Regarding credit card security (or lack thereof)--protection lies mainly in the massive fraud prevention efforts of the credit card companies (hence the large fees). It gives more protection to consumers than merchants (it's easy to request chargebacks). Bitcoin offers an alternative security model, known as caveat emptor. There's no way to reverse a transaction. All consumer protection devices, such as escrow, are outside the scope of the protocol. So bitcoin by itself may or may not be an acceptable means of payment, depending on the use case.
I understand the risk of a single party attacker who controls more than half the network. But at this point, what kind of attacker can muster up that much computing power? Only a nation-state, billionaire, or large corporation could conceivably do so. And it's daily growing beyond their reach. Not only that, but their motive must be not just to make gains. They would have to want to destroy the bitcoin economy. Interestingly, the bitcoin economy has already survived a 24-block split without major calamity[1].
I had a look at the papers you linked to. The Canetti paper certainly seems more rigorous and formal. But the Danish Beet Auction paper actually doesn't seem too far from the Bitcoin whitepaper. The bitcoin paper is certainly the most concise.
Amateur or not, bitcoin may be the "worse is better"[2] solution to low transaction fee, decentralized, online payments. If a better solution comes out, I'd love to hear about it.
"at this point, what kind of attacker can muster up that much computing power?"
There is already a single mining pool that nearly controls that much computing power. In general, though, it is a bad idea to ask these sorts of questions; what is really important is not "who might amass this much power" but rather, "what will the honest users do about it?" In the case of Bitcoin, once an attacker amasses enough computing power for the attack, the honest users would have to increase their own computing power to prevent the attack -- but the attacker would only have to add as much to their own computing power as the honest users add to theirs.
By comparison, Mixmaster uses 1024-bit public keys. Suppose someone amassed enough computing power to compute the corresponding secret keys, thus breaking the security of Mixmaster. Without adding any additional worker nodes, Mixmaster could be updated to use 2048-bit keys, or 4096-bit keys, or even larger keys. This would result in an exponential increase in the work needed to attack the system, at the cost of only a small increase in the work needed to run Mixmaster (small to the point of probably not requiring any new hardware).
"Not only that, but their motive must be not just to make gains. They would have to want to destroy the bitcoin economy."
I would also be wary of trying to guess an attacker's motives. The attacker may only be interested in blocking confirmations on transactions involving a specific party (e.g. maybe the US government wants to prevent Wikileaks from receiving donations). The attacker may have some goal that we cannot even imagine without knowing the attacker's particular circumstances.
"Interestingly, the bitcoin economy has already survived a 24-block split without major calamity[1]."
Yes, but that incident was (apparently) accidental. The fact that such a thing can accidentally happen is pretty bad news. To borrow Bruce Schneier's analogy, a house can accidentally burn down; an arsonist will maliciously cause that to happen, and will do so in the worst way possible. An attacker will try to trigger such a fork, whether by spending a large amount of computing time or by exploiting some implementation bug (e.g. maybe the attacker will do only slightly more work than other miners, searching for that one block that triggers a subtle bug in some version of Bitcoin).
Compare this to a secure multiparty computation system in the malicious model. In such a system, a node cannot accidentally break a security property -- because no node can deviate from the protocol in a way that breaks the security property.
"the Danish Beet Auction paper actually doesn't seem too far from the Bitcoin whitepaper"
There are a few key differences:
1. The security model is precisely defined: the adversary corrupts a minority of the worker nodes, any number of clients, and no node will deviate from the protocol.
2. While the security model is weak, the authors (a) acknowledge that it is weak, (b) give a justification for choosing a weak security model, and (c) explain how to strengthen the security model and what the trade-offs would be.
3. There is a formal proof of security, which rules out all polynomial time attacks within the security model.
The Bitcoin paper has none of the above. There is no clear security model, no justification for accepting the attack described in the paper itself, and no evidence that other attacks do not exist. The paper does not spend any time considering an attack conducted by some colluding subset of nodes, not even to explain why such an attack is unlikely or will not be considered.
"Amateur or not, bitcoin may be the "worse is better"[2] solution to low transaction fee, decentralized, online payments."
Perhaps, but so what? The point was that Bitcoin was almost certainly not designed by a mathematics or cryptography researcher. Amateurs can certainly create systems that become popular. The Linux kernel was originally written by an amateur; if this were 1993 and someone tried to tell you that Ken Thompson was behind the Linux kernel, would you have believed it?
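The "attack described in the paper itself" that the reply above refers to is the double-spend race in the Bitcoin whitepaper, where an attacker with a minority fraction q of the hashpower tries to overtake the honest chain from z blocks behind. As an added worked example (not code from any post in this thread; the whitepaper gives the same calculation in C, and the function names here are my own), this reproduces that Poisson-based estimate and turns it into the defender's question: how many confirmations must a recipient wait for before the attacker's success probability drops below a chosen bound?

```python
import math


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker controlling fraction q of the hashpower
    ever catches up after the honest chain is z blocks ahead (Nakamoto's
    gambler's-ruin / Poisson estimate from the whitepaper).

    For q >= 0.5 the attacker is guaranteed to catch up eventually, which is
    the majority-hashpower case discussed in the thread."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be in [0, 1)")
    if z < 0:
        raise ValueError("z must be non-negative")
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    # Expected number of attacker blocks mined while the honest chain finds z.
    lam = z * (q / p)
    total = 1.0
    for k in range(z + 1):
        # Poisson probability that the attacker has mined exactly k blocks.
        poisson = math.exp(-lam)
        for i in range(1, k + 1):
            poisson *= lam / i
        # If k blocks have been mined, the attacker is z-k behind and catches
        # up with probability (q/p)^(z-k); subtract the cases where it fails.
        total -= poisson * (1.0 - (q / p) ** (z - k))
    return max(0.0, min(1.0, total))


def confirmations_needed(q: float, max_probability: float, limit: int = 1000):
    """Smallest number of confirmations z such that the attacker's success
    probability is below max_probability. Returns None when no finite z
    suffices (q >= 0.5) or the search limit is exceeded."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if attacker_success_probability(q, z) < max_probability:
            return z
    return None


if __name__ == "__main__":
    # Constructed scenario: a merchant wants the risk of a reversed payment
    # below 0.1% against attackers of various sizes.
    for q in (0.10, 0.20, 0.30, 0.40, 0.50):
        z = confirmations_needed(q, 0.001)
        print(f"attacker share {q:.2f}: wait for {z} confirmations")
```

The table this prints matches the one in the whitepaper (for example, 5 confirmations against a 10% attacker, 24 against a 30% attacker), and the `None` for q = 0.5 is the point the reply is making: once the adversary reaches a majority, no number of confirmations restores the security property, and the honest side's only recourse is to out-invest the attacker in hardware.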
I appreciate your thorough responses and patient explanations about the weaknesses of bitcoin. I agree with you that bitcoin is not perfect, nor is Linux, but I enjoy using both. By your standard, we may have to wait a very long time to enjoy decentralized digital currencies. Bitcoin could go the way of Linux and over many years see gradual improvement in security and usability. Or it could suffer a debilitating attack and cause a massive loss of confidence. Either way, it's here today and that's better than potential currencies with formal security proofs that are years off.
1. http://bitcoin.org/chainfork.html
2. https://en.wikipedia.org/wiki/Worse_is_better