Firstly I don't find any relevance in speculating what will happen in a few decades from now. The block bonus will stay above 12.5 BTC for the next decade, and it's entirely possible that bitcoin will run it's course during this decade and fail for unrelated reasons. This is the internet after all. I've expressed my doubts that the "mine for fee" model is sound from a game-theoretical perspective: it seems the users are incentivized to pay a fee as small as possible (maybe 1 satoshi) since there's no way miners can differentiate on the market.

For the purpose of our discussion, in the foreseeable future and without massive growth of the number of transactions, the main motivation of the miners is the block bonus. At current prices the block bonus is over 500$/block and all other things equal it should maintain that $ value even if it drops to 12.5BTC: the miners that don't hoard are the main source of liquidity and if they inject less BTC the price will rise proportionally. So in order to rent 50% of the network you need to pay at least 1500$/h

Secondly, you assume you will be able to amass this hashing power surreptitiously and use it repeatedly without being detected. That's not realistic. Honest miners are unlikely to rent you the hashpower since it's obvious why you needed it. Furthermore, if the average player is small, you will incur a high price in contacting many of them, and you will need to pay way above market rates to attract them. You will need to advertise and attract further suspicion upon yourself. It seems highly unlikely that your criminal endeavor reach the same economy of scale and efficiency the open network has. You will either build your own hardware, a capital intensive task, or buy it off the black market at very high prices in order to maintain discretion, from a handful of players (Large conspiracies inevitably fail). An hour of 50% hashpower will then cost maybe 150.000$, not 1500$

Assuming you finally get to 50%, using it for a whole day will quickly attract the suspicion of the community. It's not reasonable to expect to use it more than a few times without crashing the bitcoin price and halting most bitcoin trades. You can't double spend a few bitcoins many times, you need to double spend many bitcoins a few times in order to recover your fixed costs, and before your attack tanks the exchange rate due to panic.


Assuming you manage to do all of the above and successfully double spend 1 million $ in BTC, the fraud becomes apparent quickly. If you buy a large house you will get caught and be indicted, I have no doubt about that. You need to launder the money quickly and maintain anonymity to pull a double spend. I believe it's much more effective to simply short the market and attack the network directly, assuming you have 50% hash rate (borrow BTC and sell out, then buy back in at pennies, no need be anonymous, just make sure the attack can't be traced back to you).

I was referring to the specific attack described in the paper, rewriting history from block one and assigning to yourself all bitcoins, which is clearly a stupid way to steal bitcoins - they instantly become worthless.
Regarding merely double spending your bitcoins that's even less of a concern: you still need to amass millions of dollars worth of hardware and millions dollars worth of bitcoins - so that you can double spend them a few times and recover your hardware costs. It also means you need to find a trading partner willing to sell you millions of dollars worth of merchandise for bitcoins, and do so in an anonymous fashion preferably over the internet so as to not get caught. Good luck with that plan.

The temporary mining revenue of 50 BTC/block and later 25 or 12.5 BTC will be worth much more if the bitcoin network is regularly used for multi-million dollar transactions as opposed to buying a few grams of hash or an alpaca sock.

This is all reason why profit-oriented attackers are implausible, or at least their profit will be derived from the failure of bitcoins: speculators, governments, banks etc.

The Bitcoin eligible voters are not "the majority of computing power in existence" because computing power is not a fungible, homogeneous substance. You can easily see a 10^4 performance ratio on specialized versus commodity hardware (ASIC vs CPU), so that the Bitcoin network becomes impervious to attack if it makes up only 0.01% of the "computing power of the world" as expressed in transistors*Hz. Rather, Bitcoin, like most other currencies  in the world, is up against any adversary more financially powerful than it's backers (the miners). So if you are willing to invest more than the compounded mining profit, you can take the majority vote and influence consensus, by expanding the computing power of the world in the form of efficient mining machines.

It's pretty clear that rewriting the history is not equivalent with stealing everybody's money, rather it means destroying the system and making the coins worthless, so the likely attackers will not be profit-motivated by any definition of profit expressed in bitcoins. We could talk about governments, banks, competing currencies, lulz etc. It's only a matter of speculation if an attacker likely to act in such a manner exists. Furthermore, as the network expands the window of opportunity closes to exclude small scale lulz-motivated attackers, and allow only governments or large corporations. The hashing power of the network already surpasses what could be accomplished by ~10 million commodity PCs, excluding even the largest botnets as worthy attackers.

Really, resources can be stretched indefinitely without limit ? And the technology to do it will spontaneously emerge when conjured by the high prices in the market ? Let me tell you a little story.

Atlas lives on an libertarian island in the middle of the ocean and he's very good at agriculture. So good that he eventually bankrupts every other grower with his superior productions to the point that he comes to own 80% of the arable land. Enabled by the low food price, the population of the island increases to highest historical values. Atlas lives a long and successful life and is well respected by his fellow islander, but one day he passes away.

Atlas` son, who is a sociopath, is now in charge. He decides to stop production, and deprive the market of 80% of the food production. All within his rights as the owner of the private land.

How can the islanders avoid a Malthusian catastrophe and the death of a large number of people ? They are a primitive society without intercontinental navigation, hydroponics, chemistry, genetics. Sure, those things would enable superior production if available, but how can the primitive society solve these problems while threatened with imminent starvation ?

In a normal society the people will resort to physical violence and regain the natural ownership over scarce land. To deny that natural right is to sentence the people to starvation. Tha fact that Malthusian catastrophes do take place both in the animal and in the human world proves that resources don't actually stretch indefinitely.

A fast enough technical evolution might enable that (it did up to now for humanity as a whole), but there's no guarantee it will happen. It's just wishful thinking to believe eliminating patents will enable arbitrary scientifically progress. In fact humanity it's accelerating towards an ecological catastrophe.

I recommend a work by a bubble-expert: BUBBLES AND HOW TO SURVIVE THEM by JOHN P. CALVERLEY

Available here.

According to his checklist, I would rate Bitcoin about 6/9. You can recognize many of the mantras of the Bitcoin community in his write-up.


RAPIDLY RISING PRICES
First of all, a bubble obviously involves a period of rapidly rising prices. However, a strong rise in prices in itself does not necessarily imply a bubble, because prices may start from undervalued levels. So we should only start to suspect a bubble if valuations have moved well above historical averages, on indicators such as the price–earnings ratio for stocks or the house price–salaries ratio for housing. The extent of this overvaluation probably gives us the best clue as to the exact probability of a bubble. For example, the US stock bubble in the 1990s took the price–earnings ratio on operating earnings (which excludes one-off factors) to over 30 times, well above the long-term average of about 14–16 times.

OVERVALUATION
The issue of valuation is contentious, with many people arguing that we can never be sure that a market is really overvalued. I disagree and believe that we can identify ranges for valuations that are more or less reasonable, such that if a market goes above them, we can say that there is at least a high probability that it is a bubble. Further evidence can then be sought in other characteristics.

ECONOMIC UPSWING
Typically bubbles develop after several years of solid, encouraging economic growth and rising confidence. The traumas of past recessions and bubble crises (at least in the same market) have faded away. For example, the US 1990s stock market bubble came in the last three years of a nine-year economic expansion and following fifteen years of a relatively strong stock market. And the Asian property and stock market bubbles that burst in 1997–8 came after over a decade of breakneck expansion, which had become known as the Asian Miracle.
The current housing bubbles are a little different in that they have inflated at the same time as the collapse of the stock bubble. However, they come 10 years or more after the last housing bubble burst in the early 1990s and they are partly the result of the low interest rates put in place to fight the effects of the bursting of the stock bubble. Moreover, the most intense housing bubbles currently are in Australia, the UK, and Spain, three of only a handful of major countries that avoided a recession during 2000–3.

NEW ELEMENT
As noted earlier, another typical characteristic of a bubble is a new development or change in the economy that can reasonably justify higher prices. In the 1990s it was computers and networking technology and, more broadly, the apparent sharp acceleration in US productivity growth that led to much talk of a “new economy.” In the 1980s in Japan it was the perception that the Japanese economic model, with all its panoply of “just-in-time” inventory management, worker involvement, and “total quality control,” was going to dominate the world. Current housing bubbles in the UK and Australia are often linked to increased immigration.


PARADIGM SHIFT
There is often the perception of a “paradigm shift” and this is usually argued energetically by some leading opinion formers. We shall see later that people seem to have an innate tendency to believe (or want to believe) that current events are entirely different from any episodes in the past. This is a natural characteristic of younger people especially and certainly the 1990s internet boom was very much led by young people. But of course, some people have a vested interest in arguing that “it is different this time”—especially brokers, fund managers, and real estate agents.
I do not for one moment want to sound like someone who has seen it all before and believes that nothing is new under the sun. Economic performance and market behavior do change over time and periods of strong performance and weak performance can persist for a long time, often decades or more. Nevertheless, it is dangerous to extrapolate this into justifying very high valuations, at least without serious caveats.
Even if higher valuations in a market can be justified by fundamental changes in performance, we should expect this to be a one-off move, not a shift to permanently faster price increases. For example, faster growth of profits would justify higher valuations, but once valuations have moved a step higher, stock price gains should then slow down to the rate of growth of profits. It is unrealistic to expect valuation multiples to expand further. The same goes for house prices. If a higher house price–earnings ratio really is justified now, as many people argue, once the step higher has been made house price growth should return to the growth rate of earnings.
The US 1990s experience is interesting in this regard. The acceleration in productivity growth in the 1990s, part of the paradigm shift that accompanied the bubble, continues to be reaffirmed. US productivity growth since 2000—that is, after the bubble—has averaged 4 percent a year, a very high rate. Similarly, the new technologies continue to permeate the economy in ways that many of the new economy enthusiasts correctly predicted. But during the bubble a crucial point was forgotten: Faster productivity growth does not mean higher profitability in the long run. At first it brings higher profits, but this then brings more investment, more competition, and, eventually, lower prices so that the gains flow through to increased real incomes. Profits fall back to normal levels because in a market economy companies cannot hold onto them in the long run.

NEW INVESTORS AND ENTREPRENEURS
Returning to the checklist, a regular feature of bubbles is that new investors are typically drawn in, people who had not invested at all before or had been only very passive players. They are persuaded by the bulls’ arguments and also by the continuing rise in the market. Often they are assisted by the emergence of new entrepreneurs, for example those offering new investment vehicles, like the internet offerings in the late 1990s or the buy-to-let funds in Britain and Australia in recent years

POPULAR AND MEDIA INTEREST
Popular interest in the market becomes intense and this is reflected in greatly increased media coverage. Some stories emphasize the “wow” factor, as big rises in markets make people rich overnight. During stock bubbles, media stories may be tinged with envy for the lucky few, or even hostility toward “speculators.” In the case of housing markets, where often a majority of readers will be gainers, the emotional hook may be glee at the good news. A subtext may be that the reader too can get rich and some coverage will put the emphasis on how to join the party, for example providing information on stock funds or on mortgages and property investment.
Another type of media story will focus on the risk that the market is in a bubble, warning of trouble and usually critical of speculators and, sometimes, of the authorities for allowing it. There are nearly always some commentators who forecast the demise of the bubble. For example, in the late 1990s The Economist and the Financial Times regularly returned to the bubble theme in US stocks. In recent years they have been justifiably pleased with themselves, although too polite to gloat. And they have turned their attention to warning about housing bubbles.

MAJOR RISE IN LENDING
Typically bubbles also involve a significant rise in lending by banks or other lenders. Sometimes this reflects regulatory or structural changes in lending practices and often it involves new entrants to the market.
The housing bubbles in the UK and Scandinavia in the 1980s followed the liberalization of banking systems, which allowed banks to lend far more freely than in the past. Debt tends to rise and the household savings rate tends to fall. Behind all this is often what I would characterize as a relaxed monetary policy. Sometimes this is evident from a rapid rise in money growth. Probably more important, though, is the rate of credit growth; that is, the increase in debt (related to but not identical to the rate of money growth). Sometimes too it can be seen in the level of real interest rates in the economy, which may look unusually low.

STRONG EXCHANGE RATE
A final characteristic of most bubbles is a strong exchange rate or, if the currency is fixed, an inflow of resources. During the bubble money flows into the country, either attracted by the booming asset or drawn in by the strength of the accompanying economic boom. The strong currencythen leads to trade and current account deficits. Indeed, that is the “purpose” in a sense, so that there can be a net capital inflow, by definition equal to the current account deficit.

Not all of the items on the checklist are present in every bubble. Ultimately, deciding whether a particular market boom is really a bubble is a matter of judgment, based on the number of characteristics present and how extreme they have become. If we think back to the internet bubble of the late 1990s, it should have been clear to all at the end of 1999 and the beginning of 2000 that this was a bubble. But by then the bubble was nearing the peak, with the US NASDAQ index rising from about 2,800 at the beginning of October 1999 to its peak of just over 5,000 six months later. It dropped back through the 2,800 level in December 2000 and went to a low of about 1,200 in 2002, the same level as 1996; see Chart 1.2. Ideally we would have identified a high degree of bubble risk
as early as the middle of 1998 and some degree of risk also in 1997.

That's why I said "given the choice". Suppose you are the supermarket, they accept both USD and BTC, and you have a portable BTC e-wallet and some dollar bills. After the novelty wears out, rational people will not pay with BTC. And this is why you will never be able to pay groceries in BTC. Deflation destroys trade.

A divisible and fungible asset like a currency can never be "too valuable to spend", since by definition you get the value of the amount you spend. By virtue of comparative advantage, from your point of view it's at most as valuable as the things you decide to buy.

What interferes with the spend decision of the holders are those pesky deflationary expectations everybody rants about, and that somehow "don't apply" to bitcoin. If an asset is expected to rise, people will hoard it given the choice. It's only human to aim for realizing the gains of your most productive assets. You will always slaughter the old cow, not the gestating one.

For a non-productive asset like bitcoin the expectations are purely speculative (if they were technical the efficient market would have corrected the price up). So the correct title of the thread is Bitcoin too hyped to spend: captures both the deflationary aspect and the speculative mania aspect.

Gresham's law does not apply because the government does not force a certain $/BTC parity (or anybody else for that matter).



I believe the time scale is to small to actually see a direct correlation between the ~0% M1 increase in 2006-2007 and the inflation in those years. Just like deflationary expectations, there are inflationary expectations. People expect to have their paychecks increased yearly, and this eventually goes into the price of goods and services, regardless if no more currency was injected into the market. I think our old friend Milton would say that inflation is always a monetary phenomenon and if printing stops, so will inflation, eventually. So the 2007 inflation was made possible by earlier printing.

IMHO the algorithm that makes sense, outlined by Jered should be this:
1. If the newest order has overlapping offers in the book, than those should be matched, best first
2. If not, it's added to the order book
(the book, by definition, has no overlap; if it somehow shows overlap, orders should be matched at the single price that eliminates overlap)

So the decision should always favor the newest order, on the principle that the current order book is a fair representation of the market state; whoever is bidding against the market is either making a mistake or acting on erroneous information, so he should be protected against his folly.

A bellow-market order means 'give me the best price, now' and the exchange should interpret it in this manner since it's generating volume and business (standing orders don't). Also, a match close to the 'real' market value maximizes the fee earned from both the seller and the buyer.

What they really need is layered security:
 - a distinct authentication machine that is accessible via a narrow API; no "select * from users" !
 - a distinct trading machine that takes in trading requests, responsible for making the market and tracks the BTC/$ ownership of every user in the system; narrow API: enter buy and sell orders, receive callbacks when they are completed
 - distinct withdrawal machines that make actual bank and bitcoin transactions
 - a front-end machine that runs the PHP interface and is responsible for the user interface

Each interface is logged and monitored, and does not allow someone who attacks the front-end machine to access the rest of the system. The backend machines are firewalled and not accessible by other means than the narrowly defined interface.

As long as they are using a single system running a home-brewed PHP + Mysql application, parametrized queries will not prevent the next breakin.

Your definition is wrong. Fiat money is the rational choice of democratic societies (*. Democracy does not require the use force, take for example consensus. Therefore, fiat money is not imposed by force.
If I and my beer buddies agree to settle our drinking debt by marking it in a notebook, we've just created a rudimentary form of fiat. No force required. The notebook has no intrinsic value and is not a binding contract, yet the full faith of the participants give it value.

(* that is, if your renounce 100 year old economic fallacies, and come to accept mainstream economics; I have't expanded on this point and don't intend to in this thread.




So by connecting the two quotes, you are agreeing with what I said all along, that using a currency for tax purposes does not give it value.

Using miners as heaters is pretty insightful. Sadly it can't work in real life. At 60 centigrade internal temperature the GPUs fry, and waste heat from coiling them is probably 40-45 degrees at most. That's not really very useful for heating, maybe only if you blow the heated air directly into the rooms. Electric heating is also very expensive, and is often employed in a heat pump configuration that uses electricity to drive a motor (mechanical work), and achieves much better efficiency than simple Joule heating. It's also not needed year-round.

While we fixate on electricity as the main waste for Bitcoin, in reality the capital costs of designing and manufacturing rigs will be quite high. Allot of resources will go into manufacturing, with the associated environment impact. Electronics manufacture requires rare, pure, toxic substances, precision industrial machinery, world wide shipping etc. If Moore's law holds for mining bitcoins, the old hardware might be tossed before it has a chance to equal the environmental footprint of it's production. This is certainly the case with consumer electronics.

Democracy is not use of force.
Supply and demand does not give value. Only certain relationships between supply and demand give value.

I guess it depend on whether you believe democracy is a valid way to agree on societal issues. Libertarians and anarcho-capitalists reject democracy as violence, and I don't want to open that old debate. The use of a stable fiat currency sure does seem to correlate well with being a successful society, and in the end people will vote with their feet - and that too is a form of democracy. I hear Somalis put good price and gold these days


Taxation is a process, not an event. If the govt. wants 50% of the potatoes you produce at your ranch, they will get it, and it makes absolutely no difference if those potatoes cost 1 govt monetary unit or 1 billion. Sure, taken in isolation, the act of you selling potatoes and paying tax will create demand. But since throughout history the supply of govt money was always higher than the demand, we can safely conclude that the tax process, the process by which govt derives wealth from the productive society, does not give value to tax money. That's why I'm saying "being acceptable for tax" is an incomplete explanation for the value.

I believe this is an incomplete explanation. In order to survive the government has no use for pieces of paper, it needs to derive wealth and resources from the society  it controls. The government will always trade your taxes for goods and services at least as fast as you can pay them.
Denominating taxes in a specific monetary unit creates supply of that unit, usually oversupply (inflation), not demand. As any good with oversupply the value falls fast, so being acceptable for paying tax does not give value to fiat. If you have goods and services, say denominated in another, better, currency, you can always buy the tax currency on the cheap.

To actually give value to it's currency the government needs to refrain from spending it, it's not enough to require it for taxes.

The full faith of the government, which provides a useful service to the society: a commodity specifically designed to facilitate trade. Fiat money is in theory superior to precious metals and societies should switch to fiat currency naturally, not due to coercion.
As all things related to government, it can go wrong in two main ways:
- democracy fails because access to power is severely limited, say by a closed plutocracy that derives wealth from monetary control
- democracy works but the average voters don't understand economics

In most societies these days a combination of the two problems make fiat money fail to meet it's theoretical potential.

Get a clue. Banks need to account for each $ in their balance sheet. To lend out money they need to either:
- have the money they just lent out earlier return to them via another customer (ex. the previous owner of your mortgaged house), to which they must pay interest
- get it from another bank and pay interest for it; the central bank targets a certain level of this interest, which in US is called Federal Funds rate
- get it from the central bank that will freshly print it for them (discount window/Lombard facility), at an interest higher than the market rate, and requiring good collateral, preventing most banks to make a profit out of it, but useful in case of liquidity crises

The common idea is that they must pay interest to others before they can "print".
As long as you understand that putting your money in the bank means making an investment, and taking risks, FRB are ok. It's only when the government ensures all deposits, remove all risks, and manipulates the credit market to very low interest rates, that the moral hazard starts to happen, bankers turn into banksters, and the economy pops.


Up until recently most of the money printed by the federal reserve went indirectly to the government. Recent bailouts made it about 50-50. In 2011 the fed is accumulating govt. debt like there's no tomorrow. Bankers are evil alright, but it's still your lawfully elected representatives that take the cake.



And the sooner you can participate into the glorious achievement of making a few early adopters very rich. Act swiftly, you might be an early adopter too

You don't get better anonymity than simply transferring your coins to another wallet. If the government is able to trace that your coins were spent by your friend, you can be sure they can also beat your identity out of him.

What you need is a laundry service that operates anonymously, and connects random people of the Internet.

I think I've assumed 100.000 keys per second. With the correction, it costs maybe a few thousand $ to break a 40 bit entropy wallet.


Absolutely not. 8 single case alphanumerics can have at most 41.3 bits of entropy (5.17 bits/char), assuming a perfect random number generator and no inter-symbol memory (i.e something not generated by a human). An average 8 character human-generated password has about 18 bits of entropy, and that after allowing the whole set of 94 printable ASCII characters !

I must insist on this point because it's the main takeaway: users don't choose good passwords. The average PayPal user has about 42 bits of entropy, and the majority of PayPal users have even less.



It follows than that if you can increase the asymptotic hardware cost for the attacker with 2^10 or 2^20, as scrypt allows, you are achieving a great deal: moving from a situation where most passwords are crackable for a few thousand $, to a situation where most passwords need a few million dollars to crack. The same can be achieved by forcing users to chose good passwords, but that's hated by users and requires more implementation effort than just dropping scrypt in the source code.

The same GPUs that are used for mining can be easily reconfigured to attack PKBDF - SHA512 (that EVP_BytesToKey uses). The hacker only needs to rent the mining farm for the duration of the attack.  There will plenty of GPU farms available for rent when ASICs put them out of bussines (indeed, ASICs probably can't be configured to attack another hash).

A single 5970 can try 10.000 keys per second of the 100.000 iteration variety, so it can break a 40 bit entropy password in about 100 days. If you can rent a 5970 for a few $/day, than you can break many wallets for a few hundred dollars each. You know from the start what wallet is worth cracking from those you managed to stole, since the public key thus the amount enclosed are stored in plain text. It would be cost effective to crack allinvain's wallet even if he uses a 50bit entropy password, which let's face it not many users do.

Regarding scrypt being too young, from what I've seen in the code it still employs PKBDF2 before and and after the the memory-hard part. So even if it fails at being memory-hard, it will not compromise the password, it will be at least as secure as the current scheme.

FFS, don't gox your own password derivation scheme, especially not one with a fixed difficulty, especially one that the current miners can attack (low asymptotic hardware cost).

Password derivation is a well studied field, please tell me Pieter why would you favor this solution over scrypt ?
http://www.tarsnap.com/scrypt.html