Bitcoin Forum
41  Alternate cryptocurrencies / Altcoin Discussion / Re: What's your favourite Altcoin *design* ? on: November 15, 2023, 02:16:26 PM
When all those nice-looking altcoin brands ended up as scams, what's the significance of their nice designs?

When the design is such that the coin creators have no way to get coins cheaply and no way to profit from it, how can it be a scam?

You can design against scams:

* Proof of Work
* Coins can only be obtained by mining (i.e. no premine/mining tax etc)
* High initial difficulty
* Optimized miners available at launch
* Emission not too front loaded
... etc
42  Alternate cryptocurrencies / Altcoin Discussion / What's your favourite Altcoin *design* ? on: November 15, 2023, 08:44:01 AM
There is already a thread about favourite Alt coin, but sadly the arguments there are all about
what is popular, what has been profitable, what is perceived to be good for investing, and what parties are involved.
I see practically *no* arguments about how the alt-coin is designed, i.e. its technical aspects.

So in this thread in contrast let's focus purely on design, and not talk about price, profitability, popularity, people/parties involved. Design aspects include

* consensus model
* protocol
* proof of work algorithm
* difficulty adjustment algorithm
* smart contracts
* utxo/account model
* block size
* block interval
* block chain or graph
* codebase
* security
* censorship resistance
* scalability
* use of zero knowledge proofs
* resource consumption for full nodes or light clients
     * disk usage
     * memory usage
     * bandwidth usage
     * sync from scratch
* decentralization
* emission
* fees
* spam resistance
* (avoiding) wealth concentration
* supply auditability
* cryptographic assumptions
* quantum resistance
* design complexity
* privacy aspects like
     * confidentiality (hiding amounts)
     * stealth addresses
     * tx graph obfuscation/hiding

Note that many of these properties are at odds with each other.
E.g. if you allow 1 GB blocks every minute then resource costs will be huge and you end up very centralized.

Which alt coin do you think made the best design choices and why?
43  Alternate cryptocurrencies / Altcoin Discussion / Re: What's your favourite Alt-Coin, and why? on: November 13, 2023, 03:11:25 PM
Maybe Monero, with its privacy, scalability and fair mining?
40% of all (soft) supply emitted in just the first year? Launched with a crippled PoW? Not my top choice of fair mining.

I vote for the coin that has the fairest emission: 1 coin per second forever.

https://phyro.github.io/grinvestigation/why_grin.html
44  Bitcoin / Development & Technical Discussion / Re: (LINK) BitVM: Compute Anything on Bitcoin on: November 09, 2023, 07:46:00 AM
Even with a super low fee, this logic gate implementation is just too damn large. Particularly the witness data.
You're missing a crucial detail. As Robin has said elsewhere:

"this uses no bisection at all. it just dumps the entire hash function into a single "jet leaf". this is the dumb version of implementing it. we'll optimize that later. and focus on completing the bisection over the VM's state transitions first, as that's what gives scalability"

It will be MUCH smaller with bisection, where the only witness data is the root of a Merkle tree whose leaves are all the gates of the hash computation and whose script allows for anyone who notices a wrong computation result to enter into a challenge/response back and forth that will let them slash the funds of the prover.

This huge tx was just made to demonstrate the CAPABILITY of BitVM to perform arbitrary computation (such as SHA3). It was not meant to demonstrate any efficiency. That will come in due course.
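The bisection idea in the post above, as an added example (not code from the post or from BitVM): a challenger who disagrees with the final result narrows the dispute to a single state transition in a logarithmic number of rounds, and only that one step needs to be checked. The toy `step` function, the trace length and the function names are assumptions made for illustration.

```python
MASK = 2**64 - 1

def step(state: int) -> int:
    """Toy deterministic transition standing in for one VM step (assumed)."""
    return (state * 6364136223846793005 + 1442695040888963407) & MASK

def trace(s0: int, n: int, fault_at=None) -> list:
    """States s_0..s_n. If fault_at is set, the transition into that index is
    corrupted and the run simply continues from the wrong state."""
    states = [s0]
    for i in range(1, n + 1):
        nxt = step(states[-1])
        if i == fault_at:
            nxt ^= 1                      # one wrong bit in one step
        states.append(nxt)
    return states

def find_bad_step(prover: list, honest: list):
    """Challenge/response bisection. Invariant: both sides agree on state `lo`
    and disagree on state `hi`. Returns (disputed step index, rounds used)."""
    lo, hi = 0, len(prover) - 1
    if prover[hi] == honest[hi]:
        return None, 0                    # final result is not disputed
    rounds = 0
    while hi - lo > 1:
        mid = (lo + hi) // 2              # challenger asks for the midpoint state
        rounds += 1
        if prover[mid] == honest[mid]:
            lo = mid                      # fault lies in the second half
        else:
            hi = mid                      # fault lies in the first half
    return hi, rounds

def one_step_ok(prover: list, i: int) -> bool:
    """The only computation the referee has to redo: a single transition."""
    return step(prover[i - 1]) == prover[i]

if __name__ == "__main__":
    honest = trace(7, 1024)
    cheating = trace(7, 1024, fault_at=700)
    idx, rounds = find_bad_step(cheating, honest)
    print(f"disputed step {idx} found in {rounds} rounds; "
          f"step valid: {one_step_ok(cheating, idx)}")
```
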
45  Bitcoin / Development & Technical Discussion / Re: Reversible computations on: November 08, 2023, 11:02:37 AM
Hash functions are a poor example of reversible computing, as they are irreversible by design.
The fact that many hash functions are composed of Addition, Xor, and Rotation is not that relevant.
Sure, these operations are reversible when you fix (or replicate in the output) one input. But hash function
constructions have no fixed inputs and don't replicate.

A good example of reversible computing is symmetric encryption, such as AES.
Here we have functions E(k,x) for encrypting plaintext x with key k, and D(k,y) for decrypting cyphertext y with key k
such that D(k,E(k,x)) = x. And for fixed k, or with k preserved in the output, this is all perfectly reversible,
and could in principle be computed with arbitrarily low energy expenditure.
46  Bitcoin / Development & Technical Discussion / Re: Researcher Claims to Crack RSA-2048 With Quantum Computer on: November 05, 2023, 11:12:04 AM
You got it wrong. RSA-2048 is not vulnerable to QC even theoretically.
Now you're just talking nonsense. Shor's algorithm factorizes n-digit numbers on a theoretical QC in time O(n^2 * log n * log log n) [1]. Which can in theory factorize numbers of tens of thousands of digits.
This is correct only with ideal noiseless qubits and gates.
That's exactly what a "theoretical QC" is. Hence, your claim of "not vulnerable to QC even theoretically" being wrong.
47  Bitcoin / Development & Technical Discussion / Re: Researcher Claims to Crack RSA-2048 With Quantum Computer on: November 05, 2023, 08:06:13 AM
You got it wrong. RSA-2048 is not vulnerable to QC even theoretically. Neither is RSA-128 - yes only 128 bits are beyond Shor's algorithm even in theory.

Now you're just talking nonsense. Shor's algorithm factorizes n-digit numbers on a theoretical QC in time O(n^2 * log n * log log n) [1]. Which can in theory factorize numbers of tens of thousands of digits.

Quote
Current QC hardware struggles with RSA-6 (six bits).

The only thing you got right. The current QC factorization record of 21 = 3 * 7 even used some shortcuts for numbers of a special form. So it's fair to say that we have yet to successfully run Shor's algorithm on a QC.

[1] https://en.wikipedia.org/wiki/Shor%27s_algorithm
48  Bitcoin / Development & Technical Discussion / Re: The longest (strongest) chain, chain reorgs and stale block(s). on: November 04, 2023, 09:26:12 PM
The "longest" chain refers to the blockchain which took the most energy and accumulated work to build, hence it's also referred to as the "strongest" chain.
Consider that the amount of energy used to create a block is not measured or recorded. So, while it might be inferred that the longest chain required the most energy, that statement is not strictly true.
The strongest chain is the one that takes the most energy to completely rewrite.
49  Bitcoin / Development & Technical Discussion / Re: Researcher Claims to Crack RSA-2048 With Quantum Computer on: November 04, 2023, 11:32:52 AM
Quote
We factored numbers with more than 10^1000 decimal digits, and the capital cost was less than $1,000.
There is not enough computing power in the entire world to even store a number with 10^1000 digits, let alone even think about beginning to attempt to factorize it.
Here's a number with more than 10^1000 decimal digits:

10^(10^1000)

And here's its factorization:

2^(10^1000) * 5^(10^1000)

My capital cost was not even $1 ;)
50  Bitcoin / Development & Technical Discussion / Re: A transaction - UTXO’s, new output(s), input(s) and previous output(s). on: October 20, 2023, 03:42:13 PM
* Each UTXO requires its own signature.
While that's usually the case, it's not required.

Each non-taproot UTXO requires its script to be satisfied, while a taproot UTXO can be satisfied either by signature or by its script. Scripts don't have to check signatures.
51  Other / Archival / Re: If you can solve this math problem you'll get a $1 million prize on: October 18, 2023, 08:25:47 PM
I know the article is for 2014, but I just found out what NP really means, but have a question:
Is solving DLP considered to be one of the 7 millennium problems in mathematics?
No; the Discrete Logarithm Problem is not one of them.

The closest problem on the list is P vs NP.
P = NP implies that DLP is easy, but the reverse implication need not hold.
52  Bitcoin / Development & Technical Discussion / Re: If we find DLP solution for EC, what is the alternative to replace ECC? on: October 17, 2023, 07:08:44 PM
Quote
Of course the latter runs in some fixed time, since you just fixed n.
But "n" is always fixed.
No! Not if you want asymptotic time complexity to have any meaning at all.

That aims to study how running time changes as a function of (ever growing) input size.

So all these examples you quote of hash functions and curves are only amenable to asymptotic complexity analysis if you assume that they are defined on arbitrarily large sizes.

When people say that finding a hash with d leading 0s takes 2^d time, they specifically *ignore* the fact that d is bounded by 256, and instead pretend that the hash function somehow generalizes to arbitrarily large inputs.

You can argue that any running time on Earth is limited to the time until the heat death of the Universe and therefore is O(1), but that just makes the notion of time complexity completely useless.
53  Bitcoin / Development & Technical Discussion / Re: If we find DLP solution for EC, what is the alternative to replace ECC? on: October 17, 2023, 04:47:18 PM
each and every computation, that can happen in practice, can be always performed in a constant time. Which means, every single algorithm can be written with O(1) complexity
You're confusing two things. An algorithm in general works for arbitrary input size n. A computation would be running an algorithm on a specific input. Of course the latter runs in some fixed time, since you just fixed n.

But when talking about the time complexity of an algorithm, you need to consider the running time as a function of input size n. Almost no algorithms run in time O(1), since you cannot even examine all of the input in constant time.
54  Bitcoin / Development & Technical Discussion / Re: If we find DLP solution for EC, what is the alternative to replace ECC? on: October 17, 2023, 02:46:25 PM
Are there any alternatives to replace ECC?
There are none if it turns out that P = NP.
In that case nearly all cryptography is broken (only information theoretically secure constructs like one-time pads will survive).

That also means the end of SSL, TLS, HTTPS and all forms of secure online communication.
That will impact society in far bigger ways than just the downfall of all cryptocurrencies.

So let's hope and pray that P != NP ...

(some people may argue that P=NP has no practical effect if solving NP-hard problems like SAT requires time
Ω(n^100) to solve, but most complexity theory experts believe that if SAT is in P then it will be solvable in
a much more reasonable time like O(n^6)).
55  Bitcoin / Development & Technical Discussion / Re: Can tail emmision be a soft fork on: October 07, 2023, 07:17:03 AM
the 2048 issue in which mining rewards will go down to 9 digits, and so should that value smaller than 8 digits be recognized or ignored?
There is no issue there. Satoshi decided 15 years ago that this fraction of a satoshi of block subsidy, which will be completely insignificant compared to the miner fees that make up most of the block reward, is to be ignored, as a natural consequence of having finite precision. Just like your computer computes 1/9 in 32-bit floating point as 0.11111111
56  Bitcoin / Development & Technical Discussion / Re: The Quantum Threat to Bitcoin: Implications for Miners, Nodes, and Wallets on: October 05, 2023, 02:24:43 PM
Proof-of-Work is completely dependent on a secure hash algorithm.
It's not. The Hashcash [1] Proof-of-Work system is. There are other PoW not based on hashing [2].

Miners would be affected because the current Proof of Work (PoW) algorithm in Bitcoin relies heavily on SHA-256 for mining.
Quantum computers could potentially break the cryptographic primitives underpinning SHA-256, which would render the current mining hardware and strategies obsolete.
While you ponder about quantum attacks on SHA256, which are considered extremely unlikely, you overlook the fact that Bitcoin's PoW algorithm, namely Hashcash [1], is itself known to be vulnerable to quantum attack, independent of the choice of hash function in Hashcash (SHA256D in bitcoin).

Using Grover's algorithm [3] for quadratic speedup, a quantum computer can find a hash pre-image with 2*k leading 0s in (very) roughly the same amount of time that a classical computer needs to find one with only k leading 0s.

[1] https://en.wikipedia.org/wiki/Hashcash
[2] http://cryptorials.io/beyond-hashcash-proof-work-theres-mining-hashing/
[3] https://en.wikipedia.org/wiki/Grover%27s_algorithm
57  Bitcoin / Development & Technical Discussion / Re: Can tail emmision be a soft fork on: October 03, 2023, 03:01:49 PM
I just keep wondering about the idea of sub-satoshi digits being recognized, and it seems to me that tail emissions could already be built into bitcoin, "as is" except for the seemingly mere fact that the code does not recognize units of less than a satoshi... so why not just add another 3-8 digits to the recognition on the main blockchain, and then just continue to have halvenings (block rewards) forever.
A tail emission is an everlasting *fixed* block subsidy, that keeps on growing the supply beyond bound, and that guarantees a minimum level of security regardless of fees.

Adding digits forever to spread out the last 210000 satoshis (i.e. 2.1 mBTC) of supply over infinitely many blocks is *NOT* a tail emission. It's just pointlessly wasting bandwidth on unnecessary precision.
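The integer subsidy schedule discussed in this post and in the earlier sub-satoshi reply, as an added example (not code from the posts): the subsidy is the initial 50 BTC right-shifted once per halving, so fractions of a satoshi are dropped, and adding precision only subdivides a supply that stays bounded. The `extra_bits` parameter is a hypothetical knob for "more digits", not a Bitcoin feature.

```python
COIN = 100_000_000            # satoshis per bitcoin
HALVING_INTERVAL = 210_000    # blocks per subsidy era
INITIAL_SUBSIDY = 50 * COIN   # satoshis
CAP = 21_000_000 * COIN       # limit of the exact geometric series, in satoshis

def block_subsidy(height: int, extra_bits: int = 0) -> int:
    """Subsidy in units of 2**-extra_bits satoshi. The right shift is where
    the fraction below the smallest unit is discarded."""
    halvings = height // HALVING_INTERVAL
    return (INITIAL_SUBSIDY << extra_bits) >> halvings

def first_truncating_era() -> int:
    """First era whose exact subsidy would need a fraction of a satoshi."""
    era = 0
    while INITIAL_SUBSIDY % (1 << era) == 0:
        era += 1
    return era

def total_supply(extra_bits: int = 0):
    """(total issued in units of 2**-extra_bits satoshi, eras with subsidy > 0)."""
    total, era = 0, 0
    while (s := block_subsidy(era * HALVING_INTERVAL, extra_bits)) > 0:
        total += s * HALVING_INTERVAL
        era += 1
    return total, era

if __name__ == "__main__":
    total, eras = total_supply()
    print(f"truncation starts in era {first_truncating_era()}")
    print(f"{eras} eras, {total} sat issued, {CAP - total} sat never issued")
    last = block_subsidy((eras - 1) * HALVING_INTERVAL) * HALVING_INTERVAL
    print(f"final era issues {last} sat in total")
    # Hypothetical: 24 more bits of precision adds eras, not unbounded supply.
    t24, e24 = total_supply(24)
    print(f"with 24 extra bits: {e24} eras, still below cap: {t24 < CAP << 24}")
```
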

58  Economy / Economics / Re: "Surprisingly, Tail Emission Is Not Inflationary" -- A post by Peter Todd on: September 24, 2023, 06:25:42 AM
a monetary supply that always produces 50coins per block forever starts hyper inflated.. it does reduce the amount of inflation.. but inflation still occurs..
think about it
block one 50.. block two 50 means 100% inflation in 10 minutes average.. however by block 1000 there is 50,000 in circulation with only 50 (0.1%) increase per 10 min average

in reality based on yearly economics of say a healthy 1% per year inflation.. it would, based on a 2.625m coin per year (50 coin per block with 52500 blocks a year) take 100 years to get down to 1% inflation.. so unlike P. Todd's theory... it would be inflationary for 100 years before it becomes unnoticeable economically
You're describing Grin's pure linear emission, except that Grin has 1-minute blocks with 60 Grin reward so the emission is 1 Grin per second forever [1].

[1] https://john-tromp.medium.com/a-case-for-using-soft-total-supply-1169a188d153
59  Bitcoin / Development & Technical Discussion / Re: Can tail emmision be a soft fork on: September 13, 2023, 07:16:42 PM
Peter Todd says it's possible to change almost anything even if difficult https://petertodd.org/2016/forced-soft-forks
It can be done, but I presume that the post-softfork nodes will treat the units of the system differently than the pre-softfork nodes. So different, that the post-softfork transactions will not be validated by the pre-softfork. Pre-softfork nodes will receive something like Alice sends 0 coins to Bob (with an extra note indicating that it's a softfork), and in post-softfork nodes, these 0 coins will be accompanied by some signature that spends new, post-softfork coins.
In the proposed soft-fork, pre-softfork nodes don't see Alice sending coins to Bob, since they will see each block as *only* containing a coinbase transaction. It will look to them like Bitcoin has become permanently untransactable.

What the proposal shows is that the notion of soft-fork is not as clear cut as it seems at first, and is really more
of a spectrum, based on how much of the new rules are being verified, or even visible, to old nodes.
60  Bitcoin / Development & Technical Discussion / Re: Transaction cut-through on: September 07, 2023, 03:00:19 PM
Is allowing RBF cut-through transactions with higher or equal fees in Core a good idea or not?
No; that's not a good idea. If Alice can have tx1 A -> A1 relayed to all mempools for fee f,
and then have tx2 A -> A1 -> A2 relayed to all mempools, and so on until
txn A -> A1 -> A2 -> ... -> An for the same fee, then this one time fee f was used to generate
an arbitrary amount of network traffic, which amounts to a DOS attack.

That's why you want replacement txs to have enough fees to cover both the cost of their own relay,
as well as the relay of the tx they're replacing.
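The relay-cost argument above, worked through as an added example (not code from the post or from Bitcoin Core): it compares an "equal fee is enough" replacement policy with one where each replacement must pay the replaced fee plus its own relay cost, and counts the bytes every node has to relay. The feerates, the 110 vB transaction size, the attempt count and the function names are constructed assumptions.

```python
MIN_RELAY_FEERATE = 1          # sat/vB, assumed minimum to enter mempools
INCREMENTAL_RELAY_FEERATE = 1  # sat/vB, assumed price of relaying a replacement

def accept_equal_fee(old_fee: int, new_fee: int, new_vsize: int) -> bool:
    """The policy asked about: a higher or equal fee is enough."""
    return new_fee >= old_fee

def accept_pays_for_relay(old_fee: int, new_fee: int, new_vsize: int) -> bool:
    """Replacement covers the replaced tx's fee plus its own relay cost."""
    return new_fee >= old_fee + INCREMENTAL_RELAY_FEERATE * new_vsize

def simulate(policy, budget_sat: int, vsize: int = 110, attempts: int = 1000):
    """Alice keeps replacing her transaction with the cheapest fee the policy
    accepts, until she runs out of budget or attempts.
    Returns (vbytes relayed per node, fee of the one tx that can be mined)."""
    fee = MIN_RELAY_FEERATE * vsize            # tx1 pays the minimum
    relayed = vsize
    for _ in range(attempts):
        candidates = (fee, fee + INCREMENTAL_RELAY_FEERATE * vsize)
        new_fee = next((f for f in candidates
                        if f <= budget_sat and policy(fee, f, vsize)), None)
        if new_fee is None:
            break                              # no affordable replacement left
        fee, relayed = new_fee, relayed + vsize
    return relayed, fee

if __name__ == "__main__":
    for policy in (accept_equal_fee, accept_pays_for_relay):
        relayed, fee = simulate(policy, budget_sat=1100)
        print(f"{policy.__name__}: {relayed} vB relayed for {fee} sat "
              f"({fee / relayed:.3f} sat per relayed vB)")
```

Under the second policy the final fee equals the feerate times every byte relayed, so traffic is bounded by what the sender is willing to pay; under the first, traffic is bounded only by the number of attempts.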