
Topic: Theymos: “Bitcoins Belonging to Satoshi Should Be Destroyed” - page 7. (Read 18587 times)

legendary
Activity: 1176
Merit: 1017
But regardless, the answer is _no_. The prerogative -- and the responsibility -- belongs solely to the owner.
The owner had best get on with securing his stash before they are taken.  Does it take a quantum computer to take them?  Can a classical computer take them in a reasonable amount of time/effort?  Should I be making an effort to take them?  In the meantime, the market participants should take the risk into account and discount the exchange rates.  Or are we saying they already have?  I doubt it.  If/when a Satoshi coin moves then the markets will react.  Until then the working assumption is they won't ever move.  Since the movement would likely wreak havoc then there is something to talk about.  If enough "voters" want to eliminate this risk then they can.  Don't sit on a pile and expect the rest of humanity to ignore it.  If nothing else the rest of humanity can abandon Bitcoin for something else without that particular risk.

If nothing else the rest of humanity can abandon Bitcoin for something else without that particular risk.

That /\ would actually be the result of this \/.

If enough "voters" want to eliminate this risk then they can.

LOL
legendary
Activity: 1092
Merit: 1001
The Bitcoin client's built-in solo miner paid directly to a public key, not an address. So there's over a million BTC in the form of unspent 50-BTC block rewards which are vulnerable to a break in ECDSA. This is the main concern.

Unspent addresses are OK, at least until quantum computers get so fast that they can break keys within the few minutes between when you spend from such an address to when it gets confirmed. Contrary to what someone said earlier, SHA-256 and RIPEMD-160 are OK. QC halves the number of bits of security for symmetric crypto. SHA-256 has 128 bits of security under QC, etc.  Whereas all asymmetric crypto used today is totally broken (i.e. the complexity of breaking a key is polynomial w.r.t the key's length under QC, though it still might take some time).
Oh.  What does it mean to be "paid directly to a public key, not an address"?  Let's compare https://blockchain.info/tx/0e3e2357e806b6cdb1f70b54c3a3a17b6714ee1f0e68bebb44a74b1efd512098 to https://blockchain.info/tx/4d32d3caa4fc7121e48c59e895ff50aa4a80763aea107e7fc82749885aac5e99 and try to see the difference.

There is a security difference. See the following.


https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses


Instead of destroying Satoshi's stash, how about if we create an address and move the vulnerable coins there for safekeeping?

That has been proposed as well, but the problem is that ultimately you are locking those
coins indefinitely, which is the same as destroying or burning them.

The bottom line is, if users do not move their coins to a more secure cryptography in the future,
they risk losing them through theft from more advanced systems. Plain and simple.
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
humanity can abandon Bitcoin for something else without that particular risk.
If that is what they want I invite humanity to do just that.  Bitcoin will still be Bitcoin no matter what Nanny coin is developed for the "humanity" you speak of.
hero member
Activity: 709
Merit: 503
But regardless, the answer is _no_. The prerogative -- and the responsibility -- belongs solely to the owner.
The owner had best get on with securing his stash before they are taken.  Does it take a quantum computer to take them?  Can a classical computer take them in a reasonable amount of time/effort?  Should I be making an effort to take them?  In the meantime, the market participants should take the risk into account and discount the exchange rates.  Or are we saying they already have?  I doubt it.  If/when a Satoshi coin moves then the markets will react.  Until then the working assumption is they won't ever move.  Since the movement would likely wreak havoc then there is something to talk about.  If enough "voters" want to eliminate this risk then they can.  Don't sit on a pile and expect the rest of humanity to ignore it.  If nothing else the rest of humanity can abandon Bitcoin for something else without that particular risk.
legendary
Activity: 3038
Merit: 1660
lose: unfind ... loose: untight
With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.
Shouldn't we instead move the car(s) to a more secure location until the proper owner steps forward to claim?

Perhaps you missed the 'with today's technology...'. Are you proposing that it would be valid to do so today? For that is the analogy.

But regardless, the answer is _no_. The prerogative -- and the responsibility -- belongs solely to the owner.
legendary
Activity: 1176
Merit: 1017
With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.
Shouldn't we instead move the car(s) to a more secure location until the proper owner steps forward to claim?

The root of this very question has been dissected many times in philosophical debates.  Here is one such debate that illustrates the reasoning: https://birajbahadurbista.wordpress.com/2013/12/10/concept-of-justice-in-platos-republica/
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
My question in this debate is becoming:  Even if the Secp256k1 algorithm becomes exploitable by quantum computing, where does pruning the block chain by burning unsecured ledger entries fit into the consensus protocol? I think this is where the bigger leak in this argument can be demonstrated.
This is the actual crux of this and any other argument that has the form "I think we should do X to enhance/change/fix Bitcoin"

This has been proposed thousands of times on this forum:  change the block reward, 21M cap is stupid; decrease the block time, 10 minutes is too long for me to wait; prune out the old coins, they might get stolen and dumped; and my all time favorite:  recycle the "lost" coins so we can mine them again and bring the total back up to 21M.

All of these hypothetical desires fail right out of the gate based on the fact that any fork of this nature creates a new coin and this new coin is no longer Bitcoin.

As long as there remains a small number of miners and nodes on the original protocol that side of the fork is Bitcoin - the other side of the fork is something else.
hero member
Activity: 709
Merit: 503
With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.
Shouldn't we instead move the car(s) to a more secure location until the proper owner steps forward to claim?
legendary
Activity: 3038
Merit: 1660
lose: unfind ... loose: untight
So from this perspective, which I agree with, the risk of losses from other people's insecure coins is part of the risk I assume when I buy into bitcoin. If this is the consensus of the bitcoin community (and I think it is), then I am much more agreeable that no action should be taken to destroy coins that could be lost due to a QC-event or similar loss of security.

Thank you for your reconsideration.

For the record, the charge of im-/a-morality was meant more to shock people into reexamination of the issue. In general, I tend to accord people as intending to behave in a moral manner unless there is concrete evidence to the contrary.

But to seal the deal for others on the sidelines:

With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.

legendary
Activity: 1176
Merit: 1017
(Hmmmm....I must be on the collectively biased midget minded ignore list....)
(I will save that argument for another time.)

My question in this debate is becoming:  Even if the Secp256k1 algorithm becomes exploitable by quantum computing, where does pruning the block chain by burning unsecured ledger entries fit into the consensus protocol? I think this is where the bigger leak in this argument can be demonstrated.
hero member
Activity: 709
Merit: 503
The Bitcoin client's built-in solo miner paid directly to a public key, not an address. So there's over a million BTC in the form of unspent 50-BTC block rewards which are vulnerable to a break in ECDSA. This is the main concern.

Unspent addresses are OK, at least until quantum computers get so fast that they can break keys within the few minutes between when you spend from such an address to when it gets confirmed. Contrary to what someone said earlier, SHA-256 and RIPEMD-160 are OK. QC halves the number of bits of security for symmetric crypto. SHA-256 has 128 bits of security under QC, etc.  Whereas all asymmetric crypto used today is totally broken (i.e. the complexity of breaking a key is polynomial w.r.t the key's length under QC, though it still might take some time).
Oh.  What does it mean to be "paid directly to a public key, not an address"?  Let's compare https://blockchain.info/tx/0e3e2357e806b6cdb1f70b54c3a3a17b6714ee1f0e68bebb44a74b1efd512098 to https://blockchain.info/tx/4d32d3caa4fc7121e48c59e895ff50aa4a80763aea107e7fc82749885aac5e99 and try to see the difference.

Instead of destroying Satoshi's stash, how about if we create an address and move the vulnerable coins there for safekeeping?
legendary
Activity: 1092
Merit: 1001
I hear what you're saying and I'm intrigued, because it implies my somewhat simplistic understanding of encryption technologies may be wrong here.  However, if it were so simple, then why would there even be a discussion about earlier coins being more vulnerable?  If any existing (or technically non-existing) private keys could be used to match up to existing bitcoin addresses using a different DSA, then the only addresses that would ever be vulnerable are addresses that have been used as outputs or signed against using the old DSA.  In that case, the majority of the coins being discussed here that were mined and never touched would be safe unless blocks were once generated including a signature for the address the reward was mined to and that was subsequently changed some time ago.  So, what gives?
Perhaps the quality of the private keys is in question.  If a private key is generated with good randomness then it shouldn't be vulnerable.  If a private key is generated with poor randomness then it is vulnerable.  If the Satoshi (or anyone else's for that matter) private keys are at risk then having them age out seems like overkill.  Let the lucky bad actors take them.  The owners of such can move them before they are stolen to an address derived from a superior private key.

If the quality of the private key isn't in question then what the heck are we talking about? ...

The following is what Theymos stated the issue is centered around.
Early mined coins are more vulnerable since public keys were used then.
See the below quotes from earlier in this thread.


How are coins that are never spent factored into this? I mean, those addresses that do not have public keys yet, because the coins have not been spent and that particular address has not been reused?

Isn't it that bitcoins are protected by at least 2 layers of encryption: The public / private keys, and a hash which results in the bitcoin address?

The Bitcoin client's built-in solo miner paid directly to a public key, not an address. So there's over a million BTC in the form of unspent 50-BTC block rewards which are vulnerable to a break in ECDSA. This is the main concern. (Emphasis added)

Unspent addresses are OK, at least until quantum computers get so fast that they can break keys within the few minutes between when you spend from such an address to when it gets confirmed. Contrary to what someone said earlier, SHA-256 and RIPEMD-160 are OK. QC halves the number of bits of security for symmetric crypto. SHA-256 has 128 bits of security under QC, etc.  Whereas all asymmetric crypto used today is totally broken (i.e. the complexity of breaking a key is polynomial w.r.t the key's length under QC, though it still might take some time).
hero member
Activity: 709
Merit: 503
I hear what you're saying and I'm intrigued, because it implies my somewhat simplistic understanding of encryption technologies may be wrong here.  However, if it were so simple, then why would there even be a discussion about earlier coins being more vulnerable?  If any existing (or technically non-existing) private keys could be used to match up to existing bitcoin addresses using a different DSA, then the only addresses that would ever be vulnerable are addresses that have been used as outputs or signed against using the old DSA.  In that case, the majority of the coins being discussed here that were mined and never touched would be safe unless blocks were once generated including a signature for the address the reward was mined to and that was subsequently changed some time ago.  So, what gives?
Perhaps the quality of the private keys is in question.  If a private key is generated with good randomness then it shouldn't be vulnerable.  If a private key is generated with poor randomness then it is vulnerable.  If the Satoshi (or anyone else's for that matter) private keys are at risk then having them age out seems like overkill.  Let the lucky bad actors take them.  The owners of such can move them before they are stolen to an address derived from a superior private key.

If the quality of the private key isn't in question then what the heck are we talking about?  If I sign and distribute a bunch of messages using my private key then each of those messages give the bad actors more data to attack.  If I never sign and distribute even a single message then I am just depending on the quality & security/privacy of my private key.  The block reward comes into existence without any signatures.  Only outputs require signatures.  Move coins to a fresh address (one that has never been used to sign) and it is safe.

Destroying anyone's coins to eliminate the risk of them becoming active is wrong pure and simple.

Is someone worried that Satoshi or anyone else is at risk of being coerced?  Destroying their coins hardly seems the appropriate response.
legendary
Activity: 2310
Merit: 1047
If it will help to prevent monetary inflation, why not? I am not really interested in bitcoins that belong to Satoshi Nakamoto; I am interested only in my own income.
Bitcoin doesn't really have inflation, and no one should have the power to touch someone else's coins, whatever their name is.
hero member
Activity: 807
Merit: 500
Point of information:  it is not the hashing algorithms that are QC vulnerable, it is the ECDSA that is vulnerable.  If/when QC becomes a reality we will have no trouble convincing a majority to move to a new DSA.  Deciding exactly which new DSA to move to may be an issue but after a lot of the standard drama that accompanies all decisions in Bitcoin, I believe a new DSA will be picked and we will move to it.  The hashing algorithms used can and will also be replaced/upgraded as needed (just not due to QC).
Oh.  Where is ECDSA https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm used in Bitcoin?  If that can be changed without me giving up my current private keys and Bitcoin addresses then this whole topic is noise.
Found it; https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm.  So, yeah, this topic is useless; move on.
Actually, this discussion is all about whether or not you should have to give up your current addresses.  Any new algorithm would require new addresses and new private keys.  Your existing private key and address could not be ported (for lack of a better word), and the discussion technically revolves around whether or not you have the right to keep using the pair even after it could be vulnerable to attack.
No.  The private key and corresponding public key (a.k.a. your Bitcoin address) do not have to change at all.  Rather, if/when we change the DSA from ECDSA (which is QC vulnerable) to another DSA which is QC resistant then your wallet software will have to be changed to use the new DSA; that's all; nothing else.
I hear what you're saying and I'm intrigued, because it implies my somewhat simplistic understanding of encryption technologies may be wrong here.  However, if it were so simple, then why would there even be a discussion about earlier coins being more vulnerable?  If any existing (or technically non-existing) private keys could be used to match up to existing bitcoin addresses using a different DSA, then the only addresses that would ever be vulnerable are addresses that have been used as outputs or signed against using the old DSA.  In that case, the majority of the coins being discussed here that were mined and never touched would be safe unless blocks were once generated including a signature for the address the reward was mined to and that was subsequently changed some time ago.  So, what gives?
newbie
Activity: 56
Merit: 0
... I agree perfectly well with you that if (legitimate) ownership can be established, the coins should be left alone and that ownership absolutely should be respected.

No. Until it is conclusively shown that the legitimate owner has zero interest in the coins, only he has the right to decide what's to be done with those coins.

Failing to expend trivial effort to safeguard coins would, it seems to me, "conclusively show" that the legitimate owner had zero interest in the coins.
You're easily convinced, it shows no such thing to me.
Bitcoin is meant to be a store of value, safeguarded by "immutable laws of the cosmos and maths." If my investment is only safe as long as I read bitcointalk on regular basis, that's not something I'm interested in.
A person may not be able to move his coins for extended periods of time, being thrown in prison, for instance.

Quote
Those disagreeing with me recently have emphasized the paramount rights of an owner of bitcoins against any infringement, even if it means that other bitcoin owners might be harmed by their inaction. (In this case, coins being stolen and dumped.) Whereas I've played the role of a neutral arbiter who is trying to minimize loss across the board, across all owners.
Thieves are no more likely to dump stolen coins on the market than are the legitimate owners. Less likely, actually, because such sums would need to be dumped via exchanges, which means banks, which means KYC/AML.
Moving the coins to a bunch of other addies is far simpler, and wouldn't look any different than same coins being moved by their legitimate owners.
So "kill the few so that many could live" vs "do nothing & many would die" is a false dichotomy.
member
Activity: 96
Merit: 10
No.  The private key and corresponding public key (a.k.a. your Bitcoin address) do not have to change at all.  Rather, if/when we change the DSA from ECDSA (which is QC vulnerable) to another DSA which is QC resistant then your wallet software will have to be changed to use the new DSA; that's all; nothing else.

If we don't change the DSA to one that is QC resistant then bad actors (with enough moxie) will be able to sign messages moving bitcoins they have no right to move.


So basically only reused addresses, or those who sign messages with the address, are in danger, right? This would mean no Lightning Network (or Blockchain.info Thunder) anymore. Btw, does a QC-resistant DSA even exist? All I know is you can only keep increasing bits from 256 to 512 and higher so QC cannot catch up, as it needs an increasing number of stable qubits, which is the real challenge in QC. If you need to reuse addresses, that's it.
hero member
Activity: 854
Merit: 500
If it will help to prevent monetary inflation, why not? I am not really interested in bitcoins that belong to Satoshi Nakamoto; I am interested only in my own income.
legendary
Activity: 1708
Merit: 1036
... I agree perfectly well with you that if (legitimate) ownership can be established, the coins should be left alone and that ownership absolutely should be respected.

No. Until it is conclusively shown that the legitimate owner has zero interest in the coins, only he has the right to decide what's to be done with those coins.

Failing to expend trivial effort to safeguard coins would, it seems to me, "conclusively show" that the legitimate owner had zero interest in the coins.

I was originally on the other side of the fence on this topic (as you can see from my first post in this thread!), and I've been second-guessing myself more than you might guess from my recent series of posts. So let me switch sides again (!) with this line of thought:

Those disagreeing with me recently have emphasized the paramount rights of an owner of bitcoins against any infringement, even if it means that other bitcoin owners might be harmed by their inaction. (In this case, coins being stolen and dumped.) Whereas I've played the role of a neutral arbiter who is trying to minimize loss across the board, across all owners.

This latter view is surely the dominant view regarding government today (socialist/nanny state), but it conflicts with the more individualistic libertarian (or even anarchist) viewpoint that my opponents set forth. In this latter view, you are choosing to take risks when you invest in bitcoin - and the risk of coins being hacked and dumped, harming your own investment, is demonstrably part of the cryptocurrency landscape today.

So from this perspective, which I agree with, the risk of losses from other people's insecure coins is part of the risk I assume when I buy into bitcoin. If this is the consensus of the bitcoin community (and I think it is), then I am much more agreeable that no action should be taken to destroy coins that could be lost due to a QC-event or similar loss of security.

It becomes more problematic if bitcoin goes mainstream and is adopted by large numbers of people lacking the ethos that you carry your own risks when using bitcoin and don't expect anyone to bail you out. In the context of broader society I could respect someone who holds on to the idea that the coins should be destroyed 'for the public good.' But it does fit more with my own libertarian philosophy to switch back to saying caveat emptor and agreeing to let the coins lie.

I just hope we don't have to put this to the test.

