Bitcoin Forum
  Show Posts
861  Economy / Marketplace / Re: Coin Collecting on: July 27, 2010, 03:39:15 AM
So the very first 50BTC is what you are after, what if that person had other BitCoins generated into it since then, how do you know which is which?

I kind of figured that if I had generated the first and only block, the next thing I would do is transfer some coins to another account to see if everything was working. Probably several different times. Then I might try merging them back together to test that too.

It's possible they have all been merged together. That would be a shame for future historians though. If that's true, I might start looking for coins from the first non-tainted (uncirculated block).

Either way, I figure there is at least a 1 in 10 chance that you have the earliest untainted coins. :-)
862  Bitcoin / Bitcoin Discussion / Re: Official Bitcoin Unicode Character? on: July 27, 2010, 01:40:41 AM
Ƅ  Latin capital letter tone six (simple and cool looking)
∄  There does not exist (my ironic favorite, because bitcoins do not exist)
ℬ  Script Capital B (since you are documenting all the cool things that look like a B)
863  Economy / Marketplace / Coin Collecting on: July 27, 2010, 12:03:34 AM
I'd like to be the first BitCoin collector.

I'd like to buy 5 uncirculated bitcoins from the genesis block.  I'm willing to pay $5 USD for them. That's 20x the current market rate if you are the current owner.

As bitcoins are not individually represented or serialized, here are my requirements for "uncirculated".

After transfer to my bitcoin address(es), you should be able to show the following provenance.
1) A complete transaction list originating at the genesis block
2) All transactions in that list have only a single input. (no merging transactions)

That means, I want coins from the genesis block, that have never been mixed with (circulated with/tainted by) coins generated in subsequent blocks. Otherwise, there is no way to know my coins are true genesis coins.

The only exception to the merging transaction rule, is if you can show that every input to the merging transaction has the above provenance. In other words, the genesis coins have only been mixed with other genesis coins.

I might even pay extra, if you can document the real world owners of every bitcoin address the coins passed through.

Cheers!
Red
864  Economy / Trading Discussion / Re: Money Transfer Regulations on: July 26, 2010, 11:14:16 PM
I think the digital goods argument holds until it becomes obvious that the following is happening.

1) Someone within the US buys $X,000 worth of bit coins.
2) That person transfers those bitcoins to the account of someone undesirable.
3) That undesirable person sells $X,000 worth of bitcoins for cash in another part of the world.

At that point, unless bitcoin is receiving public adulation, (like say FaceBook) the whole network will be deemed an unregistered money transfer service. If the undesirable person is undesirable enough, showing steps 1) and 2) will not be proven, just implied.

I think you are correct that no one will care for small numbers of X. But as market volume goes up, someone will start to notice.

P.S.:  I think you will also want to be able to show that you are NOT in too tight with other traders. Otherwise it looks even more like a money transmittal service.
865  Economy / Trading Discussion / Re: Money Transfer Regulations on: July 26, 2010, 10:33:20 PM
I see this is an old thread. Did any real lawyers advise anyone on this?

I see that the current market just helps people meet and PayPal or others handle the currency. That seems sound to me. Either those outside organizations are registered as money transmitters or their neck is on the line.

I doubt any of the argument of "It's not a currency" will hold water in the US; it's the money transmittal service aspect that tends to get people in trouble.
866  Bitcoin / Development & Technical Discussion / Re: Stealing Coins on: July 26, 2010, 12:46:04 AM
Sorry, actually it's ECDSA (Elliptic Curve Digital Signature Algorithm) not RSA.  I shouldn't have said "prime numbers".  ECDSA doesn't take much time to generate a keypair.

I'll learn how elliptic curves work one day, but not today. I should have taken more finite math when I was in college. Who'd a thought it would have come in handy for anything!

By the way, nice idea and implementation of BitCoin Satoshi!

It opens a whole new world of possibilities. I particularly like the concept of distributed agreement without relying upon trust. I think that is the breakthrough concept.

Also, I think the idea of BitCoin mining was brilliant! I doubt you could have gotten the network bootstrapped any other way. I disagree that it's a "fair way" to distribute coins, but hey the world is not fair! And really, I don't think any other way would have generated as much user excitement.


By the way, I concede that there is no threat of stealing bitcoins from my earlier postulation. The double hash seems to assure that from my perspective. Nice call!


Incidentally, I'd still like to know what happens if you generate RSA keys based upon non-prime numbers though. I figure there are other systems out there that didn't double hash. :-)
867  Bitcoin / Bitcoin Discussion / Re: The MOST Important Change to Bitcoin on: July 26, 2010, 12:12:39 AM
I would make the rate of coin generation constant ...

You might try reading in the economics forum. Lots of competing suggestions in there.

Beware, it's a hornet's nest!
868  Bitcoin / Bitcoin Discussion / Re: With "Balance sheets" most of the block chain can be forgotten. on: July 26, 2010, 12:05:05 AM
Let me clarify...

I'd like it if EVERYBODY forgot the old transactions. It doesn't make much sense from an anonymity perspective for just some people to forget them.

And yes, I understand Merkle trees. It's a nice feature.
869  Bitcoin / Development & Technical Discussion / Re: Stealing Coins on: July 25, 2010, 09:19:11 PM
So the way I read it.

Given two numbers p and q. Which for RSA are supposed to be large primes.

Then n = p*q

The public key is the two fields (n, e). e is called the public exponent and appears to be chosen from a set of common values.
The private key is also two fields (n, d). d is called the private exponent and it is derived by knowing e, p-1, and q-1.

The trick is, it is really hard to factor n into p & q. Therefore it is equally as hard to find p-1 and q-1.


My postulation is that if n is arbitrary, and e is one of the common values, then there are lots of different p, q pairs that would work. The less prime the numbers the easier to find p and q, and therefore p-1 and q-1. And if you have a big block of arbitrary data that gives you lots of flexibility in trying to collide a hash.

(That is the point where I could be totally off base though. Really interested, if a crypto geek knows better than me.)

I did read that the key generation algorithms create p and q such that they are "very likely prime" but it is too much work to know for sure. This leads me to believe non-primes don't cause any obvious FAILs. I could be wrong though.
870  Bitcoin / Development & Technical Discussion / Re: Stealing Coins on: July 25, 2010, 09:04:01 PM
bitcoinaddress = RIPEMD-160(SHA-256(publickey))

Correct me if I'm wrong (please, and I'll gladly eat crow) but I think it would be hard to use an analytical attack on RIPEMD-160 in this case.

I think you are correct on the analytical attack. At least as far as I understand (minimally) the mathematical genius that is analyzing them.

I was worried it was the simpler:

bitcoinaddress = RIPEMD-160(publickey)


871  Bitcoin / Development & Technical Discussion / Re: Stealing Coins on: July 25, 2010, 07:52:23 PM
From what I was told, bitcoin is using one of the 160 bit hashes for generating bitcoin address.

The SHA-1 family of hash algorithms is some of the most commonly used. SHA-1 is a 160 bit hash.

Here is a paper that claims to find SHA-1 collisions in 2^52 crypto operations. An optimally secure hash would take 2^80 operations. 2^52 time is still large, but it is getting into cluster and botnet range.

http://www.ictlex.net/wp-content/iacrhash.pdf

The MD5 hashes can already be crashed in seconds on laptops. That was why it was retired from certificate based signatures.

And yes what I'm saying is **I think** you can think of a public key as two secret numbers mathematically combined together. And the private key as those two numbers kept separately. The thing that makes the system secure requires that the two secret numbers be really large prime numbers.

But if they are really large non-prime numbers the combination math still works, it is just much faster to break the algorithm.

I'll do a little more googling and see if I can substantiate my claims. I was hoping someone could dismiss them out of hand though.

872  Bitcoin / Development & Technical Discussion / Re: Stealing Coins on: July 25, 2010, 07:22:14 PM
Satoshi pointed out that my scenario still required the hash function to be broken. That is true, but I was surprised to learn how successful some have been with that. MD4 and MD5 are obvious examples. But work is well underway at colliding SHA-1 and siblings like SHA-256.

What hash is being used in this part of Bitcoin?

He is also skeptical that you could use something other than a generated keypair.

On this point, I'm pretty confident that it is a simple matter of mathematics. I didn't pay enough attention to this until I learned about "blind signing" of documents.

It turns out you can take a document and multiply it by a random number. Then have someone sign the jumbled file. Finally, you divide your random number out of their signature and the result is still a valid signature for the original document. Who'd figured that would work!

Anyway, if keypairs are only secure if they are based upon pairs of primes, then nothing changes any of the math if the numbers are not prime. They are just much easier to factor.

I'd be perfectly happy for some crypto guy to prove me an idiot. It affects some features of a previous project I created that relied on the same association. I didn't think of this then either.
873  Bitcoin / Development & Technical Discussion / Re: Stealing Coins on: July 25, 2010, 07:09:43 PM
Thanks Satoshi,

Here is what I sent him.

-----------


Public key cryptography depends on the fact that it is hard to factor large prime numbers. Everyone knows that. If bitcoin transfers were assigned to a well formed public key, and an associated private key signature was required for future transfer, I would concede that bitcoin's crypto transfers were completely secure.

However, bitcoin transactions don't seem to work that way (by my reading). Transactions assign coin amounts to a particular "bitcoin address". Where the address is a hash of the public key.

To validate a transaction, nodes take the public key from the signature and use that to verify the actual signature. If the signature is valid, it then hashes the public key to confirm it matches the bitcoin address assigned in the previous transaction. If both match, by definition, the transaction is good.


The potential weakness is in associating the public key in the signature with the bitcoin address.

There is a many to one relationship between public keys and a given hash. Now, if finding a pair of prime numbers that creates a secure public/private key pair where the public key part hashes to a particular bitcoin address seems hard... it probably is.

However, that is not required.

All you need is ANYTHING representing a public key that hash collides with a known large bitcoin account. It does NOT have to be a secure key pair based on primes. It simply has to work once and allow the transfer of the stolen money to another account. That is potentially much easier.

Some hashes are harder to collide than others. I'm not sure the strength of the hash being used. However, colliding any hash gets much easier if you don't have to care about the content being hashed.

Because of the nature of public keys they look like random data. As I understand them, you can't know if a public key is based upon secure math unless you succeed in factoring it. Therefore clients don't try. They normally just do the validation of the signature and presume the public key was generated in a secure fashion if it worked.

NOTE: The following analysis needs double checking by a real cryptohacker. IANACR

So depending on the hash, you could use one of the up-and-coming hash collision algorithms to generate a colliding block of data which represents a public key. Then by reversing the public/private key math, generate an associated (but hardly secure at all) private key that would generate valid signatures.

You then take your insecure, easily factorable, key pair and generate a signed transaction that matches the target bitcoin address.

Since the transaction log can't validate the full public key the coins were intended for, it simply presumes it must have been the one presented.


By recording the full public key of the transfer target in the block list you can regain the intended strength. However, you lose the ability to pass around 34 character addresses.


If I'm off base, I apologize for wasting your time.

Cheers!
Red
874  Bitcoin / Development & Technical Discussion / Re: Stealing Coins on: July 25, 2010, 06:07:31 PM
You stopped my post just in time! :-)
875  Bitcoin / Development & Technical Discussion / Stealing Coins on: July 25, 2010, 05:08:03 PM
I think there is a pretty significant crypto flaw in Bitcoin as currently implemented. I'm not sure it is exploitable now (I'm not a real cryptohacker) but it is more than plausible that it will be in the near future.

The flaw would enable anonymous stealing of coins from arbitrary bitcoin addresses. And no it doesn't involve solving any of the hard problems that keep existing crypto systems secure. It is simply a *potential* correctable logic flaw in the implementation.

I would like bitcoins to succeed, so I'd rather not jump up and down in public yelling about flaws in public. Is there an appropriate place to discuss these types of issues?
876  Economy / Economics / Re: Mises' Regression Theorem. on: July 25, 2010, 04:47:45 PM
Red: That's the whole point of the multiple addresses.  You can send from any of them, thus they can't be linked together.  Having everyone know about every transaction is required of the algorithm to keep everything secure.

Yes, I understand that completely. However, bitcoins create a complete public transaction graph showing who has transacted with who. This gives away lots of correlation information. Someone else drew some nice graphs in another thread.

The obvious initial identity leak is in purchasing coins. Since making fiat payment often comes with identity information you have a potential leak there. Also since on purchase, coins are likely transmitted in a single transaction to a single bitcoin address, it becomes an anchor account tied to your paypal account. (depending on the precautions of the market of course)

A second obvious identity leak is in spending the coins for hard goods. As someone previously pointed out, this ties your real address to the bitcoin address the payment was made from.

Also vendors and users publish well known bitcoin addresses tied with either a person, organization, behavior, idea, or product. Say for example, "Donate to "xxxxx" if you want to support anonymous cheeseburgers delivery." Donating "tags" your account as belonging to a carnivore just as efficiently as a carnivore tag on YouTube.

If you trade from a single bitcoin address to multiple well known addresses, it simply correlates more information about you. Say a naive noob bought 50 BTC and had them all sent to his shiny new bitcoin address. He then sent 10 BTC to anonymously overthrow the government. Sent 1 BTC for a cheeseburger, then later decided he wanted a cool "send me bitcoins if you like me!" in his forum signature, and on his facebook page. Poof, he has now tied his anti-government sympathies, cheeseburger support, forum account to his real world facebook page. Just by being a noob. If you created a second anonymous donate account, but then naively transferred those coins to your main account, you are just as screwed. The many to one, then one-to-one pattern would be obviously apparent.

Now say, both parties took lots of precautions and created lots of intermediate accounts for plausible deniability. But unfortunately decided that access to the kiddiepron site costs 123.45 BTC.  Now it is a simple matter to search for all transactions of 123.45 BTC. Then you simply follow the graph backwards and forwards until you find previous or future transactions that collate to the real world.

Generating coins is anonymous, so un-traded coins are safer. Single use bitcoin addresses are safer. Trading entire blocks of coins at once so there is no forking or merging is safer. Always trading in standard size amounts is safer.

If someone created a "trusted laundry service" (danger word) where you could transfer 100 BTC to the service and have it copy 1 BTC to each of 100 new addresses from its coin cache, (not your previous transaction), that would be even safer.

But in all cases, the number of private keys that people have to track is going to get huge. This means the likelihood of key-loss goes up.
877  Economy / Economics / Re: Mises' Regression Theorem. on: July 25, 2010, 02:09:54 PM
How do you plan to remain anonymous when it comes to actually shipping the product to you? You have to give them a real-world address in order to receive anything.

If they can build an Onion router, I can build a cheeseburger router!


Worse, that location can then be tied to your Bitcoin sending address. Even if you try to obfuscate the Bitcoin address, traffic analysis can probably tie it to your other accounts unless you're absolutely paranoid about maintaining separate online identities. The fact that all transactions are public knowledge would make that kind of analysis rather simple.

Actually, this is the one feature of bitcoin I'm not enamored with. By having every transaction available to everyone whether they need to know or not, it does make traffic analysis and correlation attacks trivial. I don't think people understand how easy that is for the determined. Digital goods don't help in a lot of cases, because vendors still feel entitled to your name and address.


If one was to build a large cache of bitcoins, they could create their own bitcoin laundry service. That will probably be worth a considerable amount of N-value in the future.

878  Bitcoin / Bitcoin Discussion / Re: Nenolod, the guy that wants to prove Bitcoin doesn't work. on: July 25, 2010, 02:04:48 AM
Relatively easy, using block timestamp + difficulty extracted from blocks.dat

Yes relatively easy... LOL!  :-)

Thanks for the explanation, but I'll be taking your word for it from now on!
879  Bitcoin / Bitcoin Discussion / Re: Nenolod, the guy that wants to prove Bitcoin doesn't work. on: July 25, 2010, 12:40:56 AM
Then a pretty steady increase to currently about 1700 Mh/s over the following 10 days.

Sorry for the noob question, but how is the 1700 Mh/s number calculated or gathered? I saw my local node's speed in the GUI. Didn't notice a network speed.

Are there also stats for the number of nodes running over the same time period?
880  Economy / Economics / Re: Mises' Regression Theorem. on: July 24, 2010, 09:13:59 PM
Quote from: Red
It's a huge source of N value.
M-value, monetary! Anonymity in this case is an advantage of the medium of exchange! It has no meaning beyond the scope of the exchange process. Look, Red. Suppose you find out that you can stuff Bitcoins instead of buckshot in the shells for your shotgun. This would be non-monetary use.

I'll contest you on this point. But I'll concede if I'm just being ignorant in your terms. :-)

I have dollars in coins/bills, dollars in my checking account, and dollars on plastic cards. In monetary value they are all worth the same. In my case one Wendy's double cheeseburger.

However, if I pay for the cheeseburger using a bill or a coin, I have some semblance of anonymity when the fat police come around. (non-monetary value) If I use a check, or plastic dollars, I lose that advantage. However, if I want to buy my cheeseburgers over the internet, I have only non-anonymous choices, and the fat police are going to track me down. So, if I could buy a cheeseburger using bitcoins over the internet, I would have the same monetary value as a plastic dollar PLUS the anonymity value of a coin.

Therefore, by my logic (which could be out of touch with your terminology) it has to be some value other than M-value.