Of course.  I didn't suggest otherwise.


If so then this is equally true for normal transactions.  There is nothing that links outputs to the inputs they came from.


A matter of interpretation which I will accept here for the sake of argument.  To be consistent, should we not interpret the bitcoins of a transaction's inputs as disappearing into thin air before being regenerated in its outputs?  Now, instead of "Why stop at a coinbase transaction", I ask "Why not stop immediately"?

Why stop at a coinbase transaction?  Coinbase outputs contain the fees of transactions included in its block.  Surely we should repeat the iteration with each one of the block's fee-paying transactions.

Not really.  Bitcoin doesn't work this way.

Suppose I have 1 BTC from 2014 and 1 BTC from 2012.  If I use these to buy something worth 2 BTC then the seller will receive a single 2 BTC output which can be traced back to 2012.  If this seller later sends 1 BTC to a friend then both the seller and the friend will have a bitcoin which can be traced back to 2012.

Chunks of bitcoin are easy to mix up in this way.  Even "freshly mined coins" are indistinguishable from collected fees.

Yes.

Adding to point (2).  To achieve maximum entropy, it is essential that no word is more or less likely to be selected than any other and each select event is independent from any other.  Some people erroneously attempt to think up their own words or select them from random pages of some book.


Agreed.  I made my own version of the Diceware list years ago to counter this problem.  10 000 words is indeed generous.  Even as a native English speaker I wouldn't care to push much beyond 1000 words.

These days I use the English 2048-word list supplied with BIP0039:


Certainly, shortcuts can cost entropy and while method obscurity may increase security, it will typically do so in a non-quantifiable way.  Relying on one's intuition regarding the difficulty of divining an obscure method is to abandon a foundational premise of information theory.

However, I'd like to highlight key-stretching as a fair source of additional security for a true brainwallet.  In essence, one simply forgets the last few words of their passphrase and brute-forces them whenever access is required.

I'd also like to expand on "sufficiently safe" here.

Selecting 12 words randomly and uniformly from a pool of 10 000 words gives 12 * log₂(10000) = 159.45 bits of entropy (2.d.p).  Roughly speaking, there are as many equally plausible 12-word passphrases as there are Bitcoin addresses.  Assuming the entropy of the passphrase is not reduced as it is converted into a private key, such a private key will be no less effective in securing a Bitcoin output than a standard random key.

Selecting 12 words from a pool of just 2048 yields
bits of entropy.  This is less secure than a standard address but is arguably "sufficiently safe" today.  Electrum¹ seeds have 128 bits by default.  Casascius coins used special 128-bit compact private keys.

Even 9 words from 2048 gives 99 bits of entropy.  We're well past the point of general cryptographic recommendation here but as far as a convenience/security tradeoff is concerned, I believe there are cases where 9 words would be a reasonable choice.  Extending your earlier point of reference:  As of block #387287, approximately 2^83.71 hashes have been calculated by miners in Bitcoin's lifetime, and such a hash is computationally cheaper than converting a private key to an address.

---

[1] Most new Electrum seeds are 13 words from the pool of 2048 words I linked to above.  One might expect such a seed to have 13 * 11 = 143 bits of entropy but some of the data is dedicated to a checksum/version-number and the final word is underutilised (usually begins 'ab' or 'ac').

As shorena points out, each wallet contains an effectively infinite* sequence of addresses but the client only lists an initial part of this sequence (enough so that you have 20 unused addresses at the end of the list).  This list will automatically expand as you consume addresses.

If you would like a larger buffer, say 50 addresses, then enter:
into Electrum's console and restart Electrum.

* 2³¹ addresses.

In rough terms:
The guy that solves one problem gets to set the next problem.  In fact, his solution is the next problem and he's free to try and build on it.  Each block is both a problem and a solution and they naturally form a chain.   Satoshi set the first problem on Jan 3rd, 2009.

Will the Devs raise tx-rates in December?

It's rumored to be a "live possibility".

Perhaps a coin flip then.  It would be difficult to be more arbitrary or impartial than a coin.

400 what?  Can you share this "all time chart"?

A person with an honest job is ultimately working to satisfy the wants of others but is usually primarily driven by his desire for money.

Do you feel that such workers of past, gold-based economies were guilty of evil?

But then what would happen were demand for block space to far exceed what can be supplied by the network?

I maintain that a limit should be tied to what can be supplied, not what is being demanded.  A purely demand-driven block size limit would be as pointless as the US debt ceiling.

On the 1 million club (2015):

On the Vladimir club (2012):

Ah, how times change.

Most encouraging.  But what about next year?

The "true price" set by the venue is far more artificial than the prices arrived at through scalping.  This would be like describing the Federal funds rate as the "true interest rate" while viewing the market rate of interest to be an artificial deviation.

With "there is always a shortage of seats at the true price" are you implying that venues always try to leave money "on the table"?  If so, why do you imagine they do that?

Profitable scalping does alleviate artificial shortages created by venues.  It does not increase the number of seats but it does decrease the demand for those seats.

Extracting private keys from an Armory root key without Armory is not as simple as sweeping a private key.  The Bitcoin base-58 private key format is widely used whereas the Armory root key system is pretty much just an Armory thing.

Still, it's not so difficult.  See here for details.

I care a great deal about right and wrong.  I enjoy doing what I think is right and feel bad doing what I think is wrong.

I do not believe that all crime is necessarily bad.  "Crime" is defined by the state and I do not believe that the state is perfect.  If I thought the state were perfect then I would trust its money and have little interest in trustless money experiments such as Bitcoin.

I care little about appeasing those that think "crime = bad".  On the contrary, I care to dispel this myth.

Ideally you'd use an integer type, preferrably unsigned.  I recommend following the good example set by the reference client by working entirely in satoshi (BTC, mBTC, and µBTC are used only for human input/output).

I'd only resort to double precision floating types when true integers are not readily available (e.g. javascript).

What precisely does "harm to Bitcoin" mean?  Are we talking about attacks on the network or a reduction in what is called "market cap"?

In both cases I suspect that our limited historical data will reveal criminal activity being pretty good for Bitcoin in the short term (with the occasional exception).

Of course, there are people that would use Bitcoin were it not for various stories linking it to criminal activity.  I'd argue that many of these people would only harm Bitcoin by adopting it today.  They would be easily scammed, lose money/keys, create volatility, and complain loudly about their negative experiences.

Bitcoin today is usable by more than just crypto ninjas but it is certainly not suitable for the weak-minded, the irresponsible, or the naive.

As for Bitcoin's long-term prospects, other uncertainties surely dominate public perception concerning crime.  If Bitcoin does continue to grow and infrastructure forms allowing even the economically childish to benefit from its use then an advertising campaign declaring an end to Bitcoin's "wild west" should prove a cheap and effective manipulation.

Interesting how fraud is essentially baked into this definition.  This is not a slight on your work, just an observation that the modern state of banking is so warped that failure to balance assets against liabilities is simply assumed.