Well, this discussion was interesting but it died off about 2 years ago and nowhere I saw discussed the possibilities of Bitcoin destruction which I see for more than 2 years. I saw that almost since I first learned about Bitcoin but I didn't pay too much attention to these worries until about now. Essentially the Bitcoin protocol has a critical design flaw that can be exploited to efficiently kill it and I even suspect that it already started to happen. The design flaw is that "Bitcoin difficulty is adjusted every 2016 blocks so that a block is generated roughly every 10 minutes" (source: Description of difficulty on BitCoin wiki). To see why this is a critical vulnerability we need to look at the adversary and his goal.

The adversary is somebody who wants the Bitcoin dead and is willing to do anything to kill it. He has sufficiently deep pockets to accumulate any amount of haspower at a rate much larger than an average Joe could muster. And he is not afraid to empty his pockets just to see the Bitcoin shot down from the sky.

If you think nobody would wants that because "it makes little sense", "it would be more reasonable to just play nice and profit" etc, then I want to show you one such adversary: government.

Why the government would want to kill Bitcoin? For the same reason for which they destroyed eGold and Liberty Reserve. Now speculations exist that Bitcoin might be the next target and rumors exist that "hackers" switch from Liberty Reserve to Bitcoin. Moreover there are analyses about how "anonymous digital currency" is used for money laundering, for example from McAfee and Thomson Reuters, even National Drug Intelligence Center made an analysis on digital currency usage within organized crime circles. The government thus does not like electronic money systems providing anonymous transactions and anonymous accounts and Bitcoin can provide just that. Yes, they can ban Bitcoin, outlaw the mining hardware, prosecute those who operate exchanges, shut down "Bitcoin mixing services" (those are doing the actual money laundering by breaking the links between the source of the money and the current owner) but now with the coins seized from Silk Road 1.0 and Dread Pirate Roberts they have enough resources to destroy Bitcoin without even spending much of taxpayer's money. The attack would be just like this:

1. Buy enough ASIC minig hardware to cover about 25% of the current hash rate using tax payer's money. They have to "borrow" the money from the taxes rather than use the bitcoins directly because they don't want the rest of the world to know what they are doing.
2. Start mining. Use large count of addresses to receive the mined coins so nobody will notice. They even may choose to join one or more pools to further masquerade as "the little guy next door".
3. Use the mined profits and/or more taxpayer's money to purchase more mining hardware.
4. Repeating steps 2 and 3 until you get 99% of the hashing power under your control.
5. Convert as many of your BitCoins as possible to "legal tender".
6. Wait for the next difficulty change and mine a few blocks past it.
7. Switch all your mining equipment off.

During the steps 1-5 the adversary plays according to the BitCoin rules, even participating in the Bitcoin economy. No hacking, no searching for some obscure vulnerabilities somewhere, no overzealous exchanges/mixing services hunting, no seizure of mining equipment. Contrary to that, the adversary tries to hide as much as possible, pretending to be a sizeable bunch of normal people with sizeable bunch of mining equipment. The adversary can even confortably pull its own money off the BitCoin economy before it tanks. The blow of death is dealt at the very last step. To understand why it is the death blow, let's look what happens after the enemy executes the step 7.

So, just before the step 7 the adversary controls 99% of the hashrate and the difficulty is already adjusted to that state (because of the step 6). Now 99% of the hashrate vanishes literally overnight. But the difficulty stays the same because there next adjustment is some 2000 blocks away. Thus a block gets mined in 1000 minutes instead of 10 minutes because only 1% of the hashing power is now left. Transactions take over 16 hours to get into a block and it takes over 4 days to get the recommended 6 confirmations. This is much slower than cashing a check. The Bitcoin is essentially frozen.

The worst hit is dealt to the miners. This is because 120 confirmations are needed to be able to spend a mining reward. This translates into 80 days - almost 3 months. Many miners can't do any mining for so long without getting paid so they quit. This causes the hashrate to be further reduced, leading to even worse situation. Demand for mining hardware quickly abates as the public starts to see it increasingly profitable. People become increasingly disgusted and reluctant as the value of their coins plunders towards zero. Essentially the network will start a downwards spiral to its doom. The coins will become worthless because they cannot be moved at all and the classic fiat money suddenly becomes much more attractive.

And with 2000 blocks to go under these conditions it would take over 3 and a half of year before the network can recover. That is way too much of waiting. Before the next adjustment can happen, the once thriving Bitcoin is nothing but a frozen world at the periphery of Internet. And even if it would survive somehow, the adversary would simply again turn his multi-peta-byte-hashrate mining rig, mine another 2016 blocks and switch it off again, dumping another 3.5+ years of recovery to the poor remnants of Bitcoin economy.

The current design of the difficulty adjustment process is insecure because it trusts the mining nodes to actually want to do the mining and this security hole is exploited by the attack. The malicious "government" node described above is not interested in mining, it is exploiting a loophole in the mining protocol design to achieve its own malicious goal: destruction of the entire network.

I would propose a fix which would be something like "difficulty decay over time". The difficulty adjustment can be left just where it is, but it needs to be fixed a little bit. However the thing that would be (re)adjusted here (and recorded in the blocks) would be something called "baseline difficulty". The actual difficulty would be calculated like this:

1. Immediately after a block is found, the difficulty is "infinite" (a hash of 0 would be the only accepted).
2. In the first X minutes it would gradually decay to the baseline difficulty.
3. The next Y minutes it would stay at the baseline difficulty.
4. The next Z minutes it would gradually decay from the baseline difficulty all the way down to 1.
5. After (X+Y+Z) minutes the difficulty stays 1 until a new block is found.
6. Once a new block is found, the difficulty resets back to "infinity" and starts a new cycle from step 1.

My proposal for the numbers would be X=8, Y=4 and Z=8. So the first 8 minutes the difficulty decays from infinity to the baseline, the baseline stays the same for the next 4 minutes and then it is gradually reduced to 1 in the next 8 minutes. So if no block is found in the next 20 minutes, the difficulty would be reduced to 1.

The baseline difficulty readjustment also needs fixing. First it shall take into account much less than 2016 blocks, maybe only 120 or even 60 blocks. Secondly, it should calculate and account for the real difficulties used to find these blocks. And third, the readjustment shall happen at every block, not just every N-th one (where N is the count of blocks examined during difficulty adjustments).

This would protect the network from both, sudden spikes and sudden blackout in hashing power. A large increase of hashing power will increase the frequency of the blocks but only briefly because of first X minutes when the difficulty is very large (at the beginning it is MUCH larger than the baseline). A sudden blackout would reduce the block frequency to about half of the rate (one block every 20 minutes) due to the difficulty dropping to 1 after the time ellapses. And these transient changes would last only in few hours because on every block the baseline difficulty would get adapted to the new network conditions.

However I have no idea how to realize this fix. The problem here is that this is pretty disruptive change to the protocol and all the older clients would suddenly fail to synchronize to the chain with the new rules (the blocks generated with the lowered difficulty would be considered invalid by them). Essentially everyone would be forced to upgrade his client and "third party" clients would be rendered utterly obsolete. Maybe the best solution would be to prepare the fix in a branch marked as "use in emergency only" and pull it out once the "doomsday" scenario ensues.

I believe that this attack is well underway because of the recent exponential increase in the hashing power caused by the ASIC chips. I suspect that what is really happening here is large amounts of these ASIC chips purchased by some shady "goverment-like" adversary and used to push the difficulty to abnormal height as described in the steps 3 and 4 of the attack. I don't know how much time we have but it seems that not much.

The attack scenario you came up with it incredibly expensive, and then uses that expensive hardware in the most ineffectual way possible.  With all the time, cost and complexity, if the hashrate fell 99% tomorrow, there would be a consensus of support to hard fork the network and adjust the difficulty.  It would take a couple lines of code.  

If an attacker has 99% of the critical resource, there are far more serious attacks possible.  For starters the attacker could mine a never ending chain of empty blocks and prevent any transactions from ever being confirmed again (or at least as long as the attacker is willing to continue).  The reality is that a nation state could kill Bitcoin and probably will be able to for the conceivable future.  Of course we all know the fact that napster was taken down resulted in the world wide abolishment of p2p file sharing as well.   If the US government spent billions to take down Bitcoin, well I can't imagine a more bullish scenario for crypto currency.

5. Realise that the other 75% of miners are already doing exactly that so you're not getting anywhere.
6. Give up.

Your proposal won't work, because there is no centralized timing source.

The proposal is that mining would get easier the more time that passes with no blocks found.  So when a miner submits a reduced difficulty block how do you verify that "enough" time has passed.   Of course if you had provable decentralized timestamps you wouldn't need mining to begin with.  Just check the timestamp of transactions and the first one is valid and the second is invalid.

Well, if that would be true then the difficulty adjustment would also not work. In order to be able to adjust the difficulty you need to know how long it took to generate the last 2016 blocks. So there *is* some knowledge of time. It is not exact, but it is there and it is sufficiently precise to make adjustments of difficulty that keep the block generation from getting runaway.

My idea is to use these ideas from that code that do the difficulty adjustments to implement the scenario described. Regarding the time source I was thinking about some sort of NTP-like time propagation protocol which the clients would use to track something called "current network time". A NTP service could be used by random nodes to obtain the current time but the real NTP queries should be very infrequent and made only by a few nodes, essentially the network should collectively keep track of time. The nodes shall poke throughout the network, asking random node about the time (and JUST only about the time) and then update their clock accordingly.

I don't believe in "provable decentralized timestamps" and I did not expected to have these. I was thinking about some way how all nodes in the network could agree on "what time is it" with reasonable accuracy. The "reasonable accuracy" would be good enough to make near-real-time difficulty adjustments but it would be not sufficient for transaction ordering so you would still need mining. The near-real-time difficulty adjustment would remove the need for "emergency updates" killing the difficulty if 99% of the hash power would suddenly disappear into thin air.

This rebuttal is pretty good! I like it

However, remember that you are THE BIG BAD GOVERNMENT. You can do pretty much anything.

(I don't believe a good government would wish to destroy such a wonderful thing as Bitcoin, this is why you are a BAD government)

So:

5. Seize the factory(ies) of the company(ies) making the ASICs ("We suspect you have hashish here, we are closing down this factory until further notice").
6. Keep the factory running (you don't want all the good people working in it to lose their jobs because you know there is no hashish) and deploy the resulting mining hardware as soon as possible while you are searching for the (nonexistent) hashish. Make sure you are building that mining megarig somewhere out of the way so nobody sees you (especially keep reporters away). The other 75% of miners is struggling as they are looking for another factory(ies) to support their growth while you are growing by leaps and bounds.
7. Continue doing 6 until you capture 75% of the total network hashrate or even more.
8. Returrn the seized ("borrowed") factories back to the owners along with a huge pile of Bitcoins ("we apologize for our mistake, we thought you had some hashish hidden here, took us 5+ years to search it all, please accept this pile of BTC and goodbye"). This helps to cover the tracks of your real intents with the seizure. Everyone will think this is the end of the story except you.
9. Continue growing the covertly established mining megarig as outlined in the scenario.

Additionally the seizure (pardon, "borrowing") would very likely send the cryptocurrency exchange rates into sky very quickly as somebody pointed out, making the step 8 here much easier to do. Especially if big press releases would be made at or around the event ("Government seized the factories of the largest SHA256 ASIC ")

And don't forget to also make big press releases when doing the step 8 to support more exchange rate rise 

Well, as I already said in a previous post, this is bound to fail because of the flexibility of the Bitcoin core developers so the end of the attack is going to look like this:

10. Once you got 99% of the hashrate and you put all your order so you won't get hit by the resulting chaos in Bitcoin economy.
11. Pull the plug.
12. Realize that the chaos dissipates in 2 days because the Bitcoin core developers issued a "critical update" killing your bloated hashrate.
13. Fix your megarig to accept the new rules and then push the plug back.
14. After a while try again by going to 11.
15. After several loops between 11 and 14 realize that the Bitcoin core developers will always fix that damn thing in 3 days or less so you're not getting anywhere.
16. Give up.

Or:

15. After several loops between 11 and 14 realize that the Bitcoin core developers implemented proof of stake and other nasty countermeasures in the Bitcoin protocol so you are hopelessly screwed.
16. Give up.

Ok, BIG BAD GOVERNMENT. Case closed. Maybe it is time to build a nice global Bitcoin address ownership register and require people to register their addresses there. You futile effort already produced that huge mining megarig so financing this should not be problem this time. The only problem is that you still want the Bitcoin network destruction and that is NOT going to happen so you won't get what you want ...

Lol, the gaping hole in the argument pointed out so eloquently.

No, it's WAY off. If the current hashrate is 100TH, you need to add 300TH to own 75% of the hashrate