Bitcoin Forum

Or what would happen if improved cryptography comes along, how would the protocol deal with this? Would a layer on top of the current protocol be enough to patch it up or will Bitcoin die?

It could very well already be broken.

It would allow the organization that has the backdoor to potentially double spend, reverse transactions, issue coins and so on, depending on how wide the backdoor is.

If people would catch on to it then Bitcoin will be hardforked and everything will resume as if nothing happened.

Thanks for the reply, so what does hard fork entail? Would it be able to resolve the initial problem though?

The network will take up all of the damage that happened up until the moment of the hardfork, after that moment everything will be back to normal unless the new algo will have a backdoor as well.

Thanks

That's a very optimistic scenario. You forgot the part where everyone panics and sells because they don't want their life's savings stolen.

We could roll back to a point in the blockchain where the party didn't begin to exploit it thus no damage would be done.

Of course being an intellectual myself my projections are based on the assumption that the vast majority of Bitcoin users are capable of independent thought and have some minimal intelligence which is a rather wild assumption, otherwise it is impossible to say what will really happen. You can never overestimate the stupidity of the masses.

Of course everyone could panic sell and the bullshit would hit the fan and spray all our white walls with shit, would be an ideal time to buy though.

That's quite a tall order.

What would happen if the force of gravity suddenly reversed?  How would we deal with this?  Would modifications to our current way of living be enough to save us, or will we all die?

Yes, I realize that my hyperbole is a bit excessive, but it points out some of the issues in what you are asking.

First you are taking something that is extremely unlikely to happen (a sudden and secret complete break of multiple dissimilar cryptographic functions) and asking "what if it happens?"

Next, you are essentially asking if we can "patch up" something that relies entirely on trust in the cryptography in order to have any value.  While "patching it up" may be technically possible, isn't likely to restore the trust necessary for it to continue to be useful.  If you take away one of the very things that are necessary for existence, then modifications aren't likely to be enough to restore useful existence.

Note that when cryptography is "broken" it generally starts out by being weakened.  Then after months or years it is weakened more. And so on until it is no longer trusted at all.  Since bitcoin uses multiple layers of cryptographic functions, there should be time to adopt replacements for any layer that begins to be weakened, while maintaining the security of everyone's funds in the interim.

To steal any of my bitcoins through broken cryptography, you'd first have to completely reverse the RIPEMD-160 hash function to determine what SHA-256 result was used as its input.  Then you'd have to completely reverse the SHA-256 function to determine what public key was used as its input.  Then you'd have to solve the discrete logarithm problem for ECDSA with the Secp256k1 curve to find the private key.  Even if one of those 3 functions were weakened so much that you could calculate its input in a matter of years (or days, or hours), I'd be protected by the remaining 2 functions.  Once it's discovered that one of those functions has such a weakness, the code would be updated to replace it with a secure (as far as cryptography can determine at that time) replacement.

So, "the cryptography of Bitcoin gets cracked" isn't really a likely scenario.  Far more likely is the slow replacement of various cryptographic functions within Bitcoin over the course of multiple decades.

Agree with your post Danny, but as academic discussion, are you sure this (quoted) is a precise way
to describe the cryptography?

My understanding was that the ECDSA is the critical piece here, not the SHA-256 hash.  
For instance, if the k value is known (which would be a faulty implementation of ECDSA), then that is
all that's necessary to break the elliptic curve cryptography... (the SHA-256
doesn't matter, and you certainly don't have to reverse it).  
Also, the first step in the DSA is:  e=Hash(m), and I thought m is publicly known.

I could definitely be wrong though... thoughts?

It depends on whether someone has spent from that address once already or not, if he didn't then SHA-256 and RIPEMD-160 need to be broken as well.

I thought the address was the RIPEMD-160 hash of the Pubkey.

Can you explain why we would need to break SHA-256 if the ECDSA is broken?

Which is why I said "To steal any of my bitcoins".  I use a new address for every transaction.  As such, none of my bitcoins are associated with any addresses that have had their public key revealed.

Also, the k value will only be known in a faulty implementation of ECDSA.  The discussion at hand is about a proper implementation of ECDSA where someone has found a shortcut to solve the discrete logarithm problem in years (or days, or hours).  Certainly if someone (intentionally or accidentally) reveals private information, then bitcoins can be stolen.

The m value is only publicly known when the transaction is sent.  At that point, the attacker needs to be able to calculate the private key before a miner (or mining pool) manages to confirm the transaction, and then they need to find a miner (or mining pool) that is willing to accept their replacement transaction in place of mine. This is why I limited the weakness to "hours".  The function would need to be replaced before the weaknesses are advanced to the point where the calculation could be done in minutes.

The address is the RIPEMD-160 of the SHA-256 of the PubKey.

See here:
https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses

thanks for explaining.... i almost understand....  so, what is the m value actually?

I'm not a cryptography expert.  Most of what I've said in this discussion is just parroted from things I've previously heard said by individuals whose knowledge of cryptography I respect.  This topic has come up enough times, and I've read the responses enough times, that I can point out the things that others have pointed out in the past.  As such, there may be some holes in what I've said, but I'm pretty confident that I've got most of it right.

That being said, as far as I know the m value is the transaction that is being signed.  There should be a separate signature for each input in the transaction.  The transaction will include the public key, which means that once the input is signed the address where it was previously "received" is no longer protected by SHA-256 or RIPEMD-160.  Even if the public key wasn't included, it could be calculated from the signature.

we can fork a new version of bitcoin blockchain with the new encryption
but a lot of dedicated hardware will become doorstops

Thanks Danny. :-). Me too, I really enjoy learning from others and passing on what I've learned.

I think you are right.  Even if there was a bad implementation of ECDSA, you wouldn't know the inputs if the address was unused.  

It should probably be noted that if SHA-256 was broken, it could possibly allow someone to cheat at proof of work mining.  But that scenario is quite unlikely.

It is very unlikely that it will be "cracked" as there are so many possibilities of what a private key can be.

Even in the event of a "crack" in the cryptography were to be discovered it could be fixed via a hard fork. Any "crack" would also likely to be very expensive to exploit.

It would have to be VERY VERY broken.

MD5 is currently considered broken and unsafe to use for many purposes. However, it would almost certainly still work just fine for proof of work.  If some weaknesses are discovered in SHA-256, the result would be a sudden increase in difficulty as miners all took advantage of the weakness to increase their profitability.  Meanwhile, steps would be taken to replace the proof-of-work before it became a real problem.

My knowledge is rather limited about this kind of stuff but in theory the fixes after such an attempt would strengthen bit coin by pointing out potential weaknesses for the developers to address.

All the "dedicated hardware" is only used for part of the Bitcoin system, mining. There are other locations where cryptographic functions are used that could, in theory, be broken, such as the generation of a public address from a private key (which is supposed to be infeasible to reverse). Cryptographic functions in these parts can be replaced without making the whole stack of SHA256 mining ASICs obsolete.

As DannyHamilton pointed out earler in this thread, the md5 function is considered to be broken. In fact, the first signs of weakness in the function were known as early as 1993. And still, 20 years later, the function is not yet sufficiently broken to make it unsuitable as an alternative for SHA256 in the mining process. So with that timeline in mind, it is very likely that if a flaw in SHA256 is discovered at some point, there is plenty of time to gracefully retire SHA256 and its dedicated mining ASICs instead of a sudden "guys, tomorrow we're going scrypt!"

If Bitcoin's cryptography got cracked, we would have a lot more to worry about than just the security of Bitcoin, that's for sure!

I totaly do not agree. If something like breaking BTC's crypto happened, trust in BTC would be crushed and BTC would receive death blow from which it would not recover. Not because it's unsafe now (software change would fix it) but there would be no trust. No trust, no users. No users, no value.

If someone steals a lot of Bitcoin, before it gets fixed than yes. If the more likely Event occurs, that someone theorize about a method to "break" it and than a hard fork is made, before anything actually happens, than no, that would not be the death blow to BTC, the price might drop for a short period a lot of people would be happy about buying BTC at that low prices and some months later, a lot of people would be very angry about them self, when BTC returns to business as usual.

Oh and this is so true...SHA256 is used for so much more than Bitcoin. If you put it to perspective, there are MUCH more valuable targets for that than Bitcoin. If it ever happens, Bitcoin will je just secondary target....just because "they can".

An attacker could attack Bitcoin for "testing purposes" or to try to stay under the radar that they have cracked such of a strong encryption code.

Jonald, if you want to get right down to the guts of bitcoin transactions, this is an excellent article here (http://www.righto.com/2014/02/bitcoins-hard-way-using-raw-bitcoin.html).  Ken Shirriff manually assembles a raw bitcoin transaction and then signs it, and he explains what's going on right at the byte level.  

Cool I'll check it out.  Thanks Peter for thinking of me.

Although to be honest I'm getting a bit bored with Bitcoin technicals lately.
My next intellectual pursuit is artificial intelligence.

basically it's impossible for BTC to get cracked

It is not impossible. Weaknesses may be found.

Nothing is impossible but it is highly improbable.

Good question!!!!

I was thinking exactly the same months ago. Some of you involved in IT may know that the last "solid" cryptographic algo was MD5. However, years after its usages flaws were found in it. Then SHA crypto algos appeared and now they are solid. However, I am 99% sure after 20 years a flaw into them will be found as well. IT world is constantly developing race between hackers and security programmers.

Think about the heartbleed bug as well. Something like this can always happen. While a currency relies 100% on IT security it is not safe - FACT.

Too true.

Genius has its limits, but stupidity is infinite.

Hackers ARE security programmers. You're just not a fan of their programming.  ;)

If Bitcoin is going to be adopted by the masses then there will need to be more apps that are idiot proof

Nobody is going to be cracking SHA256 anytime soon. It's not even worth considering, honestly.

Fixed that for you.

Bitcoin is an open protocol, everything can be changed, patched , and so on.
Ultimatively, if sha256 gets to the point where its useless, bitcoin would have to switch algo, making all asics useless.

Would be a fun thing to see, also becose the price would have a major dip, where u could buy, knowing there will be just as powerfull rebound.

Open source means that individual users can make changes to what the do, but for the protocall to be chanced 1/2 of the miners would need to accept the change.

that is just it ...it never does get cracked!  ;D

Not exactly.

It's not just up to the miners, it's up to merchants too. 100% of miners could go with a hard fork change that could be incompatible with what merchants call bitcoin.

Or, say, 20% of miners and merchants fork to a change and start using that ...would simply be another version of bitcoin but if incompatible, would cause a lot of confusion if both were called bitcoin.  

If merchants were to try to change the protocol then no TX would get confirmed if the miners did not agree

Correct.  Everyone has to agree. Not just 50% of miners.

 I always answer for these question saying "bitcoin uses the same crypto standards as "real" banks. We are all in for a serious amount of butthurt if that happens"

More secure sometimes. because you're not required to set a 160 bit pwd on your online banking.

Glad to see some newbies posting this.
Most of people here are concerned only with bitcoin they don't care about anything else.

They wish for another crisis just to see their btc back to 1000/coin forgetting that some of their relatives might lose their job in such a scenario.

Same with the cryptography , btc value going to 0 will be the last thing people will think when this gets cracked. Forget the 7 billions going to 2 cents , think about the trillions banks keep "safe" and that will not be safe anymore.

Its mostly an academic discussion of what ifs, and it's different security systems.

Are sure about that? How sure? :)
Care to  explain in detail what is so damn different that we can rest assured nothing will happen to both same times?

Also , I would enjoy an academic discussion of "ifs" :).

I'm no expert on bank security but obviously it doesn't use public key cryptography as a basis.  Even if passwords are stored as hashes (and they almost certainly are), the public cannot access them as with bitcoin.
And you can do a password reset.  If you cannot reset your password based on 2FA, the bank can help you out.  So, essentially they are based on hierarchical levels of trusted control...bank employees, tech admins, managers, clearing houses, etc.  Bitcoin is trustless at the base level and no way to recover a lost private key.

Bitcoin operates on private/public key pairs. The public part of that keypair is what creates the addresses to which payments are sent. The corresponding private key then allows you to spend BTC that were held by an address. The concern is that someone will be able to generate their own private key that will yield the same public key (or address) and therefore steal those coins.

For example, if I look at the blockchain and find an address that has 1M BTC, I could start trying to generate a keypair for which the public key matches exactly. Currently, this would take way too long (like age of the universe long) but if some weakness or set of weaknesses are found in the functions Bitcoin uses, and if 1M BTC was worth more than $6-7M USD, it might make sense to crack it.

This is all a long way off so I wouldn't worry about it. As soon as such weaknesses were found, Bitcoin could be upgraded to use even stronger crypto/hashing functions.

Bank security, ultimately, comes down to one simple thing.  Money isn't real.

What a bank protects is not money, but a list of debts owed (deposit accounts, etc) and debts owned (loans, etc).  And literally nothing in banking is ever final.  If someone tampers with the debt lists, they can just untamper them during the next audit.

Wouldn't bitcoin be the least of peoples worries of the cryptography was broken?

Doesn't like everything important and sensitive use the same cryptography.


If something better comes along, yes bitcoin can be updated

Didn't people just ask that a few replies ago?

It's like no one even reads the threads before posting
what's been said 3 times already.

The difference between Bitcoin and bank security is that with bank security if you try your password "x" number of times (x is a very small number, likely less then 10) then your account will get locked and you will need to prove your identity in ways that cannnot be broken via crypto, while you can try a bitcoin "password" an unlimed number of times (by password you could mean a private key, a password to a wallet, a brain wallet or similar).

If you were to get the hash of a password to a bank account then you could hack the hash to get the actual password, but if it is detected that the hash of passwords were stolen then the above security measure would be implemented (making customers prove their identity in a no crypto method)

Can the devs not just switch from SHA-256 to the next secure protocol?  It would make miners obsolete, is that the problem?

I am not so sure about it, but I think, in that case we would Need a new blockchain and yes as far as I know most ASIC-miners would become useless, since they are optimized on calculating SHA-256.
So, it is possible, but as Long as there is no good reason for it, the devs will not do it.

Man bro, you would see many many angry people when that happens, they will be like, "What??? Are you telling me my miners don't work now???"

If sha256 gets magically cracked overnight, which is highly unlikely, we're probably going to be engaged in world war 3 along with it.

sha256 remains the underlying encryption method for a wide variety of financial and military applications used by almost ever nation in the world. This much is certain; and depending on who you believe, sha256 is employed in numerous weapons applications of the "immediate strike" capability realm by US warships.

If it was compromised overnight, we'd have ww3 upon us.


but the more likely scenario is that sha256 will be slowly eroded over time where core developers for all of these applications will have time to upgrade encryption and cryptographic applications that it will never be an issue.

In a sudden catastrophic break, that is exactly what would happen.

Of course, such a break is widely regarded as, ahem, unlikely.  Like "getting arrested for going over the tag limit on your unicorn hunting license" unlikely.

What will happen in reality is that some day, someone will publish a theoretical attack that weakens a wildly reduced form of SHA2.  A few years later, people will start to take notice as someone manages to produce an attack on a moderately (or maybe even just slightly) reduced version.  Around that time, someone will make a pull request that invokes the 75/95 rule*, triggering a new rule that says that starting a few tens of thousands of blocks after the majority is achieved, blocks that satisfy the target using either SHA-256 or some other hash function will be accepted**.  Then, someone on the mailing list will pipe up and suggest a different new algorithm that no one has ever heard of, and no one but djb trusts.

We'll spend the next year or so painting that bike shed good and hard, eventually settling on something newer than SHA2, and using a different fundamental compressor, but still something that has been around for a while, and widely respected.

Probably about a quarter million blocks after that, SHA will be retired.

By now, we are a decade past the first signs of weakness, and the cryptographers are getting close to shaving a bit or two off of the full version of SHA2.  Ten or twenty years after that, and SHA2 will be moderately unsafe against an institutional attacker, in some applications, none of which will ever apply to bitcoin.  At some point, the attacks get good enough that cryptographers are creating collisions on napkins at cocktail parties to impress women (to paraphrase the famous timeline), and yet bitcoin would have remained totally safe because the attacks that break hash functions simply do not generalize to short inputs with rigid constraints.

* Yes, I know that the 75/95 rule is for soft forks, but nothing else seems to fit here.  The devs are a conservative lot, but this hard fork can't be dodged.  Most likely, the "tens of thousands of blocks" that I mention next will really be on the order of 100k.

** The mechanism is very simple.  Try the new algorithm.  If it hits a valid target, accept.  Otherwise, try SHA2.  IF it hits a valid target, accept.  Otherwise, junk it.  Notice that there is no need to change any of the structure or fields of the blocks or header, and no new block version is necessarily needed.

it would be cryptobomb for us

Fantastic explanation, thanks Danny. I was concerned about Bitcoin eventually being "cracked wide open", but you did a great job of explaining how secure it really is.