Bit Gold
Bit Gold is Nick Szabo’s 2005 proposal for a digital money whose value does not depend on a trusted issuer. It chains together unforgeably costly proof-of-work strings, secure distributed timestamping, and a distributed property-title registry, so that scarce digital objects can be created, owned, transferred, and assayed online with minimal trust. It is the closest design predecessor to Bitcoin, even though the Bitcoin whitepaper does not cite it.
The Problem It Sets
Szabo opens with the same complaint that runs through the whole cypherpunk monetary thread: modern money depends on trust in a third party, and that dependence has repeatedly been abused — most destructively through inflation. Private bank-note issue had its own advantages and disadvantages, but it too rested on a trusted issuer.
Precious metals and collectibles escaped that dependence because their scarcity is unforgeable: it comes from the sheer cost of producing them, not from anyone’s promise. That is what once let commodity money hold value independent of any trusted party. But metals carry their own frictions — they are too costly to assay for every transaction (so a trusted mint stamps standardized coins), they are insecure to transport in bulk, and, decisively, you cannot pay with metal online. Szabo’s question is therefore whether a protocol could produce unforgeably costly bits online, with minimal dependence on trusted third parties, that could then be stored, transferred, and assayed with similar minimal trust.
The Proposal: Unforgeably Costly Bits
Bit Gold computes a string of bits from a challenge string using a function Szabo calls variously a client-puzzle function, a proof-of-work function, or a secure benchmark function — one whose distinguishing property is a specific, measurable computational cost. The resulting string is the proof of work. The full scheme runs in seven steps:
- A public challenge string is created (its source is step 5).
- A participant computes a proof-of-work string from the challenge bits using the benchmark function.
- The proof of work is securely timestamped, ideally across several independent timestamp services so no single one must be relied on.
- The challenge string and timestamped proof are added to a distributed property-title registry for bit gold — again with no single server substantially trusted.
- The last-created string of bit gold supplies the challenge bits for the next, chaining the units together.
- Ownership is verified by checking the unforgeable chain of title in the registry.
- Value is assayed by verifying the challenge bits, the proof-of-work string, and the timestamp.
Ownership by Chain of Title
The design’s subtle move is that owning bit gold is not the same as possessing the bits. Anyone can copy a public string; what cannot be copied is one’s lead position in the unforgeable chain of title — the chain of digital signatures recorded in the distributed registry. Ownership therefore lives in the registry’s signature history, not in secret control of the data. The whole arrangement can be automated in software, and its security reduces to how well trust can be distributed across the timestamping and registry steps. This title-registry framing is the part of Bit Gold that most directly anticipates a public ledger of ownership.
Relationship to Bitcoin
Bit Gold sits one step before Bitcoin in the proof-of-work lineage. It already contains costly proof-of-work strings, secure timestamping, a distributed title registry, and digital-signature chains of title — four ideas that reappear, made operational, in Satoshi Nakamoto’s 2008 design. Bitcoin’s decisive addition is to use proof of work not only to create cost but to order a single shared transaction history — replacing Bit Gold’s separate timestamp services and title registry with one chain whose longest, most-worked branch is the agreed history.
The connection is an inference from the texts rather than a citation: Bitcoin’s whitepaper cites Wei Dai’s b-money and Adam Back’s Hashcash, but not Bit Gold. The design overlap is nonetheless close enough that Bit Gold is routinely read as Bitcoin’s nearest conceptual predecessor. Hal Finney built a working variant, RPOW (Reusable Proofs of Work), that explicitly invoked Bit Gold and let a remote, tamper-evident “mint” be audited by remote attestation.
Limits
Szabo is candid about the scheme’s main flaw, which also makes it a sharp illustration of what “unforgeable costliness” requires. Proof of work depends on real machine architecture, not an abstract compute cycle, so an innovator with a far cheaper way to produce proofs could quietly swamp the market with bit gold — a hidden supply glut. Secure timestamping mitigates this: because each unit records when it was made and how hard the work was, the production cost during that period can usually be inferred after the fact.
A second consequence is that bit gold is not naturally fungible. Like collectors’ items rather than fungible atoms of gold, strings made at different times and difficulties have different values, so dealers would have to bundle unequal pieces into larger units of roughly equal value — much as commodity dealers standardize lots today, with the bundle valuations independently verifiable by many parties. Szabo’s closing claim is the monetary thesis the unforgeable costliness concept turns on: all money mankind has used has been insecure in some way — counterfeiting, theft, and above all inflation — and a money made of costly, verifiable bits could offer security from those dangers that earlier monies could not.
See Also
- Nick Szabo - author of the Bit Gold proposal
- Proof of Work - the cost function Bit Gold turns into a monetary object
- Bitcoin Whitepaper - the later design that makes Bit Gold’s ideas operational
- Satoshi Nakamoto - author of the design that Bit Gold most closely anticipates
- Unforgeable Costliness - the monetary primitive Bit Gold is built to recreate digitally
- Hashcash - Adam Back’s proof-of-work cost function, the earlier rung in the lineage
- Hal Finney - built RPOW, a working variant that cited Bit Gold
- Shelling Out - Szabo’s companion essay on collectibles as proto-money, the historical side of the same argument
- Trusted Third Parties as Security Holes - Szabo’s design rule that Bit Gold tries to satisfy
- Hard Money - money hard to produce; the Austrian frame Bit Gold translates into bits
- Cypherpunk - topic map for the thread this proposal belongs to
- Privacy and Cryptography - technical setting for Szabo’s protocol designs
- Adam Back - Cryptographer who created Hashcash, the proof-of-work cost function cited by the Bitcoin whitepaper — the abuse-pricing primitive that became Bitcoin’s mining and consensus mechanism.
- Wei Dai - Cypherpunk who proposed b-money (1998), the pseudonymous digital-money design with proof-of-work issuance and deposit-backed contracts that the Bitcoin whitepaper explicitly cites.
- Bitcoin - Peer-to-peer electronic cash secured by proof-of-work, with a fixed 21-million-coin supply that makes it the first verifiably scarce digital good.
- b-money - Wei Dai’s 1998 proposal for pseudonymous digital money with proof-of-work issuance, signed broadcast transfers, and bonded contracts
Sources
- Bit Gold - Szabo’s 2005 essay: the problem, the seven-step protocol, chain of title, and the machine-architecture limit
- Bitcoin: A Peer-to-Peer Electronic Cash System - the later design used here for the proof-of-work / timestamping / title-registry comparison