Topic: Game theory involving Quantum Resistance protocol - page 3. (Read 814 times)

This trade-off is a middle ground between two options. Let quantum computing flood the market in a short period of time (freedom approach) or destroy these coins because it's an easy way to preserve and even increase a bit our wealth.

That is not breaking the rules of Bitcoin or how I would prefer to look at it Bitcoins philosophy. Bitcoin was proposed to have a limited amount of Bitcoin to prevent inflation and other issues in the long term however that only includes disallowing new coins from being generated after 21 million and at no point was it proposed that destroying coins would not be allowed. Of course it is allowed and in theory the more Bitcoin that are lost the more valuable and limited it will be. Bitcoin does not have many hard set rules in terms of what you are suppose to do with your money. If you want to destroy coins you can the only limit is you can't generate anymore after 21 million coins has been reached.

If you want to severely limit Bitcoin's potential then you could do this but I would and many others would advise putting any sort of limitations on the Bitcoin technology. Limiting it shows that there is a centralised force trying to control Bitcoin despite it being for a good cause. If you want to transact more than a couple million dollars in Bitcoin in an hour then you should be allowed to do that. Freedom is the best approach here.

That sounds like a real kludge. The idea probably wouldn't gain traction. Theoretically it's also not just unhashed public keys that are vulnerable, but all public keys as they currently exist.

The solution seems rather binary to me. We either lock/destroy vulnerable outputs or we let them wreak havoc on the market. Whether the first option is ethical seems like an issue of time -- how long is long enough?

We have some duty of care not to deprive people of their money, but does that entail going down with the ship?

A possible trade-off would be to limit transaction amounts from unhashed public keys to few million USD per day.

it doesn't. the rule is there can't be more than 21 million coins.

due to the nature of private keys, there was always an implicit assumption that lost coins deplete the supply. i've been operating under that assumption since i arrived 7 years ago. in fact, satoshi explicitly said as much in 2010.

you're telling me that entire monetary philosophy just goes in the trash bin now? lost coins aren't a donation to holders, but rather those with quantum computers?


if QC can break ECDSA, then ECDSA secured outputs should not exist, period. "people should be free to have their coins stolen!!!11!!1!" is not a compelling answer. it's completely against the interest of all bitcoin holders.

destroying coins?? (facepalm)

not only does that break the rules of the whole 21m coin 'there will be 21m coins in the future .. oh wait we meant 15mill, now 14m'

not only does that break the 'trust math' theology. because now devs decide they want to go against the rules, so people cant trust that they will always have coins if they just locked their only copy of a private key in a time capsule. they have to trust and hope devs dont go barbaric on code rules

not only does destroying coins destroy many aspects of bitcoin.but the social drama impact of such an act would effect the markets more so than just letting a theif sell coins

think about it once brute forced coins are sold or moved out of insecure keys. drama is over.
its far better to let someone waste their life brute forcing a private key for 50btc and sell them, then repeat 20,000 times until 'satoshi stash' is no longer on insecure addresses... than it is to let devs manipulate the rules to declare more than 1m coined defunct and destroyed in on go. whats next if p2pk keys need destroying, do devs wait a month and declare war on p2pkh p2sh. then when they find an issue with segwit declare a war on p2wpkh. would it ever end

people would prefer to know if they leave their coins its their fault for not loking after them, if they care and there is a output format that is genuinely more secure they can move them. if they dont then they are at risk of someone else spending them.. but never ever should devs ever consider destroying coins..

in business terms. imagine thre is a company in the middle of a merger/liquidation buyout/hostile takeover. is it more beneficial to just let it happen as you know its only a 15minute news item that passes as fast as a price dip would.. or would you call in the military and nuke the facility and shout 'ha ha ha no one gets it' and then go on a mission where nuking businesses is standard practice

the price drama of a user selling 50btc a day is small if they brute forcd a satoshi stash address each day. and it would take 20,000 of thos days to do it to 1m coins.
just think about how little effect on the price 50btc is in comparison to average daily volume.
just think about how little drama it would realistically create compared to breaking some of bitcoins fundemental rules.

more people would be more concerned that devs are coming to dstroy their coins next compared to the worry of someone spending 50btc of satoshi stash a day

I'm not proposing anything, just reminding a possibility.

A few decades later, probably, when QC is no longer sci-fi and bitcoin has successfully implemented QC resistance and most wallets have migrated to the new scheme, there will be a hopefully small fraction of p2pkh UTXOs still untouched. In such a situation, commercially cheap QCs lurking around in shadows, if an owner of such a wallet tries to access his funds by publishing a transaction, the funds are being put in risk in the unconfirmed minutes of the transaction lifecycle. Hence they are practically lost already.

What I'm suggesting is that in such a marginal situation, the poor owner of the wallet who secretly has access to both public and private keys matching the wallet's unused RIPEMD-160 address, still has this option, privately mining her txn, either directly or by buying third party services. Sure it is not ideal but it works and is much more preferred than risking public disclosure of his unconfirmed txn and putting not only his funds but also the ecosystem in danger. Bitcoin will suffer from any kind of robbery as well as lost funds; we all know.

I'm not pushing. Just trying to show that we are ahead of QC threat and there is a lot of possibilities to keep the risks involved very low in the next couple of decades 

What you are proposing is the most popular option I would say at this moment and I think its the only logistical one that I have heard of but I don't understand why you are pushing for it to be done so soon. The second deadline does not need to be months after and could instead be a couple of years to allow those that are less security conscious. The elitist attitude of "that is their problem for not listening" is invalid if we wish for mass adoption of Bitcoin. The decisions made for Bitcoin should appeal to the majority of members and not blame it on them if they are not up to date as we are. Quantum computers capable of threatening Bitcoins algorithm will be around the year 2025 at the earliest. This means we have several years to implement the first stage and then several years to allow for people to change on the second deadline. Moving this along to quickly is not an effective way of making a big change like this.

If this is true like we are both predicting then the second stage can be rolled out over a couple of years and not a few months.

No! 25% is not invented:

https://medium.com/@sashagnip/how-many-bitcoins-are-vulnerable-to-a-hypothetical-quantum-attack-3e59e4172e8

QC resistance cryptography is new just like QC itself and it is already ahead of the enemy by any measures, I think long before QC is ready to attack we will be ready to fork.

I totally agree with your concerns about how bad the QC issue is treated by the community, it is not the only issue that is open in bitcoin to be fair.
But for now, let's forget about governance problems for the time being and be optimistic about some sort of consensus being reached to handle QC problem, the question would be whether we could do anything serious about it?

My answer is definitively YES:
1- Implement a QC resistant digital signature algorithm in bitcoin with a soft fork.

2- Draw two deadlines in the fork for wallets to migrate:

• ِFirst deadline(n blocks after the fork):
  
  • No legacy format outputs will be included in the blockchain after the n_th block.
    
  • All P2PK outputs should migrate to new addresses within n blocks, otherwise, they are considered void and no miner would confirm transactions with such inputs after n blocks.
• Second deadline(m>n blocks after the fork):
  
  • p2pkh wallets should migrate, otherwise, after m blocks, anybody who has access to public keys corresponding to such a UtXO has a right to nulify it with a fixed satoshi/Byte fee rate by means of generating and relaying a transaction.

3- Let people with abandoned p2pkh UTXOs with an uncompromised public key that are still active after the second deadline to mine their transactions privately by leasing/installing hash power or by buying private service from known responsible miners/pools.

As of your perception of miners as being anonymous, actually most of the largest mining farms/pools are anything other than anonymous and your point about ordinary people not being able to leas such a hash power can be fixed with providing something like a private transaction confirmation service by pools/miners.

I'm sick to death with these "quantum computers is the end of Bitcoin" type posts. The community is so misinformed about how quantum computers works its very worrying because if quantum computers does not destroy Bitcoin which it wont I think this false propaganda from so called experts will destroy the public opinion about Bitcoin.

If it comes a time where Bitcoin is under threat from quantum computers we will have multiple forks in the chain no doubt because the difference of opinion from the members of the Bitcoin community as well as the miners will cause uncertainty. This will  be problematic in the short term and depending on public perception after the media reporting on it could have a medium effect on Bitcoin acceptance.  
No one on this forum has a clear vision of how we are going to deal with it because there are multiple different routes to take all with their own little side effects on the community and Bitcoin but one thing is for sure we have multiple years to figure this out. This talk about quantum computers destroying Bitcoin and asking what are the steps to countering quantum computers is discussed at least weekly on this forum so there definitely is enough discussion about it.
Force people who use Bitcoin wallet software which is connected to the internet to update to the chain with quantum resistant signatures. However this is not a perfect solution to those that are holding their coins in cold storage and might not follow Bitcoin news regular enough.

Why would we want to emulate gold and become gold 2.0? Quantum computers is a once in life time event and will probably not be an issue for many people because they can simply switch with the chain once all the hard work has been done by the developers. I'm calling it now there will be a massive divide between the developers and each developer will be pushing their own motive induced way of dealing with this and that is the biggest threat of them all and not these quantum computers.

Very good point and thats the only argument I see about quantum computers not being a problem right now and does persuade we a little bit to consider starting the development towards a quantum resistant Bitcoin earlier than I had in my head.  I still think the perfect solution does not exist and whatever way we go there will be instability in Bitcoin and people will lose their coins but I'm talking way in the future.

Those numbers are completely invented. If my time in this space has taught me anything, it's that most people are overwhelmingly careless about their security and don't keep up with Bitcoin development. One of the reasons a fork like this should be done over several years is because it'll take that long just for people to gradually update their nodes. If a QC broke Bitcoin tomorrow, no emergency fork could repair the harm done by today's key practices.

This problem is compounded by the fact that quantum resistant signatures Like Lamport are extremely heavy, so we have incentive to delay a fork as long as possible:

I'm not sure what alternatives there are.

Relax, people. No need to build the mining farm yet.

https://royalsocietypublishing.org/doi/pdf/10.1098/rsos.180410

I get your point but mining is supposed to be a neutral thing where you don't have to worry about "picking the correct miner", it should be as simple as sending the transaction, but with a QC machine out there lurking in the shadows you can no longer do this. The problem is miners are anonymous, I can't see a way to rank "good miners" from bad miners. Nobody really has connections with CEOs of big mining farms to really know their agenda. Mining your own transactions is obviously not an option for 99% of users. There's also the theoretical scenario in which miners sense too much of a menace and decide to become bad actors while shorting Bitcoin's price. If we act and plan ahead those cannot happen because the incentives model would still be in place but in a moment of confusion and chaos and the fears of millions of BTC being or not compromised we may see miners freaking out, hence the whole thing must be ready before it happens. The question is right now this is probably sci-fi tier so just like climate change, you'll have a case for both "no need to do anything drastic now" and "start acting now". Result = no consensus, and no planning ahead.

ASICs didn't break sha2 they broke bitcoin PoW, there is a difference that its understanding is beyond your expertise in the field.

Are you a stalker of me?  

No exaggerations there. Any single cryptographer on the planet have been always aware of the vulnerability of ECDSA to technology advancements not mentioning implementation backdoors and the fact that it was originally an NSA product. Actually, instead of bitcoin getting credit from ECDSA, it was bitcoin that promoted it as a reliable digital signature algorithm by providing a huge incentive and tempting adversaries for breaking its secp256k1 implementation of ECDSA.

As you you've correctly mentioned in your post, ECDSA-secp256 has always been understood as a few decades reliable signature scheme and it is why I think that destroying Satoshi's P2PK coins in case s/he wouldn't migrate them to safe wallets in due time, shouldn't be considered unfair. As a cryptographer, he should have been aware of the existence of an "expire-date" for his public keys.

This is an exaggeration because for encryption to work you have to be confident that it will do the job for a number of years and that was true when ECDSA was developed and when it was implemented into Bitcoin. It is currently 'bullet proof' even if quantum computing is making some significant gains in the last couple of years it is still currently bullet proof and saying that cryptographers were never really confident in the protocol used inside Bitcoin is a bit of a overstretch.

you are speaking as the person who infamously claimed that SHA-2 ASICS broke SHA-2:



have you forgot which account you're logged into??

Edit: the above quote demonstrates @aliashraf is a (lazy) liar

Above, Pooya has excelently described why sha is different essentially being a hash function and not a number theory problem in NP not solvable by deterministic sequential machines e.g. Turing machines and vulnerable to quantum computers and Shor algorithm, just a category that  ECDSA belongs to. It is just wrong to compare sha256 with ECDSA.

Please stop posting about topics you have no clue about. If it was ever possible to break sha, bitcoin wouldn't worth thousands of dollars because it would look just stupid to rely on an asset that is subject to a mathematical or technological  development which could occur every moment. To make it crystal clear: Bitcoin will be totally destroyed by such a hypothetical (surely impossible) development.  

On the other side, cryptographers never have been confident about ECDSA to be bullet proof and quantum computing was a surprise just for ordinary users.

^^^ trolling ^^^

you don't really expect me to reply to your out-of-context weak BS, right?


there's a good reason to do it, but I _did not_ even commit myself to it, I presented both sides, calmly

you started an argument, deliberately, where there was no argument.