Bitcoin Forum
81  Bitcoin / Development & Technical Discussion / Re: HD wallets for increased transaction privacy [split from CoinJoin thread] on: October 17, 2013, 11:28:47 AM
I'm confused by this thread. You guys understand that the payment protocol already allows the recipient to request an arbitrary number of outputs, right? Whether they are generated from an HD key or not is an implementation detail of the recipient side. The sending side just gets a set of instructions that it must satisfy. It makes sense for the sender to try and craft multiple independent transactions to satisfy those outputs, if that is what is best for privacy. Again, the payment protocol is already designed with this in mind.

There's no need for new URI or serialization schemes. Just implementing BIP 70 is sufficient.
The idea of sending public chain codes to people to be used into the future hasn't been sitting well with me because if your wallet is lost or compromised, then you'd have to go around to everyone you've given one out to and revoke them.  Or build an entire key revocation infrastructure around them.

The payment protocol makes a lot more sense to me too.
82  Bitcoin / Development & Technical Discussion / Re: Feather-forks: enforcing a blacklist with sub-50% hash power on: October 17, 2013, 10:58:07 AM
The winner might issue a new smaller bounty to keep others on his branch, and he also has the chance to mine the next himself as usual.
This would require the same kind of double spend preparation from the winner that the attacker made, before even knowing about the first bounty, but perhaps rational™ miners would prepare such double spend bounties at all times just in case.  Seems more realistic that it's the attacker that just broadcasts another prepared bounty after seeing the winner's block (assuming rational™ miners have decided to overcome the double spend broadcast censorship).

Regarding the long-term repeatability of the attack, I suppose if the attacker was high enough profile with deep enough pockets, they could create a chilling effect without actually having to continually pay bounties in repeating the attack; miners wouldn't dare disobey because they know they'd be made examples of and have their blocks orphaned.
83  Bitcoin / Development & Technical Discussion / Re: Feather-forks: enforcing a blacklist with sub-50% hash power on: October 17, 2013, 09:01:54 AM
Actually one does not even have to be a miner to launch this attack:

The attacker rolls a Bitcoin holding again and again to new addresses of his own. Once he discovers a block he dislikes, he broadcasts a double spend of his previous roll to a trivially redeemable address.

If the transaction has sufficient size, rational miners will be attracted to create a branch rooted where the transaction was still valid and attempt to re-org to cash in the offered bounty.
Then wouldn't the miners who didn't win the bounty just ignore the winner's chain, since they can just work on the honest chain which is just as long, and avoid fucking up Bitcoin?

Sorry if this is getting annoying :)
84  Bitcoin / Development & Technical Discussion / Re: Feather-forks: enforcing a blacklist with sub-50% hash power on: October 17, 2013, 08:50:04 AM
It could stop them if the transaction is only valid in the orphan. For that the source of the bounty would have to be spent in the disliked trunk. The miner could prepare the attack by broadcasting spends to his own address. If one of those is included in the block he dislikes, then he has a bounty to offer that is only valid in his branch by spending the source again to a trivial to redeem address in his block.
I guess then he'd have to be including such a transaction in every block, just in case, but that's only a couple bucks a day.  OTOH, he'd also have to be able to mine a parallel block pretty much on demand.  He's unlikely to be able to do that.  And this is impossible to repeat indefinitely, so his blacklisted transaction will eventually make it in the chain, will it not?
85  Bitcoin / Development & Technical Discussion / Re: Feather-forks: enforcing a blacklist with sub-50% hash power on: October 17, 2013, 08:16:08 AM
Assume a miner dislikes something in the highest block, and is willing to spend on suppressing it.  He mines a parallel block also embedding a transaction sending a bounty to a trivial to redeem script.  All rational miners, including him, will be incentivized to mine on top of his alternative and claim the bounty for themselves. Only an altruistic miner would remain on the original or include a mempool transaction claiming the bounty.
If he broadcasts this transaction, then what's stopping the rest of the miners from just including it in their chain, and claiming the bounty in the same block?
86  Alternate cryptocurrencies / Altcoin Discussion / Re: Namecoin was stillborn, I had to switch off life-support on: October 15, 2013, 10:57:49 PM
Essentially, if we give up on names being meaningful (but still keep them short, pronounceable and memorable) then they can be used alone securely as identities - no PKI needed.  The idea is that there are a relatively small number of transactions in the Bitcoin blockchain (< 2^25 currently), so you don't need very many bits to encode a transaction's location in the blockchain uniquely.

FWIW I had pretty much the same idea about a half year ago.

https://bitcointalk.org/index.php?topic=138000.msg1471978#msg1471978

Although I thought about using words rather than phonemes: four words are enough.

E.g. somebody can register a name like "cranky corporate classic company".
Oh cool.  The phonemic names seem like an improvement on this (shorter and more memorable), but you can credit the Urbit developers for them.
87  Bitcoin / Development & Technical Discussion / Re: Proof of Storage to make distributed resource consumption costly. on: October 15, 2013, 10:15:21 PM
Also it's important to note that C may not store all the tree, but only a precomputed top. To effectively detect if C is in fact storing almost all the tree or not, S would need to make many time measurements of C responses, averaging the elapsed time.
IIUC, for an n level tree, you'd save yourself from storing

(1 - 2^-n) / (2 - 2^-n)   ~  1/2

the nodes in the tree.  So could you just assume everybody is cheating and require an extra level?
88  Alternate cryptocurrencies / Altcoin Discussion / Re: Namecoin was stillborn, I had to switch off life-support on: October 15, 2013, 09:03:19 PM
I might as well pile on too while we're all at it :)  Just some thoughts I've been having about this problem I wanted to share.

Using namecoin strings alone as identities is clearly crazy - they're first come first serve, and anyone can come and register one after you whose typesetting is only very subtly different, opening the door for phishing.  So you need a PKI built on top, which is much more difficult to do than namecoin itself.  Not to mention, as retep did earlier ITT, it can't do lightweight clients without trust.  Even with the complex UTXO commitments he mentioned, you have to trust that miners won't rewrite history (because lightweight clients won't be able to check a UTXO proof for every block for every name they're interested in).

If we slightly temper our expectations of a secure, decentralized naming system, then we can solve these problems very easily (or define them away, depending on how you look at it).  And the result is Good Enough IMHO.  Essentially, if we give up on names being meaningful (but still keep them short, pronounceable and memorable) then they can be used alone securely as identities - no PKI needed.  The idea is that there are a relatively small number of transactions in the Bitcoin blockchain (< 2^25 currently), so you don't need very many bits to encode a transaction's location in the blockchain uniquely.  You then run these encodings through a universally agreed upon cipher to make them dissimilar, and encode the result into some phonemic base.  By encoding a pubkey fingerprint in a transaction, you have a secure name to pubkey mapping.  This can build directly off of Jeff Garzik's identity protocol: https://en.bitcoin.it/wiki/Identity_protocol_v1.

For example, with a large set of CVC phonemes (consonant - vowel - consonant), you only need three to describe a 32 bit name: ~reb-mizvig.  Wisely selecting a smaller set of phonemes may make for more readable names in general at the expense of needing another phoneme: ~bitlyr-worwyd.  Might be worth it.  And you could have lots of different "languages" for different styles of names.  Or different alphabets even.  The guys working on Urbit are currently developing some of these phonemic bases and said we can just copy what they come up with if we like.

Note that all a lightweight client needs to resolve a name to a pubkey fingerprint is the block headers and a merkle path, which encodes the transaction's location via the ordering of hashes.  Also, names done this way would be very dissimilar, so you could safely use them alone as your identity.  This is probably best for identities that live purely online; if people know you only by this name, then key verification comes for free.

Regarding transfer of names, I wonder if that really makes sense.  I can wholeheartedly vouch for a person, but can I really sell your trust in me to them?  The names are sufficiently throwaway, so I say don't bother with this.  System's much simpler without it.

Of course this all glosses over the need for good key management.  Maybe devices like Trezor could be useful here.  Some random thoughts on a distributed key revocation blockchain:
- Identity protocol's miner sacrifices make this hard to spam.
- Authenticated prefix trees instead of merkle trees could make it so you only have to pay attention to small subsets of each block containing (or not containing) names you care about.
- We only care about unjammability, so we can pay attention to, say, the 5 longest branches to make it more difficult for miners to suppress revocations.

Thoughts?  Is this all crazy/expecting too much of people?  Am I misunderstanding the problem?
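
A sketch of the naming pipeline the post above describes (transaction location, public permutation, phonemic encoding), added here as an illustration; it is not code from the post, from the identity protocol, or from Urbit. The 20/12-bit height/index split, the SHA-256 Feistel permutation standing in for the agreed cipher, and the 18-consonant, 6-vowel syllable table are all assumptions.

```python
import hashlib

# Assumed layout of the 32-bit location: 20 bits of block height, 12 bits of
# transaction index within the block (the post does not specify a layout).
HEIGHT_BITS, INDEX_BITS = 20, 12
# Constructed public constant standing in for the "universally agreed upon cipher".
PUBLIC_KEY = b"constructed-public-constant"
ROUNDS = 4
CONSONANTS = "bcdfghjklmnprstvwz"  # 18 letters (assumed alphabet, not Urbit's)
VOWELS = "aeiouy"                  # 6 letters
BASE = len(CONSONANTS) * len(VOWELS) * len(CONSONANTS)  # 1944; 1944**3 > 2**32


def _round(half, i):
    """Feistel round function: 16 bits taken from SHA-256(key, round, half)."""
    data = PUBLIC_KEY + bytes([i]) + half.to_bytes(2, "big")
    return int.from_bytes(hashlib.sha256(data).digest()[:2], "big")


def permute(x):
    """Public bijection on 32-bit values so neighbouring locations get unrelated names."""
    left, right = x >> 16, x & 0xFFFF
    for i in range(ROUNDS):
        left, right = right, left ^ _round(right, i)
    return (left << 16) | right


def unpermute(y):
    """Inverse of permute(): run the Feistel rounds backwards."""
    left, right = y >> 16, y & 0xFFFF
    for i in reversed(range(ROUNDS)):
        left, right = right ^ _round(left, i), left
    return (left << 16) | right


def _syllable(d):
    """Map a base-1944 digit to one consonant-vowel-consonant syllable."""
    c1, rest = divmod(d, len(VOWELS) * len(CONSONANTS))
    v, c2 = divmod(rest, len(CONSONANTS))
    return CONSONANTS[c1] + VOWELS[v] + CONSONANTS[c2]


def _digit(s):
    """Inverse of _syllable(); rejects letters outside the agreed alphabet."""
    c1, v, c2 = CONSONANTS.find(s[0]), VOWELS.find(s[1]), CONSONANTS.find(s[2])
    if min(c1, v, c2) < 0:
        raise ValueError(f"not a CVC syllable: {s!r}")
    return (c1 * len(VOWELS) + v) * len(CONSONANTS) + c2


def encode_name(height, index):
    """Turn a transaction location into a name of the form ~cvc-cvccvc."""
    if not (0 <= height < 1 << HEIGHT_BITS and 0 <= index < 1 << INDEX_BITS):
        raise ValueError("location does not fit in 32 bits")
    y = permute((height << INDEX_BITS) | index)
    d0, rest = divmod(y, BASE * BASE)
    d1, d2 = divmod(rest, BASE)
    return f"~{_syllable(d0)}-{_syllable(d1)}{_syllable(d2)}"


def decode_name(name):
    """Recover (height, index) from a name, rejecting malformed or out-of-range input."""
    if len(name) != 11 or name[0] != "~" or name[4] != "-":
        raise ValueError("expected the form ~cvc-cvccvc")
    body = name[1:4] + name[5:]
    y = 0
    for k in range(0, 9, 3):
        y = y * BASE + _digit(body[k:k + 3])
    if y >= 1 << 32:
        raise ValueError("name is outside the 32-bit space")
    x = unpermute(y)
    return x >> INDEX_BITS, x & ((1 << INDEX_BITS) - 1)


if __name__ == "__main__":
    for loc in [(263000, 0), (263000, 1), (263001, 0)]:  # constructed locations
        name = encode_name(*loc)
        print(loc, name, decode_name(name))
```

The decoded height and index only say where to look; as the post notes, a lightweight client still checks the transaction against the block headers and a merkle path before trusting the pubkey fingerprint in it.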
89  Bitcoin / Bitcoin Discussion / Re: relativistic effects on bitcoin on: September 30, 2013, 08:35:02 PM
Each planet could have its own crypto currency. They could be sold on interplanetary exchanges using quantum entanglement to communicate instantly.

Quantum entanglement does enable instant communication. There are currently no known practical or even theoretically plausible methods to communicate faster than light.
Did you mean *doesn't?
90  Bitcoin / Development & Technical Discussion / Re: can a tx determine who is allowed to mine it? power to the users on: September 08, 2013, 12:12:10 AM
A somewhat related idea that I've always liked is for transactions to optionally include a block hash such that the transaction fees are claimable by the miner only if his chain builds upon the included block hash.  This would allow users to specify block construction policies that miners must adhere to if they want to receive the transaction fees.  The net effect would be for miners to enact policies that make the most (paying) users happy, else they be put at a competitive disadvantage to miners that do.

This isn't currently relevant, as transaction fees are insignificant, but in a future where they aren't, this idea could be used to distribute some of the power that miners currently hold to the users.

Though, I suppose it's not entirely clear that users would enact better policies than miners.  And perhaps the users would just carelessly delegate away this power, with it becoming more consolidated than it was with the miners.  Violating the Iron law of oligarchy is quite the engineering challenge :)
91  Bitcoin / Bitcoin Discussion / Re: Review for bitcoin.org FAQ on: September 06, 2013, 04:24:17 AM
The 'existence proof' thing actually came from me (I wrote the answer to that question). It's a term I've seen used a few times, but you're right that it's probably a bit weird/unusual for the FAQ.
Perhaps it was just sounding weird to me, but I've always heard a proof that a conjecture is false referred to as a counterexample.  When I read "existence proof", it made me think "existence theorem".
92  Bitcoin / Bitcoin Discussion / Re: Review for bitcoin.org FAQ on: September 06, 2013, 04:01:48 AM
Here are my edits to the rest of the FAQ:

Isn't Bitcoin mining a waste of energy?

Spending energy on securing and operating [to secure and operate] a payment system is hardly a waste. Like any other [payment] service, the use of Bitcoin is implying [entails] processing costs that are covered by the usefulness of the services offered. Services necessary for the operation of currently widespread monetary systems, such as banks and credit card companies[, credit cards, and armored vehicles], also spend [use] a lot of energy. So does any goods or services people are using or buying every day. However as opposed to [Although unlike] Bitcoin, this global [their total] energy consumption is not transparent and cannot be [easily] measured publicly.

Bitcoin mining has been designed to become more optimized over time with specialized hardware using [consuming] less energy[,] consumption and the operating costs of mining should continue to be proportional to the demand. When Bitcoin mining becomes unprofitable, some miners choose [miners tend to] to stop their activities.  [Furthermore, all energy expended mining is eventually transformed into heat, and the most profitable miners will be those who have put this heat to good use. An optimally efficient mining network is one that isn't actually consuming any extra energy than would otherwise be consumed if no Bitcoin mining were taking place. While this is an ideal, the economics of mining are such that miners individually strive toward it.]

How does mining help secure Bitcoin?

Mining creates the equivalence [equivalent] of a competitive lottery that makes it very difficult for anyone to consecutively add new blocks of transactions in [into] the block chain. This allows to protect [protects] the neutrality of the network by preventing any individual to gain [from gaining] the power to block certain transactions. This also prevents any individual to replace [from replacing] parts of the block chain to roll back their own spends, which could be used to defraud other users. Additionally, mining [Mining] makes it exponentially difficult to reverse previous transactions because it would require to rewrite [a past transaction by requiring the rewriting of] all blocks following this transaction.

What do I need to start mining?

In the early days, anyone could find new blocks using standard computers['] CPUs. As more and more people started mining, the difficulty of finding new blocks has greatly increased to the point where the only cost-effective method of mining is using specialized hardware (ASICs). You can visit BitcoinMining.com for more information.

Security

Is Bitcoin secure?

The Bitcoin technology - the protocol and the cryptography - has a strong security track record[,] and the Bitcoin network is probably the biggest distributed computing project in the world. Bitcoin's vulnerability is in user error. Bitcoin wallet files that store the necessary private keys can be accidentally deleted, lost or stolen. This is pretty similar to physical cash in a computer or mobile. Fortunately, users can employ security practices to protect their money or use service providers that offer good levels of security and insurance [against theft or loss]. Bitcoins are not covered by insurance schemes or depositor insurance like the FDIC, but users' wallets could be with a service provider that offers that provision. Note: I just deleted this sentence because it just repeated what was said in the previous sentence, and it introduced confusion with the mention of deposit insurance, a solution to a much different problem than risk of theft or loss.

Hasn't Bitcoin been hacked in the past?

The Bitcoin protocol in itself has never suffered from a security breach and is still working great after [more than four] years, which is a fairly good indication that the concept is well designed. However, security flaws have been found and fixed over time in various software implementations. Like any other form of software, the security of Bitcoin software depends on the speed with which problems are found and fixed. The more such issues are discovered, the more Bitcoin is gaining maturity.

There is [are] often misconceptions about thefts and security breaches that happened on diverse exchanges and businesses. Although these events are unfortunate, in [during] none of them [has] Bitcoin has been hacked, [-] just like a bank being robbed doesn't mean that the dollar is compromised. However it is true that a complete set of good practices and intuitive security solutions need [needs] to be developped [developed] around Bitcoin to help [give] users having a better control and protection of their money[,] and continue to reduce the general risk of theft and loss. Over the course of the last [few] years, such security features [have quickly] developed at a fast rate like [, such as] wallet encryption, offline wallets, multi-signature [transactions] and hardware wallets.

Could users collude against Bitcoin?

It isn't possible to change the Bitcoin protocol with a majority of users or miners. Any miner that doesn't comply with the protocol immediately generates a chain fork[,] as the rest of the network [- non-mining nodes included -] is rejecting [rejects] blocks from these miners [this miner] , including all Bitcoin nodes that are not mining. As per the current specification, no double spending is possible on the same block chain[,] nor [and neither is] spending bitcoins without a valid signature. Consequently, it is not possible to generate uncontrolled amounts of bitcoins out of thin air, spend other users['] funds, corrupt the network or anything similar.

However, a majority of miners could arbirarily choose to block or reverse targeted recent transactions. This could be used for censorship purposes or to defraud targeted [particular] merchants. But this can also be used for legitimate purposes, like applying a collaborative emergency action to help fixing [fix] a problem with the network like the march 2013 chain fork[.]

Is Bitcoin vulnerable to quantum computing?

Yes, and so are all systems relying on cryptography in general[,] including current banking systems. However, quantum computers don't yet exist and probably won't for a while. In the event that quantum computing could be an imminent threat to Bitcoin, the protocol could be upgraded to use new algorithms. Given the importance that this update would have, it can be safely expected that it would be highly reviewed by developers and adopted by all Bitcoin users.

Can't Bitcoin be cracked or shutdown?

Bitcoin is likely to survive almost anything. The real question is to know where it will [where will it] prosper. Bitcoin has been designed to be a very resilient technology in order to be reliable as a global financial tool. The way it works is very similar to other decentralized networks such as the Internet. No individual or developer have [has] control over Bitcoin[,] and as long as some users and miners remain, the network will continue existing. This high level of resiliency and redundancy is unmatched in the payments space and represents an important breakthrough for the protection of financial systems.

Even though technical failures are possible, Bitcoin has demonstrated its ability to withstand various forms of attacks for years[,] and the discovery of new technical issues would likely only lead to further improvements. Bitcoin use could however be made difficult by restrictive regulations, in which case it would be hard to determine what percentage of users would keep using the technology. A government that chooses to make Bitcoin illegal would prevent many domestic businesses and markets from developing, shifting innovation to other countries.
93  Bitcoin / Bitcoin Discussion / Re: Review for bitcoin.org FAQ on: September 05, 2013, 10:49:36 AM
Just gave the FAQ a read-through, content looks pretty good.  Here are my notes (they're in order, but ctrl-f should find the relevant spots - sorry, I would've edited the full document in retrospect):

  • "with millions of dollars [worth of bitcoins] exchanged daily"
  • "then succesfully [successfully] reverse [reverses] the transaction"
  • "Bitcoin payments are easier to make than existing banking or credit card process [debit or credit card purchases, and can be received without any special merchant account]."
  • "and directly deposit [depositing] the funds to the merchants [merchant's] account daily"
  • "This protects merchants from losses caused by fraud or fraudulent chargebacks[,] and there is no"
  • "No individual or organization can control or manipulate [the] Bitcoin protocol."
  • "still needs to grow in order to benefit from networking network effects."
  • "make Bitcoin more accessible to the masses[,] but some user tools"
  • "Most Bitcoin businesses are new[,] and most of them don't offer any insurance."
  • "no organization or individual can control Bitcoin[,] and the network remains secure"
  • "is no garantee [guarantee] that Bitcoin will continue"
  • "each individual to make a proper evalution [evaluation] of the costs"
  • "as physical coins like the Casascius coins[,] but paying with a mobile"
  • "stored in a large distributed network[,] and they cannot be fraudulently altered"
  • "bitcoins cannot vanish [just] because they are virtual"
  • "However, it is worth to note [noting] that Bitcoin will undoubtedly be subjected"
  • "it is not likely to prevent criminal investigations to be [from being] conducted"
  • "there is no chance for anybody to find the private key that would allow to spend them [them to be spent] again"
  • "when fewer bitcoins are available[,] the ones that are left will be in higher demand"
  • "So, as bitcoins are lost, bitcoins [they] will eventually increase in value to compensate."
  • "being done to lift current limitations[,] and future requirements are well known"
  • "maturation, optimization and specialization[,] and it should be expected to remain"
  • "will use lightweight clients[,] and full network nodes will become"
  • "severely restrict or ban all foreign currency[,] like Argentina"
  • "Bitcoin is money[,] and money has always been"
  • "significant innovation in payment systems[,] and the benefits of those innovations"
  • "such as backups, encryption and multi-signature [multiple signatures]"
  • "The use of Bitcoin will undoubtedly be subjected to similar regulations that are already in place inside existing financial systems[,] and Bitcoin is not likely to prevent criminal investigations to be [from being] conducted"
  • "[The] Internet is a good example among many others to illustrate this observation."
  • "The Bitcoin protocol in itself cannot be modified"
  • "doomed not to succeed and would rather [only] end up creating a new"
  • "It is however possible to regulate the use of Bitcoin in a similar way than [as] any other instrument. Just as [like] the dollar, Bitcoin can be used for a wide range [variety] of reasons [purposes], some of which can be considered legitimate or not as per each jurisdiction [jurisdiction's] laws."
  • "process called mining. This process involves that individuals are rewarded by the network for their services. More specifically, miners [Miners] are processing"
  • "no more than a fixed amount of Bitcoin can be created approximately each [every] 10 minutes"
  • "completely halt with a market cap [total] of 21 millions bitcoins"
  • "Technically speaking, Bitcoin have [has] all the attributes"
  • "physical properties of a rock [substance] like gold"
  • "amount of bitcoins in circulation[,] and this amount is owned and divided between all Bitcoin users"
  • "price increases[,] and when there is less demand"
  • "demand must equate to [follow] this level of inflation"
  • "Because Bitcoin still hold [is still] a relatively small market"
  • "Bitcoin prooved its reliability [has proven reliable] for a few years "
  • "no one is in a position to predict what will be the future [will be] for Bitcoin"
  • "This is very similar to investing in a [an] early startup that is either gaining value through its usefulness and popularity over time, or [one that] just never break [broke] through. Bitcoin is still at [in] its infancy[,] and it has been designed with a very long-term view, [;] it is hard to imagine how it could be less tilted towards early adopters[,] and today's users might or might not"
  • "As the average transaction size reduces [decreases], transactions can be denominated in sub-units of a bitcoin[,] such as"
  • "Bitcoin is an existence proof that the theory [counterexample to the theory, showing that it] must sometimes be wrong"
  • "Despite all this[,] Bitcoin is not designed to be a deflationary currency"
  • "allowing them to profit of [from] the advantages of Bitcoin"
  • "Bitcoin will succeed to mature and develop to a degree where price volatility will decrease [becomes limited]"
  • "What if someone bought up all the existing Bitcoins [bitcoins]?"
  • "This situation doesn't [isn't to] suggest, however, that the markets aren't vulnerable to price manipulation. It [; it] doesn't take significant amounts of money to move the market price up or down[,] and thus Bitcoin remains a volatile asset."
  • "As for [of] now, Bitcoin remains by far the first and foremost private decentralized virtual currency[,] but there can't be any guarantees"
  • "Bitcoin in terms of esthablished [established] market"
  • "Most transactions can be processed without fees[,] but users are encouraged to pay a small [voluntary] fee by their own for faster confirmation"
  • "If you are receiving [a] large number of tiny amounts, then fees when sending will be higher[.] because this [This] payment could be compared to paying a restaurant bill using only penny coins [pennies]."
  • "shared between all software [the computers] on the network"
  • "when your wallet client program is not running, and you later launch the wallet client"
  • "catch up with any transactions it did not already know about[,] and the coins will eventually appear "
  • "What does "synchronizing" means [mean] and why is it taking so long?"
  • "This step can be resource consuming and requires to have enough bandwidth and storage for the full block chain size [to accommodate the full size of the blockchain]."
  • "Mining is the process of spending computation [computing] power to process transactions, secure the network[,] and keeps [keep] everyone in the system synchronized together."
  • "Mining is called this way [This process is referred to as mining as an analogy to gold mining] because it is also a temporary [the] mechanism used to issue [new] bitcoins in a very similar way to a scarse commodity like gold. However as opposed to gold, [Unlike gold mining, however,] Bitcoin mining provides a reward in exchange of a [for] useful work required to operate a secure payment network."
  • "broadcast through the peer-to-peer network and perform [performs] appropriate tasks to process and confirm"
  • "transaction fees paid by customers for faster transaction processing[,] and newly created coins, issued into existence according to a fixed formula"
  • "proofs are very hard to generate because there is no way to create them other than [by] trying millions of random calculations"
  • "ensure that the average time to find a block remains equal to 10 minutes on average"
  • "very competitive business where no [individual] miner can control what is included in the block chain"
  • "Proof of works [Proofs of work] are also designed to depend on the previous block"
  • "because this would require to recalculate [recalculating] the proof of works [proofs of work] of all following [the subsequent] blocks"
  • "corrupt the Bitcoin network because all Bitcoin node [nodes] would reject any block that contains"

I only made it to the "Is Bitcoin mining a waste of energy?" section.  I have to go to bed now, but I'll try to finish the rest off tomorrow if nobody else does.

Thanks for writing this blockgenesis!
94  Bitcoin / Project Development / Re: Is Mastercoin bloating the blockchain and what we can do about it? on: August 30, 2013, 09:27:42 AM
@dacoinminster, if you're still intending to give me those 3 BTC for pointing out that problem with your proposal, could you please send them to 1GMaxweLLbo8mdXvnnC19Wt2wigiYUKgEB

@gmaxwell, thanks for your efforts.
95  Bitcoin / Development & Technical Discussion / Re: Auxiliary block: Increasing max block size with softfork on: August 29, 2013, 06:30:21 PM
3. If some try to steal these OP_AUX outputs without following the new rules, however, they will be rejected by the majority of miners.
Get majority hash power, steal all the coins?  (Or at least a very large amount, potentially.)  This creates a huge incentive to commit a "51% attack", does it not?
96  Bitcoin / Development & Technical Discussion / Re: CoinCovenants using SCIP signatures, an amusingly bad idea. on: August 22, 2013, 08:47:06 PM
I don't currently think we should forbid covenants, though perpetual ones are utterly moronic. Ones that last one or two transactions sound useful to me... and the considerations required to forbid them are too ugly.
Time limited ones seem useful to me too.  For example, secondary markets for bets - outputs whose ownership is ambiguous before a specified time (dependent upon an oracle releasing secret before this time) could be transferred on the blockchain by the individuals involved without requiring signatures from the others, but while preserving their potential claim to the output.
97  Bitcoin / Development & Technical Discussion / Re: CoinCovenants using SCIP signatures, an amusingly bad idea. on: August 20, 2013, 06:52:51 PM
I was thinking a potentially useful application of this could be security deposits, where an output can be spent before a specified block height only if cryptographic proof of fraud is presented, and in this case, it can only be spent to a miner sacrifice output (anyone can spend 100 blocks after the specified block height).  After the specified block height, the output can be spent like normal by the depositor.
Indeed, redeeming a fraud proof is a canonical use of a SCIP-script (esp since it can keep the fraud proof itself private, preventing miners from taking it, which no simple on-chain fraud proof support can do).  Though this doesn't require a covenant (a script that encumbers future coins), just a script.

Even if you want to ensure the deposit goes to a (fair) miner sacrifice?  I'm thinking of this for the case of sybil attack prevention in p2p networks where the deposit isn't placed with anyone in particular.  In this case, if the deposit is claimable by the first person to present the fraud proof, then it will simply be claimed by the attacker, as he will have the advantage of surprise.
98  Bitcoin / Development & Technical Discussion / Re: CoinCovenants using SCIP signatures, an amusingly bad idea. on: August 20, 2013, 06:39:42 PM
I was thinking a potentially useful application of this could be security deposits, where an output can be spent before a specified block height only if cryptographic proof of fraud is presented, and in this case, it can only be spent to a miner sacrifice output (anyone can spend 100 blocks after the specified block height).  After the specified block height, the output can be spent like normal by the depositor.
99  Alternate cryptocurrencies / Altcoin Discussion / Re: OFFICIAL LAUNCH: New Protocol Layer Starting From “The Exodus Address” on: August 07, 2013, 08:13:52 AM
I'm going offline until tomorrow, but you guys have my sincere thanks.

Ripper and vokain, I didn't officially set up a bounty, but I would like to tip these two guys (maybe 3 BTC each) once I start tapping Exodus Address funds September 1st. Do you approve?

bytemaster needs a tip for his insane persistence, and d'aniel for actually describing the attack that bytemaster felt must exist.
Thanks!  PM me for an address if you like.
100  Alternate cryptocurrencies / Altcoin Discussion / Re: OFFICIAL LAUNCH: New Protocol Layer Starting From “The Exodus Address” on: August 07, 2013, 12:06:42 AM
Keep in mind that the price of the backing is uncorrelated with the price of the pegged-to asset, and it's just a matter of time before their ratio randomly walks below 1.  Plus, capital costs money, so there are limits to how overcapitalized the currency can be (fees have to remain competitive).