Bitcoin Forum
Author Topic: defending ahead the p2p nature of bitcoin - blending hashcash & scrypt  (Read 13874 times)
gollum
April 19, 2013, 07:30:17 PM
#21

maybe this is a noob question: why don't we use the computing power of the bitcoin network for something useful (let researchers use the computation power) in combination with the current algorithm?
adam3us (OP)
April 19, 2013, 07:54:31 PM
#22

Quote
If a general purpose CPU can do it, then a purpose-built CPU can do it faster.  The best you can do is make it expensive for someone to develop an effective ASIC.  Also, time is money, so if you use a random pool of algorithms, then the only people that will have ASICs are those that can afford to develop them quickly.

Agreed, good synopsis of the problem.

Quote
Having a single simple hashing algorithm is better than having a difficult one, or having a pool of them chosen randomly.  The reason is that it keeps the barrier to entry lowish for new ASIC producers.

Building an ASIC for SHA-256 is pretty simple.  At least 3 different groups have already done it, on shoestring budgets and somewhat quickly.  Increase that to maybe dozens if you include the not-suitable-for-bitcoin streaming hasher chips that are commercially available.  If (heh) they abuse their position as first movers, the barrier to their competition is very, very low, on the order of tens of thousands of dollars and several months to get started.

Making ASIC development more difficult will keep out the people that we want to include

That's a rather good point, I like it.  That might even win the argument if we see ASICs of good quality and efficiency flood the market in the next few years, partly as a result of the simplicity of SHA/hashcash.

Quote
and do nothing whatsoever to exclude the people that some would like excluded.

It would do something about the people we want to exclude, that was my point/intention anyway: there are limits to custom hardware optimization where it becomes just too expensive and you're better off buying or making a faster CPU.  Intel is a target you're chasing at the speed of Moore's law.  Particularly if the algorithm is changing every 6 months in interesting and novel ways.  Imagine someone comes to you with a mountain of money and says build me this custom CPU in 3 months (so there's three months left to start mining).  Maybe you can't do it in time to repay the investment.  Maybe you can't do it in the timeframe with any amount of money.  Even all of it - there are complexity and science limits for hw gurus and chip fab people etc.

But maybe that's too simplistic a view of the hw response to the challenge, eg maybe they optimize in the direction of reconfigurable flexibility - eg ultra flexible, ultra fast, 22nm FPGAs with more pre-optimized lumpy parts (FP units, cache arrays, integer units, etc).  But then there is an argument that that might however be a rather nice general purpose re-programmable CPU, so maybe everyone and his dog will be able to buy cards and racks with them on par with miners.  And if it becomes reusable enough, it becomes a product with general availability, and that becomes a win for dynamic epoch redefinition of mining function.

If the target is too flexible, particularly dynamic over too short an interval, the hw guy either loses to Intel, or he builds an Intel competitor flexible hw reconfigurable CPU that everyone (supercomputer vendors, scientific computing, dynamic function miners) will want to take off his hands.  Either way it's a win for the dynamically changing mining function approach.

It takes a lot to compete with Intel.  Even AMD can't seem to do it these days Wink - though AMD make real nice GPGPUs.


But your main point, simple hashing algorithm ..[as it] keeps the barrier to entry lowish for new ASIC producers, stands and maybe is more robust than the harder to quantify difficulty of super-optimizing hw for an inventively changing mining function - harder to project what could be done, and anyway if the sheer simplicity of the hashcash mining function is enough to ensure p2p availability of hw, it is a more elegant, simpler solution.  Simplicity I like.

You know there may be more than hw availability also to consider.  Many GPU miners are mining because they have a GPU.  If some of them had to pay for the miner they may drop off.  But bitcoin could probably live without that if it had to (sad though it would be to have them lose their fun without buying an ASIC.)

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
adam3us (OP)
April 19, 2013, 08:22:11 PM
#23

(Here's a ppcoin-like idea I wrote before reading about ppcoin.  I haven't quite managed to decipher the ppcoin wiki page, finding it hard to isolate a concise definition of its mechanism and intended low level effects.  Maybe someone who has internalized ppcoin could skim this idea below and tell me if it is the same as ppcoin (but simpler?) or not.)

There might be other ways to tilt the field towards p2p control also without changing the mining function.

One could give coins accompanied by first 4 year (50 coin block private keys) from the block chain some definitional hashcash mining boost.  This boost only has value for protocol voting, but NOT coin reward, and could be an interesting drag on corporate control.  Would give Satoshi some anonymous power if he is still around and mining.  There'd have to be some coin reward to encourage the GPU miners with old private keys to play and keep the p2p aspect going, other than altruism, but it could be a different payout.  The generation 1 private keys boost level would frustrate subsequent control centralization.  Also the boost private keys are the first miner original keys only; the boost can't be transferred by bitcoin purchase to the new address private key.

Adam

gglon
April 19, 2013, 08:26:59 PM
#24

Quote
Well my idea is this: aim to get to 50:50 hashcash scrypt [or pool of algorithms]
I can't imagine majority of miners (who are already sitting on ASICs) would accept this kind of fork.
kjj
April 19, 2013, 08:47:31 PM
#25

Quote
and do nothing whatsoever to exclude the people that some would like excluded.

It would do something about the people we want to exclude, that was my point/intention anyway: there are limits to custom hardware optimization where it becomes just too expensive and you're better off buying or making a faster CPU.  Intel is a target you're chasing at the speed of Moore's law.  Particularly if the algorithm is changing every 6 months in interesting and novel ways.  Imagine someone comes to you with a mountain of money and says build me this custom CPU in 3 months (so there's three months left to start mining).  Maybe you can't do it in time to repay the investment.  Maybe you can't do it in the timeframe with any amount of money.  Even all of it - there are complexity and science limits for hw gurus and chip fab people etc.

You are assuming that the investment must be repaid in terms that you understand.  Maybe someone is rich and just wants to mess with the network.  It seems unwise to make ourselves vulnerable to that sort of thing merely because we wouldn't take advantage of it ourselves.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
adam3us (OP)
April 19, 2013, 09:06:13 PM
#26

Quote
Well my idea is this: aim to get to 50:50 hashcash scrypt [or pool of algorithms]
I can't imagine majority of miners (who are already sitting on ASICs) would accept this kind of fork.

I am anti-fork as bad for mindshare, confidence and dilutive of bitcoin and crypto currency value aggregate.

I was suggesting it may be in the self-interest of bitcoin to think about that for the main branch.

Obviously ASIC miners won't like it short term.  I ordered some ASIC miners off Butterfly also.

But my statement was bigger picture, longer term view: all bitcoiners, including ASIC miners, will like it even less in the longer term and bigger picture if the entire currency gets devolved into a non-p2p corporate controlled network.  That itself would either destroy bitcoin value via loss of interest and/or bitcoin's user-centric properties along the way.

Anyway there was some interesting discussion in this thread, and there are uncertainties about what is the right answer.  So I guess by default we're going to wait and see.

If there even exist lots of ASICs privately held at present, that in itself is an argument for the p2p nature surviving ASICs with the hashcash mining function.

Adam

passerby
April 19, 2013, 09:10:00 PM
#27

Quote
Well, if you don't mind, I will provide a few comments without specific quotes:

When you account for pooled mining, ASICs become completely irrelevant - it doesn't really matter whether there are 4000 corporate-owned ASIC farms or 4 000 000 individual GPU miners, because in both of those cases the equipment will be connected to 4-10 "megapools" which will be effectively in control of the network.

It thus appears to me that, if empirical evidence is to be trusted, ASIC resistance (or lack thereof) will have little to no effect on "decentralization", primarily due to very strong centralization arising from "pool" infrastructure.

Well I don't think that's as dangerous a problem as corporate control by a long way.  A pool can't misbehave much.  If it does the users will realize and pull out and it'll go under.

It appears to me that many miners care little about protocol intricacies. As long as dollars keep falling out of the vidjacard, all is fine and dandy to such folks  Cheesy.

Besides, I do think that you're overestimating corporate malice. Corporations are, by design, fairly sociopathic - but they are just profit driven decision makers, much like pool-ops, and would, just like pool-ops, seek to refrain from doing things that may break the profit model (one could argue that de-pseudonymizing bitcoin or removing the max coin count would drop the price like a giant bag of rocks, and that would not be good for Coinmining LLC, would it?).

Also, I'm not convinced that "de-ASICing" BTC would necessarily prevent "corporate encroachment". It just so happens that it is much easier to run a large cluster of complicated equipment when you are a small company - and much more comfortable for the proprietor.

Quote
P.S.:
My limited understanding of concepts involved suggests that "poolproof" design is possible, but my limited understanding of miner behavior suggests that it would be woefully unpopular.

Surely that's just a question of mining in much smaller parts, so that rewards are measured in the Satoshis range instead of 25 whole coins.  I think the harder but probably solvable problem if it was desired would be p2p traffic efficiency.  I do think poolproof would be useful.

Well, the problem with "mini-mining" is variance, also known as "luck" and occasionally affectionately referred to as "fuck my life" Smiley

Miners want their payoff to come in stable and predictable intervals (which makes business sense). They want it so much they are ready to pay pool fees in order to ensure that the stochastic nature of mining won't throw them under the proverbial bus.

And they will probably ignore a coin that does not allow for such a service to take place - it massively increases their risks without offering any benefit that a for-profit miner would consider "substantial".

Quote
ppcoin seems interesting.  I think I reinvented it or something similar, had another post in draft form, though ppcoin seems complicated, at least the way it's explained on the wiki (not sure I fully understood it from a quick skim of the wiki).  Will post my similar idea next.

Adam


Ppcoin is incredibly contrived and opaque - I'm not too fond of it (and also, I have a conflict of interest Wink ) but at least it is kinda trying something new, which is, one has to agree, cool...

Quote
and do nothing whatsoever to exclude the people that some would like excluded.

It would do something about the people we want to exclude, that was my point/intention anyway: there are limits to custom hardware optimization where it becomes just too expensive and you're better off buying or making a faster CPU.  Intel is a target you're chasing at the speed of Moore's law.  Particularly if the algorithm is changing every 6 months in interesting and novel ways.  Imagine someone comes to you with a mountain of money and says build me this custom CPU in 3 months (so there's three months left to start mining).  Maybe you can't do it in time to repay the investment.  Maybe you can't do it in the timeframe with any amount of money.  Even all of it - there are complexity and science limits for hw gurus and chip fab people etc.

You are assuming that the investment must be repaid in terms that you understand.  Maybe someone is rich and just wants to mess with the network.  It seems unwise to make ourselves vulnerable to that sort of thing merely because we wouldn't take advantage of it ourselves.

You cannot stop someone who has so-called "disposable money" in the upper millions/lower billions USD and is, as far as you can tell, insane, with just "merely" sound cryptography and better hashrate, unless this hypothetical opponent is obsessed by the idea of taking you down by hashrate alone.

If he can't out-hash you with superior ASICs, he will lobby for BTC to be banned in USA and EU.

If he can't out-lawyer us, he'll directly go after the exchanges.

If that fails, who knows...
...maybe he will buy some BTC and anonymously strongly pseudonymously hire hitmen to go after everyone worth going after in the community, at which point no half-sane dev will touch this code with a ten-foot pole.

"disposable money"  in the upper millions/lower billions USD + batshit insane = IRL Saturday morning cartoon villain.
adam3us (OP)
April 20, 2013, 12:14:44 AM
#28

Quote
Maybe someone is rich and just wants to mess with the network.  It seems unwise to make ourselves vulnerable to that sort of thing merely because we wouldn't take advantage of it ourselves.

I think that is something to think about in byzantine threat models.  Could a big and hostile player greatly outsizing bitcoin in terms of money to burn destabilize it via financial exchange manipulation, or mining out the coins with vastly more CPU power, buying and deleting coins etc?  It seems often that some big players prefer covert, plausibly deniable or hard to prove action to something overt.  Or alternatively they could find or make a legal excuse to cut exchanges off from the banking interface.

Even competitors like banks themselves, if the bitcoins started to eat into profit margins, maybe they could drive out the currency by buying all the liquid parts.  (Bad currency drives out good?)

Adam

Sunny King
April 20, 2013, 06:49:28 AM
#29

Quote
Go the satoshi-quo Smiley -- I am not displeased -- you're using my mining function (with pretty much no wikipedia attribution anywhere btw other than Satoshi's paper *), and I am also attached to it, and frankly I did guess that would be the likely, and with some justification, community response.  And indeed as I said in another post I appreciate the Satoshi-quo quite strongly for concept stability that may affect investors' confidence.  And I'm game to see how that turns out.  It'll be an interesting ride.

Hey Adam, nice to see you hang out here! Don't worry, your work is noted and I have hashcash listed in my history of cryptocurrency wiki page: https://github.com/ppcoin/ppcoin/wiki/History-of-cryptocurrency

Quote
(Here's a ppcoin-like idea I wrote before reading about ppcoin.  I haven't quite managed to decipher the ppcoin wiki page, finding it hard to isolate a concise definition of its mechanism and intended low level effects.  Maybe someone who has internalized ppcoin could skim this idea below and tell me if it is the same as ppcoin (but simpler?) or not.)

There might be other ways to tilt the field towards p2p control also without changing the mining function.

One could give coins accompanied by first 4 year (50 coin block private keys) from the block chain some definitional hashcash mining boost.  This boost only has value for protocol voting, but NOT coin reward, and could be an interesting drag on corporate control.  Would give Satoshi some anonymous power if he is still around and mining.  There'd have to be some coin reward to encourage the GPU miners with old private keys to play and keep the p2p aspect going, other than altruism, but it could be a different payout.  The generation 1 private keys boost level would frustrate subsequent control centralization.  Also the boost private keys are the first miner original keys only; the boost can't be transferred by bitcoin purchase to the new address private key.


This bears some similarity to what cunicula used to push for (https://en.bitcoin.it/wiki/Proof_of_Stake). In ppcoin I gave full faith and credit to the concept of proof-of-stake and let it fly without the restraint of proof-of-work. That is how ppcoin achieves its design goal of long term energy efficiency. As far as I know I am the only one that gives full respect to proof-of-stake; others kept doubting it and tried to balance it with proof-of-work, ultimately failing to produce an actual design and implementation.
adam3us (OP)
April 20, 2013, 07:05:45 AM
#30

Quote
Surely that's just a question of mining in much smaller parts, so that rewards are measured in the Satoshis range instead of 25 whole coins.  I think the harder but probably solvable problem if it was desired would be p2p traffic efficiency.  I do think poolproof would be useful.

Quote
Well, the problem with "mini-mining" is variance, also known as "luck" [..] Miners want their payoff to come in stable and predictable intervals

That's because the minimum network accepted virtual "nugget gold weight" is too high for the end user miner.  If the rate of average production for a speck of virtual gold dust was 1 second on a GPU (for some picosatoshi) the rate of progress would be smooooth, so it's not the randomness per se, it's the size of the minimum mining target.  It'll be acceptably smooth even at 1 microcoin per hour for a 500MH miner at a given difficulty.

The problem and reason for big 25 coin blocks I think is p2p network scalability.

You can therefore think of pools like supernodes in a p2p network.  They hand out "share"-sized chunks of work, effectively the microcoin challenge, and smooth it out for you, and like supernodes in p2p networks in general, they help the network scalability.  There is healthy competition amongst pools, and the barrier to entry is low.

In an idealized crypto currency you could argue it would be desirable to be able to mine picocoins directly without pools.  Poolproof, as you called it.  But I think for now the people working on the code are having enough fun scaling for transaction volume etc with the current parameters, absent some interesting new crypto to, say, allow secure offline combinable and splittable proofs of work.

Adam

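Added example, not from the thread and not Adam's code: a small Python model of the point in the post above, that the unevenness of a miner's income comes from the size of the minimum mining target rather than from randomness as such. It assumes a constructed 500 MH/s miner (echoing the "500MH miner" remark), a constructed block-sized target of 1e16 expected hashes paying 25 coins, and a share-sized target of 5e8 expected hashes (one second of work at that hashrate) paying proportionally less, so both have the same expected income per hour. Solutions arrive as a Poisson process, so the relative spread of earnings over a window is 1/sqrt(expected solutions in the window); the Monte Carlo part checks that against sampled windows.

```python
import math
import random

# Constructed parameters (not from the thread): a 500 MH/s miner observed
# over one-hour windows.
HASHRATE_HPS = 500e6
WINDOW_SECONDS = 3600.0

# Two "nugget sizes" with identical expected payout per hash. The big one
# stands in for a whole block (constructed: 1e16 expected hashes per
# solution, 25 coins); the small one takes one second of work on average
# and pays proportionally less.
BIG_TARGET = {"hashes_per_solution": 1e16, "reward": 25.0}
SMALL_TARGET = {"hashes_per_solution": 5e8, "reward": 25.0 * 5e8 / 1e16}


def expected_solutions(hashrate_hps, hashes_per_solution, seconds):
    """Mean number of solutions found in a window (the Poisson rate lambda)."""
    return hashrate_hps * seconds / hashes_per_solution


def expected_earnings(hashrate_hps, target, seconds):
    """Mean coins earned per window; the same for both targets by construction."""
    lam = expected_solutions(hashrate_hps, target["hashes_per_solution"], seconds)
    return lam * target["reward"]


def relative_std(hashrate_hps, hashes_per_solution, seconds):
    """Coefficient of variation of earnings per window.

    The solution count over a window is Poisson with mean and variance lambda,
    and earnings are reward * count, so std/mean = 1/sqrt(lambda) no matter
    how large the reward per solution is: only the target size matters."""
    lam = expected_solutions(hashrate_hps, hashes_per_solution, seconds)
    return 1.0 / math.sqrt(lam)


def simulate(hashrate_hps, target, seconds, trials=200, seed=1):
    """Monte Carlo check: sample earnings per window by drawing exponential
    inter-arrival times between solutions. Returns (mean, relative std);
    the relative std is inf when no sampled window earned anything."""
    rng = random.Random(seed)
    rate = hashrate_hps / target["hashes_per_solution"]  # solutions per second
    earnings = []
    for _ in range(trials):
        t = rng.expovariate(rate)
        count = 0
        while t <= seconds:
            count += 1
            t += rng.expovariate(rate)
        earnings.append(count * target["reward"])
    mean = sum(earnings) / trials
    if mean == 0.0:
        return 0.0, math.inf
    var = sum((e - mean) ** 2 for e in earnings) / trials
    return mean, math.sqrt(var) / mean


if __name__ == "__main__":
    for name, target in (("block-sized", BIG_TARGET), ("share-sized", SMALL_TARGET)):
        hps = target["hashes_per_solution"]
        print(name,
              "expected coins/hour:", expected_earnings(HASHRATE_HPS, target, WINDOW_SECONDS),
              "lambda:", expected_solutions(HASHRATE_HPS, hps, WINDOW_SECONDS),
              "theory rel. std:", relative_std(HASHRATE_HPS, hps, WINDOW_SECONDS),
              "sampled (mean, rel. std):", simulate(HASHRATE_HPS, target, WINDOW_SECONDS))
```

With these numbers the block-sized target gives about 1.8e-4 expected solutions per hour (a relative spread of roughly 7400%, i.e. almost every hour pays nothing), while the share-sized target gives 3600 expected solutions per hour and a spread of about 1.7%, for exactly the same expected income. A pool's "share" is the small target here; the network-enforced block is the big one.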
mmeijeri (Martijn Meijering)
April 20, 2013, 07:08:55 AM
#31

Quote
The risk is p2p miners aren't going to be able to get access to equipment that can financially compete with this equipment.  Butterfly seems like a small player - maybe they'll ship.  But what can be done with the above scale could eclipse their power and efficiency, probably in the same way ASIC outclasses GPUs, and I can see market reasons why you or I won't be able to buy them.

I'm more worried about the possibility that governments around the world would ban private possession of ASIC mining rigs and would deploy large farms themselves. There are only so many places in the world where you can fabricate ASICs, so that would make them easy for governments to control. Also, by definition ASICs are application-specific, so there would be no fallout on other applications.

I'd look for a hashing algorithm for which ASICs offer less than an order of magnitude improvement over at least FPGAs, which cannot be suppressed. No such improvement over GPUs would be even better and ideally ordinary desktop PCs should be competitive. Surely it must be possible to find a hashing function that requires the full functionality of a general purpose CPU.

ROI is not a verb, the term you're looking for is 'to break even'.
passerby
April 20, 2013, 07:56:03 AM
#32

Quote
Maybe someone is rich and just wants to mess with the network.  It seems unwise to make ourselves vulnerable to that sort of thing merely because we wouldn't take advantage of it ourselves.

I think that is something to think about in byzantine threat models.  Could a big and hostile player greatly outsizing bitcoin in terms of money to burn destabilize it via financial exchange manipulation, or mining out the coins with vastly more CPU power, buying and deleting coins etc?  It seems often that some big players prefer covert, plausibly deniable or hard to prove action to something overt.  Or alternatively they could find or make a legal excuse to cut exchanges off from the banking interface.

Even competitors like banks themselves, if the bitcoins started to eat into profit margins, maybe they could drive out the currency by buying all the liquid parts.  (Bad currency drives out good?)

Adam


Oh, like I said, such an attacker can do a stupidhuge number of devastating non-cryptographic attacks.

Here's another one:

Assume attacker can waste up to 500 mil. USD (I assume that is the ballpark "pocket change" figure for someone who can afford developing ASICs just to "mess with the coin guys")

Attacker creates a highly anonymous offshore structure, in this case I would probably suggest a trust (it's hard, but possible, to set up an offshore in a manner that is literally impossible to trace back to the real mastermind of the affair)

Attacker arranges for about $50 mil to be moved there.

Attacker locates, across numerous anonymous fora, a programmer that is both highly competent and unethical (not like there ain't places on the net where such folks hang out)

Attacker hires him to enter BTC dev circles, contribute, gain team trust, and eventually sneak a remote code execution vulnerability (disguised as an honest coding mistake, of course) into main. Attacker pays the blackhat a very lucrative salary via the offshore structure.

The attack would be completely devastating, and, in case the exploit is discovered prior to relevant code being accepted into main, the blackhat has plausible deniability (not like anyone can claim to never have made a dangerous coding mistake)

Fighting "Rich Mad" is not fun Sad

Quote
Surely that's just a question of mining in much smaller parts, so that rewards are measured in the Satoshis range instead of 25 whole coins.  I think the harder but probably solvable problem if it was desired would be p2p traffic efficiency.  I do think poolproof would be useful.

Quote
Well, the problem with "mini-mining" is variance, also known as "luck" [..] Miners want their payoff to come in stable and predictable intervals

That's because the minimum network accepted virtual "nugget gold weight" is too high for the end user miner.  If the rate of average production for a speck of virtual gold dust was 1 second on a GPU (for some picosatoshi) the rate of progress would be smooooth, so it's not the randomness per se, it's the size of the minimum mining target.  It'll be acceptably smooth even at 1 microcoin per hour for a 500MH miner at a given difficulty.

The problem and reason for big 25 coin blocks I think is p2p network scalability.

You can therefore think of pools like supernodes in a p2p network.  They hand out "share"-sized chunks of work, effectively the microcoin challenge, and smooth it out for you, and like supernodes in p2p networks in general, they help the network scalability.  There is healthy competition amongst pools, and the barrier to entry is low.

In an idealized crypto currency you could argue it would be desirable to be able to mine picocoins directly without pools.  Poolproof, as you called it.  But I think for now the people working on the code are having enough fun scaling for transaction volume etc with the current parameters, absent some interesting new crypto to, say, allow secure offline combinable and splittable proofs of work.

Adam

Yes, a mining algo that would allow me to mine low-diff mini-reward blocks alongside "big" miners mining for bigger rewards without causing a security compromise would be a huge boon (with current PoW, that won't work, at least not straightforwardly)

It would make the poolsafe concept viable (currently, you can make pools un-workable, but you need a mini-reward scheme to make it lucrative)

Quote
Well my idea is this: aim to get to 50:50 hashcash scrypt [or pool of algorithms]
I can't imagine majority of miners (who are already sitting on ASICs) would accept this kind of fork.

I am anti-fork as bad for mindshare, confidence and dilutive of bitcoin and crypto currency value aggregate.


Awwww man  Cry

Seriously though, with all due respect (and with admittance of my conflict of interest here) - alt-coins (or rather, truly innovative alt-coins as opposed to one-two tweak clones) are useful.

They prevent monoculture.

If anything, we need more altcoins pursuing different niches (I feel that there are market niches which BTC, contrary to popular belief, fills imperfectly, allowing for an alt to take that niche without affecting mainstream btc adoption - but that's a long and boring story)
TierNolan
April 20, 2013, 09:05:33 AM
#33

Quote
Seriously though, with all due respect (and with admittance of my conflict of interest here) - alt-coins (or rather, truly innovative alt-coins as opposed to one-two tweak clones) are useful.

They prevent monoculture.

If anything, we need more altcoins pursuing different niches (I feel that there are market niches which BTC, contrary to popular belief, fills imperfectly, allowing for an alt to take that niche without affecting mainstream btc adoption - but that's a long and boring story)

Arguably, what you want is one timestamping chain.  All other chains can then use that timestamp service to establish ordering of their transactions.

That is effectively what merged mining actually does anyway.

It would allow the main chain headers to be extremely clean.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF
passerby
April 20, 2013, 06:15:36 PM
#34

Quote
Seriously though, with all due respect (and with admittance of my conflict of interest here) - alt-coins (or rather, truly innovative alt-coins as opposed to one-two tweak clones) are useful.

They prevent monoculture.

If anything, we need more altcoins pursuing different niches (I feel that there are market niches which BTC, contrary to popular belief, fills imperfectly, allowing for an alt to take that niche without affecting mainstream btc adoption - but that's a long and boring story)

Arguably, what you want is one timestamping chain.  All other chains can then use that timestamp service to establish ordering of their transactions.

That is effectively what merged mining actually does anyway.

It would allow the main chain headers to be extremely clean.

Certain practicalities (like "motivating miners of the meta-chain") aside, monoculture is admittedly very comfy.
However, non-monocultural settings are less susceptible to exploits and systemic failures of design.

Monocultures also tend to "calcify", stifling innovation and accruing institutional commitments (the latter isn't always a bad thing, but it can limit the directions a project can realistically take - for instance, bitcoin becoming more anonymous would piss off FinCEN by breaking an implied institutional commitment. Or, for a more obvious example, consider the response of people who already bought ASIC units to a hypothetical PoW change Wink )
TierNolan
April 20, 2013, 06:29:02 PM
#35

Quote
Certain practicalities (like "motivating miners of the meta-chain") aside, monoculture is admittedly very comfy.
However, non-monocultural settings are less susceptible to exploits and systemic failures of design.

True.  Alt chains would have to have some kind of funding system.  The timestamp chain would have a single merkle root.  Alt chains which pay more are placed nearer the top.

Miners would merge mine lots of alt chains at the same time, placing the ones which pay more closer to the top (assuming the protocol rules give better rewards for doing that).

Speaking of which, it would be nice if bitcoin supported unbalanced merkle trees.  This would allow much faster updates for the extra nonce.

Quote
Or, for a more obvious example, consider the response of people who already bought ASIC units to a hypothetical PoW change Wink )

The timestamp chain could still be based on sha256.

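Added example, my own illustration rather than TierNolan's code or any project's: an unbalanced Merkle tree in Python in which the alt chain paying the most is committed at depth 1 and each lower payer one level deeper, so the proof that a chain's block hash is under the timestamp root is shortest for the chains placed nearest the top. Chain names, header hashes and fees are constructed, double SHA-256 is assumed as the node hash, and the right-leaning "comb" layout is one possible shape for "unbalanced", chosen because it makes proof length equal to fee rank.

```python
import hashlib
import math


def node_hash(data: bytes) -> bytes:
    # Assumption: bitcoin-style double SHA-256 as the tree hash.
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


# Constructed alt chains: (name, latest header hash, fee paid for inclusion).
CHAINS = [
    ("chain-A", node_hash(b"chain-A header"), 0.5),
    ("chain-B", node_hash(b"chain-B header"), 2.0),
    ("chain-C", node_hash(b"chain-C header"), 1.0),
    ("chain-D", node_hash(b"chain-D header"), 0.1),
]


def build_unbalanced_tree(chains):
    """Commit the chains in a right-leaning tree ordered by fee, highest first:
       root = H(leaf0 || H(leaf1 || H(leaf2 || leaf3)))
    leaf0 (the top payer) sits at depth 1; each lower payer is one level deeper.
    Returns (root, proofs) with proofs[name] = [(sibling, sibling_is_right), ...]
    listed from the leaf upwards."""
    ordered = sorted(chains, key=lambda c: c[2], reverse=True)
    leaves = [c[1] for c in ordered]
    n = len(leaves)
    nodes = [None] * n
    nodes[n - 1] = leaves[n - 1]               # deepest leaf is its own subtree
    for k in range(n - 2, -1, -1):
        nodes[k] = node_hash(leaves[k] + nodes[k + 1])
    proofs = {}
    for i, (name, _, _) in enumerate(ordered):
        path = []
        if i < n - 1:
            path.append((nodes[i + 1], True))  # subtree of lower payers, on the right
        for j in range(i - 1, -1, -1):
            path.append((leaves[j], False))    # each higher payer, on the left, climbing
        proofs[name] = path
    return nodes[0], proofs


def verify_proof(leaf: bytes, path, root: bytes) -> bool:
    """Recompute the root from a leaf and its sibling path; True if it matches."""
    cur = leaf
    for sibling, sibling_is_right in path:
        cur = node_hash(cur + sibling) if sibling_is_right else node_hash(sibling + cur)
    return cur == root


def proof_depths(chains):
    """Proof length in hashes per chain, beside the fixed ceil(log2(n)) of a
    balanced tree over the same leaves."""
    _, proofs = build_unbalanced_tree(chains)
    balanced = math.ceil(math.log2(len(chains)))
    return {name: (len(path), balanced) for name, path in proofs.items()}


if __name__ == "__main__":
    root, proofs = build_unbalanced_tree(CHAINS)
    for name, header, fee in sorted(CHAINS, key=lambda c: c[2], reverse=True):
        print(name, "fee", fee, "proof hashes", len(proofs[name]),
              "valid", verify_proof(header, proofs[name], root))
```

Only the root has to live in the main chain header, which is the "extremely clean" header property; a chain that pays more buys a shorter inclusion proof, and a chain that pays the least still verifies, just with one hash per higher-ranked chain above it.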
adam3us (OP)
April 20, 2013, 06:42:32 PM
#36

Quote
Attacker hires [unethical hacker] to enter BTC dev circles, contribute, gain team trust, and eventually sneak a remote code execution vulnerability (disguised as a honest coding mistake, of course) into main.

I don't think you even need a lot of money for that, the grey/black hat hacker just does it as his own project...  There ought to be some really serious scrutiny of every byte of every check-in.  Maybe bitcoin should think about paying a bounty for the bugs out of some slush even.

Some of those guys ranging through black, grey to white hackers are very very smart.  If they can find new 0-days, in highly reviewed code, and sell it on the grey (legit actually) market - they are well qualified to know what a subtle mistake looks like, and how one would create one.

Quote
I am anti-fork as bad for mindshare, confidence and dilutive of bitcoin and crypto currency value aggregate.

Seriously though [...] truly innovative alt-coins as opposed to one-two tweak clones) are useful.

They prevent monoculture.

If anything, we need more altcoins pursuing different niches (I feel that there are market niches which BTC, contrary to popular belief, fills imperfectly, allowing for an alt to take that niche without affecting mainstream btc adoption - but that's a long and boring story)

Ok you called me on that.  Your points are valid also IMO.  I was mostly reacting to the 'one-two tweak clones' as you put it that are basically 100% bitcoin with param tweaks.  I should have qualified that with simple no-difference forks.  Otherwise why would each person not start the same code or a param-tweak metoocoin etc in their own name and go for the first mover coins until there are 100k coin types and the concept of a cryptocurrency gets weakened by the noise!  It's confusing to the semi-technical viewer and erodes the meaning of a cryptocurrency.  But yes, part of an experiment is potentially the economics which maybe you can't really tell without operating it.

There are limitations with bitcoin, things that could be improved, maybe cryptographic and/or p2p optimizations perhaps that could jump scalability up, reduce network requirements of peers, etc.

Different mining and decentralization-retaining features etc.

The research and experimentation brings value.  Maybe in the longer term bitcoin would merge an innovation to improve.  And worst case, yes a monoculture defense, if bitcoin lost its way.

The first mover thing is odd though.  No one knows if an alt-coin will perhaps for some unforeseen reason overtake, if bitcoin hits a big stumbling block people didn't see coming.

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
ChristianK
Newbie
Activity: 37
Merit: 0
April 20, 2013, 09:02:00 PM
 #37

In an age where an attacker can rent a botnet of 1,000,000 PC, you don't want a function that can effectively run on a normal PC.
Quote
I don't think you even need a lot of money for that, the grey/black hat hacker just does it as his own project...  There ought to be some really serious scrutiny of every byte of every check-in.  Maybe bitcoin should think about paying a bounty for the bugs out of some slush even.
Who's that bitcoin that you want to pay a bounty?
passerby
Member
Activity: 112
Merit: 10
April 20, 2013, 10:23:24 PM
 #38


Quote from: TierNolan
The timestamp chain could still be based on sha256.

And, that would be a kind of "institutional" commitment in a loose sense - an informal and unspoken one, but a commitment nonetheless.

If you decide to move away from SHA256, you'd have a bunch of very upset participants, who will at that point become fairly confrontational.

Quote from: adam3us
Attacker hires [unethical hacker] to enter BTC dev circles, contribute, gain team trust, and eventually sneak a remote code execution vulnerability (disguised as an honest coding mistake, of course) into main.

I don't think you even need a lot of money for that, the grey/black hat hacker just does it as his own project...  There ought to be some really serious scrutiny of every byte of every check-in.  Maybe bitcoin should think about paying a bounty for the bugs out of some slush even.

Some of those guys ranging through black, grey to white hackers are very, very smart.  If they can find new 0-days in highly reviewed code, and sell it on the grey (legit actually) market - they are well qualified to know what a subtle mistake looks like, and how one would create one.

Well, having a lot of money allows you to pay the blackhat a really nice salary to ensure he devotes all his efforts to compromising BTC from "team insider" position, and the blackhat gets to keep all the coins he gains from sneaking a remote code execution exploit into BTC.

Which, I reckon, would be an offer few blackhats would decline.

The sheer effort needed to detect - and neutralize - such an attack would be tremendous.

So if we are really considering a non-economically motivated attacker with millions of dollars to spare, exotic chippery is the least of our concerns (I'd say outright implausible, given the amount of non-cryptographic shortcut attacks a rich monomaniac can undertake).

And yes, we need a "bug bounty" and a generally more robust change review process.


Quote from: adam3us
Ok you called me on that.  Your points are valid also IMO.  I was mostly reacting to the 'one-two tweak clones' as you put it that are basically 100% bitcoin with param tweaks.  I should have qualified that with simple no-difference forks.  Otherwise why would each person not start the same code or a param-tweak metoocoin etc in their own name and go for the first mover coins until there are 100k coin types and the concept of a cryptocurrency gets weakened by the noise!  It's confusing to the semi-technical viewer and erodes the meaning of a cryptocurrency.  But yes, part of an experiment is potentially the economics which maybe you can't really tell without operating it.

There are limitations with bitcoin, things that could be improved, maybe cryptographic and/or p2p optimizations perhaps that could jump scalability up, reduce network requirements of peers, etc.

Different mining and decentralization-retaining features etc.

The research and experimentation brings value.  Maybe in the longer term bitcoin would merge an innovation to improve.  And worst case, yes a monoculture defense, if bitcoin lost its way.

The first mover thing is odd though.  No one knows if an alt-coin will perhaps for some unforeseen reason overtake, if bitcoin hits a big stumbling block people didn't see coming.

Adam

Well, there won't even necessarily be an overtake.
I expect BTC and decent alties to specialize to different market segments, with BTC being more mainstream and some altcoins taking up niches that a "mainstream cryptocurrency" doesn't fit quite as well (if at all).

There's no particular reason why There Should Be Only ONE ;).

And don't get me started on Bitcoinomics...

Having said that, there's, you know, a certain gap between "cryptocurrency ideas" and the capacity to implement them.

Altcoins need more level-headed professionals, good designers, and perhaps most importantly, cryptography experts involved.
;)
adam3us (OP)
Sr. Member
expert
Activity: 404
Merit: 360
in bitcoin we trust
April 21, 2013, 12:11:56 PM
 #39

Quote from: ChristianK
In an age where an attacker can rent a botnet of 1,000,000 PC, you don't want a function that can effectively run on a normal PC.

Well, that's an interesting and valid pro-ASIC-friendly argument.  People with ASICs will try to secure them and notice if their coins are stolen.

But also there is an indirect human utility to having botnets being used for mining - it is a very benign payload compared to other things criminal hacking activities have historically used botnets for.  Maybe spam would even fall if hashcash CPU/GPU mining is a more profitable market than spamming.  It seems to me highly likely that it would be even.  Maybe hashcash beats spammers yet, in an incredibly indirect and unexpected way :D  That's amusing.

Quote from: ChristianK
Quote from: adam3us
I don't think you even need a lot of money for that, the grey/black hat hacker just does it as his own project...  There ought to be some really serious scrutiny of every byte of every check-in.  Maybe bitcoin should think about paying a bounty for the bugs out of some slush even.
Who's that bitcoin that you want to pay a bounty?

Well I would be alarmed if anyone tried to impose that by fiat, as it's payment system political interference EU-troika style, but what I meant for example is the bitcoin foundation (and/or any other trustworthy organization with a public interest - eg EFF?) might collect donations from bitcoin users to be divided up between the most dangerous 0-day problems in bitcoin code.  And maybe the bitcoin code changes should not even be shipped until they have survived months and a few $million of the best code analysis minds on the planet's best efforts.  In that way it is actually in bitcoin holders' and users' mutual and selfish interest to donate to that, because if such an attack happens they may be the losers.

I mean think about it - bitcoin surreptitious hidden code check-in attacks, or accidental code mistake attacks - they could be the perfect payout allowing a 0-dayer to retire on Satoshi-like money.  Say bitcoin grows by another factor of 100x in transaction volume and market cap over the next few years.  This is a higher assurance code security scenario than society has ever seen; the security of the code and the development and review model is maybe its only technical security weakness.

Another defensive thought: bitcoin may like to take a leaf from mondex, the p2p respendable electronic currency cash card.  They had a hot spare crypto protocol ready and predeployed, switched on via peer2peer transfer of signed upgrade notice cards in case of a cryptographic or implementation problem.  In a bitcoin world that might more be a spare implementation in another language or something.  (It's a common concept in mission critical systems, eg a spacecraft navigation computer, to have two or three different implementations in different languages, by different programmers, but from the same spec, voting on what is the correct reaction and course adjustment).

Adam

hashcash, committed transactions, homomorphic values, blind kdf; researching decentralization, scalability and fungibility/anonymity
TierNolan
Legendary
Activity: 1232
Merit: 1083
April 21, 2013, 01:10:47 PM
 #40

Quote from: adam3us
But also there is an indirect human utility to having botnets being used for mining - it is a very benign payload compared to other things criminal hacking activities have historically used botnets for.  Maybe spam would even fall if hashcash CPU/GPU mining is a more profitable market than spamming.  It seems to me highly likely that it would be even.  Maybe hashcash beats spammers yet, in an incredibly indirect and unexpected way :D  That's amusing.

It could also up the price of botnets causing more of them to happen.

Quote from: adam3us
Another defensive thought: bitcoin may like to take a leaf from mondex, the p2p respendable electronic currency cash card.  They had a hot spare crypto protocol ready and predeployed, switched on via peer2peer transfer of signed upgrade notice cards in case of a cryptographic or implementation problem.  In a bitcoin world that might more be a spare implementation in another language or something.  (It's a common concept in mission critical systems, eg a spacecraft navigation computer, to have two or three different implementations in different languages, by different programmers, but from the same spec, voting on what is the correct reaction and course adjustment).

This is why moving away from "the code is the spec" would be helpful.

1LxbG5cKXzTwZg9mjL3gaRE835uNQEteWF