Are Bitcoins The Future? (priceonomics.com)
203 points by patrickod on April 4, 2013 | 226 comments


This article covers a lot of interesting ground, and isn't the usual same-old, same-old article about Bitcoin. I especially liked the reminders of earlier examples of online currencies.

The conclusion is tentative, and reasonable. Along the way, the author brings up many interesting facts about Bitcoin, about its supporters, and about its critics.

I think it is especially reasonable to assume that Bitcoin exists with the tacit consent of the United States National Security Agency, even if the NSA didn't invent Bitcoin.

AFTER EDIT: Addition of my FAQ-in-progress about Bitcoin for Hacker News. A while ago I wrote that perhaps the greatest contribution the Bitcoin experiment will make to humankind is to teach you and me and our neighbors more about the realities of economics. And later I added that the Bitcoin experiment will also contribute to greater understanding of attack surfaces and online crime. Many of the ideas about how to mine Bitcoins, store Bitcoins, and trade with Bitcoins as a medium of exchange illustrate both the strengths and weaknesses of any other medium of exchange in a world full of human beings. Seeing the discussion of Bitcoins here on Hacker News reminds me of early online discussions in the 1990s of online payment systems such as PayPal, and the arguments beforehand that PayPal wouldn't have to invest a lot of time and effort (as it eventually did) building defenses against theft and fraud. If a weakness in a system is attached to a lot of money, the way to bet is to bet that someone will go looking for that weakness, even if you haven't thought of it.

This prompts a question for all the security-knowledgeable persons who participate here on Hacker News, a question once asked of the inventor of Pretty Good Privacy (PGP). How expensive do you think it would be for the United States National Security Agency (or a comparable organization from another national government) to crack a Bitcoin store, given that we know that some Bitcoin caches have already been cracked? And if the organization storing Bitcoin data held personal bank account data too, how attractive a target might it be to thieves?


> How expensive do you think it would be for the United States National Security Agency (or a comparable organization from another national government) to crack a Bitcoin store, given that we know that some Bitcoin caches have already been cracked?

This would be a reasonable 1~2 weeks project for a pentester with less than one year of professional experience, so I'd put a rough upper bound on that at $20k. i.e. it is trivially within the capability of governments, organized crime, and any intermediate Rails programmer who wants a fun side project.

If you 10X the numbers I would not bet against the outcome "Achieve a systemic compromise of the bitcoin client." (Bitcoin, by design, fans transactions out to every client on the network. The transactions contain executable instructions in a language which is interpreted by C code. Do I need to paint a very detailed picture of the risk here?)


It's a simple sequence of opcodes: https://en.bitcoin.it/wiki/Script The code has been thoroughly audited by many people with substantial experience. Finding an important flaw in Bitcoin would be a major feather in any Whitehat's cap, and a major skull on the mantle for any blackhat.

Script adds extreme flexibility to Bitcoin, allowing the complete decentralization of services which would otherwise require trusted servers like escrow. It is statically validated and purposefully not turing complete. For extra conservativeness scripts not matching a set of standard forms are ignored by the unmodified reference software until transactions show up in blocks.

This is important because it's what makes it possible to build other safe distributed transaction systems on top of Bitcoin... it's also what will allow Bitcoin to backwards compatibly upgrade its signing primitives if ECDSA begins looking weak.


> If you 10X the numbers I would not bet against the outcome "Achieve a systemic compromise of the bitcoin client."

Does that mean you'll take the other side of that bet?


> I'd put a rough upper bound on that at $20k

Um, what? There are public addresses with thousands of Bitcoins. Why aren't they getting looted?


Bitcoin consuming web applications, such as stores/exchanges, are routinely being looted.


You were implying that arbitrary public addresses could be cracked with a 20k budget, and I am saying that it is not the case.


[deleted]


You're no doubt aware that HTTP servers routinely did buffer overflows leading to arbitrary code execution early in the development of the Internet, and it is only years of work by thousands of people which makes them safe to use currently, right? HTTP servers are also diverse, old/battle-tested, and do not fan out every HTTP request to every HTTP server. Bitcoin is theoretically a protocol but in practice is a client monoculture (so much so that a bug in a point release of the official client forked the transaction chain), has probably less development hours total than Apache has spent on auditing parsing HTTP headers alone, and does fan out every transaction to every node on the network.

Transactions most certainly do not "contain executable instructions".

This is contrary to technical fact. https://en.bitcoin.it/wiki/Script


It depends on how you're defining "executable instructions".

There is a small set of operators and a single conditional. No looping, etc. It's strictly less powerful than CSS, for example.

The implementation is a very simple loop over a switch with a simple 'stack'. The size of a script has a hard maximum of 10kbytes.
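
The shape described in the comment above (a forward-only loop over a switch, a stack, a hard size cap), as an added example that is not part of the thread and not the reference client's code. It covers a small subset of opcodes and leaves out the conditional; `MAX_STACK_DEPTH`, `push` and `rejects` are assumptions of this sketch, and the sample scripts are constructed.

```python
# Added illustration: toy evaluator for a small subset of Bitcoin Script.
# Not the reference client's code. MAX_STACK_DEPTH is an assumed bound.
import hashlib

MAX_SCRIPT_SIZE = 10_000  # the "10kbytes" hard maximum cited in the comment
MAX_STACK_DEPTH = 1_000   # assumption for this sketch

# Opcode values from the Script wiki page linked in the thread
OP_0, OP_1, OP_16 = 0x00, 0x51, 0x60
OP_VERIFY, OP_DROP, OP_DUP = 0x69, 0x75, 0x76
OP_EQUAL, OP_EQUALVERIFY, OP_HASH256 = 0x87, 0x88, 0xAA


class ScriptError(Exception):
    """Malformed or over-limit script; the input is rejected outright."""


def _pop(stack):
    if not stack:
        raise ScriptError("stack underflow")
    return stack.pop()


def hash256(data: bytes) -> bytes:
    """Double SHA-256, as used by OP_HASH256."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def eval_script(script: bytes):
    """Return (result, steps). Raises ScriptError on invalid input."""
    if len(script) > MAX_SCRIPT_SIZE:
        raise ScriptError("script exceeds size cap")
    stack, pc, steps = [], 0, 0
    while pc < len(script):  # pc only moves forward: no jumps, no loops
        op = script[pc]
        pc += 1
        steps += 1
        if 0x01 <= op <= 0x4B:  # push the next `op` bytes as one item
            if pc + op > len(script):
                raise ScriptError("push length runs past end of script")
            stack.append(script[pc:pc + op])
            pc += op
        elif op == OP_0:
            stack.append(b"")
        elif OP_1 <= op <= OP_16:
            stack.append(bytes([op - OP_1 + 1]))
        elif op == OP_DUP:
            top = _pop(stack)
            stack += [top, top]
        elif op == OP_DROP:
            _pop(stack)
        elif op == OP_HASH256:
            stack.append(hash256(_pop(stack)))
        elif op in (OP_EQUAL, OP_EQUALVERIFY):
            equal = _pop(stack) == _pop(stack)
            if op == OP_EQUAL:
                stack.append(b"\x01" if equal else b"")
            elif not equal:
                return False, steps
        elif op == OP_VERIFY:
            if not any(_pop(stack)):
                return False, steps
        else:
            raise ScriptError(f"opcode 0x{op:02x} is outside this subset")
        if len(stack) > MAX_STACK_DEPTH:
            raise ScriptError("stack depth limit exceeded")
    return bool(stack) and any(stack[-1]), steps


def push(data: bytes) -> bytes:
    """Encode a direct push (hypothetical helper for building samples)."""
    if not 1 <= len(data) <= 0x4B:
        raise ValueError("direct push handles 1..75 bytes")
    return bytes([len(data)]) + data


def rejects(script: bytes) -> bool:
    """True when the evaluator refuses the script instead of running it."""
    try:
        eval_script(script)
    except ScriptError:
        return True
    return False


# Constructed sample: hash-lock "<preimage> OP_HASH256 <digest> OP_EQUAL"
SECRET = b"constructed preimage"
LOCK = bytes([OP_HASH256]) + push(hash256(SECRET)) + bytes([OP_EQUAL])

if __name__ == "__main__":
    print(eval_script(push(SECRET) + LOCK))
    print(eval_script(push(b"wrong guess") + LOCK))
    print(rejects(b"\x4b\x01\x02"))                          # truncated push
    print(rejects(bytes([OP_1]) + bytes([OP_DUP]) * 2000))   # stack growth
    print(rejects(bytes([OP_1]) * (MAX_SCRIPT_SIZE + 1)))    # oversize script
```

Because the program counter never moves backward, the step count can never exceed the script length, so the size cap also bounds the work one script can demand.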


We're now arguing about the definition of the word "is."

Not even an hour ago you were claiming how the embedded scripting language added extreme flexibility to Bitcoin implementations. Having thought that through, you now claim the very same embedded scripting language is so crippled it, come to think of it, might not even count as executable instructions at all.

The technical reality of Bitcoin has not changed in the past hour. It still allows transactions to include arbitrary content. They still embed executable code. They are still executed, by design, network-wide on an implementation monoculture.

To paraphrase a tptacek comment: I hope to make the starburst of points which immediately follow this by implication as opposed to having to state them explicitly.


I'm not contradicting myself: In the same comment I wrote "It is statically validated and purposefully not turing complete".

There is no contradiction between being very limited and also allowing extreme flexibility. I don't think many people here would agree that CSS is "executable code", and yet CSS is turing complete and substantially more complicated than Bitcoin's script. This is why I said it depends on what you mean by "executable code". There is nothing that is jumped to, no looping, the processor never jumps to and runs anything fed in off the network, etc. Just a simple set of operations for manipulating a stack and doing comparisons. But, even though the implementation is simple the results are powerful.

There are several implementations of script evaluation— I can think of at least 6— now though the reference is by far the norm on full nodes.


>I think it is especially reasonable to assume that Bitcoin exists with the tacit consent of the United States National Security Agency, even if the NSA didn't invent Bitcoin.

How so? If the NSA really hated bitcoin, what would they do? Even if it were made illegal in the US, the United States are not the world, and it would be extremely hard to enforce.


NSA, China, Russia, most governments really, and possibly a lot of banks, could do a 51% attack and shut down transaction processing... or do double spends, but shutting down all transaction processing seems more damaging. This won't ever change, unless Bitcoin really causes governments to lose most of their power and money.

Edit: gavin has a plan (http://gavintech.blogspot.com/2012/05/neutralizing-51-attack...) but my guess is if they did the work to start an attack in the first place they'd have planned for gavin's plan and acquired enough older coins to foil it. It'd be nice if more thought went into other ways to thwart a possible attack but I'm not sure there really are any. Most people seem to discount and completely avoid the issue.


A direct attack by a state actor (especially one like the US, which likes to be seen as following the rule of law) isn't too likely. China might attack bitcoins, but why would they - they can just block them.

The people who do black ops don't generally do so to help the financial sector. They do so for national security. While the economy (and monetary system) is arguably a national security issue, I can't see them all being on the same page. The guys in treasury would probably rather talk to regulators than intelligence.

Simply banning them, and enforcing that ban would work though.


Folk might want to print out Bitcoin wallets or store devices in a Faraday cage... in the unlikely event Kim Jong-Un pulls a wild card! :-)

http://www.washingtontimes.com/news/2012/dec/19/north-korea-...


They'd be useless without a hard-copy block chain to back them up.


Forgive me if this is a joke that I'm not getting, but they wouldn't be useless at all:

1) Bitcoin is a p2p distributed network with nodes all over the world. Even if a nuclear attack took out the entire US, the network would continue to work as long as segments of the Internet did (and recall that the Internet was originally designed to protect US data networks from nuclear attack).

2) It's quite simple to spend Bitcoins as long as you have access to a Bitcoin node (see above) and a copy of the 32-byte private key string corresponding to the public Bitcoin address the coins were sent to. This short string of characters can be written on paper, etched into stone, whatever.


The receiver can't be sure that the Bitcoin hasn't been double-spent without waiting on changes in the block chain to propagate; that's not easy in the middle of a nuclear wasteland.


Right, or even be sure that it's a legal bitcoin at all, and not just a forgery.


> It'd be nice if more thought went into other ways to thwart a possible attack

Given that the BitCoin community/industry has been getting hacked lots and there is widespread ignorance of security ("unsalted md5s for passwords!"), I don't have faith this'll change.


Maybe they're in the process of gathering their coins!


They could buy a bunch of ASICs, keep pulling off double spending attacks until everyone loses confidence in the Bitcoin system, and call it a day.


Here's more on double spending attack vectors: https://en.bitcoin.it/wiki/Double-spending

But here's the question: how long would it take for governmental bureaucracy to amass the resources to execute such an attack without raising flags from other nodes who then will take proactive measures to not only mitigate such attacks but also alert other nodes on the network?


"But here's the question: how long would it take for governmental bureaucracy to amass the resources to execute such an attack without raising flags from other nodes who then will take proactive measures to not only mitigate such attacks but also alert other nodes on the network?"

Do you really think that purchasing a hundred million dollars worth of ASICs would alert anyone? The government spends far more than that in a given year, and there are government agencies that are good at keeping secret operations of that size secret. I would not rely on the inefficiency of bureaucracy when it comes to equipment procurement, certainly not as a security measure.

Also, what exactly would the honest nodes do to mitigate the attack? They can only buy more computing power to try to maintain control of the block chain. That is the real problem here: the effort needed to run the Bitcoin network is proportional to the effort needed to attack the system.


This goes into cancer nodes: https://en.bitcoin.it/wiki/Weaknesses#Cancer_nodes

"It's trivial for an attacker to fill the network with clients controlled by him. This might be helpful in the execution of other attacks. For example, an attacker might connect 100,000 IP addresses to the IRC bootstrap channel. You would then be very likely to connect only to attacker nodes. This state can be exploited in (at least) the following ways: The attacker can refuse to relay blocks and transactions from everyone, disconnecting you from the network. The attacker can relay only blocks that he creates, putting you on a separate network. You're then open to double-spending attacks. If you rely on transactions with 0 confirmations, the attacker can just filter out certain transactions to execute a double-spending attack. Low-latency encryption/anonymization of Bitcoin's transmissions (With Tor, JAP, etc.) can be defeated relatively easy with a timing attack if you're connected to several of the attacker's nodes and the attacker is watching your transmissions at your ISP. Bitcoin makes these attacks more difficult by only making an outbound connection to one IP address per /16 (x.y.0.0). Incoming connections are unlimited and unregulated, but this is generally only a problem in the anonymity case, where you're probably already unable to accept incoming connections. Looking for suspiciously low network hash-rates may help prevent the second one. "

One could even go further to do signal analysis on the network looking for nodes whose hash rates are more similar than others and hash rates per period of time (which will happen if such a large scale operation were in process), point them out to other nodes, and require that that node verify themselves with information which could allow for an independent audit by others before unflagging the node(s) in question.

EDIT: if anyone is interested in possibly working on an open source project for rogue node mitigation that miners can install on their rigs, I'm game :P besides I think it would be more fun than going solo with my algos on the BTCUSD cross exchanges :P
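
The one-outbound-connection-per-/16 rule quoted from the wiki above, compared with unrestricted peer selection, as an added example that is not part of the thread or the client's code. The address book is constructed (benchmarking and private ranges), the slot count is an assumption, and the sketch covers IPv4 only.

```python
# Added illustration: outbound peer selection with and without the
# "one outbound connection per /16" rule quoted from the wiki.
import ipaddress
import random

OUTBOUND_SLOTS = 8  # assumed number of outbound connections

# Constructed address book: 1000 addresses in only two /16s stand in for
# one operator's nodes; six addresses in six different /16s for the rest.
CLUSTERED = [
    f"198.{18 + n // 500}.{n % 500 // 250}.{n % 250 + 1}" for n in range(1000)
]
SPREAD = [f"10.{k}.0.1" for k in range(1, 7)]


def group16(addr: str) -> bytes:
    """First two octets of an IPv4 address, i.e. its /16 (x.y.0.0)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("sketch covers IPv4 only")
    return ip.packed[:2]


def pick_unrestricted(candidates, slots, rng):
    """Uniform choice over every known address."""
    return rng.sample(candidates, min(slots, len(candidates)))


def pick_one_per_16(candidates, slots, rng):
    """Random order, but skip any address whose /16 is already in use."""
    order = list(candidates)
    rng.shuffle(order)
    chosen, used = [], set()
    for addr in order:
        group = group16(addr)
        if group in used:
            continue
        used.add(group)
        chosen.append(addr)
        if len(chosen) == slots:
            break
    return chosen


def clustered_count(peers) -> int:
    clustered = set(CLUSTERED)
    return sum(1 for peer in peers if peer in clustered)


def compare(seed: int = 1):
    """Return (clustered peers without the rule, with the rule)."""
    rng = random.Random(seed)
    book = CLUSTERED + SPREAD
    plain = pick_unrestricted(book, OUTBOUND_SLOTS, rng)
    grouped = pick_one_per_16(book, OUTBOUND_SLOTS, rng)
    return clustered_count(plain), clustered_count(grouped)


if __name__ == "__main__":
    plain, grouped = compare()
    print(f"without rule: {plain}/{OUTBOUND_SLOTS} slots in the two /16s")
    print(f"with rule:    {grouped}/{OUTBOUND_SLOTS} slots in the two /16s")
```

With the rule, the share of outbound slots an operator can occupy is capped by how many distinct /16s they hold rather than by how many addresses they announce.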


Those ASICs just hash SHA-256, which isn't specific to bitcoin. The NSA probably has enough of those already, for other purposes.


It's actually double hashed - sha256(sha256(x)). So any ASIC they already have won't be optimized for bitcoin.


Or know mathematical weaknesses in it.

The NSA is one of the largest employers of mathematicians in the world. They don't sit around doing Sudoku all day.


It's probably pretty popular in the break room though.


"even if [bitcoins] were made illegal in the US, the United States are not the world, and it would be extremely hard to enforce"

Blacklist the Bitcoin exchanges and any foreign financial institution that transacts with them from the U.S. financial system. The script was updated with the twin salvos against online gambling and Iran.


More reasons to use Bitcoin.


I like that you said use and not hoard :P


>If the NSA really hated bitcoin, what would they do?

Well, the NSA couldn't do much, but the federal government could. The CIA could set up Bitcoin exchanges then have them "hacked" for one thing.


Governments could tax all bitcoin transactions that go through a centralized entity (such as Mt. Gox) a non-trivial amount, which would effectively kill it as a mainstream currency.


It's worth noting Bitcoin's lead developer, Gavin Andresen, was invited to the CIA HQ in Langley, VA to a US Intelligence conference in June 2011. [1]

So 'tacit consent' is quite likely indeed.

[1] https://bitcointalk.org/index.php?topic=6652.msg146198#msg14...

edit - I misspoke regarding location, it was the CIA HQ. However, the 'emerging technologies conference' was for the broader US intelligence community.


CIA, not NSA. Though of course there could have been representatives there.

I think it's also worth noting that covert agencies may find benefits of their own in a public global system for moving money around quickly, verifiably, irreversibly, and somewhat anonymously.


Reminds me of Tor.

"Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the U.S. Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications. Today, it is used every day for a wide variety of purposes by normal people, the military, journalists, law enforcement officers, activists, and many others." https://www.torproject.org/about/overview.html.en


Bitcoins are not the future. But they're a great start.

Bitcoins have two major problems stopping mainstream adoption; excessive volatility that isn't managed and the fact that it is a deflationary monetary system, with the latter being a much bigger issue.

Fundamentally a currency needs to move around fungible value. That's it. If it doesn't do that - it's useless.

Bitcoin incentivises hoarding - the opposite of value transmission - and that's the main reason it'll remain as nothing more than a mere speculative currency, like modern day tulips, and why it won't ever become an actual alternative to actual cash.

Now - this isn't a knock against crypto-currencies - which are awesome - it's merely a knock at the fact that monetary supply in the bitcoin system isn't adaptive. Bitcoin needs a central decentralized bank that will help to stabilise the system and inflate (punish hoarders) as the economy grows in fits and starts.

I'm sure that one day in the not too distant future, another crypto-currency will come about that takes all the advantages provided by bitcoin, and combines them with stability/incentives of a nation-backed currency such as the US dollar. When that happens, we can finally end the monopoly held by large financial institutions that so clearly have literally no idea what they are actually doing (see Deutsche bank just recently).

Bitcoins are just the beginning of a whole new financial world, free from restriction, fees and abuse (hopefully :).

But they most certainly are not the end.


This is fundamentally the difference between the left and right economic worldviews. The left prizes inflation, spending, and centralized nation states. The right supports deflation, saving ("hoarding"), and powerful individuals or voluntary groups. And now we are finally going to have an empirical test where the left can't wave a gun at the right to force them into inflation.


Excessive hoarding is obviously dangerous to a currency though.

Imagine a fixed supply of 1.000.000 coins and suppose 99 people managed to nab 10.000 coins initially and are just sitting on them.

The bitcoin economy will then run as though the remaining 10.000 coins is the entire economy, but 99 people will have spending power equal to the value of the entire economy.


First, Moore's law is technological hyperdeflation. Your dollar buys more computer power in 18 months than it does today. Yet people still buy computers. And computers are the one bright spot in this otherwise Fed-bubble-governed economy.

Second, a deflationary currency is inherently viral. The more people in it, the more valuable it is.

Third, 99 median powers are better than one government having power over the whole world currency. Power over the economy is linked to the capacity to delay gratification, rather than the ability to maintain a monopoly on counterfeiting dollars through violence against alternate currency providers (see Executive Order 6102, Bernard von Nothaus, e-gold, et alia).

In your scenario, spending by those guys would drive down the value of the currency. But they couldn't do so to an infinite extent; at best one guy could devalue it by 50%. USG by contrast has devalued the dollar 96% since 1913. Moreover, their purchasing power will rapidly decline as they sell more and more off. Finally, the blockchain will show the global distribution of holdings, making "monetary policy" of this kind more predictable than the opacity of the Fed.

People have gotten into this mindset that inflation and infinite debt are good. But I'll go with something backed by computer science over macroeconomic pseudoscience anyday. At best, consider this a controlled experiment, Satoshi vs. Bernanke. I know what side my mine is on.


Computers are in no way deflationary.

They're manufactured. Better ones are made. There are so many computers in the world now compared to demand that their value has simply inflated away, making them accessible to everyone.

If the computer market were deflationary, then computers would really only be affordable by the 5 richest men in the world.

You seem to be under the mistaken assumption that money itself is an investment. It's not. Investments produce value - which hoarding money does not. Neither does hoarding computers for that matter. The moment you buy a computer it decreases in value, so unless you use it productively it really is just inflated away - much faster than your money is.


Let's focus on a single parallel:

True or false: under Moore's law, your dollar can buy K transistors today and 2K transistors in 18 months (ignoring inflation for now). Nevertheless, people do buy and sell computers in immense volume.

True or false: under hyperdeflation, your bitcoin can buy K dollars today and (at least) 2K dollars in 18 months. Nevertheless, people are trading Bitcoin in large and exponentially increasing volume (see blockchain.info/charts).

Now, I agree that the mechanisms behind the deflation in each case are different. Technological improvements are behind Moore's law while Bitcoin's ramp is due to the controlled currency supply. But what I'm getting at is that we've already faced a situation in which people could "hoard" dollars indefinitely to buy an increasingly valuable asset, namely computer power. The empirical result: they don't hoard indefinitely despite this exponential rise. In fact, they buy by the billion.


Computers do not increase in value with time. The relative value of your money with respect to the computer market increases. But your money is subject to inflation, and interest, and other markets - computer purchases can be valued against the interest accrued in not buying a computer vs the expected returns of doing so. Which, if you don't have a computer, might be forgoing a massive amount of return profit (starting a startup, running a home office, being entertained).

Deflationary currency is a very different matter entirely. Because the currency gains value relative to every other thing you could spend it on. Money you might spend on a computer, does not.

These situations are not analogous in the slightest.

If you want to treat computers as a currency (money-like object), then the reality is that computers are a currency experiencing hyper-inflation. They don't hold any value at all, to the point that people consume them as commodities instead.


Agreed!

And he also conveniently forgets to mention that computers increasing in power comes from research & technological advancement.

Both these things are possible because of investments. Why would someone build a 2b$ factory to produce a new chip when they could sit on their money selling the same chip forever?


The only reason prices get so low in the first place is that no one wants to buy anything. The same amount of goods is now divided among much fewer people. Which makes the people who aren't hoarding incredibly rich at the expense of the hoarders, since the hoarders aren't getting any of it.

The second the hoarders "cash out" prices go up back to normal to cover the increased demand. They only gain insofar as the actual amount of goods in the economy increases (which is natural deflation.)

And in a real economy most people who save money do so by investing it or putting it in a bank, which lends out 90% of it back into the economy anyways. At the end of the day, the loans are paid back and they get the same amount of bitcoins back, so it's all the same to them, but they also get interest.


The analogy I like is that traditional currencies work in the same way, the money supply is the 10,000 coins and the central bank represents the 99 people and has the 1,000,000 coins. (In practice they have an infinite amount but whatever)

In traditional currency systems the central bank adds more money to the supply by buying financial products.

In your scenario the 99 people add currency to the money supply by buying whatever they opt to buy.

The differences are that the central banks can print as much currency as they want rather than being limited to what they bought earlier and that it's many people vs one institution with some mandate to keep the currency and economy stable.

That said, if I was one of those 99 I would be careful and probably collude with the other 98, if I tried to cash out too fast I would collapse the value of bitcoin and the rest of my investment would be rendered valueless. So they do have an implicit motivation to preserve stability.


You actually have an incentive to collude and carefully manage the market, then crash it and buy all the money back and go back to hoarding it.

With sufficient deflation, you end up spending less on necessities (food) than the rate of increase in the value of your hoard. Making you the permanent upper class, and making everyone else the permanent lower class. It's a return to feudalism.


"Buy an economy" is a meaningless term. They can either buy products and services or invest. And this is dangerous why? If they decide to start spending their money, this would indeed mean temporary inflation as the money supply circulating would increase. But this also means that they themselves, the rich ones, will lose a lot of the value of their remaining money. Also, they wouldn't be able to spend it all at once, so with each new chunk of investment the value of their money will be less and less and less.

The truth, as it turns out, that in a deflationary system rich are only rich as long as they don't spend too much and invest wisely. Thus the incentive is there to continue hoarding, even though this incentive is quite different from the incentive of the poor: for the poor in a deflationary system the incentive to hoard is making money. For rich the incentive is not losing them.


I don't think you're thinking this through properly. The same loss of value will happen no matter how they spend or invest their money, so a rational wealthy person should conclude that it was never really "worth" the face value in the first place. (What good is money that only holds its value if you never spend it?) So that's not an incentive against spending.


It's not really a left or right thing. You have to have inflation via devaluation of currency to fuel investment.

In a fiat system based on devaluing currencies and inflating prices, money shrinks if it is not moved, invested, paid interest on. Why invest otherwise? Just have a feudal-based gold backed system and sit on your gold like a king, loans will lock up creating depression without inflation/interest over deflating reserves to fuel investment.

This is why non fiat currencies or gold backed would put too great a power in mining kingpins like oil does on groups like OPEC. I'd rather have the inflationary system controlled by bankers or algorithms that can keep economies going when they lock up.

A fiat currency where the rates are a throttle mechanism but the throttle has to be watched closely and as public as possible for trust. A currency bound to a physical thing like gold is no longer a good system.

Bitcoins, adjust in currency and value by mining new circulation via algorithm/time/market.

"The money supply is automated and given to servers or "bitcoin miners" that confirm bitcoin transactions as they add them to a decentralized and archived transaction log approximately every 10 minutes." - devaluation built in, we'll see if it is enough of a lever and who controls the lever or spigot as they say with oil, that sets the price. More importantly, who do you want controlling that?

The article has a great circulation graph that shows it is almost linear, is that enough to make it through large crashes? http://blockchain.info/charts/total-bitcoins?timespan=all... Will it draw slow circulation if there is a crash? Will it pick up circulation if there is too big a bubble? This is where a centralized oversight starts to look good.

Best thing about bitcoin markets, they never close! No after hours shenanigans and rushes at open and close.


> You have to have inflation via devaluation of currency to fuel investment.

Incorrect assertion presented as fact. Why does anyone invest in hyperdeflating computer power, which rises exponentially in value relative to the fiat dollar? Inflation disincentivizes investment in the asset losing value in real terms, namely dollars. People are flooding into bitcoins because they have the opposite trend from dollars. And yet they will spend on things they need, rather than things they want, just like people still spend on computers. Hyperdeflation followed by moderate steady deflation means the death of the 30 year mortgage, the student loan, and all the other mechanisms of debt slavery. Deflation incentivizes production over consumption, savings over debt. These concepts are alien to the America of 2013 but weren't always so.


Just like anything, you have to have the right balance of deflation/inflation in the market + devaluation of currency. This is why the throttle is key, who controls it, on what basis. I think this is the exact opposite, I think devaluation of a currency over time allows markets, investment, loans to thrive. If your money is shrinking you have to invest, the market will beat the mattress stash over time always due to this.

When you invest you create bigger dollars. Someone paying interest their actual value of their dollar might be .85-.95 where the person collecting 5% interest is collecting 1.05 during that same period simply by investing rather than money sitting at 1.00 doing nothing or shrinking due to devaluation.

I sum it up as this, poor people pay interest, rich people collect it. Without devaluation of currency and if the currency just naturally grows at a rate at or higher than inflation or deflation for too long, why invest then, why take the risk if your money grows without investing? The feudal gold conundrum - the mere fact of people being born makes you richer because they have less and there is limited supply? Supplies have to increase, thus currencies have to be devalued. Devalued currencies lessen risk of investment because if you aren't investing you are holding smaller dollars over time. This fuels products like the 30 year mortgage even more, without this banks wouldn't loan as easy. People don't invest as much in deflation because they are overpaying or buying high, holding onto cash is better during those times, so increasing circulation and spending actually fuel investment due to devaluation. It is all a balance and has and will continue to evolve, it works for the most part with fiat levers to get through turbulence and momentary irrational behavior.


Heh. I don't get what you're so excited about. There's 2 possibilities. 1) You're wrong 2) You're right

Now let's analyse the situation: 1) pretty obvious. Everyone who invested into bitcoin loses a bundle. When media attention dies down for some reason, or negative attention comes (e.g. a -partial- hack of bitcoin, last exchange shuts down, ...) the value crashes to zero.

"Debt slavery" continues.

2) Exactly what you claim happens will indeed happen : "People are flooding into bitcoins because they have the opposite trend from dollars". If this is true, then nothing will be able to stop it, and bitcoin will win over traditional currencies.

This will be followed by exactly what you say "the death of the 30 year mortgage, the student loan, and all the other mechanisms of debt slavery. Deflation incentivizes production over consumption, savings over debt".

Now let's assume you're born to parents with average wealth worldwide in a world where bitcoin is the only currency, and loans are impossible, due to the savings imperative of bitcoins. You can't get loans.

Everybody who today can't buy a house without a mortgage will have NO WAY to buy a house (saving houses will be just as imperative as saving bitcoins, and leaving them in your own property will be more valuable than ever selling a house). Result : most of "the 1%" does not even have financial means to buy a house in anything within 50 km or so of any major city.

You can't get student loans ... but that does not lower the cost of getting an education. So what happens ? Again anyone outside of "the 1%" cannot get anything but basic education for their children, if that. Keep in mind that we're not even 50 years removed from a time when my family could only get high school level education for ONE child (and the church paid for my father's university studies), the others would never get anything exceeding 7th grade. Even sending one child to university required both parents to work, work better jobs than most in their town could get, AND 2 children to work. This did not enable them to provide comfortable education (own room was completely out of the question).

The cost of an education beyond 12-13 years of age is essentially 20-25% of whatever wage you earn, not in a year, but in a LIFETIME. (because you'll be studying from 13 years up to 22-25 years, depending, which are years you could be productive. You were expected to be productive from 13 to 55 or so. So it represents ~25% of your lifetime wage to send ONE kid to school).

Even that 20-25% is assuming that everybody earns essentially the same, which is obviously not true. Let's say that you earn 50% less than what you would earn given that every job, president or cow herder, would give you the same amount of money. That makes the cost of sending one kid to university 50% of what you earn in a lifetime, give or take.

In other words : no university education anymore, except for the superrich.

Now in option 2 you might think that you'll be among the superrich. But we've had this situation in history many times, with limited money supplies. It can be summarized easily : it takes 30-50 years for the elite to shrink down to less than 1 in 100000 people, after which there is a revolution where all those rich are decapitated or worse, and we start over with a new set of rich. Are you really sure that when you take the 100000 people around you, that you are the best businessman/negotiator/... whatever makes one rich ? I can believe you can best 10 people, 100 if you're good, 0 if you're a geek. Best in 100000 ? I don't believe that.

Even if you do become part of the superrich, read some accounts of the French, Russian, or various Eastern European revolutions to read what happens to the rich after maybe a decade of luxury.

Also please keep in mind that the wealth debt slavery provides (the "value", the thing money's supposed to represent, but is not equivalent to) is vastly more than the value that is provided by mercantilist or feudal systems. The superrich in the bitcoin world will not have the standard of living that today's debt slaves enjoy, with one exception : their ability to hire others. Humans (and human life) will be cheap. A private tap with running water (not warm) requires being in the 1% richest. Computer access is effectively limited to 1000 people worldwide. Private computer access will be unheard of (fortunately, this will obviously destroy bitcoin).

Bitcoin represents a return to the monetary system of the dark ages. It may win, but that is not the outcome anyone wants to see, at all.

I'll take debt slavery, thank you very much. So will the rest of the 99%, and if you use bitcoin to drive it to the point where it takes killing anyone who owns bitcoin to restore debt slavery, it is a matter of time until we call your bluff.

Of course, knowing human nature we'll pick option 2 and start killing each other after a decade or so, and then a century later we'll resume the debt slavery thing and know a century of progress again.


You seem like you are interested in a reasonable conversation. I'll do my best to tamp down the rhetoric and go a few rounds if you're game. Let's start with this:

> Everybody who today can't buy a house without a mortgage will have NO WAY to buy a house

This is the root of our disagreement. Our fundamental premise is that housing is artificially expensive because Bernanke is printing 85 billion dollars per month to buy mortgage backed securities, diluting you down in real terms and simultaneously bidding up the prices of houses and enriching the banks. QE makes the banks richer and you poorer.

In the absence of this artificial demand, house prices come back down to much more reasonable levels. And you won't need to go in debt to buy a house (people had houses before mortgages existed, just like college used to be less expensive!). A sharp drop in housing prices is where the market was headed after 2008 until Bernanke started propping up prices with endless rounds of QE (literally endless, QE4 is to continue indefinitely.)

So: do you agree with the premise that housing prices will decline if Bernanke was not printing $1T/year ($85B/month) to buy mortgage backed securities? And if not, why not?


Sure people had houses before mortgages. They had sucky self-built houses on land they didn't own but rented, and nobody had any incentive to sell land, especially not to small time buyers. The UK still has the remains of that system, though there it's watered down enormously.

Do you agree that bitcoin massively disincentivizes spending anything but tiny amounts of currency ? Or at least, that it would have that effect if it was the only currency.


Hoarding is not saving.

Saving generally involves investing, the money is used in a variety of other ways. The money grows (hopefully ahead of inflation) by being used to fuel growth. Savings that are not invested slowly lose value, a good incentive to either invest or spend and keep everything flowing.

Hoarding BTC is much the same as stuffing cash into a mattress, it's totally unproductive. A currency that rewards hoarders is not useful.

Also this is not a left-right issue. You'll find many on the right who are in favour of a small, controlled amount of inflation.


When I first read you saying;

> And now we are finally going to have an empirical test where the left can't wave a gun at the right to force them into inflation.

I thought you were being hyperbolic, and then a few responses down;

> I'll take debt slavery, thank you very much. So will the rest of the 99%, and if you use bitcoin to drive it to the point where it takes killing anyone who owns bitcoin to restore debt slavery, it is a matter of time until we call your bluff.

I can't believe that there are people that honestly hold this position and are completely OK with it, give me debt slavery or I will kill you or die trying.

Fuck this species.


The Left, in fact, is anti-capitalist entirely. Please stop trying to build false dichotomies to support your right-wing views.


Oh, I agree with you, though this is not often explicitly admitted after the late unpleasantness of 1917-1991. Bernankeist inflation seizes money for the central government slowly via dilution, while the USSR/Maoist PRC variety seized it more overtly. Same leftism, only a difference of degree. Though with Cyprus we begin to see chronic Bernankeism drop the mask. With Cyprus we begin to see the anti-capitalist core come to the surface: "all your moneys are belong to them". 100% seizure of all bank accounts over 100,000 is de facto communism.

But the anti-capitalists need to understand that they are soon to be completely undone by technology. It is going to be impossible for central governments to seize wealth once Bitcoin ramps up, just as defcad.org has made it impossible for them to seize guns. The universities? Nuked by MOOCs. The media? Bankrupted by the Internet. All the left's citadels are aflame.

And it is glorious.


Actually, you're continuing to operate according to the idiotic American Rightist definition of "the Left": "THEY WANNA TAKE OUR MONIES, OH NO!"

Yeah, no. Cryptocurrency presumes a proprietarian-capitalist legal system in the first place.

Capitalism is about private ownership of the means of production. Its financial superstructure can and will vary.


For that matter, his portrayal of the right is oversimplified, but that's politics for you.


Saving and hoarding are not the exact same thing. Saving is invested (in any variety of forms and risks), meaning that it is actively used in the economy to (at least try to) generate more value. Hoarding is just sitting on top of it, which is not great for the economy.


Unfortunately, this notion of saving is based on a rather antiquated understanding of how banks work. In modern banking, lending is not constrained by the amount of deposits or reserves that a bank has. The only thing limiting the amount of loans given out are capital requirements, and of course risk/return considerations of the bank.

The result is that putting money into a savings account of a bank does cause the bank to increase its lending volume.

Rather, the amount of bank lending is determined by how many willing and credit-worthy borrowers approach the bank. This in turn depends much more on the overall state of the economy (e.g., whether households are confident enough in the job situation to take on a mortgage, and whether businesses are confident enough of future demand to expand).

Note that saving actually tends to be a drag on those factors, because the first-order effect of increased saving is a reduction of aggregate demand.

The reason some economists believe that saving is good at a macroeconomic level is that they believe interest rates will adjust to such an extent that banks will be approached by more willing borrowers. The problem with that notion is that loan demand is not actually all that sensitive to interest rates. Even worse is the fact that (nominal) interest rates cannot drop below zero, and (real) interest rates cannot drop below minus the rate of inflation. This makes the conservative position on the economy (disregard the demand side and target low inflation) completely untenable, but I digress...


Fuck yeah. Great time to be a cypherpunk.


'the right prizes deflation' - clearly you know what you're talking about, not.

Deflation is the worst nightmare of every government - all governments, pretty much, want low steady inflation so people keep spending money (i.e. not what's happening in Japan for 10 years - which they are now fixing).


I think you are completely wrong: in your characterization of the left, in your characterization of the right, and in the ability of governments to affect the use of bitcoin. But you've got an interesting viewpoint, so you've got my upvote.


You may think that deflation and hoarding is bad. However people are drawn to it. Fortunately, you can't tell people what to do and where to store their money. Thus, a currency that allows hoarding will always be more attractive to people than the one which doesn't.

Soon enough people will learn that there is no deflationary spiral. They will also learn that currency can be both deflationary and move around. Bitcoin is divisible, so it doesn't matter if someone hoards a significant amount of it - trade will still flourish and enough transactions will take place precisely because you can divide one bitcoin into smaller parts.


I like your point about adoption. It makes sense that a deflationary currency would attract more people due to its speculative nature. Without this aspect of bitcoin, it would still probably be trading for pennies and languishing in relative obscurity. Any digital currency designed with an inflationary system will probably fail to attract a critical mass of users, because outside of anonymity, which is only important for a small minority, there is no significant upside to owning the currency.

Where I don't agree with you is that the divisible nature of bitcoin somehow makes it viable (most currencies are divisible by the way, 100 cents = $1). The fact is deflation suppresses spending (and hence economic activity) because the currency will be worth significantly more in the future than it is now, and therefore, I would prefer to hold onto it rather than spend it. Divisibility does not change this.

Where I am still up in the air, is whether or not a digital currency needs to be inflationary. Gold has some industrial uses, but its value is largely due to tradition and speculation. It has long been used as a common store of value and is bought by traders as a hedge against fluctuations in the global economy. Bitcoin could become the 'Gold of the internet'. A new way to hedge against the global economy, but other than that, not something that really affects everyday life, except maybe at the fringes (when was the last time you bought something with gold).


Please read this short thread where I explain why investment is still an attractive option with Bitcoin: https://news.ycombinator.com/item?id=5403360

I hope this changes your mind.


"Nobody invests. If that's the case, then the amount of goods and services in the economy remains constant"

No, if nobody invests, then there will be NO goods and services at all. That is a recipe for economic calamity, and would create a situation where guns and ammo would end up more valuable than any currency (what is the point of holding a currency if you can't buy anything with it?). I have yet to read a convincing explanation as to how deflation is a good thing. The general premise is that a 'little' deflation is a good thing because it encourages people to save, but the authors always fail to address the fact that deflation leads to more deflation and hence the 'deflationary spiral' that eventually causes things like the great depression. One author actually argues that the Great Depression was a good thing, but I don't exactly agree with that sentiment.

Once again, Gold is a better comparison to bitcoin than any fiat currency, because bitcoin is not a form of exchange for any particular economy and the dangers of deflation do not necessarily apply. More than anything, bitcoin is being used as a store of value. While this doesn't make for a good currency, it does not necessarily mean bitcoin is doomed.


My problem with this and BTC is that it isn't even a truly fixed currency supply - as people lose wallets, the bitcoins they contained are permanently lost because only those wallets (that are now destroyed) are lost. So either you brute force the signing key and try to imitate the wallets or you will never get those coins back.

So it isn't just that BTC will (in a hundred odd years) stop growing the money supply, it will probably (sooner than that) start leaking bitcoins from lost wallets, and as the money supply drops deflation grows faster than with a fixed money base.


There won't be a lot of lost wallets. At least not enough to cause any kind of noticeable effect.


> There won't be a lot of lost wallets. At least not enough to cause any kind of noticeable effect.

With a fixed upper limit on the number of BTC ever issued, if wallets are lost at any non-zero rate, there will eventually be exactly 0 BTC that can be spent.
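
The supply argument in this exchange can be run as a simple model. This is an added example, not part of the thread: the subsidy constants (50 BTC, halving every 210,000 blocks) are Bitcoin's issuance schedule, while the constant annual loss rate, the 52,560 blocks per year, and rounding each year's loss up to a whole satoshi are assumptions made for illustration.

```python
# Added example (not from the thread). The subsidy schedule is Bitcoin's;
# the key-loss model is an illustrative assumption.
from typing import NamedTuple, Optional

COIN = 100_000_000             # satoshis per BTC
INITIAL_SUBSIDY = 50 * COIN    # subsidy of the first blocks, in satoshis
HALVING_INTERVAL = 210_000     # blocks between subsidy halvings
BLOCKS_PER_YEAR = 52_560       # assumption: one block every 10 minutes
PPM = 1_000_000                # loss rates are given in parts per million


def block_subsidy(height: int) -> int:
    """Newly created satoshis in the block at `height`."""
    halvings = height // HALVING_INTERVAL
    return 0 if halvings >= 64 else INITIAL_SUBSIDY >> halvings


def issued_between(start: int, end: int) -> int:
    """Satoshis created by all blocks with start <= height < end."""
    total = 0
    height = start
    while height < end:
        subsidy = block_subsidy(height)
        if subsidy == 0:          # integer halving has reached zero
            break
        era_end = (height // HALVING_INTERVAL + 1) * HALVING_INTERVAL
        stop = min(end, era_end)
        total += (stop - height) * subsidy
        height = stop
    return total


def total_issued() -> int:
    """The hard cap implied by the schedule (slightly under 21 million BTC)."""
    return issued_between(0, 64 * HALVING_INTERVAL)


class Outcome(NamedTuple):
    peak_year: int                # year in which spendable supply was highest
    peak_spendable: int           # that supply, in satoshis
    zero_year: Optional[int]      # first year with nothing left to spend
    final_spendable: int          # supply when the simulation stopped


def simulate(annual_loss_ppm: int, max_years: int = 10_000) -> Outcome:
    """Track spendable supply when a fixed share of keys is lost each year."""
    spendable = peak = peak_year = 0
    for year in range(max_years):
        start = year * BLOCKS_PER_YEAR
        minted = issued_between(start, start + BLOCKS_PER_YEAR)
        spendable += minted
        # Assumption: losses round up, so any non-zero rate loses >= 1 satoshi.
        spendable -= (spendable * annual_loss_ppm + PPM - 1) // PPM
        if spendable > peak:
            peak, peak_year = spendable, year
        if spendable == 0 and minted == 0:
            return Outcome(peak_year, peak, year, 0)
    return Outcome(peak_year, peak, None, spendable)


if __name__ == "__main__":
    print(f"cap: {total_issued() / COIN:,.4f} BTC")
    for ppm in (0, 1_000, 10_000, 50_000):
        o = simulate(ppm)
        print(f"loss {ppm / 10_000:.1f}%/yr: peak {o.peak_spendable / COIN:,.0f} BTC "
              f"in year {o.peak_year}, zero in year {o.zero_year}")
```
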


> You may think that deflation and hoarding is bad. However people are drawn to it.

People are drawn to lots of things which are destructive. (Theft, rape, etc.) So what?

> Fortunately, you can't tell people what to do and where to store their money.

You actually can, and, more usefully, you can adopt a social convention in which the generally accepted "money" isn't particularly attractive to hoard.

> Thus, a currency that allows hoarding will always be more attractive to people than the one which doesn't.

Well, to people who are ignorant of its harms or who maliciously seek to cause them, sure.

> Soon enough people will learn that there is no deflationary spiral. They will also learn that currency can be both deflationary and move around.

A deflationary currency (if it was the only one around) might still move around in exchange, especially for necessary consumables, but it creates a disincentive for investment, because the appreciation of the value of the currency makes it compete with investment vehicles, which encourages hoarding over investment -- and the more hoarding that occurs, the faster the money supply shrinks and the faster the exchange value of the currency rises, increasing the incentive to hoard. It's a classical positive feedback loop, which inevitably lasts until the currency is reformed in such a way that removes the deflationary features (impossible with BTC), external social/legal factors are imposed which limit hoarding, or until it is displaced as a currency and reverts to its commodity value (which, for BTC, is zero.)


Why on earth would I participate in an economy with a deflationary currency?

Every day I would have to work harder or be paid less, all the while my economic output would be increasing the wealth of those who are unproductive but happen to possess currency. No thanks.


If you can get your employer to give you fixed salary in a deflation, your spending power goes up. If the employer adjusts down, your net buying power doesn't decrease if prices adjust to increased value of money.

Those who by and large run the world right now sit on their laurels letting their money (albeit, in "risky" investments rather than a box growing in value) make them even richer. While their money might be productive, they more or less aren't contributing anything else, and they do it in self-interest.

I'm not trying to argue for deflation, and I do think the design of BTC as a finite monetary supply is fundamentally flawed, but deflation and inflation respectively benefit someone - deflation those who hoard, and inflation economic growth. But both depend on people who have the money in the first place.


> If you can get your employer to give you fixed salary in a deflation, your spending power goes up.

Yeah, but you can't. BTC is deflationary because of built-in supply constraints. It's trivially obvious that you can't expect a fixed salary in it unless you have a shrinking pool of employed people.

> If the employer adjusts down, your net buying power doesn't decrease if prices adjust to increased value of money.

If the employer adjusts down at or slower than the pace of deflation, your buying power doesn't decrease, just as it doesn't with an inflationary currency if your employer adjusts up at or above the pace of inflation.

Of course, if your employer is paying you in Bitcoins, they need to get them from somewhere, and with a deflationary currency which encourages hoarding and discourages both spending and investment, good luck with your employer having much success with that.

> Those who by and large run the world right now sit on their laurels letting their money (albeit, in "risky" investments rather than a box growing in value) make them even richer.

Investments aren't money, they are things purchased with money.

> While their money might be productive, they more or less aren't contributing anything else, and they do it in self-interest.

Right, currencies managed to be mildly inflationary harness the self-interest of the rich to produce diffuse benefits (which, unfortunately, are often counteracted by things outside the currency system itself, but that's a different issue), while currencies designed to be deflationary harness the self-interest of the rich to produce diffuse harms (which, unfortunately, are often aggravated by the same things outside of the currency system that mitigate the benefits of inflationary currencies.)


I dunno, at least the likes of Warren Buffett get richer by profiting from stuff they actually invest in. Deflationary currency seems to remove this link, and in fact make investment a much less interesting proposal.


You won't be paid less. The money you'll be paid would be worth the same, numbers don't matter. Also, your savings would increase in value as everyone else's.

I find it very common even here on HN that many people fall for this fallacy that money == value.


You miss my main point - that the rewards of any economic growth produced by those doing productive work in a BTC economy is enjoyed by those hoarding, not by those producing. Work performed in the past is valued higher than work performed in the present.

As a result anyone with enough old money can parasitise on productive society forever, to the nth generation. And instead of doing so by (at the very least) stimulating the economy through investment, they can do it just by sitting on their mattress full of cash.

Again, why would I participate in an economy where my hard work is of direct benefit to people just sitting on cash?


That's a valid concern but it doesn't stand scrutiny. Production itself doesn't create deflation. If the number of goods and services in the world remains more or less constant, it means there is no deflation. At the same time, people will still be working and producing things.

It's only when money is invested that you have a surplus of things in the economy which deflates the money. By investing, hoarders allow other not-yet-rich people access to capital. Thus, if hoarders want to become richer they will have to make rich others too.


"If the number of goods and services in the world remains more or less constant"

Does it though? I thought we were all addicted to growth? If we continue to have any growth then with a limited cash supply, each unit becomes worth more (deflation).

"By investing, hoarders allow others not-yet-rich people access to capital."

I'm not clear on how you think this works, because (AFAICT) hoarding BTC is just holding on to currency, not any sort of investment?

" Thus, if hoarders want to become richer they will have to make rich others too."

Or they can just sit on it while others do the work and achieve much the same with no risk...


Ok, I think you misunderstood my statement. I was saying this: if you want growth, you need to invest. If you don't invest, you don't get more goods and services in the economy. If you don't have more goods and services, each unit of money can't grow in value (e.g. no deflation) because there wouldn't exist more things you can buy. Thus, if you want money to increase in value, you have to invest.

It's a tricky circle, but once you understand it, it all becomes clear.


Yes, but if currency is deflationary, it's best for me if someone else does these things and I just sit back and profit from my currency holdings.


Not necessarily. By investing you take your destiny in your own hands: you deflate your savings and also collect profits. It is not a given that those just sitting around will profit more from inaction, but it is true that you make them richer too. Well, I can live with that.


This point disturbs some people because it implies that they should not mind hoarders, and continue business with BTC as usual. But people mind (more or less) hoarders because they are: 1> worried about their apparent (and seemingly growing) power over the value of the currency, or/and 2> jealous.


The deflation argument is brought up a lot around here, I wonder if you've read this article:

http://www.forbes.com/sites/jonmatonis/2012/12/23/fear-not-d...

> Contrary to the central banking and political class insistence that deflation must be prevented at all costs, an economy with a monetary unit that increases in value over time provides significant economic benefits such as near zero interest rates and increasing demand through lower prices. Let’s look at some remarks from leading thinkers on deflation.


Indeed, let's look at some remarks from some leading "thinkers" on deflation:

> Deflation rewards the prudent saver and punishes the profligate borrower. The way a society, like an individual, becomes wealthy is by producing more than it consumes. - Doug Casey

Moralistic pseudo-economical bullshit. Want to know some scandalous borrowers' names? Steve Jobs, Thomas Edison, Warren Buffett, I could go on. The last sentence is so wrong it hurts; a pro-capitalist economist should know very well that, in a market economy, production equals consumption. Shame on him.

> Deflation puts a brake–at the very least a temporary brake–on the further concentration and consolidation of power in the hands of the federal government and in particular in the executive branch. It dampens the growth of the welfare state, if it does not lead to its outright implosion. - Jörg Guido Hülsmann

Holy fucking shit Batman, you just did not make the case for deflation based on your pet political fringe worldview. For the record: one, the "executive branch" is not a monolithic entity, and the central bank is quite independent from say, the president; two, what you call "nanny state" is my "minimum decency and human rights state", so thanks for the monetary coup d'état; three, what about constant, steep deflation favouring by nature the concentration of power into an oligopoly of capitalists. But I guess, since it's an oligopoly of capitalists, it's all OK.

> George Selgin rightly distinguishes between malign demand-driven deflation which is an unfortunate secondary effect of a central bank-manipulated, inflationary malinvestment phase and benign deflation which is the result of an increase in productivity.

Yeah, dude should also talk about malign deflation that's designed into your currency. Nothing to do with increased productivity, incidentally. One wonders whom these leading thinkers lead, and where...

Really, I'm most sympathetic with the notion that lowering prices will increase demand. True, however, we're interested here in the matter of lending and borrowing, which is, in my opinion, very worrying. Of course, I'm not an economist, so I might very well be wrong. However, these gentlemen's arguments do nothing to persuade me.


> increasing demand through lower prices

This sounds nice in theory. In practice, prices fall only very slowly, if at all, due to the way that prices are set in practice: Producers decide how much they want to charge, and they are naturally inclined to charge more rather than less. This might be different in a world where the price tags are made by customers, but we have to work with the world we live in.

By the way, this is probably the best argument for tolerating a modest rate of inflation (e.g. 5% or so): For "the market" to work well, relative prices need to change to reflect the changing reality of production and consumption. Since the mechanisms of how prices are set allow prices to rise faster than they can fall, it is a good idea for the average price level to be increasing at a modest pace.


"that is a deflationary monetary system, [...] being a much bigger issue"

The market currently proves you wrong. This is not an "issue". Everybody knows about deflation, yet spending is massively increasing. BitPay alone recorded a merchant transaction volume increasing from $687k in February to $5.2M in March. (BitPay is the largest Bitcoin transaction processor, providing a very clear indicator of whether people are spending or hoarding).

http://www.marketwatch.com/story/bitpay-eclipses-silk-road-i...


How much of that volume is ASIC purchases, which are essentially a form of speculation on the future price of Bitcoin themselves?


What are the ASIC producers doing with all their bitcoins?


In many cases, they're not receiving bitcoins in the first place. BitPay allows merchants to receive the USD equivalent of their incoming payments minus a small fee, and at least one major ASIC manufacturer does it this way.


It works because people value goods they can get with their coins more than the appreciating value of coins in the future.

The problem everyone is having is not about coins being used for exchange - any money will provoke people to spend it on the things they value more than the money itself - but on how a deflating currency makes investment less prominent because it requires even higher returns than the rate of the currency appreciating value.


For most people the deflationary part is a good thing. If you don't spend them they actually increase in value. Or the people selling things for bitcoin who will get more and more value over time without having to increase prices.

It would hurt people who borrow money, but that's not what bitcoin is primarily used or was intended to be used for, and the interest rate people borrow money at could just be adjusted accordingly. (Which would then encourage people to loan instead of hoard as the amount of bitcoins they get back at the end of the day would be the same either way, but this way they would get interest on top of it. So your "hoarding" problem is self correcting anyways.)

If someone was hoarding bitcoins it doesn't hurt or affect anyone else. Your central bank inflating it wouldn't just punish hoarders, but everyone who used the currency. To the benefit of whatever group controlled it or got the newly "minted" bitcoins.

Bitcoin does have a built in way of inflating the currency by people "mining" more of it, but that was a necessary evil of getting the first bitcoins into circulation relatively fairly. There is no actual benefit of having people wasting vast amounts of computing power otherwise, or making everyone else's money worth less.


It's not excessively volatile. Relative to its market capitalization, its volatility is quite low:

http://bitcoin.stackexchange.com/questions/3338/how-does-bit...

As for being deflationary, that hasn't stopped the rapid growth in the number of transactions per day:

http://blockchain.info/charts/n-transactions

I posted this elsewhere, but it applies here:

A gradual rate of deflation didn't stop world markets when they used an international gold standard.

Very few people forgo buying something they need because they could get 2% one year later if they hold on to the currency.

I think deflation IS economically inefficient, but the negative effect of slight deflation has been exaggerated in the popular economic literature.

For a peer-to-peer currency network, a fixed money supply could even be beneficial by creating an incentive for bitcoin holders to invest in the technology.

Bitcoin is working, has created the most powerful distributed supercomputer in the world, and is processing an increasing number of instant global transactions every month.

It works in practice, as a medium of exchange, and that is a better argument for it working as a currency than theories about how deflation affects economies.


Isn't a central decentralized bank an oxymoron?


Perhaps the intended meaning was 'multi-legal-jurisdictional'.


What we are moving into is not a world with one cryptocurrency that is hoarded or inflated - but rather a world of many many cryptocurrencies where people will move from one to another adjusting to the circumstances. There will be the 'lateral inflation' in creation of new cryptocurrencies. When the old ones become stuck in the deflation spiral - new currencies will be used, eventually unsticking the old ones, by making them less attractive.

I have not looked into the details - but Ripple looks like hitting the nail on the head.


This is so wrong.

Bitcoin is excessively volatile now, and probably will be for a while. This is due to many, many reasons related to its age as a currency. The exchange rate will never be stable, but will not always be so volatile.

Regarding deflationary monetary systems, there is much debate. However people exchange things of value when there is mutual benefit - when something I have is worth more to you than to me, and vice versa, we will exchange as it is mutually beneficial. If an asset is appreciating, it affects what value I give it and for what I am willing to trade, but it does not disincentivize trade - it only changes the value calculation.

If I have $100 that will probably be worth $90 in 5 years, I'm willing to trade it for something that adds about $90 of value to me over the next 5 years. If I have $100 that will probably be worth $110, I'm willing to trade it for something that adds $110 of value over the next 5 years.

I think the anti-deflation argument is entirely bunk, and inflation has dire consequences for those who have fewer assets and education to protect themselves.


Royal Canadian Mint tried a "crypto-currency" called Mintchip. They only had 500 devkits and it probably had a ton of security issues, but it's great to know that they are interested in this kind of technology.


Additional issues with bitcoin include significant and growing implementation complexity, legal environs, and latency.


You would probably like http://freico.in which incentivizes sustainable investment.


It's a nice write-up, but it gets many points wrong.

1) Bitcoin is not anonymous. It's pseudonymous since all transactions take place in public between pseudonyms (ECDSA keys). This is a big difference, one that hasn't been examined too well, and what has been written on it is not encouraging[0].

2) Bitcoin is not the first currency to prevent double spending without a third party. That minimally goes back to 2006 and a paper "Compact E-cash"[0] where double spending a coin revealed the user's identity and allowed for prosecution.

The problem Bitcoin actually does solve is you don't have to trust the bank to not devalue your currency.

3) Bitcoin does not solve the Byzantine generals problem. Bitcoin is assumed to be correct if 51% of the computation power is honest. If everyone is equal, this means that bitcoin only requires that the majority of the generals are honest. The Byzantine generals problem has no solution if even 1/3 of the generals are malicious[2]: this is a rather famous result.

How is this possible? Bitcoin isn't dealing with a fixed n Byzantine generals, it's dealing with a peer to peer system where anyone can join and you need to prevent sock puppet accounts. It's a completely different problem.

[0]F. Reid and M. Harrigan, “An analysis of anonymity in the Bitcoin system,” in Privacy, security, risk and trust (PASSAT), 2011 IEEE Third International Conference on Social Computing (SOCIALCOM). IEEE, 2011, pp. 1318–1326.

[1]http://cs.brown.edu/~anna/papers/chl05-full.pdf

[2]http://research.microsoft.com/enus/um/people/lamport/pubs/by...


I think the pseudonymous problem you are stating is a huge problem for wide adoption. If you are able to associate a key with a person, you know all the transactions done by someone (of course, with that wallet). You can take extra measures to have multiple wallets, etc, but it can be difficult to truly understand the risks and it could need an extra effort that, simply, is not going to be assumed by lots of people.

I'm pretty sure that wallets associated with service and product providers will be easy to figure out, so you can learn A LOT of sensible information about someone... I guess that the risk will be low, but the consequences could be huge.


Currently, using any accepted online transaction policy forcibly immediately associates a real identity with it every time. Bitcoin makes acting anonymously possible, it just requires work. Those that want the anonymity can put in the work to be anonymous, whereas everyone else gets the ease of use of associating keys with people.


By accepted online transaction systems I assume you mean Visa, PayPal, Dwolla, etc.

In that case, two points: 1) If you are willing to accept centralized systems, then my second citation gets you complete anonymity.

2) At least with those systems, your information isn't public to everyone.


>This is a big difference, one that hasn't been examined too well, and what has been written on it is not encouraging[0].

Random numbers are just about as close as you can get to true anonymity. In fact, I'd say that it is as close as you can reasonably expect to get no matter how you try to achieve it.

It's also trivial to dis-associate your Bitcoins from a particular cryptographic identity, through the use of mixing services.


If I temporarily change my name to a random number and then go to 3 brothels, a drug dealer, and then my church, I can assure that after I change my name back and run for congress, it will come up.

The problem is that all your transactions take place with the same public key or set of public keys. Sure, you can add more keys to that mix, but someone can probably always untangle the web.

Contrast this to say Chaum style e-cash where you get complete anonymity. To withdraw a coin, you have the bank sign a serial number in such a way that they don't know what they are signing. You can then spend the coin by providing the signature and serial number to a merchant who asks the bank if that serial number has been deposited yet. If not, then the coin is neither counterfeit nor double spent. No one in this system can de-anonymize you since they can't know the serial number you used when you withdrew a coin.


>If I temporarily change my name to a random number

There's nothing temporary about it. Unless you voluntarily publish something associating a particular address with yourself, there's basically no way for someone else to make that association. Making the association is completely infeasible if proper precautions are taken.

>The problem is that all your transactions take place with the same public key or set of public keys.

No, they don't. In fact, with the default client, it tries to minimize the number of times you re-use any given public key.

>Sure, you can add more keys to that mix, but someone can probably always untangle the web.

No, they can't. The "web" is comprised of a lot of cryptographically random probabilistic association, so the most you can possibly say is something like "there is a .0001% chance that this address belongs to the owner of this other address, and a 99.999% chance that it belongs to someone else." Nothing that would even remotely hold up in court, or even let someone associate you with a purchase.

It literally does not get any more anonymous than this in a distributed identity-based system.


When an 'anonymous' purchase gets mailed to your house, that creates evidence that you are the anonymous person.


And? How does any other digital coin system solve this problem? In the end, you can always associate an identity with a purchase. Bitcoin simply allows you to have an infinite number of disconnected identities.


In most other systems, you don't have an identity that is visibly associated with the transaction. Each transaction is unlinkable to any other transaction or your identity: you are not trying to prevent the breadcrumb trail between each of your transactions from following you home, you are actually not leaving crumbs.


where double spending a coin revealed the user's identity and allowed for prosecution.

Because identities are a secure system? This also allows for malicious attacks where an innocent third party is made to look like a double spender and have their identity revealed.


You can't frame a third party unless you have their private key. This is called Exculpability and there is a proof of that property in the paper. I agree it has problems (especially if you can use double spent coins to buy a ticket to Venezuela and avoid extradition). But the point is Bitcoin wasn't the first paper to solve the double spending problem without just asking the bank, not that its solution was inferior.

There is a good deal of academic research on e-cash schemes and some of it might actually be worth studying (despite the fact that it was never really deployed) instead of ignoring it and thinking Bitcoin is the be all and end all.


I really like the idea of cryptographic currency, but bitcoin strikes me as a somewhat ill fated v1 of the idea.

Whatever replaces it will need some sort of more sophisticated measure for keeping the value of a coin from fluctuating wildly; because with the way the currency is wildly deflating right now, I'd be super hesitant to "spend" a bitcoin for fear that it might be worth twice what it is now, while on the other hand, I'm also terribly afraid of buying a bitcoin, because what if they drop back down to earth? Currency only really seems spendable if its value is at least somewhat predictable.


Bitcoin is not even "v1," it is just an attempt by cryptoanarchists to create a currency without any central authority. Chaum, Okamoto, and many other researchers published a large volume of work on digital cash, creating systems that supported various notions of secure and anonymous electronic payments. Unlike Bitcoin, the security of many of these designs can be proved by reductions to hard problems, much like the security of public-key cryptosystems like ElGamal. In the typical "hack it out and pay no attention to previous work" style of the Bitcoin community, none of that research was cited or even hinted at in the original Bitcoin paper. The fact that the article presents this as a choice between something like Bitcoin and something like Paypal is telling.

The reason Chaum's digital cash startup failed is complicated, but it boils down to this: digital cash is poorly understood, banks have few compelling reasons to deploy it (their existing fraud mitigation measures keep them well within the realm of profitability), and the US government continues to work against the deployment of good cryptography.


The approach of Satoshi Nakamoto is not the way typical cryptographers would create cryptocurrencies.

See gwern's article Bitcoin is Worse Is Better http://www.gwern.net/Bitcoin%20is%20Worse%20is%20Better

Satoshi's genius is the ability to combine several well known technologies and figure out the right kind of tradeoffs that would make bitcoin work.

Yes, bitcoin sucks in many ways such as not being able to do anonymous trade offline, being forced to store a blockchain, needing enough computation power to counter evil miners, needing the social cooperation of miners and users, and so on. But you have to admit, it works.


Chaum's system was centralized. A chaum token bank may be blinded but is still a great big single central point of failure and control— they can still inflate the currency— they can still selectively deny access. The centralization created a huge operating risk and would make any such effort untrustworthy just from the perspective of political exposure.

The whole point of Bitcoin (http://p2pfoundation.ning.com/forum/topics/bitcoin-open-sour...) was to build a zero trust decentralized system.

Chaum's system provides some properties "perfectly" but they aren't the properties such a system needed to have in order to exist, much less be successful.


"A chaum token bank may be blinded but is still a great big single central point of failure and control...they can still selectively deny access."

That is not really true when there is an offline transaction protocol; the bank can only deny access initially (e.g. the bank can refuse to let you open an account), but once you are in the system you can spend money or be paid without the bank's permission. It is also possible to create threshold systems where there is no single bank, so that there is no single point of failure.

"Chaum's system provides some properties "perfectly" but they aren't the properties such a system needed to have in order to exist, much less be successful."

I think protection against double spending is a pretty fundamental property for a digital cash system to be successful. People would not use Bitcoin if they did not believe that it protects them from double spending. My only real point in all of this is that Bitcoin does not provide that protection according to the standard used by cryptographers; in practice, nobody has pulled off a double spending attack yet, but everyone knows how to do it and it is not impractical by any stretch of the imagination.


The reason Chaum's ecash failed was Chaum.


Well it might not be possible for a decentralized crypto currency to have a non-fluctuating value; at least at the beginning. Since it is decentralized it cannot be declared "worth something" by fiat; and therefore needs to garner its value organically. It makes sense you want to stay away, but bitcoin is still super early stages and growing. If it plateaus or at least becomes more or less predictable over time due to "finding its price" then those with your concerns will be more apt to adopt.

This isn't really a flaw of bitcoin but rather of markets/people.

Once bitcoin gets near some sort of saturation point in terms of adoption, you are likely to see a much more stable valuation. Now though, it's the wild west and it's nigh impossible to separate the speculation from the fundamentals.

I will say though that I don't see wild fluctuations in bitcoin's price as a flaw in bitcoin. I see it as inevitable for any currency bootstrapping itself from nothing to something. The path from zero to any valuation is bound to be riddled with crazy swings as people get hopeful and then scared.

Consider: if bitcoin had instead had demurrage or increasing rates of inflation, how much less likely would the early adopters have stayed around? It's all well and good to consider ideals, but creating a tradeable, limited commodity out of thin air that people actually want is no small task and it has not been proven that there is another way to do it. If there is no incentive to be an early adopter, there is no reason to take the risk; you might as well just wait until it is widely accepted to start accepting inflato-coin; but with the possibility of dizzying-gains there is a strong incentive for people to use bitcoin before it is proven (which is only slightly less true today than 2 years ago); and this incentive is -- while not part of the technical appeal of bitcoin --inseparable from its success.


I agree that it's important that early adopters have an incentive to adopt early, no doubt, but given the current market, what's their incentive towards: saving or spending?

I imagine for a currency to work, the incentive has to be at least tilted a little towards spending. Economically, that's essentially why we have inflation -- the system can't reward people for just hoarding dollars, because that's essentially an economic no-op. If just holding currency was more profitable than investing it, then why would people bother to invest in the first place? I'm not an economic Keynesian, but all the same, I don't think it's an accident that hiding a pile of money under your bed isn't going to net you new money in a functional system.

Right now owning a bitcoin is a lot more analogous to owning a stock than it is to owning a dollar. Which is to say it lacks liquidity.

A currency without liquidity isn't really a currency, it's just an asset. The whole point of having currency is the liquidity of it, and that liquidity generally comes from a somewhat stable valuation.


You have the incentive to spend. You need to live so you will use your fiat and bitcoin to buy food, gas, electricity and things that you want.

I know the bitcoin is going to be worth more, but I still spend it today, just like I know that if I wait just a little bit the laptop will be cheaper and faster but I still buy it today when I need it.


If the value of BitCoin increases quickly enough (i.e. you hold a sufficient initial amount) then the amount you spend on food, gas, electricity can be less than the rate of increase.

This is literally getting something for nothing.


"you are likely to see a much more stable valuation"

Does this not assume that Bitcoin remains the only currency of its kind?

I've been assuming that there's an incentive for anybody capable to design a new currency and make sure they're in on the ground floor as it appreciates.

So in x years time there may be dozens (hundreds?) of competing currencies, giving arbitraging and carry opportunities that will contribute to volatility.

And a possible end result (though I can't see it happening outside science fiction) is that somebody designs a way for you to make your own currency, backed by your own labour, potential value, or assets. So everybody has their own currency, and it's priced according to how clever you are, or how many horses you own, or some other fundamental.


There are already quite a few. NameCoin, PPCoin, DevCoin, IxCoin, the list goes on.

The biggest (second only to bitcoin) is LiteCoin. Very similar to bitcoin but with faster transactions, and it uses a different algorithm. Using Scrypt instead of SHA-256 makes it much harder to get a fast FPGA or ASIC to mine quickly. Even top graphics cards are no more than 10-20x faster than CPUs. It's risen in price ridiculously recently, going from 7 cents to 6 dollars, now hovering around 4. People who were mining or bought in around the 7 cent mark have made quite a lot. There was no premining though, which is interesting, and I think has helped raise confidence (pre-mining is where the designers of the currency mine on their own before anyone else gets on the network, so it's a concern that they will dump vast amounts at some point and crash the price).

I think having more currencies might actually improve confidence, as there are a few ways of looking at it:

1) Lots popping up, hmm, bitcoin isn't special so SELL!

2) Lots popping up and falling, hmm, bitcoin looks quite stable comparatively, BUY!

3) Another few stable ones appearing, hmm, crypto-currencies look like quite a normal idea, BUY!

Could go any way, could all collapse or spike. Maybe $125 is low for bitcoin, and we'll be here thinking "Why didn't I buy in?" or it'll collapse, nobody will think it's worth mining and the network will fall apart. Or it'll remain the same.

All I know is I'm currently making some money to keep my flat warm, and that it's not worth putting in anything I can't afford to lose.

Edit - Formatting.


Do you think it's wise to invest in Litecoin right now?


I don't know. It might be worth a gamble, I'd certainly put it as 'risky'! It's very difficult to say. Bitcoin looks like it'll stay high for a while at least (talk of ATMs, even), and interest in bitcoin seems to bleed over. Crypto-currencies seem to be getting a lot more mainstream attention, and LiteCoin is the biggest non-bitcoin one, with several advantages.

Personally I'm mining as that seemed like a fairly safe bet, as if everything comes crashing down I still have a computer, and I could afford the cost. At the current prices & difficulty, I'm getting ~$30/day. Sell half and keep half, and then if it shoots up in price I'm quids in, if it goes down then people have still helped buy me a fast computer.

I think it's worth it, but consider it a gamble rather than an investment, and only stick in money that you're willing to lose (not just see drop in value, lose). Set some points at which you'd like to sell, and try and get your stake back. You could win big.

Don't do what some guy on reddit did, which was take 30k in credit cards and loans he couldn't afford and stick it in bitcoin. Granted, it seems like it should have netted him about a quarter of a million, but don't be drawn in by stories like that, people also get rich on the lottery.


Yes and then they will develop corporations called bureaus who will rate each individual person's currency worthiness on a numeric scale. Other institutions will determine if they do business with you based on this scale and it takes 7 years before the transactions you screwed up get sharded to an archive database.


The maximum value is approximately the cost of a machine for mining it, because if you have that amount of money, you could instead buy the machine and use it to mine more than one bitcoin. The minimum value is probably some function of its reliability. If hardware costs continue to fall, and bitcoins become more useful (i.e. people gain confidence in its security and reliability), the value should become more stable.


Over time, the maximum value can go up a lot more than that.

You buy that machine which can profitably mine bitcoin. Lots of other people do the same. The bitcoin network then adjusts the difficulty, so that the same number of coins are created per hour despite the increased computation. Now the cost of the machine you need to mine that bitcoin has gone up.

These difficulty adjustments are why people used to mine thousands of bitcoins with CPUs, then had to switch to GPUs, and now are buying custom-built ASICs.

Because of the difficulty adjustment, the total cost of the machines and electricity mining coins is a function of the cost of the coins, not the other way around.


Value is stabilized by the market. Futures markets are how value changes are averaged out through time. You don't need a central banker manipulating the money supply in a misguided attempt to maintain stable prices. That'd destabilize the economy while stabilizing prices.


You might want to look into Freicoin (http://freico.in/), which has a different economic model meant to fix this exact problem.


[deleted]


"the currency is not wildly deflating right now"

Yes it is. $1 in 2012 bought as much as $1.01 today [1]. 1 Bitcoin a year ago bought about 1/27th what one does today [2]. Thus, U.S. dollars have inflated by 1% while Bitcoins have deflated by some 95%.

Inflation is not calculated from the monetary base or FX rate. It is a function of the price level of real goods and services. Since most goods and services are priced in U.S. dollars (and U.S. CPI isn't inflating ridiculously) BTC/USD does double as an estimator of Bitcoin deflation.

[1] http://www.bls.gov/data/inflation_calculator.htm

[2] http://bitcoincharts.com/charts/mtgoxUSD#rg360ztgSzm1g10zm2g... 4 April 2013 versus 11 April 2012


An alternative way of saying that Bitcoin is deflating is that the purchasing power of Bitcoins is growing. Recognizing that the purchasing power of any currency is driven by two long-run factors -- changes in productivity and in the money supply (and money demand) -- BTC will have a natural mean (trend) in terms of a basket of goods. The question is whether, in this initial adoption / speculation phase, we are above or below that mean trend.

So while you might technically describe it as deflation, it might simply be reversion to the mean, in which BTC becomes more valuable until it reaches a saturation point.


> The question is whether, in this initial adoption / speculation phase, we are above or below that mean trend.

Since Bitcoin has a hard upper limit in supply which has not been reached yet, it's pretty clear that -- barring a major loss in Bitcoin's popularity as a currency (which is actually quite probable, and which will counteract this effect) -- its current rate of deflation while it's still in the supply-expansion phase is almost certainly *less than* its long-term expected rate of deflation.

Bitcoin's hard upper limit might make it attractive as an investment, but makes it undesirable as a currency (of course, even with the upper supply limit, the lack of utility value and the fact that bitcoins are essentially intangible make it of somewhat dubious long-term value as an investment, but perhaps intangible collectibles will end up as a popular collector's item.)


Intangible ? Bitcoins ? I would say the dollar is pretty much intangible. Only 7% of it is printed, all the rest is on computers. And my $10 in 2005 had more purchasing power than my $10 do now.

Effectively having bitcoin means each time you buy something over a period of time they cost you less.


> Intangible ? Bitcoins ?

Yes, like all digital goods, bitcoins are intangible.

> I would say the dollar is pretty much intangible.

Aside from the physical ones, that is correct. So what? I didn't argue that being intangible distinguished Bitcoins from dollars. I presented problems with Bitcoins as a currency, and then noted the "intangible" as an issue with them as a non-currency collector's item if they failed as a currency.

> And my $10 in 2005 had more purchasing power than my $10 do now.

So?

> Effectively having bitcoin means each time you buy something over a period of time they cost you less.

Yes, the fact that BTC has a built-in hoarding incentive and disincentive both for spending and investment is a problem for it as a currency (medium of exchange), since, were it widely accepted as a primary currency it would drive resources out of productive investment, and reduce the rate of technological progress and economic activity.


Inflation and deflation are the price of money correcting to balance supply and demand. I would describe it as reversion to a moving equilibrium versus a mean. This does not change that volatile hyperdeflation is a problem.


"If we sum up the amounts accumulated at the 609,270 addresses which only receive and never send any BTC’s [bitcoins], we see that they contain 7,019,100 BTC’s, which are almost 78% of all existing BTC’s. This suggests that 78% of bitcoins are being hoarded, waiting for prices to rise."

While I'm sure many bitcoins are being hoarded, the proof presented means nothing since by default all change is sent to a fresh address. So if I had 100 bitcoins and bought an item worth one bitcoin I would now own a new address with 99 bitcoins and no outgoing transactions giving the impression that I had never spent any of my bitcoins.

See: https://en.bitcoin.it/wiki/Change


From the paper:

===============

Due to the way bitcoins can be repeatedly moved to fresh addresses, some of which can be very recent, we can not claim that all these bitcoins are out of circulation. However, 76.5% of these 78% (i.e., 59.7% of all the coins in the system) are "old coins", defined as bitcoins received at some address more than three months before the cut off date (May 13th 2012), which were not followed by any outgoing transactions from that address after they were received.

To be even more cautious with our estimation of dormant bitcoins, we decided to ignore all the transactions which took place prior to July 18th 2010, when Mt.Gox started its exchange and price quoting services. The sum of the balances of all the addresses which have not been active since that date is 1,657,480 bitcoins. Clearly, by considering all these bitcoins as "lost" rather than "hoarded" we are underestimating the number of bitcoins which are kept dormant in "saving accounts".

By ignoring these very old bitcoins and repeating the same calculation, we found that 73% of all the remaining BTC's were accumulated at addresses which only receive and never send bitcoins, and that 70% of these 73% (i.e., 51%) are dormant bitcoins in the sense that they were received more than three months before our cutoff date but after it became easy to exchange them. If instead of summing the transaction values we sum the final balances of all the addresses that were active after July 18th 2010 but became inactive in the last three months, we get that 55% of all coins in the system are dormant in this sense.

This is strong evidence that the majority of bitcoins are not circulating in the system, and since it is based on the address rather than the entity graph, this conclusion is not affected by possible inaccuracies in the way we associate addresses with users. Note that the total number of bitcoins participating in all the transactions since the establishment of the system (except for the actual minting operations) is 423,287,950 BTC's


The article quotes the 78% instead of the paper's 59.7% conclusion. Furthermore they use the present tense when the paper is about the blockchain as of May 13th 2012. It's very misleading.


Wow. So it genuinely does look like ~80% of the BTC in existence are just being sat on.

This is certainly consistent with the attitudes of miners and enthusiasts I've seen on the bitcoin forums.


A lot of bitcoins have also been lost forever by their owners.


How many is a lot I wonder? I guess that's even harder to figure out than how many are idle. If it's approaching a few % of the idle coins it could become significant to the BTC economy.


What happens if you want to send me a $1, but your only coin is $100, and I try to steal the change by not sending you the change, sending my own address the change instead?

Is it equivalent to me just running off with a $100 bill of yours? (A real problem in an anonymous street trade).

I guess you could make change yourself -- splitting your $100 into $99 + $1 and then spending the $1. But for the network, that would look like you sending both $99 and $1 to new(?) addresses.

Anyway, the 7M unspent BTC are all "change" that hasn't been spent yet. So your 99 BTC in your example is hoarded: You got 100 BTC somewhere, and spent 1, but you haven't spent the rest. If you eventually spend your 99 BTC change, it will be sent from the address that was formerly hoarding it. But if you get 98 BTC back in change to a fresh address, that's 98 BTC you haven't spent.

But if you ever really spend that 98 BTC, then the person you send them to may be accused of hoarding -- if they use a fresh address for more anonymity.

So in a sense all BTC ever received by privacy-defending users will always appear to be hoarded by their most recent owners. A better measure of hoarding then would be the 7M (owned by non-spenders) divided by transaction volume. But that is still weak, since the dimension of that measurement is Hertz (time^-1), and transaction volume can be boosted by churn across self-owned addresses.


> But for the network, that would look like you sending both $99 and $1 to new(?) addresses.

That's exactly what actually happens. When you make a transaction, it takes a previous input to one of your addresses (or multiple if none of them are enough) and splits it, with part of it (the amount you want to send) going to the recipient address and the rest of it going back to a new random address in your wallet.

There's no way to know which output is the recipient and which output is the change going back to the originator.
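How fresh change addresses distort the "addresses that only receive and never send" count discussed in this sub-thread, and what the three-month dormancy filter from the quoted paper changes, as an added example that is not part of the thread. The ledger is a constructed, simplified model (one input per spend, no fees) and every name in it is hypothetical.

```python
from dataclasses import dataclass, field


@dataclass
class Tx:
    day: int                                     # day the transaction confirmed
    inputs: list = field(default_factory=list)   # addresses being spent from
    outputs: dict = field(default_factory=dict)  # address -> amount received


def simulate(fresh_change: bool, purchases: int = 5, interval: int = 30):
    """One user funded with 100 BTC buys a 1 BTC item every `interval` days.
    With fresh_change=True the change goes to a new address each time (the
    default wallet behaviour described above); otherwise it returns to the
    sending address."""
    txs = [Tx(day=0, outputs={"user-0": 100})]   # constructed funding tx
    holder, balance = "user-0", 100
    for i in range(1, purchases + 1):
        balance -= 1
        change_addr = f"user-{i}" if fresh_change else holder
        txs.append(Tx(day=i * interval, inputs=[holder],
                      outputs={f"merchant-{i}": 1, change_addr: balance}))
        holder = change_addr
    return txs


def receive_only_balance(txs):
    """Naive metric: total received by addresses that never appear as an
    input. This is the '78%' style figure."""
    received, senders = {}, set()
    for tx in txs:
        senders.update(tx.inputs)
        for addr, amount in tx.outputs.items():
            received[addr] = received.get(addr, 0) + amount
    return sum(a for addr, a in received.items() if addr not in senders)


def dormant_balance(txs, cutoff_day: int, window: int = 90):
    """Stricter metric in the spirit of the paper's 'old coins': amounts
    received more than `window` days before the cutoff and not followed by
    any outgoing transaction from that address."""
    last_send = {}
    for tx in txs:
        for addr in tx.inputs:
            last_send[addr] = max(last_send.get(addr, -1), tx.day)
    total = 0
    for tx in txs:
        if tx.day >= cutoff_day - window:
            continue                      # too recent to call dormant
        for addr, amount in tx.outputs.items():
            if last_send.get(addr, -1) <= tx.day:
                total += amount
    return total


if __name__ == "__main__":
    for fresh in (True, False):
        txs = simulate(fresh_change=fresh)
        print(f"fresh_change={fresh}: "
              f"receive-only={receive_only_balance(txs)} of 100, "
              f"dormant={dormant_balance(txs, cutoff_day=160)} of 100")
```

In this model the same monthly spender looks like a 100% hoarder under the naive metric when the wallet uses fresh change addresses and a 5% one when it reuses its address, while the dormancy filter gives the same answer in both cases.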


Funny how random HN posters seem to have better reading skills than PHD holding paper authors and their peer reviewers.


One of the paper authors is Adi Shamir, the S in RSA, not just any "PHD holder".


Yes, indeed. And yet he thoroughly and aggressively misunderstands Bitcoin.

They also claim that Bitcoin stores its data in HTML files and other crazy stuff that made it clear that the paper must have somehow passed review on the name alone.


I would have titled this much differently. More along the lines of: "A Comprehensive Guide to Bitcoin".

I just found it humorous that they titled the article "Are Bitcoins the future?" and then failed to ask or answer that question anywhere in the mini novel they wrote following that title.


No, Bitcoin is not the future. Most people need to deal with their nation's currency to pay taxes and settle debts, most businesses need a currency that is at least reasonably stable, and that is not getting into the extremely questionable security of the Bitcoin system itself.


The difficulty in settling debts directly does not prevent Bitcoin from being the future.

The Bitcoin as a currency is not a new concept. Right now, Bitcoin is almost exactly like gold. You don't pay your taxes with gold but it could be exchanged for your nation's currency to settle debts.

Some people exchange gold directly for goods and services but very few things are priced in gold. People price things in their local currency so you must exchange the gold for national currency to purchase.

Almost everything about gold is the same as Bitcoin and gold is a very trusted and traditional way to store value.


Gold has intrinsic value. Regardless of how our economic system functions, gold is useful. Bitcoin is useless unless it is intrinsic to our economic system. Bitcoin is absolutely nothing like gold, excepting that people assign value to it.


I used to think this too. The only difference between bitcoin and gold is gold has uses aside from being a currency. Gold is however largely only worth what it is because of its use as a currency.

Interesting collection of information here: https://en.bitcoin.it/wiki/Myths


> I used to think this too. The only difference between bitcoin and gold is gold has uses aside from being a currency.

Well, the other big difference -- and one that drives a lot of the interest in physically holding gold against the threat of a general economic collapse -- is that physical gold plausibly could retain some value as a currency in the event of a general economic collapse that disrupts the viability of major social institutions.


why is gold more reliable than BTC?

If the USA collapses, bullets may become the new currency. http://en.wikipedia.org/wiki/A_Fistful_of_Paintballs


> why is gold more reliable than BTC?

Because in a collapse in which major institutions fail, the gold you have physically on hand will still be on hand, verifiable as gold, and available for exchange, for whatever value it has.

BTC, not so much.

> If the USA collapses, bullets may become the new currency

Sure, bullets may be even better than gold as insurance against a general collapse, but that doesn't stop gold from being better than BTC in that regard.


Gold does not have intrinsic value.


Intrinsic value means the value inherent in the good itself. Gold has intrinsic value: it is one of the best semiconducting metals, and is easily malleable. Gold also demonstrates antibacterial properties.

Note that palladium, another precious metal that routinely trades at high prices, also has "intrinsic" value as a catalytic agent. Platinum, which is currently trading at higher prices than gold, is one of the least corrosive heavy metals.


and bitcoin has entertainment value, like a movie DVD. No one would spend $1000/oz on the world's supply of gold for semiconductance -- only a small amount on the margin would satisfy all industrial demand. >90% of the price of gold is supported by currency "shared delusion", just like BTC.


> and bitcoin has entertainment value, like a movie DVD.

Unlike the intrinsic value of gold (which, certainly, is much lower than its current market value), the entertainment value of bitcoin is unlikely to be retained in the event of the kind of crisis that would occur with the collapse in major internationally recognized sovereign currencies like the dollar and euro. So, while bitcoin might have similar utility to gold on the assumption that major world currencies are largely, themselves, stable, it's not better than gold as an insurance against those systems collapsing.

Now, personally, I think that hoarding any type of alternative currencies against major collapse (rather than keeping reserves of simple useful survival items) is foolish, many of the arguments for both gold and bitcoin are premised around a supposedly-inevitable collapse of traditional major sovereign currencies (and, particularly, the US dollar.) And, while I think neither gold nor BTC is a good choice to protect against that kind of contingency, I think it's pretty clear that BTC is far worse than gold in that role.


Gold is never traded or exchanged for its intrinsic value. It is why I hate how people use gold as a monetary base, because it wastes a perfectly good metal with practical applications on being the shiny rare thing people hoard for money.


> It is why I hate how people use gold as a monetary base, because it wastes a perfectly good metal with practical applications on being the shiny rare thing people hoard for money.

I would argue that (among its other problems) Bitcoin has a parallel problem in that it wastes perfectly good computational power (and the resources that go into producing that computational power, both the hardware and the energy inputs) on being the intangible rare thing people hoard for money.


What makes gold intrinsically valuable?


It's really good for analog HiFi cabling. Plus it's sparkly.


But that intrinsic value is like saying you can save 10% of your valuation if the market drops gold for its scarcity, whereas with btc you lose 100%. Any way you slice it, you have lost an overwhelming supermajority of your value, and are fucked.

Gold is almost never used for its practical use cases because everyone treats it as money and uses its scarcity for trade. I hate that facet, because it ruins a perfectly good metal with practical applications that we could be taking advantage of industrially if there wasn't this artificial "hoard gold because it's valuable for how rare it is" economic mess.

But if the economy fell out and gold stopped being traded as a store of wealth and started being traded as an industrial metal, the guy with all his assets in gold is still devastated.


Personally I'm all for fiat currency, but on the spectrum I'd rank gold ahead of Bitcoin as a value store. (Also copper, steel, and other useful metals.)


Sure, if for some reason you assume an economy only has one currency.

It might well be the case that bitcoin becomes a currency for rapid interchange of funds globally and everyone keeps local currencies for everything else.

Or a million other possible scenarios. In no way is an all-or-nothing approach required.


Case closed!


> Bitcoin is the first digital currency to solve the double-spending problem without needing a trusted third party.

Really? Just a quick search, and I find: (2007)

http://ieeexplore.ieee.org/xpl/articleDetails.jsp?arnumber=4...

Is that the paper Bitcoin is based on? According to Wikipedia, Bitcoin was introduced in 2009.

Also, the price of a 51% attack is not that high:

http://www.reddit.com/r/Bitcoin/comments/17gqw0/the_price_of...

I've seen a more recent estimate that it would be $20 million to mount such an attack. That's chump change for a power like the US, or even another major industrialized nation. It's about the price of one older fighter jet and a fraction of the price of a current one.


That paper you link to uses a trusted third party. I highly doubt you could run a 51% attack for any significant amount of time on $20MM. Consider the coins being mined everyday are worth ~500,000USD.

That is not to say it is impossible, but there is almost no way anyone in the world could pull it off for $20MM except the people who already have ASIC designs.


> That paper you link to uses a trusted third party.

Not according to the abstract.


First one to be used, perhaps.

That's not the Bitcoin paper, but it looks interesting. It says the code runs on mostly-trusted servers. I found a copy not paywalled: http://sclab.cs.umn.edu/papers/ecash_ICDCS2007_corrected.pdf

And here's the Bitcoin paper (pdf): http://bitcoin.org/bitcoin.pdf


> I've seen a more recent estimate that it would be $20 million to mount such an attack.

The point of BTC's resistance to attack is that as it grows as an economy it becomes harder to attack. It is vulnerable now because its market cap is in the millions while the US gov't deals in trillions. If BTC markets ever came close to rivaling a fiat currency nobody would realistically be able to mount a trillion dollar or more hardware attack on the "good" guys in the block chain.


> If BTC markets ever came close to rivaling a fiat currency nobody would realistically be able to mount a trillion dollar or more hardware attack on the "good" guys in the block chain.

The problem with this, is that it presupposes opponents with no foresight. If bitcoin was clearly on a trajectory to unkillable, the US might notice and decide to kill it.


If bit coins are used to avoid tax, as they could easily be, and that seriously threatens a government's tax take then the government would kill bitcoin. Even if it meant shutting down the internet. If it only mildly threatens the government you might find transactions being slowly split into two, one part in local currency for tax purposes and a second part which is anonymous and digital.

As far as I can tell bitcoin is a neo-conservative wet dream, if it gained mass traction anyway.


If governments tried to shut down the internet they would have significantly more enemies than just currency speculators to war with. Also, any first world economy that cut off the internet today would go back into the dark ages and would suffer a more severe recession than the great depression.

No government in the first world could realistically try to shut down the Internet. And if BTC gains transaction, it becomes harder and harder (eventually prohibitively so) for a gov't to disrupt the block chain or launch an attack on it.


If the government has the potential of no revenue they would turn off the internet. Because they would believe, as I do, that government is good, as they do things like Schools, Roads, Defense (and in the UK HealthCare), policing, welfare, etc etc, and they collectively are more important than the internet.

If all currency is traded anonymously, there will be no tax take.


Every time I see an article about bitcoin I do a ctrl-f on the comments for the word "laundering" and come up empty. At some point, the men in black are going to make an example of someone.

As soon as bitcoin transactions tend to be over 10K, the FBI and Secret Service and IRS are going to be all over it. Do what you want with your banknotes. Just be warned: The dealer on the corner taking dollar bills is much, much, much safer to deal with than any digital currency.


Bitcoins are valuable only because people are hoarding it. It's a classic case of bubble. In the end, they're just bits, and that doesn't have much value.


Your (traditional currency) bank balance is "just bits". The only reason that a number stored on a bank's computer has value is that we have all agreed to trust the bank not to mess with that number. They are allowed to add and subtract from it in very limited circumstances, usually only when they modify another bank balance by the same amount (unless it's a bank in Cyprus!).

Bitcoin replaces that trust in banks with fancy cryptography. Assuming the cryptography is up to snuff, there is no reason why people won't come to accept its value in time, just as we now accept that the "bits" that represent our bank balance denote value.


Thought experiment: I set up my own "bank", which is really just a little website that maintains accounts and a transaction ledger. I somehow manage to convince a large fraction of the population that I will follow certain rules and not mess with those numbers. Assuming that I do manage this, do you think those numbers on my website would become valuable?

If yes, why? If no, why do you believe that trust is the reason that fiat currency is valuable?

Consider the following alternative explanation: Fiat currency is valuable because there is demand for it. The prime source of demand for fiat currency is for taxes. The secondary source is from all sorts of contracts (in particular, mortgage and other debt service) that require lots of people to obtain it. Trust comes in only as a tertiary source, at best.


Paper currency is valuable only because people agree on it. In the end, they're just green pieces of paper, and that doesn't have much value.


Paper doesn't have much value either, and precious metal values are also inflated thanks to hoarding/speculation.


Exactly OP's point. I think they meant that in the event of a crash, you won't be left with much. Same as for the case of hyper-inflation of a currency, or a devaluation in precious metals.


Go figure: when you are using a trust relationship between parties to negotiate value instead of just trading in raw goods, you are vulnerable to the destruction of that exchange-trust system.

It is why all the people arguing gold is such a better investment than BTC are nuts. If gold dropped its market value overnight by 90%, you would still lose 90% of your potential fiat exchanged currency as if BTC dropped 90%. All gold has going for it is less volatility. If gold ever stopped being a reserve resource rather than a useful metal, you would not get a fraction of what you spent on your gold selling it to industrial plants to make conductive cable out of.


>Bitcoin is the first digital currency to solve the double-spending problem without needing a trusted third party.

This is false. Karma was a p2p currency that did this in 2004, 5 years before Bitcoin: http://www.cs.cornell.edu/People/egs/papers/karma.pdf


This article makes me ponder about the origins of Bitcoin.

This page claims that it could be a group of people who made it, which seems a bit more likely: https://en.bitcoin.it/wiki/Satoshi_Nakamoto

Does anyone else have any interesting insights into the origin of Bitcoin?


Judging by the original paper, the subsequent writings, and the kinds of things prominent members of the Bitcoin community say, it is likely that whoever created Bitcoin was an amateur. There are few references made to the work done by Chaum or Okamoto. The security proof in the Bitcoin paper considers only one specific attack strategy. ECDSA and SHA256 are referenced but little is said about whether or not they compose securely with the Bitcoin protocol, or even if the Bitcoin protocol itself is secure.

It is not that I mean to insult amateurs -- amateurs can theoretically make secure cryptosystems (though Bitcoin is not secure under the security notions used by cryptographers), but it is usually pretty clear when a system was designed by someone who is not well-versed in cryptography. It is unfortunate, however, that Bitcoin's developers cannot be bothered to search Google:

https://www.google.com/search?q=digital+cash+site%3Aeprint.i...


>it is likely that whoever created Bitcoin was an amateur.

You're kidding, right? Bitcoin is the single most impressive application of cryptography that I have ever seen in my entire life, and I get to look at a lot of cool cryptosystems. The only entity that could have created Bitcoin is some kind of savant or a group of very talented people.

>ECDSA and SHA256 are referenced but little is said about whether or not they compose securely with the Bitcoin protocol, or even if the Bitcoin protocol itself is secure.

By making only a few basic assumptions about the security of SHA, RIPEMD, and ECDSA, it's plainly obvious to anyone who remotely understands the protocol that the protocol is, in fact, secure. If you don't believe me personally, why don't you ask all the talented cryptographers who could lay their hands on over a billion dollars if they found a critical flaw in the Bitcoin protocol?

>(though Bitcoin is not secure under the security notions used by cryptographers)

You have no idea what you're talking about. Bitcoin makes very strict security guarantees and does not violate them.


The GP post is perhaps a bit too dismissive of Bitcoin, but you should be very careful of hero worship as well. The pool of people who could have created Bitcoin includes almost everybody who has taken university-level courses on cryptography, and probably a whole bunch of non-academic crypto enthusiasts.

After all, there are really only two cryptographic ideas in Bitcoin: One is to use public key cryptography and signatures for transactions, which is completely obvious. The other is to use hashing for proof-of-work to build the block chain. This is certainly less obvious, but it wasn't outlandishly new either. Ideas like hashcash have been around much longer than Bitcoin.

Putting it all together in this way with its appeal to the goldbug mindset was certainly clever. But you are seriously overestimating the amount of intelligence required for developing Bitcoin.


>The pool of people who could have created Bitcoin includes almost everybody who has taken university-level courses on cryptography,

No way. Have you looked at the whitepaper? The entire thing? Even completely ignoring the clever leveraging of cryptography, the sheer genius behind the methodology of the protocol makes me think that someone(s) extremely talented came up with it.

>Ideas like hashcash have been around much longer than Bitcoin.

True, but much of the genius comes from the way transactions themselves work. Right now, we're only leveraging a small portion of Bitcoin's capabilities. Because Bitcoin is really based on scripts assigned a value, the Bitcoin protocol allows for incredibly complex economic interactions in a cryptographically secure manner. The deeper I look into the protocol, the more I realize how genius some of the design decisions were.

And besides, Bitcoin obviously did something right, because it's the only decentralized digital currency to take off.

>But you are seriously overestimating the amount of intelligence required for developing Bitcoin.

I think you're underestimating the elegance and complexity of the Bitcoin protocol. It's much, much more than a few crypto primitives strung together.


"No way. Have you looked at the whitepaper? The entire thing? Even completely ignoring the clever leveraging of cryptography, the sheer genius behind the methodology of the protocol makes me think that someone(s) extremely talented came up with it."

Amateurs can be talented. On the other hand, look at how the Bitcoin protocol is described and how its security is analyzed -- no formal definition of security properties, no formal threat model, analysis that is limited to a specific attack strategy, etc. The most talented person in the world cannot be expected to duplicate the decades of research on secure multiparty computation and digital cash single-handed.

For comparison, here is the work of a pair of talented (i.e. Turing award winning) cryptography researchers:

http://groups.csail.mit.edu/cis/pubs/shafi/1982-stoc.pdf

"And besides, Bitcoin obviously did something right, because it's the only decentralized digital currency to take off."

I think the vast majority of Bitcoin users know little about Bitcoin's security properties or what it means for Bitcoin to be "secure." The fact that a system is popular does not mean that the system is secure, even when the purpose of the system is to provide security. Caesar ciphers remain remarkably popular, despite the ease with which they can be cracked.

It is also worth pointing out that Bitcoin is pretty unique in not having a "bank." Most digital cash systems require that currency be issued by an authority of some kind, and seek only to decentralize transactions (i.e. allowing offline transactions). Being the only digital cash system without a bank that became popular is not as big of an achievement as you make it seem -- there was not much competition there to begin with.


>Amateurs can be talented.

Not this talented. And you are aware that it's likely that "Satoshi Nakamoto" was actually a team of programmers, right? You don't get that kind of collaboration with clueless college kids.

>no formal definition of security properties, no formal threat model, analysis that is limited to a specific attack strategy

Why would they do that? Nakamoto wasn't selling the bloody thing, he was sharing the idea. We, the developers, have done this independently after Nakamoto fell off the radar.

>I think the vast majority of Bitcoin users know little about Bitcoin's security properties or what it means for Bitcoin to be "secure."

Maybe in the last year or so, but before that, 90% of the Bitcoin community was well educated on cryptography, and most of the power users still are.

>The fact that a system is popular does not mean that the system is secure

You're leaving something important out; the system is popular and the system has not been defeated in any meaningful capacity. That is a strong indicator of security.

>It is also worth pointing out that Bitcoin is pretty unique in not having a "bank." Most digital cash systems require that currency be issued by an authority of some kind, and seek only to decentralize transactions (i.e. allowing offline transactions).

No kidding! That's the whole motivation behind Bitcoin in the first place.

>Being the only digital cash system without a bank that became popular is not as big of an achievement as you make it seem

Are you shitting me? This is by far one of the biggest achievements in applied computer science in the last 25 years. Do you have any comprehension of the sheer number of previously purely theoretical methodologies leveraged to make Bitcoin happen? I feel like you're kind of dismissing Bitcoin without really completely understanding it.


">no formal definition of security properties, no formal threat model, analysis that is limited to a specific attack strategy

Why would they do that?"

So that we can determine whether or not the system is secure before we commit to it. Replacing insecure cryptosystems is usually very expensive.

"the system has not been defeated in any meaningful capacity. That is a strong indicator of security."

As far as the Germans knew, Enigma had not been broken in any "meaningful capacity" either. They knew there were weaknesses but they did not believe anyone would go to the lengths required to exploit those weaknesses:

https://en.wikipedia.org/wiki/TICOM

Saying "well it has not been broken yet (as far as we know)!" is not a very good argument for security. Even AES has better arguments for security, based on models and heuristics that took many decades of work to develop.

"This is by far one of the biggest achievements in applied computer science in the last 25 years"

More than CAT scans? More than the Internet? Even if we limit ourselves to cryptography, it is clear that that is untrue. What do you think sees more widespread use: Bitcoin, or Kerberos? What do you think had a wider impact on the world: Bitcoin, or HBO encrypting its satellite feeds (for those who are not familiar, that was a major step toward widespread DRM)?

Bitcoin as an application of cryptography or computer science is not even a blip on the radar of achievement.


"Bitcoin makes very strict security guarantees and does not violate them."

Double spending in Bitcoin requires the attacker to duplicate the work done by all honest parties in the system; that is basically a polynomial time attack. This is documented in the original Bitcoin paper. It falls short of the standard for security that cryptographers generally deal in, which requires that the attacker's work be exponential in the parameters of the system.


It's true, a double spend attack is P difficulty. But it's a very, very expensive P, and the Bitcoin protocol makes no concrete guarantee against double spends. It simply makes the guarantee "it is incredibly expensive to pull off a double-spend attack". Which, to be honest, is a better guarantee than any traditional money system can make.


It is not a better guarantee than previous digital cash systems made. The reason I said Bitcoin was created by amateurs is that the original Bitcoin paper, and many of the subsequent papers, made no mention of the previous work. At the very least, one would have expected a person with experience in this field to have been explicit about the fact that the definition of "security" is being relaxed in a way that permits a polynomial time attack (that is a pretty big deal for cryptographers).

Again, I don't mean to be dismissive of outsiders -- at one time, Diffie and Hellman were outsiders. The question that was asked was what can be concluded about Satoshi's true identity; that he (they?) is not well-educated in cryptography seems like a reasonable conclusion given what he published.


>It is not a better guarantee than previous digital cash systems made.

Yes, it is. Cracking previous digital cash systems fell into the class of "hire a hacker" difficulty problems, which are significantly less difficult than the P difficulty problem presented by pulling off a 51% attack on the Bitcoin network.

>that he (they?) is not well-educated in cryptography seems like a reasonable conclusion given what he published.

Right, the person/group who published what may be the most significant usage case of applied cryptography in human history is probably not educated in cryptography. Have you even read the whitepaper? Perhaps you would change your tune if you saw what is actually being guaranteed. Nakamoto was perfectly aware of the challenges. When I say "Bitcoin is secure", that's by my standard, not Nakamoto's. I can't speak for him/them.


"Cracking previous digital cash systems fell into the class of "hire a hacker" difficulty problems"

David Chaum would disagree with you. Cryptographers have published a very large volume of research on how to create provably secure digital cash.

"Right, the person/group who published what may be the most significant usage case of applied cryptography in human history is probably not educated in cryptography"

So you think that someone who made no mention of any of the widely studied notions of security, any of the previous work in multiparty computation, any of the previous work in digital cash, or even the fact that allowing polynomial time attackers is a significant weakness in the design was well-educated in cryptography?

"Have you even read the whitepaper?"

The Bitcoin whitepaper reads like the work of someone who took an undergrad course in cryptography and spent a summer thinking about decentralized payments. Where is the notion of security even clearly defined -- what does it even mean to prevent double spending? What does it mean to control "more CPU power" than an attacker?

Compare the Bitcoin paper to this (just a random result from Google):

http://eprint.iacr.org/2007/148.pdf

Look at how security is defined in Section 3.2; that is typical of cryptography research in this day and age. Those are definitions that can be reasoned about in a rigorous way, without hand waving, without poorly defined concepts like "CPU power," and without having to analyze any specific attack strategy (i.e. the attacker is a "black box"). Where in the Bitcoin whitepaper do you see that sort of analysis, or even a hint that such an analysis is possible, desirable, or commonly used?

The security analysis presented in the Bitcoin whitepaper assumes a specific attack strategy: the attacker will try to compute a longer block chain than the rest of the network. Ignoring for the moment that this can be done in polynomial time, what reason is there to believe that no other attack strategy is possible? Maybe the attacker can adaptively send malicious messages to particular nodes in the network to break the security of the system. In multiparty computation, security analysis is usually based on the "simulation paradigm" -- a model of security based on showing that no polynomial time attack has a higher probability of success in the real protocol than it would in a simulation of the real protocol where a trusted party does all the work (which rules out all polynomial time attacks). That is a widely accepted notion of security, and the cryptographers who first published it recently won a Turing award; while other models may be valid, one would have expected an experienced cryptographer to have at least mentioned that they were using a different model (and perhaps justify their approach).

The whitepaper also includes statements that suggest a profound lack of knowledge of the decades of previous work in the field of digital cash. There are claims that no system with a central authority can possibly allow irreversible transactions, but that is untrue -- cryptographers discovered systems that support offline payments, in a model where the bank takes some action when double spending is detected (and in some systems, the bank can produce a proof that double spending occurred and that it was performed by a specific party, allowing for a trustworthy blacklist). Privacy is mentioned, and again the author makes claims about systems with central authorities that are simply not true -- Chaum's original work on digital cash was motivated by the need for private electronic payments, and that was the first problem to be solved in this field.

"When I say "Bitcoin is secure", that's by my standard"

What is your standard, and why should anyone else accept it?
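The whitepaper analysis this sub-thread argues over (one attacker racing to build a longer chain than the honest network) can be computed directly. This is an added example, not code from any commenter; it follows the Poisson model in section 11 of the Bitcoin whitepaper and says nothing about other attack strategies. The function names are hypothetical.

```python
import math

def attacker_success_probability(q, z):
    """Probability that an attacker holding share q of the hash power ever
    catches up when a payment already has z confirmations.

    Model from the whitepaper's calculations: honest blocks arrive with
    probability p = 1 - q, and the attacker's progress while the honest chain
    mines z blocks is Poisson with mean z * q / p.
    """
    if not 0.0 <= q <= 1.0 or z < 0:
        raise ValueError("q must be in [0, 1] and z must be >= 0")
    p = 1.0 - q
    if q >= p:
        return 1.0  # majority attacker: catching up is certain in this model
    ratio = q / p
    lam = z * ratio
    poisson = math.exp(-lam)  # Poisson term for k = 0
    total = 1.0
    for k in range(z + 1):
        if k > 0:
            poisson *= lam / k  # lam**k * exp(-lam) / k!, built incrementally
        # From k blocks of progress the attacker still trails by z - k blocks.
        total -= poisson * (1.0 - ratio ** (z - k))
    return max(total, 0.0)

def confirmations_needed(q, threshold=0.001, limit=10000):
    """Smallest z for which the success probability drops below threshold.

    Returns None when no z up to limit is enough, which is always the case
    for q >= 0.5 (the "51% attack" discussed in the thread).
    """
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < threshold:
            return z
    return None

if __name__ == "__main__":
    print("q      confirmations for P < 0.1%")
    for q in (0.10, 0.15, 0.20, 0.25, 0.30, 0.35, 0.40, 0.45, 0.50):
        print(f"{q:.2f}   {confirmations_needed(q)}")
```

The required number of confirmations grows quickly as q approaches one half, and no number of confirmations helps once the attacker holds a majority.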


Can you point me toward _any_ proof-of-concepts for Chaum's scheme as applied to digital currency? Hell, there's still people on Bitcointalk trying to figure out how to bootstrap off of Bitcoin with some of those ideas. I don't think it's fair to throw "amateur" around like that, Bitcoin solves separate problems entirely. Crypto-anarchists spent decades theorizing things but never solving problems.

Bitcoin shipped and that shouldn't upset you so much.


Chaum shipped DigiCash back in the 90s and Lucre is an open-source Chaum-like system.


And now the OpenTransactions people are building Chaum-like systems for trading bitcoins.


Your arrogant tone doesn't really jive with the lack of substance in your comment.

Since you're apparently a professional cryptographer who would have designed a flawless Bitcoin right off the bat; Why don't you share some of your wisdom and point out a few of the amateur problems and how you would solve them?

I'm sure the Bitcoin community would be grateful for your input.


Is it really that arrogant to point out that the Bitcoin community has basically ignored the vast body of published, publicly available research on digital cash? Even if the point of Bitcoin is to go in a separate direction and have no central authorities of any kind, that previous work is highly relevant.

There is no particular need for me to design a better digital cash system; such systems have already been designed. It is not even clear that digital cash without a central authority can be provably secure, since nobody has proposed a security definition for digital cash that does not involve some currency issuing authority (no, Bitcoin's definition does not count -- it does not rule out feasible attacks). Personally, I have no real problem with having a "bank" that issues currency, as long as the bank cannot frame people for double spending or other cheating (which is the kind of protection that was described by Chaum and other researchers in the 90s).

So really, the ball is in the Bitcoin community's court. The research results on digital cash and secure multiparty computation are all publicly available and mostly available at no cost. Let the Bitcoin community develop a definition of security for digital cash without any "bank" if that is their goal; all that I am saying is that the definition must rule out feasible attacks if we are expected to take it seriously.


Money speaks a lot louder than PhDs who haven't made a competitive currency. Bitcoin is booming - nothing else is even on the radar. Bitcoin doesn't have to play ball with anyone if they are, by magnitudes, the largest digital currency in use.

So far, it works. If BTC stops working, you can expect everyone to jump ship and hopefully a more secure alternative will be developed with lessons learned from the BTC ride. But for now, unless you can produce an attack that can lose people money in the bitcoin ecosystem, ranting about theoretical cryptosecurity in digital currencies and how BTC only being as secure as the majority of the swarm allows doesn't make anyone hesitant to invest in bitcoin.

> I have no real problem with having a "bank" that issues currency

The problem with banks is that they can always act in their own self-interest to fuck over the holders of their currency, and by having the only right to "counterfeit" their currency they have abnormal economic power in the economy their currency drives. It is the reason the US Federal Reserve is so corrupt right now, can wildly print US dollars to their own discretion, which is effectively stealing from anyone holding dollars by devaluing the currency as a whole, and they can do it at their own whims.


Sorry but you really look like a scholar saying platypuses don't exist because they can't exist. Or Black Swans...


If you don't mind, how is Bitcoin not secure under the security notions used by cryptographers?

This is interesting because if it wasn't secure I wonder why hundreds of millions of dollars have not been stolen yet? You could probably steal 100 million from some top addresses, move to MtGox and sell for a very decent rate before what you did became apparent (of course once what you did became apparent Bitcoin would collapse forever).

Or if the addresses are secure and it's something else that is not secure what is it? I am on the bitcointalk forum a lot and I have not read anything about the crypto being not secure.

Maybe I misunderstand what you mean by security?


I look at it this way: there are two kinds of rules in the Bitcoin system: crypto rules and social rules.

Some are self-executing, by which I mean that they can be enforced "by construction" - if you create an object that doesn't follow the rule, other people will know. Said another way, breaking the rule would also require breaking some crypto.

Some rules, though, are social. For example, why does everyone try to extend the longest branch in the block chain? Sure, the protocol says it's the rule, but why should that mean anything? People don't follow rules because they want to. They follow rules because it's in their enlightened self interest to do so. If you could make money by choosing a different rule, somebody would do that instead. So it must be that these rules get followed because it's in the interest of Bitcoin players to follow them. The natural follow-up question is whether these social/economic rules are stable. That is, why not some other solution? Why not only extend blocks whose (nonce % 0x0d) == 0?

Cryptographers use a very particular notion of security in which they like the security of their schemes to "reduce" to a well-understood assumption. That is, we prefer it if you can prove something like "if you can break my system, then you can also solve problem X" where problem X is well-known and widely thought to be very hard. Then either I am forced to believe that your system is secure or that you have found an efficient way to solve problem X. And since solving problem X is unlikely, I should consider your system secure.

As I said, some parts of Bitcoin do reduce in this way to known cryptographic primitives (which in turn reduce to problems we believe are hard). But not all the parts.


> Some rules, though, are social. For example, why does everyone try to extend the longest branch in the block chain? Sure, the protocol says it's the rule, but why should that mean anything? People don't follow rules because they want to. They follow rules because it's in their enlightened self interest to do so.

You're taking a fundamentally confused position here. Consider: You have UberCoin— it is whatever spherical cow cryptocoin. EvilPal(Inc) then forks UberCoin and replaces its insides with a frontend to their EvilPal website (which then also copies in all the UberCoin ledger). By reduction, all digital currency systems are "social rules". It's not a useful description.

The longest chain rule is a rule that comes about for creating consensus in the system. If you change it in yours you will eventually break off into a private universe. The behavior actually does work by construction— but like my EvilPal example, that doesn't stop a stupid user from changing their own software to break off into another universe.

If you would like a longer formal analysis of the consensus mechanism in Bitcoin please see: https://socrates1024.s3.amazonaws.com/consensus.pdf


Thanks, this is exactly what I wanted to know. You make a good point about the social rules. The biggest hole in the entire system is the network is still dictated entirely by these rules and the main client is the vessel in which all these rules are set.

But it's not set in stone and the lead developers do have a huge amount of control.

Also many disagreements in the forum about the max block size and blocking Satoshi Dice do worry me.


The max block size, and consequently the transaction fees, are the most urgent problems to solve IMO.

There's still time, but it really is something you don't want to mess up. https://bitcointalk.org/index.php?topic=157141.0


Cryptographers have a high standard for 'not broken'. A cryptographic algorithm could have no real world attack, but be declared broken because there's a mathematical flaw.

In the case of Bitcoin there's the 51% attack, which is a pretty serious flaw even if to carry it out is unfeasible.

We don't know if NSA or GCHQ have broken bitcoin (although they've certainly investigated it); and we haven't seen much cryptanalysis on it; but we have seen very many people trying (sometimes successfully) to attack Bitcoin and the wallets and the exchanges.


> the 51% attack, which is a pretty serious flaw even if to carry it out is unfeasible

There isn't anything magical about the number 51; the original Bitcoin paper gives a program that can be used to compute the success probability for an attacker with a given share of the computing power to reverse transactions to a given depth... At >=50% the probability becomes one but at that point only if the attack is of infinite duration. But, for example, an attacker with 40% hashpower can reverse six blocks with a 50% success rate.

Any kind of consensus system is going to be vulnerable to a majority attack of some kind— otherwise you'd have "minority imposes a wrong outcome" attacks.

At least in Bitcoin the "consensus" only controls transaction ordering: a majority attacker can't inflate the supply or spend other people's coins... they can only DOS and remove transactions from the fixed consensus (and thus replace their own). Which is powerful but still limited.


Democracy is also vulnerable to 51% attacks ;P


Cryptographers are a strange and paranoid bunch. They have a few notions of security, including https://en.wikipedia.org/wiki/Information_theoretic_security or https://en.wikipedia.org/wiki/Semantic_security and a few others. You can follow the links from those two pages to find the other concepts.


Also I looked at your Google search and could not find anyone talking about a block chain. I would be surprised if someone proposed a digital currency based on a blockchain before Satoshi, because that is the unique insight he is held in high regard for.

- Sure some of the links in the Google search have lots of complicated schemes for a digital currency, but I think it's the simplicity of the Bitcoin system that is unique.

- Also I hear the system itself can only be attacked via brute force, do you claim this is not the case?


"Also I hear the system itself can only be attacked via brute force, do you claim this is not the case?"

The best known double-spending attack on Bitcoin requires work equal to the sum of all work done by the honest parties in the system. That is not a very high security margin; by comparison, attacking many of the systems from the Google search would require work that is exponential in the parameters of the system, while the honest parties only do work that is polynomial in those parameters. Forcing the attacker to do exponential work in the system parameters is the typical requirement for a cryptosystem to be "secure," and thus Bitcoin is not actually secure under the commonly accepted notions of security (at least among cryptographers).


Again you make a good point. It seems the 51% attack problem is glossed over a lot in the forums. I guess everyone is hoping that after a couple of years there will be millions of ASIC devices and this will be enough to ensure the 51% issues. But of course it can never be fully solved.


"Bitcoin is unknown territory. It draws praise from Silicon Valley fixture Paul Graham and simultaneous dismissal from Nobel Prize winning economist Paul Krugman. "

No, No, nO!! There is no Nobel Prize in economics, period.

There is a "Nobel MEMORIAL prize" made by a central bank to propagate their propaganda as scientific, huge difference.


This is a great write up.


No one knows the future. They could be, and that's a pretty amazing prospect.


I would have to say: "nopes...", on this one ;)



