Bitcoin Forum
Author Topic: Lost Bitcoins  (Read 14213 times)
dextryn (OP)
September 12, 2012, 11:23:11 PM
 #1

So, I've been curious about what happens to those "lost" bitcoins that are out there.  Whether they were sent to the wrong address or are sitting in someone's locked wallet with no way of recovering them, are they lost for good?  If so, would it be accurate to say that since there is a set amount of bitcoins out there, the amount of "accessible" bitcoins would continue to decrease as these mistakes happen?  How does that affect the viability of the currency as a whole?
foggyb
September 12, 2012, 11:29:02 PM
 #2

Yes, the coins are lost forever. No amount of hash-power that we could reasonably possess will ever find all or even a few of the priv keys.

The decreasing number of coins is an issue, and could become a more serious one if a large batch of coins is abruptly (and inevitably) lost.

The fact that bitcoins are divisible will help mitigate the coin destruction. Others will comment further on this.

proudhon
September 12, 2012, 11:29:19 PM
 #3

So, I've been curious about what happens to those "lost" bitcoins that are out there.  Whether they were sent to the wrong address or are sitting in someone's locked wallet with no way of recovering them, are they lost for good?  If so, would it be accurate to say that since there is a set amount of bitcoins out there, the amount of "accessible" bitcoins would continue to decrease as these mistakes happen?  How does that affect the viability of the currency as a whole?

Yes, the amount of accessible bitcoins will continue to decrease as bitcoins are "lost".  It doesn't matter for the usability of bitcoin in a technical sense because they are infinitely divisible.  Lost bitcoins probably help push the price up if anything.

Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
Etlase2
September 12, 2012, 11:30:02 PM
 #4

:sigh: Search around man, check the wiki. This question has been asked and answered hundreds of times.

Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.

Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.

Sending to the wrong address is unlikely if you are just using a standard client to create transactions as each Bitcoin address has a checksum that ensures there is a 1 in 4.3 billion chance of a typo providing a correct address (actually probably even less likely because if characters are added or subtracted it will likely never be valid).
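An added example of the checksum mechanism Etlase2 describes (editor's code, not from the post or from any Bitcoin project): Base58Check encoding and decoding with the 4-byte double-SHA-256 checksum, run over a constructed address to show that single-character typos are rejected. The 20-byte hash160 is made up for the demonstration and is not derived from any key.

```python
import hashlib

# Base58 alphabet used by Bitcoin addresses: no 0, O, I or l, so the
# characters a human most easily confuses are never valid to begin with.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def sha256d(data: bytes) -> bytes:
    """Double SHA-256; its first 4 bytes are the address checksum."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n > 0:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte is carried as a leading '1' (the "1..." of P2PKH).
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * leading_zeros + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = ALPHABET.find(ch)
        if idx < 0:
            raise ValueError(f"not a base58 character: {ch!r}")
        n = n * 58 + idx
    body = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    leading_ones = len(text) - len(text.lstrip("1"))
    return b"\x00" * leading_ones + body


def encode_address(version: int, hash160: bytes) -> str:
    """Base58Check: version || hash160 || first 4 bytes of sha256d(version || hash160)."""
    payload = bytes([version]) + hash160
    return b58encode(payload + sha256d(payload)[:4])


def decode_address(addr: str):
    """Return (version, hash160) for a well-formed address, or None when the
    length is wrong, a character is not base58, or the checksum does not match."""
    try:
        raw = b58decode(addr)
    except ValueError:
        return None
    if len(raw) != 25:
        return None
    payload, checksum = raw[:21], raw[21:]
    if sha256d(payload)[:4] != checksum:
        return None
    return raw[0], raw[1:21]


def count_typo_rejections(addr: str):
    """Try every single-character substitution of addr and count how many the
    checksum rejects. Returns (rejected, attempted)."""
    rejected = attempted = 0
    for i, ch in enumerate(addr):
        for alt in ALPHABET:
            if alt == ch:
                continue
            attempted += 1
            if decode_address(addr[:i] + alt + addr[i + 1:]) is None:
                rejected += 1
    return rejected, attempted


# Constructed sample: 20 arbitrary bytes standing in for RIPEMD160(SHA256(pubkey)).
# Not derived from any key; only the checksum mechanics matter here.
SAMPLE_HASH160 = bytes(range(1, 21))
SAMPLE_ADDRESS = encode_address(0, SAMPLE_HASH160)  # version 0 = mainnet P2PKH

if __name__ == "__main__":
    print("sample address:", SAMPLE_ADDRESS)
    print("decodes to:", decode_address(SAMPLE_ADDRESS))
    rejected, attempted = count_typo_rejections(SAMPLE_ADDRESS)
    print(f"single-character typos rejected: {rejected}/{attempted}")
    print("leading character dropped:", decode_address(SAMPLE_ADDRESS[1:]))
```

The checksum only catches accidental corruption; a different but validly formed address swapped in by clipboard malware passes it just as well, so the destination still has to be confirmed out of band.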

dextryn (OP)
September 12, 2012, 11:35:11 PM
 #5

:sigh: Search around man, check the wiki. This question has been asked and answered hundreds of times.

I tried searching around, but it was too cluttered with the "I lost my bitcoins what do I do?! threads."  Thanks for the answer though.
adamstgBit
September 12, 2012, 11:42:26 PM
 #6

It could be that in the future everyone (and by everyone I mean the miners, since they have absolute authority over the bitcoin protocol) will decide to mine the lost coins.
They will do this by sending out a new version of the bitcoin client and asking everyone to send their coins to this new wallet.
Any coins left behind during the move will be made available for mining.

This idea has been thrown around, and I'm 99.9% sure it will happen; after all, it's up to the miners, and what kind of miner would say no to MINE MORE COINS!?

lassdas
September 13, 2012, 12:31:47 AM
 #7

..I'm 99.9% sure it will happen..
It won't happen, and here's why:
there is no way to tell if coins are actually lost or not; there is no difference between lost and not-lost coins.
To tell people to send their coins to a new address after X days/months/years/decades would also make all physical bitcoins (like casascius, paper-wallets and the likes) worthless after that date; you would force everyone to destroy those and create new ones. That's a pretty bad idea.

If some miners decide to mine any already mined coins, they decide to fork/create a new currency.
They are free to do so, but people probably won't use that new currency.
Yuhfhrh
September 13, 2012, 10:03:00 AM
 #8

..I'm 99.9% sure it will happen..
It won't happen, and here's why:
there is no way to tell if coins are actually lost or not; there is no difference between lost and not-lost coins.
To tell people to send their coins to a new address after X days/months/years/decades would also make all physical bitcoins (like casascius, paper-wallets and the likes) worthless after that date; you would force everyone to destroy those and create new ones. That's a pretty bad idea.

If some miners decide to mine any already mined coins, they decide to fork/create a new currency.
They are free to do so, but people probably won't use that new currency.

As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.

Is this accurate at all? I know my terms may be off.
Etlase2
September 13, 2012, 10:17:24 AM
 #9

As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.

Is this accurate at all? I know my terms may be off.

256 bits is the sweet spot where it would take every joule of the sun's energy produced in an entire year just to COUNT from zero to 256 bits given the completely impractical idea that moving a bit would require the smallest unit of energy possible. Now consider that SHA256 is an algorithm that involves many operations with many rounds (way harder than just counting). As long as a significant weakness is not discovered in SHA256 (there have been some very minor ones), it will likely be forever impossible to break. The SHA3 competition from NIST though looks to address some of the shortcomings of SHA256 and make an even more secure hashing algorithm with fewer potential weaknesses. But 256 bits will still always be more than enough bits except in the case of quantum computing which could effectively render SHA's 256 bit protection to 128 bits. The counter to that is using a 512 bit algorithm, but that is the end of the road.

But SHA256 is not used for storing your bitcoins, that is done by a digital signature algorithm and those have significantly more weaknesses and few if any are rated as "rock solid, can't be broken" secure by cryptanalysts. Certain properties can be proven secure, but not the algorithm as a whole because they are making use of NP hard type math problems that might have solutions that we just don't know about yet. QC will also make finding solutions significantly easier for things like RSA and ECDSA (what bitcoin uses).

Yuhfhrh
September 13, 2012, 11:17:18 AM
 #10

As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.

Is this accurate at all? I know my terms may be off.

256 bits is the sweet spot where it would take every joule of the sun's energy produced in an entire year just to COUNT from zero to 256 bits given the completely impractical idea that moving a bit would require the smallest unit of energy possible. Now consider that SHA256 is an algorithm that involves many operations with many rounds (way harder than just counting). As long as a significant weakness is not discovered in SHA256 (there have been some very minor ones), it will likely be forever impossible to break. The SHA3 competition from NIST though looks to address some of the shortcomings of SHA256 and make an even more secure hashing algorithm with fewer potential weaknesses. But 256 bits will still always be more than enough bits except in the case of quantum computing which could effectively render SHA's 256 bit protection to 128 bits. The counter to that is using a 512 bit algorithm, but that is the end of the road.

But SHA256 is not used for storing your bitcoins, that is done by a digital signature algorithm and those have significantly more weaknesses and few if any are rated as "rock solid, can't be broken" secure by cryptanalysts. Certain properties can be proven secure, but not the algorithm as a whole because they are making use of NP hard type math problems that might have solutions that we just don't know about yet. QC will also make finding solutions significantly easier for things like RSA and ECDSA (what bitcoin uses).

Thank you for teaching and correcting me.  Smiley
FreeMoney
September 13, 2012, 01:10:29 PM
 #11

It could be that in the future everyone (and by everyone I mean the miners, since they have absolute authority over the bitcoin protocol) will decide to mine the lost coins.
They will do this by sending out a new version of the bitcoin client and asking everyone to send their coins to this new wallet.
Any coins left behind during the move will be made available for mining.

This idea has been thrown around, and I'm 99.9% sure it will happen; after all, it's up to the miners, and what kind of miner would say no to MINE MORE COINS!?

Miners can do whatever they want, assign 200 per block, play WOW, move to Antarctica. But if they make changes they aren't mining Bitcoin and people who want bitcoins just ignore them. The only thing that matters is what people are accepting for goods and services and right now the only crypto-currency anyone is accepting at all is 100% durable.

Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
proudhon
September 13, 2012, 02:27:37 PM
 #12

Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.

Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.

What is the limit on the potential divisibility that you admit exists?

Etlase2
September 13, 2012, 02:48:02 PM
 #13

Requiring a hard fork to add extra decimal places is a significant, breaking change to the bitcoin protocol and should not be taken lightly or assumed to be part of the specification.

I was only making that clear.

And they will never be infinitely divisible as there would have to be an infinite number of bits.

DannyHamilton
September 13, 2012, 02:53:03 PM
 #14

Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.

Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.

What is the limit on the potential divisibility that you admit exists?

The value isn't stored in the blockchain as a decimal at all.  It is stored as an integer.  The client just creates a decimal 8 places to the left when it displays it to you.  The client can be modified to create that decimal less places to the left if desired (display in mBTC or uBTC rather than BTC), but none of that changes how the value is actually stored.

As I understand it, to change how much the value represents will require changing how the value is stored in the blockchain. Potentially you could have some miners storing their newly minted coins in the old format, and some storing them in the new format if they don't all upgrade simultaneously.  The upgraded wallets would recognize the new format as valid, while those people who don't upgrade their wallets in time would see the old format as valid.  This would split the blockchain into 2 types of bitcoin.

Spekulatius
September 13, 2012, 02:57:45 PM
 #15

As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.

Is this accurate at all? I know my terms may be off.

256 bits is the sweet spot where it would take every joule of the sun's energy produced in an entire year just to COUNT from zero to 256 bits given the completely impractical idea that moving a bit would require the smallest unit of energy possible. Now consider that SHA256 is an algorithm that involves many operations with many rounds (way harder than just counting). As long as a significant weakness is not discovered in SHA256 (there have been some very minor ones), it will likely be forever impossible to break. The SHA3 competition from NIST though looks to address some of the shortcomings of SHA256 and make an even more secure hashing algorithm with fewer potential weaknesses. But 256 bits will still always be more than enough bits except in the case of quantum computing which could effectively render SHA's 256 bit protection to 128 bits. The counter to that is using a 512 bit algorithm, but that is the end of the road.

But SHA256 is not used for storing your bitcoins, that is done by a digital signature algorithm and those have significantly more weaknesses and few if any are rated as "rock solid, can't be broken" secure by cryptanalysts. Certain properties can be proven secure, but not the algorithm as a whole because they are making use of NP hard type math problems that might have solutions that we just don't know about yet. QC will also make finding solutions significantly easier for things like RSA and ECDSA (what bitcoin uses).

Back to the question:

Is it possible that sometime in the future there may be a way to crack private keys of lost coins?
Maybe because those lost coins are less protected than the not lost ones?
thebaron
September 13, 2012, 02:59:58 PM
 #16

Is it possible that sometime in the future there may be a way to crack private keys of lost coins?

If you can crack lost coins and be profitable, then you'd also be able to crack anyone's coins.
proudhon
September 13, 2012, 03:04:22 PM
 #17

Requiring a hard fork to add extra decimal places is a significant, breaking change to the bitcoin protocol and should not be taken lightly or assumed to be part of the specification.

I was only making that clear.

And they will never be infinitely divisible as there would have to be an infinite number of bits.

Fair enough.  In any event, it's difficult to imagine 8 decimal places not being sufficient.  I still don't understand why it isn't possible to always be able to add one more decimal place to the right.

waspoza
September 13, 2012, 03:07:30 PM
 #18

Fair enough.  In any event, it's difficult to imagine 8 decimal places not being sufficient.  I still don't understand why it isn't possible to always be able to add one more decimal place to the right.

Of course it's possible. Same as increasing the block reward to 500 BTC. There is just one thing: the rest of the network must agree.
Etlase2
September 13, 2012, 03:09:38 PM
 #19

Back to the question:

Is it possible that sometime in the future there may be a way to crack private keys of lost coins?
Maybe because those lost coins are less protected than the not lost ones?

The answer is complicated, but yes it is possible and may even be profitable at some point. While SHA256 has 256 bits of effective security, the ECDSA curve that bitcoin uses only has 128 bits of effective security, 3.4^38 times easier to crack. And that is still beyond the realm of all the computing power in the world to crack in less than several hundred years. But that is assuming computing power doesn't increase. 128-bit security is predicted to be secur-ish until 2030 or so. It will still be viable for some time after that most likely, but eventually accounts will have to upgrade to 144 bits or 160 bits of security in the future, while lost coins would be vulnerable. There is an extra complication/protection though that many balances are stored as RIPEMD160 (160 bits) hashes rather than ECDSA public keys. This means an attacker would have to find a private key that works for a public key that hashes to a known RIPEMD160 hash, and this is exceedingly unlikely. But not all addresses are stored this way.

There is an algorithm that would allow a quantum computer with sufficient qubits to crack an RSA or ECDSA key within minutes. But that's another topic and not something to worry about just yet.

Also, there is still a possibility that we solve the "hard problems" associated with digital signatures and it would make cracking them almost instant. (again they would be protected if they were RIPEMD160 hashed though)

DeathAndTaxes
September 13, 2012, 03:11:24 PM
 #20

Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.

Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.

What is the limit on the potential divisibility that you admit exists?

The value isn't stored in the blockchain as a decimal at all.  It is stored as an integer.  The client just creates a decimal 8 places to the left when it displays it to you.  The client can be modified to create that decimal less places to the left if desired (display in mBTC or uBTC rather than BTC), but none of that changes how the value is actually stored.

As I understand it, to change how much the value represents will require changing how the value is stored in the blockchain. Potentially you could have some miners storing their newly minted coins in the old format, and some storing them in the new format if they don't all upgrade simultaneously.  The upgraded wallets would recognize the new format as valid, while those people who don't upgrade their wallets in time would see the old format as valid.  This would split the blockchain into 2 types of bitcoin.

Technically the blockchain doesn't store values it stores unspent outputs.  While all unspent outputs are currently in the same format it would be possible to have new "high precision" addresses which say store Bitcoins in a new format.  This new format would only be used on new addresses.  

The migration process would be similar to P2SH:
1) Hash out the details, test, debate, etc.
2) Request miners put a tag in the codebase of solved blocks indicating they support the protocol change.
3) When sufficient majority of miners support the change (I think Gavin looked for 80% in P2SH) release a new version of the client.
4) The new version(s) of the client have a changeover block coded into the client.   The client would have the ability to support the new address type but it would reject them as invalid if seen prior to the changeover block.
5) On the change over block the new address type would be supported.

At that point older nodes (both miners and non-miners) would be forked off.  The main chain seen as the longest by upgraded nodes would be seen as invalid by them (they would see the new high precision addresses as invalid txs).  As long as they represent a minority there is no real harm.  They simply need to upgrade to the new version.  There is no issue of their clients being "confused" (showing wrong amounts, etc); they simply would reject blocks & txs involving the new incompatible address.

It worked well with P2SH and IIRC Gavin brought up some ideas that would make future transitions easier (like coding a version number into the blocks & clients so that clients would warn users when they see a future incompatible version on the network).

Since Bitcoin doesn't store values it stores unspent outputs (which are used as a single unit) it is possible to support newer high precision addresses while at the same time also supporting "legacy" addresses.  User could keep using their old addresses or have a new version of the client generate a new address for them and move their funds to the new address.
DannyHamilton
September 13, 2012, 03:35:25 PM
Last edit: September 13, 2012, 04:19:46 PM by DannyHamilton
 #21

Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.

Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.

What is the limit on the potential divisibility that you admit exists?

The value isn't stored in the blockchain as a decimal at all.  It is stored as an integer . . .

Technically the blockchain doesn't store values it stores unspent outputs . . .
Isn't there a value stored in the output?  If I spend a single output, and create multiple outputs of my own, don't my outputs have values stored as int_64 in the blockchain indicating how much is being spent along with the public key (or hash of the public key) allowing the private key holder to spend that output?
kjj
September 14, 2012, 11:02:55 PM
 #22

Requiring a hard fork to add extra decimal places is a significant, breaking change to the bitcoin protocol and should not be taken lightly or assumed to be part of the specification.

I was only making that clear.

And they will never be infinitely divisible as there would have to be an infinite number of bits.

Fair enough.  In any event, it's difficult to imagine 8 decimal places not being sufficient.  I still don't understand why it isn't possible to always be able to add one more decimal place to the right.

The protocol currently uses integer math.  Values are 64 bit.  If I send 1 BTC to myself, in the transaction that shows up at 100,000,000.

In other words, the fundamental unit of the system is 1/100,000,000 of a BTC (commonly nicknamed "one satoshi").  The software does all math in terms of satoshis, but displays BTC to the user by scaling.

I sorta suspect that we'll switch to a 128 bit representation for technological reasons (wider CPUs) long before we need more digits for economic reasons.  Such a switch would give us some combination of more headroom and more dividing room.  It would also require a more-or-less hard fork.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
Etlase2
September 14, 2012, 11:13:46 PM
 #23

A 64 bit int can hold the entire supply (8 decimals in all) in one integer, 8,700 times over. 4 more decimals could be added and still almost hold the entire supply in one int64 (18.5 vs 21 with a bunch of zeroes). If you limit the left hand side, you could go much further than 4 more decimals.

kjj
September 14, 2012, 11:19:51 PM
 #24

A 64 bit int can hold the entire supply (8 decimals in all) in one integer, 8,700 times over. 4 more decimals could be added and still almost hold the entire supply in one int64 (18.5 vs 21 with a bunch of zeroes). If you limit the left hand side, you could go much further than 4 more decimals.

But why would you do that?  Changing the way you interpret the integer is what breaks everything, not the size of the field.  If you are going to make the change, make the change big.

Etlase2
September 15, 2012, 05:22:20 AM
 #25

What you should argue is, if you are going to make the change, make the change smart. Doubling the size of every integer in the block chain so that you can go to 30 zeroes seems a bit odd from that standpoint. I wonder why satoshi didn't just go to 11 decimals though since that wouldn't have changed anything.

kjj
September 15, 2012, 01:49:58 PM
 #26

Probably because headroom is useful too.  It means that 64 bit accounting systems, for example, can be exact even when dealing with values many times larger than the bitcoin market cap.

GernMiester
September 17, 2012, 02:01:15 AM
 #27

The whole hard limit will kill BTC all by itself one day. No one needs to do anything but wait and sell BTC to suckers err, investors.
Jermainé
September 17, 2012, 12:59:41 PM
 #28

satoshidice is holding over 16 of my BTC hostage. Don't ask me why  Cry
Aseras
September 20, 2012, 03:09:32 PM
 #29



Back to the question:

Is it possible that sometime in the future there may be a way to crack private keys of lost coins?
Maybe because those lost coins are less protected than the not lost ones?

you can crack them now with vanitygen, good luck doing it though.
flatfly
September 20, 2012, 03:26:23 PM
 #30



Back to the question:

Is it possible that sometime in the future there may be a way to crack private keys of lost coins?
Maybe because those lost coins are less protected than the not lost ones?

you can crack them now with vanitygen, good luck doing it though.

For the naive (or superlucky) ones:
the 2^256 Deep Space Vagabond awaits you (my little timesink project) Smiley
dooferorg
September 20, 2012, 04:39:46 PM
 #31

Yes, the coins are lost forever. No amount of hash-power that we could reasonably possess will ever find all or even a few of the priv keys.

nothing that we could possess TODAY. Technology marches on Smiley

BTC: 1dooferoD3vnwgez3Jo1E4bFfgMf81LR2
ZEC: t1gnToN2HZW4GD52kofEVdijhRijWjCNfYi
kjj
September 20, 2012, 05:01:04 PM
 #32

Yes, the coins are lost forever. No amount of hash-power that we could reasonably possess will ever find all or even a few of the priv keys.

nothing that we could possess TODAY. Technology marches on Smiley

Quote
If we built a Dyson sphere around the sun and captured all its energy for 32 years, without any loss, we could power a computer to count up to 2^192. Of course, it wouldn't have the energy left over to perform any useful calculations with this computer. But that's just one star, and a measly one at that. A typical supernova releases something like 10^51 ergs. If all of this energy could be channelled into a single orgy of computation, a 219-bit counter could be cycled through all of its states. These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

Bruce Schneier

DannyHamilton
September 20, 2012, 05:47:48 PM
 #33

Yes, the coins are lost forever. No amount of hash-power that we could reasonably possess will ever find all or even a few of the priv keys.
nothing that we could possess TODAY. Technology marches on Smiley


Quote
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.


Of course there is a small possibility that the algorithms themselves could succumb to new technology and new understandings, such that finding the private key for a given hash of a public key does not require brute force calculation of all keypairs until a matching one is found.
Jermainé
Member
Activity: 70
Merit: 10
September 24, 2012, 05:25:19 PM
 #34

lost coins go straight to my wallet. Just thought you should know.
pretendo
Member
Activity: 112
Merit: 10
September 24, 2012, 09:35:25 PM
 #35

For a "Satoshi" to even be worth one penny, which is the smallest unit of a dollar, we would need bitcoins to be valued at TEN MILLION DOLLARS. This is ludicrously high. Some countries don't even use pennies, like New Zealand. Considering our inflation, by the time we have 10 million dollar bitcoins, 1 cent will be even more completely worthless than it is now, pushing the limit to a 10 cent satoshi. Keep in mind, even though the dollar has a lower limit of 1 cent, finance and accounting still trades and deals with fractions of a cent. This is also possible with a bitcoin lower limit. You can make up any division of any currency by arithmetic necessity in accounting.
DannyHamilton
Legendary
Activity: 3388
Merit: 4653
September 24, 2012, 10:20:12 PM
 #36

For a "Satoshi" to even be worth one penny. . .we would need bitcoins to be valued at TEN MILLION DOLLARS. . .
Double check your math on that...

1 BTC = 100,000,000 Satoshi

If 1 Satoshi = $0.01, then 1 BTC = 100,000,000 X $0.01 = $1,000,000

So, for a "Satoshi" to be worth one penny, we would need bitcoins to be valued at ONE MILLION DOLLARS.
werneo
Member
Activity: 65
Merit: 10
December 31, 2013, 04:37:15 AM
 #37

The question of "Lost bitcoins" was raised in this recent article on Read/Write:
http://readwrite.com/2013/12/30/bitcoin-may-fade-2014-prediction

"a full 64 percent of bitcoins have never been spent."

Ref: http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf

Assume these coins are actually LOST FOREVER. In the next few decades, the Technological Singularity is supposed to achieve super-sentience:
http://en.wikipedia.org/wiki/Technological_singularity

If the Singularity follows Moore's Law and becomes exponentially intelligent in a relatively short period of time, when do you suppose it will acquire enough processing capacity to recreate the lost bitcoins?

kjj
Legendary
Activity: 1302
Merit: 1025
December 31, 2013, 05:05:40 AM
 #38

If the Singularity follows Moore's Law and becomes exponentially intelligent in a relatively short period of time, when do you suppose it will acquire enough processing capacity to recreate the lost bitcoins?

No.  Please do some research instead of asking why not.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
DannyHamilton
Legendary
Activity: 3388
Merit: 4653
December 31, 2013, 07:53:56 AM
 #39

Why does it seem like 99% of necro-posts are useless drivel based on idle speculation and fanciful imagination rather than well thought out logic based on facts and reality?
ISAWHIM
Hero Member
Activity: 504
Merit: 500
December 31, 2013, 09:06:40 AM
 #40

Bitcoins are never lost... they are always there... you just lose access to them.

Sorry, but with 100PHs network, you can easily "guess" a collision of sha-256, or guess a collision of a collision of a sha-256.

If it were 1:999999999999-trillion-trillion-trillion to find 1 collision... You could find it in 1 try, on some address on the network, just as easily.

Now 256-bits is only 32-bytes, represented as 64-bytes as HEX-values.
EG: "BOB" = 54fcf974eabb0444320acd2835977b2c686b916162e6571668ac45db549da031

A collision for that could be the hash for the word "SUE", or "FRED", or "CAT", though that is hashed again.
EG: 54fcf974eabb0444320acd2835977b2c686b916162e6571668ac45db549da031 => 96faee69f068c221ad557cbba0c0e7afdd9d3a18ffa2d81f2290d72e2818111a

Now that hash, which could have been "BOB" or "SUE" or "FRED" or "CAT"... has collisions also, which could be "FISH", or "SNOT", or "PEPSI", or "PASSWORD", or "GOLD"... Multiplied by the number of collisions that were possible from the first conversion.

Thus, now there are multiple more "acceptable" hashes/keys that will unlock any of those wallets. Because you are still converting a single-answer-password into a multi-possible-answer-hash, into another multi-possible-answer-hash.

You can test this with something simple like CRC32, and see that you now have millions of "keys" that are valid, instead of only a hundred, by double-encryption, with the same type of encryption. (That is the real reason the whole project was abandoned.)

P.S. Doesn't take a computer long to create 32-bytes randomly and stuff those values into an off-line wallet to see if it unlocks it. Since those accounts are not being monitored by anyone. Since the whole chain, all accounts, are already downloaded on his computer. Takes but a few seconds to make one random key, and try it on all existing accounts, before generating another random key, and trying it on all of them again.
DeathAndTaxes
Donator
Legendary
Activity: 1218
Merit: 1079
Gerald Davis
December 31, 2013, 09:27:32 AM
Last edit: December 31, 2013, 07:50:07 PM by DeathAndTaxes
 #41

Yeah that is nonsense.  2^256 is bigger than you think.  Not kinda bigger than you think, asininely bigger than you think.

If you converted the entire planet into a super computer and powered it by the sun you couldn't COUNT to 2^256 before the sun burned out, there isn't simply enough energy.  Of course that is doing something fantastical like building a perfect computer (one at which higher efficiency violates the laws of thermodynamics) and capturing the entire energy output of a star.   That isn't finding a collision that is just counting 1, 2, 3, 4, 5, 6, 7 .... 2^256.   

werneo
Member
Activity: 65
Merit: 10
December 31, 2013, 07:52:15 PM
Last edit: December 31, 2013, 09:21:36 PM by werneo
 #42

Yeah that is nonsense.  2^256 is bigger than you think.  Not kinda bigger than you think, asininely bigger than you think.

If you converted the entire planet into a super computer and powered it by the sun you couldn't COUNT to 2^256 before the sun burned out.  



Nothing is impossible if you have enough time, energy and processing power.

I am hesitant to send this argument further into absurdity.... but about 20 years ago a mathematical physicist named Frank Tipler came up with a model for a computer that had infinite processing power, time and energy. His discovery may have cracked him up because he realized the computer could be "god" (or something like that). I won't speak to Tipler's religious beliefs, but the "Omega Point Theory" has been peer reviewed by Oxford professor/quantum theorist David Deutsch: http://129.81.170.14/~tipler/physicist.html (see http://arxiv.org/find/all/1/all:+AND+David+Deutsch/0/1/0/all/0/1)
http://www.physics.ox.ac.uk/al/people/Deutsch.htm

In brief, Tipler's model says that it is possible for conscious beings to purposely engineer the collapse of the universe, and that the collapse can be balanced to produce infinite time and energy to be used for an infinite amount of information processing. In other words, this is a closed universe deriving energy from an infinite, organized collapse.

I think it might be possible to create an "Omega Point"-like quantum computer that can solve ANY cryptographic puzzle with brute force time and processing power and that would be instantaneous from our point of view. 2^256 is doable if all you have is time and an unbreakable calculator. The Technological Singularity might be able to figure this out on its own.

http://129.81.170.14/~tipler/summary.html

Some of Tipler's peer-reviewed articles:

http://arxiv.org/find/all/1/all:+AND+Tipler+AND+Frank+J/0/1/0/all/0/1

The Ultimate Future of the Universe, Black Hole Event Horizons, Holography, and the Value of the Cosmological Constant
http://arxiv.org/abs/astro-ph/0104011

Closed Universes With Black Holes But No Event Horizons As a Solution to the Black Hole Information Problem
http://arxiv.org/abs/gr-qc/0003082

I'm on twitter all week... https://twitter.com/werneo
odolvlobo
Legendary
Activity: 4312
Merit: 3214
December 31, 2013, 08:07:03 PM
Last edit: December 31, 2013, 08:24:50 PM by odolvlobo
 #43

Sorry, but with 100PHs network, you can easily "guess" a collision of sha-256, or guess a collision of a collision of a sha-256.

The bitcoin network is already at 10 PH/s, and you think that another power of 10 is all it takes to destroy SHA-256? Considering that it takes the 10 PH/s bitcoin network 10 minutes to guess just a 62-bit hash, how long would it take a 100 PH/s network to guess a 256-bit hash?

I can answer that:

25,108,406,941,546,723,055,343,157,692,830,665,664,409,421,777,856,138,051,584 minutes.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
werneo
Member
Activity: 65
Merit: 10
December 31, 2013, 10:20:47 PM
 #44

The next logical question is whether Lost Bitcoins are recoverable using quantum cryptography.

Quantum computers and Bitcoin
https://bitcointalk.org/index.php?topic=133425.0

Will bitcoin survive quantum computing?
http://www.reddit.com/r/Bitcoin/comments/1eodjq/

Bitcoin Is Not Quantum-Safe, And How We Can Fix It When Needed
http://bitcoinmagazine.com/6021/bitcoin-is-not-quantum-safe-and-how-we-can-fix/

Will quantum computing kill cryptography?
http://mathoverflow.net/questions/128176/will-quantum-computing-kill-cryptography

I haven't found a direct answer to the question so far.
kjj
Legendary
Activity: 1302
Merit: 1025
January 01, 2014, 03:39:15 AM
 #45

The next logical question is whether Lost Bitcoins are recoverable using quantum cryptography.

...

I haven't found a direct answer to the question so far.

Seriously?  Despite the rumors, the search box here on the site is not used to send messages to Santa.  It searches the site, and if you had used it to search for "quantum", you'd find many of the dozens of posts that do answer this question directly.

17Np17BSrpnHCZ2pgtiMNnhjnsWJ2TMqq8
I routinely ignore posters with paid advertising in their sigs.  You should too.
knightcoin
Full Member
Activity: 238
Merit: 100
Stand on the shoulders of giants
January 01, 2014, 04:41:51 AM
 #46

lost is lost .. move fwd

http://www.introversion.co.uk/
mit/x11 licence 18.x/16|o|3ffe ::71
countryfree
Legendary
Activity: 3052
Merit: 1047
Your country may be your worst enemy
January 01, 2014, 07:16:07 PM
 #47

People regularly lose banknotes, some gold coins were in boats which sank, and some diamonds have fallen in a fire. There's nothing new with people losing BTC.

I used to be a citizen and a taxpayer. Those days are long gone.
tsoPANos
Hero Member
Activity: 602
Merit: 500
In math we trust.
January 01, 2014, 07:27:55 PM
 #48

People regularly lose banknotes, some gold coins were in boats which sank, and some diamonds have fallen in a fire. There's nothing new with people losing BTC.
But btc isn't like real gold or currency. The total amount of bitcoins produced is fixed, which means that btc will go extinct in a matter of a few minutes or a geological era.
werneo
Member
Activity: 65
Merit: 10
January 05, 2014, 02:54:11 AM
 #49

This article by Chris Pacia answers my question comprehensively:

Bitcoin vs. The NSA’s Quantum Computer

Quote
Bitcoiners can rest easy because SHA-256 isn’t threatened by quantum computers (although that doesn’t mean someone won’t find a feasible attack in the future).

http://www.bitcoinnotbombs.com/bitcoin-vs-the-nsas-quantum-computer/



tonychow
Newbie
Activity: 29
Merit: 0
January 20, 2014, 03:42:22 AM
 #50

According to current technology, there is no way to recover the lost bitcoins. Can quantum computing recover them? As far as I know, using quantum computers to solve computing problems is still at a preliminary research stage and we do not see big progress. The only promising area in quantum, as far as I know, is enhancing security. But if current encryption technology cannot survive, we will create a new one. Otherwise, not only bitcoin, but nothing at all could be encrypted.
To wrap it up, do not worry about quantum.
mestar
Sr. Member
Activity: 407
Merit: 250
January 20, 2014, 05:19:06 PM
 #51

According to current technology, there is no way to recover the lost bitcoins. Can quantum computing recover them?

Oh boy.   

Sure, but quantum computing can recover them only if they are truly lost.  If the keys are hidden in a safe, there is nothing that quantum can do.  Truly magical that quantum thing.

tonychow
Newbie
Activity: 29
Merit: 0
January 21, 2014, 09:38:03 PM
 #52

According to current technology, there is no way to recover the lost bitcoins. Can quantum computing recover them?

Oh boy.   

Sure, but quantum computing can recover them only if they are truly lost.  If the keys are hidden in a safe, there is nothing that quantum can do.  Truly magical that quantum thing.



Lost means no one knows the private key. Quantum computing is used to guess the private key, no matter whether it is lost or not.
aminorex
Legendary
Activity: 1596
Merit: 1029
Sine secretum non libertas
January 22, 2014, 05:45:06 AM
 #53

Why does it seem like 99% of necro-posts are useless drivel based on idle speculation and fanciful imagination rather than well thought out logic based on facts and reality?

Because life without joy and imagination is scarcely living.  And because if you behave arrogantly everyone thinks you have a teeny-tiny wee-wee.


Give a man a fish and he eats for a day.  Give a man a Poisson distribution and he eats at random times independent of one another, at a constant known rate.
DannyHamilton
Legendary
Activity: 3388
Merit: 4653
January 22, 2014, 06:15:33 AM
 #54

Why does it seem like 99% of necro-posts are useless drivel based on idle speculation and fanciful imagination rather than well thought out logic based on facts and reality?
Because life without joy and imagination is scarcely living.  And because if you behave arrogantly everyone thinks you have a teeny-tiny wee-wee.

Neither of those answer why necro-posts suffer from delusions at a significantly higher rate than non-necro-posts.
Xav
Member
Activity: 78
Merit: 10
January 22, 2014, 09:26:15 AM
 #55

What if ....

Someone was a bit nonchalant and did not back up his/her coins, but ... But he/she remembers his/her private key. Is there a way to 'restore' these 'lost' coins? IOW, is there a way to match private key and a specific address in the block-chain?
cr1776
Legendary
Activity: 4032
Merit: 1301
January 22, 2014, 11:07:00 AM
 #56

What if ....

Someone was a bit nonchalant and did not back up his/her coins, but ... But he/she remembers his/her private key. Is there a way to 'restore' these 'lost' coins? IOW, is there a way to match private key and a specific address in the block-chain?

If you know the private key, then you can access the coins:

https://en.bitcoin.it/wiki/Private_key

Just as if you wrote the key down or printed it.
Mavrick
Newbie
Activity: 24
Merit: 0
January 22, 2014, 11:10:30 AM
 #57

SEND lost bitcoins here lol
Wilhelm
Legendary
Activity: 1652
Merit: 1265
January 22, 2014, 01:28:38 PM
 #58

What if ....

Someone was a bit nonchalant and did not back up his/her coins, but ... But he/she remembers his/her private key. Is there a way to 'restore' these 'lost' coins? IOW, is there a way to match private key and a specific address in the block-chain?

As I understand it:

The Bitcoin address is a sha-256 hash of the public key.
The "private key" isn't really a private key but more a public/private keypair.

Yes you can easily extract a public key and bitcoin address from a private key.
Go to www.bitaddress.org and fill in a private key under the tab wallet details... it will give you the address.

Bitcoin is like a box of chocolates. You never know what you're gonna get !!
tonychow
Newbie
Activity: 29
Merit: 0
January 22, 2014, 02:08:15 PM
 #59


As I understand it:

The Bitcoin address is a sha-256 hash of the public key.
The "private key" isn't really a private key but more a public/private keypair.

Yes you can easily extract a public key and bitcoin address from a private key.
Go to www.bitaddress.org and fill in a private key under the tab wallet details... it will give you the address.

+1.

You do not keep the coins in the wallet, but the private key. The wallet software has a copy of your private key,
so it can send on your behalf. If your computer is compromised, so are the wallet and your key.
The information on how many coins you have is in the block chain. All the transaction history is there, and the
wallet calculates how many bitcoins you own based on that information.
DannyHamilton
Legendary
Activity: 3388
Merit: 4653
January 22, 2014, 02:51:09 PM
 #60

As I understand it:

The Bitcoin address is a sha-256 hash of the public key.

The bitcoin address is a base58check encoded RIPEMD-160 hash of a SHA-256 hash of the public key.
Xav
Member
Activity: 78
Merit: 10
January 22, 2014, 08:43:32 PM
 #61

What if ....

Someone was a bit nonchalant and did not back up his/her coins, but ... But he/she remembers his/her private key. Is there a way to 'restore' these 'lost' coins? IOW, is there a way to match private key and a specific address in the block-chain?

If you know the private key, then you can access the coins:

https://en.bitcoin.it/wiki/Private_key

Just as if you wrote the key down or printed it.


Thanks for this answer. The info reads:
Quote
The private key is mathematically related to the Bitcoin address, and is designed so that the Bitcoin address can be calculated from the private key, but importantly, the same cannot be done in reverse.

That's great. But, just to be sure, assume that I lost my wallet; completely, no back up. And all I do remember is my private key, can I restore (or recreate) the same wallet including all the coins?
cr1776
Legendary
Activity: 4032
Merit: 1301
January 22, 2014, 09:04:00 PM
 #62

What if ....

Someone was a bit nonchalant and did not back up his/her coins, but ... But he/she remembers his/her private key. Is there a way to 'restore' these 'lost' coins? IOW, is there a way to match private key and a specific address in the block-chain?

If you know the private key, then you can access the coins:

https://en.bitcoin.it/wiki/Private_key

Just as if you wrote the key down or printed it.


Thanks for this answer. The info reads:
Quote
The private key is mathematically related to the Bitcoin address, and is designed so that the Bitcoin address can be calculated from the private key, but importantly, the same cannot be done in reverse.

That's great. But, just to be sure, assume that I lost my wallet; completely, no back up. And all I do remember is my private key, can I restore (or recreate) the same wallet including all the coins?

Hey,
If you go to bitaddress.org and click on "wallet details" and then enter your private key, it will give you the public address.  The problem is that most people can't remember their private key, but if you can do so, that is enough.

For example, this private key:
5JntzqqXVhR8SBRvFWQhrtv3UXRqovnnfaij4FFT5nCAswFoqkx

Generates this address:
14MR8Li8Fna4d43PfY2f2XRp6GAbPM5swJ

You can go there, hit single wallet, copy the private key and then hit wallet details and see if it regenerates the address you just created.

You want to be safe doing that though - off-line, incognito window at minimum, quit when done, restart, if you have any significant numbers of bitcoins there.  Bitaddress.org is reputable, however it is best to be safe and those are the minimum steps I'd take.


:-)
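The derivation DannyHamilton states in #60 and cr1776 demonstrates above, carried out end to end as an added example (not code from the thread or from bitaddress.org): WIF private key, secp256k1 public key, SHA-256, RIPEMD-160, version byte plus checksum, Base58. It assumes Python 3.8+ and an OpenSSL build whose hashlib provides ripemd160; the curve constants are the public secp256k1 parameters.

```python
import hashlib

# secp256k1 curve constants (public parameters of the curve Bitcoin uses).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def _point_add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None or p2 is None:
        return p2 if p1 is None else p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P    # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P     # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def _scalar_mult(k, point=G):
    """Double-and-add k*point. Readable, not constant-time: demo only."""
    result = None
    while k:
        if k & 1:
            result = _point_add(result, point)
        point = _point_add(point, point)
        k >>= 1
    return result

def pubkey_bytes(priv, compressed=True):
    """SEC1 encoding of priv*G: 02/03 || x (compressed) or 04 || x || y."""
    if not 1 <= priv < N:
        raise ValueError("private key out of range")
    x, y = _scalar_mult(priv)
    if compressed:
        return bytes([2 + (y & 1)]) + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def hash160(data):
    """RIPEMD-160(SHA-256(data)): the 20-byte pubkey hash in a P2PKH address."""
    return hashlib.new("ripemd160", hashlib.sha256(data).digest()).digest()

def _checksum(payload):
    return hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]

def base58check_encode(payload):
    """Base58(payload || 4-byte double-SHA-256 checksum); each leading 0x00 -> '1'."""
    data = payload + _checksum(payload)
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(data) - len(data.lstrip(b"\x00"))) + out

def base58check_decode(text):
    """Inverse of base58check_encode; raises ValueError on a bad checksum."""
    n = 0
    for ch in text:
        n = n * 58 + B58.index(ch)                    # ValueError if not Base58
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    raw = b"\x00" * (len(text) - len(text.lstrip("1"))) + raw
    payload, checksum = raw[:-4], raw[-4:]
    if _checksum(payload) != checksum:
        raise ValueError("bad Base58Check checksum")
    return payload

def address_from_pubkey(pub, version=b"\x00"):
    """Mainnet P2PKH address = Base58Check(0x00 || HASH160(pubkey))."""
    return base58check_encode(version + hash160(pub))

def wif_decode(wif):
    """WIF -> (private key int, compressed flag); 0x80 is the mainnet key prefix."""
    payload = base58check_decode(wif)
    if payload[0] != 0x80 or len(payload) not in (33, 34):
        raise ValueError("not a mainnet WIF private key")
    return int.from_bytes(payload[1:33], "big"), len(payload) == 34

def address_from_wif(wif):
    """Remembered WIF key -> the address it controls (what 'wallet details' shows)."""
    priv, compressed = wif_decode(wif)
    return address_from_pubkey(pubkey_bytes(priv, compressed))

if __name__ == "__main__":
    # Key pair cr1776 posted above; the thread reports 14MR8Li8Fna4d43PfY2f2XRp6GAbPM5swJ.
    print(address_from_wif("5JntzqqXVhR8SBRvFWQhrtv3UXRqovnnfaij4FFT5nCAswFoqkx"))
```

A "5..." WIF key decodes to a 33-byte payload and so yields the uncompressed 04-prefixed public key; a "K/L..." key carries a trailing 0x01 and yields the compressed form, which hashes to a different address from the same private key.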


odolvlobo
Legendary
Activity: 4312
Merit: 3214
January 23, 2014, 12:45:46 AM
 #63

That's great. But, just to be sure, assume that I lost my wallet; completely, no back up. And all I do remember is my private key, can I restore (or recreate) the same wallet including all the coins?

Yes, as long as you have memorized the private keys for all the addresses that have coins -- but why would you not back up a wallet? That seems like an obvious mistake (as well as not encrypting it). Furthermore, why would you back up your wallet in your brain?

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
Xav
Member
Activity: 78
Merit: 10
January 23, 2014, 09:56:28 AM
 #64

Thanks guys. Maybe I didn't express my thoughts clearly enough, but I did not lose any coins, yet. I was just wondering why people lose coins if all can be restored by remembering the private key. BTW I think the safest place to store a private key is in your own brain; of course not in the form of a completely random string of characters, albeit as a quite unique sentence, which you encrypt and hash on a stand alone (offline) computer. The FBI confiscated BTC170,000, now why wouldn't these 'criminals' (or their partners) have moved these coins to another wallet, or were the FBI-agents smart enough to do this themselves already. Hmm, just thinking out loud again ...
DannyHamilton
Legendary
Activity: 3388
Merit: 4653
January 23, 2014, 10:01:40 AM
 #65

- snip -
I think the safest place to store a private key is in your own brain; of course not in the form of a completely random string of characters, albeit as a quite unique sentence
- snip -

This is generally a very bad idea.
Xav
Member
Activity: 78
Merit: 10
January 23, 2014, 10:06:50 AM
 #66

- snip -
I think the safest place to store a private key is in your own brain; of course not in the form of a completely random string of characters, albeit as a quite unique sentence
- snip -

This is generally a very bad idea.

Care for an explanation?
DannyHamilton
Legendary
Activity: 3388
Merit: 4653
January 23, 2014, 10:13:03 AM
 #67

- snip -
I think the safest place to store a private key is in your own brain; of course not in the form of a completely random string of characters, albeit as a quite unique sentence
- snip -
This is generally a very bad idea.
Care for an explanation?

Human minds are wired for patterns and are VERY bad at randomness.  Brain wallets have a significant risk of loss due to collision (either intentional, or accidental).

Just one of MANY examples from this forum:
https://bitcointalk.org/index.php?topic=421559.0
Xav
Member
Activity: 78
Merit: 10
January 23, 2014, 10:50:09 AM
 #68

Now tell me, how likely is it that someone would reproduce my sentence (key):

"Ik heb de Mont Ventoux drie keer opgefietst en de Elfstedentocht even vaak geschaatst."

Of course it is stupid to use some sort of general phrase. One has to make it real personal, and certainly not create it via brainwallet. One more thing, if you prefer to generate a random number by a computer (Andreas Antonopoulos warned about a bug in Linux; random is not so random these days) and you lose it then there is no way ever to get your coins back. My brain can. BTW this "drie keer" in itself means three times also implying three hash runs. Let's say, everyone his own bite.
jeffg
Newbie
Activity: 30
Merit: 0
January 23, 2014, 02:11:01 PM
 #69

Thanks guys. Maybe I didn't express my thoughts clearly enough, but I did not lose any coins, yet. I was just wondering why people lose coins if all can be restored by remembering the private key. BTW I think the safest place to store a private key is in your own brain; of course not in the form of a completely random string of characters, albeit as a quite unique sentence, which you encrypt and hash on a stand alone (offline) computer. The FBI confiscated BTC170,000, now why wouldn't these 'criminals' (or their partners) have moved these coins to another wallet, or were the FBI-agents smart enough to do this themselves already. Hmm, just thinking out loud again ...

It's not that easy. The problem is, most Bitcoin clients generate a new address every time you send money where the change is transferred to (see https://en.bitcoin.it/wiki/Change). So you'd have to memorize a new private key every time you spend money. To circumvent this you can use a deterministic wallet like Armory. It generates a unique "seed" that you need to memorize and can then regenerate every address.
odolvlobo
Legendary
Activity: 4312
Merit: 3214
January 23, 2014, 06:23:22 PM
Last edit: January 23, 2014, 06:34:45 PM by odolvlobo
 #70

Now tell me, how likely is it that someone would reproduce my sentence (key):

"Ik heb de Mont Ventoux drie keer opgefietst en de Elfstedentocht even vaak geschaatst."

The key doesn't have to be random. It just has to be unlikely to be duplicated, whether accidentally or on purpose. I guess a phrase like that might never be duplicated, but you might be surprised.

Consider the birthday problem: There are 365 days in a year. In a room with 23 people, what are the chances that two people in the room have the same birthday? It's a lot higher than you think. Answer: 50%

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
Xav
Member
Activity: 78
Merit: 10
January 24, 2014, 08:48:14 AM
 #71

Answer: P = 1 - (364 × 363 × … × 343)/365^22 ≈ 50%

Can you calculate the probability of a classroom with n children, all having different names, all being blindfolded, all taking a seat randomly, and no kid finds their own seat, which is tagged with their name?