GitHub - brichard19/BitCrack: A tool for cracking Bitcoin ...

Technical: Taproot: Why Activate?

This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given public key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

submitted by almkglor to Bitcoin [link] [comments]

Storing Monero in an ultra-paranoid fashion

Hi, I am wondering about how one would store Monero in an ultra paranoid fashion. I saw that the NSA deprecated elliptic curve cryptography for official government use, which leads many to believe that they might have found some vulnerability.
In Bitcoin, I can do a p2pkh or "pay to public key hash" which means that even if somebody finds a weakness in ECC that can help recover private keys from public keys, my Bitcoin would be safe - because the public key isn't revealed until I spend the Bitcoin.
However, in Monero, I can't seem to find a similar way to "pay to public key hash." Is there some other way I can hold Monero without revealing the public key?
I know this is ultra paranoid and the odds of this happening are near negligible. Even further, the odds of an attacker knowing which public keys are mine are even lower. Cracking Monero addresses likely wouldn't even be on the radar of somebody who has discovered such a vulnerability - they would almost certainly go after higher value targets first (like foreign government secret communications.)
However, does Monero offer a solution for an ultra paranoid user like me? Not that I'll stop using it if it doesn't! :)
submitted by GelComb to Monero [link] [comments]

hodlmon.sh: a UTXO monitoring methodology and script for true connoisseurs of security, paranoia and BTC maximalism

EDIT:
Disclaimer: the below script is provided for example purposes only. You're responsible for your own security. Don't trust, verify.
tldr: the script is literally just an example wrapper to call "gettxout" on your own node via cron to check if your own utxo has been spent yet
OK, since there are a few questions on security below, let me clarify: this script is only for people who are 1) already running their own nodes and 2) can understand the bash script below. And obviously, don't trust some random person on the internet, always verify. I provided this as an example for a way to monitor your own UTXOs with your existing node. Those of you who understand what the below script does will see it's painfully simple and obviously harmless. Those of you who don't understand it, just ignore this post, or better yet, research what the below means until you do understand it. What's important is the idea of monitoring your own UTXO, and this script is an example of how to do that with gettxout.
ORIGINAL POST:
Submitting this to help strengthen the community, and for review:
hodlmon.sh: a UTXO monitoring methodology and script for true connoisseurs of security, paranoia and BTC maximalism
Monitor canary UTXOs for early detection of compromised private keys BEFORE funds are lost, using your own full node for maximum privacy and trustlessness. Note that you will need to implement your own notification strategy (email, push, sms, etc). This script is intended to run on your full node, but can be run from any machine with RPC access to your full node.
hodlmon.sh is designed to check if a given UTXO (i.e. a specific output of a specific btc transaction) has been spent or not. This can be used for early and proactive detection if a seed phrase or private key has been compromised, so you have time to move your btc before full compromise happens. In order for this to work, a small amount of btc should be sent to an address controlled only by a given seedphrase, with that seedphrase being part of a multisig wallet or a seedphrase+passphrase wallet, and the majority of your funds controlled in the seedphrase+passphrase or multisig wallet. The idea is to leave the small amount of btc (the canary utxo) in the address, so that it never moves unless the seedphrase that controls it has been compromised and all funds in the wallet swept. In this way, you use those compromised sats to buy information about the current security status of your wallet(s).
Example usage:Set up a cron job to run hodlmon.sh every 30 min to check if transaction output at index "0" for transaction with id "123" has been spent already. Use "my_utxo_nickname" as a friendly name for the UTXO (to differentiate between multiple wallets)
*/30 * * * * /path/to/hodlmon.sh 123 0 my_utxo_nickname > /tmp/hodlmon_log 2> /tmp/hodlmon_err_log
Usage scenario #1: Seedphrase (A) + passphrase (A')Majority of funds are held in a wallet controlled by both the seedphrase and passphrase, A and A'. A token amount of btc is controlled only by seedphrase A.
A + A': majority of funds
A: canary UTXO
hodlmon.sh is used to monitor the canary funds locked by A, so that if it is discovered that A has been compromised, the funds locked by A and A' can be moved to a new wallet before the passphrase A' can be cracked and all your funds exfiltrated.
Usage scenario #2: multisig e.g. 2 of 3, with seed phrases A, B and CMajority of funds held in a multisig wallet controlled by 3 seedphrases A, B, and C. 3 small canary UTXOs are held in wallets each controlled by A, B or C, respectively.
A + B + C: majority of funds
A: canary UTXO 1
B: canary UTXO 2
C: canary UTXO 3
One benefit of multisig (e.g. 2 of 3) is that even if 1 key is compromised, your funds are safe, since at least 2 keys are needed to release funds. But how do you that none of the keys has yet been compromised? If you create separate wallets controlled each by only 1 of the individual keys, and use hodlmon.sh to monitor whether those UTXOs have been exfiltrated, then you can detect partial compromise of your setup before a full exfiltration event takes place, so you can move your funds to a new multisig wallet with freshly generated and uncompromised keys.
Example of 3 cronjobs to monitor all 3 canary UTXOs:
*/30 * * * * /path/to/hodlmon.sh 123 0 key1 > /tmp/hodlmon_log_1 2> /tmp/hodlmon_err_log_1
*/30 * * * * /path/to/hodlmon.sh 456 0 key2 > /tmp/hodlmon_log_2 2> /tmp/hodlmon_err_log_2
*/30 * * * * /path/to/hodlmon.sh 789 0 key3 > /tmp/hodlmon_log_3 2> /tmp/hodlmon_err_log_3

Example hodlmon script:
#########################################################################
#!/bin/bash
touch /tmp/hodlmon_last_run
echo "Transaction ID: $1"
echo "Output #: $2"
echo "Nickname: $3"
NODE_IP=127.0.0.1 #TODO: use actual value
USER=user#TODO: use actual value
PASS=pass #TODO: use actual value
PORT=8332 #TODO: use actual value
CHECK_CMD="/uslocal/bin/bitcoin-cli -rpcconnect=$NODE_IP -rpcuser=$USER -rpcpassword=$PASS -rpcport=$PORT gettxout $1 $2"
RESULT="$($CHECK_CMD)"
echo "${RESULT}"
if [ "$RESULT" == "" ]
then
echo "UTXO HAS BEEN SPENT! RED ALERT!!"
MSG="The UTXO for $3 from tx $1 output $2 has moved!"
#TODO: ADD YOUR FAVORITE NOTIFICATION STRATEGY E.G. EMAIL, PUSH NOTIFICATION, SMS
else
echo "UTXO is still on ice"
fi
############################################

submitted by facepalm5000 to Bitcoin [link] [comments]

[ Bitcoin ] Technical: Taproot: Why Activate?

Topic originally posted in Bitcoin by almkglor [link]
This is a follow-up on https://old.reddit.com/Bitcoin/comments/hqzp14/technical_the_path_to_taproot_activation/
Taproot! Everybody wants it!! But... you might ask yourself: sure, everybody else wants it, but why would I, sovereign Bitcoin HODLer, want it? Surely I can be better than everybody else because I swapped XXX fiat for Bitcoin unlike all those nocoiners?
And it is important for you to know the reasons why you, o sovereign Bitcoiner, would want Taproot activated. After all, your nodes (or the nodes your wallets use, which if you are SPV, you hopefully can pester to your wallet vendoimplementor about) need to be upgraded in order for Taproot activation to actually succeed instead of becoming a hot sticky mess.
First, let's consider some principles of Bitcoin.
I'm sure most of us here would agree that the above are very important principles of Bitcoin and that these are principles we would not be willing to remove. If anything, we would want those principles strengthened (especially the last one, financial privacy, which current Bitcoin is only sporadically strong with: you can get privacy, it just requires effort to do so).
So, how does Taproot affect those principles?

Taproot and Your /Coins

Most HODLers probably HODL their coins in singlesig addresses. Sadly, switching to Taproot would do very little for you (it gives a mild discount at spend time, at the cost of a mild increase in fee at receive time (paid by whoever sends to you, so if it's a self-send from a P2PKH or bech32 address, you pay for this); mostly a wash).
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash, so the Taproot output spends 12 bytes more; spending from a P2WPKH requires revealing a 32-byte public key later, which is not needed with Taproot, and Taproot signatures are about 9 bytes smaller than P2WPKH signatures, but the 32 bytes plus 9 bytes is divided by 4 because of the witness discount, so it saves about 11 bytes; mostly a wash, it increases blockweight by about 1 virtual byte, 4 weight for each Taproot-output-input, compared to P2WPKH-output-input).
However, as your HODLings grow in value, you might start wondering if multisignature k-of-n setups might be better for the security of your savings. And it is in multisignature that Taproot starts to give benefits!
Taproot switches to using Schnorr signing scheme. Schnorr makes key aggregation -- constructing a single public key from multiple public keys -- almost as trivial as adding numbers together. "Almost" because it involves some fairly advanced math instead of simple boring number adding, but hey when was the last time you added up your grocery list prices by hand huh?
With current P2SH and P2WSH multisignature schemes, if you have a 2-of-3 setup, then to spend, you need to provide two different signatures from two different public keys. With Taproot, you can create, using special moon math, a single public key that represents your 2-of-3 setup. Then you just put two of your devices together, have them communicate to each other (this can be done airgapped, in theory, by sending QR codes: the software to do this is not even being built yet, but that's because Taproot hasn't activated yet!), and they will make a single signature to authorize any spend from your 2-of-3 address. That's 73 witness bytes -- 18.25 virtual bytes -- of signatures you save!
And if you decide that your current setup with 1-of-1 P2PKH / P2WPKH addresses is just fine as-is: well, that's the whole point of a softfork: backwards-compatibility; you can receive from Taproot users just fine, and once your wallet is updated for Taproot-sending support, you can send to Taproot users just fine as well!
(P2WPKH and P2WSH -- SegWit v0 -- addresses start with bc1q; Taproot -- SegWit v1 --- addresses start with bc1p, in case you wanted to know the difference; in bech32 q is 0, p is 1)
Now how about HODLers who keep all, or some, of their coins on custodial services? Well, any custodial service worth its salt would be doing at least 2-of-3, or probably something even bigger, like 11-of-15. So your custodial service, if it switched to using Taproot internally, could save a lot more (imagine an 11-of-15 getting reduced from 11 signatures to just 1!), which --- we can only hope! --- should translate to lower fees and better customer service from your custodial service!
So I think we can say, very accurately, that the Bitcoin principle --- that YOU are in control of your money --- can only be helped by Taproot (if you are doing multisignature), and, because P2PKH and P2WPKH remain validly-usable addresses in a Taproot future, will not be harmed by Taproot. Its benefit to this principle might be small (it mostly only benefits multisignature users) but since it has no drawbacks with this (i.e. singlesig users can continue to use P2WPKH and P2PKH still) this is still a nice, tidy win!
(even singlesig users get a minor benefit, in that multisig users will now reduce their blockchain space footprint, so that fees can be kept low for everybody; so for example even if you have your single set of private keys engraved on titanium plates sealed in an airtight box stored in a safe buried in a desert protected by angry nomads riding giant sandworms because you're the frickin' Kwisatz Haderach, you still gain some benefit from Taproot)
And here's the important part: if P2PKH/P2WPKH is working perfectly fine with you and you decide to never use Taproot yourself, Taproot will not affect you detrimentally. First do no harm!

Taproot and Your Contracts

No one is an island, no one lives alone. Give and you shall receive. You know: by trading with other people, you can gain expertise in some obscure little necessity of the world (and greatly increase your productivity in that little field), and then trade the products of your expertise for necessities other people have created, all of you thereby gaining gains from trade.
So, contracts, which are basically enforceable agreements that facilitate trading with people who you do not personally know and therefore might not trust.
Let's start with a simple example. You want to buy some gewgaws from somebody. But you don't know them personally. The seller wants the money, you want their gewgaws, but because of the lack of trust (you don't know them!! what if they're scammers??) neither of you can benefit from gains from trade.
However, suppose both of you know of some entity that both of you trust. That entity can act as a trusted escrow. The entity provides you security: this enables the trade, allowing both of you to get gains from trade.
In Bitcoin-land, this can be implemented as a 2-of-3 multisignature. The three signatories in the multisgnature would be you, the gewgaw seller, and the escrow. You put the payment for the gewgaws into this 2-of-3 multisignature address.
Now, suppose it turns out neither of you are scammers (whaaaat!). You receive the gewgaws just fine and you're willing to pay up for them. Then you and the gewgaw seller just sign a transaction --- you and the gewgaw seller are 2, sufficient to trigger the 2-of-3 --- that spends from the 2-of-3 address to a singlesig the gewgaw seller wants (or whatever address the gewgaw seller wants).
But suppose some problem arises. The seller gave you gawgews instead of gewgaws. Or you decided to keep the gewgaws but not sign the transaction to release the funds to the seller. In either case, the escrow is notified, and if it can sign with you to refund the funds back to you (if the seller was a scammer) or it can sign with the seller to forward the funds to the seller (if you were a scammer).
Taproot helps with this: like mentioned above, it allows multisignature setups to produce only one signature, reducing blockchain space usage, and thus making contracts --- which require multiple people, by definition, you don't make contracts with yourself --- is made cheaper (which we hope enables more of these setups to happen for more gains from trade for everyone, also, moon and lambos).
(technology-wise, it's easier to make an n-of-n than a k-of-n, making a k-of-n would require a complex setup involving a long ritual with many communication rounds between the n participants, but an n-of-n can be done trivially with some moon math. You can, however, make what is effectively a 2-of-3 by using a three-branch SCRIPT: either 2-of-2 of you and seller, OR 2-of-2 of you and escrow, OR 2-of-2 of escrow and seller. Fortunately, Taproot adds a facility to embed a SCRIPT inside a public key, so you can have a 2-of-2 Taprooted address (between you and seller) with a SCRIPT branch that can instead be spent with 2-of-2 (you + escrow) OR 2-of-2 (seller + escrow), which implements the three-branched SCRIPT above. If neither of you are scammers (hopefully the common case) then you both sign using your keys and never have to contact the escrow, since you are just using the escrow public key without coordinating with them (because n-of-n is trivial but k-of-n requires setup with communication rounds), so in the "best case" where both of you are honest traders, you also get a privacy boost, in that the escrow never learns you have been trading on gewgaws, I mean ewww, gawgews are much better than gewgaws and therefore I now judge you for being a gewgaw enthusiast, you filthy gewgawer).

Taproot and Your Contracts, Part 2: Cryptographic Boogaloo

Now suppose you want to buy some data instead of things. For example, maybe you have some closed-source software in trial mode installed, and want to pay the developer for the full version. You want to pay for an activation code.
This can be done, today, by using an HTLC. The developer tells you the hash of the activation code. You pay to an HTLC, paying out to the developer if it reveals the preimage (the activation code), or refunding the money back to you after a pre-agreed timeout. If the developer claims the funds, it has to reveal the preimage, which is the activation code, and you can now activate your software. If the developer does not claim the funds by the timeout, you get refunded.
And you can do that, with HTLCs, today.
Of course, HTLCs do have problems:
Fortunately, with Schnorr (which is enabled by Taproot), we can now use the Scriptless Script constuction by Andrew Poelstra. This Scriptless Script allows a new construction, the PTLC or Pointlocked Timelocked Contract. Instead of hashes and preimages, just replace "hash" with "point" and "preimage" with "scalar".
Or as you might know them: "point" is really "public key" and "scalar" is really a "private key". What a PTLC does is that, given a particular public key, the pointlocked branch can be spent only if the spender reveals the private key of the given private key to you.
Another nice thing with PTLCs is that they are deniable. What appears onchain is just a single 2-of-2 signature between you and the developemanufacturer. It's like a magic trick. This signature has no special watermarks, it's a perfectly normal signature (the pledge). However, from this signature, plus some datta given to you by the developemanufacturer (known as the adaptor signature) you can derive the private key of a particular public key you both agree on (the turn). Anyone scraping the blockchain will just see signatures that look just like every other signature, and as long as nobody manages to hack you and get a copy of the adaptor signature or the private key, they cannot get the private key behind the public key (point) that the pointlocked branch needs (the prestige).
(Just to be clear, the public key you are getting the private key from, is distinct from the public key that the developemanufacturer will use for its funds. The activation key is different from the developer's onchain Bitcoin key, and it is the activation key whose private key you will be learning, not the developer's/manufacturer's onchain Bitcoin key).
So:
Taproot lets PTLCs exist onchain because they enable Schnorr, which is a requirement of PTLCs / Scriptless Script.
(technology-wise, take note that Scriptless Script works only for the "pointlocked" branch of the contract; you need normal Script, or a pre-signed nLockTimed transaction, for the "timelocked" branch. Since Taproot can embed a script, you can have the Taproot pubkey be a 2-of-2 to implement the Scriptless Script "pointlocked" branch, then have a hidden script that lets you recover the funds with an OP_CHECKLOCKTIMEVERIFY after the timeout if the seller does not claim the funds.)

Quantum Quibbles!

Now if you were really paying attention, you might have noticed this parenthetical:
(technical details: a Taproot output is 1 version byte + 32 byte public key, while a P2WPKH (bech32 singlesig) output is 1 version byte + 20 byte public key hash...)
So wait, Taproot uses raw 32-byte public keys, and not public key hashes? Isn't that more quantum-vulnerable??
Well, in theory yes. In practice, they probably are not.
It's not that hashes can be broken by quantum computes --- they're still not. Instead, you have to look at how you spend from a P2WPKH/P2PKH pay-to-public-key-hash.
When you spend from a P2PKH / P2WPKH, you have to reveal the public key. Then Bitcoin hashes it and checks if this matches with the public-key-hash, and only then actually validates the signature for that public key.
So an unconfirmed transaction, floating in the mempools of nodes globally, will show, in plain sight for everyone to see, your public key.
(public keys should be public, that's why they're called public keys, LOL)
And if quantum computers are fast enough to be of concern, then they are probably fast enough that, in the several minutes to several hours from broadcast to confirmation, they have already cracked the public key that is openly broadcast with your transaction. The owner of the quantum computer can now replace your unconfirmed transaction with one that pays the funds to itself. Even if you did not opt-in RBF, miners are still incentivized to support RBF on RBF-disabled transactions.
So the extra hash is not as significant a protection against quantum computers as you might think. Instead, the extra hash-and-compare needed is just extra validation effort.
Further, if you have ever, in the past, spent from the address, then there exists already a transaction indelibly stored on the blockchain, openly displaying the public key from which quantum computers can derive the private key. So those are still vulnerable to quantum computers.
For the most part, the cryptographers behind Taproot (and Bitcoin Core) are of the opinion that quantum computers capable of cracking Bitcoin pubkeys are unlikely to appear within a decade or two.
So:
For now, the homomorphic and linear properties of elliptic curve cryptography provide a lot of benefits --- particularly the linearity property is what enables Scriptless Script and simple multisignature (i.e. multisignatures that are just 1 signature onchain). So it might be a good idea to take advantage of them now while we are still fairly safe against quantum computers. It seems likely that quantum-safe signature schemes are nonlinear (thus losing these advantages).

Summary

I Wanna Be The Taprooter!

So, do you want to help activate Taproot? Here's what you, mister sovereign Bitcoin HODLer, can do!

But I Hate Taproot!!

That's fine!

Discussions About Taproot Activation

almkglor your post has been copied because one or more comments in this topic have been removed. This copy will preserve unmoderated topic. If you would like to opt-out, please send a message using [this link].
[deleted comment]
[deleted comment]
[deleted comment]
submitted by anticensor_bot to u/anticensor_bot [link] [comments]

The next XVG? Microcap 100x potential actually supported by fundamentals!

What’s up team? I have a hot one for you. XVG returned 12 million percent in 2017 and this one reminds me a lot of it. Here’s why:
Mimblewimble is like Blu-Ray compared to CD-ROM in terms of its ability to compress data on a blockchain. The current BTC chain is 277gb and its capacity is limited because every time you spend a coin, each node needs to validate its history back to when it was mined (this is how double spending is prevented). Mimblewimble is different - all transactions in a block are aggregated and netted out in one giant CoinJoin, and only the current spending needs to be verified. This means that dramatically more transactions can fit into a smaller space, increasing throughput and lowering fees while still retaining the full proof of work game theory of Bitcoin. These blockchains are small enough to run a full node on a cheap smartphone, which enhances the decentralization and censorship resistance of the network.
The biggest benefit, though, is that all transactions are private - the blockchain doesn’t reveal amounts or addresses except to the actual wallet owner. Unlike earlier decoy-based approaches that bloat the chain and can still be data mined (XMR), Mimblewimble leaves no trace in the blockchain, instead storing only the present state of coin ownership.
The first two Mimblewimble coins, Grin and Beam, launched to great fanfare in 2019, quickly reaching over $100m in market cap (since settled down to $22m and $26m respectively). They are good projects but grin has infinite supply and huge never-decreasing emission, and Beam is a corporate moneygrab whose founding investors are counting on you buying for their ROI.
ZEC is valued at $568m today, despite the facts that only 1% of transactions are actually shielded, it has a trusted setup, and generating a confidential transaction takes ~60 seconds on a powerful PC. XMR is a great project but it’s valued at $1.2b (so no 100x) and it uses CryptoNote, which is 2014 tech that relies on a decoy-based approach that could be vulnerable to more powerful computers in the future. Mimblewimble is just a better way to approach privacy because there is simply no data recorded in the blockchain for companies to surveil.
Privacy is not just for darknet markets, porn, money launderers and terrorists. In many countries it’s dangerous to be wealthy, and there are all kinds of problems with having your spending data be out there publicly and permanently for all to see. Namely, companies like Amazon are patenting approaches to identify people with their crypto addresses, “for law enforcement” but also so that, just like credit cards, your spending data can be used to target ads. (A) Coinbase is selling user data to the DEA, IRS, FBI, Secret Service, and who knows who else? (B) What about insurance companies raising your premiums or canceling your policy because they see you buying (legal) cannabis? If your business operates using transparent cryptocurrency, competitors can data mine your customer and supply chain data, and employees can see how much everyone else gets paid. I could go on, but the idea of “I have nothing to hide, so what do I care about privacy?” will increasingly ring hollow as people realize that this money printing will have to be paid by massive tax increases AND that those taxes will be directly debited from their “Central Bank Digital Currency” wallets.
100% privacy for all transactions also eliminates one HUGE problem that people aren’t aware of yet, but they will be: fungibility. Fungibility means that each coin is indistinguishable from any other, just like paper cash. Why is this important? Because of the ever-expanding reach of AML/KYC/KYT (Anti-Money Laundering / Know Your Customer / Know Your Transaction) as regulators cramp down on crypto and banks take over, increasingly coins become “tainted” in various ways. For example, if you withdraw coins to a mixing service like Wasabi or Samourai, you may find your account blocked. (C) The next obvious step is that if you receive coins that these chainalysis services don’t like for whatever reason, you will be completely innocent yet forced to prove that you didn’t know that the coins you bought were up to no good in a past life. 3 days ago, $100k of USDC was frozen. (D) Even smaller coins like LTC now have this problem, because “Chinese Drug Kingpins” used them. (E) I believe that censorable money that can be blocked/frozen isn’t really “your money”.
Epic Cash is a 100% volunteer community project (like XVG and XMR) that had a fair launch in September last year with no ICO and no premine. There are very few projects like this, and it’s a key ingredient in Verge’s success (still at $110m market cap today despite being down 97% since the bubble peak) and why it’s still around. It has a small but super passionate community of “Freemen” who are united by a belief in the sound money economics of Bitcoin Standard emission (21m supply limit and ever-decreasing inflation) and the importance of privacy.
I am super bullish on this coin for the following reasons:
Because it doesn’t have a huge marketing budget in a sea of VC-funded shitcoins, it is as-yet undiscovered, which is why it’s so cheap. There are only 4 Mimblewimble-based currencies on the market: MWC at $162m, BEAM at $26m, GRIN at $22m, and EPIC at $0.4m. This is not financial advice and as always, do your own research, but I’ve been buying this gem for months and will continue to.
This one ticks all the boxes for me, the only real problem is that it’s hard to buy much without causing a huge green candle. Alt season is coming, and coins like this are how your neighbor Chad got his Lambo back in 2017. For 2021, McLaren is a better choice and be sure to pay cash so that it doesn’t get repossessed like Chad!
  1. A https://www.vice.com/en_us/article/d35eax/amazon-bitcoin-patent-data-stream-identify-cryptocurrency-for-law-enforcement-government
  2. B https://decrypt.co/31461/coinbase-wants-to-identify-bitcoin-users-for-dea-irs
  3. C https://www.coindesk.com/binance-blockade-of-wasabi-wallet-could-point-to-a-crypto-crack-up
  4. D https://cointelegraph.com/news/centre-freezes-ethereum-address-holding-100k-usdc
  5. E https://www.coindesk.com/us-treasury-blacklists-bitcoin-litecoin-addresses-of-chinese-drug-kingpins
  6. F https://www.youtube.com/channel/UCWkTxl5Z6DNN0ASMRxSKV5g
  7. G http://epic.tech/whitepaper
  8. H https://medium.com/epic-cash/epic-cash-on-uniswap-22447904d375
  9. I https://epic.tech/wp-content/uploads/2019/09/figure-3.1.jpg
Links:
submitted by pinchegringo to CryptoMoonShots [link] [comments]

My Trezor (MEW?) account got compremised, funds were stolen

Hello ladies and gentleman,
I hope you can help me out somehow. I put it in bitcoin as well despite its ethereum but its about trezor and the btc part is involved. In mid september all my ethereum and ethereum based stuff was cleared from my MEW accounts for roughly 38k USD. Trezor couldnt help me at all and we went through all the topics and questions they had which lead to nothing exept an basic answer “your seeds got compromised in the past“, which doesn’t make any sense and I will explain why.
Lets say, Im a person with some basic tech knowledge and worked as admin and I use common sense to handle my crypto stuff which is part of my business and daily task since 2 years.I check all things again before sending. Adress, amount etc and never had any problems before.I never was on a fake page where I had to give my seed or passphrases inI dont open spam mails nor use my new laptop for something else then work, like visiting porn sites or shady stuff or use cracks etc. I didnt even found a malitous cookie after checking everything. The laptop I used was 3 months old and set up on my own with windows, firwall, antivir and anti malware stuff. Things I am doing form me and my friends since year 2000. No cracks used for programms, everything legal. I use a trezor one since then which is updated accordingly when the tool or page prompts me. I used to use chrome as my default browser (which i learned, over the past months trying to figure out what might have happened, is one oft the worst browsers).
No one has my seedsno one knows my pin to entert the trezorI dont store any of this information onlineI dont know my private keys from trezor
So what happened was that september 9 in the evening, a few hours after I sent some usdt deposit to my adress, I want to check if everything is there, login to my MEW account (online, not offline and url was correct. no addon used, just the shortcut in my browser which i safed there and always used and later checked i fit was linked to something else which wasnt), and the account was empty. Three ethereum adresses where i stored some coins, eth and usdt.
I realised that every transaction below happened while i was standing infront of my laptop (checked time happening), trezor connected cause i did some btc transaction before and chatted to customers on different chat tools like telegram or skype. Obvsly without signing any transaction at all everything was sent to other adresses. It seemed someone got the keys to those adresses before. Now, I dont even know my private keys to those adresses which are stored in trezor right? I wasnt logged into MEW before this incident for about 1.5 days. The btc part on my trezor is MUCH more valuable, but still there. After trezor couldnt help me about what happened and MEW treated me like the standard idiot who gets highjacked and then wonders why his money is gone, I went trough so many possibilities. For the most time I thought some kind of KRACK attack happened.
The only problem is trezor says they dont extract the private keys. Some gurus in this topic ( i read on reddit here) say its possible to get them from the network. Even parts are enough to encrypt the whole key after a while which would underline the timeline that it took 6 days from working in this hotel and having the unusual situation with the sending (down explained) till the accs got cleared.
The hotel incident happened the week before my accounts got cleared. I was visitting friends and coworking agents in Vietnam and stayed in a red doorz hotel in Ho Chi Minh. Using the Hotel Wifi and a nvpn.net VPN I sent some usdt funds via MEW to a befriended customer and something very stranged happened, which I never had before.I sent 4k usdt to a customer and the transaction took 13 min working working working and then failed. I’ve never had something like that. We thought it might be because of eth network or so but we never had that before, me and him sending a lot transactions every day.
Then i copied all details in again and send another 4k and somehow he recieved both!
check the screen. The one transaction processed nearly 13 min then failed. 2min later i sent a new one and without any evidence in this screen he recieved both.
https://s19.directupload.net/images/200121/27e8uyd3.jpg
later
https://s19.directupload.net/images/200121/3todak3u.png
So he sent me back the additional 4k and I shut down everything not thinking about this much anymore. Only when the accounts got cleared I was searching for any unusual happenings which could have let to this because pretty much all other “typical“ mistakes people normally do we could exclude. If somehow my seeds got compromised why only the ETH stuff? The btc parts on the trezor had much much more value. I never searched for trezor page on the web and used a link to access my wallets or to do updates. I always used the trezor bridge and made a shortcut to my wallet in my browser. For MEW i always used the same shortcut in my browser which worked pretty fine for the past years an everytime when setting the browser or pc new i checked it all before.
Because of the unusual thing which happened in Vietnam I flew back there (from philippines) prepared with tools and checking because I couldnt let go and I didnt find any other plausible cause. I even got back my old room. In this hotel there are three hotel wifi network and I remeber 100% that I used the 2nd one before cause it had the strongest signal. Anyway. I switched on wireshark and later on Fiddler, repeated all steps I used to do before. Checking if some rerouting, dns poisening or readressing or so is happening. Nothing unusual happened in the first when entering MEW (I sent some bait funds there).
In the 2nd network I used in september the trezor basically totally freaked out. He didnt let me enter MEW, I had to reenter my pin up to 5 times sometimes, It gave me error messages in MEW or it took 30 fucking seconds to enter it. Trezor writes about this:
“When you enter an invalid PIN a few times, the Trezor adds a forced waiting time between attempts.You can see this feature on the photo where the Trezor is making you wait for 15 seconds before another attempt.This countdown is then multiplied by the factor of two until you reach the 16th invalid PIN entry. After that, the device automatically wipes its memory - deleting all data from it.
The behavior of your Trezor at MEW is undoubtedly not standard or in any form pleasantly functional. Nevertheless, it also isn't anything superbly unusual or unexpected, taking poor internet connection into account.“
The thing is, the pin is 6 digits but pretty basic and I never ever entered it wrong. And I used the strongest wifi and could open webpages very easily .
As well as: “Sadly, this does not tell us anything about how your funds could be compromised. None of this could have ever exposed your private keys or made your device vulnerable in any way.
The Reddit thread you linked discusses cracking BIP-39 passphrases, which is irrelevant to your case. Cracking such passphrases assumes the person trying to break the wallet already has full possession of the recovery seed (recovery words). See, a passphrase is not your recovery seed or some additional password on your device. It is an extension of the seed, and it is also 100% useless without controlling the full seed.
The only threat you are exposed to when using Chrome is using Google itself. When googling "trezor" or "trezor wallet", you might stumble upon a phishing site which will present itself as a genuine Trezor website and force you to go through a fake "recovery" process. There you'd give out your recovery seed, which subsequently grants full access to your wallet and funds.
It's reasonable to assume that malware could guide you to such a website. To this day, we are not aware of any such incident ever happening, and even then, there are protections in place to defend you against phishing attempts.“
Basically, something I never did and all funds would haven been gone then.
I checked the 3rd network as well, and like the 1st nothing special happened. Only in the 2nd.
These are the funds and how the got cleared off the wallets.
I always show last transaction from me to the adress as well on the screens. So adress:
0x253ABB6d747a9404A007f57AaDEc1cA2b80694a1
They withdrew this:
1k USDT and the small amount ETH to send stuff
https://s19.directupload.net/images/200121/sg2lumg8.png
adress:
0x01fd43a713D8F46FF9a7Ed108da2FF74884D8400
They withdrew this:Majority of USDT and small eth for sending stuff
https://s19.directupload.net/images/200121/arycubto.png
adress:
0xf73c8C30072488d932011696436B46005504A7aeThey withdrew this:
Majority of ETh, then all coins from valueable to worthless and then some rest eth
https://s19.directupload.net/images/200121/urbgm2y5.png
https://s19.directupload.net/images/200121/rdkod59h.jpg
So this is what happened at 12th september between 16:49 and 17:15. Sick to see that all happened between 16:49 and 17:00 and its like someone came back checking and saw the 0.014 eth and withdrew it 17:15. Around 10pm i discovered what happened.
So, do you have any ideas? Questions? Feel free to guess or ask Im glad for everything which might lead to what might have happened. I somehow can’t let go off the feeling something inbetween the network, MEW and trezor ist he cause, but what do I know.
submitted by The_Wave13 to Bitcoin [link] [comments]

12632 BTC PUZZLE ~(Approximately $80 Million)

12632 BTC PUZZLE ~(Approximately $80 Million)

12632.37162517 BTC hidden in this picture below:
12632.37162517 BTC hidden in 1CoV19
Figure it out, find the key to the Bitcoin, and claim the prize.
Whoever cracks the code can do whatever he/she wants (including donating to charity).
While solving the puzzle you can find private keys to 5 more BTC addresses with huge value.
Congrats to the genius who figures it out.
View the address:16eht5osxarvsX9rFBuNgey18N3TFxeE1P
HINTS:
Address: 1CoV19Nw1731inbx38t3Y2mcdnCehA9FmJ
12 Words 1CoV19.jpeg
A=16eht5osxarvsX9rFBuNgey18N3TFxeE1P
B=1CoV19Nw1731inbx38t3Y2mcdnCehA9FmJ
Private Key A= SHA256(passphrase) 1CoV19.jpeg + B
Mnemonic Code Converter
Sha256 — Reverse lookup, unhash and decrypt

Example:
This private key: KyTxSACvHPPDWnuE9cVi86kDgs59UFyVwx2Y3LPpAs88TqEdCKvb
The public address is:13JNB8GtymAPaqAoxRZrN2EgmzZLCkbPsh
The raw bytes for the private key:4300d94bef2ee84bd9d0781398fd96daf98e419e403adc41957fb679dfa1facd
These bytes are actually sha256 of this public address! 1LGUyTbp7nbqp8NQy2tkc3QEjy7CWwdAJj
....more Examples:
1HwxL1vutUc42ikh3RBnM4v2dVRHPTrTve from Sha256(1FfmbHfnpaZjKFvyi1okTjJJusN455paPH)
1FNF3xfTE53LVLQMvH6qteVqrNzwn2g2H8 from Sha256(1H21ndKEuMqZbeMMCqrYArCdV8WeicGehB
13FzEhD3WpX682G7b446NFZV6TXHH7BaQv Sha256(1E1rSGgugyNYF3TTr12pedv4UHoWxv5CeD)
1LVRWmpfKKcRZcKvi5ZGWGx5wU1HCNEdZZ Sha256(1CVPe9A5xFoQBEYhFP46nRrzf9wCS4KLFm)
1HhNZhMm4YFPSFvUXE6wLYPx63BF7MRJCJ Sha256(145Sph2eiNGp5WVAkdJKg9Z2PMhTGSS9iT)
1G6qfGz7eVDBGDJEy6Jw6Gkg8zaoWku8W5 Sha256(18EF7uwoJnKx7YAg72DUv4Xqbyd4a32P9f)
1MNhKuKbpPjELGJA5BRrJ4qw8RajGESLz6 Sha256(15WLziyvhPu1qVKkQ62ooEnCEu8vpyuTR5)
18XAotZvJNoaDKY7dkfNHuTrAzguazetHE Sha256(15SP99eiBZ43SMuzzCc9AaccuTxF5AQaat)
1HamTvNJfggDioTbPgnC2ujQpCj4BEJqu Sha256(14nuZCWe76kWigUKAjFxyJLFHQyLTsKXYk)
17iqGkzW5Y7miJjd5B2gP5Eztx8kcCDwRM Sha256(1MB3L1eTnHo1nQSN7Lmgepb7iipWqFjhYX)
15M7QfReFDY2SZssyBALDQTFVV1VDdVBLA Sha256(16bjY7SynPYKrTQULjHy8on3WENxCmK4ix)
1LgwKwv9kt8BwVvn6bVWj8KcqpP9JSP1Mh Sha256(1Q81rAHbNebKiNH7HD9Mh2xtH6jgzbAxoF)


Address: 1CoV19Nw1731inbx38t3Y2mcdnCehA9FmJ
will be the next Puzzle if the community decides to raise its value.
Its private key hints will revealed here to solve.
Good Luck .....
submitted by CovidBTC to Bitcoin [link] [comments]

【NeoLine Talk】The life cycle of the private key

【NeoLine Talk】The life cycle of the private key

https://preview.redd.it/yeib74adcoy41.png?width=900&format=png&auto=webp&s=8e50b543a01a25860c7c732c17a1f2da338cd7c6
In the blockchain system, since there is no centralized organization responsible for managing the backup user sensitive data, the generation, storage, use, retrieval, destruction, and update of the user’s private key all need to be guaranteed by the user. Therefore, for the entire life cycle of the private key, there needs to be a strict way to manage and control it, to ensure the security of the asset.
Today ’s NeoLine Talk, let ’s talk about how to ensure the security of the private key life cycle.

Private key generation

Private key: A 256-bit binary random number whose quality depends entirely on the quality of the random number that generated the private key. If the randomness of the key generation process is insufficient to make it predictable, then all subsequent security protection measures will be in vain.
Random numbers are the cornerstone of information security systems based on modern cryptography. The security of the entire system depends entirely on the generation efficiency and quality of random number sequences. The core of high-quality random numbers is “unpredictability”. There are two types of random numbers: pseudo-random and true random.
Pseudo-random is also called pseudo-random. It generally relies on seeds and algorithms. Knowing the seeds or the random numbers that have been generated, you can get the next random numbers, which is predictable. The current mainstream blockchain system is the private key generated by this method …
True random numbers are generally based on the design of the hardware. Random numbers are generated according to the external temperature, voltage, electromagnetic field, environmental noise, etc., and the unpredictability of randomness is greatly increased. All security cryptographic chips in the financial field adopt this design.

Let’s see in detail how to generate a private key from a random number?

The first step in generating a private key is also the most important. It is to find a sufficiently secure source of entropy, that is, a source of randomness. Generating a Bitcoin private key is essentially the same as “choose a number between 1 and 2256”. As long as the selected results are unpredictable or unrepeatable, the specific method of selecting numbers is not important. Bitcoin software uses a random number generator at the bottom of the operating system to generate 256 bits of entropy (randomness). Normally, the operating system random number generator is initialized by an artificial random source, and it may also need to be initialized by shaking the mouse continuously within a few seconds.
More precisely, the private key can be any number between 1 and n-1, where n is a constant (n = 1.158 * 1077, slightly less than 2256) and is defined by the order of the elliptic curve used by Bitcoin. To generate such a private key, we randomly choose a 256-bit number and check whether it is less than n-1. From a programming point of view, it is generally by taking a long string of random bytes from a cryptographically secure random source and using the SHA256 hash algorithm to perform operations, so that a 256-bit number can be easily generated. If the operation result is less than n-1, we have a suitable private key. Otherwise, we repeat it with another random number.

Private key storage

Each bitcoin address corresponds to a private key, and mastering the private key means mastering the bitcoin in its corresponding address. In layman’s terms, a key opens a lock. If the Bitcoin address is a lock, then the private key is the key to the lock.
The storage and use of private keys are generally divided into soft and hard implementations.
Soft implementation, storage, and use are in the form of software. After the key is generated, it is stored in the user terminal or hosted on the server as a file or character string. When used, the private key plain text is read directly or through simple password control into the memory, and the private key calculation is completed by the CPU. This storage and use method has a lot of security risks and is easy to be copied, stolen, brute-forced by hackers or ghosts.
Hard implementation generally relies on a dedicated cryptographic security chip or cryptographic device as a carrier. There are generally mechanisms such as physical protection, sensitive data protection, and key protection to ensure that the private key must be generated by dedicated hardware. At any time and under any circumstances, the private key cannot appear outside the cryptographic device in clear text; the key stored inside the cryptographic device should have an effective key protection mechanism to prevent dissection, detection, and illegal reading. The private key cannot be exported, and only the signature value can be calculated and output.
But whether it is soft or hard, as long as others know your private key, you can transfer your assets. Remember, whoever holds the private key is the real owner of the asset.

Safe use of private keys

When using the private key, it is necessary to ensure the security of the use environment, and access, reading, and writing of the private key file need to have relevant permission control. After the use is completed, all sensitive data cached in the memory needs to be cleared using a dedicated function to prevent the leakage of sensitive data. From the perspective of password cracking, the private key should be replaced after a certain period of use. This is a problem involving the destruction and update of the private key, which we will introduce later.

Private key recovery

If a traditional centralized bank loses its U-shield or forgets its password, it can rebind a new U-shield (private key) through the account system. Accounts and private keys are logically bound and are operated by centralized banks while meeting risk control requirements. There are also some traditional centralized payment institutions. When the user’s asset certificate is lost, the centralized institution can retrieve the relevant data through its identity certificate.
But in the blockchain system, there is no centralized organization to help us back up sensitive data such as private keys. Therefore, when designing the system’s private key management scheme, it is necessary to provide multiple back-ups and recovery methods, such as the use of mnemonic words or the use of passwords plus local ciphertext files to restore private key data. But if your mnemonic is also lost, it means you lost everything.

Private key destruction

When the user needs to destroy the private key data, it is necessary to ensure that all the private key data stored in the backup are completely deleted and destroyed.

Private key update

In the field of blockchain, the private key is the only credential that represents the user’s identity or digital assets. If the private key needs to be updated, registration or digital asset transfer must be re-bound. Therefore, when you need to replace the private key, you need to ensure that the new private key is safely generated or imported, the assets have been safely transferred, and the old private key is safely destroyed.
Everything starts with visibility. The security of the private key is related to the security of digital assets and the security of personal privacy, so it is very important to securely ensure every step of the life cycle of the private key.
submitted by NeoLine_Wallet to NEO [link] [comments]

A Hefty Apology..

First, I'd like to apologies for how long this is going to be, but I believe context is everything.
I'd like to apologize to the Nano community. Since before the re brand I've always cracked jokes about the project, primarily because I can't stand moonbois.. but I digress.
I guess you could say I was early on the Bitcoin chain. I was blown away by the white paper and mined coins before ASICs we're even a discussion. Never got rid of them or anything, just thought it was an amazing concept to me since I had been repeatedly jacked around by a few banks. However, as a recurring theme life happened and I fell out of it completely. A few years went by when someone brought it up to me and when I asked how much it was worth, I almost had a heart attack. Probably shouldn't have spilled beer on the laptop holding my address and key. It didn't even cross my mind when I threw it out..
So I was back, other projects were on the come up and I took interest. Thought they were great, still do.. But I couldn't wrap my head around a lot of it. I'm familiar with code like I am around the block of an engine, but I'm not a mechanic. I couldn't fathom having to use a calculator to figure out how much gas I needed to send 100 coins of X. Thought I did it right and boom... Dust. The rage. Made some good strides and learned from previous mistakes, but I was still somewhat upset with decisions made within these projects. Who would think that was okay? Life happened again and I dropped out for quite awhile again to return back to a colleague at work mentioning BTC at around 9K. I quietly (I don't mention to many people about how involved I've been) checked out my addresses and was blown away. So I was back.
Yeah I made gains (lost a lot too), but I was already well on my way in life and career and didn't need the rocket in some dream of a lambo (Masi's are better). I just wanted all of this to work. Again, it seemed like it was too hard to do anything, move things around... Dust here, dust there.. None the less, I learned more. Taught myself some code just so I could understand the githubs.. No desire to code, just wanted to learn. The dream I saw a few years ago was growing and I felt optimistic. Stuck around for a long run and then life happened again.
Came back at probably the best time in late summer 2017. You want to talk about diversification... I just (today) burned a stack of papers with private keys written down to projects I forgot even existed. The mayhem! Anyway, won some lost some yeah yeah everyone has those stories....
I was still frustrated because that image I had in my head when I was a bit younger was not really fulfilled. Man, these moonbois, let me tell you. At the time and shortly after cracking jokes and having fun was basically my MO (I'm very sarcastic, still am). But yet again, life happened and I let everything just sit where the chips were.. With the exception of those burned out GPUs and the S9's. They went into the trash.
Life gave me a nice little easy path more recently and I've been poking my head around again. The moonboi epidemic is definitely at an ATH. But where the hell was this image I had years back and now and why did it seem like it died? Too many scams? Too many hacks? Too much smoke and mirrors? The founding idea is/was so perfect?
But I wanted that image. The past couple weeks I've been being my sarcastic ass and ripping a bit on Nano. I saw an actual well thought out post on Reddit and thought “Alright, that's pretty well said. Let me hear this out.” So I took a look. Thought it was better put together than other projects so I lurked around.
Today in the daily general I asked for a laymen's approach. I didn't need it, but I wanted to see what would be thrown at me. I was impressed. I saw on another thread about Natrium and a faucet... DAMN, that was fast. Alright I thought, let's dabble. So I did what I always do.. Took a little BTC to the exchange, picked up some nano, set up the ledger and mobile app and tested some stuff out.
Do you know the feeling after everything I just said to send 10 Nano from the exchange (including fee) to a mobile wallet, to the ledger, back to the mobile wallet and then back to the exchange and in the end... still have 10 Nano? In under less than I don't even know.. as fast as I could copy and paste it?!
I called for my wife took her phone and sent myself 10 Nano back and forth. Man am I an asshole. I'm not “In” so to speak, because honestly, at this point. I don't care about prices. I just want to use the shit. Life happens, I want to be able to continue down life and use this shit. The last time I actually used BTC for anything was in 2014.
BTC is digital gold for me.. Yeah, Yeah, Yeah... Sounds like some WSJ headline, I know. But it's been a good hedge against inflation for what's it worth. But during that second to last time I was back.. the Tx fees were unbelievable. Store of value, all the way, buying a snickers bar? No thanks mate.
I'm actually late to meet a friend at the bar for our weekly pint, was gonna just send this, but he's a moonboi. One sec. Lol --- 45 min later --- Alright, at the pub. Got him to download Natrium. We're now gonna just buy eac hother drinks for the next few hours.
I have some questions regarding decentralization.. bottle necking, spam transactions, but I can ask them in discord I guess. My only fear is that this could be replicated by Chase/BofA etc, but then again, I kind of left them years ago for a reason.
I'm sorry, okay. I'm sorry I was a sarcastic asshole. This is by far the closest thing I've wanted in a very long time. Send 1 Nano.. Get 1 Nano. Who would have thought. I'm going back to darts, but before I go...
- Can someone send me something on how to set up a node? Walk through maybe?
- Mods should pin this. I don't care about worthless internet points. Truth is I'm on my 9th or 10th Reddit account. So, I'll retire this one as soon as I hit send. But I think there is a valuable lesson from my time in this crazy town.
I'm not getting rid of my BTC and “going all in for the moonbois”. But I'll definitely be using my Nano. Whenever or wherever I can.
Thank you.
submitted by zBeale to nanocurrency [link] [comments]

AsicVault - Frequently Asked Questions

When was AsicVault established and how is it funded?
AsicVault was established 2016. It is funded by founders and corporate investors. Please see Crunchbase.

How can it be 1,000 times harder to crack compared to other BIP-39 hardware wallets?
BIP-39 hardware wallets are working on very low performance microcontrollers or secure elements. They are doing only 2,048 iterations of PBKDF2 SHA-512 that is even less than old NIST recommendation of 10,000 rounds from year 2016.
Performing higher number of PBKDF2 SHA-512 is standard practice for good security. iTunes does it, LastPass does it and Veracrypt as well. Even Ledger agrees that this very low number is the main problem of BIP-39.
AsicVault specially designed SHA-512 accelerator inside high performance secure chip is at least 340 times faster than common microcontrollers. The number of PBKDF2 SHA-512 rounds is set to be exactly 1,000 times higher than BIP-39, hence the cost to crack AsicVault is also 1,000 times bigger.
Please read in-depth teardown review and validation of AsicVault SHA-512 performance here.
You can perform independent analysis according to this PDF and our device performance is shown on this video.

Does it support BIP-39 passphrase?
Yes, AsicVault supports all standard BIP-39 seed words and additional passphrase (so-called 25th word). You can restore your HD wallet account created by other hardware wallets (Ledger, Trezor, Keepkey) without any additional steps. AsicVault always opens standard security BIP-39 account and high security BIP-39 accounts at the same time.

Why two processors?
Common design practice, also followed by Ledger, is to separate secure and non-secure code. Our advantage is that these two RISC-V processors are inside a single secure chip. This way the Security CPU has full access to the Application CPU RAM. This makes it possible to do proper secure boot.

Why RISC-V?
Open instruction set. Possibility to have open source CPU and extensions. We have already implemented several custom instructions.

Do I need a computer to initialize the device?
No. You can supply power from wall adapter or battery bank. AsicVault supports true air-gapped environment.
You can perform full device initialization, seed word generation and seed word backup without connection to the computer. You can also charge the device and check the status the same way.

Can I use USB extender cables?
Certified USB2.0 extender cables can be used. We don’t recommend extender cables while using USB3.1 features of the device. The device can detect (some) bad cables and show warning messages about them. It is not recommended to use cables/extenders longer than 2.5m. In any case, cables with lower AWG value are better, such as AWG20.

How hot does the device get?
During normal operation AsicVault device temperature reaches 35-37C. High speed USB3.0 operation adds additional 7C. AsicVault utilizes full Aluminum enclosure as an effective heatsink. Internal chips can tolerate up to +85C, so you never need to worry about them overheating. There are no Lithium batteries inside the device that are known for leaking and not tolerating high temperatures.

How long does the active anti-tamper system work?
Active anti-tamper protects your device at least 2 weeks, possibly up to 45 days, after you have fully charged the device. It takes just 15 minutes to charge the supercapacitors again. It is advisable to connect the device to a power source at least once per week. Different anti-tamper settings affect the anti-tamper aggressiveness, sensitivity and power consumption.
It is also good practice to enter your passphrase weekly so that you will not forget it.

How often can I charge it? Do the batteries age?
You can charge it as often as you like, several times per day. Supercapacitors can be charged 50,000 – 1,000,000 times during their lifetime compared to common Lithium batteries that only allow 500-1,000 times. Therefore even 10 times per day for 10 years should be fine. At least weekly charging is recommended for best anti-tamper protection.

How long are private keys safely stored inside device before the memory gets weak and they are lost?
Data retention time of Flash memory inside the main chip is 20 years. Additional encryption keys stored inside FRAM can last for 40 years at temperatures below 70C. These values are higher than the expected lifetime of the device. In any case you must make paper backup(s) of your seed words.

Can it store the whole Bitcoin blockchain inside the device?
No. The device is not designed to store large amounts of data. Internal 128-megabyte Flash is used to store applications. There are thousands of copies of the blockchain, storing yet another copy is not meaningful or necessary.

What is FIPS 140-2 highest Level 4?
FIPS 140-2 is Federal Information Processing Standard.
Level 4 requires that:
  1. physical security mechanisms provide a complete envelope of protection around the cryptographic module
  2. with the intent of detecting and responding to all unauthorized attempts at physical access
  3. Penetration of the cryptographic module enclosure from any direction has a very high probability of being detected, resulting in the immediate deletion of all plaintext CSPs
  4. Security Level 4 also protects a cryptographic module against a security compromise due to environmental conditions or fluctuations outside of the module's normal operating ranges for voltage and temperature
  5. A cryptographic module is required to include special environmental protection features designed to detect fluctuations and delete CSPs
We have used these guidelines while designing AsicVault. We meet and exceed the requirements in the following way:
  1. AsicVault has full Aluminium/Titanium enclosure that is not designed to be opened. Passive antitamper mesh protects the electronic circuits inside the device. Main secure chip also has chip level metal layer anti-tamper mesh.
  2. Active anti-tamper circuit monitors all intrusion attempts and performs immediate device zeroization upon detecting any such attempts.
  3. AsicVault has temperature, voltage and many other sensors that are continuously monitored by the anti-tamper circuit. Additionally, AsicVault has internal supercapacitor-based power reserve to run Elliptic Curve calculations and other cryptographic functions. Therefore, external voltage fluctuations can’t affect our device while performing these critical operations.
  4. Zeroization not only deletes the private keys, it also destroys internal hardware design making it impossible to perform any further analysis of the hardware.
AsicVault has not participated in formal Cryptographic Module Validation Program since we are not targeting US government users at this point.

Can AsicVault device run Linux?
It is not our priority to run Linux since it has too big overhead for hardware wallet. However, our RISC-V processors and Mark II hardware can run Linux for your custom projects.

Where can I purchase the device?
Please contact your local supplier about availability.
submitted by photonreality to AsicVaultOfficial [link] [comments]

The importance of being mindful of security at all times - nearly everyone is one breach away from total disaster

This is a long one - TL;DR at the end!

If you haven't heard yet: BlankMediaGames, makers of Town of Salem, have been breached which resulted in almost 8 million accounts being leaked. For most people, the first reaction is "lol so what it's just a game, why should I really care?" and that is the wrong way to look at it. I'd like to explain why everyone should always care whenever they are part of a breach. I'd also like to talk about some ways game developers - whether they work solo or on a team - can take easy steps to help protect themselves and their customers/players.
First I'd like to state that there is no practical way to achieve 100% solid security to guarantee you'll never be breached or part of a breach. The goal here will be to get as close as possible, or comfortable, so that you can rest easy knowing you can deal with problems when they occur (not if, when).

Why You Should Care About Breaches

The sad reality is most people re-use the same password everywhere. Your email account, your bank account, your steam account, your reddit account, random forums and game websites - you get the idea. If you haven't pieced it together yet the implication is that if anyone gets your one password you use everywhere, it's game over for you - they now own all of your accounts (whether or not they know it yet). Keep in mind that your email account is basically the holy grail of passwords to have. Most websites handle password changes/resets through your email; thus anyone who can login to your email account can get access to pretty much any of your accounts anywhere. Game over, you lose.

But wait, why would anyone want to use my password? I'm nobody!

It doesn't matter, the bad guys sell this information to other bad guys. Bots are used to make as much use of these passwords as possible. If they can get into your bank they might try money transfers. If they get into your Amazon account they might spin up $80,000 worth of servers to mine Bitcoin (or whatever coin is popular at the time). They don't care who you are; it's all automated.
By the way, according to this post (which looks believable enough to be real) this is pretty much how they got into the BMG servers initially. They checked for usernames/emails of admins on the BMG website(s) in previous breach dumps (of which there are many) and found at least one that used the same password on other sites - for their admin account!
If you want to see how many of your accounts are already breached check out Have I Been Pwned - I recommend registering all of your email addresses as well so you get notified of future breaches. This is how I found out about the Town of Salem breach, myself.

How You Can Protect Yourself

Before I go into all the steps you can (and should) take to protect yourself I should note that security is in a constant tug of war with convenience. What this means is that the more security measures you apply the more inconvenienced you become for many tasks. It's up to you to decide how much is too much either way.
First of all I strongly recommend registering your email(s) on https://haveibeenpwned.com/ - this is especially important if your email address is associated to important things like AWS, Steam developer account, bank accounts, social media, etc. You want to know ASAP when an account of yours is compromised so you can take steps to prevent or undo damage. Note that the bad guys have a head start on this!

Passwords

You probably need to have better password hygiene. If you don't already, you need to make sure every account you have uses a different, unique, secure password. You should change these passwords at least once a year. Depending on how many accounts you have and how good your memory is, this is your first big security vs convenience trade-off battle. That's easily solved, though, by using a password manager. You can find a list of password managers on Wikipedia here or you can search around for some comparison articles.
Some notable choices to consider:
Regardless of which one you choose, any of them is 100x better than not using one at all.

Multi-Factor Authentication / Two-Factor Authentication (aka MFA / 2FA)

The problem with all these passwords is that someone can still use them if they are found in a breach. Your passwords are only as strong as the website you use them on. In the case of the BMG breach mentioned above - all passwords were stored in an ancient format which has been insecure for years. It's likely that every single password in the breach can be reversed/cracked, or already have been. The next step you need to take is to make it harder for someone else to login with your password. This is done using Multi-Factor Authentication (or Two-Factor Authentication).
Unfortunately not every website/service supports MFA/2FA, but you should still use it on every single one that does support it. You can check which sites support MFA/2FA here or dig around in account options on any particular site. You should setup MFA/2FA on your email account ASAP! If it's not supported, you need to switch to a provider that does support it. This is more important than your bank account! All of the big email providers support it: GMail, Outlook.com, Yahoo Mail, etc.
The type of MFA/2FA you use depends on what is supported by each site/service, but there is a common approach that is compatible on many of them. Most of them involve phone apps because a phone is the most common and convenient "thing you have" that bad guys (or anyone, really) can't access easily. Time-based One-time Password or TOTP is probably the most commonly used method because it's easy to implement and can be used with many different apps. Google Authenticator was the first popular one, but it has some limitations which continue the security vs convenience battle - namely that getting a new phone is a super huge chore (no backup/restore option - you have to disable and setup each site all over again). Many alternatives support cloud backup which is really convenient, though obviously less secure by some measure.
Notable choices to consider:
Some sites/services use their own app, like Blizzard (battle.net) and Steam, and don't allow you to use other ones. You will probably have a few apps on your phone when all your accounts are setup, but it's worth it. You'll definitely want to enable it on your password manager as well if you chose a cloud-based one.
Don't forget to save backup codes in an actual secure location! If you lose your backup codes and your auth app/physical key you will be locked out of accounts. It's really not fun recovering in that situation. Most recommendations are to print them and put in a fireproof safe, but using some other secure encrypted storage is fine.
There is such a thing as bad MFA/2FA! However, anything is at least better than nothing. A lot of places still use SMS (text messaging) or e-mail for their MFA/2FA implementation. The e-mail one has the most obvious flaw: If someone gets into your email account they have defeated that security measure. The SMS flaws are less obvious and much less likely to affect you, but still a risk: SMS is trivial to intercept (capture data over the air (literally), clone your SIM card data, and some other methods). Still, if you're not a person of interest already, it's still better than nothing.

What Does This Have To Do With GameDev?

Yeah, I do know which subreddit I'm posting in! Here's the section that gets more into things specific to game development (or software development in general).

Secure Your Code

Securing your code actually has multiple meanings here: Securing access to your code, and ensuring your code itself is secure against exploitation. Let's start with access since that's the easier topic to cover!
If you're not already using some form of Source Control Management (SCM) you really need to get on board! I'm not going to go in depth on that as it's a whole other topic to itself, but I'll assume you are using Git or Mercurial (hg) already and hosting it on one of these sites (or a similar one):
First, ensure that you have locked down who can access this code already. If you are using private repositories you need to make sure that the only people who have access are the people who need access (i.e. yourself and your team). Second, everyone should have strong passwords and MFA/2FA enabled on their accounts. If 1 person on the team does not follow good security practices it puts your whole project at risk! So make sure everyone on the team is following along. You can also look into tools to do some auditing and even automate it so that if anyone's account becomes less secure over time (say they turned off MFA one day) they would automatically lose their access.
Additionally you should never commit secrets (passwords, API keys, tokens, social security numbers, etc) to your code repository. Probably 90% of cases where people have their AWS/Google Cloud/Azure accounts compromised and racking up huge bills for bitcoin mining is due to having their passwords/keys stored in their git repo. They either accidentally made it public or someone got access to the private repo through a compromised account. Never store sensitive information in your code repository!
Next topic: Securing your code from vulnerabilities. This one is harder to talk about for game dev as most engines/frameworks are not as susceptible (for lack of a better word) to these situations as others. In a nutshell, you need to keep track of the following:
A lot of these things cannot be solved automatically, unfortunately, but some of it can. If you are using Javascript for your game you likely will be using packages from npm - luckily they (recently) added security auditing for packages. For other languages you can look at tools like Snyk or some other alternatives to audit the libraries you use in your project. Unfortunately none that I know of are aimed at game dev in particular, but it's still important to use these tools when you can. In general, be aware of all of your code dependencies and what impact they can have on your game or your customers if there are security bugs. Impact can range from "can cheat in multiplayer" to "can get IP addresses of all players in the world" or even "can get all information I ever put on my server", etc.
In general you'll want to look into Secure Software Development Lifecycle (commonly SDLC) practices. Microsoft has some information on how they do it.

Secure Your Computer

I'm not going to go in depth on this one because at this point everyone should have a handle on this; if not there are limitless articles, blogs, and videos about the how/what/why. In summary: Keep everything updated, and don't open suspicious links.

Secure Your Website

I will have to add more to this later probably, but again there are tons of good articles, blogs, and videos on these topics. Hopefully the information in this section is enough to get you on the right track - if not feel free to ask for more info. Lots of guides can be found on Digital Ocean's site and they are relevant even if you don't use DO for your servers.
A lot of this will apply to your game servers as well - really any kind of server you expect to setup.

That's it, for now

I ran out of steam while typing this all up after a couple hours, but I may revisit it later to add more info. Feel free to ask any questions about any of these topics and I'll do my best to answer them all.

TL;DR (y u words so much??)

... in general... in general... in general... I sure wrote those 2 words a lot.

Why Should I Trust This Post?

Hopefully I have provided enough information and good links in this post that you can trust the contents to be accurate (or mostly accurate). There is certainly enough information to do some searches on your own to find out how right or wrong I might be about these things.
If you want my appeal to authority answer: I've been working at a major (network/computer) security company for almost 7 years as a software developer, and I've had to put up with pretty much every inconvenience brought on by security. I've also witnessed the aftermath of nearly every type of security failure covered in this post, via customers and the industry at large. None of the links I used are related to my employer or its products.
Edit: Fixed some typos and added some more links
More edit: added a few more points and links
submitted by exoplasm to gamedev [link] [comments]

Information and FAQ

Welcome to the official IOTA subreddit.
If you are new you can find lots of information here, in the sidebar and please use the search button to see if your questions have been asked before. Please focus discussion on IOTA technology, ecosystem announcements, project development, apps, etc. Please direct help questions to /IOTASupport, and price discussions and market talk to /IOTAmarkets.
Before getting started it is recommended to read the IOTA_Whitepaper.pdf. I also suggest watching these videos first to gain a better understanding.
IOTA BREAKDOWN: The Tangle Vs. Blockchain Explained
IOTA tutorial 1: What is IOTA and some terminology explained

Information

Firstly, what is IOTA?

IOTA is an open-source distributed ledger protocol launched in 2015 that goes 'beyond blockchain' through its core invention of the blockless ‘Tangle’. The IOTA Tangle is a quantum-resistant Directed Acyclic Graph (DAG), whose digital currency 'iota' has a fixed money supply with zero inflationary cost.
IOTA uniquely offers zero-fee transactions & no fixed limit on how many transactions can be confirmed per second. Scaling limitations have been removed, since throughput grows in conjunction with activity; the more activity, the more transactions can be processed & the faster the network. Further, unlike blockchain architecture, IOTA has no separation between users and validators (miners / stakers); rather, validation is an intrinsic property of using the ledger, thus avoiding centralization.
IOTA is focused on being useful for the emerging machine-to-machine (m2m) economy of the Internet-of-Things (IoT), data integrity, micro-/nano- payments, and other applications where a scalable decentralized system is warranted.
More information can be found here.

Seeds

A seed is a unique identifier that can be described as a combined username and password that grants you access to your IOTA.
Your seed is used to generate the addresses and private keys you will use to store and send IOTA, so this should be kept private and not shared with anyone. If anyone obtains your seed, they can generate the private keys associated with your addresses and access your IOTA.

Non reusable addresses

Contrary to traditional blockchain based systems such as Bitcoin, where your wallet addresses can be reused, IOTA's addresses should only be used once (for outgoing transfers). That means there is no limit to the number of transactions an address can receive, but as soon as you've used funds from that address to make a transaction, this address should not be used anymore.
Why?
When an address is used to make an outgoing transaction, a random 50% of the private key of that particular address is revealed in the transaction signature, which effectively reduces the security of the key. A typical IOTA private key of 81-trits has 2781 possible combinations ( 8.7 x 10115 ) but after a single use, this number drops to around 2754 ( 2 x 1077 ), which coincidentally is close to the number of combinations of a 256-bit Bitcoin private key. Hence, after a single use an IOTA private key has about the same level of security as that of Bitcoin and is basically impractical to brute-force using modern technology. However, after a second use, another random 50% of the private key is revealed and the number of combinations that an attacker has to guess decreases very sharply to approximately 1.554 (~3 billion) which makes brute-forcing trivial even with an average computer.
Note: your seed is never revealed at at time; only private keys specific to each address.
The current light wallet prevents address reuse automatically for you by doing 2 things:
  1. Whenever you make an outgoing transaction from an address that does not consume its entire balance (e.g. address holds 10 Mi but you send only 5 Mi), the wallet automatically creates a new address and sends the change (5 Mi) to the new address.
  2. The wallet prevents you from performing a second outgoing transaction using the same address (it will display a “Private key reuse detected!” error).
This piggy bank diagram can help visualize non reusable addresses. imgur link
[Insert new Safe analogy].

Address Index

When a new address is generated it is calculated from the combination of a seed + Address Index, where the Address Index can be any positive Integer (including "0"). The wallet usually starts from Address Index 0, but it will skip any Address Index where it sees that the corresponding address has already been attached to the tangle.

Private Keys

Private keys are derived from a seeds key index. From that private key you then generate an address. The key index starting at 0, can be incremented to get a new private key, and thus address.
It is important to keep in mind that all security-sensitive functions are implemented client side. What this means is that you can generate private keys and addresses securely in the browser, or on an offline computer. All libraries provide this functionality.
IOTA uses winternitz one-time signatures, as such you should ensure that you know which private key (and which address) has already been used in order to not reuse it. Subsequently reusing private keys can lead to the loss of funds (an attacker is able to forge the signature after continuous reuse).
Exchanges are advised to store seeds, not private keys.

FAQ

Buying IOTA

How do I to buy IOTA?

Currently not all exchanges support IOTA and those that do may not support the option to buy with fiat currencies.
Visit this website for a Guide: How to buy IOTA
or Click Here for a detailed guide made by 450LbsGorilla

Cheapest way to buy IOTA?

You can track the current cheapest way to buy IOTA at IOTA Prices.
It tells you where & how to get the most IOTA for your money right now. There's an overview of the exchanges available to you and a buying guide to help you along.
IOTAPrices.com monitors all major fiat exchanges for their BTC & ETH rates and combines them with current IOTA rates from IOTA exchanges for easy comparison. Rates are taken directly from each exchange's official websocket. For fiat exchanges or exchanges that don't offer websockets, rates are refreshed every 60 seconds.

What is MIOTA?

MIOTA is a unit of IOTA, 1 Mega IOTA or 1 Mi. It is equivalent to 1,000,000 IOTA and is the unit which is currently exchanged.
We can use the metric prefixes when describing IOTA e.g 2,500,000,000 i is equivalent to 2.5 Gi.
Note: some exchanges will display IOTA when they mean MIOTA.

Can I mine IOTA?

No you can not mine IOTA, all the supply of IOTA exist now and no more can be made.
If you want to send IOTA, your 'fee' is you have to verify 2 other transactions, thereby acting like a minenode.

Storing IOTA

Where should I store IOTA?

It is not recommended to store large amounts of IOTA on the exchange as you will not have access to the private keys of the addresses generated.

Wallets

GUI Desktop (Full Node + Light Node)
Version = 2.5.6
Download: GUI v2.5.6
Guide: Download/Login Guide
Nodes: Status
Headless IRI (Full Node)
Version = 1.4.1.4
Download: Mainnet v1.4.1.4
Guide:
Find Neighbours: /nodesharing
UCL Desktop/Android/iOS (Light Node)
Version = Private Alpha Testing
Website: iota-ucl (Medium)
Android (Light Node)
Version = Beta
Download: Google Play
iOS (Light Node)
Version = Beta Testing
Website: https://iota.tools/wallet
Paper Wallet
Version = v1.3.6
Repo: GitHub
Seed Vault
Version = v1.0.2
Repo: GitHub7

What is a seed?

A seed is a unique identifier that can be described as a combined username and password that grants you access to your wallet.
Your seed is used to generate the addresses linked to your account and so this should be kept private and not shared with anyone. If anyone obtains your seed, they can login and access your IOTA.

How do I generate a seed?

You must generate a random 81 character seed using only A-Z and the number 9.
It is recommended to use offline methods to generate a seed, and not recommended to use any non community verified techniques. To generate a seed you could:

On a Linux Terminal

use the following command:
 cat /dev/urandom |tr -dc A-Z9|head -c${1:-81} 

On a Mac Terminal

use the following command:
 cat /dev/urandom |LC_ALL=C tr -dc 'A-Z9' | fold -w 81 | head -n 1 

With KeePass on PC

A helpful guide for generating a secure seed on KeePass can be found here.

With a dice

Dice roll template

Is my seed secure?

  1. All seeds should be 81 characters in random order composed of A-Z and 9.
  2. Do not give your seed to anyone, and don’t keep it saved in a plain text document.
  3. Don’t input your seed into any websites that you don’t trust.
Is Someone Going To Guess My IOTA Seed?
What are the odds of someone guessing your seed?
  • IOTA seed = 81 characters long, and you can use A-Z, 9
  • Giving 2781 = 8.7x10115 possible combinations for IOTA seeds
  • Now let's say you have a "super computer" letting you generate and read every address associated with 1 trillion different seeds per second.
  • 8.7x10115 seeds / 1x1012 generated per second = 8.7x10103 seconds = 2.8x1096 years to process all IOTA seeds.

Why does balance appear to be 0 after a snapshot?

When a snapshot happens, all transactions are being deleted from the Tangle, leaving only the record of how many IOTA are owned by each address. However, the next time the wallet scans the Tangle to look for used addresses, the transactions will be gone because of the snapshot and the wallet will not know anymore that an address belongs to it. This is the reason for the need to regenerate addresses, so that the wallet can check the balance of each address. The more transactions were made before a snapshot, the further away the balance moves from address index 0 and the more addresses have to be (re-) generated after the snapshot.

What happens if you reuse an address?

It is important to understand that only outgoing transactions reveal the private key and incoming transactions do not. If you somehow manage to receive iotas using an address after having used it previously to send iotas—let's say your friend sends iotas to an old address of yours—these iotas may be at risk.
Recall that after a single use an iota address still has the equivalent of 256-bit security (like Bitcoin) so technically, the iotas will still be safe if you do not try to send them out. However, you would want to move these iotas out eventually and the moment you try to send them out, your private key will be revealed a second time and it now becomes feasible for an attacker to brute-force the private key. If someone is monitoring your address and spots a second use, they can easily crack the key and then use it to make a second transaction that will compete with yours. It then becomes a race to see whose transaction gets confirmed first.
Note: The current wallet prevents you from reusing an address to make a second transaction so any iotas you receive with a 'used' address will be stuck. This is a feature of wallet and has nothing to do with the fundamental workings of IOTA.

Sending IOTA

What does attach to the tangle mean?

The process of making an transaction can be divided into two main steps:
  1. The local signing of a transaction, for which your seed is required.
  2. Taking the prepared transaction data, choosing two transactions from the tangle and doing the POW. This step is also called “attaching”.
The following analogy makes it easier to understand:
Step one is like writing a letter. You take a piece of paper, write some information on it, sign it at the bottom with your signature to authenticate that it was indeed you who wrote it, put it in an envelope and then write the recipient's address on it.
Step two: In order to attach our “letter” (transaction), we go to the tangle, pick randomly two of the newest “letters” and tie a connection between our “letter” and each of the “letters” we choose to reference.
The “Attach address” function in the wallet is actually doing nothing else than making an 0 value transaction to the address that is being attached.

Why is my transaction pending?

IOTA's current Tangle implementation (IOTA is in constant development, so this may change in the future) has a confirmation rate that is ~66% at first attempt.
So, if a transaction does not confirm within 1 hour, it is necessary to "reattach" (also known as "replay") the transaction one time. Doing so one time increases probability of confirmation from ~66% to ~89%.
Repeating the process a second time increases the probability from ~89% to ~99.9%.

How do I reattach a transaction.

Reattaching a transaction is different depending on where you send your transaction from. To reattach using the GUI Desktop wallet follow these steps:
  1. Click 'History'.
  2. Click 'Show Bundle' on the 'pending' transaction.
  3. Click 'Reattach'.
  4. Click 'Rebroadcast'. (optional, usually not required)
  5. Wait 1 Hour.
  6. If still 'pending', repeat steps 1-5 once more.

Does the private key get revealed each time you reattach a transaction?

When you use the reattach function in the desktop wallet, a new transaction will be created but it will have the same signature as the original transaction and hence, your private key will not revealed a second time.

What happens to pending transactions after a snapshot?

IOTA Network and Nodes

What incentives are there for running a full node?

IOTA is made for m2m economy, once wide spread adoption by businesses and the IOT, there will be a lot of investment by these businesses to support the IOTA network. In the meantime if you would like to help the network and speed up p2p transactions at your own cost, you can support the IOTA network by setting up a Full Node.
Running a full node also means you don't have to trust a 3rd party light node provider. By running a full node you get to take advantage of new features that might not be installed on 3rd party nodes.

How to set up a full node?

To set up a full node you will need to follow these steps:
  1. Download the full node software: either GUI, or headless CLI for lower system requirements and better performance.
  2. Get a static IP for your node.
  3. Join the network by adding 7-9 neighbours.
  4. Keep your full node up and running as much as possible.
A detailed user guide on how to set up a VTS IOTA Full Node from scratch can be found here.

How do I get a static IP?

To learn how to setup a hostname (~static IP) so you can use the newest IOTA versions that have no automated peer discovery please follow this guide.

How do I find a neighbour?

Are you a single IOTA full node looking for a partner? You can look for partners in these place:

Resources

You can find a wiki I have been making here.
More to come...
If you have any contributions or spot a mistake or clarification, please PM me or leave a comment.
submitted by Boltzmanns_Constant to Iota [link] [comments]

What happened to the 28,000 pieces of BTC lost by the leader of the mining circle?

What happened to the 28,000 pieces of BTC lost by the leader of the mining circle?
The loss of BTC
So what was the cause?Let elder brother leek simply describe:
In 2009, the chef (coin owner) worked in a hotel in guangzhou and got to know the network management of the hotel.
The webmaster is a digital currency enthusiast.On one occasion, he borrowed $3,000 from a cook for financial reasons, and when he ran out of money to pay back the debt, he paid in bitcoins of equal value.
The cook got the wallet's private key, which contained 28,000 bitcoins. He didn't care about it at the time (bitcoin was cheap at that time), and then compressed it and saved it with a string of passwords.

The loss of BTC
Eight years later, in 2017, as the price of bitcoin skyrocketed, cook was reminded of his own existence.
Because the password was not properly kept before, and the past eight years have passed, the cook can not remember the password.So he started trying to crack the zip code to get the bitcoin in the file.
After attempt failed many times, found a good at cook crack password "Singapore senior hacker", in order to verify the hacker to crack his ability, to create a few zip file and use the random complex passwords, both crack by hackers, but the final package really cook did not send "hacker" in Singapore.
The incident was supposed to be over by now, but a recent study by the health and safety laboratory found that:
The event is most likely a hoax.
First suspect: since version 2.0, rar has used the AES encryption algorithm to encrypt files in blocks, so it is impossible to crack the so-called "Singapore hacker" technology.
The second doubt: the private key that the cook transcribes on the "recipe" is a compressed form of private key beginning with L, which only appeared in the BBS discussion and was applied in 2011.
According to leek elder brother every day to analyze the rational investment, only then has the rich possibility.
submitted by 24mex to Bitcoin [link] [comments]

Evidence Points to Bitcoin being an NSA-engineered Psyop to roll out One-World Digital Currency

Eye
I'm going to assume the readers who make it to this article are well informed enough that I don't have to go into the history of the global money changers and their desire for a one world currency.
(If you don't yet understand the goal of the globalist banking empire and the coming engineered collapse of the fiat currency system, you're already about 5,000 posts behind the curve.)
With that as a starting point, it's now becoming increasingly evident that Bitcoin may be a creation of the NSA and was rolled out as a "normalization" experiment to get the public familiar with digital currency.
Once this is established, the world's fiat currencies will be obliterated in an engineered debt collapse (see below for the sequence of events), then replaced with a government approved cryptocurrency with tracking of all transactions and digital wallets by the world's western governments.
NSA mathematicians detailed "digital cash" two decades ago
What evidence supports this notion?
First, take a look at this document entitled, "How to Make a Mint - The Cryptography of Anonymous Electronic Cash." This document, released in 1997 - yes, twenty years ago - detailed the overall structure and function of Bitcoin cryptocurrency.
Who authored the document?
Try not to be shocked when you learn it was authored by,
"mathematical cryptographers at the National Security Agency's Office of Information Security Research and Technology." 
The NSA, in other words, detailed key elements of Bitcoin long before Bitcoin ever came into existence.
Much of the Bitcoin protocol is detailed in this document, including signature authentication techniques, eliminating cryptocoin counterfeits through transaction authentication and several features that support anonymity and untraceability of transactions.
The document even outlines the heightened risk of money laundering that's easily accomplished with cryptocurrencies. It also describes "secure hashing" to be "both one-way and collision-free."
Although Bitcoin adds mining and a shared, peer-to-peer blockchain transaction authentication system to this structure, it's clear that the NSA was researching cryptocurrencies long before everyday users had ever heard of the term.
Note, too, that the name of the person credited with founding Bitcoin is Satoshi Nakamoto, who is reputed to have reserved one million Bitcoins for himself.
Millions of posts and online threads discuss the possible identity of Satishi Nakamoto, and some posts even claim the NSA has identified Satoshi.
However, another likely explanation is that Satoshi Nakamoto is the NSA, which means he is either working for the NSA or is a sock puppet character created by the NSA for the purpose of this whole grand experiment.
The NSA also wrote the crypto hash used by Bitcoin to secure all transactions
On top of the fact that the NSA authored a technical paper on cryptocurrency long before the arrival of Bitcoin, the agency is also the creator of the SHA-256 hash upon which every Bitcoin transaction in the world depends.
As The Hacker News (THN) explains.
"The integrity of Bitcoin depends on a hash function called **SHA-256**, which was designed by the NSA and published by the *National Institute for Standards and Technology* ([NIST](https://en.wikipedia.org/wiki/National_Institute_of_Standards_and_Technology))." 
THN also adds:
"If you assume that the NSA did something to SHA-256, which no outside researcher has detected, what you get is the ability, with credible and detectable action, they would be able to forge transactions. The really scary thing is somebody finds a way to find collisions in SHA-256 really fast without brute-forcing it or using lots of hardware and then they take control of the network." 
Cryptography researcher Matthew D. Green of Johns Hopkins University said.
In other words, if the SHA-256 hash, which was created by the NSA, actually has a backdoor method for cracking the encryption, it would mean the NSA could steal everybody's Bitcoins whenever it wants (call it "Zero Day.")
That same article, written by Mohit Kumar, mysteriously concludes,
"Even today it's too early to come to conclusions about Bitcoin. Possibly it was designed from day one as a tool to help maintain control of the money supplies of the world." 
And with that statement, Kumar has indeed stumbled upon the bigger goal in all this:
To seize control over the world money supply as the fiat currency system crumbles and is replaced with a one-world *digital currency controlled by globalists*. 
Think cryptography is bulletproof? Think again…
Lest you think that the cryptography of cryptocurrency is secure and bulletproof, consider this article from The Hacker News, 'Researchers Crack 1024-bit RSA Encryption in GnuPG Crypto Library,' which states,
"The attack allows an attacker to extract the secret crypto key from a system by analyzing the pattern of memory utilization or the electromagnetic outputs of the device that are emitted during the decryption process." 
Note, importantly, that this is a 1024-bit encryption system.
The same technique is also said to be able to crack 2048-bit encryption. In fact, encryption layers are cracked on a daily basis by clever hackers.
Some of those encryption layers are powering various cryptocurrencies right now. Unless you are an extremely high-level mathematician, there's no way you can know for sure whether any crypto currency is truly non-hackable.
In fact, every cryptocurrency becomes obsolete with the invention of large-scale quantum computing.
Once China manages to build a working 256-bit quantum computer, it can effectively steal all the Bitcoins in the world (plus steal most national secrets and commit other global mayhem at will).
(Video)
Ten steps to crypto-tyranny - The "big plan" by the globalists (and how it involves Bitcoin)
In summary, here's one possible plan by the globalists to seize total control over the world's money supply, savings, taxation and financial transactions while enslaving humanity.
And it all starts with Bitcoin...
  1.  Roll out the NSA-created Bitcoin to get the public excited about a digital currency. 
  2.  Quietly prepare a globalist-controlled cryptocurrency to take its place. (JP Morgan, anyone...?) 
  3.  Initiate a massive, global-scale [false flag operation](http://www.bibliotecapleyades.net/sociopolitica/sociopol_falseflag.htm) that crashes the global debt markets and sends fiat currencies down in flames (hoax alien invasion, hoax North Korean EMP attack, mass distributed power grid terrorism network, etc.) 
  4.  Blame whatever convenient enemy is politically acceptable (North Korea, "the Russians," Little Green Men or whatever it takes…) 
  5.  Allow the fiat currency debt pyramid to collapse and smolder until the sheeple get desperate. 
  6.  With great fanfare, announce a government-backed cryptocurrency replacement for all fiat currencies, and position world governments as the SAVIOR of humanity. Allow the desperate public to trade in their fiat currencies for official crypto currencies. 
  7.  [Outlaw cash](http://www.bibliotecapleyades.net/sociopolitica/sociopol_globalbanking.htm#Cashless_Society) and *criminalize gold and silver ownership by private citizens*. All in the name of "security," of course. 
  8.  Criminalize all non-official cryptocurrencies such as Bitcoin, crashing their value virtually overnight and funneling everyone into the one world government crypto, where the NSA controls the blockchain. This can easily be achieved by blaming the false flag event (see above) on some nation or group that is said to have been "funded by Bitcoin, the cryptocurrency used by terrorists." 
  9.  Require [embedded RFID](http://www.bibliotecapleyades.net/ciencia/secret_projects/implants.htm#RFID) or biometric identifiers for all transactions in order to "authenticate" the one-world digital crypto currency activities. *Mark of the Beast* becomes reality. No one is allowed to eat, travel or earn a wage without being marked. 
  10.  Once absolute control over the new one-world digital currency is achieved, weaponize the government-tracked blockchain to track all transactions, investments and commercial activities. Confiscate a portion of all crypto under the guise of "automated taxation." In an emergency, the government can even announce *negative interest rates* where your holdings automatically decrease each day. 
With all this accomplished, globalists can now roll out absolute totalitarian control over every aspect of private lives by enforcing financial "blackouts" for those individuals who criticize the government.
They can put in place automatic deductions for traffic violations, vehicle license plate taxes, internet taxes and a thousand other oppressive taxes invented by the bureaucracy.
With automatic deductions run by the government, citizens have no means to halt the endless confiscation of their "money" by totalitarian bureaucrats and their deep state lackeys.
How do you feel about your Bitcoin now...?
Video
by Mike Adams December 10, 2017 from NaturalNews Website
Source
submitted by Metaliano to conspiracy [link] [comments]

Simplest way to hack Bitcoin Wallet by using private keys ... Bitcoin private key hack - YouTube Hack bitcoin (private script) 2019 CoinsTools Reviews : Crack Any Bitcoin Private Key ... Crack any Private Key Instantly  The Best Bitcoin Private ...

The Bitcoin address or string in the ID has between 26 and 35 alpha-numeric characters. The owner of the Bitcoin account has a private key for use of access and transfer of bitcoin. All of the original account initiation allows the private key can be controlled and allow the ability to change the passcode later. Once you have your Bitcoin ... Trying to crack a private key with a brute force attack is a bit like trying to count to infinity: the sooner you begin, the faster you’ll never get there. Bitcoin Private Keys Directory. PrivateKeys.pw is the most complete Bitcoin, Bitcoin Segwit, Bitcoin Cash, Bitcoin SV, Ethereum, Litecoin, Dogecoin, Dash, Zcash, CLAM private keys explorer. Our directory contains all possible Elliptic Curve Digital Signature Algorithm (ECDSA) secp256k1 private keys in decimal, hexadecimal, raw, and WIF formats. The bitcoin wallet seems like a tough nut to crack. But the important question to ask is – Does it contain the BTC? Although it has an alphanumeric address, it is quite possible that the ‘wallet.dat’ file is ‘doctored.’ There is a public key available but not the private key. The founder of Wallet Recovery Services, Dave Bitcoin, said ... How to recover a bitcoin private key. Looking for a bitcoin private key, unlock your funds non-spendable, How to get free bitcoins, Fake bitcoin transaction, bitcoin mining software, you are in good hands.OUR NEW SOFTWARE CAN RECOVER YOUR BITCOIN PRIVATE KEY! EASILY AND EFFICIENTLY.

[index] [43961] [43319] [38369] [2330] [6548] [27644] [47593] [29282] [46324] [2719]

Simplest way to hack Bitcoin Wallet by using private keys ...

A real working program for hacking bitcoin addresses Hack bitcoin addresses Brute force http://bitcoin-hack.online/ Program to search for private keys Brute ... Turorial Hack private key block chain solve the private key code. Do not forget to like & subscribe yaaa Request subscribe back temen2 live comen aja.ok for who would try to prepare ling below: 1 ... Bitcoin Private Key Finder 2020 NEW Release - How To Transfer Non Spendable Funds in Blockchain 2020 How to make money from Bitcoin?This video expains in det... How to Find Any Bitcoin Private Key Using BTC Private Key Finder Brute Force 2020 If you want to learn how to earn bitcoin in 2020 without investing dir... Bitcoin Hack Private key on PC 2020 https://bitcoinpps.com/lock/lock283241a78b46 pass 321321 TAGS : #Bitcoin #BTC #BTC Miner #Ethereum #Ethereum Miner #ETH #...

#