Bitcoin as a value store for very long periods of time?

[anu]

Assuming Bitcoin is here to stay, it would provide an ideal value store for the long term, as in 30+ years.There are a number of reasons to do this, which don't need elaboration here. One example would be cryonic suspension. There are some issues with this, however:

It seems to me that using a deterministic wallet allows one to delete all wallet data associated with one's account. As long as one remembers the pass phrase, the keys should be recoverable and the Bitcoins should be accessible again, even after a very long time. It seems to me that deterministic wallets are somewhat fringe and every client is using a different, ad hoc algorithm. It might be that the software is no longer available once one needs recreate the keypair, leaving one with the passphrase and no way to recreate the keys. Having this feature in the official client would help. Is that planned?

What happens if the ECC encryption is changed against another as seems likely at some point - it looks like advances in quantum computing will make this step necessary at some point:
http://www.technologyreview.com/blog/arxiv/27483/
Nothing too surprising here, Satoshi himself has pointed that out, as well as a solution to it. So if the public key is known, a quantum computer can compute the private key. Everyone in the loop will do the necessary steps to convert to the new encryption. But what about those who are not in the loop?

The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money) i.e. the public key is not know on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

[1713921877]

1713921877

[1713921877]

1713921877

[1713921877]

1713921877

[westkybitcoins]

The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money) i.e. the public key is not know on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Well, as soon as bitcoins are sent to an address, that public address appears on the blockchain. So if someone were just grinding through the blockchain and trying to get at all addresses with funds still in them, they would eventually hit on any such savings account.

[FreeMoney]

The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money) i.e. the public key is not know on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Well, as soon as bitcoins are sent to an address, that public address appears on the blockchain. So if someone were just grinding through the blockchain and trying to get at all addresses with funds still in them, they would eventually hit on any such savings account.

There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.

[gnar1ta$]

If you have an encryption cracking quantum computer, don't you think there are many more profitable opprotunities - exponetially more profitable?

[westkybitcoins]

The question now is, can a quantum computer compute a valid keypair for an account which has never been used to transfer money (only received money) i.e. the public key is not know on the net? In other words, would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Well, as soon as bitcoins are sent to an address, that public address appears on the blockchain. So if someone were just grinding through the blockchain and trying to get at all addresses with funds still in them, they would eventually hit on any such savings account.

There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.

Ah. So I guess the address would be safe in that situation?

[anu]

If you have an encryption cracking quantum computer, don't you think there are many more profitable opprotunities - exponetially more profitable?

I am under the impression that Bitcoin will either:

- stagnate, which will cause ppl to lose interest and give up on it.
or
- grow, which will mean that Network effects take over at some point, pushing every other currency out of the door.

I don't see much space in between. And this makes Bitcoin a very nice investment if you plan to leave it for 30+ years. Your hand full of Bitcoins will then be either worthless in which case you didn't lose much, or you can buy a new house with a handfull of Satoshis. That would make a quantum computer attack on BTC 100 worth the while, don't you think?

[gnar1ta$]

I don't see much space in between. And this makes Bitcoin a very nice investment if you plan to leave it for 30+ years. Your hand full of Bitcoins will then be either worthless in which case you didn't lose much, or you can buy a new house with a handfull of Satoshis. That would make a quantum computer attack on BTC 100 worth the while, don't you think?

In the finance world there are legal uses of hashing power far more profitable than bitcoin mining or cracking.  I am hoping if the value of bitcoins increase, so will the strength of the network, and I'm sure new encryption techniques will be developed, keeping the same balance as now. I wouldn't discount the ingenuity of open source developers.  But who knows, we could all get robbed blind tomorrow, that's Bitcoin.

[anu]

There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.

Ah. So I guess the address would be safe in that situation?

Not if a keypair can be created that fits the hash. But can it?

[kjj]

It seems to me that using a deterministic wallet allows one to delete all wallet data associated with one's account. As long as one remembers the pass phrase, the keys should be recoverable and the Bitcoins should be accessible again, even after a very long time. It seems to me that deterministic wallets are somewhat fringe and every client is using a different, ad hoc algorithm. It might be that the software is no longer available once one needs recreate the keypair, leaving one with the passphrase and no way to recreate the keys. Having this feature in the official client would help. Is that planned?

Eww.  Please, no.  Deterministic wallets are a horrible idea already, and they just get worse when standardized and widely adopted.

With the standard bitcoin client, each address has about 160 bits of security, and are all unrelated so if an attacker can spend some of your money, the rest is safe.

With a deterministic wallet, each address has ~20-60 bits of security, and are all related, so if an attacker can spend some of your money, they can spend all of it.

[anu]

Eww.  Please, no.  Deterministic wallets are a horrible idea already, and they just get worse when standardized and widely adopted.

With the standard bitcoin client, each address has about 160 bits of security, and are all unrelated so if an attacker can spend some of your money, the rest is safe.

With a deterministic wallet, each address has ~20-60 bits of security, and are all related, so if an attacker can spend some of your money, they can spend all of it.

That sounds indeed horrible. But is that 20-60 bit thing an implementation issue or is it like that in principle?

Also, the use case is special! The idea is that you create a wallet, ideally on an isolated computer. You create one address. You delete the wallet. You transfer the funds on this address. Not requiring any backup means you can't lose the backup. But if you lose your backed up wallet.dat you're screwed. And after 30+ years, I can imagine many ways a backup can get lost.

For cryonics patient, another consideration applies: What motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit:and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

[cypherdoc]

There is a difference between public key and bitcoin address. The bitcoin address is shown when funds are sent, but the public key is not shown until funds are sent from the address. A bitcoin address is a hash of a public key with checksum added.

Ah. So I guess the address would be safe in that situation?

Not if a keypair can be created that fits the hash. But can it?

hashes are one way functions.  afaik thats impossible.

[kjj]

That sounds indeed horrible. But is that 20-60 bit thing an implementation issue or is it like that in principle?

Also, the use case is special! The idea is that you create a wallet, ideally on an isolated computer. You create one address. You delete the wallet. You transfer the funds on this address. Not requiring any backup means you can't lose the backup. But if you lose your backed up wallet.dat you're screwed. And after 30+ years, I can imagine many ways a backup can get lost.

For cryonics patient, another consideration applies: What motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit:and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

It is a conservative (high) estimate of how much entropy would be present in an excellent passphrase.  Actually "guess" would be a better word than "estimate" because I pretty much pulled it out of my ass without doing any research, but I would "guess" that nearly no one can remember anything with 60 bits of entropy for 30 years.

You should have several backup wallets, in places where you can verify their continued safety frequently.  And by frequently, I mean with a period shorter than the expected time to crack the password/passphrase you use.  If you ever suspect tampering, make new deep storage wallets with new passphrases, and use an untampered copy of the old wallet to transfer your coins to the new wallets.  Finally, pick better storage locations this time around.  Oh, and use M*Disc for long term storage.  They rock.

For extra paranoia, you could set backup copies up in a N of M scheme where you have M parts in different places and someone needs to gather N of them to recover the wallet.  Just be careful in your choices of N and M.

The cryogenics thing is an interesting twist.  But I think it reveals a problem with cryogenics, rather than with bitcoin, to be honest.  Personally, I expect to be thawed because someone needs my mad COBOL skills, and not for my financial wealth.

[westkybitcoins]

For cryonics patient, another consideration applies: What motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit:and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

This has always made me wonder why anyone would risk being cryonically frozen. After a while there's not much incentive in keeping your body frozen, or reviving you.

Yet another strange, unexpected problem Bitcoin could potentially solve.

[tvbcof]

For cryonics patient, another consideration applies: What motivation does anyone after 30 or 50 or 80 years have to revive you? But if they know that you (edit:and only you) have access to considerable funds, they do have a motivation. At least you can pay for the procedure, provided Bitcoin develops the way we hope.

This has always made me wonder why anyone would risk being cryonically frozen. After a while there's not much incentive in keeping your body frozen, or reviving you.

Yet another strange, unexpected problem Bitcoin could potentially solve.

Heh.  Wake him up so the rubber hose works better

[DeathAndTaxes]

It is a conservative (high) estimate of how much entropy would be present in an excellent passphrase.  Actually "guess" would be a better word than "estimate" because I pretty much pulled it out of my ass without doing any research, but I would "guess" that nearly no one can remember anything with 60 bits of entropy for 30 years.

Plus key strengthening can be used to greatly decrease the power of brute force attacks.

For example say the attacker has a rig which can brute force 100 GH/s of SHA-256 passphrases.

Horrible right.  That 40 to 50 bits of entropy will never be able to stand up to that.  Plus Moore's law will ensure that in 30 years someone will be able to brute force 3 Petahashes per second. 

Don't make the seed for wallet a single hash.  Wallet creation and recreation is a relatively rare event.  If you are ultra paranoid make it take 30 minutes to generate.

Say you got a rig w/ 1 GH/s.  You hash the hash of the hash of the hash ... 30 minutes ... of the hash of the passprhrase. 

That is 1.8 terrahashes required to convert a single passphrase into the deterministic seed.  So even that monster 3 petahash rig from the future.  It will only be able to brute force a mere 1666 passphrases per second.  A trivial and pathetic amount. 

passphrase -> 1 hash -> seed
milliseconds to recreate wallet.
attacker can brute force quadrillions of passphrases per second

passphrase -> 1.8 trillion hashes -> seed
30 minutes to recreate wallet on a 1GH machine
attacker can only brute force few thousand passphrases (assuming 30 years of Moore's law and a monster hashing farm).


40 bits of entropy where attacker is limited to 2000 passphrases per second will take

2^40 / 2000 = 8.5 years (and millions of dollars in computing power and electrical resources from 30 years in the future) to have a 50% chance of breaking passphrase.

[Revalin]

What happens if the ECC encryption is changed against another

I can't make a hard promise, but almost certainly your old ECC-based addresses will still be valid.  As long as someone with a quantum computer didn't steal your coins you can just send them to a new Quantum-Proof address.

would using an account that has been used only once, to transfer the bitcoins to it, provide protection even if ECC is cracked?

Yes, it's protected as long as either SHA-256 or RIPEMD-160 is secure (you'd have to break both to compromise an address).  Neither has any known preimage attacks (what we care about), and neither is vulnerable to any known quantum algorithm.

Even if both are broken or or for addresses that do have spent coins, ECDSA is still marginally secure.  It provides 80-bit security now, and 40-bit security after a quantum break.  40-bit doesn't sound very good, but quantum computers won't be as cheap, fast and efficient as digital computers for a long time, if ever.  You would have to have a lot of BTC in one address before someone would bother trying to steal it.

[ThomasV]

It seems to me that using a deterministic wallet allows one to delete all wallet data associated with one's account. As long as one remembers the pass phrase, the keys should be recoverable and the Bitcoins should be accessible again, even after a very long time. It seems to me that deterministic wallets are somewhat fringe and every client is using a different, ad hoc algorithm. It might be that the software is no longer available once one needs recreate the keypair, leaving one with the passphrase and no way to recreate the keys. Having this feature in the official client would help. Is that planned?

Eww.  Please, no.  Deterministic wallets are a horrible idea already, and they just get worse when standardized and widely adopted.

With the standard bitcoin client, each address has about 160 bits of security, and are all unrelated so if an attacker can spend some of your money, the rest is safe.

With a deterministic wallet, each address has ~20-60 bits of security, and are all related, so if an attacker can spend some of your money, they can spend all of it.

Not true. Electrum provides seeds that have 128 bits of entropy. And it is trivial to use longer seeds if you want.
see http://ecdsa.org/electrum/seed.html