The Three Encryption Methods Used by Bitcoin

[OROBTC]

...

I'm new just today, but have really been very happy with the quality of replies I am seeing and getting, a great community you guys have built! 

So, let me move on to a more complex set of subjects for me to learn about.  My understanding is that the Bitcoin Ecosystem uses three encryption methods:

-- SHA256, a hash-function, see link for what I know (not much) here: /lq667xz]http://[Suspicious link removed]/lq667xz.  Play with that hashing function here at this fun little place: http://www.xorbin.com/tools/sha256-hash-calculator.  (I will learn some more about hash functions as time permits.)

-- I believe an Elliptic Curve Encryption method is used as well: http://kakaroto.homelinux.net/2012/01/how-the-ecdsa-algorithm-works/, this link was given to me by zerohedge.com member "zaphod", but I have not had a chance to go look into it, zaphod said it was complicated...

-- "RIPEMD160" (which I believe is another hashing function) is also used, but I know essentially nothing about it other than wikipedia's entry.

***

1)  Is my information correct?

2)  How do those pieces all fit together?  (Or is this question waaaay complicated ??)

3)  Is there a nice tidy little place where I can read up on these three?

[1713454271]

1713454271

[1713454271]

1713454271

[1713454271]

1713454271

[1713454271]

1713454271

[1713454271]

1713454271

[DeathAndTaxes]

Those are all used in Bitcoin however none of them are encryption methods.  Hashing algorithms, digital signature algorithms, and encryption algorithms are all cryptography. 

There is actually no encryption used in the Bitcoin protocol although many wallets do employ encryption (most commonly AES) to protect the keys from being stolen.

As for how do they all fit together ... that is a long topic and I have drunk too much port.  Start looking at the bitcoin wiki.

For general information on SHA-256, RIPEMD-160, and ECDSA (or ECC in general) wikipedia will give you some basic background information.

[AnonyMint]

Bottom line is Bitcoin can be cracked with a future quantum computer (because it is based on number-theoretic assumptions cryptography, e.g. destruction factoring from a constructed whole, instead of Random oracle style cryptography, e.g. construction of deconstruction into partitions).

It is argued this won't matter because the public key addresses are hashed on the blockchain until the balances are spent. (that is if you follow best practices and don't resend the change back to same public key address spent from) And that everyone can spend their balances to a new quantum-proof encryption method (e.g. Lamport) if ever quantum computers are known to be created.

However that erroneous argument has at least 4 flaws.

• When you spend, the quantum computing adversary could sniff your spend before it propagates sufficiently on the network and insert a double-spend that reaches more mining nodes faster than yours. In particular a powerful entity such as the NSA is already admitted to be capable of propagation attacks (see "The Quantum system" section at linked article).
• How do you ever get everyone to do the same human action in large distributed systems? There isn't even an official Bitcoin client any more.
• How do we know when the adversary has a quantum computer, given the capability of the NSA to issue national security letter gag orders? They had differential analysis to break cryptography in the 1970s and 80s and the public was unaware.
• If we adopt something like Zerocoin to add more anonymity to the tracing of trail of ownership of a coin, these signatures can't be retroactively hardened later, thus all that history of anonymity is suddenly lost once the adversary gains a quantum computer.

And people wonder why I think Bitcoin is piece-of-shit.   (and this is only 10% of the technical problems I see in Bitcoin)

The worst would be if the current ECDSA variant chosen was seeded by the NSA. There is some speculation about that yet apparently Bitcoin's choice was not one of the ones seeded opaquely by NIST or other potential surrogate (although I haven't dug in and don't trust the summaries I've seen to do my homework for me).

[greenlion]

...

I think the OP wanted to know how to find out more technical information, not get brainwashed by crackpot conjecture.

[AnonyMint]

The only thing debatable about what I wrote is when the quantum computer will be a reality. Whether you believe or not the NSA (or others) would abuse their power is subjective of course.

[DannyHamilton]

OP, please note: There is a reason that AnonyMint's "ignore" button is a bright orange.
Edit: Just discovered that the highlighted "ignore" link has been temporarily disabled.

As for how do they all fit together ... that is a long topic and I have drunk too much port.  Start looking at the bitcoin wiki.

I don't drink port.  I'll have a go at it:

Bitcoin uses sha256 to generate a unique ID to reference two important types of data.  Indexing these IDs in a database makes searching for them much faster/easier.

A block can be identified by its sha256 hash
A transaction can be identified by its sha256 hash. The transaction hash is only a reliable method of lookup after the transaction is confirmed. Until then, then transaction hash can be modified.
sha256 hashes are used to generate a merkle tree identifying the ordered list of transactions in a block.
The merkle root (also a sha256 hash) is used to prove that a merkle tree for a particular block is valid.

Bitcoin also uses sha256 as a proof-of-work system to make it difficult for an attacker to modify the blockchain.  The result of the sha256 proof-of-work hash is the block hash.

ECDSA (using the Secp256k1 curve) is an Elliptic Curve Digital Signature Algorithm used to provide proof that a spender is authorized to spend the bitcoins that they use to fund a transaction.

ECDSA depends on a mathematically linked pair of keys ( a private key used for creating the signature, and a public key used to verify the signature)  To increase security, and shorten the size of the address, bitcoin passes the public key first through sha256, and then the result of that is passed through RIPEMD160 (another hashing algorithm).  The result of the ripemd160 hash is concatenated with a 4 byte checksum and a version number.  This value is then encoded using a special base58 encoding.  The result of that is that bitcoin address.

This means that if you are given a public key, then you can repeat the base58(ripemd160(sha256(public key))) process to verify that the given public key corresponds to a given bitcoin address.  If you are given a digital signature AND a public key, then you can use the public key to verify the signature, and then repeat the base58(ripemd160(sha256(public key))) to verify that the signature corresponds to a particular address.

These are the only places I can think of that the protocol uses any of these cryptographic functions.  I suppose it's possible that I've somehow missed something.

[AnonyMint]

OP, please note: There is a reason that AnonyMint's "ignore" button is a bright orange.

And note he hasn't dared tried to refute what I wrote, because he can't.

[Come-from-Beyond]

OP, please note: There is a reason that AnonyMint's "ignore" button is a bright orange.

OP, please note: The most valuable info is obtained from people with bright orange "ignore" button. Because they don't lick someone's arses and don't repeat mantras that 1 BTC will be worth 1 million dollars.

PS: AnonyMint is right, once QCs appear Bitcoin will be f***ed. At least noone has offered a good solution to avoid this.

[Peter R]

AnonyMint and Come-from-Beyond please note: the haterz are gonna hate.  You guys just keep on preaching the truth and earning those bright orange ignore banners!  

My physicist friend from D-Wave here in Vancouver says they crack Secp256k1 for breakfast.  Muthaf*%#n Q-bits, yo.  

[Come-from-Beyond]

AnonyMint and Come-from-Beyond please note: the haterz are gonna hate.  You guys just keep on preaching the truth and earning those bright orange ignore banners!  

My physicist friend from D-Wave here in Vancouver says they crack Secp256k1 for breakfast.  Muthaf*%#n Q-bits, yo.  

I see u can say only "blah-blah-blah". Care to say anything valuable? Prove AnonyMint wrong or something.

PS: Yes, I said that u r just a troll.

[Peter R]

PS: Yes, I said that u r just a troll.

That's a relief.  I was worried I wasn't being obvious enough and people might have thought that the D-Wave Quantum Computing Company actually had a quantum computer, let alone one that could crack Secp256k1.  When do D-Wave insiders expect to be able to crack Secp256k1?  Answer: never.  

I see u can say only "blah-blah-blah". Care to say anything valuable? Prove AnonyMint wrong or something.

I did provide something valuable: accurate ridicule.  It was the ridicule of MtGox that prevented even more people from losing money there (the "goxxing" meme, people making fun of MK [although I do not believe he was incompetent]). We are all operating in an unregulated economy and people are waking up to the fact that trust and reputation are important.  

Debating with either of you has shown time and time again to be fruitless.  New readers can check your post histories to see that:

- You are a large stakeholder in NXT and use any opportunity to push this agenda.  You are looking for a platform right now to talk about some disingenuous advantage of NXT over bitcoin.  I went to the Wiki and found one already: "Nxt's PoS mining does not cause monetary inflation."  This implies disingenuously that distributing coins by mining is somehow unfair and NXT came up with a better system.  But another way of describing the NXT coin distribution model is that the original stakeholders started with control of 100% of all coins that will ever be in existence!

- AnonyMint is a notorious thread derailer, who--with great verbosity--will use any platform he can to paint his fear-based image of a dystopian future if we don't all adopt his completely anonymous coin [which we've been waiting to see for for quite some time now].

[Come-from-Beyond]

- You are a large stakeholder in NXT and use any opportunity to push this agenda.  You are looking for a platform right now to talk about some disingenuous advantage of NXT over bitcoin.  I went to the Wiki and found one already: "Nxt's PoS mining does not cause monetary inflation."  This implies disingenuously that distributing coins by mining is somehow unfair and NXT came up with a better system.  But another way of describing the NXT coin distribution model is that the original stakeholders started with control of 100% of all coins that will ever be in existence!

- AnonyMint is a notorious thread derailer, who--with great verbosity--will use any platform he can to paint his fear-based image of a dystopian future if we don't all adopt his completely anonymous coin [which we've been waiting to see for for quite some time now].

By discussing personality of ur opponents u proved that u have no real counter-arguments. Not gonna waste my time on u anymore.

[westkybitcoins]

2)  How do those pieces all fit together?  (Or is this question waaaay complicated ??)

Succinctly:

Each private key in your wallet is a 256-bit number. ECC (yes, it is complicated) is used to create a corresponding public key for each private key.

Both SHA-256 and RIPEMD-160 hashing are used together to derive the corresponding bitcoin address from each public key.

Public-key signing (making use of the ECC-generated public and private keys) is used to sign and verify each transaction sending bitcoins from an address.

SHA-256 hashing is also used to bundle up transactions broadcast on the network into blocks that are verified as legit, and with each block containing a reference to the previous block for added security. Creating these blocks is called "mining".

[Lauda]

OP, please note: There is a reason that AnonyMint's "ignore" button is a bright orange.

OP, please note: The most valuable info is obtained from people with bright orange "ignore" button. Because they don't lick someone's arses and don't repeat mantras that 1 BTC will be worth 1 million dollars.

PS: AnonyMint is right, once QCs appear Bitcoin will be f***ed. At least noone has offered a good solution to avoid this.

This is incorrect. We should ignore you too.

[Come-from-Beyond]

This is incorrect. We should ignore you too.

Incorrect? OK, keep following ostrich policy...

[Lauda]

This is incorrect. We should ignore you too.

Incorrect? OK, keep following ostrich policy...

Quantum is useless.

[AnonyMint]

PS: AnonyMint is right, once QCs appear Bitcoin will be f***ed. At least noone has offered a good solution to avoid this.

I think the community has grown tired of hearing me say I know solutions but haven't released them yet. I will give a small tidbit gift (giving away my secrets before I can implement them) to the community now, so they will realize I am not all talk and no action.

I added the following partial "solution" to Wikipedia yesterday:

https://en.wikipedia.org/wiki/Lamport_signature#Short_keys_and_signature

Now I go quiet if I can.

[AnonyMint]

For the laymen, most public key cryptography (e.g. RSA and Bitcoin's ECDSA and Zerocoin) is based on number theoretic assumptions such as the difficulty in factoring discrete logarithms which makes them impossible to crack (at sufficient bit lengths) with current computers. However, quantum computing would (in theory) enable Shor's algorithm which reduces these factoring problems from exponential to polynomial time. Thus what would have required a zillion years to crack can be cracked in reasonable time to make it practical.

However, cryptographic hash functions do not rely on number theoretic assumptions. Instead they rely on the assumption of asymptotically perfect random distribution of the input to the output, which can be somewhat verified like this. Thus they can't be cracked with Shor's algorithm and only Grover's algorithm can be applied with a quantum computer. Thus they remain exponential time, and only the bit lengths (exponents) get effectively halved.

Lamport signatures use only cryptographic hashes. One of the problem with employing them in a blockchain has been they take up much space (either for the public key or the signature or both), but I just published a discovery in my prior post which enables making them smaller in exchange for more computation.

This discovery makes Lamport signatures more practical for blockchains than they were before, but still they are not as small as number theoretic public key cryptography.

Unfortunately I don't think this will work for Bitcoin, at least not until they implement pruning of the UXTO, but it can work in an altcoin.

I currently see no way to make Zerocoin resistant to Shor's algorithm, but I am still researching this. But Zerocoin is mostly useless any way because of pattern analysis on coin amounts.

[freedomno1]

OP, please note: There is a reason that AnonyMint's "ignore" button is a bright orange.

Had to intrude since some newbies will be confused since you guys keep pointing out the orange ignore being highlighted
The orange ignore highlights are disabled until we switch over to the new forums
So we all look the same (Noticed when Mircea suddenly lost her orange shine)
I opened that thread a while back so I distinctly recall this as a fact
https://bitcointalk.org/index.php?topic=404354.msg4378369#msg4378369

[Ix]

Quantum is useless.

This really isn't true. It's hard to gauge how useful and how soon, but if ever practical, it is definitely not useless. Many of the early unspent coins aren't even protected by RIPEMD-160, so that would be a plentiful place to start.