Hell, I don't care.  I'll go right ahead and disclose information about myself to the FBI.

And, It's nothing they don't know already.  We went over all of this in great boring detail when I got my clearance as a security contractor.  They know exactly who I am.  So does the NSA for that matter.  The Treasury department would be new to me, but not terribly unexpected given some of my specialties.

So, yah, full disclosure.  I'm not a fed, but I do work semi-closely with some subsets of feds. It's even possible that via one of the security contracts I might get called as an expert witness in a Bitcoin case.

Only problem is, I doubt that I'd be able to scrape up enough money at one time to make any significant purchase.  Hmm, well, there is this one job that might make me US$10K by the end of the year, but it's a bit of a long shot. Still, that's not a very big drop in a $20M (or possibly $60M) bucket.

C'mon, let's fill in the gaps.

I think that I have a solution for the homomorphic encryption problem that I started this thread with.

The solution lies in choice of exponent for the Benaloh system.  In order to convert coins from previous to subsequent exponent, it is necessary to know all the factors of the exponent.   To verify that it has been done correctly requires only one.

Given X = A * B * C, the coin holder (who knows all these values) can easily convert JX to KY where Y = A * B * D  =  D * (X / C).  He can reveal C and D allowing others to verify that it has been done correctly, even though others don't know A and B.  However, in order to derive J or K, any others would have to first *know* whichever one they weren't trying to derive, and second would have to be able to factor the residue AB.

In practical application, a coin that was created with the exponent X in the original transaction can be converted to the exponent Y, where the previous transaction has revealed C and the current transaction reveals D.

This requires the exponents to be uncomfortably large, making each coin a minimum of 1/2 kilobyte to represent.  But it's reasonably practical I think.  I will have to scribble and do proofs for a day or two in order to figure this out in detail.

I have to admit that I can understand more readily the difficulty of modular factoring than the difficulty of reversing ECC.  ECC is easiest for me to think of as sort of a modular discrete geometry problem, although usually presented and explained as a Groups problem.  If I can show rigorously that this idea works via modular factoring, I will look at ECC and see if I can find the appropriate analogue in its structure.  If so that should reduce the required representation space by about an order of magnitude.

We care what this guy thinks why?

By the way, here is a youtube link for anyone who wonders how I picked Ivan's name. ...

http://www.youtube.com/watch?v=jLb4SOLxHPA

(Amusing, but more than an hour long).

Okay, we've all read the news where the Dread Pirate Roberts and his "auction" site on Tor have been taken down.  And we all know that many more petty but ambitious crooks are rising up in hopes of taking his place.  

Now, here is an interesting but horrible thought; what if one of these enterprising young agents of entropy is Chairman Ivan Dragomiloff?  And Ivan sets up a "gambling" site on Tor with much the same regard for the law that Roberts' "auction" site displayed?  

And, having in his misspent youth read a hypothetical proposal by Mr. Jim Bell (which I will *NOT* link here) he sets up a site that takes bets on the dates of death of public figures?  Simple enough, you pick a person and a day, place your bet, and if the day passes with your proposed death not occurring, your bet gets added to the jackpot.  If the death does occur on that day, you (and anyone else who bet on that day) get all the coins that were bet on other dates of death in bets smaller than yours, and the house keeps the money that was placed in bets larger than yours.  On the other hand, should death occur on a date no one has predicted, the house keeps the whole jackpot.  

So, if for example President Ween of Lower Slobovia has really ticked you off, you might bet a bitcoin that he'll die tomorrow.  If he's ticked off enough people who all bet a Bitcoin on a date of death, and he survives through all those dates, then suddenly we're looking at a situation in which someone who guesses correctly might bet one coin and harvest a few thousand.   And that kind of situation could influence a certain kind of mind, inspiring them to take steps to firm up their prediction and "improve the odds" on their particular bet.  

Welcome to the world of assassination politics.  It really isn't possible to hold any noticeable political office anywhere, or run any large business, or even to be what's called a celebrity, without pissing a lot of people off sooner or later.  Possibly even through no fault of your own.  But with Chairman Dragomiloff's Tor site running, suddenly there is an immediate reason to *fear* pissing large numbers of people off.

Just a random thought.  

Are you serious? An all out attack on bitcoin would be a stupid and pointless thing for them to do.  Consider this. Bitcoin allows some privacy but not too much.  That is probably the best scenario for law enforcement purposes in the USA.

The point is that it's possible to catch people like DPR, but still private enough for most people to use most of the time.  A "hard" crypto currency that used full link encryption and message mixes as part of the basic protocol would probably replace it and that would be a full on disaster from their point of view.

Bitcoin is law friendly enough to regulate and tax and they'll only lose that quality if they press an attack.

@BCNext; It sounds very much like we're contemplating a very similar coin launch, even including some of the same longer range goals.  (native support for multiple issues in the block chain that goes well beyond 'colored coins', pure proof-of-stake, awareness of other block chains and supporting cross-chain decentralized trading, point-to-point encryption, etc). 

I'm not ready to announce a launch date though; I'm still in the process of organizing my own fork of the code  (I chose to start with Litecoin because it's simpler than most) and I don't know when it'll be ready. 

Just BTW, if you're serious about a billion-coin issue, you should be aware of exactly how wide the number you're using to record the amounts is.  Given the 1 Bitcoin / 10M Satoshi setup of Bitcoin, you don't have enough bits there to handle that many coins. 

I already ran into that when I was adding a field to keep track of coin-type.  Explanation: the basic "Crypto-Credit" coin in my system is coin type zero; but users could issue other coin types with different names, different sets of rules, and different sets of standard transactions, sharing the same block chain.  They could be other cryptocurrencies, or company stocks, or bonds, or whatever, and by default that would allow a distributed market in which issues could be traded for one another.

Anyways, I'm pointing this out because if you're amenable and have the same vision, we could cooperate. 

Yes, that's basically the same plan I was talking about, except that I want to fix it so people can't tell in advance when they're going to get "lucky."  In the protocol I'm describing, there are two effects as time passes: The difficulty comes down (the target you have to meet gets larger) and you get more chances (the number of nonces you can use goes up). 

So, yah, you can solve your few hundred hashes and see when the two will meet in the middle as soon as the block starts; but someone else's chances may meet in the middle first, and you don't know when. 

Also, there's a point in sending your block around to signatories first; that's so you can't have a "winning" block (ie, one with a lower timestamp or hash than the current accepted block) that will cause a chain reorg, unless you have announced it in a timely way.  And also, it allows six different people to submit lists of all the tx they've seen, which you cannot then leave out of the block. So unless six randomly chosen stakeholders are cooperating with you, you cannot leave a chosen transaction out of the block.  That ought (I hope) to put a cramp in the style of those who want to double spend, or keep transactions out of the blockchain. 

Finally, it allows the idea of an explicit "rejected" message.  In the bitcoin protocol, a transaction which conflicts with one that's already been seen simply never confirms.  Somebody waiting for a transaction to mature might not realize there's a problem when waiting more than an hour for a transaction to mature.  But if you get explicit lists of transactions that must be included from various sources, then you are likely to get conflicting transactions in the same block.  That means that if you accept one, you have to accept the other but mark it "INVALID" or "REJECTED" or whatever, and that is likely to happen in the very first block after a double spend is made, so there's no question what's going on or complaint that the miners aren't picking up transactions fast enough, etc, when a transaction just fails to confirm. 

Anyway, as I see it, even if you're holding 50% of the stake, the odds of getting away with a double spend for even a single block, or successfully choosing to leave a particular transaction out of your block, are only about 1 in 64. 

It's not just you.  The more the police do their job in controlling the criminal element, the better the news will become.   

Yay for the police. 

I have lived in bad neighborhoods.  When the number of police officers on the beat went up enough, they quit being bad neighborhoods.  The troublemakers, thieves, scammers, dopeheads, gangbangers, and dealers all decided they would have better odds pursuing their chosen professions in other areas, leaving the law abiding citizens happy and satisfied and owning property that tripled in value as that element was finally driven away.   Seriously, three cheers for the cops!

The only thing I'm even remotely upset about is that the ladies of negotiable affection went away too.  They were harmless.  Some of them were savvy businesspeople entirely happy with their choice of profession or paying their way through college as independent operators (hey, it beats the hell out of fast food jobs), and some of them were essentially slaves and victims of coercion, not allowed to keep their earnings, and ought to have been regarded more as the victims of criminals than as criminals themselves.   But that's the way it's gonna be until the law changes. 

Still, you know how to change the law, right?  If you live in an area with democracy, you change it by participating in the process and voting!  You do not change it by making trouble for the cops, because believe me when I say that no matter where you live, they can make far more trouble for you than you can make for them, and besides making trouble for the cops gets in the way of their very valuable work keeping the nasties out of the area. 

Bitcoin can use some serious police efforts, IMO.  Keep your damn nose clean and celebrate a little victory and a better world every time they take a dangerous criminal away. 

What gets logged at the CA is not the transaction and IP address; it's the *hash* of the transaction and IP address.  Essentially the same hash Bitcoin uses to secure the integrity of its blockchain, which works because nobody can find a preimage.  IE, given a 256-bit hash value, you can't find the original message (in this case the transaction and IP) without doing 2²⁵⁶ work.  Which nobody can do, or the difficulty threshold for mining would be around 115792089237316000000000000000000000000000000000000000000000000000000000000000 instead of around 267731249 right now.


So what happens is that you and the other party/parties to the transaction both/all know about the transaction.  The CA signing the hash doesn't mean anybody else (not even the CA itself) can find out about the transaction, because nobody can find a preimage; what it means that either/any of you can choose to prove what you know by revealing the transaction record and showing that it is the preimage for the CA's hash.

Essentially, there's little risk that there wasn't before.  A party to the transaction can let other people know about the transaction.  All that changes with the CA is that you (or they) can prove when they reveal it that it's the same thing the CA signed.

Well, not quite all.  If someone has hacked, burgled, extorted, blackmailed, bribed, or served the CA with a court order, and is able to spoof your traffic when you're making the transaction,  they will be able to eavesdrop on or alter the transaction unless you develop and deploy better channel security than the users of the payment protocol have so far developed and deployed.

An observation about that plan is that you wind up with a number of tx (per block) equal to the total number of coins in the universe.  And each block puts more coin into the universe, so the bandwidth requirement  per block grows linearly, and if they stay in the blockchain, then the space required by the blockchain grows geometrically.  

Hmmm, that said, until Moore's law hits the wall, bandwidth is growing exponentially, so a linear growth in bandwidth requirements isn't a huge problem.  Also, no money changes hands when someone mines unsuccessfully, so it ought to be possible to prune them from the blockchain when they get old enough.  All that needs to be remembered at a given moment, if you're regulating via coin age, is when the *last* mining attempt for (or transfer of) a given coin was made.  So the blockchain itself need not grow geometrically in the long run.

It's a good idea to regulate stake via coin age, but doesn't really solve the problem of people simultaneously mining in more than one version of the blockchain.  After all, they have the same coin age in both versions, and coin age can only be destroyed once (assuming only one chain survives) no matter in how many chains they mine.

However, the idea of having miners announce their intention with a special tx does make anti-cheating measures enforceable.  If we assume that the "I am mining" tx must announce which chain it's mining in, then that transaction can be entered in that chain for a possible mining reward, and also in other chains as a guard against cheating.  Essentially, if anyone announces mining in more than one version of the block that's at a given height, then that person is clearly cheating.  The coin they were using to mine could be simply destroyed by the protocol, or transferred to the winning miner, or whatever.