Damus

Recent Notes

> it's not necessary for everyone to agree on what level of security to use, it's a lot more nuanced than that (trivial example: hashed addresses vs not, pre-QC consideration; it was never a trivial question. Remember Nicolas Courtois' scaremongering?).

Of course it’s a lot more nuanced, sure, but I hope we agree that if I think a CRQC exists today (obviously it doesn’t, but as an example) then I should obviously sell all my bitcoin - a break in the cryptography that secures the vast, vast majority of Bitcoin doesn’t just impact my coin, but the value of the system overall (economic and otherwise).

In the extreme, it’s simply too naive to pretend that a break which allows a substantial majority of coin to be stolen doesn’t impact people who happen to not rely on that crypto.

Assuming we agree on that, we’re really just arguing thresholds and relative importance.

> And there is no requirement for any specific users to move out of existing coins to be able to say "bitcoin has the functionality required to keep your coins secure". bitcoin has never yet required people to move their coins, don't forget.

Sure, but to my knowledge it’s also not recently been a material risk that a huge number of coins would simply trivially be stolen. I do not think we can discount how unique this situation is in recent memory.

The only other comparable example in Bitcoin’s history I can think of is early 2010/2011. At that point the vast majority of Bitcoin was held in wxBitcoin/bitcoind wallets, many of which were online and reachable over the public internet. During that period I often worried that we’d have a 0day in bitcoind which resulted in some malicious party stealing private keys for 50-75% of the total bitcoin supply.

My view at the time (and AFAIU this was at least somewhat accepted) was that if this were to happen Bitcoin would simply fail and never recover. Not only would the malicious party’s control of that much coin result in massive loss of trust but a reasonable conclusion would have been that the science of software engineering was simply not ready to build something like a cryptocurrency.

As much as Bitcoin has a history of operations now, I think in the extreme a CRQC stealing coin could result in the same outcome. Again, there are a lot of shades of grey here but I hope we agree on the extreme example.

Finally, it is worth pointing to the DAO hack here. Obviously at the time bitcoiners ridiculed the ethereum ecosystem over the theft of something like 80% of all eth, but the same market dynamics would apply to bitcoin (again, in an extreme example). Ultimately there was ETC and ETH and the market decisively picked ETH (for many reasons that might not all apply to bitcoin, sure, but the biggest reason imo was simply that 80% of coins were going to be held by a demonstrably-malicious entity).


> And to illustrate more concretely, the part you put in quotation marks: that describes me, I think that, but I don't agree with what follows: I don't prefer the fork "with fewer coins sold", I think that's a non sequitur (not that it can't follow, I mean that it doesn't logically follow), *and* I think it's the ethically wrong position, too, *and* I think long term it's a vector of failure for the project in its goals.

Sure, you might not, but the point is about the market, because the only thing that really matters is what the market values.

In your replies I haven’t yet seen you contend with my point about relative theft, so curious to get your specific take on it. In the scenario I raised in my previous post, I noted that disabling insecure spend paths would result in *vastly* more bitcoin going to its owners than coins that would be burned. Do you really think that it’s ethically wrong to prevent, say, 70% of Bitcoin from being stolen just to avoid burning, say, 10% of Bitcoin? And more generally do you really think that Bitcoin would survive 80% of total supply being stolen?

I suspect I know the answers to these questions, which means that we’re really arguing degrees and likely scenarios, and not really arguing about actual correct decisions.
s/especially because that position/especially if that position/

Depends on the QC scenario :)
Sure, to be clear I’m not advocating for radicle specifically, just noting that it seems the furthest along and thus maybe the most exciting. I’m much more driven by requirements than some abstract tech preference, as are most people I imagine :).
It depends so much on the exact scenario. I believe we’re imagining radically different QC development scenarios rather than disagreeing on specifics. Eg see below.

Bitcoin has maintained its neutrality precisely because it only has value if it maintains its neutrality - the market in general will sell any fork that isn’t clearly in line with the properties of Bitcoin that matter.

But there are other market dynamics like supply that matter too. As Pieter puts it, Bitcoin only works if everyone in Bitcoin can agree to the secure set of cryptographic primitives in the system - for those not okay with pre-QC crypto and okay with “you had ten years to move your coins, and even if you forgot we’ll make sure you can still get them in every case we can”, they’ll strongly prefer the fork with fewer coins being sold (not just total supply, coins on the market!). IMO that’s a *very* reasonable position (again, as always, depending on exactly when/how/etc a CRQC is discovered/built), especially because that position *allows more bitcoiners to retain access to their bitcoin*.

@nevent1qqs...
Maybe to emphasize the important point - if we have to move quickly, disabling insecure spend paths and allowing seedphrase proofs to spend coins is likely to recover substantially more coins than would be burned. Let’s say we wake up tomorrow to a breakthrough and a CRQC is clearly only a few years away now (highly unlikely but who knows). Given the low level of coins which would be able to migrate in time, it seems like seedphrase proofs are a *way* better option than just letting everything be stolen!

It depends so much on the specific scenario though - if it’s been 20 years since wallets started universally using some PQC scheme, the calculus is very different. This is also why it’s important to emphasize that we really can’t decide anything today and it’s up to a market to decide when/if these issues become real.
One thing I’ve heard desired from folks is the ability to default issues to private, visible only to maintainers. This not only ensures that security issues aren’t public immediately but also removes the incentive for people to troll by opening issues. Then a maintainer can mark an issue as legit and it’ll be public. IMO this is a great way to approach it.
> First, stop assuming they're Satoshi's. We don't know that.

Fair, thanks for highlighting it. Doesn’t particularly matter to this discussion though.

> Second, when/if they are spent, we won't know how the private key was known to the spender. Quantum's existence won't change that epistemic limitation.

Sure, but the decision a future Bitcoin community will make won’t come after early coins start moving, it would come before then. In a world where it is clear to everyone that a CRQC is *going* to become reality in 2-5 years the Bitcoin community has two choices:
* disable now-clearly-insecure spend paths, allowing those with keys derived from a seedphrase to retain their coins but burning any coins that are not and have not migrated to some post-QC output type
* allow all coins using now-clearly-insecure spend paths to be stolen, absolutely trashing Bitcoin’s reputation as a secure system.

I find it *incredibly* unlikely that the market decides to value fork b over fork a.

> Third, there is no "we" to make such a choice.

There will be a fork because *someone* will build it and the market will decide which is more valuable. That’s ultimately always how Bitcoin decides.

> No group of people have the right to confiscate coins, no matter how rational the reason.

In this scenario the coins will be confiscated or burned no matter if a fork happens or not. That’s the important part here. Burning >>> theft, imo.

> And to *anyone* (not Matt specifically) who is worried about the market effect of huge selling, consider the market effect of the precedent of freezing coins at the protocol layer. Everything is a one-time exception until it isn't.

Worth raising again here that no coins derived from a seedphrase would be burned. So strictly speaking no one knows whether any given coin is burned or not. Also possible to do something like allow coins to pre-commit on chain to a new private key via blinded signature that can be revealed later - that way you could spend your coins post-CRQC without doing so pre-fork.

> Notice that that last point is not wrong because "if QC then all btc is worthless"; we are discussing the scenario of there being a migration path but old plain pubkey holders don't use it

Imo the reputational damage of “lol, Google stole 2M bitcoin and is selling it, what a dumb fucking coin” is way worse than you’re making it out. But, again, it’s highly dependent on exactly the state of QC and how public it is at the time. This isn’t something you or I can really decide and ultimately it’s up to the market at the time to pick what it wants bitcoin to be.
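The on-chain pre-commitment idea in this post (commit to a new key before the fork, reveal it only afterwards) can be modelled as a salted hash commitment checked against the fork height. This is an added illustration, not Matt's proposal and not Bitcoin code: it uses a plain hash commitment where the post mentions a blinded signature, and the record layout, the `TAG` constant and the `old_key_id` binding (which in practice would come from a transaction signed by the old key) are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Constructed domain-separation tag; not a real Bitcoin constant.
TAG = b"pq-migration-commit-v0"


@dataclass(frozen=True)
class Commitment:
    height: int      # block height at which the commitment was recorded
    old_key_id: str  # identifier of the pre-quantum output being migrated (assumed)
    digest: bytes    # sha256(TAG || old_key_id || new_pubkey || salt)


def _digest(old_key_id: str, new_pubkey: bytes, salt: bytes) -> bytes:
    return hashlib.sha256(TAG + old_key_id.encode() + new_pubkey + salt).digest()


def commit(height: int, old_key_id: str, new_pubkey: bytes, salt=None):
    """Pre-fork step: record only a salted hash of the new key, so the key itself
    is never exposed while the old signature scheme is still the only spend path."""
    salt = secrets.token_bytes(32) if salt is None else salt
    return Commitment(height, old_key_id, _digest(old_key_id, new_pubkey, salt)), salt


def verify_reveal(chain, fork_height: int, old_key_id: str, new_pubkey: bytes, salt: bytes) -> bool:
    """Post-fork step: accept the revealed key only if a matching commitment for this
    output was recorded strictly before the fork height, so a commitment made later
    (by whoever recovered the old key after the fork) is rejected."""
    expected = _digest(old_key_id, new_pubkey, salt)
    return any(
        c.height < fork_height
        and c.old_key_id == old_key_id
        and hmac.compare_digest(c.digest, expected)
        for c in chain
    )


def demo() -> dict:
    """Constructed walk-through: one honest pre-fork commitment, one late one."""
    honest_key, salt = b"\x01" * 32, b"\x00" * 32  # constructed sample values
    chain = [commit(100, "utxo-A", honest_key, salt)[0],
             commit(250, "utxo-B", honest_key, salt)[0]]
    fork_height = 200
    return {
        "honest_reveal": verify_reveal(chain, fork_height, "utxo-A", honest_key, salt),
        "wrong_key": verify_reveal(chain, fork_height, "utxo-A", b"\x02" * 32, salt),
        "late_commit": verify_reveal(chain, fork_height, "utxo-B", honest_key, salt),
    }
```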
Oh sorry, missed the most important one - the ability for people to submit issues without a nostr key/local software. The biggest reason to be on GitHub is the network effects - probably anyone using our software who wants to submit a bug report already has a GitHub account. The easiest fix for that is a simple website that anyone can go to that they just have to pass a captcha and then their browser generates a key for them, stores it locally, then lets them open an issue.

Also in an ideal world the ability for devs to contribute without any local software via a trusted bridge. At least initially.

Bonus points for letting people contribute via GitHub and auto-mirroring it to the other platform, but that’s not really *required*. Easy to do with a bridge bot at least for issues, but PRs probably harder.
In general I agree with you. I think the disagreement between Odell and me was primarily over “how likely is it that the bitcoin community will have clear visibility into the soon-existence of a CRQC”. I think it’s highly likely, so burning coins is a substantially better outcome, like you. He thought it’s unlikely, so instead you’d be burning without proof a CRQC exists/will exist soon.