What do the latest NSA leaks mean for Bitcoin? (Sept. 2013)

This piece was first published on September 15th, 2013 at VICE Motherboard and also appeared the next day at the Daily Dot.

Could the intelligence community have a secret exploit for Bitcoin? It’s rather obvious that Bitcoin presents a very strong financial incentive to break its cryptography, since such a vulnerability could allow an attacker to claim large amounts of virtual currency for themselves. Earlier this month, we learned that the National Security Agency (NSA) has led an aggressive effort to “break widely used Internet encryption technologies.” There is speculation that many protocols or crypto implementations have been compromised, deliberately weakened or have had backdoors inserted. In doing so, they have made the Internet less safe for us all. The Office of the Director of National Intelligence claims it “would not be doing its job” if it didn’t try to counter the encryption used by terrorists and cyber-criminals. New knowledge about what the NSA is able to do with regard to subverting standards could have wide-reaching implications in many areas, including national security and finance.

Bitcoin is an open source cryptocurrency; a peer-to-peer (decentralized) electronic cash system. It’s also the most powerful distributed computing project in the world. As an alternative to fiat money, it has garnered the attention of technology geeks, financial analysts, regulators, and governments. It has a total market capitalization of $1.5 billion. Earlier this year, the U.S. Treasury Department’s Financial Crimes Enforcement Network (FinCEN) issued its guidelines on virtual currencie — which many within the Bitcoin community regarded as an overreach and an attempt to bring it under regulation. In April of last year an FBI assessment anticipated it would be used by cybercriminals and malicious actors. Bitcoin has recently landed on the radar of the New York Department of Financial Services, the California Department of Financial Institutions, and Thailand’s central bank. The U.S. Senate Committee on Homeland Security and Governmental Affairs recently sent a letter to the Department of Homeland Security asking for information on how it plans to deal with Bitcoin.

Bitcoin employs an ingenious mix of two concepts: hashing and signatures. Hash functions typically generate a fixed-length output that maps uniquely to the original input, while signatures are often used to verify the authenticity of a digital message or document. The integrity of Bitcoin’s blockchain and consensus over the ordering of transactions depend on a hash function called SHA-256, which was designed by the NSA and published by the National Institute for Standards and Technology (NIST). Cryptography researcher Matthew D. Green of Johns Hopkins University reveals, “If you assume that the NSA did something to SHA-256, which no outside researcher has detected, what you get is the ability, with credible and detectable action, they would be able to forge transactions. The really scary thing is somebody finds a way to find collisions in SHA-256 really fast without brute-forcing it or using lots of hardware and then they take control of the network.” ECDSA signatures are used to authenticate changes of coin ownership. A theoretical weakness in ECDSA could allow faster recovery of private keys and thus the ability to steal coins, but only people who reuse their wallet addresses would be vulnerable, Bitcoin developer Gregory Maxwell says. Maxwell insists that attacks exploiting such weaknesses would be detected almost immediately, and that they could deploy a replacement algorithm for ECDSA in roughly a month. “Problems with SHA-256 would be potentially more problematic as we cannot replace it in a backwards compatible way,” he said.

Weak random number generators (RNGs) are also implicated in Bitcoin security, as was the case with an Android security vulnerability revealed last month that resulted in the theft of coins. Cryptographic algorithms require a high degree of randomness in order to “seed” the generation of keys, and therefore RNGs are directly implicated in encryption strength — if you can predict or influence the output of an RNG then you’re in trouble. One pseudorandom number generator designed by the NSA, Dual_EC_DRBG, has been confirmed to have a backdoor. While the NSA does have a growing stockpile of cryptographic arms that can be used in cyber warfare, Maxwell thinks that “any break is so valuable they would dare not use it except in the most urgent cases.” Furthermore, certain attacks would only destroy Bitcoin itself — with the ensuing chaos effectively ruining its market value.

A key question is whether the computational capability and budget of any adversary would be enough to shut down the Bitcoin network or make it unreliable. With regard to the NSA, Green estimates: “If you calculate the cost of the mining hardware that would be needed to mount an attack on the Bitcoin network, I bet you would get a number that today would be within their reach.” Computer researcher Dan Kaminsky, who has independently investigated the security properties of Bitcoin, says that “it’s too early to tell whether any of our foundational ciphers have suffered undue influence. They certainly have the ability to mount a 51% attack, but then, so does everyone with a modicum of funding for custom chip design.” A 51 percent attack refers to the scenario when a single entity has more power than the rest of the network combined. According to Maxwell the amount of computing power needed would only “cost about 14 million dollars at retail,” making it an available option to governments like the U.S., Russia, or China.

It’s the nature of Bitcoin that all transactions are recorded publicly. It’s called the blockchain, and you can view it at the Block Explorer. Several academic analyses have shown that Bitcoin wallet addresses can be tied to identities, and that users should have little expectation of privacy. A month ago Reuters revealed that a secretive DEA unit was using intelligence intercepts and massive databases to launch criminal investigations. Could the NSA be assisting the DEA to identify and investigate operators and merchants on the Silk Road, the illicit marketplace accessible via the Tor network, at this very moment? Green says he finds it likely that the government is already analyzing the blockchain for cyber-crime, drug trafficking or potential terrorism transactions — it would be surprising if they were not doing so.

“What’s concerning to them is it gives an anonymous way for people to exchange money,” he notes. Kaminsky seems to hint at the same: “As for analyzing blockchain transactions, there are many ways to track people on the Internet and that’s sort of what the NSA does.”

And what about the possibility of backdoors? Keeping software projects free and open source rather than closed and proprietary is widely regarded as a challenge to their insertion, since anyone reviewing the code could discover them. Maxwell says “There are a lot of people who review the code — but not as many as I’d like. It’s unclear how hard it would be to insert a backdoor.” Maxwell also described how he was once approached by academics to insert tracking code into Bitcoin, and how he not-too-politely declined. Gavin Andresen, the lead developer of Bitcoin and Chief Scientist of the Bitcoin Foundation, claims that he’s never been approached to do anything that would deliberately weaken Bitcoin. “Sneaking in a back-door way of stealing people’s bitcoins would be almost impossible.” he said.

Cryptography can be used for good or evil; it can create spaces of privacy and freedom or be used to surveil and penetrate those spaces. Whistleblower Edward Snowden‘s revelations have confirmed that the NSA considers people who use encryption suspicious, as the FBI does — and they target those communications, retaining and storing them for longer periods of time than plaintext, in the hope that someday, with better cryptanalytic capabilities, they might be cracked.

Bitcoin has a thriving attendant economy with many legitimate businesses and startups, and it’s attractive to libertarian and anarcho-capitalist geeks who are passionate about countering the global financial system and banks. But there is more than enough indication that governments see Bitcoin as a threat, and its users are probably no exception to the intel agencies’ criteria for reasonable suspicion. When asked about those who think the pseudo-anonymity of Bitcoin makes it an antidote to the surveillance state, Andresen responded that “decentralized technologies like Bitcoin or the Internet are powerful forces for good,” but they are not “panaceas that will suddenly turn oppressive surveillance states into transparent bastions of liberty.”

Over the last few days, computer security experts have been pressing for the journalists reviewing the Snowden documents to name the specific algorithms and implementations that have been compromised on the altar of national security. The release of that information might also let us know whether we can still trust the security of Bitcoin. Developers of free software projects implicated in privacy and anonymity such as the Tor Project and Bitcoin say that what’s needed is multiple implementations, more security testing, and more peer-reviewed code to keep tools robust and safe from subversion. The NSA naively assumes backdoors can only be used by them — when such weaknesses are often discoverable by other state and non-state actors.

Nonetheless, the easiest way to steal Bitcoins remains hacking a computer and taking the wallet file, so long as it’s not password-protected — which has been the method implicated in most of the large Bitcoin heists to date. And if there’s any vulnerability in Bitcoin, it’s more likely to be in the software, or the way people use it, than the protocol itself. Meanwhile, there will be plenty of uninformed speculation on Twitter about whether Bitcoin is actually an NSA plot formulated to distribute the cracking of our secure communications.