§5.863 — The final ingredient in the suite of soft technological advances that are drawn together in the initiation of cryptocurrency simultaneously resolves the Byzantine coordination conundrum and secures monetary tokens against duplicitous proliferation. It thus integrates the seemingly disparate challenges of decentralization and deflation. To repeat the point with reverse emphasis, it protects a decentralized monetary system against the twin threats of coalescence (into the enemy ‘city’) and inflationary devaluation. It has, in both aspects, to fully substitute for the function of pseudo-transcendent trusted authority. This requires a production of immanent or intrinsic credibility. The computer science solution was found in proof-of-work.
§5.8631 — Proof-of-work dates back to the final years of the last millennium. The critical step was taken by Adam Back in his proposed ‘counter-measure’ to the exploding Internet spam problem. Proof-of-work credentials could be used to indicate the seriousness – or non-frivolity – of a message. By demonstrating that trouble has been taken, they recommend attention. In the case of the Byzantine generals, they separate committed communications from glib deceptions, without recourse to extrinsic validation. In the case of monetary accounting, they preclude cheap forgeries, and thus eliminate every normal incentive to forge.
§5.86311 — Back quickly realized that proof-of-work credentials (or cost tokens) were intrinsically money-like. “We use the term mint for the cost-function because of the analogy between creating cost tokens and minting physical money,” he notes. They were both earned, and valuable. In fact, all six of the essential monetary qualities could be attributed to them. This insight was formalized – as hashcash – in 1997. Back described hashcash as a ‘denial-of-service counter-measure’, although its potential applications were far wider.
§5.8632 — A cost-function is time-like, or asymmetric. It has the synthetic a priori characteristic, essential to cryptography, of being difficult to discover but easy to check. Back states that it “should be efficiently verifiable, but parameterisably expensive to compute.” The combination defines (valid) work. Concretely, work measures applied computational power. It has the game-theoretic meaning of commitment. While deterministic cost-functions are possible, those adopted by hashcash and subsequently Bitcoin are probabilistic, producing tokens based on the performance tested set by particularly arduous (trial-and-error) exercises, precluding short-cuts.
§5.86321 — Among the practical concepts introduced into monetary history by proof-of-work, perhaps the most important is difficulty. Several points are worth noting explicitly. Firstly, the asymmetry in the difficulty of production relative to checking is so massive that the latter is treated as of negligible difficulty. This comparatively informal side-concept then contributes precision to the idea of convenience. Secondly, and of greater technical consequence, difficulty – while probabilistic – can be exactly quantified. In this second critical asymmetry, the problems posed as proof-of-work tests are fully understood even while completely unsolved. They can not only be finely determined, but also set, and adjusted. This makes difficulty a technical variable. In cryptocurrency, it substitutes for all macroeconomic controls.
§5.86322 — Hashcash catalyzed a theoretical breakthrough in cryptocurrency-oriented computer science during the final years of the last century. Most notable were two sophisticated proposals published in 1998, Wei Dai’s B-Money and Nick Szabo’s Bit Gold. Both were conceived as decentralized money systems based on a proof-of-work function. Compared to Bitcoin, neither proposal was fully realized. Neither, in any case, was implemented. Proof-of-work had, however, securely established itself in principle as the foundation upon which money would come to rest.
 In a 2002 retrospective on hashcash, Adam Back refers to earlier work by Dwork and Naor who had already “proposed a CPU pricing function for the application of combating junk email.”
Dwork, Cynthia and Naor, Moni Naor, ‘Pricing via processing or combating junk mail’, Proceedings of Crypto (1992).
Dwork and Naor: http://www.wisdom.weizmann.ac.il:81/Dienst/UI/2.0/Describe/ncstrl.weizmann_il/CS95-20.Back: http://www.hashcash.org/hashcash.pdf
 ‘Spam’ is used here in an expansive sense. It encompasses the primary explicit object of Back’s concern, which is the Sybil attack. A Sybil attack ‘spams’ online identities, rather than advertising messages, in order to overwhelm systems with voting procedures (which would include pre-proof-of-work consensus mechanisms). The term ‘Sybil attack’ is much younger than spam. It seems to have been coined in 2002 (or earlier) by Microsoft researcher Brian Zill. The term took its name from the book Sybil, a case study in dissociative identity disorder.
 For this and subsequent Back quotes, see: http://www.hashcash.org/hashcash.pdf
 Of the critical computer science components required for the Bitcoin protocol, proof-of-work was the latest to become available. Cryptocurrency predecessors B-money (Wei Dai) and Bit Gold (Nick Szabo) were both formulated in 1998, less than two years after hashcash was introduced. That Bitcoin did not arrive for another decade might, then, be considered a puzzle of interest. It suggests, at least, that momentum in software development is easily over-estimated. It is also possible that the PC hardware and Internet infrastructure conditions for Bitcoin ignition were not earlier in place. Perhaps an accelerated arrival of Bitcoin, even if conceptually mature, would have been practically premature. Additionally, regarding supportive conditions, the socio-cultural context of the 2008 financial crisis and resultant mass disillusionment with central bank monetary competence is suggestive. In the final years of the new millennium’s first decade, the case for an escape from macroeconomically-managed money made itself. It awaited only cogent formulation.
 “The hashcash CPU cost-function computes a token which can be used as a proof-of-work,” Back explains. This cost-function “is based on finding partial hash collisions on the all 0 bits k-bit string 0k,” as would also be adopted later by Bitcoin.
 B-Money remained dependent upon third parties for dispute resolution, while Bit Gold did not employ proof-of-work for Byzantine consensus (but only as generator of value) leaving it vulnerable to Sybil attacks. It is difficult to note these deficiencies without recognizing the economical genius of the Bitcoin synthesis. With Bitcoin it was for the first time shown what proof-of-work could do.