please delete

[pooya87]

Whether ECC is broken or not, the concern is the public keys of those early addresses (P2PK) are known and exposed.
We don't want reclaiming coins (and a lot do not want that), but I think unspent coins in P2PK addresses that have remained unspent for 20 years ought to become unspendable in the future.

First of all it does matter if ECC is broken or not. Without ECC being broken it doesn't matter at all if the public keys of those outputs (or any other output such as the case with address-reuse) are known, public keys are meant to be public, that's the whole point of asymmetric cryptography.
So for it to be a concern, ECC or at least 256-bit curve has to be broken and considered weak.

Secondly there shouldn't be any kind of "coin age" involved. If ECC is broken and someone can compute private key from it (or break ECDSA, etc.) in reasonable time then there is nothing stopping them from investing more effort into it so that they can also reverse your transaction from an only once used P2PKH output while it sits in the mempool waiting to be confirmed (you have to reveal the public key then).
As I said before you can no longer say "bitcoin is safe" if ECC is broken. So it has to be replaced completely in the protocol (affecting all coins).

Think of it as what happened to SHA1. At some point it was considered weak, then there was a very long transitional period where all browsers started migrating to SHA2 certificates and then at a certain date they stopped accepting any SHA1 certificate altogether. Today if a website has a SHA1 certificate your browser will block it. Then after all that time, someone (Google) found a collision by spending a lot of computing power.

[1714228686]

1714228686

[BlackHatCoiner]

Think of it as what happened to SHA1. At some point it was considered weak, then there was a very long transitional period where all browsers started migrating to SHA2 certificates and then at a certain date they stopped accepting any SHA1 certificate altogether.

Yes, but I think the question is:  How can we migrate to a stronger algorithm by retaining the private keys of the current ECDSA? In your example, the browsers had to just start using a different hash algorithm, but they weren't concerned on “converting” the old hashes to new ones. In this case, someone who owns money on a P2PK address has to be able to spend them with the same ECDSA private key it was given to him, but switch to a stronger algorithm at the same time.

[pooya87]

Yes, but I think the question is:  How can we migrate to a stronger algorithm by retaining the private keys of the current ECDSA?

It depends on what is broken, and some other details which you'll need an expert.
- If it were the signature algorithm (ECDSA) then choosing a different signature algorithm could solve the issue while still using the same curve (hence the same key pairs). Basically we can only change how OP_Check(Multi)Sig(Verify) OP codes (4 OPs) work.
- If the vulnerability were with the secp256k1 curve, changing curve would be a solution but the same keys may not be on the new curve anymore. I also doubt this can happen on this curve alone and not all 256-bit curves (ie the next bullet point).
- If Elliptic Curve Cryptography itself were broken (eg. private to public key were reversible) it has to be completely replaced by another asymmetric cryptography algorithm which may or may not make the existing keys unusable.

[BlackHatCoiner]

It depends on what is broken, and some other details which you'll need an expert.

The whole point of Bitcoin works if the public key used in the scriptSig cannot be reversed. That's where we'll start. Vulnerabilities in secp256k1 haven't be found and probably will never be as the constants were picked in a predictable way which reduces the odds of having inserted a hidden backdoor into the curve.

This leaves us to acknowledge that your third bullet point could be the only realistic possibility sometime in the future. The question remains: What will happen in case the existing keys become unusable at some point in the future? Shouldn't we take some sort of precautions? The last thing we'd want is to force everyone hastily to change their keys.

[pooya87]

~ as the constants were picked in a predictable way

Were they? I don't think NIST has ever released how they chose any of the domain parameters of any of their curves. Their "r" (random) curves such as secp256r1 have a random seed but that doesn't apply to "k" (Koblitz) curves.

The last thing we'd want is to force everyone hastily to change their keys.

I can't predict the future but most probably there will be a long interval (like a year or two) for people to migrate.
BTW Tarproot (P2TR) uses the public key in pubkey scripts similar to (but more complicated than) P2PK.

[Shymaa-Arafat]

I had been thinking about this issue and instead of creating a new thread, I decided to just add my proposal to the OP's since he and I have similar ideas. Hopefully satoshi if he is reading this would not only reward the OP but me as well.

Sweeping stale bitcoin utxos and putting them back into circulation

UTXOs older than a certain number of blocks are allowed to be mined by a miner and put into a block which will then delete the utxo and transfer a certain percentage of it's value to the miner that mined it. The other part will be distributed in a somewhat unpredictable/random fashion to some known active bitcoin addresses.

The UTXO set contains unspendable outputs. It also contains outputs that are theoretically spendable but can't be spent due to various reasons. Both of these problems could be resolved by adopting this practice of getting rid of stale utxos

You are talking about stealing or destroying people's money here, what if they're just HODLing???
I definitely do not agree.
Also, if u force a referesh, u will be forcing them to reveal their identity which I think is against Bitcoin main feature of Anonymity

If u worry about UTXOS set size, u could modify the idea in the paper we were discussing here
https://bitcointalk.org/index.php?topic=5357803.0

To make an age threshold which  after it UTXOS are kept in secondary storage, and can only be spent with an extra fee like min charge since they will require a disk access to verify.

The min charge fee could be announced before being applied. Although in fact the sudden movement of all old UTXOS could cause some mess in programs that handle the UTXOS Merkle based on the heuristic of old UTXOS r less likely to being spent than newer ones, and in the market metrics data scientist use to predict price & advice their customers so may affect the price not sure how

[BlackHatCoiner]

Were they?

That's what we've written in our wiki. It is also written in this pdf.

I can't predict the future but

You don't have to predict the future. I'm not asking you to tell me the exact steps we'll follow to secure the system after the specific public-key cryptographic algorithm we're using is broken. I'm just telling you that at some point in the future, whether we want it or not, we'll have to demand from “our” users to migrate.

Needless to mention the problems that're created once we touch people's money.

[n0nce]

whether we want it or not, we'll have to demand from “our” users to migrate.

I mean, it will be in 'their' interest, because else they'll lose all funds.
Contrary to random hacked / stolen / leaked Netflix accounts for example, there is a big financial incentive to crack public Bitcoin keys.

Also, if u force a referesh, u will be forcing them to reveal their identity which I think is against Bitcoin main feature of Anonymity

Why so? I myself one day decided to transfer funds from my legacy addresses to bech32 addresses and did it to save on transaction fees in the long run. The old addresses were not tied to my identity, the new ones aren't either. I don't see how anonymity was compromised in the process. This is how migration to new wallets with a new cryptographic scheme could work.

[pooya87]

That's what we've written in our wiki. It is also written in this pdf.

Someone more knowledgeable than I should comment on that.

You don't have to predict the future. I'm not asking you to tell me the exact steps we'll follow to secure the system after the specific public-key cryptographic algorithm we're using is broken.

Well the exact steps depends on what happens. For example SHA-0 was replaced by SHA-1 almost as fast as NIST published the standard for it because it had a weakness and it was found quickly. Same with SHA-1 but it took a long time (20 years) to break that one.
With the current ECDLP solutions it would take more than our lifetime to break anything but I can't predict what's going to change.

I'm just telling you that at some point in the future, whether we want it or not, we'll have to demand from “our” users to migrate.
Needless to mention the problems that're created once we touch people's money.

That's the nature of any hard fork and nothing can be done about it! And we aren't touching anyone's money, they would do it themselves.

[Shymaa-Arafat]

Helpful about hard forks/ soft forks & combined here
https://youtu.be/U2yAcsj7P_E
She discusses in min 1:9-15 I think how sometimes people using SPV loses money if wallets wasn't careful about the update (they just see block headers & the Merkle paths they care about)

& interesting in this one u'll see he says Schnorr was known to be better from the beginning, but had a 20yrs copyright that prevented it's use
https://youtu.be/0Q5IimX-AAc
.
Sorry, if this is considered out of scope of this topic.

[n0nce]

Also, if u force a referesh, u will be forcing them to reveal their identity which I think is against Bitcoin main feature of Anonymity

Why so? I myself one day decided to transfer funds from my legacy addresses to bech32 addresses and did it to save on transaction fees in the long run. The old addresses were not tied to my identity, the new ones aren't either. I don't see how anonymity was compromised in the process. This is how migration to new wallets with a new cryptographic scheme could work.

There's possibility the owner doesn't have privacy awareness. For example, the owner would simply download Electrum, then move all coins in single transaction. Electrum's server would know his IP/UTXO set and any blockchain analyzer will make conclusion that those old UTXO belong to same person.

I agree, but if the old wallet wasn't linked to their identity, the new one won't either. Sure, they'll be linked amongst them, but what's the issue?

That's what we've written in our wiki. It is also written in this pdf.

Someone more knowledgeable than I should comment on that.

Looking at wiki history, looks like @theymos is the one who add statement about it. Maybe he can give some information.

Also, unlike the popular NIST curves, secp256k1's constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve.

Interesting. I found this paper online that compares the koblitz and random versions: http://ijeecs.iaescore.com/index.php/IJEECS/article/view/15610
Apparently, secp256k1 is up to 30% faster than secp256r1 and slightly (but not significantly) less secure. In section 4, they also argue that secp256r1 has some weird constants of itself as well:

However, secp256r1 uses the very suspicious seed "c49d360886e704936a6 678e1139d26b7819f7e90" which is strangely similar to the backdoor in Dual_EC_DRBG [18].

[n0nce]

There's possibility the owner doesn't have privacy awareness. For example, the owner would simply download Electrum, then move all coins in single transaction. Electrum's server would know his IP/UTXO set and any blockchain analyzer will make conclusion that those old UTXO belong to same person.

I agree, but if the old wallet wasn't linked to their identity, the new one won't either. Sure, they'll be linked amongst them, but what's the issue?

But you're assuming all old UTXOs isn't linked to their identity. Their privacy is broken if they move all of their UTXOs in single transaction. Even if none of the UTXOs linked to their identity, it still has privacy concern. For example,
1. Blockchain analyzer will know certain someone have X Bitcoin since they move few UTXO in single transaction.
2. If the owner decide to spend his Bitcoin, the receiver might know how much Bitcoin he have.

Riiight, makes sense, thanks! Would there be a concern in sending all utxo's at once to chipmixer and receiving it on multiple addresses in the new wallet?

[larry_vw_1955]

You are talking about stealing or destroying people's money here, what if they're just HODLing???

If they "they" you mean a single person then don't worry. 200 years is plenty of time for them to make a transaction. if they haven't done it by then they aint gonna do it.

here's a question for you though. how do you stop someone from setting up automated transactions that would occur every 199 years? because we need to make sure that people are doing these transactions and not computer programs. that might be a big problem, no?

oh and i'm not hugely concerned about the utxo set size but then again, if you're talking about moving older utxos to a secondary storage and charge people fees to use them then i'm against that. but I'm not against the idea of chipping away at peoples stale utxos so that instead of taking the entire thing all at once, you just take parts of it so that over time it goes to zero. that way they get a advanced warning to do something or else.

[Shymaa-Arafat]

oh and i'm not hugely concerned about the utxo set size but then again, if you're talking about moving older utxos to a secondary storage and charge people fees to use them then i'm against that. but I'm not against the idea of chipping away at peoples stale utxos so that instead of taking the entire thing all at once, you just take parts of it so that over time it goes to zero. that way they get a advanced warning to do something or else.

I'm just suggesting the "or else" after the advanced warning to be more extra fee because it will be fetched from secondary storage, instead of being those UTXOS r  just trimmed with any coins in them simply vanished

[larry_vw_1955]

I'm just suggesting the "or else" after the advanced warning to be more extra fee because it will be fetched from secondary storage, instead of being those UTXOS r  just trimmed with any coins in them simply vanished

I'm not advocating they "vanish" just that they be redistributed to active bitcoin participants. That's all. If an address has no activity for a certain amount of time, it's pretty sure that it can't participate in bitcoin anymore. And that it won't be.

Now as far as secondary storage to me that seems like a very slippery slope. Where they can segregate utxos based on some type of metrics and charge them extra fees to use bitcoin. So what ends up happening is that bitcoin is not really fungible and certain kinds of utxos will be discriminated against. I wouldn't be interested in that at all.

But if someone is not going to use their bitoin for their entire lifetime and another lifetime after that then a case could be made that they dont need it.

[DaveF]

I'm not advocating they "vanish" just that they be redistributed to active bitcoin participants. That's all. If an address has no activity for a certain amount of time, it's pretty sure that it can't participate in bitcoin anymore. And that it won't be.

I have a gold coin from about 1800 to 1805. It's been passed around my family for about 200+ years.

It's worth whatever a few grams of gold are worth today+ a bit. Might be worth a bit more due to it's age but since it's in such poor shape that last time we tried to get a value placed on it, the general consensus was yeah more then gold value less then 3x gold value so still well under $500

If I put BTC0.001 on an opendime or in any other physical collectable, why the hell do you think it's value should be taken from whoever it is passed down to through the years and given to others?

-Dave

[Dabs]

If I put BTC0.001 on an opendime or in any other physical collectable, why the hell do you think it's value should be taken from whoever it is passed down to through the years and given to others?

Opendimes don't use P2PK addresses (or they are not even addresses, just public keys) so that shouldn't be an issue. But Opendimes don't use Segwit either, I'd prefer it if they did or got updated.

"Redistribution" is out of the question. I think the intent of the OP and many others is to prevent P2PK coins from being spent at all.

ECC may be broken, but there are several phases of "brokeness" and I think if it's only broken where the hats still need several hours or days of computing to get one private key out of a single public key, (or several months), it's not that broken enough and most old coins ... we'll see it happening and can probably act on it, if needed.

But if ECC takes less than 10 minutes to crack a private key, then it is truly broken, and we'll probably see a whole bunch of other internet services and websites (and other financial institutions connected to the internet) fall first. (unless the bad guys are smart and decide to do small targetted attacks ...)

[DaveF]

If I put BTC0.001 on an opendime or in any other physical collectable, why the hell do you think it's value should be taken from whoever it is passed down to through the years and given to others?

Opendimes don't use P2PK addresses (or they are not even addresses, just public keys) so that shouldn't be an issue. But Opendimes don't use Segwit either, I'd prefer it if they did or got updated.

"Redistribution" is out of the question. I think the intent of the OP and many others is to prevent P2PK coins from being spent at all.

ECC may be broken, but there are several phases of "brokeness" and I think if it's only broken where the hats still need several hours or days of computing to get one private key out of a single public key, (or several months), it's not that broken enough and most old coins ... we'll see it happening and can probably act on it, if needed.

But if ECC takes less than 10 minutes to crack a private key, then it is truly broken, and we'll probably see a whole bunch of other internet services and websites (and other financial institutions connected to the internet) fall first. (unless the bad guys are smart and decide to do small targetted attacks ...)

Perhaps not the best example on my part, but it still is the same in my mind.

If I take the gold coin or loaded opendime out of my pocket and leave it on a table where anyone can get to it and it gets stolen that's on me.

Since we do know that over time having the opendime in my pocket can lead to damage making it unusable and if I cary the gold coin in the same pocket with my keys the gold is slowling going to get worn off / scraped off and there will be less gold so the coin is worth less. That's on me too.

It's just my opinion but, why should this be any different?

-Dave

[larry_vw_1955]

I have a gold coin from about 1800 to 1805. It's been passed around my family for about 200+ years.

It's worth whatever a few grams of gold are worth today+ a bit. Might be worth a bit more due to it's age but since it's in such poor shape that last time we tried to get a value placed on it, the general consensus was yeah more then gold value less then 3x gold value so still well under $500

If I put BTC0.001 on an opendime or in any other physical collectable, why the hell do you think it's value should be taken from whoever it is passed down to through the years and given to others?

-Dave

I don't think I would take opendime or any physical collectible too seriously since that's not what bitcoin was designed for. Transactions need to occur on the blockchain to be recognized as valid by the network. We all know that. If someone wants to do transactins "offline" and not pay transaction fees and not have it recorded on the blockchain well I don't know what to tell you!

[larry_vw_1955]

It's just my opinion but, why should this be any different?

-Dave

You may not agree but it is different. Way different. Gold that you hold and pass down to generations doesn't impose any cost upon any type of infrastructure. And if it did, you would have to pay fees. Like for storing it or getting it appraised or recasting it into some other form. But if you just store it under your bed, you're not imposing any type of cost to anyone else.

On the other hand with bitcoin your utxos do cost the network storage costs. So that's the difference. They have to maintain your utxos in the utxo set until you decide to use them or someone decides to use them. So they have an ongoing cost for maintaining your bitcoin. You can't expect them to front that cost however minimal forever, right? No you can't That's why ever so often you need to do transactions and pay transaction fees.