Bitcoin cryptography.

[Cryptowatch.com]

I've meant to look deep into this for a long time, but haven't gotten around to it. I'm a big bitcoin supporter, but anyway there's a small voice in the back of my head that have some concerns. I don't expect anyone to do all the research for me, but if there's some valid work done by crypto experts, I'm interested in learning about it.

Is the crypto that bitcoin uses 100% safe? In the sense that there's no backdoors and no ability for any entity to seize funds?

There's some background info here:
http://blog.ezyang.com/2011/06/the-cryptography-of-bitcoin/

SHA-256, RIPEMD-160 and Elliptic Curve DSA is mentioned here.

Now, obviously, I don't have the knowhow to judge whether everything's "safe", as I'm no crypto-expert. But I assume there's many crypto experts that have already looked deeply into the crypto used in bitcoin and have reached some conclusions that tech-heads with less crypto knowledge can use as a guide.

So my questions would be:

- Can all crypto used in bitcoin be 100% trusted? If so, what are the arguments for this?
- Who made the crypto- algorithms that is used in bitcoin? If these are made by govt. entities is it not reasonable to expect that there's backdoors? If not, why?
- Forgive me my limited understanding, but given you assemble the brightest minds in maths and crypto, as the government funded agencies do, would they not be able to come up with sneaky solutions that would not be detected by independent crypto researchers? Ie. could a crypto-method be declared safe, and yet contain some kind of backdoor?
- Would govt. agencies create unbreakable crypto? And if so why, as it could also be used against themselves. But this is a two edged sword as safety (protection from prying eyes) could only be ensured if the crypto is unbreakable, because if entity A can break a crypto algorithm, so can entity B.


Let's assume that Satoshi's invention is genuine and we have nothing to fear, that's fine - however if the opposite is the case, and we know how important it is to control the money of a state, could it happen that the one who controlled bitcoin would also control its users? Comply, or else you will lose your coins.. It would not only be a monetary loss if coins could be controlled remotely, but also a severe confidence blow to the entire network.

So in short, what guarantees does any business or private entity have that his coins are indeed secured by math and untouchable by man?

[Hazir]

I am not a techy guy but from what I could see isn't Bitcoin's source code open? Everyone can look into it and see if there is any weird triggers or algorithms are rigged or something. So I imagine that multiple very knowledgeable tech brains looked already into it and confirmed that indeed bitcoin's code is pure and won't backfire in the future.

[Ibelievetruly]

SHA256 was originally made by the government, nsa specifically.

SHA256 was chosen because it was the lesser popular algo at the time, and the other one had suspected backdoors

SHA256 cannot be broken at this time

SHA256 has no backdoors, it's opensource, feel free to check for yourself

[Cryptowatch.com]

SHA256 cannot be broken at this time

Got it. What are the arguments for this? I guess more research is warranted on my part.

SHA256 has no backdoors, it's opensource, feel free to check for yourself

It would be stupid of me to assume I would be able to see something in the source code, as I do not have the required skills, and would need to trust other crypto experts and their statements.

[redsn0w]

I am not a techy guy but from what I could see isn't Bitcoin's source code open? Everyone can look into it and see if there is any weird triggers or algorithms are rigged or something. So I imagine that multiple very knowledgeable tech brains looked already into it and confirmed that indeed bitcoin's code is pure and won't backfire in the future.

Yes of course, the code is obviously open source and this is one of the numerous reason of why bitcoin is very successful, in 5-6 years of "life" no one found a backdoor or a shitty code, so it is not a "software" written by any government. The sha of 256 bits is based on math, if you don't trust math it is obvious that you should not trust bitcoin (but it doesn't seem this is the case ).

[OROBTC]

...

This is a a great topic.  I am not qualified either to look at the open-source code to make a judgement as to whether or not there are any hidden back-doors and related.

Has anyone really good at coding and cryptography here at bitcointalk (or anyone else who presumably could be trusted) taken a good hard look at this?

I have seen various comments about how robust the three encryption techniques are, but I have not run into a definitive study as to how robust BITCOIN is to snooping, back-doors, etc.

[umair01]

Bitcoin is as secured as it comes, many people are obviously trying to crack it but none have found any success so far and it will not happen in the near future as per my knowledge. The entire source code is open source and has been reviewed by so many people and it is obvious that there is no backdoor in it.

[NyeFe]

SHA256 cannot be broken at this time

Got it. What are the arguments for this? I guess more research is warranted on my part.

SHA256 has no backdoors, it's opensource, feel free to check for yourself

It would be stupid of me to assume I would be able to see something in the source code, as I do not have the required skills, and would need to trust other crypto experts and their statements.

Here you go https://bitcointalk.org/index.php?topic=1008489.msg10943694#msg10943694

[ensurance982]

Well you can't be sure until proven otherwise, actually. Thing is: those algorithms are perfectly well known and there are a lot of mathematicians who are getting a kick out of proving/disproving the security behind those algorithms (they're being paid, also). Well, that being said: I guess they're pretty safe!

[DannyHamilton]

Is the crypto that bitcoin uses 100% safe? In the sense that there's no backdoors and no ability for any entity to seize funds?

As far as anyone that has spoken publicly has indicated, there are no backdoors.  In reality, it is impossible to know for 100% certainty that the algorithms chosen don't have any intentional weaknesses.  It might help to consider that nobody has ever demonstrated a workable weakness in a properly generated address.  Given the financial incentive that exists, if there were any intentional weaknesses, you'd think someone would have used them by now (and/or that someone would have discovered them by now).  It also might help to know that there are three separate cryptographic functions between your private key and your address (ECDSA, SHA256, and RIPEMD160).  Therefore, even if there's a weakness in one (or two) of those algorithms, it would require that all three algorithms be significantly broken before someone could gain control of bitcoins sent to a properly secured address.

- Can all crypto used in bitcoin be 100% trusted? If so, what are the arguments for this?

100%?

Nah.  There's always a chance that someone will discover some weaknesses in any cryptographic function.  However, the odds against it are so astronomically small, that you're better off worrying about other things in life.

- Who made the crypto- algorithms that is used in bitcoin? If these are made by govt. entities is it not reasonable to expect that there's backdoors? If not, why?

IIRC, the United States NSA designed SHA-256, the concept of ECC was introduced by Neal Koblitz and Victor S. Miller, Certicom came up with the parameters of the Secp256k1 curve, and RIPEMD was developed by Hans Dobbertin, Antoon Bosselaers and Bart Preneel at the COSIC research group at the Katholieke Universiteit Leuven.

- Forgive me my limited understanding, but given you assemble the brightest minds in maths and crypto, as the government funded agencies do, would they not be able to come up with sneaky solutions that would not be detected by independent crypto researchers?

You'd have to assume that all of the "brightest minds" in the world would choose to cooperate with world governments in a conspiracy that spans a few decades.  There are a lot of talented mathematicians in the world. It seems likely to me that one of them would eventually figure out what's going on.  It isn't possible to hide the actual math that is happening.

a  Ie. could a crypto-method be declared safe, and yet contain some kind of backdoor?

It could.  Given the financial incentives and the number of "experts" looking at it, it seems highly unlikely.

- Would govt. agencies create unbreakable crypto?

To the best of their abilty?  Yes.

And if so why, as it could also be used against themselves.

Anything that they can break, can be broken by someone else.  If they want something to be secure, then they need it to be "unbreakable".

But this is a two edged sword as safety (protection from prying eyes) could only be ensured if the crypto is unbreakable, because if entity A can break a crypto algorithm, so can entity B.

Exactly.

Let's assume that Satoshi's invention is genuine and we have nothing to fear, that's fine - however if the opposite is the case, and we know how important it is to control the money of a state, could it happen that the one who controlled bitcoin would also control its users? Comply, or else you will lose your coins.

Except it wouldn't be "Comply, or else you will lose your coins" would it?  As soon as it was clear that they could "control" the movement of the value, all bitcoins would essentially lose any value they have.  So, it would be "Comply, or it will become evident to the world that bitcoin isn't secure and EVERYONE that is holding any bitcoins at all will lose ALL value".

It would not only be a monetary loss if coins could be controlled remotely, but also a severe confidence blow to the entire network.

Exactly.  On the other hand, they don't really need it to be insecure at all.  All they need is for you to be insecure.  Then they can gain access to your private keys.  Malware on your computer, surveillance, social engineering, any (or all) of these can be used to trick you into giving up the necessary information much more easily and much more cheaply than trying to "break" all the algorithms used to secure bitcoins.

For example, they could create a service (like blockchain.info) that encourages users to reuse the same address for multiple payments.  Voila, they no longer need to crack SHA-256 or RIPEMD-160.  Suddenly the ECDSA public key is available for them in the blockchain.  This reduces their effort to just having control over the Secp256k1 curve.

Better yet, they could create a service (like Coinbase) that encourages users to turn complete control over the private keys to the service.  Voila, they no longer need to crack any cryptography at all.  You've just handed over complete control of your bitcoins without even realizing it.

So in short, what guarantees does any business or private entity have that his coins are indeed secured by math and untouchable by man?

There are no guarantees in life.  But you have the choice to trust that the government will do a good job of managing the value of the fiat currency that you hold, or trusting that any intentional weaknesses in the cryptographic functions would have been discovered by now.  I know which of those I'm more likely to put my faith in.

[smolen]

It also might help to know that there are three separate cryptographic functions between your private key and your address (ECDSA, SHA256, and RIPEMD160).

And MD5 between external entropy and private key.

[DannyHamilton]

It also might help to know that there are three separate cryptographic functions between your private key and your address (ECDSA, SHA256, and RIPEMD160).

And MD5 between external entropy and private key.

This is not true. There is nothing in the Bitcoin protocol that requires the use of MD5 in the generation of a private key. Each wallet creator is welcome to use whatever process they prefer for gathering entropy and generating a private key.

[smolen]

It also might help to know that there are three separate cryptographic functions between your private key and your address (ECDSA, SHA256, and RIPEMD160).

And MD5 between external entropy and private key.

This is not true. There is nothing in the Bitcoin protocol that requires the use of MD5 in the generation of a private key. Each wallet creator is welcome to use whatever process they prefer for gathering entropy and generating a private key.

Yes, that's not in the protocol.
Correct me, if I'm wrong, but Bitcoin Core generates 100 private keys for newly created wallet.dat, each key consumes 32 bytes of entropy, internal state of default OpenSSL RNG is 1023+16 bytes, keys are created in bulk, so not much additional entropy could be gathered. No way (up to my knowledge) to exploit it, but Bitcoin Core is ~16000 bits of entropy short on the first run (EDIT: and this missing entropy is emulated with MD5) - for the sake of small code simplification.

[LiteCoinGuy]

https://www.youtube.com/watch?v=U2bw_N6kQL8

https://www.youtube.com/watch?v=ZloHVKk7DHk


this can help too.

[jonald_fyookball]

Has anyone really good at coding and cryptography here at bitcointalk (or anyone else who presumably could be trusted) taken a good hard look at this?

no, no ones ever looked at it.

ECC is well known and studied.  
http://en.m.wikipedia.org/wiki/Elliptic_curve_cryptography

The hardest ECC scheme (publicly) broken to date had a 112-bit key for the prime field case and a 109-bit key for the binary field case. For the prime field case this was broken in July 2009 using a cluster of over 200 PlayStation 3 game consoles and could have been finished in 3.5 months using this cluster when running continuously. For the binary field case, it was broken in April 2004 using 2600 computers for 17 months.

Bitcoin uses a 256 bit key and the secp256k1 curve.

see https://en.bitcoin.it/wiki/Secp256k1

unlike the popular NIST curves, secp256k1's constants were selected in a predictable way, which significantly reduces the possibility that the curve's creator inserted any sort of backdoor into the curve.

The SHA-256 hash function is based on a Merkle Damgard construction,
which has been considered solid for decades.

[oblivi]

It's open source and it's not crackeable unless the gov has quantum machines ready to bruteforce SHA256 based passes (thats just straight Sci-fi). So yeah, you can be safe with your BTCs, the only problem one has is storing them in a place that can't be accessed online, and even if they did they would need to crack the pass, which is impossible given it's a decent one.
So your main mission is not forgetting your pass. If you want to be your own bank that's expected. If not, you always have stuff like Xapo.

[Professor James Moriarty]

There have been enough computer scientists and researchers that have looked over Bitcoin's theory and cryptography and code in the past 6 years. If it was a problem they would've said something already :-)

[cellard]

There have been enough computer scientists and researchers that have looked over Bitcoin's theory and cryptography and code in the past 6 years. If it was a problem they would've said something already :-)

There's nothing to "crack" about the BTC code... again, at the end of the day it all comes down to cracking the cryptographic algorithm which is simply ridiculous. If someone cracked SHA256, it would be a global catastrophe, since endless security is based around SHA256.

[MikeCorleone]

There have been enough computer scientists and researchers that have looked over Bitcoin's theory and cryptography and code in the past 6 years. If it was a problem they would've said something already :-)

There's nothing to "crack" about the BTC code... again, at the end of the day it all comes down to cracking the cryptographic algorithm which is simply ridiculous. If someone cracked SHA256, it would be a global catastrophe, since endless security is based around SHA256.

I don't see him mentioning anything about cracking the BTC code, and your answer is very incorrect. SHA256 can be fine as an algorithm, and secp256k1 can be fine as a curve, but Bitcoin's implementation of both of those could be flawed.

Let's not forget that someone did legitimately create 184 billion Bitcoin in a single block in 2010, and the network had to be patched (resulting in a short-lived fork).

The Bitcoin wiki has a good article covering OP's concerns: https://en.bitcoin.it/wiki/Weaknesses

[thejaytiesto]

There have been enough computer scientists and researchers that have looked over Bitcoin's theory and cryptography and code in the past 6 years. If it was a problem they would've said something already :-)

There's nothing to "crack" about the BTC code... again, at the end of the day it all comes down to cracking the cryptographic algorithm which is simply ridiculous. If someone cracked SHA256, it would be a global catastrophe, since endless security is based around SHA256.

I don't see him mentioning anything about cracking the BTC code, and your answer is very incorrect. SHA256 can be fine as an algorithm, and secp256k1 can be fine as a curve, but Bitcoin's implementation of both of those could be flawed.

Let's not forget that someone did legitimately create 184 billion Bitcoin in a single block in 2010, and the network had to be patched (resulting in a short-lived fork).

The Bitcoin wiki has a good article covering OP's concerns: https://en.bitcoin.it/wiki/Weaknesses

True, I think everyone knows the 184 billion BTC incident, but those were the super early days. At this point, all those sorts of problems have been patched.