
Topic: Game theory involving Quantum Resistance protocol - page 4. (Read 877 times)

hero member
Activity: 1220
Merit: 612
OGRaccoon

which is why making satoshi's coins unspendable has merit

Really? And who would give you permission to do such a thing?

Let's just think for a second: what if satoshi is not dead, and the coins actually ARE spendable?

There is so much assumption around the coins, but one key thing to remember is: if you don't hold it, you don't own it.

No one has the right to touch the satoshi coins other than the owner. This is not the first topic that has made comments to the effect of let's just burn or revoke them from the chain.

If satoshi's coins ever are community moved / revoked somehow, then bitcoin will fail. No ifs, no buts, it will be a community-based attack in my view.

I'm very surprised to see this comment from you Carlton Banks.

legendary
Activity: 3430
Merit: 3080
I think you are talking about Pieter Wuille:


Quote
Any unconfirmed transaction in flight exposes public keys, so if a QC exists, at least moving coins around safely becomes impossible. Further, a massive fraction of the currency supply can be taken. Lastly, you likely have exposed your own pubkey already.

Quote
Given all those hypothetical attack models that pubkey hashing doesn't help with at all, I think it's fair to say that Bitcoin as it exists today is not quantum secure, period.

It doesn't sound good.

yep, although there's at least 1 solution I can think of:

assuming you trust a miner (and it could be yourself if you have the hashing power, of course), you can give your transaction to a miner out of band, then the public key is never exposed until the tx moving your funds to a QC resistant keypair is already confirmed in a block. That would (hopefully!!!) be a one-off event, but hair-raising (and potentially expensive) all the same


Yeah it was theymos and he got hated bigly with his approach. The way I see it is that the stash should be re-introduced slowly as mining rewards, or at least that's how I should have coded it since day 1, since if you are the only guy mining in the world, there isn't even a network and you would get a disproportionate amount of coins as the single participant on the system. At the same time I also think he took the bigger risk, so it should be rewarded... tough call.

I think the only solution is to render the whole P2PK supply unspendable, and to do that with the longest possible period of advance warning to give the holders of those private keys sufficient time to move their money. See, we're having a civil conversation about this, yet we already disagree!!! tough call indeed.


hashes could never be "reversed" and it is not exactly about efficiency, it is about virtually unlimited solutions. think of it like this: if i say i have a big number that is the sum of 10 other numbers, you will never be able to guess what those 10 values were because there simply are too many possibilities.

the difference between hashing and ECC is that ECC is pure math, so there could some day be a solution to solve that reverse mathematical problem (ECDLP) in a faster way, but hashing is a completely chaotic algorithm where we take an input, "mutate" it, toss the bits around and come up with a neat result. so the only way to attack hashing algorithms has always been to find a collision, meaning if i said "a85845e696ee7aac1b012d611edcbd6fbf1884c5" is my SHA1 hash, you will never be able to find out what message i hashed, but you could find another message some day (you still can't do it today even for SHA1) that could give the same result.

okay, I am aware of the logic underlying all of this, although you are more familiar with the details.

consider though: mathematicians/computer scientists/cryptographers working for powerful companies/organizations are not compelled to release every breakthrough they discover publicly. What if an efficient solution to what appears to be a brute forcing problem has in fact been discovered? Is that not the point of QC's anyway, to provide efficient solutions for which binary arithmetic Von Neumann machines cannot? Maybe some class of hashing algorithm could be developed to be resistant to such a thing, I simply do not know, but it seems to me that few others can really claim to _know_ either.

People always say "that's impossible", until someone pitches up one day and provides the solution. The fact that we are on this forum having this discussion is the result of exactly that happening: cypherpunks tried to create a Bitcoin, and their imagination for designing it failed several times until satoshi. People literally _couldn't_ believe satoshi initially, Hal Finney hung out with satoshi for a while, contemplating the details of his design, in a way to convince himself that there was not something satoshi was missing. Only once people like Wuille, Maxwell and Todd (as well as Szabo, Dai, and Back on the sidelines) arrived on the scene to contribute to validating the concept did people really begin to get over the disbelief.

*** the following is, to the best of publicly available knowledge, NOT POSSIBLE ***
There would be no such luxury under a "SHA reversed by quantum computers" scenario, one minute a single Bitcoin blockchain would exist, the next there would be infinite Bitcoin blockchains, and every Bitcoin client would have their poor little CPUs overloaded trying to figure out which one was the most-worked valid chain
*** the above is to the best of publicly available knowledge, NOT POSSIBLE ***
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank god.

There are quite a lot, actually:

Quote
At least 5M BTC is stored in outputs with known public key that I could identify, and there are probably millions more.

I can't begin to verify the numbers but it sounds like 30-50% of the existing supply could still be vulnerable even if unused P2PKH addresses are safe. With that much loot on the table -- an amount that surpasses the entire global bid side many times over -- anyone with access to this powerful a QC would have incentive to crack and sell outputs as quickly as possible.
Most of them, wallets with exposed public keys, will migrate to the new scheme before the catastrophe and after the QC resistant fork. At the end of the day, we are left with a (tiny, IMHO) fraction of bitcoin wallets being abandoned by their owners for some reason, of which I suppose less than 10% would have exposed keys and P2PKH addresses. My estimation is based on their current 25% ratio and the fact that such wallets tend to be more active compared to untouched wallets, which are more likely to have been abandoned.

I could even propose to pre-empt exposed public keys after a deadtime once the QC resistant fork is activated. It may look reasonable to mitigate the chaotic side-effects of such a robbery and a strengthening measure for bitcoin.
legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank god.

There are quite a lot, actually:

Quote
At least 5M BTC is stored in outputs with known public key that I could identify, and there are probably millions more.

I can't begin to verify the numbers but it sounds like 30-50% of the existing supply could still be vulnerable even if unused P2PKH addresses are safe. With that much loot on the table -- an amount that surpasses the entire global bid side many times over -- anyone with access to this powerful a QC would have incentive to crack and sell outputs as quickly as possible.
legendary
Activity: 1456
Merit: 1175
Always remember the cause!
OP,

I think there is and there will be no solution regarding funds in addresses with already exposed public keys in case of a QC cryptographic disaster. Such addresses are not too many, thank god.

Implementing an efficient QC resistant signing algorithm is not much of a hurdle but the problem of 'old' wallets and their owners failing to 'migrate' to brand new QC resistant addresses is a serious one.

I think I have a solution for this latter problem which covers the case with Satoshi coins:

The problem
Given the following conditions, find a way to protect people from losing their money:
1-An established QC resistant algorithm being implemented in bitcoin and ready to accept funds from legacy addresses.

2-A number of 'old' wallets with a considerable amount of bitcoins still not migrated to the new scheme.

3-QC technology being matured enough to put wallets with exposed public keys at serious risk even in their transient state of exposure in an unconfirmed txn.


For such a hypothetical situation which by no means is expected to be met in the next couple of decades, I have an idea: Mine Your Own Transaction.

Owners of big enough wallets had better rent hash power and start solo mining bitcoin, waiting for a hit in real time, and owners of wallets with fewer coins can simply find a farm with enough hash power and pay them for privately mining their transaction.
legendary
Activity: 3472
Merit: 10611
supposedly there is no possible way of using quantum computing algorithms to find an efficient solution for reversing hash algorithm outputs. I think that because hashing involves destroying such a large quantity of the original data input, that's a reasonable assumption. I know almost nothing about cryptography though.

hashes could never be "reversed" and it is not exactly about efficiency, it is about virtually unlimited solutions. think of it like this: if i say i have a big number that is the sum of 10 other numbers, you will never be able to guess what those 10 values were because there simply are too many possibilities.

the difference between hashing and ECC is that ECC is pure math, so there could some day be a solution to solve that reverse mathematical problem (ECDLP) in a faster way, but hashing is a completely chaotic algorithm where we take an input, "mutate" it, toss the bits around and come up with a neat result. so the only way to attack hashing algorithms has always been to find a collision, meaning if i said "a85845e696ee7aac1b012d611edcbd6fbf1884c5" is my SHA1 hash, you will never be able to find out what message i hashed, but you could find another message some day (you still can't do it today even for SHA1) that could give the same result.
legendary
Activity: 1610
Merit: 1183

supposedly there is no possible way of using quantum computing algorithms to find an efficient solution for reversing hash algorithm outputs. I think that because hashing involves destroying such a large quantity of the original data input, that's a reasonable assumption. I know almost nothing about cryptography though.

That's the reason why Bitcoin "addresses" are not the ECDSA public key, but a RIPEMD160 hash of the public key. Until the BTC is spent, the public key is protected from actual publicity, but spending involves revealing the public key in order to validate the transaction.

So, in the event of QC blockchain-ogeddon, funds stored at addresses that have never been spent from will not (theoretically) be vulnerable. However, at least 1 developer has suggested this assumption is not as safe as was assumed when this was devised, I do not remember the details however.

I think you are talking about Pieter Wuille:



I think @theymos actually did bring this up some time ago (and people mostly didn't see what the point was, and accused him of being jealous of satoshi or something or other)

The fact is, early BTC from ~ 2009 did not have a hash to protect the public key, those mined coins have their public key directly exposed on the blockchain right now. A known quantum computing algorithm can be used to efficiently spend those coins, which includes satoshi's stash (it's a guess who it all belongs to, certainly satoshi must own some though). The only thing stopping this is that the hardware doesn't exist. Yet.

which is why making satoshi's coins unspendable has merit, to anyone developing QC's, 1,000,000 BTC is effectively the bounty for keeping the details of progress in their work very quiet. If anyone is in the race to develop cutting edge QCs, the sort of people who ought not to have that much power are definitely in contention. Of course, there will always be loud screeches that "satoshi should be allowed to keep his/their BTC", but in this scenario, satoshi loses it either way if action is not taken well in advance. Because the coins haven't moved, one could argue satoshi is either dead or confident it won't happen.

Yeah it was theymos and he got hated bigly with his approach. The way I see is that the stash should be re-introduced slowly as mining rewards, or at least that's how I should have coded it since day 1, since if you are the only guy mining in the world, there isn't even a network and you would get a disproportionate amount of coins as the single participant on the system. At the same time I also think he took the bigger risk, so it should be rewarded... tough call.
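As an added illustration (not code from the thread or from any poster), the script below audits a constructed set of outputs for the exposure the two posts above describe: bare P2PK outputs carry the public key itself, P2PKH outputs carry only hash160 until the address is spent from, after which any reuse of that address is just as exposed. The script layouts are the standard ones; the keys, hashes, values and labels are constructed placeholders.

```python
from dataclasses import dataclass

OP_DUP, OP_HASH160, OP_EQUALVERIFY, OP_CHECKSIG = 0x76, 0xA9, 0x88, 0xAC

@dataclass
class Output:
    txid: str        # constructed label, not a real transaction id
    value_sat: int
    script: bytes    # raw scriptPubKey

def script_kind(script: bytes):
    """('p2pk', pubkey) when the key itself sits in the output,
    ('p2pkh', hash160) when only its hash does, else ('other', None)."""
    n = len(script)
    # P2PK: <push 33 or 65> <pubkey> OP_CHECKSIG  (the 2009 coinbase style)
    if n in (35, 67) and script[0] == n - 2 and script[-1] == OP_CHECKSIG:
        return "p2pk", script[1:-1]
    # P2PKH: OP_DUP OP_HASH160 <push 20> <hash160> OP_EQUALVERIFY OP_CHECKSIG
    if (n == 25 and script[:3] == bytes([OP_DUP, OP_HASH160, 20])
            and script[23:] == bytes([OP_EQUALVERIFY, OP_CHECKSIG])):
        return "p2pkh", script[3:23]
    return "other", None

def exposure_report(utxos, spent_p2pkh_scripts):
    """Sum unspent value per exposure class. spent_p2pkh_scripts: scriptPubKeys
    of P2PKH outputs already spent; spending revealed their pubkey in scriptSig,
    so any UTXO paying the same hash160 (address reuse) is as exposed as P2PK."""
    reused = {script_kind(s)[1] for s in spent_p2pkh_scripts
              if script_kind(s)[0] == "p2pkh"}
    totals = {"exposed": 0, "hash_only": 0, "other": 0}
    for u in utxos:
        kind, payload = script_kind(u.script)
        if kind == "p2pk" or (kind == "p2pkh" and payload in reused):
            totals["exposed"] += u.value_sat
        elif kind == "p2pkh":
            totals["hash_only"] += u.value_sat
        else:
            totals["other"] += u.value_sat
    return totals

# Constructed sample data: placeholder key and hash bytes, not real chain data.
def p2pk(pubkey):   # build a bare-pubkey scriptPubKey
    return bytes([len(pubkey)]) + pubkey + bytes([OP_CHECKSIG])
def p2pkh(h160):    # build a pay-to-pubkey-hash scriptPubKey
    return bytes([OP_DUP, OP_HASH160, 20]) + h160 + bytes([OP_EQUALVERIFY, OP_CHECKSIG])

PUBKEY_A = b"\x04" + bytes(range(1, 65))   # 65-byte uncompressed-key shape
HASH_B = bytes(range(0x10, 0x24))          # 20-byte hash160 of some key B
HASH_C = bytes(range(0x30, 0x44))          # 20-byte hash160 of some key C
SAMPLE_UTXOS = [
    Output("early-coinbase", 50 * 10**8, p2pk(PUBKEY_A)),  # key sits in the output
    Output("reused-address", 10 * 10**8, p2pkh(HASH_B)),   # B was spent from before
    Output("fresh-address", 5 * 10**8, p2pkh(HASH_C)),     # C never spent from
]
SAMPLE_SPENT = [p2pkh(HASH_B)]   # an earlier output paying B, already spent
```

Running `exposure_report(SAMPLE_UTXOS, SAMPLE_SPENT)` counts both the early P2PK output and the reused P2PKH address as exposed, and only the never-spent address as protected by its hash.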
legendary
Activity: 3430
Merit: 3080
I really wonder about this pretty much daily

really?


Not only would we have a problem changing hashing algos, elliptic curves and whathaveyou, but we would need to do something about funds which are no longer safe.

supposedly there is no possible way of using quantum computing algorithms to find an efficient solution for reversing hash algorithm outputs. I think that because hashing involves destroying such a large quantity of the original data input, that's a reasonable assumption. I know almost nothing about cryptography though.

That's the reason why Bitcoin "addresses" are not the ECDSA public key, but a RIPEMD160 hash of the public key. Until the BTC is spent, the public key is protected from actual publicity, but spending involves revealing the public key in order to validate the transaction.

So, in the event of QC blockchain-ogeddon, funds stored at addresses that have never been spent from will not (theoretically) be vulnerable. However, at least 1 developer has suggested this assumption is not as safe as was assumed when this was devised, I do not remember the details however.


What do you do with satoshi's stack? How does this resolve? There would be people claiming "do nothing with satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.

I think @theymos actually did bring this up some time ago (and people mostly didn't see what the point was, and accused him of being jealous of satoshi or something or other)

The fact is, early BTC from ~ 2009 did not have a hash to protect the public key, those mined coins have their public key directly exposed on the blockchain right now. A known quantum computing algorithm can be used to efficiently spend those coins, which includes satoshi's stash (it's a guess who it all belongs to, certainly satoshi must own some though). The only thing stopping this is that the hardware doesn't exist. Yet.

which is why making satoshi's coins unspendable has merit, to anyone developing QC's, 1,000,000 BTC is effectively the bounty for keeping the details of progress in their work very quiet. If anyone is in the race to develop cutting edge QCs, the sort of people who ought not to have that much power are definitely in contention. Of course, there will always be loud screeches that "satoshi should be allowed to keep his/their BTC", but in this scenario, satoshi loses it either way if action is not taken well in advance. Because the coins haven't moved, one could argue satoshi is either dead or confident it won't happen.
legendary
Activity: 1652
Merit: 1483
I really wonder about this pretty much daily and I don't have the answers. Not only would we have a problem changing hashing algos, elliptic curves and whathaveyou, but we would need to do something about funds which are no longer safe. What do you do with satoshi's stack? How does this resolve? There would be people claiming "do nothing with satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.

1. implement quantum resistant signatures
2. give people 5-10 years to move their coins
3. destroy all non quantum resistant outputs

move 'em or lose 'em! once the fork occurs, all previously lost coins would be permanently destroyed. this provides the added bonus of being a one-time audit of the active supply.

do i see this actually happening? not really, i just think that's the best case scenario. there seems to be a lot of inertia around this issue. a lot of people seem to think "no biggie" about a huge chunk of the supply being vulnerable, which boggles my mind.
legendary
Activity: 1610
Merit: 1183
Let's say Google or your favorite triple letter agency (same thing?) comes up with a computer of quantum nature which is able to move the funds of our guy satoshi. Everyone starts tripping, headlines everywhere, mass hysteria. How would the game theory involved in the necessary changes to protect from this unfold?

Forget about what to do specifically, just think, of all possible candidates, how would the one that gets selected as the fit candidate become the winning fork? We would have people arguing this or that method is the way to go until we are pushed to the limit? It would be segwit on steroids.

I really wonder about this pretty much daily and I don't have the answers. Not only would we have a problem changing hashing algos, elliptic curves and whathaveyou, but we would need to do something about funds which are no longer safe. What do you do with satoshi's stack? How does this resolve? There would be people claiming "do nothing with satoshi's coins, they are his coins after all" while others will argue the coins are basically a big vulnerability for the ecosystem at that point. Do you have any clear vision of how things would turn out? These things need to be planned ahead and I don't see enough discussion tbh.