Bitcoin Forum
Topic: Does bitcoin use Dual_EC_DRBG in any way? (Read 686 times)
manuel (Member, Activity: 70, Merit: 10)
November 11, 2013, 11:34:55 AM, #1

Somebody suggested to me that there may be a problem with the random numbers used to select the elliptic curve for bitcoin (or something like that) - it's technically over my head.  However, these articles below seem to be what they were talking about.  Is Dual_EC_DRBG utilized in Bitcoin in any way?  If it is what do you all think about this potential vulnerability.

https://www.schneier.com/essay-198.html
http://www.tgdaily.com/security-features/34903-did-the-nsa-build-a-backdoor-into-a-new-elliptic-encryption-standard
Mike Hearn (Legendary, expert, Activity: 1526, Merit: 1008)
November 11, 2013, 11:41:40 AM, #2

No, it's not used.
manuel (Member, Activity: 70, Merit: 10)
November 11, 2013, 12:11:51 PM, #3

Quote from: Mike Hearn
No, it's not used.

What does it use then?


Here's some more info: http://motherboard.vice.com/blog/what-do-the-latest-nsa-leaks-mean-for-bitcoin

I am surprised that if this figure of $14 million dollars is correct for the amount of hardware necessary to launch a 51% attack, why hasn't anyone done this already?
Mike Hearn (Legendary, expert, Activity: 1526, Merit: 1008)
November 11, 2013, 12:30:05 PM, #4

The RSA BSAFE library is known to have used it. That in turn has been used in a pile of proprietary software stacks, the most important that I'm aware of is the SSL stacks on some Japanese phones. It is fair to assume all SSL sessions generated by such stacks could have been decrypted by the NSA.

Beyond that, I don't think it got used much.
manuel (Member, Activity: 70, Merit: 10)
November 11, 2013, 12:57:21 PM, #5

Didn't the NSA also create SHA-256 and isn't that used by Bitcoin?  What ramifications does that have?
Mike Hearn (Legendary, expert, Activity: 1526, Merit: 1008)
November 11, 2013, 03:53:09 PM, #6

They did. However, SHA-256 is based on well studied public algorithms invented by non-NSA affiliated academics, like Merkle–Damgård compression.

Also, it's rather simple, extremely well studied and does not contain any unexplainable numbers or constants like Dual_EC_DRBG or secp256r1 do.

The chances of there being a problem with SHA-256 are extremely low.
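To make the point about SHA-256's constants concrete, here is an added example (not code from this thread, and not Bitcoin Core's own implementation). FIPS 180-4 defines the 64 round constants as the first 32 bits of the fractional parts of the cube roots of the first 64 primes, and the 8 initial hash words the same way from the square roots of the first 8 primes. The script derives all of them with exact integer arithmetic, builds the compression function on those derived values only, and checks its digests against Python's hashlib. The choice of Python and the helper names (first_primes, icbrt, round_constants, initial_hash, matches_hashlib) are this example's own.

```python
"""Rebuild SHA-256 from its 'nothing up my sleeve' constants.

Added example, not code from the thread or from Bitcoin Core. FIPS 180-4 defines
the 64 round constants K as the first 32 bits of the fractional parts of the cube
roots of the first 64 primes, and the 8 initial hash words the same way from the
square roots of the first 8 primes. Deriving them with exact integer arithmetic
(no floating-point rounding) and then hashing with them shows there is no room in
SHA-256 for an unexplained constant: alter one bit of the derivation and the
digest no longer matches hashlib.
"""
import hashlib
import math
import struct

MASK32 = 0xFFFFFFFF


def first_primes(n):
    """First n primes by trial division (n <= 64 here, so this is fast enough)."""
    primes = []
    candidate = 2
    while len(primes) < n:
        if all(candidate % p for p in primes if p * p <= candidate):
            primes.append(candidate)
        candidate += 1
    return primes


def icbrt(n):
    """Exact floor(cbrt(n)) for a non-negative int, by binary search."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** 3 <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def round_constants():
    """K[i] = floor(frac(cbrt(p_i)) * 2^32), i.e. the low 32 bits of floor(cbrt(p_i * 2^96))."""
    return [icbrt(p << 96) & MASK32 for p in first_primes(64)]


def initial_hash():
    """H0[i] = floor(frac(sqrt(p_i)) * 2^32), i.e. the low 32 bits of floor(sqrt(p_i * 2^64))."""
    return [math.isqrt(p << 64) & MASK32 for p in first_primes(8)]


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK32


def sha256(message):
    """SHA-256 of `message` (bytes), using only the constants derived above."""
    K = round_constants()
    H = initial_hash()
    # Padding: 0x80, zeros up to 56 mod 64, then the 64-bit big-endian bit length.
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack(">Q", len(message) * 8)
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for i in range(16, 64):  # message schedule
            s0 = rotr(w[i - 15], 7) ^ rotr(w[i - 15], 18) ^ (w[i - 15] >> 3)
            s1 = rotr(w[i - 2], 17) ^ rotr(w[i - 2], 19) ^ (w[i - 2] >> 10)
            w.append((w[i - 16] + s0 + w[i - 7] + s1) & MASK32)
        a, b, c, d, e, f, g, h = H
        for i in range(64):  # compression rounds
            S1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            t1 = (h + S1 + ch + K[i] + w[i]) & MASK32
            S0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t2 = (S0 + maj) & MASK32
            h, g, f, e, d, c, b, a = g, f, e, (d + t1) & MASK32, c, b, a, (t1 + t2) & MASK32
        H = [(x + y) & MASK32 for x, y in zip(H, (a, b, c, d, e, f, g, h))]
    return b"".join(struct.pack(">I", x) for x in H)


def matches_hashlib(message):
    """True when the prime-derived implementation agrees with the platform's SHA-256."""
    return sha256(message) == hashlib.sha256(message).digest()


if __name__ == "__main__":
    print("K[0]  = 0x%08x  (fractional part of cbrt(2))" % round_constants()[0])
    print("H0[0] = 0x%08x  (fractional part of sqrt(2))" % initial_hash()[0])
    for m in (b"", b"abc", b"The quick brown fox jumps over the lazy dog"):
        print(m[:12], sha256(m).hex(), "ok" if matches_hashlib(m) else "MISMATCH")
```

The integer cube root (p shifted left by 96 bits) and math.isqrt (p shifted left by 64 bits) give floor(cbrt(p) * 2^32) and floor(sqrt(p) * 2^32) exactly, so the low 32 bits are the fractional-part words the standard tabulates; a float-based derivation can be off by one in the last bit for some primes, which is why the example avoids it. Contrast this with a generator whose fixed points are simply published: there is no similar recipe for someone else to rederive them from.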
maaku (Legendary, expert, Activity: 905, Merit: 1001)
November 11, 2013, 07:03:41 PM, #7

Quote from: manuel
I am surprised that if this figure of $14 million dollars is correct for the amount of hardware necessary to launch a 51% attack, why hasn't anyone done this already?

Because... why would you? You're not going to recoup that investment.

I'm an independent developer working on bitcoin-core, making my living off community donations.
If you like my work, please consider donating yourself: 13snZ4ZyCzaL7358SmgvHGC9AxskqumNxP
gmaxwell (Moderator, Legendary, Activity: 2702, Merit: 2156)
November 11, 2013, 08:42:32 PM, #8

The number has gone up quite a bit since then since the hashrate is rapidly growing.

At the moment, it's $80,000,000, though it will step down again when I can fairly make the claim of $3/GH 28nm parts, instead of $8000 for 400GH/s BitFury parts. ($3/GH would be $12m at current hashrate, though once those parts are actually available the hashrate will go up some large amount.)

To elaborate on maaku's comment. Bitcoin is foremost an autonomous zero-trust system; all full nodes validate everything. A majority of mining ruins the security assumptions, but it still doesn't give the majority completely free rein over the system. Dishonestly using your majority hashpower would likely just make the resulting coins worthless.