
Topic: A thought experiment: PROVE you own a bitcoin (Read 439 times)

legendary
Activity: 2926
Merit: 1386
....what is the point of this exercise? I believe we should be disproving that we have Bitcoins than prove that we do.

It's impossible to "disprove that you have Bitcoin."

That's an irrefutable hypothesis.

Like...."Disprove that guy walking down the street has a bar of gold."

Cannot be done.

Carrying this a step further, hypothetically, say in a divorce case where it was alleged by one party that the other had one bitcoin.

Wife: He's got two bitcoins! I should get one!

Husband: I have bitcoins? Can you prove that?



The court should do the same procedure it does with the thousands of offshore firms that some people use to hide the money. Demonstrate the path they have taken. At some point, fiat was transferred to an account that in exchange received BTC. This negotiation would need to be demonstrated.

Unless he has memorized the seed entirely in his head, with a search warrant and seizure, after proving the path that the negotiation made, it is quite possible that justice would have access to this portfolio containing the Bitcoins......

The chain of custody.

You would have to track the transactions down to the current address that contained the bitcoin which had been bought in the past with a fiat transfer that I made. Then you would have to show that current address had other transactions that were linked to me. Preferably both plus and minus.

And today we are urged to not reuse receive addresses. Want to guess why?
legendary
Activity: 2926
Merit: 1386
I believe that one could sit down with a computer and another person, and demonstrate to his satisfaction that I have a private key that holds one bitcoin, which nobody else has access to.

This would be by creating a new private key in his presence, in some way where he does not see it or all of it.
...
But how do you prove that the key "generated" is "unique" and that no-one else has access to it?

I know it's a bit of a stupid argument really, because proving the absence of something is always difficult... but just because they see you "generate" it... doesn't mean that someone else doesn't have access. Although given that this is a "thought experiment" and therefore we're free to dream up all sorts of theoretical scenarios... I suppose if you were both in a sealed room with dice and an offline device that could convert the dice rolls to private key/public key/address, you could be fairly certain the key you generated is "unique"... So as long as the other person had no access to a transmitting device, you could send 1 BTC to the address... show the confirmation and they could be fairly certain you had sole access to that 1 BTC at that point in time... and you wouldn't have to worry about them stealing it as they have no way of "using" the private key.

The problem then would be that to ensure they don't steal your 1 BTC, you either have to leave them in the sealed room forever, kill them... or move the 1 BTC to another address. At which point, they can no longer be certain you have sole access.

Yes this is all correct. RE the bolded above, an example would be if the key I presented was part of a heuristic chain, for which another party had knowledge of.

This reminds me of playing cards, where in normal conditions one assumes that a party other than the dealer cuts the deck, and randomness is established. That's knowing that cutting the deck is insufficient if a talented mechanic is the dealer.

Suppose that I generated a private key, and then allowed the other party to see and to change ten digits of it. He can be certain it's then secure from 3rd parties at that moment. I then generate a public key, and show that it contains zero. Then I put this private key in my wallet, move a bitcoin to it.

You mentioned, "The problem then would be that to ensure they don't steal your 1 BTC, you either have to leave them in the sealed room forever, kill them... "

That's kind of funny. "Okay now I've proved I have one bitcoin, but you have to die..." It's like the joke about the spy who says "If you find the secret I'll have to kill you."

But the other party, in the above scenario, does not know the key, only ten digits of it. He cannot find it from just ten digits.
legendary
Activity: 3010
Merit: 3724
Interesting that I never actually thought of how to prove sole ownership. Interesting also that even I couldn't prove to myself that no one has knowledge of my private keys and isn't just waiting one day to access it (is there?).

Signing specific messages for intended recipients has always been enough but I wonder if some of these impossible concepts such as sole access/ownership are being looked at.
HCP
legendary
Activity: 2086
Merit: 4363
I believe that one could sit down with a computer and another person, and demonstrate to his satisfaction that I have a private key that holds one bitcoin, which nobody else has access to.

This would be by creating a new private key in his presence, in some way where he does not see it or all of it.
...
But how do you prove that the key "generated" is "unique" and that no-one else has access to it?

I know it's a bit of a stupid argument really, because proving the absence of something is always difficult... but just because they see you "generate" it... doesn't mean that someone else doesn't have access. Although given that this is a "thought experiment" and therefore we're free to dream up all sorts of theoretical scenarios... I suppose if you were both in a sealed room with dice and an offline device that could convert the dice rolls to private key/public key/address, you could be fairly certain the key you generated is "unique"... So as long as the other person had no access to a transmitting device, you could send 1 BTC to the address... show the confirmation and they could be fairly certain you had sole access to that 1 BTC at that point in time... and you wouldn't have to worry about them stealing it as they have no way of "using" the private key.

The problem then would be that to ensure they don't steal your 1 BTC, you either have to leave them in the sealed room forever, kill them... or move the 1 BTC to another address. At which point, they can no longer be certain you have sole access.
hero member
Activity: 854
Merit: 658
...Even when someone can move bitcoin or sign a message with private key, it still doesn't prove ownership. He can simply ask the owner of the key to do these operations for him.

But the thing is that's exactly how you "own" bitcoins, you possess the ability to sign a transaction. You can ask your friends to do a lot of things for you, but there's a line somewhere.
hero member
Activity: 672
Merit: 526
....what is the point of this exercise? I believe we should be disproving that we have Bitcoins than prove that we do.

It's impossible to "disprove that you have Bitcoin."

That's an irrefutable hypothesis.

Like...."Disprove that guy walking down the street has a bar of gold."

Cannot be done.

Carrying this a step further, hypothetically, say in a divorce case where it was alleged by one party that the other had one bitcoin.

Wife: He's got two bitcoins! I should get one!

Husband: I have bitcoins? Can you prove that?



The court should do the same procedure it does with the thousands of offshore firms that some people use to hide the money. Demonstrate the path they have taken. At some point, fiat was transferred to an account that in exchange received BTC. This negotiation would need to be demonstrated.

Unless he has memorized the seed entirely in his head, with a search warrant and seizure, after proving the path that the negotiation made, it is quite possible that justice would have access to this portfolio containing the Bitcoins.

Of course, there are still thousands of ways to hinder access to this seed. But a normal person would hardly take such precautions.

https://www.theguardian.com/news/2016/apr/03/what-you-need-to-know-about-the-panama-papers
Quote
The hidden owners
Where does the money flowing offshore come from? The information is hard to discover because real owners usually hide behind nominees, people with no real control and no assets in the company who simply lend their signature.
legendary
Activity: 2926
Merit: 1386
....what is the point of this exercise? I believe we should be disproving that we have Bitcoins than prove that we do.

It's impossible to "disprove that you have Bitcoin."

That's an irrefutable hypothesis.

Like...."Disprove that guy walking down the street has a bar of gold."

Cannot be done.

Carrying this a step further, hypothetically, say in a divorce case where it was alleged by one party that the other had one bitcoin.

Wife: He's got two bitcoins! I should get one!

Husband: I have bitcoins? Can you prove that?

legendary
Activity: 2926
Merit: 1386
It's impossible to prove ownership without some out of band mechanism because the only relationship maintained by bitcoin network is between bitcoin and (pub/pri) keys. There is no way to tie an id to a key. Even when someone can move bitcoin or sign a message with private key, it still doesn't prove ownership. He can simply ask the owner of the key to do these operations for him.

I believe that one could sit down with a computer and another person, and demonstrate to his satisfaction that I have a private key that holds one bitcoin, which nobody else has access to.

This would be by creating a new private key in his presence, in some way where he does not see it or all of it.

Then I would show that I was able to move one bitcoin to the public key of that address.

Then sign a message from that private key and send it.

But if the other party was not in the same room, but was across the internet, then the proof seems far less certain.
newbie
Activity: 4
Merit: 0
It's impossible to prove ownership without some out of band mechanism because the only relationship maintained by bitcoin network is between bitcoin and (pub/pri) keys. There is no way to tie an id to a key. Even when someone can move bitcoin or sign a message with private key, it still doesn't prove ownership. He can simply ask the owner of the key to do these operations for him.
legendary
Activity: 1372
Merit: 1005
It's inherently difficult to prove the sole ownership of your Bitcoins. A,B,C,E,F,G requires trust on either or both of the party and D just won't be sufficient.

The most accurate way is to sign a message with the address and the message must contain relevant information. However, this would just prove that you could have control of the address and the BTC associated with it. It is of course, possible for them to get someone else to sign a message using their address.

C does not require trust, does it?

A person verifies a public address, then he sees that one bitcoin has moved to a new address, that was previously specified by you.

There is no way he could know whether you were the sole owner of the old address.

Now, how could a proof be devised that you owned the new address?



Some years ago most wallet providers gave a static address to receive bitcoin from one person to your wallet. Nowadays, due to security concerns and the wish to be more anonymous, most wallet providers give a dynamic wallet address whenever you go to see your bitcoin public address.
However, as the above person said, you can use the same address to receive the bitcoin and you can use it to track the complete transaction with the block explorers.
HCP
legendary
Activity: 2086
Merit: 4363
If you do not trust the second party, then just make use of a trusted Escrow.
I think you're missing the entire point of a "trustless" system...


Quote
Why would you go through all the trouble to sign a message and not knowing if the owner has sole access to those coins. If the coins were sent to a third party, you would be certain that the owner has sole access to those coins.
But how do you know that the Escrow (who is now technically the "owner") has sole access to the coins?


Quote
The whole point of proof is to make sure that the recipient receives their promised coins, right? This is where the trusted Escrow comes into play.
But as mentioned, that breaks the entire "trustless" system... you're still having to trust *someone* with something.


You can never really prove "sole" ownership or access to coins... at best you can prove you have the ability to spend coins. Whether or not you have exclusive access is not really the point in the "Ride on Mower" scenario. You just want to be able to provide evidence that you have access to the funds... a (specific) signed message should be adequate in this scenario.
legendary
Activity: 3542
Merit: 1966
If you do not trust the second party, then just make use of a trusted Escrow. Why would you go through all the trouble to sign a message and not knowing if the owner has sole access to those coins. If the coins were sent to a third party, you would be certain that the owner has sole access to those coins.

The whole point of proof is to make sure that the recipient receives their promised coins, right? This is where the trusted Escrow comes into play.

 
legendary
Activity: 2898
Merit: 1823
OP, post your seeds on the internet and hope that no one will steal your coins. Hahaha.

But what is the point of this exercise? I believe we should be disproving that we have Bitcoins than prove that we do.
hero member
Activity: 854
Merit: 658
Quote
If Spendulus has 1 BTC and achow101 has 0 BTC, but is telling me that he has 1 BTC, then Achow101 could trick Spendulus into signing a message that says:


That is true but most experienced BTC users wanting proof would require text that is specific to a transaction they are going to make.  e.g. "Coin-Keeper is able to send 1 BTC to DannyHamilton on May 16 from X address".  At least that is what I would require on a sig scenario where my being convinced is involved.

Yeah, most people won't sign vague statements, and most people won't accept vague signed statements. They're usually very specific.
hero member
Activity: 761
Merit: 606
Quote
If Spendulus has 1 BTC and achow101 has 0 BTC, but is telling me that he has 1 BTC, then Achow101 could trick Spendulus into signing a message that says:


That is true but most experienced BTC users wanting proof would require text that is specific to a transaction they are going to make.  e.g. "Coin-Keeper is able to send 1 BTC to DannyHamilton on May 16 from X address".  At least that is what I would require on a sig scenario where my being convinced is involved.
legendary
Activity: 2926
Merit: 1386
If you want proof of "I can spend coins associated with this address", you can sign a message with the address (or specifically with the private key whose public key hashes to the hash encoded by an address).

This is insufficient.

It requires more than simply "any signed message".  The message MUST be phrased in such a way that it is extremely unlikely that someone else could be tricked or convinced into signing the message for the person claiming to hold the bitcoins.

If Spendulus has 1 BTC and achow101 has 0 BTC, but is telling me that he has 1 BTC, then Achow101 could trick Spendulus into signing a message that says:
Code:
As of 2018-05-16 this address contains at least 1 BTC

Then Achow101 could forward to me the message that Spendulus has signed.


Furthermore, a signed message only demonstrates that you are ONE of the people that have access to the bitcoins.  It does not prove that you have SOLE access.

I don't think there is ANY way to prove that nobody else has access to the coins.




C does not require trust, does it?

It does.

I must trust that you aren't asking someone else to move that bitcoin on your behalf.

I had noticed that when a pre existing private key was in use, there is no recorded history of its having single or multiple users or "owners." The phrase "no recorded history" is meaningful, because now we must rely on trust.

Hence it appears that any means of proving ownership of a bitcoin must involve  the creation of a new private key.

A wishes to buy something from B with 1 bitcoin, and B asks for proof.

A sits down with B and tries various ways to prove he has coins.

Maybe he logs into Coinbase and shows B the screen.
B raises the objections listed above....

Maybe the answer is something like this.

"Yeah my wife also has access to the account but she also has access to our credit cards and bank accounts. So what? If you had verified those you verified the presence of funds at that instant and you didn't care about multiple people having access to them. Why are you demanding a higher standard here?"
legendary
Activity: 2310
Merit: 1422
I don't have bitcoins. I am simply able to control and use the private keys associated to my UTXOs that give me the opportunity to transfer those outputs onto other addresses that will become new UTXOs for the next guy on the blockchain.
Again, I have NO bitcoins. I HOLD keys.

This is an important distinction, but in the context of the question, the problem simply shifts to "Prove you hold keys."

Like, "Dude. If you think I'll drive 50 miles to trade my riding lawnmower for your bitcoins, you gonna have to show me you have them first."
Kudos
I tried mine, I'll turn my head around this some more but I don't think I'll come up with your answer. Therefore, I'm waiting for others to crack the code you have here.
legendary
Activity: 3528
Merit: 4945
If you want proof of "I can spend coins associated with this address", you can sign a message with the address (or specifically with the private key whose public key hashes to the hash encoded by an address).

This is insufficient.

It requires more than simply "any signed message".  The message MUST be phrased in such a way that it is extremely unlikely that someone else could be tricked or convinced into signing the message for the person claiming to hold the bitcoins.

If Spendulus has 1 BTC and achow101 has 0 BTC, but is telling me that he has 1 BTC, then Achow101 could trick Spendulus into signing a message that says:
Code:
As of 2018-05-16 this address contains at least 1 BTC

Then Achow101 could forward to me the message that Spendulus has signed.


Furthermore, a signed message only demonstrates that you are ONE of the people that have access to the bitcoins.  It does not prove that you have SOLE access.

I don't think there is ANY way to prove that nobody else has access to the coins.




C does not require trust, does it?

It does.

I must trust that you aren't asking someone else to move that bitcoin on your behalf.
legendary
Activity: 2926
Merit: 1386
I don't have bitcoins. I am simply able to control and use the private keys associated to my UTXOs that give me the opportunity to transfer those outputs onto other addresses that will become new UTXOs for the next guy on the blockchain.
Again, I have NO bitcoins. I HOLD keys.

This is an important distinction, but in the context of the question, the problem simply shifts to "Prove you hold keys."

Like, "Dude. If you think I'll drive 50 miles to trade my riding lawnmower for your bitcoins, you gonna have to show me you have them first."
legendary
Activity: 2926
Merit: 1386
If you want proof of "I can spend coins associated with this address", you can sign a message with the address (or specifically with the private key whose public key hashes to the hash encoded by an address).

Yes, that's the correct answer.

Paper Wallet? Show an edited picture of the printed paper wallet with covered private key and prvkey's QR code.
There are too many workarounds to fake this, like printing a bitcoin-loaded address paired with a random prv key, but
Paper Wallets' private keys are meant to be hidden and offline, the user didn't want to tell others that he owns a bitcoin in the first place.

With this, leave Paper Wallets out of the available options.

LOL - on the last two....
No, LOL to this:
Quote from: Spendulus
E. Show the requestor your private key and its value therein.

Other wallets? achow101 already replied with the best answer.

Yes, (E) is pretty funny.

Note that I pose both an interesting and practical question. You might want to meet up with someone from Localbitcoins to make a purchase, or want to sell something with bitcoin. Is the other party capable of making the transaction?

It's not uncommon in many transactions to require "show proof of funds."