Rise in value is welcome as masses adopt the currency, but that rise has to be no more than 5% per year. There is no way to control the rise in value and second a rise of 5% per year with no speculation would mean the underlying economy is growing at 5% over the rate of monetary inflation per year. For something as small as Bitcoin that would be a death sentance. It would take decades for the userbase to grow even into the millions. If you want slow steady rises in value wait a decade or two. Bitcoin will either be gone or it will be magnitudes larger and the rate of growth will have been reduced significantly. |
|
|
|
It is now time to fork bitcoin. There is no reason to have only one.
With new efforts to integrate user identities - there is now a very big divide between two competing schools of thought. Each can go down their respective paths without interfering with the progress of the others. The one thing necessary for this to occur - exists wonderfully.
To create Bitcoin1 and Bitcoin2, we'd need to divide the processing power. Fortunately, we presently have more than twice the processing power that is necessary. The network is a perfect capacity for being split.
Bitcoin1 can go on with the anarchists/outlaws who hate all government involvement and despises law and order. Bitcoin2 can intergrate things which improve decent use in an orderly society.
Time to Fork Bitcoin.
This is nonsense. I'm going to go out on a limb and say you are new to bitcoin. If there is something you don't like, get involved and change it. Forking something just for the heck of it doesn't make sense. If you want and anarchist bitcoin, just use the bitcoin testnet. It's anarchy there anyway. And yes, it's built into your bitcoin client. Just google it. Enjoy, you already have your bitcoin2 and you didn't even know it. :-) Or advocate to keep Bitcoin fungible. Don't support compnies which seek to harm the fungibility. Don't support the investors other projects. Edcuate other users on the dangers. Make sure your favorite merchants know if they implement it they will lose your business. Support improvements like Luke's miner patch, coinjoin, and other projects which will make it tougher for the "validators" to accomplish their goals. |
|
|
|
I'm not a miner but I just discovered this important thread. Excuse me if this has already been covered (thread now too long to read in full) but let me share my 2 satoshis:
I setup all my "converts" with the blockchain.info wallet on a smart phone. People just send and receive to the same address over and over and I can see all the money flows into and out of their account. You can't tell them to do anything different--they *think* they don't care, and besides it can't really be done on blockchain.info for mobile anyways. Most new users don't realize the potential for future privacy/security problems with address re-use.
I like Luke's idea because it would incentivize people like piuk to implement BIP32 for the main web wallet on blockchain.info. Users would just see a balance in their "spend" account and the fact that a new address is being created for each transaction would be invisible to them. This adds no complexity that I can see, but lots of privacy and security. It seems only a good thing.
Yup. That is the important part. Luke's patch can't FORCE anyone to use unique addresses however it can provide an incentive and if/when more of the hashpower implements it the incentive grows. Without any incentive we likely will be in the exact same situation a year from now. The current "lazy" static address use scenario is the easiest to implement. Privacy minded miners can push for this patch which provides an incentive to make the Bitcoin network more what they want it to be. Voting for change with hashpower. |
|
|
|
I assume this cannot affect the prioritisation of the Coinbase transaction that constitutes p2pool miner's reward payments? Can you clarify this?
The coinbase tx itself? No (it would be in the block you solve, nothing can change that). Spending the outputs of the coinbase tx? Yes. p2pool could implement BIP32 or in the interim given that p2pool nodes also run bitcoind could just implement a direct getnewaddress() RPC call after any successful block to ensure future blocks use a unique address. |
|
|
|
|
Remember price =/= valuation. Not speaking on the merits of the model but if the model is using non-price inputs and speculation drives price up (in short term) faster than the underlying economic activity the model isn't modeling that. However as you see price eventually corrects to value.
|
|
|
|
I like what's being done here. At first glance, it seems rather rushed to throw this into miners straight away; but I guess it could be looked at as a shot across the bow, since it doesn't break any kind of transaction right now, just makes a certain subset slightly slower. Well so far only one major pool (plus maybe a few solo miners) is using it. That is the nice thing about decentralized network. Some parts can try out new code (outside of core protocol) at different times. Right now 15% of hashpower is using this. Maybe by the time BIP32 is more ubiquitous 80% of the hashpower will be using it. |
|
|
|
|
To the OP ... go ahead. Have fun trying to explain to users how "your Bitcoin" isn't the same "Bitcoin" as everyone else when they say "Bitcoin".
Lasting forks are the worst possible scenario for Bitcoin. They should be avoided at all possible cost.
|
|
|
|
People already have the right incentives to not re-use coins (privacy).
This is not the case. My privacy is not an incentive for someone who wants to pay me coin, nor for someone whom I want to pay coin to. It is only an incentive for me, and I need the cooperation of these other parties to make it work. In the absence of some further incentive that works for all the parties involved, privacy simply has not happened and evidently will not happen. It's nice to think it's "coming" in these newer clients, but my privacy is more secure, AFAICT, if when it does so people have some substantial reason to *USE* and *PREFER* these features of the newer clients. Otherwise I wind up out on the short end of the stick dealing with people who don't want the new client for some reason and who aren't sufficiently inconvenienced by my lack of privacy to care. This. Privacy doesn't end at a single persons addresses. It involves everyone one you interact with and everyone they interact with. One can be perfectly anonymous and if the people they interact with are not well that can provide an indirect method of identifying transactions. |
|
|
|
This would be all well and good if every wallet client (or even most of them) actually, you know, implemented BIP32! As it is, the best you can do is point me to a python tool? I'm capable of using it, but that just seems like a massive pain in the ass to go to. (Oh look, someone used another one of my addresses! Better boot to linux, generate the private key, and import it into my wallet!) And that's for me, a software engineer. What about the less tech-savvy users? Really as a tech savy person you can't think of a better workaround? How about generate and import 1,000 private keys. Then when you need to change the address simply use the python tool to find the next one in the sequence. Moreover, most Bitcoin-related websites don't have BIP32 support either! They take one address for withdrawals. Some allow you to give multiple addresses, if they're a bit fancier, but even then, I'm supposed to post 50 addresses and log in to switch the address every time I get a payout? Well they won't until there is a reason to do so and the patch gives them a reason. In the interim if a site allows posting 50 addresses why would you need to manually change them. It would be a trivial amount of coding for a site to use the next one automatically and notify you when the queue is low or out. Still BIP32 is a better longer term solution. However if sites don't implement them you can still use funds with a small disincentive. That would encourage people to use sites which do promote single use addresses. And then there's Blockchain.info. Did you know Blockchain.info wallets reuse addresses by default unless you create new ones? Then encourage blockchain.info to change their default behavior. The issue of reuse has been known since a YEAR PRIOR to the genesis block. It is unlikely without an incentive anything will change. Lastly remember this doesn't prohibit reuse, it doesn't make coins sent to a used address lost, it doesn't even mean higher mandatory fees. It is merely delaying secondary spends from the same address. I appreciate the intent behind this proposal, but I don't think we're ready for this change yet. I do agree that we need to do this at some point in the future, but shouldn't we, you know, roll out the infrastructure necessary to make it actually workable first? Chicken or the egg. Without the incentive will the infrastructure ever exist. Blockchain.info could easily (within minutes) change their code. Will they? Probably not. Not until users complain. Will users complain unless their is an incentive? Once again probably not. It isn't like Bitcoin just launched. There has been years to do things right and the lazy, easy approach has been used in most cases. |
|
|
|
When 2^80 addresses are created u will find at least 1 identical pair with probability very close to 100%. I'm not talking about finding a collision to one particular address.
And assuming 11M active funded addresses there is a 99.99999999999999999% (should be 18 9s ) chance the address is unfunded. Of course for it to be any use one would need to store both the private keys AND public key and generate the public key from a private key using ECDSA operations so we are talking a rather slow operation and roughly double the storage requirements of storing just pubkeys. |
|
|
|
So once again do you realize how large 2^80th is.
I don't, each day I work with 256-bit numbers, 2^80 looks so small.  dree12 convinced me that we r safe coz it's hard to store 2^80 numbers. Even if it is trivial to store 2^80 the cost for this "attack" would be magnitudes more than a 51% attack and would do magnitudes less. We can only hope in the future attackers are willing to skip the obvious cheaper attack and waste magnitudes more resources on a trivial pointless "attack". A single collision isn't going to even cause a blip in the long term utility of Bitcoin. It would take thousands of such collisions to make people question if the address system is flawed. Even a single collision would cost far more than simply 51% attacking the network and refusing all transactions. Hundreds or thousands of collisions would be a cost on an order not seen. |
|
|
|
An attacker can claim, and mathematically prove, to have an arbitrarily high probability of having generated a collision, but cannot show the colliding public keys. The attack is successful it is very easy to prove. Find a PubKey A & B such that RIPEMD-160(SHA2(SHA2(PubKeyA)) == RIPEMD-160(SHA2(SHA2(PubKeyB)). Publish A & B or simply send coins to the address they share and spend from that address using both PubKeys. Showing a collision is very black and white so I think maybe you mean something else? This is due to the outrageous memory requirement. Storing 280 public keys in memory is impossible, as it would require ~39 yottabytes of memory. In comparison, the NSA is predicted to have less than 5 zettabytes (0.005 yottabytes) of storage capacity, despite having what is likely the largest cold storage complex in the world. Even assuming hard disk size doubling every year, it would take 13 years for someone to amass that kind of capacity. There is also the benefit vs cost. Even if/when storing that amount of data is possible we are talking about a cost which is magnitudes higher than simply 51% attacking the network. So this "attack" has magnitudes higher cost for magnitudes less impact. It will never happen. Even if someone had that kind of resources and wanted to destroy Bitcoins there are simply easier simpler ways to do so. As has been predicted, generating 280 addresses is likely to be feasible in the next decade; however, proving with 100% certainty that a collision has occurred is not. Maybe you mean "will occur" because after a collision has occurred it is trivial to prove that it has occurred? |
|
|
|
Do you understand how large even 2^80 is?
Bitcoin network hashrate is 5*10^15 ~ 2^52. So in 2^28 seconds (8 years) we'll reach this number. Doesn't look too large. And this is without the Moore's law. Even if we assume that the hardware COULD be used for this purpose basically you are saying: Someone could spend 800%* of the cost to 51% the Bitcoin network to potentially produce an unused pair of pubkeys which hash to the same pubkeyhash rather than: a) collect ~50% of annual Bitcoin mining revenue. b) attack the network with a sustained 51% attack. Yeah I think we are safe. So once again do you realize how large 2^80th is. Do you realize the asinine cost it would require to produce a collision? Do you realize the far easier attacks that can be done with that amount of cost, and energy? Do you realize the utter stupidity of using this as an attack? * In reality it is probably closer to 8,000% as generating PubKeys is far more computationally expensive than generating SHA-2 hashes. |
|
|
|
Well, isn't this the basic rule of the game? For everyone who makes a win must be someone who makes a loss. He might be greedy, but so are all the other people playing the game. And of course nobody is forced to play. Well not it isn't. https://en.wikipedia.org/wiki/Comparative_advantage |
|
|
|
Sorry but sites like Mt. Gox it doesn't tell you if there is that option and I looked on a local trading site, and it only listed prices of whole bitcoins. And like I said I'm new so I figured if someone was on those sites they could just say "Hey all those sites offer smaller shares too".
It is simply the price. If potatoes are $2 per pound it doesn't mean you can't buy 1/4 pound of potatoes. If Bitcoins are $400 ea it doesn't mean you can't buy 0.1 BTC. Like I said I don't know a single site which requires you to buy only in increments of one whole Bitcoin. |
|
|
|
How do you support that alt coins is going to surge? He owns a lot and therefore wants it to happen. Nothing more. |
|
|
|
Maybe I should change the title of this thread... you are addressing something that I feel is quite off-topic. I just wanted to have a discussion over what dynamics changed after Nov. 3, 2013 -- not a general discussion about transaction fees and confirmation times.
So far the hypotheses are that Elgius changed how they prioritize transactions based on address reuse and that we hit recently hit a threshold of transactions broadcast per day (due to the growing adoption of Bitcoin).
This is what I'm talking about. I didn't bother mentioning it because it's already been explained several times in this thread. I was merely elaborating on why, with a sufficiently large number of transactions, many of those transactions will not get into a block, even though the block size is nowhere near the limit and the transactions pay the minimum required fee. The minimum fee is not sufficient if a block is more than a quarter full. If nobody ever pays more than the minimum fee, blocks will never be more than a quarter full, leading people to ask "why is there a huge backlog of fee-paying transactions when the blocks are nowhere near full?" And now you know. And knowing is half the battle. That is a flawed understanding of the fee rules. High priority txs have no required fee, none. As in 0 satsohis. This applies regardless if a block is 1MB in size. The min mandatory fees FOR LOW PRIORITY TXS are designed as a denial of service prevention mechanism. They are only enforced at the client level. Even if miners follow those they have absolutely no effect on high priority txs. Lastly the rules aren't enforced at the protocol level. Miners an build any valid block they want by using custom bitcoind. This is hardly beyond the capabilities of a major pool (all are using custom nodes already). It is possible to have a block contain NOTHING but no fee txs (as in ~2,400 of them) and the block is still valid. |
|
|
|
My thoughts on this are that a collision will occur in about 10 years. The question that lies is will that collision be one of the biggest bitcoin wallets or a wallet with very little bitcoins.
You base this on what magic? Do you understand how large even 2^80 is? If a billion people produces a thousand addresses per second for the next 1000 years the odds of a collision are 1 in 260,000. Of course even that understates the chance because regardless of how many new addresses are used only a finite number of addresses can be funded. The absolute max number of funded addresses is 2.1 quadrillion and that would be all addresses contain a single satoshi each. The actual number of addresses is likely to be much much much lower but that provides an absolute upper bound. |
|
|
|
I have to say my response to the subject line is "No it isn't."
The person putting the affirmative statement on the table has the obligation actually to prove it. My guess is you can't.
Math related to birthday paradox was provided in the OP. The rest is just a plain common sense. U guessed right coz it's very hard to prove obvious things. Birthday paradox my ass. I had already noted and ignored that. It will probably be a meaningless dust transaction if you've looked at the blockchain lately. Even if it does happen. It is far more likely (as in thousands of quadrillions to one) that any match would be unused addresses. The used active addresses space is ~11M addresses. 2^80 is 109,902,347,237,693,561x larger. So after an utterly asinine amount of time, energy, and cost if/when a pair of pubkeys which produce the samepubkeyhash were found it is 99.99999999999999999% likely the two pubkeys would be ones created by the attacker and be empty. |
|
|
|
The original discussion was about being able to find 2 keypairs which form the same bitcoin address in 2^80 attempts on average. Assuming someone has the resources to do this, what is the advantage for them? I can't think of anything they could do to take advantage of this?
Also to perform the attack, I'm thinking you'd need to store at least 52 bytes per address (32-byte private key and 20-byte pubkey hash). This is 52 Yottabytes of data!
Nothing. The OP claim is they could do this at massive expense to spend coins from an address using two different pubkeys and that would be a negative PR for Bitcoin. I am doubtful how much of an effect it would have and if anything people would be a repeat (or thousands of repeats) which wouldn't occur and it would be chalked up to incredibly bad luck. Still anyone with the resources to do this could 51% the network which is an "easier", cheaper and far more direct attack. He can't spend coins from them, all he could find are two hash-collision pubkeys. Well that is the point the "attacker" (and yes this would be most expensive and stupidest possible attack on Bitcoin) could find a pair of pubkeys which hash to the same pubkeyhash, then send coins to that address, and then spend those coins with both pubkeys. Generally speaking this is something that shouldn't be possible and it may be a small loss of confidence as it would be publicly visible to anyone on the blockchain. It would be good for a FUD campaign "see Bitcoin is broken" and that is the OP contention. However the MASSSIVE expenditure required to perform this "attack" combined with the limited effect makes it dubious. A single instance would quickly be dismissed as incredibly unlikely random chance. To replicate the attack and make it appear that Bitcoin was compromised would require finding hundreds or thousands of pairs of pubkeys which share a pubkeyhash so the entire attack cost would have to be increased by a factor of 100x or 1000x. At this point you are taking more computing power and energy than what is required to 99.9% attack the Bitcoin network. So no there is no utility in this "attack" but it is technically incorrect to say coins couldn't be spent. They would be the attackers own coins but they could be spent by either (or more like both) pubkeys which hash to the same pubkeyhash. |
|
|
|
|
Show Posts
