Topic: Lost coins vulnerable to theft in the future? - page 2. (Read 579 times)

It's closer to 4 million vulnerable coins, according to this study: https://www2.deloitte.com/nl/nl/pages/innovatie/artikelen/quantum-computers-and-the-bitcoin-blockchain.html

It was done around 2 years ago, but you can see from the graph halfway down the page that the number has fluctuated around the 4 million mark for ~8 years, so I suspect it is still around the same. P2PK outputs are essentially constant and unchanging, while reused P2PKH addresses have slowly fallen as reused P2WPKH addresses have slowly increased. And of course we can now add in P2TR outputs as well.

This is the most convincing argument for the opposite position to mine, I think. But it is worth pointing out that nobody's coins were made unspendable when OP_CAT was removed, compared to the millions of coins which would be made unspendable if OP_CHECKSIG is removed.

It can only be seen from this thread that opinions on this are very different (relevant points on both sides).
For this reason, I think that forming a new consensus would not be reached and the default situation (letting the coins be stolen) is the most likely outcome.
Or the situation is resolved by two separate forks and market valuation.

My logic is that if something is considered vulnerable then it must be removed from the Bitcoin protocol. For example if OP_CAT has a weakness then it is removed from the code entirely even if someone had used it in a script. Which is exactly what happened, this OP code and a handful of others were completely removed.
Similarly if OP_CHECKSIG becomes vulnerable then it must be removed from the code not still remain there and let people choose to use it or not!

Yeah, I know, as stated in my post.
Also P2TR outputs are in the same danger.
So maybe altogether 2-3 mil. is accurate.

The damage (of course if that happens at all) depends on the speed of breaking the keys.

That's a big assumption. There are millions of bitcoins to P2PK outputs, many of which get spent frequently throughout the years. Definitely people lost a fortune back in 2009 due to some accident, but it's no way millions. Perhaps few hundreds of thousands have been non-provably lost. Impossible to know exactly nor to approach it effectively.

Note that there are addresses with revealed public keys that do have a balance and aren't P2PK outputs, such as 1P5ZEDWTKTFGxQjZphgWPQUpe554WKDfHQ. Those are in the same danger as well if their owners don't move them to a quantum-safe address.

I agree with that. Let's say there are even 2-3 mil. coins that are lost (nobody has private keys anymore). If the stealing lasts 10 years it's like mining with current block subsidy at that time (approx. 328.500 BTC is currently mined per year). And to be honest, I don't think that many coins are lost and thus would stay on vulnerable addresses.

Of course, if the attacker manages to crack keys from dozens of thousands P2PK UTXOs within a couple of months it could be disastrous (pricewise).
And there are also other UTXOs with revealed pubkeys (reused addresses, P2TR, etc.).
FYI: there is currently 1.73 mil. BTC on 48.000 P2PK UTXOs.

It took me a bit to understand what you were saying, and I thought you might have meant the reverse initially - mostly because my view is the opposite.
 
Such censorship, deleting, and blocking of addresses would make bitcoin obsolete. If the arguments about censoring old coin ever succeed, then bitcoin would have already failed because it would show that bitcoin is not a long term store of value, in which case, the idealogues should move on.

It's not that any reasons for censorship are arbitrary reasons, but they are ones that I don't think will ever result in anything because the results are much more unpredictable than the scenarios in this thread. The product of old addresses being cracked is no different than them being re-engaged in by the original owners (or their inheritors), the latter of which could happen at any time. The very top thread assumes two scenarios which I think would happen in exactly the opposite fashion -- someone who has been holding onto coin for ages has little reason to sell them immediately or quickly because they have 'enough'. Their sale pressure is pretty low, so the scenario given above is unlikely. Even if such old coin are sold by crackers or original owners, then it results in a more distributed coin, which adds long term value to the network and is a necessary part for sustainability and growth.

Which is why I think what will probably happen is the scenario I've described above, where lost coins are gradually stolen and re-enter circulation. If we can't reach a consensus on some other solution, then this is the default position which will happen if we do nothing, as Adam_xx points out above.

I disagree. If the community can decide that you cannot be trusted to look after your coins and move them to a quantum resistant address before they are stolen, then the community can also decide that you cannot be trusted when it comes to any other scenario, and can therefore censor you.

Then move the coins to a quantum-safe algorithm by then. It's your money, your responsibility after all. Freezing P2PK outputs (for example) endangers the significance of self-custody. Nobody should touch any coin, but only inform about the weaknesses. The coins that aren't provably burned, exist, and can, therefore, enter the market at anytime.

Moving the coins, alone, doesn't de-anonymize, though.

Irrelevant arguments here because we are not talking about some "arbitrary reasons" we are talking about a serious one that would make the very thing that made bitcoin secure becoming obsolete.
It's not all about price either, in fact not preventing old UTXOs from being spent would be against the fundamentals of bitcoin where your coins are only yours to spend not everyone's.

Naturally, being a Bitcoin supporter I would lean to yeah. However, these things can be unpredictable, and it really does depend on what's happening in the world, and everyone's view on Bitcoin. There's just so many possibilities that could happen to benefit or even undermine Bitcoin.

What can be said, the idea behind Bitcoin works, and for me has the most appeal out of any other currency on the market. Will that change in the future, who knows.

Yeah, although lets say that a hard fork did occur (either necessary or deemed the best choice) to escape this sort of scenario. Those on the old chain wouldn't be able to easily prove they owned the coins on the new chain. At least, I don't think there would be a easy way of doing it. Maybe, but probably beyond my understanding, at least at this stage. I thin we're still in the stage of thinking of thinking about solutions, since it's too far away right now that there's not a whole lot of urgency needed.

Whatever the circumstances, there's going to be a lot of split opinions when it comes to the proper discussion definitely. I don't want to see old coins released back in, and I don't want to see the destroyed. I probably am of the same opinion of o_e_l_e_o, but I'd rather see them broken into, and stolen than forcibly from a Bitcoin perspective force remove them or redistribute. There's too many worms, and not enough cans.  

Totally agree with that. And Satoshi selling all his coins would be destructive as well.
But we assume it won’t happen (selling, not moving). But would it be the case for anybody else?
Would this selling pressure be recoverable?

It doesn't matter what the consensus is; we can't force whoever owns the private key to these coins to actually burn them, whether that's the real owner or an attacker. The only other option would be for a large entity such a mining pool to buy their own quantum computers to steal and burn these coins, although I would imagine most mining pools would take the coins as profit long before burning them.

The surprise to the system would be similar to Satoshi or some other early miner returning and suddenly moving a few hundred thousand or even million bitcoin which have been dormant for 12+ years. And that could happen at literally any time, and there is nothing we can or should do to prevent it. Assuming that coins which have not moved in a long time are lost permanently is wrong, although I'll concede that many users in the market do assume just that.

Well, I suppose (and hope) that the UTXO set (or basically the "ownership database" in any future form) will be preserved even if there is a completely new technology and this new "system" moves the Bitcoin's UTXO set into it. But that is for another discussion

You are absolutely correct, inflation was not a right word at all. But let's say the market counts non-provably lost coins as provably lost-coins (and might be surprised one day).

Well, it's very unlikely its going to be quick, i.e a few minutes. Besides, you'll have a gradual build up to this. We aren't anywhere near the capability of doing it right now, and even when you factor in exponential growth there's going to be a long, long time before something is capable of doing it within minutes. Despite, the exponential growth, it'll still we somewhat gradual in the time that it takes to break it.

By the time something is capable of breaking it within minutes, Bitcoin could have well have moved on so much, that the old chain is considered obsolete, or alternatives people themselves might have found an alternative to Bitcoin. What I'm saying is there's just too much unknown factors to even realistically talk about it. Hence, why the discussions around it have been what ifs, rather than anything substantial. We'll get there, when we get there.

There's no realistic way an entity suddenly gains power to break ECDLP within a few minutes.

Inflation pressure? There's no inflation pressure, and will never be. Provably lost coins are lost, gone, removed from circulation. Period. Non-provably lost coins aren't removed, they're just trapped. No one should assume they won't return into circulation, and in fact, we, overtime, observe some decade-old, dusted, 50 BTC worth outputs being spent, which reveals that these coins are falsely assumed as lost.

The system begun with the presumption that someday it'd reach a number less than 21 million coins, without any arbitrary monetary policy, and so it is.

But how do you distinguish legitimate users from "thieves"? The legitimate/stealing transactions will both have a valid signature.
If there is ever a consensus to lock the coins I guess the only way would be to block the UTXOs (to block all coins with vulnerable signatures, not just some chosen coins) after a long period of alert (e.g. a decade) before the attack itself, not after the coins have already moved. After some block height, only coins on new and safe addresses will be movable. But even for this scenario I can't imagine reaching a consensus for the reason below:


No one knows if the key break will take minutes, hours, weeks, years but I suppose it won't be one entity takes it all with a single attack in a single day.
And if the stealing lasts years or decades in small chunks nobody can prevent inflation pressure on Bitcoin, unfortunately.


Reaching consensus on burning someone else's coins is hard but "sacrifice" the coins (let them be stolen) doesn't require forming a new consensus. It is what the current code says, basically.

If you can burn or lock coins for arbitrary reasons, then you have proven that you can manipulate the ledger, after which it will never be long until censorship rears its regular head.

Which should in theory mitigate the effect of the short term price hit, due to panic, and the fact there's new coins being reintroduced to the economy. However, it likely means you'll see a smaller effect, for a longer time since they'll be gradually taken, and reintroduce rather than all at once.

Depending on your perspective, both scenarios have their pros, and cons. Ultimately, the very long term probably isn't effected.