Topic: Game theory involving Quantum Resistance protocol - page 3. (Read 877 times)

mda
member
Activity: 144
Merit: 13
A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.
If you want to severely limit Bitcoin's potential then you could do this but I would and many others would advise putting any sort of limitations on the Bitcoin technology. Limiting it shows that there is a centralised force trying to control Bitcoin despite it being for a good cause. If you want to transact more than a couple million dollars in Bitcoin in an hour then you should be allowed to do that. Freedom is the best approach here.
This trade-off is a middle ground between two options: let quantum computing flood the market in a short period of time (freedom approach), or destroy these coins because it's an easy way to preserve and even increase our wealth a bit.
legendary
Activity: 1232
Merit: 1080
destroying coins?? (facepalm)

not only does that break the rules of the whole 21m coin 'there will be 21m coins in the future .. oh wait we meant 15mill, now 14m'

That is not breaking the rules of Bitcoin or, how I would prefer to look at it, Bitcoin's philosophy. Bitcoin was proposed to have a limited amount of Bitcoin to prevent inflation and other issues in the long term; however, that only includes disallowing new coins from being generated after 21 million, and at no point was it proposed that destroying coins would not be allowed. Of course it is allowed, and in theory the more Bitcoin that are lost the more valuable and limited it will be. Bitcoin does not have many hard-set rules in terms of what you are supposed to do with your money. If you want to destroy coins you can; the only limit is you can't generate any more after 21 million coins have been reached.

A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.
If you want to severely limit Bitcoin's potential then you could do this but I would and many others would advise putting any sort of limitations on the Bitcoin technology. Limiting it shows that there is a centralised force trying to control Bitcoin despite it being for a good cause. If you want to transact more than a couple million dollars in Bitcoin in an hour then you should be allowed to do that. Freedom is the best approach here.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.

That sounds like a real kludge. The idea probably wouldn't gain traction. Theoretically it's also not just unhashed public keys that are vulnerable, but all public keys as they currently exist.

The solution seems rather binary to me. We either lock/destroy vulnerable outputs or we let them wreak havoc on the market. Whether the first option is ethical seems like an issue of time -- how long is long enough?

We have some duty of care not to deprive people of their money, but does that entail going down with the ship?
mda
member
Activity: 144
Merit: 13
A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.
legendary
Activity: 1652
Merit: 1483
destroying coins?? (facepalm)

not only does that break the rules of the whole 21m coin 'there will be 21m coins in the future .. oh wait we meant 15mill, now 14m'

it doesn't. the rule is there can't be more than 21 million coins.

due to the nature of private keys, there was always an implicit assumption that lost coins deplete the supply. i've been operating under that assumption since i arrived 7 years ago. in fact, satoshi explicitly said as much in 2010.

you're telling me that entire monetary philosophy just goes in the trash bin now? lost coins aren't a donation to holders, but rather those with quantum computers?

think about it once brute forced coins are sold or moved out of insecure keys. drama is over.

if QC can break ECDSA, then ECDSA secured outputs should not exist, period. "people should be free to have their coins stolen!!!11!!1!" is not a compelling answer. it's completely against the interest of all bitcoin holders.
legendary
Activity: 4396
Merit: 4755
destroying coins?? (facepalm)

not only does that break the rules of the whole 21m coin 'there will be 21m coins in the future .. oh wait we meant 15mill, now 14m'

not only does that break the 'trust math' theology. because now devs decide they want to go against the rules, so people can't trust that they will always have coins if they just locked their only copy of a private key in a time capsule. they have to trust and hope devs don't go barbaric on code rules

not only does destroying coins destroy many aspects of bitcoin, but the social drama impact of such an act would affect the markets more so than just letting a thief sell coins

think about it once brute forced coins are sold or moved out of insecure keys. drama is over.
it's far better to let someone waste their life brute forcing a private key for 50btc and sell them, then repeat 20,000 times until 'satoshi stash' is no longer on insecure addresses... than it is to let devs manipulate the rules to declare more than 1m coins defunct and destroyed in one go. what's next? if p2pk keys need destroying, do devs wait a month and declare war on p2pkh/p2sh? then when they find an issue with segwit, declare a war on p2wpkh? would it ever end

people would prefer to know if they leave their coins it's their fault for not looking after them. if they care and there is an output format that is genuinely more secure they can move them. if they don't then they are at risk of someone else spending them.. but never ever should devs ever consider destroying coins..

in business terms. imagine there is a company in the middle of a merger/liquidation buyout/hostile takeover. is it more beneficial to just let it happen as you know it's only a 15-minute news item that passes as fast as a price dip would.. or would you call in the military and nuke the facility and shout 'ha ha ha no one gets it' and then go on a mission where nuking businesses is standard practice

the price drama of a user selling 50btc a day is small if they brute forced a satoshi stash address each day. and it would take 20,000 of those days to do it to 1m coins.
just think about how little effect on the price 50btc is in comparison to average daily volume.
just think about how little drama it would realistically create compared to breaking some of bitcoin's fundamental rules.

more people would be more concerned that devs are coming to destroy their coins next compared to the worry of someone spending 50btc of satoshi stash a day
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
...
3- Let people with abandoned p2pkh UTXOs with an uncompromised public key that are still active after the second deadline to mine their transactions privately by leasing/installing hash power or by buying private service from known responsible miners/pools.

I don't understand why you suggest this part. There aren't many pools/solo miners and you'd create a big dependency on them (pools and solo miners).
I'm not proposing anything, just reminding a possibility.

A few decades later, probably, when QC is no longer sci-fi and bitcoin has successfully implemented QC resistance and most wallets have migrated to the new scheme, there will be a hopefully small fraction of p2pkh UTXOs still untouched. In such a situation, with commercially cheap QCs lurking around in the shadows, if an owner of such a wallet tries to access his funds by publishing a transaction, the funds are put at risk in the unconfirmed minutes of the transaction lifecycle. Hence they are practically lost already.

What I'm suggesting is that in such a marginal situation, the poor owner of the wallet who secretly has access to both public and private keys matching the wallet's unused RIPEMD-160 address still has this option: privately mining her txn, either directly or by buying third-party services. Sure, it is not ideal, but it works and is much preferable to risking public disclosure of his unconfirmed txn and putting not only his funds but also the ecosystem in danger. Bitcoin will suffer from any kind of robbery as well as from lost funds; we all know.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
  • Second deadline (m > n blocks after the fork):
    • p2pkh wallets should migrate; otherwise, after m blocks, anybody who has access to the public keys corresponding to such a UTXO has the right to nullify it with a fixed satoshi/byte fee rate by generating and relaying a transaction.


... I don't understand why you are pushing for it to be done so soon. The second deadline does not need to be months after and could instead be a couple of years to allow those that are less security conscious.

QC resistance cryptography is new just like QC itself and it is already ahead of the enemy by any measures, I think long before QC is ready to attack we will be ready to fork.
If this is true like we are both predicting then the second stage can be rolled out over a couple of years and not a few months.
I'm not pushing. Just trying to show that we are ahead of the QC threat and there are a lot of possibilities to keep the risks involved very low in the next couple of decades.
legendary
Activity: 1232
Merit: 1080
  • Second deadline (m > n blocks after the fork):
    • p2pkh wallets should migrate; otherwise, after m blocks, anybody who has access to the public keys corresponding to such a UTXO has the right to nullify it with a fixed satoshi/byte fee rate by generating and relaying a transaction.

What you are proposing is the most popular option, I would say, at this moment, and I think it's the only logistical one that I have heard of, but I don't understand why you are pushing for it to be done so soon. The second deadline does not need to be months after and could instead be a couple of years to allow those that are less security conscious. The elitist attitude of "that is their problem for not listening" is invalid if we wish for mass adoption of Bitcoin. The decisions made for Bitcoin should appeal to the majority of members and not blame it on them if they are not as up to date as we are. Quantum computers capable of threatening Bitcoin's algorithm will be around the year 2025 at the earliest. This means we have several years to implement the first stage and then several years to allow for people to change on the second deadline. Moving this along too quickly is not an effective way of making a big change like this.

QC resistance cryptography is new just like QC itself and it is already ahead of the enemy by any measures, I think long before QC is ready to attack we will be ready to fork.
If this is true like we are both predicting then the second stage can be rolled out over a couple of years and not a few months.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
Most of them, wallets with exposed public keys, will migrate to the new scheme before the catastrophe and after the QC resistant fork. At the end of the day, we are left with a (tiny, IMHO) fraction of bitcoin wallets being abandoned by their owners for some reason, of which I suppose less than 10% would have exposed keys and P2PKH addresses. My estimation is based on their current 25% ratio and the fact that such wallets tend to be more active compared to untouched wallets, which are more likely to be abandoned.

Those numbers are completely invented. If my time in this space has taught me anything, it's that most people are overwhelmingly careless about their security and don't keep up with Bitcoin development.
No! 25% is not invented:

https://medium.com/@sashagnip/how-many-bitcoins-are-vulnerable-to-a-hypothetical-quantum-attack-3e59e4172e8
This problem is compounded by the fact that quantum resistant signatures like Lamport are extremely heavy, so we have an incentive to delay a fork as long as possible:
Quote
The size of Lamport public key and signature together is 231 times (106 bytes vs 24KB) more than the ECDSA public key and signature.

I'm not sure what alternatives there are.

QC resistance cryptography is new just like QC itself and it is already ahead of the enemy by any measures, I think long before QC is ready to attack we will be ready to fork.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
OP,
...
For such a hypothetical situation which by no means is expected to be met in the next couple of decades, I have an idea: Mine Your Own Transaction.

Owners of big enough wallets had better rent hash power and start solo mining bitcoin, waiting for a hit in real time, and owners of wallets with fewer coins can simply find a farm with enough hash power and pay them to privately mine their transaction.


I get your point but mining is supposed to be a neutral thing where you don't have to worry about "picking the correct miner", it should be as simple as sending the transaction, but with a QC machine out there lurking in the shadows you can no longer do this. The problem is miners are anonymous, I can't see a way to rank "good miners" from bad miners. Nobody really has connections with CEOs of big mining farms to really know their agenda. Mining your own transactions is obviously not an option for 99% of users. There's also the theoretical scenario in which miners sense too much of a menace and decide to become bad actors while shorting Bitcoin's price. If we act and plan ahead those cannot happen because the incentives model would still be in place but in a moment of confusion and chaos and the fears of millions of BTC being or not compromised we may see miners freaking out, hence the whole thing must be ready before it happens. The question is right now this is probably sci-fi tier so just like climate change, you'll have a case for both "no need to do anything drastic now" and "start acting now". Result = no consensus, and no planning ahead.
I totally agree with your concerns about how bad the QC issue is treated by the community, it is not the only issue that is open in bitcoin to be fair.
But for now, let's forget about governance problems for the time being and be optimistic about some sort of consensus being reached to handle the QC problem; the question would be whether we could do anything serious about it.

My answer is definitively YES:
1- Implement a QC resistant digital signature algorithm in bitcoin with a soft fork.

2- Draw two deadlines in the fork for wallets to migrate:
  • First deadline (n blocks after the fork):
    • No legacy-format outputs will be included in the blockchain after the nth block.
    • All P2PK outputs should migrate to new addresses within n blocks; otherwise, they are considered void and no miner would confirm transactions with such inputs after n blocks.
  • Second deadline (m > n blocks after the fork):
    • p2pkh wallets should migrate; otherwise, after m blocks, anybody who has access to the public keys corresponding to such a UTXO has the right to nullify it with a fixed satoshi/byte fee rate by generating and relaying a transaction.

3- Let people with abandoned p2pkh UTXOs with an uncompromised public key that are still active after the second deadline mine their transactions privately, by leasing/installing hash power or by buying private service from known responsible miners/pools.

As for your perception of miners as being anonymous, actually most of the largest mining farms/pools are anything but anonymous, and your point about ordinary people not being able to lease such hash power can be fixed by providing something like a private transaction confirmation service by pools/miners.
legendary
Activity: 1232
Merit: 1080
I'm sick to death with these "quantum computers are the end of Bitcoin" type posts. The community is so misinformed about how quantum computers work it's very worrying, because if quantum computers do not destroy Bitcoin, which they won't, I think this false propaganda from so-called experts will destroy public opinion about Bitcoin.

I really wonder about this pretty much daily and I don't have the answers. Not only would we have a problem changing hashing algos, elliptic curves and what have you, but we would need to do something about funds which are no longer safe. What do you do with Satoshi's stack? How does this resolve? There would be people claiming "do nothing with Satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.
If a time comes when Bitcoin is under threat from quantum computers we will have multiple forks in the chain, no doubt, because the difference of opinion among the members of the Bitcoin community as well as the miners will cause uncertainty. This will be problematic in the short term and, depending on public perception after the media reporting on it, could have a medium effect on Bitcoin acceptance.
Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.
No one on this forum has a clear vision of how we are going to deal with it because there are multiple different routes to take, all with their own little side effects on the community and Bitcoin, but one thing is for sure: we have multiple years to figure this out. This talk about quantum computers destroying Bitcoin and asking what the steps to countering quantum computers are is discussed at least weekly on this forum, so there definitely is enough discussion about it.
1. implement quantum resistant signatures
2. give people 5-10 years to move their coins
3. destroy all non quantum resistant outputs

move 'em or lose 'em! once the fork occurs, all previously lost coins would be permanently destroyed. this provides the added bonus of being a one-time audit of the active supply.

do i see this actually happening? not really, i just think that's the best case scenario. there seems to be a lot of inertia around this issue. a lot people seem to think "no biggie" about a huge chunk of the supply being vulnerable, which boggles my mind.
Force people who use Bitcoin wallet software which is connected to the internet to update to the chain with quantum resistant signatures. However, this is not a perfect solution for those that are holding their coins in cold storage and might not follow Bitcoin news regularly enough.

It doesn't sound good. The thing with Bitcoin is that in order for it to be "gold 2.0" we must avoid clusterfucks like this, or if they happen, it must be at least an once in a lifetime event. Moving huge sums is a big PITA for serious permahodlers.
Why would we want to emulate gold and become gold 2.0? Quantum computers are a once in a lifetime event and will probably not be an issue for many people because they can simply switch with the chain once all the hard work has been done by the developers. I'm calling it now: there will be a massive divide between the developers, and each developer will be pushing their own motive-induced way of dealing with this, and that is the biggest threat of them all and not these quantum computers.

Those numbers are completely invented. If my time in this space has taught me anything, it's that most people are overwhelmingly careless about their security and don't keep up with Bitcoin development. One of the reasons a fork like this should be done over several years is because it'll take that long just for people to gradually update their nodes. If a QC broke Bitcoin tomorrow, no emergency fork could repair the harm done by today's key practices.

Very good point, and that's the only argument I see about quantum computers not being a problem right now, and it does persuade me a little bit to consider starting the development towards a quantum resistant Bitcoin earlier than I had in my head. I still think the perfect solution does not exist and whatever way we go there will be instability in Bitcoin and people will lose their coins, but I'm talking way in the future.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
Most of them, wallets with exposed public keys, will migrate to the new scheme before the catastrophe and after the QC resistant fork. At the end of the day, we are left with a (tiny, IMHO) fraction of bitcoin wallets being abandoned by their owners for some reason, of which I suppose less than 10% would have exposed keys and P2PKH addresses. My estimation is based on their current 25% ratio and the fact that such wallets tend to be more active compared to untouched wallets, which are more likely to be abandoned.

Those numbers are completely invented. If my time in this space has taught me anything, it's that most people are overwhelmingly careless about their security and don't keep up with Bitcoin development. One of the reasons a fork like this should be done over several years is because it'll take that long just for people to gradually update their nodes. If a QC broke Bitcoin tomorrow, no emergency fork could repair the harm done by today's key practices.

This problem is compounded by the fact that quantum resistant signatures like Lamport are extremely heavy, so we have an incentive to delay a fork as long as possible:
Quote
The size of Lamport public key and signature together is 231 times (106 bytes vs 24KB) more than the ECDSA public key and signature.

I'm not sure what alternatives there are.
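The size figures in the quote above (and in the same quote earlier in the thread) follow directly from how a Lamport one-time signature is built, so here is an added Python example, written for this page rather than taken from the quoted article or any project, that implements Lamport key generation, signing and verification over SHA-256 and derives the byte counts. The ECDSA side of the comparison is assumed to be a 33-byte compressed secp256k1 public key plus a 73-byte DER signature, which gives the 106 bytes the quote cites; that breakdown is an assumption, and the sample message is constructed.

```python
import hashlib
import os

HASH_BYTES = 32   # SHA-256 output length
MSG_BITS = 256    # we sign the SHA-256 digest of the message: one secret pair per bit

# Assumed ECDSA breakdown matching the quoted 106-byte total (not stated in the quote).
ECDSA_PUBKEY_BYTES = 33   # compressed secp256k1 public key
ECDSA_SIG_BYTES = 73      # DER-encoded signature, upper bound


def digest_bits(message: bytes):
    """SHA-256 the message and return its 256 bits, most significant bit first."""
    d = int.from_bytes(hashlib.sha256(message).digest(), "big")
    return [(d >> (MSG_BITS - 1 - i)) & 1 for i in range(MSG_BITS)]


def lamport_keygen(rng=os.urandom):
    """Private key: 2 x 256 random 32-byte secrets. Public key: their SHA-256 hashes."""
    sk = [[rng(HASH_BYTES) for _ in range(MSG_BITS)] for _ in (0, 1)]
    pk = [[hashlib.sha256(s).digest() for s in row] for row in sk]
    return sk, pk


def lamport_sign(sk, message: bytes):
    """For each digest bit i, reveal the secret sk[bit][i]. The key is one-time:
    signing a second message leaks more secrets (see leaked_positions)."""
    return [sk[bit][i] for i, bit in enumerate(digest_bits(message))]


def lamport_verify(pk, message: bytes, sig) -> bool:
    """Accept only if every revealed secret hashes to the matching public-key entry."""
    if len(sig) != MSG_BITS:
        return False
    return all(hashlib.sha256(s).digest() == pk[bit][i]
               for i, (bit, s) in enumerate(zip(digest_bits(message), sig)))


def leaked_positions(sig_a, sig_b) -> int:
    """Bit positions where two signatures under one key reveal both secrets; a forger
    can then choose either bit value there, which is why the key must not be reused."""
    return sum(1 for a, b in zip(sig_a, sig_b) if a != b)


def lamport_sizes():
    """(public key, signature, total) in bytes for the 256-bit, SHA-256 parameters."""
    pk = 2 * MSG_BITS * HASH_BYTES   # 16384 bytes
    sig = MSG_BITS * HASH_BYTES      # 8192 bytes
    return pk, sig, pk + sig         # 24576 bytes, the quote's "24KB"


def size_ratio() -> float:
    """Lamport (pk + sig) bytes divided by the assumed ECDSA (pk + sig) bytes."""
    return lamport_sizes()[2] / (ECDSA_PUBKEY_BYTES + ECDSA_SIG_BYTES)


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    msg = b"constructed sample transaction bytes"
    sig = lamport_sign(sk, msg)
    print("valid:", lamport_verify(pk, msg, sig))
    print("tampered valid:", lamport_verify(pk, msg + b"!", sig))
    print("sizes (pk, sig, total):", lamport_sizes(), "ratio vs ECDSA: %.1f" % size_ratio())
```

The total comes out at 24576 bytes, and dividing by 106 gives roughly 231.8, the "231 times" in the quote. The other point the code makes explicit is the one-time property: `leaked_positions` counts how many bit positions a second signature under the same key opens up to forgery, which is the reason on-chain use of plain Lamport needs a fresh key per spend (and hence large state or a Merkle-tree construction on top).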
mda
member
Activity: 144
Merit: 13
Relax, people. No need to build the mining farm yet.

https://royalsocietypublishing.org/doi/pdf/10.1098/rsos.180410
legendary
Activity: 1610
Merit: 1183
OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank God.

Implementing an efficient QC resistant signing algorithm is not much of a hurdle but the problem of 'old' wallets and their owners failing to 'migrate' to brand new QC resistant addresses is a serious one.

I think I have a solution for this latter problem which covers the case of Satoshi's coins:

The problem
Given the following conditions, find a way to protect people from losing their money:
1- An established QC resistant algorithm being implemented in bitcoin and ready to accept funds from legacy addresses.

2- A number of 'old' wallets with a considerable amount of bitcoins still not migrated to the new scheme.

3- QC technology being mature enough to put wallets with exposed public keys at serious risk even in their transient state of exposure in an unconfirmed txn.


For such a hypothetical situation which by no means is expected to be met in the next couple of decades, I have an idea: Mine Your Own Transaction.

Owners of big enough wallets had better rent hash power and start solo mining bitcoin, waiting for a hit in real time, and owners of wallets with fewer coins can simply find a farm with enough hash power and pay them to privately mine their transaction.


I get your point but mining is supposed to be a neutral thing where you don't have to worry about "picking the correct miner", it should be as simple as sending the transaction, but with a QC machine out there lurking in the shadows you can no longer do this. The problem is miners are anonymous, I can't see a way to rank "good miners" from bad miners. Nobody really has connections with CEOs of big mining farms to really know their agenda. Mining your own transactions is obviously not an option for 99% of users. There's also the theoretical scenario in which miners sense too much of a menace and decide to become bad actors while shorting Bitcoin's price. If we act and plan ahead those cannot happen because the incentives model would still be in place but in a moment of confusion and chaos and the fears of millions of BTC being or not compromised we may see miners freaking out, hence the whole thing must be ready before it happens. The question is right now this is probably sci-fi tier so just like climate change, you'll have a case for both "no need to do anything drastic now" and "start acting now". Result = no consensus, and no planning ahead.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
If it was ever possible to break sha, bitcoin wouldn't be worth thousands of dollars because it would look just stupid to rely on an asset that is subject to a mathematical or technological development which could occur at any moment.

you are speaking as the person who infamously claimed that SHA-2 ASICs broke SHA-2

have you forgotten which account you're logged into??
ASICs didn't break sha2; they broke bitcoin PoW. There is a difference whose understanding is beyond your expertise in the field.

Are you a stalker of me?

On the other side, cryptographers never have been confident about ECDSA to be bullet proof and quantum computing was a surprise just for ordinary users.


This is an exaggeration because for encryption to work you have to be confident that it will do the job for a number of years, and that was true when ECDSA was developed and when it was implemented into Bitcoin. It is currently 'bullet proof'; even if quantum computing has made some significant gains in the last couple of years, it is still currently bullet proof, and saying that cryptographers were never really confident in the protocol used inside Bitcoin is a bit of an overstretch.
No exaggerations there. Every single cryptographer on the planet has always been aware of the vulnerability of ECDSA to technology advancements, not to mention implementation backdoors and the fact that it was originally an NSA product. Actually, instead of bitcoin getting credit from ECDSA, it was bitcoin that promoted it as a reliable digital signature algorithm by providing a huge incentive and tempting adversaries to break its secp256k1 implementation of ECDSA.

As you've correctly mentioned in your post, ECDSA-secp256 has always been understood as a signature scheme reliable for a few decades, and it is why I think that destroying Satoshi's P2PK coins, in case s/he wouldn't migrate them to safe wallets in due time, shouldn't be considered unfair. As a cryptographer, he should have been aware of the existence of an "expiry date" for his public keys.
sr. member
Activity: 334
Merit: 275
On the other side, cryptographers never have been confident about ECDSA to be bullet proof and quantum computing was a surprise just for ordinary users.


This is an exaggeration because for encryption to work you have to be confident that it will do the job for a number of years, and that was true when ECDSA was developed and when it was implemented into Bitcoin. It is currently 'bullet proof'; even if quantum computing has made some significant gains in the last couple of years, it is still currently bullet proof, and saying that cryptographers were never really confident in the protocol used inside Bitcoin is a bit of an overstretch.
legendary
Activity: 3430
Merit: 3080
If it was ever possible to break sha, bitcoin wouldn't be worth thousands of dollars because it would look just stupid to rely on an asset that is subject to a mathematical or technological development which could occur at any moment.

you are speaking as the person who infamously claimed that SHA-2 ASICs broke SHA-2:

Actually ASIC is a crack against cryptography; it has always been since WWII and nothing has changed. When a cryptographic algorithm gets ASICed, it should be considered a failure and fixed instead of being justified as 'inevitable', 'not a big deal' or even 'a good thing'!
It is just ridiculous: how is it possible to have a cryptographic system of any kind being cracked by a specialized circuit and considered safe meanwhile?



have you forgotten which account you're logged into??

Edit: the above quote demonstrates @aliashraf is a (lazy) liar
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
consider though: mathematicians/computer scientists/cryptographers working for powerful companies/organizations are not compelled to release every breakthrough they discover publicly. What if an efficient solution to what appears to be a brute forcing problem has in fact been discovered? Is that not the point of QC's anyway, to provide efficient solutions for which binary arithmetic Von Neumann machines cannot? Maybe some class of hashing algorithm could be developed to be resistant to such a thing, I simply do not know, but it seems to me that few others can really claim to _know_ either.
Above, Pooya has excellently described why sha is different, essentially being a hash function and not a number theory problem in NP, not solvable by deterministic sequential machines (e.g. Turing machines) and vulnerable to quantum computers and Shor's algorithm, the category that ECDSA belongs to. It is just wrong to compare sha256 with ECDSA.

Please stop posting about topics you have no clue about. If it was ever possible to break sha, bitcoin wouldn't be worth thousands of dollars because it would look just stupid to rely on an asset that is subject to a mathematical or technological development which could occur at any moment. To make it crystal clear: Bitcoin will be totally destroyed by such a hypothetical (surely impossible) development.

On the other side, cryptographers never have been confident about ECDSA to be bullet proof and quantum computing was a surprise just for ordinary users.

legendary
Activity: 3430
Merit: 3080
^^^ trolling ^^^

you don't really expect me to reply to your out-of-context weak BS, right?


there's a good reason to do it, but I _did not_ even commit myself to it, I presented both sides, calmly

you started an argument, deliberately, where there was no argument.