Bitcoin Forum

This is a basic question about bitcoin security that I don't see answered adequately.

I'm not an expert in anything, so it is possible I am missing the obvious, but would still like an answer.

The bitcoin private key is a 256 bit number that contains a numerical address and a key to decrypt numerical messages sent to that address.

The number of key is quite high. The security of the bitcoin system seems to be based on the difficulty of using a public address to work backwords and find the private key. But there seems to be an obvious proof that shows that to be flawed.

In order to show that the current bitcoin key system is flawed, all that a person would need to do is show that there was a correlation between the relative position of a private key and the relative position of its corresponding public address.

In other words, if you took the lowest possible private key, a 256 bit number starting with 00000... etc, and the highest possible private key, a 256 bit number starting with 11111... etc, and you were able to show that the two public addresses for those keys formed hard boundaries, i.e., that all bitcoin public addresses fell between those two numbers in some mathematical formula or progression, then you would be showing that an accessible formula existed to work backwords from the public adrress to the private key.

The obvious question then, does some formula or progression exist that could put bitcoin addresses in sequence? Any set of numbers that are derived from another set of numbers ultimately can be ordered in the same sequence as the original set. Therefore it seems that the "security" of the cryptography used in bitcoin would come not from the size of the number set but rather from the computational difficulty of converting private key to public address or vice versa. Since in bitcoin the conversion in one direction, i.e., private key to public address, requires little effort, there is really no security once a formula or progression rule for addresses is discovered. And such a fomula or progression is easily findable by anyone with a little skill in that kind of thing.

... Is that accurate?

There was once a user here in the forum that often holds bounties in the form of solving complex equations and mathematical problems that are somewhat related to cracking the fundamentals of the bitcoin privkey and its security. It was a fun thread to show as it progresses, but I'm no mathematical genius, but seeing those comments and replies to his thread (and similar to what you are pointing to), there is indeed a way to solve the privkey for each addresses in existence, though it strongly oppose this line here:


Again, according to that thread, solving the necessary formula needed a huge amount of computing power before being "cracked."

Your assumption that such a formula is "easily findable" is false. 
 
Hash functions effectively scramble the data so there's no way to predict what the output is going to be,
so you cannot find a "progression rule". 

Correct, the consensus is that good hash functions are "one way". They require a ridiculously huge amount of computing power to brute-force (predict), but only a small amount to verify information.

Try to find some basics about encryption, using private keys. It is a one way encryption and lucky guessing is with the current state of computing power not something that is done easily. Though the development of bitcoin is spawning mines that have massive computer power and it spurts like hell to new hights. The downfall of the crypto currency might just be it's popularity and influence on the processing power.

Not really, because the amount of processing power required to brute force a private key is MANY orders of magnitude beyond that of solving a block.

 

I hear what you are saying, but the fact of the matter is that so far, no one has
been able to detect any sort of pattern in strong cryptographic hash functions
such as SHA-256.    

There is something called the 'avalanche effect' where changing one character
changes the outcome completely.  If you look into the inner workings of the
hash function, it goes through I believe 64 rounds of computation.  By the
time its done all that computing, you're left with something that has no
discernable pattern.  

So while you're correct that they are not 'random', the outputs appear
random for all intents and purposes and without a pattern to follow,
no ordering is possible.

Perhaps someday someone may indeed find a pattern, but when/if
that happens, it would be time to migrate to a stronger form of
cryptography.

No, it's just a 256 bit number. It doesn't "decrypt" anything. However, it's used to sign messages proving a relationship to a particular public key.


Yes.


Yes, that's the part of security which protects user accounts (private keys). It's based on elliptic curve cryptography. The other large part of Bitcoin security is secure hashing algorithms used by miners to provide arbitration for the blockchain.


Nobody needs to show that. It's already known. That's why it's possible to verify a private key without knowing it.


The part where you go off the track is when you say "accessible formula". The elliptic curve used by Bitcoin is Secp256k1. Its points on a graph would appear randomly scattered and the number of points is between 2^255 and 2^256 or about one point for every eight atoms in the universe. If you think you have or can find an accessible formula to compute these points backward from a public key, then yes you could cause problems with the current version of Bitcoin.



Yes, counting up by one for instance. The problem is there are so many possible addresses it would take you (or a computer) an unbelievable amount of time just to count upward and hit one.


Can be ordered or must be ordered?  


The security comes from both the size of the number set and the difficulty in calculating the private key from only a public key.


This presumes such a formula could be discovered.


Let's see it then.

You just make it sound too easy.
Mathematical geniuses  were researching cryptography before there was even a computer. One a mathematical level, there was no way found, to reverse e.g. SHA-256.
Don't you think, people already tried that? People, who are much smarter than everyone who wrote in this thread combined(at least, when it comes to math).
I guess, you would have to find a new mathematical law, that would win you the nobel prize with certainty, to find the pattern you are talking about.

Both the elliptic curve maths for going from private to public key, as well as the sha256+ripemd160 hashing to go from public key to address, are both deliberately designed to be one way operations.

The only correlation is that they're deterministic (the same private key always results in the same address).

Not saying that it is theoretically impossible to come up with a feasible way of constructing a matching private key with some given addresses (although extremely, astronomically unlikely). But in general, such a formula will not exist. For starters because it's destructive: some information is lost in the process, and you can't magically restore information out of thin air.

You seem to think that for mathematical or logical reasons, there must be some hidden correlation or formula that, once discovered, would allow you to efficiently reverse addresses back into private keys. This is not necessarily the case.

For example, suppose that the function that converts from private keys to addresses is a pseudorandom mapping: it's deterministic, but there's no specific order or correlation whatsoever. Or for argument's sake, let's say the mapping is really random, constructed by sequentially throwing a dice a centillion times. Then this boils down to a huge (but ordered) list of private keys and their corresponding addreses. Well, guess what, we have such a mapping right here:

http://directory.io/

Note that this is actually real: ALL private Bitcoin keys are in there, both used and new, current and future ones, along with their matching addresses.

So there's the function right there. It allows for very efficiently calculating the address for any private key, based on a simple (but huge) one-to-one mapping. Now, given this function, how does your argument apply that this 'must' be feasibly reversible in some way?

Without getting into details of Mathematical trap doors please just watch this video and you will begin to understand how difficult it is to brute force or guess a private key.

https://www.youtube.com/watch?v=ZloHVKk7DHk

Additionally , Its not just about guessing the correct private key but guessing the correct private key for a specific public key.

This is the reason there are hundreds of wallets with single public addresses that even the smartest cryptographers and hackers cannot steal.

http://bitcoinrichlist.com/top100

As we've been trying to explain, there IS no way to way to know
if one address came from a higher or lower private key than
another address.
 
Why is that so hard to accept?

There is no formula or progression that exists.
If it did, then current known cryptographic systems used by world intelligence agencies would be rendered worthless.
It is not possible to do what you propose since calculating all addresses from private keys would also take thousands of years and millions of dollars.
You need to do more reading on how Bitcoin's cryptographic system is implemented and functions.

Of course anything is possible, it's just not practical, and that's the design: to be elegantly simple, but incredibly convoluted at the same time.

Even if you had the "master" algorithm, modern computers can't crunch it, and humans can't do it on paper. That Satoshi was a genius. All this trouble for invisible money. LOL

Brute forcing a private key would be incredibly difficult considering that a password that is 10-15 digits is considered secure a private key would be beyond the computing capabilities of today. But in the future with large amounts of power it could be possible.

Easy? I doubt it. You seem to think that a hash is calculated from a mathematical formula whether in fact the process is more akin to shuffling and combining a list of bits.

Right, it is a common misconception carried on by popular culture.

Easier? Why? Just because people don't know about the iron door doesn't make it less sturdy.

I recommend reading the papers on MD5. It was successfully cracked and its construction is the same as SHA-256.

Please do, because your hypothesis relies on baseless assumptions.

Well, it's the difference between theory and practice. Since a hash has a finite length and can be applied on arbitrary long messages, there is an infinite number of collisions, and yet not a single one has been found.

And we can live on Mars, it's only a matter of building a colony there.

To my knowledge it hasn't been done.

On rare occasion, when something has never been
done before, an innovator steps up and opens a new door.

However, most times, there are reasons why things
that intuitively seem easy that no one (or few people)
can do, are actually difficult.

Many times those reasons aren't discovered until you
actually try for yourself.

So, try it.

Try to find a pattern.

Maybe you will come back
later and tell us you found
a pattern...or more likely
that you haven't and why not.

Each address is supposed to be generated independently of other addresses. Thus, no pattern can be found between addresses.
If a private key, for example, ends in EpqWR73, and its corresponding address is gCaAbj23,
then the same private key, but ends in EpqWR74, its corresponding address is 55dXgH29.

There is no beginning or end or boundary to attempt to crack within.
The governments know this and don't waste time cracking,
they will just install malware through progs or etc to get around the cryptographic functions.

What you are describing is like finding Einstein's Unifying Theory.

EDIT: This video might be of interest to you, called "How did the NSA hack our emails?"
https://www.youtube.com/watch?v=ulg_AHBOIQU (https://www.youtube.com/watch?v=ulg_AHBOIQU)
This video shows that cryptographically, it is impossible to crack, so the NSA actually needed to place backdoors in the cryptographic functions, originally.

When SHA256 gets too easy, they just incorporate SHA512 etc... etc.. The protocol could evolve with time and computational power.. It's not set in stone.  ;)

If you ever fear this possibility... watch this video -->  https://www.youtube.com/watch?v=ZloHVKk7DHk

"Quindecillion" is HUGE numbers! .... The metaphor he used with drawers was excellent to explain it.... The time and resources to solve this, will be HUGE and it will kill most of your profit from doing this.  ;)

Note that to convert from private key to bitcoin address you need to go through 2 transforms that are each "one-way", at least for now.

private key -> public key -> address

Someone already mentioned what these transforms are (EC PK cryptography and SHA256). Cryptographers spend their careers designing as well as trying to break these transforms, because they protect other stuff much more valuable than bitcoins.

Now you come out of the blue, claim you know nothing about cryptography, but assert that is should be easy to go directly from address -> private key because there must be some pattern that should be easy to find?

It's exactly 50%.

For any given random address, there is an equal probability for it (that's 2^-256) belonging to ANY random private key.

You clearly don't understand much about what you are talking about and you are taking a very simplistic understanding of arithmetic and attempting to apply it to a very complex area of mathematics (specifically cryptography).

Lets try and get you straightened out on the very basics that you're lost on before we waste time trying to help you see the more complex areas of digital signature algorithms and hashes.


You are mistaken.  SHA256 uses two hundred fifty-six single bit characters. Each and every one of those characters is either a 1 or a 0.  The results are converted to base58 for display to humans, but the math is all done in binary.  You are welcome to convert the 256 bit primary key and the 512 bit public key into any format you like, it won't change the security of the underlying binary numbers.


You are talking about patterns as if they are guaranteed to exist.  It is quite likely that there are no discoverable patterns linking an ECDSA private key to an associated bitcoin publick key hash.  Clearly if they do exist, then they can't be found with a regular computer "in a short time", because people have been trying to crack these cryptographic functions for many years and nobody has been successful yet.
 

That is almost certainly not something that is going to happen.


Fortunately bitcoin doesn't rely on complex numbers and a false impression of security.

Note that even if weaknesses are discovered in any of the cryptographic functions, there will almost certainly be plenty of time to adapt the protocol to user newer signature and hashing algorithms before those weaknesses are expanded enough to be a problem.  For example, weaknesses were discovered in the SHA-1 hashing algorithm a decade ago in 2005 and yet it would still work perfectly fine as a hashing function for bitcoin mining today if Sathoshi had chosen it instead of SHA-2

The relationship between a private and public key is not based on a hash.  Bitcoin uses an elliptic curve algorithm.  Here's a good primer: https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

This particular type of public/private key algorithm is used all over the place.  If it were cracked, huge portions of our electronic security systems would collapse.  So if you do crack it, you should probably choose a more lucrative target than bitcoin.

Although hashing is used, both in the ECDSA calculations, as well as in additional steps to calculate the address from the public key.

True, but to get from a public key to a private key, reversing the hashing algorithm will get you exactly nowhere.

You understood wrong.

For some reason you seem to insist that there must be some pattern hidden underneath, waiting to be discovered. Don't you realize that it's very well possible (or even extremely likely, statistically speaking) that there simply IS no such pattern?

Going from address back to private key, that is reversing the ECC + Sha256 + Ripemd160 steps, is not by any stretch of the imagination comparable to divisibility by 3. Not just a "way more complex version" of it, but just a totally, fundamentally different kind of process.

Try and understand my random mapping example (https://bitcointalk.org/index.php?topic=1006519.msg10930847#msg10930847) I posted in the previous page.

You really have a false conception of the underlying math.

It's not "more complex" numbers. It's longer numbers, as in, more bits. With no correlation. More entropy. And more entropy does not mean more detectable patterns, it means harder to guess.

You're just jumping to conclusions.


And if a credible flaw were found in scrypt, we would need to find other hashing algorithms. What's your point?

Fortunately, nothing in bitcoin is encrypted.  Furthermore, hashes are not "random"  they are entirely deterministic.  Every time I perform SHA-256 against the words "no-ice-please is spouting off words without taking the time to understand the processes that he is attempting to discuss", I will ALWAYS get the result: bf403c0c12e1f27f5bd372b4724a2a41bbc2360a02c52ead40b4c7b4b66e6d11.  There is nothing random about it.  However, you aren't going to find a pattern in the SHA-256 inputs and outputs that will allow you to look at the hash: 1e39dffd07a1690be370193a7c03ae6e494f2adb98a8391c83c4920a5951f857 and figure out exactly what text I started with.  It is deterministic, but it isn't reversible.


Certainly.


Well that's a ridiculously non-specific question.

Ancient?  Like hundreds of years old?  No.

Untrusted?  That depends on the person doing the trusting and the purpose that it's being used for.

Recent?  Like within the past few hours?  Sure.


Microsoft does a lot of stupid things.  I don't understand the point you're trying to make.


I'd still defend MD5 as being perfectly suitable for some purposes.  MD5 (and SHA-1, and SHA-2, and RIPEMD-160) is just a tool.  When used properly, it can serve a purpose.  When used improperly, it will result in problems.

Note that MD5 didn't go from "very secure" to "completely useless" in a matter of hours (or days, or weeks).  There were incremental advancements on finding weaknesses in the algorithm building on those weaknesses.  There was a significant amount of time between when the first weakness was identified and when it was possible to forge a certificate.  Those aware of advancements in cryptography (the same types of people that contribute to the bitcoin protocol) would have been aware of the early discoveries and would have had plenty of time to adopt newer algorithms as needed.


Perhaps.  Or perhaps the effect would be to increase the mining difficulty in bitcoin and work towards replacing SHA-2 in the generation of bitcoin addresses.

Note that if it was possible today to calculate an ECDSA 256 bit public key from its SHA-256 hash in a fraction of a second, bitcoin would still be perfectly secure.  The public key is broadcast EVERY time you spend your bitcoins.  Knowing it isn't going to help you steal someone's bitcoins.

Two problems:

1. you can not calculate the public key from the address, since the conversion is not lossless. This is similar to, you can not get the raw picture data from a compressed JPG file, since lots of raw data have been thrown away during the compression. The only way is to guess the missing part using brute force. That is only possible by a 256 bits quantum computer, which only exists in imagination

2. You can get the public key in an transaction if one address has spent its coins. Then it is theoretically possible to calculate the private key using public key, by using a specially designed 256 bits quantum computer, which only exists in imagination

In fact, the difficulty for quantum computer lies in the calculation. You can factor large numbers since the calculation is extremely simple, just multiply, but to do hash function using quantum computer would be a huge challenge

There's no way around SHA-256 unless we invent quantum computers powerful enough to bruteforce the passes period. The rest is paranoia and FUD.

and the algorithms to use them.  there is no known quantum algorithm capable of 'brute forcing'.

Sorry, I don't have my no ice please password so I created a new I'd.

This is what I have understood so far:
1) MD5 was considered utterly secure until it was cracked. The crack involved a flaw inherent to using hashes in asymmetric cryptography and should obviously thus preclude their use for things such as bit coin.
2) The hash cracking process involved two basic steps. Initially a meta flaw in hashing security, then a specific application adapted to a specific algorithm such as md5.
3) There have been not one but several completely distinct meta vulnerabilities found in using hashes for cryptographic purposes. In other words several different ways have been mentioned publicly to crack them. Some are slow others are very fast.
4) Using a longer key length does not realistically increase the cryptographic strength of hashes even with very long keys.

So I with my small years old computer and meager interest in the subject will not break sha2, but someone has. There are literally dozens or more of people working full time to crack it, using powerful computers, it is safe to say they can do to sha2 what relatively poorly equipped researchers did years ago with md5.

So my question now is which coin has a more reliable algorithm, preferably without the seal of approval from any govt?

No matter what hashing algorithm you use, it will be eventually cracked (according to your own post). So, why bother with them, anyway?

This should put things in perspective for you...
http://miguelmoreno.net/wp-content/uploads/2013/05/fYFBsqp.jpg

It's no use. no-ice-please thinks that a flaw can be found that bypasses counting and harnessing the energy of a million suns. That idea is baseless, though.

It's right. You can not stop it happening. Someone, somewhere will eventually crack it and you will be doomed then.
Better you go with flow.

MD5 only had 64 bits of security, SHA-256 has 128.

Anyway, don't forget...information wants to be free.
If something is cracked, it won't be a secret for long.

Keccak subset SHA-3 also contains SHA384 (192 bit) and SHA512 (256 bit), so the Bitcoin Core can be upgraded if the need ever arises. Plus, I am sure more secure algorithms will be developed in the future that Bitcoin can be upgraded to if needed.

That said, I've yet to hear of a single collision with SHA256, and we know that cryptographers and hackers are trying to do it. But if you can produce any SHA256 collisions, please show us all, but I don't think you can.

This all is really a non-issue.

Yeah, during our lifetime and beyond SHA256 will be uncrackable, all counterarguments include traits of science fiction. You can sleep at night Op, your BTC is safe.

The info graphic shows only that it would be inordinately difficult to brute force sha256.

I have to ask why some people are misrepresenting potential weaknesses in sha256.

md5 also was impossible to brute force but then several different ways were found to crack it within seconds on a home PC system.

Sha256 is as uncrackable by brute force as md5 and the evidence strongly suggests that it is just as cryptographically flawd as md5 as well.

Again, do you understand that your argument refers only to bruteforcing?
And do you understand that the argument thus looks good but has no merit whatsoever?

Or do you not understand that?

-------------------------------------------


Keccak is sort of discredited by anyone who wants to research it.

There are a series of articles about NSA involvement in these algos that has more info. You might be able to find more info by searching "what the NSA created cryptonote for" or you might not.

The evidence seems to be that sha2 is broken, that keccak is not a secure substitute, and that there will be some effort to funnel people into cryptonote.

I don't think that will be successful and, aside from cryptonote in the very short term, I am looking for some algorithm that is profitable.

--------------------------------------


When md5 was trusted the same sort of info graphic as above was used. The evidence indicates that md5 was broken for a long time before it was known to be broken, and that the history of public knowledge of its weakness was altered. In other words if you look at actual forum comments on various sites the timeline of awareness about its potential weaknesses is not quite what is portrayed on Wikipedia and elsewhere. Revisionists are covering their asses.

Looking at all the evidence I believe there is sufficient proof already that sha2 is broken.

What evidence would that be?

Can you explain us, in detail (and by detail I mean all the technicalities, not just a weak “what if”) how does that evidence work to prove SHA is broken?

~it's not 'proof,, but it is enough to give me pause~

Among others

1) Bitstamp hack involved roughly one tenth of one percent of all existing bit coin.
But a person or group who could hack Bitstamp's hot wallet as late as January 2015 would have the capability to get much more. In other words the hacker probably limited the scope of the hack. This and several other hacks point to an attack originating in a flaw in sha.

2) The md5 hack was known to various governments before it was public. That is obvious. They used the flaw for political malware until it was exposed. After md5 was shown weak, instead of going to something that would be beyond question, such as an objectively strong algorithm, trusted widely, they extended their 'current product'. In other words sha2 is an extension of md5 rather than something different. Why? Please speculate.

There is one further piece of evidence that convinces me but I don't want to start a shitstorm with it.

There is no question but that my arguments are not 'rock solid'. They involve speculation. But when I look at the public supporters of sha2, and their arguments such as the info graphic above, I am forced to ask what they are hiding. Why are defenders of sha2 using 'brute force strength' arguments instead of 'cryptographic strength' arguments? Is the deception accidental, irrelevant?

OK, it is not proof. Stop there.


One exchange getting hacked means that they got access to the server storing the private key, not that SHA was broken.


You say:
MD5 is a hashing algorithm.
MD5 is known to be weak.
SHA2 is a hashing algorithm.

And then you conclude, disregarding how logic actually works, that SHA2 is broken too.


Please come back when you do have rock solid evidence.

What we are talking about here is the financial protocol used to secure a lot of money. The burden of proof is on those who claim it is secure. I am struck again and again that defenders of sha2 resort to using ad hominems, inaccurate portrayal of 'brute force attack' as the risk and on and on. Maybe there is someone who knows cryptography and is able to defend sha2 but so far its defenders have only been throwing up smokescreens, and I have to ask why.

Quite a few exchanges secured by some of the best security people available have been hacked. It's not just a question of getting access to a server.
Please explain what logic I am disregarding. Md5 was state of the art just a few years ago. Now it can be cracked easily by an amateur within seconds on a cheap computer. Sha2 is a more elaborate algorithm than md5 but uses the same basic principle to encrypt.

It was not my intention to force you to respond to my questions. I did not come to your thread, you came to mine.

It boggles the mind that despite such obvious questions about the cryptography involved in bitcoin there is no site, or at least I have not seen one, that spells out the exact computation, in layman's' terms, with an example, alongside a comparable example with md5.

Your basic answer, and the answers of most of the others on this thread so far, is "bitcoin is secure because we can yell louder than you". Underneath that is the implicit "well the NSA says it is secure and they lied to us about md5 so they could play assinine spy games with it, so let's just trust them".

A fair point, but what you are saying is a hypothesis, not evidence, which are 2 completely different things.

Furthermore, your hypothesis is a weak one because of hasty generalizing and ignoring the number
of bits of security advertised in each of the hash functions (64 bits vs 128 bits).

Simply assuming that all hash functions will be broken at some point in the near
future is a counterfactual fallacy as well... There are many strong hash functions
regardless of the fact that there others such as MD5 that are broken.

Well, as others pointed out: There's no 'rule' or no 'progression'. The input into the one-way functions (hashing algorithms) need to be random in order for Bitcoin to be secure. That's the 'only' requisite!

There seems to be evidence for both sides. I was trying to present evidence on one side and asking people to refute it. Nobody has done so. Instead they have presented 'defenses' of sha2 that are very weak.

At this point therefore my hypothesis is that sha2 is cracked, or should be considered so.


A few years ago people were saying about md5, 64bit etc "it would take millions of years to break, so trust it!
It can be broken now in seconds.

Not 'broken' through a random collision but through a collision on any key you choose, i.e., 100% broken.
Not broken through a single obscure crack identified by some genius at MIT. Broken through several independently found weaknesses identified by amateurs in their spare time.

So if the purpose was to offer at least the credible perception of security then 1) the standard would have gone from 64bit to at least several hundred thousand bits and b) a totally new function would be depended on to convert data to code. But instead of that a tiny step was offered.


Okay then. What is it about sha2 that makes it unbreakable when compared to md5?

Please don't say 256 bits.
64 bit hash broken easily in seconds by an amateur with a cheap computer.
So how long would it take a PhD with a supercomputer to crack a flawed 256?

----------


But that is proven untrue.
It is true that the input must be random and if the hash function is truly one way then a high number of bits would guarantee security.

But it is not true that the hashing functions described are one way. Therefore the security is false.

MD5 was pumped a few years ago exactly as sha2 is being pumped now. There are a lot of ways the security of sha2 could be demonstrated satisfactorily, but instead of doing that its defenders use dishonest rhetorical techniques to defend it. Go over this thread and you will see numerous examples. A person holding aces doesn't need to bluff.

@ice
These algorithms are not new. If you had studied cryptography, you would know that proving that a hash is uncrackable is impossible. So the best way is to come up with a method, have everyone have a go at it and if it has a weakness, tweak the method and incrementally improve. Starting from a completely new method is more risky.
I understand your concerns and the people who keep bringing up the infographics of the sun surely don't help. It is obviously of little value yet the truth requires much more advanced mathematics that very few people have the patience for.
Their arguments may be wrong but the theory still can be right. You criticize their logic but haven't shown any proof on your side. All I see from your post is handwaving too.

For instance,
MD5 is weak + SHA2 is based on MD5 => SHA2 is weak

If this line of reasoning is correct to you, then there isn't much to say. No one forces you to put money in bitcoin or crypto currencies.

No, you are simply at the wrong place. Why don't you ask on a cryptography forum instead?

A good idea.

Thank you.

That's actually an excellent question and I don't know,
because both do use the Merkle-Damgard construction.
 
Best left to ask a cryptographer.
 
I think there's certainly room to be a skeptic here, given the similarities, but
the fact remains that no one has publicly produced any evidence of significant
weakness so far in SHA-2.

No.  It isn't.  There is no way that is "much easier:"  In fact it's every bit as hard as reversing the hash operation in the first place.

They are different in that no single address appears in both sets, but there is no discernible difference in the statistical distribution of any bit or any pattern of bits.  There is literally no way, given an address, to guess which of these set it's in.  Except, you know, by iterating through all the possible private keys and seeing if it matches. 

Is it accurate that various government agencies were aware of flaws in md5 and yet continued to promote it as secure?

I don't know.  Do you have a reference for that?

Even if they were, it was private organizations that exposed the weaknesses so wouldn't that be a moot point anyway?

For what it's worth, the MD5 break is of a very particular kind.

MD5 has a collision vulnerability, but it does not have a meaningful preimage vulnerability.

What that means is that it is now easy to construct two  or more documents that have the same MD5 hash (a collision), but given a hash value it is still damned hard to construct something which hashes to that value (a preimage). 

It's preimage resistance isn't quite perfect mind you; an attack has been found that takes 2^123.5 operations to find a preimage, when it ought to take 2¹²⁸ if its preimage resistance were as good as it was supposed to be.  So MD5, while completely broken in terms of collision reistance, is only about 1/24 as hard to find a preimage as it ought to be. In practice finding a preimage is still far beyond the amount of computing power that could be produced by a computer the mass of Earth in a time less than the expected lifetime of the sun. 

Of course, attacks never get worse ... and it's possible that the preimage attack can be extended somehow. 

Phew... people should keep in mind that there effectively is an infinite amount of private keys, so every public key (and thus also address) has an infinite number of private keys that can access that address! Scary, isn't it? If you look at the math, it isn't anymore!

well there's 2^256 private keys and 2^160 addresses so yeah there's many private keys for each address,
but that's not really what's being discussed.

Cryddit's post is enlightening, in revealing that even MD5 is subject to collisions but
not pre-image attacks.

I'm not sure exactly why collisions are that important if they would happen rarely,
or how you would use that to attack a target.

Interesting. I was under the impression that MD5 was vulnerable against preimage attacks.

"A 2013 attack by Xie Tao, Fanbao Liu, and Dengguo Feng breaks MD5 collision resistance in 218 time. This attack runs in less than a second on a regular computer."

http://en.m.wikipedia.org/wiki/MD5

There seem to be quite a few different md5 cracks which were found independently.

It appears that the government and Microsoft both encouraged the use of md5 until it was exposed publicly by Iranian computer researchers.

If md5 were used for bitcoin it would be possible for anyone to steal bitcoin.

If sha2 is compromised as md5 was, and if the government is covering that up in order to exploit it, as they did with md5, what are the implications?

It is safe to say other governments also have cryptography programs.

If MD5 were used for bitcoin it would not be possible to steal coins, or at least not directly.  That would require preimages.

What would be possible would be constructing txOuts that could be spent by any of several different keys.  Which could be interesting, but doesn't lead to any immediate capability of theft.

It could be used in some kind of scam or confidence game though; two different keys capable of spending the same BTC25 could coexist in a wallet and most software would think the wallet had BTC50 in it, for example because neither key would appear to be a multisig or shared key. 

Among the several different md5 cracks is at least one that was used to forge a Microsoft certificate.

But you are saying that if md5 were used for bitcoin, it would be secure?

From Wikipedia
"In cryptography, a preimage attack on cryptographic hash functions tries to find a message that has a specific hash value. A cryptographic hash function should resist attacks on its preimage.

In the context of attack, there are two types of preimage resistance:

    preimage resistance: for essentially all pre-specified outputs, it is computationally infeasible to find any input which hashes to that output, i.e., it is difficult to find any preimage x given a "y" such that h(x) = y. [1]
    second-preimage resistance: it is computationally infeasible to find any second input which has the same output as a specified input, i.e., given x, it is difficult to find a second preimage x' ≠ x such that h(x) = h(x′).[1]

These can be compared with a collision resistance, in which it is computationally infeasible to find any two distinct inputs x, x′ which hash to the same output, i.e., such that h(x) = h(x′).[1]

Collision resistance implies second-preimage resistance,[1] but does not guarantee preimage resistance.[1]"

---

It seems from the descriptions of the various md5 cracks that md5 lacks collision resistance, therefore you could find a second, or fabricated, input which would hash to a legitimate looking output
and
it lacks second preimage resistance which seems to equate to finding a second private key.

Considering the amount of bullshit that has been shoveled already in defense of md5 and sha2 my opinion remains that most likely they are cracked several ways by several governments and those overpaid slippery cunts are trying to drag the game out as long as they can.

The Bitstamp hack may be their undoing though. If that hack was actually a sha2 crack then you would think they would take pains to leave a fake forensic trail. More info will be coming out on that I imagine.

The malware that exposed md5 as weak was found by Iranians. It was evidently political malware that was created by several 'anti Iranian' governments.

Wikipedia has a timeline but if you look at actual forum posts on various sites it is clear that Wikipedia is presenting a distorted picture. Forum posts suggest md5 was actually considered quite secure until the Iranian issue.

The fact that private organizations uncovered it makes sense if governments were trying to keep the weakness secret.

Evidently a wide mix of governments were aware of flaws in md5 and used that knowledge for political games.

When Iranian researchers found the malware they gave it to Kaspersky to analyze and look for historical evidence and patterns. Kaspersky seems to have been a bit disingenuous, perhaps the Russian government was benefiting from the crack as well. At any rate, any Iranian can look at the evidence and decide how helpful the Russians actually were.

The bigger question is whether these putrid alphabet soup agencies engaged in a massive deception for years with md5, but then decided 'well let's start playing square now'?

Can we trust them now?

This is not what collision resistance implies. It would be true if it lacked pre-image resistance. Collision resistance means that you can find two messages that hash to the same value but you don't get to choose the hash value.

In the case of the MD5 certificate attack, they made two certificates that have the same hash: one is regular (SSL), the other is supreme (CA: Certificate Authority). They asked the root CA to sign the SSL one without problem. And then they put the signature in the CA certificate. Because they have the same MD5, the signature is valid for both of them.
They made a CA that appears to be trusted by the root CA. Their CA can issue SSL certificates that will be accepted by the rules of trust delegation.

So you see that this isn't applicable to bitcoin.

Okay. But here is from a 2004 article. 2004
https://www.schneier.com/essays/archives/2004/08/cryptanalysis_of_md5.html

"This year, Eli Biham and Rafi Chen, and separately Antoine Joux, announced some pretty impressive cryptographic results against MD5 and SHA. Collisions have been demonstrated in SHA. And there are rumors, unconfirmed at this writing, of results against SHA-1."

"In 1990, Ron Rivest invented the hash function MD4. In 1992, he improved on MD4 and developed another hash function: MD5. In 1993, the National Security Agency published a hash function very similar to MD5, called the Secure Hash Algorithm (SHA). Then in 1995, citing a newly discovered weakness that it refused to elaborate on, the NSA made a change to SHA. The new algorithm was called SHA-1. Today, the most popular hash function is SHA-1, with MD5 still being used in older applications."

Bold added by me.

At this point anyone who does not know what the weakness was is not paying attention.

I don't think anyone knows what the weakness is but that was 1995 and there's been other collision attacks published since with SHA 1. 

what is your point?

2004, but my point has to do with the culture of both cryptography and intelligence.

The "weakness" was that the NSA had not broken it yet".

Most cryptographers are academics. They play the common academic game of justifying their actions. My guess is that a lot of academic cryptographers feel that 'state of the art' should be half a step, not a full step, ahead of 'old'. In other words they have the Marie Antoinetteish posture that "we are doing something good, promoting some higher value others don't see, and so we have certain responsibilities and privileges to enforce". i.e. "We will use cryptography to develop math across borders" etc. i. e. "rather than to do the honest work of providing secure cryptography that can be protected from attacks by anyone, including us".

Specifically I am referring to Snowden type leaks that show deliberate weaknesses built into U.S. cryptography, as well as research showing such deliberate shoddiness, such as the cryptobang article mentioned earlier. If you are not able to find the article, or a copy, I will provide links.

Coin security may be fun and games for some people but I stand to lose quite a high percentage of the little I have if it turns out that governments are going to enforce their academic values on the altcoin economy.

You're basically saying cryptographers aren't terrible concerned about security.  Doesn't that sound a little silly?

Also, putting backdoors into hash functions isn't like putting backdoors into operating systems or something like that.
I'm not an expert but I don't think its very doable as MD construction has been around a while.
Of more concern to Bitcoin would be how the ECC is implemented.

I was not speculating about whether or not cryptographers were interested in security.

I was pointing out that many high level cryptographers have cooperated with government efforts to deliberately put weaknesses into algorithms.

I offered some links as well but you are disinterested?

The basic question is whether or not the security of any bitcoin, or certain other altcurrencies a person might hold, is dependent on the whim of gangster scum hiding behind inflated college degrees and cushy jobs.

The evidence overwhelmingly says that is the case.

I will refer you again to the cryptobang article, which has disappeared so you have to look for archives, or the Snow den leaks, which I think refer to NSA attempts to force cryptography to use weakened random number generators, flawed libraries etc.

I understand what you're saying but disagree with your conclusions.  Cryptography is a widely studied field.  While somewhat technical to be sure, I don't think it is so esoteric that there's only a tiny group of academics who can understand it.   I myself have read about how these hash functions work and the rounds of calculation that occur using bitwise rotation etc, enough to get a feel of them and the nature of their one way function which would be difficult to create backdoors for.  Because cryptography is widely known and studied, such a grand and international conspiracy as the one you're hypothesizing seems quite implausible.

Most conspiracies foisted on the public are created by influencing of public opinion through misinformation and also there's usually an aware group of conspiracy theorists who have some evidence to back their counter arguments and theories.  If you think hash functions are broken or compromised, find me someone technical who can explain why.  Just saying there's "gangster scum" out there who may be in cahoots with big brother is certainly not evidence.  There's nothing in the links you provided to back up your wild theories.

You have looked at the links on the cryptobang page and do not believe that the NSA is quite heavily meddling in cryptocurrency as well as deliberately fudging the trustworthiness of the cryptography they push?

link?

The original page disappeared. The following might or might no be a faithful copy, I have not checked it.

https://criticl.me/post/what-nsa-created-cryptonote-2292

edit to add
I looked at the page enough to know that it contains much of the same material as the original but is not the exact page that was on cryptobang.

This is talking about "cryptonote" http://en.wikipedia.org/wiki/CryptoNote

It is used in some altcoins.  Interesting (it uses ring signatures for greater anonymity) but irrelevant to the point you're trying to make, IMO.

Did you read any of the links? There are quite a few.

Two of them.

http://web.archive.org/web/20140912134430/https://cdt.org/blog/what-the-heck-is-going-on-with-nist%e2%80%99s-cryptographic-standard-sha-3/

http://web.archive.org/web/20141110221312/http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html



N.S.A. Able to Foil Basic Safeguards of Privacy on Web
By NICOLE PERLROTH, JEFF LARSON and SCOTT SHANE
Published: September 5, 2013

The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
Enlarge This Image
Associated Press

This undated photo released by the United States government shows the National Security Agency campus in Fort Meade, Md.

This article has been reported in partnership among The New York Times, The Guardian and ProPublica based on documents obtained by The Guardian. For The Guardian: James Ball, Julian Borger, Glenn Greenwald. For The New York Times: Nicole Perlroth, Scott Shane. For ProPublica: Jeff Larson.
Multimedia
Document
Secret Documents Reveal N.S.A. Campaign Against Encryption
Graphic
Unlocking Private Communications
National Twitter Logo.
Connect With Us on Twitter

Follow @NYTNational for breaking news and headlines.

Twitter List: Reporters and Editors
Enlarge This Image
Susan Walsh/Associated Press

CITING EFFORTS TO EXPLOIT WEB James R. Clapper Jr., the director of national intelligence.

The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”

An intelligence budget document makes clear that the effort is still going strong. “We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.

In recent months, the documents disclosed by Mr. Snowden have described the N.S.A.’s reach in scooping up vast amounts of communications around the world. The encryption documents now show, in striking detail, how the agency works to ensure that it is actually able to read the information it collects."

The article minus links.

Despite the fact that the website www.cryptobang.com is no longer on the web we have strong intentions for this information to spread further across the internet. Knowledge must be available to everyone. Neither NSA, nor CIA, nor any government must influence the information flow.

We sincerely hope and believe that the information will not just vanish from this website. We would like to extend our invitation to an open dialogue.

http://web.archive.org/web/20141106091836/http://www.cryptobang.com/2014/10/05/what-nsa-created-cryptonote-for/

A few months have gone by since Edward Snowden started telling the world about the National Security Agency’s mass surveillance of global communications. A mass hysteria that ensued in the wake of his revelations had brought a justified wrath by users on such high-tech giants as Facebook and Apple. There is a point of view that cryptocurrency Bitcoin, which has experienced sudden growth in terms of usage and value, is a project run by the US National Security Agency. It’s hard to believe but apparently NSA possesses groundbreaking capabilities in terms of obtaining any kind of information in any point in time. So the idea may not seem as farfetched as it sounds.

Given its alleged use in drug trafficking, money laundering, terrorist financing and other anti-social activities, a number of countries across the world strongly suggest against using or relying on the decentralized money. But where the underlying idea of cryptocurrencies comes from and who’s the true inventor of blockchain based coins? The first efforts at ecash algorithms started as far back as 1998 and not without funding from the US government. Also, Tor (software for enabling online anonymity) is a product of collaboration by NSA and DARPA intended initially for protecting government communications. It was sometime later that NSA begun tapping into traffic to and from the directory servers used by Tor to scoop up the IP addresses of people who visited it. Some experts suggest that Bitcoin was intended to be the same kind of Trojan horse that Tor had turned out to be. The two of them would have made a perfect combination of eavesdropping tools. But since the collapse of Silk Road (online market operated as a Tor hidden service) where Bitcoin has become the preferred payment method for much of the online underground, the ensuing arrests of its users became a clear evidence of blockchain analysis being a perfect tool for identifying Bitcoin wallet holders.

Some renowned cybercrime experts began to suspect the existence of backdoors in Bitcoin as far as 2012. For instance, Dorit Ron and Adi Shamir published their famous paper ‘Quantitative analysis of the full bitcoin transaction graph’ in 2012 causing quite a turmoil in the Bitcoin community. If we look at the charts from https://blockchain.info/ focusing on the time frame within which the paper got published we will see a rapid increase in number of transactions with transaction volume remaining unchanged i.e. the average size of a transaction became smaller. This can only indicate one thing; the users carrying out transactions with substantial amounts of bitcoins for questionable purposes became disillusioned with the currency and moved on to more sophisticated schemes that would allow them to avoid government agencies oversight. Meanwhile tech-savvy community members set about making new anonymous cryptocurrencies like AnonCoin or ZeroCash along with mixing services (sharedcoin and coinjoin).

Obviously NSA was able to grasp the repercussions of losing control over the digital currencies. To tighten grip over illicit financial flows they had to come up with an alternative to discredited Bitcoin. That is when CryptoNote enters the picture.

CryptoNote technology employs an extremely sophisticated cryptology that boggles the minds of everyone but the brightest scientist like Adam Back and Greg Maxwell. The founders of CN prefer to keep their names secret and that constitutes another mystery. Don’t they want recognition for their achievement? Or maybe they simply are not allowed to name themselves. After all, all the top notch cryptographers, to whom CN team could easily be attributed to, are either on the NSA watch list or have graduated from their IA programs.

Perhaps the name of the CN whitepaper author was supposed to tell us something. Nicolas van Saberhagen is a rare name that is hardly ever mentioned anywhere on the Internet. An attentive reader could pick out letters NSA in the name but that as well could be mere wishful thinking.

Having been completely mystified with CryptoNote and its first implementation Bytecoin, me and a few of my fellow researchers looked at the technical aspects of the CN technology and were able to identify a number of puzzling clues.

To begin with, a renowned cryptographer and mathematician Daniel J. Bernstein in his observation of elliptic curve, which is the core concept of the CN technology, states that signature generation algorithm should use a deterministic random (http://ed25519.cr.yp.to/ ). This method eliminates the dependency on random generation derived from external events. Also external libraries become unnecessary. But for some inexplicable reason, CryptoNote employs the same elliptic curve and matches it with nondeterministic random through the random_scalar function. random_scalar is used for signature generation within the code whereby the random function becomes linked with external libraries which in turn leads to possible vulnerabilities.

(http://ed25519.cr.yp.to/) Bernstein writes: “Foolproof session keys. Signatures are generated deterministically; key generation consumes new randomness but new signatures do not. This is not only a speed feature but also a security feature, directly relevant to the recent collapse of the Sony PlayStation 3 security system.” — The abovementioned clearly states the necessity of deterministic random; however CryptoNote opted in a potentially unsound scheme.

It’s been reported that one of the most frequently used randomization libraries Dual_EC_DRBG was implanted with a backdoor. This particular insight was provided by Edward Snowden. But whether there are more libraries with NSA implanted vulnerabilities remains unknown.

It is likely that CN developers deliberately neglected the Bernstein’s rationale in order to make the backdoor possible. By inferring malice aforethought on the CN developer’s part we may as well call them crooks. The vulnerability is exploited by allowing to whoever has the knowledge to recover users’ private keys thereby de-anonymizing them through ring signature and key image compromisation. Since the core user base of anonymous cryptocurrencies is likely to be individuals or entities aiming to hide, launder or transfer illicit funds, the abovementioned vulnerability may provide NSA with a tool to uncover their identities. According to some indisputable evidence, at least one CryptoNote based currency had been in circulation on deeb web before certain events made it go public. CryptoNote reappeared on Clearnet some time before Snowden’s shocking revelations got published in The Guardian newspaper. Exactly what use CryptoNote had been put to on deep web is not that hard to guess. Since NSA is able to tap into its network, the illicit transactions made with CN based currencies yielded all the necessary information on the parties involved.

According to Snowden’s disclosures, NSA has been purposely implanting backdoors in cryptographic protocols in order to gain access to users’ private data: link

We have also found one confounding detail about Keccak.

NIST (National Institute of Standards and Technology) has selected Keccak as the winner of the SHA-3 hash function competition: link

NIST is a long-standing partner of NSA and the chances are that Keccak has intentionally been made defective. Experts suggest that Keccak based systems are susceptible to NSA attacks: link

CryptoNote has adopted a significant part of its cryptography from Keccak. Moreover, every single candidate in SHA-3 hash function competition who made it to the final round (link) had been used as building blocks of CryptoNote hash function. What made us wonder is that Keccak was the last on that list. Now if you look at this chronologically, CryptoNote was officially announced in july 2012 and the competition winner became known in october of the same year which makes us assume that CN (or whoever controls it) somehow knew the results before they were even announced. And that may be seen as clear indication of NSA involvement in CN project.

The NSA goal, from a February 2012 document, as confirmed by Snowden, released on November 22, 2013, is to extract all data on “anyone, anytime, anywhere” by influencing (corrupting) the “global encryption market. – link

1996 NSA report surfaced, ‘predicting’ a crypto-cyber unit eerily close to Bitcoin (link) However, upon closer inspection it turns out that the crypto-cyber unit described by NSA is more akin to CryptoNote than Bitcoin. Section 2.3 (3 Untraceable Electronic Payments) outlines the necessity of using blind signatures in order to achieve anonymity. But this feature wasn’t implemented in Bitcoin. The CryptoNote technology, on the other hand, presupposes the use of ring signatures which are analogue of blind signatures in p2p currencies.

Besides, initially itcoin was supposed to maintain the egalitarian principle where 1 CPU = 1 Vote. As the user base grew it became obvious that Bitcoin could be mined with GPUs and ASICs that are capable of substantially higher hash power. Subsequent wide-scale proliferation of ASICs rendered NSA incapable of controlling the vast network of Bitcoin. CryptoNote, as opposed to Bitcoin, doesn’t give an edge to GPU mining therefore NSA can be in control of the network at any time. Moreover, NSA is capable of crashing any CN coin’s network at almost negligible cost.

We spent quite some time recovering all these pieces of data. Having weaved together enough technical proofs arguing in favor of NSA theory of CN origination we leave it up to you to make sense out of it. Meanwhile lets turn to more trivial things. For starters, there are scores of CN based coins but what purpose do they serve since there is hardly any service that accommodates them apart from exchanges? It’s very likely that these coins are being used on deep web chiefly for purchases of illegal articles. Another option would be money laundering and sponsoring of illicit activities. Bytecoin in that respect is the most likely candidate. It is by far the oldest CN based coin with proven track record of deep web exposure. Since CN coins are easily converted in fiat they can be put to any use imaginable, starting with financing the US-supported insurgency groups scattered across the world or even legalizing profits from international drug trade. One way or another, deep web is routinely monitored by NSA and it has been proved by multiple backdoors in Tor.

Whatever the case with CryptoNote, the Heartbleed bug that caused the disruption in the Tor network for several days along with loss of users private keys should not be forgotten. The possible involvement of NSA in creation of CN and collaboration with its developers leaves the door open for all sorts of security vulnerabilities. So if you are a CN user, be vigilant and keep track of your transactions, however secured and anonymous they are, because you never know who might be watching.

I wonder if YOU are reading it, or comprehend what you are reading.
 
The link you posted says:
"there hasn’t been any result that calls into question the soundness of SHA-2 at all."

Stuff like:  "hacked into target computers to snare messages before they were encrypted"
or "build entry points into their products." have nothing to do with the hash function.

No doubt the NSA are bunch of vipers that should not be trusted on any level,
but I don't think they have a preimage attack on SHA-256.

Saying that they might is just baseless speculation, and none of the articles
are suggesting that.

Lots of mental masturbation posted, but no proof of a single collision with SHA-256 has been posted yet.

From the nytimes article above

"The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards..."

"And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world."

"“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart... When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”

And that is really the milder stuff.

Any person can follow the links and research a bit and most people will come to the conclusion that the NSA is deliberately giving a defective product to the public so they can derive short term benefits.

I'm not going to spend a lot of time arguing this. My interest is in not losing the little that I have because of some overly ambitious jackass bureaucrats who have zero integrity. Why some people online seems to work so hard to cover the misconduct of crooked nsa vermin, anyone can speculate.

If someone wants to research the subject further here are the first few links that come up on a search. I have not read any of them yet.

http://arstechnica.com/security/2014/01/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/

https://bitcointalk.org/index.php?topic=291217.0

http://searchsecurity.techtarget.com/video/NSA-encryption-backdoor-How-likely-is-it

http://www.wired.com/2013/09/nsa-backdoor/

Now it is easy to predict that someone will again try to divert the discussion or distract attention from evidence that the NSA has subverted sha2

The coins can not be deleted in the normal way. You just need to lose or destroy the private key. I am not sure if this has not happened already. It is very strange that a such huge amount of value has not been moved and exchanges in any way so far.

Yes, any person can follow the links but I honestly haven't seen anyone come to that conclusion specifically about SHA-256 or SHA-2.

I think this quote sums it up:



Anyway, you seem to have made up your own mind about the matter, so I guess that's the end of the discussion.  ;D cheers.

Cheers.

http://arstechnica.com/security/2014/01/how-the-nsa-may-have-put-a-backdoor-in-rsas-cryptography-a-technical-primer/

https://bitcointalk.org/index.php?topic=291217.0

http://searchsecurity.techtarget.com/video/NSA-encryption-backdoor-How-likely-is-it

http://www.wired.com/2013/09/nsa-backdoor/

...

A pre Snowden thread on the topic

https://bitcointalk.org/index.php?topic=120473.0

A quote from http://web.archive.org/web/20140912134430/https://cdt.org/blog/what-the-heck-is-going-on-with-nist%e2%80%99s-cryptographic-standard-sha-3/

"In 2005, researchers developed an attack that called into question the security guarantees of an earlier secure hash algorithm, SHA-1. The characteristics of this 2005 attack seemed to hint that it could be refined to attack many of the secure hash functions at the time, including SHA-0, MD4, MD5 and even SHA-2. At the time, for many cryptographers, the message was clear: a new hash algorithm is needed and it should be based on completely different underlying mathematics that are not susceptible to the attacks threatening known hash functions."

I'm not saying anything is wrong with sha.

Just saying something doesn't look kosher.

Plenty of time for developers to move to SHA512 or whatever hash they wish, whenever they deem it's necessary. Bitcoin is not carved in stone

I am not trying to be rude, but doesn't the above quoted paragraph indicate that there might have been an indication of some developing problem in 2005.

Some posts on another thread from 2011:



No disrespect to mr Andreson but his comment seems to recall that reply:


Amazing that the amount $10 million was chosen.

http://www.infosecurity-magazine.com/news/rsa-received-10-million-from-the-nsa-to-make/

It may well not ”look kosher“ but that's primarily because your own reasoning is being spared the standard of rigour that you insist should be applied to cryptography.

The unanimous rejection of your argument by those from whom you sought an opinion in the first place should be a cue for you to re-examine your underlying assumptions. It's likely that your conclusions are flawed because an incorrect assumption is resulting in false premises, an instance of GIGO. OTOH, you may be experiencing a cognitive illusion (http://www.yale.edu/cogdevlab/aarticles/IOED%20proofs.pdf%201.pdf) (PDF, sry) which I've observed to be particularly prevalent in cryptography.


Cheers

Graham

SHA-1 and SHA-2 have zilch in common, moron. They are totally different algorithms.

Who knows where to take blockchain.info Second Wallet Password?

As you have established earlier, SHA-2 is based on SHA-1 which is based on SHA-0 which is based on MD5 which has some known weaknesses. SHA-1, SHA-0, and MD5 all have known collision attacks, but reasearchers have not been able to get any of the attacks used in these algorithms to work on SHA-2. There has obviously been an evolution of the algorithms from MD5, as the attacks for each broken algorithm is different from the previous.

All cryptographic algorithms and such will at some point be broken, however, Bitcoin's developers can have the time to shift Bitcoin to another algorithm which will be more secure than SHA-256 once SHA-2 is broken. As stated earlier, algorithms are not broken overnight, and there is plenty of warning between the time that a paper is released announcing a successful attack and a working exploit which can damage things.

As for the NSA or other government agencies for having known exploits or vulnerabilities in SHA-2. These agencies, by having these exploits, would severly undermine entire industries as many many companies, organizations, other governments, and industries rely on SHA-2 for their security. Furthermore, SHA-2 is one of the most popular hashing algorithms, and has been studied by almost every cryptographer since its release in 2001. It has been more than a decade since its release, and no one has found a working attack against SHA-2.

Even if the NSA has broken SHA-2, why would they go after Bitcoin? Once people realize that SHA-2 is broken, Bitcoin would become unused, have no value, or be shifted to a new algorithm which would take the NSA more time to break. It would be a waste of time and money for them to break Bitcoin and for almost no gain whatsoever.

Now onto the technical aspect. As we know, SHA-1, SHA-0, and MD5 all have collision attacks but not preimage attacks. The collision attacks allows someone to find the same hash for different inputs. The current attacks on these three algorithms involve knowing the hash output for the attack to work. Now, if these could be applied to SHA-256, it still would be pointless. In order for this attack to be able to steal Bitcoin, the owner of the sign the transaction first in order for the hash to become available. The signature comprises of essentially the entire transaction, all of the inputs and the outputs, and the private key, in order for the transaction to verified and used in further transactions. In order to use a collision attack, you would need to have the owner of the transaction create and sign the transaction in order to get the hash. Thus, the attack would not work because the Bitcoins would already be spent and an attacker could not use a collision attack without first knowing the hash that would spend such bitcoins. A collision attack on SHA-256 would then not work to break Bitcoin or allow someone to steal Bitcoins.

As for a preimage attack, if one were to be found, Bitcoin would be screwed. However, its none of its predecessors have working preimage attacks. If one were to be found, an attacker could get the private key and use that to steal Bitcoins. It would then be possible to reverse a signature and find the private key from the input, take the key, import it and steal all of the Bitcoins associated with said key. This kind of theoretical attack would work to break Bitcoin, but a preimage attack has yet to be found in all of the aforementioned hash algorithms.

The preimage attack would also allow someone to mine Bitcoin much faster than the current miners do, and give said miner a massive advantage. At this point though, the developers could switch Bitcoin to another algorithm to make it secure.

Thus, your concern, though valid, is not yet applicable. At some point, SHA-256 will be broken, but it has not been broken yet. If a collision attack were found, it could not undermine Bitcoin. If a preimage attack were found, it could screw over Bitcoin. But, neither attack has been found and none of the previous attacks on older hash algorithms have been applied successfully to SHA-256

Both are derived from sha  http://en.m.wikipedia.org/wiki/Comparison_of_cryptographic_hash_functions and as has been mentioned previously, experts have said that some of the hacks used against md5 may be applicable to sha.


Kind of a polite ad hominem but you did not address a single one of the points raised by others in the previous post.

Here it is again

Historically, the NSA has published, promoted and standardized their own broken cryptography, most notably Dual_EC_DRBG, a random number generator. Since Dual_EC_DRBG is a broken RNG, any algorithm using it for random numbers is thus broken, which happened to on of RSA Security's products. The NSA had paid RSA a lot of money to use the broken Dual_EC_DRBG in their flagship encryption products so that the NSA could decrypt the information. However, Dual_EC_DRBG's flaws were discovered very quickly, and attacks were developed in a short amount of time. The cryptography community discovered the flaw within a year of its publishing.

Now, if the NSA did backdoor SHA-256, they must have done it extraordinarily well since no working flaws and attacks have been found against SHA-2 in the past 14 years. Furthermore, they must have hidden the backdooring from the docs that Snowden took since those docs also revealed and proved that the NSA did backdoor Dual_EC_DRBG and did pay RSA to use that RNG in one of their products. Since no flaw has been found nor any docs revealed backdooring so far, it is highly unlikely, though not impossible, that the NSA backdoored SHA-2.

To aid your research, I suggest that your first read through these:
https://en.wikipedia.org/wiki/SHA-2#Cryptanalysis_and_validation
https://en.wikipedia.org/wiki/Collision_attack
https://en.wikipedia.org/wiki/Preimage_attack
https://bitcoin.org/en/developer-guide#transactions

you're chasing ghosts with this SHA-256 thing.
You seem to keep ignoring the fact that
even MD-5 doesn't have pre-image attacks.

Instead, if you want to look for weakness in
Bitcoin, you should look into the ECDSA, as that is far
more likely to be exploitable.

I also strongly recommend:

http://ehash.iaik.tugraz.at/wiki/The_Hash_Function_Zoo

and, less relatedly

http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo

Cheers

Graham

No offense but you don't seem to be a very good listener.  I'm telling you that a better place to search for vulnerabilities would be the elliptic curves used in Bitcoin.  I believe those were used and/or created by agencies of the USA as well.

It is a known fact that ECDSA has been exploited because the people that implemented it did a poor job. Blockchain.info has BTC stolen because of broken values used for one of the value in calculating the signature. Rather, the part that truly affects Bitcoin is the random number generator that each implementation uses. ECDSA relies on diffidently random integers, and when the RNG is predictable, the cryptography can be broken. no-ice-please was actually right in asking about SHA-256 because the implementation of ECDSA used in the Bitcoin protocol used the standardized SHA-256 algorithm. The only other thing to focus on would be the RNG used, but that differs from OS to OS and wallet to wallet.

Any hash function could be used (i assume) but the exploit would not be because the hash function is reversible.  As far as conspiracy theories go, my understanding is that there are different curves and Satoshi chose a more obscure one with more transparent parameters.

Thanks, actually I did learn a little searching that.

I don't know enough about this to even begin to search for vulnerabilities though. What I am able to look for though, and what anybody should be able to notice, is the following,

1) Someone using the pseudonym Satoshi Nakamoto developed a digital currency that used one of only three algorithm's approved by NIST http://csrc.nist.gov/groups/ST/toolkit/digital_signatures.html from the only group of hashes approved by them http://csrc.nist.gov/groups/ST/toolkit/secure_hashing.html . In other words that person steered bitcoin into American waters.

2) Before Snowden there were numerous questions raised, see previous links. Post Snowden it becomes almost bizarre that bitcoin, all things considered, would stand by the NSA.

3) The arguments defending that decision generally could be described more accurately as "excuses" rather than explanations. In other words even if I don't understand the arguments I can see that something is not quite right.


1) There are a few too many examples of poor implementation. Is it really likely that Blockchain.info, Sony and others were unable to properly use the algorithm? Sorry to be conspiracyish but considering the revisionism of md5 and so on, it's only another reason to be cautious.

2) Random number generators come up too often as a flaw. Someone should make a thermometer that measures temp to 50 decimal places and you can use the last 20 digits as random numbers.

3) I asked about sha2 because there is a heavy layer of bullshit surrounding its defense. It seems to only get thicker.


"Satoshi" chose NSA all the way https://www.nsa.gov/ia/programs/suiteb_cryptography/index.shtml

With all of the people involved in Bitcoin, it seems like there must be some who feel that caution with NSA products is prudent and who also have the ability to create an algorithm suitable for it.

Obviously each person has their own motives.

Some people will support specifically using an NSA algorithm, I think Satoshi falls in that category. No offense, just a fact.

Some people will say that cryptography should be only a small step ahead of cutting edge, in order to motivate people to learn math. Someone did use that argument. The problem there is that it is just a cheap rationale for academics to submit, surrender, under the guise of some hidden superior motive. e.g. "We are promoting some greater good secretly that justifies helping the NSA with its sneakiness".

Call it conspiracy or anything else, the facts remain.

It could be a conspiracy, or it could be coincidence. Given these facts, you can decide whether to use Bitcoin or not. If you are afraid of the NSA doing something,  don't use Bitcoin. You should also check out this thread: https://bitcointalk.org/index.php?topic=288545.0

Personally, I feel that there is little risk of the NSA doing anything with my Bitcoins. I think that they have little gain for tampering with Bitcoin, and so, I will continue to use Bitcoin.

Math is math.  Public key cryptography relies on the difficulty of solving certain math problems such as factoring, discrete logarithms, etc.  Some of your points don't really make sense to me because you're in effect saying that all mathematicians in the world could be conspiring together to deceive the rest of the world. 

That in essence is only possible if math could not be described as a logical set of steps of deduction, itself a false premise. If mathematicians did submit to an external influence to backdoor an algorithm, it would be visible upon inspection of the logic and algorithm definition (if the algorithm is properly published and defined). Of course, there are concerns with some algorithm parameters such as ECC curve definitions, but there aren't really any fatal flaws in secp256k1 (or even major unexplained decisions).

Well, it is true that "we dont know what we don't know".  If there was a method to solve an equation with less steps than previously known, you can't know about it simply by following the math of published methods.
Still, the OP is basically a certain group of intellectuals is keeping information from the rest of the world, which is implausible in this case.

Although I personally am not familiar with them, there are branches of theoretical math that allow one to prove that a certain problem admits no solution, or no "easier" solution than brute force.

I never said a certain group of intellectuals is doing anything like that. I said that in the past the NSA has promoted broken codes to the public so it could decypher encrypted coms. The question in my opinion is whether NSA algorithms are trustworthy. The issue regarding keeping cryptography 'possibly breakable' is an argument someone else made. I do not agree with people who act on that motive but it is a separate issue.

Regarding a proof that a problem has no easier solution than brute force, any randomness can eventually be figured out, we don't know what we don't know, as someone just said.

No proof of that statement.

The evidence suggests otherwise.  Certain codes are unbroken after thousands of years.

http://www.viralnova.com/unbreakable-codes/

Awesome link, will have to go through that list.

But the most difficult code ever broken in history was broken in a tiny fraction of the time available to break it.