Bitcoin Forum
Topic: What happens if the cryptography of Bitcoin gets cracked? (Read 3326 times)

PetePete (OP), June 10, 2014, 07:32:40 PM, #1

Or what would happen if improved cryptography comes along, how would the protocol deal with this? Would a layer on top of the current protocol be enough to patch it up or will Bitcoin die?

madmadmax, June 10, 2014, 07:38:12 PM, #2

Or what would happen if improved cryptography comes along, how would the protocol deal with this? Would a layer on top of the current protocol be enough to patch it up or will Bitcoin die?

It could very well already be broken.

It would allow the organization that has the backdoor to potentially double spend, reverse transactions, issue coins and so on, depending on how wide the backdoor is.

If people catch on to it, then Bitcoin will be hard-forked and everything will resume as if nothing happened.

PetePete (OP), June 10, 2014, 07:54:16 PM, #3

Thanks for the reply, so what does hard fork entail? Would it be able to resolve the initial problem though?

madmadmax, June 10, 2014, 08:02:58 PM, #4

Thanks for the reply, so what does hard fork entail? Would it be able to resolve the initial problem though?

The network will take up all of the damage that happened up until the moment of the hard fork; after that moment everything will be back to normal, unless the new algo has a backdoor as well.

PetePete (OP), June 10, 2014, 10:34:01 PM, #5

Thanks

odolvlobo, June 11, 2014, 12:26:34 AM, #6

Thanks for the reply, so what does hard fork entail? Would it be able to resolve the initial problem though?

The network will take up all of the damage that happened up until the moment of the hard fork; after that moment everything will be back to normal, unless the new algo has a backdoor as well.


That's a very optimistic scenario. You forgot the part where everyone panics and sells because they don't want their life's savings stolen.

madmadmax, June 11, 2014, 12:43:27 AM, #7

Thanks for the reply, so what does hard fork entail? Would it be able to resolve the initial problem though?

The network will take up all of the damage that happened up until the moment of the hard fork; after that moment everything will be back to normal, unless the new algo has a backdoor as well.


That's a very optimistic scenario. You forgot the part where everyone panics and sells because they don't want their life's savings stolen.

We could roll back to a point in the blockchain before the party began to exploit it, so no damage would be done.

Of course, being an intellectual myself, my projections are based on the assumption that the vast majority of Bitcoin users are capable of independent thought and have some minimal intelligence, which is a rather wild assumption; otherwise it is impossible to say what will really happen. You can never overestimate the stupidity of the masses.

Of course everyone could panic-sell and the bullshit would hit the fan and spray all our white walls with shit; it would be an ideal time to buy though.

DannyHamilton, June 11, 2014, 12:44:15 AM, #8

Or what would happen if improved cryptography comes along, how would the protocol deal with this? Would a layer on top of the current protocol be enough to patch it up or will Bitcoin die?

That's quite a tall order.

What would happen if the force of gravity suddenly reversed?  How would we deal with this?  Would modifications to our current way of living be enough to save us, or will we all die?

Yes, I realize that my hyperbole is a bit excessive, but it points out some of the issues in what you are asking.

First you are taking something that is extremely unlikely to happen (a sudden and secret complete break of multiple dissimilar cryptographic functions) and asking "what if it happens?"

Next, you are essentially asking if we can "patch up" something that relies entirely on trust in the cryptography in order to have any value. While "patching it up" may be technically possible, it isn't likely to restore the trust necessary for it to continue to be useful. If you take away one of the very things that is necessary for existence, then modifications aren't likely to be enough to restore useful existence.

Note that when cryptography is "broken" it generally starts out by being weakened.  Then after months or years it is weakened more. And so on until it is no longer trusted at all.  Since bitcoin uses multiple layers of cryptographic functions, there should be time to adopt replacements for any layer that begins to be weakened, while maintaining the security of everyone's funds in the interim.

To steal any of my bitcoins through broken cryptography, you'd first have to completely reverse the RIPEMD-160 hash function to determine what SHA-256 result was used as its input.  Then you'd have to completely reverse the SHA-256 function to determine what public key was used as its input.  Then you'd have to solve the discrete logarithm problem for ECDSA with the Secp256k1 curve to find the private key.  Even if one of those 3 functions were weakened so much that you could calculate its input in a matter of years (or days, or hours), I'd be protected by the remaining 2 functions.  Once it's discovered that one of those functions has such a weakness, the code would be updated to replace it with a secure (as far as cryptography can determine at that time) replacement.

So, "the cryptography of Bitcoin gets cracked" isn't really a likely scenario.  Far more likely is the slow replacement of various cryptographic functions within Bitcoin over the course of multiple decades.

jonald_fyookball, June 11, 2014, 01:07:02 AM, #9

To steal any of my bitcoins through broken cryptography, you'd first have to completely reverse the RIPEMD-160 hash function to determine what SHA-256 result was used as its input.  Then you'd have to completely reverse the SHA-256 function to determine what public key was used as its input.  Then you'd have to solve the discrete logarithm problem for ECDSA with the Secp256k1 curve to find the private key.  

Agree with your post Danny, but as academic discussion, are you sure this (quoted) is a precise way to describe the cryptography?

My understanding was that the ECDSA is the critical piece here, not the SHA-256 hash. For instance, if the k value is known (which would be a faulty implementation of ECDSA), then that is all that's necessary to break the elliptic curve cryptography... (the SHA-256 doesn't matter, and you certainly don't have to reverse it). Also, the first step in the DSA is: e=Hash(m), and I thought m is publicly known.

I could definitely be wrong though... thoughts?


madmadmax, June 11, 2014, 01:11:26 AM, #10

To steal any of my bitcoins through broken cryptography, you'd first have to completely reverse the RIPEMD-160 hash function to determine what SHA-256 result was used as its input.  Then you'd have to completely reverse the SHA-256 function to determine what public key was used as its input.  Then you'd have to solve the discrete logarithm problem for ECDSA with the Secp256k1 curve to find the private key.  

Agree with your post Danny, but as academic discussion, are you sure this (quoted) is a precise way to describe the cryptography?

My understanding was that the ECDSA is the critical piece here, not the SHA-256 hash. For instance, if the k value is known (which would be a faulty implementation of ECDSA), then that is all that's necessary to break the elliptic curve cryptography... (the SHA-256 doesn't matter, and you certainly don't have to reverse it). Also, the first step in the DSA is: e=Hash(m), and I thought m is publicly known.

I could definitely be wrong though... thoughts?


It depends on whether someone has spent from that address once already or not; if he didn't, then SHA-256 and RIPEMD-160 need to be broken as well.

jonald_fyookball, June 11, 2014, 01:22:25 AM, #11

I thought the address was the RIPEMD-160 hash of the Pubkey.

Can you explain why we would need to break SHA-256 if the ECDSA is broken?


DannyHamilton, June 11, 2014, 01:23:09 AM, #12

To steal any of my bitcoins through broken cryptography, you'd first have to completely reverse the RIPEMD-160 hash function to determine what SHA-256 result was used as its input.  Then you'd have to completely reverse the SHA-256 function to determine what public key was used as its input.  Then you'd have to solve the discrete logarithm problem for ECDSA with the Secp256k1 curve to find the private key.  

Agree with your post Danny, but as academic discussion, are you sure this (quoted) is a precise way to describe the cryptography?

My understanding was that the ECDSA is the critical piece here, not the SHA-256 hash. For instance, if the k value is known (which would be a faulty implementation of ECDSA), then that is all that's necessary to break the elliptic curve cryptography... (the SHA-256 doesn't matter, and you certainly don't have to reverse it). Also, the first step in the DSA is: e=Hash(m), and I thought m is publicly known.

I could definitely be wrong though... thoughts?

It depends on whether someone has spent from that address once already or not; if he didn't, then SHA-256 and RIPEMD-160 need to be broken as well.

Which is why I said "To steal any of my bitcoins".  I use a new address for every transaction.  As such, none of my bitcoins are associated with any addresses that have had their public key revealed.

Also, the k value will only be known in a faulty implementation of ECDSA.  The discussion at hand is about a proper implementation of ECDSA where someone has found a shortcut to solve the discrete logarithm problem in years (or days, or hours).  Certainly if someone (intentionally or accidentally) reveals private information, then bitcoins can be stolen.

The m value is only publicly known when the transaction is sent.  At that point, the attacker needs to be able to calculate the private key before a miner (or mining pool) manages to confirm the transaction, and then they need to find a miner (or mining pool) that is willing to accept their replacement transaction in place of mine. This is why I limited the weakness to "hours".  The function would need to be replaced before the weaknesses are advanced to the point where the calculation could be done in minutes.

DannyHamilton, June 11, 2014, 01:24:07 AM, #13

I thought the address was the RIPEMD-160 hash of the Pubkey.

Can you explain why we would need to break SHA-256 if the ECDSA is broken?

The address is the RIPEMD-160 of the SHA-256 of the PubKey.

See here:
https://en.bitcoin.it/wiki/Technical_background_of_version_1_Bitcoin_addresses

jonald_fyookball, June 11, 2014, 01:30:36 AM, #14

Thanks for explaining... I almost understand... so, what is the m value actually?


DannyHamilton, June 11, 2014, 01:40:58 AM, #15

Thanks for explaining... I almost understand... so, what is the m value actually?

I'm not a cryptography expert.  Most of what I've said in this discussion is just parroted from things I've previously heard said by individuals whose knowledge of cryptography I respect.  This topic has come up enough times, and I've read the responses enough times, that I can point out the things that others have pointed out in the past.  As such, there may be some holes in what I've said, but I'm pretty confident that I've got most of it right.

That being said, as far as I know the m value is the transaction that is being signed.  There should be a separate signature for each input in the transaction.  The transaction will include the public key, which means that once the input is signed the address where it was previously "received" is no longer protected by SHA-256 or RIPEMD-160.  Even if the public key wasn't included, it could be calculated from the signature.

waldox, June 11, 2014, 01:49:15 AM, #16

We can fork a new version of the Bitcoin blockchain with the new encryption, but a lot of dedicated hardware will become doorstops.


jonald_fyookball, June 11, 2014, 02:02:18 AM, #17

Thanks for explaining... I almost understand... so, what is the m value actually?

I'm not a cryptography expert.  Most of what I've said in this discussion is just parroted from things I've previously heard said by individuals whose knowledge of cryptography I respect.  This topic has come up enough times, and I've read the responses enough times, that I can point out the things that others have pointed out in the past.  As such, there may be some holes in what I've said, but I'm pretty confident that I've got most of it right.

That being said, as far as I know the m value is the transaction that is being signed.  There should be a separate signature for each input in the transaction.  The transaction will include the public key, which means that once the input is signed the address where it was previously "received" is no longer protected by SHA-256 or RIPEMD-160.  Even if the public key wasn't included, it could be calculated from the signature.

Thanks Danny. :-). Me too, I really enjoy learning from others and passing on what I've learned.

I think you are right.  Even if there was a bad implementation of ECDSA, you wouldn't know the inputs if the address was unused.  

It should probably be noted that if SHA-256 was broken, it could possibly allow someone to cheat at proof of work mining.  But that scenario is quite unlikely.


Harley997, June 11, 2014, 02:54:27 AM, #18

Or what would happen if improved cryptography comes along, how would the protocol deal with this? Would a layer on top of the current protocol be enough to patch it up or will Bitcoin die?

It is very unlikely that it will be "cracked" as there are so many possibilities of what a private key can be.

Even if a "crack" in the cryptography were to be discovered, it could be fixed via a hard fork. Any "crack" would also likely be very expensive to exploit.


DannyHamilton, June 11, 2014, 03:00:45 AM, #19

It should probably be noted that if SHA-256 was broken, it could possibly allow someone to cheat at proof of work mining.  But that scenario is quite unlikely.

It would have to be VERY VERY broken.

MD5 is currently considered broken and unsafe to use for many purposes. However, it would almost certainly still work just fine for proof of work.  If some weaknesses are discovered in SHA-256, the result would be a sudden increase in difficulty as miners all took advantage of the weakness to increase their profitability.  Meanwhile, steps would be taken to replace the proof-of-work before it became a real problem.

Ron~Popeil, June 11, 2014, 06:02:56 AM, #20

It should probably be noted that if SHA-256 was broken, it could possibly allow someone to cheat at proof of work mining.  But that scenario is quite unlikely.

It would have to be VERY VERY broken.

MD5 is currently considered broken and unsafe to use for many purposes. However, it would almost certainly still work just fine for proof of work.  If some weaknesses are discovered in SHA-256, the result would be a sudden increase in difficulty as miners all took advantage of the weakness to increase their profitability.  Meanwhile, steps would be taken to replace the proof-of-work before it became a real problem.

My knowledge is rather limited about this kind of stuff, but in theory the fixes after such an attempt would strengthen Bitcoin by pointing out potential weaknesses for the developers to address.
