Project Hamilton is a high-performance payment processing system designed for Central Bank Digital Currencies. The system described in the highly anticipated technical paper is not complete; it is a toy. It is a proof of concept, not a complete system. However, it’s a toy that can be used by adults. The accompanying code and paper demonstrate the technical feasibility of a system that can handle payments on a scale similar to that of the United States. The system can process more than 100 thousand transactions per second, with each transaction taking less than five seconds. The Hamilton team came up with the number based on the observed payment rates for credit cards and other payment systems. There is also a provision for future expansion. Hamilton’s second challenge is to be cash-like without physical cash. This allows users to pay other people with CBDC without having to rely on banks or credit card companies. It also gives them the privacy of cash. To ensure system resilience and wide usability, the payment transaction must be stored on multiple computers in an “all or nothing” fashion: the proof that the payment was made must be updated in all locations or in none, a property known as atomicity. Another challenge is to create a flexible system that can apply policies that are not yet decided.
Privacy is considered one of the most important characteristics of such a system. To achieve this, Hamilton’s layered architecture has a highly modified payment transaction model based on the Unspent Transaction Output (UTXO), as described in the bitcoin paper. This privacy-focused transaction model is called the Unspent funds Hash Set (UHS). The UTXO model is difficult to understand because accounts are what we are accustomed to. Only the UHS is kept in the core system. The system must also be resilient and resistant to malicious attackers as well as bugs. Some of these problems are solved, while others are deferred to Phase II. The system was tested in two architectures. One architecture orders the payments, while the other does not. The first is a fast blockchain, called the atomizer model. The second is a two-phase commit model without rollbacks, called 2PC. The two-phase commit model is well known in distributed databases. The Hamilton team made the entire system available as open source through GitHub.
I am a coder and forked the source. I have been trying to grok it. I am currently writing this article in an Integrated Development Environment. This code is stored on my laptop. It is written in C++. This language is almost like my mother tongue. However, it is slightly rusty because the Hamilton code uses C++17, which is a slightly older dialect than I am used to. It is important to get used to the coding style. As with any complex system, access to the code alone is not enough. You need to spend time understanding the logic and the architecture to make sense of it. Hamilton Phase II invites all to participate, even the combative.
This article was difficult to write because technical details had to be presented in an organized manner without losing any of the nuances. The main thrust of this article is what the project means for the story about money in the United States and around the world, especially to generalists. Sometimes technical material can overshadow the story. We welcome comments, especially via social media, on the presentation, so that it can be made more accessible to the public.
The Two Hamiltons
Although this section may seem to be a distraction from the main theme of the article, you will see its relevance. Hamilton is meant as an ode to Alexander Hamilton, the first Treasury secretary, who wrote a fifteen thousand word report in 1790 to push for the creation of the First National Bank (FNB), an equivalent to the Federal Reserve. He argued for paper currency backed by the FNB, which would unleash the economy’s power by encouraging private enterprise. The First National Bank would function as an independent Central Bank with large private participation. Hamilton recognized the advantages of freeing paper currency from specie (gold or silver coins, bars). He also supported it with a true public-private partnership. This allowed for decentralization of investment, so that capital and credit could be invested more easily through local decisions made by individuals. Hamilton’s genius was in imagining dead stock (specie) fluttering alive through its transmutation into paper currency. Hamilton, like any genius with a great idea, was faced with opposition from a confederacy of dunces. Hamilton defeated this opposition in 1790 with his seminal papers, but the charter for the National Bank didn’t survive Hamilton’s untimely death in 1811.
It is not known what the economic potential of America in the nineteenth century would have been if Hamilton had lived longer. The nation was stuck in a fratricidal dispute, its causes and aftermath, and a century of unproductive infighting and economic malaise. Today, these echoes resonate. This sequence of booms and busts continued up to 1913, when the Federal Reserve was established following the Hamiltonian plan. This launched a century of economic growth and American primacy. The Hamiltonian idea of untethering currency led to the end of the gold standard. Now, the Fed is still opposing a CBDC. However, there are still many people who favor a private solution (stablecoins, for example) over a digital currency. Hamilton is the right name for a currency poised to enter the digital realm. However, certain interests are holding back this currency. This contest and the features of the emerging money will determine if the American economy will be safe, stable, flexible, and profitable for all.
Jim S. Cunha from the Boston Fed, animator of the Hamilton project, made it clear that the name Hamilton was also meant to evoke Margaret Hamilton. Margaret Hamilton was around the same age as Alexander Hamilton was in 1776 when she made ground-shifting contributions to Software Engineering, a term that she helped to coin. A recruit from MIT, she was the software director for the Apollo Command Module. Eagle, the first portable computer that traveled a long distance to land on the moon, was her first assignment. She was the inventor of fail-safe computing, an autonomous system which came through in the face of seemingly failing hardware at a critical moment of the Lunar Landing. Without Margaret Hamilton, the Eagle might not have made its first moon landing. Project Hamilton needs her as its patron saint (even though she is still living) for a CBDC moon shot to succeed.
Two messages can be found here. The first is how the Apollo Programs were developed. These included the ones that went from Low Earth Orbit to orbiting and landing on the moon, and then those that returned safely to Earth. Apollo was the successor to the Mercury, Explorer and Gemini programs. The USA is not even at the Explorer stage for CBDCs. China has launched its Sputnik in the eCNY. Pilot programs rippling out from MIT’s college campuses, or even from multiple foci, must address the growth of knowledge and confidence that comes with real CBDCs. No amount of sandbox testing can match the experience gained in the wild. CBDCs in a country such as the US should not arrive with a bang.
The second message is about fail-safe computing and self-healing systems. Margaret Hamilton’s obsession with what-if scenarios that seem unlikely saved the mission when they improbably happened. One third to one quarter of any code today must be about error handling or recovery. Complex CBDC systems have emergent properties that must be considered. Margaret Hamilton spent the majority of her adult life working on the Universal System Language and its implementation in 001, a toolkit to enforce the Development Before the Fact (DBTF) concept. Avionics design patterns are also important in high-risk solutions such as the Digital Dollar. They help protect against a low-probability but high-risk outcome.
I created my own graphic that incorporates Margaret Hamilton into their official image, since the graphic that announces the technical paper at the Boston Fed was missing the reference.
A Digital Dollar for the People
The Central Bank is the Counterparty of Last Resort. The Fed is the only bank that can take care of all your financial needs. The CBDC is the only digital currency available from the Central Bank. This instrument has the lowest credit risk. Economists have proposed most of the CBDC designs. They enshrine intermediaries in the distribution vectors of the CBDCs. Their main fear is the disintermediation of credit creation. Most Dollars, Euros, Pounds, Renminbi, Rupees and Yen are generated when commercial banks make loans to individuals and businesses. The economists are familiar with cash, so they propose a similar distribution scheme for CBDCs. The economists who design these systems also offer a choice between an account and a token system. Project Hamilton demonstrates how limited their imaginations are: “CBDC design choices are more granular than commonly assumed”. It would be especially helpful if economists collaborated with technologists before presenting technical designs to the rest of the world.
Project Hamilton demonstrates how technical design can bridge seemingly binary choices to provide new capabilities. The Hamilton design shows an instrument that can be used as both an account-based and a token-based instrument, a dual view: modeling an asset with the UHS (à la bitcoin) does not make it a token-based system. The paper explains that this depends on who is looking. An opaque token-based system can be transformed into an account-based view in digital wallets. It is not tokens or accounts; it’s tokens AND accounts.
Another technical design option is to create a modular public system that can be expanded as necessary to implement regulatory, policy and legal directives. Building capabilities requires a solid base, and the Phase I Hamilton project is all about creating that foundation. The whitepaper suggests there are many areas in this design where private intermediaries can get involved. You have many options when you build on top of public substrates.
The technical whitepaper explains the transaction model in both the atomizer (or blockchain) and 2PC (a distributed database) models. The transaction model, which is the data model of a payment, is at the heart of everything. It describes how a payment from one user to another is transformed into UHS entries as it passes through the validating layers. Private data is removed, and what remains is stored in replicated storage as a proof of payment. This is powered by one-way hash functions. The transaction model determines the transaction flow, the scale, finality, and other core models. Users have digital wallets that keep their means of proving they are authorized to spend the CBDC. They also provide a way to check how much CBDC they have. The wallet interacts directly with the transaction validation layer. Transaction processing consists of two layers. The sentinel verifies transaction inputs and forwards the validated transaction to the core layer. The transaction validation layer is separate from the core storage layer. This pre-validation is also a feature of Hyperledger Fabric, a popular enterprise blockchain that also uses UTXO as its core. The transaction validation layer compresses the payment transaction so that only the proof of the payment is deposited in the central system. Most data, including amounts and numbers, does not end up in this system. These are the layers: the wallet, the transaction validation layer, and the core system. The transaction processing layer comprises the transaction validation layer and the core layer.
The design could result in a self-custody digital wallet. This is the ultimate in privacy and control. All operations, including the creation of new money and the transfer of funds, rely on a public/private key pair. The private keys are kept only at the edges, in the wallets. The only way to identify yourself is through the public key. This choice can lead to multisig capabilities (where multiple signatures are required to spend) and hierarchical deterministic wallets (a way to create multiple keys). This is another way to manage keys.
This expansion of capabilities looks like the fusion of Layer-2 architectures into a solution right from the start. Two of the most important contributions of this project are privacy and the ability to have self-custody wallets. This empowers everyone: the payers and the payees as well as the users of the system. The system is more private than bitcoin and allows for self-custody wallets.
This and the construction of the transaction flow have been key architectural decisions. There are still many unanswered questions. This could be necessary to collect economic statistics such as the velocity of money and recover a wallet that was lost. The enforcement of money flow limits, counter-terrorism, anti-money-laundering and other regulatory controls that are meant to be systemic safeguards becomes more challenging, if not impossible. These choices can be solved by implementing privacy-preserving architecture deeper into the core infrastructure and wallets. These include homomorphic encryption protocols or zero-knowledge proofs. These are worthy goals for Phase II.
Blockchain or not to Blockchain
Some statements in the Executive Summary are highlighted and others in the technical report are not. These lines concern the suitability of a blockchain architecture for a system managed by one entity, the Federal Reserve. This is the repudiation of the blockchain philosophy for CBDCs: the statements are about the unsuitability of such a mechanism for a system managed by one entity, especially since coordination in a blockchain requires higher costs, time, and complexity. Most blockchain-based consensus algorithms ensure that all copies (replicas, in distributed systems parlance) are atomically consistent, which slows replication down. Hamilton uses Raft, a classic algorithm in distributed systems practice. This algorithm is available in Hyperledger Fabric. Blockchain consensus algorithms, by contrast, are called Byzantine Fault Tolerant, or BFT, because they allow for the presence of malicious or imperfect actors within the inner circle. They are used to generate trust from a group of untrustworthy participants. The name comes from a classic distributed systems problem called the Byzantine Generals Problem. Phase II also promises a BFT algorithm.
The most basic understanding of a blockchain is one that refers to a data structure: a chain of blocks, as Satoshi’s bitcoin paper says; the paper never mentions the word blockchain. A block is made up of a series of transactions. A chain, on the other hand, refers to a sequential order of blocks. Once the chain is forged, it should be unbreakable. New blocks are continuously added to the chain, extending it. Project Hamilton borrows most of its payment transaction ideas from bitcoin. The UHS and the idea of cryptographic custody and transfers are both derived from bitcoin. Protection against replay attacks and double spending is the outcome. Each transaction in the UHS model creates microledgers. Each transaction carries references to all transactions before it, in the form of a chain. The same theme is present: the design creates a transaction system that is a Blockchain, and not a 2PC model.
Three operations are essential in a transaction system for a payment system: mint, redeem and transmit. These operations are responsible for controlling the money supply and allowing the money to be used for payments. Money is spent by transferring it from one wallet to another. Double spending (when the same amount of money is used twice) and replay attacks (when an observed transaction is resubmitted, in other words spending other people’s money that has already been spent) are prevented by the transaction model. Because these operations are sensitive, the model has not properly modeled redemption and minting. Perhaps Phase II will be the right place.
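The compaction of a payment into hashes, and the rejection of double spends and replays described in this section and in the transaction-model paragraph above, can be seen in a small model. This is an added sketch in Python, not OpenCBDC code: the hash layout, the names and the seeded coin are assumptions, and signature verification is left out.

```python
import hashlib

def _h(*parts: bytes) -> bytes:
    """SHA-256 over length-prefixed parts (prefixing avoids ambiguous joins)."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def uhs_id(outpoint: bytes, owner: bytes, value: int) -> bytes:
    """One-way commitment to one unspent output (layout is an assumption)."""
    return _h(outpoint, owner, value.to_bytes(8, "big"))

def compact(inputs, outputs):
    """Sentinel step: validate the full transaction, then keep only hashes.

    inputs:  list of (outpoint, owner, value) being spent
    outputs: list of (owner, value) being created
    """
    if not inputs or not outputs:
        raise ValueError("need at least one input and one output")
    if any(v <= 0 for _, v in outputs):
        raise ValueError("non-positive output value")
    if sum(v for _, _, v in inputs) != sum(v for _, v in outputs):
        raise ValueError("inputs and outputs do not balance")
    spent = [uhs_id(*i) for i in inputs]
    if len(set(spent)) != len(spent):
        raise ValueError("same input listed twice")
    # The transaction id binds inputs to outputs, so new UHS ids are unique.
    txid = _h(*spent, *(_h(o, v.to_bytes(8, "big")) for o, v in outputs))
    created = [uhs_id(txid + n.to_bytes(4, "big"), o, v)
               for n, (o, v) in enumerate(outputs)]
    return spent, created  # no owners or amounts leave the sentinel

class Core:
    """Core layer: stores nothing but the set of unspent-funds hashes."""
    def __init__(self):
        self.uhs = set()

    def apply(self, spent, created) -> bool:
        # All-or-nothing: if any input hash is missing, change nothing.
        if not all(s in self.uhs for s in spent):
            return False
        self.uhs.difference_update(spent)
        self.uhs.update(created)
        return True

def demo():
    core = Core()
    alice, bob, carol = b"alice-pub", b"bob-pub", b"carol-pub"  # constructed keys
    coin = (b"seed-outpoint", alice, 100)  # constructed seed; minting not modeled
    core.uhs.add(uhs_id(*coin))
    pay_bob = compact([coin], [(bob, 60), (alice, 40)])
    pay_carol = compact([coin], [(carol, 100)])  # spends the same funds again
    return [core.apply(*pay_bob),    # first spend is accepted
            core.apply(*pay_bob),    # replay: input hash is already gone
            core.apply(*pay_carol),  # double spend: same input hash is gone
            len(core.uhs)]           # only the two new output hashes remain
```

The core never learns who paid whom or how much; a replay and a double spend fail for the same reason, because the input hash was removed when the first payment was applied.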
Hamilton Phase II
As the story unfolds it becomes clear that many of the features required for a functioning CBDC are missing in Phase I. Many of these features are difficult to model and implement. It is possible that some cannot be implemented without changing Phase I’s basic design and feature constructions, such as Privacy, Safety, Auditability, and the Transaction Model. It is common and necessary to kick the can down the road in academic settings and papers. However, it is a bug as well as a feature of open inquiry. No CBDC has yet offered open source code that can be inspected and, more importantly, built on top of. Bitcoin has done it, as have Ethereum and many public blockchains. These are not CBDCs. Hyperledger, which houses many enterprise blockchains, is an Open Source project. It hosts many variants, including Fabric, which is a widely used Enterprise blockchain. There are some CBDC projects in production. Hyperledger includes Besu, an Ethereum implementation and a widely used public blockchain.
Phase II promises to address:
- Privacy and auditability
- Offline payments
- Minting and redemption
- Denial of service attacks
- Quantum resistance
This is a mixture of capabilities and features from various disciplines. Some features are very basic, and without them no CBDC can function (minting or redemption, for example). All of these are required for a fully functioning CBDC, with the exception of quantum resistance. Some are missing: upgradeability, a fully functioning digital wallet, security, and monitoring.
The entire source code for Project Hamilton Phase I has been made open source by the MIT team. It contains all the code required to run and interact with the two core architectures.
The code is not only open source, but also relies on a number of open-source libraries and components. These include the llvm clang compiler and tools, LevelDB (Google), NuRaft (Paypal), and cryptography components from Bitcoin. The test setup uses AWS servers and the AWS internal network. These AWS components are not openly available. The code should work on any Linux or Unix system, as Unix sockets are used for communication.
Project Hamilton’s most significant decision was to open source the CBDC program. Many companies, large and small alike, use open-source software (OSS). Open source software is used by 98% of businesses, though only a few contribute. This is the free-rider problem with OSS. The example of opencbdc-tx shows that the project couldn’t have been completed as quickly without OSS. Statistics favor OSS. There are only 0.19 bugs per 1000 lines of OSS, compared to 20-30 for every 1000 lines of proprietary off-the-shelf software. OSS is faster to fix and easier to coordinate.
Even though we can complain that it is too little and too late, several breakthroughs have been made. The most significant of them is the creation of a framework in which privacy is paramount, achieved with the principle “can’t be evil”, not “don’t be evil”. It is yet to be seen how long that purity can be maintained when auditability enters the picture in Phase II. The segregation of the data at the edges is a significant development that will give primacy to the devices that are in everyone’s hands, and thus control will be decentralized back to the people. Project Hamilton Phase I has not prioritized investment in user interface design or improvements in usability. This is an important aspect that Phase II must not overlook. The design of the digital wallet’s front and back ends on a mobile device is essential for widespread adoption. This is not an easy task. Offline access is required for disconnected settings with low or no internet. The wallet should also be usable on different types of devices, including cards and feature phones. Phase II planning should include a pilot program with a gradual rollout, easy feedback, and rapid updates and releases.
The Digital Dollar will only succeed if the legislators get off the fence and endorse the move to legal certainty as well as the affirmation of a CBDC project. This outcome is unlikely given the current state of tension and division in government and the country as a whole.