Bitcoin Forum
Author Topic: Shouldn't we start using safer keys from now instead of waiting for problems?  (Read 5982 times)
cedivad (OP)
January 16, 2013, 04:04:49 PM
 #21

3) 160 bits can't be brute forced.  Period.
Yes, now.
Do you know what hardware and tech the military has? Do you know what we will have in 20 years? I don't. No one knows. This is the point. It's the same as projecting the future costs and sizes of computers before the transistor.

PS, I made you write your 8888+1 post. Proud of it!

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
Gavin Andresen
January 16, 2013, 04:37:14 PM
 #22

Successful technology companies do not waste their time solving problems that they THINK they MIGHT have in 20 years.

They don't even spend much time thinking about problems that they might have in four years.

I don't spend any time worrying about the strength of 256-bit ECDSA or 160-bit RIPEMD, and I spend even less time worrying about the strength of those two combined.

How often do you get the chance to work on a potentially world-changing project?
cedivad (OP)
January 16, 2013, 04:39:18 PM
Last edit: January 16, 2013, 04:50:11 PM by cedivad
 #23

Successful technology companies do not waste their time solving problems that they THINK they MIGHT have in 20 years.

I got it, you are talking about Facebook.

It's a problem that will arise sooner or later. It's sure.

Fixing it now is better than fixing it later.

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
greyhawk
January 16, 2013, 04:52:59 PM
 #24

cedivad, you should probably first get a basic grounding in cryptography before demanding illusory changes.

Also, are you Atlas?
DarkHyudrA
January 16, 2013, 04:56:53 PM
 #25

Successful technology companies do not waste their time solving problems that they THINK they MIGHT have in 20 years.

I got it, you are talking about Facebook.

It's a problem that will arise sooner or later. It's sure.

Fixing it now is better than fixing it later.

Go f*ck yourself now is better than go f*ck yourself later.
There are many other things that we must think about before, don't you think?

English <-> Brazilian Portuguese translations
cedivad (OP)
January 16, 2013, 04:59:03 PM
 #26

Well, I tried.

I should still be alive 50 years from now; I will resume the topic.

My anger against what is wrong in the Bitcoin community is productive:
Bitcointa.lk - Replace "Bitcointalk.org" with "Bitcointa.lk" in this url to see how this page looks like on a proper forum (Announcement Thread)
Hashfast.org - Wiki for screwed customers
ercolinux
January 16, 2013, 05:14:38 PM
 #27

3) 160 bits can't be brute forced.  Period.
Yes, now.
Do you know what hardware and tech the military has? Do you know what we will have in 20 years? I don't. No one knows. This is the point. It's the same as projecting the future costs and sizes of computers before the transistor.


Even if in 20 years the military can build a single computer as powerful as all the computers in the world now and put 1 quadrillion of those computers together (if they are the size of a credit card and 1 mm thick, they would cover all of the Earth's surface with a stacked height of 9 km), it would still take 80 years to crack a 160-bit hash. Not to mention the energy involved in the process.

Bitrated user: ercolinux.
notme
January 16, 2013, 05:17:22 PM
 #28

3) 160 bits can't be brute forced.  Period.
Yes, now.
Do you know what hardware and tech the military has? Do you know what we will have in 20 years? I don't. No one knows. This is the point. It's the same as projecting the future costs and sizes of computers before the transistor.


Even if in 20 years the military can build a single computer as powerful as all the computers in the world now and put 1 quadrillion of those computers together (if they are the size of a credit card and 1 mm thick, they would cover all of the Earth's surface with a stacked height of 9 km), it would still take 80 years to crack a 160-bit hash. Not to mention the energy involved in the process.

Sounds about right... Really, we can't even count to 2^256 with a theoretical perfectly efficient computer without using more energy than is contained in the sun.  Forget calculating a hash for each value.

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
Elwar
January 16, 2013, 05:18:55 PM
 #29

In the future kids will be too busy flying cars and eating space cheese to worry about breaking an encryption algorithm.

First seastead company actually selling sea homes: Ocean Builders https://ocean.builders  Of course we accept bitcoin.
notme
January 16, 2013, 05:21:06 PM
 #30

In the future kids will be too busy flying cars and eating space cheese to worry about breaking an encryption algorithm.


mmmmm.... space cheese

https://www.bitcoin.org/bitcoin.pdf
While no idea is perfect, some ideas are useful.
DeathAndTaxes
January 16, 2013, 05:40:18 PM
Last edit: January 16, 2013, 05:56:03 PM by DeathAndTaxes
 #31

3) 160 bits can't be brute forced.  Period.
Yes, now.
Do you know what hardware and tech the military has? Do you know what we will have in 20 years? I don't. No one knows. This is the point. It's the same as projecting the future costs and sizes of computers before the transistor.

PS, I made you write your 8888+1 post. Proud of it!

I know the military can't break the laws of physics and I know you have no idea the scale you are talking about.  We aren't talking about "wow this GPU is 3x as fast as last year's" we are talking about energy usage on the scale of sending an interstellar spacecraft to another star system to begin a human colony.

At the thermodynamic limit (the limit of efficiency in storing information imposed by the laws of the universe) it would require an amount of energy more than 100,000 times greater than the global energy usage of the entire human last year just to count to 2^160.  160 bit can't be brute forced today, tomorrow, next century, and likely not anytime until material sciences become so advanced that they will threaten what you propose we upgrade to as well.

Quote
Given that k = 1.38×10^-16 erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume 4.4×10^-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

To count to 2^160 (just count 1,2,3 ... 2^160) using a perfect computer would require 6.43x10^32 ergs.  To convert to a unit of power which is better known, that is 1.78x10^16 kWh.  A next generation nuclear reactor (1500 MW, 90% capacity factor) can produce 4.257*10^13 kWh annually.  That means even if magical aliens gave us a perfect computer it would require ~420,000 reactor years to produce the energy necessary for it to count from 0 to 2^160.  Remember this is merely counting to the number 2^160.  To perform a brute force attack would require tens of thousands of operations per attempt.  So let's ballpark it to say ~50,000 brand new nuclear reactors constructed and running continually to power nothing but this non-existent alien tech perfect computer for the next 10,000 years .... and it would still only have less than a 10% chance of brute forcing a Bitcoin address.

So yes I know 160 bit keys won't be brute forced in the next 20 years.

This quote applies to 256 bit keys but to a lesser extent it applies to 160bit hashes as well.

Quote
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html
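
The kT arithmetic from the post above, generalised to any key size and inverted to ask how many bits a given energy budget can count through. This is an added example, not code from the thread; it uses the quoted k and 3.2 K, and the world annual energy figure (5.5e20 J) is a rounded assumption that does not appear on the page.

```python
import math

# Constants quoted in the post above (CGS units, as in the quoted passage).
K_ERG_PER_KELVIN = 1.38e-16   # Boltzmann constant
T_AMBIENT_KELVIN = 3.2        # temperature used in the quote
ERG_PER_JOULE = 1e7

# ASSUMPTION (not from the thread): rounded world primary energy use per year.
WORLD_ENERGY_J_PER_YEAR = 5.5e20


def flip_energy_erg(temp_k=T_AMBIENT_KELVIN):
    """Energy to set or clear one bit, taken as kT like the quoted passage."""
    return K_ERG_PER_KELVIN * temp_k


def count_energy_joules(bits, temp_k=T_AMBIENT_KELVIN, flips_per_state=1):
    """Energy to step a counter through all 2**bits states.

    flips_per_state=1 is the idealised lower bound of one bit change per
    state; hashing or comparing each candidate would multiply it.
    """
    if bits < 0 or flips_per_state < 1:
        raise ValueError("bits must be >= 0 and flips_per_state >= 1")
    ergs = (2 ** bits) * flips_per_state * flip_energy_erg(temp_k)
    return ergs / ERG_PER_JOULE


def budget_years(bits, joules_per_year=WORLD_ENERGY_J_PER_YEAR, **kw):
    """Years of the given annual energy budget needed to finish the count."""
    return count_energy_joules(bits, **kw) / joules_per_year


def max_countable_bits(joules, temp_k=T_AMBIENT_KELVIN, flips_per_state=1):
    """Largest n such that counting to 2**n fits inside an energy budget."""
    flips = joules * ERG_PER_JOULE / (flip_energy_erg(temp_k) * flips_per_state)
    if flips < 1:
        return 0
    return math.floor(math.log2(flips))


if __name__ == "__main__":
    for n in (80, 128, 160, 256):
        print(f"{n:>3} bits: {count_energy_joules(n):.3e} J, "
              f"{budget_years(n):.3e} world-energy-years")
    print("bits countable with one world-energy-year:",
          max_countable_bits(WORLD_ENERGY_J_PER_YEAR))
```

Each extra bit doubles the energy, so the gap between what one year of the assumed budget can count through and 2^160 is itself a factor of more than 100,000.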
crazy_rabbit
January 16, 2013, 06:39:24 PM
 #32

3) 160 bits can't be brute forced.  Period.
Yes, now.
Do you know what hardware and tech the military has? Do you know what we will have in 20 years? I don't. No one knows. This is the point. It's the same as projecting the future costs and sizes of computers before the transistor.

PS, I made you write your 8888+1 post. Proud of it!

I know the military can't break the laws of physics and I know you have no idea the scale you are talking about.  We aren't talking about "wow this GPU is 3x as fast as last year's" we are talking about energy usage on the scale of sending an interstellar spacecraft to another star system to begin a human colony.

At the thermodynamic limit (the limit of efficiency in storing information imposed by the laws of the universe) it would require an amount of energy more than 100,000 times greater than the global energy usage of the entire human last year just to count to 2^160.  160 bit can't be brute forced today, tomorrow, next century, and likely not anytime until material sciences become so advanced that they will threaten what you propose we upgrade to as well.

Quote
Given that k = 1.38×10^-16 erg/°Kelvin, and that the ambient temperature of the universe is 3.2°Kelvin, an ideal computer running at 3.2°K would consume 4.4×10^-16 ergs every time it set or cleared a bit. To run a computer any colder than the cosmic background radiation would require extra energy to run a heat pump.

To count to 2^160 (just count 1,2,3 ... 2^160) using a perfect computer would require 6.43x10^32 ergs.  To convert to a unit of power which is better known, that is 1.78x10^16 kWh.  A next generation nuclear reactor (1500 MW, 90% capacity factor) can produce 4.257*10^13 kWh annually.  That means even if magical aliens gave us a perfect computer it would require ~420,000 reactor years to produce the energy necessary for it to count from 0 to 2^160.  Remember this is merely counting to the number 2^160.  To perform a brute force attack would require tens of thousands of operations per attempt.  So let's ballpark it to say ~50,000 brand new nuclear reactors constructed and running continually to power nothing but this non-existent alien tech perfect computer for the next 10,000 years .... and it would still only have less than a 10% chance of brute forcing a Bitcoin address.

So yes I know 160 bit keys won't be brute forced in the next 20 years.

This quote applies to 256 bit keys but to a lesser extent it applies to 160bit hashes as well.

Quote
These numbers have nothing to do with the technology of the devices; they are the maximums that thermodynamics will allow. And they strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.

http://www.schneier.com/blog/archives/2009/09/the_doghouse_cr.html

MATH! F*ck yeah! I love that stuff.

more or less retired.
ShadowOfHarbringer
January 17, 2013, 08:34:30 AM
Last edit: January 17, 2013, 08:58:29 AM by ShadowOfHarbringer
 #33

I think you don't really grasp what 2^160 actually means... let alone 2^2048...

This +1.

To the supports .... D&T rant mode engaged.

1) Bit strength alone is utterly meaningless.  ECC was designed to use a smaller key size yet produce the equivalent security of larger key sizes used by RSA.  256 bit ECC has the equivalent security of 3072 bit RSA.   The whole POINT of ECC was to reduce key sizes without reducing security.  Increasing the size of the hash to larger than the ECC key is a good way to just waste space.  It does absolutely nothing.

2) There aren't even any vetted ECC curves beyond 512 bit because it makes about as much sense as idiot LEET hackers speculating that if 2048 bit RSA is good then 4892374190289378952347589347528945 bit RSA must be even better.

3) 160 bits can't be brute forced.  Period.  To put it into perspective the entire bitcoin network has performed roughly 2^56 hashes and comparisons.  If the Bitcoin network was one trillion times faster (note that is roughly a million times more computing power than the entire planet combined) it would take "only" 80 quadrillion years to have a 50% chance of brute forcing a single 160 bit hash.   Most miners understand difficulty so brute forcing a 160 bit key is like solving a block with a difficulty of 79,228,162,514,264,300,000,000,000,000

4) Larger key strengths are useful in the event an algorithm is partially compromised HOWEVER it is more important to use well known and vetted algorithms which are less likely to be compromised in the first place.  Moving to Bobs Leet 2048 bit hash is of little utility if it is broken wide open providing about 20 bits of effective security vs no practical attacks on RIPEMD-160 or SHA-256.

5) Public addresses are the product of a double SHA-256 hash AND RIPEMD-160 hash of the public key.  This provides resistance to cryptographic attacks as it would require not just a flaw in one algorithm but a significant exploitable flaw in two completely unrelated and highly vetted hashing algorithms to have any useful applications.

6) Nothing is free.  Larger keys, larger public addresses (hashes), and more decimal precision takes up space.  The idiotic idea of going to a 2048 hash would increase the size of all transactions by a factor of nearly 13.  To put it into perspective if the network currently used that the blockchain would be nearly 40GB and growing by 5GB or so a month.  All those scalability limits (bandwidth for a node, computing power to verify tx, annual storage growth requirements, time to bootstrap a new node) would all be increased by a factor of 13.

Your arguments are valid.

Actually I already realized validness of these arguments before, however I am a hardcore crypto freak and I like if my cryptography is blazingly, incredibly strong. I actually use 4096-bit VPN keys to communicate between some of my servers even though I know very well that 2048 is more than enough.

So, now that we have determined that more cryptography is not necessary, what do you think about adding more decimal places ?
This is not an unrealistic future problem. If in 30-40 years Bitcoin becomes world's #1 currency, then 8 decimal places will not be enough. Why not simply add them now while it is extremely easy instead of waiting for problems in the future ?

When Bitcoin becomes widespread, it will be much more difficult to change anything than it was to change from IPv4 to IPv6 protocol (because of all the mining hardware).

Bitcoin may never scale to a level where such precision is useful.  Say we increase it to 16 digits.  Why not 48? or 96? or 2000?   Now you likely are thinking 2000 digits, now that is stupid.  9+ is really no different.

However, that argument is invalid.
Bitcoin "may never scale" they said. But it also MAY scale - what's then ?

This is a foolish "let's wait for the problem to appear, before dealing with it" kind of thinking.

Say we increase it to 16 digits.  Why not 48? or 96? or 2000?   Now you likely are thinking 2000 digits, now that is stupid.  9+ is really no different.

Really ? That's a simple problem.

We can calculate the minimum unit from the following algorithm:

Code:
# [Total value] = all Dollars in circulation + Euros in circulation + Yens in circulation + CNY in circulation + all the other currencies
# Convert [Total value] to amount of smallest units/fractions of the earth's cheapest currency (*excluding* internet currencies and currencies of countries with hyperinflation)
# Add one or 2 zeros.
There you have it. Humanity will probably never require more units of Bitcoin than that, even if Bitcoin becomes #1 World currency and everybody in the world starts using Bitcoin instead of other currencies.

Currently, total amount of the smallest units of Bitcoin is 2,100,000,000,000,000 which is just over 2 thousands of trillions (USA scale). Is it enough according to the equation above ? I highly doubt so.

caveden
January 17, 2013, 09:27:07 AM
 #34

So lets ballpark it to say ~50,000 brand new nuclear reactors constructed and running continually to power nothing but this non-existent alien tech perfect computer for the next 10,000 years .... and it would still only have less than a 10% chance of brute forcing a Bitcoin address.

I'm quoting this just because, apparently, it can't be repeated enough. Thanks D&T. ;)

By the way, correct me where I'm wrong. What I know about quantum computers is that they're capable of executing operations which normal computers simply cannot execute. With these different kinds of operations, it is possible to execute a particular algorithm that exploits a "flaw" in some public-key encryption algorithms like ECDSA or RSA and then crack a private key out of its public pair with considerably fewer operations than a brute force would require.

I have no idea how fast this algorithm can crack a key, but I believe we have no reason to worry right now. Quantum-proof public-key algorithms are not as well tested as ECDSA AFAIK, so it might not be a good idea to start using them right away. Hell, RSA is used all over and people are not worrying about this. We can stay cool for many years yet, I suppose.

Finally, hash functions are not quantum-vulnerable. So as long as you use disposable addresses (i.e., never reuse an address), you're safe even against quantum computers.
ercolinux
January 17, 2013, 10:02:29 AM
 #35


So, now that we have determined that more cryptography is not necessary, what do you think about adding more decimal places ?
This is not an unrealistic future problem. If in 30-40 years Bitcoin becomes world's #1 currency, then 8 decimal places will not be enough. Why not simply add them now while it is extremely easy instead of waiting for problems in the future ?

When Bitcoin becomes widespread, it will be much more difficult to change anything than it was to change from IPv4 to IPv6 protocol (because of all the mining hardware).

Bitcoin may never scale to a level where such precision is useful.  Say we increase it to 16 digits.  Why not 48? or 96? or 2000?   Now you likely are thinking 2000 digits, now that is stupid.  9+ is really no different.

However, that argument is invalid.
Bitcoin "may never scale" they said. But it also MAY scale - what's then ?

This is a foolish "let's wait for the problem to appear, before dealing with it" kind of thinking.

Say we increase it to 16 digits.  Why not 48? or 96? or 2000?   Now you likely are thinking 2000 digits, now that is stupid.  9+ is really no different.

Really ? That's a simple problem.

We can calculate the minimum unit from the following algorithm:

Code:
# [Total value] = all Dollars in circulation + Euros in circulation + Yens in circulation + CNY in circulation + all the other currencies
# Convert [Total value] to amount of smallest units/fractions of the earth's cheapest currency (*excluding* internet currencies and currencies of countries with hyperinflation)
# Add one or 2 zeros.
There you have it. Humanity will probably never require more units of Bitcoin than that, even if Bitcoin becomes #1 World currency and everybody in the world starts using Bitcoin instead of other currencies.

Currently, total amount of the smallest units of Bitcoin is 2,100,000,000,000,000 which is just over 2 thousands of trillions (USA scale). Is it enough according to the equation above ? I highly doubt so.


It's really unlikely that bitcoin will replace all world currencies in 20-30 years. Actually assuming that we would use 1/1000th of "coins" we can use 2,1 trillions of "coins" with a value of 1$ each.  That's roughly an average of 262 "coins" for every world inhabitant. Assuming that 1/100 of world population  will use bitcoin is 26200$ per person.

Bitrated user: ercolinux.
greyhawk
January 17, 2013, 10:16:22 AM
 #36


It's really unlikely that bitcoin will replace all world currencies in 20-30 years.

Especially if you consider that any single copy of the blockchain would grow by 6 TeraByte PER DAY.
ercolinux
January 17, 2013, 10:43:43 AM
 #37


It's really unlikely that bitcoin will replace all world currencies in 20-30 years.

Especially if you consider that any single copy of the blockchain would grow by 6 TeraByte PER DAY.

That will not be a problem: in 20 years an SD card can reach a size of thousands of TB (today there is a 2TB USB stick). And you don't have to download the whole blockchain to make the client work.

Bitrated user: ercolinux.
payb.tc
January 17, 2013, 11:57:34 AM
 #38


It's really unlikely that bitcoin will replace all world currencies in 20-30 years.

Especially if you consider that any single copy of the blockchain would grow by 6 TeraByte PER DAY.

I thought the maximum block size was 1MB.

144 blocks per day = maximum 144MB per day.
ShadowOfHarbringer
January 17, 2013, 12:08:49 PM
 #39

It's really unlikely that bitcoin will replace all world currencies in 20-30 years.

Of course it is very unlikely, but that is not the point.

The UNIX engineers of the 1970's also thought that it was really unlikely that anybody in 2013 would use their code & standards such as 32bit UNIX TIMESTAMPS limited to year 2038 and IPv4 limited to roughly 4.000.000.000 addresses.

This shows that humanity is not really very good at thinking ahead, especially when speed of changes is rising exponentially.

So let's design ahead while you can, do not wait for the problem to show up (especially that now it is extremely easy to change something, and with time it will be more and more and more difficult, nearing impossible in a few decades).


greyhawk
January 17, 2013, 12:10:04 PM
 #40


It's really unlikely that bitcoin will replace all world currencies in 20-30 years.

Especially if you consider that any single copy of the blockchain would grow by 6 TeraByte PER DAY.

I thought the maximum block size was 1MB.

144 blocks per day = maximum 144MB per day.


Yes. Yes it is. See the problem?