"You keep dismissing the incentives that Bitcoin gives, which should also be considering part of its security"
We do not speak of "incentives" in other contexts. When we talk about encryption, we do not spend our time pondering the "incentives" for not attacking our cryptosystems -- we create encryption systems that cannot be feasibly attacked regardless of what motivates the attacker. When we talk about secure multiparty computation, we do not talk about what might motivate the attacker, we only talk about how to prevent attacks.
There are historical counterexamples to the idea that we can analyze a cryptosystem's security in terms of the attacker's "incentives." A famous and well-known example is the German Enigma cipher from WWII. After the war, German cryptographers were captured and interrogated (the TICOM operation), and one of the things they revealed was that they knew that Enigma could be attacked, but did not believe that it would be worth the effort. Even the assumption that the attacker will act rationally is bad -- we should be secure against irrational attackers too.
"We can't know what will happen until it happens"
We can, however, design systems that maintain their security properties regardless of what happens (at least under standard cryptographic hardness assumptions, though sometimes we can even get information theoretic security). ElGamal encryption is secure against any polynomial-time chosen-plaintext attack -- provably so. The GMR signature system is secure against any polynomial-time adaptive chosen-message attack. For a very strange construction that illustrates how we can defend against attack strategies we cannot even imagine, consider this work on non-malleable commitments (the construction is on page 13; it is very strange, but the strangeness is key to the security proof, or in other words there are possible attack methods that nobody is aware of that the construction prevents):
http://eprint.iacr.org/2010/483.pdf
"The field that you want to use to model everything is too narrow for Bitcoin."
Yes, things are very easy when you have no clearly-specified goals, requirements, or constraints. How can there be any technical criticism of Bitcoin if this sort of response is considered valid? Anything anyone says is wrong with Bitcoin could always be dismissed as being "too narrow."
> we should be secure against irrational attackers too
Right, of course it would be better to have something indestructible. But so far it's "good enough" (passes the reviews of its individual components, has resisted for years as a system, but wouldn't resist an irrational attacker). And I much rather have this than the previous system, which is insecure by design (ie: your funds can and are systematically stolen through inflation and other means). Maybe you live in a very good country, where you don't have to worry about such issues (or you live in a regular country but are just not conscious about it?). But most of the world (including myself) doesn't, so Bitcoin is welcome as is.
Perhaps so, but what I was originally replying to was a claim that Bitcoin was rock solid. There is an enormous difference between "good enough" and "rock solid."
"I much rather have this than the previous system, which is insecure by design (ie: your funds can and are systematically stolen through inflation and other means)."
Perhaps so, but as I have noted elsewhere, Bitcoin is not a fiat currency killer. Most businesses that claim to accept Bitcoin payments are actually accepting fiat currency payments. Most adults still need to pay their taxes. There are strong incentives to issue loans in the currency that the courts deal in i.e. fiat currency.
Basically, think of it this way: if Bitcoin exchanges were to disappear right now, what would happen to Bitcoin? What reason is there to think that Bitcoin will ever reach a point where it is not utterly dependent on the existence of exchanges? When even people who want to adopt Bitcoin are only doing so with the help of services that automatically exchange Bitcoin payments for fiat currency, why should we believe that we can ever live in a world where Bitcoin stands on its own two feet?
Finally, let's assume that there is an economic theory that supports a system like Bitcoin i.e. a currency that has no central authority and no intrinsic value. That theory should motivate a security definition. As a point of reference, consider Chartalism (a key part of modern monetary theory), which basically explains why fiat currency works (in a nutshell: the government issues the money and requires you to return some amount later on via taxes), and a key security definition used in the academic work on digital cash (in a nutshell: you have security if it is infeasible to deposit more money with the bank than was withdrawn [this can be stated more formally]). Note the very clear connection: the central authority issues the currency and decides its validity when it is "deposited."
So, to bring things full circle, I give you this challenge: present an economic theory to explain systems like Bitcoin, and use that theory to motivate a security definition that Bitcoin can be tested against (or better yet, proved to meet).
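A toy model of the digital-cash security definition sketched in the post above, as an added example that is not from any commenter: the bank issues coins and judges them at deposit, and the "game" checks that no adversary strategy gets more deposited than was withdrawn. The HMAC tag stands in for the scheme's actual signatures, and the two adversary strategies are constructed for illustration.

```python
import hmac
import hashlib
import secrets

class Bank:
    """Central authority: issues coins and decides validity at deposit time.
    A coin is (serial, tag); tag is an HMAC under the bank's key (assumed
    stand-in for the blind signatures real e-cash schemes use)."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self.withdrawn = 0
        self.deposited = 0
        self._seen = set()  # serials already deposited (double-deposit check)

    def _tag(self, serial):
        return hmac.new(self._key, serial, hashlib.sha256).digest()

    def withdraw(self):
        serial = secrets.token_bytes(16)
        self.withdrawn += 1
        return (serial, self._tag(serial))

    def deposit(self, coin):
        serial, tag = coin
        if not hmac.compare_digest(tag, self._tag(serial)):
            return False  # tag does not verify: coin was never issued
        if serial in self._seen:
            return False  # same coin presented twice
        self._seen.add(serial)
        self.deposited += 1
        return True

def run_game(strategy, n_withdraw=3):
    """Security game: the strategy receives n issued coins and returns the
    coins it wants to deposit. Returns (invariant_holds, accepted_count),
    where the invariant is deposited <= withdrawn."""
    bank = Bank()
    coins = [bank.withdraw() for _ in range(n_withdraw)]
    accepted = sum(1 for c in strategy(coins) if bank.deposit(c))
    return bank.deposited <= bank.withdrawn, accepted

# Constructed strategies the definition quantifies over.
def honest(coins):
    return coins

def replay(coins):
    return coins + [coins[0]]  # presents the first coin a second time

def forge(coins):
    return coins + [(secrets.token_bytes(16), secrets.token_bytes(32))]
```

The definition is stated over every efficient strategy, so these two only illustrate the two failure modes the bank must reject, not a proof.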
> Basically, think of it this way: if Bitcoin exchanges were to disappear right now, what would happen to Bitcoin?
If Bitcoin doesn't replace all currencies (I don't expect it to do that anyway), it can be used as digital gold (in fact I think you can expect higher price increases from this use case than from everyday transactions). Currently I would love to be able to save in gold, but I can't for many reasons. My government banned it, so I can no longer buy it in a trusted bank (if such a thing exists). I can't buy it from other individuals like me, because it's difficult to divide, so you can never get the amount you wanted. You can't import it from other countries because you can't hide it from customs. You can't buy it in the black market either, because they will sell you golden bars filled with tungsten. And all this is for buying. When you want to sell it you will have similar problems. Bitcoin fixes all this, and you don't really need exchanges for this. In fact I never used one (international wires are banned).
Let me think about the security definition. I don't promise you anything, but I'll give it a try when my mind is clear.