(Funny, that.  I was just now perusing forum archives, trying to learn more about the trust system and DT.  I got quite an eyeful about QuickSeller... and here he is!  It figures that he gave merit to OP.)


I understand that your blind hatred for Lauda can sometimes make it difficult to exercise critical thinking; but a post in broken English vaguely describing a half-baked, nonsensical idea somehow, implicating KYC privacy-rape in an unspecified manner, does indeed meet common criteria for being described as a “shitpost”.


(Boldface supplied.)

...thus, deterring the spew of illiterate morons who use this forum as their personal free money machine.  Works for me.

But you = theymos = the CIA.  This poor, oppressed soul fears that you will ban him, then subject him to “extraordinary rendition”.

(You know it’s coming...)

There is already a place which offers merit bounties for quality posts.  It is called the “Bitcoin Forum”, and its URL is https://bitcointalk.org/.  Posts placed there will be considered for merit by merit sources, high-ranking users, and anybody else who has sMerit.  I invite users with quality posts to place their posts there.

---

As a low-ranked user who has proved efficient at earning merit the normal way, I find such a suggestion extremely discouraging.

Suppose that I spend some hours writing post, as I have on some of my best posts both before and after the introduction of the merit system.  I do it because I want to make the post—because I have something worthwhile to say.  I place the post in the forum appropriate for its subject matter.  Then, I find that joeuser123 received merit I didn’t because he entered his post into a “merit bounty” contest, and I didn’t.

I do not like this idea.

---

Consider the distorting effects of the system here proposed.  Far from improving merit distribution, it draws the limited supply of merit away from organic, natural distribution in the ordinary course of forum discussion, and pools it in a “contest” (OP’s word).

If you thought for even one moment that the proposed idea may be (ahem) meritorious, please reread that paragraph twice.

---

Understand that the whole of the merit system is a “bounty” program.  It cannot perform its function of improving the forum, unless the forum as a whole is treated as one huge “merit bounty” section.

I am very uncomfortable with the merit giveaway threads.  I myself have neither entered any of them, or even checked to see if I was eligible.  I know that some of the people running them are well-intended; and I don’t think there will be any long-term damage, if such threads be only a temporary phenomenon during the exciting and tumultuous initial phase of the new system.  But widening such threads into a permanent, formally organized institution would undermine the merit system.

There is and must be one, and only one proper way to earn merit:  By making high-quality, on-topic posts in the forum appropriate for their subject matter.

For the merit system will not achieve its intended purpose unless it operates naturally, organically, rewarding good posts in the ordinary course of forum discussions.  You see, you read, you are impressed by a post—you hit the “+Merit” link.  You write, you post (where you would have anyway), you do a good enough job to impress someone else—someone else hits the “+Merit” link.  Merit sources may need to develop more elaborate distribution strategies, given the importance of the task entrusted to them.  But for the rest of us, the use of this system is supposed to be dead simple.

---

...by precisely the people who deserve no merit, and will never earn any.  That’s a feature, not a bug.  Evidently, the system is working exactly as intended:


(Emphasis is theymos’.)

Sorry, I think I overreacted here.  From your further posts, it seems your questions have been sincere.  I should explain.

There is a steady stream of posts, often from new accounts, which desperately try to find something, anything wrong with Lightning.  I sometimes see excellent posters waste hours and an ocean of virtual ink trying to keep up with frivolous arguments.  And while there’s nothing wrong with a new account, insofar as all start that way, that gives no post history for me to check and see if you be that type.

Thus you may understand my reflexive irritation at apparent fear, uncertainty, and doubt expressed over the urgent need for softforks which were already done.  The task of pulling up the page numbers so that other readers could find context for a mish-mash of disparate quotes did not help matters.

There is a very competitive market, with a hefty dose of politics involved.  There are many people with an axe to grind against Bitcoin.  Lightning Network is a brilliant new system with a promising future—Bitcoin’s future.  I think you can see where many of us who simply want to enjoy this new technology may oft be a bit on the defensive.


I myself tend to expect that the connectedness of nodes will roughly follow something like a Gaussian (bell-shaped) distribution.  Those connected to only one node would be at one extreme; nodes connected to a very large number of others would be at the other; and most would lie somewhere in the middle.  But that, as all else said on this topic, is a matter of more or less well-informed speculation.  I think we will really need to wait and see how the network grows.


It’s not a matter of layers.  From what I understand, there are existing userfriendly implementations which seem not so different than userfriendly GUI Bitcoin wallets; though I am not familiar with them as I should be.  Anyway, I’ve seen screenshots which looked simple and slick.  Time for me to catch up with what’s happening there!

Oh, I hear you there.  Nevertheless, I myself have been spending more time in Meta, at the expense of other things.  The merit system has great promise as new hope for the forum.  The earliest stages are the most critical, as precedents are set and a culture develops around it.  It could be poisoned and irreparably corrupted at this stage—for example, if a precedent were set for social acceptability of begging.  Or it could be strongly established and wound with social conventions which prohibit such corruption.  The difference is up to us.

The most important time to pay attention to the merit system is now, even if it means suffering through a profusion of “merit blah blah merit blah” threads.  The whining may seem interminable; but it will indeed terminate, if things go right.  By the time the merit system ceases to be a “hot issue” and discussion thereof dies down, we will have passed the critical early-stage point of determining what the merits system will mean in the future.

OP here is evidence that actmyname is doing a superlative job of protecting the merit system in its infancy, helping to nurture its growth, and setting the right precedents for future expectations.

Yes, I myself will be spending some more time in Meta for awhile.

You appear to be referencing “The Bitcoin Lightning Network: Scalable Off-Chain Instant Payments” by Joseph Poon and Thaddeus Dryja, which you did neither linked to nor precisely identified.

First, observe that the date on the first page is “January 14, 2016”.  When it speaks of required softforks, it speaks of the Segwit upgrade which occurred in the year 2017.  According to my calendar, 2017 has already passed.

You also mashed together disparate pieces of text, without identifying which parts of the document you were copying.  This makes it very hard to follow.  I will provide pinpoint section and page references for readers.

Now, to address your specific questions:


That is from Section 3, on page 7.


That is from Section 3.1.2, on page 8.


That is from Section 3.3, on page 13.


Your refer to the text starting at page 52.

The malleability fix was deployed as part of the Segwit upgrade.  It has been active on the Bitcoin network since 24 August 2017.  There cannot be an inability to make the necessary soft-fork, when the soft-fork is already done.


You quote from Section 10, on page 53.

Zeroth of all, there is no longer a 1MB block size limit; indeed, there is no longer a block size limit at all.  Since 24 August 2017, Bitcoin has instead had a block weight limit of 4000000 bytes (4MB).  It is expected that over time, average blocksizes will work out to a bit over 2MB.

First of all, you will observe that the text speaks of long-term planning.  There is ongoing Bitcoin hardfork research into how to safely fork the network if such a thing becomes required.

The text itself answers your specific question:  Miners can refuse to build on consensus-valid blocks.  It would be financially suicidal for any individual miner or pool to attempt enforcing such a policy:  They would quickly wind up building their own minority chain, which would be rejected by nodes in favour of the chain with higher total POW.  But if all miners were to agree to build only on blocks smaller than the consensus hard limit, then they could do that.  N.b. that non-mining nodes don’t produce new blocks, and the smaller blocks would be consensus-valid.


As aforesaid, the required soft fork was done half a year ago.  It is called Segwit.

---

Edit—self-correction:  As noted from achow101’s post, I somehow zoned out on the checksequenceverify (CSV) softfork (BIPs 68, 112, 113).  That was activated on the network on 4 July 2016.

Thanks.  Feel free to point to me already.  For my part, I’ve been flaunting my merit score to whiners of all kinds.  Some might take that as tooting my own horn; but I don’t care, because—well, zeroth of all, I just don’t care about that.  First of all, I needn’t boast when the number is printed right below my name.  But it sure feels good to rub it in the faces of all the self-entitled nincompoops who loudly demand that they should be able to rise in rank, when they can’t or won’t make good posts.

---

Cheers!

---

That.


As a Tor user, I would strongly object to that.  It is likely that many accounts have been created from whatever exit IP I happened to use when I created mine.  I paid the requisite fee to absolve myself of that IP’s “evil”.  But had there been any restriction on accounts created per IP, then I would not be here at all.

Whitelising Tor for multiple accounts created per IP would not be a solution.  Tor is not the only anonymity solution; and moreover, a whitelist of Tor exits would simply mean that all users who wanted to create many accounts would use Tor for that.  It’s likely that many of them already do, anyway.

Of course, as an anonymity network user, I focus on that aspect.  What about ISP proxies and carrier-grade NAT?  Due to IPv4 exhaustion, carrier-grade NAT is increasingly common nowadays.  A single IP address can map to many people, each of whom has no choice in the matter other than to swich ISPs.  In a market with an ISP monopoly, or where all local ISPs use carrier-grade NAT, they may have no choice at all.

The notion of some quasi-bijective mapping between people and IP addresses is a common fallacy; as such, IP addresses are far too much abused and mistaken as some sort of identity token or identity limiter.  The worst part is, professional spammers, blackhats, and other net abusers have access to huge collections of IPs.  They suffer the least from such restrictions.  I recall theymos saying that part of the reason why his homebrew anti-DDoS system failed was that attackers had “thousands of IPs”.  So do many other abusers.


The whole point is to discriminate—to be highly discriminating between high-quality and low-quality posts.  As a discriminating conoisseur of fine words, I urge discrimination and intolerance against worthless drivel.

What Naitik evidently desires is that merit be awarded indiscriminately, to forum poetry and one-liner garbage posts alike.  I think that speaks much as to his motives.

As of this writing, digaran has 508 merit.  As a “Hero” (allegedly), he received 500 merit for free.  Thus in the past nine days, he has been earning merit at the underwhelming average rate of <0.9 merit per day.

All along, I’ve been noting the merit levels (or lack thereof) of Newbies and Jr. Members who in some fashion dislike the merit system.  With a simple arithmetical operation, that easily extends to identifying highly-ranked accounts who would never have reached their status under the merit system—as such, who do not merit their status.

(I addressed the substance of digaran’s post; but it bears examining potential for self-interest motives, also.)

Why the hell would I pay for the privilege of giving my valuable time and effort to post?

Of course, I don’t have a paid signature.  But if pay-to-post were enacted only for accounts with paid signatures, this would cause two problems:  (0) Reliably identifying such accounts.  If accounts with paid signatures had to pay to post and others didn’t, then some signature campaigns would simply go underground.  Yes, my friend asked me to put this big, flashy link in my signature.  Nobody paid me.  Now, you need mods to search for accounts making unpaid posts with paid signatures, and perform adequately thorough investigations of them.  (1) Account farmers would set their bots to spew garbage with no signature from new accounts, until those accounts reached a high rank.  Then, they could pay a small fee for every spam bearing a colourful billboard.  Depending on how the economics work out, that may be profitable for them even if their posts are deleted after x average time.  To tilt the economics squarely against them, the fee may need to rise too high for everybody else.

All in all, this “pay to post” idea sounds too much like the “e-mail postage” idea.  Competent spamfighters were always strictly against the latter, on grounds that it would not work and it would create too much collateral damage.

The only solution to the problem of quality is to measure quality, viz., to enact some system for discriminating between valuable posts and worthless drivel.  That’s what we now have.

---

That would be a boon to beggars—and most of all to farmers with lots of alts.

You have it backwards:  The merit requirements for upper ranks should be raised.  Especially for Legendary status.  That threshold should be at least doubled or trebled.  If somebody can’t earn some thousands of merits in 2–3 years of active posting, then that person has no right to be called “Legendary”.


That would make a joke of the merit system.  Starting from zero as a then Jr. Member, after only five days of actively posting since I returned to the forum, I myself would now be nearly merit-eligible for Hero status.  Why, I should be merit-eligible to make Hero tomorrow!

I observe that you have thus far earned no merit whatsoever.  You are currently at a flat 250, which was given to you based on your pre-existing status as a Sr. Member.  Thus, your suggestion makes you no different from any of the whining newbies who complain about how oh so tough this system is.  Please!  Go make some quality posts.  The forum needs that.

Ooh!  A contrarian endorsement!  This is the best proof yet that actmyname is working magic to clean up the forum.  From n.a.n-a.e., it is well proved that efficacy at spamfighting can be judged directly by the level of desperate screaming, impotent revenge threats, psychotic counter-accusations, etc., etc. from spammers.

actmyname, if the post at the top of this thread weren’t such an eyesore, I’d suggest that you should frame it and hang it on your wall.  Too bad, spammers and their leavings are so aesthetically displeasing.

I envy actmyname.  When do I get to have some spammer make an account “ihatenullius” and post a bunch of trash talk about me?  I have some cred.  Why, I insulted a man so badly that he gave me +50 for it.  But I am as yet many leagues away from achieving actmyname’s calibre of incurring spammers’ hatred.  Forsooth, it is an inspiration:  I must needs work harder.

---

I am guessing that his main accounts (plural—all ten or twenty or two hundred of them) are already dripping blood-red, anyway.  So, the only reason is that he’s a coward.

No:  The main purpose of the merit system is to reward and encourage good posts.  Why is everybody focusing on the implicitly consequential negative, rather than the explicit primary positive?


Good idea; so do I.  Then, perhaps you should rely on my post as to which you replied.  Look above.

In Development & Technical Discussion, I also suggest that you should watch posts awarded merit by DannyHamilton.  If you are a learner, follow his own posts, too:  He excels both at providing good information, and tearing apart misinformation.

There are other expert users whose merit endorsement should tell you that a post is meritorious on technical grounds; but I think those are the most consistently active.  Merit is somewhat transitive; thus if you see that a particular user is often awarded merit by somebody whose technical judgment you trust, then merit awarded by that user should be a good guide, too.

As such, consider Dev & Tech merits to function as a de facto peer review and reputational system.

Most people seem to be ignoring the main and positive purpose of the merit system:  It gives appreciation and encouragement to good posters.

The whiners are exactly the ones who should go away.

Signed,

A user who ranked up from Jr. Member to Member on 30 January, and thus started with zero merit.

I am inclined to disagree with the idea of “technical trust”.  I don’t see how it could be made to work, without the cure becoming worse than the disease.  But OP highlights a real problem.

As a regular on Development & Technical Discussion, I certainly see difference between what OP calls “dumb answers” versus “misinformation”.  The section is infested by trolls who regularly and repeatedly post wrong information at high volume.

There is a very deliberate quality to much of the misinformation (and disinformation; there is an old and subtle distinction between the two words).  It derails threads, and poisons sincere discussion.  I dislike incorrectness anywhere; but if somebody speaks in ignorance, that can be corrected, whereas spreaders of “misinformation” are incorrigible and ineducable.  Worst of all, they present a real danger of misleading newbies who earnestly seek to learn.

A few recent examples of “misinformation” trolls:

• In the thread I started on Bitcoin’s Public-Key Security Level (OP currently +18), Anti-Cen #1423316 posted so much gibberish about using Microsoft Windows RSACryptoServiceProvider(512) for Bitcoin keys (!) that I myself had difficulty wading through it to pick out the real replies so I could respond to them.  That has a real impact on readers.  Anti-Cen’s post history includes claims of his own extraordinary expertise to support grossly wrong technical statements about Bitcoin, extreme hostility toward Core, a persistent suggestion that fees be capped at 1.5 (without specifying a unit), etc., etc....  At some point, I gathered a representative selection of quotes from Anti-Cen’s posts.  As I have not hereto revealed publicly, Anti-Cen has also tried to bait me by PM.  I think that Anti-Cen is probably the most odious troll in Dev & Tech right now.
• In a thread ChiBitCTy started on Important Lighting Network reading- for everyone! (OP currently +9, including +1 from me), dinofelis #376659 derailed the thread into discussion of his attack on nodes:  “Nodes are ‘vote by IP number’, which is what Satoshi wanted to nullify by vote by PoW”, “The only reason why they talk Joes into running nodes in their basement, is because bitcoin needs a story, and decentralization sounds like a good selling argument”, “nobody will give a shit that 10 000 Joes find their nodes switching off because they don't find the ‘right’ block chain any more”, etc., etc., plus a sprinkle of crazy:  “People very knowledgeable of that system cannot ignore the basic design principles of that system, can they ?  So there must be a deceptive reason for telling this [that the system is decentralized —Ed.], given that it is objectively wrong.”  I tried to cut the discussion off—I mean it—so as to set the thread back on track.  Any thread which catches dinofelis’ attention is liable to go in a similar direction.  I see that Wind_FURY seems to be trying to draw fire, I presume to unclog other threads.  I’d expect that all the technically competent regulars must be sick of dinofelis.
• My first exposure to the troll problem there came when I made a long reply to abominably incorrect information by “bitfools” #1152876.  DannyHamilton clued me in that IHBT.

There are a few others.  But for the sake of examples, I’ve necessarily already brought too much attention to people who are evidently seeking it for whatever reason (or unreason).

Thus, I appreciate OP’s concerns.  Unfortunately, I don’t see any easy solution to this, nor how a benign “technical trust” system would not be redundant.  Setting a system to be the arbiter of “true” and “false” is always—problematic.  Is this proposal supposed to function as some sort of peer review?  The merit system already does that:  Good, correct technical posts there tend to get showered with merit, whereas false and stupid posts of all kinds usually get none.

I’d like to find a better solution to this problem.  I doubt this be it.  Am I missing anything?

Slightly offtopic question; please followup-to this thread:


Yes, that’s where I got the C code for my bech32 shell utility.  I mentioned sipa’s code above, but omitted to link it.  (The one time I don’t...)

Do you know if anybody has written a quality C implementation of error correction?  I’ve been intending to port sipa’s Javascript demonstration code for that purpose; but if somebody else already did (or wrote good new code), I don’t wish to duplicate efforts.

This would not be useful for address generators, vanity or otherwise; but it would be very useful for my bech32 shell utility, as well as some other things I have in the pipeline.

Who said anything about IP numbers?  I don’t even expose one; I’m onion only.

Who said anything about votes?  Bitcoin is not a democracy.  There is no “vote by PoW”; that’s nonsense, and shows a total lack of understanding of what POW is and how it is used to achieve BFT transaction ordering.  There is no vote at all.


Quoted for craziness.  You forgot to add that the CIA designed Bitcoin, and gives all these very knowledgeable people their mendacious talking points about nonexistent “decentralization”.  I admit, I work for the CIA, too.


The design of Bitcoin is a subject about which you demonstrate worse than zero understanding, insofar as misconceptions must be unlearned.  You really ought to go study up on how Bitcoin actually works before you spout off.  You don’t even grasp the basics.  You talk as if you learned all you know by reading /r/btc.

---

Posted whilst I typed up the foregoing:


Redoubling my point:  You have evidently never heard of consensus rules and validation.  Among other things.  These are not set by the Byzantine agreement which miners produce for transaction ordering, and only that.  You really know less than nothing about Bitcoin.

(Did you just go look up “Byzantine agreement” on Wikipedia between your posts?  Though I’m curious, I only ask rhetorically; don’t bother answering.)

Now, this is an offtopic thread hijack of a good and important Lightning Network thread.  I desire to avoid that.  I will not take this as an opportunity to explain Bitcoin design fundamentals, much less argue about them with somebody who shows belligerent ignorance and an unscholarly attitude.

---

Edit:  While I was writing the above addendum, dinofelis edited and completely changed the post to which the addendum replied.  The above quote is as I first saw it.  From its much longer replacement, I wish to make one point crystal clear for the benefit of other readers who come across this thread:


No, the design of Bitcoin is not amenable to a Sybil attack; and indeed, Core developers tend to have a dim view of systems which are.  Bitcoin’s general Sybil resistance rises from the fact that there almost is no voting whatsoever in Bitcoin.  The only exceptions have been when votes of sorts have happened (or been attempted), via various “signalling” bits.  I know of instances when “XT” advocates tried to Sybil the network; it sort of wound up being a sick joke.

You could spin up a million of your own Sybil nodes on a million different IP addresses, and the integrity of the Bitcoin network would be unaffected.  (I here ignore DoS, since that is not a Sybil issue.)

pebwindkraft, at some point, you may be wasting your time.

dinofelis is wrong, has repeatedly been wrong, is persistently and incorrigibly wrong.  In every thread he fills with long, tortuous argumentation, everything he says is shot full of holes by people who actually know what they’re talking about.  He still fills threads with long, tortuous argumentation.

Downplaying the importance of nodes is a hallmark of people pushing a certain agenda, for which dinofelis gives talking points.  (“The only reason why they talk Joes into running nodes in their basement, is because bitcoin needs a story, and decentralization sounds like a good selling argument.”)  Whereas nodes represent the economic majority on the network, and collectively have more power than miners or exchanges.  We have seen that repeatedly demonstrated within the past 6–8 months.  Indeed, if “nobody will give a shit” about nodes, then NYA/2X would have taken over the network; instead, NYA/2X was cancelled in a face-saving maneuver.  Originally, closed-doors power-player NYA had been backed and indeed, promulgated by some of the most powerful exchanges and miners!

This is in addition to, and an extension of, what you said about UASF and whence came NYA in the first instance.

dinofelis speaks of a “PoW oligarchy”, which demonstrates how little he understands about how Bitcoin works.  (Hint:  Miners have one, only one, exactly one very important job—Byzantine agreement for transaction ordering—whereas all else is done by nodes.)

Moreover, on the face of things, anybody who uses the phrase “nobody will give a shit” as a technical argument is neither competent nor serious.  Sloppy and vulgar speech on a technical topic belies sloppy and vulgar technical thinking.

Perhaps your time could be better spent.

That is a point either missed, or realized all too well by all the people whining about ranks being “frozen”.  The majority of current users should never advance much (if any!) in rank.  The merit system will facilitate the natural advancement of good users who have something to contribute, theymos’ “ideal new user”, whilst keeping all the numerous and prolific “Bitcoin soon moon luckily, if not dump” posters “frozen” at Jr. Member or below until mods can get around to nuking their accounts.


I presume that “sources” must be the types of community leaders who treat the forum as a full-time job.  That is, the types who not only write many posts, but also read many posts.  A relatively small cadre of such people should be able to distribute relatively large amounts of merit to a relatively wide selection of excellent posts.  From there, well—have you ever played “six degrees” style games?  I think every single post on this forum is read by multiple people whose posts are read by multiple people... whose posts are read by one or more “sources”.  The merit should flow from sources outward in ever-wider circles, as ripplings from a pebble tossed in a pond.


Given the damage of red trust, abusing merit (including begging) is now a most excellent way to risk totally destroying your account.  Within the past few days, I myself witnessed up close the permanent demolition of a “Legendary” account which got caught merit-farming.  (I must observe, it was the account of a user who self-evidently never would have reached “Legendary” status under the merit system!)  I’ve also been actively tagging users who beg for merit.  So yes, people try to game the system; and some of them will get away with it for awhile, just as street criminals tend to get away with it for awhile.  Such people’s luck always runs out at some point.


Excellent observation.  That is a bigger problem, and especially so when tied to existing rank.  I have been pointedly ignoring many low-ranked accounts which are transparently obsequious in their behaviour toward others, and especially in their effusive praise of the merit system!  Yet I question whether I may have been much more subtly taken in by some highly-ranked accounts operated by intelligent individuals.  Part of the problem may be that as a newer user, I naturally grant some deference in assuming the best of people who appear to have well-established reputations.  I will try to be more watchful about that.


That’s a bad analogy.  The feudal system tended to succeed in proportion to the merit of the nobility, including their resistance to the wily inveigling of flatterers.  Those who embrace flatterers always do so at their peril.

Historical discussions are off-topic, so I will leave it at that.

---

Now for one thing you left out of “the Good”:  People who work hard on their posts can feel some appreciation!

I will here speak to my experience.  It is not unreasonable to suppose that other good posters have had similar experiences.

I work hard on my posts.  I did that before the merit system, and I do that now.  Some of my best posts take hours for writing, editing, proofreading, gathering links, etc., etc.

Many of my posts get few replies, if any.  I don’t expect and don’t want any replies which simply acknowledge my post, adding nothing else.  Thus before the merit system, I was oft left to wonder if anybody found my posts useful—indeed, whether anybody had even read them.

My first notification of the merit system came when I logged in 29 January after a few weeks’ absence, and found I already had 17 merits for posts I made in December.  It felt good to know that somebody, somewhere sufficiently appreciated my posts to remember them for tribute a month later!  Since then, I’ve enjoyed watching the merit trickle in whenever I make a post which people find valuable.

It’s not an ego boost.  I don’t need that, and am not susceptible to it.  I don’t need praise.  What I do need is to know that when I spend hours of my time making something to give away freely, it is found by others to be useful and valuable.  Otherwise, it feels like expending effort in vain, without purpose.

The merit system rewards good posts.  People are placing far too much focus on what it does to people who don’t earn merit, and the negative necessity of stopping garbage posts.  Look to the positive purpose!  Look first to the encouragement this system gives to good posters!

Preface:  I wish to more concisely restate and amplify the greater point of my original post.

People are worrying about the wrong measure of the wrong thing.

I’ve seen endlessly repeated forum discussions of how big 2²⁵⁶ is, in the context of Bitcoin’s 256-bit keys—oft accompanied by estimates of how long it would take to try each potential key in a bruteforce attack.  That’s the wrong measure:  No actual attacker would use a bruteforce attack against ECC.  Against actual attackers, Bitcoin’s public-key crypto has a 128-bit security level.  This means that breaking it would require a humanly impossible amount of computation, approximately 2¹²⁸ work.

And it’s the wrong thing to worry about.  Worry about your computer security, your operational security, your privacy.  Those are all incomparably weaker and more vulnerable than crypto with a 128-bit security level.  Bitcoin’s public key security level is a strength.  Worry about your weaknesses.  Worry about all the many weak links in the chain of your security, not one of the few strong links.

I expect that if people put into their “weak links” even half the energy they expend obsessing over how hard it is to break things which are humanly impossible to break, then many fewer coins would be stolen.

---

Breaking the security of a 160-bit key hash requires a full preimage attack.  Therefore, the security level for this particular component is 160 bits.  That exceeds the 128-bit security level of the public key itself; so, “what I think” is that it’s stronger than strong enough.  So as for P2WPKH.

P2WSH upgraded to a 256-bit hash because multisig transactions are vulnerable to a collision attack by a malicious signer, such as a cheating party in an escrow transaction.  Collision attacks are much easier than preimage attacks, due to the birthday paradox.  In old-style P2SH (with “3” addresses), using a 160-bit hash, multisig has only an 80-bit security level against malicious signers; the hash still has a 160-bit security level against anybody who is not a signer.  Multisig with Segwit P2WSH and its 256-bit hashes has a 128-bit security level against malicious signers, and a 256-bit security level against everybody else.

Exponentials confuse many people.  The difference between 80-bit and 128-bit doesn’t sound like much.  Whereas 2¹²⁸ work is more than 281 trillion times bigger than 2⁸⁰ work.  To do 2⁸⁰ work is feasible today, albeit costly in the extreme.  To do 2⁸⁰ work more than 281 trillion times over is humanly impossible and unthinkable.

N.b. that this pertains primarily to multisig.  I can imagine it might also affect some other uses, but multisig is the major use case which invokes vulnerability to collision attacks.  There are other P2SH uses, which do not include in the script any data from an untrusted party—for example, the backwards-compatibility nesting of P2WPKH in P2SH.  For such use cases, old-style P2SH has a 160-bit security level; and Segwit P2WSH has a 256-bit security level.

There are some interesting references apropos in this Core blog post.  Note that the “comparison” to the Bitcoin mining network is outdated:  Hashrate has much increased; it now takes a bit over a day and a half for Bitcoin miners to collectively do 2⁸⁰ work.

---

Do you mean P2WSH?  What you said does not make any sense.  s/P2WKH/P2WSH/g.  Next, understand the difference between a collision and a preimage.  A collision means finding two different inputs which have the same hash—any hash.  Whereas in P2WSH (or almost anywhere else in the on-chain use of hashes), the hash is already determined.  To find an input matching a particular hash requires a preimage attack, not a collision attack.  This is a huge difference.  Preimage attacks are much harder.

---

I am now convinced that Anti-Cen is trolling.

This is a note for people who are not forum regulars, and newbies trying to learn.  Just ignore Anti-Cen.  Apologies for the noise.

---

(Link upgraded to https in quote.)  Thanks, pebwindkraft.  Good link, though note that the pertains to old-style P2KH transactions.  Segwit P2WPKH transactions involve a different serialization (not instead of, but in addition to the old serialization for non-witness data), among other differences.  Of course, P2SH and P2WSH are much different.

---

If that’s intended to suggest that Bitcoin’s security-level is, wow, mind-bogglingly huge, then yes, I would agree with that.

---

hatshepsut93 is right.  As I recently expressed elsewhere:  If you do not have a working Cryptographically Secure PRNG, then you have nothing else, either.  Your concern is almost tantamount to saying, well, what if you give the attacker your secret key?  Then, of course all the crypto is “broken”!  Of course!  The security of random number generation is important, because using a bad random generator to make your secret key is nearly like giving your secret key to the attacker.

That says absolutely nothing about the security of Bitcoin’s public-key crypto, which has a 128-bit security level—which is extremely secure.

I think the most fitting answer, ironic but serious, would be:  “None of your business.”  Of course, I have “bought” Bitcoin (viz., exchanged fiat funny money for real money).  Indeed, most of my life savings wound up in Bitcoin (then most of that, in a privacy-oriented altcoin where I took a very painful loss—but that’s another story).  Whereas I have never bought Bitcoin on an exchange which does KYC.

Nobody anywhere has any record that I’ve ever owned even a single satoshi.  Most people who know me in real life don’t even know that I know what Bitcoin is.  And I would not brag about that, except under a nym made for the purpose of privacy and security work and activism.

There are plenty of other ways.  If the question were rephrased, “How might someone buy Bitcoin without a KYC-requiring exchange?”, then there are many forum threads, several websites, and at least one peer-to-peer network devoted to this exact question.  I note this without endorsing anything in particular.


I think that Jet Cash would need to speak for Jet Cash.  Anyway, arguendo, dislike for the merit system would not adequately explain giving merit to anything “KYC”.