You are viewing a single comment's thread.

View the rest of the comments →

[–]theymos -36 points -35 points (58 children)

Edit: To be absolutely clear: I am not proposing (and would never propose) a policy that would have the goal of depriving anyone of his bitcoins. Satoshi's bitcoins (which number far below 1M, I think) rightfully belong to him, and he can do whatever he wants with them. Even if I wanted to destroy Satoshi's bitcoins in particular, it's not possible to identify which bitcoins are Satoshi's. I am talking about destroying presumably-lost coins that are going to be stolen, ideally just moments before the theft would occur.


This issue has been discussed for several years. I think that the very-rough consensus is that old coins should be destroyed before they are stolen to prevent disastrous monetary inflation. People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation. Allowing lost coins to be recovered violates this assumption, and is a systemic security issue.

So if we somehow learn that people will be able to start breaking ECDSA-protected addresses in 5 years (for example), two softforks should be rolled out now:

  • One softfork, which would activate ASAP, would assign an OP_NOP to OP_LAMPORT (or whatever QC-resistant crypto will be used). Everyone would be urged to send all of their bitcoins to new OP_LAMPORT-protected addresses.
  • One softfork set to trigger in 5 years would convert OP_CHECKSIG to OP_RETURN, destroying all coins protected by OP_CHECKSIG. People would have until then to move their BTC to secure addresses. Anyone who fails to do so would almost certainly have lost their money due to the ECDSA failure anyway -- the number of people who lose additional BTC would be very low. (There might be a whitelist of UTXOs protected by one-time-use addresses, which would remain secure for a long time.)
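The Lamport one-time signature scheme that theymos names for OP_LAMPORT, as an added worked example (not code from this thread, from Bitcoin, or from any OP_LAMPORT proposal): a SHA-256 based sign/verify pair, plus a count of how many private-key halves an observer learns when the same key signs a second message, which is why such outputs must be one-time-use. Key sizes and the sample message are constructed for illustration.

```python
import hashlib
import os

HASH_BITS = 256  # message digests are SHA-256, so one secret pair per digest bit


def _h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def keygen(rng=os.urandom):
    """Private key: 256 pairs of 32-byte secrets. Public key: their hashes.
    That is 16 KiB per key, one reason OP_LAMPORT outputs would be bulky."""
    sk = [(rng(32), rng(32)) for _ in range(HASH_BITS)]
    pk = [(_h(s0), _h(s1)) for s0, s1 in sk]
    return sk, pk


def _msg_bits(message: bytes):
    """Bits of SHA-256(message), most significant bit first."""
    digest = _h(message)
    return [(digest[i // 8] >> (7 - i % 8)) & 1 for i in range(HASH_BITS)]


def sign(sk, message: bytes):
    """For each digest bit, reveal the secret of that pair selected by the bit."""
    return [sk[i][bit] for i, bit in enumerate(_msg_bits(message))]


def verify(pk, message: bytes, sig) -> bool:
    """Hash each revealed secret and compare with the matching public-key hash."""
    if len(sig) != HASH_BITS:
        return False
    bits = _msg_bits(message)
    return all(_h(s) == pk[i][bits[i]] for i, s in enumerate(sig))


def revealed_secrets(messages) -> int:
    """How many of the 512 private halves an observer has seen once all the
    listed messages have been signed under the same key. One signature reveals
    exactly 256; each further signature on a different message reveals more,
    which is what would let a third party sign any message whose digest bits
    are all covered. This is the reason the key must only ever sign once."""
    seen = set()
    for message in messages:
        seen.update(enumerate(_msg_bits(message)))
    return len(seen)


if __name__ == "__main__":
    sk, pk = keygen()
    msg = b"constructed sample: spend to an OP_LAMPORT-protected output"
    sig = sign(sk, msg)
    print("valid:", verify(pk, msg, sig))
    print("revealed after one signature:", revealed_secrets([msg]))
    print("revealed after two:", revealed_secrets([msg, b"second message"]))
```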

[–]Dude-Lebowski 44 points 45 points (2 children)

No. Not reasonable.

Anyone with a coin should maintain access to that coin forever.

If they want to risk quantum that's their risk.

If you think you have the right to other people's money, including Satoshi's you don't.

Let's not turn Bitcoin into a central bank with bankster policies.

[–]Anduckk [score hidden] (0 children)

This proposal isn't targeting specific coins. Also, if ECDSA is broken and it starts to be obvious that people are stealing others' coins... Well, in my opinion that should happen then. Network shouldn't and can't enforce people to not lose their coins if they want to.

[–]chuckymcgee 29 points 30 points (9 children)

I think it sets a dangerous precedent to go about forking Bitcoin so that those who omit to do something lose their coins. The ability of the majority to strip a minority of stored value is contrary to one of Bitcoin's core appeals.

What if we learned ECDSA-protected addresses would start being broken in 1 year? 6 months? 3 weeks? How soon would be too soon to permit a softfork?

And why is it up to us to say that it's wrong that old coins be suddenly recirculated? People never joined Bitcoin that coins would be lost at any particular rate, or that they'd actually know what that rate would be. Surely people have assumed some coins thought lost would be recovered and recirculated, how can this be said to be too much? And, importantly, if we know ECDSA-protected addresses are going to be broken in X years, why shouldn't bitcoin participants be able to price this possibility in before what we've deemed inevitable occurs?

[–]Dude-Lebowski 26 points 27 points (2 children)

The dude strongly abides.

The day Bitcoin starts managing people's money is the day Bitcoin gets replaced with something better.

[–]saibog38 [score hidden] (1 child)

Then the reality is that if and when quantum computing becomes a reality, there will be a massive gold rush for people to steal those unsecured coins instead. Is that honestly better? Anyone who wants to secure their coins will need to ensure they're secured by a quantum safe signature, that's true regardless of any proposal being discussed here.

I can see arguing for the quantum theft gold rush due to certain moral objections to the alternative, but I'm skeptical that's actually the best outcome. That would likely mean whatever entity (or entities) has first access to a legitimate quantum computer gets to steal millions of bitcoins, probably a government intelligence agency or some big corp.

It'd be great if the original owners could just keep control of the coins, but under the scenario being considered that's not really an option unless they themselves move them to safe addresses, so you have to consider what you think the lesser evil would be.

[–]ScarfacePro3 [score hidden] (0 children)

Fcuk...you quantum 1 it's a couple of weeks work to grind the rest...you think age of transactions would change anything?! (a huge part of the reason BTC works is you're not allowed to do shit like that)

[–]011010110 [score hidden] (2 children)

Are you serious? Doesn't this set a dangerous precedent for deleting any coins? A bit like the apple backdoor, once it is created it can be reused for other purposes.

[–]theymos [score hidden] (1 child)

That's probably the strongest argument against it, but I don't really see much of a slippery slope. IMO there's a very wide gap between applying a uniform policy meant to address a specific technical/security issue, and doing targeted deletions. (The majority of miners could already do targeted deletions, BTW, which is a huge concern which should be addressed by widespread usage of CoinSwap, etc. and efforts to decentralize mining.)

Maybe I find this idea less surprising because this general idea of expiring old UTXOs has long been discussed in the context of scaling. If you expire UTXOs after a year or whatever, it limits the size of the UTXO set and also allows for several other nice optimizations. I (and others) were talking about this as early as 2011, and some altcoins have implemented versions of the idea. Later on, far better scaling technologies were developed which put this concept (often called "demurrage" in the Bitcoin universe, though it's very different from this word's usual meaning outside of Bitcoin) out of fashion. But I've always thought that it's an acceptable technique, if Bitcoin's survival requires it.

I don't think this will actually be a problem for 10-20 years, so we'll have plenty of time to debate it...

[–]svarog [score hidden] (0 children)

Yeah... Only there's no consensus about it, so I think it's forbidden to discuss it by the rules of this subreddit.

[–]umbawumpa [score hidden] (1 child)

Anyone who fails to do so would almost certainly have lost their money

I gave some friends of mine paper wallets as they had children, with the instruction to keep them closed until their child's 18th birthday... So much for that

[–]theymos [score hidden] (0 children)

If the paper wallet addresses are unused, then they should be reasonably safe against a quantum computer, and so the coins wouldn't be destroyed in this case. (Though I've advised since 2011 not to store Bitcoins in any way that makes them inaccessible for longer than a year or two, for exactly this reason.)

[–]segregatedwitness [score hidden] (0 children)

Ridiculous! This would damage bitcoin's fungibility.

[–]OnNom [score hidden] (0 children)

I think that the very-rough consensus is that old coins should be destroyed before they are stolen to prevent disastrous monetary inflation.

"We must steal people's property so that it cannot be stolen." Get out of here with this authoritarian bullshit.

[–]princekolt [score hidden] (0 children)

No. Just no.

People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation.

I don't think I know of anyone who did that. The Bitcoin deflation (or rather lack of inflation) comes from the fact that fewer coins are produced over time.

From the bitcoin paper (emphasis mine):

Once a predetermined number of coins have entered circulation, the incentive can transition entirely to transaction fees and be completely inflation free.

Nowhere in the paper is any kind of deflation mentioned. Please don't skew the facts.

[–]deadalnix [score hidden] (4 children)

That's a very elaborate way to say you want to steal and destroy others' property.

[–]theymos [score hidden] (3 children)

"Steal" implies that someone would get the destroyed coins, which is not what I'm talking about. I'm talking about lessening the impact of the almost-certain widespread theft of coins in case ECDSA is broken.

There are two choices if ECDSA is predicted to be broken:

  • Allow the vulnerable coins to be stolen. The original owner loses the money, and Bitcoin as a whole is severely harmed.
  • Destroy the coins. The original owner loses the money, and Bitcoin is not massively harmed. In extremely rare cases, people could lose money slightly earlier than otherwise.

As far as I see things, the second choice is clearly superior.

[–]todu [score hidden] (0 children)

I think steal is an appropriate word. By destroying Satoshi's unmoved coins, you would be in effect making your own coins worth more at the expense of the person who would otherwise have had / gained control over the Satoshi coins. We should not be allowed to destroy other people's bitcoin even if there are bitcoin that we know will be stolen by a thief. Let's not mess with the monetary supply and fungibility of Bitcoin.

It would be immoral to intentionally cause a big deflationary boost to the Bitcoin economy with the excuse to prevent a limited one time 1 million bitcoin theft from occurring. It's better for the Bitcoin system as a whole to let such a theft occur.

[–]sQtWLgK [score hidden] (1 child)

There might be a whitelist of UTXOs protected by one-time-use addresses, which would remain secure for a long time.

This would not help if the ECDSA attack is fast enough. An attacker could try to steal the outputs when a tx spending them gets published, and may succeed before it gets confirmed.

[–]theymos [score hidden] (0 children)

It'll take many years after keys first start getting broken for quantum computers to get that fast.

[–]-Hegemon- [score hidden] (1 child)

A counter argument is that the bounty that resides in these keys might help propel the development of quantum computing.

If we agree that its development will be beneficial to society (do we? I don't know enough to give an opinion), it'd be foolish to deprive the would-be inventors of their incentive.

[–]todu [score hidden] (0 children)

And if such actors take control of those unmoved coins, then it's unlikely that they'll dump the coins on the fiat exchanges. So in that case the exchange rate of bitcoin would not be affected. It would just be an indirect way of funding quantum computer research.

So this would not be a problem for the rest of us Bitcoin users and we should therefore not try to make these coins unspendable. We should simply consider it a bounty for quantum computer research. We could even market that as one of the many benefits to society that Bitcoin gives. It promotes and rewards research.

[–]Mark0Sky [score hidden] (0 children)

IMHO, that's an absolutely silly proposition.

[–]BitcoinXio [score hidden] (0 children)

This is a terrible precedent to set. I take issue with this statement in particular:

People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation. Allowing lost coins to be recovered violates this assumption, and is a systemic security issue.

This is not true. One of bitcoin's selling points has never been the guarantee of lost coins thus making other coins more valuable. It's always been something said to happen but not the basis of why people use bitcoin as a store of value. In addition, what is more concerning is that many people have purchased bitcoin in the early days with the sole intent to hodl them, and not use them until much later when they are worth more. The proposition to essentially steal these people's coins because of the fear that someone else could steal them before you is not what anyone wants and should never happen in my opinion.

[–]redlightsaber [score hidden] (2 children)

Ah, more central economic interventionism. It's clear on what side of the debate you're on regarding this issue.

Your economic concerns are false. Satoshi using his old coins is always a possibility, and I don't think anyone should assume otherwise (or that the current market is doing so).

Setting a precedent that developers could just choose to "destroy" any group of coins, or worse still, to impose an expiry date on all of them, is a far more dangerous proposition than any imagined dangers that a one-time 5% inflation event could produce, and that's assuming a suddenly perfect quantum computer engineered out of the blue... In reality the addresses would be "hacked" in such a scenario at a slow and steady rate, very possibly not even being able to reverse the continuous deflation.

Please stop. Most of us are into bitcoin trying to get away from centralised interventionism.

[–]Ant-n [score hidden] (1 child)

is a far more dangerous proposition than any imagined dangers that a one-time 5% inflation event could produce,

It will have to be compared to the Bitcoin liquidity at that time. So in the worst case scenario, if 1 million coins enter the market (very very very unlikely to happen even if the coins get stolen), it will likely be many times bigger than what the market can "digest".

Send the price to near zero I guess..

With that being said I agree with your point.

[–]redlightsaber [score hidden] (0 children)

I think we're talking about very different things. I'm talking about inflation, for which liquidity would matter little. You seem to be referring to a hypothetical event where a) all the coins would be acquired at once, and b) the hacker/thief would be stupid or malicious enough to decide to put them up for exchange all at once.

Rest assured, I consider the probability of a*b to be near zero. And even if it happened, while I agree it could send the exchange rate down by quite a bit, it would do nothing to its inherent usefulness, and in a post-speculation market, such a price dip would be extremely fleeting, with the entire economy kicking themselves in the butt not to have had dollars in their exchanges at the moment this "flash sale" took place.

[–]Guy_Tell [score hidden] (0 children)

People joined Bitcoin with the understanding that coins would be permanently lost at some low rate, leading to long-term monetary deflation.

This kind of rhetoric reminds me of Gavin's "People joined under the assumption the block size limit would be raised, consequently we must raise it". Moving to Lamport signatures should be opt-in and there is no good excuse to force it upon people.

[–]xhiggy [score hidden] (0 children)

There is no consensus to this asinine idea, rough or otherwise. You are a con man and a cheat

[–]liquidify [score hidden] (0 children)

think that the very-rough consensus

Who's "very-rough consensus?" Yours alone?

[–]pokertravis -1 points 0 points (0 children)

The special consideration of a key is to not lock it in that which it unlocks. I think you failed the power test here (S.Lerner did I think too). This key is the most powerful weapon we have available with the ability to harness society. Benevolent Satoshi would have locked it within that which it unlocks, and let it be a transparent "safe".

We should look for it there, and hope.

Otherwise, what you describe is a process that would have a destabilizing effect TODAY, because the markets would not like this uncertainty.

I also think a benevolent Satoshi would not accept this plan because it's not fair for people that do not plan on being ready for this type of event.

Do you understand my view? We cannot mess with these things, even if they seem optimal. The utmost stability.

[–]Anenome5[S] -3 points -2 points (10 children)

Sounds reasonable. The latter provision might set off a quantum-computing race however to obtain the old coins before the cutoff.

[–]theymos 1 point 2 points (9 children)

Yeah, getting the timing right will be difficult. On the one hand, you want to give people as much time as possible to move their bitcoins, but on the other hand it'd be very harmful if you're late by too much.

One helpful thing is that quantum computers will start out extremely slow and extremely expensive. So if the deadline is a few months too late, it's likely that only a small fraction of QC-breakable bitcoins could be stolen in that time, and maybe none of the parties with access to such a powerful quantum computer would be hidden enough to actually steal BTC and get away with it.

One interesting suggestion I heard was that you could do the UTXO deletions gradually over a year-long interval (or whatever), with the highest-value UTXOs getting deleted before the lower-value ones. That way, the UTXOs with the highest reward-to-cost ratio for attackers and the highest risk to Bitcoin would be deleted right away, buying extra time for the vast majority of people who have far-lower-value UTXOs.

(BTW, although you often hear about minuscule quantum computers being built in labs, most experts think that a quantum computer large enough to attack Bitcoin keys won't exist for at least 10-20 years.)

[–]Anenome5[S] 0 points 1 point (1 child)

One helpful thing is that quantum computers will start out extremely slow and extremely expensive. So if the deadline is a few months too late, it's likely that only a small fraction of QC-breakable bitcoins could be stolen in that time, and maybe none of the parties with access to such a powerful quantum computer would be hidden enough to actually steal BTC and get away with it.

That's a good point; Satoshi made a new wallet for each block mined, IIRC.

So, anyone with the actual QC power to steal coins is faced with a dilemma, take wallet by wallet, or crack wallets one by one and delay the sweep, risking the chance that someone else may sweep them in the meantime.

Which means they'll likely start sweeping immediately and, as you say, it should still take some time to sweep even one address.

One interesting suggestion I heard was that you could do the UTXO deletions gradually over a year-long interval (or whatever), with the highest-value UTXOs getting deleted before the lower-value ones. That way, the UTXOs with the highest reward-to-cost ratio for attackers and the highest risk to Bitcoin would be deleted right away, buying extra time for the vast majority of people who have far-lower-value UTXOs.

Hmm, yeah, that might be a good idea.

(BTW, although you often hear about minuscule quantum computers being built in labs, most experts think that a quantum computer large enough to attack Bitcoin keys won't exist for at least 10-20 years.)

Sure, but when there's a billion dollars on the line or w/e, no one thought a bitcoin ASIC miner would be the world's first 20nm consumer product either (à la KNC).

[–]Dude-Lebowski 2 points 3 points (0 children)

Any block other than 0 and 9 is not 100% Satoshi. We had at least 5 people the first few days. It only grew from there.