Bitcoin Forum

Bitcoin => Bitcoin Discussion => Topic started by: wormbog on September 05, 2013, 09:15:36 PM



Title: Has the NSA already broken bitcoin?
Post by: wormbog on September 05, 2013, 09:15:36 PM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferably after the cartels and terrorists get comfortable and start relying on it.


Title: Re: Has the NSA already broken bitcoin?
Post by: joecascio on September 05, 2013, 09:23:30 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.


Title: Re: Has the NSA already broken bitcoin?
Post by: Taras on September 05, 2013, 09:24:49 PM
I don't believe it... I could never think of any sci-fi-ass machine capable of cracking SHA256. Of course with Snowden's verification, how could it be false? I'm horrified. Are our savings subject to overnight destruction?

2014 edit - No, they aren't. Go home.


Title: Re: Has the NSA already broken bitcoin?
Post by: davidpbrown on September 05, 2013, 09:25:35 PM
meh.. Snowden himself suggested encryption used properly does work. That article is alluding to obvious hacking and the illusion of security.. https and pwning of Skype; M$; VPNs and third parties etc - requiring providers to allow a backdoor to information they hold.


Title: Re: Has the NSA already broken bitcoin?
Post by: qxzn on September 05, 2013, 09:26:14 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

can anyone think of a lower risk way to test...?


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 05, 2013, 09:27:22 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

SHA is not an encryption protocol.  You can't encrypt messages with SHA.


Title: Re: Has the NSA already broken bitcoin?
Post by: dree12 on September 05, 2013, 09:27:37 PM
No, there is no backdoor.

Quote
The SHA-2 functions use the square roots and cube roots of small primes.

See: http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number


Title: Re: Has the NSA already broken bitcoin?
Post by: davidpbrown on September 05, 2013, 09:28:33 PM
Better article here.. http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=all&_r=0

and then the Guardian.. http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 05, 2013, 09:36:39 PM
SHA-2 is an open algorithm and it uses as its constants the sequential prime cube roots as a form of "nothing up my sleeve numbers".  For someone to find a weakness or backdoor in SHA would be the equivalent of the Nobel Prize in cryptography.   Everyone who is anyone in the cryptography community has looked at SHA-2.  Not just everyone with a higher degree in mathematics, computer science, or cryptography in the last 20 years but foreign intelligence agencies and major financial institutions.    Nobody has found a flaw, not even a theoretical one (a faster than brute force solution which requires so much energy/time as to have no real world value).

To believe the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.  Also NIST still considers SHA-2 secure and prohibits the use of any other hashing algorithm (to include SHA-3 so far) in classified networks.  So that would mean the NSA is keeping a flaw/exploit from NIST compromising US national security. 

Anything is possible but occam's razor and all that.
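
Added example (not part of any post in this thread): the "nothing up my sleeve" property that dree12 and DeathAndTaxes refer to can be checked directly. The Python below regenerates SHA-256's initial hash words from the square roots of the first 8 primes and its round constants from the cube roots of the first 64 primes, then runs a from-scratch SHA-256 on those derived values and compares it with the standard library; all helper names are the example's own.

```python
# Added example: derive SHA-256's constants from prime roots and show that a
# SHA-256 built on them matches hashlib. Helper names are illustrative only.
import hashlib
import struct

MASK = 0xFFFFFFFF

def first_primes(n):
    """First n primes by trial division (n is tiny here)."""
    primes, cand = [], 2
    while len(primes) < n:
        if all(cand % p for p in primes):
            primes.append(cand)
        cand += 1
    return primes

def iroot(n, k):
    """Exact floor of the k-th root of a non-negative integer (binary search)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo

def frac_root_word(p, k):
    """First 32 bits of the fractional part of p**(1/k), computed exactly."""
    # floor(p**(1/k) * 2**32) == iroot(p * 2**(32k), k); the low 32 bits are
    # the fractional part, the bits above them are the integer part.
    return iroot(p << (32 * k), k) & MASK

# Initial hash value: square roots of the first 8 primes.
H0 = [frac_root_word(p, 2) for p in first_primes(8)]
# Round constants: cube roots of the first 64 primes.
K = [frac_root_word(p, 3) for p in first_primes(64)]

def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256(msg):
    """SHA-256 using only the constants derived above."""
    h = list(H0)
    bit_len = len(msg) * 8
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit message length.
    msg = msg + b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + bit_len.to_bytes(8, "big")
    for off in range(0, len(msg), 64):
        w = list(struct.unpack(">16I", msg[off:off + 64]))
        for t in range(16, 64):
            s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):
            big_s1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            t1 = (hh + big_s1 + ch + K[t] + w[t]) & MASK
            big_s0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t2 = (big_s0 + maj) & MASK
            hh, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK, c, b, a, (t1 + t2) & MASK
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(4, "big") for x in h)

def matches_reference(samples):
    """True if the derived-constant SHA-256 agrees with hashlib on every sample."""
    return all(sha256(s) == hashlib.sha256(s).digest() for s in samples)

# Constructed sample inputs, chosen to cross the padding boundaries (55/56/64).
SAMPLES = [b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64, b"bitcoin" * 40]

if __name__ == "__main__":
    print("K[0..3] =", [hex(k) for k in K[:4]])
    print("H0      =", [hex(x) for x in H0])
    print("matches hashlib:", matches_reference(SAMPLES))
```

If any of the 72 words in the standard differed from the value its prime root produces, the digests would not agree with `hashlib`, so a matching result shows the published constants carry no free choice beyond "use the first primes".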


Title: Re: Has the NSA already broken bitcoin?
Post by: joecascio on September 05, 2013, 09:43:24 PM
SHA-2 is an open algorithm and it uses as its constants sequential prime cube roots as a form of "nothing up my sleeve numbers".  For someone to find a weakness or backdoor in SHA would be the equivalent of the Nobel Prize in cryptography.   Everyone who is anyone in the cryptography community has looked at SHA.  Not just everyone with a higher degree in mathematics, computer science, or cryptography in the last 20 years but foreign intelligence agencies and major financial institutions.    Nobody has found a flaw.  Not even an academical one.

To believe the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.  For the record SHA-3 is not yet approved for classified networks in the US, only SHA-2 is.  So that would mean the NSA is endangering national security by not declaring SHA-2 degraded.  

Anything is possible but occam's razor and all that.

Well said. There are many more cryptographic experts in the world than at the NSA. It's not a secret algorithm that's controlled by the NSA. It's in the public domain. Anyone can examine it. If you still think the NSA has a secret back door, then there's a good possibility you're a delusional paranoid shit head.


Title: Re: Has the NSA already broken bitcoin?
Post by: casascius on September 05, 2013, 09:43:38 PM
I believe bitcoin is vulnerable to a well-funded 51% attack, for no other reason than the awareness that the productivity of ASICs scales more exponentially than linearly as funding increases.

I believe bitcoin would quickly recover from a successful 51% attack as "proof of stake tiebreaker" is introduced as a remedy.  For example, a remedy that would bring instant results might be a new rule that allows known entities as well as past miners (via their coinbase keys) to publish endorsement signatures on blocks they see/create.  These blocks are given a much greater weight than ones without such a signature.  Entities doing a good job of endorsing blocks would have their signatures weighted more, and any entities creating disruptive signatures (or at least their public keys) would quickly be banished by the community.  The disruption would be days, and at the most, weeks.  After the disruption, Bitcoin will be permanently stronger.

As an end unto itself, engaging in a 51% attack would be so futile as to not be worth it.  As always, a 51% attack constitutes nothing more than the ability to prevent transactions from confirming as well as reversing them... not stealing or creating bitcoins (other than via mining).

But being able to cause the days/weeks disruption at a time of one's choosing may be a very valuable tool for a state's (or banking industry) arsenal.  There's value in temporarily disrupting the network to somebody, and that value is in the eye of the beholder.

To that end, that's where I'd think of what the NSA (or any other state actor) may have put effort.

The question is, does someone, somewhere, have a lot of dormant mining power sitting there just in case?  I say it's safe to assume yes, and it's just a matter of when will it be worth it for them to use that to cause a temporary disruption to Bitcoin.  If you have only got one chance to rock the world of Bitcoin, it's reasonable to assume you're going to want to time it for maximum value.

Even if so, I don't think anyone's bitcoins sitting in safe wallets (consisting of properly-generated properly-stored offline addresses that have never been used for sending payments) are at risk... only thing at risk is the temporary loss in confidence and in turn the USD/BTC value if/when such an entity decides to pull off such an attack.


Title: Re: Has the NSA already broken bitcoin?
Post by: Alpaca Bob on September 05, 2013, 09:45:34 PM
"Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator[1] is a controversial pseudorandom number generator (PRNG) designed and published by the National Security Agency. It is based on the elliptic curve discrete logarithm problem (ECDLP) and is one of the four PRNGs standardized in the NIST Special Publication 800-90. Shortly after the NIST publication, it was suggested that the RNG could be a kleptographic NSA backdoor."

(...)

"In 2013, the New York Times published that "'classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency.'"

Source: http://en.wikipedia.org/wiki/Dual_EC_DRBG

I unfortunately have little technical/under the hood-ish know-how of bitcoin, but is this Dual Elliptic Curve stuff not exactly what bitcoin relies on in some way or another?..


Title: Re: Has the NSA already broken bitcoin?
Post by: dree12 on September 05, 2013, 09:48:05 PM
"Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator[1] is a controversial pseudorandom number generator (PRNG) designed and published by the National Security Agency. It is based on the elliptic curve discrete logarithm problem (ECDLP) and is one of the four PRNGs standardized in the NIST Special Publication 800-90. Shortly after the NIST publication, it was suggested that the RNG could be a kleptographic NSA backdoor."

(...)

"In 2013, the New York Times published that "'classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency.'"

Source: http://en.wikipedia.org/wiki/Dual_EC_DRBG

I unfortunately have little technical/under the hood-ish know-how of bitcoin, but is this Dual Elliptic Curve stuff not exactly what bitcoin relies on in some way or another?..

Random numbers are only used for key generation, and the DEC algorithm is not used for that in most clients.


Title: Re: Has the NSA already broken bitcoin?
Post by: anti-scam on September 05, 2013, 09:48:25 PM
Crazy conspiracy theory:

The NSA created Bitcoin and used ECDSA in it because they already had it broken. When Bitcoin reaches a certain market cap they will reveal this exploit, making everyone's coins irrevocably worthless and irreparably harming the public's perception of cryptocurrency.

Potentially reasonable action:

Maybe it's time to implement some post-quantum crypto in Bitcoin? It would be a propaganda victory at worst. Can the academic complex really be relied on as a canary in the coalmine for crypto breaks? What if the NSA is stealing the best young mathematicians and forcing them into NDAs? Things don't always stay the same. The only problem is that I think most post-quantum algorithms are patented.


Title: Re: Has the NSA already broken bitcoin?
Post by: dree12 on September 05, 2013, 09:49:38 PM
Crazy conspiracy theory:

The NSA created Bitcoin and used ECDSA in it because they already had it broken. When Bitcoin reaches a certain market cap they will reveal this exploit, making everyone's coins irrevocably worthless and irreparably harming the public's perception of cryptocurrency.

Potentially reasonable action:

Maybe it's time to implement some post-quantum crypto in Bitcoin? It would be a propaganda victory at worst. Can the academic complex really be relied on as a canary in the coalmine for crypto breaks? What if the NSA is stealing the best young mathematicians and forcing them into NDAs? Things don't always stay the same. The only problem is that I think most post-quantum algorithms are patented.

Quantum crypto, although "perfect", relies on hardware rather than software. Consequently, it's impractical to use it in Bitcoin.


Title: Re: Has the NSA already broken bitcoin?
Post by: casascius on September 05, 2013, 09:52:27 PM
The NSA created Bitcoin and used ECDSA in it because they already had it broken.

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously.


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 05, 2013, 09:52:50 PM
"Dual_EC_DRBG or Dual Elliptic Curve Deterministic Random Bit Generator[1] is a controversial pseudorandom number generator (PRNG) designed and published by the National Security Agency. It is based on the elliptic curve discrete logarithm problem (ECDLP) and is one of the four PRNGs standardized in the NIST Special Publication 800-90. Shortly after the NIST publication, it was suggested that the RNG could be a kleptographic NSA backdoor."

(...)

"In 2013, the New York Times published that "'classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency.'"

Source: http://en.wikipedia.org/wiki/Dual_EC_DRBG

I unfortunately have little technical/under the hood-ish know-how of bitcoin, but is this Dual Elliptic Curve stuff not exactly what bitcoin relies on in some way or another?..

Simple answer is no, it isn't used by Bitcoin at all.  However it does provide a very good counter example of how difficult it is to hide backdoors in public algorithms.  The algorithm noted is rather rare, I don't know of a single widespread usage of it and even still a cryptographer found and reported a vulnerability less than a year later.  SHA-2 has been around 20 years and is conservatively millions of times more widespread and subject to much more peer review and cryptanalysis and nobody has found even a theoretical flaw yet.


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 05, 2013, 09:55:03 PM
The NSA created Bitcoin and used ECDSA in it because they already had it broken.

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously.


The use of two hashing algorithms created at different times by different entities provides a significant defense in depth.   

The irony is that many alt-coins claim utility because they are an insurance policy if Bitcoin is compromised; however, since they also use ECDSA, RIPEMD-160 and SHA-256, any compromise of Bitcoin (no matter how unlikely) would render those altcoins just as compromised.


Title: Re: Has the NSA already broken bitcoin?
Post by: anti-scam on September 05, 2013, 09:55:44 PM
Crazy conspiracy theory:

The NSA created Bitcoin and used ECDSA in it because they already had it broken. When Bitcoin reaches a certain market cap they will reveal this exploit, making everyone's coins irrevocably worthless and irreparably harming the public's perception of cryptocurrency.

Potentially reasonable action:

Maybe it's time to implement some post-quantum crypto in Bitcoin? It would be a propaganda victory at worst. Can the academic complex really be relied on as a canary in the coalmine for crypto breaks? What if the NSA is stealing the best young mathematicians and forcing them into NDAs? Things don't always stay the same. The only problem is that I think most post-quantum algorithms are patented.

Quantum crypto, although "perfect", relies on hardware rather than software. Consequently, it's impractical to use it in Bitcoin.

Post-quantum crypto, not quantum crypto


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 05, 2013, 09:57:46 PM
Crazy conspiracy theory:

The NSA created Bitcoin and used ECDSA in it because they already had it broken. When Bitcoin reaches a certain market cap they will reveal this exploit, making everyone's coins irrevocably worthless and irreparably harming the public's perception of cryptocurrency.

Potentially reasonable action:

Maybe it's time to implement some post-quantum crypto in Bitcoin? It would be a propaganda victory at worst. Can the academic complex really be relied on as a canary in the coalmine for crypto breaks? What if the NSA is stealing the best young mathematicians and forcing them into NDAs? Things don't always stay the same. The only problem is that I think most post-quantum algorithms are patented.

Quantum crypto, although "perfect", relies on hardware rather than software. Consequently, it's impractical to use it in Bitcoin.

You are confusing quantum encryption (or quantum key sharing) with post-quantum cryptography. 
http://en.wikipedia.org/wiki/Post-quantum_cryptography

PQC are algorithms which are resistant to attack using quantum algorithms.  The major problem with these is they tend to have very large key and signature sizes.  Conservatively it would mean a 10x to 100x increase in bandwidth, and storage for Bitcoin. 


Title: Re: Has the NSA already broken bitcoin?
Post by: Walsoraj on September 05, 2013, 09:59:43 PM
It is time for bitcoin to move to 512 bit. Or switch to Scrypt (plz baby jesus, no).


Title: Re: Has the NSA already broken bitcoin?
Post by: 01BTC10 on September 05, 2013, 10:08:32 PM
I'm reading this book right now. Pretty on topic. In this novel the NSA can decrypt any algorithm except one...

http://upload.wikimedia.org/wikipedia/en/c/c9/DigitalFortress.jpg


Title: Re: Has the NSA already broken bitcoin?
Post by: anti-scam on September 05, 2013, 10:10:34 PM
The NSA created Bitcoin and used ECDSA in it because they already had it broken.

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously.


How would you spend the coins though?


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 05, 2013, 10:24:18 PM
The NSA created Bitcoin and used ECDSA in it because they already had it broken.

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously.


How would you spend the coins though?

Carefully. :)

Imagine a scenario where current addresses are compromised.  The more likely scenario is some flaw is found which makes ECDSA "weakened".  As long as your public key is unknown you are immune.   Developers could come up with a new address type.  We will call existing addresses type 1 and the new stronger ones type 2.  Future clients would support both address types (backwards but not forwards compatibility).  Yes this would be a hard fork scenario but given the backwards compatibility it wouldn't be very controversial. 

You would need to transfer (spend) your coins from a type 1 address to a type 2 address and that tx could potentially be at risk.  A lot depends on how "broken" type 1 addresses are.  If on average it takes a high end hashing farm weeks to break a single private key, well, your funds would be "safe" long before the key could be compromised.   However let's assume a highly unlikely scenario where type 1 addresses can be broken quickly and cheaply once the public key is known.  Even then we are talking about a race condition so unless the attacker also had a significant fraction of the network they wouldn't be able to double spend successfully. 

However let's assume that is also true.  Pretty much a worst case scenario.  If your public key is already known you are SOL.  If it isn't you would need to make a "covert" transaction to a stronger address.  One option would be to mine it yourself, another option would be to send the "upgrade" tx securely directly to a mining pool you trust.  This could even be offered as a value added service by a pool (say 1% fee).  If you didn't mine it yourself you would need to trust the pool but you wouldn't need to trust the entire network.




Title: Re: Has the NSA already broken bitcoin?
Post by: dree12 on September 05, 2013, 10:26:02 PM
Crazy conspiracy theory:

The NSA created Bitcoin and used ECDSA in it because they already had it broken. When Bitcoin reaches a certain market cap they will reveal this exploit, making everyone's coins irrevocably worthless and irreparably harming the public's perception of cryptocurrency.

Potentially reasonable action:

Maybe it's time to implement some post-quantum crypto in Bitcoin? It would be a propaganda victory at worst. Can the academic complex really be relied on as a canary in the coalmine for crypto breaks? What if the NSA is stealing the best young mathematicians and forcing them into NDAs? Things don't always stay the same. The only problem is that I think most post-quantum algorithms are patented.

Quantum crypto, although "perfect", relies on hardware rather than software. Consequently, it's impractical to use it in Bitcoin.

You are confusing quantum encryption (or quantum key sharing) with post-quantum cryptography. 
http://en.wikipedia.org/wiki/Post-quantum_cryptography

PQC are algorithms which are resistant to attack using quantum algorithms.  The major problem with these is they tend to have very large key and signature sizes.  Conservatively it would mean a 10x to 100x increase in bandwidth, and storage for Bitcoin. 

I stand corrected.


Title: Re: Has the NSA already broken bitcoin?
Post by: Dabs on September 05, 2013, 10:32:16 PM
If SHA2 is broken or ECDSA is broken, Satoshi Dice will go broke overnight, as well as all other casinos that reuse addresses.

And almost all Provably Fair gaming will be rigged to death.

Those will be our warning signs.

Of course, if the NSA is smart, they would do this slowly ... ...


Title: Re: Has the NSA already broken bitcoin?
Post by: cointoss on September 05, 2013, 10:36:43 PM
To believe the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.

Why would the NSA or any other intelligence agency reveal that it had cracked/compromised an encryption technology? Wouldn't they keep it a secret as long as possible, to collect as much damaging information as possible, just as the allies did in WWII?


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 05, 2013, 10:48:26 PM
To believe the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.

Why would the NSA or any other intelligence agency reveal that it had cracked/compromised an encryption technology? Wouldn't they keep it a secret as long as possible, to collect as much damaging information as possible, just as the allies did in WWII?

They may not; however, SHA-2 has been in use a long time and a vulnerability would leave financial and communication systems in a country vulnerable.  It would be highly risky for say the UK intelligence community to discover a flaw and then not warn UK companies. If agents for one state can discover the flaw so can another.  It would be like someone building a fortress out of TNT because they believe only they know it is explosive.  To my knowledge no governmental agency (or non-governmental entity) has published any warning about the security of SHA-2 even without disclosing a specific flaw/weakness.

It really isn't accurate to compare encryption in WWII (a niche application over a small period of time with no non-military usage) to SHA-2 (one of if not the most widely deployed algorithms in the world used over an extended period of time in pretty much every aspect of the global economy).  Wouldn't you agree?


Title: Re: Has the NSA already broken bitcoin?
Post by: crazynoggin on September 05, 2013, 10:49:52 PM
Highly highly HIGHLY unlikely that anyone has broken Bitcoin's algorithm. I would never say it's impossible because the "impossible" has been achieved in the past, but I doubt you will ever see this impossible.


Title: Re: Has the NSA already broken bitcoin?
Post by: hayek on September 05, 2013, 11:15:57 PM
Remember this is still a government organization.

Yes, they have tons of funding. Do you think the DMV would improve if it suddenly received mountains of funding? Probably not. Most of the government work that requires a brain is contracted out in some way. It's not like the government is capable of attracting talented, intelligent people any other way.

If a private group or academia hasn't found a way to break it yet the NSA definitely hasn't.


Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on September 05, 2013, 11:25:21 PM
One powerful common sense argument: if academic pursuit is not a powerful enough motivator to find algorithmic exploits or mathematical work-arounds, then the political class's fear of losing control of the most powerful social control mechanism should be more than enough to concentrate minds to the task. What would be the motive for such a convoluted action as developing and seeding a cryptographically governed peer-to-peer money network, with the explicit intention of destroying it at a future date? To make the destruction coincide with other planned earth shaking events, in the belief that it would help to drive home the sense of despair at as many stratifications of society as possible? Don't buy that, there's too much effort and too little benefit, as well as too much risk to the religion that is the modern consumerist monetary system. As it stands, the overall Bitcoin protocol and network is a massive threat to the status quo, there would have to be a plan to change so many aspects of its mechanics in such quick succession, that I can't see how it makes any sense to introduce Bitcoin for publicly condemning an innovative concept or as an intermediate device to invoke some other deception. The coincidence of its introduction is curious though, that Satoshi just so happened to be inspired with the right combinations of concepts by the 2007 economic crisis, and that he was already well enough informed about the history and importance of world currencies that he wanted his identity concealed. And that he successfully retained his hidden identity, despite all number of clues he could have littered the web with when he was innocently checking out the CypherPunks newsgroup, or looking at DigiCash and HashCash. 
This train of thought leads me to a conclusion I have often considered; that Satoshi is a non-US state asset, that the whole Bitcoin project is a genuine attempt by some well intentioned state to jam a spanner in the works of this whole Western governmental world domination agenda. The pieces fit in many ways, but also not in many others, the chief example being the lack of substantive action by the targets in such a scenario. The US and the EU states, as well as their various disparate puppets throughout the rest of the world, could have taken more decisive action by now, if nothing more than out of sheer diabolical desperation. Like much these days, the facts just don't quite fit the connecting story. Watch this space, I guess. All I know for sure is, we are somewhere approximating the right vantage point to see world changing events unfold.



Title: Re: Has the NSA already broken bitcoin?
Post by: ronimacarroni on September 06, 2013, 12:41:23 AM
Settle down guys.
The NSA is not trying to take down bitcoins.
There are already bitcoin businesses that pay taxes, geesh.


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 06, 2013, 02:19:49 AM
http://www.nbcnews.com/id/52931694#.Uik20azLcpk

The NSA has bypassed or altogether cracked much of the digital encryption used by businesses and everyday Web users, according to reports in The New York Times, Britain's Guardian newspaper and the nonprofit news website ProPublica. The reports describe how the NSA invested billions of dollars since 2000 to make nearly everyone's secrets available for government consumption.

In doing so, the NSA built powerful supercomputers to break encryption codes and partnered with unnamed technology companies to insert "back doors" into their software, the reports said. Such a practice would give the government access to users' digital information before it was encrypted and sent over the Internet.

"Unfortunately, endpoint security is so terrifically weak that NSA can frequently find ways around it," Snowden said.

I do not believe that NSA has broken Bitcoin, but watch out for your other leaks.

Start here.
https://prism-break.org/



Title: Re: Has the NSA already broken bitcoin?
Post by: OldGeek on September 06, 2013, 06:03:06 AM
+1 for https://prism-break.org/


Title: Re: Has the NSA already broken bitcoin?
Post by: mirthworm on September 06, 2013, 06:09:41 AM
If someone (NSA, or anyone else) did break the encryption used by Bitcoin, or other cryptocurrencies, that would be all the more reason to switch to Primecoin!


Title: Re: Has the NSA already broken bitcoin?
Post by: Ekaros on September 06, 2013, 06:14:24 AM
Remember. This website is not safe.

Bitcoin probably is.


Just check the certificate in address bar:
The issuer:
CN = GeoTrust Global CA
O = GeoTrust Inc.
C = US


Oh US... I wonder if NSA has the keys...

The web security isn't really a hard thing to crack. You have a handful of authorities and if you get to them the whole chain unravels... There are points of weakness and the USA government has access to those...


Title: Re: Has the NSA already broken bitcoin?
Post by: Phinnaeus Gage on September 06, 2013, 06:53:11 AM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

This is an excellent idea! You go first.


Title: Re: Has the NSA already broken bitcoin?
Post by: crazy_rabbit on September 06, 2013, 06:55:54 AM
SHA-2 is an open algorithm and it uses as its constants sequential prime cube roots as a form of "nothing up my sleeve numbers".  For someone to find a weakness or backdoor in SHA would be the equivalent of the Nobel Prize in cryptography.   Everyone who is anyone in the cryptography community has looked at SHA.  Not just everyone with a higher degree in mathematics, computer science, or cryptography in the last 20 years but foreign intelligence agencies and major financial institutions.    Nobody has found a flaw.  Not even an academical one.

To believe the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.  For the record SHA-3 is not yet approved for classified networks in the US, only SHA-2 is.  So that would mean the NSA is endangering national security by not declaring SHA-2 degraded.  

Anything is possible but occam's razor and all that.

Well said. There are many more cryptographic experts in the world than at the NSA. It's not a secret algorithm that's controlled by the NSA. It's in the public domain. Anyone can examine it. If you still think the NSA has a secret back door, then there's a good possibility you're a delusional paranoid shit head.

A) No need to be vulgar B) it is reason to double check that our implementation of SHA-256 is secure. There could be ways that different secure SHA-256 systems could become vulnerable, like for example- I'm now tempted to think Android's Random Number problem might have been deliberate. It exposed private keys, but maybe it's exposed so much more that the NSA has found valuable.


Title: Re: Has the NSA already broken bitcoin?
Post by: Phinnaeus Gage on September 06, 2013, 07:07:04 AM
SHA-2 is an open algorithm and it uses as its constants the sequential prime cube roots as a form of "nothing up my sleeve numbers".  For someone to find a weakness or backdoor in SHA would be the equivalent of the nobel prize in cryptography.   Everyone who is anyone in the cryptography community has looked at SHA-2.  Not just everyone with a higher degree in mathematics, computer science, or cryptography in the last 20 years but foreign intelligence agencies and major financial institutions.    Nobody has found a flaw, not even a theoretical one (a faster than brute force solution which requires so much energy/time as to have no real world value).

To believe the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.  Also NIST still considers SHA-2 secure and prohibits the use of any other hashing algorithm (to include SHA-3 so far) in classified networks.  So that would mean the NSA is keeping a flaw/exploit from NIST compromising US national security. 

Anything is possible but occam's razor and all that.

Correct me if I'm wrong and misread something off one of the news sites, but I understood that the NSA was able to intercept, then index all transmissions prior to the encryption process. To me, this made perfect sense when I read it, for then it wouldn't matter what SHA(?) is used, the information would already be mirrored and stored, somehow allowing the NSA to act as the man-in-the-middle.


Title: Re: Has the NSA already broken bitcoin?
Post by: Luckybit on September 06, 2013, 07:27:28 AM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferably after the cartels and terrorists get comfortable and start relying on it.

I would say they probably have several ways of breaking Bitcoin but it would be top secret and not be used unless there is a war. It's not going to be used on criminals but if we get into a war with another country and that country thinks Bitcoins will be useful the NSA may have a few surprises.


Title: Re: Has the NSA already broken bitcoin?
Post by: twobitlolz on September 06, 2013, 07:45:52 AM
even if the notion that the NSA can currently break SHA256; Bitcoin; or the entire Internet at will is still far-fetched for the time being, there's no denying how disturbing the reality of the situation is. when i see articles like these, i can't help but picture a Mirror's Edge-style future -- people bounding across rooftops with paper Bitcoin wallets stuffed in their rectums.

Correct me if I'm wrong and misread something off one of the news sites, but I understood that the NSA was able to intercept, then index all transmissions prior to the encryption process. To me, this made perfect sense when I read it, for then it wouldn't matter what SHA(?) is used, the information would already be mirrored and stored, somehow allowing the NSA to act as the man-in-the-middle.
as long as information is being encrypted and decrypted on trusted hardware, (even if that hardware is pen and paper,) the NSA can do little to eavesdrop on your plaintext. even if the NSA compromises every computer endpoint involved in the transmission of encrypted communications, they would need to look right over your shoulder to intercept something you 'crypted by hand. that said, a Netgear router and Windows Firewall wouldn't keep the world's top cyber-intelligence agents away from your hard drive, your RAM, and everything you type.


Title: Re: Has the NSA already broken bitcoin?
Post by: wopwop on September 06, 2013, 08:06:32 AM
I work for the NNSA and all I can tell is we will look for you, we will find you and we will prosecute you under the name of justice









Disclaimer: NNSA is Not related to NSA


Title: Re: Has the NSA already broken bitcoin?
Post by: mirthworm on September 06, 2013, 09:57:30 AM
If someone (NSA, or anyone else) did break the encryption used by Bitcoin, or other cryptocurrencies, that would be all the more reason to switch to Primecoin!

Bitcoin doesn't use encryption. Primecoin (and every altcoin clone) generates addresses using the exact same cryptographic primitives (ECDSA, SHA-256, RIPEMD-160)


Good point. I was not thinking of addresses. But of the coins themselves. Primecoin would clearly need a way to be able to generate an arbitrarily large number of coins (based on Cunningham Chains), as it has no inherent upper bound to the number of possible coins. That wouldn't matter though, if every address was accessed, like you suggested. Still, if anything will spur developments in cryptography, bitcoin will have some hand in it. At least until the NSA takes over the network and shuts it down to create another great depression.  ;)


Title: Re: Has the NSA already broken bitcoin?
Post by: Nigeria Prince on September 06, 2013, 09:59:35 AM
NSA even invented Bitcoin.

Nakamoto SAtoshi = NSA


Title: Re: Has the NSA already broken bitcoin?
Post by: marcovaldo on September 06, 2013, 10:00:51 AM
NSA even invented Bitcoin.

Nakamoto SAtoshi = NSA

Yep :P
https://bitcointalk.org/index.php?topic=235342.0


Title: Re: Has the NSA already broken bitcoin?
Post by: xxjs on September 06, 2013, 10:11:39 AM
To believe the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.

Why would the NSA or any other intelligence agency reveal that it had cracked/compromised an encryption technology? Wouldn't they keep it a secret as long as possible, to collect as much damaging information as possible, just as the allies did in WWII?

This may be a new strategy AS (After Snowden). If the subjects all believe that everything is known and it is futile to try to communicate, or even to think, the cost of staying in power becomes far less. This is covered in 1984 by Orwell.

It is better to assess their real capacity, and act according to that.


Title: Re: Has the NSA already broken bitcoin?
Post by: faiza1990 on September 06, 2013, 10:14:47 AM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

can anyone think of a lower risk way to test...?

no body going to take this risk even its end of a life


Title: Re: Has the NSA already broken bitcoin?
Post by: b!z on September 06, 2013, 10:19:27 AM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

can anyone think of a lower risk way to test...?

no body going to take this risk even its end of a life

send the NSA a  letter and see if they answer your question ::)


Title: Re: Has the NSA already broken bitcoin?
Post by: cr1776 on September 06, 2013, 11:13:57 AM
Very true. I am less worried about encryption etc being cracked than weakened. Eg back doors, compromised certificate authorities, large numbers of compromised Tor nodes, and importantly purposefully weakened PRNGs.  

The math is the safest part, the implementation of the tools (OSs, compilers programs) are where exploit opportunities are located.

Remember. This website is not safe.

Bitcoin probably is.


Just check the certificate in address bar:
The issuer:
CN = GeoTrust Global CA
O = GeoTrust Inc.
C = US


Oh US... I wonder if NSA has the keys...

The web security isn't really a hard thing to crack. You have a handful of authorities and if you get to them the whole chain unravels... There are points of weakness and the USA government has access to those...


Title: Re: Has the NSA already broken bitcoin?
Post by: Gabi on September 06, 2013, 12:07:55 PM
An USA certificate? Why isn't the admin getting a not-USA as fast as possible?


Title: Re: Has the NSA already broken bitcoin?
Post by: cr1776 on September 06, 2013, 12:30:41 PM
It happens all over, eg http://arstechnica.com/security/2013/01/turkish-government-agency-spoofed-google-certificate-accidentally/

A distributed peer to peer CA would be useful if widely used. Eg tied in with name coin or something else

An USA certificate? Why isn't the admin getting a not-USA as fast as possible?


Title: Re: Has the NSA already broken bitcoin?
Post by: gmaxwell on September 06, 2013, 12:34:21 PM
The certificate authority has no access to the website's keys.

The evil thing CAs can do is that they can sign fake certs… but the CA a particular site uses is irrelevant to this, as any CA can sign for any domain.


Title: Re: Has the NSA already broken bitcoin?
Post by: luv2drnkbr on September 06, 2013, 02:31:23 PM
I still think because of Bruce Schneier's recent blog (https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html) that we should hard fork over to using 512 bit ECC...

Quote from: Bruce Schneier
Breakthroughs in factoring have occurred regularly over the past several decades, allowing us to break ever-larger public keys. Much of the public-key cryptography we use today involves elliptic curves, something that is even more ripe for mathematical breakthroughs. It is not unreasonable to assume that the NSA has some techniques in this area that we in the academic world do not. Certainly the fact that the NSA is pushing elliptic-curve cryptography is some indication that it can break them more easily.

If we think that's the case, the fix is easy: increase the key lengths.

Assuming the hypothetical NSA breakthroughs don't totally break public-cryptography -- and that's a very reasonable assumption -- it's pretty easy to stay a few steps ahead of the NSA by using ever-longer keys. We're already trying to phase out 1024-bit RSA keys in favor of 2048-bit keys. Perhaps we need to jump even further ahead and consider 3072-bit keys. And maybe we should be even more paranoid about elliptic curves and use key lengths above 500 bits.


Title: Re: Has the NSA already broken bitcoin?
Post by: yvv on September 06, 2013, 02:39:07 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

Yeahh! You can also test sharpness of knife by sticking it into your throat. Always works.


Title: NY Times: N.S.A. Able to Foil Basic Safeguards of Privacy on Web
Post by: Pangia on September 06, 2013, 02:42:21 PM
http://www.nytimes.com/2013/09/06/us/nsa-foils-much-internet-encryption.html?pagewanted=2&_r=0&hp&pagewanted=all


N.S.A. Able to Foil Basic Safeguards of Privacy on Web
By NICOLE PERLROTH, JEFF LARSON and SCOTT SHANE



The National Security Agency is winning its long-running secret war on encryption, using supercomputers, technical trickery, court orders and behind-the-scenes persuasion to undermine the major tools protecting the privacy of everyday communications in the Internet age, according to newly disclosed documents.
This article has been reported in partnership among The New York Times, The Guardian and ProPublica based on documents obtained by The Guardian. For The Guardian: James Ball, Julian Borger, Glenn Greenwald. For The New York Times: Nicole Perlroth, Scott Shane. For ProPublica: Jeff Larson.
The agency has circumvented or cracked much of the encryption, or digital scrambling, that guards global commerce and banking systems, protects sensitive data like trade secrets and medical records, and automatically secures the e-mails, Web searches, Internet chats and phone calls of Americans and others around the world, the documents show.

Many users assume — or have been assured by Internet companies — that their data is safe from prying eyes, including those of the government, and the N.S.A. wants to keep it that way. The agency treats its recent successes in deciphering protected information as among its most closely guarded secrets, restricted to those cleared for a highly classified program code-named Bullrun, according to the documents, provided by Edward J. Snowden, the former N.S.A. contractor.

Beginning in 2000, as encryption tools were gradually blanketing the Web, the N.S.A. invested billions of dollars in a clandestine campaign to preserve its ability to eavesdrop. Having lost a public battle in the 1990s to insert its own “back door” in all encryption, it set out to accomplish the same goal by stealth.

The agency, according to the documents and interviews with industry officials, deployed custom-built, superfast computers to break codes, and began collaborating with technology companies in the United States and abroad to build entry points into their products. The documents do not identify which companies have participated.

The N.S.A. hacked into target computers to snare messages before they were encrypted. In some cases, companies say they were coerced by the government into handing over their master encryption keys or building in a back door. And the agency used its influence as the world’s most experienced code maker to covertly introduce weaknesses into the encryption standards followed by hardware and software developers around the world.

“For the past decade, N.S.A. has led an aggressive, multipronged effort to break widely used Internet encryption technologies,” said a 2010 memo describing a briefing about N.S.A. accomplishments for employees of its British counterpart, Government Communications Headquarters, or GCHQ. “Cryptanalytic capabilities are now coming online. Vast amounts of encrypted Internet data which have up till now been discarded are now exploitable.”

When the British analysts, who often work side by side with N.S.A. officers, were first told about the program, another memo said, “those not already briefed were gobsmacked!”

An intelligence budget document makes clear that the effort is still going strong. “We are investing in groundbreaking cryptanalytic capabilities to defeat adversarial cryptography and exploit Internet traffic,” the director of national intelligence, James R. Clapper Jr., wrote in his budget request for the current year.

In recent months, the documents disclosed by Mr. Snowden have described the N.S.A.’s reach in scooping up vast amounts of communications around the world. The encryption documents now show, in striking detail, how the agency works to ensure that it is actually able to read the information it collects.

The agency’s success in defeating many of the privacy protections offered by encryption does not change the rules that prohibit the deliberate targeting of Americans’ e-mails or phone calls without a warrant. But it shows that the agency, which was sharply rebuked by a federal judge in 2011 for violating the rules and misleading the Foreign Intelligence Surveillance Court, cannot necessarily be restrained by privacy technology. N.S.A. rules permit the agency to store any encrypted communication, domestic or foreign, for as long as the agency is trying to decrypt it or analyze its technical features.

The N.S.A., which has specialized in code-breaking since its creation in 1952, sees that task as essential to its mission. If it cannot decipher the messages of terrorists, foreign spies and other adversaries, the United States will be at serious risk, agency officials say.

Just in recent weeks, the Obama administration has called on the intelligence agencies for details of communications by leaders of Al Qaeda about a terrorist plot and of Syrian officials’ messages about the chemical weapons attack outside Damascus. If such communications can be hidden by unbreakable encryption, N.S.A. officials say, the agency cannot do its work.

But some experts say the N.S.A.’s campaign to bypass and weaken communications security may have serious unintended consequences. They say the agency is working at cross-purposes with its other major mission, apart from eavesdropping: ensuring the security of American communications.

Some of the agency’s most intensive efforts have focused on the encryption in universal use in the United States, including Secure Sockets Layer, or SSL; virtual private networks, or VPNs; and the protection used on fourth-generation, or 4G, smartphones. Many Americans, often without realizing it, rely on such protection every time they send an e-mail, buy something online, consult with colleagues via their company’s computer network, or use a phone or a tablet on a 4G network.

For at least three years, one document says, GCHQ, almost certainly in collaboration with the N.S.A., has been looking for ways into protected traffic of popular Internet companies: Google, Yahoo, Facebook and Microsoft’s Hotmail. By 2012, GCHQ had developed “new access opportunities” into Google’s systems, according to the document. (Google denied giving any government access and said it had no evidence its systems had been breached).

“The risk is that when you build a back door into systems, you’re not the only one to exploit it,” said Matthew D. Green, a cryptography researcher at Johns Hopkins University. “Those back doors could work against U.S. communications, too.”

Paul Kocher, a leading cryptographer who helped design the SSL protocol, recalled how the N.S.A. lost the heated national debate in the 1990s about inserting into all encryption a government back door called the Clipper Chip.

“And they went and did it anyway, without telling anyone,” Mr. Kocher said. He said he understood the agency’s mission but was concerned about the danger of allowing it unbridled access to private information.

“The intelligence community has worried about ‘going dark’ forever, but today they are conducting instant, total invasion of privacy with limited effort,” he said. “This is the golden age of spying.”

A Vital Capability

The documents are among more than 50,000 shared by The Guardian with The New York Times and ProPublica, the nonprofit news organization. They focus on GCHQ but include thousands from or about the N.S.A.

Intelligence officials asked The Times and ProPublica not to publish this article, saying it might prompt foreign targets to switch to new forms of encryption or communications that would be harder to collect or read. The news organizations removed some specific facts but decided to publish the article because of the value of a public debate about government actions that weaken the most powerful privacy tools.

The files show that the agency is still stymied by some encryption, as Mr. Snowden suggested in a question-and-answer session on The Guardian’s Web site in June.

“Properly implemented strong crypto systems are one of the few things that you can rely on,” he said, though cautioning that the N.S.A. often bypasses the encryption altogether by targeting the computers at one end or the other and grabbing text before it is encrypted or after it is decrypted.

The documents make clear that the N.S.A. considers its ability to decrypt information a vital capability, one in which it competes with China, Russia and other intelligence powers.

“In the future, superpowers will be made or broken based on the strength of their cryptanalytic programs,” a 2007 document said. “It is the price of admission for the U.S. to maintain unrestricted access to and use of cyberspace.”

The full extent of the N.S.A.’s decoding capabilities is known only to a limited group of top analysts from the so-called Five Eyes: the N.S.A. and its counterparts in Britain, Canada, Australia and New Zealand. Only they are cleared for the Bullrun program, the successor to one called Manassas — both names of an American Civil War battle. A parallel GCHQ counterencryption program is called Edgehill, named for the first battle of the English Civil War of the 17th century.

Unlike some classified information that can be parceled out on a strict “need to know” basis, one document makes clear that with Bullrun, “there will be NO ‘need to know.’ ”

Only a small cadre of trusted contractors were allowed to join Bullrun. It does not appear that Mr. Snowden was among them, but he nonetheless managed to obtain dozens of classified documents referring to the program’s capabilities, methods and sources.

Ties to Internet Companies

When the N.S.A. was founded, encryption was an obscure technology used mainly by diplomats and military officers. Over the last 20 years, it has become ubiquitous. Even novices can tell that their exchanges are being automatically encrypted when a tiny padlock appears next to a Web address.

Because strong encryption can be so effective, classified N.S.A. documents make clear, the agency’s success depends on working with Internet companies — by getting their voluntary collaboration, forcing their cooperation with court orders or surreptitiously stealing their encryption keys or altering their software or hardware.

According to an intelligence budget document leaked by Mr. Snowden, the N.S.A. spends more than $250 million a year on its Sigint Enabling Project, which “actively engages the U.S. and foreign IT industries to covertly influence and/or overtly leverage their commercial products’ designs” to make them “exploitable.” Sigint is the acronym for signals intelligence, the technical term for electronic eavesdropping.

By this year, the Sigint Enabling Project had found ways inside some of the encryption chips that scramble information for businesses and governments, either by working with chipmakers to insert back doors or by exploiting security flaws, according to the documents. The agency also expected to gain full unencrypted access to an unnamed major Internet phone call and text service; to a Middle Eastern Internet service; and to the communications of three foreign governments.

In one case, after the government learned that a foreign intelligence target had ordered new computer hardware, the American manufacturer agreed to insert a back door into the product before it was shipped, someone familiar with the request told The Times.

The 2013 N.S.A. budget request highlights “partnerships with major telecommunications carriers to shape the global network to benefit other collection accesses” — that is, to allow more eavesdropping.

At Microsoft, as The Guardian has reported, the N.S.A. worked with company officials to get pre-encryption access to Microsoft’s most popular services, including Outlook e-mail, Skype Internet phone calls and chats, and SkyDrive, the company’s cloud storage service.

Microsoft asserted that it had merely complied with “lawful demands” of the government, and in some cases, the collaboration was clearly coerced. Some companies have been asked to hand the government the encryption keys to all customer communications, according to people familiar with the government’s requests.

N.S.A. documents show that the agency maintains an internal database of encryption keys for specific commercial products, called a Key Provisioning Service, which can automatically decode many messages. If the necessary key is not in the collection, a request goes to the separate Key Recovery Service, which tries to obtain it.

How keys are acquired is shrouded in secrecy, but independent cryptographers say many are probably collected by hacking into companies’ computer servers, where they are stored. To keep such methods secret, the N.S.A. shares decrypted messages with other agencies only if the keys could have been acquired through legal means. “Approval to release to non-Sigint agencies,” a GCHQ document says, “will depend on there being a proven non-Sigint method of acquiring keys.”

Simultaneously, the N.S.A. has been deliberately weakening the international encryption standards adopted by developers. One goal in the agency’s 2013 budget request was to “influence policies, standards and specifications for commercial public key technologies,” the most common encryption method.

Cryptographers have long suspected that the agency planted vulnerabilities in a standard adopted in 2006 by the National Institute of Standards and Technology and later by the International Organization for Standardization, which has 163 countries as members.

Classified N.S.A. memos appear to confirm that the fatal weakness, discovered by two Microsoft cryptographers in 2007, was engineered by the agency. The N.S.A. wrote the standard and aggressively pushed it on the international group, privately calling the effort “a challenge in finesse.”

“Eventually, N.S.A. became the sole editor,” the memo says.

Even agency programs ostensibly intended to guard American communications are sometimes used to weaken protections. The N.S.A.’s Commercial Solutions Center, for instance, invites the makers of encryption technologies to present their products to the agency with the goal of improving American cybersecurity. But a top-secret N.S.A. document suggests that the agency’s hacking division uses that same program to develop and “leverage sensitive, cooperative relationships with specific industry partners” to insert vulnerabilities into Internet security products.

By introducing such back doors, the N.S.A. has surreptitiously accomplished what it had failed to do in the open. Two decades ago, officials grew concerned about the spread of strong encryption software like Pretty Good Privacy, designed by a programmer named Phil Zimmermann. The Clinton administration fought back by proposing the Clipper Chip, which would have effectively neutered digital encryption by ensuring that the N.S.A. always had the key.

That proposal met a backlash from an unlikely coalition that included political opposites like Senator John Ashcroft, the Missouri Republican, and Senator John Kerry, the Massachusetts Democrat, as well as the televangelist Pat Robertson, Silicon Valley executives and the American Civil Liberties Union. All argued that the Clipper would kill not only the Fourth Amendment, but also America’s global technology edge.

By 1996, the White House backed down. But soon the N.S.A. began trying to anticipate and thwart encryption tools before they became mainstream.

Each novel encryption effort generated anxiety. When Mr. Zimmermann introduced the Zfone, an encrypted phone technology, N.S.A. analysts circulated the announcement in an e-mail titled “This can’t be good.”

But by 2006, an N.S.A. document notes, the agency had broken into communications for three foreign airlines, one travel reservation system, one foreign government’s nuclear department and another’s Internet service by cracking the virtual private networks that protected them.

By 2010, the Edgehill program, the British counterencryption effort, was unscrambling VPN traffic for 30 targets and had set a goal of an additional 300.

But the agencies’ goal was to move away from decrypting targets’ tools one by one and instead decode, in real time, all of the information flying over the world’s fiber optic cables and through its Internet hubs, only afterward searching the decrypted material for valuable intelligence.

A 2010 document calls for “a new approach for opportunistic decryption, rather than targeted.” By that year, a Bullrun briefing document claims that the agency had developed “groundbreaking capabilities” against encrypted Web chats and phone calls. Its successes against Secure Sockets Layer and virtual private networks were gaining momentum.

But the agency was concerned that it could lose the advantage it had worked so long to gain, if the mere “fact of” decryption became widely known. “These capabilities are among the Sigint community’s most fragile, and the inadvertent disclosure of the simple ‘fact of’ could alert the adversary and result in immediate loss of the capability,” a GCHQ document warned.

Since Mr. Snowden’s disclosures ignited criticism of overreach and privacy infringements by the N.S.A., American technology companies have faced scrutiny from customers and the public over what some see as too cozy a relationship with the government. In response, some companies have begun to push back against what they describe as government bullying.

Google, Yahoo, Microsoft and Facebook have pressed for permission to reveal more about the government’s requests for cooperation. One e-mail encryption company, Lavabit, closed rather than comply with the agency’s demands for customer information; another, Silent Circle, ended its e-mail service rather than face such demands.

In effect, facing the N.S.A.’s relentless advance, the companies surrendered.

Ladar Levison, the founder of Lavabit, wrote a public letter to his disappointed customers, offering an ominous warning. “Without Congressional action or a strong judicial precedent,” he wrote, “I would strongly recommend against anyone trusting their private data to a company with physical ties to the United States.”


John Markoff contributed reporting.


Title: Re: Has the NSA already broken bitcoin?
Post by: Walsoraj on September 06, 2013, 02:45:19 PM
One of these recent articles mentions a breakthrough in cryptanalysis in 2010. This was the same year that the NSA stopped relying on SHA-1. Coincidence? I think not. Just a matter of time before SHA-2 is vulnerable.


Title: Re: Has the NSA already broken bitcoin?
Post by: gmaxwell on September 06, 2013, 02:46:24 PM
I still think because of Bruce Schneier's recent blog (https://www.schneier.com/blog/archives/2013/09/the_nsas_crypto_1.html) that we should hard fork over to using 512 bit ECC...
There is no need to hard fork to upgrade asymmetric schemes in Bitcoin.  Though if our current scheme was insecure it would be due to a mathematical breakthrough that might also render 512 bit insecure. (e.g. if index calculus worked on Elliptic curves ECC security would scale like RSA security and 512 bits would likely be insecure too).  I expect that when we add another asymmetric scheme it will be Lamport with a choice of SHA256 SHA512/256 and SHA3 as the hash function (I have a BIP started up on this, but I've been waiting for SHA3 to be finalized)
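
For readers unfamiliar with the Lamport scheme mentioned in the post above, here is a minimal one-time signature built only on a hash function. This is an added example, not code from the poster, from the BIP draft he mentions, or from Bitcoin; the class and function names are assumptions, and the hash is selectable by its `hashlib` name (only `sha256` and `sha3_256` are exercised here).

```python
import hashlib
import secrets

BITS = 256  # one secret pair per bit of the message digest


def _h(hash_name, data):
    return hashlib.new(hash_name, data).digest()


def _digest_bits(hash_name, message):
    """Digest of the message as a list of 256 bits, most significant first."""
    d = int.from_bytes(_h(hash_name, message), "big")
    return [(d >> (BITS - 1 - i)) & 1 for i in range(BITS)]


class LamportKey:
    """Hypothetical one-time signing key; security rests only on the hash."""

    def __init__(self, hash_name="sha256"):
        if hashlib.new(hash_name).digest_size * 8 != BITS:
            raise ValueError("this sketch assumes a 256-bit hash")
        self.hash_name = hash_name
        # Private key: 256 pairs of random 32-byte secrets.
        self._secret = [(secrets.token_bytes(32), secrets.token_bytes(32))
                        for _ in range(BITS)]
        # Public key: the hash of every secret.
        self.public = [(_h(hash_name, a), _h(hash_name, b))
                       for a, b in self._secret]
        self._used = False

    def sign(self, message):
        # Each signature reveals half of the secrets. A second signature
        # with the same key would reveal more and let others forge, so
        # the key refuses to sign twice.
        if self._used:
            raise RuntimeError("Lamport key already used; generate a new one")
        self._used = True
        bits = _digest_bits(self.hash_name, message)
        return [self._secret[i][b] for i, b in enumerate(bits)]


def verify(public, message, signature, hash_name="sha256"):
    """Check that each revealed secret hashes to the matching public value."""
    if len(signature) != BITS:
        return False
    ok = True
    for i, b in enumerate(_digest_bits(hash_name, message)):
        ok &= secrets.compare_digest(_h(hash_name, signature[i]), public[i][b])
    return ok


if __name__ == "__main__":
    msg = b"constructed sample transaction"  # constructed input
    key = LamportKey("sha256")
    sig = key.sign(msg)
    print("valid:", verify(key.public, msg, sig))
    print("other message:", verify(key.public, b"different message", sig))
    print("signature bytes:", sum(len(s) for s in sig))
```

With a 256-bit hash each signature is 8 KiB and each public key 16 KiB, which is the size cost paid for depending on the hash function alone.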


Title: Re: Has the NSA already broken bitcoin?
Post by: hashman on September 06, 2013, 03:47:07 PM
I'm reading this book right now. Pretty on topic. In this novel the NSA can decrypt any algorithm except one...

http://upload.wikimedia.org/wikipedia/en/c/c9/DigitalFortress.jpg

I'm sorry for your loss.  That book is total junk.  At least with the other formulaic dan brown novels, they touch on something he knows about (religious history).  This one does not. 


Title: Re: Has the NSA already broken bitcoin?
Post by: xxjs on September 06, 2013, 03:59:16 PM
I'm reading this book right now. Pretty on topic. In this novel the NSA can decrypt any algorithm except one...

http://upload.wikimedia.org/wikipedia/en/c/c9/DigitalFortress.jpg

I'm sorry for your loss.  That book is total junk.  At least with the other formulaic dan brown novels, they touch on something he knows about (religious history).  This one does not. 

What you can learn from this book is that if you design a set of rules and a hierarchy of procedures, then go on breaking each one of them, you are not secure. Maybe there was some sex in there also, I don't remember.


Title: Re: Has the NSA already broken bitcoin?
Post by: Gabi on September 06, 2013, 04:02:31 PM
I understand that NSA is doing their best to attack everything and I probably won't trust SHA-3 for some years, but to say that NSA is better than the rest of the world at breaking encryption algorithms is too much. Russia, China, India, Europe and what else so far didn't break them and NSA can break everything?

Probably they are trying to get laws to request keys, infiltrate everywhere and modify the implementations of the algorithms


Title: Re: Has the NSA already broken bitcoin?
Post by: elor70 on September 06, 2013, 04:16:46 PM
Not yet...


Title: Re: Has the NSA already broken bitcoin?
Post by: hashman on September 06, 2013, 04:26:14 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

That's an idea but not real sweet honey.  After all your bombing could also lead to increases in their budget so why bother stopping you?  If you are actually looking to make a test, include some real actionable high-stakes financial insider info and watch the futures market to see if anybody read your shit. 


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 06, 2013, 04:55:54 PM
Sending false messages is right out of the NSA's playbook.

http://www.nsa.gov/about/cryptologic_heritage/center_crypt_history/publications/battle_midway.shtml

... in mid-May the commanding officer of the Midway installation was instructed to send a message in the clear indicating that the installation's water distillation plant had suffered serious damage and that fresh water was needed immediately. Shortly after the transmission, an intercepted Japanese intelligence report indicated that "AF is short of water." Armed with this information, Nimitz began to draw up plans to move his carriers to a point northeast of Midway where they would lie in wait. Once positioned, they could stage a potentially decisive nautical ambush of Yamamoto's massive armada.


Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on September 06, 2013, 05:03:51 PM
I understand that NSA is doing their best to attack everything and I probably won't trust SHA-3 for some years, but to say that NSA is better than the rest of the world at breaking encryption algorithms is too much. Russia, China, India, Europe and what else so far didn't break them and NSA can break everything?

Probably they are trying to get laws to request keys, infiltrate everywhere and modify the implementations of the algorithms

Indeed. So, Edward Snowden already knew how effective NSA are at code-breaking and how pervasive their surveillance is, and yet he still managed to use e.snowden@lavabit.com to e-mail Glenn Greenwald for a Hong Kong meet, catch a plane to Hong Kong (the story goes that he only had a passport in his own name), and only once it was on every hourly newsreel did they start to try and apprehend him? You'd think that a highly paid contractor with high levels of access and clearance would have been getting watched as a matter of routine. Reality does not fit the story properly.


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 06, 2013, 05:06:49 PM
You'd think that a highly paid contractor with high levels of access and clearance would have been getting watched as a matter of routine.

He was small potatoes.


Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on September 06, 2013, 05:15:18 PM
You'd think that a highly paid contractor with high levels of access and clearance would have been getting watched as a matter of routine.

He was small potatoes.


Well, are the consequences of publicly disclosing state protected secrets serious or not? That's not how the justice system (or the extradition authorities) see it. If staff need to know sensitive information to do their jobs, they need to examine the staff with as much scrutiny as they do all the safety procedures that allow the staff access to this stuff. The details of what Snowden put out there was definitely not small potatoes, those were some pretty large, pretty hot potatoes. Hence the worldwide media coverage and political outrage and hostility? Oh no, I forgot, it was all small potatoes really.


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 06, 2013, 05:22:43 PM
They made mistakes that gave Snowden access to more material than was necessary.


Title: Re: Has the NSA already broken bitcoin?
Post by: rix5 on September 06, 2013, 05:58:26 PM
is this related?

"Skynet rising: Google acquires 512-qubit quantum computer; NSA surveillance to be turned over to AI machines"


http://www.naturalnews.com/040859_skynet_quantum_computing_d-wave_systems.html


snowden is a shill btw. The hunt was an actors-piece. I call Snowden a 'limited hangout operation'
-> http://en.wikipedia.org/wiki/Limited_hangout


Title: Re: Has the NSA already broken bitcoin?
Post by: skull88 on September 06, 2013, 06:29:23 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

can anyone think of a lower risk way to test...?
Someone in Germany sending encrypted messages to go walking near a secret US military facility and try taking photos of NSA spies in their natural habitat should do the trick. It's not enough to lock you up but enough to lift you out of your bed to ask you some questions.

http://www.spiegel.de/international/germany/us-military-and-german-police-respond-to-facebook-post-about-nsa-walk-a-911451.html


Title: Re: Has the NSA already broken bitcoin?
Post by: tkbx on September 06, 2013, 08:04:29 PM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferable after the cartels and terrorists get comfortable and start relying on it.

I don't see there being a weakness in SHA256. Here's why:

huTyEjKPdHtx0W9TQRAiF641lHS2W5OyGC3yWrmOjqDwayWJxkxeXN7QtHnrQPTY2PGCfafs0CWeMEd qMXx0dZSfkA6ZCqwES8gk8gARLEmufO68vOtKz78mGry5378iH7t7eBxWif6ITDNy3nG5yagcdeeb2B xHfE4HFa8HJjLNZxPJgl5lZyycgA6MQy3wG9Kch1pkELC0SY7Uwtru71bZZkT9IhpkieadeXNM37Ew6 1mVQUJRj6Kol090oD6TCZZNyptkD3PMzcy7bAKjQctJDzkdFwVEE2FCLhm5Z8TakWqlEujJaDe8IfEA f6QRHGu7QKIpv7Q8CggfmZ2JkxeeHzhcu5BhxKCZt3vX9FYiZMtVhHJrg5AkF1xZwtxLBKtJOMYwJXL kJ6pLyTKKEupjKgOs4iDJouaAk7Fd2EAL8SahXmdUiOdDYw0DGSOqfkQuFRQbH3MRok1wtQeiiGsKNO gnBm0wl01MHMKiiEjOYkNxrqqrTi1oYIcMudJKn5qmoOqhcaADKry5ft2fKfIb8ynOFvV6kTNB6Uj9R ed1TuN1ikNfq7Iwniiq2aOAowNVWA6Hla5ppva07eBkmUtADxne9nYcy5MkHDXrrdKmSncqQMbahtSO M9SNjlom5IXropvZHniUc1gOMByKtRiJjghVXbRxn9yWH6Gx1gY3RJIxh0E3ZnEqHAaPuqGjP9GSvcf eksleJaQminAhemgBlSypeSPmVvD17DywFKDYebRlk6UGt0IQVCA7SNr8djsfNC55bvYSX33nqO9vBl DTTnVD8UMziV0irk3Wjer5bcEAKTbGE2hX3CxPEOZgrpy9qTSHK9t31MxoZXVcgEDc42rVHMy2xiEjv 0caHoPSCV1KfixfRqTziNhNcOVqK7VmeiFz4SVVshzyTZ9LtGr8nKVcwVhKH9bmohZifyiN1FWrLyhj bGEdr9ADLkpp6QjluSQK0ybb0odGuk2iTsFIPKAXouM67r7ZC2pH

Hashes to:

f32a214d8ade97871c0832d51bda85ed95b7efa0224e8fa5d6e4b030ab861d7d

Billions of things also hash to this. It's not like there can be extra info we're not seeing, it's all there in those 64 characters.


Title: Re: Has the NSA already broken bitcoin?
Post by: casascius on September 06, 2013, 09:02:39 PM
Hashes to:

f32a214d8ade97871c0832d51bda85ed95b7efa0224e8fa5d6e4b030ab861d7d

Billions of things also hash to this. It's not like there can be extra info we're not seeing, it's all there in those 64 characters.

Breaking a hash doesn't just mean recovering the original data.  It also includes being able to find alternate data that hashes to the same result (which is guaranteed to exist, it's just presumed impossible to find).
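The distinction drawn in the two posts above (other inputs with the same hash certainly exist; the question is what it costs to find one) can be measured on a deliberately shortened hash. This is an added example, not part of any forum post; the function names and the 16-bit and 32-bit truncations are choices made for the demonstration, and the inputs are constructed counters.

```python
import hashlib


def h_trunc(data: bytes, bits: int) -> int:
    """SHA-256 of data, keeping only the leading `bits` bits (a toy-sized hash)."""
    digest = hashlib.sha256(data).digest()
    return int.from_bytes(digest, "big") >> (256 - bits)


def second_preimage(original: bytes, bits: int, max_tries: int = 1 << 24):
    """Search for a different input with the same truncated hash as `original`.

    Returns (candidate, tries). Expected work is about 2**bits hash calls.
    """
    target = h_trunc(original, bits)
    for tries in range(1, max_tries + 1):
        candidate = b"candidate-%d" % tries  # constructed inputs
        if candidate != original and h_trunc(candidate, bits) == target:
            return candidate, tries
    return None, max_tries


def collision(bits: int, max_tries: int = 1 << 24):
    """Search for any two different inputs that share a truncated hash.

    Returns (msg_a, msg_b, tries). Because any pair will do, the birthday
    bound applies: expected work is about 2**(bits/2) hash calls.
    """
    seen = {}
    for tries in range(1, max_tries + 1):
        msg = b"msg-%d" % tries  # constructed inputs
        value = h_trunc(msg, bits)
        if value in seen:
            return seen[value], msg, tries
        seen[value] = msg
    return None, None, max_tries


def generic_work(bits: int) -> dict:
    """Expected hash calls for the generic attacks on an ideal `bits`-bit hash."""
    return {"second_preimage": 2 ** bits, "collision": 2 ** (bits // 2)}


if __name__ == "__main__":
    original = b"pay 1 BTC to Alice"  # constructed message
    other, tries = second_preimage(original, 16)
    print("16-bit second preimage after", tries, "tries:", other)

    a, b, tries = collision(32)
    print("32-bit collision after", tries, "tries:", a, b)

    # Every extra bit doubles the second-preimage cost; at the full 256 bits
    # the same loops would need on the order of these many hash calls.
    print(generic_work(256))
```

A hash counts as broken when someone finds a method that beats these generic costs by a wide margin, which is the sense in which no such break of SHA-256 has been published.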


Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on September 06, 2013, 09:28:49 PM
They made mistakes that gave Snowden access to more material than was necessary.


Cock-up, not conspiracy? Oh please. Who said that, Snowden himself? Thomas Clapper?


snowden is a shill btw. The hunt was an actors-piece. I call Snowden a 'limited hangout operation'
-> http://en.wikipedia.org/wiki/Limited_hangout

This is a convincing interpretation. I find it hard to believe that journalists are not amongst those that are watched rather closely by the security agencies of our world, and so the idea that Snowden was able to arrange and conduct a meet and exchange state secrets with a known Guardian journalist (who was said to be initially dismissive of using encrypted e-mail) before getting nabbed, it just sounds implausible. State information protection and gathering agency fails to intercept e-mails from a whistleblower to an information dissemination private professional? Come on. The long list of cock-ups from these agencies is more or less the only information about the operational activities of these organisations that ever makes it into our "reputable" media sources, as if the general impression we are expected to believe of these people is of unprofessional incompetence. The most professional public relations campaign they could conceivably run would involve the successful propagation of such a myth. Not to say they are somehow infallible and omniscient either, as this latest Snowden crypto cracking story is provoking, but that any public announcements either about them or from them should be treated with careful analysis, and certainly not blind acceptance.




Title: Re: Has the NSA already broken bitcoin?
Post by: hennessyhemp on September 06, 2013, 09:54:14 PM
This thread seems quite related to this one:

https://bitcointalk.org/index.php?topic=288738.20

I'm interested to know what people's thoughts are about my thoughts on that post regarding Coverity...as it seems like the real question isn't did they break it...it's did they leave a door open within sha-256 and/or within the open source code of QT.  Did QT use Coverity or similar closed source code-checking programs which have been influenced or owned outright by the NSA and/or Homeland Security?


Title: Re: Has the NSA already broken bitcoin?
Post by: karlmarxxx on September 07, 2013, 01:28:55 AM
I'm surprised no one has brought up the fact that there is encryption used on the wallet.dat and that may have a backdoor exploit, or a government could in theory steal your bitcoins while inspecting a laptop during travel if they have a backdoor to the encryption scheme.


Title: Re: Has the NSA already broken bitcoin?
Post by: rix5 on September 07, 2013, 01:31:27 AM
you should read up on quantum-computers ... i dont know much about sha-256 ... but when i read stuff like

 "Breaking a hash doesn't just mean recovering the original data.  It also includes being able to find alternate data that hashes to the same result (which is guaranteed to exist, it's just presumed impossible to find)."

i am not sure then if quantum-computers wouldnt be able to do the 'impossible' ?
This technology was a myth up until lately. Those new computers are said to have the 3600-fold power like the best supercomputer when it comes to cracking cryptography ...
The company building those monsters is called 'D-Wave'

"D-Wave, the small company that sells the world's only commercial quantum computer, has just bagged an impressive new customer: a collaboration between Google, NASA and the non-profit Universities Space Research Association. The three organizations have joined forces to install a D-Wave Two, the computer company's latest model, in a facility launched by the collaboration — the Quantum Artificial Intelligence Lab at NASA's Ames Research Center. The lab will explore areas such as machine learning — useful for functions such as language translation, image searches and voice-command recognition. The Google-led collaboration is only the second customer to buy computer from D-Wave — Lockheed Martin was the first."

http://www.wired.com/wiredenterprise/2012/02/dwave-quantum-cloud/

'Clock is ticking for encryption':
http://www.computerworld.com/s/article/354997/The_Clock_Is_Ticking_for_Encryption?pageNumber=1

is BTC post-quantum-cryptography already? ... i am a bit clueless though since cryptography is normally not my field ... just wanted to bring the quantum computer to your attention. The NSA also has these new monster-computers and is said to crack ANY encryption because of that ... i hope some of you crypto-experts can actually make sense of this and tell us if this is a threat for BTC ... warning: you will barely be able to understand the quantum-thing if you dont have a degree in physics ...


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 07, 2013, 01:41:16 AM
Generally quantum computers do a poor job of breaking symmetric encryption and hashing functions.  Their real threat is against asymmetric cryptography like ECDSA used by Bitcoin for signing and verifying transactions.   https://en.wikipedia.org/wiki/Shor's_algorithm  Shor's algorithm allows finding a private key given a public key in polynomial time which is many magnitudes faster than classical computing solutions.

D-Wave however isn't a general purpose quantum computer, it can not implement Shor's algorithm and is absolutely useless for breaking cryptography.  ECDSA can be broken with a large enough quantum computer but nobody has even broken 16 bit keys using a Quantum computer yet much less the 256 bit ECC keys used by Bitcoin.


Title: Re: Has the NSA already broken bitcoin?
Post by: karlmarxxx on September 07, 2013, 01:46:48 AM
I think the problem here is that governments have backdoor access to your router, your computer OS, and to the encryption schemes used to encrypt your wallet. It would be much easier to get your wallet.dat using these holes and hack that than to hack sha-256. The problem is now bad people also know there is an NSA hole/backdoor and they will try to exploit it.


Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on September 07, 2013, 01:47:58 AM
you should read up on quantum-computers ... i dont know much about sha-256 ... but when i read stuff like

 "Breaking a hash doesn't just mean recovering the original data.  It also includes being able to find alternate data that hashes to the same result (which is guaranteed to exist, it's just presumed impossible to find)."

i am not sure then if quantum-computers wouldnt be able to do the 'impossible' ?
This technology was a myth up until lately. Those new computers are said to have the 3600-fold power like the best supercomputer when it comes to cracking cryptography ...
The company building those monsters is called 'D-Wave'

"D-Wave, the small company that sells the world's only commercial quantum computer, has just bagged an impressive new customer: a collaboration between Google, NASA and the non-profit Universities Space Research Association. The three organizations have joined forces to install a D-Wave Two, the computer company's latest model, in a facility launched by the collaboration — the Quantum Artificial Intelligence Lab at NASA's Ames Research Center. The lab will explore areas such as machine learning — useful for functions such as language translation, image searches and voice-command recognition. The Google-led collaboration is only the second customer to buy computer from D-Wave — Lockheed Martin was the first."

http://www.wired.com/wiredenterprise/2012/02/dwave-quantum-cloud/

'Clock is ticking for encryption':
http://www.computerworld.com/s/article/354997/The_Clock_Is_Ticking_for_Encryption?pageNumber=1

is BTC post-quantum-cryptography already? ... i am a bit clueless though since cryptography is normally not my field ... just wanted to bring the quantum computer to your attention. The NSA also has these new monster-computers and is said to crack ANY encryption because of that ... i hope some of you crypto-experts can actually make sense of this and tell us if this is a threat for BTC ... warning: you will barely be able to understand the quantum-thing if you dont have a degree in physics ...

When you say "crack any encryption", you actually mean "crack any encryption from conventional computers".

Guess what? Quantum computing makes quantum cryptography a reality. And as D&T says, they're not an effective reality yet, not to mention that the laboratory conditions required for the current generations of QC's makes them unsuitable for field work in intelligence.


Title: Re: Has the NSA already broken bitcoin?
Post by: rix5 on September 07, 2013, 02:02:26 AM
good to hear that ... of course this technology is still brand new and not ready yet ... but we should keep an eye on that ... maybe in 50 years everybody has such a thing in his living room ... with breaking 'any' encryption was meant the conventional encryption for files - so truecrypt for example would be useless ... further than that: i am not an expert in the field and can not exactly say what they can and cant do. You have to research the stuff yourself if you understand cryptography since i wouldnt be able to answer your questions beyond doubt


Title: Re: Has the NSA already broken bitcoin?
Post by: niko on September 07, 2013, 02:08:00 AM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferable after the cartels and terrorists get comfortable and start relying on it.
What exactly are you thinking of when you write "exploit" or "break"? There is no encryption in Bitcoin. There is nothing to "break". They certainly have backdoors in most software, open source included, and in most hardware. All they could do with an undisclosed weakness in sha256 is to start mining faster. Why would they care about being able to mine faster? If they know of a weakness in ECDSA, they could spend my coins. Again, why would they care?


Title: Re: Has the NSA already broken bitcoin?
Post by: gmaxwell on September 07, 2013, 06:33:13 AM
with breaking 'any' encryption was meant the conventional encryption for files - so truecrypt for example would be useless
FWIW, Quantum computers are not even _theorized_ to do that.  Very large true quantum computers would render some cryptosystems obsolete, if they turn out to be possible to construct— primarily the popular asymmetric (public key) schemes whose hardness is based on the intractability of the hidden subgroup problem (http://en.wikipedia.org/wiki/Hidden_subgroup_problem) such as discrete log and factoring hardness systems.

QC's really don't do much of anything of interest to symmetric ciphers and hash functions, beyond suggesting that longer hashes and key lengths would be prudent (in theory Grover's algorithm gives a generic speedup on root finding over non-linear functions which is equivalent to halving the number of bits of input).  QC's should not render your truecrypt obsolete.

Bringing this back on topic— if ginormous QC's became a realistic threat we'd need to add a new checksig operator, which is just a soft forking change which could be non-disruptively deployed. So long as you don't reuse addresses you already have a degree of protection against QC's or any $spook backdoors in SECP256k1 ECDSA, as your ecdsa public key is not revealed until the first time you spend and any attacker would have to race your transaction to steal it. The bigger issue is that the QC secure signature schemes result in rather large signatures.
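The Lamport scheme mentioned earlier in the thread, and the remark above that QC-secure signatures are rather large, can both be seen in a short sketch. This is an added example, not part of the post and not the BIP draft it refers to; the function names are illustrative, and the hash choice is limited to SHA-256 and SHA3-256 because SHA-512/256 in Python's hashlib depends on the local OpenSSL build.

```python
import hashlib
import hmac
import secrets


def _digest_bits(message: bytes, hash_fn):
    """Hash the message and return the digest as a list of 0/1 bits."""
    digest = hash_fn(message).digest()
    return [(byte >> (7 - i)) & 1 for byte in digest for i in range(8)]


def keygen(hash_fn=hashlib.sha256):
    """One key pair: two random secrets per digest bit, public key = their hashes."""
    n = hash_fn().digest_size
    sk = [(secrets.token_bytes(n), secrets.token_bytes(n)) for _ in range(n * 8)]
    pk = [(hash_fn(s0).digest(), hash_fn(s1).digest()) for s0, s1 in sk]
    return sk, pk


def sign(sk, message: bytes, hash_fn=hashlib.sha256):
    """Reveal, for every digest bit, the secret that corresponds to its value."""
    return [sk[i][bit] for i, bit in enumerate(_digest_bits(message, hash_fn))]


def verify(pk, message: bytes, signature, hash_fn=hashlib.sha256) -> bool:
    """Check that each revealed secret hashes to the matching public-key entry."""
    bits = _digest_bits(message, hash_fn)
    if len(signature) != len(bits) or len(pk) != len(bits):
        return False
    ok = True
    for i, bit in enumerate(bits):
        ok &= hmac.compare_digest(hash_fn(signature[i]).digest(), pk[i][bit])
    return ok


def sizes(hash_fn=hashlib.sha256) -> dict:
    """Byte sizes of one signature and one public key for the chosen hash."""
    n = hash_fn().digest_size
    return {"signature": n * 8 * n, "public_key": 2 * n * 8 * n}


def secrets_exposed_by_reuse(msg_a: bytes, msg_b: bytes, hash_fn=hashlib.sha256) -> int:
    """Bit positions where signing both messages with one key reveals BOTH secrets.

    Lamport keys are one-time keys: every such position lets a third party
    choose either bit value there, so a key pair must sign a single message.
    """
    a = _digest_bits(msg_a, hash_fn)
    b = _digest_bits(msg_b, hash_fn)
    return sum(x != y for x, y in zip(a, b))


if __name__ == "__main__":
    for hash_fn in (hashlib.sha256, hashlib.sha3_256):
        sk, pk = keygen(hash_fn)
        tx = b"constructed transaction bytes"  # sample input built for this demo
        sig = sign(sk, tx, hash_fn)
        print(hash_fn().name, verify(pk, tx, sig, hash_fn), sizes(hash_fn))
    print("positions fully exposed by signing twice:",
          secrets_exposed_by_reuse(b"first spend", b"second spend"))
```

With a 256-bit hash the signature is 8192 bytes and the public key 16384 bytes, against roughly 70 bytes for a secp256k1 ECDSA signature. Security rests only on the hash function, so the one-time restriction is the price paid alongside the size.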


Title: Re: Has the NSA already broken bitcoin?
Post by: OldGeek on September 07, 2013, 07:25:12 AM
Here is a link that is somewhat on topic.  They don't specifically mention Bitcoin, but they do mention Namecoin.  Now this is a long read and if you aren't into the crypto scene you may not want to bother.  On the other hand, there is some really good info/speculation about NSA and their decrypt abilities. 

Go here to read it:  http://cryptome.org/2013/09/nsa-decrypt-cryptography-13-0905.htm

Two things of note that one or more of the participants mentioned; one said that the whole business was a "a wilderness of mirrors".  Another said something like "beware of recursive paranoia".

Apologies to the pro's who probably already read this, but I didn't see a reference to the list in this series of posts.

/Frank


Title: Re: Has the NSA already broken bitcoin?
Post by: qxzn on September 07, 2013, 07:36:43 AM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

can anyone think of a lower risk way to test...?

no body going to take this risk even its end of a life

send the NSA a  letter and see if they answer your question ::)

ooh I like the way you think. Direct and to the point!


Title: Re: Has the NSA already broken bitcoin?
Post by: manfred on September 07, 2013, 08:50:14 AM
If they need to break it they could, it is as simple as that. So far there is no need to do so. Right now the system does embrace Bitcoin and the alts because it fits nicely in a system which relies on growth to survive. Banks have more work, mining equipment is required, power companies have increased sales, exchanges need staff, new products being manufactured, ..........the list goes on, it's all sweet, perfect for the system. If at some time in years to come bitcoin is a threat or there is some other need to turn off the light switch then that's it, lights are out.
Think about it: in an all-out conflict the enemy would simply send encrypted messages back and forth with a few Satoshis and they would be locked out from their own castle they built. (Bitcoin's heart is SHA-256)
I am sorry but that's way too spaced out for me to accept. There are in-built weaknesses which can be exploited if there is a need.


Title: Re: Has the NSA already broken bitcoin?
Post by: TraderTimm on September 07, 2013, 07:12:38 PM
If they need to break it they could, it is as simple as that. So far there is no need to do so. Right now the system does embrace Bitcoin and the alts because it fits nicely in a system which relies on growth to survive. Banks have more work, mining equipment is required, power companies have increased sales, exchanges need staff, new products being manufactured, ..........the list goes on, it's all sweet, perfect for the system. If at some time in years to come bitcoin is a threat or there is some other need to turn off the light switch then that's it, lights are out.
Think about it: in an all-out conflict the enemy would simply send encrypted messages back and forth with a few Satoshis and they would be locked out from their own castle they built. (Bitcoin's heart is SHA-256)
I am sorry but that's way too spaced out for me to accept. There are in-built weaknesses which can be exploited if there is a need.

I don't buy this "if they need to break it, they will" bullshit.

Guess what, Silk Road is laughing all the way to the bank, and the DEA hasn't done a goddamned thing about it. Can't they get their NSA buddies to help them out? Every day they operate with their competitors in the onion-space of Tor is absolute proof that they can't do what they're claiming.

Should be easy-peasy, yeah? Just crack the private key and monitor transactions, gather IPs, do some network analysis on the exit/entry nodes...

And yet, millions of dollars are transacted every day without cessation.

So, I call bullshit on the entire idea that ECDSA,RIPE,SHA-2 is vulnerable to the extent that these bullies are implying.


Title: Re: Has the NSA already broken bitcoin?
Post by: mjc on September 07, 2013, 07:27:15 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

SHA is not an encryption protocol.  You can't encrypt messages with SHA.

But your public wallet address along with the associated private key is dependent on asymmetric encryption.


Title: Re: Has the NSA already broken bitcoin?
Post by: mjc on September 07, 2013, 07:32:22 PM
You guys are missing the point here.  NSA Social engineered back doors into the algorithms.  They placed back doors in the encryption.  Thus you do not need to brute force your way in; you just need an appropriate key.


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 07, 2013, 07:51:09 PM
NSA Social engineered back doors into the algorithms.  They placed back doors in the encryption.  

True

Microsoft had failed to remove the debugging symbols in ADVAPI.DLL, a security and encryption driver, when it released Service Pack 5 for Windows NT 4.0 and Andrew Fernandes, chief scientist with Cryptonym found the primary key stored in the variable _KEY and the second key was labeled _NSAKEY.

https://en.wikipedia.org/wiki/NSAKEY

And I would not be surprised if "social engineered" did not sometimes include coercion, blackmail, or extortion.

Snowden described his CIA experience in Geneva as "formative", stating that the CIA deliberately got a Swiss banker drunk and encouraged him to drive home. Snowden said that when the latter was arrested, a CIA operative offered to intervene and later recruited the banker.




Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 07, 2013, 07:58:00 PM
There are in-built weaknesses which can be exploited if there is a need.

Because the NSA is so smart that despite the algorithm being open and public nobody else on the planet has found the backdoor despite almost two decades of cryptanalysis? Somehow plenty of other less common weak, flawed, and backdoored algorithms get broken in a matter of months or years but SHA-2 is just beyond the smarts of the entire planet (except the NSA).  What makes this even more dubious is that the NSA would be playing with fire.  SHA-2 is the only hashing algorithm in "Suite B" and its use is MANDATED by CNSS for use in classified systems including those with national security implications.

Quote
Suite B– NIST cryptographic algorithms approved by NSA to protect National Security
Systems and the information that resides therein

Secure Hash Algorithm (SHA)
Use SHA-256 to protect up to SECRET.
Use SHA-384 to protect up to TOP SECRET.

Elliptic Curve Digital Signature Algorithm (ECDSA)
Use Curve P-256 to protect up to SECRET.
Use Curve P-384 to protect up to TOP SECRET.

https://www.cnss.gov/Assets/pdf/CNSSP_No%2015_minorUpdate1_Oct12012.pdf


SIPRNet and JWICS use SHA-2 (and only SHA-2) to ensure packet security (prevent MITM attacks).  Think the internet but instead of lolcats it has information that (and I quote) "the unauthorized disclosure of which reasonably could be expected to cause exceptionally grave damage to the national security [of the United States]".

Seems likely the US government would mandate the use of an algorithm they know is weak to protect some of the most important (and damaging) secrets of the US government.   I mean there is no possible way that ANYONE ELSE on the planet given an infinite amount of time, resources, and motivation couldn't find the backdoor and then use it to compromise the SIPRNet (and countless other military and intelligence systems) that might result in "exceptionally grave damage to the national security".

Of course not.  The NSA has god like powers over math and a monopoly on access to all the smart people on the planet (including future generations until the end of time).

For those who want to remove their tinfoil hats and consider things it is probable the NSA will do (or already has done):
* Use secret warrants to force ISP to provide access to raw communications.
* Install backdoors into operating systems, programs, and libraries.
* Actively infect computer systems and network to compromise data before it is encrypted.
* Engage in MITM type attacks that result in parties believing they are communicating in a secure manner but are both communicating with an NSA relay.
* Use brute force to break weak cryptography (80 bit strength or less) as well as keys derived from weak passwords.
* Break the low level requirements for strong cryptographic systems like encouraging usage of faulty or low entropy RNGs.

If you think of cryptography as a locked door, then strong cryptographic systems are more like a massive vault door.  Brute force isn't an option but it doesn't mean you can't go through the wall, open the vault from the inside, record the code used to unlock the door, sneak in when someone opens it, make the entire vault and owner "disappear", etc.


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on September 07, 2013, 08:08:02 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

SHA is not an encryption protocol.  You can't encrypt messages with SHA.

But your public wallet address along with the associated private key is dependent on asymmetric encryption.

Well no.  If you are going to provide a correction please at least get the terms correct.  ECDSA is not encryption.  The Bitcoin protocol does not use encryption in any form.  Some clients/wallets encrypt private keys for saf(er) storage but to date all of those have used symmetric encryption (i.e. QT client uses AES-256).


Title: Re: Has the NSA already broken bitcoin?
Post by: bernard75 on September 07, 2013, 08:13:45 PM
You guys are missing the point here.  NSA Social engineered back doors into the algorithms.  They placed back doors in the encryption.  Thus you do not need to brute force your way in, you just need an appropriate key.

That's quite a feat with open source.
At least when you compile yourself.


Title: Re: Has the NSA already broken bitcoin?
Post by: Walsoraj on September 07, 2013, 08:21:17 PM
What if the NSA employs some kind of idiot-savant-mathematics-super-genius who can instantaneously decipher any code? 


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 07, 2013, 08:24:22 PM
What if the NSA employs some kind of idiot-savant-mathematics-super-genius who can instantaneously decipher any code? 

(from idiot-savant-mathematics-super-genius.com)



Title: Re: Has the NSA already broken bitcoin?
Post by: Tisko on September 07, 2013, 08:34:10 PM
One thing instantly comes to mind: SHA-3

As revealed, previously NSA has made NIST insert their backdoored PRNGs into the standards etc.
NIST organized the competition to find the function to be called SHA-3 and one must wonder if Keccak won and was titled the SHA-3 because of some useful weaknesses NSA discovered in it.


Title: Re: Has the NSA already broken bitcoin?
Post by: Walsoraj on September 07, 2013, 08:35:40 PM
What if the NSA employs some kind of idiot-savant-mathematics-super-genius who can instantaneously decipher any code? 

(from idiot-savant-mathematics-super-genius.com)



stfu. I am not afraid to ask the tough questions, bro.

Also, on point article published today: http://arstechnica.com/security/2013/09/spooks-break-most-internet-crypto-but-how/


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 07, 2013, 08:55:24 PM


stfu. I am not afraid to ask the tough questions, bro.



☐ tough question
☑ something else

bro



Title: Re: Has the NSA already broken bitcoin?
Post by: Walsoraj on September 07, 2013, 09:00:48 PM


stfu. I am not afraid to ask the tough questions, bro.



☐ tough question
☑ something else

bro



cool story, i lol'd hard


Title: Re: Has the NSA already broken bitcoin?
Post by: qxzn on September 07, 2013, 10:44:19 PM
You guys are missing the point here.  NSA Social engineered back doors into the algorithms.  They placed back doors in the encryption.  Thus you do not need to brute force your way in, you just need an appropriate key.

That's quite a feat with open source.
At least when you compile yourself.

https://www.ece.cmu.edu/~ganger/712.fall02/papers/p761-thompson.pdf


Title: Re: Has the NSA already broken bitcoin?
Post by: bernard75 on September 07, 2013, 10:47:08 PM
Am I supposed to open that link?
You could have at least quoted what you think is relevant.


Title: Re: Has the NSA already broken bitcoin?
Post by: Ephebus on September 07, 2013, 11:21:20 PM
Legislation Seeks to Bar N.S.A. Tactic in Encryption

http://www.nytimes.com/2013/09/07/us/politics/legislation-seeks-to-bar-nsa-tactic-in-encryption.html


Title: Re: Has the NSA already broken bitcoin?
Post by: cypherdoc on September 08, 2013, 01:57:02 AM
Legislation Seeks to Bar N.S.A. Tactic in Encryption

http://www.nytimes.com/2013/09/07/us/politics/legislation-seeks-to-bar-nsa-tactic-in-encryption.html

well that's good news.

the NSA is so full of hubris.  it doesn't understand that its spying activities are ultimately going to hurt US corporations just like Huawei.

once they start lying and hiding, everything starts to unravel.

this is why we need Bitcoin.


Title: Re: Has the NSA already broken bitcoin?
Post by: niko on September 08, 2013, 03:23:12 AM
ECDSA curve parameters in Bitcoin are standard ones, recommended by NIST. I wonder where they came from. Is there any rationale behind these particular constants, or did they magically appear out of nowhere, akin to dual_ec_drbg?


Title: Re: Has the NSA already broken bitcoin?
Post by: theymos on September 08, 2013, 03:48:05 AM
Interestingly, Bitcoin is one of the only users worldwide of the ECDSA curve called secp256k1, which is not a verifiably-random curve. Unlike SHA-256's constants, we don't know for sure where secp256k1's curve constants came from. This curve was specified by SECG, which is a group that includes NIST.

It's very unlikely that this curve is particularly weak in any way, but it may be prudent to offer users the option of using different crypto. (This can be done in a backward-compatible way.)

A USA certificate? Why isn't the admin getting a not-USA as fast as possible?

It doesn't matter which CA you use. The CA system is structured such that any CA can compromise sites using any other CA. All HTTPS is unsafe if any CA is compromised (if you trust the CA system blindly).


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 08, 2013, 04:07:08 AM
I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time.

However it sounds like there's no real consensus that the k1 curve is really a terrible thing and indeed it may even be helpful in future as ECDSA verification is the primary CPU bottleneck for running a network node. So if Koblitz curves do indeed perform better we might end up grateful for that in future ...

highlighting added


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 08, 2013, 05:41:50 AM
The NSA recommends Elliptic Curve Cryptography in an article on their site.
http://www.nsa.gov/business/programs/elliptic_curve.shtml

So we could debate the significance of that recommendation, in light of recent disclosures.

For current cryptographic purposes, an elliptic curve is a plane curve which consists of the points satisfying the equation

    y^2 = x^3 + ax + b

along with a distinguished point at infinity, denoted ∞.  The entire security of ECC depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original and product points.

The hardest ECC scheme (publicly) broken to date had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case this was broken in July 2009 using a cluster of over 200 PlayStation 3 game consoles and could have been finished in 3.5 months using this cluster when running continuously. For the binary field case, it was broken in April 2004 using 2600 computers for 17 months.

Cryptographic experts have also expressed concerns that the National Security Agency has inserted a backdoor into at least one elliptic curve-based pseudo random generator. One analysis of the possible backdoor concluded that an adversary in possession of the algorithm's secret key could obtain encryption keys given only 32 bytes of ciphertext.
https://en.wikipedia.org/wiki/Elliptic_curve_cryptography



Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on September 08, 2013, 05:49:28 AM
The NSA recommends Elliptic Curve Cryptography in an article on their site.
http://www.nsa.gov/business/programs/elliptic_curve.shtml

For current cryptographic purposes, an elliptic curve is a plane curve which consists of the points satisfying the equation

    y^2 = x^3 + ax + b

along with a distinguished point at infinity, denoted ∞.  The entire security of ECC depends on the ability to compute a point multiplication and the inability to compute the multiplicand given the original and product points.
https://en.wikipedia.org/wiki/Elliptic_curve_cryptography



This is like Goldman Sachs recommending stocks to their clients they know they are going to be selling short ...

Basically any NSA recommendations have lost ALL credibility, and they are not going to get it back any time soon, if ever. They have not been dealing in good faith and ALL trust in any of their algos, methods, hardware, math, keys, certificates, etc ... everything NSA (incl. google and other compromised commercial proxies) are now suspect.

They should now be considered the national INsecurity Agency.


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 08, 2013, 06:01:40 AM
This is somewhat reminiscent of a scene from the movie Little Big Man

https://www.youtube.com/watch?v=xWGAdzn5_KU

Jack Crabb: General, you go down there.

General Custer: You're advising me to go into the Coulee?

Jack Crabb: Yes sir.

General Custer: There are no Indians there, I suppose.

Jack Crabb: I didn't say that. There are thousands of Indians down there. And when they get done with you, there won't be nothing left but a greasy spot. This ain't the Washita River, General, and them ain't helpless women and children waiting for you. They're Cheyenne brave, and Sioux. You go down there, General, if you've got the nerve.

General Custer: Still trying to outsmart me, aren't you, mule-skinner. You want me to think that you don't want me to go down there, but the subtle truth is you really *don't* want me to go down there!



Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on September 08, 2013, 12:56:47 PM
all of this aside, I think if the NSA had the ability to disrupt the security model of Bitcoin's fundamentals, they would have done it by now. Unless it is just a massive project to crash the world economy, force everyone onto cryptocurrency and only then start pwning the private keys of people they don't like. In which case, why at all sow any seeds of doubt now? Not convinced.


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 08, 2013, 06:25:11 PM
I think if the NSA had the ability to disrupt the security model of Bitcoin's fundamentals, they would have done it by now.

But doing so would have risked revealing their possession of backdoors to other forms of commonly-used computer security as well.  At least that would have been a concern until Snowden revealed the extent of their access, very recently.

from http://www.wired.com/politics/security/commentary/securitymatters/2007/11/securitymatters_1115

Quote
This is how it works: There are a bunch of constants -- fixed numbers -- in the standard used to define the algorithm's elliptic curve. These constants are listed in Appendix A of the NIST publication, but nowhere is it explained where they came from.

What Shumow and Ferguson showed is that these numbers have a relationship with a second, secret set of numbers that can act as a kind of skeleton key. If you know the secret numbers, you can predict the output of the random-number generator after collecting just 32 bytes of its output. To put that in real terms, you only need to monitor one TLS internet encryption connection in order to crack the security of that protocol. If you know the secret numbers, you can completely break any instantiation of Dual_EC_DRBG.

The researchers don't know what the secret numbers are. But because of the way the algorithm works, the person who produced the constants might know; he had the mathematical opportunity to produce the constants and the secret numbers in tandem.

If this story leaves you confused, join the club. I don't understand why the NSA was so insistent about including Dual_EC_DRBG in the standard. It makes no sense as a trap door: It's public, and rather obvious. It makes no sense from an engineering perspective: It's too slow for anyone to willingly use it. And it makes no sense from a backwards-compatibility perspective: Swapping one random-number generator for another is easy.

I discussed this with Satoshi. There is no particular reason why secp256k1 is used. It just happened to be around at the time.

However it sounds like there's no real consensus that the k1 curve is really a terrible thing and indeed it may even be helpful in future as ECDSA verification is the primary CPU bottleneck for running a network node. So if Koblitz curves do indeed perform better we might end up grateful for that in future ...
highlighting added

http://bitcoin.org/en/alert/2013-08-11-android
We recently learned that a component of Android responsible for generating secure random numbers contains critical weaknesses, that render all Android wallets generated to date vulnerable to theft.

http://www.foxnews.com/politics/2013/09/08/nsa-can-access-most-smartphone-data-report-says/?test=latestnews#ixzz2eLU9Ne6Q
The U.S. National Security Agency is able to crack protective measures on iPhones, BlackBerry and Android devices, giving it access to users' data on all major smartphones, according to a report Sunday in German news weekly Der Spiegel.

The documents outline how, starting in May 2009, intelligence agents were unable to access some information on BlackBerry phones for about a year after the Canadian manufacturer began using a new method to compress the data.  After GCHQ (British) cracked that problem, too, analysts celebrated their achievement...

We know that NSA has been peeing in the pool.  Some of the accidents, errors, and oversights that we are learning about may be deliberate acts.
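
The point multiplication described in the earlier elliptic-curve post and the "skeleton key" relationship between constants described in the Wired quote above can be seen together in a short model. This is an added example, not code from the thread or from any project: the names ToyDualEC, predict_next, verifiable_point and demo are hypothetical and the secrets are constructed. It assumes secp256k1 only because that is the curve the thread discusses; the real Dual_EC_DRBG is defined over NIST curves and truncates each output, which this model omits.

```python
# Added illustration: simplified Dual_EC_DRBG-style generator (no output truncation).
import hashlib

# secp256k1 domain parameters: y^2 = x^3 + ax + b over F_p with a = 0, b = 7.
P_FIELD = 2**256 - 2**32 - 977
A, B = 0, 7
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def on_curve(pt):
    """True if pt satisfies the curve equation (None is the point at infinity)."""
    if pt is None:
        return True
    x, y = pt
    return (y * y - (x * x * x + A * x + B)) % P_FIELD == 0


def add(p1, p2):
    """Affine point addition, including doubling and the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P_FIELD == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1 + A) * pow(2 * y1 % P_FIELD, -1, P_FIELD) % P_FIELD
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P_FIELD, -1, P_FIELD) % P_FIELD
    x3 = (lam * lam - x1 - x2) % P_FIELD
    return (x3, (lam * (x1 - x3) - y1) % P_FIELD)


def mul(k, pt):
    """Point multiplication k*pt by double-and-add (the easy direction)."""
    k %= N
    result = None
    while k:
        if k & 1:
            result = add(result, pt)
        pt = add(pt, pt)
        k >>= 1
    return result


def lift_x(x):
    """Recover a point with this x-coordinate, or None (uses p = 3 mod 4)."""
    y2 = (pow(x, 3, P_FIELD) + A * x + B) % P_FIELD
    y = pow(y2, (P_FIELD + 1) // 4, P_FIELD)
    return (x, y) if y * y % P_FIELD == y2 else None


class ToyDualEC:
    """State update s <- x(s*P), output x(s*Q). A zero state is not handled."""

    def __init__(self, p_point, q_point, seed):
        self.p_point, self.q_point, self.state = p_point, q_point, seed

    def next(self):
        self.state = mul(self.state, self.p_point)[0]
        return mul(self.state, self.q_point)[0]


def predict_next(output, d, q_point):
    """Whoever knows d with P = d*Q turns one output into the next one."""
    r_point = lift_x(output)           # +/-(s*Q); the sign does not change x
    next_state = mul(d, r_point)[0]    # x(d*s*Q) = x(s*P), the next state
    return mul(next_state, q_point)[0]


def verifiable_point(label):
    """Mitigation: derive Q by hashing a public label, so nobody chose d."""
    counter = 0
    while True:
        digest = hashlib.sha256(label + counter.to_bytes(4, "big")).digest()
        pt = lift_x(int.from_bytes(digest, "big") % P_FIELD)
        if pt is not None:
            return pt
        counter += 1


def demo():
    """Return (prediction works with chosen Q, prediction works with hashed Q)."""
    # Constructed secrets for the illustration only.
    e = int.from_bytes(hashlib.sha256(b"constructed designer secret").digest(), "big") % N
    seed = int.from_bytes(hashlib.sha256(b"constructed user seed").digest(), "big") % N
    d = pow(e, -1, N)                  # P = G = d*Q when Q = e*G
    results = []
    for q_point in (mul(e, G), verifiable_point(b"constructed public label")):
        gen = ToyDualEC(G, q_point, seed)
        first = gen.next()
        results.append(predict_next(first, d, q_point) == gen.next())
    return tuple(results)


if __name__ == "__main__":
    print(demo())
```

The same observed output is useless to the holder of d once Q comes from a public hash, which is the property a "verifiably random" constant is meant to give.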



Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on September 08, 2013, 11:53:52 PM
I think if the NSA had the ability to disrupt the security model of Bitcoin's fundamentals, they would have done it by now.

But doing so would have risked revealing their possession of backdoors to other forms of commonly-used computer security as well.  At least that would have been a concern until Snowden revealed the extent of their access, very recently.


Well, I still think that as per the Android PRNG issue, people have lost their pocket change as a sacrifice to everyone else's improved understanding of what is and isn't possible. Someone pointed out that the politics of currency isn't the NSA's raison d'etre, and that remains so until and if they are assigned a cryptocurrency takedown notice from the people who do make it their business. In the meantime, I'm glad that the discourse about the ECDSA vulnerabilities is playing out amongst the core development team, and if we need to change things, then change they will. It's not the ideal circumstances to have to alter the cryptographic underpinnings, but I don't know how else we could have expected such a change in perspective to play out. It could be worse than a single government source of (still not definitively a) compromise.


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on September 09, 2013, 12:15:30 AM
Yes.  I agree that the core development team is in the best position to evaluate all of this, in the light of recent public disclosures. 


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on September 09, 2013, 01:44:03 AM
Indeed. So, Edward Snowden already knew how effective NSA are at code-breaking and how pervasive their surveillance is, and yet he still managed to use e.snowden@lavabit.com to e-mail Glenn Greenwald for a Hong Kong meet, catch a plane to Hong Kong (the story goes that he only had a passport in his own name), and only once it was on every hourly newsreel did they start to try and apprehend him? You'd think that a highly paid contractor with high levels of access and clearance would have been getting watched as a matter of routine. Reality does not fit the story properly.

I can assure you folks aren't monitored quite like you'd imagine, not everyone at least.

Lots of discussion about broken crypto on here, some really good stuff with legitimacy too. Some of it is a little off the mark but close.

Best advice I will give, which is what I've been taught and live by: Presume none of your encryption matters, with regard to what you store and transmit.

Also, presume what's being suggested to use as the best encryption, is a bit of a double ruse. On one hand, some folks will look at that and think "they want me to use this.. because there's a way around it.. so I won't use it and will look at something else" ... which could also be equally compromised. The old salesman's technique, park the sedan next to the sports car and tell the guy all the reasons why he doesn't want the sports car. He'll buy the sports car.


Title: Re: Has the NSA already broken bitcoin?
Post by: ageisp0lis on September 09, 2013, 10:05:12 AM
I've written a speculative piece exploring the implications of this subject:
http://motherboard.vice.com/blog/what-do-the-latest-nsa-leaks-mean-for-bitcoin - What do the latest NSA leaks mean for Bitcoin?


Title: Re: Has the NSA already broken bitcoin?
Post by: becoin on September 09, 2013, 12:49:28 PM
all of this aside, I think if the NSA had the ability to disrupt the security model of Bitcoin's fundamentals, they would have done it by now. Unless it is just a massive project to crash the world economy, force everyone onto cryptocurrency and only then start pwning the private keys of people they don't like.
There is a very simple reason. Bitcoin was created to be a substitute for gold. The US government has a lot of computing power but has run out of gold. They owe a lot of gold to other nations but will never pay it back in gold.


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on September 09, 2013, 10:16:19 PM
Indeed. So, Edward Snowden already knew how effective NSA are at code-breaking and how pervasive their surveillance is, and yet he still managed to use e.snowden@lavabit.com to e-mail Glenn Greenwald for a Hong Kong meet, catch a plane to Hong Kong (the story goes that he only had a passport in his own name), and only once it was on every hourly newsreel did they start to try and apprehend him? You'd think that a highly paid contractor with high levels of access and clearance would have been getting watched as a matter of routine. Reality does not fit the story properly.

I can assure you folks aren't monitored quite like you'd imagine, not everyone at least.

Lots of discussion about broken crypto on here, some really good stuff with legitimacy too. Some of it is a little off the mark but close.

Best advice I will give, which is what I've been taught and live by: Presume none of your encryption matters, with regard to what you store and transmit.


What do you know that the rest of us don't?

... and after all your hidden wisdoms all you can come up with is, "don't expect privacy in your communications" ... huh, that's it?

NSA has done to crypto-science the identical to what some weak minds and ethically challenged have done to climate science ... subverted it for political motivations.

In the final analysis, the massive databases they are generating have zero difference to the system of dossiers that Stasi built up ... they manage to delude themselves it is because they have 'protections' about when the dossiers are allowed to be pulled.

The problem is not when/who gets to pull the dossier on whomever, it is the fact that they even exist in the first place. Until the databases are destroyed or corrupted beyond usefulness we are living in a Stasi state ...


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on September 10, 2013, 02:10:20 AM
What do you know that the rest of us don't?

... and after all your hidden wisdoms all you can come up with is, "don't expect privacy in your communications" ... huh, that's it?

If you're expecting folks to just come out and say they work for various departments and this is what they're basing their knowledge/experience on, I doubt you'll ever see that answer. I wish I could help you more. I'm sure many of us here wish they could do more.

The problem is not when/who gets to pull the dossier on whomever, it is the fact that they even exist in the first place. Until the databases are destroyed or corrupted beyond usefulness we are living in a Stasi state ...

Absolutely agree. This is just the tip of the green stem in the corner of the field. The briar has yet to fully engulf it, but it will; it's going to be far worse. Not necessarily in our lifetime, it's been about 100 years in the making.

If folks do enough research they'll find pieces of the puzzle and can loosely see that over the past century and a half, 'idiocy' of the US political system, and how a lot of international relations have panned out, was always planned to look like a circus spectacle, all the while pulling off one of the greatest sleights of hand of all present history. This isn't even conspiracy talk from the looney bin.. I've trolled this forum, and many others, and lots of people have pieces to the puzzle, some have put a few of them together. The reality is most don't realize the big picture, everyone is caught up in small political wars and finger pointing.

Some folks would say Orwell's 1984 was a great novel. Others would say, it was the subtle leaking of a greater plan. Those who understood and heeded the warning signs would know what to expect, and if desired, when to leave.

Zoom out, zoom really far out, and look at the big picture. This doesn't necessarily help this discussion, it's not meant to be the words of an oracle. I just hope it piques interest and gets people to dig. If folks are really curious, and some of you are good at digging, I suggest continue digging.


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on September 10, 2013, 02:22:29 AM
Why can't you just tell us what the big picture is that you are seeing?  :D


Title: Re: Has the NSA already broken bitcoin?
Post by: moni3z on September 10, 2013, 02:36:14 AM
Schneier has been emphatically telling whoever will listen lately to avoid elliptic-curve crypto engineering, or to increase the key sizes, due to math tricks involved he believes are probably ripe for mathematical breakthroughs. Most ECC is patented anyways by Certicom and requires licensing. The NSA has been pushing ECC lately as well in their Suite B protection which is probably Suite (B)ackdoored so they can spoof signatures and handshakes.

Still I doubt the NSA would want anything to do with bitcoin besides use it to pay their own spies in Iran and Russia. "Comrade, here is your 1000BTC for political blackmail purposes. Please get picture of Putin wearing lipstick passed out drunk in a dress".



Title: Re: Has the NSA already broken bitcoin?
Post by: niko on September 10, 2013, 02:36:26 AM
What do you know that the rest of us don't?

... and after all your hidden wisdoms all you can come up with is, "don't expect privacy in your communications" ... huh, that's it?

If you're expecting folks to just come out and say they work for various departments and this is what they're basing their knowledge/experience on, I doubt you'll ever see that answer. I wish I could help you more. I'm sure many of us here wish they could do more.

Your signature fits perfectly the self-portrait you just painted.

Quote
If I've been helpful or have made your day somehow and you want to give back, donations of all amounts are kindly accepted:BTC 15gmyvVQdvbz1RcAKqbpq6KTxHGxaJLY8p LTC LLNjd2njEeLQWuPxhvedBapky8grpMNjEBFTC 6qgo29SUvfNnXR5aMDvq9UySfa2eovJsBc DGC DHWWHx9Ac95p3izn3uKW1LZr5MzMw9XPPX


Title: Re: Has the NSA already broken bitcoin?
Post by: moni3z on September 10, 2013, 02:45:50 AM
I also don't buy the 'NSA recommends this so it must be a trick to get us to use something else!'. Whatever NIST recommendations are is what is put into commercial software/hardware blackboxes.


Title: Re: Has the NSA already broken bitcoin?
Post by: 01BTC10 on September 10, 2013, 02:57:40 AM
I'm reading this book right now. Pretty on topic. In this novel the NSA can decrypt any algorithm except one...

http://upload.wikimedia.org/wikipedia/en/c/c9/DigitalFortress.jpg

I'm sorry for your loss.  That book is total junk.  At least with the other formulaic dan brown novels, they touch on something he knows about (religious history).  This one does not.  
I'm reading about 1 novel a year. Much more than that when I was younger. I don't expect everything in this book to be accurate. I'm 50% done and enjoying it. The rest of the years, I'm reading technical books and stuff so this is relaxing for my mind.


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on September 10, 2013, 03:06:54 AM

Your signature fits perfectly the self-portrait you just painted.

*blink*

What does any of that have to do with anything being discussed? It's a signature to public donation and low volume receipt wallets. Most of us have them.

Still I doubt the NSA would want anything to do with bitcoin besides use it to pay their own spies in Iran and Russia. "Comrade, here is your 1000BTC for political blackmail purposes. Please get picture of Putin wearing lipstick passed out drunk in a dress".

Exactly. Could the technology and its adaptation/adoption/evolution be of interest in general? Perhaps. But they likely don't give a rip about people using it to send basic transactions.


Title: Re: Has the NSA already broken bitcoin?
Post by: citboin on September 10, 2013, 04:43:00 AM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

can anyone think of a lower risk way to test...?

I have an idea, do what these guys did :D

http://www.dailymail.co.uk/news/article-2407949/Test-reveals-Facebook-Twitter-Google-snoop-emails-Study-net-giants-spurs-new-privacy-concerns.html


Title: Re: Has the NSA already broken bitcoin?
Post by: Alpaca Bob on September 12, 2013, 11:59:25 AM
This is the crypto standard that the NSA sabotaged: http://boingboing.net/2013/09/11/this-the-the-crypto-standard-t.html


Title: Re: Has the NSA already broken bitcoin?
Post by: Puppet on September 13, 2013, 02:59:45 PM
This is the crypto standard that the NSA sabotaged: http://boingboing.net/2013/09/11/this-the-the-crypto-standard-t.html

Or that's the one they don't care about if you know it, since apparently it's used pretty much nowhere.
I also don't see how that would fit in to this quote from the Guardian article:
Quote

An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!"

The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

I don't think anyone would be gobsmacked if they found out an obscure, slow, suspect, almost never used pseudo random generator was hacked.

I don't know what to trust anymore right now, but on the top of things I no longer trust, is Tor;
http://news.softpedia.com/news/The-US-Government-Funds-60-Percent-of-the-Tor-Project-381195.shtml

Is that what they cracked in 2010? Who knows. But I doubt they would fund 60% of a project whose sole goal is precisely to make it virtually impossible for NSA and others to snoop on its users, unless there was a tangible benefit to it.


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on September 13, 2013, 03:31:29 PM
Is that what they cracked in 2010? Who knows. But I doubt they would fund 60% of a project whose sole goal is precisely to make it virtually impossible for NSA and others to snoop on its users, unless there was a tangible benefit to it.

Knowing what's in the network packets that folks don't want them to know.

http://en.wikipedia.org/wiki/The_enemy_of_my_enemy_is_my_friend


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on September 14, 2013, 03:47:44 AM
This is the crypto standard that the NSA sabotaged: http://boingboing.net/2013/09/11/this-the-the-crypto-standard-t.html

Or that's the one they don't care about if you know it, since apparently it's used pretty much nowhere.
I also don't see how that would fit in to this quote from the Guardian article:
Quote

An internal agency memo noted that among British analysts shown a presentation on the NSA's progress: "Those not already briefed were gobsmacked!"

The breakthrough, which was not described in detail in the documents, meant the intelligence agencies were able to monitor "large amounts" of data flowing through the world's fibre-optic cables and break its encryption, despite assurances from internet company executives that this data was beyond the reach of government.
http://www.theguardian.com/world/2013/sep/05/nsa-gchq-encryption-codes-security

I don't think anyone would be gobsmacked if they found out an obscure, slow, suspect, almost never used pseudo random generator was hacked.

I don't know what to trust anymore right now, but on the top of things I no longer trust, is Tor;
http://news.softpedia.com/news/The-US-Government-Funds-60-Percent-of-the-Tor-Project-381195.shtml

Is that what they cracked in 2010? Who knows. But I doubt they would fund 60% of a project whose sole goal is precisely to make it virtually impossible for NSA and others to snoop on its users, unless there was a tangible benefit to it.

"Gobsmacked analysts", "huge breakthrough circa 2010", these kinds of comments have now come from more than one source so it is gaining credibility that they are wielding a rather big cracking hammer right now ... all sound reasoning ... as I have suspected for some time Tor is just another spook honey pot.


Title: Re: Has the NSA already broken bitcoin?
Post by: Dabs on September 14, 2013, 04:31:51 AM
They want you to avoid using Tor. They also use Tor themselves.


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on September 14, 2013, 05:08:59 AM
They want you to avoid using Tor. They also use Tor themselves.

How could you possibly know that?

In related news Matthew Green one of the Zerocoin guys has got into trouble with his dept. dean at JHU criticising the NSA ... what a bunch of PC BS! (Not to mention smacks of censorship, 1st amendment suppression, etc)

http://www.theguardian.com/world/2013/sep/10/johns-hopkins-dean-apologises-for-blog

Quote
Matthew Green, an assistant research professor in JHU's department of computer science, was asked to remove a blog post from the university's servers on Monday. The entry linked to classified government documents published by the Guardian, the New York Times and ProPublica and summarised what Green called "bombshell revelations" of how the NSA is able to unlock encryption used to protect emails and other data.

JHU found itself criticised for abusing academic freedom after Andrew Douglas, who has served as interim dean of the university's engineering school since July, asked Green to remove the post from the university's servers.


Title: Re: Has the NSA already broken bitcoin?
Post by: niko on September 14, 2013, 05:29:20 AM
They want you to avoid using Tor. They also use Tor themselves.

How could you possibly know that?

In related news Matthew Green one of the Zerocoin guys has got into trouble with his dept. dean at JHU criticising the NSA ... what a bunch of PC BS! (Not to mention smacks of censorship, 1st amendment suppression, etc)

http://www.theguardian.com/world/2013/sep/10/johns-hopkins-dean-apologises-for-blog

Quote
Matthew Green, an assistant research professor in JHU's department of computer science, was asked to remove a blog post from the university's servers on Monday. The entry linked to classified government documents published by the Guardian, the New York Times and ProPublica and summarised what Green called "bombshell revelations" of how the NSA is able to unlock encryption used to protect emails and other data.

JHU found itself criticised for abusing academic freedom after Andrew Douglas, who has served as interim dean of the university's engineering school since July, asked Green to remove the post from the university's servers.
Andrew Douglas, how pathetic! He belongs more to the Soviet or Albanian past, or to the North Korea of today. In my experience, most of today's so-called intellectuals in the U.S. academia are similarly brain-washed into blind, politically-correct obedience. Dangerously stupid people.


Title: Re: Has the NSA already broken bitcoin?
Post by: prophetx on September 14, 2013, 06:50:25 AM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

can anyone think of a lower risk way to test...?

You all sign a notarized piece of paper that these conversations are to exercise artistic speech to create a book and that there is no intent to carry out the discussion that will take place beyond creating a work of fiction?


Title: Re: Has the NSA already broken bitcoin?
Post by: Dabs on September 16, 2013, 01:49:03 AM
They want you to avoid using Tor. They also use Tor themselves.

How could you possibly know that?
They helped design and implement Tor so their own people (government) can use it in foreign places. Actually, Tor was originally designed, implemented, and deployed as a third-generation onion routing project of the Naval Research Laboratory. It was originally developed with the U.S. Navy in mind, for the primary purpose of protecting government communications.


Title: Re: Has the NSA already broken bitcoin?
Post by: cypherdoc on September 16, 2013, 03:03:10 AM
They want you to avoid using Tor. They also use Tor themselves.

How could you possibly know that?

In related news Matthew Green one of the Zerocoin guys has got into trouble with his dept. dean at JHU criticising the NSA ... what a bunch of PC BS! (Not to mention smacks of censorship, 1st amendment suppression, etc)

http://www.theguardian.com/world/2013/sep/10/johns-hopkins-dean-apologises-for-blog

Quote
Matthew Green, an assistant research professor in JHU's department of computer science, was asked to remove a blog post from the university's servers on Monday. The entry linked to classified government documents published by the Guardian, the New York Times and ProPublica and summarised what Green called "bombshell revelations" of how the NSA is able to unlock encryption used to protect emails and other data.

JHU found itself criticised for abusing academic freedom after Andrew Douglas, who has served as interim dean of the university's engineering school since July, asked Green to remove the post from the university's servers.

you are aware that JHU has since apologized for the reprimand and allowed his original post to remain public?


Title: Re: Has the NSA already broken bitcoin?
Post by: freedomno1 on October 21, 2013, 02:23:07 AM
Not sure on the bitcoin security

Bitcoin does use ECDSA

 https://en.bitcoin.it/wiki/Elliptic_Curve_Digital_Signature_Algorithm

So does that make it vulnerable to the NSA

http://en.wikipedia.org/wiki/Elliptic_curve_cryptography

The use of elliptic curves in cryptography was suggested independently by Neal Koblitz[1] and Victor S. Miller[2] in 1985. Elliptic curve cryptography algorithms entered wide use in 2004 to 2005. The algorithm was approved by NIST in 2006. In 2013, the New York Times revealed that Dual Elliptic Curve Deterministic Random Bit Generation (or Dual_EC_DRBG) had been included as a NIST national standard due to the influence of NSA, which had included a deliberate weakness in the algorithm.[3]


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on October 21, 2013, 04:32:56 AM
ECDSA is not the same as Dual_EC_DRBG.   The vulnerability is with Dual_EC_DRBG not the entire ECC concept.  Actually the speed at which the crypto community sounded the alarm on Dual_EC_DRBG should be seen as a positive sign.  It was/is an obscure algorithm with no real widespread usage and the flaw was found and published internationally in the span of a few months.   


Title: Re: Has the NSA already broken bitcoin?
Post by: BTCisthefuture on October 21, 2013, 04:46:03 AM
it's certainly not out of the realm of possibility.  for people who think certain encryptions can't ever be broken, that's very naive to think that way. throughout history we end up breaking or doing things people never thought would be possible.  heck just go back 100 years or so and try to explain a smart phone to people.  so to think encryption can't be broken or won't be broken is very naive, i always assume that it can or is or will be broken at some point so it's going to be up to "us" to continue to make new and improved forms of encryption.

if the question is has the NSA already done it.... no, i don't think so.  But I do believe eventually at some point in the future it very well could happen.


Title: Re: Has the NSA already broken bitcoin?
Post by: jubalix on October 21, 2013, 07:49:21 AM
The NSA created Bitcoin and used ECDSA in it because they already had it broken.

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously.


Can anyone speak to the issue: if I use a deterministic wallet (e.g. Electrum) and I spend from one address, thus ECDSA is all that is needed to be cracked, can that private key be used to access the rest of the addresses even though unspent?

Thus would it be safer if I use Multibit or the QT, as the issue is in the random generation only but the second vulnerability is not there as those addresses are not deterministic?

Where is the best place to generate the safest address keys, as I like the Electrum interface and could always import keys?

I have tried to raise this in the Electrum sub boards, and the answer was not as definitive as I would have hoped.


Title: Re: Has the NSA already broken bitcoin?
Post by: Dabs on October 21, 2013, 08:11:33 AM
That's one reason I don't use deterministic wallets. You guess the master key somehow, you get all the keys. If you can get it from one of the spent keys, I don't know and that is up for debate, but I'd rather not take the risk when it is so easy to just use a brand new randomly generated bitcoin address.


Title: Re: Has the NSA already broken bitcoin?
Post by: cactus-pits on October 21, 2013, 09:37:02 AM
NSA even invented Bitcoin.

Nakamoto SAtoshi = NSA

lol


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on October 21, 2013, 10:08:03 PM
That's one reason I don't use deterministic wallets. You guess the master key somehow, you get all the keys. If you can get it from one of the spent keys, I don't know and that is up for debate, but I'd rather not take the risk when it is so easy to just use a brand new randomly generated bitcoin address.

How well do you know your RNG that created those addresses?


Title: Re: Has the NSA already broken bitcoin?
Post by: scarsbergholden on October 21, 2013, 10:27:35 PM
so what's the consensus here? NSA does or does not have a backdoor into SHA-256? that would be pretty worrisome.... thinking this is FUD, though.


Title: Re: Has the NSA already broken bitcoin?
Post by: foggyb on October 21, 2013, 10:41:06 PM
I'm reading this book right now. Pretty on topic. In this novel the NSA can decrypt any algorithm except one...

http://upload.wikimedia.org/wikipedia/en/c/c9/DigitalFortress.jpg

I'm sorry for your loss.  That book is total junk.  At least with the other formulaic dan brown novels, they touch on something he knows about (religious history).  This one does not.  
I'm reading about 1 novel a year. Much more than that when I was younger. I don't expect everything in this book to be accurate. I'm 50% done and enjoying it. The rest of the years, I'm reading technical books and stuff so this is relaxing for my mind.

Even his books on religious history are purely for entertainment and are seriously 'out there' on doctrine. If his cryptography treatment is similar, then accept it with a ten-ton salt boulder. Don't take Dan Brown so seriously.


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on October 22, 2013, 12:25:42 AM
The NSA created Bitcoin and used ECDSA in it because they already had it broken.

This risk is already mitigated for any bitcoin address that has not been used for spending (i.e. its public key is not yet known).

Even if ECDSA is broken wide open, it doesn't really matter with respect to bitcoins that have been received at addresses that have never been used for spending, because the corresponding ECDSA public key is not known and cannot be determined without also breaking both RIPEMD160 and SHA256 simultaneously.


Can anyone speak to the issue: if I use a deterministic wallet (e.g. Electrum) and I spend from one address, thus ECDSA is all that is needed to be cracked, can that private key be used to access the rest of the addresses even though unspent?

Thus would it be safer if I use Multibit or the QT, as the issue is in the random generation only but the second vulnerability is not there as those addresses are not deterministic?

Where is the best place to generate the safest address keys, as I like the Electrum interface and could always import keys?

I have tried to raise this in the Electrum sub boards, and the answer was not as definitive as I would have hoped.


My understanding (and please double verify) is that a known private key only will not enable you to find another private key, even multiple known private keys won't.  However if the master seed public key AND one private key from the wallet are known it is possible to compute the master seed private key and from that compute all private keys in the wallet. Then again there is no need to ever reveal your master seed public key or a private key so I don't see it as much of an enhanced threat.

Random Wallet
reveal private key - compromise one address
reveal wallet.dat (and passphrase) - compromise entire wallet

Deterministic Wallet
reveal private key - compromise one address
reveal wallet file (and passphrase) - compromise entire wallet
reveal master private key - compromise entire wallet
reveal private key AND master seed public key - compromise entire wallet

The first two vulnerabilities are the same.  The third one I just included to be explicit but honestly if an attacker can gain your master seed private key (which resides only in the wallet) it is highly likely your computer is compromised and a random wallet wouldn't provide any more security.

The last scenario is one where a user could (in theory) out themselves. For example, say a user puts the master public key seed on a website (so the site can generate public keys and a compromise won't result in a loss of a private key). The user also foolishly gives someone some funds by giving them a single private key. If an attacker took the known private key and compromised the website to gain the master public key seed, then the two could be used together to compromise the entire wallet. Simple solution: don't reveal private keys, and if you do, generate a new wallet (and thus new master private & public keys) and transfer all funds to the new wallet.
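
The last scenario in the post above (one revealed private key plus the master public key), as an added example that is not part of the original post and is not any wallet's own code. It assumes a simplified additive derivation on secp256k1, child = master + H(index, master public key) mod n, with hypothetical function names and a constructed demo seed, and it also shows that an offset keyed on the master private key does not have this property.

```python
import hashlib
import hmac

# secp256k1 domain parameters (the curve Bitcoin uses for ECDSA).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Constructed demo value, not a real wallet seed.
DEMO_MASTER_PRIV = int.from_bytes(
    hashlib.sha256(b"constructed demo seed - not a real wallet").digest(), "big") % N


def point_add(a, b):
    """Add two curve points; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow((2 * y1) % P, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def point_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc


def public_offset(master_pub, index):
    """Offset computable by anyone who holds the master public key (assumed scheme)."""
    data = b"%d:" % index + master_pub[0].to_bytes(32, "big") + master_pub[1].to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(hashlib.sha256(data).digest()).digest(), "big") % N


def derive_child_priv(master_priv, index):
    """Wallet side: child private key = master private key + public offset."""
    return (master_priv + public_offset(point_mul(master_priv), index)) % N


def derive_child_pub(master_pub, index):
    """Watch-only side (the website in the post): needs only the master public key."""
    return point_add(master_pub, point_mul(public_offset(master_pub, index)))


def recover_master_priv(master_pub, index, child_priv):
    """What the post warns about: subtracting the public offset undoes the derivation."""
    return (child_priv - public_offset(master_pub, index)) % N


def derive_child_priv_hardened(master_priv, index):
    """Variant whose offset is keyed on the master private key.

    The master public key no longer determines the offset, so a revealed child
    key exposes only itself. The cost: a watch-only site cannot derive the
    matching public keys any more.
    """
    mac = hmac.new(master_priv.to_bytes(32, "big"), b"%d" % index, hashlib.sha256)
    return int.from_bytes(mac.digest(), "big") % N


if __name__ == "__main__":
    m = DEMO_MASTER_PRIV
    M = point_mul(m)
    leaked = derive_child_priv(m, 3)
    print("watch-only key matches:", point_mul(leaked) == derive_child_pub(M, 3))
    print("master recovered from leak + master pub:", recover_master_priv(M, 3, leaked) == m)
    hardened = derive_child_priv_hardened(m, 3)
    print("master recovered from hardened leak:", recover_master_priv(M, 3, hardened) == m)
```

The convenience the post mentions (a site deriving addresses from the master public key alone) and the exposure it describes come from the same public offset, which is why the remedy given is to move funds to a fresh wallet once any single private key has been revealed.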


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on October 22, 2013, 12:37:21 AM
so what's the consensus here? NSA does or does not have a backdoor into SHA-256? that would be pretty worrisome.... thinking this is FUD, though.
The NSA has no need to put a backdoor in SHA-256 when all they need to do is backdoor the developers.

http://imgs.xkcd.com/comics/security.png

For the most part, the primary developers all:

  • are married
  • have children
  • have established careers with companies or academic institutions which are not easy to replace

Those three things are notable because those characteristics make them more vulnerable to extortion and blackmail than they might otherwise be.

Backdooring SHA-256 is presumably difficult.

On the other hand, threatening a core developer or two until they play ball is easy. Then their handlers just need to tell them to backdoor bitcoin in two steps:

First, build a trackable alternative to Bitcoin's most troublesome (from the NSA's perspective) features, such as the ability to send funds to an arbitrary public key.

Next, deprecate and remove the old function so that users no longer have the ability to avoid tracking.


Title: Re: Has the NSA already broken bitcoin?
Post by: oakpacific on October 22, 2013, 12:59:46 AM
Breaking SHA256 is pretty unlikely, that being said I still think we may change the wallet address hashing into something like SHA256(XOR(PubKey,SHA256(PubKey))), that will make any preimage attack against SHA256 useless.


Title: Re: Has the NSA already broken bitcoin?
Post by: jubalix on October 22, 2013, 04:08:00 PM
so what's the consensus here? NSA does or does not have a backdoor into SHA-256? that would be pretty worrisome.... thinking this is FUD, though.
The NSA has no need to put a backdoor in SHA-256 when all they need to do is backdoor the developers.

http://imgs.xkcd.com/comics/security.png

For the most part, the primary developers all:

  • are married
  • have children
  • have established careers with companies or academic institutions which are not easy to replace

Those three things are notable because those characteristics make them more vulnerable to extortion and blackmail than they might otherwise be.

Backdooring SHA-256 is presumably difficult.

On the other hand, threatening a core developer or two until they play ball is easy. Then their handlers just need to tell them to backdoor bitcoin in two steps:

First, build a trackable alternative to Bitcoin's most troublesome (from the NSA's perspective) features, such as the ability to send funds to an arbitrary public key.

Next, deprecate and remove the old function so that users no longer have the ability to avoid tracking.

nah, Gav addressed this and that's the point of the open source, you can see the code, and you would just fork back to the earlier version. This year's 0.8 --> 0.7 fork shows how quickly this can happen and how transitory its effect was on price


Title: Re: Has the NSA already broken bitcoin?
Post by: cypherdoc on October 22, 2013, 04:18:52 PM
am i correct that a PRNG on a pc is used 2 ways in Bitcoin; generating a nonce for ECDSA signed tx's and generating SHA256 private keys?  any other function i'm missing?


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on October 22, 2013, 04:44:08 PM
nah, Gav addressed this and that's the point of the open source, you can see the code, and you would just fork back to the earlier version. This year's 0.8 --> 0.7 fork shows how quickly this can happen and how transitory its effect was on price

The point made a few pages back was that opensource is a ruse--backdoors in closed source software on the host and client machines bypass the in-between security, rendering the opensource safety net moot.


Title: Re: Has the NSA already broken bitcoin?
Post by: jubalix on November 05, 2013, 11:32:15 AM
nah, Gav addressed this and that's the point of the open source, you can see the code, and you would just fork back to the earlier version. This year's 0.8 --> 0.7 fork shows how quickly this can happen and how transitory its effect was on price

The point made a few pages back was that opensource is a ruse--backdoors in closed source software on the host and client machines bypass the in-between security, rendering the opensource safety net moot.

what close source.....and you can air gap


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on November 05, 2013, 01:21:16 PM
nah, Gav addressed this and that's the point of the open source, you can see the code, and you would just fork back to the earlier version. This year's 0.8 --> 0.7 fork shows how quickly this can happen and how transitory its effect was on price

The point made a few pages back was that opensource is a ruse--backdoors in closed source software on the host and client machines bypass the in-between security, rendering the opensource safety net moot.

what close source.....and you can air gap

Any closed source.. anything running on your computer which isn't open source. And as mentioned before, there are developers in the open source world who are planted by various agencies for XYZ reasons.

The old x files adage is true, trust no one, and presume your system is compromised.


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on November 05, 2013, 09:02:53 PM
am i correct that a PRNG on a pc is used 2 ways in Bitcoin; generating a nonce for ECDSA signed tx's and generating SHA256 private keys?  any other function i'm missing?

For QT wallet (and probably others) the encryption passphrase is salted using a nonce.  For deterministic wallets the master private key seed would be randomly generated.


Title: Re: Has the NSA already broken bitcoin?
Post by: IsaacGoldbourne on November 05, 2013, 09:41:34 PM
I don't believe it... I could never think of any sci-fi-ass machine capable of cracking SHA256. Of course with Snowden's verification, how could it be false? I'm horrified. Are our savings subject to overnight destruction?
Even if they have broken encryption, hashing has not been broken.  Bitcoin users not affected.

Plus we know how SHA works and lots of people have analysed it. It's safe


Title: Re: Has the NSA already broken bitcoin?
Post by: manfred on November 05, 2013, 09:47:58 PM
NSA does not need to break bitcoin, something bigger is in the pipelines https://bitcointalk.org/index.php?topic=325642.0


Title: Re: Has the NSA already broken bitcoin?
Post by: Hippie Tech on November 06, 2013, 02:31:51 AM
From the horse's mouth..

http://www.democracynow.org/2013/9/6/the_end_of_internet_privacy_glenn

If you ask me, anything is possible. After all, it's only data.


Title: Re: Has the NSA already broken bitcoin?
Post by: ANIMUS999 on January 24, 2014, 09:31:13 AM
 >:(
Guys I think the community needs to take it seriously about NSA breaking the encryption.

http://techstring.files.wordpress.com/2014/01/lw4a1956.jpg?w=474&h=316
WAKEUPCALL --

NSA just bought a D-wave QUANTUM COMPUTER!!! in their brand new 1 billion data center in Utah...

This isn't a dream, it's going to become a reality and you programmer peeps need to get your asses in gear and look at a post quantum computer bitcoin world..

Links Below

http://www.extremetech.com/computing/173898-the-nsa-is-building-a-quantum-computer-to-crack-encryption

http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/02/confused-about-the-nsas-quantum-computing-project-this-mit-computer-scientist-can-explain/

And here's the wiki on their fancy data center that's gonna fu@k our economy up..!
http://en.wikipedia.org/wiki/Utah_Data_Center


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on January 24, 2014, 12:34:37 PM
How is our owning a data analysis center going to ruin the economy?


Title: Re: Has the NSA already broken bitcoin?
Post by: MarketNeutral on January 24, 2014, 12:35:18 PM
>:(
Guys I think the community needs to take it seriously about NSA breaking the encryption.

http://techstring.files.wordpress.com/2014/01/lw4a1956.jpg?w=474&h=316
WAKEUPCALL --

NSA just bought a D-wave QUANTUM COMPUTER!!! in their brand new 1 billion data center in Utah...

This isn't a dream, it's going to become a reality and you programmer peeps need to get your asses in gear and look at a post quantum computer bitcoin world..

Links Below

http://www.extremetech.com/computing/173898-the-nsa-is-building-a-quantum-computer-to-crack-encryption

http://www.washingtonpost.com/blogs/the-switch/wp/2014/01/02/confused-about-the-nsas-quantum-computing-project-this-mit-computer-scientist-can-explain/

And here's the wiki on their fancy data center that's gonna fu@k our economy up..!
http://en.wikipedia.org/wiki/Utah_Data_Center

Not quite the proverbial "box of fans," but nothing to panic over yet.

Search for previous threads on this topic. They're very interesting.


Title: Re: Has the NSA already broken bitcoin?
Post by: whtchocla7e on January 24, 2014, 01:58:37 PM
I have a fantastic idea - lets use an NSA algorithm to secure Bitcoin!!
They're good people. Who's with me?


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on January 24, 2014, 02:38:09 PM
Guys I think the community needs to take it seriously about NSA breaking the encryption.
I will as soon as you can explain in specific terms exactly what the NSA can do to Bitcoin with a quantum computer.


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on January 24, 2014, 02:58:11 PM
Guys I think the community needs to take it seriously about NSA breaking the encryption.
I will as soon as you can explain in specific terms exactly what the NSA can do to Bitcoin with a quantum computer.

^-- Lol, this.


Title: Re: Has the NSA already broken bitcoin?
Post by: whtchocla7e on January 24, 2014, 02:59:09 PM
Guys I think the community needs to take it seriously about NSA breaking the encryption.
I will as soon as you can explain in specific terms exactly what the NSA can do to Bitcoin with a quantum computer.

That's a great rebuttal. I'm sure the NSA shares all their secrets with him and he's got all the details. Just be patient.  ::)


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on January 24, 2014, 02:59:59 PM
The point he's making is... related to quantum computing vs bitcoin. Research it ..


Title: Re: Has the NSA already broken bitcoin?
Post by: DeathAndTaxes on January 24, 2014, 04:32:46 PM
The point he's making is... related to quantum computing vs bitcoin. Research it ..

Please tell me how quantum annealing can break cryptography.

Hint: it can't


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on January 24, 2014, 04:35:18 PM
I'll accept a description of the exact threat posed by a trivial method for breaking ECDSA in terms of how it affects network operation.

Start like this:

"If somebody invents a computationally cheap method of deriving ECDSA private keys from either cyphertext or public keys, the effect on Bitcoin will be: X"

Just explain what X is.


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on January 24, 2014, 04:57:32 PM
The point he's making is... related to quantum computing vs bitcoin. Research it ..

Please tell me how quantum annealing can break cryptography.

Hint: it can't 

... which is what I was implying ...


Title: Re: Has the NSA already broken bitcoin?
Post by: anti-scam on January 24, 2014, 05:06:02 PM
I'll accept a description of the exact threat posed by a trivial method for breaking ECDSA in terms of how it affects network operation.

Start like this:

"If somebody invents a computationally cheap method of deriving ECDSA private keys from either cyphertext or public keys, the effect on Bitcoin will be: X"

Just explain what X is.

X is all coins associated with a revealed public key becoming spendable by anybody and impossible to return to their original owners, which would affect primarily early adopters who have never moved their coins and people who reuse addresses.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on January 24, 2014, 05:12:04 PM
X is all coins associated with a revealed public key becoming spendable by anybody and impossible to return to their original owners, which would affect primarily early adopters who have never moved their coins and people who reuse addresses.
In addition there would be a window of vulnerability starting at the time when a transaction was broadcast and ending when it accumulated enough confirmations where an attacker who was quick, and well connected in the network, and probably had enough hashing power to orphan a block or two could steal coins.

Problems to be sure, but not exactly the end of the world.


Title: Re: Has the NSA already broken bitcoin?
Post by: anti-scam on January 24, 2014, 05:27:55 PM
X is all coins associated with a revealed public key becoming spendable by anybody and impossible to return to their original owners, which would affect primarily early adopters who have never moved their coins and people who reuse addresses.
In addition there would be a window of vulnerability starting at the time when a transaction was broadcast and ending when it accumulated enough confirmations where an attacker who was quick, and well connected in the network, and probably had enough hashing power to orphan a block or two could steal coins.

Problems to be sure, but not exactly the end of the world.

It will be the end of the world when somebody with an axe to grind gets their coins stolen from the allegedly perfectly secure Bitcoin network and goes to the media about it.


Title: Re: Has the NSA already broken bitcoin?
Post by: BreathOfZen on January 24, 2014, 06:12:14 PM
I'm 100% sure that SHA256 was born broken by the NSA, as well as every other method that they have released, but that's okay.  They won't reveal their crack just to mess with Bitcoin, and anyways they have probably already cracked most banking encryption as well.
So, you know...


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on January 24, 2014, 06:29:14 PM
It will be the end of the world when somebody with an axe to grind gets their coins stolen from the allegedly perfectly secure Bitcoin network and goes to the media about it.
Right, because Bitcoin has only survived until now because the media has been 100% supportive and behind us all the way,  ::)


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on January 24, 2014, 06:41:48 PM
I'm 100% sure that SHA256 was born broken by the NSA, as well as every other method that they have released, but that's okay.  They won't reveal their crack just to mess with Bitcoin, and anyways they have probably already cracked most banking encryption as well.
So, you know...

Because they need to crack banking encryption..? Microsoft, Apple and some embedded systems are in bed with these guys. They have the source. They have root.

They don't need much else.


Title: Re: Has the NSA already broken bitcoin?
Post by: jongameson on January 24, 2014, 06:53:16 PM
how hard would it be to make a SHA512 or SHA1024 coin


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on January 24, 2014, 07:04:08 PM
I'm 100% sure that SHA256 was born broken by the NSA, as well as every other method that they have released, but that's okay.  They won't reveal their crack just to mess with Bitcoin, and anyways they have probably already cracked most banking encryption as well.
So, you know...
Since you possess this insight, you should also be able to explain what exactly it means to break a hash function, and what doing so allows an attacker to achieve? Right?


Title: Re: Has the NSA already broken bitcoin?
Post by: BreathOfZen on January 24, 2014, 07:46:20 PM
I'm 100% sure that SHA256 was born broken by the NSA, as well as every other method that they have released, but that's okay.  They won't reveal their crack just to mess with Bitcoin, and anyways they have probably already cracked most banking encryption as well.
So, you know...
Since you possess this insight, you should also be able to explain what exactly it means to break a hash function, and what doing so allows an attacker to achieve? Right?

Sure. Practically speaking, "cracking a hash" would mean being able to find a practical and finite number of possible messages that would generate that hash.  From there you can use other identifying characteristics about the message itself to figure out which one is the real message. 


Title: Re: Has the NSA already broken bitcoin?
Post by: Sutters Mill on January 24, 2014, 08:22:09 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

Haha, very true. Anyone care to test (not with me  ;D)


Title: Re: Has the NSA already broken bitcoin?
Post by: vendetahome on January 24, 2014, 08:56:48 PM
how hard would it be to make a SHA512 or SHA1024 coin

Not very hard, but the blockchain will be bigger.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on January 24, 2014, 08:59:57 PM
Practically speaking, "cracking a hash" would mean being able to find a practical and finite number of possible messages that would generate that hash.  From there you can use other identifying characteristics about the message itself to figure out which one is the real message. 
And that has what exactly to do with Bitcoin?


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on January 24, 2014, 09:08:37 PM
I know one use that would be totally "end of Bitcoin" horrible:

Take the Bitcoin address, reverse all three hashes and wala you have one of the (on average) 2^96 possible public keys for that Bitcoin address!!!

OMG, end of the world, etc., etc.

Oh, wait, turns out that is really not all that much of a problem.

Still thinking...


Title: Re: Has the NSA already broken bitcoin?
Post by: TippingPoint on January 24, 2014, 09:24:12 PM
Is it possible that not all Bitcoin addresses are equally difficult to reverse engineer?

Are "even" numbers less secure than "odd"?

Does a higher percentage of alpha characters (rather than numeric) represent higher security?

Are there portions of an elliptical curve that are computationally more difficult?

etc.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on January 24, 2014, 09:27:02 PM
There actually are real, valid concerns regarding the effects of hash function vulnerabilities on Bitcoin, but saying "OMG the NSA can break everything!!!!" doesn't achieve anything useful.


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on January 24, 2014, 09:33:32 PM
Is it possible that not all Bitcoin addresses are equally difficult to reverse engineer?

   No.

Are "even" numbers less secure than "odd"?

   No.

Does a higher percentage of alpha characters (rather than numeric) represent higher security?

   No.

Are there portions of an elliptical curve that are computationally more difficult?

   No.


Title: Re: Has the NSA already broken bitcoin?
Post by: hashman on January 29, 2014, 07:19:05 PM
Is it possible that not all Bitcoin addresses are equally difficult to reverse engineer?

   No.

Does a higher percentage of alpha characters (rather than numeric) represent higher security?

   No.

Are there portions of an elliptical curve that are computationally more difficult?

   No.


Mostly true but I wouldn't use 1A5eBnS16ZGdyX2HqXfXzA84BEZJejQ4pG for example.  There are those people who have found that their private key was literally reverse engineered (cough, brainwallet).  Funny how low entropy is really tough to see after it's been hit by a couple hashes. 


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on January 29, 2014, 07:25:42 PM
Assuming the private key is generated using a secure random number generator with a good source of entropy then:

Is it possible that not all Bitcoin addresses are equally difficult to reverse engineer?

   No.

Are "even" numbers less secure than "odd"?

   No.

Does a higher percentage of alpha characters (rather than numeric) represent higher security?

   No.

Are there portions of an elliptical curve that are computationally more difficult?

   No.

Fixed.


Title: Re: Has the NSA already broken bitcoin?
Post by: Ignition75 on August 10, 2014, 01:36:33 PM
Schneier has been emphatically telling whoever will listen lately to avoid elliptic-curve crypto engineering, or to increase the key sizes, due to math tricks involved he believes are probably ripe for mathematical breakthroughs. Most ECC is patented anyways by Certicom and requires licensing. The NSA has been pushing ECC lately as well in their Suite B protection which is probably Suite (B)ackdoored so they can spoof signatures and handshakes.

Still I doubt the NSA would want anything to do with bitcoin besides use it to pay their own spies in Iran and Russia. "Comrade, here is your 1000BTC for political blackmail purposes. Please get picture of Putin wearing lipstick passed out drunk in a dress".



My thoughts exactly, Crypto will be used by the government just as much as everyone else, anonymous Crypto that is...


Title: Re: Has the NSA already broken bitcoin?
Post by: ensurance982 on August 10, 2014, 01:52:05 PM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferably after the cartels and terrorists get comfortable and start relying on it.

'decrypt' it? What are they trying to 'decrypt' about Bitcoin? If people are writing such things, they immediately show that they don't seem to know Jack about Bitcoin. They'd need to reverse one-way mathematical functions (hashing) or severely facilitate brute-force attempts by using holes in those functions (whether or not they may be there remains to be seen).


Title: Re: Has the NSA already broken bitcoin?
Post by: HarmonLi on August 10, 2014, 02:28:50 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

Haha, that's actually a nice thing to do :D :D But you would only see if the encryption you're using is flawed or broken. It wouldn't say a whole lot about the mathematical hashing functions of Bitcoin that protect it! You'd need to test or break them!


Title: Re: Has the NSA already broken bitcoin?
Post by: gtraah on August 10, 2014, 02:33:27 PM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferably after the cartels and terrorists get comfortable and start relying on it.

'decrypt' it? What are they trying to 'decrypt' about Bitcoin? If people are writing such things, they immediately show that they don't seem to know Jack about Bitcoin. They'd need to reverse one-way mathematical functions (hashing) or severely facilitate brute-force attempts by using holes in those functions (whether or not they may be there remains to be seen).

Man I have a feeling this community is its own worst nightmare, you are all going to conspiracy bitcoin to death lol, with all these posts from the outside trolls trying to plant seeds in all the paranoid heads around, and believe me there are many paranoid people here, I just hope 99.9% of the people here are smart enough not to believe in all these nonsense troll articles.


Title: Re: Has the NSA already broken bitcoin?
Post by: X7 on August 10, 2014, 03:32:10 PM
Go away you IMF hired troll - nobody has time to taste your tears.


Title: Re: Has the NSA already broken bitcoin?
Post by: Mobius on August 10, 2014, 05:08:15 PM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferably after the cartels and terrorists get comfortable and start relying on it.

'decrypt' it? What are they trying to 'decrypt' about Bitcoin? If people are writing such things, they immediately show that they don't seem to know Jack about Bitcoin. They'd need to reverse one-way mathematical functions (hashing) or severely facilitate brute-force attempts by using holes in those functions (whether or not they may be there remains to be seen).
I would seriously doubt that there are unknown "holes" in Bitcoin. Both nefarious actors and the Bitcoin devs are constantly looking for potential holes in the protocol to either exploit or fix. If the "NSA" were to "hack" Bitcoin then a specific person would have had to do it, and if this was the case the person would have a huge incentive to exploit it for personal gain.


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on August 11, 2014, 01:19:07 PM
I would seriously doubt that there are unknown "holes" in Bitcoin. Both nefarious actors and the Bitcoin devs are constantly looking for potential holes in the protocol to either exploit or fix. If the "NSA" were to "hack" Bitcoin then a specific person would have had to do it, and if this was the case the person would have a huge incentive to exploit it for personal gain.

The NSA does a lot which can provide great personal gain for any of the individuals working for them. The trick is to keep the workers happy.


Title: Re: Has the NSA already broken bitcoin?
Post by: Hustle2survive on August 11, 2014, 03:30:14 PM
why so many nsa threads today


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on August 11, 2014, 06:10:02 PM
This one is from last year.. who knows.


Title: Re: Has the NSA already broken bitcoin?
Post by: JimClone on August 11, 2014, 06:15:44 PM
If the NSA had all this amazing surveillance equipment then they already have everybody's private keys so therefore you should hack the NSA  ;D


Title: Re: Has the NSA already broken bitcoin?
Post by: BTCevo on August 11, 2014, 06:17:00 PM
The NSA is only working for one country though right? they couldn't possibly affect us in other countries could they?


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on August 11, 2014, 07:47:00 PM
The NSA is only working for one country though right? they couldn't possibly affect us in other countries could they?

Working 'for' one country, or working 'in' ? Their primary allegiance is the US, but they gather intel from all over the globe, and I'm sure use it as leverage with other governments to their advantage.


Title: Re: Has the NSA already broken bitcoin?
Post by: Spinti89 on August 11, 2014, 08:03:53 PM
I agree with "vesperwillow"
It doesn't matter where they're from... they have access to all the intel


Title: Re: Has the NSA already broken bitcoin?
Post by: taylortyler on August 11, 2014, 09:58:47 PM
If the NSA can crack encryption, and can crack Tor, it would be in their best interests to have the public believe that they cannot do such things. These people specialize in misinformation, so when the NSA says they "will never be able to deanonymize all Tor users all the time," I wouldn't be so quick to believe it.


Title: Re: Has the NSA already broken bitcoin?
Post by: dKingston on August 12, 2014, 12:44:21 AM
I would seriously doubt that there are unknown "holes" in Bitcoin. Both nefarious actors and the Bitcoin devs are constantly looking for potential holes in the protocol to either exploit or fix. If the "NSA" were to "hack" Bitcoin then a specific person would have had to do it, and if this was the case the person would have a huge incentive to exploit it for personal gain.

The NSA does a lot which can provide great personal gain for any of the individuals working for them. The trick is to keep the workers happy.
This would be very unethical for any entity to do. Companies do give some level of fringe benefits like free goods/services of what the entity produces but something like this would be crossing the line. This would be an abuse of power.


Title: Re: Has the NSA already broken bitcoin?
Post by: Mobius on August 12, 2014, 04:14:01 AM
I would seriously doubt that there are unknown "holes" in Bitcoin. Both nefarious actors and the Bitcoin devs are constantly looking for potential holes in the protocol to either exploit or fix. If the "NSA" were to "hack" Bitcoin then a specific person would have had to do it, and if this was the case the person would have a huge incentive to exploit it for personal gain.

The NSA does a lot which can provide great personal gain for any of the individuals working for them. The trick is to keep the workers happy.
This would be very unethical for any entity to do. Companies do give some level of fringe benefits like free goods/services of what the entity produces but something like this would be crossing the line. This would be an abuse of power.
I agree. This would be very unethical. It would be similar to a loan officer approving his own loan. There was actually a scandal about employees at the NSA spying on their love interests via various NSA programs, the employees did not make out well in terms of their careers or their security clearance.


Title: Re: Has the NSA already broken bitcoin?
Post by: vesperwillow on August 12, 2014, 04:25:25 AM
If the NSA can crack encryption, and can crack Tor, it would be in their best interests to have the public believe that they cannot do such things. These people specialize in misinformation, so when the NSA says they "will never be able to deanonymize all Tor users all the time," I wouldn't be so quick to believe it.

The public is usually so uncaring about the truth it doesn't usually matter, as long as they get their entertainment.

Americans are generally foolish sheep, too desirous to believe the happy fairy tales about their government, and incapable of handling the reality. As long as they stay entertained and appeased, they'll sign away all of their freedoms and rights.



Title: Re: Has the NSA already broken bitcoin?
Post by: zhinkk on August 12, 2014, 04:38:14 AM
Article doesn't really go into technical details, which is pretty much all that matters. I have faith in sha256.


Title: Re: Has the NSA already broken bitcoin?
Post by: mrcashking on August 12, 2014, 05:02:11 AM
i love conspiracy theories, gives me something to think about.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 23, 2015, 05:42:44 PM
i love conspiracy theories, gives me something to think about.

There seems to be overwhelming evidence that people at the NSA have deliberately weakened cryptography several times so that encrypted material would be available to them.

Is there any question about this?


Title: Re: Has the NSA already broken bitcoin?
Post by: RodeoX on April 23, 2015, 05:48:37 PM
When they talk about backdoors I don't think they mean the encryption scheme, they mean the proprietary software that uses it. For example Skype has backdoors that allow the NSA to eavesdrop on conversations. They are not breaking encryption, they are circumventing it with the help of Microsoft.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 23, 2015, 06:11:29 PM
When they talk about backdoors I don't think they mean the encryption scheme, they mean the proprietary software that uses it. For example Skype has backdoors that allow the NSA to eavesdrop on conversations. They are not breaking encryption, they are circumventing it with the help of Microsoft.

Many, many articles. Here are a few that are first on a search engine.

http://www.theregister.co.uk/2013/09/11/nist_denies_that_the_nsa_weakened_its_encryption_standard/

http://m.motherjones.com/kevin-drum/2013/12/nsa-paid-security-company-adopt-weakened-encryption-standards

http://www.theguardian.com/technology/2013/sep/16/nsa-gchq-undermine-internet-security

http://rt.com/usa/rsa-nsa-deal-weaken-encryption-581/

http://mobile.reuters.com/article/idUSBRE9BJ1C220131220?irpc=932

http://www.newscientist.com/article/dn24165-how-nsa-weakens-encryption-to-access-internet-traffic.html#.VTkzZKpMGns

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

Sha is bullshit.

This is probably common knowledge in government cryptographic circles in various countries and may even be what motivated a Chinese national to create Litecoin shortly after bitcoin.



Title: Re: Has the NSA already broken bitcoin?
Post by: ensurance982 on April 23, 2015, 09:38:29 PM
i love conspiracy theories, gives me something to think about.

There seems to be overwhelming evidence that people at the NSA have deliberately weakened cryptography several times so that encrypted material would be available to them.

Is there any question about this?

The question really is if they can weaken SHA256 so much that they are able to break the encryption or render BTC useless. There are a lot of mathematical geniuses in the world and the incentive has never been higher to find a loop hole in those encryptions.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 23, 2015, 10:27:14 PM
i love conspiracy theories, gives me something to think about.

There seems to be overwhelming evidence that people at the NSA have deliberately weakened cryptography several times so that encrypted material would be available to them.

Is there any question about this?

The question really is if they can weaken SHA256 so much that they are able to break the encryption or render BTC useless. There are a lot of mathematical geniuses in the world and the incentive has never been higher to find a loop hole in those encryptions.

I agree that it is good to promote learning, to motivate it.

But there are very few people, none in fact, who have even one percent of the computing power of the NSA.

Should we trust that they are 'benevolent' with their power? Look around the world and decide.

The NSA has a long history of providing the most secret material to dictators and oppressive regimes. A tiny minuscule fraction of its intelligence product is used legitimately to fight objective crime.

Before the dawn of the internet this was not a problem. Almost no Americans knew what was actually being done with the data they collected. Now though the internet has changed things.

It is not a question of 'rendering bit coin useless'. Obviously that would defeat any purpose behind having control of the algorithm.

Imagine a world where only one group of people knows exactly how much money you have and where you spend it.

Now imagine you are in a country with a military dictatorship supported by that group. Your family has been killed. Most of your friends have been killed. There is almost nothing left you can do. But you have enough bit coin to escape...


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on April 23, 2015, 10:31:57 PM
But there are very few people, none in fact, who have even one percent of the computing power of the NSA.
citation needed


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 23, 2015, 11:14:27 PM
But there are very few people, none in fact, who have even one percent of the computing power of the NSA.
citation needed

http://www.informationweek.com/architecture/nsa-building-$8965-million-supercomputing-center/d/d-id/1097313

One percent of $896.5 million is roughly $9 million.

They have much more than that.

Do you know any people with even $9 million computers loaded with code breaking software?

The point is that the person defending the NSA was offering a false gift, a Trojan horse. Is the NSA secretly trying to help the public learn math? No. That is zero percent of their motive, though a few people may learn a little math by trying to break btc.


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on April 23, 2015, 11:16:36 PM
Really good govt secrecy from the courts can hide as much incompetence as cool tech.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on April 23, 2015, 11:40:22 PM
But there are very few people, none in fact, who have even one percent of the computing power of the NSA.
citation needed

http://www.informationweek.com/architecture/nsa-building-$8965-million-supercomputing-center/d/d-id/1097313

One percent of $896.5 million is roughly $9 million.

They have much more than that.

Do you know any people with even $9 million computers loaded with code breaking software?

The point is that the person defending the NSA was offering a false gift, a Trojan horse. Is the NSA secretly trying to help the public learn math? No. That is zero percent of their motive, though a few people may learn a little math by trying to break btc.
If the NSA devoted all that equipment toward Bitcoin mining, what percent of the network hashrate would they acquire?


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 24, 2015, 12:06:23 AM
In the following thread:

https://bitcointalk.org/index.php?topic=289795.0

you will see that we cuss and discuss where the ECC parameters come from, if they were possibly designed to be weak by the NSA, etc.  I even contacted people on the committee that designed the ECC used by Bitcoin and asked them directly where the parameters came from.

I suggest a read of that entire thread.  It is probably the most fascinating thread I have ever participated in.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 24, 2015, 12:07:06 AM
Really good govt secrecy from the courts can hide as much incompetence as cool tech.

Incompetence is one way of looking at it.

I was driving a cab many years ago and a lady was in the cab with a kid about 5 or 10 years old. The kid said to his mother something like "mom you have a booger in your eye", and the mother started beating the kid. Not just mild hitting, she was pounding him and he was screaming. I didn't know whether to pull over and break it up, I did nothing.

I don't know much about that kid now. He would be in his 30s. I do know pretty surely he supports the NSA and any other agency without question. Some people are taught one direction, some another.

Incompetence might not be the best word.


Title: Re: Has the NSA already broken bitcoin?
Post by: EpicFail on April 24, 2015, 12:17:17 AM
In the following thread:

https://bitcointalk.org/index.php?topic=289795.0

you will see that we cuss and discuss where the ECC parameters come from, if they were possibly designed to be weak by the NSA, etc.  I even contacted people on the committee that designed the ECC used by Bitcoin and asked them directly where the parameters came from.

I suggest a read of that entire thread.  It is probably the most fascinating thread I have ever participated in.

Good thread indeed. I've always been more worried about potential weaknesses in ECC rather than somebody's ability to "decrypt" SHA256.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 24, 2015, 12:55:08 AM
In the following thread:

https://bitcointalk.org/index.php?topic=289795.0

you will see that we cuss and discuss where the ECC parameters come from, if they were possibly designed to be weak by the NSA, etc.  I even contacted people on the committee that designed the ECC used by Bitcoin and asked them directly where the parameters came from.

I suggest a read of that entire thread.  It is probably the most fascinating thread I have ever participated in.

One thing I have noticed again and again with regard to the integrity of bit coin crypto is a pattern of escalating deception.
Step one / Bit coin is secure because it would take trillions of trillions of years to break it. Once a person realizes that is nonsense they were shuffled to ...
step two / Hi, I am an authority in Cryptography and your concerns are nothing but conspiracy theory. The NSA has messed with software but they would not pollute actual crypto standards. So the media says otherwise > step three?

What is your opinion, derived from the thread you link to? Do you believe the thread points to bit coin being secure?


Title: Re: Has the NSA already broken bitcoin?
Post by: ebliever on April 24, 2015, 02:42:56 AM
But there are very few people, none in fact, who have even one percent of the computing power of the NSA.
citation needed

http://www.informationweek.com/architecture/nsa-building-$8965-million-supercomputing-center/d/d-id/1097313

One percent of $896.5 million is roughly $9 million.

They have much more than that.

Do you know any people with even $9 million computers loaded with code breaking software?

The point is that the person defending the NSA was offering a false gift, a Trojan horse. Is the NSA secretly trying to help the public learn math? No. That is zero percent of their motive, though a few people may learn a little math by trying to break btc.
If the NSA devoted all that equipment toward Bitcoin mining, what percent of the network hashrate would they acquire?

Probably not much. ASICs are what, a couple of orders of magnitude faster/more efficient than general computing hardware? Unless they've been heavily investing in bitcoin mining hardware specifically I doubt even the NSA could tackle the bitcoin mining system. I'd be open to quantitative analysis though. Personally I'd be more concerned about the Chinese government than the NSA. They would have potentially greater motive and resources (via contracts/strongarming of locally based bitcoin mining hardware companies) for an attack on bitcoin.


Title: Re: Has the NSA already broken bitcoin?
Post by: Kprawn on April 24, 2015, 06:31:48 AM
Why go into all the trouble to solve encryption, if they already have access to your device, on a hardware level? It is common knowledge that they have "backdoor" access to hardware and firmware on almost all hardware coming from the USA. {example : Cisco}

Those people using VPN's.... Sorry.. they got you too.  :(

They inject nasties into almost everything we do... {Quantum / Turbine etc. etc} Not even your phones are safe. {The OS and the service providers are infiltrated}

So just accept that your Bitcoin can be compromised, if they wanted to.... but for now, they are supposed to use that data, to fight terrorism / Money laundering / War against drugs etc. etc..  ::)


Title: Re: Has the NSA already broken bitcoin?
Post by: S4VV4S on April 24, 2015, 06:42:12 AM
Really good govt secrecy from the courts can hide as much incompetence as cool tech.

Incompetence is one way of looking at it.

I was driving a cab many years ago and a lady was in the cab with a kid about 5 or 10 years old. The kid said to his mother something like "mom you have a booger in your eye", and the mother started beating the kid. Not just mild hitting, she was pounding him and he was screaming. I didn't know whether to pull over and break it up, I did nothing.

I don't know much about that kid now. He would be in his 30s. I do know pretty surely he supports the NSA and any other agency without question. Some people are taught one direction, some another.

Incompetence might not be the best word.

WTF?
You let the kid get beaten up?

And what makes you so sure the kid supports the NSA now?
Because the NSA can stop bad mothers beating up their kids because she has a booger in her eye?

Apart from that, what makes you think that Bitcoin is not an NSA project to begin with?


Title: Re: Has the NSA already broken bitcoin?
Post by: Kazimir on April 24, 2015, 07:48:12 AM
Apart from that, what makes you think that Bitcoin is not an NSA project to begin with?
What makes you think that, even if that were the case, it would matter at all?

Bitcoin is open source, and clearly documented, and everybody can verify that it does what it's supposed to do, and cannot be controlled by the maker or anyone else.
Whoever made Bitcoin, or why, is completely irrelevant.

And by the way, I still see a lot of people in this thread talking about the NSA (or China or quantum computers or anyone) decrypting stuff, or 'breaking encryption'. Get a grip, people. THERE IS NO ENCRYPTION IN BITCOIN WHATSOEVER. So there's nothing to decrypt to begin with.


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 24, 2015, 06:11:06 PM
Apart from that, what makes you think that Bitcoin is not an NSA project to begin with?
What makes you think that, even if that were the case, it would matter at all?

Bitcoin is open source, and clearly documented, and everybody can verify that it does what it's supposed to do, and cannot be controlled by the maker or anyone else.
Whoever made Bitcoin, or why, is completely irrelevant.

And by the way, I still see a lot of people in this thread talking about the NSA (or China or quantum computers or anyone) decrypting stuff, or 'breaking encryption'. Get a grip, people. THERE IS NO ENCRYPTION IN BITCOIN WHATSOEVER. So there's nothing to decrypt to begin with.
Maybe it is just semantics but when you sign a transaction with your private key some people would call that encrypting.  These same people sometimes call the process of verifying signed data using the public key decryption.

Bitcoin does these processes, whatever you want to call it.



Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 24, 2015, 06:22:01 PM
What is your opinion, derived from the thread you link to? Do you believe the thread points to bit coin being secure?

My personal opinion, after researching it quite thoroughly, is that the NSA had zero input into the parameters used to create the specific elliptical curve (secp256k1) used by the Bitcoin protocol. 

This does not address possible weaknesses in the mathematics of elliptical curve cryptography in general. 

This does not address possible entropy issues in the random private key generation, and just as importantly the random nonce generation, of any particular implementation.

This does not address possible weaknesses in the other cryptographic subsystems used in the Bitcoin protocol, specifically the hashing algorithms.  Although I have looked into it and am personally fairly convinced that the hashing algorithms used are safe for our purposes.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 24, 2015, 07:03:40 PM
What is your opinion, derived from the thread you link to? Do you believe the thread points to bit coin being secure?

My personal opinion, after researching it quite thoroughly, is that the NSA had zero input into the parameters used to create the specific elliptical curve (secp256k1) used by the Bitcoin protocol. 

This does not address possible weaknesses in the mathematics of elliptical curve cryptography in general. 

This does not address possible entropy issues in the random private key generation, and just as importantly the random nonce generation, of any particular implementation.

This does not address possible weaknesses in the other cryptographic subsystems used in the Bitcoin protocol, specifically the hashing algorithms.  Although I have looked into it and am personally fairly convinced that the hashing algorithms used are safe for our purposes.

I expected that answer.

My opinion is other than that.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on April 24, 2015, 07:43:43 PM
I expect that Bitcoin will eventually be upgraded to use ed25519 signatures, putting to rest entirely any controversy associated with secp256k1.


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 24, 2015, 09:20:02 PM
What is your opinion, derived from the thread you link to? Do you believe the thread points to bit coin being secure?

My personal opinion, after researching it quite thoroughly, is that the NSA had zero input into the parameters used to create the specific elliptical curve (secp256k1) used by the Bitcoin protocol. 

This does not address possible weaknesses in the mathematics of elliptical curve cryptography in general. 

This does not address possible entropy issues in the random private key generation, and just as importantly the random nonce generation, of any particular implementation.

This does not address possible weaknesses in the other cryptographic subsystems used in the Bitcoin protocol, specifically the hashing algorithms.  Although I have looked into it and am personally fairly convinced that the hashing algorithms used are safe for our purposes.

I expected that answer.

My opinion is other than that.
With regard to secp256k1 do you have any facts to back up your opinion?


Title: Re: Has the NSA already broken bitcoin?
Post by: pereira4 on April 24, 2015, 10:08:05 PM
I expect that Bitcoin will eventually be upgraded to use ed25519 signatures, putting to rest entirely any controversy associated with secp256k1.
Wouldn't that require a fork? or that can be done easily on the fly on a further upgrade of Bitcoin qt? how does that work.


Title: Re: Has the NSA already broken bitcoin?
Post by: Beliathon on April 24, 2015, 11:53:08 PM
Apart from that, what makes you think that Bitcoin is not an NSA project to begin with?
What makes you think that, even if that were the case, it would matter at all?

Bitcoin is open source, and clearly documented, and everybody can verify that it does what it's supposed to do, and cannot be controlled by the maker or anyone else.
Whoever made Bitcoin, or why, is completely irrelevant.

And by the way, I still see a lot of people in this thread talking about the NSA (or China or quantum computers or anyone) decrypting stuff, or 'breaking encryption'. Get a grip, people. THERE IS NO ENCRYPTION IN BITCOIN WHATSOEVER. So there's nothing to decrypt to begin with.
Maybe it is just semantics but when you sign a transaction with your private key some people would call that encrypting.  
The problem is that you think such a concept exists as "private key", as if the privacy is inherent to the key. The phrase seems to imply that a private key is always private and cannot suddenly and inexplicably become known to someone else. This is a mistake, because in reality, there are only keys, which are bits of highly sensitive information, bits of math. The privacy or publicity of these bits of this information is the responsibility of whoever hold(s) keys. Always remember, information seeks to be free just as water seeks to flow down toward sea level.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on April 25, 2015, 12:23:47 AM
I expect that Bitcoin will eventually be upgraded to use ed25519 signatures, putting to rest entirely any controversy associated with secp256k1.
Wouldn't that require a fork? or that can be done easily on the fly on a further upgrade of Bitcoin qt? how does that work.
I've heard that it can be done with a soft fork by redefining a currently-unused opcode.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-rice-peas on April 25, 2015, 12:45:24 AM
What is your opinion, derived from the thread you link to? Do you believe the thread points to bit coin being secure?

My personal opinion, after researching it quite thoroughly, is that the NSA had zero input into the parameters used to create the specific elliptical curve (secp256k1) used by the Bitcoin protocol. 

This does not address possible weaknesses in the mathematics of elliptical curve cryptography in general. 

This does not address possible entropy issues in the random private key generation, and just as importantly the random nonce generation, of any particular implementation.

This does not address possible weaknesses in the other cryptographic subsystems used in the Bitcoin protocol, specifically the hashing algorithms.  Although I have looked into it and am personally fairly convinced that the hashing algorithms used are safe for our purposes.

I expected that answer.

My opinion is other than that.
With regard to secp256k1 do you have any facts to back up your opinion?

What concerns me is that every single vocal defender of the security of bitcoin's algorithm viz the NSA uses fallacious arguments, in my opinion, including you.

The suggestion as per your comment here is that a lack of evidence against secp256k1 would imply strength or security in bit coin, but that is not true. It's like saying "Oh, you do not live in Antarctica therefore you do not know snow". Further, the fact that such weak arguments are so pervasive concerns me.

Most bitcoiners believe it would take billions of years to crack bitcoin. But the truth is that nobody is going to crack it by brute force.

I am not a cryptographer, but I recognize bullshit and a lot of the defense of bit coin against possible NSA meddling is frankly bullshit.

1) There is a lot of material online about the NSA supposedly introducing deliberately flawed algorithms. The most serious of that material has been held back, even by Snowden.

2) Bitcoin relies on sha2 which is basically an NSA algorithm. In fact sha1 was tweaked by the NSA for reasons it chooses to keep secret.

3) The founder of bitcoin, Satoshi Nakamoto, is an unknown. I understand that there is a cult feeling around him for some people but all of the facts on top of his anonymity should be cause for pause.

4) Another very popular algorithm has been documented to my satisfaction as having originated with the NSA.



Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on April 25, 2015, 01:17:20 AM
There is a lot of material online about the NSA supposedly introducing deliberately flawed algorithms. The most serious of that material has been held back, even by Snowden.

Speaking of fallacious arguments: it's not possible to know that some material has been withheld, and that simultaneously this is known to be the most serious. By trying to make that statement sound more terrifying, you've revealed that you're making rhetorical arguments, not factual arguments.

FWIW, I'm not speaking from a position where I believe bitcoin is without any kind of dishonest influences, despite no solid facts existing to the contrary (you were asked to present some, to which you instead speculated again). But your position is one big contradiction. If the NSA or whoever are using their resources to develop cryptocurrency, it should be pretty clear from the way bitcoin has played out that they have serious intentions. I doubt anything or anyone could prevent their intended goal (whatever that is), these sorts of organisations have access to the kind of resources that no-one can challenge.


Title: Re: Has the NSA already broken bitcoin?
Post by: Carlton Banks on April 25, 2015, 01:49:39 AM
Again and again and again, I stress I am not a cryptographer but I am concerned by the deception and pressure tactics being used to get people to be confident that the NSA had no hand in bitcoin. Your comment is an example.

No it's not. I don't believe that NSA did not play a role. No evidence exists to suggest that they did, or that they did not. Therefore no-one (except NSA) knows. That includes you.


Title: Re: Has the NSA already broken bitcoin?
Post by: MicroGuy on April 25, 2015, 02:06:24 AM

Just read this disturbing article, based on recent leaks from Snowden:

http://www.propublica.org/article/the-nsas-secret-campaign-to-crack-undermine-internet-encryption

The article talks about the NSA responding to the rise in popularity of internet encryption by, among other things, deliberately weakening the algorithms in use to give themselves a back door to decrypt data. Bitcoin relies on SHA-256, originally created by the NSA. Perhaps there is a weakness that an organization with the resources of the NSA is able to exploit.

If so, that would explain why the major governments around the world seem to tolerate bitcoin. They know they can break it whenever they want. Preferably after the cartels and terrorists get comfortable and start relying on it.

No worries. There are several altcoins working on this problem now.


Title: Re: Has the NSA already broken bitcoin?
Post by: imamanandyou on April 25, 2015, 09:03:07 PM
I expect that Bitcoin will eventually be upgraded to use ed25519 signatures, putting to rest entirely any controversy associated with secp256k1.

Certainly bitcoin will have to be upgraded. There is simply too much uncertainty in the future in terms of processing power/trust that could possibly undermine it entirely. Through what method it is upgraded, whether it be another coin or through itself, remains to be seen.


Title: Re: Has the NSA already broken bitcoin?
Post by: BillyBobZorton on April 27, 2015, 10:29:56 AM
SHA256 is not going to get broken anytime soon. If that happened, it would basically mean every other electronic transaction system would get cracked as well. Bitcoin would be the least of the worries. Practically every credit card encryption is rocking the SHA256.


Title: Re: Has the NSA already broken bitcoin?
Post by: becoin on April 27, 2015, 04:51:10 PM
Practically every credit card encryption is rocking the SHA256.
Security that is good for banks simply isn't good enough for bitcoin. Bitcoin businesses that advertise their services to be of "banking grade" security are very funny. The "very secure" microcontrollers used in the credit cards simply shouldn't be used for bitcoin hardware wallets if they don't qualify for open source hardware!


Title: Re: Has the NSA already broken bitcoin?
Post by: Father Ted on April 27, 2015, 04:57:53 PM
SHA256 is not going to get broken anytime soon. If that happened, it would basically mean every other electronic transaction system would get cracked as well. Bitcoin would be the least of the worries. Practically every credit card encryption is rocking the SHA256.

I think the only people who think bitcoin is broken are the people who don't understand it and are conspiracytards who would rather invent or believe in the exciting myth and mystery of a conspiracy rather than the cold boring truth.


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on April 27, 2015, 06:51:49 PM
1) Does the NSA have any interest in breaking bitcoin?
Of course.

2) Do they have the means? Do they have any influence over the cryptography?
Yes. Sha is their creation and they made special adaptations to it for reasons that are secret.

3) Has the NSA ever engaged in a similar type of deception, i.e., promoting weak cryptographics so they could seem to be breaking codes, doing their jobs, expertly?
They have. They are not so much 'code breakers' as 'con men employing code breakers who are willing to work for con men'.

That still doesn't prove that NSA has intentionally made SHA insecure. It gives them a motive, but there's no evidence.


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on April 27, 2015, 07:59:26 PM
1) Does the NSA have any interest in breaking bitcoin?
Of course.

2) Do they have the means? Do they have any influence over the cryptography?
Yes. Sha is their creation and they made special adaptations to it for reasons that are secret.

3) Has the NSA ever engaged in a similar type of deception, i.e., promoting weak cryptographics so they could seem to be breaking codes, doing their jobs, expertly?
They have. They are not so much 'code breakers' as 'con men employing code breakers who are willing to work for con men'.

That still doesn't prove that NSA has intentionally made SHA insecure. It gives them a motive, but there's no evidence.

Your fallacy is in where the burden of proof lies.

Is it better to trust the good intentions of the nsa, or to use a clean algorithm so there is no need to trust them?

Do they have such a sparkling history that it is wise to trust them?

OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on April 27, 2015, 08:09:23 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?

I would use one that was not the product of the nsa, for reasons already given.

Which one? Give a concrete answer.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on April 27, 2015, 08:24:08 PM
1) Does the NSA have any interest in breaking bitcoin?
Of course.

2) Do they have the means? Do they have any influence over the cryptography?
Yes. Sha is their creation and they made special adaptations to it for reasons that are secret.

3) Has the NSA ever engaged in a similar type of deception, i.e., promoting weak cryptographics so they could seem to be breaking codes, doing their jobs, expertly?
They have. They are not so much 'code breakers' as 'con men employing code breakers who are willing to work for con men'.

That still doesn't prove that NSA has intentionally made SHA insecure. It gives them a motive, but there's no evidence.

Your fallacy is in where the burden of proof lies.

Is it better to trust the good intentions of the nsa, or to use a clean algorithm so there is no need to trust them?

Do they have such a sparkling history that it is wise to trust them?
What would happen if, just once, the NSA was asleep at the wheel and allowed a major cryptographic tool like SHA-2 to get approved without an exploitable back door, and to make things worse some status quo-threatening distributed currency started using it?

How might they recover from this blunder?

One way would be to spread FUD about SHA-2 to convince everyone to switch to a new algorithm their deep cover agents had prepared just for this event.

But on the other hand, if SHA-2 was broken and they wanted to keep the truth from getting out, they'd propose a story just like what I wrote above. Unless that's just what they want you to think.

Maybe this loop of infinite recursion of motives but no proof is not the way to go.

Instead, look at this another way.

There is an enormous financial incentive to being able to break double SHA-256. The most obvious incentive belongs to the ASIC manufacturers, who are devoting a lot of time to building machines that try to break double SHA-256 as rapidly and efficiently as possible.

None of them have found a substantial shortcut yet, despite years of working on it.

If the NSA did have a secret method, then every single person in the organization who knew about it would have a huge incentive to profit from it personally. Could all of them resist the temptation?

I think the hash rate will tell us if/when SHA-256 is broken, because we'll see a sudden increase that's not explainable any other way. Unless or until that happens, SHA-256 is probably safe.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on April 27, 2015, 08:26:31 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?

I would use one that was not the product of the nsa, for reasons already given.

Which one? Give a concrete answer.

That is another example of the fallacies being used to defend sha in bitcoin.

Is it not enough that I do not want to use an algorithm that was developed for and promoted by an intelligence gathering agency that for decades has used its data mainly for overseas repression?

I am not a cryptographer.

I am a person who does not want to support cryptography that will be used to target innocent people.

Are there really no options other than using an nsa algorithm?

???


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 27, 2015, 08:27:12 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?

I would use one that was not the product of the nsa, for reasons already given.

Which one? Give a concrete answer.
Also, please describe in detail exactly what you mean by a "broken" secure hash algorithm?  What, specifically, would be able to be done with the broken hash algorithm?

In other words, given that the NSA has some sort of "back door" into the hashing algorithm, what would they be able to do with this back door?  In what way could they harm Bitcoin with it?


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on April 27, 2015, 08:32:19 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?

I would use one that was not the product of the nsa, for reasons already given.

Which one? Give a concrete answer.
Also, please describe in detail exactly what you mean by a "broken" secure hash algorithm?  What, specifically, would be able to be done with the broken hash algorithm?

In other words, given that the NSA has some sort of "back door" into the hashing algorithm, what would they be able to do with this back door?  In what way could they harm Bitcoin with it?

****

Is it not enough that I do not want to use an algorithm that was developed for and promoted by an intelligence gathering agency that for decades has used its data mainly for overseas repression?

I am not a cryptographer.

I am a person who does not want to support cryptography that will be used to target innocent people.

Are there really no options other than using an nsa algorithm?

****

Is the mystery really why I do not support using an nsa algorithm?

Or is the mystery why so many of you do?


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on April 27, 2015, 08:33:48 PM
That is another example of the fallacies being used to defend sha in bitcoin.

I'm not defending SHA. Why do you get that impression?

Is it not enough that I do not want to use an algorithm that was developed for and promoted by an intelligence gathering agency that for decades has used its data mainly for overseas repression?

This is an ad hominem fallacy.

I am not a cryptographer.

Then you will have a hard time convincing cryptographers about what you believe is right. You should consider researching what you defend.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on April 27, 2015, 10:22:11 PM
That is another example of the fallacies being used to defend sha in bitcoin.

I'm not defending SHA. Why do you get that impression?

Is it not enough that I do not want to use an algorithm that was developed for and promoted by an intelligence gathering agency that for decades has used its data mainly for overseas repression?

This is an ad hominem fallacy.

I am not a cryptographer.

Then you will have a hard time convincing cryptographers about what you believe is right. You should consider researching what you defend.



I do not trust an algorithm developed by the nsa.

Why so many people are so quick to use weak arguments to defend the use of an nsa algorithm in bitcoin, I don't know.



Title: Re: Has the NSA already broken bitcoin?
Post by: Cryddit on April 27, 2015, 10:38:19 PM

The question is not whether bitcoin is broken.

The question is how likely it is that it is broken.

Is there zero chance? 5% chance? 100% chance? A person asks questions trying to assess the likelihood and immediately they are attacked with very dishonest arguments.

1) Does the NSA have any interest in breaking bitcoin?
Of course.

I think it more likely that their interest is in exploiting bitcoin than in breaking it.  What they want to do is track all the money.  Bitcoin has never been particularly private or anonymous; I'm sure that with the Internet-monitoring and data-mining capabilities they possess, they can pretty much attribute every bitcoin transaction to a particular user.  This doesn't require breaking bitcoin, or subverting its encryption or hashing, or being able to steal the money; in fact doing any of that would work against their interests since Bitcoin is likely to be the best thing that's ever happened to them in terms of making movements of money more trackable by their own resources (and not requiring pesky subpoenas or legal permissions to track) than it is by someone else's. That makes it in their best interests for Bitcoin to become the standard.


2) Do they have the means? Do they have any influence over the cryptography?
Yes. Sha is their creation and they made special adaptations to it for reasons that are secret.

Not in evidence.  MANY people who are not on their payroll, and have serious mathematical chops, have been all over SHA looking for ways to break it.  No break has been found.  Your certainty that there must be one is not evidence of its existence.  

3) Has the NSA ever engaged in a similar type of deception, i.e., promoting weak cryptographics so they could seem to be breaking codes, doing their jobs, expertly?
They have. They are not so much 'code breakers' as 'con men employing code breakers who are willing to work for con men'.

Embrace the power of 'and'.  They're both.  They aggressively hire mathematics and cryptography people, and not just as contractors.  They bring them onto payroll, tend to keep them employed at the same place for their entire career, and keep them up-to-the-minute with training and original work.  So yes to them being cryptographers.  They get as much as they can with cryptography, but they also have to go with what you're calling 'con' too.  With civilian crypto getting better, they are increasingly relying on protocol hacks and hardware hacks to go around the cryptography where they can't break it.  



Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on April 27, 2015, 10:40:48 PM
Quote
Why so many people are so quick to use weak arguments to defend the use of an nsa algorithm in bitcoin, I don't know.

They are only "weak" in your mind because you admittedly do not know the specifics of what you are arguing.

It is analogous to you saying, we shouldn't use F = M.A (Newton's law) because Newton was an alchemist in his spare time.


Title: Re: Has the NSA already broken bitcoin?
Post by: becoin on April 27, 2015, 11:08:15 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?
An algo designed by Bitcoin Engineering Task Force specifically for bitcoin. Then and only then bitcoin has a chance to be safe. Bitcoin should not use hashing algo because it is recommended by NIST or NSA or whatever. On the contrary, other organizations should use whatever bitcoin network uses because if it is broken bitcoin will act as honey-pot and will inevitably expose the weakness!


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 27, 2015, 11:10:39 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?
An algo designed by Bitcoin Engineering Task Force specifically for bitcoin. Then and only then bitcoin has a chance to be safe. Bitcoin should not use hashing algo because it is recommended by NIST or NSA or whatever. On the contrary, other organizations should use whatever bitcoin network uses because if it is broken bitcoin will act as honey-pot and will inevitably expose the weakness!

Roll your own = recipe for total disaster, see DVD copy protection and many other examples.


Title: Re: Has the NSA already broken bitcoin?
Post by: becoin on April 27, 2015, 11:28:53 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?
An algo designed by Bitcoin Engineering Task Force specifically for bitcoin. Then and only then bitcoin has a chance to be safe. Bitcoin should not use hashing algo because it is recommended by NIST or NSA or whatever. On the contrary, other organizations should use whatever bitcoin network uses because if it is broken bitcoin will act as honey-pot and will inevitably expose the weakness!

Roll your own = recipe for total disaster, see DVD copy protection and many other examples.
Well, how is that different from saying "Roll your own currency = recipe for total disaster"?


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 27, 2015, 11:36:18 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?
An algo designed by Bitcoin Engineering Task Force specifically for bitcoin. Then and only then bitcoin has a chance to be safe. Bitcoin should not use hashing algo because it is recommended by NIST or NSA or whatever. On the contrary, other organizations should use whatever bitcoin network uses because if it is broken bitcoin will act as honey-pot and will inevitably expose the weakness!

Roll your own = recipe for total disaster, see DVD copy protection and many other examples.
Well, how is that different from saying "Roll your own currency = recipe for total disaster"?
Putting together several standard crypto sub-systems to make something new, interesting, useful, etc.

versus

Creating your own crypto sub-system.

Using standard crypto that has been vetted by a worldwide audience of crypto experts and has millions of hours of use/debug/hardening.

versus

Using crypto that is vetted by a very small subset of all crypto experts and has very few hours of use/debug/hardening.
 


Title: Re: Has the NSA already broken bitcoin?
Post by: Cryddit on April 27, 2015, 11:42:20 PM
Roll your own can work, but doesn't usually.  

I'm not a "great" cryptographer, I'm only a "good" cryptographer.  That means I could create something secure, but it would be an order of magnitude more expensive to compute than a secure thing designed by a "great" cryptographer.  

There's a pretty big deal about the effectiveness of various tradeoffs.  Most crypto design is all about trying to find the *minimum* amount of processing needed to achieve a particular level of security.  If you're looking for a 128-bit block size, for example, you are looking for the smallest amount of processing you can do to make sure that an opponent trying to break it has no shortcuts that can save them from having a job at least as big as trying 2^128 possibilities until one of them works.  

There's also a pretty big deal about short, simple source code where bugs and backdoors have no place to hide.  If you can't express your encryption (or your hash) in about ~120 lines of code, plus data, people have good reason to suspect that it is longer mostly to give untrustworthy actors a place to hide things in it.  If any part of your data is not constrained for known reasons to have particular values, then the community will want to see "nothing up my sleeve numbers" such as digits of pi or e or phi or a story about how the 5 FAB CAFE BABE5 AD 1 COFFEE & 3 DEAD BEEF EA.

OTOH, if you just care about "secure" and damn the amount of hardware gates or the execution time or whatever, then you'll take your 30 lines of source code or whatever, verify that it's got some provably nonlinear components such as a composition of add-with-carry and XOR, identify a "well studied" PRNG such as SPRITZ to generate a thousand rounds worth of pseudo-random S-boxes, use a Feistel construction or something to make sure it can be inverted with a key, and iterate for a thousand rounds.  

Maybe you could have achieved your security goal with 24 rounds.  Maybe if you'd designed it much more carefully and with deep understanding of all known applicable attacks you could have shown that you could have achieved it with less than 50 and so designed it with only 100 or whatever.  Most likely there's some other construction that could achieve it with ~16 rounds of much more carefully selected and designed computation, where it could be shown to take less than 20 and so someone would have designed it with only 40 rounds.  What you come up with by throwing way more resources at it than needed is likely to be a waste of time and effort and silicon that would never get accepted as a standard.  And, bluntly, if you don't know combinations of operations result in provable nonlinearity (ie, if you're not even a "good" cryptographer, let alone a "great" one) you're likely to wind up with something that's STILL insecure.  

And nobody will ever trust it, because why on earth would somebody be spending that much compute effort on something that could be done faster and more efficiently, if they had nothing to hide?  This was the problem that the community had with NIST/RSA/NSA's Dual-ECC DRBG standard; it was horribly inefficient compared to known, well-studied PRNG's like SPRITZ, so why would anybody ever use it let alone make it standard?  And then they studied it hard and searched the literature and discovered a few old papers that had postulated the possibility of a broken PRNG based on a similar construction, and then verified that the Dual-ECC DRBG was susceptible to exactly the same breakage, and suddenly understood exactly why that horribly inefficient thing was put forward as a standard.  And RSA still has egg on its face from having to recommend to its users to NOT use its own product as the whole thing became public.





Title: Re: Has the NSA already broken bitcoin?
Post by: theymos on April 27, 2015, 11:46:37 PM
OK, if you were in control of the hashing algorithm used by Bitcoin, which one would you use and why?
An algo designed by Bitcoin Engineering Task Force specifically for bitcoin. Then and only then bitcoin has a chance to be safe. Bitcoin should not use hashing algo because it is recommended by NIST or NSA or whatever. On the contrary, other organizations should use whatever bitcoin network uses because if it is broken bitcoin will act as honey-pot and will inevitably expose the weakness!

The "Bitcoin Engineering Task Force" (aka Satoshi) already decided that SHA-256d is the best hash algorithm for Bitcoin. ;)

SHA-256 is very strong.  It's not like the incremental step from MD5 to SHA1.  It can last several decades unless there's some massive breakthrough attack.

Designing strong crypto is really really hard. Of the 56 algorithms in the SHA-3 competition (submitted by world-class cryptographers), some sort of potential weakness was found in ~33 of them (http://ehash.iaik.tugraz.at/wiki/The_SHA-3_Zoo). It's best to settle on a few algorithms that the academic community can scrutinize carefully for many years, as they've been doing with SHA-2. Even rather paranoid cryptographers like Bruce Schneier aren't really concerned about SHA-2. No one has any serious ideas on how you would even start to attack it. The similar but far-less-secure SHA-1 isn't even considered to be absolutely broken yet -- there aren't yet any examples of SHA-1 collisions, for example.
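
Two points from the thread, the SHA-256d named in the post above and the earlier argument that miners are in effect running a continuous brute-force search against double SHA-256, can be made concrete. This is an added example, not part of the original posts or of Bitcoin's own code: it hashes an 80-byte header with SHA-256d, expands the compact `bits` field into a target, and measures how many nonces a search needs at a deliberately easy target. The header field values, the easy `bits` value and all function names are constructed for illustration.

```python
import hashlib
import struct

def sha256d(data: bytes) -> bytes:
    """SHA-256 applied twice, as used for Bitcoin block hashing."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bits_to_target(bits: int) -> int:
    """Expand the 4-byte compact 'bits' field into the full 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))

def build_header(version, prev_hash, merkle_root, timestamp, bits, nonce) -> bytes:
    """Serialize an 80-byte header; integer fields are little-endian."""
    if len(prev_hash) != 32 or len(merkle_root) != 32:
        raise ValueError("hash fields must be 32 bytes")
    return (struct.pack("<I", version) + prev_hash + merkle_root
            + struct.pack("<III", timestamp, bits, nonce))

def meets_target(header: bytes, target: int) -> bool:
    """Proof-of-work rule: the digest, read as a little-endian integer, must not exceed the target."""
    return int.from_bytes(sha256d(header), "little") <= target

def mine(prev_hash, merkle_root, bits, timestamp=1430000000, max_nonce=1 << 32):
    """Try nonces in order; return the first one that satisfies the target, or None."""
    target = bits_to_target(bits)
    for nonce in range(max_nonce):
        if meets_target(build_header(1, prev_hash, merkle_root, timestamp, bits, nonce), target):
            return nonce
    return None

def expected_attempts(bits: int) -> float:
    """Attempts a shortcut-free search needs on average: 2**256 / (target + 1)."""
    return float(2 ** 256) / (bits_to_target(bits) + 1)

def mean_attempts(bits: int, trials: int) -> float:
    """Average attempts over several constructed headers (distinct merkle roots)."""
    total = 0
    for i in range(trials):
        merkle_root = hashlib.sha256(f"constructed tx set {i}".encode()).digest()
        nonce = mine(bytes(32), merkle_root, bits)
        total += nonce + 1
    return total / trials

# Constructed, deliberately easy target: roughly 8 leading zero bits.
EASY_BITS = 0x2000FFFF

if __name__ == "__main__":
    print("difficulty-1 target:", hex(bits_to_target(0x1D00FFFF)))
    print("expected attempts  :", round(expected_attempts(EASY_BITS), 1))
    print("measured mean      :", round(mean_attempts(EASY_BITS, 200), 1))
```

The measured mean tracks `2**256 / (target + 1)`; a party with a real shortcut through SHA-256d would find valid nonces in far fewer attempts than that, which is the anomaly the hash-rate argument expects to surface.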


Title: Re: Has the NSA already broken bitcoin?
Post by: becoin on April 28, 2015, 12:29:44 AM
The "Bitcoin Engineering Task Force" (aka Satoshi) already decided that SHA-256d is the best hash algorithm for Bitcoin. ;)
Satoshi (aka DARPA) designed bitcoin by the end of 2008 to substitute gold because by that time US financial system was teetering on the brink of total collapse with no gold in store. This is not necessarily a bad thing. But it's time for the lizard to sacrifice the tail and break free!


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on April 28, 2015, 01:52:40 AM
I do not trust an algorithm developed by the nsa.

Why so many people are so quick to use weak arguments to defend the use of an nsa algorithm in bitcoin, I don't know.

I'm not defending the NSA algorithm. I'm truly concerned with your lack of trust of them, but when I ask you what other alternatives you have considered, you start attacking me repeating again and again that I'm defending them.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on April 28, 2015, 02:14:49 AM
I do not trust an algorithm developed by the nsa.

Why so many people are so quick to use weak arguments to defend the use of an nsa algorithm in bitcoin, I don't know.

I'm not defending the NSA algorithm. I'm truly concerned with your lack of trust of them, but when I ask you what other alternatives you have considered, you start attacking me repeating again and again that I'm defending them.

And I'm truly concerned by your trust in the NSA.

As for alternatives, again, I'm not in that business but did not litecoin quickly find an alternative that was developed privately and whose security does not involve trusting the NSA?

From Wikipedia
"As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1. However, MD5 has been broken; an attack against it was used to break SSL in 2008.[9]
The SHA-0 and SHA-1 hash functions were developed by the NSA."

Did the NSA pay a $10 million bribe to RSA to secretly weaken some respected cryptographic tool? Are those articles false? Or are sha backers saying the RSA bribe was a one time thing and the NSA would never do something like that again?


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on April 28, 2015, 02:21:44 AM
And I'm truly concerned by your trust in the NSA.

You're not listening. Why are you not listening?


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on April 28, 2015, 02:23:10 AM
As for alternatives, again, I'm not in that business but did not litecoin quickly find an alternative that was developed privately and whose security does not involve trusting the NSA?

OK, if I understand correctly, now I see a proposal, that scrypt would be a better alternative than SHA.


Title: Re: Has the NSA already broken bitcoin?
Post by: J. J. Phillips on April 28, 2015, 03:18:08 AM
Simple ethics. The NSA has a long history of providing covertly obtained information to brutal governments who then use that information to kill people who they have no legitimate business killing.

It is going on today throughout Africa and the Middle East. It isn't like some dark chapter from long ago history. If the NSA owns bitcoin and bitcoin becomes mainstream then a lot of political dissidents in a lot of countries will die.

Why do so many people use such dishonest tactics to promote the notion that sha is clean from possible manipulation by the NSA?

One concern is obviously being able to physically locate a person using bitcoin.
Another concern is being able to snatch their coins.

Honestly, for fucks sake, who would trust something designed and promoted by the NSA?

It's like asking Charles Manson to babysit. Actually Manson has probably mended his ways and might make a good babysitter. The NSA has not changed. It uses sneaky tricky shit to kill a lot of people through proxies in the 3rd world.

All of this is irrelevant to the discussion of whether or not SHA2 is "broken". Just like I could bring up your ideas about 9/11, but it's irrelevant to your belief that SHA2 is "broken." It might let some of the other people on the thread know what a waste of time it is to argue with you.

Most educated Americans, a vast majority, believe discreetly that neocons in the United States, along with a vague network of Zionists, were responsible for 911.

If you pick any well educated American and get him or her drunk enough they will admit it. But polls say most people aren't really sure.


Title: Re: Has the NSA already broken bitcoin?
Post by: thejaytiesto on April 28, 2015, 04:31:49 PM
Simple ethics. The NSA has a long history of providing covertly obtained information to brutal governments who then use that information to kill people who they have no legitimate business killing.

It is going on today throughout Africa and the Middle East. It isn't like some dark chapter from long ago history. If the NSA owns bitcoin and bitcoin becomes mainstream then a lot of political dissidents in a lot of countries will die.

Why do so many people use such dishonest tactics to promote the notion that sha is clean from possible manipulation by the NSA?

One concern is obviously being able to physically locate a person using bitcoin.
Another concern is being able to snatch their coins.

Honestly, for fucks sake, who would trust something designed and promoted by the NSA?

It's like asking Charles Manson to babysit. Actually Manson has probably mended his ways and might make a good babysitter. The NSA has not changed. It uses sneaky tricky shit to kill a lot of people through proxies in the 3rd world.

All of this is irrelevant to the discussion of whether or not SHA2 is "broken". Just like I could bring up your ideas about 9/11, but it's irrelevant to your belief that SHA2 is "broken." It might let some of the other people on the thread know what a waste of time it is to argue with you.

Most educated Americans, a vast majority, believe discreetly that neocons in the United States, along with a vague network of Zionists, were responsible for 911.

If you pick any well educated American and get him or her drunk enough they will admit it. But polls say most people aren't really sure.


It seems some people like to think the NSA is some sort of know-it-all god that has deciphered everything that we ever knew, to make their lives more exciting or something. The truth of the matter is, they can't decipher SHA2, TOR, etc. It is what it is.


Title: Re: Has the NSA already broken bitcoin?
Post by: cypherdoc on April 28, 2015, 05:24:32 PM
stop feeding the troll


Title: Re: Has the NSA already broken bitcoin?
Post by: Cryddit on April 29, 2015, 04:30:03 AM
That's because you're only looking at the NSA, and the people who don't see anything wrong are looking at what the code actually does.

Yes, the NSA is a bad actor in several senses.  But you're talking about something which works in a known way that we can see and analyze.  What you're doing is sort of like claiming that there must be a hole in a steel pot because the guy who made the pot is an unethical businessman.  Well, unethical he might be.  He may have made some pots with holes in them.  But it does not mean that every pot he ever made has a hole in it.

People can still look at the pot - inspect it carefully even, test it as a pressure vessel - and find that it does not leak.  Similarly, scores of professional cryptographers and math Ph.D's have analyzed every aspect of SHA2 looking for ways to attack it, and found no leaks. 

If we could not see how it worked, or we didn't know how to search for problems, etc, then you'd have a point, but you'd also be meeting with no disagreement.  People would immediately and rightfully reject anything whose workings and structure they could not verify and analyze, notwithstanding whether they trust or do not trust its source.


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on April 29, 2015, 04:53:52 AM
That's because you're only looking at the NSA, and the people who don't see anything wrong are looking at what the code actually does.

Yes, the NSA is a bad actor in several senses.  But you're talking about something which works in a known way that we can see and analyze.  What you're doing is sort of like claiming that there must be a hole in a steel pot because the guy who made the pot is an unethical businessman.  Well, unethical he might be.  He may have made some pots with holes in them.  But it does not mean that every pot he ever made has a hole in it.

People can still look at the pot - inspect it carefully even, test it as a pressure vessel - and find that it does not leak.  Similarly, scores of professional cryptographers and math Ph.D's have analyzed every aspect of SHA2 looking for ways to attack it, and found no leaks. 

If we could not see how it worked, or we didn't know how to search for problems, etc, then you'd have a point, but you'd also be meeting with no disagreement.  People would immediately and rightfully reject anything whose workings and structure they could not verify and analyze, notwithstanding whether they trust or do not trust its source.

Not only that, he hasn't described any conceivable method that a "back-doored" sha256 could be used to attack bitcoin in such a way as to cause damage or loss before it could be replaced if necessary.

Total troll, with repeating the same question ad nauseam, ad hominems and using willful ignorance to avoid specifics. No-name, throwaway newbie account. Yawn.


Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on April 29, 2015, 08:03:12 AM
It boggles my mind how, after Snowden and all the other information that has come out lately, someone can be called a troll for saying they do not trust the integrity of NSA crypto.

What would the NSA have to do to lose support from you people?

And if sha2 turns out to be some NSA sneakiness will you say "wow, totally shocked"?
No crypto is trusted whether it comes from the NSA or not. Let's say SHA-3 gets preferred treatment because it was not from the NSA. Well, who can be sure that they were not involved at all? With the spy stuff going on, it's better to stick to the math.


Title: Re: Has the NSA already broken bitcoin?
Post by: RodeoX on April 29, 2015, 08:04:23 PM
This is all BS.


Title: Re: Has the NSA already broken bitcoin?
Post by: cypherdoc on April 29, 2015, 08:09:39 PM
no ice:

i'll tell you what's more likely given all the evidence we've seen over the years re: crypto, the NSA, and Bitcoin.

it's more likely you're a gvt/bank hired troll assigned to come here and inject fear into the Bitcoin community and to try and scare off any new adopters.  i say that b/c everything you've said is hearsay and is based on lack of evidence.  you appear not to understand the first thing about cryptography.  it's pure fear mongering.


Title: Re: Has the NSA already broken bitcoin?
Post by: spazzdla on April 29, 2015, 08:20:25 PM
stop feeding the troll

It boggles my mind how, after Snowden and all the other information that has come out lately, someone can be called a troll for saying they do not trust the integrity of NSA crypto.

What would the NSA have to do to lose support from you people?

And if sha2 turns out to be some NSA sneakiness will you say "wow, totally shocked"?

You are a troll or WILDLY overestimate how smart you are.. sorry to break it to you.  Like wildly overestimate..

Do you even know what a cipher is?  Do you know what encryption even does?


It is like trying to explain the Imaginary number to a 7yo that just learned how to add.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on April 29, 2015, 09:25:37 PM
There's an industry devoted to building machines that break double SHA256 as rapidly and efficiently as possible.

If there's an exploitable flaw in SHA256, they'll eventually find it and incorporate it into their products.

Then all the manufacturers will copy the technique and the network difficulty will adjust upward to compensate for the attack and things will be right back to normal, giving us plenty of time to upgrade the network to a stronger hash function.


Title: Re: Has the NSA already broken bitcoin?
Post by: becoin on April 29, 2015, 09:51:34 PM
Not only that, he hasn't described any conceivable method that a "back-doored" sha256 could be used to attack bitcoin in such a way as to cause damage or loss before it could be replaced if necessary.
Well here is one. A message "Bitcoin was created by a special team authorized by US government" published and signed with Satoshi's PGP key. Although some altcoins will flourish that will be the end of bitcoin.


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on April 29, 2015, 10:54:06 PM
Not only that, he hasn't described any conceivable method that a "back-doored" sha256 could be used to attack bitcoin in such a way as to cause damage or loss before it could be replaced if necessary.
Well here is one. A message "Bitcoin was created by a special team authorized by US government" published and signed with Satoshi's PGP key. Although some altcoins will flourish that will be the end of bitcoin.

... and what would that have to do with a back-doored sha256?


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 29, 2015, 11:28:53 PM
Ultimately it's a moot point

I agree with you wholeheartedly!

Bitcoin is not going to change the hashing algorithm used based upon feelings.  If a weakness is ever discovered there will be plenty of time to switch to another algorithm.


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 29, 2015, 11:30:33 PM
Not only that, he hasn't described any conceivable method that a "back-doored" sha256 could be used to attack bitcoin in such a way as to cause damage or loss before it could be replaced if necessary.
Well here is one. A message "Bitcoin was created by a special team authorized by US government" published and signed with Satoshi's PGP key. Although some altcoins will flourish that will be the end of bitcoin.

... and what would that have to do with a back-doored sha256?
Not only that but doesn't PGP use RSA, not ECC?


Title: Re: Has the NSA already broken bitcoin?
Post by: becoin on April 30, 2015, 07:58:16 AM
Not only that, he hasn't described any conceivable method that a "back-doored" sha256 could be used to attack bitcoin in such a way as to cause damage or loss before it could be replaced if necessary.
Well here is one. A message "Bitcoin was created by a special team authorized by US government" published and signed with Satoshi's PGP key. Although some altcoins will flourish that will be the end of bitcoin.

... and what would that have to do with a back-doored sha256?
Not only that but doesn't PGP use RSA, not ECC?
My point is there is no need to craft complex 'conceivable' methods to attack bitcoin. What an attacker needs to focus on is breaking a single PGP key (was it 2048 bit or less?). This is why it is important not to sit and wait until this key is broken but move on and make bitcoin truly independent of its creator's will.

If you insist on RSA vs ECC argument, then same message might be signed with the key Satoshi used to sign network genesis block.


Title: Re: Has the NSA already broken bitcoin?
Post by: J. J. Phillips on April 30, 2015, 10:58:11 AM
no ice:

i'll tell you what's more likely given all the evidence we've seen over the years re: crypto, the NSA, and Bitcoin.

it's more likely you're a gvt/bank hired troll assigned to come here and inject fear into the Bitcoin community and to try and scare off any new adopters.  i say that b/c everything you've said is hearsay and is based on lack of evidence.  you appear not to understand the first thing about cryptography.  it's pure fear mongering.

I think this is the most sensible interpretation of the thread.


Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on April 30, 2015, 04:06:34 PM
No crypto is trusted whether it comes from the NSA or not. Let's say SHA-3 gets preferred treatment because it was not from the NSA. Well, who can be sure that they were not involved at all? With the spy stuff going on, it's better to stick to the math.

That's an excellent point and I understand it.

The problem is that cryptography is a special kind of subject, like physics or math. There are almost no real experts and very few people who are good at it, but there are loads and loads of people who will tell you they are experts or good at it.

It is a pretty safe bet that the NSA has cash to hire the more qualified cryptographers so it seems like they might be qualified to introduce a flawed algorithm that could get past public scrutiny. Have they done it before? It's what they do.
The NSA has deep pockets for sure. They are the #1 employer of mathematicians in the US and their budget though classified is estimated at around 50 billion US$.

But have they managed to push a flawed encryption standard through? I don't think we can know. They were caught red-handed once but it could be a trick too. Get caught on a small lie so that the bigger lie goes undetected.

I see you don't want to touch the NSA with a 10-ft pole. What are the alternatives?

* You choose another hash scheme. I already said that it would be hardly possible to prove that the NSA  was never involved in its development. Even if they weren't, they could still know a way to crack it.
* You choose a 'provably secure hash function'. Well - they are just as secure as another problem deemed to be hard. Then again, the NSA could have solved it.

In short, no one knows what they can do and can't do.

So, we use blind tasting.

What the community has done is to pick a few hash functions: SHA-2, RIPEMD-160 and apply them several times. Each of these functions has had ample public analysis. To keep a weakness secret, they would have to design/find a flaw that is so crafty that no other person can see it. They have many enemies in the world, therefore I think that if there was such a flaw someone else would have pointed it out.
Even if they managed, well, in bitcoin you hash the hash.

The flaw would need to be gigantic.
Much bigger than the MD-5 weakness - and in several unrelated hash functions - and somehow every mathematician in the world is part of a conspiracy of silence.

I don't trust the NSA, but I think that the fact that they were the creator of SHA-2 doesn't impact its applicability in bitcoin.

So, no - I don't think the NSA has broken bitcoin.

PS: I intentionally didn't use any jargon. I believe the concern that the OP has is not related to cryptography details.
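
The "hash the hash" construction this post refers to, and the brute-force search that the mining hardware mentioned earlier in the thread performs, shown as an added example that is not part of any post in the thread. It recomputes the genesis block's proof-of-work hash from its public 80-byte header; the function names and the easy search target are constructed for illustration.

```python
import hashlib
import struct

# Bitcoin genesis block header (80 bytes) as serialized; public chain data.
GENESIS_HEADER = bytes.fromhex(
    "01000000"                              # version (little-endian)
    + "00" * 32                             # previous block hash (none)
    + "3ba3edfd7a7b12b27ac72c3e67768f61"    # merkle root, first half
    + "7fc81bc3888a51323a9fb8aa4b1e5e4a"    # merkle root, second half
    + "29ab5f49"                            # timestamp
    + "ffff001d"                            # nBits (compact target)
    + "1dac2b7c"                            # nonce
)

# Constructed, deliberately easy target (about 1 hash in 4096 qualifies),
# so the search below finishes instantly. Not a real network target.
EASY_TARGET = 1 << 244


def double_sha256(data: bytes) -> bytes:
    """SHA-256 applied to the SHA-256 digest of the data."""
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def block_hash_hex(header: bytes) -> str:
    """Block hash in the byte-reversed hex form block explorers display."""
    return double_sha256(header)[::-1].hex()


def hash_as_int(header: bytes) -> int:
    """The double hash read as a little-endian 256-bit integer."""
    return int.from_bytes(double_sha256(header), "little")


def compact_to_target(bits: int) -> int:
    """Expand the 4-byte compact nBits field into the full 256-bit target."""
    exponent = bits >> 24
    mantissa = bits & 0x007FFFFF
    if exponent <= 3:
        return mantissa >> (8 * (3 - exponent))
    return mantissa << (8 * (exponent - 3))


def with_nonce(header: bytes, nonce: int) -> bytes:
    """Return the header with its last 4 bytes replaced by the given nonce."""
    return header[:76] + struct.pack("<I", nonce)


def meets_target(header: bytes, target=None) -> bool:
    """Proof-of-work check: the hash value must not exceed the target."""
    if len(header) != 80:
        raise ValueError("a block header is exactly 80 bytes")
    if target is None:
        # Use the target the header itself commits to (bytes 72..75).
        target = compact_to_target(struct.unpack_from("<I", header, 72)[0])
    return hash_as_int(header) <= target


def search_nonce(header: bytes, target: int, max_tries: int):
    """Exhaustive nonce search, the only generic method available when the
    hash function has no exploitable structure. Returns a nonce or None."""
    for nonce in range(min(max_tries, 1 << 32)):
        if meets_target(with_nonce(header, nonce), target):
            return nonce
    return None


if __name__ == "__main__":
    print("genesis hash :", block_hash_hex(GENESIS_HEADER))
    print("valid PoW    :", meets_target(GENESIS_HEADER))
    found = search_nonce(GENESIS_HEADER, EASY_TARGET, 1_000_000)
    print("easy-target nonce:", found)
```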


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 30, 2015, 06:25:59 PM
^^^  Great post.   Thanks.


Title: Re: Has the NSA already broken bitcoin?
Post by: X7 on April 30, 2015, 07:55:21 PM
I think the NSA created bitcoin... and they created SHA256


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on April 30, 2015, 11:25:33 PM
I think the NSA created bitcoin... and they created SHA256
And they created this forum.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 04, 2015, 09:35:59 PM
Who created SHA256?


Title: Re: Has the NSA already broken bitcoin?
Post by: jaxxx on May 04, 2015, 09:38:16 PM
I think the NSA created bitcoin... and they created SHA256
And they created this forum.

They also have friends who created several dark markets and dodgy exchanges. They are busy little bumble bees aren't they?


Title: Re: Has the NSA already broken bitcoin?
Post by: 5970 on May 04, 2015, 09:39:55 PM
Who created SHA256?
NSA. Says wikipedia  http://en.wikipedia.org/wiki/SHA-2


Title: Re: Has the NSA already broken bitcoin?
Post by: J. J. Phillips on May 04, 2015, 09:40:26 PM
stop feeding the troll

I just wanted to repeat cypherdoc's advice before anyone's tempted to reply and get this thread going again.

Gorrammit I'm too late.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 04, 2015, 09:50:47 PM
Who created SHA256?
NSA. Says wikipedia  http://en.wikipedia.org/wiki/SHA-2


The NSA did create sha256.


Title: Re: Has the NSA already broken bitcoin?
Post by: Shindo1988 on May 05, 2015, 01:23:06 PM
I think the NSA created bitcoin... and they created SHA256
And they created this forum.

They also have friends who created several dark markets and dodgy exchanges. They are busy little bumble bees aren't they?

Well, they didn't exactly create the dark markets, they helped run them  :P
And they didn't create exchanges they are just trying to regulate them  :o


Title: Re: Has the NSA already broken bitcoin?
Post by: J. J. Phillips on May 05, 2015, 04:05:05 PM
For anyone who has a reasonable understanding of cryptography, this is as silly as not trusting the number 0 because we're unsure who was the first culture to use it.


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on May 05, 2015, 05:26:25 PM
For anyone who has a reasonable understanding of cryptography, this is as silly as not trusting the number 0 because we're unsure who was the first culture to use it.

No, it would be not to trust the number 0 because we're sure the Mayans created it, and we know the Mayans are evil (you know, with all the 2012 doomsday thing... what year is it again?)


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 05, 2015, 06:34:49 PM
For anyone who has a reasonable understanding of cryptography, this is as silly as not trusting the number 0 because we're unsure who was the first culture to use it.

Are you saying that all of the cryptographers who say that sha will eventually be broken are wrong?

Or are you saying people should automatically trust anything pushed by the NSA culture?

You are a cryptographer, or reasonably understand it, you say?


Title: Re: Has the NSA already broken bitcoin?
Post by: Mikestang on May 05, 2015, 09:19:13 PM
If bitcoin is broken, why does it still work?

The NSA has back doors in every encryption since some time in the late 1980s/early 1990s.  PGP 8.0 was the last piece of software that did not contain any institutional back doors (I still have my discs).

point = moot


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 06, 2015, 01:03:35 AM
If bitcoin is broken, why does it still work?

The NSA has back doors in every encryption since some time in the late 1980s/early 1990s.  PGP 8.0 was the last piece of software that did not contain any institutional back doors (I still have my discs).

point = moot

"Broken" means cracked. If sha  has some sort of NSA devised weakness, in your opinion, and I do think it is likely, then why is the point moot?


Title: Re: Has the NSA already broken bitcoin?
Post by: Cinnob0n on May 06, 2015, 02:18:44 AM
I don't know, seems too far fetched. Maybe they could use one of their quantum qubit computers though  :o


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 06, 2015, 03:09:26 AM
I don't know, seems too far fetched. Maybe they could use one of their quantum qubit computers though  :o

It seems farfetched that the NSA would put a deliberate flaw in an algorithm?

Seriously?

?


Title: Re: Has the NSA already broken bitcoin?
Post by: Mikestang on May 06, 2015, 04:53:47 AM
If bitcoin is broken, why does it still work?

The NSA has back doors in every encryption since some time in the late 1980s/early 1990s.  PGP 8.0 was the last piece of software that did not contain any institutional back doors (I still have my discs).

point = moot

"Broken" means cracked. If sha  has some sort of NSA devised weakness, in your opinion, and I do think it is likely, then why is the point moot?

The way I see it, if everything is back doored already, why worry about it?  These things don't get exploited willy-nilly, they're last case option sorts of things, otherwise it would be too much in the forefront.

Believe me, if there were a revolution in USA right now and people were organizing and communicating via SHA256 encoded text, suddenly SHA256 would "get cracked".


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on May 06, 2015, 06:04:33 AM
Believe me, if there were a revolution in USA right now and people were organizing and communicating via SHA256 encoded text, suddenly SHA256 would "get cracked".

SHA256-encoded text? I didn't know hashes could be used for encoding.


Title: Re: Has the NSA already broken bitcoin?
Post by: Mikestang on May 06, 2015, 06:29:38 AM
Believe me, if there were a revolution in USA right now and people were organizing and communicating via SHA256 encoded text, suddenly SHA256 would "get cracked".

SHA256-encoded text? I didn't know hashes could be used for encoding.

It's not a literal example, you get the point.


Title: Re: Has the NSA already broken bitcoin?
Post by: Cryddit on May 06, 2015, 06:32:31 PM
Mr. No-ice-please... 

You are certain that "SHA-256 will eventually be broken." 

I am certain that "eventually" in this case does not mean "within the next 50 years."

So ...  If you're under, say, 30, or otherwise have plans to survive well beyond what are currently considered as biological limitations for the basic human design by some means, I would like to make a bet with you. 

Got a couple BTC you're willing to commit to long-term escrow? 


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on May 06, 2015, 07:09:19 PM
I didn't know hashes could be used for encoding.
It's easy to use hashes for encoding.

The decoding step, on the other hand, is a bit lossy...


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on May 07, 2015, 12:31:06 AM
I didn't know hashes could be used for encoding.
It's easy to use hashes for encoding.

The decoding step, on the other hand, is a bit lossy...
Thanks, I needed that laugh.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 07, 2015, 02:10:25 AM
Mr. No-ice-please... 

You are certain that "SHA-256 will eventually be broken." 

I am certain that "eventually" in this case does not mean "within the next 50 years."

So ...  If you're under, say, 30, or otherwise have plans to survive well beyond what are currently considered as biological limitations for the basic human design by some means, I would like to make a bet with you. 

Got a couple BTC you're willing to commit to long-term escrow? 

Not a lot of spare coins to gamble with at the moment and long term for me is a few hours.

You are misinterpreting my complaint.
1) There are things that we know about the history of the NSA and the so-called secure algorithms it promotes. They push bad crypto. Apparently that's their job. Fine.
2) It's not like we do not know what they do. It's like if you see a sign on a store that says "Rotten Horse Meat", and you buy what looks like beef. You get home and what do you think is going to be in the package?
3) The ethical issue is that the major use to which NSA intercepted information is put is not generally anything that benefits people in developing countries. In fact it is safe to say that if the NSA does own bitcoin effectively, in enough ways, it would be used to cancel political dissidents in repressive allied countries. A huge number of people have been killed in Latin America, Africa, Asia directly or indirectly by information the NSA provided to some pretty shitty governments. So a coin with an NSA algorithm should be a no go across the third world.

Is it broken? I don't know.
Will it be broken if it isn't? I don't know.
What do I know? See 1,2 and 3 above. It's enough for me.


Title: Re: Has the NSA already broken bitcoin?
Post by: 800000008 on May 07, 2015, 02:48:03 AM
The risk to Bitcoin is not the NSA itself, but merely the RUMOR that NSA has cracked it...

That alone can undermine confidence.

So, if you feel the need to believe in a conspiracy, just tell yourself NSA is spreading a false rumor.

It's the cheapest way to undermine.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 07, 2015, 04:08:08 AM
The risk to Bitcoin is not the NSA itself, but merely the RUMOR that NSA has cracked it...

That alone can undermine confidence.

So, if you feel the need to believe in a conspiracy, just tell yourself NSA is spreading a false rumor.

It's the cheapest way to undermine.

Perceptions are important but real issues are more so.


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on May 07, 2015, 04:47:16 AM
The risk to Bitcoin is not the NSA itself, but merely the RUMOR that NSA has cracked it...

That alone can undermine confidence.

So, if you feel the need to believe in a conspiracy, just tell yourself NSA is spreading a false rumor.

It's the cheapest way to undermine.

Perceptions are important but real issues are more so.

Real issues need real evidence.


Title: Re: Has the NSA already broken bitcoin?
Post by: Ingatqhvq on May 07, 2015, 04:51:42 AM
Apparently they haven't broken bitcoin, and bitcoin runs very well.
Even if they can crack bitcoin, it can be updated quickly.


Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 07, 2015, 05:58:28 AM
Mr. No-ice-please... 

You are certain that "SHA-256 will eventually be broken." 

I am certain that "eventually" in this case does not mean "within the next 50 years."

So ...  If you're under, say, 30, or otherwise have plans to survive well beyond what are currently considered as biological limitations for the basic human design by some means, I would like to make a bet with you. 

Got a couple BTC you're willing to commit to long-term escrow? 

Not a lot of spare coins to gamble with at the moment and long term for me is a few hours.

You are misinterpreting my complaint.
1) There are things that we know about the history of the NSA and the so-called secure algorithms it promotes. They push bad crypto. Apparently that's their job. Fine.
2) It's not like we do not know what they do. It's like if you see a sign on a store that says "Rotten Horse Meat", and you buy what looks like beef. You get home and what do you think is going to be in the package?
3) The ethical issue is that the major use to which NSA intercepted information is put is not generally anything that benefits people in developing countries. In fact it is safe to say that if the NSA does own bitcoin effectively, in enough ways, it would be used to cancel political dissidents in repressive allied countries. A huge number of people have been killed in Latin America, Africa, Asia directly or indirectly by information the NSA provided to some pretty shitty governments. So a coin with an NSA algorithm should be a no go across the third world.

Is it broken? I don't know.
Will it be broken if it isn't? I don't know.
What do I know? See 1,2 and 3 above. It's enough for me.

Not only that. They also suppress "good" crypto. Check the story of Tron and his cryptophone back in 1997. Or the one about Barnaby Jack a few years ago. Aaron Swartz. Karl Koch and more unnamed hackers that died under questionable circumstances.


Title: Re: Has the NSA already broken bitcoin?
Post by: Amph on May 07, 2015, 06:49:53 AM
Apparently they haven't broken bitcoin, and bitcoin runs very well.
Even if they can crack bitcoin, it can be updated quickly.

Not really quickly; it needs to be updated before that occurs, because it will require a hard fork. If a case like this would ever happen (maybe with a future quantum computer), it must be done early.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 07, 2015, 07:10:55 PM
The risk to Bitcoin is not the NSA itself, but merely the RUMOR that NSA has cracked it...

That alone can undermine confidence.

So, if you feel the need to believe in a conspiracy, just tell yourself NSA is spreading a false rumor.

It's the cheapest way to undermine.

Perceptions are important but real issues are more so.

Real issues need real evidence.

This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.

Is the NSA a credible provider for trustworthy algorithms?

What is the truth?

I understand a lot of people will support NSA and other govt algorithms no matter what.

But what is the truth?

What is the actual truth?

Should a person trust an algorithm provided by the NSA?

https://mobile.twitter.com/csoghoian/status/375722670253686784

https://bitcointalk.org/index.php?topic=288545.0

https://realcurrencies.wordpress.com/2013/06/21/is-the-national-security-agency-behind-bitcoin/

http://motherboard.vice.com/blog/what-do-the-latest-nsa-leaks-mean-for-bitcoin

http://cointelegraph.com/news/113985/are-we-owned-by-nsa-bitcoin-experts-discuss-how-to-evade-hardware-hacking

http://www.ibtimes.co.uk/bitcoin-suspected-be-nsa-cia-project-1460439

http://www.opednews.com/populum/pagem.php?f=Connecting-the-Dots-betwee-by-David-Spring-Spying-131206-522.html

https://bitcointalk.org/index.php?topic=360.0

At this point I don't know what to say.

How much evidence do you want?

Why the pretending?

The final nail in sha256's coffin is http://archive.wired.com/politics/security/commentary/securitymatters/2007/$

It was deleted but you can read it here https://web.archive.org/web/20141115041659/http://archive.wired.com/politics/security/commentary/securitymatters/2007/$


Title: Re: Has the NSA already broken bitcoin?
Post by: Cryddit on May 07, 2015, 07:50:31 PM

This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.


You have said one sentence on which we agree, and one on which we don't. 

I do not give a crap who developed a sort algorithm, because I can tell when things are sorted correctly and I can prove that the algorithm does sort things correctly in every case. 

And hashing, given the level of mathematical sophistication and effort applied by people who are NOT controlled by any particular agency, is not very different from sorting in this regard.



Title: Re: Has the NSA already broken bitcoin?
Post by: J. J. Phillips on May 07, 2015, 08:14:30 PM
To discredit an algorithm it is enough to say that the authority behind it is discredited.

This is incredibly stupidly wrong. It doesn't matter who creates/discovers an algorithm. What matters is what it does.

There should be an option on bitcointalk that just translates all the posts of "no-ice-please" and its alts to their shortest logical equivalent: False.


Title: Re: Has the NSA already broken bitcoin?
Post by: justusranvier on May 07, 2015, 09:03:11 PM

This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.


You have said one sentence on which we agree, and one on which we don't. 

I do not give a crap who developed a sort algorithm, because I can tell when things are sorted correctly and I can prove that the algorithm does sort things correctly in every case. 

And hashing, given the level of mathematical sophistication and effort applied by people who are NOT controlled by any particular agency, is not very different from sorting in this regard.
The NSA is not omnipotent.

They have a lot of resources, true, but they are a government bureaucracy just like any other and not notably better at utilizing their resources than any other bureaucracy.

The reason we know the NSA has put backdoors in algorithms in the past is because they got caught doing it.

Anything underhanded the NSA can do to a public crypto spec, others can discover when they are looking for it.

Right now, a lot of people are looking.


Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on May 07, 2015, 11:49:53 PM
The risk to Bitcoin is not the NSA itself, but merely the RUMOR that NSA has cracked it...

That alone can undermine confidence.

So, if you feel the need to believe in a conspiracy, just tell yourself NSA is spreading a false rumor.

It's the cheapest way to undermine.

Perceptions are important but real issues are more so.

Real issues need real evidence.

This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.

Is the NSA a credible provider for trustworthy algorithms?

What is the truth?

I understand a lot of people will support NSA and other govt algorithms no matter what.

But what is the truth?

What is the actual truth?

Should a person trust an algorithm provided by the NSA?

https://mobile.twitter.com/csoghoian/status/375722670253686784

https://bitcointalk.org/index.php?topic=288545.0

https://realcurrencies.wordpress.com/2013/06/21/is-the-national-security-agency-behind-bitcoin/

http://motherboard.vice.com/blog/what-do-the-latest-nsa-leaks-mean-for-bitcoin

http://cointelegraph.com/news/113985/are-we-owned-by-nsa-bitcoin-experts-discuss-how-to-evade-hardware-hacking

http://www.ibtimes.co.uk/bitcoin-suspected-be-nsa-cia-project-1460439

http://www.opednews.com/populum/pagem.php?f=Connecting-the-Dots-betwee-by-David-Spring-Spying-131206-522.html

https://bitcointalk.org/index.php?topic=360.0

At this point I don't know what to say.

How much evidence do you want?

Why the pretending?

The final nail in sha256's coffin is http://archive.wired.com/politics/security/commentary/securitymatters/2007/$

It was deleted but you can read it here https://web.archive.org/web/20141115041659/http://archive.wired.com/politics/security/commentary/securitymatters/2007/$
1. Lots of people (including myself) gave reasons why the current consensus is that bitcoin is not 'cracked' by the NSA but whoever doesn't agree with you is a shill for the NSA.
2. You list 'articles' to defend your point. None of these are of any reputable source. I challenge you to provide a single peer reviewed research paper.
3. You say that bitcoin shouldn't use a hashing algo created by the NSA but don't have any better alternative.

Essentially, it is pointless to discuss with you.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 08, 2015, 02:16:49 AM

This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.


You have said one sentence on which we agree, and one on which we don't.  

I do not give a crap who developed a sort algorithm, because I can tell when things are sorted correctly and I can prove that the algorithm does sort things correctly in every case.  

And hashing, given the level of mathematical sophistication and effort applied by people who are NOT controlled by any particular agency, is not very different from sorting in this regard.



This topic is getting old but again, here is an example of why the promoter matters.

md5 was listed as a secure cryptographic hashing algorithm, one of only two listed as such, until very recently on Wikipedia.

As you probably know the NSA had cracked it enough to be able to make fake security certificates with it. Obviously it was in their interest to continue the charade of promoting it as secure.

We would not know how broken it is except that some Iranian computer place that was targeted figured it out.

After it was announced that md5 was not usable, i.e. after the Iranians found the flame malware, there was a sloppy rush to make it look like md5 had been discredited much earlier. In fact a few cautions had gone out about it but it was promoted and used as secure cryptographic hashing until flame.

Something is not quite right with using sha in bitcoin. The arguing is getting old though. I have my opinion based on what I have read and I have posted plenty of links on the various threads.


The NSA is not omnipotent.

They have a lot of resources, true, but they are a government bureaucracy just like any other and not notably better at utilizing their resources than any other bureaucracy.

The reason we know the NSA has put backdoors in algorithms in the past is because they got caught doing it.

Anything underhanded the NSA can do to a public crypto spec, others can discover when they are looking for it.

Right now, a lot of people are looking.

Of course they are only people, but they are people intoxicated with bureaucratic values and emboldened by billions of dollars plus all the false weight of pretending to be in charge of a nation's security.

It seems likely that they would use flaws that cater to their resources, e.g. huge supercomputers, and which most researchers would not be able to emulate, if that's the right word.



1. Lots of people (including myself) gave reasons why the current consensus is that bitcoin is not 'cracked' by the NSA but whoever doesn't agree with you is a shill for the NSA.
2. You list 'articles' to defend your point. None of these are of any reputable source. I challenge you to provide a single peer reviewed research paper.
3. You say that bitcoin shouldn't use a hashing algo created by the NSA but don't have any better alternative.

Essentially, it is pointless to discuss with you.

Ha ha, you want a peer reviewed article that basically says "since the NSA has promoted broken crypto in the past it might be wise to not use their in house algorithms." Basic common sense does not need an article. Can you produce a peer reviewed article that says a person should ignore the NSA's history of cheating on crypto?

Many times I've said I'm not a cryptographer and am not able to recommend an algorithm. Quite a few coins though have managed to find non government algorithms.



Title: Re: Has the NSA already broken bitcoin?
Post by: Chef Ramsay on May 08, 2015, 02:45:48 AM
EXCLUSIVE — RAND PAUL: WE’RE GOING TO TAKE NSA ALL THE WAY TO SUPREME COURT. AND WIN

Sen. Rand Paul (R-KY) is celebrating the news a federal appeals court rejected President Barack Obama’s National Security Agency (NSA) data collection program on Thursday. In an exclusive interview with Breitbart News, Paul says he can’t wait for the Supreme Court to eventually rule it unconstitutional.

“We initiated a lawsuit on this over a year ago, and we are excited that the appeals court agrees with us,” Paul said.

Now, they’re saying it’s illegal in that Section 215 of the PATRIOT Act doesn’t authorize that—that the government has gone too far—I think that’s a good first step. We want the Supreme Court to eventually rule on whether this is Constitutional or not. Our main complaint, or one of our main arguments is, the Fourth Amendment says you have to name the person who you want to get a warrant—but not naming anyone and putting “Mr. Verizon” down and saying you can get the records of millions of people, you’re not writing a specific warrant.

You’re writing a generalized warrant. This is one of the things that we fought against that the British were doing to us. James Otis famously argued in court that the writs of assistance that the British were using were non-specific and didn’t use the person’s name—and so we wrote the Fourth Amendment to try to stop this kind of stuff. I guess it’s gratifying that the courts are beginning to recognize the problem. We are anticipating and eager for this to get to the Supreme Court.

More... http://www.breitbart.com/big-government/2015/05/07/exclusive-rand-paul-were-going-to-take-nsa-all-the-way-to-supreme-court-and-win/






Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on May 08, 2015, 04:14:36 AM
Ha ha, you want a peer reviewed article that basically says "since the NSA has promoted broken crypto in the past it might be wise to not use their in house algorithms." Basic common sense does not need an article. Can you produce a peer reviewed article that says a person should ignore the NSA's history of cheating on crypto?

Many times I've said I'm not a cryptographer and am not able to recommend an algorithm. Quite a few coins though have managed to find non government algorithms.

No, I want a peer reviewed article that shows a viable attack on SHA rather than a dubious news site that claims that since the NSA has made SHA, they must have a backdoor.
You keep repeating the same thing as if it makes it more valid: "NSA is evil - don't use anything they touch". The other coins that are using non gov algo are equally likely to be cracked, if not more. Just because the NSA hasn't invented an algo doesn't make it stronger. If you can't understand that, continue your picket protest.


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on May 08, 2015, 04:25:34 AM
This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.

This is the most literal example of an ad hominem fallacy.

Basic common sense does not need an article.

Actually, yes it does. If you just believe in your common sense, you're going to be wrong.

Common sense tells us that the Sun revolves around the Earth. Only through scientific observation we were able to determine that it's the other way round.


Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 08, 2015, 07:16:54 AM
Ha ha, you want a peer reviewed article that basically says "since the NSA has promoted broken crypto in the past it might be wise to not use their in house algorithms." Basic common sense does not need an article. Can you produce a peer reviewed article that says a person should ignore the NSA's history of cheating on crypto?

Many times I've said I'm not a cryptographer and am not able to recommend an algorithm. Quite a few coins though have managed to find non government algorithms.

No, I want a peer reviewed article that shows a viable attack on SHA rather than a dubious news site that claims that since the NSA has made SHA, they must have a backdoor.
You keep repeating the same thing as if it makes it more valid: "NSA is evil - don't use anything they touch". The other coins that are using non gov algo are equally likely to be cracked, if not more. Just because the NSA hasn't invented an algo doesn't make it stronger. If you can't understand that, continue your picket protest.

First you have to think about the history of the NSA and what it is here for. Think about the history of cryptography and its importance for national security. Think about what has been done in the past to break the cryptography of the "enemy" and to create its own unbreakable one.

What would be the reason to open source your "unbreakable code" and make everybody use this and your hardware?


Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on May 08, 2015, 07:25:08 AM
First you have to think about the history of the NSA and what it is here for. Think about the history of cryptography and its importance for national security. Think about what has been done in the past to break the cryptography of the "enemy" and to create its own unbreakable one.

What would be the reason to open source your "unbreakable code" and make everybody use this and your hardware?
Without specialists looking at my 'unbreakable code', I wouldn't think that it's unbreakable. Hiding the algorithm doesn't do anything to make it stronger.


Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 08, 2015, 08:32:02 AM
First you have to think about the history of the NSA and what it is here for. Think about the history of cryptography and its importance for national security. Think about what has been done in the past to break the cryptography of the "enemy" and to create its own unbreakable one.

What would be the reason to open source your "unbreakable code" and make everybody use this and your hardware?
Without specialists looking at my 'unbreakable code', I wouldn't think that it's unbreakable. Hiding the algorithm doesn't do anything to make it stronger.

a. NSA is always recruiting exactly these "specialists" and b. hiding your crypto source code is OF COURSE making it stronger.


Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on May 08, 2015, 10:36:41 AM
b. hiding your crypto source code is OF COURSE making it stronger.
Hmmm. I don't know how to say it nicely but if you think that, I don't think you have studied cryptography (Browsing the web doesn't qualify).


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on May 08, 2015, 02:43:20 PM
b. hiding your crypto source code is OF COURSE making it stronger.

Riddle me this:  is the "source code" for SHA hidden or not?


Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 08, 2015, 03:53:42 PM
b. hiding your crypto source code is OF COURSE making it stronger.
Hmmm. I don't know how to say it nicely but if you think that, I don't think you have studied cryptography (Browsing the web doesn't qualify).

True. I didn't study cryptography, but this fact has nothing to do with my statement.
So, what you think is, that the NSA promotes a code, that the rest of the world can use to hide against NSA spying and to hide illegal activities or terrorism? OK, you possibly have studied cryptography. Now I don't know how to say it nicely, but I don't think you have a clue about the importance of cryptography in national security. Seems you simply don't know how much effort is being taken to be always two steps ahead of the rest of the world.

As long as most people think they are completely anonymous with their Tor browser and their data is fully safe encrypted with TrueCrypt or Bitlocker or whatever is promoted to be "NSA resistant" at that time, it's a lot easier to control their activities.


Title: Re: Has the NSA already broken bitcoin?
Post by: Shindo1988 on May 08, 2015, 04:08:32 PM
b. hiding your crypto source code is OF COURSE making it stronger.
Hmmm. I don't know how to say it nicely but if you think that, I don't think you have studied cryptography (Browsing the web doesn't qualify).

True. I didn't study cryptography, but this fact has nothing to do with my statement.
So, what you think is, that the NSA promotes a code, that the rest of the world can use to hide against NSA spying and to hide illegal activities or terrorism? OK, you possibly have studied cryptography. Now I don't know how to say it nicely, but I don't think you have a clue about the importance of cryptography in national security. Seems you simply don't know how much effort is being taken to be always two steps ahead of the rest of the world.

As long as most people think they are completely anonymous with their Tor browser and their data is fully safe encrypted with TrueCrypt or Bitlocker or whatever is promoted to be "NSA resistant" at that time, it's a lot easier to control their activities.

That's true.
The NSA likes to keep an eye on many things.
That is why they have funded Facebook and let us not forget the famous nsakey that every Windows version has.


Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 08, 2015, 04:18:15 PM
It's not about inventing the useful technology, but about taking control as soon as it is classified as important for national security.


Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on May 08, 2015, 04:27:50 PM
So, what you think is, that the NSA promotes a code, that the rest of the world can use to hide against NSA spying and to hide illegal activities or terrorism? OK, you possibly have studied cryptography. Now I don't know how to say it nicely, but I don't think you have a clue about the importance of cryptography in national security.
Well - I guess you feel the need to attack me personally. I don't really care about what you think. I'm just gonna put you on ignore. Judging from your post history, I won't miss much.
Incidentally, I know that cryptography is paramount for national security. People have been sacrificed to protect ciphers.
Still it would be good to have the facts right. SHA isn't even an encryption scheme!


Title: Re: Has the NSA already broken bitcoin?
Post by: J. J. Phillips on May 08, 2015, 04:37:11 PM
So, what you think is, that the NSA promotes a code, that the rest of the world can use to hide against NSA spying and to hide illegal activities or terrorism? OK, you possibly have studied cryptography. Now I don't know how to say it nicely, but I don't think you have a clue about the importance of cryptography in national security.
Well - I guess you feel the need to attack me personally. I don't really care about what you think. I'm just gonna put you on ignore. Judging from your post history, I won't miss much.
Incidentally, I know that cryptography is paramount for national security. People have been sacrificed to protect ciphers.
Still it would be good to have the facts right. SHA isn't even an encryption scheme!

I've just learned that ignoring AGD also hides that Manson gif avatar. While this is a little "meta"/offtopic, it still might be the most important information in this thread.


Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 08, 2015, 04:42:52 PM
b. hiding your crypto source code is OF COURSE making it stronger.
Hmmm. I don't know how to say it nicely but if you think that, I don't think you have studied cryptography (Browsing the web doesn't qualify).

So, what you think is, that the NSA promotes a code, that the rest of the world can use to hide against NSA spying and to hide illegal activities or terrorism? OK, you possibly have studied cryptography. Now I don't know how to say it nicely, but I don't think you have a clue about the importance of cryptography in national security.
Well - I guess you feel the need to attack me personally. I don't really care about what you think. I'm just gonna put you on ignore. Judging from your post history, I won't miss much.
Incidentally, I know that cryptography is paramount for national security. People have been sacrificed to protect ciphers.
Still it would be good to have the facts right. SHA isn't even an encryption scheme!


Well, the words that made you feel "attacked", were just used by you to "attack" me. Typical mirroring. Please don't ignore me, because I will feel soooo bad, when one of billions put me on ignore. Just joking, do whatever you want.


Title: Re: Has the NSA already broken bitcoin?
Post by: notbatman on May 08, 2015, 04:45:50 PM
This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.

This is the most literal example of an ad hominem fallacy.

Basic common sense does not need an article.

Actually, yes it does. If you just believe in your common sense, you're going to be wrong.

Common sense tells us that the Sun revolves around the Earth. Only through scientific observation we were able to determine that it's the other way round.

What if your senses are correct and heliocentrism is part of an ancient mind control conspiracy perpetrated upon the unwashed masses? You're taking 3rd party information that goes against common sense and turning it into a belief akin to religious faith without taking any measurements or making any observations yourself.


Title: Re: Has the NSA already broken bitcoin?
Post by: J. J. Phillips on May 08, 2015, 04:58:22 PM
This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.

This is the most literal example of an ad hominem fallacy.

Basic common sense does not need an article.

Actually, yes it does. If you just believe in your common sense, you're going to be wrong.

Common sense tells us that the Sun revolves around the Earth. Only through scientific observation we were able to determine that it's the other way round.

What if your senses are correct and heliocentrism is part of an ancient mind control conspiracy perpetrated upon the unwashed masses? You're taking 3rd party information that goes against common sense and turning it into a belief akin to religious faith without taking any measurements or making any observations yourself.

Actually, the tricky thing is: there are no measurements that can confirm Earth revolves around the sun and not vice versa. The reason we believe it is because there's a relatively simple mathematical model (including other stars and other planets) in which Earth revolves around the sun. Attempts to form a mathematical model with Earth at the center were always complicated and never fully successful. Ultimately this is the argument why the Earth revolves around the sun: the maths is simpler. Well, today most people believe it because people think you're an idiot otherwise, so it's more social pressure than mathematical simplicity. So in the end you're right: it's mind control.

The maths of SHA256 is simple as well. It's an avalanche of simplicity.


Title: Re: Has the NSA already broken bitcoin?
Post by: BillyBobZorton on May 08, 2015, 05:00:39 PM
This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.

This is the most literal example of an ad hominem fallacy.

Basic common sense does not need an article.

Actually, yes it does. If you just believe in your common sense, you're going to be wrong.

Common sense tells us that the Sun revolves around the Earth. Only through scientific observation we were able to determine that it's the other way round.

What if your senses are correct and heliocentrism is part of an ancient mind control conspiracy perpetrated upon the unwashed masses? You're taking 3rd party information that goes against common sense and turning it into a belief akin to religious faith without taking any measurements or making any observations yourself.

Actually, the tricky thing is: there are no measurements that can confirm Earth revolves around the sun and not vice versa. The reason we believe it is because there's a relatively simple mathematical model (including other stars and other planets) in which Earth revolves around the sun. Attempts to form a mathematical model with Earth at the center were always complicated and never fully successful. Ultimately this is the argument why the Earth revolves around the sun: the maths is simpler. Well, today most people believe it because people think you're an idiot otherwise, so it's more social pressure than mathematical simplicity. So in the end you're right: it's mind control.

The maths of SHA256 is simple as well. It's an avalanche of simplicity.

Indeed, it's so simple that Bitcoin can be mined manually:

https://www.youtube.com/watch?v=y3dqhixzGVo

So basically, it's all a problem of not being able to bruteforce. And they will never be able to bruteforce it, it's a non issue.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 08, 2015, 05:25:41 PM
Ha ha, you want a peer reviewed article that basically says "since the NSA has promoted broken crypto in the past it might be wise to not use their in house algorithms." Basic common sense does not need an article. Can you produce a peer reviewed article that says a person should ignore the NSA's history of cheating on crypto?

Many times I've said I'm not a cryptographer and am not able to recommend an algorithm. Quite a few coins though have managed to find non government algorithms.

No, I want a peer reviewed article that shows a viable attack on SHA rather than a dubious news site that claims that since the NSA has made SHA, they must have a backdoor.
You keep repeating the same thing as if it makes it more valid: "NSA is evil - don't use anything they touch". The other coins that are using non gov algo are equally likely to be cracked, if not more. Just because the NSA hasn't invented an algo doesn't make it stronger. If you can't understand that, continue your picket protest.

A person does not have to make value judgments, "NSA is evil" as you put it, to observe that the NSA has a history of promoting untrustworthy algorithms.

This becomes ridiculous. To discredit an algorithm it is enough to say that the authority behind it is discredited.

This is the most literal example of an ad hominem fallacy.

Basic common sense does not need an article.

Actually, yes it does. If you just believe in your common sense, you're going to be wrong.

Common sense tells us that the Sun revolves around the Earth. Only through scientific observation we were able to determine that it's the other way round.

The NSA is not a person, so it's not ad hominem, and most people would agree that if an agency, its employees, repeatedly push crypto that they have broken, then they are discredited.

Yes, the earth revolves around the sun. That has nothing to do with this issue. It's like saying "1+1=2 therefore we were justified in invading Iraq".

Incidentally, I know that cryptography is paramount for national security. People have been sacrificed to protect ciphers.
Still it would be good to have the facts right. SHA isn't even an encryption scheme!


Saying cryptography is important for any security is like saying a gun is important for security. You have to look at the person behind the gun to decide whether they do anything good. Looking at the actions of the NSA over the last 30+ years, they have not been helpful to America's security.

You seem to be playing semantic games with your statement "sha isn't even an encryption scheme".

----

The supporters of sha in bitcoin are like mafia followers.

If some guy in Atlantic City has a business, he looks through the yellow pages and finds a garbage company to empty his dumpster. He calls around and gets the best price then signs up. A few days later some guys stop by and say "Hey, Fat Tony has a garbage company and he would like your business. Sure he charges a little more but he is here for the community. He is here to help us."

When John Gotti used to get charged with various things the people in his neighborhood would have protest marches claiming he was being persecuted. Did they really do this because he was such an integral part of the neighborhood, and did so much supposed good for the community? Or were they feces licking lapdogs pandering to some mafia scumbag?

The NSA promotes bad crypto.

They have done it again and again and again.

If you want to pretend that something else is the truth then pretend.


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on May 08, 2015, 05:39:59 PM
and most people would agree that if an agency, its employees, repeatedly push crypto that they have broken, then they are discredited.

This thread is proof that no, they don't agree.

Yes, the earth revolves around the sun. That has nothing to do with this issue. It's like saying "1+1=2 therefore we were justified in invading Iraq".

http://en.wikipedia.org/wiki/Analogy

Quote
Analogy (from Greek ἀναλoγία, analogia, "proportion") is a cognitive process of transferring information or meaning from a particular subject (the analogue or source) to another particular subject (the target), or a linguistic expression corresponding to such a process.


Title: Re: Has the NSA already broken bitcoin?
Post by: Cryddit on May 08, 2015, 07:40:17 PM

a. NSA is always recruiting exactly these "specialists" and b. hiding your crypto source code is OF COURSE making it stronger.

Bzzzt, wrong.  This is Kerckhoffs's principle. http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle Auguste Kerckhoffs got this one before there even WERE computers.

If you want something that's secure and you want to get people to trust it, you want it out where everybody can see it and check for themselves that it's secure. 

And history has borne this out.  Virtually everybody who comes up with a "proprietary" crypto primitive that they don't reveal, has come up with one that gets ripped to shreds in short order when push comes to shove.



Title: Re: Has the NSA already broken bitcoin?
Post by: Cryddit on May 08, 2015, 07:50:50 PM

Wow.  This is like some weird psy-op where someone comes up with completely nonsense accusations against the NSA solely to get people like me to defend it - because maybe if I get used to defending it from really stupid accusations I'll consider defending it against accusations that are, uh, accurate?  Or anyway plausible?  You sure you're not drawing a government paycheck for this silliness?  It'd be a heck of a sweet job if you can get it.

Dude, it ain't gonna work.  They are what they are and they do what they do.  They have promoted both unsound and sound crypto in the past.  You handle that by completely ignoring their recommendations.  You have to judge the crypto on its merits. 



Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 08, 2015, 08:04:59 PM

a. NSA is always recruiting exactly these "specialists" and b. hiding your crypto source code is OF COURSE making it stronger.

Bzzzt, wrong.  This is Kerckhoffs's principle. http://en.wikipedia.org/wiki/Kerckhoffs%27s_principle Auguste Kerckhoffs got this one before there even WERE computers.

If you want something that's secure and you want to get people to trust it, you want it out where everybody can see it and check for themselves that it's secure.  

And history has borne this out.  Virtually everybody who comes up with a "proprietary" crypto primitive that they don't reveal, has come up with one that gets ripped to shreds in short order when push comes to shove.



In this case the NSA is not interested in gaining trust by the people, but to communicate securely and at the same time be able to read the communications of all the others. This can't be gained through the release of an unbreakable code. Or if it was released it was not relevant anymore. In this case, because access is gained through hardware backdoors, encryption doesn't matter anymore.

Quote
By introducing such back doors, the N.S.A. has surreptitiously accomplished what it had failed to do in the open. Two decades ago, officials grew concerned about the spread of strong encryption software like Pretty Good Privacy, or P.G.P., designed by a programmer named Phil Zimmermann. The Clinton administration fought back by proposing the Clipper Chip, which would have effectively neutered digital encryption by ensuring that the N.S.A. always had the key.


edit: This is all quite offtopic, because I don't think, that the NSA has "broken" Bitcoin anyway.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 08, 2015, 09:38:33 PM
and most people would agree that if an agency, its employees, repeatedly push crypto that they have broken, then they are discredited.

This thread is proof that no, they don't agree.

Yes, the earth revolves around the sun. That has nothing to do with this issue. It's like saying "1+1=2 therefore we were justified in invading Iraq".

http://en.wikipedia.org/wiki/Analogy

Quote
Analogy (from Greek ἀναλoγία, analogia, "proportion") is a cognitive process of transferring information or meaning from a particular subject (the analogue or source) to another particular subject (the target), or a linguistic expression corresponding to such a process.

You used a false analogy.

I pointed it out.

So you copy and paste a definition of analogy?


Title: Re: Has the NSA already broken bitcoin?
Post by: R2D221 on May 08, 2015, 10:37:02 PM
You used a false analogy.

I pointed it out.

So you copy and paste a definition of analogy?

You never pointed out it was a false analogy. And, if you did, you need to say WHY it is a false analogy.



Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 08, 2015, 10:53:07 PM
You used a false analogy.

I pointed it out.

So you copy and paste a definition of analogy?

You never pointed out it was a false analogy. And, if you did, you need to say WHY it is a false analogy.



My full comment to hhanh00 was
**
"Ha ha, you want a peer reviewed article that basically says "since the NSA has promoted broken crypto in the past it might be wise to not use their in house algorithms." Basic common sense does not need an article. Can you produce a peer reviewed article that says a person should ignore the NSA's history of cheating on crypto?

Many times I've said I'm not a cryptographer and am not able to recommend an algorithm. Quite a few coins though have managed to find non government algorithms."

**

To which you replied with a partial quote and an analogy

Basic common sense does not need an article.

Actually, yes it does. If you just believe in your common sense, you're going to be wrong.

Common sense tells us that the Sun revolves around the Earth. Only through scientific observation we were able to determine that it's the other way round.

Your analogy is poor on several levels. If you really need help figuring out why, please start a new thread.


Title: Re: Has the NSA already broken bitcoin?
Post by: marcus_of_augustus on May 08, 2015, 11:11:40 PM
no-ice-please definitely nsa plant counter-psyche trolling ... just-shut-up-already and go-away-please, thnx.


Title: Re: Has the NSA already broken bitcoin?
Post by: hhanh00 on May 09, 2015, 01:09:22 AM
The NSA promotes bad crypto.

They have done it again and again and again.

If you want to pretend that something else is the truth then pretend.
I don't disagree with you on this. You have said it a million times. If you haven't noticed no one defends the NSA on this.

Instead of repeating the same thing over and over because you think that we are not listening to you, maybe you should try listening to what other people say.

I'll try to summarize.
- NSA works on crypto. They produce algos and make recommendations.
- We don't know the extent of their knowledge. They have people working on every popular encryption.
- Cryptographers dislike "security by obscurity". They believe that an encryption should be judged by its own merits.
- They studied SHA and estimated that its security was sufficient.
- They think that using it in bitcoin is safe under the current parameters

What they don't say:
- It will never be broken. Never is a long time. But they estimate that it will be safe for many years.
- It is the best algo because other factors participate (speed, memory usage, existing hardware, etc.)

By the way, discrediting the NSA is nearly as bad as giving them credit. If we followed your blind recommendation, we would be choosing another algo because it's not published by the NSA.
Well, the NSA can easily publish under a fake name.

Anyway, I'm sure I won't change your views. Every post you make gets more illogical. So the ignore button is my best defense against this barrage of insanity.


Title: Re: Has the NSA already broken bitcoin?
Post by: no-ice-please on May 09, 2015, 02:03:55 AM
The NSA promotes bad crypto.

They have done it again and again and again.

If you want to pretend that something else is the truth then pretend.
I don't disagree with you on this. You have said it a million times. If you haven't noticed no one defends the NSA on this.

Instead of repeating the same thing over and over because you think that we are not listening to you, maybe you should try listening to what other people say.

I'll try to summarize.
- NSA works on crypto. They produce algos and make recommendations.
- We don't know the extent of their knowledge. They have people working on every popular encryption.
- Cryptographers dislike "security by obscurity". They believe that an encryption should be judged by its own merits.
- They studied SHA and estimated that its security was sufficient.
- They think that using it in bitcoin is safe under the current parameters

What they don't say:
- It will never be broken. Never is a long time. But they estimate that it will be safe for many years.
- It is the best algo because other factors participate (speed, memory usage, existing hardware, etc.)

By the way, discrediting the NSA is nearly as bad as giving them credit. If we followed your blind recommendation, we would be choosing another algo because it's not published by the NSA.
Well, the NSA can easily publish under a fake name.

Anyway, I'm sure I won't change your views. Every post you make gets more illogical. So the ignore button is my best defense against this barrage of insanity.


This post of yours has mostly intelligent opinions, aside from the sly ad hominem. You post a quote then say you can't disagree with it. Then you sum up saying my posts are illogical, but you don't give examples. Knowing that I will ask for examples, you say you will use the ignore button. That kind of slippery response pretty much sums up the sha defense.

My summation of the response is in the quote above.

1) The NSA has a history of promoting broken crypto so they can spy.
2) Anyone in a 3rd world country that has been ravaged by drones recently, or by death squads and para groups before that, will justifiably scratch their head when they learn that the bitcoin algorithm was developed by a U.S. intelligence agency.
3) It would be a simple matter to correct this huge problem simply by, as many other coins have, using a non NSA algo. It is certainly true that the NSA could secretly make some private algo under another organization. And that stealth threat would certainly encourage the study by individuals of potential shortcuts in cryptographic math.


Title: Re: Has the NSA already broken bitcoin?
Post by: photon_coin on May 09, 2015, 02:22:18 AM
no ,

some believe that since the nsa invented sha 2 (secure hash algorithm 2) and then stopped using it , that means well it must be cracked like an egg or they would not have changed to sha 3


The nsa plans for decades in advance.

I think that when sha 1 had some issues and some very older documents were decrypted they said well we know sha 2 is rock solid now but what about 20-40 years from now.........

Even there, you are stretching it..... a working quantum computer would be required to crack bitcoin , I would not plan on seeing that anytime soon.

Yes there have been great advancements in quantum computing, making gates, qubits, I could go on and on......

But I think you will see a quantum computer that can operate as a universe simulator before you see one designed that could break bitcoin.

Ever hear of the idea that there is a 99.9 percent chance we are all living in a 'virtual reality' right now ?

If not I suggest you use your imagination on that , not worrying that sha 2 can be backdoored, 

There are so many protections in bitcoin the average person has no idea what most of them even are.

Honestly

Here is the link (bit off topic but what the person who started this thread needs for therapy and peace of mind)

After reading this you may conclude you don't need anything since you are living in a simulated holographic projection and forget all about bitcoin.

Constraints on the Universe as a Numerical Simulation, 24 page pdf: http://arxiv.org/pdf/1210.1847v2.pdf


Title: Re: Has the NSA already broken bitcoin?
Post by: AGD on May 09, 2015, 12:43:18 PM
no ,

some believe that since the nsa invented sha 2 (secure hash algorithm 2) and then stopped using it , that means well it must be cracked like an egg or they would not have changed to sha 3


The nsa plans for decades in advance.

I think that when sha 1 had some issues and some very older documents were decrypted they said well we know sha 2 is rock solid now but what about 20-40 years from now.........

Even there, you are stretching it..... a working quantum computer would be required to crack bitcoin , I would not plan on seeing that anytime soon.

Yes there have been great advancements in quantum computing, making gates, qubits, I could go on and on......

But I think you will see a quantum computer that can operate as a universe simulator before you see one designed that could break bitcoin.

Ever hear of the idea that there is a 99.9 percent chance we are all living in a 'virtual reality' right now ?

If not I suggest you use your imagination on that , not worrying that sha 2 can be backdoored, 

There are so many protections in bitcoin the average person has no idea what most of them even are.

Honestly

Here is the link (bit off topic but what the person who started this thread needs for therapy and peace of mind)

After reading this you may conclude you don't need anything since you are living in a simulated holographic projection and forget all about bitcoin.

Constraints on the Universe as a Numerical Simulation, 24 page pdf: http://arxiv.org/pdf/1210.1847v2.pdf

Nice article. Not very likely, but still possible.

Quote
Nevertheless, assuming that the universe is finite and therefore the
resources of potential simulators are finite, then a volume containing a simulation will be
finite and a lattice spacing must be non-zero, and therefore in principle there always remains
the possibility for the simulated to discover the simulators


Title: Re: Has the NSA already broken bitcoin?
Post by: s.mouse on May 09, 2015, 02:24:56 PM
no-ice-please definitely nsa plant counter-psyche trolling ... just-shut-up-already and go-away-please, thnx.

I often wonder if there's any astroturfers or paid trolls here. It just doesn't make sense that all these people would waste so much time trolling if they weren't getting something out of it.


Title: Re: Has the NSA already broken bitcoin?
Post by: cbeast on May 09, 2015, 03:23:26 PM
no ,

some believe that since the nsa invented sha 2 (secure hash algorithm 2) and then stopped using it , that means well it must be cracked like an egg or they would not have changed to sha 3

Or maybe sha256 is too good and they wanted something with a secret back door.


Title: Re: Has the NSA already broken bitcoin?
Post by: photon_coin on May 09, 2015, 08:50:55 PM
oh I am sure there are many people who have a full time job pushing someone's agenda on this forum and others and in social media.

In fact I would say I guarantee you there are but since my proof is 'indirect' i will leave it at that.

Many people are against bitcoin and want to harm it, many others want to get your bitcoin and steal it..... I could go on and on.

Take a scam like ripple for example.

This was started by the same person who opened magic the gathering online.

Now.... I consider it a 100% scam but that is not the topic of the thread. 

Assume for a moment I am correct, would they not pay people to (just like in all other large businesses) go after the competition ??

the banking industry is certainly not happy about bitcoin in general .....

I read an article about a year ago that said walking into a bankers office and saying the word bitcoin was like saying you had a 'bomb'

Also i am not too familiar with other countries but I know for a fact in the United States that the fbi cointelpro program is alive and well
and also since bitcoin owners/miners in the united states under current law have bitcoin being treated as personal property (something I expect will change in the future either by policy makers or by court challenges)

So yes there are trolls all over these boards , in particular the alt coin section with all different agendas. 


If sha 2 is broken and you believe the nsa or some other party has a backdoor into it I cannot prove you wrong but I would ask you to state what technology is being used ?  Saying these guys have a special machine underground somewhere that can just crack it is too much of a stretch for me based on my personal knowledge of cryptography and mathematics.


When Snowden revealed that bulk collection was going on i was not shocked at all in fact i suspected as much for years.
That is because these actions are within the current scope of known technology. 

Take it one step further, if someone had a 'backdoor' into bitcoin since all tx are visible and stored in the blockchain I think it would stand out pretty quick if unusual things started going on.....

If

As


Title: Re: Has the NSA already broken bitcoin?
Post by: moriartybitcoin on May 09, 2015, 11:42:13 PM
Nah, sha-256 is definitely NOT broken ... not without a fully working quantum computer (then using Shor's Algorithm, NSA or some other powerful state entity could crack it in seconds)


Title: Re: Has the NSA already broken bitcoin?
Post by: 2112 on May 10, 2015, 12:42:27 AM
Nah, sha-256 is definitely NOT broken ... not without a fully working quantum computer (then using Shor's Algorithm, NSA or some other powerful state entity could crack it in seconds)
Care to explain how an integer factorization algorithm could apply to the cryptanalysis of Merkle-Damgård hash functions?


Title: Re: Has the NSA already broken bitcoin?
Post by: BurtW on May 14, 2015, 04:57:14 AM
Nah, sha-256 is definitely NOT broken ... not without a fully working quantum computer (then using Shor's Algorithm, NSA or some other powerful state entity could crack it in seconds)
Care to explain how an integer factorization algorithm could apply to the cryptanalysis of Merkle-Damgård hash functions?

Care to explain how they put a "back door" into SHA256 when the initialization vectors were chosen on purpose to be the totally transparent numbers:

Quote
Initialize hash values:
(first 32 bits of the fractional parts of the square roots of the first 8 primes 2..19):
h0 := 0x6a09e667
h1 := 0xbb67ae85
h2 := 0x3c6ef372
h3 := 0xa54ff53a
h4 := 0x510e527f
h5 := 0x9b05688c
h6 := 0x1f83d9ab
h7 := 0x5be0cd19

Initialize array of round constants:
(first 32 bits of the fractional parts of the cube roots of the first 64 primes 2..311):
k[0..63] :=
   0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
   0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
   0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
   0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
   0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
   0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
   0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
   0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2


Title: Re: Has the NSA already broken bitcoin?
Post by: austinsimonson on May 28, 2015, 01:23:20 PM
If the NSA can crack Bitcoin, it would be in their best interests to have the public believe that they cannot do such things... Anyway personally I think they haven't broken bitcoin yet...


Title: Re: Has the NSA already broken bitcoin?
Post by: photon_coin on November 14, 2015, 05:38:20 AM
sorry to post to this old thread but while I think the future of cryptocurrency is in the sha 3 final candidates, i find it highly unlikely sha 2 is 'cracked' , i won't bore you with pdf files and other references to back up my point,  anyone who understands what I am saying should know those things anyway


Title: Re: Has the NSA already broken bitcoin?
Post by: Preclus on November 14, 2015, 05:42:58 AM
The top 3 mining groups control more than 51% of the hashing power of the network. If you add in the 4th, you are over 60%.

So, if you want to fork the blockchain or do anything else, you don't need to do math.


Title: Re: Has the NSA already broken bitcoin?
Post by: cbeast on December 28, 2015, 01:36:08 PM
I was recently told by a guy who knows a guy in the NSA that they cannot crack Bitcoin.


Title: Re: Has the NSA already broken bitcoin?
Post by: thejaytiesto on December 28, 2015, 05:49:59 PM
I was recently told by a guy who knows a guy in the NSA that they cannot crack Bitcoin.

If they did we would know already, because those things leak. If they break Bitcoin, they can break the entire banking system and everything else too. And what about TOR? they struggle with Tor too. I think Bitcoin is as safe as it gets from 3 letter agencies.


Title: Re: Has the NSA already broken bitcoin?
Post by: Mikestang on December 28, 2015, 06:45:03 PM
I was recently told by a guy who knows a guy in the NSA that they cannot crack Bitcoin.

Oh, a guy who knows a guy, he is the foremost authority on all things that go on inside the NSA! He knows all about 9/11, too.

 ::) ::) ::)


Title: Re: Has the NSA already broken bitcoin?
Post by: cellard on December 28, 2015, 10:37:04 PM
If the NSA can crack Bitcoin, it would be in their best interests to have the public believe that they cannot do such things... Anyway personally I think they haven't broken bitcoin yet...


It's impossible to break Bitcoin, it's quantum secure and everyone will be safe once BIP47 is deployed, trying to crack it is useless and a waste of resources, they are losing the antiencryption war


Title: Re: Has the NSA already broken bitcoin?
Post by: owm123 on December 29, 2015, 12:00:27 AM
I just don't think there is any way possibly ?

I think the NSA could be able to de-anonymize users, or large portions of them. Bitcoin is only pseudo-anonymous (http://www.bitcoinisnotanonymous.com/), for some organization with resources of NSA and determination they could data mine all their databases for linking bitcoin addresses with emails, user accounts on exchanges, fake darknet markets, online shops, etc.

This is one possible reason, people give, why satoshi hasn't moved any bitcoins from his early addresses. It would be just too dangerous to his anonymity to touch them.


Title: Re: Has the NSA already broken bitcoin?
Post by: Nancarrow on December 29, 2015, 01:11:51 AM
I was recently told by a guy who knows a guy in the NSA that they cannot crack Bitcoin.

And now, I've been told by a guy who knows a guy who knows a guy in the NSA. Connect the dots, sheeple!


Title: Re: Has the NSA already broken bitcoin?
Post by: cbeast on December 31, 2015, 01:24:05 PM
I was recently told by a guy who knows a guy in the NSA that they cannot crack Bitcoin.

And now, I've been told by a guy who knows a guy who knows a guy in the NSA. Connect the dots, sheeple!

Well sure, of course you should do your own research. There is no plausible scenario that the NSA can crack Bitcoin's protocol and highly doubtful they can overpower the hashrate.


Title: Re: Has the NSA already broken bitcoin?
Post by: RodeoX on January 07, 2016, 08:54:24 PM
When the NSA tries to crack something they do the same things that any cracker does. Typically they are trying to crack passwords or get inside a site to elevate their privileges. So they look for low hanging fruit like stupid users with short passwords and poor practices. They run a dictionary at it then brute force it if necessary. But they do not have some kind of alien technology and are in the same boat as anyone who wants to get it.
This has little relationship to bitcoin, IMO. Because breaking a password may allow access to some individual wallet, but not to all wallets. 


Title: Re: Has the NSA already broken bitcoin?
Post by: owm123 on January 07, 2016, 09:10:00 PM
Probably not, but with all the mass surveillance data they have (e.g., access to emails, exchanges, backdoors virtually everywhere, online shops, etc) it's very likely that they could identify many bitcoin addresses if they really wanted.  Bitcoin is only pseudo-anonymous (http://www.bitcoinisnotanonymous.com/), and for some organization with resources such as nsa and data warehouses full of, well ... data from different places, they could probably cross correlate this information with bitcoin transactions.


Title: Re: Has the NSA already broken bitcoin?
Post by: calkob on January 07, 2016, 09:52:54 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

Great idea Einstein  ???  spend 20 years in prison to test if the NSA can break sha256.  Go ahead you first  ;D


Title: Re: Has the NSA already broken bitcoin?
Post by: n691309 on January 07, 2016, 09:54:20 PM
This would be pretty easy to test. Just get a bunch of friends to start exchanging encrypted messages about bombing an embassy or govt office. If these douche-bags can break it, they'd be on you like white on rice.

Great idea Einstein  ???  spend 20 years in prison to test if the NSA can break sha256.  Go ahead you first  ;D
They can break if they start using or producing the quantum computers, as these are known as very powerful computers but until now i don't think they brought the bitcoin.