Digital Asset Management Requirements

    1. Talent Reserve and Incentive Mechanism

The explosive development of digital currencies and digital assets has inevitably created a huge gap in professional talent. Digital currencies themselves are cross-disciplinary, spanning at least the IT, finance, and asset management sectors. Even with a solid background in these industries, one needs a sufficient understanding of the development of the digital currency industry to ensure that digital asset management can be conducted in an orderly and secure manner.

As the entire asset management industry increases its investment in digital asset management, it will inevitably lead to a high turnover rate of personnel within the industry, and the loss of professional talent will become a significant bottleneck for corporate development. Whether it is possible to find truly suitable human resources, establish a sound human resource system and reasonable incentive mechanisms, focus on attracting and retaining experienced talent, and actively cultivate a new generation of reserves to form a competitive human resource advantage will be key factors in the future success of digital asset management institutions.

    2. Brand Creation

A unique brand advantage and customer stickiness are undoubtedly key to winning in the competitive digital asset management industry. Since digital asset management is a new phenomenon, without any highly recognized brand in the market, it is bound to fall into a chaotic era reminiscent of the Warring States period. We can already imagine that in the initial stages, every company or institution will propose some brand-new strategies to build their own brand. The ability to quickly establish one's brand advantage is crucial for gaining a first-mover advantage in the digital asset management industry. In the asset management business process of "raising, investing, managing, and controlling," the ability to raise funds is particularly important. For such a new product launch, if users cannot fully understand the industry, the brand value of asset management institutions will become an important factor in attracting funds. Therefore, digital asset management companies or institutions need to establish a strong brand system and differentiate themselves from competitors. Specifically, asset management institutions can strengthen their brand through clear positioning, establishing a brand management system, and creating and increasing brand value.

    3. Marketing Capability

Marketing capability will also become a key challenge in the digital asset management industry. Unlike traditional asset management, which is very familiar to most clients in any form, digital assets require client cultivation to start from scratch, and the education of marketing personnel must also begin from zero. The ability to first cultivate qualified marketing talent will be a major factor in initially closing the gap. Given the wide-ranging fields involved in digital assets, how to help users better understand digital assets in this new field, rather than being passively inundated with knowledge, and to achieve a good marketing experience and customer experience will be a topic that every company or institution needs to study.

    4. Risk Control Capability

The rapid development of the digital currency system is accompanied by the development and application of quantitative tools, and may also be accompanied by the emergence of complex financial derivatives to meet the needs of different investors. Although digital assets often offer unimaginably high returns, they inevitably come with various risks. Because the industry is so young, there is often not enough data to support an analysis of those risks and their levels. Risk identification therefore becomes more complex and often depends on the judgment of management personnel, drawing on their personal understanding of digital currencies and digital assets as well as their own asset management literacy. In the development of financial products, effectively identifying risks is the primary condition for reasonable pricing, and in developing a digital asset management business, systematic risk control is also an important capability valued by investors. For the asset management company or institution and for investors alike, risk control capability is therefore something that must be monitored constantly as the business advances.

    5. Integration Capability

For asset management institutions that already have a certain scale, they can create new asset management products by integrating traditional asset management products and digital asset management products, thereby redefining the industry chain. Traditional asset management products and digital asset management products have huge differences and complementarities in terms of returns, risks, and regulatory methods. Whether they can combine the advantages of all parties to create new asset management products based on actual customer needs is a significant challenge that tests the capabilities of product manufacturers. Through strong resource and product integration capabilities, while meeting customer needs, companies and institutions can achieve substantial business benefits, which is an essential path to becoming an excellent digital asset management company or institution.

Development Direction of Digital Assets

Digital assets represent a brand new field and are still developing rapidly, with new concepts and models emerging endlessly. We anticipate that there are four notable directions worth paying attention to in the development of digital assets: intelligence, high-end, institutionalization, and globalization.

The context began with the birth of Bitcoin in 2008, when blockchain technology was gradually discovered. Before 2009, blockchain was primarily the main technology of the cryptocurrency circle represented by Bitcoin, marking the blockchain 1.0 phase.

The financial sector began to realize the disruptive potential of blockchain technology, and the application scenarios of blockchain technology gradually expanded from cryptocurrencies to programmable finance, marking the blockchain 2.0 phase.

From 2013 to 2016

As the unique value of blockchain technology began to gradually emerge, governments around the world and some capital-intensive, technology-intensive industries began to venture into blockchain technology research, marking the blockchain 3.0 phase.

Since 2016, commercial, technological, and IT internet giants in various countries have been laying out blockchain, and the scale and application scenarios of blockchain have rapidly developed.

W. Scott Stornetta is recognized as the "father of blockchain." He is also a well-known figure in the fields of cryptography and distributed computing. In a paper co-authored with Haber, he first mentioned blockchain architecture technology, describing a digital architecture system called "blockchain" that uses "digital timestamps" for commercial transactions. The concept of the blockchain system was later used by Satoshi Nakamoto to develop the widely adopted Bitcoin-blockchain.

Together with his long-time colleague and collaborator Stuart Haber, W. Scott Stornetta laid the foundation for the emergence of today's blockchain technology revolution. Stornetta and Stuart Haber are respected as the co-inventors of blockchain. Stornetta spent decades providing valuable research and publications in the fields of cryptography and distributed computing and consulting for several universities on establishing startups. He co-authored some important literature in the field of cryptography with Haber. Several foundations of the Bitcoin blockchain architecture are based on Stornetta's work. The third, fourth, and fifth items in the table of contents of Nakamoto's Bitcoin white paper reference his work on cryptographic timestamp protocols.

Scott obtained his Ph.D. in physics from Stanford University and is currently the Chief Scientist at First Digital Capital, an Australian investment company, responsible for evaluating blockchain technology companies and ICO projects.

Value China: Could you briefly introduce how you and Stuart Haber proposed the idea of blockchain during the period from 1990 to 1991? What was your main purpose when you first conceived this concept?

Scott: In fact, many people are surprised to learn that the concept of blockchain technology predates Bitcoin by a long time because when they first encountered the concept of blockchain, it was the emergence of Bitcoin that brought the concept of blockchain into public view. So I will first briefly discuss the history of blockchain technology and then talk about its relationship with Bitcoin.

When I first started thinking about blockchain technology, of course, the term did not exist; it was a word we created later. In 1989, I graduated from Stanford University with a Ph.D. in physics, and I had always been very interested in computer technology and internet technology. At that time, computer technology was rapidly developing, and all documents were gradually being transformed into electronic versions. I was thinking about how we could ensure that the electronic version of the document we had was the original. How could we know if someone had modified the electronic version of the document? At that time, only a portion of documents were in electronic form; most documents, including transfer records and transaction records, were still recorded in written form. Even if these were written documents, they had their own backups to ensure the accuracy of the written records.

As is well known, if these documents can be altered, the records can be changed. At that time, everyone was focused on how to ensure the accuracy of written documents, and no one paid attention to the accuracy of electronic document records. But I thought we would live in a world where all documents would be electronic, and written documents would eventually be eliminated by technology. If we did not solve the problem of electronic document accuracy, we would not be able to distinguish between real records and tampered records.

I was working as an analyst at Bellcore, which was a very open and free laboratory that did not assign specific tasks to employees or tell them what to do step by step. Instead, it encouraged employees to choose problems they were interested in and wanted to solve, providing resources and allowing them to work independently. I was very fortunate to work in this laboratory because I was not very knowledgeable about cryptography and the latest internet technology at the time, but my colleagues were very skilled cryptography experts.

Stuart Haber was one of them. I approached him and said that while I might not know much about cryptography, I knew that the issue of electronic document accuracy must be a crucial problem that we could work together to solve. We could truly do something to change the world. So we decided to research and solve this problem together. Stuart, as a cryptography expert, taught me a lot about cryptography, and we studied this problem for several months. Eventually, we found a solution, but it was not a satisfactory perfect solution. He solved the problem, but it required the existence of a third-party trusted institution, which meant trusting an external channel. However, such a third-party trusted institution could still alter the records, so we decided we should continue exploring other methods to create a way to ensure that digital documents could not be tampered with without needing to trust anyone or any external channel. Then we continued our research, and eventually, Stuart found the key to the problem. He believed we could not solve this problem at all, so he decided to prove that we could not solve it.

Interestingly, in the process of proving that we could not solve this problem, we found a way to solve it. (Laughter...) The fundamental solution was that since we always had to trust someone or some institution to ensure the accuracy of digital documents, we should trust everyone, meaning that everyone in the world should be a witness to the digital document records. We turned the problem upside down and found a solution. We envisioned building a network that would allow all digital records to be transmitted to every user when they were created, so that no one could tamper with the record. This was the birth of the earliest concept of blockchain.

Bitcoin is a wonderful coincidence. One day, I received an email discussing Bitcoin, and the sender expressed great interest in this emerging technology. He noted that my research with Stuart Haber was involved, and then someone named Satoshi Nakamoto made further developments based on my and Stuart Haber's research. People discovered that my research results were cited multiple times in Bitcoin, and since I could speak Japanese, they began to suspect whether I was the original author of that work, Satoshi Nakamoto. In fact, I was not, but I learned about Nakamoto's paper and his research, which was very impressive.

I contacted him, and he told me that someone had emailed him asking about the connection between the Bitcoin he proposed and the digital timestamp I proposed. Nakamoto replied that Bitcoin is a more distributed application of digital timestamps, specifically applied to monetary transactions. So the early relationship between blockchain and Bitcoin is as he said: Bitcoin is an application of blockchain. Bitcoin created a new monetary system, which is an incredible achievement. But blockchain has many other applications; aside from the most attention-grabbing Bitcoin, blockchain still needs further development. I firmly believe that digital currency will have greater development space in the future, but it must be based on blockchain technology, rather than separate from it, although it does not necessarily have to use the technology that is currently referred to as Bitcoin.

Characteristics of Blockchain

Value China: It is well known that the invention of the "digital timestamp" is extremely important for blockchain, as it addresses security issues. Can you explain the relationship between cryptographic digital timestamps and blockchain?

Scott: I have already answered part of this question before, so I will briefly elaborate again. Cryptographic digital timestamp technology is the early blockchain technology; they are the same thing. Unlike Bitcoin and blockchain, which have significant differences, many people debate the relationship between blockchain and Bitcoin, but I think the more important thing is to promote the future development of blockchain technology.

First, does the record need to be distributed? The answer is yes; only by ensuring distributed records can we guarantee that the records are immutable, which is the core technology of blockchain. Second, does the algorithm need to be distributed? I believe it is necessary in some cases and not necessary in others; it mainly depends on the primary purpose of the application. Third, do the controllers and leaders of the entire society need to be distributed? I think it depends on the specific situation. Most people may disagree with my view, but I always insist on my view, and I believe my view will ultimately be proven correct.

How to distribute rulers is like how to run algorithms. We individuals are in a disadvantaged position in the market, while the ruling class is in a dominant position. This power dynamic can be beneficial in some cases and not in others. Therefore, I believe these questions cannot be answered with a simple "yes or no"; it depends on the specific situation and specific stance. My company's name is the Japanese word "Yugen," which means contemplation. My intention is to hope to maintain clarity in the tide of development and think about problems from different angles, rather than "going with the flow" to earn profits.

In 1976, the famous economist Hayek published "The Denationalization of Money," proposing the concept of non-sovereign currency and competitive currency issuance, providing a theoretical foundation for the birth of Bitcoin (the earliest blockchain technology). Also in 1976, cryptography masters Bailey W. Diffie and Martin E. Hellman published the paper "New Directions in Cryptography," covering all new areas of cryptography that would emerge over the next few decades, including asymmetric encryption, elliptic curve algorithms, and hashing techniques, laying the foundation for the development of cryptography to date and playing a decisive role in the technology of blockchain and the birth of Bitcoin.

In addition to theoretical foundations, the practical work of many predecessors gave Satoshi Nakamoto plenty to draw on: In 1990, cypherpunk "bishop" David Chaum invented the cryptographic anonymous cash system Ecash. In 1997, Adam Back invented Hashcash, which used a proof-of-work system (POW). In 1997, Haber and Stornetta proposed a timestamp method to ensure the security of digital documents. This protocol also became one of the prototypes of the Bitcoin blockchain protocol. In 1998, Wei Dai invented B-money, emphasizing peer-to-peer transactions and unalterable, traceable transaction records. In 2004, Finney invented "cryptographic cash," which used a reusable proof-of-work mechanism (RPOW).

Failure is the mother of success. Satoshi Nakamoto summarized the reasons for these failed cases and integrated these technologies to invent the earliest blockchain technology—Bitcoin. In November 2008, Satoshi Nakamoto published the paper "Bitcoin: A Peer-to-Peer Electronic Cash System" (the Bitcoin white paper). In January 2009, the Bitcoin network officially went live. In 2011, Chinese-American Charlie Lee invented Litecoin. Litecoin has a faster block generation speed (2.5 minutes, four times faster than Bitcoin) and a larger total supply (84 million, four times that of Bitcoin), while making some adjustments in the proof-of-work system.

After Litecoin, a large number of similar currencies emerged, all making some adjustments based on Bitcoin, but these new currencies do not differ fundamentally from Bitcoin; they are all positioned as currencies.

Sister Coin Encyclopedia
"Blockchain" was not proposed by Satoshi Nakamoto. Initially, Bitcoin's currency was represented in lowercase as "bitcoin," while the underlying technology of Bitcoin was represented in uppercase as "Bitcoin." However, due to many people's biases against Bitcoin, the underlying technology of Bitcoin was distilled into a new term—blockchain.

At this stage, the application of blockchain was limited to currency, with a single function. During this stage, blockchain technology faced three problems: the scripting language was too complex, making it difficult to develop an ecosystem; there were not many participants; and the scripting language did not meet "Turing completeness," limiting further uses. The stage when blockchain technology was only applied to digital currency is referred to as the era of blockchain 1.0, with Bitcoin as its representative work.

In 2013, Vitalik Buterin (known as "V God") released the first version of the Ethereum white paper. In 2015, Ethereum released its first official version: Frontier. This version only had a command-line interface, primarily used by developers. In 2016, Ethereum released a new version: Homestead, which added a graphical interface similar to Windows, allowing ordinary users to experience Ethereum's functions. In 2016, Ethereum underwent a hard fork, resulting in ETH and ETC.

Simply put, Ethereum can be understood as an "operating system," akin to Windows. Many people may have heard of the term "blockchain 3.0," but there is currently no consensus on what 3.0 means or what its representative works are. Some say that projects like IOTA, which use DAG technology, represent 3.0. Others say that 3.0 means extending beyond the financial sector and applying its technology to various aspects of life. What 3.0 is is not important; what matters is that blockchain technology is becoming increasingly powerful. I believe that blockchain technology will bring tangible benefits to our work and lives in the future.

Pre-Bitcoin Era
Cryptocurrencies may have become one of the favorite investment assets for millennials. However, few people know that the first proposal for digital cash appeared as early as 1982. In the paper "Blind Signatures for Untraceable Payments," researcher David Chaum from the University of California first proposed the concept of digital cash. He founded a company called Digicash in 1990, but the company eventually went south and declared bankruptcy. This was the first serious attempt to bring digital cash into the real world, although the penetration of the internet was still in its infancy at that time.

In 1991, Stuart Haber and W. Scott Stornetta began their research on a cryptographically secure chain composed of blocks. On this chain, no one could tamper with the timestamps of documents. A year later, in 1992, they upgraded the system, using Merkle trees to improve efficiency, allowing a block to accommodate more documents.

Digital Gold (E-Gold)
In 1996, Gold & Silver Reserve (G&SR) launched digital gold, a digital currency backed by physical gold. This company released digital gold two years before PayPal was founded, allowing users to see their gold balances and trade digital gold. It introduced the concept of real-time settlement, which is an important theoretical foundation for the emergence of today's smart contracts. It led to a surge in third-party trading services. At the same time, it introduced transactions through encrypted connections and APIs provided for third parties.

In addition, although it was a centralized company, it established a governance mechanism called "e-gold Special Purpose Trust," which is now at the core of governance committees. E-Gold also made international Ponzi schemes and global fraud possible for the first time. At its peak, E-Gold had an annual trading volume of $2 billion, five million accounts, and stored over 3.5 tons of gold.

The demise of E-Gold was due to increasing security issues, including Ponzi schemes and phishing attacks. The company became a target for hackers worldwide, and some common hacking techniques (such as company impersonation and email list attacks) were improved to attack E-Gold. E-Gold was ultimately shut down by the U.S. Department of Justice as an illegal remittance entity. During the litigation process, E-Gold lost a massive user base, as users feared being seen by authorities with their holdings. By 2008, this system rapidly declined.

The Era of Cryptographers
During the same period as digital gold, other innovations emerged. In 1997, cryptographer Nick Szabo published a paper titled "Formalizing and Securing Relationships on Public Networks," in which he proposed the concept of smart contracts, a method for executing agreements between untrusted strangers on a network. In 1998, Szabo designed a decentralized digital currency called Bit Gold, suggesting that users use computational power to solve cryptographic puzzles. Although Bit Gold was never widely used, its theoretical framework influenced the creation of the first cryptocurrency.

Also in 1998, computer engineer Wei Dai published "B-money, an anonymous, distributed electronic cash system." This paper described many characteristics of modern cryptocurrencies, such as collective updates of ledgers, work process incentives, cryptographic authentication, and public key cryptography. Another important contributor was Hal Finney, a developer and active cryptography advocate, who developed the first reusable proof-of-work (RPOW) in 2004.

Entering the Bitcoin Era
There were some clues indicating that something new had arrived in the world, something unprecedented that would have a revolutionary impact. In August 2008, the domain name "Open source P2P money" was registered. On October 31, 2008, the paper "Bitcoin: A Peer-to-Peer Electronic Cash System" was published in a cryptography mailing list. The publisher was Satoshi Nakamoto, a pseudonym for one or more individuals whose true identity remains uncertain to this day.

Here is the original email:
I have developed a new peer-to-peer electronic cash system that does not require a trusted third party. The paper can be viewed here: http://www.bitcoin.org/bitcoin.pdf.

Main features:

  • Prevents double-spending attacks through a peer-to-peer network;
  • No mint or other trusted third parties;
  • New coins are generated through a hash algorithm proof of work;
  • The proof-of-work mechanism for generating new coins also powers the network to prevent double-spending attacks.
    — Satoshi Nakamoto

In January 2009, Satoshi Nakamoto released the open-source software for Bitcoin. On January 3, 2009, when Nakamoto mined the first block on the chain, the Bitcoin network was born. That block later became known as the "genesis block." Embedded in this block is the following text: "The Times 03/Jan/2009 Chancellor on brink of second bailout for banks." At this time, the Chancellor was on the brink of a second bailout for banks. The Bitcoin community and cryptographers interpreted this statement as a timestamp and a distributed storage that would have a significant impact on the banking industry.

Six days later, Bitcoin version 1.0 was released. Anyone could participate. It was released as a Windows program compiled using Visual Studio. The first Bitcoin transaction was sent on January 12, 2009, to Hal Finney, when Nakamoto sent him 10 bitcoins at block 170. Eight years later, these 10 free bitcoins reached a value of $200,000 at their peak.

Suspected Satoshi Nakamoto
In 2009, a small cryptography community engaged in mining and debate. In June, the Chinese legal system released the first legislation regarding "virtual currencies," prohibiting citizens from using any form of digital currency to purchase goods and services. This rule targeted in-game currencies and electronic points, such as Tencent's Q coins, but it also covered Bitcoin. On October 5, 2009, the exchange rate of Bitcoin was first determined. The proposed exchange rate was 1309.03 BTC = 1 USD, derived from the electricity cost of generating Bitcoin on a computer. This exchange rate was reversed over nearly eight years: by April 2017, 1 BTC = 1309 USD.

On October 12, 2009, a dedicated IRC channel for Bitcoin developers was established: #bitcoin-dev. As a result of the establishment of this channel, Bitcoin version 2.0 was born on December 16, two months later. On November 22, 2009, Nakamoto created Bitcointalk and used "Satoshi" as his username. His main thread moved from the previous Sourceforge forum to BitcoinTalk.org. The year 2009 ended with increased mining difficulty for Bitcoin: on December 30, just before the New Year, mining difficulty increased for the first time in history.

02 Core Technology of Blockchain
Blockchain, as a distributed system, includes P2P network technology, consensus mechanism technology, and cryptographic technology.

First, the P2P (peer-to-peer) network: a distributed network in which each node can reach the others directly, without going through an intermediary, while sharing its own resources, including storage capacity, network connection capacity, and processing capacity.

Second, the consensus mechanism: as a distributed system, a blockchain must guarantee some degree of data consistency, and consensus algorithms are what achieve it.

Third, cryptography: to ensure the integrity and security of blockchain data as it is constructed, transmitted, and stored, blockchains employ a large number of cryptographic techniques and recent research results, such as cryptographic hash functions and elliptic curve public key algorithms.

Almost all of Bitcoin's technical components originate from academic literature from the 1980s and 1990s (see Figure 1). This is not to undermine Nakamoto's achievements but to point out that he stood on the shoulders of giants. In fact, by tracing the origins of Bitcoin's ideas, we can pin down Nakamoto's true leap of insight: a combinatorial innovation, the specific and complex way in which the underlying components are integrated. This helps explain why it took so long for Bitcoin to be invented. Readers familiar with how Bitcoin works can gain deeper insights from this historical review (for more information, see Bitcoin and Cryptocurrency Technologies by Arvind Narayanan et al.). The cultural history of Bitcoin can also serve as a case study of the collaborative relationship between academia, external researchers, and practitioners, providing lessons on how these different groups can benefit from each other.

[Figure 1]

1 Ledger

If you have a secure ledger, the process of using it for a digital payment system will be very simple. For example, if Alice sends Bob $100 through PayPal, PayPal deducts $100 from Alice's account and deposits $100 into Bob's account. This is generally similar to traditional banking operations, although traditional banking operations do not have a shared ledger.

The concept of a ledger is the starting point for understanding Bitcoin. It records all transactions that occur within the system and is open to all participants in the system, who trust it. Bitcoin converts the payment records of the system into currency. In banking, account balances represent cash that can be withdrawn from the bank, but what does one Bitcoin represent? For now, we can only say that Bitcoin represents transactions containing fixed value.

In an internet environment where participants may not trust each other, how can we establish a ledger? Let's start with the simple part: the choice of data structure. This data structure must meet certain property requirements: the ledger should be immutable. More precisely, new transactions can only be added; they cannot be modified or deleted, nor can existing transactions be reordered. Additionally, a cryptographic hash of the ledger state is needed. The hash is a short string that avoids the need to store the entire ledger. If the ledger is tampered with, the resulting hash will inevitably change, allowing for tampering detection. The reason for needing these properties is that, unlike conventional data structures stored on a single machine, the ledger is a global data structure maintained collaboratively by a group of participants who do not trust each other. This contrasts with another approach to decentralizing digital ledgers, in which participants maintain local ledgers and it is up to the user querying these ledgers to resolve conflicts.

1.1 Linked Timestamping

The data structure of Bitcoin's ledger is borrowed, with modifications, from a series of papers written by Stuart Haber and Scott Stornetta between 1990 and 1997 (their 1991 paper also had another co-author, Dave Bayer). We know these historical origins because Nakamoto referenced them in his Bitcoin white paper. The main work of Stuart Haber and Scott Stornetta dealt with the timestamping of documents: their goal was to establish a "digital notary" service. For patents, business contracts, and other documents, people want to determine whether the document was created at a certain point in time or no later than a certain point in time. The notion of a document in Stuart Haber and Scott Stornetta's work is very general and can be any type of data. They did mention that financial transactions are potential applications, but financial transactions were not their focus.

In a simplified version of Stuart Haber and Scott Stornetta's scheme, documents are continuously created and broadcast. Each document's creator declares a creation time and signs the document, its timestamp, and the previously broadcast document. That previous document has in turn signed its own predecessor, so the documents form a long chain pointing backward in time. External users cannot change the timestamp information because it is signed by the creator; the creator also cannot change the timestamp information without altering the entire chain of information. Therefore, if a particular item in the chain is obtained from a trusted source (for example, another user or a specialized timestamp service), the entire chain prior to that moment is locked, immutable, and temporally ordered. Furthermore, if you believe the system rejects your document due to an incorrect creation time, you must guarantee that the document is at least as old as it claims to be. In summary, Bitcoin merely borrowed the data structure designed by Stuart Haber and Scott Stornetta and redesigned its security properties (by adding proof of work, which will be discussed later).

*Translator's Note: Furthermore, if you assume that the system rejects documents with incorrect creation times, you can be reasonably assured that documents are at least as old as they claim to be.

In the subsequent literature of Stuart Haber and Scott Stornetta, they introduced other schemes to make this data structure more efficient (some of which were hinted at in the first paper). First, hashes can be used instead of signatures to create links between documents; since hashes are simpler and faster to compute, such links are called hash pointers. Second, instead of processing documents individually (which could be inefficient if multiple documents are created almost simultaneously), they can be grouped into batches or blocks, with documents in each block having approximately the same timestamp. Third, within each block, documents can be linked together using a binary tree of hash pointers, called a Merkle tree, rather than a linear chain. By the way, six years after the publication of Stuart Haber and Scott Stornetta's first paper, in 1991, Josh Benaloh and Michael de Mare independently proposed the three aforementioned schemes.

1.2 Merkle Trees

Bitcoin essentially uses the data structure proposed by Josh Benaloh and Michael de Mare in 1991 and 1997 (Nakamoto probably was not aware of Josh Benaloh and Michael de Mare's work), as illustrated in a simplified form in Figure 2. Of course, in Bitcoin, transactions replace documents. In each block's Merkle tree, the leaf nodes represent transactions, and each internal node consists of two pointers. This data structure has two important properties. First, the hash of the latest block serves as a summary. Any change to a transaction (leaf node) requires the change to propagate all the way up to the root of the block and the roots of all subsequent blocks. Therefore, if you know the latest hash value, you can download the remaining ledger from an untrusted source and verify whether it has been altered. A similar argument establishes the second important property of the data structure: someone can simply and efficiently prove to you that a specific transaction is included in the ledger. This user only needs to send you a small number of nodes from the transaction's block (this is a feature of Merkle trees) and a small amount of information from each subsequent block. The ability to efficiently prove the inclusion of transactions is crucial for performance and scalability.
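The two properties described above (a single latest hash that detects any tampering, and short inclusion proofs) can be seen in the following added example, which is not code from the article or from Bitcoin. It goes slightly beyond the text by also handling blocks with an odd number of documents. The block layout, the leaf/node prefix bytes, the all-zero genesis value and the function names are assumptions of this sketch, and the sample documents are constructed.

```python
import hashlib

GENESIS = b"\x00" * 32          # assumed "previous hash" for the first block
LEAF, NODE = b"\x00", b"\x01"   # domain-separation prefixes (this sketch's choice)

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

def merkle_levels(docs):
    """All levels of the hash tree for one block: leaf hashes first, root last."""
    if not docs:
        raise ValueError("a block needs at least one document")
    level = [h(LEAF + d) for d in docs]
    levels = [level]
    while len(level) > 1:
        nxt = []
        for i in range(0, len(level), 2):
            if i + 1 < len(level):
                nxt.append(h(NODE + level[i] + level[i + 1]))
            else:
                nxt.append(level[i])      # unpaired node is carried up unchanged
        level = nxt
        levels.append(level)
    return levels

def merkle_root(docs):
    return merkle_levels(docs)[-1][0]

def inclusion_path(docs, index):
    """Sibling hashes from leaf to root, each tagged with 'sibling is on the left'."""
    path = []
    for level in merkle_levels(docs)[:-1]:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        index //= 2
    return path

def block_hash(prev_hash, root, timestamp):
    """Hash pointer to the previous block, plus this block's root and time."""
    return h(prev_hash + root + timestamp.to_bytes(8, "big"))

def chain_head(batches):
    """batches: list of (timestamp, [documents]). Returns the latest block hash."""
    prev = GENESIS
    for ts, docs in batches:
        prev = block_hash(prev, merkle_root(docs), ts)
    return prev

def prove_in_ledger(batches, b, i):
    """Proof that document i of block b is in the ledger: a Merkle path inside
    the block plus (root, time) for every later block, never the documents."""
    ts, docs = batches[b]
    return {
        "path": inclusion_path(docs, i),
        "prev": chain_head(batches[:b]),
        "time": ts,
        "later": [(merkle_root(d), t) for t, d in batches[b + 1:]],
    }

def verify_in_ledger(doc, proof, trusted_head):
    """Recompute the latest hash from the proof; only trusted_head is trusted."""
    acc = h(LEAF + doc)
    for sibling, sibling_is_left in proof["path"]:
        acc = h(NODE + sibling + acc) if sibling_is_left else h(NODE + acc + sibling)
    head = block_hash(proof["prev"], acc, proof["time"])
    for root, ts in proof["later"]:
        head = block_hash(head, root, ts)
    return head == trusted_head

if __name__ == "__main__":
    # Constructed sample ledger: three blocks of "documents".
    ledger = [(1000, [b"alice->bob 5", b"bob->carol 2", b"carol->dave 1"]),
              (1010, [b"dave->alice 1"]),
              (1020, [b"erin->bob 7", b"bob->erin 3"])]
    head = chain_head(ledger)
    proof = prove_in_ledger(ledger, 0, 1)
    print("inclusion proof ok:", verify_in_ledger(b"bob->carol 2", proof, head))
    forged = [(1000, [b"alice->bob 500", b"bob->carol 2", b"carol->dave 1"])] + ledger[1:]
    print("tampered copy detected:", chain_head(forged) != head)
```

The verifier never sees the other documents: the proof carries one hash per tree level and one root per later block, which is why a client holding only the latest hash can check a ledger copy obtained from an untrusted source.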


*Translator's Note: Ralph Merkle, born in the United States, is a computer scientist who has made significant contributions to public key cryptography. He later shifted his research focus to nanotechnology and human cryonics.

By the way, the Merkle tree is named after Ralph Merkle, a pioneer of symmetric cryptography. He proposed this idea in a paper in 1980. His intended application was to produce a summary of a public directory of digital signature certificates. For example, when a website provides you with a certificate, it can also provide a brief proof that the certificate appears in a global directory. As long as you know the root hash of the Merkle tree in the certificate directory, you can efficiently verify the proof. This idea is ancient by cryptographic standards, but its power has only recently been recognized. It is central to recently implemented certificate transparency systems. A paper from 2015 proposed CONIKS, applying Merkle trees to public key directories for end-to-end encrypted email. Efficient verification of parts of the global state is one of the key functions provided by ledgers in new cryptocurrencies like Ethereum.

Bitcoin may be the most famous real-world application of the data structure proposed by Josh Benaloh and Michael de Mare, but it is not the first. At least two companies, Surety, which started in the mid-90s, and Guardtime, which began in 2007, offered document timestamping services. Both services share an interesting twist, an idea mentioned by Bayer, Haber, and Stornetta: regularly publishing the Merkle root in newspapers as advertisements. Figure 3 shows the Merkle root published by Guardtime.

1.3 Byzantine Fault Tolerance

Of course, an internet currency without a central authority requires stricter measures. Distributed ledgers will inevitably experience forks, meaning some nodes will consider block A to be the latest block while others will consider block B to be the latest block. This may be due to attackers attempting to disrupt the ledger's operations; it may also simply be due to network delays, where different nodes are unaware of each other's blocks and occasionally generate blocks almost simultaneously. Relying solely on linked timestamps is insufficient to resolve forks, as demonstrated by Mike in a 1998 paper.

A different research field—fault-tolerant distributed computing—has studied this issue, including state replication. The solution to this problem is to have a group of nodes apply state transitions in the same order—usually, the exact order does not matter as long as all nodes are consistent. For digital currency, the state to be replicated is a set of balances, and transactions are state transitions. Early solutions, including Paxos proposed by Turing Award winner Leslie Lamport in 1989, considered state replication when communication channels are unreliable, where a minority of nodes may experience certain "realistic" failures, such as being permanently offline or restarting and receiving outdated messages sent while they were initially offline. A large amount of subsequent literature has mainly addressed more complex (hostile/adverse) environments and trade-offs regarding efficiency.

A series of related works have studied situations where the network is mostly reliable (messages are delivered with limited delay), but the definition of "failure" has been expanded to include any deviation from the protocol. Such Byzantine failures include both naturally occurring failures and maliciously created behaviors. As early as 1982, Lamport, Robert Shostak, and Marshall Pease published a paper titled "The Byzantine Generals Problem." In 1999, Miguel Castro and Barbara Liskov published a landmark paper introducing PBFT (practical Byzantine fault tolerance), accommodating both Byzantine faults and unreliable networks. Compared to linked timestamps, the amount of literature related to fault tolerance is extensive, including hundreds of variants and optimizations of Paxos, PBFT, and other important protocols.

Nakamoto did not cite BFT literature or use its language in the original white paper. He used some concepts, framing the protocol as a consensus mechanism and considering faults in terms of attackers and nodes joining and leaving the network. This stands in stark contrast to his explicit references to the literature on linked timestamps (including proof of work, which will be discussed below). When asked about the discussion in the mailing list regarding Bitcoin and the Byzantine generals problem (a thought experiment requiring BFT solutions), Nakamoto claimed that the proof-of-work chain solved this problem.

In the following years, other scholars studied Nakamoto's consensus mechanism from the perspective of distributed systems—this remains ongoing work. Some argue that Bitcoin's properties are quite weak; others believe that the BFT perspective is unfair regarding Bitcoin's consistency properties. Another approach is to define well-studied variants of properties and prove that Bitcoin satisfies them. Recently, these definitions have been significantly strengthened to provide a more standard definition of consistency, retaining more realistic assumptions for message passing. However, all this work assumes that the behavior of partially participating nodes is "honest" (e.g., protocol-compatible), while Nakamoto believed it was unnecessary to blindly assume that node behavior is honest, as behavior is incentivized. A comprehensive analysis of Nakamoto's incentive consensus mechanism does not fit past fault-tolerant system models.

2 Proof of Work

Almost all fault-tolerant systems assume that the majority or vast majority (e.g., more than half or two-thirds) of nodes in the system are honest and reliable. In an open peer-to-peer network, there is no registration of nodes, and they can freely join and leave. Therefore, attackers can create enough Sybil or sockpuppet nodes to break the system's consistency guarantees. The Sybil attack was formally defined in 2002 by John Douceur, who proposed mitigating it with a cryptographic construction: proof of work.

2.1 Origins

To understand proof of work, let's look at the origins of this concept. Proof of work was first proposed and created by Cynthia Dwork and Moni Naor in 1992. Their goal was to prevent spam. Note that spam, Sybil attacks, and denial-of-service attacks are roughly similar problems: in each, attackers increase their destructive power in the network relative to regular users. Proof of work is applicable as a defense against all three. In Cynthia Dwork and Moni Naor's design, email recipients would process only emails accompanied by proof that the sender had performed a certain amount of computational work, hence "proof of work." Computing the proof of work on a regular computer might take a few seconds. Therefore, it would not pose any difficulty for ordinary users, but for spammers, sending a million emails under equivalent hardware conditions would take weeks.

Note that the proof of work (also known as "puzzle-solving") must be specific to the email and the recipient. Otherwise, spammers would be able to send multiple emails to the same recipient (or send the same email to multiple recipients) at the same cost as sending one email to one recipient. The second important feature is that it should impose only a minimal computational burden on the recipient; solutions to the puzzle should be easy to verify, regardless of how difficult they are to compute. Additionally, Cynthia Dwork and Moni Naor believed that a backdoor function, with a secret known to a central authority, could allow the authority to solve the problem without performing the work. One possible application of the backdoor is to open a mailing list for the authority that does not incur costs for sending emails. Cynthia Dwork and Moni Naor's proposal included three candidate problems that satisfied their properties and initiated an entire research field, which we will return to later.

2.2 Hashcash

A very similar idea called hashcash was independently invented in 1997 by Adam Back, who was then a postdoctoral researcher and part of the cypherpunk community. Cypherpunks are activists against government and centralized institutional power, dedicated to promoting social and political change through cryptography. Adam Back is a practical person: he first released hashcash software, and it wasn't until five years later, in 2002, that he published an Internet draft (a standardized document) and paper.

Hashcash is much simpler than Cynthia Dwork and Moni Naor's idea: it has no backdoor and does not require a central authority; it only uses hash functions instead of digital signatures. Hashcash is based on a simple principle: hash functions behave as random functions in certain practical applications, meaning the only way to find an input that hashes to a specific output is to try various inputs until the desired output is produced. Moreover, the only way to find an input that hashes into any given set of outputs is again to try hashing different inputs one by one. So, if you are tasked with finding an input that hashes to an output starting with ten zeros (in binary), you will have to try a large number of inputs: the chance of any one output starting with ten zeros is (1/2)^10, meaning you will have to try on the order of 2^10 inputs in sequence, or about 1000 hash computations.
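The requirements stated above (the stamp is bound to one message and one recipient, it is costly to produce, and it takes one hash to check) are shown in the following added example, which is not Adam Back's hashcash code and does not use the real hashcash stamp format. SHA-256, the field encoding, the 16-bit difficulty, the replay set and all names and addresses are assumptions of this sketch.

```python
import hashlib
from itertools import count

def leading_zero_bits(digest: bytes) -> int:
    """Number of zero bits at the start of a digest."""
    return len(digest) * 8 - int.from_bytes(digest, "big").bit_length()

def stamp_digest(recipient: str, message: bytes, counter: int) -> bytes:
    # Length-prefix each field so ("ab", "c") and ("a", "bc") hash differently.
    fields = (recipient.encode(), message)
    body = b"".join(len(f).to_bytes(4, "big") + f for f in fields)
    return hashlib.sha256(body + counter.to_bytes(8, "big")).digest()

def mint(recipient: str, message: bytes, bits: int):
    """Sender side: try counters until the digest starts with `bits` zero bits.
    Returns (counter, attempts); the expected number of attempts is 2**bits."""
    for counter in count():
        if leading_zero_bits(stamp_digest(recipient, message, counter)) >= bits:
            return counter, counter + 1

def verify(recipient: str, message: bytes, counter: int, bits: int) -> bool:
    """Recipient side: a single hash, however long minting took."""
    return leading_zero_bits(stamp_digest(recipient, message, counter)) >= bits

class Mailbox:
    """Recipient that accepts a stamp only for its own address, and only once."""
    def __init__(self, address: str, bits: int):
        self.address, self.bits, self.seen = address, bits, set()

    def accept(self, message: bytes, counter: int) -> bool:
        digest = stamp_digest(self.address, message, counter)
        if leading_zero_bits(digest) < self.bits:
            return False          # not enough work, or work done for someone else
        if digest in self.seen:
            return False          # same stamp replayed to the same recipient
        self.seen.add(digest)
        return True

if __name__ == "__main__":
    BITS = 16                                     # constructed difficulty
    msg = b"Subject: lunch?\n\nNoon at the usual place."   # constructed message
    counter, attempts = mint("bob@example.org", msg, BITS)
    print(f"minted after {attempts} hashes (expected about {2 ** BITS})")
    bob = Mailbox("bob@example.org", BITS)
    carol = Mailbox("carol@example.org", BITS)
    print("bob accepts:", bob.accept(msg, counter))
    print("bob accepts replay:", bob.accept(msg, counter))
    print("carol accepts bob's stamp:", carol.accept(msg, counter))
```

Because the recipient address and the message are both hashed into the stamp, work done for one email cannot be reused for a second recipient or a second message, which is the property the Dwork and Naor design requires.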

As the name suggests, in hashcash, Adam Back viewed proof of work as a form of currency. On his website, he positioned this currency as an alternative to David Chaum's DigiCash, a system in which banks issue untraceable digital cash to users. He even made some design trade-offs to make it appear more like a currency. Later, Adam Back commented that Bitcoin is a direct extension of hashcash. However, hashcash is not cash because it does not prevent double spending. Hashcash tokens cannot be exchanged between peer counterparts.

At the same time, in the academic field, researchers found that proof of work has many application scenarios beyond spam prevention, such as preventing denial-of-service attacks, ensuring the authenticity of network analysis, and rate-limiting online guessing of passwords. By the way, the term proof of work was first introduced by Markus Jakobsson and Ari Juels in a paper they wrote in 1999, which was also a good overview of this research up to that point. Notably, these researchers did not seem to be aware of hashcash, independently converging towards hash-based proof of work, as mentioned in papers by Eran Gabber et al. and Juels and Brainard.

Sidebar: Sybil-resistant Networks

In his paper on Sybil attacks, John Douceur proposed that all nodes participating in BFT protocols need to solve hashcash puzzles. If a node masquerades as N identities, it will not be able to solve N puzzles in a timely manner, and its forged identities will be eliminated. However, malicious nodes can still have more advantages than honest nodes that only claim a single identity. A follow-up article published in 2005 proposed that honest nodes should mimic the behavior of malicious nodes and claim as many virtual identities as their computational power can handle. By using these virtual identities to execute the BFT protocol, the original assumption of "at most f nodes fail" can be replaced with "the share of total computational power controlled by failed nodes is at most f." Therefore, there is no longer a need to verify identities, and open peer networks can run BFT protocols. Bitcoin just happens to use this idea, but Nakamoto raised further questions: what incentivizes nodes to perform expensive proof-of-work computations? The answer requires a further leap: digital currency.

2.3 Proof of Work and Digital Cash: A Catch-22

You may know that proof of work has not been successfully applied to its originating application as an anti-spam measure. One possible reason is the vast differences in the speed at which different devices solve puzzles. This means that spammers can customize hardware with a small investment to increase their spam-sending rate by several orders of magnitude. In economics, the natural response to asymmetric production costs is trade—that is, a marketplace for proof of work. However, here lies a catch-22, as this would require a digital currency that works. In fact, it is precisely the lack of such currency that has led to the greatest disincentive for the use of proof of work. A crude solution to this problem is to declare "puzzle-solving" as cash, as hashcash attempted to do.

*Translator's Note: A catch-22 generally refers to a predicament caused by mutually contradictory rules or conditions that make it impossible to escape; or an illogical or contradictory problem. For example, this is a contradictory dilemma: no one wants to support you unless you have already succeeded, but if no one supports you, how can you possibly succeed?

Work is currency, and currency requires work incentives, which is the catch-22.

If it is mandated that proof of work is currency, Nakamoto's consensus and incentive logic should be as follows: proof of work is currency, which incentivizes miners to work hard to mine and provide proof of work, and then obtain currency; while using economic principles to set rules that make the input of malicious nodes greater than the benefits, malicious nodes have no motivation to disrupt consensus, thus solving the problem of achieving consensus due to general betrayal in BFT.

Clearer schemes for treating "puzzle-solving" as cash appear in two papers that predate Bitcoin, describing b-money and bit gold. These schemes provide timestamp services that sign off on the creation of money (through proof of work) and, once money is created, sign off on transfers. However, if inconsistencies arise in the ledger between servers or nodes, the papers do not provide clear solutions. Relying on majority principles to decide seems to be the implicit intention of the two authors' papers, but due to the Sybil problem, these mechanisms are not very secure unless a gatekeeper is introduced to control the network or Sybil resistance is achieved through proof of work.

3 Combinatorial Innovation

By understanding all these contributions to the design details of Bitcoin, you will appreciate Nakamoto's truly genius innovation. In Bitcoin, "puzzle-solving" does not by itself constitute cash; instead, it is merely used to protect the ledger. Solving the proof-of-work puzzles is done by specialized entities called miners (although Nakamoto did not anticipate what professional mining would become).

Miners need to continuously compete with each other to find the next "puzzle-solving." Each miner is tasked with solving a slightly different variant of this puzzle, so the chances of success are proportional to the share of global mining power controlled by the miner. The miner who solves the puzzle contributes the next batch of the timestamped ledger, or block (i.e., the next transaction). In exchange for maintaining the ledger, a miner contributing a block receives a reward of newly mined currency. It is likely that if a miner contributes an invalid block or transaction, it will be rejected by the majority of other miners contributing the next block, rendering the reward for the invalid block void. Thus, monetary incentives ensure that miners follow the same protocol.

Bitcoin cleverly avoids the double spending problem that plagues the "proof-of-work-as-cash" mechanism by sidestepping the value of "puzzle-solving" itself. In fact, Bitcoin achieves two decouplings of "puzzle-solving" from economic value: the amount of work required to produce a block is a floating parameter (proportional to global mining power), and furthermore, the number of bitcoins issued for each block is not fixed. The block reward (i.e., how new bitcoins are mined) is halved every four years (in 2017, the reward was 12.5 bitcoins/block, reduced from the initial 50 bitcoins/block). Bitcoin includes an additional reward scheme—namely, transaction initiators pay transaction fees to miners who include that transaction in a block, expecting the market to determine transaction fees and miner rewards.

Thus, Nakamoto's genius lies not in any single component of Bitcoin but in the complex way in which various technologies are integrated to breathe life into the entire system. Objectively speaking, researchers studying timestamps and Byzantine protocols did not address the issue of node incentives until 2005, nor did they use proof of work to eliminate node identity issues. Conversely, the authors of hashcash, b-money, and bit gold did not absorb the ideas of consensus/consistency algorithms to solve the double spending problem. In Bitcoin, a secure ledger can prevent the double spending problem, thereby ensuring that currency has value. Only valuable currency can reward miners, and then ensure that the strength of mining power can guarantee the security of the ledger. If there is not enough mining power, an adversary could gain over 50% of the global mining power, allowing them to generate data blocks faster than the rest of the network and double spend transactions, effectively rewriting history, leading to a deficit for the entire system. Therefore, Bitcoin is self-bootstrapping, with a closed-loop dependency relationship among the ledger, currency, and miners.

Sidebar: Smart Contracts

A smart contract essentially takes the idea of placing data in a secure ledger and extends it to computation. In other words, it is a consensus protocol that publicly specifies the correct execution of programs. Users can call functions in the smart contract program and comply with any restrictions specified by the program, and the function code is executed in sequence by miners. Users can trust the output without having to redo the computation and can write their own programs to handle the outputs of other programs. By combining with cryptocurrency platforms, smart contracts are particularly powerful because the aforementioned programs can handle funds: owning, transferring, destroying, and in some cases even printing.

Bitcoin implements a restrictive programming language as a smart contract. A "standard" transaction (i.e., transferring currency from one address to another) is implemented as a short script in this language. Ethereum provides a more permissive and powerful language.

The idea of smart contracts was proposed by Nick Szabo in 1994, as it can be analogized to legal contracts (smart contracts have the added functionality of automatic execution), hence the name smart contracts. Nick Szabo foresaw the extension of smart contracts as digital cash protocols (this view has been criticized by Karen Levy and Ed Felten) and recognized that Byzantine protocols and digital signatures (among others) could serve as building blocks. The success of cryptocurrencies has made smart contracts a reality, and research on this topic has begun to rise. For example, programming language researchers have adjusted their methods and tools to automatically discover errors in smart contracts and write verifiably correct smart contracts.

3.1 Public Keys as Identities

This article is based on the understanding that a secure ledger makes the creation of digital currency easier. Let's revisit this assertion. When Alice wants to pay Bob, she broadcasts the transaction to all Bitcoin nodes. A transaction is merely a string: a declaration that "Alice wishes to pay Bob some money," signed by Alice. Ultimately, this declaration is recorded in the ledger by miners, and the transaction becomes a reality. Note that Bob does not need to participate in this process in any way. However, let us focus on the absent parties in this transaction: clearly absent are the identities of Alice and Bob; instead, the transaction only contains their respective public keys. This is an important concept in Bitcoin: public keys are the only identities in the system. Transactions transfer value to or from public keys, and this convention is referred to as an address.

*Translator's Note: The introduction of this address concept is a clever innovation by Nakamoto compared to traditional distributed systems.

To "speak for" an identity, you must know the corresponding private key. You can create a new identity at any time, simply by generating a new key pair, without needing a central authority or registration agency. You do not need to apply for a username or notify others that you have chosen a specific name. This is the concept of decentralized identity management. Bitcoin does not specify how Alice should tell Bob what her pseudonym is; this is external to the system.

This stands in stark contrast to most other payment systems today, yet these ideas are quite "old," tracing back to David Chaum, the father of digital cash. In fact, David Chaum also made pioneering contributions to anonymous networks, and it is in this context that he invented the idea of "digital pseudonyms." In his 1981 paper "Untraceable Electronic Mail, Return Addresses, and Digital Pseudonyms," he stated: "Digital pseudonyms are public keys used to verify whether the corresponding private key's anonymous holder has signed."

Now, knowing the recipient only through public keys is an obvious problem: it is impossible to route the email to the correct computer. This led to the inefficiency of David Chaum's scheme: anonymous transactions could not be eliminated. Compared to centralized payment systems, Bitcoin is similarly inefficient: the ledger containing each transaction is maintained by every node in the system. In any case, Bitcoin chose security while simultaneously choosing inefficiency, thus achieving "free" anonymity (i.e., public keys as identities). David Chaum advanced these ideas in his 1985 paper, proposing a vision of privacy-protecting e-commerce based on universal "pseudonyms" and the key ideas behind digital cash—"blind signatures."

The idea of "public keys as identities" also exists in the earlier discussed pioneering literature of Bitcoin: b-money and bit gold. However, most of the work builds on David Chaum's foundation, and David Chaum's later work (including electronic cash) diverged from this idea. The cypherpunk community had a strong interest in privacy-protecting communications and commerce, embracing what they called "nyms" as pseudonyms. But for them, nyms were not just cryptographic identities (i.e., public keys) but were typically email addresses associated with public keys. Similarly, Ian Goldberg's paper—the basis for subsequent anonymous communication work—supported David Chaum's view but argued that "pseudonyms" should be memorable nicknames bound to certificates. Thus, Bitcoin has proven to be the most successful example of David Chaum's ideas.

4 Blockchain

So far, this article has not mentioned blockchain. If you believe the hype, blockchain is the main invention of Bitcoin. You might be surprised to learn that Nakamoto never mentioned this term at all. In fact, the term blockchain does not have a standard technical definition but is used by various parties to refer to systems that resemble Bitcoin and its ledger to varying degrees.

Discussing example applications that benefit from blockchain will help clarify the different uses of the term. First, consider a database backend for transactions between a consortium of banks, where transactions are netted at the end of each day and accounts are settled by a central bank. Such a system has a few clearly defined parties, so Nakamoto's consensus would be overkill. There is also no need for currency on the blockchain since accounts are denominated in traditional currency. On the other hand, linked timestamps are clearly useful, at least to ensure consistent global transaction ordering in the face of network delays. State replication is also useful: a bank will know that its local data copy is the same as the data used by the central bank to settle accounts. This frees banks from the costly coordination processes they currently must perform.

Second, consider an asset management application, such as tracking financial securities, real estate, or any other asset ownership documentation. Using blockchain can improve interoperability and lower barriers to entry. We want a secure global document registry, ideally allowing public participation. This is essentially what timestamp services provided in the 1990s and early 2000s. Public blockchains provide a particularly effective way to achieve this (the data itself may be stored off-chain, with only metadata stored on-chain). Other applications also benefit from timestamping or "bulletin board" abstractions, most notably electronic voting.

Let’s continue with the asset management example. Suppose you want to execute asset transactions via blockchain rather than merely storing transaction records. If the asset itself is issued digitally on the blockchain and the blockchain supports smart contracts, transactions can occur. In this case, smart contracts solve the "fair exchange" problem of ensuring that payment only occurs when the asset is transferred. More generally, smart contracts can encode complex business logic, as long as all necessary input data (assets, prices, etc.) is represented on the blockchain.

This mapping of blockchain attributes to applications allows us not only to appreciate its potential but also to inject much-needed skepticism. First, many proposed blockchain applications, especially in banking, do not use Nakamoto's consensus mechanism. Instead, they use ledger data structures and Byzantine protocols (these technologies, as mentioned earlier, can be traced back to the 1990s). This suggests that blockchain is not a new revolutionary technology. On the contrary, the buzz surrounding blockchain has helped banks initiate collective actions to deploy shared ledger technology, much like the metaphor of "stone soup." Bitcoin is also a very clear proof of concept for decentralized ledgers, and the Bitcoin core project provides a convenient codebase that can be adjusted as needed.

*Translator's Note: "Stone Soup" is a work adapted from a French folktale, but Joan Muth sets the story in ancient China. Three monks arrive at a village that has suffered greatly, and the villagers, hardened by years of hardship, are unwilling to accept anyone. However, the monks use the method of cooking stone soup to subtly encourage the villagers to contribute, helping them understand the essence of sharing and happiness.

Joan Muth, an American picture book author and illustrator, studied in Japan and is fascinated by traditional Japanese and Chinese culture. She has created many picture books that embody Eastern philosophical wisdom, such as "Zen Stories."

Secondly, there is a misleading claim: blockchain is generally more secure than traditional document registries. To understand why, it is essential to separate the overall stability of the system or platform from endpoint security (i.e., the security of users and devices). Admittedly, the systemic risks of blockchain may be lower than those of many central institutions, but the endpoint security risks of blockchain are far higher than the corresponding risks of traditional institutions. Blockchain transactions are almost instantaneous, irreversible, and designed for anonymous transactions in public blockchains. In blockchain-based stock registries, if users (brokers or agents) lose control of their private keys—whether due to a lost phone or malware installed on their computer—they will lose their assets. The extraordinary history of Bitcoin hacks, thefts, and scams does not inspire much confidence; it is estimated that at least 6% of Bitcoin in circulation has been stolen at least once.

Sidebar: Permissioned Blockchains

While this article emphasizes that private and permissioned blockchains do not utilize most of Bitcoin's innovations, it does not mean that interesting work occurring in this field is scarce. Permissioned blockchains restrict who can join the network, write transactions, or mine (blocks). In particular, if miners are restricted to a list of trusted participants, proof of work can be abandoned in favor of more traditional BFT methods. Thus, most of the research is a revival of BFT algorithms, and the following questions can be posed: Can we simplify consensus algorithms using hash trees? What if the network can only fail in certain ways?

Moreover, there are important considerations surrounding identity and public key infrastructure, access control, and the confidentiality of data stored on the blockchain. These issues largely do not arise in public blockchains and have not been studied in traditional BFT literature.

Finally, there is engineering work to improve the throughput of blockchains and apply them to various businesses, such as supply chain management and financial technology.

5 Concluding Lessons

The history described here provides rich (and complementary) lessons for practitioners and academics. Practitioners should approach claims of revolutionary technology with skepticism. As previously mentioned, most of the ideas in Bitcoin that excite enterprises, such as distributed ledgers and Byzantine protocols, can be traced back over 20 years. Recognize that your problems may not require any breakthrough innovation: long-forgotten solutions can be found in research papers.

Academia seems to have the opposite problem, at least in this context: resisting radical, external ideas. Many ideas in the Bitcoin white paper, although traceable to their lineage, are more novel than most academic research. Moreover, Nakamoto did not care about academic peer review and did not fully connect it with academic history. Therefore, for years, academia almost entirely ignored Bitcoin. Many academic communities informally believed that, judged by theoretical models and experience with past systems, Bitcoin could not work, even though it was in fact functioning well in practice.

We repeatedly see that ideas in research literature may gradually be forgotten or overlooked, especially if those ideas transcend their time or exist outside popular research fields. Both practitioners and academics should revisit old ideas and gather insights from current systems. The extraordinary and successful aspect of Bitcoin lies not in its position at the forefront of any component research but in its integration of many old ideas from unrelated fields. Achieving this is not easy, as it requires bridging different terminologies, assumptions, etc., but it is a valuable blueprint for innovation.

Practitioners should be able to identify overhyped technologies and benefit from that. There are some indicators for identifying technological hype: difficulty in determining its technological innovation; difficulty in determining the meaning of so-called technical terms due to companies rushing to attach their products to popular trends; difficulty in determining the problems being solved; and finally, demands for technology to solve social problems or create economic/political turmoil.

Conversely, academia struggles to market its inventions. Unfortunately, the original proof-of-work researchers did not receive credit for Bitcoin, possibly because their work was not known outside academia. In academia, activities such as publishing code and collaborating with practitioners are not adequately rewarded. In fact, to date, the original branch of academic proof of work still does not acknowledge the existence of Bitcoin! Engaging with the real world not only helps gain credit but also reduces wheel reinvention and is a way to find new ideas.

This lesson covers the attitudes of major global economies toward Bitcoin and how those attitudes have changed over time. Why is it important to understand this? Aside from increasing your knowledge reserves, when your work involves blockchain, whether you are directly engaged in the industry or indirectly investing in it, the policy changes and current situations of various countries will be a very important reference for you.

Globally, the United States and Japan are at the forefront of Bitcoin regulation, while countries like the UK, Canada, Australia, and Switzerland also recognize the positive significance of Bitcoin and are working on regulatory frameworks to regulate industry development. Russia and Thailand have shifted from previous prohibitions to relaxations.

| Germany

The first country to recognize the legal status of Bitcoin was Germany. In August 2013, the German government stated that Bitcoin could be treated as private currency and a unit of currency, with individuals using Bitcoin enjoying a one-year tax exemption, while a certain percentage of tax would be levied for commercial use. In October 2016, a company providing Bitcoin lending services in Germany announced that it had obtained a license from the Federal Financial Supervisory Authority (BaFin). To date, Germany is one of the few countries in the world that has established relatively clear regulatory and legal policies regarding Bitcoin transactions.

Now, regarding the United States, in addition to federal legislative powers, each state in the U.S. has its own legal system. From a regulatory perspective, several major regulatory agencies in the U.S. include the Securities and Exchange Commission (SEC), the Commodity Futures Trading Commission (CFTC), and the Internal Revenue Service (IRS), each of which has different regulatory measures for Bitcoin. The regulatory measures of various states in the U.S. also vary.

| United States

Let’s first discuss the U.S. Securities and Exchange Commission, which has rejected Bitcoin ETF (Bitcoin Exchange-Traded Fund) listing applications at least three times this year. The U.S. Commodity Futures Trading Commission classified Bitcoin as a "commodity," issuing the first Bitcoin derivatives clearing license in July 2017 and approving the establishment of Bitcoin futures exchanges. The U.S. tax authority views Bitcoin as property subject to federal taxes, with different tax types required for different uses.

Various states in the U.S. have also introduced regulatory frameworks for digital currencies, determining the regulatory framework for the digital currency industry. In August 2014, the New York Department of Financial Services issued the world's first digital currency license (BitLicense). New York is also the first government entity in the world to comprehensively propose regulations for digital currencies. Washington introduced Senate Bill 5031 in April 2017, stipulating that all companies conducting Bitcoin trading in Washington must apply for a trading license and undergo third-party audits, providing all relevant data. In other states, some merely define cryptocurrencies as financial instruments and tax them, while others have introduced more detailed business registration rules.

| Japan

Now, regarding Japan, it is a very proactive country toward Bitcoin. In 2016, Japan approved a regulatory bill for digital currencies, and on April 1, 2017, the "Amendment to the Payment Services Act" officially came into effect, granting official recognition to the legality of digital assets such as Bitcoin as a means of payment. In July 2017, Japan officially stopped charging an 8% consumption tax on Bitcoin transactions. Recently, on September 29, the Japanese Financial Services Agency issued the first batch of Bitcoin exchange licenses. Starting in October, the Japanese Financial Services Agency began comprehensive regulation of Bitcoin exchanges in Japan. For example, they will implement measures such as reviewing internal systems and authorizing regulatory agencies to conduct "real-time" inspections.

Since early 2017, the trading volume of Bitcoin in Japan has been continuously rising, and currently, the Japanese yen ranks first globally in terms of trading volume against Bitcoin among fiat currencies.

| Russia

Russia's attitude toward Bitcoin has undergone the most significant changes. In February 2014, the Russian Prosecutor General's Office announced that the use of Bitcoin by any citizen or legal entity within Russia was illegal. However, later, other regulatory bodies expressed differing opinions. The Deputy Minister of Finance indicated that Russia might consider legalizing cryptocurrencies in 2018; however, shortly thereafter, the Central Bank's Financial Technology Center opposed this, stating that it was too early to discuss the legalization of cryptocurrencies in Russia. Currently, there are officially approved trading platforms and mining companies in Russia. The Governor of the Central Bank stated in June 2017 that Bitcoin is a digital asset, not a virtual currency.

After discussing Germany, the first country to recognize the legal status of Bitcoin, as well as the United States, Japan, and Russia, let's take a look at the attitudes of several other countries toward Bitcoin.

| France

France's attitude toward Bitcoin is somewhat different. At the end of 2013, the Governor of the French Central Bank, like many of his international counterparts, issued a warning about the risks of Bitcoin trading, cautioning that Bitcoin prices are unstable and that users may encounter difficulties when converting Bitcoin into real currency after investing in it. According to French law, Bitcoin cannot be considered a legal currency in accordance with the national financial and fiscal code. Additionally, the French government has strengthened the management of trading platforms for fiat currency and Bitcoin transactions, requiring that every Bitcoin transaction must be real-name registered. In France, income generated from trading Bitcoin is also subject to taxation. Of course, France is a romantic country; in May 2017, the left-wing leader Emmanuel Macron was elected as the new president of France, and aside from his story of marrying his former teacher, he also made headlines on the globally renowned social news site Reddit by holding up a Bitcoin hardware wallet, sparking discussions among Bitcoin enthusiasts.

In line with Germany and France, several Nordic countries have a more laissez-faire attitude toward Bitcoin. As early as 2013, the Danish Financial Supervisory Authority issued an official statement, warning of the risks associated with Bitcoin, similar to other central banks. However, they also regarded virtual currencies as unregulated electronic currencies that could also be used for payments. Subsequently, the Danish government issued a surprising announcement: digital currencies like Bitcoin would not be regulated in Denmark, and companies conducting Bitcoin exchange businesses would not need permission from the Danish government.

| Norway

Norway, also a Nordic country, has undergone two drastically different changes in its attitude toward Bitcoin. In November 2013, the Norwegian Tax Administration issued a statement declaring that Bitcoin does not meet the definition of currency and would be taxed as a virtual asset. Any form of Bitcoin transaction would incur a 25% value-added tax, which is quite high. In October 2014, two major banks in Norway announced that they would not provide services to Bitcoin companies. However, two years later, the Norwegian government's attitude toward Bitcoin underwent a dramatic change. In November 2016, Norway's largest financial services group DNB added a feature to its app allowing users to purchase Bitcoin using credit or debit cards. In February 2017, the Norwegian Tax Administration further announced the cancellation of the high value-added tax on Bitcoin transactions in the country.

| China

Finally, let's look at the official stance of China toward Bitcoin. In China, five ministries of the central bank issued a notice titled "Notice on Preventing Bitcoin Risks" in 2013, classifying Bitcoin as a "virtual commodity" and requiring financial institutions not to participate in Bitcoin-related businesses, while also requiring trading platforms to fulfill their obligations for record-keeping and anti-money laundering. Over the years, regulatory authorities and industry parties have been implementing and enforcing this document until September 2017, when regulatory authorities guided various Bitcoin trading platforms to cease domestic Bitcoin trading operations.

Alright, in today's lesson, we learned about the official attitudes of major countries toward Bitcoin. Let's review these key points:

The United States and Japan are at the forefront of Bitcoin regulation globally. Although the policies of major regulatory agencies and various states in the U.S. differ regarding Bitcoin, overall, their regulation of Bitcoin is more advanced and mature. Japan has a very positive attitude toward Bitcoin, officially recognizing its "payment" attribute, stopping the collection of consumption tax on Bitcoin transactions, and issuing the first batch of Bitcoin exchange licenses, while also conducting comprehensive regulation of Bitcoin exchanges in Japan.

Countries like the UK, Germany, and several Nordic countries also recognize the positive significance of Bitcoin. However, France's attitude is somewhat different, as it does not consider Bitcoin a legal currency and has strengthened the management of Bitcoin trading platforms, requiring each Bitcoin transaction to be real-name registered and taxing income generated from trading Bitcoin.

Russia's attitude toward Bitcoin remains controversial, with different departments holding differing views on whether Bitcoin should be considered legal currency. The latest official statement from June 2017 is that "Bitcoin is a digital asset, not a virtual currency."

Finally, China's official policy regarding Bitcoin classifies it as a "virtual commodity," with the central bank requiring financial institutions not to participate in Bitcoin-related businesses and requiring trading platforms to fulfill record-keeping and anti-money laundering obligations.

6 Acknowledgements

The authors are grateful to Adam Back, Andrew Miller, Edward Felten, Harry Kalodner, Ian Goldberg, Ian Grigg, Joseph Bonneau, Malte Möser, Mike Just, Neha Narula, Steven Goldfeder, and Stuart Haber for valuable feedback on a draft.