Schneier on Security
A blog covering security and security technology.
« Non-Lethal Heat Ray |
| Friday Squid Blogging: Squid-Shaped USB Drive »
March 16, 2012
Bitcoin Security Musings
Jon Callas talks about Bitcoin's security model, and how susceptible it would be to a Goldfinger-style attack (destroy everyone else's bitcoins).
Posted on March 16, 2012 at 1:15 PM
• 35 Comments
To receive these entries once a month by e-mail, sign up for the Crypto-Gram Newsletter.
Except that he doesn't know what 'emergent' means.
...nor does he know what a Bitcoin "is," evidently.
This seems to assume as a given that there's a way to destroy other people's coins with less effort than it would take to steal them outright.
Is that a well-known property of the system, or just a hypothesis to get the speculation going?
Did you know that if a Bitcoin is destroyed, then the value of all the other Bitcoins goes up slightly? That's incredible.
No, that's just supply and demand.
I love this type of stuff.
He's not saying it's possible to destroy a bitcoin through some kind of flaw, he's saying in theory that's a way to increase the value of a bitcoin.
Not sure I agree with what he's saying. I enjoyed it because a lot of the time my brain works in a similar fashion.
Wouldn't the Lulzsec booty already be considered destroyed coins? They're in jail and the government now controls the coins.
If anything that hurt the value.
Still, you're talking about a finite resource, so I guess if demand is high enough it could be plausible.
And what would be the point of owning all the Bitcoins? Isn't the value in transacting with them.
The main problem with this theory is that if BitCoins were relatively easy to destroy, it would tend to reduce the demand for them, which would tend to devalue them. I think the idea would be similar to economies with mass counterfeiting - as would the likely response (use a different currency).
First of all, bitcoins are not simple countable objects. They are simply an arbitrary unit.
The fundamental element in bitcoin is a transaction. A transaction has one or more inputs, and one or more outputs.
An output consists of a program that takes a few parameters and returns a boolean that authorizes or denies a transaction.
The canonical program consists of a public key, and the requirement that the consuming transaction is signed with the corresponding private key.
An input consists of the name of an older output, and a set of parameters that should be passed to this program. The canonical input parameters is a signature of the current transaction that will be accepted by the outputs program.
Destroying your own bitcoins is easy: Create a transaction that legitimately consumes an output you own, and define an output program that obviously can never be satisfied. Destroying other people's bitcoins is hard, since you can't consume their outputs.
"Does revealing the value of a coin destroy it? "
No idea what that is supposed to mean. You can reveal some of your private keys, but that doesn't destroy any bitcoins, it just allows anybody who gets the key to steal them, on a first-come first-serve basis.
The only effect that I see in destroying bitcoins is that it increases the value of all other coins by the value you destroyed. That's about as useful as burning your own money. It hurts you, and helps everybody else a tiny bit.
Bitcoin has a few issues though. One of the biggest I see is that the economic incentive for benign miners gets too small in the long run, reducing their computation power, and thus making it too easy to create a rollback attack.
This is all going to get more interesting when the first Bitcoin specific ASICs start rolling off the production line this summer from our fab partner. With ASICs, the good guys can easily outgun the bad guys and make sure that the Bitcoin system is stable and reliable for many years to come.
I believe the greatest present threat to Bitcoin is the fact that someone with a large enough Botnet can mount a mining attack. But once ASICs are out there, botnets won't have access to enough horsepower, even with millions of zombies participating in an attack.
Dan Kaminsky shares my point of view on this.
"...economic war that leads to a stable end where a single player or an oligarchy holds all the bitcoins."
The only reason that would be a problem would be if there were legal tender laws as we have with the Federal Reserve Notes which prevent competition with other currencies. Without legal tender laws preserving the wealth of the unscrupulous, once they had all or most of the bitcoins, those coins would become essentially worthless due to a lack of demand for them. "Wow, one person with a gazillion bitcoins." If I told you that I had a gazillion bitbucks right now and they were all that existed, would anyone care?
The guy may have just been musing, and might have some valid observations about inflation and deflation, but he doesn't really know much about economics to understand how we are really getting screwed by the current Federal Reserve system and legal tender laws which have provided the impetus for something like bitcoins in the first place. I think you will soon see the Feds clamping down and possibly even arresting people for breaking legal tender laws just as they have with people using Liberty Silver "Dollars."
Bitcoin, like the US dollar only has value when the vast majority of us believe it has value. Its intrinsic value to the community is that it enables exchange; if it has no velocity it has no value. Not eveyone believes Bitcoins have value nor is there an universally accepted value - some are made more cheaply than other (e.g no minimum hourly wage). Because of these facts, the system can readily collapse .... say when the market is cornered.
Owning ALL the bitcoins would be pointless - but if you were able to do a quick targeted attack there is an arbitrage opportunity.
If you had a number of contracts for bitcoins and managed to reduce supply enough for the price to rise AND you held enough to satisfy demand yourself then there could be a win.
This is all wrong. Goldfinger wants to use a cobalt-iodine bomb to contaminate the gold for 58 years, not destroy it. The motivation is that moving the gold from Fort Knox is too difficult.
The bitcoin analogy to Fort Knox is a wallet containing the private key(s) to a vast bulk of transactions, which is kept offline for security. Suppose it is impractical to take the key files, but it may be possible to infect the computer with a virus (stuxnet style, via an insider with usb access). The virus/worm finds the wallet and encrypts it with a key that will take 58 years of compute power to crack. In the meantime, all current and additional transactions sent to that key's public address are untouchable. The bad guys don't have the locked bitcoin, but neither does anyone else, so the market value increases.
Please consider sending some bitcoin (hurray cryptography):
How come with certain people Bitcoin is a relatively trivial concept and it just registers. Then you have others who normally would seem smart that just can't grasp it at all. Why is that?
The description of the link is 100% false. He simply does not talk about bitcoin's security model. Nothing he says is specific to bitcoin, as opposed to any other commodity, and I'm not sure there's any sense it which it has to do with security.
But Bruce's description is not as bad as the link itself.
I would put his idea this way: It's easier to destroy Bitcoins than steal them. (And at some point it might be easier to steal them then to mine or buy them.)
Given a sufficiently large Botnet you're bound to find some unprotected Bitcoins. Yet if you transfer them to yourself you still have to launder them as every transaction is public. Destroying them on the other hand let's to no traces pointing to you behind. And if these were Bitcoins in circulation this might increase the market value of your own Bitcoins. Interestingly it's better to destroy them in a non provable way, because otherwise the Bitcoin network might later on agree to revoke destructive transactions as a mean to counter your attack.
What makes this non trivial, is that in contrast to actual money it seems feasible to destroy large portions of the global supply (given a wide spread zero day exploit for example).
First, to whomever sent me a bitcoin (see above), I am ecstatic and most grateful - it's my first bitcoin!
To stay on topic, part of the article author's intent is that the public has proof that some bitcoins were destroyed (that is, the transaction of some bitcoin value cannot be recovered). As stated, this could be done by providing a non-answerable output script, such as assigning them to a syntactically valid, but otherwise bogus, bitcoin address.
Another goal could be to silently take them out of circulation (without anyone knowing they are no longer spendable). To do this, create a valid address, but utterly destroy the private key. Release your virus/worm to find unprotected bitcoin wallets and sign their coin over to this address. There is no way to distinguish live vs. dead value. Without changing the provisions of bitcoin (that the output script must be honored), the value is never spendable... (unless you break the elliptic curve).
Of course, this all begs the question of why not just keep the private key so you can spend them yourself. Maybe you're trying to topple the entire bitcoin economy, so your rival digital currency can get off the ground. (If the James Bond franchise is reading, this is MY idea!)
A word on wallets:
Since most bitcoin wallets are unprotected on disk, and almost always reside in the same place, any piece of software that you run could read your keys.
Notice how this differs from stealing unencrypted ssh keys. Stealing ssh keys gives the criminal a limited window of opportunity until the user changes their remote login configuration (new keys). Transacting stolen bitcoins is forever (unless the victim detects the activity and transfers to a safe address before the worm). Wallets should minimally be encrypted on disk.
Anyway, feel free to insert another coin for more rambling. In my opinion, Bitcoin is the next best thing since Diffie–Hellman.
- Bitfinger 1PTxHjhrJDHmZqBD3rTEGjTvzmbECNF5Ku
While I don't see how this could work on plain bitcoin, some protocols building on this might offer easier destruction than theft.
For example I'm currently designing an escrow based system, which is vulnerable to amplified destruction. Where for each bitcoin the attacker destroys, the victim loses 3. (exact value subject to tuning).
But since my system is only intended to work on small amounts of money, I hope that this is no problem in practice.
It's worth noting that this link is to just the beginning of a conversation on the cryptography mailing list. It's worth reading through the thread.
My hope is for great crypto minds to focus on the upcoming bitcoin 'transaction fee' issues after the mining reward ends. Debating why an already functioning and working cryptocurrency can't work seems to be self-defeating.
Trusting something new and not easily understood by the masses will always take time. Especially if you have to overcome a lot of scepsis. Keep pushing though :)
"I'll go further and note that if a self-stable oligarchy manages to buy or destroy all the other Bitcoins, they win as a group, too." Except that if you corner the market on all extant bitcoins, you probably destroy their value to anyone else, which probably destroys their value to you as well. This throws the definition of "win" into serious question.
[Handwaving for now the assertion that bitcoins have any value in the first place.]
Promoting Bitcoin is like telling everybody they should get rid of monarchy and instead use democracy, as it works great within your circle of friends. There might be great potential in Bitcoin, but like scaling democracy from ten to ten million people, using Bitcoin for most of humanities transactions requires severe structural changes. There might be attack vectors that weren't interesting before (like the one discussed in the article's link), there are efficiency issues (like the ones Kaminsky discusses) and there might be social issues (how do you carry around your Bitcoins in your (real life) wallet, for example). And as much as I admire Bitcoin working today, I don't see it fit to replace current currencies tomorrow. Yet Bitcoin provides some nice insight in the dynamics of a purely digital (and imaginary) currency and could be a stepping stone for some real alternative.
...and there might be social issues (how do you carry around your Bitcoins in your (real life) wallet, for example)
In case you missed it, Jon Matonis link brings you to a blogpost entitled "Brainwallet: The ultimate in mobile money" where he puts perspective to an idea that answers this problem.
@ Unix Ronin,
[Handwaving for now the assertion that bitcoins have any value in the first place.]
They do have a value or more correctly a sunk cost in the electricity and CPU cycles to "mine a BitCoin". There was an article some time ago that showed that the margin. was so slim that difference between using AMD and Intel hardware made the difference between profit and loss.
Any way have a look at,
They make interesting reading.
My thanks again to those who have chipped in (see above). I was researching digital currency in the early 2000s, and I'm excited to finally have a bit of digital coin!
One of my references (cannot locate it now, and boy will I be embarrassed if it's Bruce) made the point that there will always be a demand for offline and untraceable currency, so long as there are criminals and politicians.
Bitcoin is neither of these things. You must communicate with the Bitcoin p2p network at some point, even if you are handed an offline transaction that you trust to remain valid until you put it into the network. Bitcoin is inherently traceable via the block chain (which is still brilliant). There are mixing services, but they only provide a layer of misdirection (right?).
Regarding whether Bitcoin is "real" currency, it is more of a rare commodity with implied value. This wiki entry explains that Bitcoin is, indeed, a bubble, just like the euro and dollar.
@Perseids The attack vectors such as the ones contemplated by Jon Callas (the 2011 article in this post) and similarly by Ian Grigg have been largely discredited. The advent of ASICs and FPGA incorporated into the mining hardware render botnets' effect on the blockchain moot. See https://bitcointalk.org/index.php?topic=65865.0
Also, regarding the lack-of-efficiency argument put forth by Ben Laurie and others. This misses the essential point that maximum efficiency is not the paramount goal of a decentralised, non-state sanctioned currency. The paramount goal is resiliency.
See comments here http://www.links.org/?p=1183
The idea of bitcoin is great. However i feel the current implementation is a bit rushed, and has some rough edges. This will probably lead to some issues in the future. For example the already stated rollback attacks. Many in the community accept that this is a issue.
In this case however deleting even encrypted wallets does what the attacker wants. Removes bit coins from circulation.
And before you say "backups", even one of the bigger sites for bitcoin lost a *lot* when they more or less just forgot to backup!
It's incredible how little understanding one must have of Bitcoin in order to get quoted by other people on a blog. It's unlike any other area, where people who don't understand anything about a subject are normally ignored.
Jon Callas obviously has little knowledge of both economics and Bitcoin, it eludes me what makes a comment of his about Bitcoin relevant.
If someone is able to buy up all the gold in the world, this too will cease to function as a medium of exchange. The point is that it's not possible. If it were possible, gold would have no value. As soon as a market participant starts buying more gold (or bitcoins) than are being sold, the price goes up. As we approach zero pieces of gold/bitcoin being left to buy, the price of each piece of gold/bitcoin approaches infinity.
@ Rune K. Svendsen,
As soon as a market participant starts buying more gold (or bitcoins) than are being sold, the price goes up. As we approach zero pieces of gold/bitcoin being left to buy, the price of each piece of gold/bitcoin approaches infinity.
Only in open markets where the knowledge that a resource becoming scarce is known by the market participants.
The Russians proved that you can hide the knowledge of "future trades" from a market (grain) and thus buy it up at a low price, many years ago.
So all I have to do is set up secret future contracts with all the holders of BitCoins to buy at a rate slightly above current market. It's currently a small market, so even if I don't succeed in getting all of the BitCoins, I end up distorting the market badly enough to cause very real problems to the market that it may well not recover from.
People who study economics at certain levels sometimes forget that money is made in an imperfect market where knowledge is advantageously known to a few and not to the many and they can profit by it. In some circumstances it's known as "insider trading" in others it's quite legal.
"So all I have to do is set up secret future contracts with all the holders of BitCoins to buy at a rate slightly above current market. It's currently a small market, so even if I don't succeed in getting all of the BitCoins, I end up distorting the market badly enough to cause very real problems to the market that it may well not recover from."
I'm not sure I buy your premise; I think the market would catch up at some point. I think the end result would be that you would spend a lot of money on it, and that you would be able to distort the prices initially. But given that bitcoins can recover from a drop from $30/BTC to $2.5/BTC without people losing interest in them, I really don't see how manipulating the price will deter people now.
The BTCUSD exchange value of bitcoins is really irrelevant. Their use value is exactly the same, whether they cost 1 cent per bitcoin, or $1M per BTC. That's the unique property of any medium of exchange. If bitcoins cost $1M USD, we will start using nBTC (nano bitcoins) to pay each other. If they cost 1 cent per BTC, we will switch to KBTC (kilo bitcoins). The ability of bitcoins to store value is of course affected by their price, since only 21 millions are meant to exist in the end. But when used as a medium of exchange for goods and services, I would argue that their exchange rate is unimportant.
Specialized hardware will render Botnet attacks (on the stability of the block chain) infeasible (even though I guess it is already), but won't make the security of the network as a hole more cost efficient. The reason is that you don't want to protect yourself against an attacker that has access to n hash operations but against an attacker that has access to some amount k of money. I'd say it's pretty reasonable to assume the attacker can buy at least as cost efficient hardware as the majority of the network. Thus to protect itself against the 51% attack the network has to spend at least an amount k of money. Using specialized hardware only ensures it doesn't have to spend even more than that. Even worse this much money has to be spend all the time whether an attack is actually going on or not, because you will only recognize it when it's too late. Now assume attackers like the US government, a large Bitcoin mining network or Google and tell me how cost efficient the operation of Bitcoin really is.
"[Handwaving for now the assertion that bitcoins have any value in the first place.]
They do have a value or more correctly a sunk cost in the electricity and CPU cycles to "mine a BitCoin". "
No, they don't. Sunk costs are just that - costs, losses. You cannot extract sunk electricity and CPU cycles out of bitcoins. They are gone. Quite unlike gold coins which can always be converted to metal ingots.
The whole idea of restricting supply of bit coins by means of proof-of-work is quite idiotic; if the goal is to restrict the supply, just restrict it by design - say, use 32-bit numbers and be done with it.
I'd say people who don't understand the regression theorem are doomed to reinvent fiat currencies.
No, they don't. Sunk costs are just that - costs losses. You cannot extract sunk electricity and CPU cycles out of bitcoins. They are gone. Quite unlike gold coins which can always be converted to meta ingots
I think we are both talking about the same initial processs cost that is of "mining" which applies to bitcoins and gold alike, you put in work resources (energy/money) to the process and you end up with a process output or product.
What you actually end up with is very different in either case, one product is intangable the other tangible so great care has to be used in their comparisson.
Which is where you start all the arm waving stuff by talking of the utility of the process output...
As you point out gold has some small intrinsic physical worth as a tangible object and quite a bit more as a soft easily worked metal, (that also does not tarnish or corrode and is also highly conductive).
BitCoins are however, at the end of the day, just intangible information that has some unusual properties that has no physical presence. Worse like all information once known it is easily reproducable at some incredibly small cost per bit. What I don't know, not having thought about it, is if the BitCoin information has uses in other places where it might have some intrinsic value (you could argue for instance pie is a number with a utility over and above that of just being a number and thus has an increased intrinsic value,likewise asigned telephone numbers).
However in both cases gold and BitCoins are a finite resource one natural the other artificial, which means some humans chose to imbue them with a "scarcity value" over and above their real utility value. That is they are only "scarce" because supply is finite and has "value" because demand is not thus the price in theory rises to limit the demand.
Thus with no intrinsic value and no demand a BitCoins price would be at or close to zero irrespective of it's production cost. Likewise golds would drop to a price equitable with it's intrinsic value and most of it would stay in or on the ground. As there would be no benifit in mining it or picking it up and transporting it.
The problem with "information" is it is intangable and only has physical form when stored or transported due to the medium being used to store it or transport it. That is a book is the tangible paper and ink, the information is captured in the symbols formed by the ink, likewise a letter. Burning either does not destroy the information it just mutates the physical storage medium. Information exists wether we know it or not, generaly getting to know information in a formal way is the process that proceeds storage or transmission. As humans we find the concept of an infinite amount of information but only a finite amount of storage for knowledge a difficult concept. Thus we try to give information physical properties and thus try and assign ownership to knowledge, art, song etc as Intellectual Property. Depending on your viewpoint the concept of owning IP is absurd, you can own a stored copy but not the knowledge.
Assigning value to knowledge over and above the value of the storage medium and reproduction cost is a guarantee of "crime" or "markets" (arguably the same ;) unless the process cost of the crime/market is more than the difference between the value of the storage/reproduction and the assigned value.
This attack seems especially silly. The attacker will have to pay more and more to collect the Bitcoins, making those who sell to him happier and happier to do so. At some point, he'll simply eliminate the utility of Bitcoins, decrease the value of his own holdings to zero, and the rest of us start over with something else, using all the money he wasted to fund our new currency.
Schneier.com is a personal website. Opinions expressed are not necessarily those of Co3 Systems, Inc.