I am not spreading FUD, rather the FACT that we don't have the usual safeguards as was the case for SHA-1 which had seeds sqrt(1), sqrt(2), etc.
Actually, we have a stronger assurance than for SHA-1.
No you do not! Are you sure you are qualified as a cryptographer?
The parameters in secp256k1 (which is not a NIST selected curve, contrary to your repeated insistence) are fixed entirely by performance considerations, similar to the Ed25519 work which you lauded up-thread. There are (far) fewer degrees of freedom in secp256k1 than in SHA1.
I did not laud Ed25519. Performance "considerations" is a human value judgement, assuming the performance domain has not been provably explored to its limits, thus the lower degrees-of-freedom claim is vacuous. (I wonder how many readers have the IQ to comprehend that? I hope many) Additionally the orthogonal point that focusing on performance is not the same as focusing on security considerations. I don't know all the details, but Bernstein did apparently at least include some security considerations (some mention about primes, etc) too, nevertheless that is orthogonal to my first point. Also the third orthogonal point that I see merit in Schneier's logic on not using ECC unless it is necessary (some of his reasons I repeated in my prior post in this thread, yet you should read his words).
This isn't to say that it might not turn out that there are snazzy new mathematical weaknesses possible, but there appears to be no room to have forced the selection of them. ... and snazzy new mathematical weaknesses are possible for anything. As soon as you've gone down the paranoid path of ANYTHING IS POSSIBLE OMG. ... Well, anything is possible, and anything else might be insecure for unknown reasons too.
As Schneier says we play the best odds. And as cryptographers we shouldn't take risks that can be avoided.
ECC has a few reasons to be suspected (read Schneier's words), and specific curves are even more suspect, and I included suspicion on the k variant used by Bitcoin with the justifications upthread.
And it is not just the mathematical attack, it is that there are 4 or more possible attacks combined:
1. Mathematical attack given shorter keys
2. Quantum Computer with Shor's algorithm
3. NSA possibly planted weak curves in standards
4. NSA possibly attempting to weaken many RNGs (this affects all crypto, but adds to the 3 above giving them more weight)
I am not knowledgeable about how much they can be compressed, yet I think the signatures are larger than ECDSA.
Yes, the signatures are larger. But you were saying
Bitcoin's non-balances design probably doesn't let it switch (the design and implementation) from 20 byte to 16KB public keys, and to 8KB signatures. This is a major revelation for me about Bitcoin insecurity.
Which is just @#$@#$ nonsense, and I was responding pointing out that public keys would be no larger, and so your invocation of balances is just hysterical gibberish.
It is my understanding that the entire history of unpruned signatures is stored in the block chain.
My current understanding is that a balances design would not require such an extensive history of signatures.
You've continually repeated misinformation in this thread (and in other threads, now that I connect your name). I realize that it's due to your ignorance and not due to malice, but it means that interacting with you is a waste of time. ... and I'm worried that I'm rewarding your poor understanding and poor research by continuing to respond to ridiculous claims.
I will grant you are good at insults and judging others.
Perhaps if you slow down and give others a chance to present their responses to your thoughts, we could get to a conclusion and then know what is what.
It may be that I am entirely wrong, but I don't see you've made all the winning points yet.
And even if you are entirely correct, the entire point of discussion is to help clarify everything. So how is that a waste of time? You ask for donations for helping, yet then hurl insults. I was actually earlier thinking about sending you 0.1 BTC as a token of my appreciation and was not even offended by your initial diatribe about balances that didn't come from anything I wrote in my OP.
I figured you were helping me anyway, even if you seem so cocky to assume that others are idiots and must be thinking stupid.
But now you've gone completely overboard with your personality and comprehension defects.
Do your own work for a bit, instead of making me feel like you're just converting every doubt you have into a FUDdy misstatement of fact in order to make other people do the work in refuting you.
Refutation (entertaining potential issues and then proving they are not an issue) is one of the most important jobs of a cryptographer and security analyst isn't it?
You should applaud probing.
Rather I detect that you are angry that you would offer any assistance to anyone who might upset the Bitcoin applecart or create an alternative coin. Sorry if I refuted resoundingly what you probably thought were slam dunks to shut me up. My IQ tends to find the maximum breadth tree of possibilities, so you better make sure there is no stone unturned before you cockeyed (as in cocky) assume you've won an argument with me.
It is necessary that in the process of everything assistance will flow around. That is how open source and academic research works.
If Bitcoin is rock solid, it will all flow back mostly to Bitcoin anyway. I want the best coin, and if it ends up Bitcoin, then great.
So far, I think my logic is sound, yet I am open to any convincing logic you can present. But it is clearly becoming very difficult to have any discussion with you that doesn't conform to your biased vested interests.
I am trying to look at this objectively. We shouldn't take risks if there are not tradeoffs to not taking them. Note I did specifically write "need more study" above, so I am not yet asserting there are no counter-balancing tradeoffs.
Why is that example better than forcing all coins to be spent entirely and change to be sent to another coin?
Because that is an emulation of exactly what we have now! It's fine but it's effectively what we have now. Jesus.
You conflate orthogonal concerns.
While we may have feature A now, we may still have feature A and get rid of a doubt that we don't need, while gaining other features too. Maybe without tradeoffs, but I am not asserting that "until more study".
You are really frightened of any talk about an alternative coin design.
As for what we might gain with a balances system (more study needed though):
None of these things follow from that premise. You might as well have listed "Peace on earth and goodwill towards men". We can already deploy Merkle signatures, with no incompatibility at all—(many) existing clients can already send coins to them, and would deploy them in weeks if there were ever an indication of our current checksig becoming weak. "Balances" are entirely orthogonal.
Then the Bitcoin blockchain bloat will grow worse due to longer signatures and that may be a factor that is driving centralization of pools. And other considerations...
So deploy them now to eliminate the doubt if you conflate the tradeoffs because you assert by implication there are none.
And don't wait until after the attack has started, because then weeks will be weeks too late.
Jesus indeed, especially the humorous part about my ignorance. Got a mirror handy?
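The degrees-of-freedom argument above can be checked rather than argued. The following is an added example (written for this page, not code from either poster or from Bitcoin): it takes the secp256k1 constants as published in SEC 2 and verifies that the field prime really is 2^256 - 2^32 - 977, that a = 0 and b = 7 are the only curve coefficients, that p and n are prime, that G lies on the curve, and that n*G is the point at infinity. The helper functions (on_curve, add, mul, is_probable_prime, check_parameters) are this example's own and assume Python 3.8+ for pow(x, -1, p).

```python
# Constants as published for secp256k1 in SEC 2 (Certicom); all else is added here.
P_HEX = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
P = 2**256 - 2**32 - 977  # the field prime in its generalized-Mersenne form
A, B = 0, 7               # curve y^2 = x^3 + 7: the only curve coefficients
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def on_curve(pt):  # None is the point at infinity
    return pt is None or (pt[1] ** 2 - (pt[0] ** 3 + A * pt[0] + B)) % P == 0
def add(p1, p2):  # affine point addition
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # p2 == -p1
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1, -1, P) % P  # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P  # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)
def mul(k, pt):  # double-and-add; not constant-time, fine for a parameter check
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc
def is_probable_prime(n, bases=(2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37)):
    d, r = n - 1, 0  # Miller-Rabin with fixed bases; ample for a sanity check
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return n > 3
def check_parameters():  # every value True => the published constants fit together
    G = (GX, GY)
    return {"p_form": P == P_HEX, "p_prime": is_probable_prime(P),
            "n_prime": is_probable_prime(N), "G_on_curve": on_curve(G),
            "nG_identity": mul(N, G) is None}
```

What the check cannot settle is the remaining free choice, the base point G; it only confirms that the constants that are published are mutually consistent.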