Bitcoin Forum
Author Topic: Bitcoin as a value store for very long periods of time?  (Read 1820 times)
anu
January 12, 2012, 07:45:12 PM
 #1

Assuming Bitcoin is here to stay, it would provide an ideal value store for the long term, as in 30+ years. There are a number of reasons to do this, which don't need elaboration here. One example would be cryonic suspension. There are some issues with this, however:

It seems to me that using a deterministic wallet allows one to delete all wallet data associated with one's account. As long as one remembers the pass phrase, the keys should be recoverable and the Bitcoins should be accessible again, even after a very long time. It seems to me that deterministic wallets are somewhat fringe and every client is using a different, ad hoc algorithm. It might be that the software is no longer available once one needs to recreate the keypair, leaving one with the passphrase and no way to recreate the keys. Having this feature in the official client would help. Is that planned?

What happens if the ECC encryption is changed against another as seems likely at some point - it looks like advances in quantum computing will make this step necessary at some point:
http://www.technologyreview.com/blog/arxiv/27483/
Nothing too surprising here, Satoshi himself has pointed that out, as well as a solution to it. So if the public key is known, a quantum computer can compute the private key. Everyone in the loop will do the necessary steps to convert to the new encryption. But what about those who are not in the loop?

The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money), i.e. the public key is not known on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Zero Reserve - A distributed Bitcoin Exchange

Install - Getting Started - BitcoinTalk Thread - Github Source
westkybitcoins
January 12, 2012, 07:54:02 PM
 #2

Quote
The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money), i.e. the public key is not known on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Well, as soon as bitcoins are sent to an address, that public address appears on the blockchain. So if someone were just grinding through the blockchain and trying to get at all addresses with funds still in them, they would eventually hit on any such savings account.

Bitcoin is the ultimate freedom test. It tells you who is giving lip service and who genuinely believes in it.
...
...
In the future, books that summarize the history of money will have a line that says, “and then came bitcoin.” It is the economic singularity. And we are living in it now. - Ryan Dickherber
...
...
ATTENTION BFL MINING NEWBS: Just got your Jalapenos in? Wondering how to get the most value for the least hassle? Give BitMinter a try! It's a smaller pool with a fair & low-fee payment method, lots of statistical feedback, and it's easier than EasyMiner! (Yes, we want your hashing power, but seriously, it IS the easiest pool to use! Sign up in seconds to try it!)
...
...
The idea that deflation causes hoarding (to any problematic degree) is a lie used to justify theft of value from your savings.
FreeMoney
January 12, 2012, 07:59:00 PM
 #3

Quote
The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money), i.e. the public key is not known on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Well, as soon as bitcoins are sent to an address, that public address appears on the blockchain. So if someone were just grinding through the blockchain and trying to get at all addresses with funds still in them, they would eventually hit on any such savings account.


There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.


Play Bitcoin Poker at sealswithclubs.eu. We're active and open to everyone.
gnar1ta$
January 12, 2012, 08:03:13 PM
 #4

If you have an encryption cracking quantum computer, don't you think there are many more profitable opportunities - exponentially more profitable?

Losing hundreds of Bitcoins with the best scammers in the business - BFL, Avalon, KNC, HashFast.
westkybitcoins
January 12, 2012, 08:04:52 PM
 #5

Quote
The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money), i.e. the public key is not known on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Well, as soon as bitcoins are sent to an address, that public address appears on the blockchain. So if someone were just grinding through the blockchain and trying to get at all addresses with funds still in them, they would eventually hit on any such savings account.

There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.



Ah. So I guess the address would be safe in that situation?

anu
January 12, 2012, 08:10:59 PM
 #6

Quote
If you have an encryption cracking quantum computer, don't you think there are many more profitable opportunities - exponentially more profitable?

I am under the impression that Bitcoin will either:

- stagnate, which will cause ppl to lose interest and give up on it.
or
- grow, which will mean that Network effects take over at some point, pushing every other currency out of the door.

I don't see much space in between. And this makes Bitcoin a very nice investment if you plan to leave it for 30+ years. Your handful of Bitcoins will then be either worthless, in which case you didn't lose much, or you can buy a new house with a handful of Satoshis. That would make a quantum computer attack on BTC 100 worth the while, don't you think?

gnar1ta$
January 12, 2012, 08:30:30 PM
 #7

Quote
I don't see much space in between. And this makes Bitcoin a very nice investment if you plan to leave it for 30+ years. Your handful of Bitcoins will then be either worthless, in which case you didn't lose much, or you can buy a new house with a handful of Satoshis. That would make a quantum computer attack on BTC 100 worth the while, don't you think?

In the finance world there are legal uses of hashing power far more profitable than bitcoin mining or cracking. I am hoping that if the value of bitcoins increases, so will the strength of the network, and I'm sure new encryption techniques will be developed, keeping the same balance as now. I wouldn't discount the ingenuity of open source developers. But who knows, we could all get robbed blind tomorrow, that's Bitcoin.

anu
January 12, 2012, 08:35:50 PM
 #8

Quote
There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.

Ah. So I guess the address would be safe in that situation?

Not if a keypair can be created that fits the hash. But can it?

kjj
January 12, 2012, 08:38:27 PM
 #9

Quote
It seems to me that using a deterministic wallet allows one to delete all wallet data associated with one's account. As long as one remembers the pass phrase, the keys should be recoverable and the Bitcoins should be accessible again, even after a very long time. It seems to me that deterministic wallets are somewhat fringe and every client is using a different, ad hoc algorithm. It might be that the software is no longer available once one needs to recreate the keypair, leaving one with the passphrase and no way to recreate the keys. Having this feature in the official client would help. Is that planned?

Eww.  Please, no.  Deterministic wallets are a horrible idea already, and they just get worse when standardized and widely adopted.

With the standard bitcoin client, each address has about 160 bits of security, and are all unrelated so if an attacker can spend some of your money, the rest is safe.

With a deterministic wallet, each address has ~20-60 bits of security, and are all related, so if an attacker can spend some of your money, they can spend all of it.

p2pcoin: a USB/CD/PXE p2pool miner - 1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf - todo
I routinely ignore posters with paid advertising in their sigs.  You should too.
anu
January 12, 2012, 08:58:10 PM
 #10

Quote
Eww.  Please, no.  Deterministic wallets are a horrible idea already, and they just get worse when standardized and widely adopted.

With the standard bitcoin client, each address has about 160 bits of security, and are all unrelated so if an attacker can spend some of your money, the rest is safe.

With a deterministic wallet, each address has ~20-60 bits of security, and are all related, so if an attacker can spend some of your money, they can spend all of it.

That sounds indeed horrible. But is that 20-60 bit thing an implementation issue or is it like that in principle?

Also, the use case is special! The idea is that you create a wallet, ideally on an isolated computer. You create one address. You delete the wallet. You transfer the funds on this address. Not requiring any backup means you can't lose the backup. But if you lose your backed up wallet.dat you're screwed. And after 30+ years, I can imagine many ways a backup can get lost.

For a cryonics patient, another consideration applies: what motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit: and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

cypherdoc
January 12, 2012, 09:25:12 PM
 #11

Quote
There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.

Ah. So I guess the address would be safe in that situation?

Not if a keypair can be created that fits the hash. But can it?

hashes are one way functions.  afaik that's impossible.
kjj
January 12, 2012, 09:45:55 PM
 #12

Quote
That sounds indeed horrible. But is that 20-60 bit thing an implementation issue or is it like that in principle?

Also, the use case is special! The idea is that you create a wallet, ideally on an isolated computer. You create one address. You delete the wallet. You transfer the funds on this address. Not requiring any backup means you can't lose the backup. But if you lose your backed up wallet.dat you're screwed. And after 30+ years, I can imagine many ways a backup can get lost.

For a cryonics patient, another consideration applies: what motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit: and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

It is a conservative (high) estimate of how much entropy would be present in an excellent passphrase.  Actually "guess" would be a better word than "estimate" because I pretty much pulled it out of my ass without doing any research, but I would "guess" that nearly no one can remember anything with 60 bits of entropy for 30 years.

You should have several backup wallets, in places where you can verify their continued safety frequently.  And by frequently, I mean with a period shorter than the expected time to crack the password/passphrase you use.  If you ever suspect tampering, make new deep storage wallets with new passphrases, and use an untampered copy of the old wallet to transfer your coins to the new wallets.  Finally, pick better storage locations this time around.  Oh, and use M*Disc for long term storage.  They rock.

For extra paranoia, you could set backup copies up in a N of M scheme where you have M parts in different places and someone needs to gather N of them to recover the wallet.  Just be careful in your choices of N and M.

The cryogenics thing is an interesting twist.  But I think it reveals a problem with cryogenics, rather than with bitcoin, to be honest.  Personally, I expect to be thawed because someone needs my mad COBOL skills, and not for my financial wealth.

westkybitcoins
January 12, 2012, 09:51:26 PM
 #13

Quote
For a cryonics patient, another consideration applies: what motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit: and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

This has always made me wonder why anyone would risk being cryonically frozen. After a while there's not much incentive in keeping your body frozen, or reviving you.

Yet another strange, unexpected problem Bitcoin could potentially solve.

tvbcof
January 12, 2012, 10:19:52 PM
 #14

Quote
For a cryonics patient, another consideration applies: what motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit: and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

This has always made me wonder why anyone would risk being cryonically frozen. After a while there's not much incentive in keeping your body frozen, or reviving you.

Yet another strange, unexpected problem Bitcoin could potentially solve.


Heh.  Wake him up so the rubber hose works better :)


DeathAndTaxes
January 12, 2012, 10:33:06 PM
 #15

Quote
It is a conservative (high) estimate of how much entropy would be present in an excellent passphrase.  Actually "guess" would be a better word than "estimate" because I pretty much pulled it out of my ass without doing any research, but I would "guess" that nearly no one can remember anything with 60 bits of entropy for 30 years.

Plus key strengthening can be used to greatly decrease the power of brute force attacks.

For example say the attacker has a rig which can brute force 100 GH/s of SHA-256 passphrases.

Horrible right.  That 40 to 50 bits of entropy will never be able to stand up to that.  Plus Moore's law will ensure that in 30 years someone will be able to brute force 3 Petahashes per second. 

Don't make the seed for the wallet a single hash.  Wallet creation and recreation is a relatively rare event.  If you are ultra paranoid make it take 30 minutes to generate.

Say you got a rig w/ 1 GH/s.  You hash the hash of the hash of the hash ... 30 minutes ... of the hash of the passphrase. 

That is 1.8 terahashes required to convert a single passphrase into the deterministic seed.  So even that monster 3 petahash rig from the future will only be able to brute force a mere 1666 passphrases per second.  A trivial and pathetic amount. 

passphrase -> 1 hash -> seed
milliseconds to recreate wallet.
attacker can brute force quadrillions of passphrases per second

passphrase -> 1.8 trillion hashes -> seed
30 minutes to recreate wallet on a 1GH machine
attacker can only brute force few thousand passphrases (assuming 30 years of Moore's law and a monster hashing farm).


40 bits of entropy where attacker is limited to 2000 passphrases per second will take

2^40 / 2000 = 8.5 years (and millions of dollars in computing power and electrical resources from 30 years in the future) to have a 50% chance of breaking passphrase.
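The chained-hash stretching and the brute-force arithmetic from the post above, as an added example that is not part of the original post. The rates (1 GH/s owner machine, 30-minute target, 3 PH/s attacker rig) are the post's figures; the passphrase is constructed.

```python
import hashlib

# Added example: the "hash of the hash of the hash" seed stretching
# DeathAndTaxes describes, with the cost arithmetic from the post.
# Figures are the post's: a 1 GH/s owner machine, a 30-minute target,
# and a hypothetical 3 PH/s attacker rig 30 years out.
OWNER_HASHES_PER_SECOND = 1e9
STRETCH_SECONDS = 30 * 60
ATTACKER_HASHES_PER_SECOND = 3e15
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def stretch_seed(passphrase: str, iterations: int) -> bytes:
    """Chain SHA-256 `iterations` times over the passphrase to get the wallet seed.

    This is the plain chain from the post. A production wallet should use a
    salted, memory-hard KDF (scrypt or Argon2) instead; the cost model below
    applies to those in the same way.
    """
    data = passphrase.encode("utf-8")
    for _ in range(iterations):
        data = hashlib.sha256(data).digest()
    return data


def iterations_for_target(owner_hashes_per_second: float, seconds: float) -> int:
    """Chain length that makes wallet recreation take `seconds` on the owner's machine."""
    return int(owner_hashes_per_second * seconds)


def attacker_guesses_per_second(attacker_hashes_per_second: float, iterations: int) -> float:
    """Passphrase guesses per second when every guess costs `iterations` hashes."""
    return attacker_hashes_per_second / iterations


def years_to_even_odds(entropy_bits: int, guesses_per_second: float) -> float:
    """Expected years until a 50% chance of success: half of the 2**bits keyspace."""
    return (2 ** (entropy_bits - 1) / guesses_per_second) / SECONDS_PER_YEAR


def compare_scenarios(entropy_bits: int = 40) -> dict:
    """The two scenarios from the post: a single hash versus a 30-minute chain."""
    long_chain = iterations_for_target(OWNER_HASHES_PER_SECOND, STRETCH_SECONDS)
    out = {}
    for label, iters in (("single hash", 1), ("30-minute chain", long_chain)):
        rate = attacker_guesses_per_second(ATTACKER_HASHES_PER_SECOND, iters)
        out[label] = {"iterations": iters, "attacker_guesses_per_s": rate,
                      "years_to_even_odds": years_to_even_odds(entropy_bits, rate)}
    return out


if __name__ == "__main__":
    # Constructed passphrase; a short chain so the demo runs instantly.
    print(stretch_seed("correct horse battery staple", 1000).hex())
    for label, row in compare_scenarios().items():
        print(f"{label:16s} iterations={row['iterations']:.3g} "
              f"attacker={row['attacker_guesses_per_s']:.3g}/s "
              f"years={row['years_to_even_odds']:.3g}")
```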

Revalin
January 12, 2012, 10:37:12 PM
 #16

Quote
What happens if the ECC encryption is changed against another

I can't make a hard promise, but almost certainly your old ECC-based addresses will still be valid.  As long as someone with a quantum computer didn't steal your coins you can just send them to a new Quantum-Proof address.

Quote
would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Yes, it's protected as long as either SHA-256 or RIPEMD-160 is secure (you'd have to break both to compromise an address).  Neither has any known preimage attacks (what we care about), and neither is vulnerable to any known quantum algorithm.

Even if both are broken, or for addresses that do have spent coins, ECDSA is still marginally secure.  It provides 80-bit security now, and 40-bit security after a quantum break.  40-bit doesn't sound very good, but quantum computers won't be as cheap, fast and efficient as digital computers for a long time, if ever.  You would have to have a lot of BTC in one address before someone would bother trying to steal it.

      War is God's way of teaching Americans geography.  --Ambrose Bierce
Bitcoin is the Devil's way of teaching geeks economics.  --Revalin 165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g
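What an address actually carries, per FreeMoney's and Revalin's posts above (a version byte, the 160-bit hash of the public key, and a double-SHA-256 checksum, Base58 encoded): an added example, not code from the thread. It works on the 20-byte hash directly, so it needs only SHA-256; the sample hash values are constructed, and the two real addresses are the ones in kjj's and Revalin's signatures.

```python
import hashlib

# Added example: Base58Check encoding as used by "1..." (P2PKH) addresses.
# An address carries only a version byte, the 20-byte HASH160 of the public
# key and a 4-byte checksum; the ECDSA public key itself does not appear on
# the chain until an output at that address is spent.
ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"
P2PKH_VERSION = 0x00  # mainnet pay-to-pubkey-hash


def hash256(data: bytes) -> bytes:
    """Double SHA-256, the checksum function of Base58Check."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    digits = ""
    while n:
        n, rem = divmod(n, 58)
        digits = ALPHABET[rem] + digits
    # Each leading zero byte survives as a leading '1', which is why an
    # all-zero payload encodes to a run of 21 ones.
    leading_zeros = len(raw) - len(raw.lstrip(b"\x00"))
    return ALPHABET[0] * leading_zeros + digits


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        n = n * 58 + ALPHABET.index(ch)  # ValueError on a non-alphabet char
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    leading_ones = len(text) - len(text.lstrip(ALPHABET[0]))
    return b"\x00" * leading_ones + body


def encode_address(hash160: bytes, version: int = P2PKH_VERSION) -> str:
    """Base58Check(version || HASH160 || first 4 bytes of hash256(version || HASH160))."""
    if len(hash160) != 20:
        raise ValueError("HASH160 must be 20 bytes")
    payload = bytes([version]) + hash160
    return b58encode(payload + hash256(payload)[:4])


def decode_address(address: str):
    """Return (version, hash160), or raise ValueError if length or checksum is wrong."""
    raw = b58decode(address)
    if len(raw) != 25:
        raise ValueError("address must decode to 25 bytes")
    payload, checksum = raw[:21], raw[21:]
    if hash256(payload)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]


def is_valid_address(address: str) -> bool:
    try:
        decode_address(address)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed HASH160 standing in for RIPEMD-160(SHA-256(pubkey)).
    addr = encode_address(bytes(range(20)))
    print(addr, "->", decode_address(addr)[1].hex())
    # The two real addresses quoted in this thread's signatures.
    for real in ("1N8ZXx2cuMzqBYSK72X4DAy1UdDbZQNPLf", "165YUuQUWhBz3d27iXKxRiazQnjEtJNG9g"):
        print(real, "checksum ok" if is_valid_address(real) else "invalid")
```

Decoding shows the only key material an unspent "savings" address exposes is the 20-byte hash, which is the 160-bit figure kjj quotes and the reason Revalin ties its safety to SHA-256 and RIPEMD-160 rather than to ECDSA.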
ThomasV
January 13, 2012, 05:28:08 AM
 #17

Quote
It seems to me that using a deterministic wallet allows one to delete all wallet data associated with one's account. As long as one remembers the pass phrase, the keys should be recoverable and the Bitcoins should be accessible again, even after a very long time. It seems to me that deterministic wallets are somewhat fringe and every client is using a different, ad hoc algorithm. It might be that the software is no longer available once one needs to recreate the keypair, leaving one with the passphrase and no way to recreate the keys. Having this feature in the official client would help. Is that planned?

Eww.  Please, no.  Deterministic wallets are a horrible idea already, and they just get worse when standardized and widely adopted.

With the standard bitcoin client, each address has about 160 bits of security, and are all unrelated so if an attacker can spend some of your money, the rest is safe.

With a deterministic wallet, each address has ~20-60 bits of security, and are all related, so if an attacker can spend some of your money, they can spend all of it.

Not true. Electrum provides seeds that have 128 bits of entropy. And it is trivial to use longer seeds if you want.
see http://ecdsa.org/electrum/seed.html

Electrum: the convenience of a web wallet, without the risks