, especially if we’re talking cryptocurrency transactions on a grand scale).
Nonetheless, as soon as the parties to a transaction are anonymous, as cryptographic encapsulation allows them to be, there’s nothing to be done to counter the improper transfer or recompense of encapsulated currency. Once a private key is transferred from one party to another and a prior cryptographic capsule is invalidated only to have a new one validated, the transfer is complete and irreversible. Of course, we need to be talking true anonymity here, of the sort possible with the Tor anonymity network (not a seeming anonymity that upon closer scrutiny reveals an IP address and thereby the party in question).
While strict legal enforcement of anonymous-to-anonymous Peerless transactions may not be possible, incentives to do right may still exist. When people exchange cryptocurrencies anonymously, it’s not that the parties to the transaction are complete blank faces. They typically use pseudonyms, avatars, identifiers that, even if these do not explicitly name them, still assign to them a history and reputation. Social approval and disapproval will thus come into play, and parties that misbehave will quickly find that no one will do business with them. This is perhaps better described as moral suasion than enforcement, but it can be a powerful force for keeping a Peerless economy honest.
7.6 Taxation and Government Control
The prospect of taxing encapsulated currency raises an interesting challenge not for the Peerless encapsulation technology but for governments. Consider how difficult it was for the U.S. government to track down Ross Ulbricht and disable his Silk Road, whose transactions were conducted with Bitcoin over the Tor anonymity network. Presumably, none of the transactions there were taxed. So long as Peerless transactions are truly anonymous (the anonymity applying not only to the parties to a transaction but also to any third party that guarantees value to items of encapsulated currency), government will have no way to claim a piece of the transaction, much less to hinder or divert it. This is doubly true if the encapsulated currency used is encrypted below the top-level hash and its encryption is so secure that government can’t even identify the item of value embedded in the currency.
Of course, the more wealth gets transferred under the Peerless umbrella, the more eager government will be to get its slice of the Peerless pie. Clearly, some taxation of Peerless would become unavoidable as encapsulated currency is increasingly used to pay for items, especially those that fall under government scrutiny (everything from utilities to cars and homes to medicines and medical care). Insofar as Peerless can stay under the radar, facilitating payment for things that government cannot monitor, it should be able to avoid taxation. Whether it actually should avoid taxation is another question. At the entrance of the IRS building in Washington, D.C. are these words by Oliver Wendell Holmes: “Taxes are what we pay for a civilized society.” I agree that taxes have this role in society. The challenge in our day is for taxes to be just.
But how to decide what’s a just tax? Certainly government thinks it’s in a position to make that decision and to enforce it. At the same time, government is ever intent on maintaining a monopoly over money through its central bank. It follows that government would want to pass laws that require value encapsulated as Peerless currency to be taxed, assuming Peerless ever gets popular enough. Yet leaving aside the use of Peerless encapsulated currency to purchase items directly under government scrutiny, enforcing such laws will be difficult, short of a police state. One possibility I could envision here is a soft police state in which an “internet of things” is mandated so that every device that could possibly be used to produce the private keys needed for the Peerless technology to work is somehow connected to wifi and subject to government monitoring.
Manufacturers of all hardware would thus be required to install what essentially are listening devices in everything from the computers we use (capturing everything on screen and in memory) to the very keyboards we punch (recording every keystroke). In that case, say goodbye to all secrets. But also say goodbye to all privacy and all freedoms. Such a scenario would surely issue in an arms race where advocates of freedom from government scrutiny would find ways to bypass these controls (disabling the wifi directly, working in Faraday cages, adding layers of cryptography to prevent government snooping, etc.).
Government could then, perhaps with Kenneth Rogoff in the lead, wring their hands and assure us that such invasive surveillance is necessary not so much to ensure that they can properly tax Peerless encapsulated currency as to stop criminal and terrorist networks from abusing cryptocurrencies and thus from achieving their nefarious ends. Do you like your freedom merely crushed or do you prefer it pulverized? Rest assured that government, with the NSA in the lead, will want to see Peerless and all cryptocurrencies that compete with the central bank compromised.
My best guess is that it will be impossible in the end for government to control Peerless against determined users of the technology who insist on freedom over convenience. That said, I can see governments incentivizing the use of their fiat currencies, offering ever increasing entitlements through their currencies, and as much as possible penalizing those who use “alternative” currencies, perhaps even shaming their users as giving cover to rogue powers.
Monetary theorists differ on whether money is inherently a creation of the state. I’m clearly on the side of those who say the state has no essential role in money creation. I’d go even further and say that given current technology, government has no legitimate role in money creation — its role in money creation is unnecessary and counterproductive. I see history as on my side in making such a claim. That history is long and runs from Croesus through Constantine through the present, but it’s enough for my purposes to focus on U.S. monetary history. This is not to say that the state has no interest in money creation and may not assist in its creation. But it is to say that the state is unnecessary.
Now it’s certainly true that the U.S. Constitution empowers Congress to coin money and disallows the states from doing the same. Thus, from Article 1, Section 8: “The Congress shall have Power … to coin Money, regulate the Value thereof, and of foreign Coin, and fix the Standard of Weights and Measures.” And from Article 1, Section 10: “No State shall enter into any Treaty, Alliance, or Confederation; grant Letters of Marque and Reprisal; coin Money; emit Bills of Credit; make any Thing but gold and silver Coin a Tender in Payment of Debts.”
But note that the money we’re talking about here is silver and gold coin. To obtain silver or gold coin back in the late 18th and 19th centuries, you took your silver or gold to a mint and then, perhaps after paying a fee known as seigniorage, had the mint return it to you in the form of silver or gold coins.
Now ask yourself this: did you really need to take that silver or gold to the mint? If you could have formed the silver or gold into coins indistinguishable from those produced by U.S. government mints, in purity and form, would you have done anything to upset or defraud the U.S. money supply? The same question about today’s fiat money results in a very different answer: if you could produce paper currency on your own that is indistinguishable from the fiat paper currency printed by today’s mints, you would be guilty of counterfeiting, upsetting the money supply, debasing the currency. But if you turned your silver or gold into coin indistinguishable from the coin of the land, your sin would not be against money but at most against the conventions by which the state said that money should be produced. The coins would function identically in either case.
Peerless, I submit, is in the same boat in this regard as silver and gold coin. It is not inherently a creation of the state. It doesn’t have to be and it’s probably better if it’s not. Moreover, Peerless encapsulated currency is impossible to counterfeit or defraud, short of a blanket refutation of public key cryptography, because the only way to become part of a provenance chain is by knowing the private key of a currently valid node (monetary capsule) in the chain.
Bottom line: If you like your money controlled by the state and the restrictions on freedom thereby imposed, then Peerless is not for you. On the other hand, if you want a form of money that the state can’t touch, short of the state crashing the Internet or introducing draconian measures so extreme that its control of money becomes the least of your concerns, then you seriously need to consider becoming a Peerless user.
Coda: The book of Revelation in the Bible contains a passage that is perennially popular in this age of information and government surveillance. It describes, in Rev. 13:16-17, a “Beast” that “forced all people, great and small, rich and poor, free and slave, to receive a mark on their right hands or on their foreheads, so that they could not buy or sell unless they had the mark, which is the name of the beast or the number of its name.”
Regardless of any underlying theological or historical truth to this passage, it raises the disconcerting prospect of all economic transactions occurring at, and only at, the permission of government. Specifically, the Beast (representing tyrannical government) needs to authorize individuals before they may engage in even the most basic economic transactions. Moreover, these same individuals, in return for government permission to trade, need to offer homage to the Beast (in the form of a mark on their persons).
If money is, in essence, a creation of government, as it is with fiat money, and if such money is entirely digitized and deposited in banks authorized by government, then every transaction will occur with government scrutiny and thus at the discretion of government, which can permit or veto any transaction at will. We may call it our money, but we can spend it only if government says we may spend it.
Economic tyranny like this becomes entirely feasible once government assumes complete control of money. On the other hand, Peerless, by radically separating government from money creation, derails government control of money and thereby defangs the Beast.
7.7 Security of Private Keys
Aside from the invention of a time machine or the discovery of some way to universally defeat public key cryptosystems, the security of encapsulated currency depends on one thing and one thing only, namely, the ability to keep private keys safe, period. Keep the private keys safe, and the currency remains safe. Compromise the security of the private keys, and encapsulated currency becomes fair game to fraud and theft.
Where then to store the private keys? The options are many and their safety varies. Storing them on the Cloud or on a computer that is connected to the Cloud is, of course, an option. Any such storage is, for minimal safety, going to require that the keys themselves be encrypted. But where are you going to store the encryption/decryption method that provides access to the private keys you are using for your encapsulated currency? Online? You may get lucky and keep your private keys safe in this way, but you are also inviting hackers to use all the tricks of their trade to steal your keys.
Better, therefore, is to keep your private keys entirely offline, or, if sending the keys over the Internet to someone as part of a capsular invalidation/revalidation transfer of ownership, doing so with heavy encryption, used momentarily, only to take the private keys offline as soon as possible. But if storing the keys offline, how should you do it? Options include a dedicated offline computer, flash memory, polycarbonate disks (CDs, DVDs), and more. Such measures may keep your keys safe from online hackers, but what about more energetic hackers who invade your physical space and hack from your very own terminal (perhaps hackers who have formal titles as government agents intent of reining in your use of encapsulated currency)?
If we think of encapsulated currency not merely as a short-term means of handling financial transactions, but rather as a store of value that we might want to hold onto for years to come, then the usual digital means of storage all suffer serious drawbacks. Consider the following data storage lifespans (from storagecraft.com): “magnetic data such as tapes (10 to 20 years); Nintendo cartridge (up to 10 years); floppy disk (10 to 20 years); CDs and DVDs (5 to 10 years unrecorded, 2 to 5 years recorded); Blu-Ray (not certain, probably over 2 to 5 years recorded); M-Disc (1,000 years, theoretically); hard disk (3 to 5 years); flash storage (5 to 10 years or more, depending on write cycles).”
The one storage medium that stands out here is the M-Disc, to which we’ll return shortly. The rest, however, have shorter lifespans than the books on your shelf. Of course, higher lifespans may be possible if these media are stored in hermetically sealed environments. Thus estimated lifespans for DVDs run as high as a hundred or more years. But with use, as anyone who owns DVDs knows, especially in the hands of small children, DVDs and polycarbonate discs in general are fragile and degrade easily. And even if the degradation is gradual by some measures (many of my old music cassettes from the 1980s still sound okay, though not great), degradation of digital information that allows no room for error is another matter, and that’s what we’re talking about with private keys needed for encapsulated currency.
Is the longevity of the M-Disc for reliably storing data really two to three orders of magnitude better than the other media listed above? The M-Disc is an optical media storage disc, like a DVD, but with the information engraved on metal and thus advertised as able to preserve data for 1,000 years (the “M” in M-Disc is for “millennium”). But stress tests performed on these disks by the American and French governments suggest that these disks do not perform well under high temperature and high humidity (80 degrees centigrade, 85 percent humidity), and that their longevity under such conditions cannot be counted on to be much better than that of DVDs.
The forces of entropy thus make reasonably short work of all these media, and the only way to ensure that the data recorded on them are not lost is to continually renew them by recopying. But the forces that contend with these media can also be more intense than entropy. High temperature, for instance, can ruin all of them instantly, and that includes the M-Disc, whose engraved metal information can readily be lost because it is bonded to the same polycarbonate that’s also in DVDs and that readily melts and burns at comparatively low temperatures.
What, then, is an exacting Peerless user to do who wants to preserve — really preserve — the private keys to one’s encapsulated currency. Human ingenuity is certainly capable of solving this problem effectively in multiple ways. What follows is an approach that intrigues me, inspired in part by physical Bitcoin wallets, which employ metal surfaces, sometimes taking the form of coins, sometimes even made out of precious metal, onto which Bitcoin keys are inscribed. Most of these physical Bitcoin wallets strike me as pretentious, some of them even coming in display cases, proclaiming to the world “Look, I own bitcoins.”
Nonetheless, engraving the private keys of cryptocurrencies on sturdy metallic substances has, in my view, much to commend it, bypassing electronic snoopers, along with providing an impressive durability to crucial data, a durability unseen in electronic computing, which is too easily compromised through physical insults (everything from fire to EMP weapons). My proposed method for securing the private keys of encapsulated currency employs tungsten carbide. Before laying out this method, a brief overview of tungsten carbide is in order.
Tungsten carbide is relatively cheap, for the last 10 years averaging about $15 a pound. It is capable of being machined to high tolerances and readily etched with precision by lasers (laser-etched tungsten carbide jewelry is becoming popular). It is also extremely hard and durable. It is twice as stiff as steel and has twice steel’s density. Its hardness is comparable to corundum, which on the Mohs scale of mineral hardness puts it at a 9, ahead of topaz, which scores an 8, though behind diamond, the extreme end of the scale, which scores a 10. Best of all, tungsten carbide is extremely resistant to heat, having its melting point around 2,870 degrees Celsius / 5,200 degrees Fahrenheit. Steel, by contrast, melts around 1,400 degrees Celsius / 2,500 degrees Fahrenheit. Private keys recorded on tungsten carbide should therefore survive most fires — an average campfire is 930 degrees Fahrenheit, and an average house fire is 1,100 degrees Fahrenheit.
=====BEGIN METHOD FOR SECURING PRIVATE KEYS=====
STEP 1: Form a private key with a computer that’s offline, and copy the key into a thumb drive. (For multiple keys, simply repeat this and the following steps for each key.)
STEP 2: Take the thumb drive and attach it to an offline laser-etcher, which inscribes alphanumeric characters in three sizes: large (visible to the naked eye), medium (visible with a low-powered microscope), small (visible with a high-powered microscope).
STEP 3: Insert a carefully machined, extremely smooth-surfaced piece of tungsten carbide. I’m imagining a square wafer with 1 to 1 and 1/2 inch sides, or 3 to 4 centimeters, but the precise dimensions can be varied in light of user needs and convenience. This square piece of tungsten carbide can be written on front and back. It can look like a flash memory card.
STEP 4: Laser-etch the key onto the tungsten carbide square. Using a second tungsten carbide square, do this again, making a backup.
STEP 5: Confirm that the key has been accurately recorded onto the tungsten carbide square: the laser-etcher should also come with an optical reader; read the key from the square and confirm that it matches the key recorded on both the thumb drive and the offline computer you used to generate the key in the first place.
STEP 6: Completely erase the thumb drive, turning all its bits to zero (the laser-etcher should have this “zeroing-out” capability). Likewise, make sure that the key is thoroughly erased from the offline computer you used (simply putting the key into “trash” won’t do it — you’ll need to thoroughly scrub any place in this computer’s memory that might have held the key).
STEP 7: Store the two squares each in a different safe place (safety deposit box? home safe? hole in the ground?).
STEP 8: When you need to recover the key, retrieve one of the tungsten carbide squares with it, put the square in the etcher, attach a thumb drive, and have the optical reader transfer it from the tungsten carbide square to a thumb drive. Confirm that the digital sequence that’s now on the thumb drive and that’s etched on the square match up.
STEP 9: Use the thumb drive to do what you need to do with the key. If you are using it to transfer ownership of encapsulated currency associated with that key, then you’ll be sending the key to someone else, who will then invalidate it, validating another key in its place. Thus, you’ll no longer need to keep that key, which has now been invalidated, secure. In that case, provided there are no other currently valid keys on your tungsten carbide square, you can recycle it, having it scraped and smoothed for reuse (in the tradition of the palimpsests of ancient times, which scraped scrolls of writing to reuse them).
=====END METHOD FOR SECURING PRIVATE KEYS=====
This, in broad strokes, is the method I would use, or at least would like to see tried, for long-term secure storage of Peerless private keys. Of course, there are details to be worked out. Stress tests will need to be performed to determine just how durable these tungsten carbide squares really are at preserving various types of laser-etching. Moreover, it may be advisable to supplement this method with additional layers of security.
For instance, it may be wise, in some circumstances, to add password protection to keys formed and read by the laser-etcher. Adding such password protection, however, would have the disadvantage of making the tungsten carbide squares not totally self-contained — if such passwords are lost, the keys on the squares may be unrecoverable. Then again, a known private key will compromise any valid item of encapsulated currency exhibiting the corresponding public key. So there are tradeoffs to be considered.
The general method just outlined for secure long-term storage of Peerless private keys certainly seems doable, but it is going to require some research, development, and manufacture. Reliable laser-etching devices will need to be invented and mass produced. Optimal means of etching will need to be determined to ensure that keys are not “rubbed out” through handling, body oils, dirt, high temperatures, and other stresses. The laser-etching method needs to record keys quickly and reliably, without consuming too much energy. Optical character recognition of the keys also needs to work quickly and reliably. It should be possible to add keys to tungsten carbide squares that already have keys recorded on them but that still have room for additional keys.
Ideally, each person who is serious about owning and operating encapsulated currency should have such a laser-etching machine. Indeed, you don’t want to be using someone else’s machine unless you totally trust the person. An untrustworthy third party whose laser-etcher you are using may introduce a secret reader that captures your keys into a hidden memory as you are recording them on the tungsten carbide squares.
Whether this do-it-yourself method for securing Peerless private keys takes off remains to be seen. I think it can be made reasonably convenient. That said, its convenience will never rival the convenience of using an exchange that offers to take your keys, handle their security, and allow you to transact encapsulated currency without them (the keys being in the background and controlled by the exchange). Such exchanges will require much more elaborate security than just described and most likely will base their security entirely on cryptography operating electronically (no purely physical media to record the private keys).
I personally am not convinced that the convenience of the exchanges will be worth it. If Bitcoin exchanges are any indication (e.g., Mt. Gox), these exchanges pose grave risks. If a Peerless exchange gets hacked and your encapsulated currency gets ripped off, there won’t be any insurance to make it up to you. Like bank runs before FDIC insurance, hacked Peerless exchanges will become insolvent and fold, and you’ll be out on your ear. The DIY laser-etcher, whether realized as described above or inspiring some other DIY technology for recording and reliably preserving private keys, promises the better safety in the long run. But beyond that, exchanges claiming to obviate such DIY technology represent a recentralization of financial authority. A DIY technology for securing private keys is therefore going to be superior for advancing the ideal of decentralization.
7.8 The Way Forward
In The Prince, Niccolo Machiavelli remarked, “It must be considered that there is nothing more difficult to carry out nor more doubtful of success, nor more dangerous to handle, than to initiate a new order of things. For the reformer has enemies in all those who profit by the old order, and only lukewarm defenders in all those who would profit by the new order, this lukewarmness arising partly for fear of their adversaries, who have the laws in their favor; and partly from the incredulity of men, who do not truly believe in anything new until they have had actual experience of it.”
Machiavelli is absolutely correct here about the difficulties of reform. Yet the beauty of Peerless is that his insights about reform are irrelevant. Peerless is not about instituting a reformation, it is not about getting people to come on a bandwagon, it is not about everybody coming together, seeing the light, and making the world a better place (Who doesn’t want to make the world a better place? Who actually does make the world a better place?). Peerless is about decentralization, it is about separation, it is about opting out of failed and corrupt systems. Peerless says “Don’t tread on me.” It says “Let me tend my garden without your meddling.” It says “Stop constantly looking over my shoulder, telling me what I can and can’t do with my money, and taking a cut on top of it for your unwanted advice.”
The greatest challenge to our freedom is the centralization of power. We live in a technocratic age in which the centralization of power is easier than at any time in the past, where technology, everything from surveillance by the NSA to nudges by behavioral economists, can gently but firmly guide us to do the things that centralizing elites know we should be doing, all for the benefit of some greater global good. The technologies that today compel compliance are kinder and gentler than the ham-fisted torture implements of past tyrants and benighted ages, but they crush freedom and the human spirit just the same.
Peerless encapsulated currency represents a counter-technology to the technocrats. As I finish writing this paper, the latest emails posted on Wikileaks include the heartwarming sentence, “We’ve all been quite content to demean government, drop civics and in general conspire to produce an unaware and compliant citizenry.” In the same vein, MIT professor Jonathan Gruber boasted some time back that in the passage of the Affordable Care Act, “Lack of transparency [was] a huge political advantage. And basically, call it the stupidity of the American voter, or whatever, but basically that was really, really critical for the thing to pass.” Bottom line: the unwashed masses are morons who need to do as they’re told.
But the unwashed masses don’t need to do as they’re told. And they don’t need to be morons provided they educate themselves. The world of money and banking is not rocket science. With a few more years, Moore’s law will guarantee that anyone with a personal computer can keep track of all the world’s financial transactions. So why do we need bankers? Why do we need politicians making monetary policy? Why do we need regulators whose overriding desire is to be hired by the very financial concerns that they’re supposed to be regulating? A key lesson of Peerless is that money needs to embody real value. If it does that, it will take care of itself. When politicians and economists engage in machinations over money, it is because our fiat moneys don’t embody real value. Precisely because the money is bogus, it needs constant care and shoring up.
If Peerless ever “takes off” (an expression I’ve used more than once in this paper), it will not be because of any generosity of spirit or broadness of vision on the part of our technocratic elite, who like statism and central banks just fine. It will be because individuals decide that they’ve had enough of self-dealing monetary authorities, and see in Peerless some possibility of economic and financial freedom. I expect things will start out small, with local and underground Peerless economies, that steadily gain steam as statist currencies become increasingly difficult to prop up, based as they are on unpayable debts, and especially as these mount to unprecedented levels so that even the pretense of paying them off or refinancing them becomes unsustainable.
Who gets to use Peerless? I debated with myself whether to make this virtual technology available through a Creative Commons license, but decided against it, at least for now, because I wanted to forestall efforts by established financial concerns from using this technology to centralize financial power at the expense of ordinary individuals and communities, especially those in the majority world that would like to use this technology to redress poverty and escape corruption. Given that Peerless was invented with the avowed aim of decentralizing money, such concerns should be unwarranted. Notwithstanding, we live in a world of unexpected consequences. Harboring such suspicions, I therefore assert my copyright of this paper and have applied for a nonprovisional utility patent with the USPTO for its subject matter.
Yet despite availing myself of such protections, I desire to see this technology widely deployed in ways where I could not assert my rights to it or enforce payment for its use even if I wanted it. Indeed, if this technology does what it is supposed to do in keeping ownership of information and its transfer completely confidential, then any rights to this technology become unenforceable provided it is applied in a fully decentralized way that advances individual human freedom. My gauge for the success of Peerless will be how widely it is adopted and how thoroughly it is decentralized, the latter being measured by its immunity to enforcement and regulation.
Epilogue: Radical Decentralization and Freedom
Note: I wrote the essay that comprises the epilogue below back in 2010 at the request of a Washington Times editor for their “Communities” blog. The essay (or at least part of it) was posted there for a time, but with a change in editors and reorganization of the blog, it was without notice removed. I’ve updated the essay here slightly in order to bring it in line with the preceding paper. As I was writing the essay below six years ago, the Peerless monetary framework was already clear to me in broad outlines. Bitcoin had just come on the scene, but I remember talking with some computer scientist colleagues of mine at Baylor University about its inadequacies — that its peer-to-peer network and use of the blockchain technology failed to make Bitcoin sufficiently decentralized. This epilogue, therefore, describes my motivation for developing Peerless.
In the 1980s, as a mathematics graduate student at the University of Chicago, I had a friend with an odd reason for studying molecular biology. Most graduate students that I knew got into the sciences because they had a talent for it, enjoyed it, and stood to make a living at it. I was one of them. By contrast, my friend’s overriding concern was to do an end-run around irresponsible bureaucrats and corporations. As he put it, “Instead of fighting them politically to stop polluting the oceans, better to spend my time developing biological agents that will clean up their mess.” He said this well before the Exxon-Valdez and BP disasters.
Last I was in touch with him, he had left the University of Chicago, joined the Marines, and then went on for a law degree. Perhaps he wasn’t quite as politically unconventional as he made out (looking him up on LinkedIn, one finds that he now practices intellectual property law). But his aim, even if weak on follow-through, left an impression on me and inspired a principle that now, in an age of increasingly irresponsible bureaucracies, monetary authorities, and special interests, seems particularly urgent: instead of trying to get the wrong people to do the right thing, make it impossible for the wrong people to keep the right people from doing the right thing. Let’s call this the Principle of Radical Decentralization. More on the name of this principle as we proceed.
This principle may sound a bit convoluted, but I’m not sure it can be made simpler. Strunk and White, in their Elements of Style, recommend against the overuse of negatives, and in general they are right. This principle certainly piles one negation on another. But negation can bring clarity and closure where positive formulations leave loopholes that are too easily exploited. “Thou shalt respect other people’s property” seems a bit weak. “Thou shalt not steal” is more to the point and closes off rationalizations that attempt, for instance, to redistribute other people’s wealth.
Or take our First Amendment: “Congress shall make no law respecting an establishment of religion or prohibiting the free exercise thereof…” The negation in this statement makes clear that government is to keep its hands off religion — period. Compare our First Amendment to the Canadian Charter of Rights and Freedoms. The Canadian Charter purports to guarantee certain “fundamental freedoms,” such as “freedom of conscience, religion, thought, belief, opinion, and expression.” Isn’t it nice that Canada cites these fundamental freedoms explicitly and extols them?
But what happens when my freedom of religion conflicts with yours (religions have been wont to disagree)? More to the point, what happens when I regard the negative things you say about my religion as a violation of my human rights. Having made a positive statement guaranteeing religious freedom, Canada now assumes the obligation to settle such conflicts, which it has done through its Human Rights Commission, with its fourteen tribunals scattered throughout Canada. These, in turn, have systematically undermined freedom of religion and expression throughout Canada — as Ezra Levant makes clear in Shakedown.
Give me our First Amendment, with its blanket negation, any day over Canada’s piffle about guaranteeing freedoms. If you have no authority to legislate my freedoms, then I’m truly free, at least from you. But if you are a guarantor of my freedoms, even a well-intentioned one (whatever that means), you can also abridge my freedoms. And what guarantee do I have that you won’t abuse that power? Who’s guaranteeing the guarantors?
To underscore the clarifying power of negation, consider this advice by the Roman rhetorician Quintilian: “Write not so that you can be understood, but write so that you cannot be misunderstood.” The problem with merely writing so that you can be understood is that the wrong people, in advancing their agendas, are only too ready to misunderstand you. Writing so that you cannot be misunderstood anticipates and preempts those who would willfully distort what you are trying to say. It would seem our Founding Fathers took Quintillian’s maxim to heart. If they hadn’t, activist courts would be much further along in dismantling our nation’s freedoms.
The Principle of Radical Decentralization, as here formulated, keys off a remark of Milton Friedman: “I do not believe that the solution to our problem is simply to elect the right people. The important thing is to establish a political climate of opinion which will make it politically profitable for the wrong people to do the right thing. Unless it is politically profitable for the wrong people to do the right thing, the right people will not do the right thing either, or if they try, they will shortly be out of office.” Writing as an economist, Friedman presses for a changed political climate that incentivizes right action, even among “the wrong people.”
The difficulty with Friedman’s approach, however, is that our present government systemically attracts the wrong people, who then further debase the political climate, which then further attracts the wrong people. To say that our present government systemically attracts the wrong people may seem overblown. After all, don’t we live under a democratic form of government that is at least somewhat responsive to the will of the people? But in fact, much of what we call democracy these days is window dressing. Unelected bureaucracies are increasingly calling the shots. Moreover, elected public office faces so many temptations to do the wrong thing that many who start out as Friedman’s “right people” end up as “wrong people.”
The dilemma facing Friedman is how to achieve the right political climate that will induce the wrong people to do the right thing. Why is this a dilemma? The reason Friedman is even concerned about establishing the right political climate is that the wrong people have gotten into power and subverted the political climate. But as long as the wrong people hold power, how can the right political climate even arise? The wrong people will do everything in their power to guarantee that the wrong political climate will continue. It seems, then, that the wrong people ensure the wrong political climate and the wrong political climate ensures the wrong people. How then to break free of this vicious circle?
Even with the right political climate, would the wrong people refrain from doing the wrong thing? The wrong people are, by their very nature, loath to give the right political climate an opportunity to succeed. But even if it succeeds, Friedman is depending on the wrong people, suitably cajoled by the right political climate, to do the right thing. Yet what happens if the cajoling fails? What if the wrong people, taking a principled stand on the wrong principles, decide that they will continue to do the wrong thing? Friedman, it seems, is leaving too much to chance. The Principle of Radical Decentralization bypasses the wrong people entirely.
Friedman might have denied that there really is a dilemma here. After all, he didn’t say that we need to create the right “political climate” as such but rather the right “political climate of opinion.” Friedman, as an academic who wrote books and lectured widely, saw himself as an effective shaper of opinion — the political climate of opinion. And he was. His Chicago School of Economics did much to return credibility to free markets and has significantly impacted official economic policy.
But was Friedman merely suggesting that, as leaven diffuses through dough, the right ideas need simply permeate the culture to transform the political climate of opinion and therewith bring the wrong people to heel? Reality check: How’s that working out for society at large? Are the wrong people doing the right thing because academics have come up with bright ideas for bringing about the right political climate of opinion? Have the wrong people stopped doing wrong things, such as passing laws that undercut our freedoms or imposing regulations that suffocate small businesses? Are the wrong people still rewarding indolence and apathy, penalizing talent and industry? To pose these questions is to answer them.
At points where the ivory tower is touted for its far-reaching impact on the public square, it is customary to quote Keynes: “The ideas of economists and political philosophers, both when they are right and when they are wrong, are more powerful than is commonly understood. Indeed the world is ruled by little else. Practical men, who believe themselves to be quite exempt from any intellectual influence, are usually the slaves of some defunct economist. Madmen in authority, who hear voices in the air, are distilling their frenzy from some academic scribbler of a few years back. I am sure that the power of vested interests is vastly exaggerated compared with the gradual encroachment of ideas.” But Keynes is here talking about situations in which one set of ideas wins out. Indeed, Keynes is talking about himself, an academic scribbler par excellence who saw — in his lifetime — his ideas on economics become the reigning orthodoxy.
Nonetheless, Keynes fails in this passage to address what happens when ideas clash and no coherent political climate of opinion can be established. This is the state of contemporary democracy. Different politicians with different constituencies are listening to different academic scribblers and coming to conclusions so drastically different that effective government becomes, if not impossible, then difficult. Where government should be responsive to the exigencies of the moment and the will of the people, there is deadlock. Where government functions at all, it is through bloated bureaucracies that trundle along by inertia, expanding their numbers and reach, like bacterial colonies in a petri dish that multiply until they have consumed all productive resources.
You might think that the absence of a coherent political climate of opinion renders government ineffective, inept, and wasteful but, in the main, harmless. After all, in such an environment, with so many clashing ideas, some good, some bad, won’t the good and the bad, the right and the wrong, simply cancel each other out? Ineffective, inept, and wasteful, yes, but not harmless. The problem is that in a political climate with a wide diversity of opinion, the wrong people will always have a constituency that enables them not just to do the wrong thing but also to profit from wrongdoing. Simply put, in such a climate, the wrong people always find enablers. Conversely, without a unified political climate of opinion, there is little or no political profit in doing the right thing.
The presumed benefits of establishing the right political climate of opinion are overblown not because such a climate of opinion wouldn’t be a good thing if it could be realized but precisely because available evidence suggests that it is unattainable. Where have we heard those words, “There is not a liberal America and a conservative America — there is the United States of America. There is not a Black America and a White America and Latino America and Asian America — there’s the United States of America.” Hope of unity springs eternal, yet we live in a society deeply riven on the most fundamental issues. We are nowhere near establishing the right political climate of opinion that can hold the wrong people in check.
Let me therefore propose that we stop wasting effort to establish the right political climate and instead cut to the chase. By all means, let the academic scribblers write their treatises and so attempt to move the political climate of opinion in wholesome directions. I myself was such a scribbler until recent years, when my enthusiasm for academic scribbling waned because I became increasingly skeptical of its merits and at the same time found the world of business and technology a better fit for my changing interests.
I’m now of the view that the day is far spent and stronger medicine than climate control is required. Establishing the right political climate of opinion, for Friedman, was a means to an end — to get the wrong people to do the right thing by making it politically unprofitable for them to do otherwise. Instead of taking this indirect path, I want to propose shifting the focus directly to preventing the wrong people from undermining the freedoms of the right people.
But who are the wrong people? And who are the right people? Whenever there’s an Us and a Them, Us views Them as the wrong people, and Them views Us as the wrong people. The wrong people will thus treat the right people as the wrong people, and likewise the right people will treat the wrong people as the wrong people. From this grammatical equivalence, however, it doesn’t follow that the wrong people are morally equivalent to the right people. To see this, we need to define what it means to be the wrong people.
Wrong people are wrong not because they commit felonies and misdemeanors. Wrong people are wrong not because they are sinners. Wrong people are wrong not because they believe that abortion is right or that it is wrong. Wrong people are wrong not because they think marriage should or should not be confined to one man and one woman. Wrong people are wrong not because they embrace certain religious beliefs or reject them.
Wrong people are wrong not because of their faults but because of their presumed virtues. Wrong people are wrong because they think their high ideals give them the moral authority to impose their ideals on the rest of us. Wrong people are wrong because they presume to know so much better than the rest of us what is best for us and are eager to force their conception of what is best on us. “The purpose of freedom,” wrote Bernard Malamud, “is to create it for others.” Wrong people are wrong because they use their freedom to deny it to others. Wrong people are wrong because they make themselves masters and the rest of us slaves.
Slavery in enlightened liberal democracies is more subtle than in times past, but its marks are readily discerned: An indignant minority identifies a problem, real or imagined, whose solution it regards as absolutely critical to humanity’s well-being. The minority is indignant because the unwashed masses (of which I’m a card-carrying member) are seen — through their greed, inattention, or waste — to be significantly contributing to the problem. The unwashed masses need to change their ways. The solution the minority lights upon, however, entails significant costs, which the unwashed masses are not eager to bear. Bypassing the will of the people, the minority use the power of the state to extract those costs, rationalizing that this violation of freedoms is justified because the problem is so severe. Marxist socialism, liberal progressivism, and extremist environmentalism all follow this pattern.
Now it would seem that this encroachment on our freedoms by the wrong people has a straightforward solution: if the wrong people are using the power of the state to limit our freedoms, get the right people into government so that they can use the power of the state to restore our freedoms. There are two problems with this proposed solution: (1) the attractor factor and (2) the bureaucratic ratchet.
The attractor factor refers to the unfortunate fact that government, by its very nature, tends to attract the wrong people. Because government has tremendous power, it attracts people who are eager to game the system, obtaining by force of law what they could never achieve through consensus. Thinking that the best way to change the world in their image is through government, they compel the masses to alter their ways under threat of the state. These worshippers of government are the wrong people. By contrast, people not attracted to government are typically more interested in getting on with productive activities. These are the right people, but it usually takes a shockingly bad state of affairs to rouse them to take part in government.
The bureaucratic ratchet, the other problem with getting the right people into government to restore our freedoms, is that by the time they get there, bureaucratic structures and regulations are in place that make it far more difficult to recover our freedoms than it was at the first to remove them. Bureaucracies are self-perpetuating. It’s in their interest to swell their ranks and inflate their importance. Once a government bureaucracy is in place, it gets a budget. Year by year, members of that bureaucracy, convinced that their work is of signal importance to the well-being of our nation, lobby for an increased budget, which they almost always get. And so, as the ratchet keeps turning, it becomes increasingly difficult to unturn it.
Many of our government bureaucracies range from largely useless (wasting productive resources) to downright destructive (steadily eroding our freedoms). If enough of them could be reorganized or even removed, the public might at last experience a balanced federal budget and certainly a sudden surge of freedom — there would be no downside here except for the out-of-work bureaucrats who now need to find new jobs. But the eradication of these bureaucracies as we presently know them is not about to happen.
The problem is that these bureaucracies have become entrenched. If the political will is there, by all means put them out of business. But the track record of our politicians, even those who cast themselves as freedom’s valiant defenders, is not good. The more conservative politicians are usually happy if they can simply slow the growth of freedom-undermining bureaucracies. To end them outright has until recently been off their radar. Perhaps that’s changing with the ongoing economic distress, but let’s not hold our breath.
The eradication of power structures that undercut our freedoms will always be a regulative ideal — something that the right people aspire to even if it cannot be fully realized. The point of this essay, however, is quite different. The aim is not reform. Reformation assumes that something of intrinsic value has been bent out of shape and needs to be bent back into shape. But the structures that compromise our fundamental liberties don’t fit that bill. They are irredeemable. Nor is the aim anarchy. Government has a legitimate sphere of operation. The problem arises when that sphere continually expands, encompassing areas where government lacks legitimacy. Nor is the aim revolution, as in a complete overthrow and reconstruction of existing structures. The basic framework for government as outlined in the U.S. Constitution is not easily improved.
The watchword for recovering our freedoms is decentralization. Decentralization breaks up illegitimate concentrations of power. A fundamental principle of warfare is concentration of forces — to win at war, your forces need to be effective, and for them to be effective, they need to be concentrated. The flip-side of this principle, more widely known, is “divide and conquer,” which seeks victory by preventing the other side from concentrating their forces. Decentralization can employ a divide-and-conquer strategy, but it is more general. Its aim is to break up concentrations of illegitimate power by whatever legitimate means on hand.
Given a government responsive to the will of the people, decentralization would be part of the ordinary political process. For instance, government organizations with worthy goals might be instituted and then, when found to have fulfilled their mission, would be disbanded. But when such organizations transmogrify into self-perpetuating bureaucracies, mere decentralization is no longer enough. What’s needed instead is a radicalized form of decentralization.
What, then, is radical decentralization? The word “radical” comes from the Latin word meaning root. Its use here plays on two senses of that word: (1) getting to the root of the problem; (2) empowering the grass roots (the unwashed masses) to take effective action in reclaiming our freedoms. Radical decentralization is what we can do, either by applying effective pressure to government or by doing an end-run around government, to break up freedom-eroding concentrations of power. Radical decentralization does not lament or wring its hands about the abuses of power that it finds. It is not interested in mere words. Nor does radical decentralization merely strive to look busy. It is not interested in activities that show our heart is in the right place but that in the end make no real difference. Rather, it attempts to discover and then implement effective ways to break up unhealthy concentrations of power that undermine our freedoms.
What does radical decentralization look like? Imagine an out-of-control fire that’s inflicting large-scale damage and that’s fed by a gas pipeline. You can, with deep emotion, bewail how bad the fire is. You can even throw some water on the fire. But neither of these activities will dampen, much less put out, the fire. To fight the fire effectively, you need to figure out some way to turn off the gas coming through the pipeline. Until you do that, that fire will continue to rage. That may require ingenuity, to figure out where the pipeline is and how to turn it off. And it may require courage, to take the necessary measures to stop the flow of gas once you’ve figured out how.
The gas that lights our political fires and undermines our freedoms takes varied forms. In upcoming projects I intend to explore specific proposals for breaking up illegitimate concentrations of power that undermine human freedom. In so doing, I will attempt to take radical decentralization from the drawing board to the next level, what engineers call “proof of concept.”
The first item of business in this project of radical decentralization is money. Those who control our money control us, which makes it incumbent on each individual to control his or her own money. And for that to happen, money must be removed from all but the owner’s hands. Money is a social technology, but its technological sophistication has lagged even though computers rather than abacuses now count it. The point of this paper has been, by laying out Peerless, to propose a radically decentralized, information-based form of currency that owes nothing to the state, or to any peer-to-peer network, or to any monetary authority other than the lone individual.