Bitcoin Forum

Hi everyone,

I want to announce a simple utility to do something that I think is quite interesting: to encrypt and send messages using the Bitcoin network and the blockchain.

I know a lot of people are going to find this very controversial because I'm using the blockchain to do something for which it wasn't originally intended. However, I do believe the blockchain is a neutral store of data and something like this is eventual and also serves to affirm the reliability of the blockchain.  I believe in the blockchain!

That being said, I'm willing to donate 5 BTC to a charity or interesting code bounty or any otherwise charitable clause. See the bounty below for details.

The idea behind Bitmsg is to encode data into Bitcoin public keys such that only the intended recipient(s) can decode and read the message. It works on a very similar idea to MasterCoin, in fact, except we use multiple M-of-N multisig transactions.  In many ways, this strategy can be an effective replacement for Bitmessage (where Bitmessage relies on PoW algorithms, Bitmsg is a sacrifice-based system).  

Bitmsg messages, like all Bitcoin transactions, are produced without PoW, so it could allow for faster conversation than Bitmessage.  In fact, communication is as fast as it takes for a transaction to flood-fill the network.

Unfortunately, the current strategy involves throwing away a Satoshi to each of the encoded addresses, something I'd like to eventually improve upon (I'd rather the Satoshis go to the miners).  If the Bitcoin reference client allowed for relaying zero-satoshi outputs, we could instead send the dust to the miners as a better proof of sacrifice system. It also means that every message that gets published gets stored in the Blockchain forever, perhaps that would be quite bad for anonymity.  

The current implementation supports RC4, AES-128 and AES-256 (all symmetric key) encryption and also supports multiple-recipient RSA (of any key size).  It also supports sending public messages where no encryption key is required.

As for the bounty, I would thoroughly appreciate anyone who can start work on a PyQt4 UI.  To the person that writes that code (and it works, and I accept the pull request) I'll donate 5 BTC to a charity of your choice.  I reserve the right to request a different charity but I doubt I'd have any need to do that.  I'll sign a message using the source Bitcoin address as confirmation and proof.

The github repository is here (https://github.com/sarchar/Bitmsg).  It contains a small list of TODO items.  If anyone has suggestions for a better name, I'm all ears:)

And as a friendly reminder:
USE AT YOUR OWN RISK. THIS IS PREMATURE SOFTWARE. DO NOT USE WITH ADDRESSES THAT CONTAIN MORE THAN YOU'RE WILLING TO LOSE.  

Reserved spot for now.

You'll find you can get longer and cheaper messages by (ab)using CHECKMULTISIG.

Also, see this library: https://github.com/petertodd/python-bitcoinlib/tree/pythonize (specifically my pythonize branch)

This is a pretty cool idea.  Does the reference client limit "standard" multisig transactions to 2-of-3 or can it be much more? Are 19-of-20 txs possible ?

EDIT:

I just checked master branch on bitcoind, and it looks like there are limits on the number of sigs for multisig transactions.  Still, that reduces the amount of outputs by a little bit... I'll try coding it up tomorrow.

Up to 3 pubkeys, but a pubkey can be any data from 33 to 120 bytes long. (what's actually in the data isn't checked at all)

The main advantage of CHECKMULTISIG is that one of the pubkeys can be real, and your own, which lets you still spend that output and recover the bitcoins sent to it.

All right. I pushed a change that will use multisig transactions (1-of-n, where n can be 1, 2 or 3). Right now, the outputs are still unspendable.

Question though: where can I find information on 120-byte long public keys? Browsing through bitcoind source code seems to indicate only 33 and 65 byte keys are acceptable.

Look at the IsStandard() function in script.cpp - a pubkey in the standard transaction testing code is defined there. c49b3c445c89d832289de0fd3b0281efdcce418333dacd028061e8de9f0a6f10 is an example of 2x 120 byte PUSHDATA'S, and one actual 33 byte pubkey. 72590fcf0d8021bad77826c5008eaca3541f81d212d55bb7c02ec6a4bf584404 is another example, with 3x 120 byte pushdatas, although it's not spendable.

Are you aware of the dust limit?

Well, I'll be damned. The relevant code is in script.cpp Solver():


I had thought that the code was checking to make sure the pubkeys are actual ecdsa keys (i.e., of length 33 or 64 and starts with 0x02, 0x03, or 0x04).


Yes and no. I'm aware that it exists, that it's part of what determines relaying and standard transactions, however, it doesn't seem to be preventing any of my transactions from confirming.

Yup, I thought that was a bit of a WTF when I found it too.

FWIW while code may be added in the future to make sure things that are supposed to be pubkeys start with the right bytes, it's unlikely to go further than that; you might want to make your program drop the first byte of any pubkey-like thing that's either 33 or 65 bytes for forward compatibility in the future.

Another trick is to use the low-order-bits of the txout value to signal which PUSHDATA's in the txout script are or are not part of the message being embedded. If you do this, it's best to encrypt those bits as well for the sake of censorship resistance.

Of course, people will bitch at you before long for putting crap in the blockchain, but from a technical point of view there's nothing that can be done to stop that entirely, just make it more expensive. (which as you say is a good thing from a spam point of view)


You sure about that? I thought you said they were single satoshi outputs - that's definitely under the dust limit. You using an up-to-date client?

Oops, typo.  Pushed code that uses the full 120 byte pubkey space for data.

Maybe I'm not motivated enough to do this, as I'm not sure what it gets me other than a bit more obscurity.  If the message itself is already encrypted, I'm not sure how shuffling around the bits with funky magic adds anything to security.


Naturally, and I expect them to.  In some regards, these "bloat" mechanisms for the chain serve only to reinforce the stability of Bitcoin.


Yeah, the tx 5da82ef18664968630fe14440caaa4882d00141fb74e054c941866b985fd008e was indeed one that was confirmed with dust outputs. Perhaps it's still standard because of the one non-dust output?

Means you can add a "full-stealth" mode in the future easily where unless you have the decryption key you won't even be able to know if the message is there at all. (the low-order bits let you easily have txouts that are not related to the message for instance)

Speaking of, I noticed that you aren't using an initialization vector (https://en.wikipedia.org/wiki/Initialization_vector) with your encryption scheme; you really need this. Yes, RC4 doesn't support one natively, but RC4 is awful - use AES instead. (AES128 is fine) A nice trick for this stuff is to take the IV from the first transaction input, specifically H(txid + n), which means you don't need to waste any space on it. You also want to be using something other than electronic codebook (https://en.wikipedia.org/wiki/Block_cipher_modes_of_operation#Electronic_codebook_.28ECB.29) mode.


Well one reason people dislike this stuff is some have this idea that blockchain space will somehow magically have enough supply for all "reasonable" financial transactions to the extent that users won't need to think about fees; applications that make use of blockchain space for any other reason compete with financial transactions and push up the price for them. Sure fee competition is "stable", but it still makes some marginal uses of Bitcoin too expensive.

The question then is how many applications out there need the unique capabilities of data storage, data distribution, timestamping, censorship resistance and proof-of-publication that the blockchain provides, and how much are those users willing to pay? I think efforts like your's are a necessary evil, because we need to understand this stuff before Bitcoin becomes large enough that we can't change it.


Ah, I just realized how you're using blockchain.info to send transactions - they don't care about the dust limit, so your transactions still manage to get to one of the miners that ignores it. Nice trick.

That would be an interesting thing to have.  I think a message could easily be hidden in the pubkeys by actually using 65-bytes pubkey, and nobody would know whether it's a message or actually from a key.  However, using such small outputs makes it look suspicious. The multisig output could be the change output (using 1-of-m multisig) if one of the three keys is actually the one belonging to the sender.


I'll add this to my todo list.  I think you're right and it should be done.  AES128 would be nice too. 


Wouldn't it be in the interest of miners to see the fees go up?  I guess it's also against their interest to have to process and store lots of data..

Thanks! And I agree. I'm glad that the first person responding to this project is approaching it with a very objective viewpoint:)


But that confuses me - I thought the dust change made recently affected relaying mostly.  Regardless of where I push to (I could actually just push to the network manually), nodes on the network should stop relaying a "dust" transaction.  And actually right now, blocks aren't processed for messages.  As long as the tx floodfills the network, the message can be received; as far as functionality goes, it actually doesn't matter if the tx ever gets confirmed.

I just pushed AES-128 support.

Today I've pushed support for RSA public-key encryption of messages, along with AES-256 and some other minor improvements.

Cool!

FWIW BitMessage has decent ECC encryption implemented for its messages; you could easily take that code and apply it to Bitmsg and get smaller messages from it.

What is the purpose of this? It seems useless, and abusive. You're not going to suddenly stop being abusive by donating 5 BTC to charity, sorry.

If you are interested in messaging that obfuscates metadata, you would do much better to contribute to Pond:

https://pond.imperialviolet.org/

It provides forward secure messaging using Tor to frustrate traffic analysis, and a bunch of clever crypto tricks to kill metadata collection as well (even if you can find the servers).

using it right now...should be a early user of bitmsg..

Sarchar: Something I was thinking about yesterday is how messaging and data distribution over the blockchain is offers an interesting form of plausible deniability as well: people contributing bandwidth and storage space to the application can easily say they are simply contributing to Bitcoin itself rather than any particular secondary usage. Long-term data storage is particularly relevant here as the plausible deniability aspect negates the usual argument that authorities will just release blacklists of transactions that node operators will be encouraged to delete - by running a non-deleting node you get to A: continue to keep Bitcoin fully auditable and trustworthy(1) and B: continue to make censored data available to those who want it with the plausible deniability that they were just syncing up their full nodes/syncing their SPV wallets.

1) Make sure any data storage/messaging scheme is designed such that to prove any given message has a data payload you need to provide the entire message; that is if you don't have the entire message the authorities may actually be using the "data blacklist" as a way to freeze peoples legitimate Bitcoin funds, and if you do have the entire message through the "data blacklist" the blacklist itself is serving as the means to distribute the data. I think the scheme I outlined of encryption using the first txin as an IV meets this criteria.

Sarchar: Oh, and one more thing: I outlined a scheme of mine on #bitcoin-wizards for what I call TXO commitments that if implemented makes UTXO bloat mostly a non-issue. Consensus seemed to be that the scheme worked and can be implemented, so don't feel bad about the UTXO bloat your stuff is creating; if anything make sure your code has options to also hide the data in truly undetectable pay-to-(pubkey|scripthash) outputs as well like the wikileaks data script from earlier this year did.

Ah, neat.  I can check out their code some time.  ECC would be nice in that we could then use Bitcoin pub/priv keys as the encryption keys.  I'll keep it on the TODO list.

Personally, I think it's a rather intellectual exercise.  The fact that this can be done is worth exploring, and I don't want to be on the "abusive" side of things, which is why I encourage proper usage of Fees to the miners and am actively looking for ways to not destroy Bitcoin (For example, I'd like to see 0-output txns to be considered standard, so that Bitmsg can push all the sacrificed coins to miners).


You're right - it's up to the Bitcoin protocol and its implementations to prevent abuse.  You have to assume that there will be people out there doing intentionally bad things and the protocol has to adjust to handle these things.  I'm in the market of improving Bitcoin, not abusing it.


While Pond is pretty neat, I don't think it's a viable tool for a proof-of-sacrifice messaging system.  It requires Tor to be secure.

Along with MasterCoin, your blog post on PoS is kind of what inspired this.  It's a toy, a proof-of-concept if you will. 

Well, if messages are encrypted it would be hard for anyone contributing to the network to even know what they were transmitting.  As far as they know, they are only serving to help Bitcoin.  Long-term data storage is something I've thought about - it's really cool you know, you have to *pay* for storage. A 500kB file will cost you 5 BTC. How cool is that?  The space is expensive, and will only get more expensive, so it's unlikely people will bloat the chain with copies of their favorite mp3s.


The problem with using the amount of the first input is knowing what the amount is in the message-receiving end.  Unless you're a full node, you can't connect inputs properly, which sucks if all you want to build is a lightweight message retrieval application.  The current implementation does use the first input's txid as the IV, however.

How does using P2SH help?  P2SH standard scripts only have that hash of the script. There's no good place to store data.

Yeah, long-term data storage on the blockchain will never be a day-to-day backup solution, but there's a whole class of applications where the cost is worth it.

One interesting one I came up with is for "pseudo-HD wallets": you use a master key, like a normal HD wallet, but instead of deriving a series of secondary keys with ECC magic you just encrypt a series of private keys and store them in the blockchain tagged such that SPV clients can easily find them again with bloom filters. It's a nice way to take a "bag-of-keys" wallet and upgrade it to HD wallet form, without having to throw away the original keys, yet a complete backup is still just that master key. No less secure either as compromise of the master key compromises the HD wallet completely anyway.


Nope, I just mean the txid:n pair, also known as an OutPoint. (from the COutPoint class in the reference client) That you don't need a full-weight client for, as you already know.

Anyway, if you're using the txid as an IV I think you've already met my criteria just fine!


As long as P2SH^2 isn't implemented nothing actually checks that the hash is actually a hash; you can stuff whatever data you want in it. Here's an example tx doing just that: https://blockchain.info/tx/5143cf232576ae53e8991ca389334563f14ea7a7c507a3e081fbef2538c84f6e

Yeah, but there are reasons for that. What is your threat model, exactly? If you're worried about governments that engage in fibre taps, then using Tor+hidden services seems like a basic precaution you'd need to take even with a flood-fill protocol like yours. Otherwise they can watch the messages fly around and see who was first to broadcast it (bitcoin itself has the same issue, of course).

Pond has other features that seem important, like forward security.

So I'm not sure why you say it's not viable. It seems like a well thought out solution to a very strong threat model.

Another thought: make Bitmsg pay at least slightly over the 0.0001BTC/KB minimum fee by default so you beat out badly designed wallet software that doesn't let you set fees. You can go a bit further and make the default based on the fee/KB such software would pay for a standard 1 txin, 2 txout transaction, thus beating out most stuff in the fee competition.

Less relevant for Bitmsg really, as the fact that the txs get mined eventually doesn't actually matter too much, but for a small data storage tool this is quite useful, and the marginal cost over the absolute minimum fees isn't much because of how you just need to beat a fixed-in-stone fee.

Sensitive data that should be preserved at all costs?


There's a whole range of applicable programs that could be built on top of a data-neutral messaging layer.  I've wondered about how a peer to peer marketplace for selling of goods and services could be done.  One guy can (semi-)anonymously broadcast an "I've got a TV for sale for 4 BTC. Send me a message, here's my RSA public key."-style message. An application can take care of sorting through and searching available offers, building responses, reputation, etc.  Reputation can be done with more proof-of-sacrifice sends.  All really fascinating scenarios, really.


Ah, right. I could have used the input_n in the hash, but the tx hash should be enough right?


Well, then you don't end up with any more data space than regular pay-to-address.  Are you suggesting that pay-to-address/scripthash is better at disguising messages than a 1-of-M multisig tx?  If you use the 0x04 prefix on the public keys in the multisig transaction, you wouldn't be able to tell if they're real keys or message data.

Fair point - I mentioned security though security isn't a particularly motivating factor.  Encryption is easy these days...

It would be interesting to see what this could actually reveal.  Anyone who's really interested in protecting where the message comes from could connect to tor and broadcast through blockchain.info/pushtx. 

I should read more on forward security, but it seems to me that this is something that could be added on top of any data-neutral transport layer.


I think I'm just seeing a barrier that involves combining three separate pieces of software instead of one, and the task would involve learning Pond when I'm already pretty familiar with the workings of Bitcoin.  I wrote this project in only a couple of hours as a proof-of-concept...

This is probably a wise move going forward: Bitmsg should definitely contribute more to miners.  Thanks for the suggestion.

Yup.

Heck, I uploaded the very first computer program I ever wrote to the blockchain a few months ago.


Yup. You'll probably find that at some point the fees per KB simply become too expensive, but that's just a practical consideration - figure out what parts of the system are best done on the blockchain, and what parts on a secondary system. For instance when someone has committed fraud and you want to destroy their reputation, the guaranteed wide audience of the Bitcoin blockchain may be worth the higher cost.


Re-using IV's is often very bad and leads to plaintext compromise. Having said that, here we're using encryption for censorship resistance and steganography, not privacy, so the odd IV re-use isn't a disaster. Still you should avoid it, and including the input # helps. Come to think of it, including the nSequence of the first txin and the nLockTime of the whole transaction would be a good idea too as it's been proposed (https://github.com/bitcoin/bitcoin/pull/2340) to alway set nLockTime to the current blockheight to discourage fee-sniping, thus really reducing the chances of accidental IV re-use. Point being, doing that in the future may be totally normal, so a transaction that does that won't stick out, and in the meantime including them in the calculation of the IV does no harm.


Again, the point isn't to be efficient, it's to allow the creation of "stealth" data-encoding transactions whose existence can't be proved unless you have the secret key required to decode them.


I've got Tor support in my dust-b-gone (https://github.com/petertodd/dust-b-gone) tool that you might find instructive.

I have a bounty that is simalar to this on https://bitcointalk.org/index.php?topic=236742.new#new that was approved by the coins dev team.

You may find this post on generating valid-looking pubkeys that hide data interesting: https://bitcointalk.org/index.php?topic=265488.msg3377058#msg3377058