
Bitcoinpaper


Page 1: Bitcoinpaper

Bitcoin - what are they worth?
Laura Mihaela Vasilescu

Project for the Advanced Topics in Computer and Network Security class, [email protected]

Abstract - The highly volatile value of Bitcoin has led to some questions about its ability to function as a currency. Few are willing to use a currency with a highly variable value. Its deflationary bias, which incentivizes hoarding and removes money from circulation, is also cited as a stumbling block to Bitcoin becoming a functioning currency. This article presents the principles behind Bitcoin, how it works and whether bitcoins are worth anything.

Keywords: bitcoin, cryptocurrency, cypherpunk, peer-to-peer, surveillance

I. INTRODUCTION

Whitfield Diffie and Martin Hellman brought cryptography into public awareness when they published, in 1976, the first publicly available work on public-key cryptography [1]. Until then, cryptography was mainly done in secret by military and spy agencies.

Cryptography evolved as a necessary mechanism for ensuring privacy in digital environments. In 1985, David Chaum published a paper about anonymous digital cash [2], which had political significance because it offered an alternative to government-backed currencies. His technique for revoking anonymity when a coin is double-spent can be seen as an example of encoding a social norm or rule into cryptography (public exposure of thieves).

In 1988, Timothy May took Chaum’s ideas and handed out copies of his “Crypto Anarchist Manifesto” at the Crypto conference in Santa Barbara. The academics largely ignored him, but in 1992 he, together with Eric Hughes and John Gilmore, founded a small group that met monthly at Gilmore’s company (Cygnus Solutions) in the San Francisco Bay Area. The group was humorously named cypherpunks. By the end of 1994, their mailing list had 700 subscribers and had become very active, with discussion ranging over mathematics, computer science, cryptography, political and philosophical debates, personal arguments and attacks, etc. On average, 30 messages were sent a day. In 1997, the number of subscribers reached 2000.

The ideas that brought the people together were highlighted in the manifesto [3]: “Privacy is necessary for an open society in the electronic age.”


“We cannot expect governments, corporations, or other large, faceless organizations to grant us privacy.”

“We must defend our own privacy if we expect to have any.”

“Cypherpunks write code. We know that someone has to write software to defend privacy, and ... we’re going to write it.”

One of their purposes is to protect against government mass surveillance, such as PRISM, Tempora, the NSA warrantless surveillance controversy, Room 641A, the FRA, etc.

A second concern is evasion of censorship, particularly Internet censorship, on the grounds of freedom of expression. Crypto-anarchists contribute to open source projects that make it possible to both publish and read information on the Internet or other computer networks anonymously. For example, Tor, I2P, Freenet and many similar networks allow anonymous “hidden” web pages accessible only to users of these programs.

A third reason is to build and participate in counter-economics. This is why Bitcoin appeared: to allow goods and services to be traded anonymously, with little interference from the law.

Bitcoin is the first cryptocurrency and integrates many existing ideas from the cypherpunk community. In November 2008, a paper titled Bitcoin: A Peer-to-Peer Electronic Cash System [4] was posted on the Internet under the name Satoshi Nakamoto. The paper detailed methods of using a peer-to-peer network to generate what was described as “a system for electronic transactions without relying on trust”. Nakamoto released the first open source Bitcoin client in January 2009 and mined the first block of bitcoins ever (the “genesis block”), which has a reward of 50 bitcoins.

Chapter II presents the mystery around Satoshi Nakamoto. Chapter III explains how Bitcoin works and the concept of mining, while Chapter IV discusses the value of bitcoins. Chapter V presents several exploits of the Bitcoin system. Chapter VI presents conclusions.

II. WHO IS SATOSHI NAKAMOTO?

Satoshi Nakamoto is the pseudonymous person or group of people who designed and created the original Bitcoin software (Bitcoin-Qt). His involvement in the original Bitcoin software does not appear to extend past mid-2010.

Nakamoto claimed on his P2P Foundation profile [5] to be an individual male aged 37 and living in Japan, which was met with great skepticism because of his use of English and because his Bitcoin software was neither documented nor labeled in Japanese. His writing uses British spelling and formatting, which suggests a British origin. However, he also sometimes used American spelling, which may indicate that he was intentionally trying to mask his writing style, or that he is more than one person.


Several private investigations were run to find out who hides behind the pseudonym:

1. The New Yorker arrived at Michael Clear, a young graduate student in cryptography at Trinity College in Dublin, who was named the top computer-science undergraduate in 2008. He was hired by Allied Irish Banks to improve its currency-trading software, and he co-authored an academic paper on peer-to-peer technology.

2. Fast Company’s investigation brought up circumstantial evidence indicating a link between an encryption patent application filed by Neal King, Vladimir Oksman and Charles Bry on 15 August 2008 and the bitcoin.org domain name, which was registered 72 hours later. The patent application contained networking and encryption technologies similar to Bitcoin’s. Textual analysis showed that some phrases were used in both the patent application and Bitcoin’s whitepaper.

All of them denied being Nakamoto.

Nakamoto was active in updating the Bitcoin software and posting technical information on forums until his contact with other Bitcoin developers began to fade in mid-2010. Before he left, he set up Gavin Andresen as his successor by giving him access to the SourceForge project and a copy of the alert key. Gavin Andresen is the chief scientist of the Bitcoin Foundation, a group modeled after the Linux Foundation that aims to provide some organization to Bitcoin’s expansion, from establishing new ways to process transactions to maintaining the bitcoin.org website.

III. HOW IT WORKS

Before Bitcoin, electronic payments were based on trust: a trusted third party was needed to allow two parties to make a transaction. Bitcoin relies instead on cryptographic concepts: transactions that are computationally impractical to reverse protect sellers from fraud, and routine warranty mechanisms can easily be implemented to protect buyers.

An electronic coin is a chain of digital signatures. Each owner transfers the coin to the next by digitally signing a hash of the previous transaction together with the public key of the next owner and adding these to the end of the coin. The receiver can verify the signatures to check the chain of ownership.
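The chain of signatures described above, as an added example that is not code from this paper or from the Bitcoin project: a coin is a first owner plus a list of transfers, each transfer is the previous owner's ECDSA signature over the hash of the previous link and the next owner's public key, and the receiver's Verify walks the whole chain. Bitcoin uses the secp256k1 curve and its own serialisation; this example substitutes NIST P-256 and PKIX key encoding because those ship with the Go standard library. The names Transfer, Coin, Spend, Verify and Demo are the example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"fmt"
)

// Transfer is one link of the coin: the previous owner's signature over
// H(hash of the previous link || public key of the next owner).
type Transfer struct {
	PrevHash  [32]byte
	NextOwner *ecdsa.PublicKey
	Sig       []byte // ASN.1 DER ECDSA signature
}

// Coin is the first owner plus the ordered chain of transfers.
type Coin struct {
	Origin    *ecdsa.PublicKey
	Transfers []Transfer
}

func hashAll(parts ...[]byte) [32]byte {
	h := sha256.New()
	for _, p := range parts {
		h.Write(p)
	}
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// keyBytes serialises a public key so it can be hashed (PKIX stands in for
// Bitcoin's encoding; marshalling a well-formed key cannot fail).
func keyBytes(pk *ecdsa.PublicKey) []byte {
	b, _ := x509.MarshalPKIXPublicKey(pk)
	return b
}

// digest is what the spender signs: the previous link plus the recipient's key.
func digest(prev [32]byte, next *ecdsa.PublicKey) []byte {
	d := hashAll(prev[:], keyBytes(next))
	return d[:]
}

// Hash of a whole link (signature included) is what the next link points at.
func (t Transfer) Hash() [32]byte { return hashAll(t.PrevHash[:], keyBytes(t.NextOwner), t.Sig) }

// tip is the hash the next link must reference.
func (c *Coin) tip() [32]byte {
	if n := len(c.Transfers); n > 0 {
		return c.Transfers[n-1].Hash()
	}
	return hashAll(keyBytes(c.Origin)) // the minting of the coin
}

// Spend appends a link signed by from. Nothing here checks that from owns the
// coin: as in the network, that is the receiver's job in Verify.
func (c *Coin) Spend(from *ecdsa.PrivateKey, to *ecdsa.PublicKey) error {
	prev := c.tip()
	sig, err := ecdsa.SignASN1(rand.Reader, from, digest(prev, to))
	if err != nil {
		return err
	}
	c.Transfers = append(c.Transfers, Transfer{prev, to, sig})
	return nil
}

// Verify is the receiver's check: every link must point at the one before it
// and carry a valid signature from whoever owned the coin at that point.
func (c *Coin) Verify() bool {
	owner, prev := c.Origin, hashAll(keyBytes(c.Origin))
	for _, t := range c.Transfers {
		if t.PrevHash != prev || !ecdsa.VerifyASN1(owner, digest(prev, t.NextOwner), t.Sig) {
			return false
		}
		owner, prev = t.NextOwner, t.Hash()
	}
	return true
}

func newKey() *ecdsa.PrivateKey {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // fails only if rand.Reader fails
	return k
}

// Demo: Alice -> Bob -> Carol verifies. Mallory never owned the coin, so a link
// she signs transferring it to herself makes the chain fail Verify.
func Demo() (honestChainValid, forgeryRejected bool) {
	alice, bob, carol, mallory := newKey(), newKey(), newKey(), newKey()
	coin := &Coin{Origin: &alice.PublicKey}
	err1 := coin.Spend(alice, &bob.PublicKey)
	err2 := coin.Spend(bob, &carol.PublicKey)
	honestChainValid = err1 == nil && err2 == nil && coin.Verify()

	forged := &Coin{Origin: coin.Origin, Transfers: append([]Transfer(nil), coin.Transfers...)}
	forgeryRejected = forged.Spend(mallory, &mallory.PublicKey) == nil && !forged.Verify()
	return
}

func main() {
	fmt.Println(Demo())
}
```

Each link's hash covers the signature as well, so a later link commits to the entire history before it; Verify therefore rejects both a missing signature and a link whose PrevHash points anywhere but the genuine previous link.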

The flow is presented in Figure 1, originally published in Nakamoto’s paper.

Even if the receiver can verify the previous ownerships of the coin, they cannot verify that one of the owners did not double-spend it. A common solution is to introduce a trusted central authority that checks every transaction. Only transactions verified by this third party are trusted not to be double-spent. The problem with this solution is that the system relies on a third party. This is how banks work.


The only way to confirm the absence of a transaction is to be aware of all transactions. In the previous model, the third party was aware of all transactions and decided which arrived first. To accomplish this without a trusted party, transactions must be publicly announced and the participants must agree on a single history of the order in which they were received.

Figure 1: Bitcoin transaction mechanism [4]

A timestamp server works by taking a hash of a block of items to be timestamped and widely publishing the hash. The timestamp proves that the data must have existed at the time, obviously, in order to get into the hash. Each timestamp includes the previous timestamp in its hash, forming a chain, with each additional timestamp reinforcing the ones before it.

For widely publishing the hash, a proof-of-work system similar to Adam Back’s Hashcash [6] is required. The proof-of-work involves scanning for a value such that, when hashed, the hash begins with a number of zero bits. The average work required is exponential in the number of zero bits required, yet it can be verified by executing a single hash. The Bitcoin system implements the proof-of-work by introducing a nonce value in the block and varying it until a value is found that satisfies the required number of zero bits. Once the CPU effort has been expended to satisfy it, the block cannot be changed without redoing the work. As later blocks are chained after it, the work to change the block would include redoing all the blocks after it.
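The proof-of-work and chaining just described, as an added example that is not the paper's or the Bitcoin project's code: a toy chain in Go whose blocks must hash to a given number of leading zero bits, a verifier that costs one hash per block, and a demonstration that rewriting an old block forces the attacker to redo that block's work and every later block's. The header layout and the leading-zero-bits measure are the example's own simplifications; Bitcoin compares a double SHA-256 of an 80-byte header against a numeric target, and the payloads below are constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"math/bits"
)

// Block is a simplified header: the hash of the previous block, a stand-in for
// the transaction payload, and the nonce that miners vary.
type Block struct {
	PrevHash [32]byte
	Payload  string
	Nonce    uint64
}

// Hash covers every field, so changing any of them changes the hash.
func (b Block) Hash() [32]byte {
	var nonce [8]byte
	binary.LittleEndian.PutUint64(nonce[:], b.Nonce)
	h := sha256.New()
	h.Write(b.PrevHash[:])
	h.Write([]byte(b.Payload))
	h.Write(nonce[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// leadingZeroBits is the proof-of-work measure: how many zero bits the hash starts with.
func leadingZeroBits(h [32]byte) int {
	n := 0
	for _, b := range h {
		if b != 0 {
			return n + bits.LeadingZeros8(b)
		}
		n += 8
	}
	return n
}

// Mine scans nonces until the block hash has at least difficulty leading zero
// bits. Expected work doubles with every extra bit required.
func Mine(prev [32]byte, payload string, difficulty int) Block {
	b := Block{PrevHash: prev, Payload: payload}
	for leadingZeroBits(b.Hash()) < difficulty {
		b.Nonce++
	}
	return b
}

// VerifyChain costs one hash per block: each block must meet the difficulty and
// point at the hash of the block before it (the first points at all zeros).
func VerifyChain(chain []Block, difficulty int) bool {
	var prev [32]byte
	for _, b := range chain {
		h := b.Hash()
		if b.PrevHash != prev || leadingZeroBits(h) < difficulty {
			return false
		}
		prev = h
	}
	return true
}

// Demo mines a four-block chain, then plays the attacker who rewrites block 1
// after the fact. It reports whether the honest chain verifies, whether the
// edited chain passes without redone work, whether it passes after re-mining
// block 1 and everything after it, and how many blocks that re-mining took.
func Demo(difficulty int) (honestOK, editedOK, reminedOK bool, remined int) {
	var chain []Block
	var prev [32]byte
	for _, payload := range []string{"tx-set-1", "tx-set-2", "tx-set-3", "tx-set-4"} { // constructed payloads
		b := Mine(prev, payload, difficulty)
		chain = append(chain, b)
		prev = b.Hash()
	}
	honestOK = VerifyChain(chain, difficulty)

	forged := append([]Block(nil), chain...)
	forged[1].Payload = "tx-set-2 (rewritten)"
	// Block 1 no longer meets the target, and block 2's PrevHash points at a hash
	// that no longer exists in the chain.
	editedOK = VerifyChain(forged, difficulty)

	prev = forged[0].Hash()
	for i := 1; i < len(forged); i++ {
		forged[i] = Mine(prev, forged[i].Payload, difficulty)
		prev = forged[i].Hash()
		remined++
	}
	reminedOK = VerifyChain(forged, difficulty)
	return
}

func main() {
	fmt.Println(Demo(16))
}
```

At 16 bits a block takes on the order of 65 000 hashes on average; raising the difficulty by one bit doubles that, while VerifyChain stays at one hash per block. The re-mining loop is the cost the text refers to: the deeper the edited block, the more blocks the attacker must redo while the honest network keeps extending its own chain.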

The majority decision is represented by the longest chain, which has the greatest proof-of-work effort invested in it. If a majority of CPU power is controlled by honest nodes, the honest chain will grow the fastest and outpace any competing chains. An attacker would have to redo the proof-of-work of the block and all the blocks after it and then catch up with and surpass the work of the honest nodes. The probability of a slower attacker catching up diminishes exponentially as subsequent blocks are added. The system compensates for increasing CPU speed by counting the average number of blocks per hour: if they’re generated too fast, the difficulty increases.

New transaction broadcasts do not necessarily need to reach all nodes. As long as they reach many nodes, they will get into a block before long. Block broadcasts are also tolerant of dropped messages. If a node does not receive a block, it will request it when it receives the next block and realizes it missed one.

The first transaction in a block is a special transaction that starts a new coin owned by the creator of the block. This is how coins are initially distributed into circulation, since there is no central authority to issue them. The addition of new coins is analogous to gold miners expending resources to add gold to circulation. In Bitcoin’s case, it is CPU time and electricity that are expended. This way, the nodes are encouraged to stay honest. If a greedy attacker is able to assemble more CPU power than all the honest nodes, he would have to choose between using it to defraud people by stealing back his payments, or using it to generate new coins. It is more profitable to play by the rules, rules that favour him with more new coins than everyone else combined, than to undermine the system and the validity of his own wealth.

Once the last transaction of a coin is buried under enough blocks, the spent transactions before it can be discarded to save disk space. Transactions are hashed in a Merkle tree [7] to facilitate this without breaking the block’s hash. A block header with no transactions would be about 80 bytes. Assuming blocks are generated every 10 minutes, that means 4.2 MB per year. With computer systems typically selling with 2 GB of RAM as of 2008, and Moore’s Law predicting growth of 1.2 GB per year, storage should not be a problem even if the block headers must be kept in memory.

It is possible to verify payments without running a full network node. A user only needs to keep a copy of the block headers of the longest proof-of-work chain, which he can get by querying network nodes until he’s convinced he has the longest chain, and obtain the Merkle branch linking the transaction to the block it’s timestamped in. He can’t check the transaction for himself, but he can see that a network node has accepted it, and blocks added after it further confirm the network has accepted it. As such, the verification is reliable as long as honest nodes control the network, but is more vulnerable if the network is overpowered by an attacker. One strategy to protect against this would be to accept alerts from network nodes when they detect an invalid block, prompting the user’s software to download the full block and alerted transactions to confirm the inconsistency. Businesses that receive frequent payments will probably still want to run their own nodes for more independent security and quicker verification.
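The Merkle tree of the previous paragraph and the Merkle branch a header-only client relies on in this one, as one added example (not code from the paper or from the Bitcoin project): Go code that builds the tree over a set of transactions, extracts the sibling hashes for one transaction, and lets a client holding only the root recompute the path and confirm inclusion. It uses a single SHA-256 where Bitcoin applies SHA-256 twice, the duplicated-last-node padding is Bitcoin's convention for odd levels, and the transactions are constructed strings; the names Node, MerkleRoot, MerkleBranch and VerifyBranch are the example's own.

```go
package main

import (
	"crypto/sha256"
	"fmt"
)

// Node is one step of a Merkle branch: the sibling hash and which side it sits on.
type Node struct {
	Hash [32]byte
	Left bool
}

// hashPair hashes two child hashes into their parent. Bitcoin applies SHA-256
// twice here; a single SHA-256 keeps the example short.
func hashPair(left, right [32]byte) [32]byte {
	h := sha256.New()
	h.Write(left[:])
	h.Write(right[:])
	var out [32]byte
	copy(out[:], h.Sum(nil))
	return out
}

// padded duplicates the last hash of an odd-length level, Bitcoin's convention
// for giving every node a sibling. It never modifies the caller's slice.
func padded(level [][32]byte) [][32]byte {
	if len(level)%2 == 1 {
		return append(append([][32]byte(nil), level...), level[len(level)-1])
	}
	return level
}

// levels returns the tree bottom-up: the leaves, each parent level, then the root.
func levels(txs [][]byte) [][][32]byte {
	leaves := make([][32]byte, len(txs))
	for i, tx := range txs {
		leaves[i] = sha256.Sum256(tx)
	}
	tree := [][][32]byte{leaves}
	for cur := leaves; len(cur) > 1; {
		cur = padded(cur)
		next := make([][32]byte, len(cur)/2)
		for i := range next {
			next[i] = hashPair(cur[2*i], cur[2*i+1])
		}
		tree = append(tree, next)
		cur = next
	}
	return tree
}

// MerkleRoot is the single hash that the block header commits to.
func MerkleRoot(txs [][]byte) [32]byte {
	t := levels(txs)
	return t[len(t)-1][0]
}

// MerkleBranch collects the sibling hashes from transaction idx up to the root;
// this is all a header-only client needs alongside the transaction itself.
func MerkleBranch(txs [][]byte, idx int) []Node {
	var branch []Node
	for _, level := range levels(txs) {
		if len(level) == 1 {
			break
		}
		level = padded(level)
		sib := idx ^ 1 // the other node of the pair
		branch = append(branch, Node{Hash: level[sib], Left: sib < idx})
		idx /= 2
	}
	return branch
}

// VerifyBranch recomputes the path from the transaction to the root using only
// the branch, so a light client confirms inclusion without the other transactions.
func VerifyBranch(tx []byte, branch []Node, root [32]byte) bool {
	h := sha256.Sum256(tx)
	for _, n := range branch {
		if n.Left {
			h = hashPair(n.Hash, h)
		} else {
			h = hashPair(h, n.Hash)
		}
	}
	return h == root
}

// Demo uses five constructed transactions (an odd count, to exercise padding) and
// returns whether the genuine branch verifies, its depth, and whether a different
// transaction presented with the same branch is rejected.
func Demo() (genuineOK bool, depth int, forgedOK bool) {
	txs := [][]byte{[]byte("tx-a"), []byte("tx-b"), []byte("tx-c"), []byte("tx-d"), []byte("tx-e")}
	root := MerkleRoot(txs)
	branch := MerkleBranch(txs, 3)
	genuineOK = VerifyBranch(txs[3], branch, root)
	forgedOK = VerifyBranch([]byte("tx-d (forged)"), branch, root)
	return genuineOK, len(branch), forgedOK
}

func main() {
	fmt.Println(Demo())
}
```

The branch grows with the logarithm of the transaction count, which is why the light client described in the text can keep only the 80-byte headers and still check any individual payment: the root in the header plus a handful of sibling hashes is enough, and spent transactions below the branch can be pruned without disturbing it.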

The traditional banking model achieves a level of privacy by limiting access to information to the parties involved and the trusted third party. The necessity to announce all transactions publicly precludes this method, but privacy can still be maintained by breaking the flow of information in another place: by keeping public keys anonymous. The public can see that someone is sending an amount to someone else, but without information linking the transaction to anyone. This is similar to the level of information released by stock exchanges, where the time and size of individual trades, the "tape", is made public, but without telling who the parties were. As an additional firewall, a new key pair should be used for each transaction to keep them from being linked to a common owner. Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner. The risk is that if the owner of a key is revealed, linking could reveal other transactions that belonged to the same owner.

IV. IS IT WORTH ANYTHING?

Historically, money was defined as a certain quantity of a commodity that had exchange value in the marketplace prior to and independent of any usage as a medium of exchange. That is not the case for bitcoins. These digital units do not exist at all in a physical dimension; therefore, they have no non-monetary value. Still, this did not stop them from becoming a preferred unit of exchange for various market participants.

According to Carl Menger, they are worth whatever individuals choose to believe they are worth. It is clear that many individuals value this new medium of exchange highly. Bitcoins have several attributes that make them attractive and valuable to those who choose to use them:

- digital currency seems only natural in a digital age
- they afford privacy, convenience, superior portability and independence from central banks and intrusive governments

Because of this independence, the Chinese government forbade the use of bitcoins. This action raised two valuable questions:

1. Does China actually succeed in suppressing the use of bitcoins?
2. What steps may the American government take to regulate, modify or suppress this challenge to IRS surveillance and the Fed’s monetary hegemony?

Even though the value of bitcoins exploded during the past two months, some people are not yet ready to embrace them. Their market price is too volatile. Bitcoin’s first movers have gotten rich as the popularity of and demand for bitcoins exploded while the supply remained fixed and limited. Many people now value bitcoins not as money, but as speculation.

V. EXPLOITS

This section presents several exploits that happened in the past.

A. Bitcoin exchange services - closed

On 3 September 2012, nearly a quarter million dollars worth of the peer-to-peer currency was stolen by accessing unencrypted backup wallet keys.


BitFloor was a FinCEN-registered Bitcoin currency exchange and trading platform with headquarters in the state of New York, USA. Its servers were compromised and, as a result, the attacker gained access to an unencrypted backup of the wallet keys. The live keys were stored in an encrypted area, but the backups were not. Using these keys, the attacker was able to transfer the coins.

In April 2013, another Bitcoin wallet service suffered an attack and decided to suspend operations and shut down.

This happened to other companies too, like MyBitcoin.

B. Recovering Bitcoin private keys

Nils Schneider, a researcher, published on 25 December 2012 in his blog [8] an article about how he discovered a potential weakness in some Bitcoin implementations: weak signatures in the blockchain allowed him to recover private keys. ECDSA requires a random number for each signature. If this random number is ever used twice with the same private key, the private key can be recovered. What Schneider observed was a transaction generated by a hardware Bitcoin wallet using a pseudo-random number generator that returned the same “random” number every time.
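The nonce-reuse weakness Schneider describes, worked through as an added example (not his code, nor the paper's): textbook ECDSA with a caller-supplied nonce k stands in for a wallet whose generator hands back the same value every time, and RecoverPrivateKey solves for the private key d from two such signatures. The tell-tale a defender scans for is two signatures from one key sharing the same r value. P-256 from the Go standard library replaces Bitcoin's secp256k1 (the algebra is identical on either curve), and the key, nonces and messages are constructed for the demonstration; the function names are the example's own.

```go
package main

import (
	"crypto/elliptic"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// P-256 stands in for Bitcoin's secp256k1, which the Go standard library does not ship.
var (
	curve = elliptic.P256()
	order = curve.Params().N
)

type Signature struct{ R, S *big.Int }

// hashToInt maps a message to the integer e used in ECDSA (SHA-256 has the same
// bit length as the P-256 order, so no truncation is needed).
func hashToInt(msg []byte) *big.Int {
	h := sha256.Sum256(msg)
	return new(big.Int).SetBytes(h[:])
}

// signWithNonce is textbook ECDSA with the per-signature nonce k supplied by the
// caller. A correct signer draws a fresh unpredictable k every time; the flaw
// described above is a generator that returns the same k.
func signWithNonce(d, k *big.Int, msg []byte) Signature {
	rx, _ := curve.ScalarBaseMult(k.Bytes()) // r = x-coordinate of k*G mod n
	r := new(big.Int).Mod(rx, order)
	s := new(big.Int).Mul(r, d) // s = k^-1 (e + r*d) mod n
	s.Add(s, hashToInt(msg))
	s.Mul(s, new(big.Int).ModInverse(k, order))
	s.Mod(s, order)
	return Signature{r, s}
}

// verify is standard ECDSA verification against the public key Q = d*G.
func verify(qx, qy *big.Int, msg []byte, sig Signature) bool {
	w := new(big.Int).ModInverse(sig.S, order)
	u1 := new(big.Int).Mul(hashToInt(msg), w)
	u1.Mod(u1, order)
	u2 := new(big.Int).Mul(sig.R, w)
	u2.Mod(u2, order)
	x1, y1 := curve.ScalarBaseMult(u1.Bytes())
	x2, y2 := curve.ScalarMult(qx, qy, u2.Bytes())
	x, _ := curve.Add(x1, y1, x2, y2)
	return new(big.Int).Mod(x, order).Cmp(sig.R) == 0
}

// RecoverPrivateKey takes two signatures made with the same nonce (visible as an
// equal r) over different messages and solves for d:
//
//	k = (e1 - e2) / (s1 - s2) mod n,   d = (s1*k - e1) / r mod n
func RecoverPrivateKey(msg1, msg2 []byte, sig1, sig2 Signature) (*big.Int, bool) {
	if sig1.R.Cmp(sig2.R) != 0 {
		return nil, false // different nonces: the two equations do not share k
	}
	e1, e2 := hashToInt(msg1), hashToInt(msg2)
	ds := new(big.Int).Sub(sig1.S, sig2.S)
	ds.Mod(ds, order)
	if ds.Sign() == 0 {
		return nil, false // identical messages give no equation to solve
	}
	k := new(big.Int).Sub(e1, e2)
	k.Mul(k, new(big.Int).ModInverse(ds, order))
	k.Mod(k, order)
	d := new(big.Int).Mul(sig1.S, k)
	d.Sub(d, e1)
	d.Mul(d, new(big.Int).ModInverse(sig1.R, order))
	d.Mod(d, order)
	return d, true
}

// Demo derives a constructed key and a "stuck" nonce, signs two payments with
// it, confirms both signatures verify, and recovers the key from the pair. It
// also checks that recovery is refused when the two nonces differ.
func Demo() (recovered bool, refusedWhenDistinct bool) {
	d := new(big.Int).Mod(hashToInt([]byte("constructed demo private key")), order)
	stuckK := new(big.Int).Mod(hashToInt([]byte("constructed stuck nonce")), order)
	qx, qy := curve.ScalarBaseMult(d.Bytes())
	tx1, tx2 := []byte("pay 1.0 BTC to A"), []byte("pay 0.5 BTC to B") // constructed messages
	sig1, sig2 := signWithNonce(d, stuckK, tx1), signWithNonce(d, stuckK, tx2)
	if !verify(qx, qy, tx1, sig1) || !verify(qx, qy, tx2, sig2) {
		return false, false
	}
	got, ok := RecoverPrivateKey(tx1, tx2, sig1, sig2)
	recovered = ok && got.Cmp(d) == 0

	freshK := new(big.Int).Mod(hashToInt([]byte("constructed fresh nonce")), order)
	_, ok = RecoverPrivateKey(tx1, tx2, sig1, signWithNonce(d, freshK, tx2))
	refusedWhenDistinct = !ok
	return
}

func main() {
	fmt.Println(Demo())
}
```

Both signatures are perfectly valid, which is why the flaw is invisible to ordinary verification; only comparing r values across a key's signatures reveals it. Deterministic nonce derivation (RFC 6979) removes the dependency on the generator entirely, which is the mitigation wallets adopted after incidents like this one.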

C. Java pseudo-random number generator - not that random

Not directly related to Bitcoin itself, but in March 2013 three researchers published [9] weaknesses they had found in Java pseudo-random number generators, affecting the randomness of numbers generated by SecureRandom.

This made it possible for attackers to take advantage of the vulnerability in various Bitcoin applications written in Java, including all the applications for Android.

D. Other exploits

An exhaustive list of previous attacks can be found here: https://en.bitcoin.it/wiki/History

VI. CONCLUSION

The highly volatile value of Bitcoin has led to some questions about its ability to function as a currency. Few are willing to use a currency with a highly variable value. Its deflationary bias, which incentivizes hoarding and removes money from circulation, is also cited as a stumbling block to Bitcoin becoming a functioning currency. But the concepts behind this currency are quite interesting. Only time will tell whether the currency will be a revolutionary one, or will fade into history as a vehicle for digital speculation.

REFERENCES
[1] Diffie, Whitfield, and Martin Hellman. "New directions in cryptography." IEEE Transactions on Information Theory 22.6 (1976): 644-654.
[2] Chaum, David. "Security without identification: Transaction systems to make big brother obsolete." Communications of the ACM 28.10 (1985): 1030-1044.
[3] Hughes, Eric. "A Cypherpunk's Manifesto." The Electronic Privacy Papers. John Wiley & Sons, Inc., 1997.
[4] Nakamoto, Satoshi. "Bitcoin: A peer-to-peer electronic cash system." (2008).
[5] http://p2pfoundation.ning.com/profile/SatoshiNakamoto (accessed on 3 December 2013)
[6] Back, Adam. "Hashcash - a denial of service counter-measure." (2002).
[7] Jakobsson, Markus, et al. "Fractal Merkle tree representation and traversal." Topics in Cryptology - CT-RSA 2003. Springer Berlin Heidelberg, 2003. 314-326.
[8] http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html (accessed on 9 December 2013)
[9] Michaelis, Kai, Christopher Meyer, and Jörg Schwenk. "Randomly failed! The state of randomness in current Java implementations." Topics in Cryptology - CT-RSA 2013. Springer Berlin Heidelberg, 2013. 129-144.