That was my point about its economic value.  Apart people gambling on it, buying and selling it to one another for cash or other crypto, not many people really USE it economically.  My mom neither, and me, very rarely.  I tried, and for some things it has a meaning (buying VPN services, VPS services... if you don't want a link to your identity).  But that's about it.

My idea is that one should not be able to make a fortune without providing value.  Gambling on seigniorage doesn't look to me like providing value.  "being first adopter" has no meaning.  Creating a useful system, yes.  Becoming rich because one was betting on it, without financing it as such, no.  That's not like a share holder of a company that financed the difficult start of the company.  The fact that first adopters gamble on it, doesn't bring in any specific value to the system or to the creator.  Their seigniorage is economically unmerited because no value was produced.

The only value one should obtain from a crypto, is the value of being able to do commerce where this was previously impossible/difficult/dangerous etc... In other words, by the economic gain of exchange, made possible by the existence of a crypto.  Not by being early adopter and sitting on your stash, limiting market liquidity for commerce.

--> Amen.  The REAL REASON is that the bitcoiners are in it for the greater fool game, and want to become immensely rich because they are from an earlier layer of greater fools than the "rest of the world who needs to adopt bitcoin and only bitcoin".  They are in it for the seigniorage, and so they don't want to share the rest of the supply of greater fools with other coins, even if that means that we are stuck with the oldest and most primitive crypto currency design.

If they were for the economic value of bitcoin, namely "enabling commerce where such was not possible/difficult/dangerous/expensive with fiat means", that is "an internet payment system", then they wouldn't mind having competing tech aiming for different niches.  But they are not in it for the currency usage of bitcoin, they are here, sitting on their stash as early adopters, hoping it will go to the moon, and they will be able to retire early on the seigniorage, paid for by the rest of the world of greater fools.

That said, all of the alt coin scene is mostly also a greater-fool game where you hope to get in early, and others will pay much more later for the stuff you got cheap.

Essentially, crypto largely failed as of today.  Its economic value is minuscule, and it is for 99% a greater fool casino.  I'm not saying it is dead, but it is a laboratory that turned into a casino.  In fact, one can mainly study it to see what doesn't work.

I 150% agree with you.  Decentralisation also means no protocol centralisation and chain centralization, but open competition between variants.  Bitcoin is blocking the scene with its first mover de facto monopoly (for the moment).
Competition between modes of crypto payments, between whale configurations", etc..

--> he is right.  He also tried to force people's hands with a soft fork, and when that was a technical disaster, he conceded a hard fork, and ETC was born


Well, if there's one thing one can say about Vitalik, is that at least, he knows the basic dynamics of crypto well
Something that cannot be said about many bitcoiners...

With a hard fork, the market chooses.

With a soft fork, a majority of miners imposes their view on the whole community.

Uh, I was talking about society in general, not bitcoin

In fact, Satoshi mixed several totally different things into one, to come up with a system that seemed brilliant, and turns out to be seriously flawed.

He wanted:

1) to adhere to a sound money theory in order to get a monetary belief (illusion) going.  Sound money theory in a setting with monetary competition is an illusion (and suffers from a version of Gresham's law).  Sound money theory only makes sense if that money has the monopoly on money and where people are FORCED to use that money, and no other means of exchange, in other words, only under strict economic totalitarianism.  But as such, he wanted a convergent series of coin emission.

2) he wanted newcomers to be able to win coins by anything else but buying them from the original devs.  As such, he needed a way to create coins for non-stake holders from scratch.

3) he needed to solve the decentralized consensus problem.

4) he needed to cryptographically secure the old consensus (immutability), so that one cannot "redo" old transactions.

These 4 totally different problems to be solved are done in ONE SINGLE SOLUTION, and this was a severe error.  Because the requirements are essentially mutually exclusive.  His solution was to get external people do coin creation (2) at diminishing rate (1) in a competitive lottery (3) in such a way that it would cost too much to redo it (4).

However, by doing (1), he caused a need for a squeezed fee market, to pay for the huge amount of work needed to secure the chain (4), in ways that could compromise the permissionlessness of solving the consensus problem (3) by people that may not have vested interests in the system (2).

The 4 problems needed 4 different solutions.  In fact, (1) was a ridiculous assumption, but which is still driving the illusions in bitcoin.  (2) was important at a certain point, but now the miners are not exactly "newcomers" and the way newcomers acquire coins is not by mining them but by buying them.

(3) it is better to solve the decentralized consensus problem by many stake holders, instead of a few concentrated industrials

(4) digital signatures are cryptographically much, much less wasteful and much, much more secure than proof of work.

Yes, PoS can of course be forked from bitcoin.  PoS has some theoretical problems, but at least, it doesn't need to waste $400 million a year on "cryptographic security", because PoS is cryptographically secure with digital signatures, not with "good guys can spend more electricity than an attacker".

PoS has, as a cryptographic security system, far, far more security than PoW.  However, PoS WITH REWARDS (fees and coinbase) is problematic, because you run into the problem of "nothing at stake".  PoS without any reward, purely voluntarily, like the people running bitcoin nodes right now, would be perfectly safe, because nobody has any "stakes" in minting fake blocks, apart from the ones wanting to double spend, but the PoS system can be made such that the probability that they are allowed to mint the block in which they double-spend is extremely small after a few confirmations.

My idea is that a PoS system without rewards is perfectly safe.

The way PoW is centralized in bitcoin, it would be a good thing to go to PoS.  But it won't happen, because bitcoin is "frozen in" now.  Any PoS fork of bitcoin wouldn't be called bitcoin, and as the name "bitcoin" is all it has going for it, that would be the end of it.

Most likely the opposite: centralized systems being more easily manipulated and steered, they will outperform decentralized "random" systems in a highly speculative market any time.

BTW, you see this with ETH/ETC too.

My point is that in your example, your key is encrypted with a "one time pad", which is, by definition, a random number that YOU know, and that the enemy (me) doesn't.  However, instead of "remembering" the one time pad directly, you prefer remembering a (random) password, and you have to TRANSFORM that random number (your password) into another random number of different format.  To do this entropy transformation, you use a hash function, but you don't NEED a hash function for that ; any injective function from the password set into the "one time pad" set is good enough.  You don't need the irreversibility of that function (which is the property of a hash function: practical irreversibility).  As I showed you, my function f(n) = m = (K n) mod M + C, which is a "randomly looking function" that is perfectly reversible, could do just as well for your case.  The fact that f(n) would be "cracked" and made reversible, doesn't alter the security of your key protection, which is simply protected by the entropy of your password, that simply had to be mathematically transformed in the right form factor to be XORed with your key.

Whether I can calculate back from the one time pad to the password, or not, doesn't matter in your case.  So the fact that reversing the hash function doesn't destroy your system, is non sequitur.

I think calling the obvious, "sociopath theories" is exactly the social lie I was talking about.
I'm not excluding empathy, btw.  Empathy is included in joy and suffering, in the same way that eating chocolate is included in joy, and getting a hammer blow on your big toe is included in suffering.

That is exactly what I expect of a decentralized, trustless system: a web of greedy cheating bastards wanting to rip off one another so much that they can only come to the consensus of a working, fair system ; and in fact, of any form of society in general (which, at its most abstract level, IS a trustless, decentralized system, governed by the immutable and non-centralized laws of physics).  I think any picturing of anything else but that is but delusion, with the purpose to misguide the preys at best, and based upon misunderstanding at worst.

This is the essence of living, conscious beings.
Consciousness defining pleasure and suffering, and life defining offspring preference, the obvious behaviour of any conscious, living being is what you just stated.

The negation of this is what I call the social lie.

I don't see the problem.  Why would an arbitrary minter censor you ?  And if he censors you, the next one probably won't.


Who are you going to bribe ?  The guy that just minted a block, but if he changes something, he's not the preferred minter any more, but some other dude ?

The idea is that, if the preferred minter order is a random function, depending on every individual bit in the block, you cannot know who will mint the modified block ! 

As iamnotback said, this is just at high conceptual level and not a "design", but essentially, you take a hash function of the block, and you find the Hamming distance between this hash result and the minter's stake address.  The one with smallest Hamming distance is the preferred minter.  Change one byte in the block, and the preferred minter becomes someone else. Many minters can mint blocks almost simultaneously.  Another function will tell future minters which chain to prefer to mint upon.  This function should be well-designed so that there is almost no way to "orphan" many blocks, by increasing exponentially the preference for the currently longest chain.

I'm not doing anything PROPORTIONAL to stake - you simply have to stake a given amount, somewhat like the master node scheme in DASH - but the amount shouldn't be very high - as there's nothing to WIN in staking, you don't care about your probability to mint, you only do it altruistically to keep the network running.

You have just re-invented a one-time pad encryption which cannot be cracked of course.  The hash function is not even necessary.  You only needed a random number (the one-time pad), and you used the entropy of your password, and the hash function, to use this to generate a random number serving as one time pad.  Even worse, I can NEVER find your keys, even with infinite amount of work, because I will never know when I found them.

You haven't used the irreversibility of the hash function here.  You only used it to transform some entropy (that of your password) into another random number.

It is a pity that you didn't look at the simple math I posted, because it explained exactly what I wanted to illustrate.  Note that you could use my toy hash function in your example, and your system would be just as secure.  Because the irreversibility of a hash function is not needed in your case.

My idea is that sooner or later, bitcoin's growth has to stop.  A greater fool game always comes to an end, but of course, there is still a whole planet of greater fools to be taken.  However, bitcoin's on chain design doesn't allow for orders of magnitude upscaling in the near future.  It might very well 50 years from now, but nobody cares about "50 years from now" if you're serious - only greater fools think that.
If you go to off-scale, in other words banking (with eventually, unavoidably, fractional reserve banking) you:
1) lose all on-line fees
2) you will get effective coin IOU creation offline (fractional reserve banking) that will stop the individual coin price pump.

So even if the whole planet were using "bitcoin" as a reference, there would be so many IOU bitcoin that the VALUE of an individual on chain bitcoin wouldn't rise accordingly.  Like in the fiat system: 95% of bank dollars are not FED dollars but bank IOU.  This is NOT cheating, contrary to what naive monetary theories claim.  The issuing of IOU that are not entirely covered by originals, but are so by debt, is not cheating, and it the origin of fractional reserve banking.

So at a certain point, if there are secondary layers on top of bitcoin, fractional reserve banking WILL emerge, and what people are then using as a currency is denominated in bitcoin, but is not bitcoin, but rather partially covered IOU from institutions that use bitcoin on the lower layer to *settle their differences* --> reserve currency.

This would stop the growth of price of an individual bitcoin, as these IOU can be created at will by several institutions.  Their reserves in true bitcoin only need to be large enough to serve as a collateral for *individual IOU transactions*, not to back up all of them at once.

So *even* if a bitcoin denominated banking money would become world dominant, it would be identical to the current fiat system, apart from the "central banking settlements" between banks.

Bitcoin's value wouldn't increase orders of magnitude, because these banking layers would create as many "bank coins" as there are banks, all simply REFERENCED to bitcoin as a collateral for individual inter-bank transactions.

If bitcoin would have allowed ON-CHAIN world scaling, this would not be the case.  But bitcoin is reaching already right now in order of magnitude, its on chain capacity anyhow, and hence the price rise will be limited to at most an order of magnitude or so, at FULL ADOPTION (which is delusional).  So, for miners, there's not much to take more than there is to take today, and the "orders of magnitude" are much easier taken on fee increase, than on bitcoin's price increase, even if they hope for world adoption.

In other words, the only hope for bitcoin adoption is off-chain, and won't be a big boost for the bitcoin price, because it will be offset with fractional reserve banking.  Miners have nothing to win in that game directly.

However, on-chain bitcoin OWNERS are the guys they want to milk somewhat more.  In as much as these on-chain owners are exactly the banks issuing fractional reserve bitcoin-collateral IOU, they will HAVE TO settle on-chain between them.  But then, the current volume is already enough (SWIFT).  So if there is any hope to squeeze that fee market, blocks mustn't be larger than today.  Those to be milked, are the whales who need to transact.  And honestly, they won't mind too much: if you have to settle 10000 BTC with another bank twice a day, you don't mind paying 10 BTC for the transaction, do you ?


I think that even if it scales off-line, as I outlined above, the individual coin will not appreciate proportionally because of fractional reserve banking.  Bitcoin is essentially an on-chain thing.  Fractional reserve banking is even made safer with bitcoin's chain limited, because there cannot be a bank run !  The chain can simply not follow all withdrawals !

Suppose you have 1 billion of bitcoin IOU users in the world, and there's a bank run.  Everyone wants to have its coins on chain during a week of panic !  They simply cannot be served.  At 10 million transactions per week at most with Segwit, it would take 2 years to process all these withdrawals on chain.   So fractional reserve banking is much more protected with a block chain than with things that can settle quickly and massively. 

Ironically, bitcoin is a dream for bankers !

Of course not.  You are making a circular argument here.  You take for granted the properties of a hash function, to prove that a hash function has these properties.

Let me give you a toy example.  Suppose that my hash function is:

f(X) = (K.X) modulo M + C

This has the "random" properties of a hash function, right ?

You can solve this equation into:

f(n) = m

becomes:

n = (m - C) / K modulo M + L . M

where the division is unique in the field modulo M (supposed to be a prime), or has a few solutions in the ring modulo M if M is not prime or no solution, easily determined by Euclid's extended algorithm.

We now have an ordered solution set for n, where L is the index in the solution set, eventually with a second index in the division solution set if M is not prime and there are multiple solutions to the inverse of K.

Of course this was a trivial hash function.   A cryptographic hash function is way more complicated and supposed NOT to lead to such a solution.  But the principle is possible, as I just showed.  I don't have to spend any work to find the L-th solution to my hash problem:

f(n) = m.

This is what I understand by "cracking the hash function completely": being able to have an algorithm that spits out solution number L of the ordered solution set.

Of course you can.  What is a hash function essentially ?  It is a function f that maps a number in the set A = {0,...N-1} into the set B = {0,...M-1} where M << N ; f(n) = m.

The trick of a hash function is that the calculation of f(n) = m is rather simple, but that there's no way, given an m, to find an n other than by exhaustively trying all elements of A. 

Given that M << N, there are essentially on average Q = N / M elements of A that map onto a given value of m.
If you find a way to find easily the set of these Q elements, given m, without having to scan over all of A, you have cracked the hash function.

Usually, a hash function is already considered cracked when you can easily find ONE SINGLE element of the inverse image of m, but a fully cracked hash function gives you all of them.

If on top of that, I'm able to search quickly  in the set of solutions (for instance, if I can generate them in an ordered way), I don't have to run over each of the solutions, I have only logarithmic difficulty to search in this set of solutions the one that satisfies the conditions I need (for instance, the block header without nonce).

I can work backwards in the hashing tree towards those data points where I have liberty to change things, and search each time, logarithmically, whether a solution exists.

In fact, the solution set I would take would start from m = 0: infinite difficulty in bitcoin: the hash being zero !
Once I have the header solution set, I look (logarithmically) for those solutions that have the right previous block hash and a few other things that need to be fixed, and essentially look for those solutions giving a merkel tree hash and a nonce.

For a found merkel tree hash, I now apply the same technique where everything is fixed except the coinbase transaction: so I calculate backward a/the solutions for this coinbase transaction, imposing (searching) everything that is fixed in the coinbase transaction --> I find the/a solution with the/a right coinbase comment.

I've just produced a correct block with maximum difficulty !  This chain is unbeatable now, nobody can make a chain with more PoW !  My PoW is orders of magnitude bigger than what has ever been done on bitcoin.

Note that even if I fork off 100 blocks ago, the new chain where I orphaned 100 blocks has orders of magnitude more PoW, with a calculation that I can do on my PC, if I have:

1) a simple way to generate the ORDERED set of solutions n to f(n) = 0.
2) a quick way to search into that set without having to "enumerate" it ; that is: if I can generate "solution number p" in that set without having to calculate solution 1, solution 2, ....

Our thoughts seem to be almost parallel.

https://bitcointalk.org/index.php?topic=1837136.msg18344301#msg18344301

I was just thinking loudly of how to make a PoS version for bitcoin

That sounds a lot like the (rough) concept I have of a "web of small coins connected by distributed exchanges".