Is Crypto Currency truly at risk due to Quantum Computers, and what can you do about it?
There is no denying that the quantum revolution is coming. Security protocols for the internet, banking, telecommunications, etc., are all at risk, and your Bitcoins (and alt-cryptos) are next! This article is not really about quantum computers[i], but, rather, how they will affect the future of cryptocurrency, and what steps a smart investor will take. Since this is a complicated subject, my intention is to provide just enough relevant information without being too “techy.”
The Quantum Evolution
In 1982, Nobel-winning physicist Richard Feynman hypothesized how quantum computers[ii] would be used in modern life. Just one year later, Apple released the “Apple Lisa”[iii], a home computer with a 7.89MHz processor and a whopping 5MB hard drive, and, if you enjoy nostalgia, it used 5.25in floppy disks. Today, we walk around with portable devices that are thousands of times more powerful, and yet our modern-day computers still work in a simple manner, with simple math and simple operators[iv]. They now just do it so fast and efficiently that we forget what’s happening behind the scenes. No doubt, the human race is accelerating at a remarkable speed, and we’ve become obsessed with quantifying everything, from the everyday details of life to the entire universe[v]. Not only do we know how to precisely measure elementary particles, we also know how to control their actions! Yet, even with all this advancement, modern computers cannot “crack” cryptocurrencies without a great deal more computing power, and since that is more than the planet can currently supply, it could take millions, if not billions, of years. However, what current computers can’t do, quantum computers can! So, how can something that was conceptualized in the 1980s, and, as of yet, has no practical application, compromise cryptocurrencies and take over Bitcoin? To best answer this question, let’s begin by looking at a bitcoin address.
What exactly is a Bitcoin address?
Well, in layman's terms, a Bitcoin address is used to send and receive Bitcoins, and looking a bit closer (excuse the pun), it has two parts:[vi] a public key that is openly shared with the world to accept payments, and a private key from which the public key is derived. The private key is made up of 256 bits of information in a (hopefully) random order. This 256-bit code is 64 characters long (in the range 0-9/a-f) and further compressed into a 52-character code (using RIPEMD-160).

NOTE: Although many people talk about Bitcoin encryption, Bitcoin does not use encryption. Instead, Bitcoin uses a hashing algorithm (for more info, please see the endnote below[vii]).

Now, back to understanding the private key: the Bitcoin address “1EHNa6Q4Jz2uvNExL497mE43ikXhwF6kZm” translates to a private key of “5HpHagT65TZzG1PH3CSu63k8DbpvD8s5ip4nEB3kEsreAnchuDf”, which further translates to a 256-bit private key of “0000000000000000000000000000000000000000000000000000000000000001” (this should go without saying, but do not use this address/private key, because it was compromised long ago). Although a few more calculations go on behind the scenes, these are the most relevant details. Now, to access a Bitcoin address, you first need the private key, and from this private key the public key is derived. With current computers, it is classically impractical to attempt to find a private key based on a public key. Simply put, you need the private key to know the public key. However, it has already been theorized (and technically proven) that, due to private key compression, multiple private keys can be used to access the same public key (aka address). This means that your Bitcoin address has multiple private keys associated with it, and if someone accidentally discovers or “cracks” any one of those private keys, they have access to all the funds in that specific address.
There is even a pool of a few dedicated people hunting for these potential overlaps[viii], and they are, in fact, getting very efficient at it. The creator of the pool also has a website listing every possible Bitcoin private key/address in existence[ix], and, as of this writing, the pool averages 204 trillion keys per day! But wait! Before you get scared and start panic selling: the probability of finding a Bitcoin address containing funds (or even one that has been used) is highly unlikely, though still possible! However, the more Bitcoin users there are, the more likely a “collision” (finding overlapping private/public key pairs)! You see, the security of a Bitcoin address is simply based on large numbers! How large? Well, according to my math, 1.157920892373 × 10^77 potential private keys exist (that number represents over 9,500 digits in length! For some perspective, this entire article contains just over 14,000 characters.) Therefore, the total number of Bitcoin addresses is so great that the probability of finding an active address with funds is infinitesimal.
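To make the relationship between the three strings above concrete, here is an added example (not code from the article) that derives the public key and the “5HpH…” WIF string from the private key 1 quoted above, using only the Python standard library; the final address step (SHA-256 then RIPEMD-160 of the public key) is left out because RIPEMD-160 is not available in every Python build.

```python
import hashlib

# secp256k1 domain parameters: the curve Bitcoin uses for its ECDSA keys
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
G = (GX, GY)

BASE58_ALPHABET = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"


def _point_add(p, q):
    """Affine point addition on secp256k1; None stands for the point at infinity."""
    if p is None:
        return q
    if q is None:
        return p
    (x1, y1), (x2, y2) = p, q
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                   # p == -q
    if p == q:                                        # tangent slope (doubling)
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:                                             # chord slope (addition)
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def pubkey_from_privkey(k: int):
    """Public key = k*G by double-and-add. This direction is cheap; recovering k
    from k*G is the discrete-log problem that Shor's algorithm attacks."""
    if not 1 <= k < N:
        raise ValueError("private key must be in [1, N-1]")
    result, addend = None, G
    while k:
        if k & 1:
            result = _point_add(result, addend)
        addend = _point_add(addend, addend)
        k >>= 1
    return result


def pubkey_bytes(k: int, compressed: bool = False) -> bytes:
    """Serialise k*G as Bitcoin does: 0x04||x||y (65 bytes) or 0x02/0x03||x (33 bytes)."""
    x, y = pubkey_from_privkey(k)
    if compressed:
        return (b"\x02" if y % 2 == 0 else b"\x03") + x.to_bytes(32, "big")
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")


def base58check(payload: bytes) -> str:
    """Append the first 4 bytes of double-SHA256 as a checksum, then encode in base58."""
    checksum = hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    data = payload + checksum
    n, out = int.from_bytes(data, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = BASE58_ALPHABET[rem] + out
    leading_zeros = len(data) - len(data.lstrip(b"\x00"))
    return "1" * leading_zeros + out                  # each leading zero byte becomes '1'


def wif_from_privkey(k: int) -> str:
    """Wallet Import Format for an uncompressed-key wallet: 0x80 || 32-byte key, base58check."""
    return base58check(b"\x80" + k.to_bytes(32, "big"))


if __name__ == "__main__":
    print(wif_from_privkey(1))           # the 5HpH... string quoted in the article
    print(pubkey_bytes(1).hex())         # 04 || G.x || G.y, since 1*G is the generator itself
```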
So, how do Quantum Computers present a threat?
At this point, you might be thinking, “How can a quantum computer defeat this overwhelming number of possibilities?” Well, to put it simply: superposition and entanglement[x]. Superposition allows a quantum bit (qubit) to be in multiple states at the same time. Entanglement allows an observer to know the measurement of a particle in any location in the universe. If you have ever heard Einstein’s quote, “spooky action at a distance,” he was talking about entanglement! To give you an idea of how this works, imagine how efficient you would be if you could make your coffee, drive your car, and walk your dog all at the same time, while also knowing the temperature of your coffee before drinking it, the current maintenance requirements for your car, and even what your dog is thinking! In a nutshell, quantum computers have the ability to process and analyze countless bits of information simultaneously, and so fast, and in such a different way, that no human mind can comprehend it! At this stage, it is estimated that the Bitcoin address hash algorithm will be defeated by quantum computers before 2028 (and quite possibly much sooner)! The NSA has even stated that the SHA256 hash algorithm (the same hash algorithm that Bitcoin uses) is no longer considered secure, and, as a result, the NSA has now moved to new hashing techniques, and that was in 2016! Prior to that, in 2014, the NSA also invested a large amount of money in a research program called the “Penetrating Hard Targets project”[xi], which was used for further quantum computer study and how to break “strong encryption and hashing algorithms.” Does the NSA know something they’re not saying, or are they just preemptively preparing? Nonetheless, before long, we will be in a post-quantum cryptography world where quantum computers can crack crypto addresses and take all the funds in any wallet.
What are Bitcoin core developers doing about this threat?
Well, as of now, absolutely nothing. Quantum computers are not considered a threat by Bitcoin developers nor by most of the crypto community. I’m sure when the time comes, Bitcoin core developers will implement a new cryptographic algorithm that all future addresses/transactions will utilize. However, will this happen before post-quantum cryptography[xii]? Moreover, even after a new cryptographic implementation, what about all the old addresses? Well, if your address has been actively used on the network (sending funds), it will be in imminent danger of a quantum attack. Therefore, everyone who is holding funds in an old address will need to send their funds to a new address (using a quantum-safe crypto format). If you think network congestion is a problem now, just wait… Additionally, there is the potential that the transition to a new hashing algorithm will require a hard fork (a soft fork may also suffice), and this could result in a serious problem, because there should not be multiple copies of the same blockchain/ledger. If one fork gets attacked, the address on the other fork is also compromised. As a side note, the blockchain Nebulas[xiii] will have the ability to modify the base blockchain software without any forks. This includes adding new and more secure hashing algorithms over time! Nebulas is due to be released in 2018.
Who would want to attack Bitcoin?
Bitcoin and cryptocurrency represent a threat to the controlling financial system of our modern economy. Entire countries have outright banned cryptocurrency[xiv] and even arrested people[xv], and while discrediting it, some countries are copying cryptocurrency to use (and control) in their economy[xvi]! Furthermore, Visa[xvii], Mastercard[xviii], Discover[xix], and most banks act like they want nothing to do with cryptocurrency, all the while seeing the potential of blockchain technology and developing their own[xx]. Just like any disruptive technology, Bitcoin and cryptocurrencies have their fair share of enemies! As of now, quantum computers are being developed by some of the largest companies in the world, as well as private government agencies. No doubt, we will see a post-quantum cryptography world sooner than most realize. By that point, who knows how long “3 letter agencies” will have been using quantum technology - and what they’ll be capable of!
What can we do to protect ourselves today?
Of course, the best option is to start looking at how Bitcoin can implement new cryptographic features immediately, but it will take time, and we have seen how slow the process can be just for scaling[xxi]. The other thing we can do is use a Bitcoin address only once for outgoing transactions. When quantum computers attack Bitcoin (and other cryptocurrencies), their first target will be addresses that have outgoing transactions on the blockchain and still contain funds. This is due to the fact that when computers first attempt to crack a Bitcoin address, the starting point is when a transaction becomes public. In other words, when the transaction is first signed: a signed transaction carries a digital signature derived from the private key, and it validates the transaction on the network. Compared to classical computers, quantum computers can exponentially extrapolate this information. Initially, the Bitcoin Core software might provide some level of protection because it only uses an address once, and then sends the remaining balance (if any) to another address in your keypool. However, third-party Bitcoin wallets can and do use an address multiple times for outgoing transactions. For instance, this could be a big problem for users that accept donations (if they don’t update their donation address every time they remove funds). The biggest downside to the Bitcoin Core software is the amount of hard-drive space required, as well as diligently retaining an up-to-date copy of the entire blockchain ledger. Nonetheless, as quantum computers evolve, they will inevitably render SHA256 vulnerable, and although this will be one of the first hash algorithms cracked by quantum computers, it won’t be the last!
Are any cryptocurrencies planning for the post-quantum cryptography world?
Yes, indeed, there are! Here is a short list of ones you may want to know more about:
IOTA[xxii] IOTA uses Winternitz one-time signatures[xxiii]. As the name suggests, an address is considered compromised once it signs a transaction on the network, and, therefore, you can only send from an address one time before it’s compromised.
ADA (Cardano)[xxiv] The Cardano roadmap lists quantum resistant signatures using “BLISS.” While BLISS is a strong hashing method, it has an estimated lifespan with classical computers of 6000 signatures (usages)[xxv] but this number could be significantly reduced with quantum tech.
Ethereum[xxvi] The Ethereum network, as well as many more blockchain networks, use the SHA3[xxvii] hash algorithm which is superior to SHA256. Although this is considered by some to be resistant, it is not technically quantum resistant. There is talk of using Lamport Signatures[xxviii] in the future of Ethereum. Although it is not definite at this point, it’s great to see the developers proactive.
QRL (Quantum Resistant Ledger)[xxix] This blockchain concept was conceived in 2016 and is currently in beta testing. Using XMSS (Extended Merkle Signature Scheme) trees combined with Winternitz one-time signatures (but not one time!), it’s fast, scalable and truly quantum resistant. If you have not yet checked out this project, I highly suggest you do. To understand why this project is truly post-quantum cryptography ready, do your own due diligence and read the QRL whitepaper.
Although I am in no way associated with any project listed above, I do hold coins in all as well as Bitcoin, Litecoin and many others. The thoughts above are based on my personal research, but I make no claims to being a quantum scientist or cryptographer. So, don’t take my word for anything. Instead, do your own research and draw your own conclusions. I’ve included many references below, but there are many more to explore. In conclusion, the intention of this article is not to create fear or panic, nor any other negative effects. It is simply to educate. If you see an error in any of my statements, please, politely, let me know, and I will do my best to update the error. Thanks for reading!
Part 5. I'm writing a series about blockchain tech and possible future security risks. This is the fifth part of the series talking about an advanced vulnerability of BTC.
The previous parts will give you useful basic blockchain knowledge and insights on quantum resistance vs blockchain that are not explained in this part.
Part 1, what makes blockchain reliable?
Part 2, The mathematical concepts Hashing and Public key cryptography.
Part 3, Quantum resistant blockchain vs Quantum computing.
Part 4A, The advantages of quantum resistance from genesis block, A
Part 4B, The advantages of quantum resistance from genesis block, A

Why BTC is vulnerable for quantum attacks sooner than you would think.

Content:
- The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”
- Already exposed public keys.
- Hijacking transactions.
- Hijacks during blocktime.
- Hijacks pre-blocktime.
- MITM attacks.

Why BTC is vulnerable for quantum attacks sooner than you would think.

Blockchain transactions are secured by public-private key cryptography. The key pairs used today will be at risk when quantum computers reach a certain critical level: at a certain point of development, quantum computers can derive private keys from public keys. See part 3 for more sourced info on this subject. So if a public key can be obtained by an attacker, he can then use a quantum computer to find the private key. And as he has both the public key and the private key, he can control and send the funds to an address he owns. Just to make sure there will be no misconceptions: when public-private key cryptography such as ECDSA and RSA can be broken by a quantum computer, this will be an issue for all blockchains that don't use quantum resistant cryptography. The reason this article is about BTC is because I take this paper as a reference point: https://arxiv.org/pdf/1710.10377.pdf Here they calculate an estimate of when BTC will be at risk, taking the BTC block time as the window of opportunity.
The BTC misconception: “Original public keys are not visible until you make a transaction, so BTC is quantum resistant.”

In pretty much every discussion I've read and had on the subject, I notice that people are under the impression that BTC is quantum resistant as long as you use your address only once. BTC uses a hashed version of the public key as a send-to address. So in theory, all funds are registered on the chain on hashed public keys instead of on the full, original public keys, which means that the original public key is (again in theory) not public. Even a quantum computer can't derive the original public key from a hashed public key, so there is no risk that a quantum computer can derive the private key from the public key. If you make a transaction, however, the public key of the address you sent your funds from will be registered in full form in the blockchain. So if you were to only send part of your funds, leaving the rest on the old address, your remaining funds would be on a published public key, and therefore vulnerable to quantum attacks. So the workaround would be to transfer the remaining funds, within the same transaction, to a new address. In that way, your funds would once again be registered on the blockchain on a hashed public key instead of a full, original public key.

If you feel lost already because you are not very familiar with the tech behind blockchain, I will try to explain the above in a more familiar way: you control your funds through your public-private key pair. Your funds are registered on your public key. And you can create transactions, which you need to sign to be valid. You can only create a signature if you have your private key. See it as your e-mail address (public key) and your password (private key). Many people have your email address, but only you have your password. So the analogy is that if you have your address and your password, then you can access your mail and send emails (transactions).
If the right quantum computer were available, people could use it to calculate your password (private key) if they have your email address (public key). Now, because BTC doesn’t show your full public key anywhere until you make a transaction, that sounds pretty safe. It means that your public key is private until you make a transaction. The only thing related to your public key that is public is the hash of your public key. Here is a short explanation of what a hash is: a hash is the outcome of an equation. Usually one-way hash functions are used, where you cannot derive the original input from the output; but every time you use the same hash function on the same original input (for example IFUHE8392ISHF), you will always get the same output (for example G). That way you can have your coins on public key "IFUHE8392ISHF", while on the chain they are registered on "G". So your funds are registered on the blockchain on the "hash" of the public key. The hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to. As said before: since it is, even for a quantum computer, impossible to derive a public key from the hash of a public key, your coins are safe from quantum computers as long as the public key is only registered in hashed form. The obvious safe method would be never to reuse an address, and to always make sure that when you make a payment, you send your remaining funds to a fresh new address. (There are wallets that can do this for you.) In theory, this would make BTC quantum resistant, if used correctly. This, however, is not as simple as it seems. Even though the above is correct, there is a way to get to your funds.

Already exposed public keys.

But before we get to that, there is another point that is often overlooked: not only is the security of your personal BTC important, but also the security of the funds of other users.
If others got hacked, the news of the hack itself and the reaction of the market to that news would influence the market price. Or, if a big account like the Satoshi account were to be hacked and dumped, the dump itself, combined with the news of the hack, could be even worse. An individual does not have control over other people’s actions. So even though one might make sure his public key is only registered in hashed form, others might not do so, or might not know their public key is exposed. There are several reasons why a substantial amount of addresses actually have exposed full public keys:
Only unused addresses are quantum secure, but in reality, there are a lot of people who reuse addresses. (To clarify: with unused I mean an address that has only been used to deposit money on, and not used to make transactions from. Because if you make a deposit, your public key stays hidden, but if you make a transaction from that address to another address, your public key will be revealed.)
Bitcoin transactions with P2PK UTXOs, so these are the addresses from the period that public keys were not hashed, but published in full. (about 1.77 million BTC fall into this category) (https://eprint.iacr.org/2018/213.pdf p. 7) This includes the Satoshi funds.
Any other revealing of public keys, such as part of signed messages to ensure integrity, in forums, or in payment channels (e.g. Lightning Network). (https://eprint.iacr.org/2018/213.pdf p. 7)
In total, about 36% of all BTC are on addresses with exposed public keys, of which about 20% is on lost addresses.

Hijacking transactions.

But even if you consider the above an acceptable risk, just because you yourself will make sure you never reuse an address, then still, the fact that only the hashed public key is published until you make a transaction is a false sense of security. It only works if you never make a transaction. Why? Public keys are revealed while making a transaction, so transactions can be hijacked while being made. Here it is important to understand two things:

1.) How is a transaction sent?

The owner has the private key and the public key and uses them to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address. When he sends the transaction, it will be broadcast to the blockchain network. But before the actual transaction is sent, it is formed into a package, created by the wallet. This happens out of sight of the sender. That package ends up carrying roughly the following info: the public key, to point to the address where the funds will be coming from; the amount that will be transferred; and the address the funds will be transferred to (depending on the blockchain this could be the hashed public key or the original public key of the destination address). This package also carries the most important thing: a signature, created by the wallet, derived from the private-public key combination. This signature proves to the miners that you are the rightful owner and can send funds from that public key. Then this package is sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity", because the sender proves he is the rightful owner by adding the signature that corresponds with the public key.
And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.

2.) How is a transaction confirmed/fulfilled and registered on the blockchain?

After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes. If we process the information written above, we will see that there are two moments where you can actually see the public key while the transaction is not yet fulfilled and registered on the blockchain:
1: during the time the transaction is sent from the sender to the nodes
2: during the time the nodes verify the transaction (the block time)

Hijacks during blocktime

This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else’s address, and send his coins to an address you own during moment 2, the time the nodes verify the transaction: https://arxiv.org/pdf/1710.10377.pdf

"(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address. If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address." (Page 8, point 3.)

So this means that BTC obviously is not a quantum secure blockchain.
Because as soon as you touch your funds and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.

Hijacks pre-blocktime.

The story doesn't end here. The paper doesn't describe the possibility of a pre-blocktime hijack. So back to the paper: as explained, while making a transaction your public key is exposed for at least the transaction time. This transaction time is the 10 minutes during which your transaction is being confirmed, the 10-minute block time. That is the period where your public key is visible and where, as described in the paper, a transaction can be hijacked, and by using quantum computers, a forged transaction can be made. So the critical point is determined to be the moment where quantum computers can derive private keys from public keys within 10 minutes. Based on that 10-minute period, they calculate (estimate) how long it will take before QCs start forming a threat to BTC. (“By our most optimistic estimates, as early as 2027 a quantum computer could exist that can break the elliptic curve signature scheme in less than 10 minutes, the block time used in Bitcoin.” This is also shown in figure 4 on page 10 and later calculated more in depth in appendix C, where the pessimistic estimate is around 2037.) But you could extend that 10 minutes through network-based attacks like DDoS, BGP routing attacks, NSA Quantum Insert, Eclipse attacks, MITM attacks or anything like that. (And I don’t mean you extend the block time by using a network-based attack, but you extend the time you have access to the public key before the transaction is confirmed.) Bitcoin would be at risk earlier than calculated in this paper. Also, other blockchains with way shorter block times imagine themselves safe for a longer period than BTC, but with this extension of the timeframe within which you can derive the private key, they too will be vulnerable way sooner.
Not so long ago an eclipse attack demonstrated it could have done the trick. Causing the blockchain to work over max capacity means the transactions will be waiting to be added to a block for a longer time. This time needs to be added to the block time, expanding the period one would have to derive the private key from the public key. That seems to be fixed now, but it shows there are always new attacks possible, and when the incentive is right (like a few billion $ kind of right) these could be specifically designed for certain blockchains.

MITM attacks

An MITM attack could find the public key in the first moment the public key is exposed (during the time the transaction is sent from the sender to the nodes). So these transactions that are sent to the network contain public keys that you could intercept. So that means that if you intercept transactions (and with that the public keys) and simultaneously delay their arrival at the blockchain network, you create extra time to derive the private key from the public key using a quantum computer. When you have done that, you send a transaction of your own before the original transaction has arrived and is confirmed, and send funds from that stolen address to an address of your choosing. The result would be that you have an extra 10, 20, 30 minutes (or however long you can delay the original transactions) to derive the private key. This can be done without ever needing to mess with a blockchain network, because the attack happens outside the network. Therefore, slower quantum computers also form a threat, meaning that earlier models of quantum computers can form a threat than is assumed now. When MITM attacks and hijacking transactions form a threat to BTC, other blockchains will be vulnerable to the same attacks, especially MITM attacks. There are ways to prevent hijacking after arrival at the nodes. I will elaborate on that in the next article.
At this point in time, the pub key would be useless to an attacker, due to the fact that there is no quantum computer available now. Once a quantum computer of the right size is available, it becomes a problem. For quantum resistant blockchains this is different. MITM attacks and hijacking are useless against quantum resistant blockchains like QRL and Mochimo, because these projects use quantum resistant keys.
“We only have public keys in hashed form published. Even quantum computers can't reverse the Hash, so no one can use those public keys to derive the private key. That's why we are quantum resistant.” This is incorrect.
This example has been explained in the previous article. To summarize: hashed public keys can be used as an address for deposits. Deposits do not need signature authentication. Withdrawals, however, do need signature authentication. To authenticate a signature, the public key will always need to be made public in full, original form. As a necessary requirement, the full public key would be needed to spend coins. Therefore the public key will be included in the transaction. The most famous blockchain to use hashed public keys is Bitcoin. Transactions can be hijacked during the period between the moment a user sends a transaction from his or her device to the blockchain and the moment the transaction is confirmed. For example: during Bitcoin's 10-minute block time, the full public keys can be obtained to find private keys and forge transactions (page 8, point 3 of the paper cited above). Hashing public keys does have advantages: hashes are smaller than the original public keys, so it does save space on the blockchain. It doesn't give you quantum resistance, however. That is a misconception.
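To make the "full public key is included in the transaction" point concrete, here is an added example (not code from the article) that serialises a constructed legacy Bitcoin transaction the way a wallet would broadcast it, parses it back, and reports which public keys it exposes: the key revealed by spending a P2PKH output, the key sitting in the open in a P2PK output, and the outputs that carry only a hash. The signature, keys and hash values in it are placeholders, not real ones.

```python
import hashlib

# --- constructed sample material (placeholders, not real keys or a real signature) ---
SIG = b"\x30\x44" + bytes(67) + b"\x01"        # 70 bytes, a DER-sized dummy signature
PUB33 = b"\x02" + b"\x11" * 32                 # compressed-public-key placeholder
PUB65 = b"\x04" + b"\x22" * 64                 # uncompressed-public-key placeholder
HASH160 = b"\x33" * 20                         # placeholder for HASH160(pubkey)


def _push(data: bytes) -> bytes:
    """Direct push opcode for 1..75 bytes: <len><data>."""
    return bytes([len(data)]) + data


def _varint(n: int) -> bytes:
    return bytes([n]) if n < 0xFD else b"\xfd" + n.to_bytes(2, "little")


def build_sample_tx() -> bytes:
    """Two inputs and two outputs, serialised as a legacy (pre-SegWit) transaction."""
    sig_p2pkh = _push(SIG) + _push(PUB33)      # spends a P2PKH output: the key appears here
    sig_p2pk = _push(SIG)                      # spends a P2PK output: the key was already on chain
    txin1 = b"\xaa" * 32 + (0).to_bytes(4, "little") + _varint(len(sig_p2pkh)) + sig_p2pkh + b"\xff" * 4
    txin2 = b"\xbb" * 32 + (1).to_bytes(4, "little") + _varint(len(sig_p2pk)) + sig_p2pk + b"\xff" * 4
    spk_p2pkh = b"\x76\xa9\x14" + HASH160 + b"\x88\xac"   # OP_DUP OP_HASH160 <20> OP_EQUALVERIFY OP_CHECKSIG
    spk_p2pk = _push(PUB65) + b"\xac"                      # <pubkey> OP_CHECKSIG (Satoshi-era style)
    out1 = (50_000).to_bytes(8, "little") + _varint(len(spk_p2pkh)) + spk_p2pkh
    out2 = (40_000).to_bytes(8, "little") + _varint(len(spk_p2pk)) + spk_p2pk
    return (1).to_bytes(4, "little") + _varint(2) + txin1 + txin2 + _varint(2) + out1 + out2 + bytes(4)


def _read_varint(buf: bytes, i: int):
    b = buf[i]
    if b < 0xFD:
        return b, i + 1
    width = {0xFD: 2, 0xFE: 4, 0xFF: 8}[b]
    return int.from_bytes(buf[i + 1:i + 1 + width], "little"), i + 1 + width


def parse_tx(raw: bytes):
    """Minimal legacy transaction parser: returns (inputs, outputs, locktime)."""
    i = 4                                           # skip the version field
    n_in, i = _read_varint(raw, i)
    inputs = []
    for _ in range(n_in):
        prev_txid = raw[i:i + 32][::-1].hex()
        prev_index = int.from_bytes(raw[i + 32:i + 36], "little")
        slen, i = _read_varint(raw, i + 36)
        inputs.append((prev_txid, prev_index, raw[i:i + slen]))
        i += slen + 4                               # script, then the sequence field
    n_out, i = _read_varint(raw, i)
    outputs = []
    for _ in range(n_out):
        value = int.from_bytes(raw[i:i + 8], "little")
        slen, i = _read_varint(raw, i + 8)
        outputs.append((value, raw[i:i + slen]))
        i += slen
    return inputs, outputs, int.from_bytes(raw[i:i + 4], "little")


def pushed_data(script: bytes):
    """Data elements pushed by a script; non-push opcodes are skipped."""
    items, i = [], 0
    while i < len(script):
        op = script[i]
        i += 1
        if 1 <= op <= 75:
            items.append(script[i:i + op])
            i += op
        elif op == 0x4C:                            # OP_PUSHDATA1
            n = script[i]
            items.append(script[i + 1:i + 1 + n])
            i += 1 + n
    return items


def looks_like_pubkey(data: bytes) -> bool:
    return (len(data) == 33 and data[0] in (2, 3)) or (len(data) == 65 and data[0] == 4)


def classify_output(script: bytes) -> str:
    if len(script) == 25 and script[:3] == b"\x76\xa9\x14" and script[-2:] == b"\x88\xac":
        return "p2pkh"                              # only HASH160(pubkey) is on chain
    pushes = pushed_data(script)
    if script.endswith(b"\xac") and len(pushes) == 1 and looks_like_pubkey(pushes[0]):
        return "p2pk"                               # full key on chain from the deposit onward
    return "other"


def audit_exposure(raw: bytes) -> dict:
    """Which public keys does this transaction make visible to anyone watching the network?"""
    inputs, outputs, _ = parse_tx(raw)
    return {
        "exposed_by_spend": [d.hex() for _, _, s in inputs for d in pushed_data(s) if looks_like_pubkey(d)],
        "exposed_by_deposit": [pushed_data(s)[0].hex() for _, s in outputs if classify_output(s) == "p2pk"],
        "hashed_only_outputs": sum(classify_output(s) == "p2pkh" for _, s in outputs),
        "txid": hashlib.sha256(hashlib.sha256(raw).digest()).digest()[::-1].hex(),
    }


if __name__ == "__main__":
    for key, value in audit_exposure(build_sample_tx()).items():
        print(key, value)
```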
“Besides having only hashed public keys on the blockchain, we also have instant transactions. So there is no time to hijack a transaction and to obtain the public key fast enough to forge a transaction. That's why we are quantum resistant.” This is incorrect and impossible.
There is no such thing as instant transactions. A zero-second block time, for example, is a claim that can’t be made. Period. Furthermore, transactions are collected in pools before they are added to a block that is going to be processed. The time it takes for miners to add them to a new block before processing that block depends on the amount of transactions a blockchain needs to process at a certain moment. When a blockchain operates within its maximum capacity (the maximum amount of transactions that a blockchain can process per second), the adding of transactions from the pool will go quite swiftly, but still not instantaneously. However, when there is high transaction density, transactions can be stuck in the pool for a while. During this period the transactions are published and the full public keys can be obtained. Just as with the previous hijacking example, a transaction can be forged in that period of time. It can be done when the blockchain functions normally, and whenever the maximum capacity is exceeded, the window of opportunity grows for hackers. Besides the risk that rush hours would bring by extending the time to work with the public key and forge transactions, there are network-based attacks that could serve the same purpose: slow the confirmation time and create a bigger window to forge transactions. These are types of attacks where the attacker targets the network instead of the sender of the transaction. Performing a DDoS attack or BGP routing attack or NSA Quantum Insert attack on a peer-to-peer network would be hard. But when provided with an opportunity to earn billions, hackers would find a way. For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/ For BTC: https://eprint.iacr.org/2015/263.pdf An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain.
That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do. This specific example seems to be fixed now, but it most definitely shows there is a risk of other variations to be created. Keep in mind, before this variation of attack was known, the common opinion was that it was impossible. With little incentive to create such an attack, it might take a while until another one is developed. But when the possession of full public keys equals the possibility to forge transactions, all of a sudden billions are at stake.
“Besides only using hashed public keys as addresses, we use the First In First Out (FIFO) mechanism. This solves the forged transaction issue, as they will not be confirmed before the original transactions. That's why we are quantum resistant.” This is incorrect.
There is another period where the public key is openly available: the moment where a transaction is sent from the user's device to the nodes on the blockchain network. The sent transaction can be delayed or totally blocked from arriving at the blockchain network. While this happens the attacker can obtain the public key. This is a man-in-the-middle (MITM) attack. A MITM is an attack where the attacker secretly relays and possibly alters the communication between two parties who believe they are directly communicating with each other. No transaction is 100% safe from a MITM attack.

This type of attack isn’t commonly known amongst average user groups due to the fact communication is done either encrypted or by the use of public-private key cryptography. Therefore, at this point of time MITM attacks are not an issue, because the information in transactions is useless for hackers. To emphasize the point made: a MITM attack can be done at this point of time to your transactions. But the information obtained by a hacker is useless because he cannot break the cryptography. The encryption and public-private key cryptography is safe at this point of time. ECDSA and RSA cannot be broken yet.

But in the era of quantum computers the problem is clear: an attacker can obtain the public key and create enough time to forge a transaction which will be sent to the blockchain and arrive there first without the network having any way of knowing the transaction is forged. By doing this before the transaction reaches the blockchain, FIFO will be useless. The original transaction will be delayed or blocked from reaching the blockchain. The forged transaction will be admitted to the network first. And First In First Out will actually help the forged transaction to be confirmed before the original.
“Besides having only hashed public keys, we use small standardized fees. Forged transactions will not be able to use higher fees to get prioritized and confirmed before the original transactions, thus when the forged transaction tries to confirm, the address is already empty. This is why we are quantum resistant.” This is incorrect.
The same arguments apply as with the FIFO system. The attack can be done before the original transaction reaches the network. Thus the forged transaction will still be handled first no matter the fee height.
“Besides the above, we use multicast so all nodes receive the transaction at the same time. That's why we are quantum resistant.” This is incorrect.
Multicast is useless against a MITM attack when the attacker is close enough to the source.
“Besides the above, we number all our transactions and authenticate nodes so the user always knows who he's talking to. That's why we are quantum resistant.” This is incorrect.
Besides the fact that you’re working towards a centralized system if only verified people can become nodes, and besides the fact that verified nodes can also go bad and work with hackers (which would be useless if quantum resistant signature schemes were implemented, because a node or a hacker would have no use for quantum resistant public keys and signatures), there are various ways of impersonating either side of a communication channel: IP-spoofing, ARP-spoofing, DNS-spoofing etc. All a hacker needs is time and position. Time can be created in several ways as explained above. All the information in the transaction an original user sends is valid. When a transaction is hijacked and the communication between the user and the rest of the network is blocked, a hacker can copy that information to his own transaction while using a forged signature.

The only real effective defense against MITM attacks can be done on the router or server side by strong encryption between the client and the server (which in this case would be quantum resistant encryption, but then again you could just as well use a quantum resistant signature scheme), or you use server authentication, but then you would need that to be quantum resistant too. There is no serious protection against MITM attacks when the encryption of the data and the authentication of a server can be broken by quantum computers. Only quantum resistant signature schemes will secure blockchain against quantum hacks. Every blockchain will need its users to communicate their public key to the blockchain to authenticate signatures and make transactions. There will always be ways to obtain those keys while they are being communicated and to stretch the period where these keys can be used to forge transactions. Once you have them, you can move funds to your own address, a bitcoin mixer, Monero, or some other privacy coin.
Conclusion

There is only one way to currently achieve Quantum Resistance: by making sure the public key can be made public without any risks, as is done now in the pre-quantum period and as Satoshi has designed blockchain. Thus by the use of quantum resistant signature schemes. The rest is all a patchwork of risk mitigation and delaying strategies; they make it slightly harder to obtain a public key and forge a transaction but not impossible.

Addition

And then there is quite often this strategy of postponing quantum resistant signature schemes:
“Instead of ECDSA with 256 bit keys we will just use 384 bit keys. And after that 521 bit keys, and then RSA 4096 keys, so we will ride it out for a while. No worries we don’t need to think about quantum resistant signature schemes for a long time.” This is highly inefficient, and creates more problems than it solves.
Besides the fact that this doesn’t make a project quantum resistant, it is nothing but postponing the switch to quantum resistant signatures; it is not a solution. Going from 256 bit keys to 384 bit keys would mean a quantum computer with ~3484 qubits instead of ~2330 qubits could break the signature scheme. That is not even double and postpones the problem either half a year or one year, depending on which estimate you take (doubling of qubits every year, or every two years). It does however have the same problems as a real solution and is just as much work (changing the code, upgrading the blockchain, finding consensus amongst the nodes, upgrading all supporting systems, hoping the exchanges all go along with the new upgrade and migrate their coins, having all users migrate their coins). And then quite soon after that, they'll have to go at it again. What will they do next? Go for 512 bit curves? Same issues. It's just patchwork and just as much hassle, but then over and over again for every “upgrade” from 384 to 521 etc.

And with every upgrade the signatures get bigger, and closer to the quantum resistant signature sizes, and thus the advantage you have over blockchains with quantum resistant signature schemes gets smaller. While the quantum resistant blockchains are just steadily going and their users aren’t bothered with all the hassle, at the same time the users of the blockchain that is constantly upgrading to a bigger key size keep on needing to migrate their coins to the new and upgraded addresses to stay safe.
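The qubit figures in the post above (~2330 for 256-bit keys, ~3484 for 384-bit keys) come out of the logical-qubit estimate for the elliptic-curve discrete logarithm by Roetteler, Naehrig, Svore and Lauter (2017), 9n + 2⌈log2 n⌉ + 10 for an n-bit curve. The following is an added example, not the post author's code; it reproduces those figures, carries the "qubits double every year or two" reasoning through the whole 256 → 384 → 521 escalation path (the doubling period is the post's assumption, not a measurement), and adds the growth of raw ECDSA signature sizes that the post mentions.

```python
import math

# Logical-qubit estimate for running Shor's algorithm against the discrete
# logarithm on an n-bit prime-field elliptic curve, from Roetteler, Naehrig,
# Svore and Lauter, "Quantum resource estimates for computing elliptic curve
# discrete logarithms" (2017): 9n + 2*ceil(log2 n) + 10. For n = 256 this gives
# the ~2330 figure quoted in the post; for n = 384 it gives ~3484. These are
# logical qubits; physical qubit counts with error correction are far higher.
def ecdlp_qubits(n_bits: int) -> int:
    return 9 * n_bits + 2 * math.ceil(math.log2(n_bits)) + 10

# A raw ECDSA signature is the pair (r, s), each an n-bit scalar.
def ecdsa_signature_bytes(n_bits: int) -> int:
    return 2 * math.ceil(n_bits / 8)

# How many qubit doublings a key-size upgrade buys: the attacker's machine has
# to grow by this factor before the new curve is within reach.
def doublings_gained(n_from: int, n_to: int) -> float:
    return math.log2(ecdlp_qubits(n_to) / ecdlp_qubits(n_from))

# Time bought by the upgrade under a simple "qubits double every P years"
# model. The period P is an assumption (the post hedges between 1 and 2 years).
def years_gained(n_from: int, n_to: int, doubling_period_years: float) -> float:
    return doublings_gained(n_from, n_to) * doubling_period_years

def upgrade_path(sizes, doubling_periods=(1.0, 2.0)):
    """Tabulate each step of a key-size escalation plan, e.g. [256, 384, 521].
    Each successive step buys less time while the signatures keep growing."""
    rows = []
    for n_from, n_to in zip(sizes, sizes[1:]):
        rows.append({
            "from_bits": n_from,
            "to_bits": n_to,
            "qubits_from": ecdlp_qubits(n_from),
            "qubits_to": ecdlp_qubits(n_to),
            "sig_bytes_to": ecdsa_signature_bytes(n_to),
            "years_gained": {p: round(years_gained(n_from, n_to, p), 2)
                             for p in doubling_periods},
        })
    return rows

if __name__ == "__main__":
    for row in upgrade_path([256, 384, 521]):
        print(row)
```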
I decided to post this here as I saw some questions on the QRL discord.
Is elliptic curve cryptography quantum resistant?
Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea that never reusing a private key (and public key since they form a pair) from elliptic curve cryptography would be quantum resistant.)
Why would Nexus be any different?
Why are WOTS+ signatures (and by extension XMSS) quantum resistant?
What is WOTS+?
What are the risks of WOTS+?
How is XMSS different?
Is elliptic curve cryptography quantum resistant?

No. Using a quantum computer, Shor's algorithm can be used to break the Elliptic Curve Digital Signature Algorithm (ECDSA). Meaning: they can derive the private key from the public key. So if they got your public key, they got your private key, and they can empty your funds.
https://en.wikipedia.org/wiki/Elliptic-curve_cryptography#Quantum_computing_attacks
https://eprint.iacr.org/2017/598.pdf

Why do people say that BTC is quantum resistant, while they use elliptic curve cryptography? (Here comes the idea that never reusing a private key from elliptic curve cryptography (and public key since they form a pair) would be quantum resistant.)

Ok, just gonna start with the basics here. Your address, where you have your coins stored, is locked by your public-private key pair. See it as your e-mail address (public key) and your password (private key). Many people got your email address, but only you have your password. If you got your address and your password, then you can access your mail and send emails (transactions). Now if there were a quantum computer, people could use that to calculate your password/private key, if they have your email address/public key.

What is the case with BTC: they don't show your public key anywhere, until you make a transaction. So your public key is private until you make a transaction. How do they do that while your funds must be registered on the ledger? Well, they only show the hash of your public key. (A hash is an outcome of an equation. Usually one-way hash functions are used, where you can not derive the original input from the output. But every time you use the same hash function on the same original input (for example IFUHE8392ISHF), you will always get the same output (for example G). That way you can have your coins on public key IFUHE8392ISHF, while on the chain, they are on G.) So your funds are registered on the blockchain on the "hash" of the public key.
The hash of the public key is also your "email address" in this case. So you give "G" as your address to send BTC to. By the way, in the early days you could use your actual public key as your address. And miners would receive coins on their public key, not on the hashed public key. That is why all the Satoshi funds are vulnerable to quantum attacks even though these addresses have never been used to make transactions from. These public keys are already public instead of hashed. Also certain hard forks have exposed the public keys of unused addresses. So it's really a false sense of security that most people hang on to in the first place. But it's actually a false sense of security over all.

Since it is impossible to derive a public key from the hash of a public key, your coins are safe from quantum computers as long as you don't make any transaction. Now here follows the biggest misconception: pretty much everyone will think, great, so BTC is quantum secure! It's not that simple. Here it is important to understand two things:

1. How is a transaction sent?

The owner has the private key and the public key and uses that to log into the secured environment, the wallet. This can be online or offline. Once he is in his wallet, he states how much he wants to send and to what address. When he sends the transaction, it will be broadcast to the blockchain network. But before the actual transaction is sent, it is formed into a package, created by the wallet. This happens out of sight of the sender. That package ends up carrying roughly the following info: the public key to point to the address where the funds will be coming from, the amount that will be transferred, the public key of the address the funds will be transferred to. Then this package carries the most important thing: a signature, created by the wallet, derived from the private-public key combination.
This signature proves to the miners that you are the rightful owner and you can send funds from that public key. So this package is then sent out of the secure wallet environment to multiple nodes. The nodes don’t need to trust the sender or establish the sender’s "identity." And because the transaction is signed and contains no confidential information, private keys, or credentials, it can be publicly broadcast using any underlying network transport that is convenient. As long as the transaction can reach a node that will propagate it into the network, it doesn’t matter how it is transported to the first node.

2. How is a transaction confirmed/fulfilled and registered on the blockchain?

After the transaction is sent to the network, it is ready to be processed. The nodes have a bundle of transactions to verify and register on the next block. This is done during a period called the block time. In the case of BTC that is 10 minutes.

If you comprehend the information written above, you can see that there are two moments where you can actually see the public key, while the transaction is not fulfilled and registered on the blockchain yet.
1: during the time the transaction is sent from the sender to the nodes
2: during the time the nodes verify the transaction.

This paper describes how you could hijack a transaction and make a new transaction of your own, using someone else's address to send his coins to an address you own during moment 2, the time the nodes verify the transaction: https://arxiv.org/pdf/1710.10377.pdf

"(Unprocessed transactions) After a transaction has been broadcast to the network, but before it is placed on the blockchain it is at risk from a quantum attack. If the secret key can be derived from the broadcast public key before the transaction is placed on the blockchain, then an attacker could use this secret key to broadcast a new transaction from the same address to his own address.
If the attacker then ensures that this new transaction is placed on the blockchain first, then he can effectively steal all the bitcoin behind the original address."

So this means that practically, you can't call BTC a quantum secure blockchain. Because as soon as you touch your coins and use them for payment, or send them to another address, you will have to make a transaction and you risk a quantum attack.

Why would Nexus be any different?

If you ask the wrong person they will tell you "Nexus uses a combination of the Skein and Keccak algorithms which are the 2 recognized quantum resistant algorithms (Keccak is used by the NSA) so instead of sha-256, Nexus has SK-1024 making it much harder to break." Which would be the same as saying BTC is quantum resistant because they use a hashing function to hash the private key as long as no transaction is made. No, this is their solid try to be quantum resistant: Nexus states it's different because they have instant transactions (so there wouldn't be a period during which time the nodes verify the transaction; this period would be instant). Also they use a particular order in which the miners verify transactions: First-In-First-Out (FIFO) (so even if instant is not instant after all, and you would be able to catch a public key and derive the private key, you wouldn't be able to have your transaction signed before the original one; the original one is first in line, and will therefore be confirmed first). Also for some reason Nexus has standardized fees which are burned after a transaction. So if FIFO wouldn't do the trick you would not be able to use a higher fee to get prioritized and get an earlier confirmation. So, during the time the nodes verify the transaction, you would not be able to hijack a transaction. GREAT, you say? Yes, great-ish. Because there is still moment #1: during the time the transaction is sent from the sender to the nodes.
This is where network based attacks could do the trick: there are network based attacks that can be used to delay or prevent transactions from reaching nodes. In the meantime the transactions can be hijacked before they reach the nodes. And thus one could hijack the non quantum secure public keys (they are openly included in sent signed transactions) which then can be used to derive private keys before the original transaction is made. So this means that even if Nexus has instant transactions in FIFO order, it is totally useless, because the public key would be obtained by the attacker before they reach the nodes.

Conclusion: Nexus is not quantum resistant. You simply can't be without using a post quantum signature scheme.

Performing a DDoS attack or BGP routing attacks or NSA Quantum Insert attacks on a peer to peer network would be hard. But when provided with an opportunity to steal billions, hackers would find a way. For example: https://bitcoinmagazine.com/articles/researchers-explore-eclipse-attacks-ethereum-blockchain/ For BTC: https://eprint.iacr.org/2015/263.pdf "An eclipse attack is a network-level attack on a blockchain, where an attacker essentially takes control of the peer-to-peer network, obscuring a node’s view of the blockchain." That is exactly the recipe for what you would need to create extra time to find public keys and derive private keys from them. Then you could sign transactions of your own and confirm them before the originals do. By the way, yes this seems to be fixed now, but it most definitely shows it's possible. And there are other creative options. Either you stop transactions from the base to get out, while the sender thinks they're sent, or you blind the network and catch transactions there. There are always options, and they will be exploited when billions are at stake.

The keys can also be hijacked when a transaction is sent from the user's device to the blockchain network using a MITM attack.
The result is the same as for network based attacks, only now you don't mess with the network itself. These attacks make it possible to 1) retrieve the original public key that is included in the transaction message, 2) stop or delay the transaction message from arriving at the blockchain network. So, using a quantum computer, you could hijack transactions and create forged transactions, which you then send to the nodes to be confirmed before the nodes even receive the original transaction. There is nothing you could change in the Nexus network to prevent this. The only thing they can do is implement a quantum resistant signature scheme. They plan to do this in the future, like any other serious blockchain project. Yet Nexus is the only one of these future quantum resistant projects to prematurely claim to be quantum resistant. There is only one way to get quantum resistance: POST QUANTUM SIGNATURE SCHEMES. All the rest is just a shitty shortcut that won't work in the end.

(If you use this info on BTC, you will find that the 10 minutes blocktime that is used to estimate when BTC will be vulnerable to quantum attacks can actually be more than 10 minutes if you catch the public key before the nodes receive it. This makes BTC vulnerable sooner than the 10 min blocktime would make you think.)

By the way, Nexus using FIFO and standardized fees which are burned after the transaction comes with some huge downsides:
FIFO: If there are a lot of transactions, there would be nothing you can do to create a faster transaction. If you need a quick transaction during rush hours, you can’t pay a higher fee to get priority.
Fees are burned after the transactions. This means they are not sent to miners, which would lessen the incentive to mine. Also, because only block rewards pay miners, what if the max supply is reached in the future and there is nothing to pay out block rewards? What would be the incentive to mine or stake?
The risk that comes with small standardized fees is that when someone is willing to pay to harm or spam your chain, they can force spam or small transactions into the system without you being able to stop them. (Miners wouldn't be able to exclude lower fee transactions containing spam or extremely small amounts meant for clogging the chain)
Another risk that comes with small standardized fees would be this: how do you prevent a big backlog if there is no higher fee incentive for miners at rush hours to come mine? Usually fees follow the free market. So the larger the backlog of transactions, the higher the fees usually are. This then leads to more miners joining in and that way reducing the backlog. Having fixed fees would cancel out that possibility. So the risk of backlog would be huge.
Why are WOTS+ signatures (and by extension XMSS) more quantum resistant?

First of all, this is where the top notch mathematicians work their magic. Cryptography is mostly maths. As Jackalyst puts it talking about post quantum signature schemes: "Having papers written and cryptographers review and discuss it to nauseating levels might not be important for butler, but it's really important with signature schemes and other cryptographic methods, as they're highly technical in nature." If you don't believe in math, think about Einstein using math predicting things most couldn't even imagine, let alone measure back then. Then there is implementing it the right way into your blockchain without leaving any backdoors open. So why is WOTS+ and by extension XMSS quantum resistant? Because math papers say so. With WOTS it would even take a quantum computer too much time to derive a private key from a public key.
https://en.wikipedia.org/wiki/Hash-based_cryptography
https://eprint.iacr.org/2011/484.pdf

What is WOTS+?

It's basically an optimized version of Lamport signatures. WOTS+ (Winternitz one-time signature) is a hash-based, post-quantum signature scheme. So it's a post quantum signature scheme meant to be used once.

What are the risks of WOTS+?

Because each WOTS publishes some part of the private key, they rapidly become less secure as more signatures created by the same public/private key are published. The first signature won't have enough info to work with, but after two or three signatures you will be in trouble. IOTA uses WOTS. Here's what the people over at the cryptography subreddit have to say about that: https://www.reddit.com/crypto/comments/84c4ni/iota_signatures_private_keys_and_address_reuse/?utm_content=comments&utm_medium=user&utm_source=reddit&utm_name=u_QRCollector With the article: http://blog.lekkertech.net/blog/2018/03/07/iota-signatures/ Mochimo uses WOTS+.
They kinda solved the problem: a transaction consists of a "Source Address", a "Destination Address" and a "Change Address". When you transact to a Destination Address, any remaining funds in your Source Address will move to the Change Address. To transact again, your Change Address then becomes your Source Address. But what if someone already has your first address and is unaware of the fact you already sent funds from that address? He might just send funds there. (I mean in a business environment this would make Mochimo highly impractical.) They need to solve that. Who knows, it's still a young project. But then again, for some reason they also use FIFO and fixed fees, so there I have the same objections as for Nexus.

How is XMSS different?

XMSS uses WOTS in a way that you can actually reuse your address. WOTS creates a quantum resistant one time signature and XMSS creates a tree of those signatures attached to one address so that the address can be reused for sending an asset.
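To make the "one-time" property the post above describes concrete, here is an added example (not QRL's, Mochimo's or IOTA's code) of a simplified Winternitz one-time signature over SHA-256 with w = 16, the parameter XMSS uses, but without the WOTS+ bitmasks and hash addressing. It signs and verifies, and then measures, per hash chain, how many hash steps still separate what a signer has published from that chain's secret after one, two and three signatures from the same key, which is exactly the leakage that makes reuse dangerous and that XMSS's tree of one-time keys avoids.

```python
import hashlib
import os

# Parameters of a simplified Winternitz OTS (the shape XMSS/QRL use, without
# the WOTS+ bitmasks and hash addressing): w = 16 means every signed value is
# a hash chain advanced by one base-16 digit of the message digest.
W = 16
N = 32                  # SHA-256 output length in bytes
LEN1 = 2 * N            # 64 base-16 digits cover a 256-bit digest
LEN2 = 3                # checksum digits: max checksum is 64 * 15 = 960 < 16**3
LEN = LEN1 + LEN2       # hash chains per one-time key pair

def H(x: bytes) -> bytes:
    return hashlib.sha256(x).digest()

def chain(x: bytes, steps: int) -> bytes:
    """Apply H `steps` times: walk `steps` positions along a hash chain."""
    for _ in range(steps):
        x = H(x)
    return x

def digits(msg: bytes) -> list:
    """Base-16 digits of H(msg), followed by the base-16 checksum.
    The checksum grows when message digits shrink, so nobody can turn a
    signature into one for a message with larger digits: that would need
    smaller checksum digits, i.e. chain positions the signer never published."""
    d = []
    for b in H(msg):
        d += [b >> 4, b & 0x0F]
    csum = sum(W - 1 - m for m in d)
    d += [(csum >> 8) & 0x0F, (csum >> 4) & 0x0F, csum & 0x0F]
    return d

def keygen():
    """Secret key: LEN random chain starts. Public key: every chain run to its end."""
    sk = [os.urandom(N) for _ in range(LEN)]
    pk = [chain(s, W - 1) for s in sk]
    return sk, pk

def sign(sk: list, msg: bytes) -> list:
    # Element i is chain i advanced by digit m_i from the secret. A digit of 0
    # publishes the raw secret of that chain; 15 publishes only the public value.
    return [chain(s, m) for s, m in zip(sk, digits(msg))]

def verify(pk: list, msg: bytes, sig: list) -> bool:
    # Completing each chain from the signature element must reach the public key.
    return all(chain(s, W - 1 - m) == p for s, m, p in zip(sig, digits(msg), pk))

def remaining_steps(msgs: list) -> list:
    """Per chain, how many hash steps still separate the lowest value a signer has
    published (over all `msgs` signed with the same key) from that chain's secret.
    Depends only on the messages, not on the key material."""
    lowest = [W - 1] * LEN      # nothing below the public value published yet
    for msg in msgs:
        for i, m in enumerate(digits(msg)):
            lowest[i] = min(lowest[i], m)
    return lowest

def exposure_report(msgs: list) -> dict:
    """Summarise the leakage the post describes: how much of the one-time key
    has been handed out after reusing it for `msgs`."""
    rem = remaining_steps(msgs)
    return {
        "signatures": len(msgs),
        "chains_with_secret_published": sum(1 for r in rem if r == 0),
        "mean_steps_from_secret": sum(rem) / LEN,
    }

if __name__ == "__main__":
    sk, pk = keygen()
    msgs = [b"constructed sample tx %d" % i for i in range(3)]   # constructed messages
    assert all(verify(pk, m, sign(sk, m)) for m in msgs)
    for k in range(1, len(msgs) + 1):
        print(exposure_report(msgs[:k]))     # leakage grows with every reuse
```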
More unanswered questions about Bitcoin from a butthurt crypto critic
copypasta'd from my zerohedge comment section

These people still haven't adequately explained several things to us

1) Why they think that totalitarian governments who now have quantum computers and 5000+ qbit processors can't unzip the blockchain and aren't actively doing this now or trying to. We know that a 4 qbit processor can crack a 4bit encryption by merit of the fact it calculates all possible solutions in parallel and picks the correct one, whereas a linear processor must try each one sequentially, making time to brute force crack a password grow at least linearly/proportionately with the size of the key(s) or geometrically with stronger crypto algorithms. The point is that these algos are not quantum proof, and that is said in their own literature in science journals. So that's point 1.

2) Point 2--Why adopt and put all your faith in this scheme if the governments haven't sanctioned it? And even if they have, they are super DUPER corrupt. The last year alone and all the scandals should tell you how the CIA operates and they have actively been trying to create a 2 class society of upper and underclass....why do you think a system like this is safe if it truly empowers the underclass and isn't a ploy to get them to invest their actual dollars into it and then turn the lights off and that money has been taken away. You may say, 'taken away'? You mean destroyed, right? When stock falls it's gone right? NO. Not in the case of crypto. If you mined it, then the energy industry has your money, because it took money to mine bitcoin.
3) Bitcoin is so difficult to mine now (complexity has increased) that the barrier to entry is so high that you have to own a solar farm of your own and a datacenter to do it; so most people either PAY for bitcoin, or they PAY someone else with a datacenter to mine in the cloud, which is increasingly a stupid option because it's risky and the payoff is not so much as to be more desirable than buying bitcoin. Where do you buy bitcoin then? Especially since it keeps going UP UP UP, who in their right mind is going to sell it? Exchanges. Where do they get their bitcoin from? Mining? HAHA that's a laugh, miners making bitcoin aren't going to sell it. Where do you get bitcoin from when no one wants to sell?

4) Well you get it from Exchanges. Ok who owns the exchanges? .... ....Anyone..? ...? I'm guessing it's the CIA / NSA / DEA. After all they confiscated a ton of bitcoin from darknet drug sites and continue to do so on a daily basis. With the shutdown of Silk Road, Silk Road 2, Silk Road 2.2, Alphabay, they are setting people up, getting their bitcoin and their drugs. Wash rinse recycle. Bitcoin price goes up as it becomes more rare...right? I mean you thought this was just from some market cap going up at an accelerated pace? Why would it do that if the complexity is getting harder....? ..Oh because the NSA is using their computers now probably to mine bitcoin to keep this illusion going. Some people are probably injecting real money into this thing, but they are buying bitcoin from the FBI, Counterintelligence, DEA, CIA, NSA, etc...the intelligence community as a drug interdiction/money laundering darknet honeypot by my estimation. I could be very wrong. We don't know but it's a better explanation than any I've heard.

5) Anyone (like the teen) who bought into bitcoin and then bought a house with it will eventually be targeted by Sessions / DOJ for failing to pay capital gains tax on it. Therefore it will be subject to asset forfeiture and seized by the government.
I KNOW this is going to happen. I KNOW IT WILL. You can be all cavalier about it, but this is an inevitability. I don't see Congress passing any kind of bitcoin or crypto related capital gains tax bills because these people can't find their way out of a paper bag or even remember to take their Alzheimer's meds, much less understand EVEN REMOTELY how crypto works. So the DOJ/IRS are going to use this as a mass wealth grab strategy and the media will just be like, "hey you don't get something for nothing", "no free lunch", "#shrugsnotdrugs", "bit what?"

So if they legitimize bitcoin, they will probably asset forfeiture. If they de-legitimize bitcoin, they will use the incredible infrastructure of the NSA to block bitcoin like they've done bittorrent and VPNs. You'll fight them for a while but you will fail. ISPs will be mandated to block or cut off your internet if you use crypto. I doubt they'll do option 2, so they'll do option 1 and take your unpaid capital gains tax.
A way to solve Monero's quantum, scaling, and slight-trust problems
Put your tin foil hats on for a second. In 2014, scientists used 4 qubits and Shor's algorithm to factor the number 56,153. In 2016, the Pentagon got audited and could not account for 6.5 trillion fucking dollars lol. What if they used that money to develop a quantum computer, capable of breaking all modern encryption! :O It would give the U.S. (if successfully kept a secret) one of the biggest advantages over every single country that the world has ever seen, and this advantage would justify almost any expense.. What if they have one right now?! OK you can take your hats off.

Let me start off by saying that I do not think the U.S. has such a quantum computer. In fact, I would argue that it is super, super, super unlikely, at least at this very second. However, I would also argue that it does not === 0% either. Maybe it is .0000001%, or maybe it's .000000000001%. Regardless of what it actually is, we can all agree that it is a positive, finite number. And with every second that ticks by, that number increases ever so slightly. This finiteness should disturb you. We are all Siths here, we all like to deal in cryptographic absolutes. And as of right now, there is no way to know, with 100% cryptographic certainty, whether or not there are fake Monero in circulation. If the NSA had a quantum computer today, it would be able to print a kajillion Monero out of thin air without anyone knowing.

In my previous post, olark_0x00D8D8E5 referred me to a paper about switch commitments, which could be implemented to prevent this from happening. However, I think that this will only make sure that current confidential transactions are balanced, not previous transactions. If a quantum computer prints out a bunch of fake coins before this algorithm is implemented, then I think this evil deed will go undetected forever. If this is the case, then it is essentially a race to implement quantum-proof output types/algorithms before the evil gummit actually comes up with such a device.
The problem is that once we implement all the cool quantum-proof stuff, someone could just fork Monero, completely restart the blockchain, and market this new chain as having === 0% chance of having fake 'quantum' coins in circulation, unlike that pesky Monero with its .00000001%. They could argue that Monero was just too ahead of its time, and cannot be considered 'sound money' with that finite number hanging over its head. Is there a way that we can know, with 100% cryptographic certainty, whether or not there are fake coins in circulation? I think there is, and I'm going to call this technique a “MoneroNoob12345 Audit”, named after a great and humble man. To do such an audit, we would just need to follow 3 simple rules:
Old output types can only ring with old output types, and new output types can only ring with new output types. In between these two output types is a one-way audit border.
When converting from old output types to new output types (crossing the one-way audit border), you must publicly reveal the transaction amount being sent.
After a specified Block X, no transactions are allowed to cross the audit border ever again.
Doing this would allow us to convert to quantum-proof algorithms/output types, while at the same time auditing the entire blockchain. If more coins cross the audit border than were ever mined, Monero's price would immediately drop to 0, and Monero would die the absolute quickest of deaths. She wouldn't even know what hit her :( However, if we get to Block X, and the amount that has crossed the border is less than or equal to the amount that had been mined, then Monero lives to see another day, and we all become rich little heathens. Everyone could know with 100% certainty that there were 0 fake coins in circulation before the audit.

The most likely outcome of such an audit would be that fewer coins cross the audit border than were mined, due to lost coins and the like. This difference in coins can either be burned (increasing the scarcity of everyone's Monero), or redistributed to miners as a bonus over so many blocks (increasing the security of Monero while also maintaining the emission schedule). This, however, is a whole nother debate. I personally kind of like the latter, because with it you can get more of the benefits of inflation without the inflation (less dependence on fee market, dynamic blocksize, etc). These benefits would come at the expense of coins that are already screwed to begin with. Regardless of which path we take, simply being able to numerically quantify the amount of screwed coins is pretty sweet.

Now how exactly does this help scaling? Well, after Block X, all of the old outputs are now utterly and completely useless! Throw that shit away! Out with the old, in with the new! Unbounded, exponential growth of the TXO set can officially suck our dicks! Every audit would essentially create a brand new, fresh, 0MB blockchain that everyone peacefully transitions to.
Every user would be able to verify that nothing funky has happened: they still have the same amount of Monero, and the supply of Monero is still the same (if not less) on this 'new' blockchain. The 'genesis outputs' on this new chain have their transaction amounts revealed, so anybody can add up these outputs as well as the chain's coinbases to calculate the total supply.

An occasional audit would actually solve one of Monero's tiny but inevitable trust issues too. With any opaque blockchain, there is always a small-but-finite chance that a genius 8 year old kid finds a bug in the code, and secretly exploits it, printing a kajillion coins in his mom's basement without anyone knowing. With Bitcoin, the second this happens, alarm bells start ringing, thanks to their blockchain being transparent. Monero has no such alarm bells, by design. The reason we don't have alarm bells is the reason why we all love Monero. Audits could be a replacement for alarm bells. It could prove that the fears of fake coins are unwarranted again and again and again, while at the same time completely slashing the TXO set again and again and again. It is a win-win.

A downside to this idea is that some people want to send Monero to a paper wallet, and then forget about it for 20 years. To this I reply: tough shit. Again, someone could easily fork Monero after the quantum transition, restart the blockchain, and advertise a 0% chance of fake coins in their new chain. I am pretty sure that a lot of people would buy into this too, especially Siths. This has a chance of ultimately killing Monero, and consequently killing the complainer's stash. Participating in an occasional blockchain audit would be a small price to pay in order to use a beautiful, opaque blockchain. Furthermore, everyday users of Monero are already having to update their software once every 6 months, so occasional audits won't be much of a drastic change.
(Sidenote: I love the 6 month hardfork schedule, and I hope it never gets phased out.) As decades pass, and the code becomes more and more set in stone, and technology progresses, these audits can occur way less and less frequently, if at all after a certain time. But during these primitive years, and especially when converting to quantum proof algorithms, I think it might be important to do this. There is also the downside of having to publicly reveal the transaction amount when converting to new output types. However, because of Monero's anonymity features, like not knowing if these newly converted outputs have been spent, I do not think that this is a problem in the slightest. In fact, Monero publicly showed transaction amounts for much of its life; here, we are only doing it for just one single transaction. This could open the door for a temporary 'rich list', where you rank these transaction amounts from highest to lowest. I personally don't see this as much of a problem either, but if it is, then we could just cap the max conversion amount. This would force whales to convert their stash in large chunks, in order to not spook the market or whatever. Now this whole thing assumes that it is possible to publicly reveal the amount you are sending when converting from an old CT output to a new quantum proof one. I think this can be done if you publicly reveal the private view key of the address that you are sending to when crossing the audit border. This is possible if you are sending Monero to yourself, which is what I think should be happening when converting. Miners would have to verify that the private view key in the transaction lines up with the transaction's destination, and reject any that do not. In summary: Audit the Monero! Slash the TXO! Profit! Let me know what you think, and thanks for reading this far! TLDR: Users send their Monero to a new output type by a certain deadline, and reveal the transaction amount when doing this (and only this). 
This would allow us to make sure that there are 0 fake coins in circulation, and at the same time slash the TXO set down to 0MB.
The first thing I noticed was that in my mind I read it as Cointel-egraph (as in COINTELPRO, as in 'covert Government operation') not 'coin telegraph', which I think is its intention. If I've learned anything it's that spy signalling is not that creative. They like to replay their winks in different ways. They are completely obvious to me now. I'm saying I believe this website is very likely run by the deep state. Not just from this wordplay, but I'll explain further below. And I don't know how 'critical' this shower thought is, but some of you may recall me warning about bitcoin. I am still butthurt from having mined before and getting screwed because of my internet connection and constant DDoS attacks on my miner, which I have assessed as having been from the government itself, on behalf of central bankers. Anyway, thinking about it some, maybe they did me a favor. After all, crypto is backed by nothing but people's willingness to pay for it--same as all fiat. Actually, scratch that. It's backed by energy times time: watt-hours or more commonly "power", as a sunk cost. But all of that is irrelevant because of several things:
1) Sun has infinite power and the universe has infinite time (don't ask me how I know the second part, that's another shower thought)
2) The NSA has PRISM (and beyond), which is a giant bitcoin miner. Think about it. No really, think about it some. Also there's the Texas Cryptologic Center no one talks about, but when you look at the public cam map it has hundreds of cams around it, which means it's a GD bitcoin miner, erm I mean cracking super secret Russian communications. Lol (it's a bitcoin miner)
3) DARPA is heavily invested and investing in quantum computers which will eventually unzip the blockchain like a cheap dress. Then everyone using it is ready to be f*cked, but not in a good way
4) If people can manipulate bitcoin like the article above, then it's a bubble waiting to pop
5) If and when the internet or the electric grid is attacked, no more bitcoin, sorry
6) The fact that it's rising above the price of gold means it's a bubble, sorry
7) It's a ponzi scheme too because no one can mine it anymore, because it's more expensive than the nominal cost per kWh to mine it (too expensive unless you got in early and have your own datacenter run on solar), so you have to buy it. Which means that...
8) Hidden interests are selling the bitcoin, setting exchange rates and taking fees and such
9) Who had 50% of the market in bitcoin from asset forfeitures after the Mt. Gox hack and the shutdown of Silk Road and Silk Road 2? That's right, the USMS, which means essentially the NSA now has it. Which means that the gov has controlling interest in bitcoin as a 'stock'
10) If you think a non quantum safe algo backed virtual coin currency is a good idea, GO FOR IT, but when you have people like John McAfee or David Seaman backing it....beware. David Seaman, who has been recently backbiting on George Webb, calling him a nutty youtuber; alternately whining constantly calling Podesta a pedo based on really no evidence, while smugly having schadenfreude with his 'close knit buddies he smokes up with on livestreams'--whom he's made tons of money on by giving them cryptocoin advice--makes me personally suspect more gaslighting from Cass Sunstein's playbook
Sorry, that was kind of a lot to derive from simple wordplay, I do get that. But it gave me an excuse to continue to warn you guys about cryptocoin. I mean, it's a decent idea and all, but it has shady as F origins, and even shadier as F backers, and lots of really unanswered questions--I don't like that. Been burned many times in the past. Crypto backed by something real--now that is good. Namecoin is good. Gold-backed crypto--if you trust the company--is good. A precious minerals index backed crypto would be better. But why? Again, control. No: why would they build up all this equipment, mine this coin and then unzip it, effectively destroying all currency that people have traded all their dollars and gold (covertly to the government who again run the exchanges) for.... ...ohhhh Yeah. "Trust your government, kids! I mean what else can you do?"
New and improved way to audit the Monero blockchain and fix scaling problems
In a previous post, I discussed how there is a tiny-but-finite chance that the evil gummit has created a powerful quantum computer, and has created millions of Monero out of thin air. Let's say there is a .00000001% chance that this has happened. I thought I had come up with a genius way to audit the Monero blockchain, and know with 100% certainty whether or not there are fake coins out there in circulation. The idea was that you create a new quantum-proof output type, and have every user convert their Monero to the new output type by a certain deadline. You also have them reveal the transaction amount when doing this (and only this). If more Monero publicly convert to new outputs than had been mined, then the price would drop to 0 and Monero would die a very quick death. But if less convert than had been mined, then after the deadline we can delete all of the old output types since they are now useless. If there were a million fake coins, and the NSA chose not to convert them in order to not reveal their capabilities, then these fake coins would get deleted forever. This would slash the entire TXO set back down to 0MB. Any coins that weren't converted by the deadline are screwed, and could potentially be used to feed the miners better. You could get the benefits of inflation without the inflation, having your cake and eating it too. This idea was pooped on for good reason. As _avnr so elegantly put it:
So if I was hospitalized, in jail, serving my country with no internet access, whatever, then gone is my money. If I left my keys in my will but my heirs were found only after the deadline, bad for them - they lost their inheritance.
This is a great point, and completely kills the idea. In order for a currency to be truly valuable, you need to be able to store it for long periods of time without having to touch it. We could get rid of the deadline altogether, but if the NSA has a million fake coins, then they would always have the ability to kill Monero at any second they like, simply by converting their huge stash. This would reveal that there are more coins in circulation than there should be, and the alarm would trip, insta-killing Monero.

After pondering this problem for some time, I think I have found a nice middle ground, and am curious to see what you all think. The idea is kind of like having a checking and a savings account. If you get thrown in jail, or you die, or whatever, and you miss the next scheduled deadline, then the money in your checking gets screwed. If it helps you sleep at night, those screwed coins will help feed the miners and secure the network. Money in your savings account will be OK though, and will be for all eternity.

How do you move coins into your savings? In August, RingCT will be required, which is badass. However, to put your Monero into your savings account, you would have to convert it to a non-CT output. There would have to be a protocol rule that states that these non-CT outputs cannot be ringed with, and are never to be deleted until converted to a CT output type. We need to be able to know if a non-CT output has been converted or not, and the only way to do this is to prevent people from ringing with non-CT outputs. Requiring non-CT outputs to be converted to the most recent CT type in order to be spent would allow Monero to keep its enforced/required anonymity feature. Because non-CT outputs would not be able to be ringed with, I think it would be super easy to implement multisig for them. It is my understanding that the problem with multisig in Monero is figuring out a way to do it with ring signatures without revealing who the actual signer is.
If we don't allow anyone to ring with non-CT outputs, then there won't be this problem with multisig, at least just with these new multisig savings accounts. If putting away money for years, you would ring with many outputs to secure your anonymity when converting to non-CT. And when you are ready to spend it, you can convert it to the most recent CT output type without ringing with any other outputs. When doing this, all that is happening is your output address is just changing from one to another; this shouldn't affect anonymity at all. So any non-CT output will be saved forever and ever and ever, whereas CT outputs would get deleted after scheduled deadlines.

To calculate the total supply, you count the amount of CT coins that have been converted to the most recent CT type, the amount of non-CT outputs that have never been converted, and the amount of all of the new chain's coinbases. Deleting just old CT outputs won't slash the entire TXO to 0MB like deleting all old outputs would, but it would slash the entire CT TXO set to 0MB. This is still just as good because it is the CT TXO that needs help getting under control, and prevented from becoming too big. This might allow us to forever be able to run a full node on a dad gum smart phone like we currently can. We might also never have to use sharding, an idea the LMDB master has said is inevitable. Monero, with its tail emission and screwed coins feeding the miners, could potentially scale better than Bitcoin. We would be limited only by bandwidth. Deleting old CT TXO sets would allow us to implement quantum-proof algorithms earlier too, since these algorithms take up more memory. We would not have to wait as long for technology to catch up.

The biggest downside of this is that there might be people in jail, or who have died, or whatever, and have put their CT outputs into a cold wallet. If these coins don't get moved by the first deadline, then these people would get screwed.
However, RingCT has only been a thing since January of this year. I think we should start telling everyone that at a minimum of 5 years from now, only non-CT outputs and a new, to-be-determined CT output type will be safe. If storing in CT (your checking account) you should at least keep track of Monero news like once a year to make sure there isn't anything you need to do currently. I doubt there are very many cases of people who are in jail or died and won't be able to convert sometime between now and 5 years from now. The sooner we start to warn people, the lower the number of these screwed people there will be. This path is a lot better than a contentious/dangerous hard fork way down the road, between pro-auditors and anti-auditors.

A weird quirk about this idea is that you would be able to see how much Monero in circulation is in savings vs checking. Not sure if this is a problem or not. Also, for the record, I do NOT think you should get interest on your 'savings' account. I just used the savings/checking analogy when it comes to security of funds, and how you have to move your money from savings to checking in order to spend it, not interest. Fuck proof of stake!!!

In summary:
Have an opaque blockchain (unlike Bitcoin)
Maintain required anonymity (unlike Bitcoin), by keeping things like minimum ring size, and forcing people to convert to CT in order to spend
Be 100% auditable (like Bitcoin)
Have multisig (like Bitcoin)
Be quantum proof (like Bitcoin)
Be able to secure coins forever without ever having to touch it (like Bitcoin)
Better solve on-chain scaling problems by deleting old CT TXO set and feeding miners screwed coins (unlike Bitcoin's inevitable fee-market solution)
Let me know what you think, and thanks!
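The supply accounting that both audit posts above rely on (the first one with a single deadline for every output, the second with non-CT "savings" outputs that are never deleted), as an added example that is not part of either post and is not Monero code. It models only the arithmetic: an old CT output that crosses the audit border reveals its amount, a non-CT output's amount is already public, and the total that survives Block X must not exceed what the old chain mined. Amounts are integers in hypothetical atomic units, the output records and coinbase values are constructed here, and ring signatures, commitments and the view-key check are deliberately left out.

```python
# Added example (not code from the posts above, nor from the Monero project).
# It models only the supply accounting in the two audit proposals: an old CT
# ("checking") output that crosses the audit border reveals its amount; a
# non-CT ("savings") output is never deleted and its amount is already public;
# whatever survives the deadline must not exceed what the old chain mined.
# Amounts are integers in hypothetical atomic units. Ring signatures, Pedersen
# commitments and the view-key check are deliberately not modelled.
from dataclasses import dataclass


@dataclass(frozen=True)
class Output:
    id: str
    amount: int
    kind: str  # "ct" = checking, must cross the border by Block X; "nonct" = savings


def mined_before_audit(old_coinbases):
    """Total emission on the old chain: the one number the survivors may not exceed."""
    return sum(old_coinbases)


def run_audit(old_coinbases, outputs, converted_ids):
    """Tally everything that survives Block X and compare it with the emission.

    outputs        -- every unspent output on the old chain, including any fake
                      ones an attacker may have minted (the chain itself cannot
                      tell them apart; this list is the omniscient view)
    converted_ids  -- ids of CT outputs whose owners crossed the border and
                      revealed their amounts before the deadline
    """
    mined = mined_before_audit(old_coinbases)
    converted_ct = sum(o.amount for o in outputs
                       if o.kind == "ct" and o.id in converted_ids)
    savings = sum(o.amount for o in outputs if o.kind == "nonct")
    survived = converted_ct + savings
    if survived > mined:
        # More coins crossed than were ever mined: fake coins are provably in
        # circulation and, per the posts, the chain is finished.
        return {"passed": False, "mined": mined, "survived": survived,
                "unclaimed": 0}
    # Every CT output that did not cross is deleted. The posts propose either
    # burning the shortfall or paying it to miners over many blocks.
    return {"passed": True, "mined": mined, "survived": survived,
            "unclaimed": mined - survived}


def new_chain_supply(audit_result, new_coinbases):
    """Supply on the post-audit chain from public numbers only: surviving
    (revealed) genesis outputs plus the new chain's coinbases."""
    if not audit_result["passed"]:
        raise ValueError("audit failed; there is no new chain to account for")
    return audit_result["survived"] + sum(new_coinbases)


# Constructed scenario: 85 units mined, 10 of them lost (never converted),
# 25 parked in a savings output, and one hypothetical fake 1000-unit output
# that the attacker can choose to convert or to keep hidden.
OLD_COINBASES = [50, 35]
HONEST = [Output("a", 30, "ct"), Output("b", 20, "ct"),
          Output("s", 25, "nonct"), Output("lost", 10, "ct")]
FAKE = Output("fake", 1000, "ct")


def demo():
    quiet = run_audit(OLD_COINBASES, HONEST + [FAKE], {"a", "b"})
    loud = run_audit(OLD_COINBASES, HONEST + [FAKE], {"a", "b", "fake"})
    return quiet, loud


if __name__ == "__main__":
    quiet, loud = demo()
    print("attacker stays hidden:", quiet)   # passes; the fake output is deleted
    print("attacker converts:   ", loud)     # fails; 1075 > 85
```

The two branches of `demo()` are the dilemma the second post describes: an attacker holding fake coins either converts them and trips the alarm, or sits out the deadline and watches them get deleted with the rest of the unconverted CT set. The savings output survives either way, which is why the verdict only becomes a death sentence if the revealed total really exceeds emission.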
A modest proposal (radical pruning for long-term scaling)
I hesitate to post stuff like this, because I'm really not close enough to the project, may not know about past discussions of the same idea, and am not volunteering to do the significant work involved. But still, maybe the suggestion, or the reinforcement of the ideas, is valuable...
I think the unlimited growth of "permanent" data gets too little attention in blockchain currencies, including Monero. People obviously do pay attention to scaling. In the case of Monero, the roadmap talks about using sidechains to take stuff off of the main chain. In the end, though, the main chain grows without bound. If Monero really succeeds, that chain could in fact get very, very big, regardless of optimization. Wikipedia says there are 7.4 billion people on this planet. What if each of them makes one transaction a week? One a day? The problem seems worse for Monero than for, say, Bitcoin, because Monero can't even identify (and therefore merge or selectively prune) spent outputs. You could, however, bound the chain size by simply throwing away everything older than some particular age; not partial pruning, but complete elimination of the blocks. Obviously you could still end up with a huge chain, but there'd be a finite limit on its size. The biggest cost would be that outputs ended up with an expiration date. If Monero is lucky, something like that may eventually be a technical necessity. For political and governance reasons, if there's any real chance it will ever have to be done, I think it should be done soon. It may not be possible to do it later.
The phrase "without bound" is intrinsically scary, but permanent retention has other bad effects.
Raw cost and node incentives: Cryptocurrencies generally compensate miners, but not nodes. Once something is on the chain, the network has to store it for free. In the limit, permanent storage (and bandwidth for starting up new nodes) will always become the biggest actual cost, exceeding mining or anything else. Even if "the limit" is never reached, it's still a big cost. It's hard to imagine many people carrying that cost out of love, so you could get weird disruptions caused by the node operators using ad-hoc tactics to get some kind of compensation. Those could be economic disruptors or they could be privacy disruptors. On the other hand, if the network finds a way to build in node incentives, high storage costs may simply mean those incentives have to be more than anybody actually wants to pay.
Centralization: The bigger the chain, the more centralization you have, and the fewer nodes you have. You may be able to spread out the storage, but in the end there are only going to be N replicas of any given part of the chain.
Freeloading: The only critical reason to keep old blocks forever seems to be to guarantee that an output you got however long ago will be spendable forever, without you doing anything to maintain it. But that's not necessarily a good thing. Blockchain permanence encourages "store of value freeloading". People who just want to hold the currency pay no fees (and generate no cover traffic), even though they create a real cost to the network at large. Holders are subsidized by the people who actually do transactions. So are people who just want to use the chain as a notary for non-currency purposes, although I don't know if that can happen in Monero the way it can in Bitcoin.
Lost-money waste: If some outside event prevents money from ever being spendable, the blockchain still has to track that money. If somebody totally loses all her private keys, the chain still holds onto her outputs forever, even though they'll never be spendable. If a multisig escrow runs into an unresolvable dispute, the chain is left holding the bag.
Unreliability: Something could unavoidably invalidate old data (Hello, quantum...). At that point permanence has no value, and anything that requires permanence breaks.
Complexity: If you have to split or spread a large data set, you're going to have to do something relatively complicated. Even tiered storage is complicated compared to non-tiered storage. Distributed storage is worse. Spreading things out looks especially tricky for a currency where any given transaction may mix in any given set of outputs. Complexity is bad for reliability, bad for security, and bad for being able to understand your privacy guarantees.
Performance: Bigger data sets are just slower; there's a cost to getting data from the next tier or from another shard or whatever. That's especially true if the data set may not have very good locality properties... and large anonymity sets don't usually like locality.
Privacy: I suspect, but have no actual knowledge, that it's harder to pick a plausible set of mixins if the chain has a huge range of transaction ages.
Why do it now?
Unless the expectation of permanence is quashed early, I'm afraid various factors will lock it in. And the best way to quash that expectation is to decide early, then actually remove permanence ASAP. Obviously there's no certainty that permanence will ever have to be removed, or that conditions will change to make that difficult. But that's the safe way to bet. Removing permanence now is relatively inexpensive.
Remember how Bitcoin suddenly couldn't agree on even slightly contentious changes? In a few years, I think changing permanence will be very hard politically. I'd expect it to be about as hard as changing the proof of work, and almost as hard as changing the emission curve. And those will be very hard changes to make if adoption keeps growing.
Don't touch my money!
Cryptocurrency seems to attract people who want money that can never go away. Many want it to be as durable as gold, and think of it mainly as an untouchable "nest egg". If you suddenly tell them it can evaporate unless they do some new thing like renewing outputs, then surely many of them will see that as a takeaway and a betrayal. They'll have that reflex even if the reasons are obvious and the actual cost and effort are tiny. You might say that'd be silly, and I'd agree with you... but I think it'll happen nonetheless. I think it may happen even if permanence goes away now, and I'm sure it'll happen if permanence goes away later. Wouldn't it be better to try to keep such expectations from building up? What happens to the currency if people go around claiming it's a ripoff?
Fear for the uninvolved
Perhaps a more justifiable concern: suppose somebody buys Monero next year. They assume it's permanent because nobody told them otherwise and that's how blockchains work today. They pay no attention for 10 years, and then discover their money's gone away. Sure, that person should have paid more attention, but that doesn't mean anybody should want them to get screwed. Changing now minimizes the number of people who might be in that position later. And even if you, the reader, don't care about oblivious people, others will. There will be those who really want to protect them, and some of those protectors will have influence. They won't necessarily all be in the community, either; what happens if regulators tell major exchanges that they are on the hook if any unprepared person loses money because of this "unannounced change"? Imagine the outcry if a government decided to expire cash in circulation. Actually, you don't have to imagine it; it happens from time to time. Look how much work those governments put into warning everybody, and how much heat they get if they don't. The Monero community can't warn people that way. So it pays to avoid it being a big issue.
"Monero's been infiltrated! They want you to renew your money so the NSA can trace the transactions! Wake up, sheeple! (obXKCD)". The more relatively casual users Monero accumulates, the worse this will get. And mass adoption is all about the casual users.
Not invented here
Don't forget the political and technical issues you get with trying to do a protocol change once there are a lot of implementations. Today, Monero has one node implementation and a handful of wallets. In the future, a lot more people will have to coordinate on any change. I really like Monero's periodic hardfork system, but it doesn't solve everything.
On the technical project management side, there's also the risk of "technical debt" making it really hard to actually remove permanence. Permanence assumptions could get baked into Monero itself, or into critically important related technology. They might not even always be obvious assumptions. Undoing that could be hard.
Get ready now
There's a chance that non-permanence could be forced on the community, if not by sheer chain size, then by something like quantum computing making old signatures fundamentally meaningless. It should be fairly easy to move new transactions to a new signature scheme, but you would still lose the old ones. It would be good to be prepared in advance if that happened, and the best way to prepare for something is to make it the normal and expected thing.
Here's a crude outline. I'd suggest announcing something like this as The Plan immediately, and building it into the software as soon as reasonably possible. I've written it to talk about times in years, because real time is easier for users to deal with than block counts. If the time accounting has to be done in blocks instead, that's not the end of the world.
Immediately fix wallets
Starting as soon as possible, wallets prepare for impermanence:
Wallets automatically renew old outputs by sweeping those outputs back to themselves. By default, each output is renewed when it's about a year old. The exact timing is randomized, mostly to improve renewals' value as cover traffic. An output is eligible to be put in a renewal transaction when it reaches an age drawn from a uniform distribution between 9 and 15 months. Such renewals are batched up in some sane way. Anything older than 15 months is always renewed immediately. Users can change those parameters, and can manually renew their balances if they know they'll be offline for a while.
A wallet will warn you if you try to make the renewal time more than about 2 years.
It will also warn you if you seem to be using it very infrequently.
2020 hard fork
As of about the beginning of 2020, outputs more than three years old cannot be spent, full stop. After that same time, nothing is expected to keep any chain data more than three years old. If you haven't run your wallet for a very long time, it may not have been able to renew older outputs, and may show a lower balance when you do run it. If you haven't run your wallet for three years, your balance will be zero.
There's no traceability to the genesis block. The main evidence that any given three-year collection of blocks is "the" chain is the hashpower that's gone into creating that collection, although you could of course "pin" some old blocks in the software itself. I think this implies that there can never be proof of stake mining, but I could be wrong. Money is conceptually only traceable to the oldest retained block, not necessarily to the one where it was mined.
Sidechains and whatnot, when implemented, are expected to "check in" and confirm their relationships with the main chain at least annually (I assume they would anyway, but this would be a hard requirement).
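The wallet-side renewal policy sketched in the plan above (randomised eligibility between 9 and 15 months, forced renewal past 15, batching, the 2-year warning, and a zero balance for anything older than the three-year cutoff), as an added example that is not part of the post and is not the Monero wallet's code. Ages are in months, the post's own unit. The batch size, the 6-month "infrequent use" threshold, the RNG seed and the sample outputs are constructed here and are not from the post.

```python
# Added example, not code from the post above or from the Monero wallet. It
# simulates the renewal policy the post sketches: every output gets an
# eligibility age drawn uniformly from 9 to 15 months (randomised so renewals
# look like ordinary traffic), anything older than 15 months is renewed at
# once, due outputs are swept in batches, the wallet warns if the user raises
# the eligibility ceiling past about 2 years, and after the hypothetical 2020
# fork an output older than 3 years is unspendable. Ages are in months, the
# post's own unit; the batch size, the 6-month "infrequent use" threshold and
# the sample outputs are constructed here and are not from the post.
import random
from dataclasses import dataclass
from typing import Optional

MIN_ELIGIBLE_MONTHS = 9
MAX_ELIGIBLE_MONTHS = 15
WARN_RENEWAL_ABOVE_MONTHS = 24
EXPIRE_AT_MONTHS = 36
INFREQUENT_USE_MONTHS = 6  # assumption; the post only says "very infrequently"


@dataclass
class Output:
    id: str
    amount: int
    age_months: int
    eligible_at: Optional[int] = None  # drawn once, when the wallet first sees it


def assign_eligibility(outputs, rng, lo=MIN_ELIGIBLE_MONTHS, hi=MAX_ELIGIBLE_MONTHS):
    """Give each new output its randomised renewal age; existing draws are kept."""
    for o in outputs:
        if o.eligible_at is None:
            o.eligible_at = rng.randint(lo, hi)
    return outputs


def is_due(o, hi=MAX_ELIGIBLE_MONTHS):
    # Past the ceiling it is always due, whatever age was drawn for it.
    return o.age_months > hi or o.age_months >= o.eligible_at


def is_expired(o):
    return o.age_months >= EXPIRE_AT_MONTHS


def plan_renewals(outputs, rng, batch_size=4):
    """Return (batches, expired_ids).

    batches     -- lists of output ids to sweep back to the wallet's own
                   address, oldest first, so the oldest never waits for a batch
    expired_ids -- outputs the wallet was too late for; they cannot be renewed
    """
    assign_eligibility(outputs, rng)
    expired_ids = sorted(o.id for o in outputs if is_expired(o))
    due = sorted((o for o in outputs if is_due(o) and not is_expired(o)),
                 key=lambda o: -o.age_months)
    batches = [[o.id for o in due[i:i + batch_size]]
               for i in range(0, len(due), batch_size)]
    return batches, expired_ids


def spendable_balance(outputs):
    """What the wallet shows after a long absence: expired outputs are gone."""
    return sum(o.amount for o in outputs if not is_expired(o))


def settings_warnings(max_eligible_months, months_since_last_use):
    """The two warnings the post asks wallets to emit."""
    warnings = []
    if max_eligible_months > WARN_RENEWAL_ABOVE_MONTHS:
        warnings.append("renewal interval above 2 years risks outputs expiring")
    if months_since_last_use > INFREQUENT_USE_MONTHS:
        warnings.append("wallet is used infrequently; renew manually before going offline")
    return warnings


# Constructed sample: a wallet opened after roughly 20 months offline.
SAMPLE = [Output("fresh", 5, 3), Output("mid", 7, 12), Output("old16", 4, 16),
          Output("old17", 4, 17), Output("old18", 4, 18), Output("old19", 4, 19),
          Output("old20", 4, 20), Output("dead", 50, 40)]


def demo(seed=1):
    outputs = [Output(o.id, o.amount, o.age_months) for o in SAMPLE]
    return plan_renewals(outputs, random.Random(seed)), spendable_balance(outputs)


if __name__ == "__main__":
    (batches, expired), balance = demo()
    print("sweep batches:", batches)
    print("expired:", expired, "spendable balance:", balance)
```

Whether `mid` (12 months old) lands in the second batch depends on the age drawn for it; that jitter is the point of the 9 to 15 month window. The 40-month output is reported as expired rather than swept, which is the "lower balance when you do run it" case the plan warns about.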
I have some hypothetical questions about Bitcoin. Before you go admonishing me for asking about low probability events, hear me out. Nobody thought there could possibly be a shortage of hard drives until the 2011 floods in Thailand. In each of the separate events below I'm interested in the following variables:
A. The Bitcoin price response (i.e. the result of the change in demand on the price).
B. The total bitcoin hash rate.
C. Changes in transaction confirmation time as a result of the event.
Event #1: Massive earthquake in China / EMP event causing massive power grid black/brown outs near a high concentration of Bitcoin miners.
Event #2: Chinese government decides these damn bitcoiners are "up to no good" and begins massive police style raids of bitcoin miners, shutting down datacenters or individuals with high concentrations of ASIC miners.
Event #3: A rogue agent within a signals intelligence agency (NSA/FSB, etc.) uses their access/resources to begin draining bitcoin from bitcoin "whales" in countries under its sphere of influence.
Event #4: Similar to above, except assume an individual or group of individuals have access to a "quantum computing" machine and its existence is not known by the public.
I'm also interested in discussions related to the probability (or improbability) of each of the above events, in addition to identification of black swan events deemed more probable than those listed. This is purely an academic thought experiment exercise at this point. I may post this over in the main BTC subs, but I wanted to get some general opinions first as those subs can be hostile at times.
It is time to usher in a new phase of Bitcoin development - based not on crypto & hashing & networking (that stuff's already done), but based on clever refactorings of datastructures in pursuit of massive and perhaps unlimited new forms of scaling
Debates among devs are normal and important. Debates between programmers are the epitome of decentralized development and as such they are arguably the most important mechanism that will ensure the ongoing success of the Bitcoin (or cryptocurrencies) project. Therefore, we would be wise to encourage such debates, rather than trying to make them go away by calling them "personal attacks". In the real world, there aren't a whole lot of different ways to hammer a nail into a board or pour cement into a hole - but in the abstract world of mathematics and programming, there are many, many different ways to represent and manipulate a data structure, limited only by our imaginations, so it is actually appropriate to expect and even demand lots of jostling and critiquing from our programmers as they "try to invent a better mousetrap." In fact, this is the kind of informal jockeying and shop talk that always has gone on and always will go on among mathematicians and programmers - and quite rightly so, because it is precisely the mechanism whereby they maintain order among their ranks, by making subtle and cogent observations about who knows what. A famous example of this typical sort of jockeying and shop talk can be seen elsewhere in the ongoing debates between programmers of the "procedural" / "object-oriented" school (C/C++, Java) versus the "functional" school (Haskell, ML). It's always quite an eye-opener for a procedural programmer who's been using "loops" all their life, when they finally discover how to use an "iterator" in functional programming. They both "accomplish" the same thing of course - but in radically and subtly different ways, since an iterator in a functional language is a "first-class citizen" which can be passed around as an argument parameterizing a function, etc. - allowing much more compact and expressive (and sometimes even more efficient) code. 
Different Bitcoin dev skill sets are required for different stages of Bitcoin's life cycle

An example of the debate between various devs can be seen here:
It is "clear that Greg Maxwell actually has a fairly superficial understanding of large swaths of computer science, information theory, physics and mathematics."- Dr. Peter Rizun (managing editor of the journal Ledger)
https://np.reddit.com/btc/comments/3xok2o/it_is_clear_that_greg_maxwell_unullc_actually_has/

What Peter R is saying here is simply that a different skill set is needed to usefully contribute to Bitcoin development now that it has moved well beyond its "proof-of-concept and initial rollout" stages (hey, this thing actually works) and is now trying to move into its "massive scaling" stages (let's try to roll this thing out to millions or billions of people).

Bitcoin's "proof-of-concept and initial rollout" stages

Initially, during the "proof-of-concept and initial rollout" stages, the skill set that was required to be a "Bitcoin dev" merely involved knowing enough cryptography, hashing, networking, "game theory", rudimentary economics, and C/C++ programming in order to be able to understand Satoshi's original vision and implementation, doing some simple and obvious refactorings, cleanups and optimizations while respecting the overall design decisions captured in the original C/C++ code, and maintaining the brilliant "game theory" incentives baked therein - the most notable of all being of course that thing which some mathematicians have taken to calling "Nakamoto Consensus" (which could be seen as a useful emerging mathematical-historical term along the lines of Nash Equilibrium, etc.) - ie, Satoshi's brilliant cobbling-together of several existing concepts from crypto and hashing and game theory and rudimentary economics in order to provide a good-enough solution to the long-standing Byzantine Generals Problem which mathematicians and programmers had heretofore (for decades) considered to be unsolvable.
In particular, during the "proof-of-concept and initial rollout" stages, the crypto and hashing stuff is all pretty much done: the elliptic-curve cryptography has been decided upon (and by the way Satoshi very carefully managed to pick one of the few elliptic curves that is NSA-proof) and the various hashing algorithms (SHA, RIPE) are actually quite old from previous work, and the recipe for combining them all together has been battle-tested and it should work fine for the next few decades or so (assuming that practical quantum computing is probably not going to come along on that time scale). Similarly, during the "proof-of-concept and initial rollout" stages, the networking and incentives and game theory are all pretty much done: the way the mempool gets relayed, the way miners race to solve blocks while trying to minimize orphaning, and the incentives provided currently mainly by the coinbase subsidy and to be provided much later (after more halvings and/or more increases in volume and price) mainly by transaction fees - this stuff has also been decided upon, and is working well enough (within the parameters of our existing imperfect regulatory and economic landscape and networking topology, where things such as ASIC chips, cheap electricity and cooling in China, and the Great Firewall of China have come to the fore as major factors driving decisions about who mines where).

Bitcoin's "massive scaling" stages

Now, as we attempt to enter the "massive scaling" stage, a different skill set is required. As I've outlined above, the crypto and the hashing and the incentives are all pretty much done now - and mining has become concentrated where it's most profitable, and we are actually starting to hit the "capacity ceiling" a few times (up till now just some spam attacks and stress tests - but soon, more worryingly, possibly even within the next few months, really hitting the capacity ceiling with "real" transactions).
Early scaling debates centered around blocksize

And so, for the past year, we've gone through the never-ending debates on scaling - most of them focusing up till now (perhaps rather naïvely, some have argued) on the notion of "maximum blocksize", which was set at 1 MB by Satoshi as a temporary anti-spam kludge. The smallblock proponents have been claiming that pretty much all "scaling solutions" based on simply increasing the maximum blocksize could have bad effects such as decreasing the number of nodes (decreasing this important type of decentralization) or increasing the number of orphans (decreasing profits for certain miners) - so they have been quite adamant in resisting any such proposals. Meanwhile the bigblock proponents have been claiming that increased adoption (higher price and volume) should be more than enough to eventually offset / counteract any supposed decrease in node count and miner profits that might happen immediately after bigblocks would be rolled out. For the most part, both sides appear to be arguing in good faith (with the possible exception of private companies hoping to be able to peddle future, for-profit "solutions" to the "problem" of artificially scarce level-one on-chain block space - eg, Blockstream's Lightning Network) - so the battles have raged on, the community has become divided, and investors are becoming hesitant.

New approaches transcending the blocksize debates

In this mathematical-historical context, it is important to understand the fundamental difference in approach taken by Peter__R. He is neither arguing for smallblocks nor for bigblocks nor for a level-2 solution. He is instead (with his recently released groundbreaking paper on Subchains - not to be confused with sidechains or treechains =) sidestepping and transcending those approaches to focus on an entirely different, heretofore largely unexplored approach to the problem - the novel concept of "nested subchains":
Now, this is a new paper, and it will still undergo a lot of peer review before we can be sure that it can deliver on what it promises. But at first glance, it is very promising - not least of all because it is attacking the whole problem of "scaling" from a new and possibly highly productive angle: not involving bigblocks or smallblocks or bolt-ons (LN) but instead examining the novel possibility of decomposing the monolithic "blocks" being appended to the "chain" into some sort of "substructures" ("subchains"), in the hopes that this may permit some sort of efficiencies and economies at the network relay level.

"Substructural refactoring"-based approaches

So what we are seeing here is essentially a different mathematical technique being applied, for the first time, to a different part of the problem in an attempt to provide a "massive scaling" solution for Bitcoin. (I'm not sure what to call this technique - but the name "substructural refactoring" is the first thing that comes to mind.) While there had indeed been some sporadic discussions among existing devs along the lines of "weak blocks" and "subchains", this paper from Peter R is apparently the first time that anyone has made a comprehensive attempt to tie all the ideas together in a serious presentation including, in particular, detailed analysis of how subchains would dovetail with infrastructure (bandwidth and processing) constraints and miner incentives in order for this to actually work in practice.

Graphs reminiscent of elasticity and equilibrium graphs from economics

For example, if you skim through the PDF you'll see the kinds of graphs you often see in economics papers involving concepts such as elasticity and equilibrium and optimization (eg, a graph where there's a "gap" between two curves which we're hoping will decrease in size, or another graph where there's a descending curve and an ascending curve which intersect at some presumably optimum point).
Now, you can see from the vagueness of some of my arguments and illustrations above that I am by no means an expert in the mathematics and economics involved here, but am instead merely a curious bystander with only a hobbyist's understanding of these complex subjects (although a rather mature one at that, having worked most of my long and chequered career in math and programming and finance). But I am fairly confident that what we are seeing here is the emergence of a new sort of "skill set" which will be needed from the kind of Bitcoin developers who can lead us to a successful future where millions or billions of people (and perhaps also machines) are able to transact routinely and directly on the blockchain. And if a developer like Peter R wants to direct some criticism at another developer who has failed to have these insights, I think that is a natural manifestation of human ego and competitiveness which is healthy to keep these guys on their toes.

A new era of Bitcoin development

The time for tweaking the crypto and hashing is long past - which means that the skills of guys like nullc and petertodd may no longer be as important as they were in the past. (In fact, entirely other objections can be raised against Peter Todd, given his proclivity for proving that he can, at the mathematical level, break systems which actually do work "good enough" by relying on constraints imposed at the "social level" - a level which PTodd evidently does not much believe in. For the most egregious example of this, see his decision to force his Opt-In (soon to become On-By-Default) Full RBF - which breaks existing "good-enough" risk mitigation practices many businesses had up till now relied on to profitably use zero-conf for retail.)
Likewise the skills of adam3us may also not be as important as they were in the past: he is, after all, the guy who invented ecash, so he is clearly a brilliant cryptographer and pioneer cypherpunk who laid the groundwork for what Bitcoin has become today, but it is unclear whether he now has (or ever had) the vision to appreciate how big (and fast) Bitcoin can become (at "level 1" - ie, directly on the blockchain itself). In this regard, it is important to point out the serious lack of vision and optimism on the part of nullc and petertodd and adam3us:
During the cex.io 51% mining threat a few years back, petertodd publicly declared that he was selling half his Bitcoin to buy Viacoin. As it turned out, that good ole "social pressure" (which Peter Todd doesn't believe in) actually did its magic, when the community pulled together and told cex.io to get lost - which they did, and they now have only a tiny sliver of global hashpower.
When Bitcoin was first starting, around 5-6 years ago, adam3us didn't believe in it - and thus he failed to become an early adopter. Evidently even though he was able to invent much of the crypto that underlies it, he was perhaps too much of a perfectionist and/or pessimist to believe that the economics and game-theory incentives would be "good enough" for the thing to actually work in real life. So now he's probably playing catchup: drawing a salary in fiat from the backers of Blockstream, and trying to come up with a bolt-on level-2 solution with a cool name (Lightning Network), which many people are unconvinced would even work.
nullc, as Peter R has stated, does indeed turn out to have a rather "superficial" understanding of many of the fields related to Bitcoin. While he is of course quite good at the C/C++ and game theory required to maintain Bitcoin "as it was" during its "proof-of-concept and initial rollout" stages, he apparently is totally lacking in the kind of vision and imagination and know-how needed in other emerging areas of mathematics and programming and economics which will be needed to usher Bitcoin into its "massive scaling" stages. This is not to disparage his contributions, which have been significant. But the kind of tunnel-vision and divisiveness he has displayed - where it's either my way or the highway - is probably not the kind of thing which will help Bitcoin transcend its current scaling debates based on smallblocks versus bigblocks plus Lightning Network. All of those approaches may be dead-ends, and entirely new and fresh perspectives may be required now.
gavinandresen, while being a pragmatist in favor of rolling out bigblocks as soon as needed to avoid the system clogging up and dying, is also a visionary who is able to understand many of these newer approaches - in fact, he has been involved in several approaches dealing with novel ways of building and relaying blocks, such as IBLT (Inverted Bloom Lookup Tables) and Weak Blocks (which is part of Peter R's Subchains proposal), and he was involved as a reviewer on Peter R's current paper.
I would also like to mention (in this discussion of skill sets and overall mathematical perspectives) the brilliant work of Pieter Wuille on Segregated Witness. Somewhat similar to Peter R's new work on Subchains, Pieter Wuille's work on Segregated Witness attempts to perform subtle reorganizations and optimizations at a "substructural" level, splitting or "factoring" a block's "merkle tree" quite neatly into two separate subtrees at the top level: one top-level subtree containing the "witness" (ie, the validation info or signature for the block), and the other top-level subtree containing the rest of the data (who sent how much to whom) - which provides very natural, straightforward methods of "pruning" the data to be stored on certain types of nodes (since you can drop all the "witness" or validation data and just keep the data on who sent what to whom), while also supporting a "refutational" style of Fraud Proofs which reduces the amount of data needed to relay on the network (by transmitting information which "proves a negative" rather than information which "proves a positive"). I have written up an appreciation of this work in more detail elsewhere.
TL;DR: Times are a-changin'. The old dev skill sets for Bitcoin's early years (crypto, hashing, networking) are becoming less important, while new dev skill sets are becoming more important (such as something one might call "substructural refactoring"). We should encourage competition as new devs emerge who have these new skill sets, because they may be the way out of the "dead end" of the blocksize-based approaches to scaling, opening up massive and perhaps unlimited new forms of "fractal-like" scaling instead.
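The witness-separation idea the post credits to Segregated Witness (the signature data kept apart from the "who sent how much to whom" data, so that a node can drop the witness and still keep identifiers the block commits to) can be shown in a small model. The following is an added example, not code from the post, from Bitcoin Core or from any SegWit implementation; the serialization, field names and sample transactions are constructed for illustration and are not Bitcoin's real wire format. What it demonstrates is the general principle: a txid that excludes the witness stays stable when the witness is pruned, while a witness-inclusive identifier (wtxid) does not, which is why the witness data needs its own separate commitment.

```python
# Added example (not from the post or any Bitcoin implementation): a toy model of
# segregating the witness from a transaction, to show why the witness can be pruned
# without disturbing the identifiers the block's merkle tree commits to.
# Serialization and field names are constructed for illustration only.
import hashlib
import json
from dataclasses import dataclass
from typing import List, Optional, Tuple


def sha256d(data: bytes) -> bytes:
    """Double SHA-256, the hash Bitcoin uses for txids and merkle nodes."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


@dataclass
class Tx:
    inputs: List[str]                    # constructed outpoint labels, e.g. "tx_a:0"
    outputs: List[Tuple[int, str]]       # (amount, recipient) pairs
    witness: Optional[List[str]] = None  # signatures; None once pruned

    def serialize(self, with_witness: bool) -> bytes:
        # Toy canonical encoding (JSON with sorted keys); not Bitcoin's format.
        body = {"in": self.inputs, "out": self.outputs}
        if with_witness:
            body["wit"] = self.witness
        return json.dumps(body, sort_keys=True).encode()

    def txid(self) -> bytes:
        # The identifier commits only to who paid whom, never to the witness.
        return sha256d(self.serialize(with_witness=False))

    def wtxid(self) -> bytes:
        # Witness-inclusive identifier; only meaningful while the witness is present.
        return sha256d(self.serialize(with_witness=True))


def merkle_root(leaves: List[bytes]) -> bytes:
    """Merkle root over leaf hashes, duplicating the last hash on odd levels
    (the same rule Bitcoin's block merkle tree uses)."""
    if not leaves:
        return sha256d(b"")
    level = list(leaves)
    while len(level) > 1:
        if len(level) % 2 == 1:
            level.append(level[-1])
        level = [sha256d(level[i] + level[i + 1]) for i in range(0, len(level), 2)]
    return level[0]


def prune_witness(txs: List[Tx]) -> List[Tx]:
    """What a pruned node keeps: the same transactions with every witness dropped."""
    return [Tx(t.inputs, t.outputs, witness=None) for t in txs]


def txid_root_survives_pruning(txs: List[Tx]) -> bool:
    """True if the txid merkle root is identical before and after pruning."""
    before = merkle_root([t.txid() for t in txs])
    after = merkle_root([t.txid() for t in prune_witness(txs)])
    return before == after


def witness_root_changes_on_pruning(txs: List[Tx]) -> bool:
    """True if the witness-inclusive root changes when witnesses are dropped,
    which is why that root has to be committed to separately."""
    before = merkle_root([t.wtxid() for t in txs])
    after = merkle_root([t.wtxid() for t in prune_witness(txs)])
    return before != after


# Constructed sample block of three transactions (amounts and names are made up).
SAMPLE_TXS = [
    Tx(["coinbase"], [(25, "miner")], witness=["sig_m1"]),
    Tx(["tx_a:0"], [(10, "bob"), (14, "alice")], witness=["sig_a1"]),
    Tx(["tx_b:1", "tx_c:0"], [(9, "carol")], witness=["sig_b1", "sig_c1"]),
]

if __name__ == "__main__":
    print("txid root stable after pruning:", txid_root_survives_pruning(SAMPLE_TXS))
    print("witness root changes after pruning:", witness_root_changes_on_pruning(SAMPLE_TXS))
```

The design point is that a pruned node which keeps only the non-witness data can still recompute and verify the txid merkle root the block header commits to; it simply loses the ability to re-validate signatures, which is the trade-off the post describes.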
This morning I sent an email to a friend "Is bitcoin paying for N. Korea's rocketry program?" then a few hours later, True Pundit released an article, "North Korea is hacking bitcoin exchanges as currency value soars, expert says" -- WTF is going on?
1055am EST: North Korea is hacking bitcoin exchanges as currency value soars, expert says

Here's my email. It's pretty unpolished. It was a shower thought.

908am EST

I guess it goes to what you consider consumer confidence to be. It's possible that the market cap on BTC is expanding rapidly with adoption, that is NOT what causes the value of BTC to increase, quite the opposite in terms of supply and demand. So what makes BTC's value go up? Constant trading. Now if you have AI bots behind the exchanges (running the exchanges) and those AI bots are DARPA projects, then you basically have the military 'coaxing people through gaslighting' into adopting, by using their vanity and avarice and urgent fear of missing out against them. By jumping in early they get to say, 'haha you missed the boat and I made out big: suckers!' and they get digital dollars from nowhere, kind of like infinite-QE of Goldman Sachs, only they are using incremental injections of QE from Goldman Sachs to finance the uptick on BTC's price... it's essentially a QE laundering scheme that's powered by fee-less (VIP) high speed electronic trading by AI bots, with possible inputs from DWAVE quantum computers and PRISM / Cryptologic supercomputers of the NSA... after all it seems much more profitable.

But why? N Korea

As Byegone pointed out, very smartly I might add, DPRK's rocketry program advanced 40 years in 6-7 months time or so. Impossible. Impossible without outside help. China. CIA. Could be both. But they'd have to pay for 40 yrs of advancement and I can assure you that the CIA's vassal state of DPRK--that just inaugurated their first vaseline plant 3 yrs ago, and has a turnip shortage and people starving on the street (deplorables) does not have money to continually and inexplicably blast PNE's under mountains for reasons unknown (probably doing state infrastructure work TBH... freeing up minerals or blast-mining). Well if you had to finance 40 yrs of advancement, how would you do it?
You'd agree to the terms of the CIA to do everything they say for the next several decades. You will be a limited hangout. You will wage a fake war with us. You will take our computers and our hackers. You will run terror false flags and become a terror outsource company for us for the next couple of decades. You won't have to pay but you will have to do as we say or we'll take it all away. Ok, DPRK? Ok, they say.

And then Bitcoin becomes a way for people to inject their dollars into a black hole that effectively gets funnelled to China, in order for China to build their rocketry program.

Why do I think China? Look at the base of the rockets in the pictures they released. Same design > CHINA'S DESIGN. Those are Chinese rockets.

Front Running on Email

I can't help but think that someone passed on this idea, or that an unknown 3rd party is front running by reading emails and maybe mine flagged something somewhere due to the proximal keywords. They read it and were like, 'huh, we've got to manage this shit harder, the plebs are finding out.' Or this is just a huge coincidence. But name another news story that links bitcoin to DPRK in the recent past. Can't do it, can you? You'd have to go quite a long ways. I know this is a temporal bias but still, it seems significant.
To summarize, we can conclude that Bitcoin is not vulnerable to quantum computer attacks as of now. As per the current trends in technological developments, we can predict that Bitcoin most probably won't be vulnerable during the next few years either. No good algorithms are available in order to break the hashes by using quantum computers. The only hope available to break Bitcoin is through ...

r/Bitcoin: NSA is building a Quantum Computer that can break all forms of encryption, is Bitcoin doomed?

Given what is currently public knowledge, quantum computers are still far away; the most powerful quantum computer to date managed to use Shor's algorithm to factor the number 21. However, sudden advances are always possible, and we always need to have a plan of what we can do if Edward Snowden decides to leak out that the NSA has fully functional quantum computers hiding in a secret data ...

Ripple's CTO, David Schwartz, believes that quantum computer systems shall be a risk to the safety of Bitcoin, XRP and different cryptocurrencies. Schwartz predicts that quantum computer systems will begin to develop into an issue inside the subsequent 10 years.