Bitcoin Forum
Author Topic: Game theory involving Quantum Resistance protocol  (Read 814 times)
aliashraf
Legendary
Activity: 1456
Merit: 1174
Always remember the cause!
October 09, 2019, 07:08:15 PM
#21

Most of them, wallets with exposed public keys, will migrate to the new scheme before the catastrophe and after the QC resistant fork. At the end of the day, we are left with a (tiny, IMHO) fraction of bitcoin wallets being abandoned by their owners for some reason, of which I suppose less than 10% would have exposed keys and P2PKH addresses. My estimation is based on their current 25% ratio and the fact that such wallets are usually more active compared to untouched wallets that are more suspect of being abandoned.

Those numbers are completely invented. If my time in this space has taught me anything, it's that most people are overwhelmingly careless about their security and don't keep up with Bitcoin development.
No! 25% is not invented:

https://medium.com/@sashagnip/how-many-bitcoins-are-vulnerable-to-a-hypothetical-quantum-attack-3e59e4172e8
Quote
As of 2018 June 4, 19% of addresses (4,204,148 of 22,275,753) that hold 25% of bitcoins (4,319,806 of 17,072,361) reveal their public keys
This analysis is done using two fairly simple scripts, and one should run the scripts for the current date, but I'm sure the numbers are getting better over time, not worse.

The second number (10%) is a reasonable estimation because it is very likely that abandoned wallets are way rarer compared to active wallets as long as we are talking about money.

This problem is compounded by the fact that quantum resistant signatures like Lamport are extremely heavy, so we have incentive to delay a fork as long as possible:
Quote
The size of Lamport public key and signature together is 231 times (106 bytes vs 24KB) more than the ECDSA public key and signature.

I'm not sure what alternatives there are.

QC-resistant cryptography is new, just like QC itself, and it is already ahead of the enemy by any measure; I think long before QC is ready to attack we will be ready to fork.
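The "106 bytes vs 24KB" figure quoted in the post above can be checked by building the scheme. This is an added example, not code from the thread or from the cited article: a textbook Lamport one-time signature over SHA-256, with key and signature sizes measured against an assumed 106-byte ECDSA baseline (33-byte compressed secp256k1 pubkey plus a 73-byte maximal DER signature).

```python
import hashlib
import os

# Classic Lamport one-time signature over SHA-256: 256 message bits, each bit
# selecting one of two 32-byte secret preimages.
N_BITS = 256
DIGEST_LEN = 32


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _message_bits(message: bytes) -> list:
    """Hash the message and expand the digest into 256 bits, MSB first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(N_BITS)]


def lamport_keygen(rng=os.urandom):
    """Secret key: 256 pairs of random preimages. Public key: their hashes."""
    sk = [(rng(DIGEST_LEN), rng(DIGEST_LEN)) for _ in range(N_BITS)]
    pk = [(_h(a), _h(b)) for a, b in sk]
    return sk, pk


def lamport_sign(sk, message: bytes) -> bytes:
    """Reveal, for each message bit, the preimage at that bit's position.

    The key is strictly one-time: signing a second message reveals preimages
    from both halves of some pairs, which is enough material to forge."""
    return b"".join(sk[i][bit] for i, bit in enumerate(_message_bits(message)))


def lamport_verify(pk, message: bytes, signature: bytes) -> bool:
    """Re-hash each revealed preimage and compare with the committed hash."""
    if len(signature) != N_BITS * DIGEST_LEN:
        return False
    for i, bit in enumerate(_message_bits(message)):
        chunk = signature[i * DIGEST_LEN:(i + 1) * DIGEST_LEN]
        if _h(chunk) != pk[i][bit]:
            return False
    return True


def serialize_pk(pk) -> bytes:
    """Flat on-chain encoding of the public key: 512 hashes back to back."""
    return b"".join(a + b for a, b in pk)


# Assumed ECDSA baseline from the quoted comparison: compressed pubkey (33)
# plus a maximal DER-encoded signature (73) = 106 bytes.
ECDSA_PK_PLUS_SIG = 33 + 73


def size_comparison():
    """Return (lamport pk bytes, lamport sig bytes, combined, ratio vs ECDSA)."""
    sk, pk = lamport_keygen()
    sig = lamport_sign(sk, b"size probe")
    pk_len = len(serialize_pk(pk))
    combined = pk_len + len(sig)
    return pk_len, len(sig), combined, combined // ECDSA_PK_PLUS_SIG


if __name__ == "__main__":
    sk, pk = lamport_keygen()
    msg = b"migrate UTXO to post-quantum output"
    sig = lamport_sign(sk, msg)
    print("valid:", lamport_verify(pk, msg, sig))
    print("tampered message:", lamport_verify(pk, msg + b"!", sig))
    print("pk, sig, combined, ratio:", size_comparison())
```

The combined 24576 bytes is the "24KB" of the quote, and 24576 // 106 gives the 231x ratio; a real deployment would also need a Merkle tree or a stateful/hash-based scheme on top, since one Lamport key can sign only once.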
AverageGlabella
Legendary
Activity: 1232
Merit: 1080
October 09, 2019, 07:15:12 PM
Merited by Welsh (4), joniboini (2)
#22

  • Second deadline (m>n blocks after the fork):
    • p2pkh wallets should migrate; otherwise, after m blocks, anybody who has access to public keys corresponding to such a UTXO has a right to nullify it with a fixed satoshi/byte fee rate by means of generating and relaying a transaction.

What you are proposing is the most popular option I would say at this moment, and I think it's the only logistical one that I have heard of, but I don't understand why you are pushing for it to be done so soon. The second deadline does not need to be months after and could instead be a couple of years to allow those that are less security conscious. The elitist attitude of "that is their problem for not listening" is invalid if we wish for mass adoption of Bitcoin. The decisions made for Bitcoin should appeal to the majority of members and not blame it on them if they are not up to date as we are. Quantum computers capable of threatening Bitcoin's algorithm will be around the year 2025 at the earliest. This means we have several years to implement the first stage and then several years to allow for people to change on the second deadline. Moving this along too quickly is not an effective way of making a big change like this.

QC-resistant cryptography is new, just like QC itself, and it is already ahead of the enemy by any measure; I think long before QC is ready to attack we will be ready to fork.
If this is true like we are both predicting then the second stage can be rolled out over a couple of years and not a few months.
aliashraf
Legendary
Activity: 1456
Merit: 1174
Always remember the cause!
October 09, 2019, 07:32:25 PM
#23

  • Second deadline (m>n blocks after the fork):
    • p2pkh wallets should migrate; otherwise, after m blocks, anybody who has access to public keys corresponding to such a UTXO has a right to nullify it with a fixed satoshi/byte fee rate by means of generating and relaying a transaction.


... I don't understand why you are pushing for it to be done so soon. The second deadline does not need to be months after and could instead be a couple of years to allow those that are less security conscious.

QC-resistant cryptography is new, just like QC itself, and it is already ahead of the enemy by any measure; I think long before QC is ready to attack we will be ready to fork.
If this is true like we are both predicting then the second stage can be rolled out over a couple of years and not a few months.
I'm not pushing. Just trying to show that we are ahead of the QC threat and there are a lot of possibilities to keep the risks involved very low in the next couple of decades.
aliashraf
Legendary
Activity: 1456
Merit: 1174
Always remember the cause!
October 09, 2019, 08:43:58 PM
Last edit: October 09, 2019, 08:54:29 PM by aliashraf
#24

...
3- Let people with abandoned p2pkh UTXOs with an uncompromised public key that are still active after the second deadline mine their transactions privately by leasing/installing hash power or by buying private service from known responsible miners/pools.

I don't understand why you suggest this part. There aren't many pools/solo miners and you'd create a big dependency on them (pools and solo miners).
I'm not proposing anything, just reminding a possibility.

A few decades later, probably, when QC is no longer sci-fi and bitcoin has successfully implemented QC resistance and most wallets have migrated to the new scheme, there will be a hopefully small fraction of p2pkh UTXOs still untouched. In such a situation, with commercially cheap QCs lurking around in the shadows, if an owner of such a wallet tries to access his funds by publishing a transaction, the funds are put at risk during the unconfirmed minutes of the transaction lifecycle. Hence they are practically lost already.

What I'm suggesting is that in such a marginal situation, the poor owner of the wallet who secretly has access to both public and private keys matching the wallet's unused RIPEMD-160 address still has this option: privately mining their txn, either directly or by buying third party services. Sure, it is not ideal, but it works and is much preferable to risking public disclosure of the unconfirmed txn and putting not only their funds but also the ecosystem in danger. Bitcoin will suffer from any kind of robbery as well as lost funds; we all know.
franky1
Legendary
Activity: 4200
Merit: 4414
October 10, 2019, 07:34:45 PM
#25

destroying coins?? (facepalm)

not only does that break the rules of the whole 21m coin 'there will be 21m coins in the future .. oh wait we meant 15mill, now 14m'

not only does that break the 'trust math' theology. because now devs decide they want to go against the rules, so people can't trust that they will always have coins if they just locked their only copy of a private key in a time capsule. they have to trust and hope devs don't go barbaric on code rules

not only does destroying coins destroy many aspects of bitcoin, but the social drama impact of such an act would affect the markets more so than just letting a thief sell coins

think about it: once brute forced coins are sold or moved out of insecure keys, drama is over.
it's far better to let someone waste their life brute forcing a private key for 50btc and sell them, then repeat 20,000 times until 'satoshi stash' is no longer on insecure addresses... than it is to let devs manipulate the rules to declare more than 1m coins defunct and destroyed in one go. what's next? if p2pk keys need destroying, do devs wait a month and declare war on p2pkh/p2sh? then when they find an issue with segwit declare a war on p2wpkh? would it ever end

people would prefer to know that if they leave their coins it's their fault for not looking after them. if they care and there is an output format that is genuinely more secure they can move them. if they don't then they are at risk of someone else spending them.. but never ever should devs ever consider destroying coins..

in business terms. imagine there is a company in the middle of a merger/liquidation buyout/hostile takeover. is it more beneficial to just let it happen, as you know it's only a 15-minute news item that passes as fast as a price dip would.. or would you call in the military and nuke the facility and shout 'ha ha ha no one gets it' and then go on a mission where nuking businesses is standard practice

the price drama of a user selling 50btc a day is small if they brute forced a satoshi stash address each day. and it would take 20,000 of those days to do it to 1m coins.
just think about how little effect on the price 50btc is in comparison to average daily volume.
just think about how little drama it would realistically create compared to breaking some of bitcoin's fundamental rules.

more people would be more concerned that devs are coming to destroy their coins next compared to the worry of someone spending 50btc of satoshi stash a day

I DO NOT TRADE OR ACT AS ESCROW ON THIS FORUM EVER.
Please do your own research & respect what is written here as both opinion & information gleaned from experience. many people replying with insults but no on-topic content substance, automatically are 'facepalmed' and yawned at
figmentofmyass
Legendary
Activity: 1652
Merit: 1483
October 10, 2019, 10:17:12 PM
#26

destroying coins?? (facepalm)

not only does that break the rules of the whole 21m coin 'there will be 21m coins in the future .. oh wait we meant 15mill, now 14m'

it doesn't. the rule is there can't be more than 21 million coins.

due to the nature of private keys, there was always an implicit assumption that lost coins deplete the supply. i've been operating under that assumption since i arrived 7 years ago. in fact, satoshi explicitly said as much in 2010.

you're telling me that entire monetary philosophy just goes in the trash bin now? lost coins aren't a donation to holders, but rather those with quantum computers?

think about it once brute forced coins are sold or moved out of insecure keys. drama is over.

if QC can break ECDSA, then ECDSA secured outputs should not exist, period. "people should be free to have their coins stolen!!!11!!1!" is not a compelling answer. it's completely against the interest of all bitcoin holders.

mda
Member
Activity: 144
Merit: 13
October 11, 2019, 07:37:39 AM
#27

A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.
squatter
Legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
October 11, 2019, 08:04:58 AM
#28

A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.

That sounds like a real kludge. The idea probably wouldn't gain traction. Theoretically it's also not just unhashed public keys that are vulnerable, but all public keys as they currently exist.

The solution seems rather binary to me. We either lock/destroy vulnerable outputs or we let them wreak havoc on the market. Whether the first option is ethical seems like an issue of time -- how long is long enough?

We have some duty of care not to deprive people of their money, but does that entail going down with the ship?

AverageGlabella
Legendary
Activity: 1232
Merit: 1080
October 15, 2019, 04:07:34 PM
#29

destroying coins?? (facepalm)

not only does that break the rules of the whole 21m coin 'there will be 21m coins in the future .. oh wait we meant 15mill, now 14m'

That is not breaking the rules of Bitcoin or, how I would prefer to look at it, Bitcoin's philosophy. Bitcoin was proposed to have a limited amount of Bitcoin to prevent inflation and other issues in the long term; however, that only includes disallowing new coins from being generated after 21 million, and at no point was it proposed that destroying coins would not be allowed. Of course it is allowed, and in theory the more Bitcoin that are lost the more valuable and limited it will be. Bitcoin does not have many hard set rules in terms of what you are supposed to do with your money. If you want to destroy coins you can; the only limit is you can't generate any more after 21 million coins have been reached.

A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.
If you want to severely limit Bitcoin's potential then you could do this but I would and many others would advise putting any sort of limitations on the Bitcoin technology. Limiting it shows that there is a centralised force trying to control Bitcoin despite it being for a good cause. If you want to transact more than a couple million dollars in Bitcoin in an hour then you should be allowed to do that. Freedom is the best approach here.
mda
Member
Activity: 144
Merit: 13
October 15, 2019, 07:30:08 PM
#30

A possible trade-off would be to limit transaction amounts from unhashed public keys to a few million USD per day.
If you want to severely limit Bitcoin's potential then you could do this but I would and many others would advise putting any sort of limitations on the Bitcoin technology. Limiting it shows that there is a centralised force trying to control Bitcoin despite it being for a good cause. If you want to transact more than a couple million dollars in Bitcoin in an hour then you should be allowed to do that. Freedom is the best approach here.
This trade-off is a middle ground between two options. Let quantum computing flood the market in a short period of time (freedom approach) or destroy these coins because it's an easy way to preserve and even increase a bit our wealth.
Laskoo
Full Member
Activity: 350
Merit: 144
October 22, 2019, 12:30:32 PM
Merited by vapourminer (1)
#31

I personally don't bother too much, just because if someone (Google, a 3-letter agency or even aliens) comes up with a quantum computer, satoshi's funds will be the last thing that we'll need to worry about.
Just think about all the "password protected" (encrypted) things that are out there, like: financial system servers, electricity servers, medical care servers, airplane servers, nuclear missile codes. These are things much more valuable and important than 1M bitcoins.

qubitasic
Jr. Member
Activity: 48
Merit: 1
October 22, 2019, 01:36:10 PM
#32

I personally don't bother too much, just because if someone (Google, a 3-letter agency or even aliens) comes up with a quantum computer, satoshi's funds will be the last thing that we'll need to worry about.
Just think about all the "password protected" (encrypted) things that are out there, like: financial system servers, electricity servers, medical care servers, airplane servers, nuclear missile codes. These are things much more valuable and important than 1M bitcoins.



They would build a quantum computer intentionally for Bitcoin's case to frack the 'Shalecoins'. ('Shalecoins': coins with no owner, https://bitcointalk.org/index.php?topic=5134441.0)
Banks can freeze accounts, rewind, correct it.
But Bitcoin can't.
squatter
Legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
October 22, 2019, 05:57:55 PM
Merited by vapourminer (1), Carlton Banks (1)
#33

I personally don't bother too much, just because if someone (Google, a 3-letter agency or even aliens) comes up with a quantum computer, satoshi's funds will be the last thing that we'll need to worry about.
Just think about all the "password protected" (encrypted) things that are out there, like: financial system servers, electricity servers, medical care servers, airplane servers, nuclear missile codes. These are things much more valuable and important than 1M bitcoins.

How about in a decade or two, when Bitcoin's market capitalization might be in the trillions, or tens of trillions? Valuable enough?

We're also talking about much more than 1 million bitcoins. It's 5 million+ that have exposed public keys and theoretically the entire supply if QC is capable of breaking transactions in flight.

Centralized infrastructure also requires far less coordination to secure. In a zero-day situation, governments and banks could react far more effectively than the decentralized Bitcoin network ever could. If QC broke ECDSA in the wild today, I don't think Bitcoin would ever recover.

Carlton Banks
Legendary
Activity: 3430
Merit: 3071
October 22, 2019, 06:33:05 PM
#34

How about in a decade or two, when Bitcoin's market capitalization might be in the trillions, or tens of trillions? Valuable enough?

sure, but...


We're also talking about much more than 1 million bitcoins. It's 5 million+ that have exposed public keys and theoretically the entire supply if QC is capable of breaking transactions in flight.

...the greater percentage of the total BTC supply someone can steal using any exploit:

  • The more BTC's market value will crash, meaning the attack's purpose changes from profit to an arson-like motive
  • The more likely that a majority of previous holders reject BTC in favor of a resistant new coin, even if a fix for the exploit is discovered

The last point (ironically) resembles what's actually happening with central bank money today; people rejecting it for alternative assets because knowledgeable abusers of the system are being allowed to over-aggressively suck all the value (as well as any remaining credibility) out of it, while the economists and policy advisers desperately try to appear to be correcting the situation.


Centralized infrastructure also requires far less coordination to secure. In a zero-day situation, governments and banks could react far more effectively than the decentralized Bitcoin network ever could. If QC broke ECDSA in the wild today, I don't think Bitcoin would ever recover.

this is very true, and so credit to the developers who have the sense to move slowly and carefully with changes/additions (even competitors to Bitcoin have behaved very responsibly, e.g. the reporting for the inflation bug, or the handling of the recent channel spoofing bug in Lightning). But we're in a virtuous circle here; very talented software developers and computer scientists were attracted to Bitcoin when it was still experimental, and now many of those same people are as motivated to contribute to furthering its viability as they are invested. Brilliant.

Vires in numeris
squatter
Legendary
Activity: 1666
Merit: 1196
STOP SNITCHIN'
October 22, 2019, 08:00:54 PM
#35

...the greater percentage of the total BTC supply someone can steal using any exploit:

  • The more BTC's market value will crash, meaning the attack's purpose changes from profit to an arson-like motive
  • The more likely that a majority of previous holders reject BTC in favor of a resistant new coin, even if a fix for the exploit is discovered

Fair point. If one had access to this technology, the rational approach would be to slowly siphon off bitcoins in a way that would be extremely difficult to detect, maintaining the market value. 

I'm mainly thinking about the arson scenario. If adversaries were able to destroy faith in Bitcoin this way, I'm not sure how much confidence would be left in any cryptocurrencies.

Laskoo
Full Member
Activity: 350
Merit: 144
October 23, 2019, 03:37:10 AM
#36

I personally don't bother too much, just because if someone (Google, a 3-letter agency or even aliens) comes up with a quantum computer, satoshi's funds will be the last thing that we'll need to worry about.
Just think about all the "password protected" (encrypted) things that are out there, like: financial system servers, electricity servers, medical care servers, airplane servers, nuclear missile codes. These are things much more valuable and important than 1M bitcoins.

How about in a decade or two, when Bitcoin's market capitalization might be in the trillions, or tens of trillions? Valuable enough?

We're also talking about much more than 1 million bitcoins. It's 5 million+ that have exposed public keys and theoretically the entire supply if QC is capable of breaking transactions in flight.

Centralized infrastructure also requires far less coordination to secure. In a zero-day situation, governments and banks could react far more effectively than the decentralized Bitcoin network ever could. If QC broke ECDSA in the wild today, I don't think Bitcoin would ever recover.

I like your enthusiasm, and I hope Bitcoin will hit tens of trillions in value.

"Valuable enough?"
- No. Not more valuable than a human life, at least for me.

As for the quantum computers, if this happens of course Bitcoin will be worthless like everything out there using encryption, but I'm sure Bitcoin developers will launch a new Quantum Resistant Bitcoin, maybe called qBitCoin.

Don't be afraid, we will adapt like we always do, as humans.
Carlton Banks
Legendary
Activity: 3430
Merit: 3071
October 23, 2019, 10:35:41 AM
#37

They would build a quantum computer intentionally for Bitcoin's case to frack the 'Shalecoins'. ('Shalecoins': coins with no owner, https://bitcointalk.org/index.php?topic=5134441.0)

Only applies to Bitcoin addresses where the public key is known

something has occurred to me since this all started

is it not the case that a Taproot/tapscript output would expose its public key in its pubkey script on the chain before it is spent? I'm gonna have to check that out today, I'm not certain

If so, I don't think this is some kind of oversight on the part of Taproot's design; as was pointed out upthread, if a QC-based attacker scans the mempool for inflight transactions, the hashed public key offers them zero protection during the time between broadcasting a tx and it getting confirmed. That amount of time could easily be long enough to use the QC to resolve the private key from the (briefly exposed) public key.

This post is subject to change if I'm wrong! Re-reading the Taproot/Tapscript BIPs right now...

https://github.com/sipa/bips/blob/bip-schnorr/bip-taproot.mediawiki

https://github.com/sipa/bips/blob/bip-schnorr/bip-tapscript.mediawiki

Vires in numeris
satoshyknew
Newbie
Activity: 21
Merit: 1
October 23, 2019, 02:29:04 PM
#38

"We will know when quantum computers exist when Satoshi’s coins move." https://marketrebellion.com/why-quantum-computing-is-not-a-threat-to-bitcoin/

Satoshi knew that one day quantum computers will exist and will be able to move the early mined coins (P2PK) and created an unofficial prize competition to accelerate the development.

Maybe Satoshi created the greatest prize competition and the privatekeys are somehow within the blockchain. https://bitcointalk.org/index.php?topic=5150688.0

Satoshi:
However, if something happened and the signatures were compromised (perhaps integer factorization is solved, quantum computers?), then even agreeing upon the last valid block would be worthless.
True, if it happened suddenly. If it happens gradually, we can still transition to something stronger. When you run the upgraded software for the first time, it would re-sign all your money with the new stronger signature algorithm. (by creating a transaction sending the money to yourself with the stronger sig)

Nobody is asking why he did not move and is not moving these early mined unmoved P2PK coins:
https://bitslog.com/2013/04/17/the-well-deserved-fortune-of-satoshi-nakamoto/
https://bitcointalk.org/index.php?topic=175996.0

Our guess is that he knew that the early mined coins would be moved one day. So he created a 'prize competition'. Otherwise he could have moved the coins to quantum resistant P2PKH addresses, but he did not and is not doing so.

The only question is:
Who will win the race and get the early coins?

Quantum computing or solving the "Satoshi Prize Competition".

Nobody can stop that race.
AverageGlabella
Legendary
Activity: 1232
Merit: 1080
October 23, 2019, 05:45:58 PM
#39

"We will know when quantum computers exist when Satoshi’s coins move." https://marketrebellion.com/why-quantum-computing-is-not-a-threat-to-bitcoin/
This is just inaccurate FUD. We have no reason to believe that Satoshi is still active in the community; it's been years since he has been involved and Bitcoin has developed without him for a long time. Yes, he is someone to be respected, but for all we know Satoshi could well be dead or imprisoned. We will know when to make the changes that are needed for quantum computing by monitoring the development of quantum computers and not because someone decides to move their coins.
achow101
Moderator
Legendary
expert
Activity: 3374
Merit: 6511
Just writing some code
October 23, 2019, 08:06:36 PM
Merited by Welsh (6)
#40

"We will know when quantum computers exist when Satoshi’s coins move." https://marketrebellion.com/why-quantum-computing-is-not-a-threat-to-bitcoin/
This is just inaccurate FUD. We have no reason to believe that Satoshi is still active in the community; it's been years since he has been involved and Bitcoin has developed without him for a long time. Yes, he is someone to be respected, but for all we know Satoshi could well be dead or imprisoned. We will know when to make the changes that are needed for quantum computing by monitoring the development of quantum computers and not because someone decides to move their coins.
Given that Satoshi's coins are in Pay to public key outputs, the pubkeys are publicly available already. So if we assume Satoshi is dead or otherwise gone, his coins moving would actually be an indication that quantum computers exist, because the only way for them to move (assuming he is no longer around) is for someone to have been able to compute the private keys to those exposed public keys, presumably via quantum computer. In general, it would mean that the ECDLP has been broken in some way (regardless of QCs) and should no longer be relied upon (i.e. we should move off of ECDSA and Schnorr).
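The point in #40 (a P2PK output carries the public key itself), the Taproot question in #37, and the "25% of bitcoins reveal their public keys" analysis quoted in #21 all come down to which output templates put a spendable public key on chain before the output is spent. Here is an added example, not code from the thread, that classifies scriptPubKeys by template and totals the value whose key is already exposed; the UTXO set and the `revealed_hash160s` set (hashes whose key was already seen in an earlier spend, i.e. address reuse) are constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical exposure-reporting helper (added example; not code from this thread).
# It inspects a scriptPubKey by template and reports whether the public key
# that authorises a spend is already visible on chain before the output is spent.


@dataclass(frozen=True)
class Utxo:
    script_pubkey: bytes
    value_sat: int


def classify_script(spk: bytes, revealed_hash160s=frozenset()):
    """Return (template, key_exposed).

    revealed_hash160s: HASH160 values whose public key has already appeared in
    an earlier spend (address reuse). Such a hashed output is as exposed as P2PK.
    """
    n = len(spk)
    # P2PK: <push pubkey> OP_CHECKSIG; the key itself is the script (65- or 33-byte key).
    if n == 67 and spk[0] == 0x41 and spk[1] == 0x04 and spk[-1] == 0xAC:
        return "p2pk", True
    if n == 35 and spk[0] == 0x21 and spk[1] in (0x02, 0x03) and spk[-1] == 0xAC:
        return "p2pk", True
    # P2PKH: OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG; only the hash is on chain.
    if n == 25 and spk[:3] == b"\x76\xa9\x14" and spk[-2:] == b"\x88\xac":
        return "p2pkh", spk[3:23] in revealed_hash160s
    # P2SH: OP_HASH160 <20> OP_EQUAL; commits to a script hash, not a key.
    if n == 23 and spk[:2] == b"\xa9\x14" and spk[-1] == 0x87:
        return "p2sh", False
    # P2WPKH: OP_0 <20-byte key hash>.
    if n == 22 and spk[:2] == b"\x00\x14":
        return "p2wpkh", spk[2:] in revealed_hash160s
    # P2WSH: OP_0 <32-byte script hash>.
    if n == 34 and spk[:2] == b"\x00\x20":
        return "p2wsh", False
    # P2TR (BIP341): OP_1 <32-byte x-only output key>. The tweaked output key is a
    # real public key, and its discrete log alone authorises a key-path spend.
    if n == 34 and spk[:2] == b"\x51\x20":
        return "p2tr", True
    return "unknown", False


def exposure_report(utxos, revealed_hash160s=frozenset()):
    """Total the value held in outputs whose public key is exposed before spend."""
    by_type = {}
    total = exposed = 0
    for u in utxos:
        template, is_exposed = classify_script(u.script_pubkey, revealed_hash160s)
        total += u.value_sat
        if is_exposed:
            exposed += u.value_sat
        by_type.setdefault(template, [0, 0])
        by_type[template][0] += u.value_sat
        by_type[template][1] += u.value_sat if is_exposed else 0
    return {"total_sat": total, "exposed_sat": exposed,
            "exposed_fraction": exposed / total if total else 0.0,
            "by_type": {k: tuple(v) for k, v in by_type.items()}}


def sample_utxos():
    """Constructed UTXO set; keys and hashes are filler bytes, not real chain data."""
    pubkey65 = b"\x04" + bytes(range(1, 65))
    return [
        Utxo(b"\x41" + pubkey65 + b"\xac", 5_000_000_000),                # early P2PK, 50 BTC
        Utxo(b"\x76\xa9\x14" + b"\x11" * 20 + b"\x88\xac", 150_000_000),  # fresh P2PKH
        Utxo(b"\x76\xa9\x14" + b"\x22" * 20 + b"\x88\xac", 200_000_000),  # reused P2PKH
        Utxo(b"\x00\x14" + b"\x33" * 20, 25_000_000),                     # P2WPKH
        Utxo(b"\x51\x20" + b"\x44" * 32, 30_000_000),                     # P2TR
        Utxo(b"\xa9\x14" + b"\x55" * 20 + b"\x87", 10_000_000),           # P2SH
    ]


if __name__ == "__main__":
    print(exposure_report(sample_utxos(), revealed_hash160s=frozenset({b"\x22" * 20})))
```

This models only what the UTXO set shows; the in-flight window between broadcast and confirmation described in #37 exposes every hashed template as well, which no static classifier can account for.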
