Topic: Are bitcoins indestructible? - page 3. (Read 7648 times)

Compute the checksum of the pubkeyhash. 

https://en.bitcoin.it/wiki/Technical_background_of_Bitcoin_addresses
Take a look at steps #4 to #7.

My question is how do you know what to add to the end?

sounds like a great design for a hardware wallet.

Not to wander too far off topic, but Grover's solves circuits.  Circuit means the function must be completely unrolled in both time and space, so that there is no memory and no iteration, just logic gates.  A circuit for SHA-256 is far beyond our capabilities, much less double SHA-256.  I'm not sure we are even capable of designing such a thing.

Oh, and did I mention that all those trillions (quadrillions?  pentillions?  who knows?) of logic gates have to be reversible quantum gates?  And that they all have to be kept coherent?

More specifically, using Grover's Algorithm, the time taken to find a preimage of a hash (i.e. a reverse hash) is the square-root of the time for a classical attack. e.g. a 256-bit hash becomes like a 128-bit hash. It's not considered a big problem since the times are still very long.

Could someone please point me to a good description of bitcoin mining for someone that has studied first year uni maths. ie not too dumbed down but not too advanced either.

Well in theory at least the number of coins destroyed in this way could be calculated by scanning all unspent output.  Knowing this number you could then subtract it from the ending total and get a slightly more accurate ending total.

Oh shit, that's right.  There are actually a whole bunch of coins locked up in scripts that have no possible solution.  Not just OP_RETURN, but also garbage from buggy systems over the years.

Guys, you are missing OP_RETURN. If the output of a bitcoin transaction is "OP_RETURN" then the coins are impossible to spend.

Quantum computers do not appear to be particularly adept at hashing.

so... if we aimed all the Hashing power of the Bitcoin network on one address it would take 500 million years? Hey man It's only a matter of time before insane quantum computers just start cracking the codes by the second. I can imagine this will happen one day, when the Bitcoin network migrates to a new protocol based on quantum security. Those computers will tear Bitcoin apart when they finally are able to produce them in mass, and start migrating all the accounts to a new system like a block reward, Or just like the free market migrate by choice to something safer.

I did this up thread here:

https://bitcointalksearch.org/topic/m.3849442

And explained it to you up thread here:

https://bitcointalksearch.org/topic/m.3858534

Normally, a transaction has 1+ inputs and 1+ outputs.  Each block has a special transaction in it that has no inputs, which is used to reward the miner.  Where the input would normally be is a freeform field named "coinbase".  The term is also commonly (but incorrectly) used to mean the generation transaction itself.  (My bad.)

Once upon a time, a guy mined two blocks using the exact same address for the reward.  Both of those generation transactions were identical, so they had the same hash.  In bitcoin, the hash is a, ahem, "unique" identifier, so spending one of them spends both of them.  Thus, 50 coins "destroyed".

This won't happen again because blocks are now required to have their height in the coinbase field, which makes them unique even if they are otherwise identical.

And the network only checks that the generation transaction's value is less than or equal to the subsidy + the fees.  Nothing stops you from making a block that claims less than the full reward, but doing so is silly, and nowadays, expensive.  A few blocks in the past, however, claimed less reward than they could have, so the worldwide total will be slightly less than it could have been.


Any 256-bit string is a private key.  Multiply (in EC math) G by that private key, and you have a public key.  Hash that public key in a particular way and encode it and you have an address.  Neither the multiplication nor the hashing are reversible.  You can pick a random number, hash it and see what the address would have been, even though you don't have a private key that would work for it.  Or, you can skip right to the end and make an address without knowing what the public key should have been, much less the private key.

The address hash is 160 bits.  We do know that for every input, there is one output, but we don't know that for every possible 160-bit number there is necessarily an input that creates it.  The address in my hash, for example, has a pubkey that can be hashed to create it.  But we don't know if there is any pubkey that hashes down to the bitcoin eater address.

I'm not sure if EC multiplication has the same property or not.  I *think* that for every valid public key, we know that some private key matches it even if we don't know what that private key is.  A proper cryptographer could answer that for sure.

What is "coinbase"?  How do you get a block that has "less than the full possible reward"?



How do you get a valid address with a key that "doesn't exist"?  How is an address where nobody ever had the key any different than an address where somebody had the key but has really absolutely permanently lost it.  Let's say they generated it in volatile memory, wrote it on paper, shut down the computer and then burned the paper...  how is that any different to a valid address where nobody ever really had the key?

And on that note how do you make a valid address but without ever getting the private key?  Aren't valid addresses generated from private keys?  I mean when I import a private key it knows the address without me telling it just from the private key.

Bitcoins are very abstract.  The definition of "destroyed" gets fuzzy here.

Blocks claiming less than the full possible reward most closely fit, in my opinion, the concept of destroyed.  These coins can only be recovered by a change in the protocol.*  Also in this category is the permanently unspendable coins from one or the other of the two blocks that had identical coinbase transactions.

Coins sent to keyless addresses are the second best fit.  No one has ever known a privkey that could redeem those coins, and so we have no reason to believe that such a key exists.

Coins sent to keys that were generated but then lost is the weakest fit.  We know that a key to that address has existed in the past, and so there is every reason to believe that the key could be found again.  Thermodynamics blocks us from doing so, but math itself doesn't bar our way.

* Such a change may not be completely crazy, but is still really unlikely.  It wouldn't hurt much to allow miners to claim some fraction of the coins lost through this method in the past.  Of course, it wouldn't help much either...

https://blockchain.info/address/1BitcoinEaterAddressDontSendf59kuE

1.60652869 BTC ($ 1,420.11 at the time of this post)

Ouch.... 

Luckily it only has 1.6 BTC right?  Or did I look that up wrong?

Massively unlikely though given that the pigeonhole priniciple shows that there are on average 2^96 public keys mapping to each bitcoin address.  Quite unlikely (read: impossible) any address misses all of its expected 2^96 hits.

Yes. Correct. I just thought I'd add a little to the discussion. It's not a big issue for almost everyone else. I don't see more than a few thousand coins ever being destroyed that way, even if intentional.

Which wasn't the question asked.

The question was are bitcoins indestructible?  The answer is no.  It would be like asking is cash indestructible?  and someone answers no you can destroy it by burning it then saying, well who would do that?  I don't know who would do that and for what purpose, it may never be done except in accident however none of that changes the answer to the question "are bitcoins indestructible?", that answer beyond any debate is definitively ... no.