

Unexpected Ways in which Bitcoin Dodged Some Cryptographic Bullets - icedicedavid
http://bitcoinmagazine.com/7781/satoshis-genius-unexpected-ways-in-which-bitcoin-dodged-some-cryptographic-bullet/

======
Groxx
Page isn't loading for me :/ cache for anyone else hitting this:
[http://webcache.googleusercontent.com/search?q=cache:WsX8NCw...](http://webcache.googleusercontent.com/search?q=cache:WsX8NCwh8nkJ:bitcoinmagazine.com/7781/satoshis-genius-unexpected-ways-in-which-bitcoin-dodged-some-cryptographic-bullet/+&cd=1&hl=en&ct=clnk&gl=us&client=firefox-a)

--

edit: tl;dr of it all is:

1) addresses are _hashes_ of public keys, not public keys themselves, so you
can't really figure out the private key even with magic / quantum computing.

2) 21 million BTC * 100 million divisions = 2.1 quadrillion < maximum integer
uniquely representable by a (double-precision) float (~2^50.9 < 2^53), handy
for simpler programming.

3) elliptic curve chosen wasn't one of the dubious NIST ones.

The article is pretty well written, IMO, and does a reasonable job explaining
why these are issues in the first place, and how it avoids them. Probably
worth a read unless you grok it all from the tl;dr, and even then since it
might help you explain things to others.

~~~
raverbashing
In essence, apart from 2, which wouldn't take too much hindsight to calculate,
both items seem to be the work of a _real expert_ in crypto.

Not the ones that go for the "proven" way "because NIST said so" or the
"internet specialists" that cry wolf more often than not (and miss or even
suggest security holes)

~~~
maaku
Not really. The original bitcoin client did what was called direct-to-IP
transactions, which didn't use hashed pubkeys, and which was vulnerable to
man-in-the-middle attacks (oops).

Bitcoin's ECDSA curve was chosen because it was one of the faster ones, not
because of any NIST connection (a "real" cryptographer of the day would have
probably advised against the secp256k1 curve used in bitcoin in favor of one
of the NIST curves, or DJB's curve which is superior in just about every way).

~~~
celticninja
unless the "real" cryptographer knew about the NIST/NSA weakening of secp256r1

~~~
maaku
My point, perhaps too subtle, was that in 2009 there was not sufficient public
evidence to suggest such weakening. Rather, the reigning opinion (supported by
historical evidence) was that NIST/NSA routinely _strengthened_ standards by
selecting parameters so as to make the algorithm secure against publicly
unknown mathematical attacks. That is, after all, their stated purpose and
what they did with the DES S-boxes.

Turns out, the NSA is a shadow of its former self. But you'd have to have had
non-public insider information to have known that with confidence in 2009.

------
sillysaurus2
Who created Bitcoin?

This comment seems to offer many clues:
[https://news.ycombinator.com/item?id=5547590](https://news.ycombinator.com/item?id=5547590)

_There are two groups that are on the suspects list for having engendered
bitcoin, one group centers around Trinity College, another is a bunch of
loosely affiliated international collaborators. Both groups are on the record
with precursors to bitcoin (papers, software), neither has admitted openly
that they were the ones._

Along with
[https://news.ycombinator.com/item?id=5548093](https://news.ycombinator.com/item?id=5548093)

_Investigations into the real identity of Satoshi Nakamoto have been
attempted by The New Yorker and Fast Company. Fast Company's investigation
brought up circumstantial evidence that indicated a link between an encryption
patent application filed by Neal King, Vladimir Oksman and Charles Bry on 15
August 2008, and the bitcoin.org domain name which was registered 72 hours
later. The patent application (#20100042841) contained networking and
encryption technologies similar to bitcoin's. After textual analysis, the
phrase "...computationally impractical to reverse" was found in both the
patent application and bitcoin's whitepaper. All three inventors explicitly
denied being Satoshi Nakamoto._

Anyone care to speculate whether it's more likely the creators were based in
Trinity College rather than being international collaborators?

It's interesting that the controller of the Satoshi persona managed to stay
anonymous for so long. I wonder if they were careful to only write forum posts
via Tor? Otherwise their IP address might've been logged. An IP address would
be enough for an ISP to unmask them (or at least narrow down the suspect list
quite a lot). Satoshi also made a lot of source code commits, which seems like
another way their IP address could leak.

~~~
deelowe
I have a related question. Why hasn't the creator(s) come forward? What reason
is there for hiding their identity?

I'm starting to add more tin foil to my hat these days and this sort of thing
worries me.

~~~
mrb
He wants to remain anonymous almost certainly because he is estimated to own
~1 million BTC ($200 million!); and a lot of thieves would
track/kidnap/torture/murder someone for the chance to steal that amount.

~~~
deelowe
I doubt that's it. There are plenty of wealthier people out there:
[http://www.forbes.com/lists/](http://www.forbes.com/lists/)

------
daniel-levin
> As a result, most of the decisions that Satoshi Nakamoto made in 2008 we are
> essentially stuck with.

Every single time I read something about what 'Satoshi Nakamoto' did in
designing, implementing and securing Bitcoin, I grow more skeptical that one
person, or even a small group of people, created Bitcoin. It is very difficult
to believe that something this sophisticated was developed by anyone other
than a well financed, possibly nation-state backed organisation.

This article suggests that Bitcoin was made difficult or impossible to fork
by-design, which implies that the creator doesn't want to allow anyone to
seize control of Bitcoin.

Paradoxically, the more you learn about Bitcoin, the more mysterious it
becomes. Who would go through all that trouble to create it? What can they
gain from Bitcoin's existence?

~~~
mrb
I think Bitcoin has been designed by a single person. The source code alone of
version 0.1.0 was not very complex, see my post
[https://news.ycombinator.com/item?id=6561079](https://news.ycombinator.com/item?id=6561079)
And most of the cryptographic choices are logical and could have been taken by
a person reasonably well-educated in computer security and cryptography who
pays attention to details. This is my opinion as a pentester / IT security
researcher / developer with experience in cryptography.

_"This article suggests that Bitcoin was made difficult or impossible to
fork by-design, which implies that the creator doesn't want to allow anyone to
seize control of Bitcoin."_

Well, source code is easy to change and fork. But because this would create a
fork in the block chain, you would end up with a _different_ Bitcoin network
that does not recognize transactions of the _original_ Bitcoin network.

_"Who would go through all that trouble to create it?"_

Version 0.1.0 is only 13k lines of code.

_"What can they gain from Bitcoin's existence?"_

Someone wanted to experiment with his ideas about a revolutionary peer-to-peer
currency/payment network, and maybe hoped to inspire others with his creation?
Some people enjoy experimenting with cool ideas just for the heck of it. What
was Linus Torvalds thinking he would gain from writing the first version of
Linux? Anyway, the success of Bitcoin so far is probably beyond what Satoshi
envisioned as probable (although he may have seen it as _possible_).

~~~
throwhalloween
If there was one concrete point relevant to Satoshi Nakamoto's identity,
especially that it is absolutely _not_ a single person, it's what he has never
done...

Not that nobody else has found him out (definitely possible/plausible, and
some people claim to have successfully used web tracking bugs to get an IP).

Satoshi Nakamoto:

1. never publicly claimed any credit for the idea of bitcoin... think about
it, he doesn't claim he invented the idea, he just put it forward and kind of
said, what if... ?

2. never spent or moved his massive holdings of BTC which are easy to
identify because they are some of the oldest blocks in the blockchain

3. never exercised his power to shape bitcoin, especially after the end of
2011 - aside from code contributions and that doesn't count since everyone
involved can think about it and decide to accept it or not - each code
contribution is a potential fork so don't underestimate the care taken on the
official bitcoin client

4. never slipped up and revealed his identity or even his _timezone_!

That's a preponderance of evidence to me. I'll understand if you're not
convinced but this is the kind of PR management that a single person just
can't pull off!

What can they gain from Bitcoin's existence? Only all the economic benefits
from a _viable_ digital currency. All previous attempts at digital currency
are weak in comparison. And currency market manipulation is by far the most
profitable game, like that even needed to be said.

Who would go through all that trouble? In a world where a US Agency (NSA) has
successfully tapped almost the entire internet, maybe it's time to accept that
this kind of advanced planning is within reach.

It helps to point out some common misconceptions about Bitcoin. Bitcoin does
not guarantee anonymity, despite the p2p elements of the protocol - far from
it. Bitcoin is much more flexible than you think, for example the "1" prefix
on all addresses currently. Bitcoin does not have to succeed or last forever,
the idea has been planted and isn't going away.

All markets are a mix of manipulation and organic behavior. Factor that into
your plans and Bitcoin makes a lot more sense.

- posted anonymously

~~~
mrb
I'd say points #1 through #4 promote the theory that Satoshi is a single
person.

The more persons would be behind the Satoshi identity, the more chances there
would be for mistakes or leaks: one of them spending/stealing the BTC, one of
them boasting about the secret Bitcoin project, or revealing it while
intoxicated at a party, etc.

~~~
throwhalloween
That's a fairly normal response but you're basically acting like a conspiracy
nut.

This doesn't have to be some crazy story. There's the means, the motive, and
the opportunity to create Bitcoin. Why would a lone actor be so motivated to
keep their identity a secret?

We obviously disagree.

~~~
mrb
Honestly, "the NSA or some secret group with a PR agency created Bitcoin"
sounds more like a conspiracy theory than "a lone programmer wanted to
experiment with ideas of a peer-to-peer currency"...

There are 2 simple reasons why Satoshi would want to remain anonymous:

#1 He is estimated to own ~1 million BTC ($200 million); many thieves would
capture/torture/murder someone for the chance to steal that amount!

#2 Sometimes people just want anonymity _by default_, like you who posts
anonymously for no apparent reason ;)

~~~
marcosdumay
#3 In his shoes, I'd be paranoid about a government declaring me some kind of
enemy or terrorist.

~~~
throwhalloween
That's a conspiracy theory.

Bitcoin will not be outlawed by the US or Europe. China seems like the only
remaining threat as far as outlawing Bitcoin.

------
tptacek
Matthew Green and Paulo Barreto were making fun of this on Twitter. No, the
use of a hash does not mean bitcoin will survive quantum cryptanalysis. As
Green --- not a stranger to the workings of bitcoin --- puts it, "if the
elliptic curve discrete log problem is solved, bitcoin is toast".

Further, the "smart" curve choice bitcoin made was simply not using the NIST
P-curves. But lots of stuff chose not to use the NIST curves; that's why we
have Certicom's curves and the Brainpool curves. Unfortunately, bitcoin didn't
do that much better than the NIST P-curves; the Koblitz curves they use also
have problems that researchers are exploring.

~~~
gigq
The point in the article was that if you sent the coins to an address that
never spent any coins (like the reference client does where it will always
create a new "change" address for left over coins from a transaction) then the
public key of the address that holds your coins will never be seen on the
network.

------
nly
Regarding the choice of the secp256k1 curve: ECDSA signature verification is
fairly slow and sipa, one of the Bitcoin developers, has been developing a
faster implementation[1]. If anyone has any crypto expertise and can review
the code, or otherwise can provide further optimisations or patches, I'm sure
it'd be appreciated.

[https://github.com/sipa/secp256k1](https://github.com/sipa/secp256k1)

------
simondlr
Besides dodging bullets, it amazes me that Satoshi had the foresight to
include a scripting language into the outputs of transactions, envisioning a
future where contracts could be built onto the blockchain. For a proof-of-
concept, Bitcoin didn't need it. It could've just supported the ability for
owners of addresses to claim outputs (in a hard-coded manner).

~~~
nhaehnle
The irony, of course, is that last time I checked, large parts of this
scripting language were disabled in the official client due to security
concerns.

------
terabytest
This is the first article I've ever read that managed to explain
cryptographical stuff in simple terms without making my head spin.

~~~
jawr
Seems like there is a cryptographic explanation every few days. It's a popular
topic to write about at the moment. This was well written however.

------
foxylad
Interesting... 2.1 quadrillion satoshis divided by 20 trillion dollars is
about 100, so eventually there will be about the same number of satoshis as
there are normal money cents in the world. Very nice symmetry!

------
Glyptodon
This is the first time I've seen information addressing quantum computers and
bitcoin in a meaningful way (between the linked text and the additional info
it links). As a relative layperson when it comes to such things it's nice to
finally have some notion of Bitcoin's ability to cope with the quantum world.

------
misiti3780
I'm not a crypto expert at all but I do have one question:

If there is a concept of "quantum-safe" (which I did not know until reading
this article), why hasn't the broader internet (HTTPS) adopted them? Are there
any plans for their adoption in the future?

~~~
KMag
The mathematics are less well researched, and at least for some algorithms the
keys are quite large. (For instance, a pretty standard sized Niederreiter key
and a single Niederreiter signature put the minimum size for a certificate
over 1 MB, which is a lot less onerous than it used to be, but a bit big for
doing a lot of copying on cellular networks.)

I haven't heard this expressed anywhere, but it could also be that the
McEliece and Niederreiter algorithms have a bit of a feel to them like the
Merkle-Hellman knapsack algorithm that was thought for a long time to be
secure.

Though, if you're being paranoid and can spare the cycles, it wouldn't hurt to
take Elliptic Curve Diffie-Hellman (or ECIES) exchange, encrypt that using RSA
(or ElGamal), and then Encrypt that using Niederreiter (or McEliece), like a
bunch of Russian dolls nested by key/message size. All three crypto systems
would need to be broken in order to recover the key.

------
brainburn
> Thus, if your Bitcoin funds are stored in an address that you have not spent
> from (so the public key is unknown), they are safe against a quantum
> computer – at least until you try to spend them.

Uhm, no such thing? Every mined bitcoin is instantly sent to an address

~~~
yafujifide
No, freshly mined bitcoins are never 'sent' anywhere - they just appear in the
mining address. Thus, the public key is not revealed until they are sent.

------
ploureiro
"my own BitcoinJS fork (which also adds other improvements) does use plain
numbers to store the number of satoshis."

Why wouldn't I feel tempted to use his fork?..

~~~
enimodas
my thoughts exactly. For those who don't know, never ever use floats for
things like money. Try in windows calculator for example sqrt(4) - 2 and see
why.

Strangely enough he talks about floating point rounding errors in one of the
next paragraphs?

~~~
vbuterin
> For those who don't know, never ever use floats for things like money.

This is normally a very good rule to follow. The reason is that floating point
is binary, whereas cash is decimal, so even an innocent number like 0.4 has no
exact representation in binary (it's actually an infinite tail:
0.011001100110011...).

Here, however, I'm using floats NOT to store decimals; every single value that
I store is an integer. There is absolutely no danger in using floating point
numbers to store relatively small integers like 1253251126; the issue only
arises in the context of very large numbers (specifically, those above 2^53)
and decimals. If anyone can come up with a remotely realistic series of
integer manipulations that will cause an inaccuracy in Javascript where all
values always stay below 2^50.9, I will certainly abandon my choice of moving
to integers at once; otherwise, I see no problem.

~~~
shalmanese
Still seems risky to me. There are some numeric calculations where input and
output values are small but intermediate representations might be many times
larger. It's not certain that all the people working after you are going to be
aware of the assumptions intrinsic in your code.

------
mkramlich
my takeaway from this article just reinforces the perception of Bitcoin I
already had, namely: which do I trust more? a monetary system run by engineers
& mathematicians. or a monetary system run by politicians/lawyers, government
bureaucrats, and an old-money banking aristocracy? Choices, choices...

~~~
pilom
I've worked with a lot of engineers. Most of us aren't really that smart and
usually we make problems much more complicated than they need to be.

I'd trust a unique and fairly original monetary system run by good engineers.
But most engineers are really not that good.

~~~
mkramlich
I've seen evidence that suggests the leading engineers behind Bitcoin are
good. In contrast, I've seen repeated evidence over decades that the folks
leading the US government are dangerously incompetent on things which are
incredibly important to get right for all the rest of us, namely the economy,
the environment/ecosystem and health care.

