“The universe believes in encryption. It is easier to encrypt information than it is to decrypt it. We saw we could use this strange property to create the laws of a new world. To abstract away our new platonic realm from its base underpinnings of satellites, undersea cables and their controllers. To fortify our space behind a cryptographic veil. To create new lands barred to those who control physical reality, because to follow us into them would require infinite resources. And in this manner to declare independence.”
—Julian Assange, A Cryptographic Call to Arms
Could the intelligence community have a secret exploit for Bitcoin? It’s rather obvious that Bitcoin presents a very strong financial incentive to break its cryptography, since such a vulnerability could allow an attacker to claim large amounts of virtual currency for themselves. Earlier this month, we learned that the National Security Agency (NSA) has led an aggressive effort to “break widely used Internet encryption technologies.” There is speculation that many protocols or crypto implementations have been compromised, deliberately weakened or have had backdoors inserted. In doing so, they have made the Internet less safe for us all. The Office of the Director of National Intelligence claims it “would not be doing its job” if it didn’t try to counter the encryption used by terrorists and cyber-criminals. New knowledge about what the NSA is able to do with regard to subverting standards could have wide-reaching implications in many areas, including national security and finance.
Bitcoin employs an ingenious mix of two concepts: hashing and signatures. Hash functions typically generate a fixed-length output that maps uniquely to the original input, while signatures are often used to verify the authenticity of a digital message or document. The integrity of Bitcoin’s blockchain and consensus over the ordering of transactions depend on a hash function called SHA-256, which was designed by the NSA and published by the National Institute for Standards and Technology (NIST). Cryptography researcher Matthew D. Green of Johns Hopkins University reveals, “If you assume that the NSA did something to SHA-256, which no outside researcher has detected, what you get is the ability, with credible and detectable action, they would be able to forge transactions. The really scary thing is somebody finds a way to find collisions in SHA-256 really fast without brute-forcing it or using lots of hardware and then they take control of the network.” ECDSA signatures are used to authenticate changes of coin ownership. A theoretical weakness in ECDSA could allow faster recovery of private keys and thus the ability to steal coins, but only people who reuse their wallet addresses would be vulnerable, Bitcoin developer Gregory Maxwell says. Maxwell insists that attacks exploiting such weaknesses would be detected almost immediately, and that they could deploy a replacement algorithm for ECDSA in roughly a month. “Problems with SHA-256 would be potentially more problematic as we cannot replace it in a backwards compatible way,” he said.
Weak random number generators (RNGs) are also implicated in Bitcoin security, as was the case with an Android security vulnerability revealed last month that resulted in the theft of coins. Cryptographic algorithms require a high degree of randomness in order to “seed” the generation of keys, and therefore RNGs are directly implicated in encryption strength—if you can predict or influence the output of an RNG then you’re in trouble. One pseudorandom number generator designed by the NSA, Dual_EC_DRBG, has been confirmed to have a backdoor. While the NSA does have a growing stockpile of cryptographic arms that can be used in cyber warfare, Maxwell thinks that “any break is so valuable they would dare not use it except in the most urgent cases.” Furthermore, certain attacks would only destroy Bitcoin itself—with the ensuing chaos effectively ruining its market value.
A key question is whether the computational capability and budget of any adversary would be enough to shut down the Bitcoin network or make it unreliable. With regard to the NSA, Green estimates: “If you calculate the cost of the mining hardware that would be needed to mount an attack on the Bitcoin network, I bet you would get a number that today would be within their reach.” Computer researcher Dan Kaminsky, who has independently investigated the security properties of Bitcoin, says that “it’s too early to tell whether any of our foundational ciphers have suffered undue influence. They certainly have the ability to mount a 51% attack, but then, so does everyone with a modicum of funding for custom chip design.” A 51 percent attack refers to the scenario when a single entity has more power than the rest of the network combined. According to Maxwell the amount of computing power needed would only “cost about 14 million dollars at retail,” making it an available option to governments like the U.S., Russia, or China.
It’s the nature of Bitcoin that all transactions are recorded publicly. It’s called the blockchain, and you can view it at the Block Explorer. Several academic analyses have shown that Bitcoin wallet addresses can be tied to identities, and that users should have little expectation of privacy. A month ago Reuters revealed that a secretive DEA unit was using intelligence intercepts and massive databases to launch criminal investigations. Could the NSA be assisting the DEA to identify and investigate operators and merchants on the Silk Road, the illicit marketplace accessible via the Tor network, at this very moment? Green says he finds it likely that the government is already analyzing the blockchain for cyber-crime, drug trafficking or potential terrorism transactions—it would be surprising if they were not doing so.
“What’s concerning to them is it gives an anonymous way for people to exchange money,” he notes. Kaminsky seems to hint at the same: “As for analyzing blockchain transactions, there are many ways to track people on the Internet and that’s sort of what the NSA does.”
And what about the possibility of backdoors? Keeping software projects free and open source rather than closed and proprietary is widely regarded as a challenge to their insertion, since anyone reviewing the code could discover them. Maxwell says “There are a lot of people who review the code— but not as many as I’d like. It’s unclear how hard it would be to insert a backdoor.” Maxwell also described how he was once approached by academics to insert tracking code into Bitcoin, and how he not-too-politely declined. Gavin Andresen, the lead developer of Bitcoin and Chief Scientist of the Bitcoin Foundation, claims that he’s never been approached to do anything that would deliberately weaken Bitcoin. “Sneaking in a back-door way of stealing people’s bitcoins would be almost impossible.” he said.
Cryptography can be used for good or evil; it can create spaces of privacy and freedom or be used to surveil and penetrate those spaces. Whistleblower Edward Snowden‘s revelations have confirmed that the NSA considers people who use encryption suspicious, as the FBI does—and they target those communications, retaining and storing them for longer periods of time than plaintext, in the hope that someday, with better cryptanalytic capabilities, they might be cracked.
Over the last few days, computer security experts have been pressing for the journalists reviewing the Snowden documents to name the specific algorithms and implementations that have been compromised on the altar of national security. The release of that information might also let us know whether we can still trust the security of Bitcoin. Developers of free software projects implicated in privacy and anonymity such as the Tor Project and Bitcoin say that what’s needed is multiple implementations, more security testing, and more peer-reviewed code to keep tools robust and safe from subversion. The NSA naively assumes backdoors can only be used by them—when such weaknesses are often discoverable by other state and non-state actors.
Nonetheless, the easiest way to steal Bitcoins remains hacking a computer and taking the wallet file, so long as it’s not password-protected—which has been the method implicated in most of the large Bitcoin heists to date. And if there’s any vulnerability in Bitcoin, it’s more likely to be in the software, or the way people use it, than the protocol itself. Meanwhile, there will be plenty of uninformed speculation on Twitter about whether Bitcoin is actually an NSA plot formulated to distribute the cracking of our secure communications.
This post has been republished with permission from Wireless Fantasy at ageispolis.net/blog.
Kevin Gallagher is a writer, systems administrator and activist based in western Massachusetts. He’s also the director of Free Barrett Brown. Follow him @ageis.
Illustration by Jason Reed