Sorry I had it phrased as a sentence. 

Is it correct that bitcoind will always exhaust the keypool and not refill it under any circumstances when it has an encrypted and locked wallet?
Is is correct that bitcoind will always return an error when requesting a new address when the keypool is exhausted and can't be refilled?

Essentially the security (against lost) of funds depend on those two conditions always being true.  

For a standard node you are right there likely is very little use to store the full blocks in a database.  For efficiency full nodes generally just validate the block, store the header, and use the block to update the UXTO. In essence using full blocks just to build the UXTO.  Full nodes normally never need the historical blockchain except to build the UXTO in a trustless manner.  For most nodes a flat file is more than sufficient and this why the reference client does just that.

However I think it IS useful as a development platform to parse and store the blockchain in a database.  This is useful to building higher level tools for analysis.  I imagine that is how sites like blockexplorer and blockchain.info work. 

Maybe we are speaking of different things but doesn't ECDSA allow creating a composite key by simply adding the two private keys together.   The signature (which would be the same size as the individual keys) can be verified by completing the same ECC arithmetic on the public keys.  For example say a hypothetical transaction (not in Bitcoin network and not necessarily in the same format) has the following information in the transaction.  At this point the format/structure isn't really important.

Transaction Body:
Version
NumInputs
ArrayOfInputs[]
NumOutputs
ArrayOfOutputs[]

Each Input is in the following format:
PrevTxHash
PrevTxIndex
PubKey

So far this is very similar to Bitcoin however there are no scripts in the tx inputs.  Each input simply consists of the information necessary to identify and authenticate it (tx id, index, and public key).  At this point lets ignore the format of the outputs as it isn't particularly important for this discussion.  Now unlike Bitcoin where each input has a signature (the simplified tx is signed w/ private key corresponding to the pubkey listed for the input) could we instead have a single signature for the entire transaction.  Also lets ignore coinbase/generation tx for the moment.

So for a transaction with more than one public key in the inputs we first create a composite key by performing ECC arithmetic.  Lets call the composite key the tx key.  We would take a list of the inputs, remove the duplicate private keys and create the tx key by adding the private keys together.

tx.privkey = privkey[0] + privkey[1] + ... privkey[2]

Then we sign the entire tx once with the tx key.    The single tx signature would be appended to the tx.

Version
NumInputs
ArrayOfInputs[]
NumOutputs
ArrayOfOutputs[]
Signature


To validate we would take the list of inputs, remove duplicate pubkeys, and create a composite in the same manner as the privkeys.

tx.pubkey = pubkey[0] + pubkey[1] + ... pubkey[2]

The tx (composite) pubkey will validate the signature created by the tx (composite) privkey.

This method would be more limiting than the Bitcoin script system however it would (with a few other changes) result in an up to 50% savings in terms of bandwidth and storage requirements.  The computing power requirements should be roughly the same.  Given that over 99%+ of the transactions to date on the Bitcoin network are "standard" pay to pubkeyhash we are sizable savings.  With the use of versioning other more advanced tx would still be possible so it would be possible for an alternative crypto-currency to have the best of both worlds.  For "simple" transactions a significant reduction in resource requirements while still having the ability to create more complex transactions.

Is there any security risk to a format like this?  Any reduction in key strength?  I can't seem to find anything that would indicate it is the case but this really isn't my area of expertise.


I assume by "compose" you mean ECC addition of the private keys (as well as a separate ECC addition of the pubkeys). Right?  I agree there is a need for public key for each input to validate the signature however the signature is significantly larger.  For Bitcoin the pubkey is 34 bytes for compressed pubkey (66 bytes for uncompressed pubkeys).  An alternative CC could simply mandate the use of compressed public keys in the protocol.  The signature is 72 bytes.

Bitcoin Tx Input Format
TxOutHash - 32 bytes
TxOutIndex - 4 bytes
ScriptLength - variable (1-9 bytes, 1 most common)
Signature - 72 bytes (including encoding)
PubKey - 34 bytes (compressed keys)
Sequence - 4 bytes
Total: 147 bytes (Signature is 48% of Input size)


Agreed.


Interesting.  Can you provide information or reference on public key recovery?


I read this a couple of times and still couldn't conceptualize how hash tree in transaction would add security.  I bookmarked it though.

If you are a casual user unable to keep the client online why not just use a SPV client.  You aren't contributing to the decentralization of the network if your node has an uptime of ~3%.

Well since we have covered everything except the question in the OP I am going to assume there is no flaw in the work around logic.

From the getinfo() RPC Call


The "keypoolsize" reflects the current number of keys in the keypool not the desired size.

You can verify this with the following sequence:
walletlock()
getinfo()
getnewaddress()
getinfo()
getnewaddress()
getinfo()
walletpassphrase()
getinfo

The user was registered at the time they created the post however since then at some point for some reason the user's account was deleted.  When that happens all posts created by the user are assigned to "Anonymous guest".

Goldenblocks are identical to superblocks in everything but name.  The code used to generate them is almost identical to LuckyCoin which was released two months ago and is dead/dying at this point.


First golden block wasn't a great idea so likely your next great idea won't be a great idea either however you can't encrypt source code.  You could release the client as a closed source binary but nobody with half a brain would install a closed source program on a computer.  For all they know you "great idea" is to record keystrokes and steal any other coin's wallet on the computer.


Yeah because you wrote your coin from scratch.  Er wait you didn't it was 99% copied from Litecoin which was 99% copied from Bitcoin.  You wouldn't even have a coin (as crappy and short lived as it will be) without the power of open source projects.

The MIT license does allow you to release as closed source however it is a dead end.  Of course you never listen to anyone so go ahead and release the updated client as a restrictive license.

This would be an incompatible break, and I harbor no illusions it would ever be used for Bitcoin.  Lets consider this mostly theoretical possibly for some future altcoin.  The transaction structure would not necessarily need or be the same.  You can assume the d is the same for all inputs.  One method would be that the entire tx is signed (all inputs, all outputs) but the exact structure is not that important.

Doing a little more research I believe it is possible to use elliptic-curve arithmetic to add the private keys together to create a "master" private key for signing and this master private key can be verified by adding the public keys together to form a master public key.

I was going to do some testing with OpenSSL but I need some sleep.

If your coins are at MtGox (or anywhere you don't have the private key) then you don't have ANY Bitcoins.   MtGox has your Bitcoins and MtGox has given you an IOU which you can see on your account page.  If MtGox disapears, gets sued into oblivion, gets hacked, has their servers seized by the Japanese govt, etc then THEIR coins are gone and the IOU is worthless.

Now for some people this risk is acceptable only you can decide.  If having an IOU from a company you know almost nothing about on the other side of the planet where if they don't pay you have almost no recourse to recover your funds "good enough"?  If yes then sure you don't need a wallet.

It is comments like this which make you lose all credibility.  Despite how poorly your coin launched.  How would people have coins ... I don't know maybe they mined them?  Kinda weird that the "miner's coin" would have miners who have coins.  I just deleted the rest of your comment because if you took even the slightest bit of time or effort to educate yourself you would know it is impossible and not need make stupid accusations.

What 3rd party server.  I run my own node and will be able to for at least a century at this rate in blockchain growth.

Bitcoin signs each of the inputs for tx with a separate signature.  This adds significant size to the overall transaction size. The size of the most common Bitcoin tx can be computed as the following:

Size (in bytes) = 10+147*NumIn+34*NumOut

This applies to tx with standard outputs, scripts of less than 256 bytes each, and all inputs use compressed public keys.  If the public key for the input is uncompressed the size is 32 bytes larger.

The largest portion of a balanced (number of inputs and outputs are equal) comes from the input portion and the largest component of the input is the signature which is 72 bytes with encoding.  If we assume the average tx consists of two inputs and two outputs that makes the average tx size 368 bytes.  Roughly 39% of that or 144 bytes is from the two signatures for the two inputs.  However a tx is only valid if all the signatures are valid.

Is it necessary to store each signature separately?
Is there some ECDSA operation which could allow verification that data was signed by multiple private keys with a single signature and multiple public keys?

Given:
private keys a & b
Public keys A & B
Data to be signed d

Is it possible to create a signature S such that it can be verified given only A, B, and d?

Satoshi believed from day 1 that not every user would maintain a full node.  That is why his paper includes a section on SPV.  Decentralized doesn't have to mean every single human on the planet is an equal peer in a network covering all transactions for the human race.   tens of thousands or hundreds of thousands of nodes in a network used by millions or tens of millions provides sufficient decentralization that attacks to limit or exploit the network becomes infeasible.

UXTO ~0.24 GB and growing linearly by about 0.1 GB per year.

Seeing as my workstation has 16GB of RAM and 3TB of storage I will probably need to upgrade my system by the year 2130.  I put it on my google calender.

Nonsense.  If 6GH/s rig would be profitable then buying 10x 6GH/s rig would be equally profitable or renting a small amount of commercial space and buying 1000x 6GH/s rigs.  CPU and GPU rigs are constrained by the cludginess of trying to scale out.  Rigs which communicate with a host over USB lack any such constraint.

Either way the network is going to grow to where it is barely break even for new hardware (including electrical cost) from there it is only going to grow if/when either the exchange rate rises or more efficient devices are produced.

Nobody said it it is all clumped one end however as pointed out even w/ 1 trillion ASIC address generation machines, each producing (and checking) 1 trillion addresses per second all running non stop for the next 1000 years AND all Bitcoins are evenly divided into the maximum possible addresses with 1 Satoshi each the odds that any machine will find any collision with  funded address in less than 1% in the next 1,000 years.

Sure all public key cryptography is based on "odds".  You could in theory generate a private key in ONE ATTEMPT that matches the one used by google and produce a fake gmail site which validates SSL properly.  However the odds are vanishingly small.  The same thing applies to Bitcoin address collisions.

The odds of anyone finding any collision via brute force in their lifetime is essentially 0%.

Depends on how unrealistic you think Bitcoin will "take off".  The entire planet uses ~$4 trillion USD worth of currency, if we included demand deposits (M1) that number is still only ~$19T.  If Bitcoin replaced all other forms of currency (and demand deposits) on the planet (likely requiring some many wars to force the last of the resistant to bend to the Bitcoin overlord government) 1 Bitcoin would be worth ~$904,000 USD (in 2012 dollars purchasing power) and 1 satoshi would be worth ~0.9 US cents (2012 dollars purchasing power).  I think as unrealistic as this is (and the every address holds only 1 satoshi) we can consider them the theoretical upper bound.

http://www.bullionbullscanada.com/guest-commentary/dollardaze/5640-growth-of-global-money-supply


Even the M3 is only ~$60T.  This is not an apples to apples comparison because it includes non-currency financial accounts but lets say Bitcoin replaces those as well (there is no good reason just giving you the benefit of the doubt).  Even then 1 S would be worth about 3 US cents (2012 dollars purchasing power).  All private wealth on the planet is ~$135T that isn't even remotely close to currency including everything from real estate, to equity in companies, to debt ownership, to tangible goods (cars, planes, fine art, etc).  Still even if for reasons that escape comprehension the Bitcoin money supply was greater than all wealth on the planet we are still talking about 1 Satoshi is ~ 7 US cents.  The idea that a satoshi would ever represent a significant amount of wealth is just silly. 

This.  Also even if we look at addresses with a trivial amount of funds there is an upper limit at the number of funded addresses @ 2.1x10^15 addresses.  That would be the rediculous scenario of all Bitcoins mined, all of them in a seperate address holding one satoshi each and the attacker owns none of them. 

Still for the sake of argument 2.1x10^15 addresses in use.  Compared to 2^160 (1.5x10^48) it is a negligible number.  Say 5th of november's trillion addresses per second ASIC did exist and say a trillion idiots bought one and they all ran their machines for the next thousand years.  There is still a less than 1% chance that a single collision worth 1 satoshi would occur.

If collissions do occur it won't be because someone brute forces the addresses it will be because of an as of yet undiscovered flaw in ECDSA or one of the hashing algorithms which allow attacks at many dozens of magnitudes faster than brute force.

Not sure if it is done here but any future expense over time can be expressed as a net present value.