Does bitcoin use Dual_EC_DRBG in any way?

[manuel]

Somebody suggested to me that there may be a problem with the random numbers used to select the elliptic curve for bitcoin (or something like that) - it's technically over my head.  However, these articles below seem to be what they were talking about.  Is Dual_EC_DRBG utilized in Bitcoin in any way?  If it is what do you all think about this potential vulnerability.

https://www.schneier.com/essay-198.html
http://www.tgdaily.com/security-features/34903-did-the-nsa-build-a-backdoor-into-a-new-elliptic-encryption-standard

[1714779166]

1714779166

[1714779166]

1714779166

[1714779166]

1714779166

[1714779166]

1714779166

[Mike Hearn]

No, it's not used.

[manuel]

No, it's not used.

What does it use then?


Here's some more info: http://motherboard.vice.com/blog/what-do-the-latest-nsa-leaks-mean-for-bitcoin

I am surprised that if this figure of $14 million dollars is correct for the amount of hardware necessary to launch a 51% attack, why hasn't anyone done this already?

[Mike Hearn]

The RSA BSAFE library is known to have used it. That in turn has been used in a pile of proprietary software stacks, the most important that I'm aware of is the SSL stacks on some Japanese phones. It is fair to assume all SSL sessions generated by such stacks could have been decrypted by the NSA.

Beyond that, I don't think it got used much.

[manuel]

Didn't the NSA also create SHA-256 and isn't that used by Bitcoin?  What ramifications does that have?

[Mike Hearn]

They did. However, SHA-256 is based on well studied public algorithms invented by non-NSA affiliated academics, like Merkle–Damgård compression.

Also, it's rather simple, extremely well studied and does not contain any unexplainable numbers or constants like Dual_EC_DRBG or secp256r1 do.

The chances of there being a problem with SHA-256 is extremely low.

[maaku]

I am surprised that if this figure of $14 million dollars is correct for the amount of hardware necessary to launch a 51% attack, why hasn't anyone done this already?

Because... why would you? You're not going to recoup that investment.

[gmaxwell]

The number has gone up quite a bit since then since the hashrate is rapidly growing.

At the moment, it's $80,000,000, though it will step down again when I can fairly make the claim $3/gh 28nm parts, instead of $8000 for 400GH/s bitfury parts. ($3/gh would be $12m at current hashrate, though once those parts are actually available the hashrate will go up some large amount).

To elaborate on Maaku's comment.  Bitcoin is foremost an autonomous zero trust system, all full nodes validate everything. A majority of mining ruins the security assumptions, but it still doesn't give the majority completely free reign over the system. Dishonestly using your majority hashpower would likely just make the resulting coins worthless.