Bitcoin Forum
Author Topic: Lost Bitcoins  (Read 14213 times)
dextryn (OP)
September 12, 2012, 11:23:11 PM
 #1

So, I've been curious about what happens to those "lost" bitcoins that are out there.  Whether they were sent to the wrong address or sitting in someone's locked wallet with no way of recovering; are they lost for good?  If so, would it be accurate to say that since there are a set amount of bitcoins out there, the amount of "accessible" bitcoins would continue to decrease as these mistakes happen?  How does that affect the viability of the currency as a whole?
foggyb
September 12, 2012, 11:29:02 PM
 #2

Yes the coins are lost forever. No amount of hash-power that we could reasonably possess will ever find all or even a few of the priv keys.

The decreasing number of coins is an issue, and could become a more serious one if a large batch of coins is abruptly (and inevitably) lost.

The fact that bitcoins are divisible will help mitigate the coin destruction. Others will comment further on this.
proudhon
September 12, 2012, 11:29:19 PM
 #3

> So, I've been curious about what happens to those "lost" bitcoins that are out there.  Whether they were sent to the wrong address or sitting in someone's locked wallet with no way of recovering; are they lost for good?  If so, would it be accurate to say that since there are a set amount of bitcoins out there, the amount of "accessible" bitcoins would continue to decrease as these mistakes happen?  How does that affect the viability of the currency as a whole?

Yes, the amount of accessible bitcoins will continue to decrease as bitcoins are "lost".  It doesn't matter for the usability of bitcoin in a technical sense because they are infinitely divisible.  Lost bitcoins probably help push the price up if anything.

Bitcoin Fact: the price of bitcoin will not be greater than $70k for more than 25 consecutive days at any point in the rest of recorded human history.
Etlase2
September 12, 2012, 11:30:02 PM
 #4

:sigh: Search around man, check the wiki. This question has been asked and answered hundreds of times.

Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.

Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.

Sending to the wrong address is unlikely if you are just using a standard client to create transactions as each Bitcoin address has a checksum that ensures there is a 1 in 4.3 billion chance of a typo providing a correct address (actually probably even less likely because if characters are added or subtracted it will likely never be valid).

dextryn (OP)
September 12, 2012, 11:35:11 PM
 #5

> :sigh: Search around man, check the wiki. This question has been asked and answered hundreds of times.

I tried searching around, but it was too cluttered with the "I lost my bitcoins what do I do?!" threads.  Thanks for the answer though.
adamstgBit
September 12, 2012, 11:42:26 PM
 #6

it could be that in the future everyone ( and by everyone i mean the miners, since they have absolute authority over the bitcoin protocol ) will decide to mine the lost coins.
they will do this by sending out a new version of bitcoin client and ask everyone to send their coins to this new wallet.
any coins left behind during the move will be made available for mining.

this idea has been thrown around, and I'm 99.9% sure it will happen, after all it's up to the miners, and what kind of miner would say no to MINE MORE COINS!?

lassdas
September 13, 2012, 12:31:47 AM
 #7

> ..I'm 99.9% sure it will happen..

It won't happen, and here's why:
there is no way to tell if coins are actually lost, or not, there is no difference between lost and not-lost coins.
To tell people to send their coins to a new address after X days/months/years/decades would also make all physical bitcoins (like Casascius, paper-wallets and the likes) worthless after that date, you would force everyone to destroy those and create new ones. That's a pretty bad idea.

If some miners decide to mine any already mined coins, they decide to fork/create a new currency,
they are free to do so, but people probably won't use that new currency.
Yuhfhrh
September 13, 2012, 10:03:00 AM
 #8

> > ..I'm 99.9% sure it will happen..
>
> It won't happen, and here's why:
> there is no way to tell if coins are actually lost, or not, there is no difference between lost and not-lost coins.
> To tell people to send their coins to a new address after X days/months/years/decades would also make all physical bitcoins (like Casascius, paper-wallets and the likes) worthless after that date, you would force everyone to destroy those and create new ones. That's a pretty bad idea.
>
> If some miners decide to mine any already mined coins, they decide to fork/create a new currency,
> they are free to do so, but people probably won't use that new currency.

As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.

Is this accurate at all? I know my terms may be off.
Etlase2
September 13, 2012, 10:17:24 AM
 #9

> As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.
>
> Is this accurate at all? I know my terms may be off.

256 bits is the sweet spot where it would take every joule of the sun's energy produced in an entire year just to COUNT from zero to 256 bits given the completely impractical idea that moving a bit would require the smallest unit of energy possible. Now consider that SHA256 is an algorithm that involves many operations with many rounds (way harder than just counting). As long as a significant weakness is not discovered in SHA256 (there have been some very minor ones), it will likely be forever impossible to break. The SHA3 competition from NIST though looks to address some of the shortcomings of SHA256 and make an even more secure hashing algorithm with fewer potential weaknesses. But 256 bits will still always be more than enough bits except in the case of quantum computing which could effectively render SHA's 256 bit protection to 128 bits. The counter to that is using a 512 bit algorithm, but that is the end of the road.

But SHA256 is not used for storing your bitcoins, that is done by a digital signature algorithm and those have significantly more weaknesses and few if any are rated as "rock solid, can't be broken" secure by cryptanalysts. Certain properties can be proven secure, but not the algorithm as a whole because they are making use of NP hard type math problems that might have solutions that we just don't know about yet. QC will also make finding solutions significantly easier for things like RSA and ECDSA (what bitcoin uses).

Yuhfhrh
September 13, 2012, 11:17:18 AM
 #10

> > As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.
> >
> > Is this accurate at all? I know my terms may be off.
>
> 256 bits is the sweet spot where it would take every joule of the sun's energy produced in an entire year just to COUNT from zero to 256 bits given the completely impractical idea that moving a bit would require the smallest unit of energy possible. Now consider that SHA256 is an algorithm that involves many operations with many rounds (way harder than just counting). As long as a significant weakness is not discovered in SHA256 (there have been some very minor ones), it will likely be forever impossible to break. The SHA3 competition from NIST though looks to address some of the shortcomings of SHA256 and make an even more secure hashing algorithm with fewer potential weaknesses. But 256 bits will still always be more than enough bits except in the case of quantum computing which could effectively render SHA's 256 bit protection to 128 bits. The counter to that is using a 512 bit algorithm, but that is the end of the road.
>
> But SHA256 is not used for storing your bitcoins, that is done by a digital signature algorithm and those have significantly more weaknesses and few if any are rated as "rock solid, can't be broken" secure by cryptanalysts. Certain properties can be proven secure, but not the algorithm as a whole because they are making use of NP hard type math problems that might have solutions that we just don't know about yet. QC will also make finding solutions significantly easier for things like RSA and ECDSA (what bitcoin uses).

Thank you for teaching and correcting me.
FreeMoney
September 13, 2012, 01:10:29 PM
 #11

> it could be that in the future everyone ( and by everyone i mean the miners, since they have absolute authority over the bitcoin protocol ) will decide to mine the lost coins.
> they will do this by sending out a new version of bitcoin client and ask everyone to send their coins to this new wallet.
> any coins left behind during the move will be made available for mining.
>
> this idea has been thrown around, and I'm 99.9% sure it will happen, after all it's up to the miners, and what kind of miner would say no to MINE MORE COINS!?

Miners can do whatever they want, assign 200 per block, play WOW, move to Antarctica. But if they make changes they aren't mining Bitcoin and people who want bitcoins just ignore them. The only thing that matters is what people are accepting for goods and services and right now the only crypto-currency anyone is accepting at all is 100% durable.

proudhon
September 13, 2012, 02:27:37 PM
 #12

> Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.
>
> Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.

What is the limit on the potential divisibility that you admit exists?

Etlase2
September 13, 2012, 02:48:02 PM
 #13

Requiring a hard fork to add extra decimal places is a significant, breaking change to the bitcoin protocol and should not be taken lightly or assumed to be part of the specification.

I was only making that clear.

And they will never be infinitely divisible as there would have to be an infinite number of bits.

DannyHamilton
September 13, 2012, 02:53:03 PM
 #14

> > Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.
> >
> > Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.
>
> What is the limit on the potential divisibility that you admit exists?

The value isn't stored in the blockchain as a decimal at all.  It is stored as an integer.  The client just creates a decimal 8 places to the left when it displays it to you.  The client can be modified to create that decimal fewer places to the left if desired (display in mBTC or uBTC rather than BTC), but none of that changes how the value is actually stored.

As I understand it, to change how much the value represents will require changing how the value is stored in the blockchain. Potentially you could have some miners storing their newly minted coins in the old format, and some storing them in the new format if they don't all upgrade simultaneously.  The upgraded wallets would recognize the new format as valid, while those people who don't upgrade their wallets in time would see the old format as valid.  This would split the blockchain into 2 types of bitcoin.

Spekulatius
September 13, 2012, 02:57:45 PM
 #15

> > As I understand it, what will happen far in the future is SHA-256 will be broken (Computing power keeps increasing) and bitcoin will have moved onto a better encryption method. If you don't move to the new encryption method with everyone else, then you will have people "mining" for your bitcoins.
> >
> > Is this accurate at all? I know my terms may be off.
>
> 256 bits is the sweet spot where it would take every joule of the sun's energy produced in an entire year just to COUNT from zero to 256 bits given the completely impractical idea that moving a bit would require the smallest unit of energy possible. Now consider that SHA256 is an algorithm that involves many operations with many rounds (way harder than just counting). As long as a significant weakness is not discovered in SHA256 (there have been some very minor ones), it will likely be forever impossible to break. The SHA3 competition from NIST though looks to address some of the shortcomings of SHA256 and make an even more secure hashing algorithm with fewer potential weaknesses. But 256 bits will still always be more than enough bits except in the case of quantum computing which could effectively render SHA's 256 bit protection to 128 bits. The counter to that is using a 512 bit algorithm, but that is the end of the road.
>
> But SHA256 is not used for storing your bitcoins, that is done by a digital signature algorithm and those have significantly more weaknesses and few if any are rated as "rock solid, can't be broken" secure by cryptanalysts. Certain properties can be proven secure, but not the algorithm as a whole because they are making use of NP hard type math problems that might have solutions that we just don't know about yet. QC will also make finding solutions significantly easier for things like RSA and ECDSA (what bitcoin uses).

Back to the question:

Is it possible that sometime in the future there may be a way to crack private keys of lost coins?
Maybe because those lost coins are less protected than the not lost ones?
thebaron
September 13, 2012, 02:59:58 PM
 #16

> Is it possible that sometime in the future there may be a way to crack private keys of lost coins?

If you can crack lost coins and be profitable, then you'd also be able to crack anyone's coins.
proudhon
September 13, 2012, 03:04:22 PM
 #17

> Requiring a hard fork to add extra decimal places is a significant, breaking change to the bitcoin protocol and should not be taken lightly or assumed to be part of the specification.
>
> I was only making that clear.
>
> And they will never be infinitely divisible as there would have to be an infinite number of bits.

Fair enough.  In any event, it's difficult to imagine 8 decimal places not being sufficient.  I still don't understand why it isn't possible to always be able to add one more decimal place to the right.

waspoza
September 13, 2012, 03:07:30 PM
 #18

> Fair enough.  In any event, it's difficult to imagine 8 decimal places not being sufficient.  I still don't understand why it isn't possible to always be able to add one more decimal place to the right.

Of course it's possible. Same as increase block reward to 500btc. There is just one thing, rest of the network must agree.
Etlase2
September 13, 2012, 03:09:38 PM
 #19

> Back to the question:
>
> Is it possible that sometime in the future there may be a way to crack private keys of lost coins?
> Maybe because those lost coins are less protected than the not lost ones?

The answer is complicated, but yes it is possible and may even be profitable at some point. While SHA256 has 256 bits of effective security, the ECDSA curve that bitcoin uses only has 128 bits of effective security, 3.4^38 times easier to crack. And that is still beyond the realm of all the computing power in the world to crack in less than several hundred years. But that is assuming computing power doesn't increase. 128-bit security is predicted to be secur-ish until 2030 or so. It will still be viable for some time after that most likely, but eventually accounts will have to upgrade to 144 bits or 160 bits of security in the future, while lost coins would be vulnerable. There is an extra complication/protection though that many balances are stored as RIPEMD160 (160 bits) hashes rather than ECDSA public keys. This means an attacker would have to find a private key that works for a public key that hashes to a known RIPEMD160 hash, and this is exceedingly unlikely. But not all addresses are stored this way.

There is an algorithm that would allow a quantum computer with sufficient qubits to crack an RSA or ECDSA key within minutes. But that's another topic and not something to worry about just yet.

Also, there is still a possibility that we solve the "hard problems" associated with digital signatures and it would make cracking them almost instant. (again they would be protected if they were RIPEMD160 hashed though)

DeathAndTaxes
September 13, 2012, 03:11:24 PM
 #20

> > > Yes they are lost for good. The currency is divisible to 8 decimal places and potentially further if there is a significant need and a code change. So the currency can adapt in its silly way.
> > >
> > > Bitcoins are not "infinitely divisible" as a lot of people will say though. A hard fork of the code is required to add additional decimal places. This is not a simple matter in the least.
> >
> > What is the limit on the potential divisibility that you admit exists?
>
> The value isn't stored in the blockchain as a decimal at all.  It is stored as an integer.  The client just creates a decimal 8 places to the left when it displays it to you.  The client can be modified to create that decimal fewer places to the left if desired (display in mBTC or uBTC rather than BTC), but none of that changes how the value is actually stored.
>
> As I understand it, to change how much the value represents will require changing how the value is stored in the blockchain. Potentially you could have some miners storing their newly minted coins in the old format, and some storing them in the new format if they don't all upgrade simultaneously.  The upgraded wallets would recognize the new format as valid, while those people who don't upgrade their wallets in time would see the old format as valid.  This would split the blockchain into 2 types of bitcoin.

Technically the blockchain doesn't store values it stores unspent outputs.  While all unspent outputs are currently in the same format it would be possible to have new "high precision" addresses which say store Bitcoins in a new format.  This new format would only be used on new addresses.  

The migration process would be similar to P2SH:
1) Hash out the details, test, debate, etc.
2) Request miners put a tag in the codebase of solved blocks indicating they support the protocol change.
3) When a sufficient majority of miners support the change (I think Gavin looked for 80% in P2SH) release a new version of the client.
4) The new version(s) of the client have a changeover block coded into the client.   The client would have the ability to support the new address type but it would reject them as invalid if seen prior to the changeover block.
5) On the changeover block the new address type would be supported.

At that point older nodes (both miners and non-miners) would be forked off.  The main chain seen as the longest by upgraded nodes would be seen as invalid by them (they would see the new high precision addresses as invalid txs).  As long as they represent a minority there is no real harm.  They simply need to upgrade to the new version.  There is no issue of their clients being "confused" (showing wrong amounts, etc) they simply would reject block & tx involving the new incompatible address.

It worked well with P2SH and IIRC Gavin brought up some ideas that would make future transitions easier (like coding a version number into the blocks & clients so that client would warn users when they see a future incompatible version on the network).

Since Bitcoin doesn't store values it stores unspent outputs (which are used as a single unit) it is possible to support newer high precision addresses while at the same time also supporting "legacy" addresses.  Users could keep using their old addresses or have a new version of the client generate a new address for them and move their funds to the new address.
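
The migration steps in the post above can be modelled as three acceptance rules: miner signalling over a window, an upgraded client that rejects the new output type before the changeover block, and an old client that never accepts it. The following is an added toy model, not part of the original thread and not Bitcoin client code; the tag string, window size, heights and the "hiprec" output kind are all hypothetical, constructed values.

```python
from dataclasses import dataclass

SUPPORT_TAG = "/HIPREC/"   # hypothetical marker miners add to signal support
THRESHOLD_PCT = 80         # the post recalls roughly 80% being looked for with P2SH
WINDOW = 10                # constructed; small so the sample stays readable

@dataclass(frozen=True)
class Block:
    height: int
    tag: str          # miner-supplied tag text (step 2)
    outputs: tuple    # kinds of outputs created: "legacy" or "hiprec"

def support_pct(blocks, window=WINDOW):
    """Percentage of the most recent `window` blocks carrying the support tag."""
    recent = blocks[-window:]
    tagged = sum(SUPPORT_TAG in b.tag for b in recent)
    return 100 * tagged // len(recent)

def old_node_accepts(block):
    """A node that never upgraded treats every new-format output as invalid."""
    return all(kind == "legacy" for kind in block.outputs)

def upgraded_node_accepts(block, changeover):
    """Steps 4 and 5: new-format outputs are invalid until the changeover height."""
    if "hiprec" in block.outputs:
        return block.height >= changeover
    return True

def tip_followed(chain, accepts):
    """Height of the last block a node accepts before it stops following the chain."""
    tip = None
    for block in chain:
        if not accepts(block):
            break
        tip = block.height
    return tip

# Constructed signalling window: 8 of 10 blocks carry the tag.
SIGNALLING = [Block(100 + i, "" if i in (2, 7) else SUPPORT_TAG, ("legacy",))
              for i in range(10)]
CHANGEOVER = 201
# Constructed chain as seen after the upgraded client is released.
CHAIN = [
    Block(199, SUPPORT_TAG, ("legacy",)),
    Block(200, SUPPORT_TAG, ("legacy",)),
    Block(201, SUPPORT_TAG, ("legacy", "hiprec")),   # first new-format output
    Block(202, SUPPORT_TAG, ("legacy",)),
]
EARLY = Block(200, SUPPORT_TAG, ("hiprec",))         # new format one block too soon

if __name__ == "__main__":
    print("support %:", support_pct(SIGNALLING), "ready:", support_pct(SIGNALLING) >= THRESHOLD_PCT)
    print("old node stops at:", tip_followed(CHAIN, old_node_accepts))
    print("upgraded node tip:", tip_followed(CHAIN, lambda b: upgraded_node_accepts(b, CHANGEOVER)))
```

The old node stalls at the last block before the first new-format output, which is the fork the post describes; it does not misread amounts, it simply stops following the chain.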