This is also related to this "Turing completeness".  You only have untrusted code if there is no systematic way to analyse the code.  For instance, bitcoin scripts are also "untrusted code" but as the bitcoin scripting language is not Turing complete, the number of states of any bitcoin script is always limited (and usually very small) ; as such, bitcoin scripts cannot do much mischief (apart screwing up the transaction they are handling).  There are no "unanalyzable bitcoin scripts". 

If you want to use something that is accepted and in line with legalization, then you should use fiat.  There's nothing better than fiat to be in line with the law, if that is what you want.  Crypto has no use for you in that case.

Now that's funny.  If monero's anonymity would be *totally* broken, that is, if the whole chain would be deanonymized, that would mean that dark markets would be at the same point of exposure as if they had directly used bitcoin, where the chain IS ALREADY de-anonymized.  So even if the whole of monero's crypto were to fail you wouldn't be worse off than if you had used bitcoin from the start.

I agree with you that security and crypto are difficult. As you say, while you want to do something else, you have to make sure that you don't make one single fatal error.  While the attacker needs only one success and can fail as many times as he wants.

However, you forget something.  That is that the attack has to be worth it, because nevertheless, the attacker will have to spend means and effort.  So the higher the barrier, the higher the price before it starts paying off.  If you do not agree with this, then I guess you don't lock doors (after all, a locked door has to have everything perfect, and a burglar only needs one single success), you don't use passwords and you don't use ANY security measure, in computing or otherwise, because the same reasoning will tell you that it is useless: any attacker will only need to find ONE failure, while your security will have to get everything right.

You're thinking too much in absolutes.  Absolute security doesn't exist.  Even if you've never done anything illegal, it is perfectly possible that you have been in the wrong place at the wrong moment, and even the most law-abiding citizen can be convicted to the most severe sentences ; as a mistake, or as some sacrifice for one or other cover-up.  I believe that more than half of the death penalties in the US are on innocents.  So much for "trusting the state for your security".  

And IF you're doing something that might displease someone of TPTB, they will find a "legal" way to make you pay for it and induce subjugation in anyone even thinking the same way... IF YOU MAKE IT EASY for them.  This is why you have to make it difficult for them.  Difficult doesn't mean "impossible".  It means that the price they have to pay to do so, is sufficiently high so that the small crime you're committing by displeasing a member of TPTB isn't worth the effort.

In other words, the more you can make it difficult to have DRAGNET security violations of your privacy, the harder it is for TPTB to silence efficiently EVERY opposing voice.  That is not the same as guaranteeing that you can do what you want behind an iron-wall security that cannot be broken.  It means that they have  to single you out, and really really want you to do so.  And they will get you.  But they won't silence everybody that way.

Illegality is an absolute necessity.  Laws have to be broken, and law enforcement has to be inefficient to a certain point.   Even if you are OK with the idea of a state and law (I'm not, personally, but even if you think that state and law are necessary and good by itself as a concept), there must be room for illegality.

I heard this from the mouth of a lawyer, who made the compelling argument like this.  Back in the 1950ies, homosexuality was illegal in the United Kingdom.   Imagine that law enforcement of that law had been perfect.  Imagine that ALL homosexual activity had been found out, procecuted, and the punishments (prison and "medical treatment") perfectly applied to every one single homosexual in the UK.

There would not have been a homosexual movement.  They would all have been in prison and "medically treated".  There would not have been a WAY to even CHANGE THE LAW, as nobody would ask for it - given that no-one being homosexual would have been around, not in prison.  Illegality is needed for society, even with law and state, to be able to evolve.  Something that is considered illegal at a certain point in time, must be able to exist "underground" in order for it even to have a chance to change law and opinion about it.
Abortion is the same story.  If every single woman having recourse to illegal abortion, and every person helping her, would have been perfectly taken care of by the law as it used to be, there wouldn't have been any case to plead for it to become legal.   Free radio emissions, the same.  It used to be illegal (at least in Europe) to have free radiotransmitters.  If every free radio would have been taken down within the first half hour of emission, the now legal operation of non-state radio transmitters would never have seen the daylight.  

In other words, if law enforcement is perfect, society cannot evolve over ancient laws, because the alternative, demanding for the change of the law, would be so severely exterminated, that the demand would be gone.

My opinion is that "dark markets" are in exactly the same situation, and that one day, most of what is handled there, will be legal, BECAUSE sufficient dark markets existed.

The war on drugs is a lost cause, similar to the war on homosexuality.  But in order for that to change, you have to be able to let it exist in illegality until the laws adapt.

That's also my point.  Market cap mainly measures how much gamblers are betting against one another on exchanges, and has very little to do with the underlying crypto function.  I would even go as far as saying that most big crypto market cap would be the same if we removed the block chain from it, and it were just IOU on exchanges.

The real usage of the crypto, which means for bitcoin: paying to buy stuff or services and get paid to deliver stuff or services, and which means for ethereum: fuel/stake for smart contracts, seems to be only an infinitesimally small part of the transaction activity and the market cap.

You can see that in the following effect: when an exchange gets stolen, bitcoin's price drops.  When there are technical problems on the block chain of ethereum, that hint at possible exploits and so on, this hardly affects the price.  This illustrates, IMO, the fact that what mainly determines the price of these coins, is the reliability of the IOU on an exchange, and has almost nothing to do with the underlying block chain these betters don't really care about.

Yeah, sure.  I know there are a lot of dapps in development, and some are even running.   But how much success do they have ?  How much ether is in there, or do they handle ?

In other words, how much of ethereum's market cap has to do with the demand for ether to use on these DAPPS ?  How much ethereum transactions have to do with these DAPPS ?  My uneducated guess is that if a few percent of the ether market cap, and a few percent of the ether transactions are related to the ensemble of these DAPPS, it will be a lot.

There are no serious dapps running on ethereum.  There are projects, dreams, and betting and ponzi games.  But the nature of ethereum is such, that if there's serious money in these dapps, exploits will be found.  Or it would mean that the ethereum guys have found the very first way of coding in a Turing-complete language that is devoid of exploits unless you're a really ugly, incapable nitwick of a coder, to allow for the only big ethereum contract experience until now: the DAO.
More than 40 years of research in computer science hasn't come up with any language that permits you to code exploitless in such an environment.  So it is almost impossible that not several of those DAPPS will be exploitable.
It is just a matter of time, and a matter of having them enough money in them for it to be worth while.

The market value of ethereum is not made by these DAPPS.  Most ethereum has nothing to do with these DAPPS, and is probably even kept on exchange's wallets ; so you don't even need a block chain.  It is just a betting token on exchanges.  That can go very high.

Exactly like bitcoin, BTW.  Bitcoin's price is also mainly from a betting token on exchanges, and not as a currency to buy stuff with.  Most crypto is nothing else but betting on exchange IOUs.  The actual block chain and usage behind it mostly doesn't matter.

Indeed, it would still be called ETH...

The point is that ethereum is a square wheel.  The square wheel hasn't improved over the centuries.  It has been replaced by the round wheel.  Even though the triangular wheel looked like an improvement over the square wheel (it eliminated one bump per turn), it didn't, in the end, catch on.

The square of ethereum is its Turing completeness.  You will go from bug, to exploit, to bug, to bug to exploit.  Like any other code system has in Turing complete systems, but for stoppable code that's acceptable.  For unstoppable code, that's lunacy.

As I have to re-define them to address the points I'm making, I cannot "misunderstand" them.  It is true that I have to redefine them, because their standard definitions take implicit properties into account, which are not correct.  As such, I cannot use the standard definitions, but I try to find meanings that are as close as possible to these standard definitions.

I consider that "block chain technology" is a cryptographic system which *includes* a sociological part (as in fact, most cryptosystems do, but this one is more involved).  I consider that this technology is designed to achieve a specific property, which I call "immutability":
1) an agreed-upon history of events, such that once they are agreed-upon, this history is never going to change (no early additions, no early removals of events).
2) an agreed-upon set of rules, the "protocol intend", which gives meaning to the recorded events, which are also never going to change.
We call the realisation of these two properties "immutability".  The GOAL of block chain technology (including sociology) is to realize immutability (of history, and of protocol).

There is a technological part to block chain technology, which is all the thing with software, cryptography, hashes, keys, and all that stuff.  And there is a sociological part to it.  Both elements (the purely technological part, and the sociological part) are MEANS to reach the GOAL of immutability.

The sociological "technology" part of block chain technology is "consensus".  Consensus, in this frame, means: not being able to reach a majority between participants over anything else than the correct history, and the original protocol intend.

The cryptographic technology is such that a majority of miners can impose their will ; the sociological technology, called "consensus" is such that no such majority can be found, if it deviates from the correct history, and the original protocol intend.  Both together are supposed to guarantee "immutability", which was the GOAL of block chain tech.

So immutability can fail, if the crypto fails, if a minority can crack, say, the PoW scheme, can do double spending or whatever.  This is a failure of the technological part of block chain technology.  And immutability can also fail if a majority CAN be found that colludes over something else but the correct history of events and the original protocol intend.

If one of these things happens, the block chain technology has failed in its goal to maintain immutability.


I fail to see the difference.  The block chain was intended to maintain immutability by preventing the realisation of a majority over anything else but the original protocol and the correct history of events ; however, such a majority was nevertheless found.  So the consensus mechanism, the sociological pillar of block chains, broke down, as something happened that was supposed not to happen (finding a majority over something that was not supposed to find a majority).


You are perfectly right, but the consensus mechanism is a big part of block chain technology.  One pillar is code, the other is sociology, the famous consensus mechanism, that was supposed to prevent being able to find a majority over anything else but the original rules.


No.  Again, the block chain technology paradigm rests on two pillars: code and sociology.  You cannot put the sociology in the code, but it is nevertheless part of the fundamental hypothesis of block chain tech, in order to achieve its goal: immutability.


Uh, of course I'm talking about "an idealized version of block chain technology", namely its intend and goal.  However, to my knowledge, bitcoin still implements that ideal pretty well.  I have no knowledge of bitcoin ever finding a majority to deviate from the original intend of bitcoin, nor of any history that had been totally altered even though that history was generated perfectly according to the intend of the protocol (i'm not talking about buggy code that generated events that are not correct according to the intend of the protocol).

Nope.  Block chain is slower, clumsier, much less accepted, riskier, more volatile, and isn't CAPABLE of replacing VISA...
If it is to replace normal, law-abiding, official sales with all taxes included, block chain is in almost all cases a worse user experience than just typing in your visa card number on a web site, receiving a confirmation code on your smart phone, and done with it.  And if there are problems, scams, ... you can complain, and get your money back.  That's also why there is a small fee to be paid.

If it is to replace the same functionality in the same circumstances as VISA, hell, bitcoin lost the game even before it started ; so that cannot be the goal.

There's no such thing as a "genuine crypto investor".  A "crypto investor" is nothing else but someone trying to rip off someone else in a zero-sum game.
In other words, if you're in the business of gambling, sorry, "investing" in crypto, you're already an outright scammer.  That said, there's nothing wrong with it, because you're only trying to rip off people that are scammers themselves, and try to do the same.  But this is also the reason why there's nothing wrong with the DAO hacker.  He was just a smarter scammer that understood the game better than the other scammers that tried to rip off one another.  Although.  Finally, these last ones were the winners in the scammer game with something unexpected: they wound back history by breaking the block chain.  But hey, in the scamming business, there are no rules, right ?
(but then, nobody is a criminal, right ?)

BTW, look at your signature: you're making publicity for a Ponzi scheme: an ethereum doubler.
That's essentially what every "crypto investor" is doing.

Honestly, I fail to see the purpose then.  "internet money".  Hell, I can pay everywhere with VISA or Paypal. 

And "clickbetting" on a zerosum game, isn't betclick or the like good enough ?  And then there is the real stock market.  One doesn't need any block chain to bet on "exchange" tokens, no ?

You don't need anon for that, but you don't even need block chain for that.  Only web sites and web site IOU on exchanges.
The game is the same: you can only make money by ripping off someone else ; and in the process, the intermediate agent (the exchange) takes a percentage of your battles.  What's the point ?

Of course.  But then all the others have lost their purpose.  I think it is a great thing if litecoin can include anon features, even though it is a break of the original contract, because that will legitimize to the anon side, which it should have been and is  a fundamental flaw in bitcoin (not making any accusations to Satoshi: you cannot get everything right the first time).

That said, it somehow kills the immutability of protocol intend of litecoin, because anonymity or not is an INTEND, not just a technicality. 

It is not about market cap.  It is about usage as a currency to be free.

I don't find that what he did was wrong.  On the contrary.  However, I will admit that it was not FRIENDLY.

This is like knowing how to beat your adversary in a chess game, but deciding not to do so, just to be nice and friendly.  But playing by the rules and winning, is not "wrong".  Even if your adversary didn't know the rules.

Not so much the developers.  They have to trust the small group of people that will participate in the trusted setup.


I agree with you that zcash has a potentially extremely powerful idea, which is TOTAL anonymity.  That's better than Monero, which has a limited anonymity set, which is growing over time.  With the ideas in zcash, this anonymity set can be total.
However, this is NOT how it is set up in zcash.  And in order to have this total anonymity, you have to introduce compromises with other aspects, like a trusted setup.

So, the way zcash is set up, I wouldn't prefer it, anonymity wise, over monero.  But it ideas in it that are potentially much better than Monero.

It is extremely important and the core of my ethereum critique, which, I admit, only realized myself after the DAO failure ; before, I was a relative ethereum enthusiast, and was only criticising the transparency of the block chain.

Actually, "code" is not Turing complete, but "instruction set" is.  "code" is a list of instructions out of an instruction set.
Now, there is a fundamental theorem in computer science that says that, given an arbitrary list of instructions (of code) in a Turing-complete language, it is *fundamentally impossible* to find out whether the execution of that list will come to an end or not.  It is called the Halting problem.  I give you some arbitrary code, and by looking at the code, or by doing whatever you want with the code, there's NO UNIVERSAL decision procedure that will tell you whether the execution of that code will come to a halt or not.

But that doesn't mean that for *specific* pieces of code, one cannot find ways to demonstrate that it will always come to a halt.   Of course there are pieces of code, for which one can find proofs that they will stop.  But the METHOD for that proof cannot be universal.

An example is the code that implements the Mandelbrot set.  I don't know if you know the Mandelbrot set.  It is mathematically defined as that piece of the complex plane such that an element of that set, C, is such, that the series defined by the iteration formula:

z(n+1) = z(n)^2 + C  and z(0) = 0, does not diverge.

A property is that the series diverges for sure once abs(z) is larger than 2.

If you want to find out whether a particular complex number C is part of the Mandelbrot set or not, you do the following:

put z = 0.
while ( abs(z) < 2 ) do
  {
  z := z^2 + c
  }

If this piece of code stops, then, for the given value of C, C does NOT belong to the Mandelbrot set.  If the code doesn't stop, then C belongs to the Mandelbrot set, but we will never find out !

The trick is that, apart from running the code for hours, days, years, centuries, there's NO WAY to find out if the code is going to stop or not.  And it is only a few lines !

We know mathematical properties of the Mandelbrot set, and because of those properties, we CAN conclude that certain values of C will be such that the code will never stop ; we can also conclude that for certain other values of C, the code WILL stop, and for others, when we enter the "hairy" part, we simply can't say in advance. 

In order to have an approximation to the Mandelbrot set, we apply a "gas limit".  We say that if the code ran for more than, say, an hour, it will "most probably not diverge".  But this is in fact making some errors.  There are points on the Mandelbrot set that diverge *arbitrary late*.  Some will run for an hour before crossing the abs(z) < 2 limit.  Others, a day.  And some points, a million years.

So essentially, the Mandelbrot set is NOT CALCULABLE.

If we were to have a universal solution to the Halting problem (which can be mathematically demonstrated not to exist), then this solution would give us directly the answer to the Mandelbrot set.  We put in the value of C under scrutiny, and apply the universal test to decide whether the program stops or not.

This demonstrates that even very small programs, well written, in Turing complete languages cannot be demonstrated to stop or not.  If a program doesn't stop, it has an "infinite state tree".  You cannot analyse all outcomes.  It can generate an infinite amount of pseudo-entropy.  SO YOU CANNOT VERIFY EVERY CASE IT WILL BE IN, because it is a potentially infinite list.

But of course, another program:

set n = 0;
while (n < 100) do
  {
  n := n^2 + 1;
  }

with natural numbers, this time, will provably stop.  So for SOME programs, you can prove that they stop, and analyse their state tree.

However, the problem with smart contracts is that the contract is given, and hence to be considered as an "arbitrary piece of code".  You can hence not hope to ever develop a tool that will analyse any given existing contract and tell you exactly in what different states it will come out ; what the different possible outcomes are.  For some, you can do so, but not for any given one.

Imagine I put some Mandelbrot-like calculation in a contract, applied to a piece of address.  Whether an address will pass or not will depend on that address, and the gas limit applied.

With non-Turing complete instruction sets, these problems don't appear, and it IS possible to have full state tree mappings automatically from a random piece of code.

As it is essential, in a contract, to "understand all possible cases", it must hence be possible to LIST all possible cases given an arbitrary contract.  And this is only possible if the instruction set is non-Turing complete.

So it is a very, very bad idea to have a Turing complete instruction set (byte code) to write smart contracts.

That's also how I understood it.  This is why you can trust a trusted setup, if you are part of the setup !
For that, you have to have:
1) a medical certificate testifying that you are not schizophrenic and that you can trust yourself
2) being sure that you are part of the setup
3) be sure that you didn't give out your secret part

In other words, you have to have a way to verify that the published setup has actually used your contribution.  I don't know if this can be tested independently, but there is one thing that does work: if you have the public contributions of every contributor, then you can run the "compilation" yourself, and verify that it generates indeed, the published public setup.

It is indeed true that it is sufficient that ONE contributor has not given his part of the golden key (his random number/secret key) to the others to be sure that the golden key has not been generated.  So if YOU are part of it, and you can trust yourself that you didn't give your key, then you know that the trusted setup can be trusted. 

The subtle thing is probably that you are to be sure that that little piece of data has not left your computer.  So you have in some way to be totally master of the software that did the generation.  Best is to have the source code, and verify that it doesn't do any sending, but just a calculation on a console, and do this on an airgapped computer which is physically destroyed (or kept switched off in a safe, the day you want to be part of the conspiration that will have the golden key) once you copied the public results on a piece of paper.


If you are part of the trusted setup, you can trust it.

And if thousands of people are part of it, in the end, that comes down to "the market".  In crypto, you have to trust the market.  If ALL bitcoin holders except you decide that bitcoin has no value any more, then it doesn't matter that the protocol is well implemented.  It is worth zero.  So at a certain point, using a cryptoCURRENCY, you have to trust a market.  If the trusted setup is set up with so many people that they are a serious part of the market, and if you could have been potentially part of it, then I think you can trust it enough.
But best is to be part of it.

The anonymity really works very, very well then    No Such Agency kind of thing 

Then, setting up a system of smart contracts, with *unstoppable code* looks like, eh, a very, very stupid idea, no ?  But if it is normal that "many more dapps will fail" and that this is in the nature of a dapp, and hence is part of the risk assumed when "investing" in a DAPP, why the hell did ETC fork into ETH over this ?

Because if it is in the nature for unstoppable dapps to fail and hence benefit those that exploit those failures, why didn't the DAO holders undergo the price of their risk, and why didn't the DAO hacker get its well-earned reward ?  And more: will ETH now fork over every failing DAPP, or did the DAO users get an unfair privilege that will be denied to the many other losers of failing dapps that you announce ?

Wasn't ripping the DAO hacker of his earned money, to reward the investors in risky things that turned out sour, not a HUGE form of not only injustice, but also of moral hazard ?

Because if ETC hadn't forked into ETH, and the DAO holders were left totally stripped of their money, wouldn't that have reflected much better the reality you announce above that "still many more dapps will fail, and very few will actually work perfectly as intended", and as such have been the HONEST market signal, rather than covering up the books and pretending that all this never happened, which is what the fork was all about ?

How honest is covering up a failure in the market ?