These weird coincidences along with bitcoin's very strange start (the pseudonym, the fact that it seems like a group worked on it) are really interesting. I'm surprised there's not more discussion about who really created it.
The person that wrote the paper probably wanted it to go along with the idea of decentralization that bitcoin is all about. More than likely it's someone on the bitcoin.org board or perhaps even a group of people on that board.
New Yorker article from October 2011 about Bitcoin and its mysterious creator. Found two possible candidates for Satoshi Nakamoto's true identity from clues in his posts and his code.
>The cost of regulating any network actually goes up exponentially with the number of nodes that must be monitored (you need a hierarchy of systems to perform ‘guard labor’ to make sure systems are behaving within declared parameters).
This is at the core of the argument and doesn't make any sense. Worst comes to worst, the cost of monitoring all interactions between n nodes is O(n^2) even when adding monitors on top of monitors etc. The way banking is organized, it's even less. Alice doesn't transfer money directly to Bob: she talks to her bank, who talks to Bob's bank, who then talks to Bob. The banks have to monitor one-on-one interactions with their customers and the government monitors interactions between banks. This all is well within O(n), where n is the total number of customers.
I'm not saying Bitcoin doesn't have any advantages, but easier monitoring of fraud is not one of them. How do you even know the coins were indeed stolen?
Even limitations legislation will allow stolen Bitcoins to eventually re-enter legal circulation.
For example, under New Zealand law, if someone (party A) stole BitCoins from someone else (party B), kept them for 6 years, and then used them to buy something from someone else (party C), party C would be the sole legal owner of the Bitcoins, because Party B lost their legal right to the property (i.e. right to use the Bitcoins) by losing possession for more than 6 years. Party A could be charged with theft even after the 6 years, but Party C could not be charged with possession because they did not have possession at any point in the first 6 years. Party C could be compelled to identify Party A if they had evidence about Party A's identity.
With Bitcoin, Party C and Party A might be the same people, but using different Bitcoin addresses, and it might be hard to definitively prove that they are not the same, especially if Party C puts forward a credible and difficult to disprove transaction in which they obtained the Bitcoins.
I believe he was stating that it's exponential as designed when used P2P. Large exchanges acting as banks reduces this, but by reducing some of the benefits of the design/protocol.
You know, after looking into this some more, I'm not sure my assumptions about how the system works are founded in much, so you can safely ignore me (I didn't intend my second sentence to come across as authoritative as it may seem).
I was thinking that the exchanges act as verified sub-networks, reducing the amount of verification and policing required if transactions were within or in some way linked to those networks. I don't really have enough knowledge about how it works to be making any such assumptions though, so I should have kept my mouth shut...
Premise here is pure madness - I'm sure I could ask a random security researcher to hack Chrome and he would surely fail. But at the next Hack-a-day or similar, Chrome WILL be cracked wide open when the whole world gets a shot. So no - your inability to hack Bitcoin is not some grand statement of security on Bitcoin, only a statement that you didn't manage to hack it. I'm sure you didn't manage to hack thousands of other things that others did manage to hack, too (unless you've somehow hacked just about everything else including Ruby - not RoR?).
His point about how easy it is to monitor Bitcoin is unfortunately turning out to be true, which is incredibly unfortunate as Bitcoin is currently being used to purchase illegal drugs and similar. Once the FBI/NSA gets in on it, we're probably going to see a bunch of pointless arrests.
Dan may be random, but he's no "random security researcher". And he has, in fact, hacked "just about everything" a time or two by discovering and exploiting common mode vulnerabilities.
His point of view is certainly worth listening to, but Dan should know better than anyone that the fact that even he can't break something is still not an argument for (or even a suggestion of) its security.
If an audit by a talented, experienced, and motivated security consultant isn't "even a suggestion of its security", then what is?
He didn't say "it's perfectly 100% secure", he said "BitCoin surprised me" and "the core technology actually works [] to a degree not everyone predicted".
Isn't that overstating his accomplishments a bit? Unless by "just about everything", you mean the DNS bug and the media, sure...
None of his published work seems consistent with the skillset that would qualify one to thoroughly audit bitcoin. He tends to stick to higher-level, less technical vulnerabilities.
In fact, there was actually a really interesting vulnerability he'd missed which was discovered by the developers shortly afterwards. Due to a flaw in the merkle tree Bitcoin used to calculate block hashes, you could trivially create a new invalid block with the same hash as almost any valid one. If you managed to feed the bad block to a node before it heard the good version, that node wouldn't ever accept the correct version because it "knew" that block was invalid. Do that to an exchange or wallet and maybe a couple of big mining pools and you could fork the exchange onto a different version of the blockchain, convincing them you'd sent them bitcoins when you hadn't. I don't think it would have required much in the way of resources to pull off either.
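The merkle-tree weakness this comment describes, as an added example (not code from the thread or from the Bitcoin project): a small reimplementation of Bitcoin's merkle root with its odd-leaf duplication rule, showing that a transaction list that repeats its last entry hashes to the same root as the honest list, together with the duplicate-pair check a node can use to reject such a block instead of caching its hash as "known bad". Transaction ids are constructed.

```python
import hashlib


def dsha256(data: bytes) -> bytes:
    """Bitcoin's double SHA-256, used for txids and merkle nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def merkle_root(txids: list[bytes]) -> tuple[bytes, bool]:
    """Return (root, mutated) for a block's transaction-id list.

    Root: computed the way Bitcoin does it. At every level an odd number of
    hashes is padded by repeating the last one, then adjacent pairs are
    concatenated and double-hashed. Because that padding is implicit, a list
    that explicitly repeats its final transaction(s) produces the same root
    as the honest list, which is the flaw the comment above describes.

    Mutated: the mitigation-style check. Before a level is padded, any pair
    of identical adjacent hashes means the list itself carries duplicates
    the padding rule would have supplied on its own; a valid block never
    contains the same txid twice, so the block is malformed and its hash
    must not be remembered as "the block with this hash is invalid".
    """
    if not txids:
        raise ValueError("a block needs at least the coinbase transaction")
    level = list(txids)
    mutated = False
    while len(level) > 1:
        # Duplicate check runs on the real pairs only, never on the padding.
        for i in range(0, len(level) - 1, 2):
            if level[i] == level[i + 1]:
                mutated = True
        if len(level) % 2 == 1:
            level.append(level[-1])  # the implicit duplication rule
        level = [dsha256(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0], mutated


def same_root_with_duplicate_tail(txids: list[bytes]) -> bool:
    """True when appending one more copy of the last txid leaves the root unchanged."""
    honest, _ = merkle_root(txids)
    padded, _ = merkle_root(txids + [txids[-1]])
    return honest == padded


def demo() -> dict:
    """Constructed transaction ids; results are returned for inspection."""
    tx = [dsha256(b"constructed tx %d" % i) for i in range(5)]
    a, b, c, d, e = tx
    honest_root, honest_flag = merkle_root([a, b, c])
    bogus_root, bogus_flag = merkle_root([a, b, c, c])
    return {
        "three_tx_collides": honest_root == bogus_root,   # same root, different list
        "honest_flagged": honest_flag,                    # honest block passes
        "bogus_flagged": bogus_flag,                      # duplicate pair detected
        "five_tx_collides": same_root_with_duplicate_tail([a, b, c, d, e]),
        "four_tx_collides": same_root_with_duplicate_tail([a, b, c, d]),  # even count: no collision
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Only levels with an odd number of hashes are affected, which is why the four-transaction case does not collide while the three- and five-transaction cases do.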
But BitCoin doesn't need a sponsored hackathon for people to start finding flaws in it. As the author pointed out, there is a huge reward already waiting for anyone who can cheat bitcoin. That should guarantee that many have already tried and failed along with the author.
Unless of course they succeeded but kept it to themselves for strategic reasons.
His point on traceability is true, and one that lots of Bitcoin supporters don't fully appreciate. The system is not anonymous. It is pseudonymous, which is not nearly the same thing.
Here's some interesting work on getting to real anonymity:
I'm no bitcoin expert, and you seem to be more knowledgeable than me, so I have a question regarding this traceability. As far as I understand it, every transaction is essentially a digitally-signed source/dest/amount tuple, where source and dest are bitcoin wallet addresses. These wallets/addresses can be created and destroyed at any time. So if I transfer bitcoins to a wallet/address I generated that we'll call wallet1, and then later transfer those bitcoins to another wallet I generated that we'll call wallet2, and I now delete wallet1, how is the flow of bitcoins traceable?
It's entirely possible that we're discussing two types of traceability here. The traceability of bitcoins from wallet/address to wallet/address will always be possible. But the wallet/address to owner traceability seems impossible. But maybe I'm misunderstanding.
Wallet/address to owner is potentially traceable when you sell coins for cash, as that money has to go to a real account somewhere. I think that's the point the author is making when he says none of the stolen coins have been spent yet. I'm wondering though, if there's anyone watching these stolen coins to see when they change hands. It seems like it would be fairly simple to flag certain addresses as "in possession of stolen goods" and ban them from trades on major hubs.
But that "real account" is no more than numbers and letters, i.e. 1AfGbnmksjdk. Or do you mean once they transfer the sold bitcoins to a real bank account?
Following your example, the act of transferring bitcoins from wallet1 to wallet2 is made public, as part of the blockchain.
Put simply: when sending bitcoins, you must send from the address that received them. You cannot, for example, receive bitcoins on one address, create a new address, and then send those same coins from that new address. You have to essentially "pay" that new address from the first address, and that action is public and traceable.
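The wallet1 to wallet2 flow described above, and the earlier suggestion of flagging addresses that hold stolen coins, as an added example that is not any commenter's code: a constructed four-transaction ledger, a haircut-style taint propagation over transaction outputs, and the unspent tainted outputs a monitor would watch. Deleting wallet1's key changes nothing here, because the transactions that paid wallet1 and then wallet2 stay in the ledger.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    txid: str
    inputs: list    # (prev_txid, output_index) pairs; empty when the coins' history lies before this sample
    outputs: list   # (address, amount) pairs


def taint_by_outpoint(ledger: list[Tx], flagged_addresses: set[str]) -> dict[tuple[str, int], float]:
    """Fraction of each output's value that descends from flagged coins.

    Ledger order is chain order, so every input refers to an earlier tx.
    An output paid straight to a flagged address is fully tainted; any other
    output inherits the tainted share of its tx's total input value (the
    "haircut" rule), so mixing with clean coins dilutes but never clears it.
    """
    taint: dict[tuple[str, int], float] = {}
    by_id = {tx.txid: tx for tx in ledger}
    for tx in ledger:
        total = sum(by_id[t].outputs[i][1] for t, i in tx.inputs)
        dirty = sum(by_id[t].outputs[i][1] * taint.get((t, i), 0.0) for t, i in tx.inputs)
        inherited = dirty / total if total else 0.0
        for idx, (addr, _amount) in enumerate(tx.outputs):
            taint[(tx.txid, idx)] = 1.0 if addr in flagged_addresses else inherited
    return taint


def addresses_touched(ledger: list[Tx], taint: dict) -> dict[str, float]:
    """Highest taint fraction ever received by each address (untouched ones omitted)."""
    seen: dict[str, float] = {}
    for tx in ledger:
        for idx, (addr, _amount) in enumerate(tx.outputs):
            frac = taint[(tx.txid, idx)]
            if frac > 0:
                seen[addr] = max(seen.get(addr, 0.0), frac)
    return seen


def tainted_watchlist(ledger: list[Tx], taint: dict) -> dict[tuple[str, int], tuple[str, float, float]]:
    """Unspent tainted outputs: (address, amount, taint) keyed by outpoint, the set to watch for the next move."""
    spent = {tuple(inp) for tx in ledger for inp in tx.inputs}
    watch = {}
    for tx in ledger:
        for idx, (addr, amount) in enumerate(tx.outputs):
            outpoint = (tx.txid, idx)
            if outpoint not in spent and taint[outpoint] > 0:
                watch[outpoint] = (addr, amount, taint[outpoint])
    return watch


# Constructed sample ledger: stolen coins land on wallet1, hop to wallet2,
# then get mixed with 2.0 clean coins from alice on the way to an exchange.
LEDGER = [
    Tx("mint_clean", [], [("alice", 2.0)]),
    Tx("theft_payout", [], [("wallet1", 10.0)]),
    Tx("hop", [("theft_payout", 0)], [("wallet2", 6.0), ("wallet1_change", 3.99)]),
    Tx("mix", [("hop", 0), ("mint_clean", 0)], [("exchange_deposit", 7.99)]),
]


def trace(flagged: set[str] = frozenset({"wallet1"})) -> tuple[dict, dict]:
    """Run the propagation over the sample ledger; returns (addresses touched, watchlist)."""
    taint = taint_by_outpoint(LEDGER, set(flagged))
    return addresses_touched(LEDGER, taint), tainted_watchlist(LEDGER, taint)


if __name__ == "__main__":
    touched, watch = trace()
    for addr, frac in touched.items():
        print(f"{addr}: {frac:.0%} tainted")
    for outpoint, (addr, amount, frac) in watch.items():
        print(f"watch {outpoint}: {amount} at {addr}, {frac:.0%} tainted")
```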
At the very end, Kaminsky says that large financial actors and nation states have the ability to deploy massive mining farms, and that somehow this is a bad thing.
I do not think so.
These actors would merely compete between each other, thereby enhancing the security of the Bitcoin network, making it harder for an individual actor to perform majority attacks ("51% attack") and rewrite the block chain. A successful attack, with large actors already participating in the mining industry, would require collusion, which I think is unlikely.
Perhaps Kaminsky simply meant that deploying massive mining farms would help them profit from Bitcoin more efficiently than the average user. This would be false. Contrary to other industries, there is no economy of scale in Bitcoin mining. I witnessed this first hand when expanding my GPU ops from 2 Ghash/s to ~60 Ghash/s in 2011. Indeed, the smaller you are, the more overhead costs become negligible and eventually effectively "free". The student mining in his university dorm, or the individual mining on his mini desktop ASIC or computer at work, have zero mining costs when operating: free electricity, free hosting, free A/C, free network connectivity. However, the ones managing huge farms have to pay for data centers, maintenance technicians, electricity, etc. This is why Bitcoin mining is a long-tail system: most of the mining power comes from a large number of small-time miners.
(I should add that at this moment, in 2013, there is a small window of opportunity for a large actor to dominate mining. ASICs are barely starting to hit the network, so in theory a large actor could deploy many of them and represent more than half of the mining capacity. However this window is rapidly closing. Most people estimate the network hash rate is going to grow by 10-50x in the next 12 months.)
I recently calculated the cost of 50% hashing power in ASICs, and it was something like $1M.
Even if the hash rate grew 10-50x it would cost less than $50M. Well within reach of governments or large corporations.
That said, as adoption and thus the value of Bitcoin increases, the incentive to mine and thus secure the network rises, so there's a nice feedback loop.
Firstly, your numbers are off. If the hash rate grew by 50x, we would be at 3.5 Phash/s, so the attacker would need to deploy another 3.5 Phash/s to attack the network. And Butterfly Labs's ASIC price is $50 per Ghash/s. So it would cost $175M.
Secondly, you cannot buy $175M of ASICs from BFL; they are too small of a company.
Thirdly, by the time you design, build, and deploy ASICs yourself (12 months+[1]), the network would have grown again, maybe by another 2x/5x/10x, who knows... you would have needed to account for this by spending respectively $350M/$875M/$1.75B !
So effectively by the time the network reaches 3.5 Phash/s, it will be too late.
[1] For comparison it took more than a year for the DOE to deploy the #1 supercomputer, Titan, out of commodity hardware.
Well, my calculations used BFL's Mini Rig SC, which was $20 per GH/s before they increased prices ($30k for 1,500 GH/s).
You would certainly need to fab your own ASICs, and at that volume economies of scale would come into play, so I don't think $20 per GH/s, or even less, is an unreasonable estimate.
Current hash rate is 65,000 GH/s (I think calculated around 40 or 50), so 65,000 * $20 = $1.3M. 50x that would be $65M.
Avalon didn't take 12 months to ship, and I know someone who claims to have one of them making money, so they appear to work. Why Butterfly Labs is so late, I dunno.
If someone with money wanted to build ASICs for a 51% attack, it's possible. I'm just not sure anyone with money wants to do it right now.
It's because they originally designed around a QFN packaged chip - later switching to a flip chip BGA (FCBGA) package.
There was (and is) hardware on the market that could be adapted to work - but the folks who sell hardware based AES256 applications tend to deal only in the financial/military circles.
Being 'first to market' in btc ASICs didn't seem to be their top priority (much to many people's dismay).
You don't need to build more hardware than everyone else if you combine a denial of service attack at the same time. The block chain has already had issues, perhaps it will never happen again but don't assume it's impossible.
Rumor has it that Butterfly has been sitting on their preorders and using it to build a massive ASIC fleet. Whether or not these are true, as you suggest, building a 51% fleet is not out of reason if you take the right path and keep your mouth shut. There have already been forks of the blockchain due to powerful miners.
These forks are not caused by powerful miners. They are caused by miners mining 2 blocks almost at the same time. And the fork of March 14 was caused by a bug.
They are not obligated to play by the rules and fairly compete with each other; if their goal is not to acquire bitcoins by mining but to disrupt the system by publishing problematic blocks, they don't raise the difficulty factor.
There are absolutely economies of scale for mining (it's just making and running custom hardware, a classic economy of scale business), it's just the combination of low profitability and a small market [1] means it's not worth doing unless you're getting paid to attack the network.
[1] at the very peak pre-crash price, $341 million/year of revenue for mining every single block.
Imagine a graph where the x-axis represents the size of your mining farm (from small to big), and the y-axis the percentage of the mining income spent on operating costs.
For small values of X the curve is close to zero. As we move to the left the curve suddenly jumps, and then decreases and decreases but without ever coming back close to zero.
This illustrates my point: small miners have operating costs close to zero, above a certain size you suddenly start needing to spend quite a bit on operating costs (first rack, first A/C unit, etc), and as you scale up and up yes there is some amount of economy of scale, but never enough to reduce your operating costs close to zero.
I say "economies of scale do not exist" but what I mean more precisely is that they are not sufficient to cause big miners to push small miners out of the market.
The risk is not in governments profiting from adding hashing power to the network, the risk is in them obtaining a majority of the hashing power and doing a 51% attack.
As an additional point to this, something I often don't see acknowledged is that ASICs have to be produced by chip fabs, which due to their nature are capital intensive and centralized, and hence relatively easy to bring under government control.
I guess that as a result, it'll always be possible for governments to get majority hashing power, by taking control of where the ASICs are produced.
>When $50K of BitCoins is stolen today, and is $500K of BitCoin five years from now, every last cent of that filthy lucre can be monitored with acute cryptographic precision until the end of time.
Unless I am mistaken we can also see Bitcoins get stopped dead in its tracks after the user loses their wallet file due to data loss, no?
Also, on your quoted statement:
I do not believe the author considered money laundering with bitcoins. Say I steal $500k worth of bitcoins. I contact launderer XYZ and he places my $500k worth of coins with $5.5mil worth of coins, then funnels, using smaller amounts, to a multitude of addresses back to the thief. Since there are so many transactions to/from in the launderer's wallet, it would be hard to trace past that point where the $500k actually went.
So what does the launderer gain for the risk of taking the loss/blame for the theft? Surely he must impose a healthy fee? Surely this fee would be negotiable based on the good provenance of the coins.
A quick Google of 'bitcoin laundry' shows a typical commission rate of 1.5-3.5% and portion of bitcoins per transaction (to cover the costs of transferring).
I wonder what is to stop a launderer from accepting stolen bitcoins, but then just keeping them. Who would the thief go cry to? Even if the thief complained to the community to harm the launderer's reputation, they would have to tell the community what coins were involved before anybody would listen. Physical retribution, as could/would be used "in meatspace" no longer helps.
>When $50K of BitCoins is stolen today, and is $500K of BitCoin five years from now, every last cent of that filthy lucre can be monitored with acute cryptographic precision until the end of time.
That's just false. It's easy to convert Bitcoin into other altcoins. And then convert those altcoins into other altcoins. And then convert those altcoins into Euros/Rubles/USD. And in the future some of these altcoin chains will vanish totally and it will take a miracle to recover the block chain history.
OK what you said is literally true, but I interpreted the spirit of your comment, because it has few implications for the end user. It's technically relevant, but eventually will be abstracted away (because "if the project continues to succeed into the future").
For the record I link all of my transactions to my personal identity. And intend to in the future. I just like to think about the project a lot, because its feature as a de facto black market currency is one thing that will guarantee usage (not necessarily /USD price appreciation) in the at least short term future (until a better technology supplants it).
> It's easy to convert Bitcoin into other altcoins.
btc-e, cryptonit make it easy
> And then convert those altcoins into other altcoins.
btc-e, cryptonit make it easy
> And then convert those altcoins into Euros/Rubles/USD
btc-e, localbitcoin
> And in the future some of these altcoin chains will vanish totally
have you looked at the namecoin project. it hasn't been updated in 8 months. the price has gone down over time (but it's really fucking hard to get historical price data for namecoin unless someone sells it to you). honestly if you just wash through one of these fledgling currencies there is a speculator market on all of them, one of these projects will wend its way into obscurity. the market has a limited number of actors, not enough to guarantee that anyone is recording data. the exchange probably has books of its rates, but how are you going to get data from them? these also drop like flies.
> and it will take a miracle to recover the block chain history.
that's what i'm saying. the initial transaction will be logged, and tied to you if you aren't careful. the last transaction will be logged, and tied to you if you aren't careful. but putting together all the links in the middle and linking it to someone's identity? it's possible, if you knock on enough doors, and have aggressive enough resources. but there's no process for it currently, and so many things would have to come together in the most serendipitous way to conspire against you.
Thanks for this explanation. I misunderstood your statement to mean "technically" impossible to trace, rather than "realistically" impossible. I understand much better now!
I don't know all the specifics, but they've pushed a patch in March for this accidental hard-fork of the blockchain with a couple months of grace period before the fix allows larger block sizes which will not be able to be processed by older clients with the bug present.
Of course no software is bug free, but this is a pretty good track record.
As far as I know, none of these vulnerabilities have actually resulted in money being lost (perhaps with the exception of some mining rewards in the forks). Most of these are denial of service.
I have a noob question if someone can answer it. It seems to me that mining is a computationally wasteful exercise.
Why don't crypto-currencies just reward the computations needed to keep and confirm transactions, which is actually an economically beneficial service?
> the computations needed to keep and confirm transactions
AFAIK, that's effectively what mining is. From my understanding, transactions exist in a limbo state (where they're relayed around the bitcoin network) until they're included in a mined block and become part of the blockchain. A "mined block" is basically just a list of transactions (including a coinbase transaction, which is the new bitcoins), the merkle root of the previous blocks, and some other data such that the hash of the entire thing is suitable, as determined by the network difficulty. Thus, mining and confirming transactions are effectively one and the same.
Sorry for the poor (and possibly incorrect) explanation, I'm still wrapping my head around it too.
1) The hashing difficulty automatically adjusts to match the network throughput, so that new blocks are found once every 10 minutes. New blocks introduce new Bitcoins, so this controls the total supply.
2) New blocks extend the last agreed-upon block. If an attacker forged a block, they would have to do so faster than the rest of the network combined to control the entire block chain (clients agree the longest block chain is legitimate). While you could do this without the same computational expense, it would rely much more on Internet connectivity.
An older AMD GPU can calculate ~250 million hashes per second. With no difficulty, a transaction could be verified on the network as fast as miners could broadcast their agreement. This would mean attackers could more easily control the block chain with DDoS and other network-related tricks. Even now, the largest mining pools are sometimes targeted to slow down transaction processing.
As lcampbell said, the point of mining is actually to keep and confirm legitimate transactions. Mining needs to be a 'difficult' (but otherwise useless) problem like cryptographic hashing in order to make it difficult to fake transactions. Computations which might be useful in some other way are too easy - only cryptographic hashing is 'difficult' enough to stop the fakes.
It's kind of like captchas - a seemingly pointless pain in the ass on purpose to weed out the spam.
I have a question. I read on the bitcoin site that currently the transaction rate is limited (at 7tps). This seems like a good precaution, as otherwise someone could try to flood the network, but what enforces that limit? Is it that by and large miners use software with that limit, so transaction floods are ignored?
This article really isn't that good or that interesting. I understand people who hold bitcoins upvote anything that says something positive about the currency, but come on, not this.
The bit about stolen money being forever traced is very interesting, and leads me to an idea: can an ethics flag be added to the mining software to make your client refuse to process transactions on stolen bitcoins?
Although now that I think about it, one could allege that your bitcoins, which really belong to someone else, have been stolen, and thus effectively prevent that person from spending those bitcoins. So you would need to have a very high bar for determining those bitcoins were really yours.
>Modern languages like JavaScript and Ruby are great, in that they do a huge amount for you under the surface, but then you don’t actually know what they’re going to do. Ruby got burned pretty badly recently when some systems listening on the network were a little too … friendly. Engineering is a game of tradeoffs. So, of course, is business.
That sounds... a bit... confused. Was there really such an issue with Ruby or is he getting his wires crossed with the Rails problems of recent?
Basically, someone who has the computing resources needed to do the same work as the rest of the network combined could create malicious forks of the block chain. They could then "reverse" transactions they had made, prevent other transactions from being confirmed, and interfere with "mining."
This is polynomial time in the parameters of the system: it is just the sum of the work done by the honest parties. The constant factor is small, and the attack is not at all impractical; even if we generously assume that it would take $100 million of ASICs to carry out the attack, the US government spent 10 times as much on one NSA datacenter in Utah.
And you seriously assume an attacker with that kind of resources (be it millions or billions) would be dumb enough not to realize that a crash of bitcoin would merely spawn the next, more resilient crypto currency?
That would have to be quite a large irrational player because this isn't compatible with today's corporate and government firmware (game theory) at all.
> And you seriously assume an attacker with that kind of resources (be it millions or billions) would be dumb enough not to realize that a crash of bitcoin would merely spawn the next, more resilient crypto currency?
That could actually be what the attacker wants.
> That would have to be quite a large irrational player because this isn't compatible with today's corporate and government firmware (game theory) at all.
While governments may be against cryptocurrency gaining traction, if it seemed inevitable that cryptocurrencies were going to gain widespread traction, assuring that any that had wide open attack vectors were crushed before they became economically significant would be a gain from most governments' points of view, even if it just meant encouraging a more stable cryptocurrency.
An unstable cryptocurrency is a ticking time bomb whose yield increases as it gains traction.
Is there some reason to think a more "resilient" protocol is even possible? Can you even give a rigorous definition of the security properties these protocols are trying to achieve?
That aside, do you really think the government would not try to destroy Bitcoin even if it meant a new system replaced it? Have you not been paying attention to what happened with Megaupload? Governments are perfectly willing to attack systems even when they know the systems will be replaced, just to disrupt the users of the system and pressure people to avoid them.
> Is there some reason to think a more "resilient" protocol is even possible?
I'm not a bitcoin researcher but the first thing I'd have to note is that so far it's holding up not bad at all. At non-trivial scale and under permanent attack. Not a small feat for the first impl of a global, cross-platform P2P crypto money system, don't you think? Just consider the history of infinitely simpler systems (e.g. twitter).
Furthermore there are various efforts underway (e.g. SolidCoin) to address the known weaknesses, even before we know whether any of them turns out to be a bigger problem than the issues that we take for granted in our current banking system (e.g. "too big to fail" or the perpetual banking crisis that has been going on for the past 10 years).
> That aside, do you really think the government would not try to destroy Bitcoin even if it meant a new system replaced it?
Personally yes, I doubt any half-sane government will equate bitcoin with software piracy.
Bitcoin addresses one of the core mechanics of society (money exchange). That's not even in the same ballpark as people downloading vampire movies without paying for them.
> just to disrupt the users of the system and pressure people to avoid them.
This is where I think the average government would be smarter than you.
You can't kill demand for something so useful unless you utterly convince a majority that it can not possibly work - here your piracy-analogy holds water again.
They may indeed pull a Napster (we've seen how that played out) but I think it's much more likely they would try a very long-term, elaborate stealth attack to erode trust in p2p money systems as a whole.
But just as with piracy this seems like a losing proposition. Unless a truly insurmountable flaw is discovered that renders any system with the features of bitcoin infeasible.
"Unless a truly insurmountable flaw is discovered that renders any system with the features of bitcoin infeasible."
Be careful with words like "infeasible." That has a meaning in cryptography and in complexity theory, and it is not quite what you mean there. I think what you are trying to say is, "There might be no protocol like Bitcoin that is secure against polynomial time attacks."
That is not such an outlandish scenario. It has been proved that Merkle's Puzzles cannot be secure no matter how they are instantiated; in fact, Merkle's original system is optimal. I would not be surprised if a similar statement were true of digital cash systems without central authorities: that there will always be a polynomial time attack, no matter how you instantiate them.
Of course, before such a statement could be proved, you would first need a rigorous security definition for Bitcoin. What does it even mean for Bitcoin to be secure? "Double spending" is not even well-defined for Bitcoin; the existing rigorous definitions of double spending in digital cash systems invoke a central authority. Without good security definitions, it is hard to say whether or not Bitcoin is secure or could be secure.
I doubt that even a minority of Bitcoin users are terribly concerned with the lack of rigorous definitions or analysis. If they were, the system would never have gained any traction. As you say, it would take a sustained attack on these systems to really erode the trust in them (although by the second or third system that was attacked, I think most people would just give up).
It is also worth pointing out that the end game might not even be to destroy the system, but just to use it to cut off organizations like Wikileaks. The same attack that can be used to double-spend in Bitcoin can be used to prevent transactions from being confirmed; the government might just stop select targets from using Bitcoin. This would probably shake people's trust in the system, but perhaps not -- maybe the government would be very judicious, or would try to frame the target and make it look like they are trying to cheat.
We could sit here coming up with possible motives for an attack all day long, of course. That is yet another reason that rigorous definitions and formal analysis are valuable: if we can show that no feasible attacks exist, then we do not need to try to guess what the attacker's purpose might be.
Well, all your concerns may very well be provably correct, from a purely academic perspective.
I just think the question you keep missing is: Does it matter in practice?
Our entire world runs on imperfect systems. Can we really already tell whether bitcoin is worse?
Where is your mathematical proof that the current monetary system is secure against polynomial time attacks? Where is your rigorous security definition for the current monetary system?
Could it be we are witnessing attacks on the current system right now, resulting in enormous concentrations of wealth through interactions that we barely understand[1]?
Could it be we are witnessing the authorities abuse the current system to cut off organizations like Wikileaks[2]?
You seem to demand a system that is perfect in every sense on day 1 and replaces the US Dollar on day 2.
Yet couldn't it be that it is actually the academic imperfections, the pragmatic approach of bitcoin that make it a success?
Who knows whether airtight mathematical security is even the most important requirement? Perhaps the known attacks are "hard enough" already, or will be after a few more patches? Perhaps bitcoin will fail spectacularly in a few years due to scalability instead of security issues?
My point is: We simply don't know. We have no precedent, nothing even remotely close (please correct me if I'm missing it, I honestly can't think of one).
Thus I disagree the case is nearly as clear cut as you make it out to be.
It is important to remember that Bitcoin is not a hash function or a signature system. Unfortunately, there seems to be no rigorous definition of "security" for Bitcoin, so it is somewhat difficult to understand what it means to "attack" Bitcoin. I suspect that any rigorous definition of Bitcoin's security would require a definition of money that lacks both authority and intrinsic value.
Do you refer to the "40% attack" also? You know, the one where the attacker only does 40% of the work of the entire network, and has a 1/2 chance of successfully forking the block chain.
There is nothing wrong or misleading about calling it a "polynomial time attack," because that is what it is.
Polynomial in terms of what? It's linear in terms of the current hash rate. 'Polynomial' implies some kind of direct assault on the protocol with difficulty not based on other actors.
And 'forking the blockchain' is also misleading. You can fork the blockchain with even the smallest slice of power just by always working on the previous block instead of the current one. The proper explanation is that if you have 40% of the power you have a 1/2 chance of forking a 6-block-old transaction. This does not scale in any unexpected way. If you wait 12 hours for a transaction then it becomes nearly impossible to fork with a minority of the network. This is not a clever insight in any way. It's obvious that since blocks are randomly timed that there is no sharp transition between 49% and 51% between no control and total control. So an attacker only needs to get close to 50%. This barely changes the math wrt taking over the network. Perhaps it adds a factor of two, being generous.
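The 40% figure in this comment can be checked against the attacker catch-up probability from section 11 of the Bitcoin whitepaper; this is an added example, not a commenter's code. q is the attacker's share of the hash rate and z the depth of the transaction; the constructed scenarios cover the 6-block and the 12-hour (taken as 72 blocks at one per ten minutes) cases mentioned above.

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker with share q of the hash rate ever
    rewrites a transaction buried z blocks deep (whitepaper, section 11).

    While the honest chain advances z blocks, the attacker's progress is
    Poisson with mean z*q/p. From k blocks made, the remaining gap of z-k
    blocks is closed with probability (q/p)^(z-k). Success is the
    complement of failing in every one of those cases.
    """
    if not 0.0 <= q < 1.0 or z < 0:
        raise ValueError("q must be in [0, 1) and z must be non-negative")
    p = 1.0 - q
    if q >= p:
        return 1.0                      # a majority always catches up eventually
    ratio = q / p
    lam = z * ratio
    poisson = math.exp(-lam)            # k = 0 term, updated iteratively to avoid big factorials
    failure = 0.0
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        failure += poisson * (1.0 - ratio ** (z - k))
    return max(0.0, 1.0 - failure)


def confirmations_needed(q: float, target: float = 0.001, limit: int = 10_000) -> int:
    """Smallest depth z at which the attacker's success probability drops below target."""
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < target:
            return z
    raise ValueError(f"attacker share {q} needs more than {limit} confirmations")


def scenarios() -> dict[str, float]:
    """Constructed cases tied to the thread: a 40% attacker at 6 blocks and at 12 hours,
    a 10% attacker at 6 blocks, and the depth a 40% attacker must be left behind."""
    twelve_hours = 72
    return {
        "q=0.40, z=6": attacker_success_probability(0.40, 6),
        "q=0.40, z=72": attacker_success_probability(0.40, twelve_hours),
        "q=0.10, z=6": attacker_success_probability(0.10, 6),
        "q=0.40, z for <0.1%": confirmations_needed(0.40),
    }


if __name__ == "__main__":
    for label, value in scenarios().items():
        print(f"{label}: {value:.4g}")
```

With q = 0.4 the 6-block case comes out at about 0.50, matching the comment, and the whitepaper's tabulated values (for example 0.1773 at q = 0.3, z = 5) are reproduced by the same function.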
A doomed financial farce can still be fascinating, and can still be a huge milestone in mankind's history. In fact, I would say a huge percentage of our history is made up of doomed farces. The more spectacular the failure, the bigger the impact. Bitcoin, doomed or not, is starting to become pretty spectacular.
It's all fun and games until someone's economy gets Really Unalterably trashed and then the guns come out.
The Bitcoiners live in some digital utopia where no one ever pulls a real gun because of politics, but the rest of us are going to have to pick up the pieces for their hubris.
I like his "Security Inversion" slide:
> Normal Code:
> * Looks like it might be OK up front
> * Scratch the surface, it's actually really bad
> Bitcoin:
> * Looks really bad up front
> * Scratch the surface, it's actually surprisingly good
> * We aren't used to systems with these characteristics
> * This code has the mark of having been audited by People Like Us