[betterunix]

Formal definitions of security depend on the security goals of the system. Bitcoin may utilize secure hash functions, secure signature systems, and secure ciphers -- but Bitcoin is not a hash function, a signature system, or a cipher. The security goals of Bitcoin are: (1) it should be hard to counterfeit the currency and (2) it should be hard to double-spend the currency. The meaning of the word "hard" is what matters here: formally, "hard" is captured by complexity theory, and means that no polynomial time algorithm exists for the problem e.g. for (1), there should be no polynomial time algorithm that can counterfeit the currency.

If you want an example of this approach to digital cash security (scroll down to the bottom of page 15 and see Definition 3):

http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.46.4...

[caf]

I wonder whether it makes sense to define a weaker class of "economically secure" digital cash systems, where it is merely uneconomic to counterfeit and double-spend the currency.

Of course this means that such a digital cash system may be vulnerable to non-economically motivated attackers, and I suspect it is also a class that is harder to precisely define.

[zanny]

This is the argument for btc - even though you could try to fake the transaction chain, you are fighting a losing battle against the active market the second you try to generate one, and the longer chain always wins, and it only takes a bad transaction record to be parsed for your chain to be rejected. And controlling the transaction chain is everything in BTC. It relies on the coefficient of the polynomial of running the hashes to generate coins to add to the chain and the transactions taking place therein to get so large that it is infeasible to contribute the computational power necessary to catch up, and it would just be better to mine bitcoins with that computational power anyway.

[betterunix]

Using the word "infeasible" like this is probably a bad idea, since in the crypto world it refers to problems that cannot be solved in polynomial time. Also, do not assume that controlling the transaction chain is "everything;" there may be some other part of the protocol that can be attacked, even if it is non-obvious.