Bitcoin Forum
Author Topic: Bitcoins removed from circulation  (Read 1543 times)
Koooooj (OP), July 01, 2012, 08:31:19 PM, #1

I'm wondering if someone with a strong understanding of the math/cryptography behind bitcoins can help shed some light on a line of thought I've been having.

As I understand it, there is a maximum number of bitcoins, hard-coded into the network; mining rewards (from generation) halve sometime late this year, and are eliminated entirely some time later.  At that point, there will be a maximum amount of BTC in circulation, but those BTC can be misplaced (e.g. by losing a wallet).  Eventually the total effective BTC in circulation will decrease.  Now, this is not in and of itself a problem, since BTC is so divisible, (I hear that there is work being done to allow for transactions of less than 1 Satoshi); however, if someone were to lose a wallet, especially one with a lot of coins in it, they may want to get it back.

For example, I've seen several transactions for tens of thousands of BTC on http://blockchain.info/ that are years old with no child transactions.  These BTC are either lost or have been held in storage for a very long time.  I'm wondering if there is a method to recover them.  Also, I suppose that one could use the method that I will attempt to describe below in order to steal someone's coins.


From what I have read, in order to spend coins, your bitcoin client makes some proof that the coins are yours to spend.  It does this based on information in the block chain, and on information that is in your wallet.  I assume that it does something along the lines of providing the input that gives the same output as some publicly available data that is in the block chain (probably having to do with your address).  I'm not strong on the cryptography, so I don't know the details of that step, but from what I can see, there has to be some publicly visible data, combined with some private data in your bitcoin wallet, which are used to prove your ownership of the coins.

With all of that buildup, my question is: is there anything to stop someone from attempting to steal unspent coins by executing a brute force attack, other than the amount of brute force required, and how much brute force would be required?

Now, I don't want to spread FUD--I feel like the average wallet is safe, and countermeasures against this type of attack should be straightforward:  since it cannot steal an entire wallet, just the coins from a single transaction (assuming those coins have not been spent again, and even assuming that such an attack is possible), keeping coins as the result of a large number of small transactions instead of bundled as a single transaction would greatly increase the cost and decrease the attractiveness of such an attempt.  I'm just curious about what makes bitcoin safe (and on if it is economically viable to attempt to "mine" lost coins that seem abandoned).

Sorry for the rambling.  I hope I'm not completely off in my understanding of how bitcoin transactions work.  Any thoughts are much appreciated.
Foxpup, July 02, 2012, 01:53:06 AM, #2

> I'm wondering if there is a method to recover them.

There is not, and never will be.

> From what I have read, in order to spend coins, your bitcoin client makes some proof that the coins are yours to spend.  It does this based on information in the block chain, and on information that is in your wallet.  I assume that it does something along the lines of providing the input that gives the same output as some publicly available data that is in the block chain (probably having to do with your address).  I'm not strong on the cryptography, so I don't know the details of that step, but from what I can see, there has to be some publicly visible data, combined with some private data in your bitcoin wallet, which are used to prove your ownership of the coins.

Correct. Bitcoin uses digital signatures (an application of public-key cryptography) to authorise transactions. A bitcoin address consists of a hash of a public key, to which the owner of that address holds the corresponding private key. Transactions are signed using the private key and the public key is published on the block chain, allowing anyone to verify that the transaction was indeed created by someone with access to the correct private key and that the transaction was not modified by anyone else.

> With all of that buildup, my question is: is there anything to stop someone from attempting to steal unspent coins by executing a brute force attack, other than the amount of brute force required, and how much brute force would be required?

Barring a hitherto unknown breakthrough in cryptanalysis, brute force is the only way. In order to spend coins from a particular address, it would be necessary to find a private key whose corresponding public key has the same hash as the bitcoin address. Bitcoin keys are 256-bit ECDSA and the address hash is 160-bit RIPEMD-160, so the weak link is the hash. It would take 2^160 operations to brute force, which is totally infeasible.

> Now, I don't want to spread FUD--I feel like the average wallet is safe, and countermeasures against this type of attack should be straightforward:  since it cannot steal an entire wallet, just the coins from a single transaction (assuming those coins have not been spent again, and even assuming that such an attack is possible), keeping coins as the result of a large number of small transactions instead of bundled as a single transaction would greatly increase the cost and decrease the attractiveness of such an attempt.  I'm just curious about what makes bitcoin safe (and on if it is economically viable to attempt to "mine" lost coins that seem abandoned).

No, such an attack would be able to steal all coins from a particular address, regardless of how many transactions that address was used for. Using multiple addresses probably won't help either, since the only way this attack is even remotely possible is through some breakthrough in cryptanalysis, which would make all bitcoin addresses (not to mention all online banking) vulnerable. You've got bigger problems than your bitcoins if that ever happens.

Will pretend to do unspeakable things (while actually eating a taco) for bitcoins: 1K6d1EviQKX3SVKjPYmJGyWBb1avbmCFM4
I am not on the scammers' paradise known as Telegram! Do not believe anyone claiming to be me off-forum without a signed message from the above address! Accept no excuses and make no exceptions!
Koooooj (OP), July 02, 2012, 04:55:38 PM, #3

Thanks for the response.  The 2^160 number is the one I was looking for.  I'm just going to do some very rough math here, to help me, and possibly others, understand what 2^160 means in terms of real time to an incredibly fast supercomputer (if stealing large numbers of BTC were to be feasible to someone with a very large cluster, someone would build a very large cluster).

2^160 is, in decimal, approximately: 1,464,501,640,000,000,000,000,000,000,000,000,000,000,000,000,000 (1.46... x 10^48)

Now, assume that someone built a very large cluster able to check 100 billion of those a second (say, they developed an ASIC that could carry out the required operation, and then sank several million into their manufacture, to say nothing of the development costs); I don't claim that this is economically feasible, or that 100 billion/s is even technologically feasible, but it feels like a good, very very generous number to use.

100 billion is 100,000,000,000, or 1 x 10^11

So, if they ran that hypothetical super-machine 24/7 for 5 years (I'm assuming that a year is exactly 52 weeks for the sake of math), that's

1 x 10^11 * 60 (seconds/min) * 60 (min/hour) * 24 (hour/day) * 7 (day/week) * 52 (week/year) * 5 (years) = 1.57248 x 10^19.

That means that the odds that the attack has succeeded after five years of continuous work are 1.57248 x 10^19 / (1.464501 x 10^48), or about 1.07 x 10^-29.  (1 in 9.29 x 10^28).  By comparison, one would be far, far more likely to win the Mega Millions lottery, with a probability listed on Wikipedia as 1 in 175,711,536 (1.75 x 10^8), and can achieve those odds with a ticket that costs $2 (also, the payout would be larger).  In fact, even if the attacker invested a million times more resources (at this point, probably more than the wealth of any country), they would have roughly a lottery-jackpot chance of ever succeeding at breaking even a single hash, while expending countless amounts of power and other resources.

So I guess the moral of the story is if you want to recover lost coins, play the lottery instead--the odds are a million times better.
pieppiep, July 02, 2012, 05:01:18 PM, #4

Or start mining :)
zhitgeist, July 02, 2012, 06:00:59 PM, #5

It's practically impossible and I'm glad that's the case.
Kazimir, July 02, 2012, 07:19:21 PM, #6

> So I guess the moral of the story is if you want to recover lost coins, play the lottery instead--the odds are a million times better.

Well said. You're absolutely right :)

In theory, there's no difference between theory and practice. In practice, there is.
Insert coin(s): 1KazimirL9MNcnFnoosGrEkmMsbYLxPPob