Comment: Re:Fundamentals (Score 1) 583

by gox (#43377315) Attached to: Bitcoin Currency Surpasses 20 National Currencies In Total Value

If something causes people to start to leave the network a little too quickly, and it slows down, causing a further exodus, then you have a runaway condition, and the entire thing is doomed for a "temporary" period long enough to kill it, effectively. No?

That's true.

Transactions are a chain.

none of those games are particularly resistant to analysis

I think we are discussing different things here. I agree that none of them are resistant to analysis. That's why I keep saying Bitcoin does in no way "provide" anonymity. There are other ways to achieve anonymity, and Bitcoin makes it easy to use these methods. Think about blind-sig DigiCash for a moment. It's almost perfectly anonymous, yet you have to trust some authority constantly. Bitcoin relieves /some/ of this burden; you can use a DigiCash equivalent through Bitcoin (e.g. OpenTransactions), and you only need to keep the coins on the server for the brief amount of time you need to transmit the token data. In the end, you have very good anonymity with relatively small counterparty risk.

The P2P substrate is actually a terribly difficult design problem that is usually inseparable from the higher-level goals of the network

Agreed. Bitcoin is doing fine currently, and all the problems you've mentioned are being actively handled, and I must say quite well. However, it really isn't clear how it can scale. Either developers will attempt to scale it to a degree of thousands of transactions per second, or keep it almost as it is and have people implement other payment methods that use Bitcoin as a backbone. I'm currently undecided, as the thought of scaling up is quite scary.

Comment: Re:Fundamentals (Score 1) 583

by gox (#43336005) Attached to: Bitcoin Currency Surpasses 20 National Currencies In Total Value

It has to be easier if you isolate someone from the network. Imagine if all the computers but yours disappeared tomorrow. Are you saying your computer could not now win a race of 1? Or that there is any difference between a communications cutoff and lack of existence?

Yeah, of course a cutoff is equivalent to lack of existence.

Trying to generate a SHA-256 hash of some random data is what I would call a pure process. There is no race going on in the algorithm itself, or in other words, there is no information link between competing parties. The competition happens at a higher level. The complexity doesn't change with increasing competition within a 2016 block group.

For instance, currently it takes 3 * 10^16 hashes on average to find a block. This is the total number of hashes you need to get to find it, regardless of how many people you are.

The competition gets to have an influence on complexity every 2016 blocks. If this adjustment were completely dynamic and instant, you would be right. The required number of hashes would scale with the total mining power and you would be able to isolate a portion of the network and fake blocks. Guess what, Satoshi already thought about that. :-)

Namecoin (a distributed name system based on Bitcoin) had a problem a few years ago that demonstrated an example of this. The majority of the mining power just disappeared from the network, and it took miners months to produce 2016 blocks after that, ultimately rendering the network useless (until they found a way to mine both currencies in parallel with 100% efficiency on both, which is very interesting in itself).

If I am intercepting your communications, it is less complex to intercept everything rather than some things. Confirmations will be quite speedy, since they will come from me as well.

Well, to discuss this, we'd first need to agree that faking blocks isn't practical at all.

Bitcoin's fault tolerance is remotely similar to Freenet. You can smuggle large disks through the border to keep an isolated region of Freenet connected. Even "instant messages" would work this way, in theory. With Bitcoin, you would need a much lower latency connection, and every time you leak the block chain, the segmentation should automatically disappear. Assuming you generate a far lower number of blocks within the isolated region, those blocks would get orphaned and the transactions would be carried to the main chain.

"Tracing a coin's history can be used to connect identities to addresses."

I don't think this conflicts with what I said. You need to break the chain of transactions in order to render the history useless.
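Added example, not code from the thread: a toy model of the retarget logic the comments above describe (the work per block is fixed within a 2016-block epoch and the adjustment is clamped to at most 4x per retarget), run for an isolated segment that keeps only a fraction of the hash rate. The 3e16 hashes per block is the figure quoted above; the 5e13 H/s total hash rate (one block per 600 s for the whole network) and the 10% fraction are constructed assumptions.

```python
"""Toy model of Bitcoin's difficulty retarget applied to an isolated
network segment.  Added illustration, not code from the original thread.

Constructed assumptions: the segment keeps a fixed fraction of the total
hash rate, nobody joins or leaves during an epoch, and block times are
taken at their expected values rather than sampled randomly.
"""
import math

BLOCKS_PER_EPOCH = 2016             # retarget interval quoted in the thread
TARGET_BLOCK_SECONDS = 600          # ten-minute block target
EXPECTED_TIMESPAN = BLOCKS_PER_EPOCH * TARGET_BLOCK_SECONDS  # two weeks
MAX_ADJUST = 4.0                    # per-retarget clamp: at most 4x either way


def expected_block_seconds(hashes_per_block: float, hashrate: float) -> float:
    """Mean time to find one block.  The work per block is fixed by the
    current target and does not depend on how many miners share it."""
    return hashes_per_block / hashrate


def retarget(hashes_per_block: float, actual_timespan: float) -> float:
    """Work per block after an epoch that took actual_timespan seconds.
    The actual timespan is clamped to [expected/4, expected*4] before the
    proportional adjustment, so difficulty moves at most 4x per epoch."""
    clamped = min(max(actual_timespan, EXPECTED_TIMESPAN / MAX_ADJUST),
                  EXPECTED_TIMESPAN * MAX_ADJUST)
    return hashes_per_block * EXPECTED_TIMESPAN / clamped


def simulate_partition(hashes_per_block, total_hashrate, fraction, epochs):
    """Follow an isolated segment holding `fraction` of the hash rate
    through `epochs` retargets.  Returns a list of
    (days_the_epoch_took, work_per_block_after_retarget) tuples."""
    hashrate = total_hashrate * fraction
    history = []
    for _ in range(epochs):
        block_seconds = expected_block_seconds(hashes_per_block, hashrate)
        timespan = BLOCKS_PER_EPOCH * block_seconds
        hashes_per_block = retarget(hashes_per_block, timespan)
        history.append((timespan / 86400, hashes_per_block))
    return history


def epochs_until_recovered(total_hashrate, fraction, hashes_per_block=3e16,
                           limit=100):
    """Number of retargets before the isolated segment is back to the
    600-second block time, i.e. how long confirmations stay abnormally
    slow.  `limit` only guards against a runaway loop."""
    hashrate = total_hashrate * fraction
    for count in range(limit):
        block_seconds = expected_block_seconds(hashes_per_block, hashrate)
        if math.isclose(block_seconds, TARGET_BLOCK_SECONDS, rel_tol=1e-9):
            return count
        hashes_per_block = retarget(hashes_per_block,
                                    BLOCKS_PER_EPOCH * block_seconds)
    return limit


if __name__ == "__main__":
    # 10% of the hash rate cut off: 140 days for the first 2016 blocks,
    # then 35 days, before block times are back to normal.
    for days, work in simulate_partition(3e16, 5e13, 0.1, 3):
        print(f"epoch took {days:6.1f} days, next work per block {work:.3g}")
```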

Comment: Re:Fundamentals (Score 1) 583

by gox (#43323441) Attached to: Bitcoin Currency Surpasses 20 National Currencies In Total Value

I don't see how that follows yet. Rolling back transactions or double spending is more than enough

You can't roll back transactions or double spend without producing blocks, and producing valid blocks doesn't get easier by isolating the victim from the network. If you agree that brute force attacks on proof of work aren't impractical, this isn't very viable either (i.e. people will realize there's something wrong when confirmation takes hours to days instead of minutes).

it is more work to create segmentation with leakage than without?

I don't get what you mean here. Even if a little information is leaked between the segments, the network will be whole again. Of course you have to have a reasonable leak. For instance, you could send the data on a flash drive and I wouldn't consider it a valid leak because of the latency.

In such a case, the difficulty of the attack must be reducible, or how can the rest of the world, which we are not communicating with (for long enough for me to defraud you) still be a factor in the CPU spend for the attack? Shannon will wake from his grave to hear the explanation.

Shannon would think you are being silly. :-)

The problem doesn't get easier to solve because fewer people dedicate work to it. Difficulty adjustments happen every 2016 blocks, but you can't make it lower without massively increasing confirmation times first, and even then it can't go down below a certain coefficient.

Bitcoin is the least anonymous, most transparent currency ever invented. Nothing else in existence is more law-enforcement-friendly.

Bitcoin is pseudonymous. Addresses can only be connected to your identity through deliberate transactions. I have wallets that I know are impossible to connect to me. But because of how Bitcoin works, it's very difficult to reason about, that's for sure. There is no foolproof way to achieve reasonable anonymity. However, it's also ridiculous to say that it is law-enforcement-friendly.

From there on out I can see every transaction you have ever made with Y.

How come? Even with naive mixing, I don't understand what kind of technique you are suggesting here. With blind signatures, even the trusted parties don't know what goes where.

With surveillance of your net connection

Why am I so privacy-conscious and still don't use a damned https connection? Most privacy-conscious people use https over tor, both of which my mom is able to use by herself on an Android tablet.

wallet Y will be empty and wallet X will be full

I don't follow. We were assuming your identity is somehow well known, and you are trying to break the chain of transactions. Each time I need to make a private transaction, I can bounce it through a bunch of such services established in diverse jurisdictions. In turn, I can use the same technique to transfer back to my well known identity.

You have all the same problems as a traditional money launderer

Like having to hide cash inside oil barrels?

Anyone who wishes to perform anonymous transactions (the right of every hard cash holder since the invention of money) should run screaming from Bitcoin.

And run to what? Cash in mail?

As I explained, Chaum's scheme (i.e. a central party that can't track transactions) makes transactions perfectly untraceable. However, it isn't widely used. I agree that the current techniques people find good enough are not good enough (or maybe they are and I'm too paranoid). Even with blind signatures, we would need a lot of traffic to render it infeasible as a honeypot.

It will take some practical proof to make people switch to such advanced methods however. Regardless of how we think, their techniques seem to be working.

Because the transaction data you need isn't in the chain.

If I cannot tell who owns what, then I can double-spend.

How do you know the money you sent through an escrow is yours? Exactly the same deal. There is a reality outside of Bitcoin.

As I said, Bitcoin makes such solutions more accessible, but it doesn't itself provide them. It's pretty similar to TCP/IP, which has nothing to do with anonymity by design, yet allows and enables it to a great extent.

I think you are looking for ideal solutions where no ideal solution is even theoretically possible. Bitcoin provides a high degree of Byzantine fault tolerance, and a reasonable degree of privacy. Its fault tolerance leads to inconveniences like long confirmation times, which can be traded for less tolerant, more convenient solutions implemented on top of Bitcoin. In the same manner, you can increase privacy a great deal by jumping through some hoops.

so did the many security researchers that have been creating transaction graphs from it

I don't see the claim that only the data in the chain is necessary for a complete analysis in the paper. :-) Actually, they know the identities of those entities only through publicized external information.

Comment: Re:Fundamentals (Score 1) 583

by gox (#43318087) Attached to: Bitcoin Currency Surpasses 20 National Currencies In Total Value

For instance, I can steal your coins if I can convince you of an incorrect chain being the longest.

Please keep in mind that convincing me isn't less difficult than convincing the whole network. You still need to produce hashes lower than the target, and even if I am only connected to you and perfectly believe you, every block you need to produce needs the same amount of work as the rest of the network. Maybe you misunderstood the difficulty logic?

Besides, you can't directly steal coins without private keys. However, you could roll back transactions or double spend if you have the majority of the hashing power.

I don't believe the attacker can fool anyone with the methods you propose. What they could do is blatantly censor the protocol itself, e.g. cut the whole region out of the network, thereby causing a network split. I haven't seen any proposals to make it work in such a scenario. In practice, the cut-off region would not be able to continue functioning unless they have major mining facilities (because of the same difficulty logic that prevents you from faking blocks). If they have it (e.g. USA), then there would effectively be two Bitcoin networks. Therefore the arms race would probably focus on the effectiveness of censorship.

If I can hide my identity by changing addresses, then money can magically move from one identity to another without a transaction, and I can double-spend.

The protocol doesn't support anonymity, so this is a redundant discourse. Bitcoin is not anonymous. You need an external trusted entity to break the chain of transactions. This is pretty easy to do and there are numerous services that do that, which aren't shady at all.

In simplified form, let's say you want to send money to address X, but don't want to leave a trace in the blockchain. You send the sum to my address Y, and I send the same amount to address X from a completely unrelated wallet. As long as I don't include your transaction as an input, the transaction cannot be traced. In this case, the only link is the information I have (in my mind, on disk, etc.), which also makes me the weakest link. ;)

why it is not entirely straightforward (if merely computationally intensive) to unravel all tumbling activity using the chain?

Because the transaction data you need isn't in the chain.

I must admit that I don't personally like the popular "mixer" services, as they themselves can track and record your activity, which makes it a requirement to use multiple unrelated ones. This is very backwards, as Chaum's blind-signature scheme already provides a perfectly untraceable way to do this (for the last 25 years), and there are Bitcoin-related services that make it possible (which people hardly use). In this scheme, the only available method the laundry has to track you is traffic analysis, which is very difficult if the tokens are of a set size.

To my knowledge, all such schemes depend on a centralized authority, which Bitcoin by its definition can't provide. It makes it very convenient to transact through such services however.

Comment: Re:Fundamentals (Score 1) 583

by gox (#43314597) Attached to: Bitcoin Currency Surpasses 20 National Currencies In Total Value

Yes, proof of work depends on the assumption that the attacker has to have more computational power than all the honest nodes combined. As of now, Bitcoin's honest nodes have much more computational power than all the supercomputers combined. That doesn't mean that it can't be overcome with application-specific hardware, however.

On the other hand, I don't understand most of your description regarding your primary concern.

What is the potential difficulty you see in communication? What is the difficulty in measuring chain length? AFAIK having recent block headers is enough, and it's literally a few bytes of data per 10 minutes on average.

I think your concerns about botnets, etc. are a little late, since the network is about to be dominated by ASICs. Deep pockets could still spend millions of dollars and develop an advanced ASIC-based farm, but this will become a lesser threat in the following years. I don't think this is a huge practical concern. With millions to billions of dollars at your disposal, you can destroy many things. An attack based on application-specific computational power would at most render the Bitcoin network unusable until the developers change the hashing algorithm. Besides, there are many Bitcoin clones out there anyway, so a totalitarian regime doesn't have anything to gain from such an attack.

I don't get what you mean by transparent proxies or eavesdropping. Bitcoin transactions are completely transparent.

Regarding anonymity: Bitcoin transactions are completely traceable and many types of analysis can be made to relate addresses to each other. They don't work very well in practice, but even so, you should never trust obscurity. Untraceable transactions can be and are easily implemented on top of the protocol, though I'm not sure (and don't care) how many SR purchasers use such solutions.

Comment: Re:Just don't understand (Score 1) 398

by gox (#43291695) Attached to: Re: Bitcoin, I most strongly agree with the following:

That is an interesting and refreshing perspective, thanks.

I think it is correct to call bitcoins contracts (or maybe notarized statements) in the technical sense, but it is also true that they are not contracts between trading individuals in the sense you use. It may seem off-topic, but I'll try to describe briefly how Bitcoin works before giving my opinions.

The Bitcoin network doesn't carry around digital tokens. At the abstract level, it's a ledger that records which Bitcoin address holds what value in bitcoins. However, such a ledger doesn't exist at the technical level. The distributed database itself only keeps track of transactions. A transaction is from a party that is able to prove ownership of input transactions (by digitally signing the transaction for each) to any address or addresses. In turn, the network secures the uniqueness of this transaction with proof of work. The concept of a final balance of an address doesn't exist, and transactions always consume all input transactions. So basically, the Bitcoin database is only a set of unique statements digitally signed by key owners and witnessed by the network. Therefore, going back to a different abstraction, a bitcoin (the monetary unit) is a contract between the key owner and the network.

As you said, it is far from being a paradigm shift. Actually, the whole idea of proof of work is to relieve the burden of centralized authority, and Bitcoin brings this to money and nothing more. You could see it as a stress test of the paradigm, and I myself welcome it as such. It is more likely to bring it to a breaking point than to strengthen it. We don't witness such things very often; that's why I think it's very exciting.
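As an added example (not code from the thread), here is a toy ledger in the shape this comment describes: the database stores only transactions, each one consumes whole earlier outputs, and an address's balance is derived rather than stored. Its `demo()` also walks through the mixer bounce from the "Re:Fundamentals" comment above (you pay the mixer's address Y, the mixer pays X from an unrelated wallet) and shows the input-side ancestry an analyst can recover from the public data alone. All keys, addresses and amounts are constructed, and the secret-preimage ownership check is a stand-in for a real digital signature.

```python
"""Toy UTXO ledger: the database holds only transactions, each spends whole
earlier outputs, and an address "balance" is derived, never stored.  Added
example, not code from the thread.  Constructed simplification: an address is
the hash of a secret and a spender proves ownership by revealing that secret
(a stand-in for a digital signature so the check runs offline)."""
import hashlib
from dataclasses import dataclass

def digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()[:16]

@dataclass(frozen=True)
class Output:
    address: str
    amount: int

@dataclass(frozen=True)
class Tx:
    inputs: tuple   # ((txid, index, secret), ...): earlier outputs consumed whole
    outputs: tuple  # (Output, ...)

    @property
    def txid(self) -> str:
        return digest(repr((self.inputs, self.outputs)).encode())

class Ledger:
    def __init__(self):
        self.txs = {}       # txid -> Tx: the only thing the database stores
        self.unspent = {}   # (txid, index) -> Output, derived from self.txs

    def mint(self, address: str, amount: int) -> Tx:
        """Coinbase-style transaction: no inputs, one fresh output."""
        return self._add(Tx((), (Output(address, amount),)))

    def spend(self, tx: Tx) -> bool:
        """Accept tx only if every input is still unspent, the spender owns
        it, and the outputs do not create value."""
        total_in = 0
        for txid, idx, secret in tx.inputs:
            out = self.unspent.get((txid, idx))
            if out is None or digest(secret) != out.address:
                return False    # spent already, unknown, or not the owner
            total_in += out.amount
        if sum(o.amount for o in tx.outputs) > total_in:
            return False
        self._add(tx)
        return True

    def _add(self, tx: Tx) -> Tx:
        for txid, idx, _ in tx.inputs:
            del self.unspent[(txid, idx)]       # inputs are consumed entirely
        self.txs[tx.txid] = tx
        for i, out in enumerate(tx.outputs):
            self.unspent[(tx.txid, i)] = out
        return tx

    def balance(self, address: str) -> int:
        return sum(o.amount for o in self.unspent.values() if o.address == address)

    def funding_addresses(self, txid: str) -> set:
        """Addresses on the input side of txid's whole ancestry: the link a
        chain analyst recovers from public data alone."""
        found, stack = set(), [txid]
        while stack:
            for parent, idx, _ in self.txs[stack.pop()].inputs:
                found.add(self.txs[parent].outputs[idx].address)
                stack.append(parent)
        return found

def demo() -> dict:
    """Direct payment versus the mixer bounce the thread describes."""
    led, alice, reserve = Ledger(), b"alice-secret", b"mixer-reserve-secret"
    A, Y, R, X = (digest(s) for s in (alice, b"mixer-inbox", reserve, b"merchant"))
    a_coin, r_coin = led.mint(A, 100), led.mint(R, 100)
    direct = Tx(((a_coin.txid, 0, alice),), (Output(X, 60), Output(A, 40)))
    replay = Tx(((a_coin.txid, 0, alice),), (Output(X, 60),))  # same input again
    to_mixer = Tx(((direct.txid, 1, alice),), (Output(Y, 40),))
    from_mixer = Tx(((r_coin.txid, 0, reserve),), (Output(X, 40), Output(R, 60)))
    accepted = [led.spend(t) for t in (direct, replay, to_mixer, from_mixer)]
    return {"accepted": accepted, "alice": A, "merchant": X, "mixer_inbox": Y,
            "direct_funders": led.funding_addresses(direct.txid),
            "mixed_funders": led.funding_addresses(from_mixer.txid),
            "merchant_balance": led.balance(X), "alice_balance": led.balance(A)}
```

The direct payment's ancestry leads straight back to Alice's address, while the mixed payment's ancestry contains only the mixer's reserve; the link between Alice and X now lives only in the mixer's own records, which is the "weakest link" point made above.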

Comment: Re:Just don't understand (Score 1) 398

by gox (#43288755) Attached to: Re: Bitcoin, I most strongly agree with the following:

On the flip side, using physical scarce resources as currency is wasteful and inefficient. (Also, a bitcoin is more like a contract signed by a network of people. Just as a contract is not only ink and paper, a coin is not only a number.)

Imagine we are stranded on an alien planet as thousands of people and we come to a point where we would like to have individual wealth AND trade freely. Money seems like a good idea (or not, that's debatable). Rather than using the scarce resources lying around, I would probably go with fiat money. It's very easy to manage with minimal need for a supporting infrastructure and doesn't waste lots of resources.

However, as the economic structure grows around fiat, it gets bulky, expensive and corrupt. The reason for this is centralized authority. My view of corruption isn't so much conspiring politicians and rude clerks, though that's certainly a side effect. It's actually the very thing you described, the "fairy tales" and their consequences.

In my opinion, we can't get rid of those "fairy tales" because economic theories themselves are normative. So, to minimize the harmful side effects, I favor something I can more easily reason about. Enter Bitcoin. Granted, it's a complex system that is hard to understand. But it is possible to understand. Everything about it is public knowledge. Of course, one could say that the structure surrounding Bitcoin could also become opaque (gateways, banks and such, though they tend to be much more transparent than their fiat counterparts), but I'm assuming it's not a problem any currency can fix. With Bitcoin, I have at least some material, the fundamentals, to reason about. With fiat, it's completely up to random people I don't and can't even know the names of. And even they don't know how it works.

I would agree that favoring early adopters or clear-cut scarcity is hardly a requirement here. It's mostly because no one would otherwise adopt it. People have created inflationary clones of Bitcoin, which still operate, and I don't see many people using them. With so many people on Slashdot who like the idea but are worried about the pyramid effect or a deflationary spiral, I would hope for better adoption. It's almost proof that it doesn't work.

As Bitcoin's value rises, it is getting more evenly distributed. Maybe some early adopters will become millionaires. To me, it's hardly a concern. There are many billionaires in this world, and I don't sit around thinking about whether they deserved it. These people at least might have caused change for the better.

Comment: Re:I find it funny (Score 1) 248

by gox (#43157371) Attached to: Testing an Ad-Free Microtransaction Utopia

Someone responds, but something like bitcoin can allow anonymous transactions. Well, they don't need to track "you", just your habits. You're still no better off than where you were with ads, other than now you need to pay money and have the inconvenience of registering with each site to pay them, even if with an anonymous bitcoin key.

Wait, it gets better. They can just start tracking your keys, and now you give them the same info AND you pay them money. But you can create many more keys for free you say? But all transactions are public, so they can data-mine and link all of the fake-keys to the real person.

The fact that all transactions are public doesn't mean that data mining will work. Best case scenario, their heuristics might identify islands of suspected connections. The way common Bitcoin wallets work, it's not very likely that you will discover a decent way to track any person. You might be able to track some people because of their peculiar usage habits, but not the ordinary user.

I can imagine methods of secure login using automatically assigned keys to each site, but they will never be supported by, say, out of the box Windows. It's a pity because Bitcoin clients by default already have an endless supply of unused private keys which gpg software doesn't make easy.

One easy way out of this I have seen is sites that automatically create a login directly when you access the site. Besides the cookie you receive, you are given a URL so that you can access the site on multiple devices. If you use the site regularly and think you need to access it later on other devices, you can just bookmark; otherwise you don't need to care. The account has a deposit address attached where you can make micro-payments. The URL itself could even contain a hash of the said deposit address, so that you can recover it by checking your transactions even if you lose the bookmark.

The downside is, you need to keep this URL private if you don't plan to share the account, but I think the potential damage caused by such an exposure is very low for regular sites. Accounts with higher value could be protected by an optional password feature.

By the way, Bitcoin transactions are cheap, but not free. It's not a big issue currently, but the fees might become prohibitive for minuscule transactions in the future. However, AFAIK there is development in the works to reduce the cost of making a massive number of micro-transactions, and hopefully it will be available before fees become high enough to care about.

Comment: Re:Raises the question (Score 1) 351

by gox (#43153445) Attached to: Bitcoin Blockchain Forked By Backward-Compatibility Issue

Certainly, but I'm not sure the same dynamics apply to technical failures. This last one was not really a big deal, but even if there were a fork that lasted long enough to be a real problem (e.g. 120 blocks, or 20 hours), I'm fairly certain it would be resolved at the developer level.

A more plausible scenario would be a political dispute between users/miners/developers/merchants/etc. Even if the core developers came up with a radical rule change despite the user base and intentionally forked the chain, the network effect "in theory" should cause that fork to wither away. This is obviously pure speculation though.

Comment: Re:Raises the question (Score 1) 351

by gox (#43149939) Attached to: Bitcoin Blockchain Forked By Backward-Compatibility Issue

The current fork was not a big deal; it's an extraordinary branching, but the protocol is very resilient to that. The chain recovered in a few hours and the transactions were automatically merged.

However, there have been many parallel systems almost since the beginning of Bitcoin: https://en.bitcoin.it/wiki/List_of_alternative_cryptocurrencies

What keeps Bitcoin on the top has always been the network effect. As long as there isn't a completely incompatible breakthrough in the technology, it is likely that it will remain dominant, since it can absorb development done on the alternatives. There hasn't been any such proven improvement yet though.

Also, check out Ripple: https://ripple.com/

Comment: Re:This type of problem was solved a long time ago (Score 3, Informative) 351

by gox (#43149839) Attached to: Bitcoin Blockchain Forked By Backward-Compatibility Issue

I can't claim that the bug is not a stupid one, but I don't think your solution would have saved it. It was really an unknown problem at the database layer and it would be decided as reconcilable anyway. And it's at a specific level in the network architecture; clients were never incompatible and transactions were being relayed just fine.

Furthermore, you don't want any method to top-down enforce anything on a network like Bitcoin. Actually, a wider variance of software increases the network's resilience.

If a major bank tried to pull this sort of nonsense, they'd be bankrupt so fast that the stockholders would have whiplash.

Well, Bitcoin is not a major bank though. Bitcoin's market cap is probably much lower than a major bank's janitorial costs.

My wife is the manager of an operations branch of a major bank, and snickered at your comment though. What I gather is, this sort of nonsense happens all the time in major banks too, but they have several layers that keep it going even if some part is broken. Bitcoin, as a greater structure, isn't quite there yet.

Comment: Re:So what now? (Score 3, Informative) 351

by gox (#43149541) Attached to: Bitcoin Blockchain Forked By Backward-Compatibility Issue

Yes.

Branches are a part of the protocol; they are mostly natural. That's why it's recommended to wait for confirmations for higher value transactions. However, long branches should be very improbable, and this software glitch broke this condition. Even so, since the protocol is built on this, all transactions from the orphaned chain are carried to the one selected by the highest hashing power. Valid transactions are not lost and double spends are invalidated. However, as you said, a careful attacker can do a double spend far more easily during such a long fork.

Comment: Re:So what now? (Score 1) 351

by gox (#43149427) Attached to: Bitcoin Blockchain Forked By Backward-Compatibility Issue

Well, Bitcoin is experimental, so I guess risk averse people need to stay away from it until it's stable enough, or at least should not use it "exclusively".

I'm quite happy with Bitcoin being both a currency and a payment network. In time, this will probably change though, and people will use payment systems like PayPal implemented on top of Bitcoin.

Comment: Re:Gobble bobble wobblywob? (Score 1) 351

by gox (#43149255) Attached to: Bitcoin Blockchain Forked By Backward-Compatibility Issue

It's like saying we're going to upgrade the dollar, and yet nobody moves to the "new dollar"

The analogy is almost true, but in this case it really doesn't matter which version exchanges use. Transactions generated by 0.8 can be mined by 0.7 and vice versa. I don't know where you got the impression that they were rendered incompatible, but it's wrong.
