I can't understand why people do this. It is spelt out in every CEX's Terms of Use/Service, which have been carefully written and re-written by a team of lawyers specifically to work in the exchange's favor in every possibly scenario, that any coins you deposit are not yours. In the case of Coinbase, it is spelt out in legally binding contracts mandated by and filed with the SEC (a government agency), that you are an unsecured creditor with essentially no claim to your deposits. And now that has all been tested in court and, completely unsurprisingly, been held up and ruled in the favor of the exchange, confirming that users do not own anything they deposit. And yet people will continue to believe a tweet from a serial liar like Armstrong or CZ over the literal word of the law. It's unbelievable.

That dream is a long way away yet, but it is still entirely possible (and getting easier every month with new platforms and technologies) to go back and forth between bitcoin and the fiat world without ever needing to hand over your data or your coins to these centralized exchange scams. You just need to have the desire to do so and not just settle for handing your life over to Binance because you saw their ad somewhere.

That's not quite right. If one of your seed phrases is compromised in the XOR set up, the attacker can still gain nothing, just as in a multi-sig set up. The difference is that if one of your seed phrases is lost in a XOR set up, it is impossible to recover your wallet since you need all the shares, unlike multi-sig which is set up to require m-of-n shares.

Given this, if you were using 3 shares in a XOR set up, you would want each of them backed up at least twice, since the loss of one share means the loss of everything, which then necessitates 6 separate secure back up locations. At that point a 3-of-5 multi-sig is much preferable, as you say.

Here is the ruling in question: https://cases.stretto.com/public/x191/11749/PLEADINGS/1174901042380000000067.pdf

And a few important quotes:

So this has finally been addressed in court and confirms what some of us have been saying all along. As soon you send coins to a centralized exchange, you give up all ownership and all claim to those coins. They are 100% solely the property of the centralized exchange, that centralized exchange can do anything it wants with them, and if something goes wrong (as it has here), you will lose everything.

Remember when Brian Armstrong said he "believes" users wouldn't lose everything in such an event? Or whenever CZ says "FuNdS aRe SaFu"? You can point to this ruling to show that they are 100%, provably, full of shit.

If your bitcoin is on a centralized exchange, then you do not own any bitcoin.

I have no experience with "DanskaBank", but when you are trading peer to peer using a bank transfer then the money is sent from the other party's bank account directly to your bank account. It does not come from a centralized bitcoin company or exchange. All your bank will see is a standard transfer from one individual to another. Provided the other party doesn't label the transaction as "Bitcoin" or something like that, then your bank will have no idea what the payment for.

If you are willing to change it for gift cards to somewhere you would be spending cash anyway, then buying gift cards via somewhere like Bitrefill will be a very easy and straightforward option for you. If you want to swap it for actual fiat, then you would be best served doing it via an escrow. You send the bitcoin to an escrow, the other party sends you the fiat, then once you've confirmed you've received the fiat, the escrow releases the bitcoin. This protects you from being scammed (provided you choose a reputable and trustworthy escrow). The two other sites I listed above (HodlHodl and AgoraDesk) have built in escrow functionality.

The very nature of bitcoin is that every transaction is public. By telling us exactly how much you received, I can easily perform a search for any transactions involving that exact amount over the last 7 days. Yours was the only one. To protect your privacy in the future, be less specific with the values you are talking about.

At that point you then lose the plausible deniability that each share is an individual standalone wallet and not part of a bigger XOR scheme.

The most talked about implementations of SSS I am aware of (and please correct me if there are other common ones, as I tend not to pay much attention to SSS implementations for the reasons I've discussed above) are Trezor's (https://github.com/satoshilabs/slips/blob/master/slip-0039.md) and Ian Coleman's (https://iancoleman.io/shamir39/ and https://iancoleman.io/shamir/ - he has two different ones). All of them are completely incompatible with each other, and a wallet generated with one is unrecoverable with the others. Not a safe choice.

Sure, but if you are defining the parameters for the four secp-k1 curve simultaneously, then doubling a set value on each curve is a much more straightforward way of arriving at a G which has a 50% chance of being 160/192/224/256 bits, rather than multiple hashes and combining different lengths of your two hash outputs in to one number.

Although looking more closely, the generator point for secp160k1 actually only has an x coordinate of 158 bits. So my guess above doesn't really make sense in that context.

I searched through the Sparrow GitHub and found a few similar issues from other users, but they all seemed to be related to using signing devices which were not grinding for low R value, which is not the case for my transaction. Without sharing the transaction (because I don't want to compromise my privacy), the R value for each of my signatures was 32 bytes.

So I can't really explain it. I don't want to open an issue on Sparrow for the same privacy reasons, but as far as I can tell it was just that Sparrow was incorrectly estimating the size prior to the transaction being signed.

This much is true, but if I was selling a large amount I would never go to the order book on a single platform and just start scooping up all the orders there. Much better to create your own order, preferably two or more orders on different platforms, setting your own price and letting trades come to you. Then you can fill your order with multiple different parties with no price slippage.

No different really to when you keep your coins on a centralized exchange, and that exchanges decides to censor your transactions or freeze your account entirely because you did or said something they didn't like, tried to send money to someone they didn't like, or even just live under a regime they don't like. See my thread here: https://bitcointalk.org/index.php?topic=5387401

Have a read about data brokers. It is a multi-trillion dollar industry which most people don't even realize exists. Have a read of my thread here: https://bitcointalk.org/index.php?topic=5394338. A single data broker company known as Acxiom has 11,000 data points on 2.5 billion individuals. 11,000 data points! Can you even think up a thousand data points about yourself? Now try 11,000! Everything from age, gender, address, through to employment, education, politics, religion, through to far more insidious things like financial history, purchases, debt, health conditions. They know what you like to watch, when you like to watch it, what you like to watch it on, and who you like to watch it with. They know what house you live in, who lives there with you, their relationship to you, how many bedrooms it has, and how much you pay in rent or mortgage. They know what health conditions you have or when you might be trying for a baby before your doctor does based on your internet search history, social media use, and recording of your private conversations. And yes, they know what exchanges you are signed up to, what addresses you use to deposit and withdraw from those exchanges, and how much money you are moving through those exchanges and when.

These data broker companies sell data to literally anyone who is willing to pay them, and governments are more than happy to spend your tax money on this.

Absolutely fine, you can have as many wallets as you want. But if you want to move bitcoin between the wallets, you will need to make a transaction and pay the transaction fee. I don't really see anything to be gained by you setting up another new wallet now. Your current set up seems to be working fine.

No, you don't. This is a wallet for a completely different cryptocurrency called BCash, which is not bitcoin and is generally set up to scam newbies such as yourself in to buying this fake not bitcoin. You do not need to download any software in order to sell your bitcoin.

It is much safer for you if you don't start sending your ID to random websites or internet strangers. Check out the links I gave above about where to start.

You can do conversions using this site: http://preev.com/btc/gbp

Currently, that is worth £307.

I can see your output on block explorers, and it already has >400 confirmations. It cannot disappear until you spend it.

If you are not planning on trading long term and are just looking for a single one off trade, then your best bet will probably be to find a reputable and trusted person on either the currency exchange board of this forum or on a peer to peer marketplace such as HodlHodl or AgoraDesk. I would of course suggest that instead you hold the bitcoin long term, or even you just spend it directly with any local merchants who accept bitcoin, or use it to buy gift cards at somewhere like Bitrefill.

But it is yet another thing to back up, and yet another thing where the loss of a single component could potentially result in complete loss of your coins. Multi-sig remains safer. If the code for recovering multi-sig wallets is no longer available anywhere online, then bitcoin itself will no longer exist.

SSS is a poor choice for a wide number of reasons:
https://blog.keys.casa/shamirs-secret-sharing-security-shortcomings/
https://en.bitcoin.it/wiki/Shamir_Secret_Snakeoil

Again, multi-sig remains the better choice, or even just a single sig wallet with an additional passphrase and multiple back ups.

There's an email from Dan Brown you can read here, which might interest you if you've not seen it already: https://bitcointalk.org/index.php?topic=289795.msg3183975#msg3183975. In terms of the generator point, he also says it is "something I cannot explain".

I wonder if the 166 bit point was doubled simply so G is 256 bits. I can already imagine all the questions about "Why is G so small?" and "Is G insecure because it is only 166 bits?" that we would see otherwise.

I would use multi-sig over XOR for a number of reasons.

Firstly, XOR is not widely used. The code provided is not widely audited, and if you do it yourself you are prone to making mistakes. If the code disappears, would you remember how to combine your seed phrases and regenerate your original seed phrase? Seems unlikely to me. Multi-sig is a standardized feature of bitcoin and can be recovered using many different wallets.

Further, with a 3-of-3 system like XOR (or any other number) the loss of one share means you have lost everything. A 3-of-5 multi-sig means an attacker still has to compromise the same number of shares to access your coins (3), but you have 2 additional shares to provide redundancy in your system.

A XOR system requires all the shares to be brought to one place to be combined in to a single wallet on a single device. That's multiple single points of failure. A multi-sig system can have each wallet remain on entirely separate systems and avoids any single point of failure.

The benefit that ColdCard give about each XOR share being a valid seed phrase which can generate a wallet and therefore provide plausible deniability holds equally true for every seed phrase share in a multi-sig set up.

I've only meddled with Sparrow thus far, and have only actually made a single transaction using it, but I ran in to this problem. I set the transaction fee as 1 sat/vbyte, signed it, tried to broadcast it, and was hit with a relay fee too low error from my node. The signed transaction ended up being 2 vbytes bigger so my transaction fee ended up as just under 1 sat/vbyte. Resigned it paying a fee of 1.1 sats/vbyte and it broadcast fine, but again, the signed transaction size was marginally bigger.

Is there a way around this while using Sparrow? I'm so used to just setting 1 sat/vbyte on Electrum and not thinking twice.

A Swan-Ganz catheter is its full name. The bit that you will see will look similar to all the other IVs that I'm sure you are used to by now, except it will have (usually) 5 of them, and it will come out of the (usually) right side of your neck. Obviously I don't know your case, but I assume their reasoning behind leaving it in is that it would allow them to constantly keep a very close eye on your heart function and then either bump you up the list or put in an intra-aortic balloon pump (IABP) at a later date if needed.

That's the wrong way to think of it. The way we explain it is not "someone has to die", but rather "someone is going to die anyway". That person will still have had the best possible care in the lead up to their death, but death is a fact of life. Whether or not their organs are being donated will have made absolutely zero difference to that person's care up to the point of death. The only question now is whether those organs are buried in the ground to rot, incinerated to ashes, or used to give the gift of hope and life to other people and other families. I know which of three I would choose for my organs.

They can't. The best attack against a known public key with no further information requires in the order of 2¹²⁸ operations, which is impossible.

Depends on how narrow a range they need to search.

No, as long as that signature hasn't reused a known k value or some similar vulnerability. Indeed, the very basis of elliptic curve multiplication is that even if you know the public key and multiple signatures, then the private key still cannot be cracked. If it could, then there are multiple very rich addresses which have hundreds of thousands known valid signatures which would have been cracked long ago: https://mempool.space/address/bc1qm34lsc65zpw79lxes69zkqmk6ee3ewf0j77s3h

Not revealing your public key provides theoretical security against quantum attacks which do not yet exist.

No no no, I will not accept completely reasonable and highly likely explanations. The only answer here is that 1miau is deliberately trying to sabotage my devious plan to get my prediction in at the last minute! Instead I'll have to get it 61 minutes prior to the deadline just to be sure, which will of course rob me of 6 blocks (on average) of valuable information!