It could be even much easier.  You send your contracts, and all funds, to VB by e-mail (or wire transfer), and he publishes his decisions on his web site.

Trump himself  , or his wife ?
 

Then this whole crypto thing is totally useless, no ?  Why bother ?  From the moment there is a King, a Keymaster of God, or a God himself, he can decide what's right and what's wrong, and we need no block chain, only God's signature.  Much easier, no ?

Eh, my previous post told you exactly why.   If you can scam people and in the end you run off with a few million $, then I would say that you've done great, and I think you would think so too of yourself.

The funnier thing is that it was so easy.

As far as I understood it, no.  The public block chain only contains hashes of transactions that are never made public themselves on the chain, but are simply transmitted as a file from payer to payee as a growing individual private chain.  But if you're not in the list of payer-payee along a coin, you normally never get to see this list.  Only nonsense-like hashes from pieces of this growing chain are publicly published on the common block chain.
These hashes are meaningless, and cannot be verified, by people apart from those having access to the private file that is only transmitted from payer to payee.  Once you've given out the file, as payer, to a payee, you can't understand the future of that file either.

Of course, nothing stops a future payee to publish somewhere, say, on a bulletin board, the whole file he got up to that point, which would render the entire history of that particular coin public and would make the relevant hashes on the block chain verifiable.  But then, as it is a single list, the pseudonymous addresses occurring there - as far as one uses unique addresses - cannot be linked to any identity elsewhere either.  In the case of a linear list, pseudonymity is in fact anonymity.

Eh, what's wrong with that ?  Human relations in general, and business relations in particular, are like this, no ?  The idea is that you rip off the other one, right ?  You may simply be amazed at the ease by which this is done, but there's nothing particularly strange about trying, no ?  Isn't that the essence of business ?

I think that VB finally realized (or realized from the start, and this whole mockery was one big, big scam) that exploit-free Turing complete smart contracts are like unicorns: they only exist in fairy tales.
If people knew how to write complex software in Turing complete languages without any bug or exploit, we'd know about it.

VB created "Java on block chain" with 'unstoppable code' and now realizes that this doesn't allow for "pushing security updates", so we need a King or God to stop the act, correct it, and have it run again.  Only a God can do, because if you allow a human to do so, the power will corrupt him.  Or we would need a King, trusted by God.  Like in the old days.  I think that Vitalik sees himself as suitable to be the Keymaster of God.  Like in the old days.

Indeed.  Unstoppable, until the King stops it ; unalterable, until the King alters it.

Like in the old days.  Back to kings and states, privileged that can change the rules versus those mere mortals that have to follow the rules.  Gods, and mortals.

I would agree with you that in a free society, having payments "in the open" is better than allowing for secrecy.  However, we do not live in a free society: there are states everywhere.  States are criminal syndicates that have the monopoly of violence over a territory, and their prime action is to extort people of their production of value, mostly to use that extorted value to buy them more power of violence and extortion.  In most countries, this extortion amounts to grossly half of the value that is created by the people.   You cannot allow to have a new system of payment that is transparent, as this would kill all hopes to hide it from the state syndicate.

Ah, essentially, you mean that the spend proof is in fact nothing else but a "burning transaction".

Ok, it took some time to start understanding it, but I'm starting to see now what you mean (I think).

Correct me if I'm wrong.  The problem that Satoshi faced was to
1) avoid double spending, and for that, it is necessary to have a common, distributed ledger of spending proofs and
2) prove that you have an "original" coin, and not a newly invented one
and the way that Satoshi proposed to solve this was to put *the entire transaction* on the common ledger: you can see when the previous spend happened, and you can trace back each coin to its legit creation.

Indeed is there no way to "transmit a file" where the file is the money, like a bank note, because files can be copied.

What you propose, essentially, is to go back partially to "files are bank notes", and these files are individual transaction histories of the coin.  On the common ledger only needs to be registered the hash of a spending signature.  The "bank note file" itself needs to carry a proof of legit creation (in your proposal, a burning of bitcoin).

That is indeed not a bad idea !   It is of course not very private, in the sense that each individual "bank note" carries with it its entire spending history, but on the other hand, only the people receiving it get that file (and not the entire planet), and because of the linear nature of it, if one uses different signatures for each bank note, there's no "network analysis" that can be performed, so the pseudonymous nature is perfectly anonymous in this case, because no "joins and splits" can happen.

So if I understand correctly, the public block chain is just a "bag of hashes" which cannot be verified or anything by any node or miner.  It is just a block chain of "data".  These data only have meaning for the people receiving "banknote files", which allows them to check the validity of the whole "banknote".  The hashes are in fact nothing else but hashes of "signed transactions", like with bitcoin, except that only the *signature hash* goes on the public block chain, and the actual transaction data remain on the individual banknote file.  Is that the gist ?  In fact, you need, as you say, TWO signatures (or hashes of signatures): one is the transaction signature (including the new beneficiary) and the other is the "spend" signature of simply the previous output.  The first signature (spending signature) makes that you cannot do double spending any more (you have invalidated the file up to the point where you transmit it), and the second signature allows the receiver to have a valid "new address" that he can spend (and only he, because only he has the secret key that goes with it like on bitcoin).

This is indeed a very, very good idea !  Money becomes more "physical" again: it are files !

Now, the question is: how does the mining work ?  Or is this meant as a parasite on top of the bitcoin block chain ?

The thing is, you need to burn a bitcoin to obtain something, irreversibly, that is not a bitcoin at all.  Nobody is going to burn a bitcoin to have a new altcoin.  You would automatically give that altcoin the value of a bitcoin, if you could redeem the whole payment history against a bitcoin again.  But then, what you have constructed, is a *private sidechain* on top of bitcoin.

You "lock up a bitcoin" in the side chain.  The side chain is not public, but is just the private "money file". Any legit owner along the chain can transmit the chain to the next one (as you describe more or less), OR can redeem the bitcoin from the original transaction, and as such, end the side chain.  It is not *entirely* what you propose, but close. 
The redeeming of the bitcoin at the end of the chain is probably somewhat more tricky.

A block chain with superuser access 

I think it must be graved into human genetics to try to become gods once one has tasted the elixir of power.

What is an address ?  e-mail or so ?
How do others checking the block chain know that this private transaction belongs to an address and how do they find out who had send what from which address ?  I think I'm missing something.  If you mean an address on a P2P networks, Kademlia style, then you've undone the anonymity.  Because if the address of the sender is included in the block chain, then, eh, the spending history is just as pseudonymous as bitcoin (your address is associated with all you do).  And it would also mean that your coins are attached to your P2P address private key.

Ok, I didn't quite get what you are proposing then.

Look at the following attack:

I pay you amount X.  Hence I also can calculate the spend proof YOU would have to provide to show that you spent X to someone else.

I can hence post the hash of spending YOUR output to the block chain, which will make it impossible for YOU to spend the money further.

Why would I do that ?  Because if I'm holding still a large amount of BBC coin, the less of it is in circulation, the scarcer it will be and in principle, the higher its price.  In reality, of course, if it is possible for the previous payer to destroy your ownership at any moment, the value will rather plummet.   There may also be another reason why I destroy the money I give you when it is yours: I may not like that our history is transmitted further.  If I kill your money, you won't be spending it and this history will not be transmitted further in principle.

Is my attack valid ?

You are reinventing zerocoin.

There is 1 big resemblance between the way DASH and the way MONERO provide anonymity.  The anonymity in both cases comes from the fact that a genuine transaction to an output A could potentially come from different inputs B, C or D.  This {B, C or D} is what is called the anonymity set (I take 3 elements as an example, it is not 3).  This is different in bitcoin, where an output A comes from an input B.  If you know A, then you know that B paid A.  In monero or in DASH, if you know A, you know that ONE of B, C OR D paid A but you don't know which one.

There are 3 main differences:

1) the anonymity in MONERO is mandatory and automatic, while the anonymity in DASH is an active option you have to take.

2) the anonymity set in DASH are *really spend transactions*, while the anonymity set in Monero consists of *potential* transactions (of which only one is truly happening).

3) the anonymity set in monero is generated by the transmitters' wallet on his own, while th anonymity set in DASH is generated by a trusted party (a masternode) who knows the participants.

It is not because they ask the question that they can know the answer.  Of course you are supposed to declare everything a state can potentially steal, that's why they exist.  There's no way for them to know that you have a private key.  You don't even have to keep it on a computer.  You just have the seed of the wallet somewhere.  Knowing some words is hard to find out.

What is funny, though, is that if they have to give two examples of crypto currencies, bitcoin and monero come to their mind !
That's quite bullish for monero !

Whoops.  Forgot to post. 
Today: ETH: $11.41  ; ETC: $1.47

Sum: $12.88

 

I like this :-)

Indeed, if instead of an expensive business lawyer, you need an expensive Solidity expert to verify your contract, we didn't advance a bit.  The idea of "smart" contracts is that you can easily set up one, it is CLEAR what it can do and will do, and no hassle, it is launched.  If you need a year of testnet validating, 3 independent security audits, and with a hesitating finger you launch it, hoping that the exploits will not be found too soon, a smart contract has lost all its raison d'être.

I think the problem with Ethereum is fundamental, in the sense that the BYTE CODE is Turing complete.  So even if you limit yourself to a subset of Solidity on the source level, the *actual contract* is the byte code running on the VM.  This code is very difficult to analyse, exactly because it has the potential of being Turing complete.  You could limit the instruction set in Solidity to something "provable on the source code level", but that doesn't guarantee that the byte code is going to behave exactly as assumed implicitly by the Solidity description.  The recursion error that occurred in the DAO was on the level of a misunderstood behaviour of a Solidity construct.  You have to check the byte code, and THAT is very very difficult with a Turing-complete instruction set. 
The bitcoin OP code language, although very limited, is much more provable.  I'm sure that one can make tools that give formal proofs of state trees for any bitcoin script (maybe these tools exist already, I don't know).

 

I agree, and the big mistake of ethereum is to have written a software platform, like "java on blockchain" or something, while totally missing the FUNDAMENTAL software engineering problem of smart contracts: NO exploit from day 1 after launch EVER.  Ask any honest software engineer with some experience whether he's willing to bet his children's lives over his ability to write a piece of software in which NO SINGLE EXPLOIT will ever be found, without the possibility of pushing security updates, and he will tell you to f*ck off (or he really doesn't like his kids :-) ).

This is an unheard-of challenge in software engineering.  EVERYTHING should have been designed around that problem in ethereum, and it seems like it was an afterthought.  The very fact of promoting "Turing complete" platform illustrates this.

My idea is that ethereum is fundamentally flawed exactly for that reason, and that re-designing it, this time around provability and security, is a huge hassle if even possible.  Ethereum has been designed around the wrong paradigm (namely "software sophistication made easy" instead of "security and provability").  It is very hard to correct such a fundamental mistake in conception.

As far as I understand, and if I'm wrong, please correct me, the situation is as follows:

On the ETC chain, the DAO still exists, but is essentially drained by hackers using the exploit: the original "first" DAO hacker on one hand, and the infamous RHG / white hat hacker group on the other hand.  So essentially, that ETC DAO is empty of ether, and all the ether has been withdrawn from it through exploits.  

On the ETH chain, the original DAO has never existed, but is replaced by a much simpler "withdrawal" contract, that allows the original contributors to the DAO to extract their original ether contribution.  Many did, and many didn't.

You could still sell the non-withdrawn DAO tokens, but they stand for a certain amount of ether that can be withdrawn from them.  It wouldn't make much sense to sell these tokens: they are just "bags of ether". So there's no reason to trade these things, as they are just "bags of ether".

It depends what you understand by "anonymous".  One should actually read "fungible coins", not "anonymous coins".  If you understand by "anonymous" that "whatever happens, nobody will ever find out that I paid you a sum of money", then this is only partly true, depending on the effort that your enemy and you put into this battle.

However, if by anonymity, one means: "if I pay you with this coin, nobody can know that 20 transactions before, this coin belonged to Jack the Ripper", then yes, monero comes close to that ideal.  If you think about it, it means actually *fungible* coins, just like cash or gold.

Gold is not "guaranteed anonymous", in that one can follow you transporting gold to the other person, take pictures of you when you hand over the gold and so on.  However, one will have a hard time showing that this piece of gold actually belonged to the prime minister of Kazakhstan 2 years ago.  This is the kind of fungible nature that many coins are missing, and which coins like DASH, monero and Zcash try to implement ; calling it "anonymous coins".

It somehow comes together, in the sense that if the money you have, is not traceable to who gave it to you, the person that gave it to you is anonymous (unless you reveal his identity) ; and for sure, the person that paid the person that pays you, is totally unknown and hence anonymous.