"Last time Matthew and I had sex, it was quite a hot affair.  
That is why I purchased a subscription of the Bitcoin Magazine!!!"

Edit: woops, forgot the double quotation marks.

Looking sexy 

Yep nice catch.... LOL, never been so good at spelling.

I’ve just noticed that the BitcoinTalk has dragged itself out of the sewer, out of the gutter, and is starting to crawl like a vomiting drunk man again!

Welcome back!

IRC has also improved lots of with good conversations, and insightful comments!

Overall I think that the bitcoin community has started to re-build and become a friendly place again!

Edit: Spelling.

On the cost of having massive offline hashing capabilities:

We are already seeing the significant cost to mining as being the electricity usage.  Even with the massive change per year in hashing efficiency gained by new technologies.
Over time it is likely that the cost to mining will become much more dependent on the cost of electricity than it is now.  The main reason is that the technology isn’t going to progress at the same rate as it is progressing now.

We have seen the 500x improvement from going from CPU mining to GPU mining, 2years ago.
We are now seeing the 10x improvement from going from GPU to FPGA.
And we are just now beginning the 5x improvement from going from FPGA to ASIC.

The trend is clear.  Do you think that the generation 4 ASIC miner is going much, faster than the generation 3?  Then what about the generation 6 or 7 or 10 miners??  The improvement as the technology for hashing for bitcoin matures, always decreases.

This means that while it is ‘better’ to buy the newest generation miners.  The old miners are not completely made oblique.   CPU’s are never going to be useful in hashing for bitcoin again… However FPGA’s may have quite a long life-time.

When it is no-longer profitable to run your FPGA all the time… What happens when a group of insurance companies offer you a quite profitable rate for on-demand hashing?  Do you just say ‘no’ or do you take up the offer for additional income.

The hashing needs of the network are going to become more and more dynamic, depending on the price.  If an attack is happening against the network, there will be many players who will be happy to pay, temporally, a higher price, for more hashing power.  Meaning that the old miners will be dusted off, and switched on… probably automatically via auctions for hashing power.

There still seems to be quite some confusion about some of the potential attacks to a bitcoin network where the vast majority of the hashing power is only used when an attack is detected.

To add some clarity, I’ll go through each attack independently.

Double Spending Attack

The ideal double spending attack involves:
1.   Making a transaction for another ‘hard’ asset; such as physical face-to-face transfer of cash.
2.   As soon as this transaction is complete, secretly mine a chain that spends the above coins to a different address.
3.   Once well-ahead of the publicly known chain, attack release the hidden chain and the network reorganises onto the more-ahead chain.

Now this attack seems pretty fool-proof, until you do the numbers.  If (for whatever reason, I’ll come to that later), the bitcoin network wants to quickly orphan the offending chain, it will do so.

Say that the attacker has 2x the base-load of the network, and waits for 6 blocks of the public chain before releasing.  This means that the attacker (on average) will have a 6-block lead against the rest of the network.
When this attacking chain is released, let’s say 100x the base load hashing power is used to orphan the chain.   When the attacker has completed block number 13, the other chain has just completed 50 blocks, and now has a 43 block lead.  This completely orphans the attacker’s chain.

Effects:
When quite a few attackers have ‘attempted’ to double spend, then quickly get squashed in the 1st or 2nd block after they release their chain, this will naturally ‘raze the barrier’  to attack while no significant continuous  hashing resources are being spent.  Attackers don’t attack ‘just for fun,’ but they attack to win.   If the attacker wants to double spend, and win; they and the network holds 100x hashing resources to defend an attack.  Any-individual attacker must also have 100x the hashing power to win.  (Of course they get a very trivial head-start, by starting the attack in private).

This will make attacks on the network rare.


Supply Blocking attack
(Please note, that this attack must be externally funded to the bitcoin economy, as an internal malicious attacker would never be able to recoup the resources used to conduct this attack from the bitcoin economy itself).

This attack involves having more than 51% of the hashing power of the network, and orphaning any block that doesn’t agree with the attackers goals.  (Be it to kill bitcoin, or force high transaction fees, or regulate bitcoin in some way).

One would do this now by:
1.   Judge how much hashing power there is on the network
2.   Halve that number, and put a bit more on for margin of error
3.   Turn on this hashing power, and orphan any block that doesn’t agree with your rules.

This attack is quite simple to do with the current network.  Also you can be virtually confident that your attack will success if the attacker gathers more than 75% of the current hashing power.

With dynamic hashing power, the base-load hashing power becomes irrelevant; the ‘maximum, sustainable’ hashing power becomes the important metric.

The attacker must ‘guess’ what amount of the dynamic hashing load is sustainable, by the network, gaining much more hashing power than this for a safety margin.  This brings both up the uncertainly of the attack, and the cost.

However, the network will not just say, ‘I’m getting tired now.’ It will become a big game of bluff.  If the attackers chain is orphaned by the network by a significant margin (say more than 2000 blocks), then the network may automatically ‘cement’ into the new chain.

Overall… The same security issues with this externally funded attack remain for either a static hashing load or a dynamic hashing load.  However the dynamic hashing load makes the uncertainties in attacking the network much higher as well as not wasting as much electricity when there is no attack happening.

If only one insurance companies transactions get reversed... Then id expect only that company to pay for orphaning the attacking chain.

If more than one companies transactions are getting reversed, then they all have a vested intrest to work together in orphaning the offending chain.  If one company didn't join in to help; that company would in the future receive less corporation. As well as loosing public reputation.

Electricity is the major cost of a long-term mining operation.
Yes, the hardware is changing rapidly now... However bitcoin is new.  Doing many many Sha256 sums isn't a problem that has been important to do, like it is now.

In 20 or 40 years when the block reward is much much lower... I would expect there would be a huge number of miners who would have already paid off there equipment, but don't mine, as it isn't profitable.

An insurance company could make an application that automaticaly buys hashing power at the cheapest market rate, when it needs it.  When there is an attack,the insurance company could be willing to buy much more hashing than when there is no attack.

Yes.  Cementing has a risk.

However the risk is inversely proportional to the number of blocks you go back.

There are two 'in particular' attacks here.

1. Segmenting a particular client from the rest of the bitcoin network.
2. Trusting 'someone' to declare blocks 'evil'.

The first attack is mitigated by having a basic connection web-of-trust.  Where a client displays a warning when it hasn't got any messages from known good nodes.  This only defends against only being connected to an attacker.  It didn't centralize the core part of bitcoin.  It just makes a network re-org much harder to make without being completely seceret.

You don't need to have an "evil bit".  You can detect a reorganization chain as being malicious uner the following conditions:

Is more than 100 blocks long.
Contains double spending transactions, when compared with the previously accepted chain.
Unspends transactions that were in the previous chain for more than 6 blocks.

While not directly related to how high or low (I think the difficulty will be low).
I have posted a separate thread on why having a low "base load" hashing power isn't a bad thing... Rarther a good thing:

https://bitcointalk.org/index.php?topic=68218.0

Hope my above thread shows why "difficulty" isn't the be-end-all on bitcoin security.

Block rewards are going to be very low, so are transaction fees.  The the only reason to turn your miner on is to defend against an attack.

Insurance companies have a vested interest in making attacks against their customers unprofitable.  (by orphaning a double spending chain that hurts their customers).  So any attack is likely to be killed by the free market.

I'm sorry.  Where is the economic incentive to cheat?

If an insurance company is protecting your transaction, they may choose to let the reorganization happen (cheaper just to pay the lost transactions they cover).  However if it is cheaper to orphan the hidden chain.  Then that choice will be taken.)

However if a few different insurance companies are going to loose money on the reorganization, then they will decide as a team to orphan the offending chain.  This has a feedback where if one of the companies didn't play fair, they will loose reputation.

Also, the more long the hidden chain has been kept, the more obvious it is when it is released.
A WOT based chain locking after 1000 blocks would stop the most long-term attacks.

However it is easy to display a warning when there is a large reorganization... And even if there is a large lead... With much more hashing power 'in waiting' any reorganization is likely to be very short lived; and never successful. (in the long run).

When an attacker publishes a 'seceret' chain that reverses some transactions, the network will detect this and quickly mine enough blocks to orphan that seceret chain.

The network must maintain enough "base load" to make such hidden attacks unprofitable in the general case.

Say the network has 100x dynamic hashing power to use against such double spending attacks.  A 100 block hidden fork will take only 1 block (of time) to reset back to the non attacker chain.

Also clients can be desigened to detect such a reorganizatio, and wait a fewmore bocks for confidence.  

Yes it dose.

1.  The attacker knows how much hashing power is needed to attack the network now.  With dynamic hashing the ammount of power needed is unknown untill untill that attack is atempted.

2.  The network is expending unnecessary resources maintaining a high hashrate when there is no attack.  It is much more efficient to save the resources now, in preperation for an attack.

3.  The network may be able to defend at a much higher hashrate for a short amount of time.  While the attacker dose not know how long or what % of the total defencive power is used.

Edit: Grammar.

So why is this post important?...

Lots of people have been scared of the natural low difficulty bitcoin will have once the reward per block is lowered dramatically, and the block size is increased.

What the above post sugests is th having a constant high difficulty will in the long run be less secure.

Instead it will be much more secure for the network to have lots of hashing power "in the wings" waiting to defend against an attack.

Then I proposes a "bitcoin transaction insurance company" so that the defensive hashing power will not be subject to the "tragedy of the commons" problems that plauge other defensive solutions.

Hello.  I just want to clear up some half-truths about this topic.

First:  Difficulty != Security. -  However generally there lots of correlation between the two.

Security is defined by: Cost of carrying out a successful attack against the bitcoin network v.s. direct gain to the attacker.


Bitcoin has never provided security against attacks that have 3rd party financial gain.
Even with the block reward at 50, bitcoin is not secure against a large attacker whom take their gain from maintain the status co.  For example: a Bank, or a Government.  (This is why it is important that the community designs non-proof-of-work based crypto-currencies as alternatives)
So point 1:  Bitcoin isn’t secure from a power determined attracter, even with the ideal settings that it has now.

Continually-high difficulty will tend to be less secure than ‘very high only when needed’ difficulty.
If the entire network is expending large amounts of resources on maintaining a constant very high difficulty; this will lower the total resources available to the bitcoin economy to defend against a (relatively) short-term attack.
For example, maintaining a difficulty of 1M necessitates that the entire bitcoin community spend the resources to maintain that value.  However an attacker only needs to spend the resources to gain a hashing value of 2M equiv. for two weeks, to do significant disruption to the entire bitcoin economy.
There is a constant loss of 1M equiv. on the bitcoin economy.  However the attacker only needs to budget for a loss of 2M equiv. for a much shorter time… This gives the potential attacker a large financial advantage over the long term.
Point 2:  Continuous high difficulty make the bitcoin economy less well positioned to defend against a real attack.

Attacks against the bitcoin network are statistically easily detectable and can be quickly defended against.
There are two main types of attacks that an opponent with a majority hashing power would carry out; the they are both very obvious.
1.   Double Spending, this attack “re-writes” the order of the transactions, making retrospectively (to the POV of the receiver of the coins), removing the previously agreed to transaction.
2.   Supply blocking.  This attack either the attacker requires a registration of every transaction before accepting them into the block chain… or will just reject every transaction.  This is likely to me a much more damaging attack to the long-term future of the bitcoin economy.
When either of these attacks happen, the bitcoin economy is going to be very away of them happening.  There will be time to mount a significant defence before serious damage has been done to the economy.
Point 3:  Attacks are easily detected, and there is enough time to mount a defence against them.


Vested interest in the Bitcoin economy’s health
Everyone who owns bitcoins, or indirectly is dependent on the bitcoin economy, has a financial (or philosophical) interest to defend the bitcoin network from attack.
This means that there is a very large potential amount of value that can be put behind the bitcoin network in the case that the bitcoin network is indeed actively being attacked.  (50% value is better than 0% value on investment).
This value is NOT dependant on the rewards that the bitcoin network provides to the continuous active miners.  This value is dependent on the bitcoin economy size at-large.
Point 4:  The value behind protecting the bitcoin network is much larger than the value provided by the block rearwards or transaction fees.


With these points in mind, I would like to make this suggestion for the most secure way that the bitcoin network may wish to work:
1.    The block rewards (eg, new bitcoins, + transaction fees), only need to cover trivial internal annoyances that happen when the continuous hash rate is too-low.  I suggest that 0.1% of the bitcoin market cap per year will be about what is required to stop these trivial attacks.
2.   The bitcoin network may have a continuous hashing value as low as 100K or less.  Yet remain generally secure.


Conclusions

Bitcoin Transaction Insurance companies will hold much of the 1st line dynamic hashing power.  The will be companies that sell a service to businesses that will cover any losses due to reversed transaction double spending.
When an double spending attempt is (automatically) detected, against one of the insurances companies clients, they will dynamically decide if it is cheaper to fire up their miners and orphan the offending block, or pay-out the value of the transaction.
For the functional security of their customers they don’t require a very high constant hashing rate.  Rather a known potential very high hash rate.  (Something that it isn’t profitable to attack against).
The free market will bring down the price of the insurance to the minimum cost that it requires to defend against the attackers.

The 2nd line of dynamic hashing power will be bitcoin banks and other bitcoin trading businesses.
These companies will keep very large hashing power offline, unless there a systematic attack against the network is detected.  In that case, they will turn on their miners and out-power the attacker for as long as the attacker has resources for.  Once the attack has been given up the miners turn off, and are ready to turn on again at the drop of a hat.

The 3rd line of dynamic hashing power will be individuals whom have a large stake in the success of bitcoin.  They will work much the same as the 2nd line, however will only turn their miners on when everything else looks about to fail.

TL;DR:
Once the network changes from a static hashing defence, to a dynamic hashing defence; and potential attacker must not only overcome continuous hashing rate, (that may be quite low).  But also overcome a massive hashing power that is only activated in the case of an attack.
The bitcoin economy only needs to expend additional resources _when_ an attack is occurring. (and expending resources in maintaining the offline miners, and purchasing them in the first case; but this is generally a one-off investment, not a continuous cost).
While the attacker must provide a continuously high hash rate, above all the defensive dynamic hash rate available.


Edit: Formating/Spelling

Well for this to happen we need:

1.   Stable OT Market Server
2.   Issuers that issue to the market server
3.   Good library in for easily attaching an OT client to pre-developed trading packages.
4.   Scripts that can automate the certificate generation and basic testing.


OT still needs lots of work, but it is starting to stabilize.
Work in splitting the OT-Client wrapper from the Moneychanger project has only just started, there is still much more work to be done for that. (I was starting that project)
Issuing certificates is all done by hand atm.  We really should have a little python app or something that can automate much of that.

OT has a huge amount of potential, however it just needs lots and lots of work to take it from the proof-of-concept stage it is at now, to a more useable solid solution for finance.

Bitcoin:  "I'm hard and my market cap is getting larger"

Well said... Well said.