RSA requires a larger key size than ECC for the same bit strength thus it would be a less optional choice where bandwidth and storage are constrained (like cryptocurrencies).

All of the following offer 128 bit security
Hashing Function: RIPEMD-128* 128 bit
Symmetric Encryption: AES 128 bit
Asymmetric (elliptic curve): ECC 256 bit
Asymmetric (prime integer): RSA 3,072 bit

* technically RIPEMD-128 is cryptographically weak against collisions and thus no longer offers full 128 bit security.  Newer hash functions have gotten larger so I couldn't find any 128 bit hash functions which are still unweakened by cryptanalysis.

It gets worse for RSA if we ever need 160/256 bit security.

All of the following offer 160 bit security (or better)
Hashing Function: RIPEMD-160
Symmetric Encryption: AES 192 bit (actually is 192 bit security but it is the smallest key size which is >= 160 bit)
Asymmetric (elliptic curve): ECC 320 bit
Asymmetric (prime integer): 7,864 bit

All of the following offer 256 bit security (or better)
Hashing Function: RIPEMD-256
Symmetric Encryption: AES 256 bit
Asymmetric (elliptic curve): ECC 512 bit
Asymmetric (prime integer):15,360 bit

Even 128 bit key strength is beyond what can be brute force using classical computing.  The higher key strengths are intended to be protection against cryptanalysis. For example a break which reduces the key strength of AES 256 by 28 bits has no practical application but the same 28 bit reduction on AES 128 starts to get it dangerously close to what "could" be brute forced.

What you fail to realize is there is no "we".  You will never convince every single user to start calling a satoshi a "Bitcoin".  Names only have meaning if they are consistent.  Imagine if at the same time there was more than one definition for a meter, it would be kinda useless to provide units in meters (which definition of meters).  In centralized institutions the central body can proclaim a new change in value (like redefining a meter, or kilogram) but that doesn't work in a decentralized network.

Can you imagine would utterly confusing it would be if everyone you talked to had a different definition of what 1 BTC was?

A BTC is NEVER EVER going to change.  To do so would require a consensus, it would require rewriting everything that has been written.  It would still lead to confusion and chaos when people looked at outdated articles talking about (there will never be more than 21M BTC and the person own more than that himself).  It simply is not going to happen.

Most of the time you can't get 100 bitcoiners to agree on just about anything but somehow you are going to get millions of users to simultaneously change their definition of what a Bitcoin is?  Really?  That seems a viable solution to you?

You can used bitcoind to query arbitrary addresses however you need to set "txindex=1" in the bitcoin.conf and then you will need to complete a new reindex (so all tx not just your txs) are in the chainstate.  The reindex can take quite a while.  Once complete you can pull the details of any tx using getrawtx RPC call (if you enable verbose output then it will decode the raw tx as well).

Example a random TxId I grabbed from blockchain.info

The reason for referencing the sun is that it is a massive fusion power plant on a scale which nothing humans have ever done even comes close.  Do I realistically think someone would turn the sun into a power plant (dyson sphere) for a giant private key breaking machine? No; but if the sun doesn't have enough energy than nothing in our solar system has enough energy.

The largest nuclear power plants are on the order of 1 GW (10^9 watts).  The sun is on the order of 10^26 watts.  Thus it has the output of 10 quadrillion 1GW nuclear power plants. Even the relatively tiny amount of solar energy which strikes the earth is more than 100x the total energy usage of the human race (in all forms).

If a theoretical "solution" requires more than what is available from our star, given our knowledge of physics, it can't be accomplished.  At least not until humans can travel to other larger sources of power (stars).

Agreed.  The idea that anyone credible said 56 bits would never be broken is laughable.  There is even some speuclation that DES was made 56 bits specifically because the NSA already had the capability to break it from day zero.  At the time there were stronger already implemented 64 bit ciphers in place by IBM and others.  That isn't to say 64 bit would be unbreakable either but it was probably unbreakable in the 1970s (and 1980s as well).


Reversible computing is a theoretical concept.  No functional system has ever been produced, no even on a scale of a simple 8 bit adder.   It also isn't a new concept either there are papers going back to 1961.  six decades later are pretty much no closer than we were then.  It is entirely possible that the human race will never

http://en.wikipedia.org/wiki/Reversible_computing



Progress on general purpose quantum computers has been agonizingly slow.  In 2001 a 4 bit number was factored.  In 2012 a 5 bit number was.   I will start to get more interested in post-quantum cryptography when they can factor a 32 bit number faster than a classical computer can.  Even that benchmark would put breaking 256 bit ECDSA years if not decades away.  NIST does a pretty good job of analyzing cryptographic threats and they still consider 256 bit ECC to be the highest level of security.  Top Secret documents are required to be safe from enemy decryption for at least 40 years (think a stealth fighter design would be obsolete by then) and ECC is good enough.  

The largest threat is probably the most boring and that is the slow and inevitable decline in effective security as academic cryptographers finds flaws and build more and more powerful attacks.  All public key systems have had a pretty bad track record against cryptanalysis over the last fifty years or so (far worse than symmetric encryption and hashing algorithms).  If I was a betting man that is where I would put my coins.  Of course if the public key is unknown the private key can be protected to a limited degree if ECDSA is partially compromised.  If your public key is known you may just be out of luck.  The early mined rewards have the public key exposed so it will be interesting when that happens.

Nope.  You can price things in mBTC (mbits, millies, milliebits, etc) or satoshis if you like.

By moved do you mean withdraw?  The site allowed you to withdraw to a non-existent Bitcoin address?

Each block targets a specific difficulty.  Difficulty can't be faked because a difficulty 1 million block IS 1 million times harder to produce.

The "longest" chain is the chain with the highest sum of block difficulty.

So between these two chains
dif 1, dif 1, dif 1, dif 1, dif 1
block height 5, total difficulty 5

and
diff 2, diff 2, diff 2
block height 3, total difficulty 6

the later is the "longest" chain.

There is no method you can use to consistently produce the longest chain without having more hashpower than all "good" miners combined.

Exactly.  This is rather unremarkable compared to the power of existing ASICs.  The article doesn't mention integer performance and that isn't unusual most super computers are focusing on high floating point performance and high bandwidth interconnects. 

Still if we assume an equivalent integer performance (more likely it will be significantly lower) that would be 10 trillion IntOps per second.  SHA-256 is 80 rounds lets assume (highly optimistically) that it can do one round per IntOp that would be 80 IntOps per hash.  Lets round up to 100 to include loading, incrementing, checking logic.   So 10 trillion integer operations = 100 GH/s.

Well 42 bits of entropy is also awful.  Even if it wasn't on a password list, it could be brute forced by just about anyone and then once it is, it will be on a password list.  Really one should be look at a minimum of 80 bits of entropy and for high security applications more is better (128 bits would be optimal).

Still I do like the fact that the linked password meter checks against known weak/broken passwords.

The example provided was as extreme as I could get
1) assumes 1 key per FLOP (more like 1 key per 80,000 integer ops)
2) assumes moore's law will continue for 40 years (20 if we are lucky)
3) assumes 1 super computer per human on the planet (really)

Even that would be insufficient.  Yet you still stick with a belief that 10^70 is realistic.   There are only 10^50 atoms on the planet.   Even assuming terrahertz scale processor you would need to convert the entire planet into chips and then magically process billions of operations per atom.    What is going to power this?  Where are all the organic life going to go?

Feel free to have the last (delusional) word.  I won't see it because it isn't worth my time anymore.   You can have your own opinions but you can't have your own facts.  128 bit keys are beyond brute force with classical computing.  It doesn't matter if it is today, next decade, next millennium, or using a perfect computer and all the matter and energy in our solar system.

How about you read what was written?   It was talking about a PERFECT computer (a theoretical construct), not a computer built today, or one built with technology a century from now but one which operates at the thermodynamic limit and in roughly absolute zero.  Nothing more efficient is possible.  It is many quadrillions of times more efficient than today's computers.  The human race may never build a perfect classical computer but it is often used as an upper bound as it takes into account all possible performance increases.  Not only does the example use a perfect computer but it is powered using the entire output of our star for the next four billion years or so.  The example was just counting (i.e. 1 bit flip per increment).   Generating a single ECDSA key involves tens of thousands of operations and each of those involve hundreds of bits so even for a perfect computer it is something on the order of millions of bit flips per ECDSA key and thus the power requirements would be millions of times higher.

Keys of 128 bit strength are unbreakable by brute force on a classical computer (even a perfect one).

This doesn't mean they can never be broken but it will be because of:
a) a break in the algorithm itself
b) it becomes possible to implement Shor's algorithm against 256 bit keys using a quantum computer.
c) implementation attack (flawed RNG, backdoor in processor, etc)

None of that has anything to do with your false claim that Moore's law will make classical computers fast enough to break 128 bit keys in a few decades.  Please find a single cite for any reputable cryptography who shares your opinion.

No we won't.   You seem to vastly underestimate how large 10^70, 2^128, and 2^160 are.

In 40 years Moore's law has provided roughly 1*10^6 improvement in transistor density and a roughly comparable improvement in cost per unit of computing power and power per unit of computing power.  It is highly likely that Moore's law will not be sustained for another 40 years, Intel may actually slip below that "benchmark" for the first in this decade.  The cost to build smaller and smaller process nodes is increasing exponentially and the time between process nodes (which should be no more than 24 months) is slowly inching upward.  Lets not even get into the fact that there are only 8 maybe 9 process nodes before we get down to the transistors using 3 atoms a piece.  

Still lets assume that an equivalent amount of improvement occurs over the next 4 decades.  That is a ~10^6.  Today top supercomputers are PFLOP scale.  Lets ignore the fact that Integer performance is often a magnitude worse and that it takes tens of thousands of operations to complete a single keypair (and even more to perform lookups).  Lets just naively assume that 1 ECDSA key generation and lookup can be done in 1 FLOP (which doesn't even make sense but trying to be ultra conservative).  That would mean today a top super computer could do ~34 PK/s (peta keys per second).  To keep the math simple lets just round up to 100 PK/s or 1*10^17 kps.

If we then assume a 1*10^6 factor improvement in relative performance in the next 40 years that would make a top SC something on the order of 1*10^23 kps.  Now lets assume you build one for every man woman and child on the planet (estimated to be ~10 B in 2054).  That would put world wide key breaking power at 1*10^33 kps.   You aren't even within the same ballpark as  10^70.

In reality performance will probably slip below Moore's law, you can't process on key per clock cycle, and even if you could we are looking at an energy requirement greater than what is used by the entire human race for all other purposes.

Coins can be mined out of existence (miner selects a reward less than the max allowed).

Still coins sent to addresses with no known private key are effectively lost.  No you can't brute force it with a lot of hashing power (not even all the computing power on the planet).  If you could then Bitcoin would be worthless.

That wouldn't be destroyed.

Unsure what you are asking here.

901 < 35,659 so not it isn't more than the entire network.  It is ~2.5% (901/35,659) of the network.

I have seen this repeated a lot, please don't tell people this.  The QT client for example NEVER gives up.  It will keep trying to broadcast a tx for 72 years.

If we assume the network is heading towards ~1 J/GH then we are looking at 1MW per PH/s.  That puts us at 30 MW or 263 GWh annually at current network size.  Now that might sound like a lot but the human race uses about 150 million GWh annually (all forms of energy not just electricity) making the Bitcoin network a rounding error (0.0002%) on the energy usage of the human race.

How efficient Bitcoin becomes relative to established monetary systems will depend on how large its user base becomes.  There is a non-linear relationship between the number of users and cost of the network.  The hashrate is likely to rise over time but this will be partially offset by increased hardware efficiency (J/GH).  Also as the cost of ASICs decline (and power costs dominate) we may the emergence of energy offsetting applications.  Dedicated ASIC heaters could be built specially designed for domestic heat and hot water applications.  ASIC arrays could be used on a part-time basis as power shunts to soak up excess electrical capacity instead of 100% loss waste load circuits.

There is no such thing as "balance at an address" that is merely an abstraction.  The only thing which exists is input and outputs.   A transactions references as it inputs the unspent outputs of prior transactions.  The transaction destroys (or "spends") those referenced output(s) and creates new outputs (which will become the inputs of future txs).

All spent outputs can already be pruned from the blockchain.  Of the ~18GB only ~4GB of that is usnpent outputs.

You already have a full copy of the blockchain to query you just need a framework built around it to handle the querying in a user friendly manner.

As for hiding your IP address use a VPN and/or Tor.