Topic: Has the NSA already broken bitcoin? - page 6. (Read 50483 times)

It seems some people like to think the NSA is some sort of know it all god that has deciphered everything that we ever knew, to make their lifes more exciting or something. The truth of the matter is, they can't neither decipher SHA2, TOR, and etc. It is what it is.

All of this is irrelevant to the discussion of whether or not SHA2 is "broken". Just like I could bring up your ideas about 9/11, but it's irrelevant to your belief that SHA2 is "broken." It might let some of the other people on the thread know what a waste of time it is to argue with you.

OK, if I understand correctly, now I see a proposal, that scrypt would be a better alternative than SHA.

You're not listening. Why are you not listening?

And I'm truly concerned by your trust in the NSA.

As for alternatives, again, I'm not in that business but did not litecoin quickly find an alternative that was developed privately and whose security does not involve trusting the NSA?

From Wikipedia
"As of 2009, the two most commonly used cryptographic hash functions are MD5 and SHA-1. However, MD5 has been broken; an attack against it was used to break SSL in 2008.[9]
The SHA-0 and SHA-1 hash functions were developed by the NSA."

Did the NSA pay a $10 million bribe to RSA to secretly weaken some respected cryptographic tool? Are those articles false? Or are sha backers saying the RSA bribe was a one time thing and the NSA would never do something like that again?

I'm not defending the NSA algorithm. I'm truly concerned with your lack of trust of them, but when I ask you what other alternatives you have considered, you start attacking me repeating again and again that I'm defending them.

Satoshi (aka DARPA) designed bitcoin by the end of 2008 to substitute gold because by that time US financial system was teetering on the brink of total collapse with no gold in store. This is not necessarily a bad thing. But it's time for the lizard to sacrifice the tail and break free!

The "Bitcoin Engineering Task Force" (aka Satoshi) already decided that SHA-256d is the best hash algorithm for Bitcoin.


Designing strong crypto is really really hard. Of the 56 algorithms in the SHA-3 competition (submitted by world-class cryptographers), some sort of potential weakness was found in ~33 of them. It's best to settle on a few algorithms that the academic community can scrutinize carefully for many years, as they've been doing with SHA-2. Even rather paranoid cryptographers like Bruce Schneier aren't really concerned about SHA-2. No one has any serious ideas on how you would even start to attack it. The similar but far-less-secure SHA-1 isn't even considered to be absolutely broken yet -- there aren't yet any examples of SHA-1 collisions, for example.

Roll your own can work, but doesn't usually.  

I'm not a "great" cryptographer, I'm only a "good" cryptographer.  That means I could create something secure, but it would be an order of magnitude more expensive to compute than a secure thing designed by a "great" cryptographer.  

There's a pretty big deal about the effectiveness of various tradeoffs.  Most crypto design is all about trying to find the *minimum* amount of processing needed to achieve a particular level of security.  If you're looking for a 128-bit block size, for example, you are looking for the smallest amount of processing you can do to make sure that an opponent trying to break it has no shortcuts that can save them from having a job at least as big as trying 2^128 possibilities until one of them works.  

There's also a pretty big deal about short, simple source code where bugs and backdoors have no place to hide.  If you can't express your encryption (or your hash) in about ~120 lines of code, plus data, people have good reason to suspect that it is longer mostly to give untrustworthy actors a place to hide things in it.  If any part of your data is not constrained for known reasons to have particular values, then the community will want to see "nothing up my sleeve numbers" such as digits of pi or e or phi or a story about how the 5 FAB CAFE BABE5 AD 1 COFFEE & 3 DEAD BEEF EA.

OTOH, if you just care about "secure" and damn the amount of hardware gates or the execution time or whatever, then you'll take your 30 lines of source code or whatever, verify that it's got some provably nonlinear components such as a composition of add-with-carry and XOR, identify a "well studied" PRNG such as SPRITZ to generate a thousand rounds worth of pseudo-random S-boxes, use a Feistel construction or something to make sure it can be inverted with a key, and iterate for a thousand rounds.  

Maybe you could have achieved your security goal with 24 rounds.  Maybe if you'd designed it much more carefully and with deep understanding of all known applicable attacks you could have shown that you could have achieved it with less than 50 and so designed it with only 100 or whatever.  Most likely there's some other construction that could achieve it with ~16 rounds of much more carefully selected and designed computation, where it could be shown to take less than 20 and so someone would have designed it with only 40 rounds.  What you come up with by throwing way more resources at it than needed is likely to be a waste of time and effort and silicon that would never get accepted as a standard.  And, bluntly, if you don't know combinations of operations result in provable nonlinearity (ie, if you're not even a "good" cryptographer, let alone a "great" one) you're likely to wind up with something that's STILL insecure.  

And nobody will ever trust it, because why on earth would somebody be spending that much compute effort on something that could be done faster and more efficiently, if they had nothing to hide?  This was the problem that the community had with NIST/RSA/NSA's Dual-ECC DRBG standard; it was horribly inefficient compared to known, well-studied PRNG's like SPRITZ, so why would anybody ever use it let alone make it standard?  And then they studied it hard and searched the literature and discovered a few old papers that had postulated the possibility of a broken PRNG based on a similar construction, and then verified that the Dual-ECC DRBG was susceptible to exactly the same breakage, and suddenly understood exactly why that horribly inefficient thing was put forward as a standard.  And RSA still has egg on its face from having to recommend to its users to NOT use its own product as the whole thing became public.

Putting together several standard crypto sub-systems to make something new, interesting, useful, etc.

versus

Creating your own crypto sub-system.

Using standard crypto that has been vetted by a worldwide audience of crytpo experts and has millions of hours of use/debug/hardening.

versus

Using crypto that is vetted by a very small subset of all crypto experts and has very few hours of use/debug/hardening.
 

Well, how is that different from saying "Roll your own currency = recipe for total disaster"?

Roll you own = recipe for total disaster, see DVD copy protection and many other examples.

An algo designed by Bitcoin Engineering Task Force specifically for bitcoin. Then and only then bitcoin has a chance to be safe. Bitcoin should not use hashing algo because it is recommended by NIST or NSA or whatever. On the contrary, other organizations should use whatever bitcoin network uses because if it is broken bitcoin will act as honey-pot and will inevitably expose the weakness!

They are only "weak" in your mind because you admittedly do not know the specifics of what you are arguing.

It is analogous to you saying, we shouldn't use F = M.A (newton's law) because newton was an alchemist in his spare time.

I think it more likely that their interest is in exploiting bitcoin than in breaking it.  What they want to do is track all the money.  Bitcoin has never been particularly private or anonymous; I'm sure that with the Internet-monitoring and data-mining capabilities they possess, they can pretty much attribute every bitcoin transaction to a particular user.  This doesn't require breaking bitcoin, or subverting its encryption or hashing, or being able to steal the money; in fact doing any of that would work against their interests since Bitcoin is likely to be the best thing that's ever happened to them in terms of making movements of money more trackable by their own resources (and not requiring pesky subpeonas or legal permissions to track) than it is by someone else's. That makes it in their best interests for Bitcoin to become the standard.



Not in evidence.  MANY people who are not on their payroll, and have serious mathematical chops, have been all over SHA looking for ways to break it.  No break has been found.  Your certainty that there must be one is not evidence of its existence.  


Embrace the power of 'and'.  They're both.  They aggressively hire mathematics and cryptography people, and not just as contractors.  They bring them onto payroll, tend to keep them employed at the same place for their entire career, and keep them up-to-the-minute with training and original work.  So yes to them being cryptographers.  They get as much as they can with cryptography, but they also have to go with what you're calling 'con' too.  With civilian crypto getting better, they are increasingly relying on protocol hacks and hardware hacks to go around the cryptography where they can't break it.  

I do not trust an algorithm developed by the nsa.

Why so many people are so quick to use weak arguments to defend the use of an nsa algorithm in bitcoin, I don't know.

I'm not defending SHA. Why do you get that impression?


This is an ad hominem fallacy.


Then you will have a hard time convincing cryptographers about what you believe is right. You should consider researching what you defend.

****

Is it not enough that I do not want to use an algorithm that was developed for and promoted by an intelligence gathering agency that for decades has used its data mainly for overseas repression?

I am not a cryptographer.

I am a person who does not want to support cryptography that will be used to target innocent people.

Are there really no options other than using an nsa algorithm?

****

Is the mystery really why I do not support using an nsa algorithm?

Or is the mystery why so many of you do?

Also, please describe in detail exactly what you mean by a "broken" secure hash algorithm?  What, specifically, would be able to be done with the broken hash algorithm?

I other words, given that the NSA has some sort of "back door" into the hashing algorithm, what would they be able to do with this back door?  In what way could they harm Bitcoin with it?

That is another example of the fallacies being used to defend sha in bitcoin.

Is it not enough that I do not want to use an algorithm that was developed for and promoted by an intelligence gathering agency that for decades has used its data mainly for overseas repression?

I am not a cryptographer.

I am a person who does not want to support cryptography that will be used to target innocent people.

Are there really no options other than using an nsa algorithm?