Great news. The more of these Mom & Pops accept BTC, the more it gets into the public consciousness as a legitimate payment mechanism. It's an important spoke in the virtuous cycle towards acceptance as current money. Let's have more of it.

The problem with a USD colored coin is that it trades forex risk for counterparty risk. You have to really trust the issuer that they'll pay you your FRNs when you go to cash them out.

Of course, the exception is if it's the Reserve/Mint issuing the colored coin; in that case, there's no counterparty risk because your USD-colored coins are USD. But that seems like a bit much to hope for.

Bump.

Current price of a $50 giftcard is only 50 minicoins (0.05 BTC).

Unmodified bitcoind can connect through tor, but it can only have outgoing connections, not incoming ones. Tor hidden services are the only way to be a full peer without revealing to an eavesdropper that you, personally, use Bitcoin.

Also, they're a service to other Tor+bitcoin users, because it means that those users have a peer they can connect to which isn't susceptible to exit node MitM.

At least not yet. When the Winklevoss ETF finally comes out...

Hrm. I would have answered, "how do I know a man in the middle didn't give me their public key instead?" But the same weakness exists with CAs. How do I know a man in the middle didn't add their key as a CA when I downloaded my browser?

It's tricky.

...I wonder if people still use Namecoin.

If you're going to make a user-friendliness argument, the real issue isn't interface, or what signature scheme you're using or whatever. The real issue is: how do you know that Wells Fargo's key is Wells Fargo's key? Or that a particular key identifies George (of George's Baklava), for that matter?

The cert-signed-by-CA approach makes that easy: some CAs are considered to be trustworthy, so if they tell you the key is good, it's good. Of course, if you can't trust the CAs, the system doesn't work.

But PGP doesn't provide an answer here at all. On the contrary, it says "go find someone you trust and see if they believe it". How on Earth do you propose to make that process "user friendly"?

It requires a trusted third party if you want the relationship between the two transactions to be secret. If all you're concerned about is "A gets B's litecoins, B gets A's bitcoins", then the only failure mode, even with a dishonest C, is that the trade doesn't go through, you've wasted a little time but not lost any money, and you find a new C.

Heck, you don't even need a separate person to be C; A or B can fill that role without any loss of atomicity (although, again, it means that A and B know who each other are).

Trading across chains (e.g. Litecoin for Bitcoin) has actually already been solved. Take a look at CoinSwap; the algorithm works even if A->B and C->D are on different chains!

At this point it's just a matter of someone actually implementing the protocol.

Here's the problem with this: in order for A&C's spent UTXOs to remain secret, the A->{ABCD} and C->{ABCD} transactions have to be secret as well, with A and C sharing only their TXID hash. Once you've set up all of this, A and C have to publish those transactions, and whoever publishes first reveals their UTXOs without guaranteeing that the other team will publish their own transaction and let the deal go through.

If you could solve the issue of simultaneously revealing A and C's spent UTXOs, there wouldn't be a need for anything more exotic than SIGHASH_ANYONECANPAY, because you could just make a single transaction with B and D's outputs, A and C could individually write their inputs and prove (using SNARKs or some other zero-knowledge mechanism) that an encrypted form decrypts to some valid input of the proper amount, and then the two teams simultaneously reveal their decryption keys, so the moment either team knows the other team's input, both teams have the full transaction and can submit it at will.

But how do you simultaneously reveal? That's the trick.

I keep thinking I've got a solution, and then keep realizing that it doesn't actually do what you asked for.

This is a bit of a weird use case, though. Could you explain what you're trying to do at a higher level, such that these restrictions are necessary?
Yes, but you can use txscripts to make transactions dependent on each other using cryptographic techniques (e.g. CoinSwap, where hashes of secrets are used to make one transaction contingent on another).

The problem here is that I'm not familiar with any cryptographic techniques for simultaneously revealing information.

I might be misinterpreting your definition of "hacked", but I still disagree.

First off, using it as a store of value is irrelevant; transfer of value is exactly the scenario in which a 51% attack (or a probabilistic 30% attack or so forth) matters. Once the coins are in your wallet and buried hundreds of blocks down, reorgs are not really useful to an attacker except as an act of terrorism.

Second off, a lower-hashpower, lower-confirmation-time blockchain (e.g. nearly every altcoin in existence right now) is more likely to reorg in regular use, which means it's easier to claim (while wearing your mining hat) that it was a bug or an error rather than a deliberate 51% attack to facilitate a double-spend.

For any altcoin to do the job as well as Bitcoin does it, that altcoin must have too much mining power for an attacker to outvote the network.

Are there "many alternative cryptocurrencies" with hashrates high enough that I couldn't get a couple hundred thousand dollars worth of hardware and double-spend with impunity?

Which blockchain are miners throwing computation power at? That's the one that you can actually have confidence is atomic and irreversible.

Right now, that's Bitcoin.

There's a lot of really interesting protocols being developed with advanced Bitcoin scripting lately. CoinSwap, trust-free guessing games, the list goes on. But in a lot of these cases, the protocols are hampered by the "transaction mutability" issue - essentially, the issue that a signed transaction can have its txid changed by any of the participants by redoing their signature, thereby invalidating any pre-built transactions that were supposed to follow on from it (e.g. time-locked cancellation transactions).

The thing is, I've seen various statements attached to interesting scripting proposals that go something like "care must be taken until mutability is fixed", as though (1) we have a plan to "fix" mutability, and (2) until then there's a way to prevent such attacks against schemes like CoinSwap if one is "careful". Searches reveal only fragmented and piecemeal discussion of the former, and almost nothing on the latter.

So I suppose my questions are, what's the plan to fix mutability, and what can we do in the meantime?

"I've got here a program that can win at stocks."

The seller can do a zero-knowledge proof that this claim is true for any given historical period the buyer wants to test. Do enough of these tests for the buyer to be satisfied, then proceed as normal.

The interesting thing about this case is that it's one I've seen in the wild, on this very forum; people sell "trading bots" and "trading strategies" and so forth, and there's always this worry of "why would you be selling it if it actually worked". With this technology, the buyers don't have to trust that the algorithm works; the seller can prove it!

Have you incorporated the Ron-Shamir Entities into this? The paper's a little dated and it's unclear whether the balances on pg. 11 are still accurate, but it'd mean at least two additional billionaires (Entities A and C) who have taken pains to make their large holdings non-obvious.

Peninsula Daily News

Good morning. I'm not normally a bear, but recent events are beginning to bring my ursine side out of hibernation.

I am with my family in rural Washington for the weekend. In the local small-town newspaper, I saw an editorial article about bitcoins. It talked about the price movements of BTC and altcoins for 60% of the article, gave a brief discussion of what it is for another 20%, and spent the last 20% with a brief quote from an economist who mentioned the usual criticisms of any private currency.

Do you see? A small-town newspaper runs an article about Bitcoin, and it's mostly about how the price is going up and up. To me, this is the doorstep of "Aunt Flo buys into this hot new thing without understanding it at all", which - in the traditional path of the bubble - is the beginning of the end, as the last possible pool of buyers are exhausted.

Your thoughts?

I'm totally in favor of SI prefixes starting with micro-bitcoins. But "milli-bitcoin" sounds and looks too much like "million bitcoin", which is a much more "expected" construction in the world of money and finance. (That's why I use "minicoin" myself, although I'm open to better alternatives.)

OP's construction is an interesting one (measuring the value of a blockchain balance by its "percentage of the pie"), but I think it'd be too difficult to introduce at this late stage.

I can answer a couple of these.

(3) The Bitcoin developers have the ability to send urgent alerts to the network, in the case that e.g. there's a zero-day exploit where people need to upgrade immediately. These messages are signed with a key held by the developers. vAlertPubKey is the public component of that key, so that clients can tell that this is actually an urgent alert from the developers, and not someone just trying to spam the network.
(4) Bitcoin starts out with a mining reward of 50BTC per block. After nSubsidyHalvingInterval blocks, this reward halves. After another nSubsidyHalvingInterval blocks, it halves again. Thus, the number of bitcoins in circulation asymptotically approaches 50*nSubsidyHalvingInterval*2.