I'm increasingly coming around to the opinion that #bitcoin doesn't need anonymity. Maybe I'll revert - we'll see. I'm saying that based on the ideal world that we're hopefully building, not the current world. Use privacy best practices. But a future better have a justice system, and property is the basis of justice.
Discussion
if bitcoin were anonymous like monero, we would have never come this far with adoption. It’s part of the magic sauce
Very true
I don't buy that for a second. It's a baseless statement, like "things would've been worse if Obama wasn't president" or some other such ex-post-facto unfalsifiable justification.
ETFs, MSTR and 130 other publicly traded companies, 6 (I think) nation states with proposals for a bitcoin reserve - we could still have that while being perfectly anonymous (I've heard monero isn't, but for the sake of the situation, I'll accept it for a premise)?
Of course. Gold is perfectly anonymous. Dollar bills are almost perfectly anonymous. Lots of ETFs have cash on their balance sheets, lots of publicly traded companies have gold, lots of countries have USD and gold reserves. The only thing bitcoin has over Monero in this regard is time and therefore network effects.
UTXOs and hidden addresses were sufficiently anonymous
properly using that to advantage has taken a long time for wallet developers to actually implement
Yeah. It would be nice if utxo management was presented more front and center, so people don't feel helpless in front of the firehose of stuff to learn. Wait... What's a hidden address? Lol!
K, looked it up. It's addresses derived from a public address, so you can use your private key to scan for funds sent to such one-time-use addresses. Intriguing. But also... What does it change? If you sweep the funds, then it was pointless. I'm missing something. Also leery of whatever software would be involved with this.
yeah, it's based on an arcane construction, which I think was probably one of the key elements of Satoshi's original discoveries that enabled it to be what it is
the payment addresses have to be hashed to reveal, from the pubkey, which is made visible for the first time when you have already published the transaction
this address previously cannot be connected to the pubkey that is derived from the secret key that enables spending
so it's basically a case of you not being able to see ahead of time who might have that key, because you don't know what the key is, only the RIPEMD160 hash of the key, which is a shorter hash than the one used in the signature algorithm (the SHA256 hash of the transaction creates the txid which the signing key must sign on, using the pubkey, related to the address that was derived from the pubkey by the recipient)
it also includes an unusual construction where instead of getting one bit of true/false when verifying, you take the txid (transaction hash) and the signature of the spend transaction, and this gives you something that should be the pubkey, and this can be verified because the pubkey, fed into ripemd160 hash, generates the address specified as the "out point" in the transaction
so you see, it creates a fog of war on the network that can't be broken, the address hashes are deliberately fully 116 bytes shorter than the hash of the txid and the pubkey so that's a LOT of security against reversing the hash function, 116 bits of security is pretty much still considered to be 1000 years of brute force prevention security for AES style encryption algorithms
nobody had put it all together in this way before, and even Satoshi, I don't think he had the whole picture before he started on the project, but once he discovered it, the fate of bitcoin was sealed, it was the first time anyone had created a peer to peer cryptocurrency system that was invulnerable to any kind of cryptanalysis attack
this is also why I'm also very hostile to the ecash people, because Chaum's blinded signatures did not solve this problem, and Adam Back is definitely not Satoshi even though some of his ideas that he tried to implement were related, and even that famous NSA paper that describes about 90% of what bitcoin is, was missing critical things, and this irreversible hashing of pubkeys to addresses and the use of signatures that only give the (maybe) pubkey means that once the spend has hit the p2p network, the holder is now done, you don't know who the two addresses are controlled by (spend and change) and you don't know which of those two is the spend, and you don't know whether they are even another person or not, it can never be known ahead of time where a bitcoin transaction is going to be spent and once it is, it's too late to catch them
ooh, yeah, 116 bits is literally how much bruteforce countermeasure there is between a bitcoin address and the pubkey it relates to, that is VERY strong protection, you can't generate that many hashes in a thousand years even if computers continue to proliferate at the rate they are now, certainly it's unlikely to happen in less than 100 years, assuming a massive breakthrough in mathematics and computational device technology
That's a lot to wrap my puny brain around, but I guess wallet software can do the work of finding any hidden addresses it can access. Is anyone actually implementing it?
yeah, HD keychains have been around since like, idk, 2014 or something, and it's simple to scan for them, you just generate the next 20 or so keys and monitor the mempool for the ripemd160 hash of the pubkeys from your keychain
satoshi was already gone by the time that all became commonplace, it's also a critical security element of the tech, without HD keychains you can easily lose your sats
Ohhh, it's just the HD stuff? I thought it was a new thing
Does this mean that the private key generates a public key, and the public key is hashed into an address? So that you can't actually derive a public key from the address, and therefore can never determine an address's related private key?
exactly
I'm looking at the white paper, and it only shows the sender signing a combination of his utxo's hash and the recipient's public key. Where does the address come into the picture and how does the signature work out if the recipient's public key is obfuscated in that signature?
I think you explained that in your note but it went over my head.
The addresses are the out points; there are usually 2 but there can be any number, and each of these addresses designates the spending key for next time. The signature itself, when combined with the hash of the transaction, reveals the public key the address is derived from, and thus proves the right of ownership.
The public key is hidden until the tx is already history. This means also that quantum computers don't matter so long as you don't reuse and continue to hold coins at the address.
The signature algorithm is based on a specific number series that is derived from a tiny seed, which is too small to manipulate to back door it, meaning to hide numbers in it that allow multiple solutions. The other ones used in blockchains do not have this property.
The vulnerability that was discovered that led to segwit related to the ECDSA signatures, which allow a much larger set of other solutions that is referred to as malleability. Schnorr signatures, as used in nostr and taproot, don't have this problem. They can also be used in the same way where the txid hash and signature reveal the public key, but also make it easy to function like a keychain, creating a mechanism for encoding multiple codes tied to a single key, which can be used to represent the alternate paths of execution of a smart contract.
Geniuses... F'n geniuses...
Your A key isn't hitting
yeah, touchscreen display is not great on the edge... you can tell I'm using it because it puts capital letters and especially missing the A and often breaks a sentence by putting a full stop in there
yeah just wanted to clear something, each utxo has to be signed on, and that reveals the public key, the specification of where they go is defined by the out points
in the transaction there are inpoints, which are the address that is spent to, and outpoints, which are where you are sending them... if you have had two payments go to an address, you can spend those with one signature that authorises that address balance to move
so if you are spending a larger amount, you will often have several signatures to create, and usually all but one will be going to one destination, by joining utxo's to spend them into one new balance at a new address, so yeah they can be split and joined, and from the point of view of an observer, it can be unclear which is change and which is payment, also, this is one of the core problems with chain analysis, because a better design of transaction can defeat any notion of which is payment and which is change, in fact, for example you could conceivably ask someone to give you 3 addresses to send to, and make 4 of your own change addresses, and who's gonna know which is which?
this is a neat thing you can do with Bitcoin Core also, in the settings enable coin control and you can be selective about everything, including, if you create several of your own change addresses manually, make it entirely impossible to determine what is "spending" and what is not.
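To make the "which output is change" question concrete, an added example (mine, not from the thread or from any analysis tool): two widely used chain-analysis heuristics in simplified form, the round-amount heuristic and the "unnecessary input" heuristic, run over two constructed transactions. All amounts are constructed, in satoshis; the first transaction is the usual wallet-built shape, the second is the shape described above with three recipient-supplied outputs and four self-made change outputs.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Tx:
    """A transaction reduced to what these heuristics look at. Values in sats.
    Constructed data for illustration, not real chain data."""
    inputs: tuple[int, ...]
    outputs: tuple[int, ...]

    @property
    def fee(self) -> int:
        return sum(self.inputs) - sum(self.outputs)


def round_amount_candidates(tx: Tx, unit: int = 100_000) -> set[int]:
    """Round-amount heuristic: a human typed the payment, so it tends to be a
    round number (here a multiple of 0.001 BTC); change is whatever was left
    over, so it is not. Returns indices of outputs that look like change."""
    return {i for i, v in enumerate(tx.outputs) if v % unit != 0}


def unnecessary_input_candidates(tx: Tx) -> set[int]:
    """Unnecessary-input heuristic: a wallet stops adding inputs once payment
    plus fee is covered. If an output could have been paid without the
    smallest input, inputs were not selected for it, so it is more likely
    the change. Returns indices of outputs that look like change."""
    spare = sum(tx.inputs) - min(tx.inputs) - tx.fee
    return {i for i, v in enumerate(tx.outputs) if v <= spare}


def guess_change(tx: Tx):
    """Index of the change output when both heuristics single out the same
    one; None when the analyst has no unique answer."""
    agreed = round_amount_candidates(tx) & unnecessary_input_candidates(tx)
    return next(iter(agreed)) if len(agreed) == 1 else None


# Constructed: one payment (round) and one change output, fee 10_000 sats.
TYPICAL = Tx(inputs=(1_200_000, 900_000), outputs=(1_500_000, 590_000))

# Constructed: three payments to recipient-supplied addresses plus four
# self-made change outputs, none of them round, fee 20_000 sats.
SPLIT = Tx(inputs=(700_000, 650_000, 610_000),
           outputs=(431_500, 276_400, 203_700, 310_900, 255_300, 240_100, 222_100))

if __name__ == "__main__":
    for name, tx in (("typical", TYPICAL), ("split", SPLIT)):
        print(name, "fee:", tx.fee, "round:", sorted(round_amount_candidates(tx)),
              "unnecessary-input:", sorted(unnecessary_input_candidates(tx)),
              "guess:", guess_change(tx))
```

Two caveats a practitioner would add: real clustering tools combine many more signals (script type, output ordering, fiat-round amounts at the time of the transaction, and linkage across later transactions), and the extra change outputs carry their own cost, since each one is another UTXO that will be linked back together the moment they are spent in the same transaction.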
Thank you, I needed that simplification
that's right, UNTIL you move the coins from that new address when it receives them, then the public key is publicised
I’m most concerned about showing off how much corn is in the utxo I’m sending you from.
Whether I have $10,000 or $100 in my bank account. I don’t want you knowing my remainder balance after I send you an e-transfer.
Same difference imo.
Yeah. My best answer currently is:
Keep your utxo's in useful chunks and spend the whole thing every time by sending the extra to a new address.
But beyond that gets into a debate of how much information an investigator needs to investigate a crime. If someone steals, I do want them to be caught. But if it's too easy to catch them, then for the same reason, innocent people can become easy targets.
IMO the solution to that problem is to not rely on the money as evidence to investigate crimes. Back when people used cash for everything, criminals were still caught. And I don't have a source but from my view, the rate of crime actually being stopped has not gone up with the rise of financial surveillance. I'd be surprised if someone could show me that that's happened. So, the solution is, give everyone private money and make the cops do their job and investigate. If the trade off is any fuckhead I bought a ps4 controller from on Craigslist can figure out my net worth and crack me over the head and take it, but *maybe* some drug dealers will go to jail and *maybe* the CIA won't have a black budget, that's not a worthwhile trade off. If the trade off is some drug dealers get away but I'm safe knowing nobody but me and those I volunteer to tell know what I have, I'll take that. And, IMO, the black budget problem goes away, because they can't just print money, they have to take it from us to use it nefariously in the first place. They can borrow it, but without printing, they have to pay it back eventually at full price instead of devaluing what's mine and paying it back with the value I lost. So in my view, algorithmically predictable supply solves the black budget problem and there becomes no need for mandatory everyone-is-naked transparency.
Even if we somehow achieved perfect governments (lol) they aren't the only criminals that exist.
And the whole point of Bitcoin is to not have to rely on corruptible governments (justice system) that got us here in the first place. If Bitcoin was secured by politics, we wouldn't need it, we already have fiat for that.
True