Privkey burner - what say you?

[BTCW]

Privkey Burner - Yes/No?

I was thinking of new methods, standards, or procedures - call it what you want - with the goal to further discourage address reuse, and to give Bitcoin users an additional layer of plausible deniability and the benefit of the doubt.

For the sake of privacy and anonymity, and the advancement of Bitcoin.

So, it struck me that if there existed a service - it could be a simple webpage, to begin with, even though an optimal solution would be a peer-to-peer implementation [maybe as a tool in Bitcoin core and Electrum] - on which you could publish used private keys that you never intend to use again - there would exist a public database of "burned" public addresses containing the ultimate proof - their private keys - which everyone could easily verify.

And anyone ever confronted with the question whether he or she controls a certain public address could answer "since its private key is in the public domain, not only I but every person on Earth controls that address".

My questions:

-- Is this a new idea; what is the "prior art", or whatever you prefer to call it?
-- Do you like the idea? I could mention a couple more upsides, but are there downsides that I haven't thought of?

I'd love to hear your input! If this is worth pursuing, I'm ready to get technical and start working on a service for this.

Please!

---
Edit (additions)

-- Submission to "the list" must, of course, be anonymous and difficult to trace (like how a Bitcoin transaction is broadcasted)
-- "The list" shouldn't contain timestamps linked to individual privkeys (ideally, "the list" contains no meta-data at all)
-- Only privkeys that correspond to public addresses that have appeared on the blockchain and have had a balance should be accepted (or "the list" could easily be spammed with quadrillions of entries)

[o_e_l_e_o]

It's an interesting concept, but I don't think it's a good idea due to the security implications. Knowing a single private key along with the extended public key of a hierarchical deterministic wallet allows you to generate the private keys for all the other addresses in that wallet. If someone who had ever uploaded their extended public key to a site or service, or even had it stolen from a hot "watch-only wallet", burned a single private key from that wallet, then all their coins could be stolen.

A couple of other thoughts:

And anyone ever confronted with the question whether he or she controls a certain public address could answer "since its private key is in the public domain, not only I but every person on Earth controls that address".

If anyone ever confronted me with the question about whether I own a particular private key, I can simply reply either "No", or even "What's a private key?". I'm not sure your proposal grants any additional plausible deniability. Further, unless you are suggesting that people should either create a new wallet for every address, or do away with BIP39 altogether and just create individual keys (which brings with it plenty of implications for backs ups, change, etc.), then stating "Everyone on Earth controls that address" doesn't help me deny anything if I have a hierarchical deterministic wallet with that address in it.

Submission to "the list" must, of course, be anonymous and difficult to trace (like how a Bitcoin transaction is broadcasted)

When you broadcast a bitcoin transaction, your IP is visible to the nodes you broadcast it to. Submissions to your list would have to be done over Tor to be anonymous.

"The list" shouldn't contain timestamps linked to individual privkeys (ideally, "the list" contains no meta-data at all)

If the list is public, it would be impossible to prevent someone from documenting the times that individual private keys first appeared on it.

[pooya87]

And anyone ever confronted with the question whether he or she controls a certain public address could answer "since its private key is in the public domain, not only I but every person on Earth controls that address".

everything is timestamped in bitcoin and on the internet.
the bitcoin part: there is a time your key received a transaction and a time when you spent that output.
the internet part: there is a time when you first submitted that key to public which is after the previous two timestamps.
result is that you can not deny owning that key while it had a balance just because it became public AFTER it was empty!

[ranochigo]

Exposing your own private key is never and will never be a good idea. Address reuse is still pretty prominent among the community and it would be disastrous if someone decide to send funds to your old addresses again. If there are transactions within those addresses which are somehow included in an orphaned block, an attacker could potentially double spend your transactions with less effort. Airdrops are claimable with used addresses. Addresses could be used as a way to verify identity (bitcointalk).

Tl;dr: You should never expose your own private key, even if you won't use it ever again.

[TheArchaeologist]

Most of the things I could come up with have already been mentioned in the prior responses.

The idea you have has two sides as far as I can see:

• Discourage the re-use of an address, so for example: you would not use the same address you sent from as change address in the same transaction. This means I have to plan ahead, knowing I should use a different address for change otherwise I could not give up my private key.
• Plausible deniability: Publishing your private key would mean not only you but the entire world would now know you private key. Setting the timestamping aspect apart, this would mean you can never claim you didn't know the private key at all. In other words: it's not possible to prove you didn't do a transaction.

Also: there are alrady a lot of bots active sweeping addresses for which the private key has somehow leaked. This list would become a free database for those people to add to their bot. It's almost guaranteed some of the addresses will be funded again, intentional or not, and they will be emptied within seconds.

All in all: My opinion is there are way too many downsides to this.

[ABCbits]

Your idea would be useless if the Bitcoiner doesn't manage UTXO manually to prevent linking between addresses and his identity. On practical side, who would take their time to share private key of bitcoin address they no longer use?

[BTCW]

Your idea would be useless if the Bitcoiner doesn't manage UTXO manually to prevent linking between addresses and his identity. On practical side, who would take their time to share private key of bitcoin address they no longer use?

As said, this is an early idea. If this was a default feature in Bitcoin Core (and other major wallets, self-hosted and online) - "Warning: Do not send from and receive to this address - you no longer control its private key" - maybe average Joe Bitcoin user would get it?

Love all your feedback. It's very productive.

I'm not totally convinced - yet - the concept is bad as such, and will continue thinking about it some more.

A minor comment regarding meta-data: Until this is part of Bitcoin Core (if it ever will be), and the stepping-stone is a webpage, it could be designed like

https://haveibeenpwned.com/

I.e., you can search for compromised passwords (think: private keys in our case), but you are not able to retrieve details such as dates and locations; it is unclear when a certain password made it to the list, and it is not trivial to find out.

[o_e_l_e_o]

"Warning: Do not send from and receive to this address - you no longer control its private key"

There is nothing stopping wallets putting a similar warning on addresses at the moment: "Warning - you have used this address in the past. Using it again is a privacy risk." It would have more or less the same effect, without risking anybody losing their coins.

A minor comment regarding meta-data: Until this is part of Bitcoin Core (if it ever will be), and the stepping-stone is a webpage, it could be designed like

https://haveibeenpwned.com/

You now have a centralized database, meaning there is trust involved. The person running it could choose not to publicize a number of private keys they are sent, hoping that people forget they sent them or the addresses are reused in the future, so they can then steal the coins. Even then, there is nothing stopping someone from taking a snapshot of the database every x hours and therefore knowing when private keys first appear on it, not to mention the database owner would also have access to that data.

[Pmalek]

Bitcoin teaches us to be our own bank, correct? That includes using addresses the way we want to use them. I am already not reusing old addresses since I can generate any number that I want. I don't see how a public database of private keys will help in this case. People who are reusing addresses should instead be thought not to do so for their own privacy. And again, a public database will not help to achieve this goal. 

[BTCW]

Bitcoin teaches us to be our own bank, correct? That includes using addresses the way we want to use them. I am already not reusing old addresses since I can generate any number that I want. I don't see how a public database of private keys will help in this case. People who are reusing addresses should instead be thought not to do so for their own privacy. And again, a public database will not help to achieve this goal. 

I hear you, loud and clear.

One final question them, before ditching this idea: What if "the list" was integrated with the blockchain itself? Not a separate and centralized database. But if you had the option to "burn" (expose) your private key on the blockchain, for all to see - wouldn't that accomplish "it"? Toasted public addresses as a part of the public ledger.

[Pmalek]

But if you had the option to "burn" (expose) your private key on the blockchain, for all to see - wouldn't that accomplish "it"?

People might activate the feature by mistake, have their private keys leaked, and coins stolen. That would lead to complaints, accusations against Bitcoin, the wallet software, and other negativity that might affect Bitcoin. The same people you are trying to school will be the ones who run into trouble after they activate the option by mistake. 

[ranochigo]

One final question them, before ditching this idea: What if "the list" was integrated with the blockchain itself? Not a separate and centralized database. But if you had the option to "burn" (expose) your private key on the blockchain, for all to see - wouldn't that accomplish "it"? Toasted public addresses as a part of the public ledger.

Which would require people to store it. Given the fact that the storage is scarce right now, it isn't a good idea. The limitation of this idea doesn't revolve about how storing a private key in a decentralised manner or not. It's that there are too many concerns regarding the leaking of private keys that prove this idea infeasible.

[BTCW]

Appreciate all your input. Most insightful.

I might still, self or via friends in the field, set up an "have I been pwned"-like something for Bitcoin private keys. (Far from an ideal name for it, since all submissions to it must be voluntary, as opposed to those who are really pwned and never asked for any of it.)

If Bitcoin users want a plausible deniability service, it exists. If Bitcoin users are uninterested, so be it - at least someone offered users a chance, and it will die out organically.

There is only one way to find out, I guess? Put it out there and see what happens. The proof is in the pudding.

(Edit: I think the only ethically correct way forward is a service that accepts private keys that control public addresses that have already appeared on the blockchain AND whose current balance is zero.)