Topic: please delete - page 6. (Read 2135 times)

I'm not advocating they "vanish" just that they be redistributed to active bitcoin participants. That's all. If an address has no activity for a certain amount of time, it's pretty sure that it can't participate in bitcoin anymore. And that it won't be.

Now as far as secondary storage to me that seems like a very slippery slope. Where they can segregate utxos based on some type of metrics and charge them extra fees to use bitcoin. So what ends up happening is that bitcoin is not really fungible and certain kinds of utxos will be discriminated against. I wouldn't be interested in that at all.

But if someone is not going to use their bitoin for their entire lifetime and another lifetime after that then a case could be made that they dont need it.

I'm just suggesting the "or else" after the advanced warning to be more extra fee because it will be fetched from secondary storage, instead of being those UTXOS r  just trimmed with any coins in them simply vanished

If they "they" you mean a single person then don't worry. 200 years is plenty of time for them to make a transaction. if they haven't done it by then they aint gonna do it.

here's a question for you though. how do you stop someone from setting up automated transactions that would occur every 199 years? because we need to make sure that people are doing these transactions and not computer programs. that might be a big problem, no?

oh and i'm not hugely concerned about the utxo set size but then again, if you're talking about moving older utxos to a secondary storage and charge people fees to use them then i'm against that. but I'm not against the idea of chipping away at peoples stale utxos so that instead of taking the entire thing all at once, you just take parts of it so that over time it goes to zero. that way they get a advanced warning to do something or else.

Riiight, makes sense, thanks! Would there be a concern in sending all utxo's at once to chipmixer and receiving it on multiple addresses in the new wallet?

I agree, but if the old wallet wasn't linked to their identity, the new one won't either. Sure, they'll be linked amongst them, but what's the issue?

Interesting. I found this paper online that compares the koblitz and random versions: http://ijeecs.iaescore.com/index.php/IJEECS/article/view/15610
Apparently, secp256k1 is up to 30% faster than secp256r1 and slightly (but not significantly) less secure. In section 4, they also argue that secp256r1 has some weird constants of itself as well:

Helpful about hard forks/ soft forks & combined here
https://youtu.be/U2yAcsj7P_E
She discusses in min 1:9-15 I think how sometimes people using SPV loses money if wallets wasn't careful about the update (they just see block headers & the Merkle paths they care about)

& interesting in this one u'll see he says Schnorr was known to be better from the beginning, but had a 20yrs copyright that prevented it's use
https://youtu.be/0Q5IimX-AAc
.
Sorry, if this is considered out of scope of this topic.

Someone more knowledgeable than I should comment on that.

Well the exact steps depends on what happens. For example SHA-0 was replaced by SHA-1 almost as fast as NIST published the standard for it because it had a weakness and it was found quickly. Same with SHA-1 but it took a long time (20 years) to break that one.
With the current ECDLP solutions it would take more than our lifetime to break anything but I can't predict what's going to change.

That's the nature of any hard fork and nothing can be done about it! And we aren't touching anyone's money, they would do it themselves.

I mean, it will be in 'their' interest, because else they'll lose all funds.
Contrary to random hacked / stolen / leaked Netflix accounts for example, there is a big financial incentive to crack public Bitcoin keys.

Why so? I myself one day decided to transfer funds from my legacy addresses to bech32 addresses and did it to save on transaction fees in the long run. The old addresses were not tied to my identity, the new ones aren't either. I don't see how anonymity was compromised in the process. This is how migration to new wallets with a new cryptographic scheme could work.

That's what we've written in our wiki. It is also written in this pdf.

You don't have to predict the future. I'm not asking you to tell me the exact steps we'll follow to secure the system after the specific public-key cryptographic algorithm we're using is broken. I'm just telling you that at some point in the future, whether we want it or not, we'll have to demand from “our” users to migrate.

Needless to mention the problems that're created once we touch people's money.

You are talking about stealing or destroying people's money here, what if they're just HODLing???
I definitely do not agree.
Also, if u force a referesh, u will be forcing them to reveal their identity which I think is against Bitcoin main feature of Anonymity

If u worry about UTXOS set size, u could modify the idea in the paper we were discussing here
https://bitcointalksearch.org/topic/is-there-a-fee-utxo-in-every-transaction-5357803

To make an age threshold which  after it UTXOS are kept in secondary storage, and can only be spent with an extra fee like min charge since they will require a disk access to verify.

The min charge fee could be announced before being applied. Although in fact the sudden movement of all old UTXOS could cause some mess in programs that handle the UTXOS Merkle based on the heuristic of old UTXOS r less likely to being spent than newer ones, and in the market metrics data scientist use to predict price & advice their customers so may affect the price not sure how

Were they? I don't think NIST has ever released how they chose any of the domain parameters of any of their curves. Their "r" (random) curves such as secp256r1 have a random seed but that doesn't apply to "k" (Koblitz) curves.

I can't predict the future but most probably there will be a long interval (like a year or two) for people to migrate.
BTW Tarproot (P2TR) uses the public key in pubkey scripts similar to (but more complicated than) P2PK.

The whole point of Bitcoin works if the public key used in the scriptSig cannot be reversed. That's where we'll start. Vulnerabilities in secp256k1 haven't be found and probably will never be as the constants were picked in a predictable way which reduces the odds of having inserted a hidden backdoor into the curve.

This leaves us to acknowledge that your third bullet point could be the only realistic possibility sometime in the future. The question remains: What will happen in case the existing keys become unusable at some point in the future? Shouldn't we take some sort of precautions? The last thing we'd want is to force everyone hastily to change their keys.

It depends on what is broken, and some other details which you'll need an expert.
- If it were the signature algorithm (ECDSA) then choosing a different signature algorithm could solve the issue while still using the same curve (hence the same key pairs). Basically we can only change how OP_Check(Multi)Sig(Verify) OP codes (4 OPs) work.
- If the vulnerability were with the secp256k1 curve, changing curve would be a solution but the same keys may not be on the new curve anymore. I also doubt this can happen on this curve alone and not all 256-bit curves (ie the next bullet point).
- If Elliptic Curve Cryptography itself were broken (eg. private to public key were reversible) it has to be completely replaced by another asymmetric cryptography algorithm which may or may not make the existing keys unusable.

Yes, but I think the question is:  How can we migrate to a stronger algorithm by retaining the private keys of the current ECDSA? In your example, the browsers had to just start using a different hash algorithm, but they weren't concerned on “converting” the old hashes to new ones. In this case, someone who owns money on a P2PK address has to be able to spend them with the same ECDSA private key it was given to him, but switch to a stronger algorithm at the same time.

First of all it does matter if ECC is broken or not. Without ECC being broken it doesn't matter at all if the public keys of those outputs (or any other output such as the case with address-reuse) are known, public keys are meant to be public, that's the whole point of asymmetric cryptography.
So for it to be a concern, ECC or at least 256-bit curve has to be broken and considered weak.

Secondly there shouldn't be any kind of "coin age" involved. If ECC is broken and someone can compute private key from it (or break ECDSA, etc.) in reasonable time then there is nothing stopping them from investing more effort into it so that they can also reverse your transaction from an only once used P2PKH output while it sits in the mempool waiting to be confirmed (you have to reveal the public key then).
As I said before you can no longer say "bitcoin is safe" if ECC is broken. So it has to be replaced completely in the protocol (affecting all coins).

Think of it as what happened to SHA1. At some point it was considered weak, then there was a very long transitional period where all browsers started migrating to SHA2 certificates and then at a certain date they stopped accepting any SHA1 certificate altogether. Today if a website has a SHA1 certificate your browser will block it. Then after all that time, someone (Google) found a collision by spending a lot of computing power.

Guys, I'm not talking about an altcoin, or if a fork is made and it turns out to be an altcoin that no one uses. We stick to bitcoin and if no one likes the idea, and no consensus is reached, then there are no changes. I don't agree with everything the OP said, except the part where unspent coins will remain unspendable.

Currently, they are unspent because they have not been spent, but can one day be spent. Whether ECC is broken or not, the concern is the public keys of those early addresses (P2PK) are known and exposed.

It also doubles as a Canary ... because then everyone will see that those coins get spent one day and we all suspect it's probably not Satoshi who moved them.

My idea was just building up on the OP, who said, if it's not been spent, let's make sure it never gets spent.

I have no issues leaving it the way it is, and this idea is not new, it has been brought up before by other people. We don't want reclaiming coins (and a lot do not want that), but I think unspent coins in P2PK addresses that have remained unspent for 20 years ought to become unspendable in the future.

By the way, does anyone have an idea how much BTC there are in P2PK addresses that have not moved since maybe 2011? (or when did we start not using P2PK addresses?). I read some estimates of about 2 million bitcoin in P2PK addresses that have not moved.

Relevant link: https://bitcoinist.com/bitcoin-worth-usd-40-billion-vulnerable-to-quantum-attacks/

YOu are actually right. The correct timeframe could be more like 200 years.

I had been thinking about this issue and instead of creating a new thread, I decided to just add my proposal to the OP's since he and I have similar ideas. Hopefully satoshi if he is reading this would not only reward the OP but me as well.

It would be an altcoin.

They are using P2PK scripts where the output contains the public key instead of the hash of it and there is no "address" defined for these scripts, they are just outputs without a corresponding human readable string (aka an address).

If by enough you mean a million+ years worth of computing power, then you are right.
Also your argument do not justify your idea simply because if ECC could be broken and bitcoin were still using it, then it would become obsolete as a whole.

How can you say something like that? Of course we should care what his vision was. Now about that little quotations you provided. All I can about that is "my bad". 

No you're right, I didn't think this through at all so far, I don't think OP's idea would work without the 'deleting old utxos' part, I was just thinking maybe it could be possible but it's indeed not going to happen..