This post is of interest only to those who study Bitcoin. If you have never heard of Bitcoin, read my previous post on the subject.

Shitcoin is to be a distributed network for attaching "dirt" to particular bitcoins when certain conditions are met, in a manner which allows Bitcoin users to post bonds in order to establish trustworthiness. Unlike a conventional bond, these bitcoins could be spent at a later time, without voiding said bond. [1]

A Bitcoin user intent on "putting his money where his mouth is" could post a bond in the following way. He would start by creating a fresh Bitcoin address, publishing it, and transferring a certain number of bitcoins to it. He will prove that he is the particular user who did so by carrying out the transfer in a sequence of amounts announced in advance, or by allowing those whose trust he is trying to win - the bond-holders - to collectively specify the least-significant digits of the total amount. At any rate, he will have proven that he, at that time, was possession of a certain number of bitcoins, and proclaimed just which coins they were. The next step is to generate a certain number of shitcoins. A shitcoin consists of two numbers: J, which is randomly-generated and reasonably-long, and K, which is a cryptographic hash of the concatenation of the bitcoin value and of J. A J is given to a bond-holder, who keeps it secret, while K is posted to the Shitcoin distributed hash table network, along with a time stamp (secured through hash chaining, in exactly the same way as ordinary Bitcoin transaction records.)

If, at some future time, a bond-holder is dissatisfied with his relationship with the bond-issuer, he can invoke his shitcoin(s) by publishing his J on the network. When this happens, the bitcoin is to be considered, for all time, "dirtier by one shitcoin." Anyone with access to the Shitcoin network can verify that a given J is genuine simply by hashing it with the bitcoin value in question to produce the previously-published K. At any later time, anyone can query the network and determine just how "dirty" any given bitcoin is, by counting the number of published valid J-K pairs. Given this fact, users could choose to distrust any bond issuer who posts excessively-dirty bitcoins as a bond.

Just how dirty is "too dirty" would be a matter for individual would-be bond-holders to decide for themselves. A certain amount of dirt may be seen as acceptable, as there will always be bond-holders who are angry at the bond-issuer for a less-than-legitimate reason and choose to maliciously invoke their shitcoins. Naturally, any user who would like to verify the dirtiness of a particular bitcoin will use a Shitcoin network client which verifies that the coin in question was actually held by the bond-issuer at the time K was originally posted.

Additionally, a bond-issuer who wishes to emphasize his honesty may choose to issue multiple shitcoins to each bond-holder, giving him a proportionately-greater power to damage his reputation should he decide to do so.

One possible variant of Shitcoin would allow bond-issuers to attach expiration times to the K values they publish, proclaiming that any J value posted after that time should be ignored by those interested in the history of the particular bitcoin to which K is linked. Users of the Shitcoin network may choose to respect these declarations, or they may not, as it suits them.

The beauty of this scheme is that it requires no modification to the Bitcoin protocol itself, and could exist independently of and in parallel with the existing Bitcoin network. Those who wish to post Shitcoin bonds could do so, and those who care about the dirtiness of a particular bitcoin could query the network, without any cooperation whatsoever from those Bitcoin users who think little of Shitcoin and choose to do neither.

One potential problem with the scheme is that innocent receivers of bonded bitcoins would suffer if the shitcoins attached to said bitcoins are invoked at a later time. The obvious countermeasure is for would-be receivers of a particular bitcoin to check (using automated means, of course) whether an unexpired Shitcoin bond is attached to these coins at the particular time they are about to receive them.

If Shitcoin were to become popular, any dealing with Bitcoin users known to be disreputable - and, by extension, dealing with those who choose to deal with them - would be heavily disincentivized. And this would happen if even only a substantial minority of Bitcoin users chose to use Shitcoin.

Edit: One bit of criticism I got after posting this is that Shitcoin would make bitcoins less fungible. Well yes, that's the whole point! It appears that there exist two kinds of people: ones who believe that theft and fraud should be thought of as parts of the great circle of life; and those who believe that a world in which money turns a tell-tale black when it is stolen or otherwise ill-gotten would be a better world to live in. I belong to the latter category. The beauty of Shitcoin is that both types of person could peacefully co-exist, and recognize one another for what they are at a glance whenever they chance to meet. If you want to freely receive and spend fully-fungible bitcoins, with no regard to where they've been, don't use Shitcoin. If you care about doing business with clean people who only ever do business with other clean people, then use it. But if you'd rather that neither Shitcoin nor anything like it exist at all, you've publicly revealed yourself as a scumbag, and provided a useful warning to your would-be victims - even if Shitcoin is never built - to avoid you like the plague.Edit: The people who commented that a scheme like Shitcoin is unnecessary because one could instead use PGP-style trust identities are missing an important point. In a decentralized system like Bitcoin,. In fact, the only thing which isn’t arbitrarily cheap are. Which is why a reputation system where negative reaction from users threatens anything other than your coins themselves is mostly worthless. If you could literally bet your coins on your reputation, in a completely decentralized and mechanical way, you would be able to establish trust quickly, without having to present any meatspace credentials or giving your customers any hint of your legal identity whatsoever. In effect, a Shitcoin bond issuer would say: “If I were to defraud you, you could set my coins on fire.” (Or at least, “singe” them.) And as far as I can see, Shitcoin or something quite like it is the only possible way to give defrauded parties in Bitcoin transactions some genuine "teeth" without compromising the decentralized nature of Bitcoin or tying users' reputations to their meatspace identities in any way.[1] One could still spend a bitcoin which has one or more unexpired shitcoin bonds linked to it, but users of Shitcoin would be aware of the encumbrance when they consider receiving that particular coin in payment, and said coin would be considered less-valuable than an unencumbered one. Just how much less would naturally depend on the reputation of the bond issuer(s).