Board: Bitcoin Discussion
Topic: Re: Bitcoin topic on Quora.com
Post by riggasconi on 23/01/2011, 18:24:28 UTC
Hi Gavin,

thanks for the explanation.

You can:

Spend bitcoins once.  Then wait for them to be confirmed by the rest of the network as many times as the merchant requires, while secretly working on another version of the block chain where you did NOT spend them.  Your secret block chain should be longer than the network's, since you control 51% of the generating power.

So you announce your secret block chain, and instead of sending those coins to a merchant you include a transaction where you send them to yourself.  YEAH!  you just ripped off the merchant!  Wahoo!

Are you saying that:
a) an attacker should announce a block chain where the spend is never acknowledged?
b) the attacker should announce a block chain where the spend is acknowledged, and where another opposite transaction is, too?
c) the attacker should announce a block chain where the spend is acknowledged, but the recipient is not the merchant address anymore but the/an attacker's address?

Quote
You cannot rip off two merchants with the same bitcoins-- one or the other of the transactions will be seen as valid.

And you cannot "unspend" the transaction to the merchant-- if you don't spend it SOMEWHERE, the merchant's bitcoin node will re-announce it to the network and all the other nodes will consider those bitcoins "spent, just waiting to be included in the next generated block."

Would you agree on this description of the attack?

"So in summary the attack works like this: the first BTCs spend happens in, say, block 105000. After the merchant acknowledges it and delivers the good/service to the attacker, the attacker's malicious network releases a new block 105000 and as many blocks after it as needed to make it the longest chain. Now the whole network (honest clients included) acknowledges that the attacker holds the coin because there is no record of the first transaction according to the majority of CPUs. Then the BTCs are spent again, and the process is repeated many times."

I feel that your point is: the transaction can't just disappear.

Quote
If you run the numbers again with the realistic double-spend scenario, you'll see crime doesn't pay.  There is no way you can rent enough hashing power to commit a profitable double-spend attack.

If you can steal the hashing power (maybe you're a bot farmer), then if you run the numbers you'll find it is more profitable to just generate blocks and sell the bitcoins rather than try to somehow get stuff trying to double-spend.

Ummm ... are you sure? Could you be specific as to which numbers are wrong in my Quora question? According to my calculations, the ROI of such an attack would be extremely positive.
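
Added example, not part of the original post: a toy model of the re-announce rule from the quoted reply, showing what honest nodes do with the merchant's transaction after a longer chain replaces the public one. The `Tx` type, `reorg`, `owner` and all sample data are constructed for illustration; the chain comparison is simplified to block count, and nothing here is Bitcoin's real code.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Tx:
    txid: str
    spends: str    # the outpoint (coin) this transaction consumes
    pays_to: str   # recipient label

def spent(chain):
    """Map every consumed outpoint in a chain to the transaction spending it."""
    return {tx.spends: tx for block in chain for tx in block}

def reorg(public, secret):
    """Apply a simplified longest-chain rule (block count, not total work),
    then replay the abandoned chain's transactions as honest nodes would."""
    if len(secret) <= len(public):
        return public, [], []            # shorter or equal chain is ignored
    chain = [list(block) for block in secret]
    used = spent(chain)
    remined, rejected = [], []
    for tx in (t for block in public for t in block):
        if tx in used.values():
            continue                     # already present in the new chain
        if tx.spends in used:
            rejected.append(tx)          # input already consumed: invalid now
        else:
            remined.append(tx)           # input unspent: re-announced and mined
            used[tx.spends] = tx
    if remined:
        chain.append(remined)
    return chain, remined, rejected

def owner(chain, outpoint):
    """Who received the coin according to this chain."""
    tx = spent(chain).get(outpoint)
    return tx.pays_to if tx else "unspent"

# Constructed sample data: one coin, two competing spends of it.
PAY_MERCHANT = Tx("tx-merchant", "coin0", "merchant")
PAY_SELF = Tx("tx-self", "coin0", "attacker")
PUBLIC = [[PAY_MERCHANT], [], []]            # spend plus two confirmations
SECRET_OMIT = [[], [], [], []]               # longer chain that leaves the spend out
SECRET_CONFLICT = [[PAY_SELF], [], [], []]   # longer chain with a conflicting spend

if __name__ == "__main__":
    for name, secret in [("omit", SECRET_OMIT), ("conflict", SECRET_CONFLICT)]:
        chain, remined, rejected = reorg(PUBLIC, secret)
        print(name, owner(chain, "coin0"), [t.txid for t in rejected])
```

In the model, a replacement chain that merely omits the spend leaves the coin unspent, so the merchant's transaction is mined again; only a conflicting spend of the same coin makes it invalid.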