Bitcoin Forum
Topic: Theymos: “Bitcoins Belonging to Satoshi Should Be Destroyed”  (page 16 of 22, read 18507 times)
Blackmet (Hero Member)
May 19, 2016, 05:04:16 PM  #301

If it will help to prevent monetary inflation, then why not? I am not really interested in bitcoins that belong to Satoshi Nakamoto; I am interested only in my own income.

pogress (Member)
May 19, 2016, 05:08:49 PM  #302

> No.  The private key and corresponding public key (a.k.a. your Bitcoin address) do not have to change at all.  Rather, if/when we change the DSA from ECDSA (which is QC vulnerable) to another DSA which is QC resistant then your wallet software will have to be changed to use the new DSA; that's all; nothing else.
>
> If we don't change the DSA to one that is QC resistant then bad actors (with enough moxie) will be able to sign messages moving bitcoins they have no right to move.

So basically only reused addresses, or those who sign messages with the address, are in danger, right? This would mean no Lightning Network (or Blockchain.info Thunder) anymore. Btw, does a QC-resistant DSA even exist? All I know is you can only keep increasing bits from 256 to 512 and higher so QC cannot catch up, as it needs an increasing number of stable qubits, which is the real challenge in QC; if you need to reuse addresses, that's it.
finkelsteinMonster (Newbie)
May 19, 2016, 05:20:31 PM  #303

>>> ... I agree perfectly well with you that if (legitimate) ownership can be established, the coins should be left alone and that ownership absolutely should be respected.
>>
>> No. Until it is conclusively shown that the legitimate owner has zero interest in the coins, only he has the right to decide what's to be done with those coins.
>
> Failing to expend trivial effort to safeguard coins would, it seems to me, "conclusively show" that the legitimate owner had zero interest in the coins.

You're easily convinced; it shows no such thing to me.
Bitcoin is meant to be a store of value, safeguarded by "immutable laws of the cosmos and maths." If my investment is only safe as long as I read bitcointalk on a regular basis, that's not something I'm interested in.
A person may not be able to move his coin for extended periods of time, being thrown in prison, for instance.

> Those disagreeing with me recently have emphasized the paramount rights of an owner of bitcoins against any infringement, even if it means that other bitcoin owners might be harmed by their inaction. (In this case, coins being stolen and dumped.) Whereas I've played the role of a neutral arbiter who is trying to minimize loss across the board, across all owners.

Thieves are no more likely to dump stolen coins on the market than are the legitimate owners. Less likely, actually, because such sums would need to be dumped via exchanges, which means banks, which means KYC/AML.
Moving the coins to a bunch of other addies is far simpler, and wouldn't look any different than the same coins being moved by their legitimate owners.
So "kill the few so that many could live" vs "do nothing & many would die" is a false dichotomy.
David Rabahy (Hero Member)
May 19, 2016, 05:24:23 PM  #304

> does a QC-resistant DSA even exist?

https://en.wikipedia.org/wiki/Lattice-based_cryptography & https://en.wikipedia.org/wiki/McEliece_cryptosystem
The00Dustin (Hero Member)
May 19, 2016, 05:26:18 PM  #305

>>>> Point of information:  it is not the hashing algorithms that are QC vulnerable, it is the ECDSA that is vulnerable.  If/when QC becomes a reality we will have no trouble convincing a majority to move to a new DSA.  Deciding exactly which new DSA to move to may be an issue but after a lot of the standard drama that accompanies all decisions in Bitcoin, I believe a new DSA will be picked and we will move to it.  The hashing algorithms used can and will also be replaced/upgraded as needed (just not due to QC).
>>>
>>> Oh.  Where is ECDSA https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm used in Bitcoin?  If that can be changed without me giving up my current private keys and Bitcoin addresses then this whole topic is noise.
>>> Found it; https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm.  So, yeah, this topic is useless; move on.
>>
>> Actually, this discussion is all about whether or not you should have to give up your current addresses.  Any new algorithm would require new addresses and new private keys.  Your existing private key and address could not be ported (for lack of a better word), and the discussion technically revolves around whether or not you have the right to keep using the pair even after it could be vulnerable to attack.
>
> No.  The private key and corresponding public key (a.k.a. your Bitcoin address) do not have to change at all.  Rather, if/when we change the DSA from ECDSA (which is QC vulnerable) to another DSA which is QC resistant then your wallet software will have to be changed to use the new DSA; that's all; nothing else.

I hear what you're saying and I'm intrigued, because it implies my somewhat simplistic understanding of encryption technologies may be wrong here.  However, if it were so simple, then why would there even be a discussion about earlier coins being more vulnerable?  If any existing (or technically non-existing) private keys could be used to match up to existing bitcoin addresses using a different DSA, then the only addresses that would ever be vulnerable are addresses that have been used as outputs or signed against using the old DSA.  In that case, the majority of the coins being discussed here that were mined and never touched would be safe unless blocks were once generated including a signature for the address the reward was mined to and that was subsequently changed some time ago.  So, what gives?
andulolika (Legendary)
May 19, 2016, 05:38:26 PM  #306

> If it will help to prevent monetary inflation, then why not? I am not really interested in bitcoins that belong to Satoshi Nakamoto; I am interested only in my own income.

Bitcoin doesn't really have inflation, and no one should have the power to touch someone else's coins, whatever their name is.
David Rabahy (Hero Member)
May 19, 2016, 06:07:30 PM  #307

> I hear what you're saying and I'm intrigued, because it implies my somewhat simplistic understanding of encryption technologies may be wrong here.  However, if it were so simple, then why would there even be a discussion about earlier coins being more vulnerable?  If any existing (or technically non-existing) private keys could be used to match up to existing bitcoin addresses using a different DSA, then the only addresses that would ever be vulnerable are addresses that have been used as outputs or signed against using the old DSA.  In that case, the majority of the coins being discussed here that were mined and never touched would be safe unless blocks were once generated including a signature for the address the reward was mined to and that was subsequently changed some time ago.  So, what gives?

Perhaps the quality of the private keys is in question.  If a private key is generated with good randomness then it shouldn't be vulnerable.  If a private key is generated with poor randomness then it is vulnerable.  If the Satoshi (or anyone else's, for that matter) private keys are at risk then having them age out seems like overkill.  Let the lucky bad actors take them.  The owners of such can move them before they are stolen to an address derived from a superior private key.

If the quality of the private key isn't in question then what the heck are we talking about?  If I sign and distribute a bunch of messages using my private key then each of those messages give the bad actors more data to attack.  If I never sign and distribute even a single message then I am just depending on the quality & security/privacy of my private key.  The block reward comes into existence without any signatures.  Only outputs require signatures.  Move coins to a fresh address (one that has never been used to sign) and it is safe.

Destroying anyone's coins to eliminate the risk of them becoming active is wrong pure and simple.

Is someone worried that Satoshi or anyone else is at risk of being coerced?  Destroying their coins hardly seems the appropriate response.
AgentofCoin (Legendary)
May 19, 2016, 06:19:17 PM  #308

>> I hear what you're saying and I'm intrigued, because it implies my somewhat simplistic understanding of encryption technologies may be wrong here.  However, if it were so simple, then why would there even be a discussion about earlier coins being more vulnerable?  If any existing (or technically non-existing) private keys could be used to match up to existing bitcoin addresses using a different DSA, then the only addresses that would ever be vulnerable are addresses that have been used as outputs or signed against using the old DSA.  In that case, the majority of the coins being discussed here that were mined and never touched would be safe unless blocks were once generated including a signature for the address the reward was mined to and that was subsequently changed some time ago.  So, what gives?
>
> Perhaps the quality of the private keys is in question.  If a private key is generated with good randomness then it shouldn't be vulnerable.  If a private key is generated with poor randomness then it is vulnerable.  If the Satoshi (or anyone else's, for that matter) private keys are at risk then having them age out seems like overkill.  Let the lucky bad actors take them.  The owners of such can move them before they are stolen to an address derived from a superior private key.
>
> If the quality of the private key isn't in question then what the heck are we talking about? ...

The following is what Theymos stated the issue is centered around.
Early mined coins are more vulnerable since public keys were used then.
See the below quotes from earlier in this thread.

>> How are coins that are never spent factored into this? I mean, those addresses that do not have public keys yet, because the coins have not been spent and that particular address has not been reused?
>>
>> Isn't it that bitcoins are protected by at least 2 layers of encryption: The public / private keys, and a hash which results in the bitcoin address?
>
> The Bitcoin client's built-in solo miner paid directly to a public key, not an address. So there's over a million BTC in the form of unspent 50-BTC block rewards which are vulnerable to a break in ECDSA. This is the main concern. (Emphasis added)
>
> Unspent addresses are OK, at least until quantum computers get so fast that they can break keys within the few minutes between when you spend from such an address to when it gets confirmed. Contrary to what someone said earlier, SHA-256 and RIPEMD-160 are OK. QC halves the number of bits of security for symmetric crypto. SHA-256 has 128 bits of security under QC, etc.  Whereas all asymmetric crypto used today is totally broken (ie. the complexity of breaking a key is polynomial w.r.t the key's length under QC, though it still might take some time).

I support a decentralized & unregulatable ledger first, with safe scaling over time.
Request a signed message if you are associating with anyone claiming to be me.
David Rabahy (Hero Member)
May 19, 2016, 06:56:08 PM  #309

> The Bitcoin client's built-in solo miner paid directly to a public key, not an address. So there's over a million BTC in the form of unspent 50-BTC block rewards which are vulnerable to a break in ECDSA. This is the main concern.
>
> Unspent addresses are OK, at least until quantum computers get so fast that they can break keys within the few minutes between when you spend from such an address to when it gets confirmed. Contrary to what someone said earlier, SHA-256 and RIPEMD-160 are OK. QC halves the number of bits of security for symmetric crypto. SHA-256 has 128 bits of security under QC, etc.  Whereas all asymmetric crypto used today is totally broken (ie. the complexity of breaking a key is polynomial w.r.t the key's length under QC, though it still might take some time).

Oh.  What does it mean to be "paid directly to a public key, not an address"?  Let's compare https://blockchain.info/tx/0e3e2357e806b6cdb1f70b54c3a3a17b6714ee1f0e68bebb44a74b1efd512098 to https://blockchain.info/tx/4d32d3caa4fc7121e48c59e895ff50aa4a80763aea107e7fc82749885aac5e99 and try to see the difference.

Instead of destroying Satoshi's stash, how about if we create an address and move the vulnerable coins there for safekeeping?
cjmoles (Legendary)
May 19, 2016, 07:00:25 PM  #310

(Hmmmm....I must be on the collectively biased midget minded ignore list....)
(I will save that argument for another time.)

My question in this debate is becoming:  Even if the Secp256k1 algorithm becomes exploitable by quantum computing, where does pruning the block chain by burning unsecured ledger entries fit into the consensus protocol? I think this is where the bigger leak in this argument can be demonstrated.
jbreher (Legendary)
May 19, 2016, 07:01:58 PM  #311

> So from this perspective, which I agree with, the risk of losses from other people's insecure coins is part of the risk I assume when I buy into bitcoin. If this is the consensus of the bitcoin community (and I think it is), then I am much more agreeable that no action should be taken to destroy coins that could be lost due to a QC-event or similar loss of security.

Thank you for your reconsideration.

For the record, the charge of im-/a-morality was meant more to shock people into reexamination of the issue. In general, I tend to accord people as intending to behave in a moral manner unless there is concrete evidence to the contrary.

But to seal the deal for others on the sidelines:

With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.


Anyone with a campaign ad in their signature -- for an organization with which they are not otherwise affiliated -- is automatically deducted credibility points.

I've been convicted of heresy. Convicted by a mere known extortionist. Read my Trust for details.
David Rabahy (Hero Member)
May 19, 2016, 07:08:34 PM  #312

> With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.

Shouldn't we instead move the car(s) to a more secure location until the proper owner steps forward to claim?
BurtW (Legendary)
May 19, 2016, 07:16:32 PM  #313

> My question in this debate is becoming:  Even if the Secp256k1 algorithm becomes exploitable by quantum computing, where does pruning the block chain by burning unsecured ledger entries fit into the consensus protocol? I think this is where the bigger leak in this argument can be demonstrated.

This is the actual crux of this and any other argument that has the form "I think we should do X to enhance/change/fix Bitcoin"

This has been proposed thousands of times on this forum:  change the block reward, 21M cap is stupid; decrease the block time, 10 minutes is too long for me to wait; prune out the old coins, they might get stolen and dumped; and my all time favorite:  recycle the "lost" coins so we can mine them again and bring the total back up to 21M.

All of these hypothetical desires fail right out of the gate based on the fact that any fork of this nature creates a new coin and this new coin is no longer Bitcoin.

As long as there remains a small number of miners and nodes on the original protocol that side of the fork is Bitcoin - the other side of the fork is something else.

Our family was terrorized by Homeland Security.  Read all about it here:  http://www.jmwagner.com/ and http://www.burtw.com/  Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
cjmoles (Legendary)
May 19, 2016, 07:18:07 PM  #314

>> With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.
>
> Shouldn't we instead move the car(s) to a more secure location until the proper owner steps forward to claim?

The root of this very question has been dissected many times in philosophical debates.  Here is one such debate that illustrates the reasoning: https://birajbahadurbista.wordpress.com/2013/12/10/concept-of-justice-in-platos-republica/
jbreher (Legendary)
May 19, 2016, 07:22:51 PM  #315

>> With today's technology, it is trivial for a thief to crack a door key and ignition key on many cars. Given enough immoral actors, and enough time, every such vulnerable car is a candidate for theft. We do not preemptively steal all such cars "for the common good". Because such theft would be evil. Even if we were to subsequently crush any such vehicles that were "fixed" in this manner, it is still evil. And the fact that if we did not do so, leaving the theft to another who might subsequently sell the vehicle, would marginally reduce the value of all our other vehicles on the used market does not change the fact that preemptive confiscation is inherently evil.
>
> Shouldn't we instead move the car(s) to a more secure location until the proper owner steps forward to claim?

Perhaps you missed the 'with today's technology...'. Are you proposing that it would be valid to do so today? For that is the analogy.

But regardless, the answer is _no_. The prerogative -- and the responsibility -- belongs solely to the owner.

David Rabahy (Hero Member)
May 19, 2016, 07:37:18 PM  #316

> But regardless, the answer is _no_. The prerogative -- and the responsibility -- belongs solely to the owner.

The owner had best get on with securing his stash before they are taken.  Does it take a quantum computer to take them?  Can a classical computer take them in a reasonable amount of time/effort?  Should I be making an effort to take them?  In the meantime, the market participants should take the risk into account and discount the exchange rates.  Or are we saying they already have?  I doubt it.  If/when a Satoshi coin moves then the markets will react.  Until then the working assumption is they won't ever move.  Since the movement would likely wreak havoc then there is something to talk about.  If enough "voters" want to eliminate this risk then they can.  Don't sit on a pile and expect the rest of humanity to ignore it.  If nothing else the rest of humanity can abandon Bitcoin for something else without that particular risk.
BurtW (Legendary)
May 19, 2016, 07:41:39 PM  #317

> humanity can abandon Bitcoin for something else without that particular risk.

If that is what they want I invite humanity to do just that.  Bitcoin will still be Bitcoin no matter what Nanny coin is developed for the "humanity" you speak of.

AgentofCoin (Legendary)
May 19, 2016, 07:57:18 PM  #318

>> The Bitcoin client's built-in solo miner paid directly to a public key, not an address. So there's over a million BTC in the form of unspent 50-BTC block rewards which are vulnerable to a break in ECDSA. This is the main concern.
>>
>> Unspent addresses are OK, at least until quantum computers get so fast that they can break keys within the few minutes between when you spend from such an address to when it gets confirmed. Contrary to what someone said earlier, SHA-256 and RIPEMD-160 are OK. QC halves the number of bits of security for symmetric crypto. SHA-256 has 128 bits of security under QC, etc.  Whereas all asymmetric crypto used today is totally broken (ie. the complexity of breaking a key is polynomial w.r.t the key's length under QC, though it still might take some time).
>
> Oh.  What does it mean to be "paid directly to a public key, not an address"?  Let's compare https://blockchain.info/tx/0e3e2357e806b6cdb1f70b54c3a3a17b6714ee1f0e68bebb44a74b1efd512098 to https://blockchain.info/tx/4d32d3caa4fc7121e48c59e895ff50aa4a80763aea107e7fc82749885aac5e99 and try to see the difference.

There is a security difference. See the following.


https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses


> Instead of destroying Satoshi's stash, how about if we create an address and move the vulnerable coins there for safekeeping?

That has been proposed as well, but the problem is that ultimately you are locking those coins indefinitely, which is the same as destroying or burning them.

The bottom line is, if users do not move their coins to a more secure cryptography in the future, they risk losing them through theft from more advanced systems. Plain and simple.

cjmoles (Legendary)
May 19, 2016, 08:02:35 PM  #319

>> But regardless, the answer is _no_. The prerogative -- and the responsibility -- belongs solely to the owner.
>
> The owner had best get on with securing his stash before they are taken.  Does it take a quantum computer to take them?  Can a classical computer take them in a reasonable amount of time/effort?  Should I be making an effort to take them?  In the meantime, the market participants should take the risk into account and discount the exchange rates.  Or are we saying they already have?  I doubt it.  If/when a Satoshi coin moves then the markets will react.  Until then the working assumption is they won't ever move.  Since the movement would likely wreak havoc then there is something to talk about.  If enough "voters" want to eliminate this risk then they can.  Don't sit on a pile and expect the rest of humanity to ignore it.  If nothing else the rest of humanity can abandon Bitcoin for something else without that particular risk.

> If nothing else the rest of humanity can abandon Bitcoin for something else without that particular risk.

That /\ would actually be the result of this \/.

> If enough "voters" want to eliminate this risk then they can.

LOL
GreenBits (Legendary)
May 19, 2016, 08:20:21 PM  #320

>>> But in the actual example, the only coins affected are those that have been for all practical purposes abandoned - and WILL be stolen.
>>
>> Bull-fucking-shit. You ('you' being anyone or any group of people) have absolutely no way of knowing whether or not those coins are abandoned. You also have no way of knowing when or even if they will be stolen.
>>
>> Again, in case you are still blind to the moral principle, the only person who has a legitimate claim on managing the risk is the owner of the coins themselves. Any lesser standard is simply theft.
>>
>> If you have a mic, it needs to be dropped.
>
> Nope.
>
> As I understood it, in the scenario Theymos outlined, QC technology has reached a point where it is apparent the existing bitcoin protocol WILL be compromised. So a hard fork is developed that will be QC-resistant. Everyone is asked to take action (moving coins in some fashion) into the new QC-resistant haven. Those who do not are leaving their coins where they will become vulnerable to theft using the new QC technology.
>
> So the claim that "You have absolutely no way of knowing whether or not those coins are abandoned" is not accurate. Clearly they _are_ abandoned at this point, by the failure to take action to keep or safeguard the coins. You can't dump cash on a busy street, drive away, and still claim ownership in any meaningful sense.
>
> By rejecting Theymos' suggestion, all you will be achieving is leaving some fraction of all bitcoins available for the first people with the QC technology to sweep up all the loose coins at will. You won't be saving them from evil devs. You will just be losing them to thieves. And then everyone else with bitcoin suffers as the market collapses from the shock of such stupidity in allowing this to happen.



Thank you sir. I concur, and your sentence structure is excellent. Also, as per your last post, I applaud you for making your motivations clear. If everyone on the board did this, the shill/disinformation paradigm would vanish overnight.

We can not protect these coins, and suffer the consequences as a whole, or we can take preventative measures, and mitigate the harm to a select few, obviously negligent actors at this point.

Would you starve due to the negligence of your brother? I am all for helping another in need, but when that need is self imposed, when does one limit their own exposure to another's poor situation?