I will leave this here:
http://en.wikipedia.org/wiki/D-Wave_Systems#Criticism

Also as Mike points out even if true and even if it could be used to cost effectively break x bit ECDSA keypairs, 128 qubits is insufficient by at least 2 orders of magnitude to break a 256bit ECDSA keypair.   The estimate for researchers (in paper above) is ~6 logical qubits per bit in the keysize of ECDSA.   So 6*256 = 1500 qubits.   Note this is logical qubits.  With only a single physical qubit per logic qubit the amount of error and noise would simply make any results worthless.  A ballpark figure is 12 to 20 physical qubits (to perform error code correction algorithms) per logical qubit is estimated.   So to break 256bit ECDS would require in the ballpark of a single 24,000 physical qubits computer.   A 128 qubit computer could break 2 to 3 bit ECDSA keys.  Then again I could break them with a notepad and a good pencil a lot faster.

If/when massive QC start being built a "simple" interim step would be to make a new address type which uses a larger ECDSA curve.  It would require a hard fork but would remain backwards compatible with existing addresses.  Create a new address standard, give it a new version (first digit of address) and use a 384bit (or even 512bit) ECDSA keypair.    Once the network transistions over users could send funds to these "high security version 2" addresses.

The cost to increase the key size is much smaller than the cost to build increasingly larger QC.  It also has the added bonus that larger QC may simply not be possible (with current tech).  So hypothetically someday it may be possible to break 256bit at high cost but completely impossible to break 384bit one at any cost.  Unlike classical computing you can't combine multiple smaller qubit QC to gain a higher computing power.  They aren't parallel like that.

It is in real terms.  The average annual inflation over prior 30 years was 3.07%.  2.75% - 3.07% =  -0.32% real return.

You don't think the next 30 is going to be less inflation do you?  I mean at this point the best we can hope for would be "only" ~3% inflation.   If we get a period like from 1973 to 1981 in there well ouch. 

http://www.usinflationcalculator.com/inflation/historical-inflation-rates/

As grau pointed out it isn't the number of zeros that matter but the exact target.

For any difficulty the target value can be computed.  They have an inverse relationship.  As difficulty rises the target gets smaller (lower %of hashes will be below the target hence it is "harder" to find a valid hash).

Right now.

The current difficulty is 3370181.7992778
The current target is 00000000000004FA620000000000000000000000000000000000000000000000

So for example a hash beginning with 00000000000005 would be invalid as would a hash beginning with 00000000000004FA63 however a hash beginning with 00000000000003 would be valid despite all three hashes having the same number of zeros.

You example hash is valid because it is smaller than the target

The target for difficulty 1 is:

The smallest hash is:

The largest hash is:

Relationship between difficulty, number of hashes to solve a block, and the target.
You will notice in the range of 0000... to FFFF .... roughly 1 in 2^32 hashes will be below the difficulty 1 target.  It requires roughly 2^32 hashes to find one which is valid at difficulty 1.   Current difficulty is 3370181.7992778 the current target is 3,370,181x smaller than the difficulty 1 target.  On average it will require (2^32) * (3370181.7992778) hashes to find one smaller than the current target.

One thing which could be done but I don't think any miners look for this would be for the repient to include a fee in the tx which uses the no fee 0-confirm tx as an input.

Since inclusion of this tx in the block requires the 0-confirm tx to also be included it would be a protocol compatible way to "pay a fee after the fact".  However it requires the bitcoind or other software used by miners to be "smart" enough to notice that tx X has no fee but the output of tx X is the input for tx Y which does have a fee and thus there is value in including both in the memory pool for the next block.

No there is no such thing as a MoneyPak account.   A MoneyPak is simply a "pack of money" (clever name huh) it needs to deposited into a THIRD PARTY ACCOUNT.   Examples would be PayPal, prepaid credit cards, some legal US gambling sites, some utilities, debt collectors, etc.

The most common use is to fund a prepaid credit card.   There is no account anywhere in the world you can fund which doesn't require KYC information (name, address, at least partial SSN, telephone, etc).   So if you remove funds and the account gets frozen and the MP reversed, the account (in your name and social security number) will now have a negative balance.  The legal fine print in the cardholder agreement has a clause saying something like any negative balances become a debt of the cardholder and can be collected on by the account issuer.  You now owe that money to PayPal or NetBank or xyz corp.   Expect to get a notice of demand, and eventually the debt sold to a collection agency jacked up with collection fees, and slapped on your credit report for the next 7-10 years.  Worst case scenario (probably only reserved for if you had a LOT of MPs reversed) is you would get sued and have a judgement held against you and any future income.  

Pretty much no different than charging up a bunch on a credit card without the intent to pay it.

Because if the are a scammer the next thing they are going to do is call GreenDot report the card either a) didn't work (implying you brute forced attacked the number) or b) the card was stolen.   Of course they have the original card, the receipt, and GreenDot does not condone the resale of MoneyPaks.  Anywhere you deposit a MP requires KYC information so they can and they will instantly freeze your account pending release from GreenDot.   Also note as one buyer found out he a couple months back if you deposit multiple cards and say only 1 out of 20 is reported stolen/hacked they are going to freeze the entire account with the combined balance. 

What will GreenDot ask for  .... drumroll.  Proof you bought it.  No proof?  Well guess that makes you the theif/hacker.  Case solved.  Luckily GreenDot was able to keep another customer's funds safe (not that is the buyer not you).

The wrong way to look at reversibility is as black or white question (Bitcoin is irreversible, PayPal can be reversed).

It is more a sliding scale.   Every payment system in the world can be reversed.  Bitcoin can be reversed by a 51% attack for example.  Bank Wires can be reversed if funds were transferred in the commission of a crime.  No you can't put a gun to Warren Buffet head and have him wire $1B and then say "bank wires are irreversible".  Even cash can be reversed when the buyer pulls out a gun and "asks" for his cash back. 

So the right way to look at the risk of reversed transaction is not YES/NO but more how HARD is it to reverse.  Harder to reverse, less risk to you.
If a 6-confirm Bitcoin transaction is a 10 on the "hard to reverse scale" and PayPal is a 1 then everything else falls somewhere in between. 

Everything can be reversed just some are easier than others.   The good news is Moneypaks are pretty "tough" to reverse.   One can't simply claim "they didn't get the goods, or they didn't like the product" and request a chargeback like a credit card however if someone is willing to commit fraud they can be reversed by claiming the MP was stolen  or it was hacked (usually the conman will claim it just "didn't work".  

Theoretical call to GreenDot.  Who are they going to believe?

One can limit the risk by
a) only accepting MP purchased with cash.
b) only accepting MP purchased that day or relatively recently (someone selling a MP "they" bought weeks or months ago is likely reselling a MP, it probably has gone through half a dozen hands and anyone of them could have snagged the funds).
c) only accepting MP with a scan/photo of receipt (have seller write your name on the receipt).

If you did all that could you still be scammed?  Maybe but the odds are pretty low.  I would say it is probably an "8" (on 1-10 scale) for difficulty to reverse.  Probably safer than just about anything other than Bitcoin, cash, or bankwires.

Just accepting MP from someone online with no rep selling them for 50% off (ask yourself why would they do that) however is just asking to get scammed.

Wow $20?  Don't spend it all in one place.

I have to agree with this one.  It is genuinely hard to tell if this is a really bad troll or someone that stupid.

What would be elite about this group.  If ECDSA is broken wide open without warning Bitcoin is effectively dead anyways.  Massive amounts of wealth would be transfered before any such new address type could be created.  The probability of that happening is roughly zero.  What is more likely is that ECDSA is "compromised" meaning that one can attack it faster than brute force (although still needing massive, massive amounts of computing power).  One would essentially see "mining" of existing addresses a process which probably would take on the order of decades to "confiscate" all of it.

That is far better outcome than some cartel of "elites" forcing their will on the people in order to protect them.  I have enough government already.  I don't need another one to worry about INSIDE my currency.    If the consensus is stupid enough to allow such a rule to be passed they will allow other rules to be passed in the name of "security" and honestly it means the population is too dumb to keep Bitcoin secure.  Bitcoin is dead IMHO if it happens but I hope that will never happen.

I don't think we need to agree to that at all.  Who makes "you" (to mean not just you but anyone who feels they have the authority to control the wealth of others) to decide when wealth should be confiscated in order to protect others.  You are the bitcoin "elite" you need to protect others by confiscating their wealth?  You are talking about the role of a state.  The elite protecting the masses by confiscating wealth through force.  Bitcoin is dead if/when the "self proclaimed elites" out of fear decide they need to protect it by confiscating wealth.

Then Bitcoin is reversible if/when the elites decide a person isn't being secure enough.  Hardly p2p, hardly commerce without a trusted third party.  They day that happens is the day I am done with Bitcoin.  The social contract (written or otherwise) has been broken.  It would be like governments (still on gold standard) outlawing the recovery of gold from shipwrecks and then pretending the price of Gold is set by market prices. 

I don't think they should.  "Expired" coins in any form violate the understanding of irreversible transactions.   It is a major selling point to say Bitcoin is irreversible.   Once you start clouding that up it becomes Bitcoins is "pretty much" irreversible (which means it is kinda like ACH in that most people think it is irreversible but in reality it can be reversed to your destriment.

Proactively stealing wealth because it is in an "insecure" address is still stealing.  If ECDSA is weakened history would indicate there will be significant time to transistion coins to new address types which are more secure.   Most people will transistion their coins.  Some won't due to negligence and some won't because the coins are truly loss.  Eventually those coins will be "stolen" much like "lost" Gold from a shipwreck at the bottom of the ocean is recovered.

The protocol should never try to "protect people" by confiscating their wealth.  That would be a deathblow for Bitcoin.  The state already does a pretty good job of protection via confiscation I don't think Bitcoin can really compete in that arena.

Um no it is a double spend.  A Finney attack is a type of double spend in which the attacker "reverses" a 0-confirm tx by submitting a replacement which is already in a block HE MINED.  There is nothing in the OP attack which makes it is a Finney attack.

Your proposal undermines the principal that transactions are irreversible.  Reversibility is a slippery slope.  The optimal growth rate of a money supply would be the rate of economic expansion.  How far is it from "we must remine coins to avoid losing them" to "we must have a cartel of elite miners adjust the mining (and coin destruction rate) in order to maximize economic output.  We can call this the "federal mining reserve".

You seem to not realize that your proposal as dubious and impossible to implement as it is still wouldn't achieve a stable money supply.  As posted in the other thread. If the money supply shrank by 0.2% per year over 150 years the supply would be ~740K BTC in 2162.  If 200K BTC were lost in the first year (more than that have never been moved after being mined in the first year) you would be looking at a massive annual inflation being forced onto a system which has adapted to gradual deflation of the course of decades.   I can't think of anything which would cause MORE volatility and chaos.  Even after that first year it would be boom and bust cycles as coins weren't lost in a continual basis there were spikes and peaks.  So the money supply would not only NEVER be fixed (it would never reach 21M BTC not once ever) it also wouldn't even be STABLE.  Inflation would not only be high some years it would be chaotic and random.  33% one year, 8% the next, then 27%, then a period of 4-5 years with 1% inflation, then a giant spike up 40%.  Utterly crippling to any economy.  Worse it would be totally pointless.  If Bitcoin is still around in 150 years it means it MADE IT.  It doesn't need fixing.  Ironically after 150 years of success it would likely be the "fix" which killed it.

If Bitcoin can survive and even prosper for 100 to 150 years with the current set of "rules" what would make you think it needs changing?  If the "flaw" is fatal as you indicate it will likely result in the destruction of Bitcoin long before your implemented change would take effect.  I noticed initially it was 50 years, then 50 to 100 years, then 100 to 150 years.  The longer the time horizon the more dubious the change.  Lets say over the next 150 years 0.2% of the coins on a nominal basis are irrecoverably lost.  150 years from one the money supply would be ~0.74 million BTC.  If 200K BTC were lost in the first year it would be introducing >30% annual inflation to the system.   Lets also point out that the system will have "adapted" to the slow attrition of coins (which is meaningless as "money" is simply an accounting system).  The worst possible thing 150 years from now would be to suddenly dump a fortune of new coins into a system which has long since adapted over the decades to a slowly shrinking monetary base.

There is no validity to the claim that the money supply must remain perfectly fixed at 21 million BTC.  The goal of the fixed minting schedule is to ensure that inflation and deflation can't be MANIPULATED for the benefit of a few at the expense of the many (like fiat systems do).  Satoshi could have decided to have minting go on forever at 1 BTC per block.  The small amount of inflation that would occur many many many subsidy havings from now would be negligible and wouldn't be subject to manipulaiton.

Small rate of inflation ~= perfectly fixed money supply (completely unatainable even under your proposal) ~= small rate of deflation.   Inflation and deflation aren't a problem as long as they are low and without volatility. 

Of course it does.  

Say you get 60% of people to agree the protocol should be changed.  Guess what? The old protocol (the one now known and forever known as Bitcoin) still exists.  You just created an alt-coin.  You may attempt to (falsely) market this "confiscation coin" as the "real Bitcoin" but it isn't.  The real Bitcoin protocol continues to exists.  

So hard forks which are incompatible at a fundamental level ARE alt-coins.  The reality is there will never be 100% consensus (as in every single coin holder, every merchants, every user, every developer, etc).  Outside of that impossible situation the forked version isn't Bitcoin.  

The Bitcoin protocol can be extended but even extensions require significant planning, and consensus building simply because the very act of a hard fork no matter how trivial is incredibly risky.  There is a fundamental difference between extending the protocol and invalidating existing rules/addresses/balances.  A hard fork which invalidates the ownership of existing users can't be considered anything other than an alternate.  It isn't Bitcoin.  It will never be Bitcoin.  It "could" someday surpass Bitcoin but it isn't Bitcoin.

Well namecoin is far more secure and the hashing rate far more stable now than it was prior to merged mining.  Namecoin fell out of favor simply because there was no use for it. It is a good idea but an idea without execution has no value.  So it became useful only for squatting on domains, speculating, and to boost the profits of miners.   kinda hard to built a functional economy if those are your cornerstones.

One I don't accept that the money supply needs to be fixed exactly.  The loss rate over time will slow to a trickle and the money supply decreasing by 0.5% a year or (or even increasing by 0.5% a year) isn't a material problem.   For all practical purposes the supply is fixed and price is based on demand (which over the next 100 years or so changes in demand will dwarf any valuation changes due to slowly shrinking supply).  However lets pretend the money supply "should be fixed".


There are three major issues.

First.  Your solution won't make the money supply stable.  Valuation is based on the available money supply.  If anything your proposal will cause rapid fluctations in supply, and mining rates (to potentially cash in on a once in a lifetime windfall in mining profits).   Lets (pulling numbers out of my ass) that in the first 4 years roughly 2 million BTC were lost.   We would expect over time this rate of loss to decline as the obvious value of BTC becomes apparent as well as improved technology and best practices (deterministic wallets, auto backups, hardware wallets, etc).  So the "lost coins" are to a certain extent already price in.     Currently the price is based on effective supply  Nobody needs to know how many are lost the market effect of supply and demand will set the price based on effective money supply.   As the annualized loss rates continues to decline (in nominal BTC terms) the effect on overall valuations will be small.  The difference between an asset whose supply is truly and perfectly fixed vs shrinking at say 1% is immaterial.  The change is price will be driven mostly by changes in demand.   As an example say 10 years from now loss rate is <1% per year and demand is growing at 35% per year.   35% vs 36% does it really matter?  The price is for all intents and purposes determined by increased demand.


However whatever "expiration date" is used means that in roughly x years there will be a massive INCREASE in the effective supply when that window hits.   Say 2M coins were lost in the first 4 years.  That means in 50-54 years the coin supply (which has had slowing inflation for decades now) will supply see a minting explosion of 2M BTC (which could be worth billions of USD or more).   The fear and uncertainty on the true supply would have the exact opposite effect as intended.   As we approached the expiration date a lot of volatility would occur as people try to estimate how much new supply is going to crash into the market.   Another issue is the risk of overmining.   Mining will reach an equilibrium with transaction fees and in 50 or so years should be relatively stable however the expiration of these early 2M coins (which could be worth a small fortune) would cause a massive mining surge.  The network will built out massively as the ROI when including this once in a lifetime bonanza of confiscated coins would warrant expeditures than "normal" mining wouldn't.  What happens if the hashrate jumps 200x and then 99.5% shutoff after that free money window is gone?  Oops.  Network needs 400 weeks to reset and until that happens block times are ~1 day each?

Second.  It is unfair.  There is a social contract in Bitcoin.  Bitcoin is voluntary.  Nobody is forced to use it and the rules are well known.   However what you propose is an "Ex post facto" change.  It is material unfair.  People entered in Bitcoin because on certain proclaimed truths one of which being that (for better or worse) transactions are irreversible.  This is a form of reversibility.  You are proposing to change the social contract after the fact and that is ALWAYS unfair.  A system built from day one with this change (and other hard fork changes) would be different but to impose it upon people after the fact isn't just unfair it is immoral.

Third.  This is all academic.   It simply is NEVER EVER going to happen.  Just like the hundred or so last threads nothing is different.  Making this kind of hard fork is simply "defacto" no possible (although technically possible) due to the consensus rules built into Bitcoin.   Unless a change requiring a hard fork has overwhelming support the other "normal bitcoin" fork will live on.  So either one fork will die off or they would compete directly with each other causing chaos and uncertainty which devalues both forks.   "Can the real Bitcoin please stand up?"  

yes your exact proposal has been proposed at least a couple hundred times in the past.  Nothing novel or unique about it.   It will never happen.  There is no reason for it to happen and plenty of reason for it to not happen.


There is nothing which would prevent this from occuring even tomorrow other than the need for near unanimous consensus among bitcoin users.  You won't get that, it will never happen.  Most users don't support it but even if they did to avoid a hard fork and split of the block chain you would need nearly unamanimous support (i.e. 90%+ of users, 90%+ of merchants, 90% of service/wallet providers, 90%+ of developers, and 90%+ of miners).  The risk of a hard fork and split of the network at this point doesn't warrant any dubious gain from having coins put back into circulation.

TL/DR you are trying to solve a problem which doesn't exist and thus it will never be "solved".