Bitcoin private key BASE58 problem

[sky59sky59]

I try to learn something but I do not understand following:

It is said that bitcoin private keys from any generator are provided in BASE58 format

on this page I found many examples for private keys:  https://bitkeys.work/

It should be that bitcoin uses secp256k1 ECC  ?  So private key is 32 bytes?

here are some decoded private keys into hex from abovementioned page:

L52sDjGxf8Y5NHy5BjTpQHQUjHDjrqErHyTomskefFXrKPdjf7Di                                                        base58
80e91ed90e9a784499a4e37580de2f5d6b622ba96ff1f735f1992ce787575a44d9010c3e5e49               hex

L2HBA8KcR57PYoGCbZmKUNvmhu7SsrupYj172fQAGkgY75sGUjHQ
8096f833ea1ee11688ad8718e37b3ea81e76911eabed36bbeadb42b6e08b669ee4013cd4ac07

KwXvqELPvZUFgFZ5RhWWLQJQrPvEbk6WKktBk5smCqBeLc17uEvQ
80095f3f838b21709382525317062ada9231188e60304eaaf3d287ed7e7a8c825a01252f78ad

WTF, why private key is not 32 bytes long after decoding base58?  But it has got 6 bytes more?
Also 80 at the beginning seems to be very suspicious....

Any clarification will put me back to a sound sleep during the night...

[1715152498]

1715152498

[PawGo]

Read: https://learnmeabitcoin.com/technical/wif

First 2 characters (80/ef) marks real network or testnet.

At the end 8 characters are checksum generated by hashing private key.
Before checksum you may have also marker '01' which tells to produce compressed public key and produces WIF L.. or K.... Without '01' you receive WIF 5...

[NeuroticFish]

Although the previous link is not bad at all, I'll add this, from Bitcoin wiki, which may be more complete: https://en.bitcoin.it/wiki/Wallet_import_format
Also when you have such questions, these two sites (https://en.bitcoin.it and https://learnmeabitcoin.com/) are good places to look/research

[sky59sky59]

Almost sleeping but:  

I read somewhere that wallet address is the public key generated from private key:

34xp4vRoCGJym3xR7yCVPFHoCNxv4Twseo                               wallet address (richest in the world)
0523e522dfc6656a8fda3d47b4fa53f7585ac758cd7c0caa48         decoded wallet address

1P5ZEDWTKTFGxQjZphgWPQUpe554WKDfHQ
00f22f5563839ba6ba5aa8d3726fcbc675cb3e4c9e215b75ef

38UmuUqPCrFmQo4khkomQwZ4VbY2nZMJ67
054a782fe173a0b6718d39667b420d9c8b07e94262578fac8c


I know that public key for ecc secp256k1 is 64 bytes long, why then dcoded wallet has got only 25 bytes???

[o_e_l_e_o]

An uncompressed bitcoin public key is 65 bytes long, made up of "04", followed by the 32 byte x coordinate and then the 32 byte y coordinate.
A compressed public key is 33 bytes long, made up of either "02" or "03" depending on if the y coordinate is positive or negative, and then the 32 byte x coordinate.

An address is not simply a public key in Base58Check. To convert a public key to an address, you must first SHA-256 hash it, then RIPEMD-160 hash it, then add a 0x00 network byte to the start, SHA-256 hash it twice, take the first four bytes of this hash as a checksum and append it to the end, and then convert the whole thing to Base58Check. If you want to work backwards from an address, you can only strip the checksum and network byte to arrive at the RIPEMD-160 hash output. You can't go back any further to find the public key.

[sky59sky59]

Thanx!

I do not understand then, why whole crypto industry is in fear of an arrival of quantum computers?

Because what you write there is not known even public key to be cracked?

I read some articles and it is written that private key simply leaked from third-party-companies? Am I right?

So not using third parties one should be safe with cryptocurrency?

[TheArchaeologist]

Almost sleeping but:  

I read somewhere that wallet address is the public key generated from private key:

34xp4vRoCGJym3xR7yCVPFHoCNxv4Twseo                               wallet address (richest in the world)
0523e522dfc6656a8fda3d47b4fa53f7585ac758cd7c0caa48         decoded wallet address

1P5ZEDWTKTFGxQjZphgWPQUpe554WKDfHQ
00f22f5563839ba6ba5aa8d3726fcbc675cb3e4c9e215b75ef

38UmuUqPCrFmQo4khkomQwZ4VbY2nZMJ67
054a782fe173a0b6718d39667b420d9c8b07e94262578fac8c


I know that public key for ecc secp256k1 is 64 bytes long, why then dcoded wallet has got only 25 bytes???

It all depends on the address type. For P2PKH (Pay to Public Key Hash) addresses the address is indeed a representation of the public key. But as o_e_l_e_o already explained it is not simply taking the public key and apply base-58 encoding.

However two of the three addresses you linked start with a '3'. These are P2SH (Pay to Script Hash) addresses. The decoded wallet addresses refers in those cases to the hash of a redeem script, so it isn't based on a public key.

[BlackHatCoiner]

I do not understand then, why whole crypto industry is in fear of an arrival of quantum computers?

Because they are fearmonger. 

Joke asides, it's because when Bitcoin started in 2009, Satoshi chose to make the coinbase transaction payable in public key. The uttered “Pay-to-public-key” (P2PK). As a result, thousands of addresses containing this unspent output of 50 BTC have exposed their public key.

Besides that, every address that is reused has also exposed its public key. Currently, the one with the most bitcoins, Binance's, has revealed its public key.

[o_e_l_e_o]

I do not understand then, why whole crypto industry is in fear of an arrival of quantum computers?

Because what you write there is not known even public key to be cracked?

You cannot obtain a public key from knowledge of just the address. Further, quantum computers do not provide a significant advantage over conventional computers when trying to reverse a hash, and so even with quantum computers it will still remain impossible to obtain a public key from an address.

However, whenever you make a transaction in bitcoin, you must include the public key of whichever address the coins you are spending are stored on. This public key is then stored as part of your transaction data on the blockchain, and therefore is public knowledge which anyone can look up. Quantum computers provide an exponential speed up over conventional computers when attempting to reverse the ECDLP, which would potentially allow an attacker in the future to obtain a private key from knowledge of the public key.

If you never reuse an address, then this will not be a concern of yours ever. If you do reuse addresses, then you need to think about stopping doing that in maybe 20 years' time.

[BlackHatCoiner]

If you never reuse an address, then this will not be a concern of yours ever.

It will affect them, though, one way or another. Yes, if they take the necessary precautions then their private key isn't going to ever be calculated that way by an attacker. However, the ones who do have exposed their public key and do not take those precautions will affect them. The market will be disrupted once an attacker finds out the first ever rewarded addresses' private keys. Imagine being able to include a million of bitcoins into circulation.

Then, you need to ensure that the attacker can't make the calculations quickly. If they do and specifically faster than the time that takes your transaction to be confirmed, then they can even spend your own money.

Nonetheless, it's considered an improbable scenario, currently.

[o_e_l_e_o]

The market will be disrupted once an attacker finds out the first ever rewarded addresses' private keys. Imagine being able to include a million of bitcoins into circulation.

That could happen at any time that Satoshi or some other early miner with a large stack of dormant coins decides they wants to spend their coins. Assuming that coins which have not moved in 5 or 10 years are permanently lost is incorrect, as we regularly see coins like this move, or occasionally even sign messages.

Then, you need to ensure that the attacker can't make the calculations quickly. If they do and specifically faster than the time that takes your transaction to be confirmed, then they can even spend your own money.

It will be decades before we have a quantum computer powerful enough to reverse the ECDLP. It will be significantly longer than that until we have one which can solve it in <1 hour, or even <10 minutes. I suspect we will move to a quantum resistant algorithm before the former of those two events happen, which will be long before the latter is even within the realms of possibilities.

[DannyHamilton]

Thanx!

I do not understand then, why whole crypto industry is in fear of an arrival of quantum computers?

Whole crypto industry?  No.

Individuals that don't understand cryptography or don't understand quantum computing will often mistakenly believe that "quantum" is a magical word that means "able to instantly break ALL forms of cryptographic functions with as little as 1 qubit".  These people tend to be very vocal and like to hear themselves talk, so you see a lot of nonsense from them.

Because what you write there is not known even public key to be cracked?

As has been pointed out by others, not all bitcoin addresses or transactions are the same.  There are P2PK transactions where the public key is in the transaction (and there is no address).  There are addresses that are hashes of complex scripts that may not use ANY public key at all.

Additionally, in most cases, the public keys associated with the address are broadcast when the bitcoins are spent. This is why it is a best-practice to never use an address more than once to receive bitcoins. Instead, generate a new address for every transaction.

I read some articles and it is written that private key simply leaked from third-party-companies? Am I right?

In many cases bitcoins have been lost due to users trusting some third party to secure their private keys for them.

So not using third parties one should be safe with cryptocurrency?

Unless you fail to secure your private keys yourself.  Malware can capture private keys stored on your own computer. Thieves can gain access to any physical storage or trick people into revealing passwords. If you do not have exclusive access to all the private keys associated with a bitcoin address, then you do not have the bitcoins associated with that address.

[BlackHatCoiner]

That could happen at any time that Satoshi or some other early miner with a large stack of dormant coins decides they wants to spend their coins.

And yet, very few have recovered the 50 BTC. Being able to reverse the ECDLP means you'll get all the rest 90-95% that are considered gone for good. This will definitely upset the market. I don't know for how long or how much, but it'll definitely have an impact on your wealth. The fact that they haven't moved since the day they were mined shows that they're excluded from the ones into the actual, realistically assumed circulation.

The “90-95%” is pure speculation.

even sign messages.

For which incident does that go to? The one that says Craig Wright is a liar?

[mynonce]

That could happen at any time that Satoshi or some other early miner with a large stack of dormant coins decides they wants to spend their coins.

... The fact that they haven't moved since the day they were mined shows that they're excluded from the ones into the actual, realistically assumed circulation.

The fact that they can be moved shows that they will be moved. Bitcoin supply is 21 million and not more than that but also not less than that.

[BlackHatCoiner]

The fact that they can be moved shows that they will be moved.

No, it doesn't. If you throw away your seed phrase and delete your wallet, your balance will remain the same, but the coins will never be moved again. You can't consider those into circulation.

Bitcoin supply is 21 million and not more than that but also not less than that.

What about the provably burnt coins (OP_RETURN) or the unclaimed reward from some miners? It won't be 21 million, neither 20,999,999.9769 which is the precise number.

[o_e_l_e_o]

And yet, very few have recovered the 50 BTC.

And yet, we cannot for a minute say that the other 50 BTC outputs which haven't been moved since they were mined are lost, since we have absolutely no evidence to support that claim.

For which incident does that go to? The one that says Craig Wright is a liar?

That was the main one I was referring to, yes.

The fact that they can be moved shows that they will be moved. Bitcoin supply is 21 million and not more than that but also not less than that.

It is less than that for a number of reasons. There are coins which have been provably burnt due to sending to unspendable outputs. There have been times miners have not claimed the full block reward, and those coins will be lost forever. There have also been a couple of bugs which have resulted in coins being lost forever. The total number of coins provably lost isn't huge, somewhere in the range of a few thousand. But just because a coin has not been moved in a long time does not mean it lost, and certainly not provably lost.

If you throw away your seed phrase and delete your wallet, your balance will remain the same, but the coins will never be moved again. You can't consider those into circulation.

But we have absolutely no way to quantify the number of coins lost in this way, nor do we have any way to confirm that the owner really has lost access like they say they have, nor do we have any way to confirm that access will not be recovered in the future. Therefore, those coins can and should be considered part of the supply.

[BlackHatCoiner]

Therefore, those coins can and should be considered part of the supply.

About 244,000 metric tons of gold have been discovered as of 2021 and around 10% of that is owned by the governments of US, Germany, Italy, France, Russia, China, Switzerland and Japan. NASA's telescope captured a rare medal asteroid whose gold if brought down to Earth, would make the ounce's worth much much less.

So is the circulation ~244,000 metric tons of gold? No, but much more than that. Is it realistically effectively possible to reach that asteroid and start moving huge, golden rocks? No. So, why should you assume they are part of the supply?

I know that you can't make heads or tails of which bitcoins are lost. However, you can assume that possibly hundreds of thousands won't come into the market due to the same reason the asteroid won't come down to Earth. It's highly unlikely.

[mynonce]

It won't be 21 million, neither 20,999,999.9769 which is the precise number.

It won't be  20,999,999.9769, neither 20,999,949.9769 which is the precise number. Block 0's output can't be used. All others can and will.

edit: (OP_RETURN) excluded

[o_e_l_e_o]

It's highly unlikely.

But not impossible. Bitcoin which have simply not moved in a long time are not provably lost. The difference in your analogy is these bitcoin are already accounted for in the max supply. Capturing an asteroid filled with gold will inflate the supply of gold significantly.

All others can and will.

No, all others cannot.

The block rewards from block 91,722 and 91,812 were overwritten by the block rewards from blocks 91,880 and 91,842 respectively, due to a bug which was fixed in BIP 30. Those 100 BTC are irretrievable.

There have been numerous blocks which have failed to claim the full block reward they were allowed to. These unclaimed coins are also irretrievable. Notable examples include block 501,726 which destroyed 12.5 BTC and block 526,591 which destroyed 6.25 BTC, but there are hundreds of other blocks totaling several dozen more permanently lost BTC.

[mynonce]

All others can and will.

No, all others cannot.

The block rewards from block 91,722 and 91,812 were overwritten by the block rewards from blocks 91,880 and 91,842 respectively, due to a bug which was fixed in BIP 30. Those 100 BTC are irretrievable.

There have been numerous blocks which have failed to claim the full block reward they were allowed to. These unclaimed coins are also irretrievable. Notable examples include block 501,726 which destroyed 12.5 BTC and block 526,591 which destroyed 6.25 BTC, but there are hundreds of other blocks totaling several dozen more permanently lost BTC.

Yes, I know that. These coins are not the majority of the unmoved coins. What I mean are coins, where it is possible to move them. That means, if a valid signature would lead to a transaction.

... Therefore, those coins can and should be considered part of the supply.

... NASA's telescope captured a rare medal asteroid whose gold if brought down to Earth ... Is it realistically effectively possible to reach that asteroid and start moving huge, golden rocks? No. So, why should you assume they are part of the supply?

These coins aren't a far away medal asteroid that you have to bring down to Earth. They are here, and the distance is a signature. Therefore, those coins can and should be considered part of the supply.

If Satoshi signed a message with the Block 0 output address, that 'they won't move the 1.1 million coins', even then these coins were movable.

[DannyHamilton]

If Satoshi signed a message with the Block 0 output address, that 'they won't move the 1.1 million coins', even then these coins were moveable.

I understand that this doesn't change the point you're trying to make, but the Block 0 coins are not spendable, regardless of whether the private key is available or not.  Just wanted to point this out for anyone that might think that they are.

Your statement would be more accurate if you stated:
"If Satoshi signed a message with the Block 1 output address, that 'they won't move the 1.1 million coins', even then these coins were moveable."

[mynonce]

If Satoshi signed a message with the Block 0 output address, that 'they won't move the 1.1 million coins', even then these coins were moveable.

I understand that this doesn't change the point you're trying to make, but the Block 0 coins are not spendable, regardless of whether the private key is available or not.  Just wanted to point this out for anyone that might think that they are.

Your statement would be more accurate if you stated:
"If Satoshi signed a message with the Block 1 output address, that 'they won't move the 1.1 million coins', even then these coins were moveable."

'with the Block 0' is correct. Because in this statement, Satoshi would use the private key of Block 0 output address to sign the message.

We know that Block 0 coins are not spendable, maybe you missed it here. (see the pre-previous post)

[pooya87]

'they won't move the 1.1 million coins',

Satoshi owning 1.1 million bitcoins is a weak guess, I don't understand why people keep repeating it as if it is a proven thing!

By the way why are you even focusing on P2PK outputs that each contain a small amount of bitcoin compared to reused addresses that do contain thousands of bitcoin and are the same as far as "knowing public key" goes?

[garlonicon]

and are the same as far as "knowing public key" goes?

They are even less secure, because instead of just "knowing public key", you also know a lot of correct signatures, where d-value is the same. That means you have a lot of "d=(s/r)k-(z/r)" equations, so a lot of "d=number*k-number2" expressions.

[BlackHatCoiner]

It won't be  20,999,999.9769, neither 20,999,949.9769 which is the precise number.

Genesis block's reward isn't included in the circulating supply. It's block number 0, which takes place in no halving epoch. Counting starts from block 1.

But not impossible. Bitcoin which have simply not moved in a long time are not provably lost. The difference in your analogy is these bitcoin are already accounted for in the max supply. Capturing an asteroid filled with gold will inflate the supply of gold significantly.

And those abandoned coins will inflate the currency if they suddenly appear into the market. Similarly with gold, there's obviously a specific supply within this universe, but a minority of the ounces are in the market.

It's not impossible, but I consider it highly improbable for hundreds of thousands.

They are even less secure, because instead of just "knowing public key", you also know a lot of correct signatures, where d-value is the same. That means you have a lot of "d=(s/r)k-(z/r)" equations, so a lot of "d=number*k-number2" expressions.

So?

[mynonce]

'they won't move the 1.1 million coins',

Satoshi owning 1.1 million bitcoins is a weak guess, I don't understand why people keep repeating it as if it is a proven thing!

Whale Alert: We were able to make the most accurate estimate of the number of blocks mined and bitcoins owned by Satoshi
https://whale-alert.medium.com/the-satoshi-fortune-e49cf73f9a9b
And I say, that is not weak and not a guess. It is a perfect calculation, because Satoshi marked these blocks not only with the Nonce values but also with several other characteristics like timestamp, timedelta (between own blocks), ExtraNonce, ...
Yes, we can't say '100%' Satoshi mined them, but if you do your own research and understand what Satoshi has done, then one can say '99.9999999999%'.

...
By the way why are you even focusing on P2PK outputs that each contain a small amount of bitcoin compared to reused addresses that do contain thousands of bitcoin and are the same as far as "knowing public key" goes?

Because after all the research, I know that Satoshi is the owner of these coins. And if there is a possibility to move the coins, someone will do it. What will happen? Nothing. Satoshi will let us move the coins. You don't believe it? Then we have to wait until someone will do it. (And we will see the reaction of the market, but it will be temporary.)
What will happen if someone moves the coins of the mentioned reused addresses that do contain thousands of bitcoin? A lot! I would not try it.

They are even less secure, because instead of just "knowing public key", you also know a lot of correct signatures, where d-value is the same. That means you have a lot of "d=(s/r)k-(z/r)" equations, so a lot of "d=number*k-number2" expressions.

So?

ECDSA: Revealing the private key, from four signed messages, two keys and shared nonces (SECP256k1)
https://billatnapier.medium.com/ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces-secp256k1-5758f1258b1d

https://www.youtube.com/watch?v=6ssTlSSIJQE

[pooya87]

Yes, we can't say '100%' Satoshi mined them, but if you do your own research and understand what Satoshi has done, then one can say '99.9999999999%'.

More like 0.1%.

What will happen if someone moves the coins of the mentioned reused addresses that do contain thousands of bitcoin? A lot! I would not try it.

Theft is theft, you can sugar coat it however you like but it is stealing someone else's money. Not to mention that from a cryptography point of view if a single P2PK output could be stolen, all bitcoins outputs are in danger regardless of their type because there is a short step from there to speeding up the process that lets anyone steal the coins in a transaction while it waits to be confirmed. That makes bitcoin obsolete overnight.

[mynonce]

What will happen if someone moves the coins of the mentioned reused addresses that do contain thousands of bitcoin? A lot! I would not try it.

Theft is theft, you can sugar coat it however you like but it is stealing someone else's money. Not to mention that from a cryptography point of view if a single P2PK output could be stolen, all bitcoins outputs are in danger regardless of their type because there is a short step from there to speeding up the process that lets anyone steal the coins in a transaction while it waits to be confirmed. That makes bitcoin obsolete overnight.

With your argumentation, governments could say this:

Money printing is money printing and is a criminal act. What the Bitcoin community is doing, is money printing, or money creation, or money issuance. You can sugar coat it however you like but it is stealing government's money and distributing that money without the permission of the government.


Governments allowed Satoshi to 'print' Bitcoin.
Satoshi will allow 'whoever is able to do it' to transfer these coins.
Governments will allow it.
Yes, you don't believe it. Then we have to wait until it happens.

[BlackHatCoiner]

My friendly, but sarcastic, at the same time, comment to @mynonce is that... Shake it again!

Yes, we can't say '100%' Satoshi mined them, but if you do your own research and understand what Satoshi has done, then one can say '99.9999999999%'.

I disagree that based on few, insignificant facts like reuses of nonce, you can consider it highly likely to be Satoshi's. Let alone, for the private keys to be generated in a predictable way.

Money printing is money printing and is a criminal act. What the Bitcoin community is doing, is money printing, or money creation, or money issuance.

Money printing is what's illegal; to start printing dollars. But, it's not illegal to form another type of money. If some agreed to transact using salt, the government of a democratic regime couldn't consider that illegal unless the people didn't want it either. It could regulate it, though.

There's a difference between creating another currency and cheating the government's monetary system by inflating it.

Governments allowed Satoshi to 'print' Bitcoin.

Or rather couldn't stop Satoshi from inventing Bitcoin.

Satoshi will allow 'whoever is able to do it' to transfer these coins.

Or rather, they won't.

Governments will allow it.

Or maybe they'll have to accept they cannot forbid it.

[mynonce]

...
...

Governments will allow it.

Or maybe they'll have to accept they cannot forbid it.

That will happen.

[BlackHatCoiner]

That will happen.

The acceptance of the inevitable or the allowance?

[mynonce]

That will happen.

The acceptance of the inevitable or the allowance?

Let me answer this so:

Governments allowed Satoshi to 'print' Bitcoin.

Or rather couldn't stop Satoshi from inventing Bitcoin.

If they really wanted to stop it. They would have stopped it. We wouldn't have Bitcoin.
If they really wanted to know who Satoshi is ... (My opinion: They know who Satoshi is and Satoshi knows it.)

[BlackHatCoiner]

If they really wanted to stop it. They would have stopped it. We wouldn't have Bitcoin.

Devil's advocate speaking: And if the people really wanted to rebel we would have it. They wouldn't have stopped Bitcoin.

If they really wanted to know who Satoshi is ...

You must be really afraid of the government, but let me tell you that they are humans just like you and me.

[o_e_l_e_o]

Whale Alert

Think what you like about the Patoshi data, but Whale Alert are one of the stupidest and click baity organizations in the whole of crypto. They tweet complete trash without doing even the most basic of research or investigation. If you are going to read about the Patoshi data, I suggest you read the original research directly. I wouldn't read a single word associated with Whale Alert.

That makes bitcoin obsolete overnight.

I wouldn't call it a "short step". Look at things like CPUs, GPUs, or even ASICs, as comparison. It will take years between the first quantum computer which can solve the ECDLP, and the first quantum computer which can solve it in <10 minutes.

Still, I agree it is obviously theft, but I still don't think we should take any steps to prevent it. If coins have been abandoned or lost or the owners are ignoring them, and they end up being stolen, then so be it. The last thing we want is for nodes/miners/devs/the community to unilaterally decide to make some coins unspendable or remove them from circulation.

[pooya87]

Still, I agree it is obviously theft, but I still don't think we should take any steps to prevent it. If coins have been abandoned or lost or the owners are ignoring them, and they end up being stolen, then so be it. The last thing we want is for nodes/miners/devs/the community to unilaterally decide to make some coins unspendable or remove them from circulation.

You forgot that we aren't talking about some abandoned coins in a P2PK output. We are also talking about a much bigger amount of bitcoin (in total) in reused addresses, like a lot of the addresses in the bitcoin rich-list.
The decision also won't be unilateral, whatever the decision may be. It will be a fork that like any other fork requires support from the majority.

[o_e_l_e_o]

You forgot that we aren't talking about some abandoned coins in a P2PK output. We are also talking about a much bigger amount of bitcoin (in total) in reused addresses, like a lot of the addresses in the bitcoin rich-list.

And in those cases, where addresses are being constantly reused, then almost all of those users will be able to move their coins to whatever quantum resistant algorithm we end up with, which will probably be in place years before the coins on reused addresses are at any meaningful risk.

The decision also won't be unilateral, whatever the decision may be. It will be a fork that like any other fork requires support from the majority.

I meant unilateral in respect to the owner of the coins. The majority shouldn't get to decide what to do with the coins belonging to someone else, even if we think those coins have been lost or abandoned.

[ABCbits]

They are even less secure, because instead of just "knowing public key", you also know a lot of correct signatures, where d-value is the same. That means you have a lot of "d=(s/r)k-(z/r)" equations, so a lot of "d=number*k-number2" expressions.

So?

ECDSA: Revealing the private key, from four signed messages, two keys and shared nonces (SECP256k1)
https://billatnapier.medium.com/ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces-secp256k1-5758f1258b1d

https://www.youtube.com/watch?v=6ssTlSSIJQE

True, but it requires user to use vulnerable software. Reusing k value (also called nonce) is well-known problem, so it's unlikely you could someone private key that way.

The decision also won't be unilateral, whatever the decision may be. It will be a fork that like any other fork requires support from the majority.

I meant unilateral in respect to the owner of the coins. The majority shouldn't get to decide what to do with the coins belonging to someone else, even if we think those coins have been lost or abandoned.

Unfortunately people have different opinion on this matter. For example, few people think it's better to freeze vulnerable UTXO rather than letting thief stole it and potentially manipulate Bitcoin price.

[o_e_l_e_o]

Unfortunately people have different opinion on this matter. For example, few people think it's better to freeze vulnerable UTXO rather than letting thief stole it and potentially manipulate Bitcoin price.

I completely disagree with that approach and think it makes use little better than a coin like Ethereum, which forked itself to make sure the "wrong" people didn't have access to certain coins. As soon as a small group of users start deciding who is and is not allowed to access certain coins, then we have turned bitcoin in to something it isn't. I would much rather the market takes the hit from a few million coins re-entering active circulation and ultimately recovers from the hit with the principles of bitcoin still intact, than we change the principles of bitcoin (that no third parties have any say over your money) to avoid such a hit.

The only way I would be ok with coins being locked or frozen would be if there was some method for the true owner to prove their ownership and reclaim them. The only way I can think of doing this would be by showing that the relevant private keys were derived from a seed phrase in their possession, but obviously this does not help with all the P2PK addresses or any non-HD reused addresses.

I'm hopeful that someone much smarter than me comes up with a better solution before it is necessary.

[pooya87]

I completely disagree with that approach and think it makes use little better than a coin like Ethereum, which forked itself to make sure the "wrong" people didn't have access to certain coins.

That's an entirely different situation. Ethereum forked to roll back blocks so that they can get their money back that was lost in a buggy smart contract which didn't get fixed either (If they had fixed the bugs of their protocol then it would at least make a little sense!).

In any ways, I have argued before that if there is a vulnerability it should be removed instead of us letting it exist and hope nobody uses it. In this case if ECC were broken it must be removed completely which would effectively lock any coin that is not moved to new algorithm before a certain deadline.

[o_e_l_e_o]

That's an entirely different situation.

But the outcome was the same - the majority decided what to do to someone else's coins, which violates one of the main tenets of bitcoin.

In any ways, I have argued before that if there is a vulnerability it should be removed instead of us letting it exist and hope nobody uses it. In this case if ECC were broken it must be removed completely which would effectively lock any coin that is not moved to new algorithm before a certain deadline.

It's not a case of hoping no one exploits the vulnerability. ECC will almost certainly be broken at some point in the future, and any coins protected by it will definitely eventually be stolen. We will absolutely move to a new algorithm, but it should not be the decision of the majority to lock coins which we do not own with no say from the true owner. I would much rather those coins are stolen than we set a precedent that the community can decide to lock your coins and there is nothing you can do about it.

[mynonce]

...
The only way I would be ok with coins being locked or frozen would be if there was some method for the true owner to prove their ownership and reclaim them.

Exactly. Therefore, if someone else then Satoshi is able to move Satoshi's early mined coins, so Satoshi has to react.

When objects of value are found in a ship wreck at the bottom of the sea, should those that managed to find the wreck be allowed to profit from that find?  Or should a government agency take evderything salvaged and destroy it?

[pooya87]

It's not a case of hoping no one exploits the vulnerability. ECC will almost certainly be broken at some point in the future, and any coins protected by it will definitely eventually be stolen. We will absolutely move to a new algorithm, but it should not be the decision of the majority to lock coins which we do not own with no say from the true owner. I would much rather those coins are stolen than we set a precedent that the community can decide to lock your coins and there is nothing you can do about it.

Vulnerability in protocol is a very different thing than "locking other people's coins". Lets take OP codes that were disabled/removed from protocol. They had vulnerabilities and if anyone had any coins locked by an OP code like OP_CAT their coins would have been locked because such output can not be spent.
Or for example if you had any coins that were locked with a script like the following (pubkey script) they are unspendable now that BIP-147 is active because "majority decided".

Code:

OP_1 OP_0 OP_0 OP_CheckMultiSigVerify OP_DUP OPHASH160 <hash> OP_EqualVerify OP_CheckSig

You see in bitcoin the majority has been making this kind of decisions for a very long time and it won't be any different for ECC in the far away future either.

[o_e_l_e_o]

Exactly. Therefore, if someone else then Satoshi is able to move Satoshi's early mined coins, so Satoshi has to react.

If anyone is going to prevent someone from stealing Satoshi's vulnerable P2PK coins, then it should be Satoshi and only Satoshi. We should not get to decide to deprive Satoshi of all their coins.

You see in bitcoin the majority has been making this kind of decisions for a very long time and it won't be any different for ECC in the far away future either.

Correct me if I'm wrong, but I'm not aware of any coins being made unspendable by the removal of OP_CAT or by BIP 147. This is in stark contrast to the millions of coins owned by potentially hundreds of thousands of people which would be made unspendable by depreciating ECC.

[pooya87]

Correct me if I'm wrong, but I'm not aware of any coins being made unspendable by the removal of OP_CAT or by BIP 147. This is in stark contrast to the millions of coins owned by potentially hundreds of thousands of people which would be made unspendable by depreciating ECC.

I don't think they have either but theoretically speaking they could have. I agree that it is a bad example but there hasn't been any drastic changes to the protocol for any drastic example.

[o_e_l_e_o]

I don't think they have either but theoretically speaking they could have. I agree that it is a bad example but there hasn't been any drastic changes to the protocol for any drastic example.

It does lead to an interesting thought experiment, though, with implication for the future. Let's say someone shows up today with a significantly valuable amount of bitcoin - say a few hundred - which is now unspendable because of some historical change that was made to the protocol. What does the community do, and what are the consequences of that decision?

The right thing to do would not be to deprive that user of their money, but that would require changing the protocol in some way (maybe even forking) to allow those coins to be spendable, which would be a significant undertaking for the sake of one user. Or do we simply shrug our shoulders and say "Well, sucks to be you"? What are the consequences of us essentially preventing a user from accessing money which is rightfully theirs? That makes us far too similar to a centralized bank or exchange for my liking.

[alexeyneu]

An uncompressed bitcoin public key is 65 bytes long, made up of "04", followed by the 32 byte x coordinate and then the 32 byte y coordinate.
A compressed public key is 33 bytes long, made up of either "02" or "03" depending on if the y coordinate is positive or negative, and then the 32 byte x coordinate.

An address is not simply a public key in Base58Check. To convert a public key to an address, you must first SHA-256 hash it, then RIPEMD-160 hash it, then add a 0x00 network byte to the start, SHA-256 hash it twice, take the first four bytes of this hash as a checksum and append it to the end, and then convert the whole thing to Base58Check. If you want to work backwards from an address, you can only strip the checksum and network byte to arrive at the RIPEMD-160 hash output. You can't go back any further to find the public key.

there're two \0 bytes to be added . second one added to start right before base58 op.

Code:

	char *t = new char[1000]();
	char *tbitaddr = new char[1000]();
	size_t c = 1000;
	size_t cbit = 1000;
	unsigned char bitaddr[25] = {};
	unsigned char pubhash_md[20] = {};
	unsigned char pubhash_mdprefx[21] = {};

	unsigned char pubhash[32] = {};
	unsigned char hashtag[32] = {};
	unsigned char hashtag_f[32] = {};

	const unsigned char b[66] = "BurnItAll0000000000000000000000000000000000000000000000000000000b";
	SHA256(b, 65, pubhash);
	RIPEMD160(pubhash,32,pubhash_md);
	pubhash_mdprefx[0] = 0x0;
	memcpy(pubhash_mdprefx + 1, pubhash_md , 20);
	SHA256(pubhash_mdprefx, 21, hashtag);
	SHA256(hashtag, 32, hashtag_f);
	bitaddr[0]  = 0x0;
	memcpy(bitaddr + 1, pubhash_md, 20);
	memcpy(bitaddr + 21, hashtag_f, 4);
	b58enc(tbitaddr,&cbit,(void *)bitaddr,(size_t)(sizeof(bitaddr)));
	b58enc(t,&c,(void *)b,(size_t)(sizeof(b)-1));
	std::cout << "pubkey :" << std::endl << t << std::endl << "address:" << std::endl << tbitaddr << std::endl;

[o_e_l_e_o]

there're two \0 bytes to be added . second one added to start right before base58 op.

There aren't. The reason that code adds 0x00 twice is because the second time it calls back to the RIPEMD-160 output, instead of calling back to the RIPEMD-160 output with the 0x00 already prepended.

Take the public key, SHA256 it, RIPEMD-160 it, then add 0x00 to the start. Call this pubhash_prefix. SHA256 this twice, take the first 4 bytes, and then append these 4 bytes to pubhash_prefix. Convert to base58 and you have your address.

[alexeyneu]

really it's same one, yeah.

[TheArchaeologist]

Take the public key, SHA256 it, RIPEMD-160 it, then add 0x00 to the start. Call this pubhash_prefix. SHA256 this twice, take the first 4 bytes, and then append these 4 bytes to pubhash_prefix. Convert to base58 and you have your address.

The same thing as described by o_e_l_e_o, this time in python code:

Code:

bin = binascii.unhexlify(public_key)

#Step 1: Create hash of public key:
hash_of_public_key  = hashlib.sha256(bin).digest()

#Step 2: Calculate RIPEMD-160 of the public key:
r = hashlib.new('ripemd160')
r.update(hash_of_public_key)
r.hexdigest()

#Step 3: Adding network bytes (00) to RIPEMD-160
networked =  binascii.unhexlify('00'+r.hexdigest())

#Step 4: Double hash the networked RIPEMD-160
sha4a   = hashlib.sha256(networked).digest()
sha4b  = hashlib.sha256(sha4a).digest()

#Step 5: Get the first four bytes of sha4b:
four_bytes = str(binascii.hexlify(sha4b).decode('utf-8'))[:8]

#Step 6: Adding the four_bytes to the end the RIPEMD-160 from step 3:
address_hex = str(binascii.hexlify(networked).decode('utf-8')) + four_bytes

#Step 7: Convert the hex_address using base58 to bitcoin adres
address_base58 = base58.b58encode(binascii.unhexlify(address_hex))