Bitcoin Is Broken - Hacking Distributed

Vitalik's response to Tuur

I interlaced everything between Vitalik and Tuur to make it easier to read.
1/ People often ask me why I’m so “against” Ethereum. Why do I go out of my way to point out flaws or make analogies that put it in a bad light?
2/ First, ETH’s architecture & culture is opposite that of Bitcoin, and yet claims to offer same solutions: decentralization, immutability, SoV, asset issuance, smart contracts, …
Second, ETH is considered a crypto ‘blue chip’, thus colors perception of uninformed newcomers.
Agree! I personally find Ethereum culture far saner, though I am a bit biased :)
3/ I've followed Ethereum since 2014 & feel a responsibility to share my concerns. IMO contrary to its marketing, ETH is at best a science experiment. It’s now valued at $13B, which I think is still too high.
Not an argument
4/ I agree with Ethereum developer Vlad Zamfir that it’s not money, not safe, and not scalable.
@VladZamfir Eth isn't money, so there is no monetary policy. There is currently fixed block issuance with an exponential difficulty increase (the bomb).
I'm pretty sure Vlad would say the exact same thing about Bitcoin
5/ To me the first red flag came up when in our weekly hangout we asked the ETH founders about how they were going to scale the network. (We’re now 4.5 years later, and sharding is still a pipe dream.)
Ethereum's Joe Lubin in June 2014: "anticipate blockchain bloat—working on various sharding ideas".
The core principles have been known for years, the core design for nearly a year, and details for months, with implementations on the way. So sharding is definitely not at the pipe dream stage at this point.
6/ Despite strong optimism that on-chain scaling of Ethereum was around the corner (just another engineering job), this promise hasn’t been delivered on to date.
Sure, sharding is not yet finished. Though more incremental stuff has been going well, eg. uncle rates are at near record lows despite very high chain usage.
7/ Recently, a team of reputable developers decided to peer review a widely anticipated Casper / sharding white paper, concluding that it does not live up to its own claims.
Unmerciful peer review of Vlad Zamfir & co's white paper to scale Ethereum: "the authors do NOT prove that the CBC Casper family of protocols is Byzantine fault tolerant in either practice or theory".
That review was off the mark in many ways, eg. see, and by the way CBC is not even a prerequisite for Serenity
8/ On the 2nd layer front, devs are now trying to scale Ethereum via state channels (ETH’s version of Lightning), but it is unclear whether main-chain issued ERC20 type tokens will be portable to this environment.
Umm... you can definitely use Raiden with arbitrary ERC20s. That's why the interface currently uses WETH (the ERC20-fied version of ether) and not ETH
9/ Compare this to how the Bitcoin Lightning Network project evolved:
elizabeth stark @starkness: For lnd: First public code released: January 2016; Alpha: January 2017; Beta: March 2018…
10/ Bitcoin’s Lightning Network is now live, and is growing at rapid clip.
Jameson Lopp @lopp: Lightning Network: January 2018 vs December 2018
Sure, though as far as I understand there's still a low probability of finding routes for nontrivial amounts, and there's capital lockup griefing vectors, and privacy issues.... FWIW I personally never thought lightning is unworkable, it's just a design that inherently runs into ten thousand small issues that will likely take a very long time to get past.
11/ In 2017, more Ethereum scaling buzz was created, this time the panacea was “Plasma”.
@TuurDemeester Buterin & Poon just published a new scaling proposal for Ethereum, "strongly complementary to base-layer PoS and sharding":
Yay, Plasma!
12/ However, upon closer examination it was the recycling of some stale ideas, and the project went nowhere:
Peter Todd @peterktodd These ideas were all considered in the Treechains design process, and ultimately rejected as insecure.
Just because Peter Todd rejected something as "insecure" doesn't mean that it is. In general, the ethereum research community is quite convinced that the fundamental Plasma design is fine, and as far as I understand there are formal proofs on the way. The only insecurity that can't be avoided is mass exit vulns, and channel-based systems have those too.
13/ The elephant in the room is the transition to proof-of-stake, an “environmentally friendly” way to secure the chain. (If this was the plan all along, why create a proof-of-work chain first?)
@TuurDemeester "Changing from proof of work to proof of stake changes the economics of the system, all the rules change and it will impact everything."
Umm... we created a proof of work chain first because we did not have a satisfactory proof of stake algo initially?
14/ For the uninitiated, here’s a good write-up that highlights some of the fundamental design problems of proof-of-stake. Like I said, this is science experiment territory.
And here's a set of long arguments from me on why proof of stake is just fine: For a more philosophical piece, see
15/ Also check out this thread about how Proof of Stake blockchains require subjectivity (i.e. a trusted third party) to achieve consensus: … and this thread on Bitcoin:
Yes, we know about weak subjectivity, see It's really not that bad, especially given that users need to update their clients once in a while anyway, oh and by the way even if the weak subjectivity assumption is broken an attacker still needs to gather up that pile of old keys making up 51% of the stake. And also to defend against that there's Universal Hash Time.
16/ Keep in mind that Proof of Stake (PoS) is not a new concept at all. Proof-of-Work actually was one of the big innovations that made Bitcoin possible, after PoS was deemed impractical because of censorship vulnerability.
@TuurDemeester TIL Proof-of-stake based private currency designs date at least back to 1998.
Oh I definitely agree that proof of work was superior for bootstrap, and I liked it back then especially because it actually managed to be reasonably egalitarian around 2009-2012 before ASICs fully took over. But at the present time it doesn't really have that nice attribute.
17/ Over the years, this has become a pattern in Ethereum’s culture: recycling old ideas while not properly referring to past research and having poor peer review standards. This is not how science progresses. Tuur Demeester added,
[email protected] has been repeatedly accused of /criticised for not crediting prior art. Once again with plasma:
I try to credit people whenever I can; half my blog and posts have a "special thanks" section right at the top. Sometimes we end up re-inventing stuff, and sometimes we end up hearing about stuff, forgetting it, and later re-inventing it; that's life as an autodidact. And if you feel you've been unfairly not credited for something, always feel free to comment, people have done this and I've edited.
18/ One of my big concerns is that sophistry and marketing hype is a serious part of Ethereum’s success so far, and that overly inflated expectations have led to an inflated market cap.
Ok, go on.
19/ Let’s illustrate with an example.
20/ A few days ago, I shared a critical tweet that made the argument that Ethereum’s value proposition is in essence utopian.
@TuurDemeester Ethereum-ism sounds a bit like Marxism to me:
  • What works today (PoW) is 'just a phase', the ideal & unproven future is to come: Proof-of-Stake.…
21/ I was very serious about my criticism. In fact, each one of the three points addressed what Vitalik Buterin has described as “unique value propositions of Ethereum proper”.
22/ My first point, about Ethereum developers rejecting Proof-of-Work, has been illustrated many times over by Vitalik and others. (See earlier in this tweetstorm for more about how PoS is unproven.)
Vitalik Non-giver of Ether @VitalikButerin: I don't believe in proof of work!
See above for links as to why I think proof of stake is great.
23/ My second point addresses Ethereum’s romance with the vague and dangerous notion of ‘social consensus’, where disruptive hard-forks are used to ‘upgrade’ or ‘optimize’ the system, which inevitably leads to increased centralization. More here:
See my rebuttal to Tuur's rebuttal :)
24/ My third point addresses PoS’ promise of perpetual income to ETHizens. Vitalik is no stranger to embracing free lunch ideas, e.g. during his 2014 ETH announcement speech, where he described a coin with a 20% inflation tax as having “no cost” to users.
Yeah, I haven't really emphasized perpetual income to stakers as a selling point in years. I actually favor rewards being as low as possible while still being high enough for security.
25/ In his response to my tweet, Vitalik adopted my format to “play the same game” in criticizing Bitcoin. My criticisms weren't addressed, and his response was riddled with errors. Yet his followers gave it +1,000 upvotes!
Vitalik Non-giver of Ether @VitalikButerin: - What works today (L1) is just a phase, ideal and unproven future (usable L2) is to come - Utopian concept of progress: we're already so confident we're finished we ain't needin no hard forks…
Ok, let's hear about what the errors are...
26/ Rebuttal: - BTC layer 1 is not “just a phase”, it always will be its definitive bedrock for transaction settlement. - Soft forking digital protocols has been the norm for over 3 decades—hard-forks are the deviation! - Satoshi never suggested hyperbitcoinization as a goal.
Sure, but (i) the use of layer 1 for consumer payments is definitely, in bitcoin ideology, "just a phase", (ii) I don't think you can make analogies between consensus protocols and other kinds of protocols, and between soft forking consensus protocols and protocol changes in other protocols, that easily, (iii) plenty of people do believe in hyperbitcoinization as a goal. Oh by the way:
27/ This kind of sophistry is exhausting and completely counter-productive, but it can be very convincing for an uninformed retail public.
Ok, go on.
28/ Let me share a few more inconvenient truths.
29/ In order to “guarantee” the transition to PoS’ utopia of perpetual income (staking coins earns interest), a “difficulty bomb” was embedded in the protocol, which supposedly would force miners to accept the transition.
The intended goal of the difficulty bomb was to prevent the protocol from ossifying, by ensuring that it has to hard fork eventually to reset the difficulty bomb, at which point the status quo bias in favor of not changing other protocol rules at the same time would be weaker. Though forcing a switch to PoS was definitely a key goal.
30/ Of course, nothing came of this, because anything in the ETH protocol can be hard-forked away. Another broken promise.
Tuur Demeester @TuurDemeester: Looks like another Ethereum hard-fork is going to remove the "Ice Age" (difficulty increase meant to incentivize transition to PoS).
How is that a broken promise? There was no social contract to only replace the difficulty-bombed protocol with a PoS chain.
31/ Another idea that was marketed heavily early on was that with ETH you could program smart contracts as easily as javascript applications.
Tuur Demeester @TuurDemeester: I forgot, but in 2014 Ethereum was quite literally described as "Javascript-on-the-blockchain"
Agree that was over-optimistic, though the part of the metaphor that's problematic is the "be done with complex apps in a couple hours" part, NOT the "general-purpose languages are great" part.
32/ This was criticized by P2P & OS developers as a reckless notion, given that every smart contract is actually a “de novo cryptographic protocol”. In other words, it’s playing with fire.
See above
33/ The modular approach to Bitcoin seems to be much better at compartmentalizing risk, and thus reducing attack surfaces. I’ve written about modular scaling here...
To be fair, risk is reduced because Bitcoin does less.
34/ Another huge issue that Ethereum has is with scaling. By putting “everything on the blockchain” (which stores everything forever) and dubbing it “the world computer”, you are going to end up with a very slow and clogged up system.
Christopher Allen @ChristopherA: AWS cost: $0.000000066 for calc, Ethereum: $26.55. This is about 400 million times as expensive. World computer?
We never advocated "putting everything on the blockchain". The phrase "world computer" was never meant to be interpreted as "everyone's personal desktop", but rather as a common platform specifically for the parts of applications that require consensus on shared state. As evidence of this, notice how Whisper and Swarm were part of the vision as complements to Ethereum right from the start.
35/ By now the Ethereum bloat is so bad that cheaply running an individual node is practically impossible for a lay person. ETH developers are also imploring people to not deploy more smart contract apps on its blockchain.
Tuur Demeester @TuurDemeester: But... deploying d-apps on the "Ethereum Virtual Machine" is exactly what everyone was encouraged to do for the past 4 years. Looks like on-chain scaling wasn't such a great idea after all.
Umm.... I just spun up a node from scratch last week. On a consumer laptop.
36/ As a result, and despite the claims that running a node in “warp” mode is easy and as good as a full node, Ethereum is becoming increasingly centralized.
@TuurDemeester Finally a media article touching on the elephant in the room: Ethereum has become highly centralized. #infura
See above
37/ Another hollow claim: in 2016, Ethereum was promoted as being censorship resistant…
Tuur Demeester @TuurDemeester: Pre TheDAO #Ethereum presentation: "uncensorable, code is law, bottom up".
Yes, the DAO fork did violate the notion of absolute immutability. However, the "forking the DAO will lead to doom and gloom" crowd was very wrong in one key way: it did NOT work as a precedent justifying all sorts of further state interventions. The community clearly drew a line in the sand by firmly rejecting EIP 867, and EIP 999 seems to now also be going nowhere. So it seems like there's some evidence that the social contract of "moderately but not infinitely strong immutability" actually can be stable.
38/ Yet later that year, after only 6% of ETH holders had cast a vote, ETH core devs decided to endorse a hard-fork that clawed back the funds from a smart contract that held 4.5% of all ETH in circulation. More here: ...
See above
39/ Other potential signs of centralization: Vitalik Buterin signing a deal with a Russian government institution, and ETH core developers experimenting with semi-closed meetings: …,
Hudson Jameson @hudsonjameson: The "semi-closed" Ethereum 1.x meeting from last Friday was an experiment. The All Core Dev meeting this Friday will be recorded as usual.
Suppose I were to tomorrow sign up to work directly for Kim Jong Un. What concretely would happen to the Ethereum protocol? I suspect very little; I am mostly involved in the Serenity work, and the other researchers have proven very capable of both pushing the spec forward even without me and catching any mistakes with my work. So I don't think any argument involving me applies. And we ended up deciding not to do more semi-closed meetings.
40/ Another red flag to me is the apparent lack of relevant expertise in the ETH development community. (Check the responses…)
Tuur Demeester @TuurDemeester: Often heard: "but Ethereum also has world class engineers working on the protocol". Please name names and relevant pedigree so I can follow and learn.
I personally am confident in the talents of our core researchers, and our community of academic partners. Most recently the latter group includes people from Starkware, Stanford CBR, IC3, and other groups.
41/ For a while, Microsoft veteran Lucius Meredith was mentioned as playing an important role in ETH scaling, but now he is likely distracted by the failure of his ETH scaling company RChain.
I have no idea who described Lucius Meredith's work as being important for the Serenity roadmap.... oh and by the way, RChain is NOT an "Ethereum scaling company"
42/ Perhaps the recently added Gandalf of Ethereum, with his “Fellowship of Ethereum Magicians” [sic] can save the day, but imo that seems unlikely...
Honestly, I don't see why Ethereum Gandalf needs to save the day, because I don't see what is in danger and needs to be saved...
43/ This is becoming a long tweetstorm, so let’s wrap up with a few closing comments.
44/ Do I have a conflict of interest? ETH is a publicly available asset with no real barriers to entry, so I could easily get a stake. Also, having met Vitalik & other ETH founders several times in 2013-’14, it would have been doable for me to become part of the in-crowd.
Agree there. And BTW I generally think financial conflicts of interest are somewhat overrated; social conflicts/tribal biases are the bigger problem much of the time. Though those two kinds of misalignments do frequently overlap and reinforce each other so they're difficult to fully disentangle.
45/ Actually, I was initially excited about Ethereum’s smart contract work - this was before one of its many pivots.
Tuur Demeester @TuurDemeester: Ethereum is probably the first programming language I will teach myself - who wouldn't want the ability to program smart BTC contracts?
Ethereum was never about "smart BTC contracts"..... even "Ethereum as a Mastercoin-style meta-protocol" was intended to be built on top of Primecoin.
46/ Also, I have done my share of soul searching about whether I could be suffering from survivor’s bias.
@TuurDemeester I just published “I’m not worried about Bitcoin Unlimited, but I am losing sleep over Ethereum”
Ok, good.
47/ Here’s why Ethereum is dubious to me: rather than creating an open source project & testnet to work on these interesting computer science problems, its founders instead did a securities offering, involving many thousands of clueless retail investors.
What do you mean "instead of"? We did create an open source project and testnet! Whether or not ETH is a security is a legal question; seems like SEC people agree it's not:
48/ Investing in the Ethereum ICO was akin to buying shares in a startup that had “invent time travel” as part of its business plan. Imo it was a reckless security offering, and it set the tone for the terrible capital misallocation of the 2017 ICO boom.
Nothing in the ethereum roadmap requires time-travel-like technical advancements or anything remotely close to that. Proof: we basically have all the fundamental technical advancements we need at this point.
49/ In my view, Ethereum is the Yahoo of our day - an unscalable “blue chip” cryptocurrency:
Tuur Demeester @TuurDemeester: 1/ The DotCom bubble shows that the market isn't very good at valuing early stage technology. I'll use Google vs. Yahoo to illustrate.
Got it.
50/ I’ll close with a few words from Gregory Maxwell from 2016:
See my rebuttal to Greg from 2 years ago:
submitted by shouldbdan to ethtrader

Merged Mining: Analysis of Effects and Implications

Date: 2017-08-24
Author(s): Alexei Zamyatin, Edgar Weippl

Merged mining refers to the concept of mining more than one cryptocurrency without necessitating additional proof-of-work effort. Merged mining was introduced in 2011 as a bootstrapping mechanism for new cryptocurrencies and a countermeasure against the fragmentation of mining power across competing systems. Although merged mining has already been adopted by a number of cryptocurrencies, to this date little is known about its effects and implications.
In this thesis, we shed light on this topic area by performing a comprehensive analysis of merged mining in practice. As part of this analysis, we present a block attribution scheme for mining pools to assist in the evaluation of mining centralization. Our findings disclose that mining pools in merge-mined cryptocurrencies have operated at the edge of, and even beyond, the security guarantees offered by the underlying Nakamoto consensus for extended periods. We discuss the implications and security considerations for these cryptocurrencies and the mining ecosystem as a whole, and link our findings to the intended effects of merged mining.

submitted by dj-gutz to myrXiv

the first t-shirt biz to accept 31 different crypto currencies! Litecoin grunge design available! Apparel for the discerning crypto miner and enthusiast.

UPDATE: New Bitcoin Miami Vice shirt added and nifty Currency changer!
Join the 51% Attack!
We are causing the equilibrium of the world to teeter, and its people will embrace freedom and liberty through Crypto. The apparel on this site is in celebration of the community who will change the world.
Thanks to the following people. This site is hosted by my server “concierge” RK from eDigest. The clothing is being produced by Redditor Josh neverfallindown from Thread Monster Printing. The ingenious multi currency payment system is by
Designs in the works:
submitted by giannidalerta to litecoin

the first t-shirt biz to accept 31 different crypto currencies! Apparel for the discerning crypto miner and enthusiast.

UPDATE: Thanks for all the orders. Pretty exciting to see how international crypto is. Also interesting to see what coins people are using.
submitted by giannidalerta to CryptoCurrency [link] [comments]

ASIC resistance through minting rate: the Primecoin example

It is known that Primecoin is GPU resistant, and we can speculate that it will be ASIC resistant as well, but what I want to talk about is something else.
Primecoin's block rewards are calculated using the formula: reward = 999/difficulty². If we assume that ASICs will be 100 times faster than CPUs (conservative guess, given the figures for Bitcoin), we can expect difficulty to increase 100-fold as well. Rewards will thus be divided by 100² = 10,000.
So I think Primecoin made itself economically ASIC-proof, willingly or not: IMHO there is no way such a massive, sudden increase in computational power can be profitable. And if it happened to be, it would mean the value of Primecoin sky-rocketed, which would serve early CPU miners even more than the new ASIC owners.
Does it mean Primecoin is vulnerable to 51% attacks from wealthy entities ready to fund research into Primecoin ASICs? I don't think so: all it would take is to move Primecoin to a new algorithm, and all the attacker's money would have been spent for nothing. Any algorithm would do, even SHA-256: considering the role of CPU coins is fair wealth distribution, ASIC-resistance is not really needed once the minting is over, and Primecoin ASICs would announce the end of minting (and inflation BTW).
Primecoin: the real grass-root crypto-currency? EDIT: well, maybe, but only if you spread the word. People will consider it equal opportunity only if they have heard about it.
submitted by arkanaprotego to primecoin [link] [comments]
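Worked model of the minting-rate argument in the post above (an added example, not the poster's code). It encodes the reward formula the post states, reward = 999/difficulty², together with the post's assumption that an ASIC influx multiplies both total hashpower and difficulty by the same factor, and contrasts the resulting payoff with a Bitcoin-style fixed subsidy. The function names, the 25-coin subsidy and the sample network figures are assumptions for illustration only.

```python
"""Minting-rate model for the post above: Primecoin's reward = 999/difficulty^2
versus a fixed subsidy.  Constructed example; the network figures and the
25-coin subsidy are assumptions, not data from the post."""

from dataclasses import dataclass
from typing import Callable


def primecoin_reward(difficulty: float) -> float:
    """Block reward as the post states it: 999 / difficulty squared."""
    if difficulty <= 0:
        raise ValueError("difficulty must be positive")
    return 999.0 / (difficulty ** 2)


def fixed_reward(_difficulty: float, subsidy: float = 25.0) -> float:
    """A Bitcoin-style subsidy: constant regardless of difficulty (assumed value)."""
    return subsidy


@dataclass(frozen=True)
class Network:
    difficulty: float   # current difficulty
    total_hash: float   # total hashpower in arbitrary units


def income_per_hash_unit(net: Network, reward: Callable[[float], float]) -> float:
    """Expected reward per block per unit of hashpower.

    A miner with h units wins h / total_hash of blocks, so per unit the
    expected income per block is reward / total_hash."""
    return reward(net.difficulty) / net.total_hash


def after_asic_influx(net: Network, speedup: float) -> Network:
    """Post's assumption: ASICs `speedup` times faster than the CPUs they
    replace multiply total hashpower by `speedup`, and difficulty follows."""
    return Network(difficulty=net.difficulty * speedup,
                   total_hash=net.total_hash * speedup)


def asic_payoff_ratio(net: Network, speedup: float,
                      reward: Callable[[float], float]) -> float:
    """Income of one ASIC unit after the influx divided by the income one CPU
    unit earned before it.  One ASIC unit carries `speedup` hash units.

    Fixed subsidy: ratio == 1, so the upgrade merely transfers income from
    CPU miners to ASIC owners.  difficulty^-2 reward: ratio == 1/speedup^2,
    the 1/10,000 collapse the post describes for a 100x speedup."""
    before = income_per_hash_unit(net, reward)
    after = income_per_hash_unit(after_asic_influx(net, speedup), reward) * speedup
    return after / before


def price_rise_needed(speedup: float) -> float:
    """Factor the coin price must rise for an ASIC unit just to match the
    CPU income it displaced, under the difficulty^-2 reward."""
    return speedup ** 2


if __name__ == "__main__":
    net = Network(difficulty=10.0, total_hash=1_000.0)   # constructed figures
    for label, fn in (("primecoin", primecoin_reward), ("fixed", fixed_reward)):
        print(f"{label:>9}: ASIC earns {asic_payoff_ratio(net, 100.0, fn):.2e}"
              " of what a CPU earned before")
    print("price must rise", price_rise_needed(100.0), "x to break even")
```

The contrast is the point: under a fixed subsidy the ASIC owner simply takes the CPU miner's income, whereas under the difficulty-squared schedule the whole reward pool shrinks with the extra hashpower, so the ASIC investment only pays if the price rises by the square of the speedup.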

Share your top 5 Cryptos and why.

I like to follow it, just kinda for fun. I am really interested, like many, in the long term: how cryptos will play out as far as real-world adoption, values and use etc. Because I have a small amount I play with, and not much to spare, I've decided to arbitrarily limit my crypto investments to my top 5 favorite coins, so these are them.
I'm curious what your top 5 coins are and why you are excited about them? Also which of my choices suck, and why ;-)
  1. Bitcoin: it's the biggest, most used and most accepted. I think it will continue to be the major player or one of several major coins just because of its primacy and recognition.
  2. Litecoin: it's the 2nd biggest, 2nd most used and 2nd most accepted (I think?) and even though its market cap pales compared to Bitcoin's, it's still an order of magnitude above all the other altcoins. It's in based on the 2nd largest market cap and all it has invested in its acceptance and services.
  3. Dogecoin: I actually don't like several things about this coin. Mostly its inflation and the fact that I can't see it ever being used in a major way by large-scale businesses (can you imagine a contract for a multi-million dollar skyscraper paid in a "joke" currency?). But I can see it fulfilling a niche use, and it does have a lot of "fans" and fun publicity. I hold the least amount of this currency between the 5 coins I hold. I keep it on the list because it's funny and likable, and I'm guessing it has more users than Litecoin or possibly even Bitcoin (I have no data, it just seems a lot of people hold a little?).
  4. Darkcoin: This one is a little bit "front runner" with the recent rise in price, but I bought just before that so I'm liking it. I'm interested in this coin because of its innovation in mining algorithm, and it's offering anonymity to end users. Yes, I know other coins could add this, but I see significant resistance to BTC or LTC adding this, as they want to participate in more business/government settings where blockchain transparency -can- be a good thing. Maybe Dark Wallet for Bitcoin makes this coin less interesting, but I still like the algorithm and it seems to be gaining services and merchant adoption, so I'm still watching and waiting.
  5. Myriadcoin: This is the most recent addition to my top 5. I like the algorithm innovation, using multiple algorithms side by side. Unlike the way Vertcoin "fights" what is possible with its n-factor scrypt, Myriadcoin embraces what is possible in terms of mining hardware. ASICs are welcome and not a huge centralization issue. Another key difference from Vertcoin is that Myriad's ASIC coping mechanism is beneficial to the end user, by making 51% attacks another order of magnitude more difficult; Vertcoin's increasing n-factor is great for miners, but I think has very little meaning to end users. This is my underdog vote since it is a tiny market cap but I think it has potential.
PS. I recently sold out of positions in Namecoin, Peercoin, Primecoin and Vertcoin.
PPS. I suck at grammar/spelling, sorry.
submitted by starkast to CryptoCurrency [link] [comments]

I (as a non-Bitcoin user) believe that Bitcoin and all other cryptocurrencies will ultimately fail and are not legitimate currencies. CMV

I don't have much experience with Bitcoin; I don't own any and don't know anybody who does. I have been keeping up with it for a while now, however, and really don't believe it will be able to go on for much longer, especially since other cryptocurrencies can be made by pretty much anybody.
Firstly, a while ago I read an article where the author compared holding Bitcoin to holding gold bullion, but the thing about gold is that it's tangible, it's useful and it's rare, and I think that without that element of tangibility, Bitcoin and all other cryptos are doomed, as the average person does not know enough about computing, encryption and economics to actually understand what Bitcoin is, let alone the fact that most have been raised with a contrary concept of currency imprinted in their minds. I also believe that the only value cryptocurrencies have is their convenience for sending large amounts of money, and once regulation kicks in Bitcoin just doesn't have any real worth anymore.
Another problem I have with Bitcoin is that the vast majority of bitcoins are owned by early adopters or huge investors, which is directly contrary to what Bitcoin is supposed to be, and with huge traders jamming up exchanges, forcing prices up/down, manipulating markets and other coins, it is no different from the flawed system we already have today and is far, far too volatile to ever be considered a real currency (for instance the current volatility/price crash).
The last problem I have with Bitcoin is the fact that so much energy and processing power is wasted mining it. I'm aware that there are other cryptocurrencies whose mining is somewhat useful (Primecoin? Peercoin?), but that processing power could be going to much better use than mining something that isn't even physical. It's just not really doing anything that a lot of companies can't compete with, and also, why is Bitcoin worth more than the more secure (as in less vulnerable to 51% attacks) scrypt coins out there?
Last but not least, I REALLY don't think Bitcoin will survive because of the fact that we know how many there are and ever will be, and once they are lost, they are unrecoverable. We don't know exactly how much gold, silver, or pretty much any other metal there is in the world, and once that last bitcoin gets mined, the clock starts ticking for Bitcoin, and it's only a matter of time before people realise this and ditch the "currency".
I'd actually really like to get into Bitcoin, but before I invest any of my own money or even start treating it like a legitimate currency, I, and probably a lot of other people need convincing that it's here to stay and not just a fun hobby for the technologically-inclined. CMV
submitted by NotSureAboutBitcoins to changemyview [link] [comments]

Mining hardware constraints in relation to transaction fees: thinking about the future

In a (not so) distant future when block subsidies are no more, miners' income will come from transaction fees only. Assuming everybody behaves the same way and mines to support decentralization, what each person spends on mining is also what each person receives as mining rewards, so the balance is zero. However they still have to pay for their mining hardware and their power bills.
The question is: how much are you willing to spend to support the network?
I would say not much more than regular banking fees. As a rule of thumb, let's say $10 per month.
Let's study 2 cases.
If you already have the hardware because it is general-purpose (i.e. the crypto is ASIC-resistant), you can spend these $10 on electricity only. At a rate of $0.15/kWh, this is 67 kWh, which means you can afford to let a miner of 91W run permanently. This is slightly more than a CPU (without the rest of the system), and only about one third of an AMD 7950 GPU (without the rest of the system either).
If you must buy specific hardware (i.e.: the crypto is ASIC-friendly), assuming it is perfectly power-efficient, you can disregard power costs and spend your whole budget on hardware. Assuming you will renew it every 3 years, this means you can afford a $360 miner. For Bitcoin, as of today, this would be 3 Redfury USB miners.
Now, the important part: since the sum of transaction fees can only support that much hashing power, if anyone mines more than their share, they contribute to centralizing the network, because assuming no one is willing to pay more transaction fees to compensate, someone else will need to stop mining.
Conclusions: in the long run, GPU mining is not sustainable at more than 1 GPU per household. CPU mining by everyone could be sustainable if a CPU-friendly, GPU-resistant and ASIC-resistant algorithm can actually be designed. As of today, SHA-256 is completely dominated by ASICs, Scrypt with N=1024 ASICs are on the horizon, Scrypt with higher N values is vulnerable to DOS attacks, Quark's algos have already been implemented as ASICs by academics and Protoshare's Momentum algorithm is GPU-vulnerable. As far as I know, the only viable algo that has yet to be proven GPU/ASIC-vulnerable is Primecoin's, but given the fates of the others, I wouldn't set my expectations too high.
So it appears that progression to ASICs will be hard to avoid. But big ASICs with power draws higher than 100 watts are definitely a threat to decentralization. They are acceptable as long as the money supply is growing, but are not sustainable, so I advocate the development of smaller ASICs to preserve the decentralization of crypto-currencies in the future.
Coincidentally you can use these calculations to estimate the cost of a 51% attack in the future: let's consider the current global population of 7 billion people, each spending $10 per month to secure the network. For a 51% attack, you would need more than 70 billion dollars per month, or 840 billion per year, 23% more than the 2010 US military budget.
Of course, all of this is assuming a PoW mining system. With proof-of-stake, it would be completely different, as block generation would be nearly free.
submitted by arkanaprotego to CryptoCurrency [link] [comments]
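A small calculator for the fee-budget reasoning in the post above (an added example, not the poster's code). It reproduces the two cases the post walks through (all budget to power, or all budget to hardware) and generalizes the 51% cost estimate to any target share: with honest spend H and attacker spend A, the attacker holds A/(A+H) of the hashpower, so A must be at least H·t/(1−t) to reach a share t. The 730-hour month, the dataclass and function names, and the assumption that hashpower costs the attacker the same per unit as everyone else are mine, not the post's.

```python
"""Fee-budget calculator for the post above.  Constructed example; the
730-hour month and the attacker-pays-the-same-rate assumption are mine."""

from dataclasses import dataclass

HOURS_PER_MONTH = 730.0   # assumed average month length


@dataclass(frozen=True)
class Budget:
    monthly_usd: float              # what one participant will spend to secure the network
    electricity_usd_per_kwh: float
    hardware_life_years: float      # replacement cycle for purpose-built hardware


def sustainable_watts(b: Budget) -> float:
    """ASIC-resistant case: hardware is already owned, so the whole budget
    buys electricity.  Returns the continuous draw that budget sustains."""
    kwh_per_month = b.monthly_usd / b.electricity_usd_per_kwh
    return kwh_per_month / HOURS_PER_MONTH * 1000.0


def hardware_budget_usd(b: Budget) -> float:
    """ASIC-friendly case: assume a perfectly efficient miner so power is
    negligible and the budget over one hardware lifetime buys the device."""
    return b.monthly_usd * 12.0 * b.hardware_life_years


def honest_spend_per_month(participants: int, b: Budget) -> float:
    """Total honest security spend when every participant pays the budget."""
    return participants * b.monthly_usd


def attacker_spend_per_month(participants: int, b: Budget,
                             target_share: float = 0.51) -> float:
    """Minimum monthly spend for an attacker to hold `target_share` of the
    hashpower, assuming hashpower costs the attacker the same per unit as
    everyone else.  With honest spend H and attacker spend A the attacker's
    share is A / (A + H), so A >= H * t / (1 - t)."""
    if not 0.0 < target_share < 1.0:
        raise ValueError("target_share must be strictly between 0 and 1")
    h = honest_spend_per_month(participants, b)
    return h * target_share / (1.0 - target_share)


if __name__ == "__main__":
    b = Budget(monthly_usd=10.0, electricity_usd_per_kwh=0.15, hardware_life_years=3.0)
    print(f"power-only budget sustains {sustainable_watts(b):.0f} W continuously")
    print(f"hardware-only budget buys a ${hardware_budget_usd(b):.0f} miner every 3 years")
    world = 7_000_000_000
    print(f"honest spend: ${honest_spend_per_month(world, b) / 1e9:.0f}B/month; "
          f"51% attacker needs ${attacker_spend_per_month(world, b) / 1e9:.1f}B/month")
```

Note that the attacker figure is a floor: it assumes the attacker can buy hashpower at the same marginal price as the honest participants and that nobody raises their fees in response. Either assumption failing only makes the attack dearer, which is the direction the post argues.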

the first t-shirt biz to accept 31 different crypto currencies! Apparel for the discerning crypto miner and enthusiast.

submitted by giannidalerta to Bitcoin [link] [comments]

The need for a universal medium of exchange.

The birth and acceptance of a universal medium of exchange ("UMX") is inevitable. The UMX may follow the Bitcoin protocol or its variants (Litecoin's scrypt), be based upon innovations that include some novel concepts (Peercoin's proof-of-stake) or variants (Quark's multiple hashing functions, Primecoin's 'useful' proof-of-work) or arise from a more general layer of development that uses the Bitcoin protocol to generalize the concept (Ethereum).
The current amalgam of fiat currencies and bartering systems controlled by centralized authorities (through taxation and regulation) stifles worldwide growth and impedes progress toward achieving a humanitarian distribution of the planet's resources. Indeed, the hope that a centralized, benevolent authority would eventually emerge as more developed countries increase their wealth to the level that enables them to act selflessly for the common good and cooperate in a mission to improve the world's quality of life, is flawed. History has demonstrated that despite good intention, when a political entity is in a crisis it will act in its own self-interest, as do individuals. Although there are certainly examples of self-destructive and selfless individuals, in the collective humankind has survived because of a deep-seated survival instinct.
Good intention is not sufficient to garner the universal cooperation needed to march toward utopian goals. Beehives and ant colonies are examples of successful, large-scale cooperative behavior in nature that benefits a species. Such cooperation is limited, however, to species whose individuals lack self-awareness. One might argue that a beehive or ant colony is self-aware as an aggregate entity but their physical limitations prevent their spheres of influence from significantly disrupting the survival of other species. So unlike the science fiction staple of a computer operating system run amuck when it reaches self-awareness (and always with negative consequences, although without these there probably wouldn't be material for a story), to-date only humankind has the self-awareness that allows it to recognize and acknowledge the inherent conflict of interest in societal versus individual needs.
After a period of economic success, even if it came at the expense of neighboring societies, centralized authorities steer society on a utopian path by imposing rigid rules or mandates. And to some degree, they have succeeded, as the quality of life has improved in the past few millennia (even though significant resources have been utilized to pursue those that violate the rules). Such well-guided efforts eventually fail, often dramatically, as attempts are made to incorporate divergent cultures. Using religion as a masthead to warrant horrific actions obfuscates the fundamental flaw, namely that human nature, the survival instinct, is at odds with the utopian goal (Karl, can you hear me?).
Another tenet of human nature is neighbor envy, or the perception that someone has undeserved benefits acquired by chance or mendacity. Ultimately this is the root of many conflicts, on small and large scales.
Rather than force cooperation among individuals for the greater good, it would be far more effective - in terms of maximizing survival and quality of life - if universal cooperation was itself driven by self-interest.
The Bitcoin protocol is an exquisite example of the implementation of a decentralized system that is fueled by the benefits of cooperation.
Some argue that since bitcoin wealth may be concentrated in the hands of a few founders or early miners, the notion of a decentralized system is illusory. Note, however, that in order to realize this wealth now the bitcoins would need to be converted into fiat currencies. But doing so on a large scale would, because of market forces, destroy the very wealth trying to be realized. On the other hand, as bitcoin becomes universally accepted, this wealth could be exchanged directly for goods or services, which would benefit economies.
There may certainly be flaws in the initial design, although they are very likely surmountable. For example, the existence of large, centralized ASIC mining pools was probably not anticipated. Indeed, an early assumption was that success of the protocol depended on honest miners that would not destroy - via a 51% attack - the very foundation upon which their wealth was being built. Self-interest is the driving force here, as demonstrated by recent events when a major mining pool reached 45% of the bitcoin mining capacity. It regulated itself to under 40% very quickly. This happened because it was not being controlled by any one individual: no despotic arch-villain could destroy the protocol.
A UMX is a natural and inevitable development, as it is consistent with basic human nature. It will serve society as a whole. Imagine the implication for the production of basic electronic goods that are used by a significant fraction of the world. Their production and development is currently shared across many borders, each with its own exchange medium or currency, currencies that can be deflated or inflated at the will of the centralized authority controlling them for short-term economic or political gain. These actions are often in conflict with one of the other entities in the line of production and can lead to political crises, even wars. Over time, a UMX would eliminate these sources of conflict, the importance of which cannot be overstated.
The UMX protocol is here to stay.
submitted by bhEventHorizon to Bitcoin [link] [comments]

Ben Lawsky asked three questions. Answers and unsolicited comments include ...

(1) What do you personally find as the most useful and/or important current application for virtual currency?
I feel empowered when holding a currency whose scarcity is defined in mathematics where the whims of neither man nor nature shall intercede. Probably not answering the question...
(2) Where do you think virtual currency tech is headed in the medium term and long term.
More and more people will capitalize on the efficiencies it brings to accepting and making payments. Properly regulated, crypto-currencies may lubricate every market on the planet.
(3) Are there particular problems from a consumer perspective you've had in dealing with virtual currency firms that regulators should consider?
It's scary to store value in a currency on the lawless frontier of finance. While the math is a formidable barrier, and may be sufficient protection for the vast majority of users, I still feel an anxiety about the possibility of a 51% attack.
Another concern is the incredible energy usage essentially wasted on trivial math. I want to see currencies tightly integrated with efforts like the World Community Grid. I believe there is more potential beyond Ripple and primecoin.
Consumer education may help alleviate these.
Unsolicited comments
a) not a game theorist, but: the game consists of a series of rounds. The object of each round is to control the blockchain, fraudulently acquire hard assets, and evade capture. If a group of players controls a majority of the game's resources (hashes/second) for a sustained period of time, then that group divides the spoils among themselves, and ends the round with a small number of winners and losers. The vast majority of players continue to the next round of the game unaffected as they did not participate in the irreversibly fraudulent transactions. Is it more valuable to prolong a round or to win one? Effectively, the rules dictate that purely rational self-interested players must choose between winning the game via cooperation and prolonging the game by acting alone.
A regulator could enter the fray by first, generating a "mirror account" valued in fiat to reflect the current value of assets held at a licensed exchange, and second, regulating the value of assets controlled by players with enough resources to win the round. Watch the miners carefully. Leave everybody else alone. If you don't mine, then you're not even playing the game.
If a regulator reverse-engineers the blockchain to construct a network of wallets and players, that network could be leveraged for both consumer protection and anti-money laundering (AML).
b) tumblers: legal to use by licensed exchanges as long as the original blockchain is preserved and available by court order for examination for a limited period of time. Feasible?
EDIT/tldr: I love bitcoin. It's unstoppable. A tad scary to use at the moment, but consumer education will probably help someone like me. Regulate the miners. Focus on stopping fraudulent use of the blockchain and get AML for free. Tumblers? Sure, but I don't know enough about them to say what is feasible.
submitted by bubfranks to Bitcoin [link] [comments]
