I don't give a crap about the libertarian ideology myself. 

Bitcoin is valuable for commercial reasons.  It's cheaper than processing credit card payments.

The fact that it has potential for reasonable privacy is just a bonus. 

Yah, the price is artificially depressed because of a Mt.Gox bug.  People are mistaking it for a Bitcoin bug, and think the bottom is about to drop out of Bitcoin. 

I call this a buying opportunity.  The bottom is about to drop out of Mt.Gox.  I can deal with that.

You realize, we're now about one half of one tenth of one percent of the way to 21 Million?  This is so ridiculous it hurts.

I like the DCN because it's elegant and comes with an honest-to-goodness proof of security against all traffic analysis.  Even with just two honest participants, nobody else can tell which of them sent a message even if they  can see (and even modify!) every message in the whole network.

I guess I trust anonymity networks less, because I consider them to be potentially fakeable; I can imagine code running on a network of servers that presents all honest participants an interface indistinguishable to them from an anonymity network while compromising their communication.  In an anonymity network, you only need to compromise the two or three or four nodes that your messages are getting routed through.  Or the routing tables that tell you where they are.  Or the messages from the DNS servers that relay that information to you.  Or .... 

I've been reading about the lengths that eavesdroppers are going to, and that just seems like something they'd do.  Or something which, if they haven't done it yet, they eventually will.  Maybe I'm excessively cynical; I just think that if you leave a target surface, then sooner or later someone is going to exploit it.  Massive sybil attacks, fake nodes, backbone router trojans, etc...  They've drawn the line at nothing so far.  The NSA even went so far as to put a zero-day exploit against the browser that TOR is used with at a fake site, intercepted traffic on backbone nodes, and redirected requests at it in realtime from computers where TOR traffic had been detected.  And that's the government - the people who are supposed to be on our side. What the heck are straight-up crooks ready to do?

After reviewing your coinmux code, I can identify a problem.  And a solution.

The good: no evidence appears in the blockchain about whose inputs are associated with which output.  That's part 1 of the solution.  

The bad:  Someone eavesdropping on the protocol messages, including a nonparticipant, can associate both inputs and outputs with IP addresses.  Fixing this is completely necessary before coinmux is viable, especially since the primary attack on network privacy is via traffic analysis.

The solution:  Implement a Dining Cryptographers Network among the participants, and you are immune to traffic analysis.  Here's a wikipedia article about the Dining Cryptographers' problem which it's based on.  

http://en.wikipedia.org/wiki/Dining_cryptographers_problem

In a DCN, topologically the participants are arranged in a circle, where Alice is next to Zebulon and Bob, Bob is next to Alice and Carol, Carol is next to Bob and Estelle, etc.  

Each adjacent *pair* of participants generates a shared key stream - which can be as simple as repeatedly incrementing a nonce and encrypting it to get each new block of the key stream.  You can use Diffie-Hellman key agreement to create a shared secret to key the stream.

Then each participant publishes XOR of the keystreams he shares with his two adjacent participants and the message he wishes to broadcast.  When all of these published messages are XOR'd together, the broadcast message magically appears because each keystream has been XOR'd with it twice thereby cancelling out the keystreams.  Different participants can write on different parts of the block, creating different messages.  And the participants can iteratively publish the block with updates, if they use a different hunk of their shared keystreams each time.  I'm thinking that the obvious implementation here has the 'block' that's getting updated include the image of a transaction.  The participants would each add their inputs and their outputs, then signatures (not valid if anybody changes outputs) in a later round.

The benefit is that nobody monitoring the protocol messages can tell where the messages (or the parts of messages, IE inputs and outputs) originated, even if they saw every last message and every published XOR.  Not even the participants can tell anything about the origins of any part of the message written by someone else.

It has some limitations;  For example if two people both try to write on the same blob of bits at the same time, then the 'message' that appears in that blob is binary garbage.  So there are conventions about 'reserving' blocks in previous rounds, where you agree that whoever reserved the block can write things in it and others shouldn't, and ways to detect which participant has broken the convention so that they can be cut out of subsequent rounds, etc.  Also, it requires O(n^2) overhead where n is the number of participants, so it doesn't scale well past a few dozen people per mux. It's kinda clunky.  

But it does work, and it's completely trustless in that NOBODY can de-anonymize, or even distinguish, the participants.  

That's a fine example of how we fail to communicate.  I thought I was demonstrating the scope and extent of the problem in a more realistic setup and you thought I was showing that it was okay. 

Whatever, it's your call.  Decisions about NXT don't affect me at all anymore.

I think I'm going to drop out of this topic; it annoys me.

Testnet is the proper solution to that.  Let people test it using testnet coins and the problem about the bitcoin private key risk goes away.

Cat food.
Car repairs.
Paid gardeners who rake leaves, trim bushes, cut lawn, etc monthly - twice now.
Speaker fees. 
Most recently, a nice wool peacoat from overstock.com. 
Several other things. 

Doesn't matter.  If all the other nodes know what the junk values will be, then the other nodes will reconstruct the block (at the right size, with junk values) right after the block is transmitted to them (at the wrong size, without junk values). 

Dogecoin has a problem recently. 

Short version of the story; in Doge there are variable rewards per block.  The variability is based on the hash of the previous block.  Some miners (you could call them "cheaters" but they're just exploiting the rules as written) have caught onto this and are only jumping in and mining when a larger reward is upcoming.  The result is that people mining steadily (you could call them "honest") get lower payouts, the miners who are jumping in only for the higher-reward blocks are getting more than a fair share for the amount of work they do, and the network hash rate is swinging wildly up and down. 

One possible "fix" is to throw out variable rewards entirely and go with a fixed block award.  But that sacrifices a feature of the coin that some folks like. 

Otherwise, the problem here is that the miners jumping in for only the higher-reward blocks *know* which blocks are higher reward while they still have time to mine in those blocks.  It's supposed to be like a lottery, you shouldn't be able to count cards.

A simple way to fix it without sacrificing the feature is to base the variable reward on the low bits of the current block's hash.  Because the block is formed when "enough" of the high bits are zero, mining means using all your hashing power to get the high bits right; If miners try to also select for low bits that yield a larger reward, they'll have to throw out (not claim) most of the blocks they find.  And why would they do that?  The odds of finding a high-reward hash, per minute of hashing, are the same whether working on the current block (after throwing out a potential block) or working on the next block (after claiming the current block), so there is no gain to be had by throwing out a potential block.

Anybody see any logical flaws with this?

In theory you could run in another thread something like a SHA256 miner, which has high GPU requirements but low bandwidth requirements.  That said, this is the age of SHA256 ASICs, so you're unlikely to get anything SHA256 mining on a GPU.

That's kind of the point.  Bitcoin, IMO, is valuable precisely because it is a better solution than the current infrastructure in making cheaper and more convenient payments.  It's a better solution to that worldwide trillion-dollar problem. That's the whole reason I identified it as having economic value in the first place. 

In the long run, I expect that nations which issue fiat currencies will co-opt the technology for that purpose and that purpose only, changing nothing else about their control of the monetary system. 

Bitcoin's fiscal policy is set in concrete from the outset.  There is no possibility of responding to an economic disaster - no way to damp a boom before it goes bust, and no way to nurse an economy through a bust without going all the way to the bottom and a complete economic collapse.  The fact that that's *BETTER* monetary policy than some of these kleptocracies provide is nothing short of an indictment, because nations can certainly do better than that (and many do) if they are smart about it.

Others may identify Bitcoin's value as taking monetary control from governments -- but that's only a valid point to the extent that governments do it extraordinarily badly (places like Greenland, Greece, Cyprus, and Argentina to mention a few of the worst offenders).  I don't believe that Bitcoin's economic value derives from that source (although its ideological value might).

Governments that implement fiscal policy well can and do provide economic stability that I wouldn't expect to see in a purely Bitcoin-denominated economy where regulation of the money supply is impossible.  The USA was very slow to wake up and realize the extent of the economic problem its failure to enforce lending laws had caused, but once the disaster was in full swing, it actually did a damn good job of responding and limiting the economic damage. 

Quantitative Easing, for a nation, is sort of like violence; It can be the best option, but only when you've already made some serious mistakes. It's also sort of like violence in that if you rely on it more than you absolutely must, your life is likely to be nasty, brutish, and short.   But in a situation where the mistakes had been made and there was no better option than that very bad one, The Fed was able to understand, analyze, and respond.  The 'dead hand on the tiller' approach of Bitcoin could not have been made to do so. 

The complete absence of economic controls might give a Bitcoin based economy essentially the (different) problems of the old gold economies, which featured huge year-to-year price fluctuations and deep boom-bust business cycles about seven years long, which economies with effective fiscal controls mostly mitigate and could at least in principle avoid. 

Active mismanagement, however can make such boom-bust cycles both longer and worse, as we have seen.


It would be a win for the citizens, because they'd have the ability to make cheap transfers of money.  It would be a win for the governments, because costs associated with transfers are a pure drag on the economy. It would be ideologically a win (though perhaps a pyrrhic victory) for Bitcoin advocates, but not financially a win for Bitcoin holders.

If you want a vision with both ideological and economic wins, consider this.  I think that a Bitcoin-like currency taking advantage of some other aspects of blockchain technology could very actively limit fraud and create an environment that would make it virtually impossible to misrepresent the performance of public companies, derivatives, or portfolios.  An extension, perhaps, of what you're calling "programmable money." -- a powerful idea that hasn't yet had a chance to demonstrate its strengths.  That would be an even bigger win - for everybody.  But the people who misrepresent those things enjoy their financial winnings, are very very powerful, and will fight it tooth and nail. 

In principle, a script could reveal anything that was known to the spender prior to the transaction where the spend was made, or anything that could be derived from that knowledge and examination of the blockchain. A hash preimage, a key to decrypt some other binary blob, an arbitrary  secret encoded to be read by someone else's private key, a "go" signal for some irreversible real-world operation, etc.

It would suck to get a "go" signal from a script, go down to the bank, and prepare to do your part in an escrow agreement by cashing out a bunch of bonds early (at a loss) so you have cash, then come back home and discover that the "go" signal happened in an orphaned chain.  On the one hand, poor logistical planning to do your business that way.  On the other, there are sometimes reasons to do weird shit like that, and doing weird shit like that would inspire attacks designed to have exactly the false-signal effect described.

We think of scripts as returning a single bit.  Either the spend succeeds or not.  But remember the value that success or failure depends on is a binary blob the size of a key, and everybody checking the blockchain can read it.

I agree with you that script would be drastically more useful if a script could examine the blockchain, look for another tx, etc.

But there are logistic issues. 

It's already the case that spends using outputs from other transactions not yet at least (confirmation depth) in the blockchain are assigned low priority. 

But in a universe where a spend of those outputs caused a script with the ability to examine the blockchain to run, I'd want the script to only be able to examine the blockchain up to (mining output confirmation depth) *prior* to the spend.  Which could be long after the transaction containing the script was made, but could not be very soon before the transaction *spending* that output was made.  In any case it would need to be considerably longer than the current "confirmation" time, and spends should outright fail rather than just have low priority.  This is because a script may reveal information pertinent to the continuing blockchain. If it does so in an orphaned block, then that information is revealed when it ought not have been. We don't want information pertinent to the blockchain that's not getting orphaned revealed based on a view of history that might possibly still get orphaned.  Also, the same restriction is necessary because it should not be possible for a valid spend (where the txin scripts return true) to later become invalid based on additional information getting added to the blockchain.

Finally, it makes checking transactions more expensive, and checking tx would require accessing the blockchain out of sequence.

All these difficulties can be overcome of course, I'm just saying the design criteria are actually pretty finicky.

Just as obviously, there are already competing forks.  That's what every altcoin in the world is.  Some of them are developing stronger anonymity tools than Bitcoin, so there are and will be tools for "the informal economy" whether those tools include Bitcoin itself or not. 

I'm with you about considering it interesting where the money goes. 

Anyway, broader success that goes beyond price and investment value, I believe, mostly means success of a bitcoin-like protocol for transfer of value - and that can be achieved through pretty much any cryptocurrency, whether that cryptocurrency is Bitcoin or not.  It would be nice if the cryptocurrency were fully distributed and free from government meddling, but that isn't what I expect will happen.

Long run?  Here's what I expect to happen.  Nation states will produce fiat cryptocurrencies that represent their own brands of fiat digitally, allow people to pay taxes and settle debts with them, and fully distributed cryptocurrencies like Bitcoin and extant altcoins will thereby lose much of their current advantages as trading media over fiat currencies.  And the government-issued cryptocurrencies will enjoy advantages over Bitcoin etc as being "legal tender" for settlement of any debt and payment of taxes, etc.  Governments will manage the "money supply" in those fiat cryptocurrencies exactly the same way they manage the money supply in their present fiat currencies, and banksters and so on will play exactly the same games with cryptocurrencies that they now play with fiat. 

And the present Bitcoin "civil war" will thereby be rendered completely irrelevant. 

Come-from-Beyond, I don't know how to interact with you. 

When demonstrating a bias, the first thing to do is always to identify the case where returns deviate very sharply from expectations.  That was the case you pooh-poohed. 

Then I went on to demonstrate that even in much larger simulations the bias, though its effects are reduced, is still present.  That you took as an admission that I was wrong.

You flatly refused to explain yourself, then later refused again with the claim that you had explained yourself and don't care to do it again.

You're also responding to technical truths as personal attacks, and trying to deal with facts as though they were merely social conventions, with bluff and aggressiveness and fabrications rather than other facts.

It seems to me as if your brain is somehow broken, and I don't know where the edges of rationality that I can converse with might be.  Interacting with you makes me angry and I tend to snap at you; I'm sorry for that, but I can't otherwise seem to communicate with you at all.   

I don't care so much about whether my neighbors or the mainstream use Bitcoin except that if they don't, then the demand for bitcoin never grows to support its present valuation, much less the valuation I'm hoping for. 

Mainstream legal adoption is worth two orders of magnitude in price regardless of whether bitcoin remains available for niche and illegal trading or not.

Did anybody else get spammy-tasting personal messages from this guy? 

I got:

Did he send this form letter to everybody and their dog?  If so can we just brand him a spammer and get the hell rid of him?

Since I've been invited to "let us know what you think," I'm going to say what I think.   

This is utterly dumb.  Unless you give some very convincing reasons why this will see faster and deeper adoption than Bitcoin, which you haven't, nobody is going to believe that it will see adoption as a world's reserve currency.

This is utterly dumb, again.  You're trying to sell something that a dozen altcoins a week give away for free.  If you're trying to sell something more than that, you sure as heck haven't said what else.

This is utterly dumb, a third time.  You're planning to peg this thing to currencies you don't control.  Gresham already explained why that's not going to work, so you're demonstrating a basic ignorance of economics which undermines your credibility even further.

This is utterly dumb, a fourth time.  You're planning on results from an amazingly effective viral-marketing campaign but there is no evidence whatsoever that you have *EVER* run a successful viral marketing campaign, let alone an amazingly effective one.   If Randall Munroe, Philip Graham, or Cory Doctorow said they were going to run an amazingly effective viral marketing campaign, I would believe any of them.  Because they've done exactly that, more than once.  Who are you again, and what viral marketing campaigns should I know you from?

Also, the people whom you'd have to sell this to in order to make it a world reserve currency?  Yeaah, that's going to take a hell of a lot more than a viral marketing campaign.  How many of them already know who you are, care what you do, and are ready to trust you with the future of their nation's economies?  Zero.  Right.  So by what miracle do you expect this to come true? 

In order to fulfil these bonds, you need to win people's confidence.  I mean a lot of cautious people who have been trusted to run national economies.  But that's a problem because your communications as we've seen so far do not inspire confidence.  Reading the things you've written rings a lot of warning bells that say things like "scammer" and "idiot" and "narcissist" and "delusional" and so on.  If this is how well you do at winning people's trust, I would say your efforts at making your bonds actually become valuable (by winning people's trust) are doomed to failure. 

So, anyway, that's what I think.

Yep.  Finally figured it out about a day after I made that post.  Thanks though.

I've been getting used to Git, but it's a very annoying RCS. 

And you have not yet said what that error is.  In fact you flatly refused to on several occasions.  The supposed error does not in fact exist. 

You were right when you said that the artificial situation of just two accounts exaggerated the effect; That doesn't mean there was an error -- the bias unquestionably exists. 


Nope, sorry.  Remember, You flatly refused to explain. You don't get to flatly refuse to explain, and then claim that you did. 

The model is correct; The only question is, does it matter?   And the answer given the broader simulation above is, probably not. With many accounts no one having more than a small fraction of the total money, the bias is very small.  But it definitely does exist.