How about using ECC point multiplication and AES:

1. Get recipient's public key R (R = r*G, r is private key)
2. For each message, generate unique keypair S,s: S = s*G.
3. Create a shared secret: K = R*s
4. Compute 256-bit encryption key out of that shared secret: key = SHA256(SHA256(K))
5. Encrypt the message with that key and send the message together with unique pubkey S.
6. Recipient gets the message and computes key using his private key r and S: key = SHA256(SHA256(r*S))
7. Recipient's key turns out to be the same because r*S = R*s = r*s*G.

I like this scheme more because it allows to efficiently encrypt messages of arbitrary sizes.

It is wrong. Next difficulty is adjusted based on mean speed of the previous 2016 blocks. When hashpower monotonically grows, it means that blocks will still appear quicker than 10 minutes, but not that much quicker than before the adjustment.

Notice how difficulty is always behind the growing hashpower.



PS. Those who think 10 min interval is sacred and typical intervals of 8 minutes are "evil" do not understand anything and should go and re-read bitcoin.org/bitcoin.pdf multiple times. 10 min interval is a good enough approximation that makes miners waste less than 1% of CPU time while newly mined block is being propagated. 10 min is also good for sending blocks over partisan radio networks or to the satellite (or a google baloon). In itself, 10 or 8 minutes per block it does not matter at all. When the inflation rate drops to small numbers (<5%), it won't matter how fast blocks are actually appearing: every 10 minutes, 7 or 5.

If bitcoin demand grows, the price will grow. If it doesn't (market is saturated), then price stops growing.

With more than 50% coins already mined and quite low annual inflation (12% in 2013 comparing to 50% in 2011), supply does not affect prices much (in 2011 if you remember the price was slowly going down as miners were steadily selling their coins). Today demand is defining the price much more.

If we are doing optimistic estimation, it depends on the target market. If Bitcoin takes half of gold market as a distributed ledger of wealth, then its price has to be more than 10-20K USD. If it takes 10% of the global black market (estimated size is 1800 bln USD), its price must be around 8000 USD per BTC. Choose your market and figure how much BTC must be worth if it's used on X% of that market. If BTC replaces all currencies on global scale, each BTC would be much more than 1 million of today's dollars. I believe this can happen, but it may take a generation or two.

I don't care when the last satoshi will be mined. What really matters is this:

90% of all coins will be minted by 2023 (in ten years).
98% of all coins will be minted by 2033 (in twenty years).

In 2023 the annual inflation rate will be around 2-3%.
In 2033 the annual inflation rate will be less than 1%.

So in just 10-20 years the inflation will be so insignificant, newly minted coins won't make any difference on the market. If fiat money happen to survive for the next 20 years, miners won't be able to produce 10-20% price volatility due to selling BTC to pay for equipment.

Illustration by Matt Whitlock:

Lets suppose Bitcoin continues growing and captures meaningful portion of worldwide market and grows beyond that. What would be the reason for people to have X% of their transactions go via LTC, where X is not close to zero and is not going towards zero? In other words, what would be incentive for to use LTC over BTC? If there will be LTC-only merchants, why wouldn't they also accept BTC? If there are no LTC-only merchants, but some BTC-only merchants, why would anybody keep LTC? Why would BTC merchants care to also accept LTC if BTC is accepted wider? Or, what are the dynamics that could lead to parallel acceptance of BTC and LTC throughout the market?

Another question: 500 years ago, would people use silver side-by-side with the gold as a currency if gold was easier to divide in smaller (cheaper) pieces and reassemble? In other words, if the main physical limitation of gold wasn't that limiting for small daily transactions? Wouldn't network effect of the gold eliminate any need in silver-as-a-currency then? If not, why?

PS. I don't accept argument "because there are miners mining it". Miners mine *because* somebody will trade their goods for minted coins (or they speculate that it will be the case in the future), not the other way around. Early bitcoins were mined and purchased because of the expectation of future worthiness and similar recognition of fundamental properties by other early adopters.

This.

Litecoin will grow as long as there are bored teenagers with free GPUs mining it. While the rest of the industry deciding where to invest $: in BTC mining hardware or LTC mining hardware will all go to BTC as it is more expensive. In the end, the hashing power of LTC will be laughable comparing to BTC and overall support among non-geeky merchants will be in favor of BTC (because there is network effect).

Fundamentally, LTC provides no extra security or features over Bitcoin (I think it's not worse either, except for shorter block intervals lead to 4x more of wasted computing time — during block propagation). "Max amount of coins" is nonsense — it's just a measure of divisibility of the total supply. With 2100 trillion BTC units we won't need any more divisibility any time soon. Time for first confirmation is nonsense. It still does not help with instant transactions and provides 4x less security than 1 BTC confirmation. You have to wait *time*, not *blocks* to get some level of security. Scrypt is different from double SHA256, but it's irrelevant for mining. The only meaningful thing it does is that it protects weaker network from Bitcoin ASICs that may try 51% attack or temporarily increase difficulty way too much (like what happened with Terracoin).

Litecoin is here only because CPU/GPU miners who lose to ASICs, play this game in the meantime. If it does not fade out in a couple of years, it will still be very limited speculative game while BTC will grow further and expand to more and more merchants. Economically, there is no reason for people to use both LTC and BTC and have both markets constantly expanding.

I'm not preventing anti-squatting for a sake of it. I want to manage it only during a bootstrap period, so people can jump on the registry easily. When it's taken off and most names are picked by existing "owners", it's a totally free market and you can squat the hell out of it.

You cannot please everyone, but you can minimize unhappiness. If you try giving "Orange" to those who are supported by economic majority (or already have "orange.com" name, for instance), then you will have less voices saying you are not "fair". The open question is whether the system takes off even in the best possible scenario. My bet it is quite possible provided the system is a *part* of authentication on some popular service(s). E.g. if instead of OpenID, some big guys like Google or Twitter, accept such a system and validate initial registrations, then it might grow bigger than them. Or you make your start-up super popular and have this as an authentication. Others may or may not accept it themselves. So it will be parallel to existing names, some people won't get nice names, but overall there will be "honest distribution".

Again, I'm not trying to prove a philosophical point here, just wondering about economics of name registration and figuring out a most pleasant way to establish a global registry without too many people being upset.

I use "own" not in a moral sense (like "I have a moral right to this name and will go to court to claim it"), but in a sense of global naming system. In some cases we are okay with local name systems (an address book), in others we would love to have easy to use global ID. Not UUID, but something like "www.mything.com". It is important because it allows us to talk about the same thing and easily check identity. I as a consumer do not care if the Apple website is apple.com or appleinc.com, I just care that it is not d6e58d64-ce2b-f60e-2ce9-20e5eef3b0f6 which is impossible to verify or express verbally. I'm not arguing we can't leave without global names at all (if UI is done right, even UUIDs, like BTC addresses can be quite usable), but it would be kinda nice to have global names to stay on the same page. It also applies to trademarks that surround us. If we all can peacefully agree that Bob uses "McDonalds", then we won't have to argue who has right for what. The first one to register is the winner.

I agree with domob that it might be interesting as an extra registry, on the same level as DNS and others. It would be useful even in that way.

But here's another idea: imagine for a second that, for instance, I register all .com names in my fancy protocol and give them out only to proper owners. So there is zero possibility of squatting. (Bonus track: I may decide not to give those names right away to current squatters.) This way, if everyone agrees that only proper owners are holding new names, they can slowly ditch central authority registries in favor of blockchain-based registry. All the newer names will be free to register after giveaway. So everyone has the same names, but now has full control over them without NSA spoofing VeriSign certificates or censorship. Isn't this outcome worth something to every name holder? The question is only how exactly to execute such transition so it does not come to dead end.

Thanks for your comments.

Let me back up a little and explain my perspective on Names vs. Coins. Maybe it'll help understanding what I'm up to.

1. Every coin is the same as any other one. If you don't mine this coin, you can always mine some other one. You can lose some coins forever without much worry — you'll have identical coins somewhere else.

2. Names are unique and personal. Some people put a lot of meaning in certain names. For me "Oleg Andreev" is very personal name which my friends use to identify me, while "John Doe" means almost nothing to me (but may mean something to someone else). Names have different value as perceived by different people. Probably no one would want to squat my name to sell it to me, but they sure would want to squat some well-known name like McDonalds. No program can know which names are more valuable and which are less.

3. For a truly decentralized name system there must be a way to "own" a name available for everyone. Every user can see who owns certain name and any user can be an owner of some name. This is essential to eliminate trust in any single authority like SSL CA or DNS registrar. Both Namecoin and my suggestion are doing exactly that: once you own the name, no one can spoof it and everyone can validate it.

4. The second requirement for decentralization is ability for everyone to register any available name without going to any authority. If I want a name "olegandreev12345" and it's not taken, I'd love to simply claim it and move on with my business. This what we all want in an ideal (or, long-term) scenario. Also, it must have as little friction as possible. I don't want to "mine" a name. It will not protect anyone from squatting, but will only add useless overhead.

5. As I said earlier, all names are valued differently and mean different things to different people. To get from the current state of affairs to the working stable state of global name system with millions of names, we need to deal with human nature. In other words, we need to figure out how to avoid a dead-end and earn the trust of users in the system.

I see two ways to do it:

1. Either anyone can register anything without control (with or without "mining" anything).
2. Or there is a short-term bootstrap scheme to censor "unfair" squatting to increase credibility of the network. But still allow unstoppable ownership, editing and selling of the names.

First approach is the most easy one, but I bet it will never work. As soon as it starts taking off meaningfully, anyone would be able to squat valuable names and get to a situation when many good names belong to resellers. Free market argument does not really apply here because within a single name (e.g. "McDonalds") there is always one reseller. Even if he competes with another guy who squatted "Burger King", for McDonalds it does not matter, they want *their* name, not *any* name (unlike with money units).

Perfect fairness is never possible. There are tons of Oleg Andreevs in the world and any one of them can claim "fair" ownership of that name. But if I have to compete only with other Oleg Andreevs, it highly increases my chances of getting what I want and even if I lose, I will see that all other names are taken by more or less appropriate owners. So the whole thing makes sense and does not look like a chaotic reseller territory.

Registrars will decide on a basis of the "most fair" perception by the market. If they benefit from "Apple" being given to Apple inc., not to Apple Corps, then they'll give it to Apple inc. It may piss off some people, but probably would piss of more people otherwise. If registrars try to piss off as little amount of people as possible, it will grow. If not, it's not a big deal, it will leave room for some other protocol. Either legacy one, or a more "fair" one, or Namecoin, or something else.

Again: in the long run free decentralized registration makes sense only when all established names are already in possession of the people associated with them. E.g. when McDo owns "McDo", Apple owns "Apple" etc. In other words, free land grab is okay with everyone when everyone already has at least their own personal name. But to get to this condition, we probably need some intermediate decision-maker (but he won't be able to censor your use of the name after you got it: you can edit it, sell it, etc).

If you have a better suggestion to avoid chaotic squatting, let me know.

PS. I don't care much about how to distribute metadata. It could go via any sorts of servers, as I mentioned. I just need to use the main blockchain as the most robust ledger to timestamp the data. It's an interesting technical discussion, but is probably irrelevant to the core problem of achieving network effect in claiming the names.

In result, it may take off provided:

1. We have all necessary software ready for a particular standard implementation. All necessary libraries in nice C and a couple extra languages, plus a couple of nice end-user apps that allow managing this stuff.

2. Names are given out fairly.

3. Names are given out cheaply enough (or for free, as a part of a service bill).

4. Bootstrap period is chosen correctly (not too short to avoid squatters, not too long to have FUD about oppressive monopoly)

5. We have at lease one nice service that implements this scheme from the start. Even better, if there are two services that use the same standard.

Having those 5 points we can release the protocol and software and go inviting more services to join it and seek for extra trustable registrars to improve credibility. If it goes well, we can build a true single replacement for all name registries around the world which will fix issues with SSL, disable censorship, wipe out international trademark mess and other related issues.

PS. I don't see this system as a thing in itself that will allow making some significant amount of money to anyone. It is decentralized uncontrollable network, after all. Data-storage nodes will make some money, but mostly to cover up expenses (there will be huge open competition among them). The way to make meaningful money is to provide unique services that may use this name system as one of the selling points. If they charge too much for participating in such naming scheme, it only detracts customers and won't help the system to take off. So it's mostly semi-charitable auxiliary service, but with wonderful side effects to everyone's satisfaction.

No, namecoin takes wrong approach (imho). First problem: it started with its own blockchain (however they realised they'll never convince ppl to mine as hard as BTC, so they essentially thrown it away via merged mining). Economically, only one blockchain will ever be considerably big, while all others — realm of the hobbyists. Second problem: they propose new registry for names when many people already got some names used, but do not address cybersquatting in any way. If anyone suggests a more "fair" scheme, it might be more viable.

My suggestion for a name system:

0. Think of it as a global name system, not only "domain name" system. For usernames, website names, trademarks, anything.

1. Use bitcoin blockchain for timestamping without funny merged-mining. Keep and distribute actual data outside the chain. Using existing DNS servers, or via p2p gossip protocol, or on known servers like torrent trackers, or any mix of those.

2. Start with a one or several of actual new services that sell idea "you own your identity". In other words, your login will be fully interoperable between multiple services, just like your domain name is separate from physical IP address. Except, it's totally yours (FBI cannot seize it) and your identity cannot be spoofed via root certificates.

3. This service (or services) will provide initial usefulness to such name system and fill it with early users, even if they don't care about such system themselves. They can also agree to implement a "bootstrap period" when only signed names are valid (keys will belong to such services). This is to prevent cybersquatting. It's similar to how App.net started giving usernames to existing Twitter users during some bootstrap period to make platform more attractive by guaranteeing your name to be preserved.

Economically, it will play out like this: if services are giving out names unfairly, people in general will not recognize this name system as global one. This does not hurt anyone, just does not take off. But if the names are given out "fairly" (as perceived by people), then it may grow outside initial services (other services will recognize it). E.g. "oleganza" and "apple" are not given to random dudes, but to those who display ownership of such names in a reasonable name space (e.g. DNS, twitter, facebook, google+, trademark bureau etc.)

The bootstrap period can be limited by the protocol. E.g. after block number XXXXX no one checks if the signature of the name is valid. This way people will see that it's guaranteed that original name registrars are not going to wait till network takes off and then charge monopolistic prices. Secret keys held by registrars will not allow revoking the name, only registering it for the first time. Once it's given to you, it's fully yours. If the secret keys leak, then it's equivalent to an end of bootstrap period. If it's too early, it might attract cybersquatters and make the scheme less interesting to everyone. We may use N-out-of-M signing scheme to prevent single registrars from accidents. Bootstrap registration can scale by adding extra registrars with good reputation and incentives to support the cause.

Names will require heartbeat transactions. If you lose your keys to your name and do not update (ping) it within, say, 1 year, it becomes free to anyone to claim (during bootstrap period it should still be given out by a registrar).

To distribute the data, we can imagine a payment protocol using BTC: you pay nodes to store and propagate your name data to other nodes. This way you will sponsor directly most efficient guys who will keep all clients up to date. "Semi-trusted" nodes will emerge that will validate data for users, without them having to check blockchain themselves. Client apps can request short blockchain excerpts to validate correctness of name history, or talk to several independent nodes and compare results.

Absolutely. You can timestamp your own name or identifier in the blockchain. Then, anyone can see who owns that place and trust only the associated public key. Blockchain would be a "central certificate authority" in that matter, with every user being a registrar themselves.

I even have some ideas how to solve cybersquatting issue if we are to build a name system to build alternative to DNS, trademark registries etc.

Can you expand on cash/change problem? What's wrong with it?

Merged mining is just a fancy name for "a protocol on top of main chain". I can equally start advertising my timestamps entered in main chain as "blocks" on "altchain" that is "merge-mined" with Bitcoin. Except that my chain would be much less costly, but produce the same functionality.

It's the same thing as money itself. Some people do not understand that market players tend to come up with the single, most liquid, most cheaply stored and transported money. Gold had silver only because gold was never easy to divide in small everyday units. No one needs "local" currency or "national" currency. IMF talks about myriads of national currencies as natural state of affairs while it's economically irrational for people to pay for currency conversion risks. Everyone on a global market wants single common unit of exchange, be it USD, gold, Bitcoins or whatever. Different moneys exist either for objective limiting reasons like gold's weight or for political reasons of controls and threats.

Same way economically everyone will mine only one chain. And 0.01% of hobbyist will do whatever they want to do, but they don't matter on global scale. So forget about altchains and build on top of main one.

Your comment confused me. Let me clear up some of my ideas.

1. Any talk about differences in *amount of coins* is nonsense. "21M" is not a measure of "amount", it is a measure of "resolution" (divisibility). Total possible bitcoin supply is divisible to 2100 trillion units. And still anyone can divide it further for their purposes. Or the whole network can switch to a bigger format to fit in smaller subunits. Since 2100 trillion is so huge, it does not really make any difference if it is 210000 trillion or 99 trillion. In practice it does not matter to anyone. You can always rename 1.56 BTC into 156 mycoins and claim that you have 100 times more mycoins.

2. There will be only one blockchain. It is economically stupid to people to throw meaningful amount of electricity to altchain and not in main chain. See my previous comment above for more details. Anyone can start their altchain, but it will never be useful comparing to any protocol built on top of existing Bitcoin main chain.

3. I am neither advocating nor advocating against storing actual documents in the blockchain. Blockchain is expensive and we have tons of data. If your document is small enough, or you are willing to pay for storing all of it in blockchain — please go on. In many cases it would be cheaper to store megabytes of data somewhere externally and keep in blockchain only 256-bit references to this data.

4. About contracts. I see it this way: people sign contracts, store them somewhere, replicate among several computers. They may make them public, or keep it secretly with trusted partners, does not matter. They will put only SHA256 fingerprints into blockchain to prove to any dispute resolution organization that those contracts were created on particular dates and in particular order.

In the long run there will be only one blockchain and individual opinions of people do not matter (like yours). Only economical incentives matter. Here are my arguments:

1. Miners will devote electricity and time to the most valuable line of work. If one chain is even 1% more profitable than another, all resources will be thrown there if possible. Today we have some guys with GPUs and cheap electricity, so they mine some litecoins during speculative game. But Bitcoin will continue growing while all altchains will remain hobbies or simply die.

2. Users will always trust the most powerful chain. Be it for timestamping monetary transactions or any other transactions.

3. Whoever building a specialized altchain will need to make it a currency in itself to make incentive for miners to mine it. Think about this to realize that if Satoshi wanted to build a thing to timestamp any document, it *would be used as a commodity anyway* (or not take off). So he simply designed and marketed it to be more friendly for early adopters: as a currency.

4. Opinions on the "right" or "wrong" use of blockchain are as irrelevant as opinions on who can pay for what with BTC. At best people will learn that some transaction was used in shop X or fancy protocol Y only *after* the fact. Before, everyone sees normal transaction as any others.

5. Given inability to judge (see #4), no one really cares what transactions are doing. Miners simply prioritise txs based on simple heuristics to maximise their profits (physic and monetary) and that's it.

TL;DR: Bitcoin will be the only blockchain, others will be useless. If you want to build some interesting stuff, do it on top of blockchain. To lower your costs, keep data outside the chain and only insert hash references into it.

Was it you at Bitcoin 2013 conference talking about issuing shares via colored coins?

http://www.youtube.com/watch?v=SH5OUtWMeZc

Like with any asset, you can:

1. Lend it out physically at whatever rate you want. Like, give a gold bar in hands of a borrower. Or send BTC to someone's own address.
2. Lend out a paper receipt (or a digital receipt) which is basically a promise to deliver something (gold, bitcoin, apples or oranges) in exchange for that paper.

Fractional reserve banking was made possible during gold standard because gold was expensive to move, store and cut. So everyone ended up using paper promises issued by banks. Before banks organized in a central bank there were frequent bank runs putting a hard limit on how much you can print over your reserves. Once the central bank was established, it was ultimate printing organization within a nation-state. To make a bunk run on it, one would have to move money between countries (this happened before/during great depression when european banks asked U.S. for physical gold in exchange for U.S. paper). Today every country has promises only within its own gold-less currency and hands out IOUs to other partners.

With Bitcoin fractional reserve banking is very limited because real BTC is as easy to move and verify as paper IOU. Every single wallet is a bank in itself. People just don't need to trust anyone to handle their assets. You can trade directly in this digital gold.

If some bank decides to issue BTC-backed IOUs, it will face constant withdrawal demands every single day and will have very little BTC in reserves. If they overprint their IOUs people will quickly get all their coins out and bank will shut down. Some people would lose money, but it won't affect anyone who was trading in BTC directly without that bank's paper. Not only directly, but also indirectly. If prices are set in BTC, not in IOUs (think: in gold grams, not USD), then global depressions won't be possible because of a single fractional reserve bank printing IOUs. Prices will remain stable in sound money (gold, BTC) and will grow in USD or whatever IOU is currently in use.

How is that a problem?