Bump.  I've updated the article above on Difficulty Adjustment, and also posted it to a blog so now there's a link to the online article.

You really think the bitcoin foundation can arbitrate and make informed decisions about hundreds, or thousands, or millions, of chargeback disputes every day?  You really think they should?  You gonna pay salaries since you've just advocated them hiring a few dozen to several thousand people depending on transaction volume?  You think everybody should have to trust (ie, be potentially betrayed by) exactly the same agency anyway?

The problem with chargeback is that someone has to make the decision about whether to do/allow it, and both of the parties involved are self-interested.  If there were agreement, then there is no problem; the "chargeback" is just another mutually-consenting transaction.  If there is disagreement, then you need someone to decide.

So, any protocol that permits chargebacks must involve a third party whose decision about the chargeback can screw over either the payee or the payer.  And people don't want to negotiate an arbitrator or escrow for every fricking online purchase of a watch.  

What *could* be done in protocol I suppose is for someone to establish "superior claim" on a set of coins and then let people use inferior claims on them to make transactions. When there is a dispute, the person with the superior claim can just invalidate the inferior claim held by the disputant whom *THEY* hold to be at fault, and issue a new inferior claim to the complainant (or the defendant, as the case may be).  

If people want the "safety" of something that courts can seize and redistribute according to the judgements, there is a way to give some agency power over particular assets, without requiring that such power be granted over any other asset.  But it would by definition be a "Trusted" agency - meaning one that can completely screw the security of those assets.  The only benefit of this is that it could be done, for example, to make legal compliance possible where needed, while not impairing the ability of people to trade in assets that *AREN'T* inferior claims.

So you could have, for example, a decentralized stock market, where all the traders are trading digital stock certificates which are inferior claims on stocks where the corresponding superior claims are held by the SEC or other regulatory agency.  So if the SEC really needs to step in and sieze the assets because Bernie Madoff or something, it can exercise the superior claim.

Or if a bunch of merchants can be convinced to accept inferior claims on bitcoins as payment, you could have a bank or other agency which owns the superior claim on money that's in an "account" so they could authorize and unilaterally implement chargebacks against merchants who get the inferior claim in payment.  

It is an interesting but solvable cryptographic problem, although it is not at all clear that the result would be any improvement over fiat.  

If MD5 were used for bitcoin it would not be possible to steal coins, or at least not directly.  That would require preimages.

What would be possible would be constructing txOuts that could be spent by any of several different keys.  Which could be interesting, but doesn't lead to any immediate capability of theft.

It could be used in some kind of scam or confidence game though; two different keys capable of spending the same BTC25 could coexist in a wallet and most software would think the wallet had BTC50 in it, for example because neither key would appear to be a multisig or shared key. 

For what it's worth, the MD5 break is of a very particular kind.

MD5 has a collision vulnerability, but it does not have a meaningful preimage vulnerability.

What that means is that it is now easy to construct two  or more documents that have the same MD5 hash (a collision), but given a hash value it is still damned hard to construct something which hashes to that value (a preimage). 

It's preimage resistance isn't quite perfect mind you; an attack has been found that takes 2^123.5 operations to find a preimage, when it ought to take 2¹²⁸ if its preimage resistance were as good as it was supposed to be.  So MD5, while completely broken in terms of collision reistance, is only about 1/24 as hard to find a preimage as it ought to be. In practice finding a preimage is still far beyond the amount of computing power that could be produced by a computer the mass of Earth in a time less than the expected lifetime of the sun. 

Of course, attacks never get worse ... and it's possible that the preimage attack can be extended somehow. 

Bump.  I edited the post adding code for the MIDAS difficulty adjustment system. 

As I understand it, (and I could be wrong here) what is actually absolutely required to spend energy for, is the output.  IOW, you could at least in theory design a system that answers the one-bit question, "is there a nonce meeting the difficulty target within <some range of nonces>" by actually spending the energy to write exactly one bit.  Everything else can be reversible, so the greater the amount of computation you can do without any external effects required the more of it can be done "free" (albeit at ridiculously high complexity) but no matter what, you have to write the output. 

This is serious, people.

A lot of the folks coming to Bitcoin (and altcoins) these days are newbies. 

And there's a serious problem for newbies with keeping their computers secure.  They need all the help they can get.  And yes, some of them haven't learned yet that they oughtn't download crap without checking it thoroughly before running it.  But that doesn't mean they're bad or stupid people; it just means they need help.  Raising awareness of the issue by posting warnings in-thread whenever you see something intended to rip them off is a good start.  Deleting posts that contain malicious links is important too. 

I would recommend that such posts ought to be replaced by a message that says exactly why the post got deleted, as a warning to newbies reading the thread that this is a thing that happens.  Newbies probably do not know what things they need to be alert for.

start here:

http://dillingers.com/blog/2015/04/18/how-to-make-an-altcoin/

If you get stuck AND you're doing something legal, I can be hired. 

Doesn't matter to me.  I have a REALLY good spamfilter.  So go ahead!  Odds are thousands-to-one against me ever seeing any particular spam.   

They are different in that no single address appears in both sets, but there is no discernible difference in the statistical distribution of any bit or any pattern of bits.  There is literally no way, given an address, to guess which of these set it's in.  Except, you know, by iterating through all the possible private keys and seeing if it matches. 

No.  It isn't.  There is no way that is "much easier:"  In fact it's every bit as hard as reversing the hash operation in the first place.

Ya, I think Germany was first; it announced that Bitcoin would be treated the same as a foreign currency, which is largely the same rules:  Tax on stuff bought and sold with it, but no tax for exchanging it.

Exactly.  While I think that the acceptance of Bitcoin has reached a tipping point where legit institutions will eventually deal in it, right now there is huge reluctance because of all the scammy associations that rise out of silk road (just plain illegal), Gox (incredibly stupid or incredibly crooked, doesn't matter, either way is bad), Butterfly, and dozens of imploded exchanges.  

Facing facts, if you were going to investigate the prospects for opening a Bitcoin business right now from a businessman's perspective, you'd be noticing that Bitcoin exchanges have a tendency to go broke in a spectacular way losing a lot of money they'd been trusted with.  And given that apparent risk, it just doesn't seem like a good idea to get into that business.

Now, if the apparent risk is really illusory, and the string of failures has been caused by incompetence or crooked behavior, then the real risk isn't nearly that bad.  Which, you know, is what we all hope.  And that's why the whole scene needs to be "rehabilitated" with honest and competent businessmen accumulating a much better track record than these early unregulated and largely incompetent-at-business people have done, before the wall street guys can sell investors on it.

Yeah, it's a lot like cash.  I think that's his point.  Aside from bitcoin speculation transactions 99%+ of which are done on exchanges (that are not regulated enough for them yet), You see BTC1000+ transactions in roughly the same set of circumstances you'd see transactions that require a steamer trunk full of $100 bills.

Which, mostly, aren't legal transactions.  How often do steamer trunks full of cash change hands outside of contraband smuggling, trafficking, etc?  And that's what the cops are looking at.

It doesn't matter, in their minds, if 99% of the transactions are perfectly legal <BTC1 transactions where somebody is buying a dozen pairs of socks from overstock.com or equivalent; what they're looking at is that half, possibly more, of the bitcoins changing hands in private user-to-user transactions are doing so in illegal deals. 

The same reasoning probably applies to cash, except more like 99.99% of transactions are legal and %10 of the cash that changes hands does so in illegal deals.  And the banks where people exchange cash are already regulated to a degree that they're comfortable with. 

Any non-anonymous address serves as a receipt for Bitcoin; Everybody can read the block chain and see that the payment was made. 

Yeah.  The worst part about it is that Bob is the one who decides when the nLastTime transaction goes onto the network, so he can very deliberately aim for the very last block it can get into, do an immediate spend to some merchant who accepts zero-confirmation transactions, and some fraction of the time, without Bob even needing any mining power, it'll happen to be an orphan block. 

So, yes, nLastTime definitely needs OP_CHECKLOCKTIMEVERIFY to be anything reasonable. 

Okay, I've got the new edits in the blog post now.  So linking to it will get you a better version. 

We need to compile a list of businesses that sell for bitcoin things useful to other businesses (office supplies, machinery, commercial kitchen equipment, wrappers/containers/cups, dishes/flatware/plates,  uniforms, safety shoes, etc) and distribute the list to all businesses that accept bitcoin.  

If they can avoid a 2% "tax" for conversion to fiat and get their purchases done anyway, they'll probably like that idea.

I have a lot of rules about investing my money. 

One of them is that I avoid investing money where an anonymous person breaching an agreement could profit by causing my money to be lost.  Anonymous people can't be taken to court and held liable for losses, and therefore are not to be trusted, especially where a profit motive is involved.

And, really, that one rule has been enough to keep me out of almost all the scams around here.  The few that weren't just tossed out because of that rule, all hit one of the other rules, or just my natural pessimism about their prospects. 

So...  woop, woop.  I haven't been scammed, and I haven't profited from scams.  And I've probably ignored a few things that weren't scams, but I'm okay with that because betting that they were scams was still the bet with the best odds.