Researchers were only looking at the blockchain.

Of course governments/exchanges would have more information as you say.

I don't know the details about darkwallet, better things will always come in the future given time.

Coinjoin/similar being deplorable.. I don't know about that, it can be done in a decentralized manor and if done correctly with enough sources and mixed enough times I think even the NSA would have only random guesses to go by.

Coinjoin/similar schemes is supported by the protocol. I believe dark wallet and in the future others will have it enabled as default out of the box.

A research paper on coindesk recently stated that even with NO masking efforts they could only trace 10% of transactions by looking at the blockchain.

Yes and no.

This concern is why my solution would have two different "punish modes":
1. At ~40% of blocks untrusted the client will just not relay another untrusted block for 1 hour.
So longest chain is in this case still accepted even if it is 90% untrusted. However propagation would be slower for the untrusted pools in this case.
2. Outright rejection that you mention. It would ONLY happen if something like ~99% of the last ~100 blocks are untrusted.

So the hardfork situation you describe could happen, but ONLY if the majority of nodes A Do not have ANY trust overlap and B 99% of blocks are untrusted by both partition 1 and 2 clients using your own example.

Mode 1 makes centralization harder and mode 2 prevents a total denial of service by a single player preventing all transactions.

No, because if they are removed from the trust lists then their blocks and all other untrusted / no ID blocks would be counted as one partition w. +50% and these new clients would start to not relay their blocks.

You can still do some double spend attacks in my solution, but there is an upper limit introduced and total control becomes impossible.

Very well this is not critical. There are a multitude of ways to put data such as a signature in the blocks:
1. Coinbase transactions allow arbitrary data in their script.
2. OP_RETURN (experimental though)

I have edited my post to use coinbase data instead.

See above.

I apologize for my tone, I thought he had skimmed my post.

1. I will not.
2. No state license, JUST a cryptographic signature that "TRUST_ADDRESS"-owner created this block - who-ever he is.

1. Yes anonymity is important. That is why no membership is required and its just a signature the pool makes.
2. You can STILL mine with my solution as untrusted. My idea would ONLY really do something if all the blocks came from a single trusted party or from various unknown/untrusted sources.
3. It is not a proof of trust, but just proof a certain perhaps anonymous source made the block and you only care in extreme cases.

1. Since it is only a cryptographic signature you don't know WHO it is. It could be a botnet that no one knows anything about but they just happen to make fairly normal blocks
so they get added to the trust list.
2. Miners can still mine whatever they like, this makes no change to that at all. You can still make 100% empty blocks. Only if it becomes an issue people will remove you from the trust list.

Ok so we put a signature of the block or block height into the coinbase script or somewhere else.

1. The ones adding the IDs to trust lists would be users and client developers. Random new IDs would not be in the lists. Yet there is no central authority.
2.  However if 50-60% of the network is mining with known and trusted IDs then it doesnt matter if a new pool or "attacker" makes blocks with unknown IDs/no IDs they will still be accepted.


1. You still have to follow protocol, it would be impossible to change rules.
2. There is ONLY detriment to ID less miners if they combined make 40% + of all blocks otherwise all are equal.
3. Again users choose which IDs their client should trust so who is ID-ed/trusted miners can change instantly during an attack.

You are 100% incorrect you need to go up and read my post again.

I propose nothing close to what you are describing.
Anyone can mine even with no ID in my system - that includes sole mining. You have quite simply misunderstood like all of it.

I'm confused, I'm pretty sure coinbase coins are the same as other coins and I propose no change to that.. plz read before posting/voting.

Nothing.
Same way I can create a node where I have all 21 million coins.

It's a question of consensus, if the majority of Bitcoiners want a decentrallized Bitcoin during an attack that BECOMES the real Bitcoin.

Pools are not blocked. Its just their blocks that will not be accepted if they make all the blocks.

Its not a blacklist.

The reason it is okay to have "untrusted" blocks in the chain is that you don't care as long as you don't have frequent rollbacks and your transaction goes through.

This is why this solution ONLY cares if ALL the blocks are from an untrusted source.

Hi.

I am the "technical speaker" for the Danish Bitcoin Foundation. I am also currently programming my own project directly interfacing with the Bitcoin protocol.

This is my proposed solution to 51% attacks, centralization issues, selfish mining and any such. This simple solution takes care of them all.
Someone could do this very quickly and I am willing to personally pledge 2000$ towards it.

The reason I don't do it is that I'm already swamped with two "public good" Bitcoin projects, a full time job and a family.

Layman's terms
1. Establish a way mining pools can document they made a block - pool IDs.
2. Let individual full nodes add or remove pool IDs to/from a "trust list".
3. A full node will not relay untrusted/unknown blocks  for ~1 hour IF 40% of the past 100 blocks were from unknown/untrusted pool IDs/ +50% from one single trusted ID.
4. A full node will not accept blocks if 99% of past 100 blocks were from unknown/untrusted pool IDs.
(exact percentages do not matter that much)

What it will do
Basically as the network is now it wouldn't do anything. Everything would be fine.

Once ~10% of full nodes upgrade miners would have an incentive to ID their blocks - simply for faster block propagation.

IF the network however came under attack such as:
A Many targeted double spends by a corrupt pool.
B Selfish mining escalation.
C No transactions in blocks.

THEN the solution would elegantly force the attacker to include at least some few blocks that could not be rolled back by the attacker and that contained transactions.
If the attacker DID not allow for other's blocks the attackers blocks would simply be ignored.

Once a "trusted" block was found the attacker can work on that and again make 99 blocks, so this is NOT a white/black list solution.

Ok so there's a catch right? It's a hard fork? Slow? Bullshit extra chains? Exotic crypto? Tatiana coin infusion? (no offense Tatiana)
No, none of the above.
There are literally ZERO drawbacks.

Technical detail
1. The protocol allows for a coinbase transaction script to have arbitrary data.
2. We can use this to let pools sign blocks with an "ID".
3. A pool would sign say the hashes of non coinbase transactions with their ID (w. SECP256k1).
4. Put the signature bytes in the coinbase transaction script.
5. This should be easy to put and read in blocks.
6. Only the pool has the PRIVATE_ID_KEY and the contents of the block are now signed.
7. The ID_PUBKEY can then be used as an ID.
8. No changes in protocol, zip, nada. Just an optional check for certain data.
9. Add the largest 20 pools to the trust list and no one ever has to talk about 51% again.
10. Its totally organic too, anyone can start a new pool and create an ID for themselves. Even botnets are still in, they just can't take over.

What it would really do:
Skeptic: I heard Bitcoin is under attack and will die?
You: Naw that can't happen because miners would then kill the coin and then... bla bla bla incentives... maybe ... bla bla bla and besides tree chains could fix it.... bla bla.
Skeptic: Huh?

--> To this -->

Skeptic: I heard Bitcoin is under attack and will die?
You: Nodes would reject that and kill it because all blocks would come from like the same dude.
Skeptic: Ah ok... is it still a ponzi though?

Won't the sent amount just all go towards miners fees or is the "correct way" of putting data really to create unspendable dust?

Thank you to all of you for helping me out and special thanks to Etotheipi for making some of the documentation in the first place.
I found that the BouncyCastle library should be able to do DER encoding.

I'm still not entirely sure how the claim script is structured and encoded though.

I have poured over the available information I could find such as:

https://en.bitcoin.it/wiki/File:Bitcoin_OpCheckSig_InDetail.png
https://en.bitcoin.it/wiki/Protocol_specification#tx
https://en.bitcoin.it/wiki/Protocol_specification#Variable_length_integer
https://en.bitcoin.it/wiki/Protocol_specification#Signatures
https://en.bitcoin.it/wiki/Transactions#Pay-to-PubkeyHash

Aswell as mathematical descriptions of how ESDSA works:
http://kakaroto.homelinux.net/2012/01/how-the-ecdsa-algorithm-works/

However I have some questions I hope someone knows a resource for or the answer to:
1. In the linked picture what is "script part 4"?
2. Is it correct that script part 1 is R and S concatenated and compressed with DER encoding?
3. Is script part 2 the pub key?
4. If yes, is the  pubkey also DER encoded?
5. Where is the implied script part 3?
6. Can OP_CODESEPARATOR be left out entirely without invalidating the script?
7. Basically what is the byte-wise format of the claim script, this is my own educated guess:
START: DER(RS){approx. 70 bytes} VARINT_PUBKEY_LENGTH pubkeybytes{32 bytes, x coordinate of Qa} :END

(The out script would not be repeated when claiming, but is seen here:
OP_DUP OP_HASH160 VARINT_PUSH_BYTES PUSHEDBYTES{hash160 of Qa/address} OP_EQUALVERIFY OP_CHECKSIG )


A good exact and in-depth explanation of DER encoding would also be nice.

The criteria "fits unknown age, is programmer, is smart, writes english and is reclusive" fits an awful lot of people in this world. (Hal Finney thought Satoshi was young btw.)

We know that the real Satoshi reset the timestamps on his communication to +0 GMT as well as other things to stay hidden - why would such a person use his real name? Even a real name not used in 40 years would still be easily-ish trackable.

This is speculation of my own, but I can't help thinking that the real Satoshi is called something that has nothing to do with "Satoshi Nakamoto".

I know even a genius is not infallible, but his OWN name while trying to stay hidden? Why? Might as well move the Satoshi coins straight to a passport verified exchange account and check out to his personal bank account!

I'll believe it when the name is "Bob Hansen"/"Cheng Hui" and was found via the email/github trail and mail server/NSA records and the person in question is caught with some incriminating evidence - such as known Satoshi private keys.

Actually old old computers frequently broke because of actual living bugs crawling inside and messing with the radio tubes.

Or so I heard.

Hmm yes you have a point, even if it changed and my device could be told I would have to guess the exact format used in the future 10-20 years in advance.

(Say we keep it as integer but 0 becomes = 0.001 satohis (since few will have even 1 btc by then)
OR we switch to some non-int format like string... impossible to know)

This was debated before, what you call  "rolling root" we called "ledger-solution"/"ledger-block".

Same idea; every say 1 year you would take all the 20 years or older transactions and move their unspent outputs to the latest "ledger block". Amounts in the ledger block would be much like coinbase transactions/miners fees.
Barring minor minor data growth from address fragmentation and perhaps block headers, this puts a quite final limit to the blockchain size.

Another idea (of my own) was "swarm clients" that individually would validate only parts of the blockchain, but as a whole would validate the whole thing - all zero trust etc..
This would allow for almost the smallest devices to participate in block validation forever.

You can google these terms, and I do mean google, the forum search is shite.

The main reason nothing has happened yet is laziness and people too busy getting rich off of Bitcoin - and no you can't lump me in with that group I have been hard at work helping Bitcoin for a while now.

What I mean exactly is that right now Bitcoin has 8 decimals going from 1 bitcoins to 1 satoshis or 0.000 0001 bitcoins.

In the future especially, for nano-payments between automatic software using payment tunnels, we will likely add more decimals.

My question is: If a client or device made a mistake today and say sent 0.1 satoshis (assuming this was NOT treated as dust/ignored) which would happen:
(or more realistic maybe: 1.000 0000 1 btc)

1. TX is invalid and simply ignored/could NEVER be in a valid block?
2. TX is valid, amount below satoshis/"rounding error" becomes a miners fee?
3. Amount is lost, goes through as a 0 btc TX (or 1.000 0000 in realistic example).
4. Something else?

Thanks in advance.

Why:
I'm programming a device, similar to say a Trezor, that cannot be reprogrammed later and cannot access the internet on its own.
The device could trust information about decimal places from an untrusted source, but I am just wondering if this could backfire.

This is why I'm encrypting my stash, sooner or later, with whatever excuse the cops will knock down my door.

By then I intend to not be there or at the very least have the pleasure of laughing in their stupid faces.

These technologies already exist, if you have 300K to blow on marketing then:
1. License an app, stick your logo on it.
2. Buy robocoin machines or whatever.
3. Do the marketing.

It's coming; banks and governments are starting to understand and they will regulate harshly, then persecute us all when it fails...

Android qt relied blindly on the java "secure" random function and money was lost. Maybe something similar happened here.