Bitcoin Forum
5681  Other / Beginners & Help / Re: BTC_Challenge on: December 08, 2011, 04:02:30 PM
For 0.31415927 BTC:

Below are the answers to a question taken directly from a GMAT test:

a)   4π sq. inches
b)   8π sq. inches
c)   16 sq. inches
d)   16π sq. inches
e)   32π sq. inches

What was the original question, which answer is the correct answer, and why?

Yes, it is possible.

5682  Economy / Marketplace / Re: Coming Soon: The Casascius 1000 BTC FINE GOLD COIN on: December 08, 2011, 03:47:13 PM
I got the sarcasm of the statement but I was wondering why not put a valid BTC address there just in case someone agreed with the statement.
5683  Economy / Marketplace / Re: [Announce] SimpleCoin.com - Buying Bitcoins Became Simple Today on: December 08, 2011, 03:13:32 PM
Darin,

All we can see for a fact is that you have 21 posts.  We have no idea how long you have been reading, how much you have read, which threads you have read, or how long you have been around so please let me fill you in on a few things:

Because of the non revertible nature of Bitcoins it is much easier to scam people out of their BTC than it is to scam them using VISA, PayPal, etc.
Because of this fact criminals of all kinds flock to Bitcoins.
These criminals have come up with many ways to scam people, some obvious, some very subtle.
Many have fallen prey to these criminals over the years.
This leads to a very high level of paranoia in your customer base.
This is something you have to deal with as a vendor in the Bitcoin space.

Have you ever heard about certain tribes, when faced with the issue of trying to find out which member(s) of their tribe is lying, will place a red hot knife on the tongue of each member of the tribe?  The members that are not lying will not get burned, however those caught in a lie get their tongue burned.

This whole vetting process you are going through as a new vendor is kind of like that.  If you answer every single question with total and absolute honesty you will survive and be welcomed with open arms into the Bitcoin tribe.  However if there is even one small ounce of deception in you or your business the tribe will generally find it.

We are not just picking on you.  We do this to everyone who comes in trying to sell us something and join our tribe.
5684  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 08, 2011, 02:25:52 PM
Yes, and I have to admit that my thought process was inspired by the following question so some of the credit goes to pc for asking the "stupid" question.  I answered the question but it got me to thinking...

I think the question is the reversibility of EC addition. And I know almost nothing about EC crypto, so perhaps the terms are what's confusing me, but if Alice and Bob each have a private key (PrivA and PrivB), tell each other their public key (PubA and PubB, and they create a combined public key (PubA+PubB) and send coins to it, is it possible for Bob to subtract Alice's public key from Bob's to get the difference, and then apply that some difference to his private key to get Alice's private key and take the coins without Alice's consent? (PrivA=(PrivB-(PubB-PubA)) or something?)

It seems that all of EC crypto is based on many of these operations being irreversible, so I guess I'm just asking if the point addition being talked about fits in that category.
5685  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 08, 2011, 08:39:48 AM
Yes, there are two proposals floating around.  In one scenario the customer generates a key pair so the customer is certain that they, and only they, have half the puzzle.  The other proposal is for Mike to do half and some other trusted entity to do the other half and the customer does nothing until redemption time.  Both are being discussed and I think both are valid use cases.

The fraud vector outlined above applies to both use cases and the use of the serial key creation system instead of the point addition system eliminates this fraud vector in both use cases.
5686  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 08, 2011, 08:05:52 AM
After much thought I agree that we should abandon the point addition system and use the serial point creation system instead.  Here is why:

This is the proposed point addition system as used by Mike, who is assumed to be trustworthy
The customer creates public key C and private key c where C = c*G
Mike creates public key M and private key m where M = m*G
The customer sends public key C to Mike and Mike creates the final public key F = C + M = c*G + m*G = (c + m)*G
Mike transfers the BTC to the key pair F = (c + m)*G and ships the product to the customer along with the public key M and the private key m (under the hologram)
The customer can verify that C + M = F and also verify that the BTC are stored on F, all is well.
When the time comes the customer can claim the BTC using c + m

But what about Mike’s evil twin brother Ekim?
Again, the customer creates public key C and private key c where C = c*G
Ekim creates public key E and private key e where E = e*G
The customer sends public key C to Ekim but instead of creating the correct public key F = C + E, Ekim instead creates a pseudo public key P where C + P = E, in other words P = E - C
Ekim now transfers the BTC to the key pair he created E = e*G and ships the product to the customer along with the fake public key P and nothing under the hologram
Since the pseudo public key P was created as P = E – C the customer will be able to verify that C + P = E and also be able to verify that the BTC are stored on E, so the customer thinks that all is well!
When the time comes the customer looks under the hologram and discovers there is no key (or a bogus key) and they have been ripped off.  Ekim can move the BTC from E at any time since he knows e.

Now let’s try the same scenario using the serial point creation system
The customer creates public key C and private key c where C = c*G
Mike creates public key M and private key m where M = m*G
The customer sends public key C to Mike and Mike creates the final public key F = m*C = m*c*G
Mike transfers the BTC to the key pair F = m*c*G and ships the product to the customer along with the public key M and the private key m (under the hologram)
The customer can verify that F = c*M = c*m*G and also verify that the BTC are stored on F, all is well.
When the time comes the customer can claim the BTC using c*m

But what about Mike’s evil twin brother Ekim?
Again, the customer creates public key C and private key c where C = c*G
Ekim creates public key E and private key e where E = e*G
The customer sends public key C to Ekim.  Now in order to pull the same scam Ekim would want to be able to pass off his personal key pair E = e*G as the final keys and load the BTC on to E for later recovery.
In order to do that he needs to have the pseudo public key necessary to fool the customer.
The customer is going to attempt to verify the pseudo key P by calculating E = c*P
But there is no way that Ekim can calculate P because Ekim does not know c.

Ekim will have to turn over a new leaf and be more like his brother Mike.

EDIT:  Note that this is not a cryptographic weakness in the point addition method - it is a fraud vector that does not exist in the point "multiplication" system.
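
The customer-side checks from the post above, run on secp256k1, as an added example that is not part of the original post: it shows the additive check C + P = E accepting Ekim's pseudo key and the serial check c*P = E rejecting it. The function names and the toy private keys are constructed for illustration.

```python
# Added illustration: textbook secp256k1 arithmetic, not constant-time, not for real keys.
FP = 2**256 - 2**32 - 977  # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):
    """Group addition of two points; None is the point at infinity."""
    if p is None: return q
    if q is None: return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % FP == 0:
        return None                                   # p + (-p)
    if p == q:
        lam = 3 * x1 * x1 * pow(2 * y1 % FP, -1, FP)  # tangent slope
    else:
        lam = (y2 - y1) * pow((x2 - x1) % FP, -1, FP)  # chord slope
    x3 = (lam * lam - x1 - x2) % FP
    return (x3, (lam * (x1 - x3) - y1) % FP)

def neg(p):
    return None if p is None else (p[0], -p[1] % FP)

def mul(k, p):
    """Scalar multiplication k*p by double-and-add."""
    k %= N
    acc = None
    while k:
        if k & 1:
            acc = add(acc, p)
        p = add(p, p)
        k >>= 1
    return acc

def additive_check(C, shipped_pub, funded):
    """Point addition system: customer checks C + shipped == funded key."""
    return add(C, shipped_pub) == funded

def serial_check(c, shipped_pub, funded):
    """Serial system: customer checks c * shipped == funded key."""
    return mul(c, shipped_pub) == funded

def demo():
    c, m, e = 0x1C0FFEE, 0x2BADD1E, 0x3E1C1A  # constructed toy private keys
    C, M, E = mul(c, G), mul(m, G), mul(e, G)
    out = {}
    F = add(C, M)                     # honest Mike, addition: F = C + M
    out["add_honest"] = additive_check(C, M, F) and mul(c + m, G) == F
    P = add(E, neg(C))                # Ekim ships P = E - C and funds his own E
    out["add_ekim_passes"] = additive_check(C, P, E)
    F2 = mul(m, C)                    # honest Mike, serial: F = m*C
    out["mul_honest"] = serial_check(c, M, F2) and mul(c * m, G) == F2
    out["mul_ekim_passes"] = serial_check(c, P, E)   # same pseudo key, serial check
    # The only P that passes is (1/c)*E, which needs the customer's private c.
    out["passes_only_with_c"] = serial_check(c, mul(pow(c, -1, N), E), E)
    return out

if __name__ == "__main__":
    print(demo())
```
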
5687  Economy / Services / Re: How to profit from the stock market, doesn't matter which way the market goes on: December 08, 2011, 03:42:03 AM
Wow, over 17,000 different systems to choose from  Huh  Amazing.
5688  Economy / Marketplace / Re: Coming Soon: The Casascius 1000 BTC FINE GOLD COIN on: December 08, 2011, 03:39:00 AM
BitMagic,

I am curious about something.  In your signature you have 9Hkao8U82WWDp6SQGn4k7ad9gT1LWeL5s3

I do not recognize this as a valid Bitcoin address.  Is it a joke or is it a type of address that I am not familiar with?

Burt
5689  Economy / Services / Re: How to profit from the stock market, doesn't matter which way the market goes on: December 07, 2011, 10:09:05 PM
Even though he has not quite cracked 2000 posts S3052 is the perfect choice.  I will certainly trust his opinion on this.
5690  Economy / Services / Re: How to profit from the stock market, doesn't matter which way the market goes on: December 07, 2011, 09:39:10 PM
How much have you personally made?  From the system itself that is - not from selling the system.
5691  Economy / Marketplace / Re: [Announce] SimpleCoin.com - Buying Bitcoins Became Simple Today on: December 07, 2011, 08:40:12 PM
Thanks Darin!
5692  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 07, 2011, 08:23:49 PM
Quote
is it possible for Bob to subtract Alice's public key from Bob's to get the difference, and then apply that some difference to his private key to get Alice's private key and take the coins without Alice's consent? (PrivA=(PrivB-(PubB-PubA)) or something?)
No.  You cannot mix public key addition/subtraction and private key addition/subtraction, they are two totally different things.  Public key addition is the defined addition operation on the elliptical group - it is a fairly complex operation and unlike regular addition.  You are adding two points from the elliptical group to get a third point.  Private key addition is the simple modulo addition defined for the finite field.  Apples and oranges.
5693  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 07, 2011, 06:42:28 PM
Quote
It seems trivial to prove that if ECDSA is secure then so is the addition scheme (though of course this has to be vetted by someone who is actually experienced with these things): Suppose that given A and (A+B)*G we can deduce A+B. Now let's say we have some arbitrary public key C*G. Generate a random A. C = A + (C-A) so by assumption we can find C.
This is basically what I was thinking and was going to write up basically the same proof but then thought - well that would just be bwagner again saying that I think it is secure which I have already done numerous times.

What we need is a known "expert" to say it.
5694  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 07, 2011, 06:09:34 PM
Quote
As an app developer, I don't want to have to deal with simultaneously maintaining a set of private keys are okay to reuse, and a set of keys that are a guaranteed fail if I re-use them.  Sure, it can be done, but it's extra complexity in security-sensitive software

Mt. Gox already does this.  If you import a private key into your Mt. Gox account they immediately move all BTC from it and will never re-use it.  However, they do have a nice sweep feature.  If you turn it on then they will automatically sweep any coins sent to that address off it into your account.  So if the private key has been or ever is compromised and someone is foolish enough to send it BTC then they get automatically claimed.

I have imported many private keys into my Mt. Gox account - especially every publicly available private key found on this forum and on the wiki - in the hopes that someone will send it some coins on a whim, then they will be mine all mine <insert maniacal laughter here>
5695  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 07, 2011, 05:59:50 PM
After thinking about it a bit there is a pretty big difference between the two systems when extrapolated to 3 or more parties.

The point addition system can be done in parallel.

Assume five parties all publish their public keys to each other (and the world).  These five public keys are a*G, b*G, c*G, d*G and e*G where a, b, c, d, and e are the five private keys.
Now all five parties immediately have everything they need to calculate the shared public key = a*G + b*G + c*G + d*G + e*G = (a + b + c + d + e)*G

In the other proposed system the calculation of the shared public key cannot be done in parallel, each party must calculate the next point from the previous point

Code:
A sends a*G to B         B calculates b*a*G
B sends b*a*G to C       C calculates c*b*a*G
C sends c*b*a*G to D     D calculates d*c*b*a*G
D sends d*c*b*a*G to E   E calculates e*d*c*b*a*G

This is perfect for where this is what you want:  for each party to have to send the result of their calculation on to the next party and for the final party to be the only one to know the final public key.  However for our use case we do not need or want this.

I am still looking for a citation regarding the use of point addition.  Will let you know when I find it.
5696  Economy / Marketplace / Re: [Announce] SimpleCoin.com - Buying Bitcoins Became Simple Today on: December 07, 2011, 04:06:56 PM
I appreciate PG for all his hard work everywhere on these forums and his line of questioning here.  I did try the service and got my (expensive) coins almost immediately.  Just for the heck of it I did check my credit card charges and so far there is only the one charge:

Code:
Detailed Information  
Transaction Date:  December 05, 2011
Posted Date:  December 07, 2011  
Transaction Description:  SIMPLECOIN.COM 626-340-6865 WA  
Charge:  $40.20  
Category:  Merchandise  
Merchant Information:  SIMPLECOIN.COM 626-340-6865 WA

And no other bogus charges.  I personally don't expect any but I will let you know and if there are any I will simply dispute them!

BTW SimpleCoins:  What is your name so I can more personally thank you for your great service?
5697  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 07, 2011, 03:56:04 PM
In summary there are two possible ways this can be done.  In both systems you need both private keys to spend the money.  In one system you would add the two private keys together to get the private key needed to spend/transfer the funds, in the second system you would multiply the two keys together in order to get the final private key needed to spend the funds.  I believe either system will work and that the addition is slightly easier.
5698  Bitcoin / Development & Technical Discussion / Re: Elliptic curve math question on: December 07, 2011, 03:21:33 PM
Quote
Point addition on a given curve (where everyone knows the parameters, like secp256k1) is easily invertible.  Point subtraction is only slightly slower than point addition.
Agree.  

Quote
Additionally, it is very unwise to rely on any method that requires keeping public keys secret.
Agree.  However, there is nothing in the proposed two key system that requires that any public key be kept secret.  All three public keys a*G, b*G and (a+b)*G are, at all times, publicly available keys.  Knowing all three public keys give you no new information.  Anyone can use point addition or point subtraction to calculate any one of the three from the other two but that is pointless (grin) since all three are public keys anyway.

Quote
Going back to casascius' original idea:  you CAN use Diffie-Hellman shared-secret techniques to SECURELY create a shared key.  If Alice has (a, a*G) and Bob has (b, b*G), then by publicly broadcasting their public keys, Alice and Bob can both compute the elliptic curve point (a*b*G) and no one else can.
Agreed. This would work.  And you have just created a shared key that only Alice and Bob can know, yes.  But since this shared key is going to be a public key why does it need to be a shared secret?

Quote
(1)  (A and B)  Alice and Bob create the point (a*b*G) from each others' public keys, and use the result as a new public key.  They calculate the address hash and put it in the TxOut field of a transaction.  Then when the money needs to be spent, Alice or Bob can send the other one their private key, and then the combined private key can be computed and used to sign the inputs.  This is perfect for casascius application, but not many other applications (see below).
Agreed.  This would work.  However the proposed point addition system will also work just as well.  

Quote
(2)  (A or B)  Alice and Bob create the public key as above, and then use the x component (or combination of x and y components) to derive a new private key.  This private key can be converted to public-key/address that can be included on a transaction, and then Alice or Bob can sign for that transaction.  This isn't relevant for casascius' application, but it is cryptographically secure, and has plenty of other useful applications.
True.

Quote
The problem with (1), in general, is that it's a terrible idea to create a crypto process that relies on exchange of private keys.  While a wallet/app will attempt to use a different private key for every transaction, there's a possibility that things go wrong -- someone else sends that private key money, a bug in their client (or someone manipulates their client)  to reuse private keys, multiple clients using the same wallet don't realize the key has been used, etc.  And a problem like this would go unnoticed by the user until someone has already exploited it.
Agree with the general statement.  However what is being discussed here assumes the key pair is going to be used one time for a specific purpose.

Quote
This is in the same vein as requiring public keys to be kept private -- private keys should never have to be made public.
There is nothing in the proposed point addition scenario that requires any of the points (public keys) to be held as secrets.  Where did you get that idea?  

Quote
Except for casascius' application:  his CONOPS already involves exchanging private keys and his software is specialized to do this correctly.  For general multi-signature protocols over the internet with untrusted parties (1) should never be used.  (2) could be used cryptographically-responsibly to replace 1-of-2 multi-sig transaction types, but that's for some other application.
I agree that your proposal would also work for the coin application.  But since your only objection to the proposed point addition method is based on the incorrect assumption that it requires that one or more of the public keys be kept secret do you now agree that the proposed point addition system will also work?

Quote
P.S. -- I am very interested in ways that an (A and B) transaction could be created using "responsible" cryptography, but so far no one has suggested a way.  Such as a way for Alice to only compute the combined private key with her own private key and Bob's signature (or vice versa)...
Me too.
5699  Other / Off-topic / Re: Bitcoin100 Seeks CO Suggestions on: December 07, 2011, 07:47:38 AM
Was watching Letterman tonight and Matt Damon talked about the charity he founded called http://water.org

I looked it up and it looks like a great idea/charity to me.

I also think it is about the right size and having a celeb on board would not hurt.
5700  Bitcoin / Bitcoin Discussion / Re: Who is 1VayNert3x1KzbpzMGt2qdqrAThiRovi8? on: December 07, 2011, 07:38:31 AM
DeepBit,

Out of curiosity is 1VayNert a vanity address or just another randomly generated address? If vanity does it have any special meaning?