<p>There has been so much tumult in the bitcoin and crypto currency space over the past few days! Interest and concern extends far beyond arcane online communities. Motives vary.</p>
<p><img src="http://cryptojunky.com/blog/wp-content/uploads/2013/03/BitcoinMining.png" alt="Bitcoin mining on Win 7" width="380" height="220"/></p>
<h2>Decentralized and anonymous</h2>
<p>There are two conceptual pillars of trust that uphold bitcoin as being superior to fiat currency. The first is <strong>decentralization</strong>.</p>
<p>The fiat currency of reference is primarily the US dollar, for the time being. Why? Because the $US is the world’s reserve currency, for now. If Germany weren’t part of the EU, if Japan weren’t still in its lost decade and England weren’t so afflicted with problems, the DM, Yen or GBP would be attractive alternatives to the $US as a <strong>fungible</strong>, stable store of value. </p>
<p>As ideological (not market!) confidence in the $US has diminished, the appeal of an apolitical, modern alternative increases. I won’t go off on a tangent as to why a currency printed by the U.S. Treasury in support of the Federal Reserve’s monetary policy isn’t as highly esteemed as it was in the past. Obviously the $US dollar is a highly <strong>centralized</strong> currency.</p>
<p>The second conceptual pillar of bitcoin is <strong>anonymity</strong>. US dollars held as cash remain anonymous until one wants to use them in commercial transactions of size. Bitcoin has some anonymity shortcomings, but they are minor, usually.</p>
<h3>Centralization of bitcoin</h3>
<p>All markets are game theoretic. Bitcoin is more transparently so. I really wish we could ask Professor John Nash what he thinks of bitcoin! Nash actually wrote a pleasant, accessible article about bitcoin-like currencies a few years ago.</p>
<p>I mention game theory because bitcoin’s most acute concern now is loss of decentralization. It is due to the documented, persistent existence of a 51% majority mining pool controlled by gHash.io. gHash is owned and operated by a private entity, cex.io. gHash’s market dominant behavior was noted in March 2014, but the situation was transient, unlike now.</p>
<p>Monopolists, <strong><a href="https://bitcointalk.org/index.php?topic=2227.0;all">and cartels</a></strong>, can assert control as a function of mining power. See <strong><a href="http://hackingdistributed.com/2014/06/16/how-a-mining-monopoly-can-attack-bitcoin/">How a mining monopoly can attack bitcoin</a></strong> for a chart of strategies that mining pools can pursue as a function of hash power. It was recommended by Ed Felten in his post, <strong><a href="https://freedom-to-tinker.com/blog/felten/bitcoin-mining-now-dominated-by-one-pool/">Bitcoin mining now dominated by one pool</a></strong>.</p>
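<p>As an added illustration (not from this post or the linked articles) of why the 51% figure is the critical one, here is Nakamoto's catch-up probability from the original bitcoin paper, worked in Python: a miner holding hash share <em>q</em> tries to overtake an honest chain that is <em>z</em> blocks ahead. The second function answers the defender's question, how many confirmations bring the risk under a chosen bound, and returns None once no finite number does. It assumes the paper's Poisson model of block production.</p>

```python
from math import exp


def catch_up_probability(q, z):
    """Probability that a miner with hash share q eventually overtakes an
    honest chain that is z blocks ahead (Nakamoto's Poisson model)."""
    if not 0.0 <= q < 1.0:
        raise ValueError("q must be a hash share in [0, 1)")
    if q >= 0.5:
        return 1.0                     # a majority always catches up eventually
    p = 1.0 - q
    lam = z * q / p                    # expected attacker blocks while honest chain mines z
    poisson = exp(-lam)                # Poisson term for k = 0, updated in place
    total = 0.0                        # (iterative update avoids lam**k overflow)
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        # attacker made k blocks so far and must still close a gap of z - k
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def confirmations_needed(q, max_risk, limit=10000):
    """Smallest z with catch_up_probability(q, z) < max_risk, or None when
    no finite number of confirmations helps (q >= 0.5 or beyond limit)."""
    if q >= 0.5:
        return None
    for z in range(limit + 1):
        if catch_up_probability(q, z) < max_risk:
            return z
    return None


if __name__ == "__main__":
    for share in (0.1, 0.3, 0.45, 0.5, 0.51):
        print(f"q={share:.2f}  P(catch up from 6 behind)={catch_up_probability(share, 6):.7f}"
              f"  confirmations for <0.1% risk: {confirmations_needed(share, 0.001)}")
```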
<h3>Production and transaction costs</h3>
<p>In theory, bitcoin is a perfectly smooth, zero transaction cost medium of exchange. In reality, this is possible but involves a modicum of effort.</p>
<p>Some bitcoin miners and many non-mining users keep their holdings in custody of a clearinghouse such as Mt. Gox or Silk Road. This <strong>does</strong> generate small transaction costs, for holding the users’ e-wallets. In return, users benefit from the greater convenience in making purchases and sales. The clearinghouse may have an additional appeal to miners, as it offers the option of participating in a shared mining pool. </p>
<p><strong><a href="http://blog.p2pfoundation.net/in-the-bitcoin-world-half-the-wealth-belongs-to-the-0-1-percent/2014/05/22">Bitcoin was designed to reward early adopters</a></strong>; as more bitcoins are mined, more computational effort is required.</p>
<p>Mining Bitcoin requires processing power and electricity. In 2010, a PC with an NVIDIA or ATI GPU would have been adequate, but no longer. A new crypto currency-specific manufacturing industry has evolved for bitcoin mining equipment, using FPGAs which are more energy-efficient than graphics processing units. This was further improved by an <strong><a href="http://motherboard.vice.com/blog/a-guide-to-bitcoin-mining-why-someone-bought-a-1500-bitcoin-miner-on-ebay-for-20600">application-specific integrated circuit</a></strong> (ASIC),</p>
<blockquote>
<p>In other words, a chip designed from the ground up for the specific purpose of mining bitcoins. ASIC also represents the theoretical limit on the hardware capabilities of mining equipment.</p>
</blockquote>
<p>The mining rigs cost tens of thousands of dollars, and create a high barrier to entry for many miners. The remedy had been to use mining pools in the cloud e.g. Amazon AWS or clearinghouse hardware.</p>
<p>There are costs for miners, but a monetary levy is not the worst of it. The same can be said for non-miners who have others hold their e-wallets. Trust is equally important as middle-man costs. Mt. Gox “lost” many customers’ Bitcoins, then declared bankruptcy. No depositor funds have been recovered.</p>
<h2><strong>Electricity cost and externalities</strong></h2>
<p>Mining bitcoin is costly due to mining equipment prices <strong>and</strong> the high power requirements, which result in large amounts spent on electricity.</p>
<p><strong><a href="http://arctanh.wordpress.com/2014/06/14/subverting-computing-research-for-fools-gold/">Perverse incentives motivate uneconomic choices</a></strong>. The most egregious and harmful behavior (directly associated with bitcoin mining) that I’ve seen to-date was unauthorized use of a National Science Foundation supported <strong><a href="http://www.bbc.com/news/technology-27779030">supercomputer to mine bitcoin</a></strong>. $150,000 in computing resources, e.g. electricity, were spent in order to mine the equivalent of $8000 in bitcoin.</p>
<p>Another incident occurred at Harvard University in March 2014. The researcher used Harvard’s high-powered network of thousands of CPU cores to mine an unspecified number of dogecoins.</p>
<p>I don’t know the significance of the following two abstracts to bitcoin or SSL. I would like to share this, in the hope of getting an informed assessment as to the relevance. The first, dated 15 March 2014, is <strong><a href="http://permalink.gmane.org/gmane.comp.encryption.general/18228">“Ooh Aah… Just a Little Bit”: A small amount of side channel can go a long way</a>:</strong></p>
<blockquote>
<p>We apply the FLUSH+RELOAD side channel attack based on cache hits/misses to extract a small amount of data from OpenSSL ECDSA signature requests. We then apply a “standard” lattice technique to extract the private key, but unlike previous attacks we are able to make use of the side-channel information from almost all of the observed executions. This means we obtain private key recovery by observing a relatively small number of executions, and by expending a relatively small amount of post-processing via lattice reduction. <strong>We demonstrate our analysis via experiments using the curve secp256k1 used in the Bitcoin protocol.</strong> In particular we show that with as little as 200 signatures we are able to achieve a reasonable level of success in recovering the secret key for a 256-bit curve…</p>
</blockquote>
<p>Using the side-channel attack described above, 200 signatures were sufficient to recover the secret key, as demonstrated on the curve (secp256k1) used by bitcoin. Now the authors claim to have refined their approach, reducing the number of signatures to 25; see <strong><a href="http://iacr-eprint.livejournal.com/1502629.html">Just a Little Bit More</a></strong>, by Joop van de Pol, Nigel P. Smart and Yuval Yarom, via <strong><a href="http://eprint.iacr.org/2014/434">IACR eprint 2014/434</a></strong> [PDF]:</p>
<blockquote>
<p>We extend the FLUSH+RELOAD side-channel attack of Benger et al. to extract a significantly larger number of bits of information per observed signature when using OpenSSL. <strong>This means that by observing only 25 signatures, we can recover secret keys of the secp256k1 curve, used in the Bitcoin protocol, with a probability greater than 50 percent. This is an order of magnitude improvement over the previously best known result.</strong> The new method of attack exploits two points: Unlike previous partial disclosure attacks we utilize all information obtained and not just that in the least significant or most significant bits… Furthermore, whereas previous works require direct information on ephemeral key bits, our attack utilizes the indirect information from the wNAF double and add chain.</p>
</blockquote>
<p>Emphasis mine. Candid disclaimer: I have not read either paper.</p>
<h3>Update</h3>
<p>Nice Mr. Ok Turtles @taoeffect said it was a server-side issue, not to worry.</p>
<p>For a more detailed understanding of bitcoin vulnerability, see <strong><a href="http://permalink.gmane.org/gmane.comp.encryption.general/19755">Dispelling some myths about Bitcoin</a></strong> (serious). For an intuitive understanding of bitcoin cultural approaches to attack vulnerability remediation, see <strong><a href="https://bitsharestalk.org/index.php?topic=4924.0">Novel method for backup of wallet seeds or private keys</a></strong> (not-so-serious).</p>
<p>To conclude on a less dismal note than usual, go play and have fun with the <strong><a href="http://freedomfeens.com/bs/">Bitcoin Bullshit Generator</a></strong>, freshly forked from the Web 2.0 Economy Bullshit Generator. It amused me.</p>