Also, I want to point out that Satoshi was not working ex nihilo.

HashCash - a proof-of-work to show that you have irreversibly invested resources into what you're trying to do or asking someone to accept - was Adam Back's invention.

David Chaum developed the idea of block chains using hashes to prove that each was descended from the last and had no modifications of history.

Dozens of people, including David Chaum, had published cryptographically sound digital-cash systems of various kinds - and it had been a sort of holy grail of the cypherpunk crew for decades, starting with James Bell IIRC.  But all digital cash protocols up to that point had required a trusted party, and to the extent they had been deployed, many had been deployed by untrustworthy parties.  There were a number of arrests and charges filed by everyone from the FBI to the SEC to outraged investors.  By the time Satoshi got there, the entire topic of digital cash had reached a sort of scorched-earth status among professional cryptographers;  we'd seen dozens of these systems and every last one had either been a cryptographically unsound construction, a snake-oil solution from a scamster who could abuse the 'trusted party' role to steal stuff, an entrepreneurial proposal which the market more or less ignored because it would involve making payments on pretty much the same order as existing payment networks, or, once in a while, a cryptographically sound proposal that wasn't a scam but which was also never meaningfully deployed.  

Heck, even I had come up with a digital cash system back in 2004, but it didn't achieve Bitcoin's decentralization; there was no proof-of-work involved, but the individual coins were tiny block chains where each block recorded one transfer of that coin between holders.  Holders could transfer coins between themselves offline without communicating with the rest of the system, but those coins eventually had to go back to an issuer (double spent coins had to wind up in the same place for a double spend to be detected and the double spender unmasked, and also otherwise they'd just get bigger and bigger as each one of them dragged its own little block chain around).  Everybody had to have an authenticated identity (which would be revealed for prosecution purposes via a cut-and-choose/split-secret protocol if anybody did a double spend).  And so it required a trusted party to assign and keep track of the authenticated identities.  I never even attempted to deploy it because the trusted parties who do that (CA's) are completely corrupt and useless, but it was at least fun to design.

The cut-and-choose/split-secret protocol I used there was not my own invention either.  Chaum's earlier digital cash system had used it first.  Bitcoin doesn't use it at all because Bitcoin doesn't need to "unmask" anyone to deal with double spends - the shared block chain allows simply ignoring them.

When "Satoshi" the alias appeared in late 2008, his code for Bitcoin was already mostly complete.  I had an archive of it in my inbox less than six days after his first post on the Metzdowd cryptography list.   

There's no knowing how long he spent writing it.  But there was unused code in the first released version relating to even larger ideas which ultimately didn't make the cut -- bits of a market, which looks to have been an attempt to do something like a decentralized version of ebay.  -- bits of a reputation tracking system, which looks to have been something like ebay's feedback system and something like a pseudonymous "reputation capital" system.  Ultimately all of that got cut out and just keeping track of the coins became the sole focus.

It looked like a very big project -- bigger perhaps than we know even yet -- but one that got cut back ruthlessly to what could actually be finished and deployed. 

Anyway - there's no knowing really how long he spent on the code. 

It looks like he put all the compute power at his disposal to work for about six days to get the hash on the genesis block that forms the root of the current block chain though - that's judging by the timing of the headline it refers and the timestamp of that block. 

Before that, there were a couple of testing block chains that came to an end when something about the block format needed fixed. But none that ran for more than a day or two.

As for what Satoshi wanted, I don't know.  He didn't spend much time talking about ideology; that was all Hal.

Other than that, your mistake is in thinking that money has a purpose.  It is people who have purposes.  Money is absolutely the purest form of what it means to be merely the means that people use to achieve their ends. 

no.  Not that easy.  Tho some people still make money doing it, there is a problem that the pump&dump game requires suckers, and the suckers' money has already been taken.  Even if they still have money, they've mostly been burnt once and are a lot more cautious.  

For every winner in something that's pure speculation, there is an equal and opposite loser.  And these days, the winners and losers are both drawn from the same pool of people because the old-style suckers are mostly gone from the market.

Mining is almost never profitable.  Exceptions (and large mining centers) occur in rare circumstances:

* where a building in an area with harsh winters needs heaters and will subsidize your electricity costs in proportion to heat you provide via your miners.  This does extend to putting antminers in your own basement to replace an electric heater.  But this is a bad time of year to do it in the northern hemisphere; this is autumn and soon running your antminers will mean doubling your power costs by running your airconditioner full-tilt too.

* where you can arrange a contract for "off-peak" electricity usage that gives you substantially cheaper electricity because you use power primarily at night or on weekends when other people aren't using much.  Contracts like this are available in most farming areas in the US: farmers use them to run electrical pumps and irrigate their fields at night. 

* where the government subsidizes electrical power or arranges other economic factors in a way that makes it profitable for power companies to provide it cheap (eg, you live in China or one of a few other places that do this).

The setup costs (miners, space to put miners, etc) are minor compared to month-over-month operating costs like power.  If you want mining to be profitable, select your mining rigs for hashes per joule; it's more important than hashes per second. 

Also?  Lots of miners who were exploiting ASIC advantages early on liked to overclock their machines.  Overclocking increases power requirements per hash.  Overclocked machines are now all losing money in a market where they have to compete with identical machines that aren't overclocked.

Notaries are not trusted agents.  They don't make decisions, they just serve as public witnesses to a state of affairs.  A notary signs a copy of the block chain, he keeps the copy, and thereafter if someone attempts to change history the notary can prove that it was changed.  They have literally *zero* ability to make decisions about the content of what they're witnessing.   Nor do they have the option of producing a backdated signature, because their signature is part of the content that other notaries sign. 

Anyway, notaries are "trusted" to about the same extent that the bitcoin network itself "trusts" proof-of-work, which is essentially what they're replacing in the proposed system.  A notary gets about as much input into fiscal policy decisions as an antminer box.

Now, the banks themselves will be making decisions of the sort that the bitcoin community does not desire - they will be choosing, for example, when and by how much to inflate their currency supply.  You can argue that this isn't "ideal money" or that it fails in some ideological way, but why would they give a crap?  Also, whether you like the long-term inflationary effects or not, their adjustments of money supply *do* usually stabilize the value of fiat a lot in the short term.

If it does roll down to the level of consumers, Homer and Harriet Normal, who really and truly don't give a crap about "Ideal Money" and are entirely comfortable with moderate rates of inflation, will find something in familiar denominations, easily convertible at the bank for convenience, accepted on pretty much every payment network, and stable in value relative to the currency they're used to.  For them, it's cheaper than their credit cards and a slam-dunk advance in convenience over Bitcoin.

The important thing to me though, is that the chain of cryptographic hashes, treating "proof-of-notarization" as a basic protocol primitive, ties the central banks to an irrevocable public ledger.  The decisions they make are published, can't be kept secret or later denied, and because notaries have authenticated identity and can go to jail for false witness, "proof-of-notarization" is as hard to fake on a day-to-day basis as proof-of-work on an hour-to-hour basis.  You just aren't going to be able to subvert enough of them, enough of the time, for long enough, to get an attack chain accepted.

Heh.  It only puts you at a disadvantage if you *don't* use it and others *do*.  If it weren't there in the first place, and nobody were using it - all the hashing would still be fair, still distributed according to computing power, etc.

And the optimization is even steeper then recomputing from the midstate.  Having a nonce field in the header also saves you from having to recompute the merkle tree for every hash. 

Bitcoin headers don't really even need nonces. 

You could just set the nonce in the block header to zero, or use that field for something completely else, and do your hashing on the basis of incrementing extranonce instead of on the basis of incrementing the nonce.

We 'extended' the nonce space by embedding an "extra nonce" in the coinbase transaction, but there's no reason why that's an 'extension' rather than a 'replacement' except that incrementing it requires recomputing the merkle tree so it would be slower. 

Think about it:  The coinbase transaction is part of the block - it changes the merkle root of the transaction tree.  And we have space in the coinbase transaction currently devoted to an 'extranonce'.  Extranonces of up to 100 bytes can be used. 

Ironically enough, the central banks want decentralization -- badly -- when dealing with each other.  "who has control" is a very hot potato indeed at that level.  So they're looking for a decentralized solution, not for use by customers, but for use among themselves.

It won't be bitcoin, because that would involve giving a lot of money to people who already have bitcoins and haven't done much of anything for the central banks.  Bitcoin holders are not seen as stakeholders in international finance, and are not entitled to anything by their lights.

They're just going to use the open-source technology to solve a problem among themselves - it sidesteps the burning problem of who has control in a closed-ledger system. 

Their customers, on the other hand, don't see the central banks' control as a problem, and mostly don't give a crap about such esoteric properties.  They aren't ideologues; heck, most of them aren't even idealists. They are what we call the mainstream. 

I don't think so actually.  An open ledger, which anyone can save at any time and compare to the public ledger at any later time, goes a long way toward convincing people that funny stuff ain't happening.  

If Bitcoin actually brings about a degree public accountability and gets central banks using a common, open ledger, then it will have done a hell of a good thing regardless of what happens to bitcoin as an actual currency.

The funny thing about this is that cryptographers have been proposing hash chains to secure ledgers and other history for ~25 years, and been firmly ignored until something like Bitcoin that uses exactly that tech (plus Proof-of-work) got big enough to bring it to the attention of people like IBM.

 

http://www.reuters.com/article/2015/03/12/us-bitcoin-ibm-idUSKBN0M82KB20150312

It looks like Bitcoin managed to get the attention of some large players, and IBM is interested in developing the block chain technology for use by central banks. 

The idea is that there'd be a block chain used to transfer value, denominated in conventional central-bank issued currencies, around between banks.  "Like Bitcoin, but without the bitcoins." 

Amongst other things they'd be relying on a network of authorized notaries (with verified real-world identities and subject to prosecution for nonperformance) rather than proof-of-work, so their chain security costs would be considerably less -- theoretically measured in prosecution and imprisonment costs, but in practice the notaries have approximately nothing to gain and a 100% chance of being caught, so I'd expect the prosecution and imprisonment costs to be far less than Bitcoin's combined investment in mining equipment. 

That makes it more efficient than Bitcoin for doing what Bitcoin does.

Interesting.  I see it all the time.  Start watching and look for it; I'll be interested to hear if actual observation agrees with your impression, then if it does I'll ask which state you live in.


Exactly.  That's why they DON'T stop you from spending the bill, even though they have to track its circulation.  They stop people from spending counterfeits, but not from spending bills that were stolen from somebody six months ago or used in a drug deal six weeks ago.  They want to know where these bills are circulating because it's a clue where the crooks are - but they're not trying to stop individual bills.


No.  The strawman version is where the store actually REFUSES your bill because it's on the list, and outside of actual counterfeits I've never seen that.  What I've seen is grocery store clerks have to write down the serial numbers on a clipboard and, because that's a pain in the ass for them, are happier if you pay with smaller bills - not because there's any risk that the larger bills won't be accepted at the bank, but just because writing down the serials is extra work.  

Unless MP is firmly linked to a real-world identity that can be held legally responsible for non-performance, and I personally can prove in court that the counterparty on that IRC channel has the same legal identity, I will not be paying MP, over a fuckin' IRC channel no less, for any promises of any kind.

Come on, guys, we aren't supposed to be idiots.  Why would we deal with anyone via an unauthenticated protocol for future performance or delivery of anything?

When you actually pay for the car (check, cash, credit card) and take possession of it (by driving off the premises) it becomes your property and cannot be claimed by the seller's creditors.

Also, you have a non-performance claim if you are unable to take possession, and can get your money back in court (that is, you are recognized as having the same legal standing as the seller's other creditors). If you pay by credit card or check, this is easy.  Legally, it also applies to cash, but it is less easy to press the claim with cash payments, because records may be conveniently "absent" in that case.

Professional used-car dealers usually have much more involved rituals involving witnessed, signed contracts and cashier's checks or bank transfers.  

Hah! Our government would never trust us with denominations that large; the biggest bill in circulation in the US is $100. Although larger deniminations have been printed for special purposes in the past, they have never circulated.  

Depending on the store, the cashier may have to write the serial number on a paper list, or may have to scan the bill through a reader.   I don't know whether the blacklist comparison is done by the accepting company, implying that the private sector has the whole black list available, or the list is sent onward to a financial center, implying that the financial centers and/or regulatory agencies have all those transaction records available.  Either implication is somewhat disquieting, but certainly no worse than the publicly readable block chain.  At any rate, I've never seen a real bill rejected on the basis of the comparison.

The only category of "immediate refusal" is if the bill is revealed to be a counterfeit. - something about which we needn't worry with Bitcoin.

Have you noticed that, in the USA, whenever you pay for something with a $50 or $100 bill, the cashier has to record the serial number of the bill?  

Guess what?  Those serial numbers are being compared to a 'blacklist' of bills known to be counterfeited, stolen, or otherwise involved in crimes.  So, no, I don't think blacklisting will affect bitcoin fungibility substantially more than it already affects dollar fungibility.  

What people are scaremongering about here is a strawman version of blacklists, where the coins cannot be spent and are therefore worthless.  The actual USA policy about blacklists, with existing money, does not normally affect its fungibility.  Instead, it is about determining where investigative efforts need to be directed.  

Is anybody here from a country where the strawman version of blacklists has actually been implemented against high-denomination currency?  

The answer is clearly no, because a transaction backlog means people have to wait for their tx to go through and have no guarantee that they'll go through at all, thus they stay away in droves and the miners get no fees. 

There is no law recognizing entities of this category in the United States.  Nor have I ever heard of any nation whose legal system encompasses such a thing.

As such, I have no guarantees of what the law requires of this entity, nor whom to serve papers on if they fumble and fail to deliver my asset as agreed.  The legal ambiguity of an unknown entity type will also make court proceedings drastically more expensive if it becomes necessary to sue them.

The problem with this is counterparty risk.  The guy who "guarantees" to buy back the bitasset in 30 days may go broke first.  And somebody eats the loss. 

Counterparty risk is exactly what you get with IOU's and some types of derivatives, too.  So your "trustless" system involves "trusting" that someone will not have filed bankruptcy, will be able to buy back the asset, and will follow through on the promise rather than disappearing and retiring under a fake name in the tropics or something.   

In my own experience, farmers sometimes trade options in their crops in order to reduce risk from, eg, a year with tough weather patterns.  When they do so, it's usually with the full intent of fulfilling that option, or demanding the actual physical asset it represents, should the market do what they hope it doesn't.

Thus a wheat farmer will place a  'buy' option on some quantity of wheat, and then if his own crops get hailed out (and likely everyone else's as well, driving prices sky-high) he will exercise that option and expect trucks to show up with product he can take to the grain elevator and sell.