Bitcoin: Chronic Under-Development

It is clear that bitcoin is in a serious crisis:

  • It is NOT trying at all to solve the most obvious problems, such as setting a roadmap to tackle the increasing blockchain size and allowing a bigger transaction size.
  • The same problem applies to the appalling transaction speed, which could easily be fixed in a variety of ways; some solutions are discussed here.
  • The bitcoin peer network is in decline: the number of network nodes has reached dangerously low levels because there is no monetary incentive whatsoever to run bitcoin nodes. Interesting solutions which do create such monetary incentives for people to run bitcoin nodes are so far ignored under dubious pretexts.
  • In addition, the peer network functions very poorly (in our experience): it cannot handle small-fee transactions, and some researchers have actually claimed that with current fees rational miners should reject bitcoin transactions because they increase the probability that their block will be discarded.
  • Bitcoin has an appalling track record of NOT trying to improve on the questions of bitcoin security and cryptography.
  • Overall bitcoin is chronically under-developed: only 3 people are currently paid for bitcoin development, there’s almost nothing happening, and only one of these three is working on any improvements at all, as explained recently by Mike Hearn.

Bitmine.CH

A Swiss Champion of Empty Promises

The Swiss company Bitmine.CH has an appalling track record.

They sell miners for cash, they sell hosting plans, they produce their own ASIC and they are mining themselves in Iceland.

However all this was funded with customer money obtained on repeated empty promises.
They have let down a lot of customers; nobody knows how many.

Example:

  • 1 year ago I ordered a miner for 8988 USD. Ordered on 16 September 2013 with Bitmine.CH.
    • They promised to deliver in November/December 2013.
    • Then they repeatedly made promises about prompt delivery, like: we will deliver next week. They didn’t.
  • I requested a refund on 3 May 2014 and nearly 5 months later I have not been refunded.
  • They made a lot of empty promises about refunds.
    • Some people requested refunds in March, some later.
    • Not sure if anybody was ever refunded.

Many people are now looking for a lawyer to sue them. Some remarks:

  • Are these guys any better than ButterFly Labs?
  • Apparently there is no class action in Switzerland.
  • Also legal costs cannot be easily recovered by the winning party in a lawsuit.
  • This will certainly mean a bankruptcy for Bitmine.CH.

ButterFly Labs Shut Down

The Federal Trade Commission (FTC) on 18 September 2014 ordered the suspension of the activities of ButterFly Labs. Some details:

  • They have taken between 20 and 50 million dollars in pre-orders.
  • They took orders starting June 2012; by September 2013 more than 20,000 customers had still not received their orders.
  • Reportedly they did not deliver for 12 months or so, and by the time miners were shipped, the amount of bitcoins produced was incredibly low, like less than 1 % of what was expected (see Section 2.4 in this paper).
  • The FTC attorney has said that ButterFly Labs engaged in “systematic deception”. The FTC is also now very clearly saying that ButterFly Labs has mined with customer machines while at the same time making public announcements to the contrary, and that they mocked their angry customers.
  • We recall that they have also cheated their customers on the power consumption.
    In October 2012 they announced:

    • “We are so confident in our power consumption that we are offering up 1000 BTC to charity if we miss our power consumption targets by more than 10%. We are offering our devices at 1 watt consumed per gigahash. If our power targets end up consuming more than 1.1w of power per gigahash, we will donate 1000 BTC to charity! How is that for confidence in our power usage?”
    • Later they delivered machines consuming 3.2 W, and actually for most people they delivered nothing at all for a very long time.
  • It was known since September 2012 that the CEO of Butterfly Labs was a convicted felon in a 25M dollar mail fraud scam.

Well done the Feds, better late than never. Overall this shows that the free market did not function very well: in spite of all the warning signs and in spite of tens of thousands of angry customers, this company stayed in business for years.
Let’s hope they go to prison or at least that victims get some compensation.

What About Other Companies?

Many other companies deserve proper investigation for fraud. For example:

These companies above are real businesses; they have just let down their customers very badly. There is yet much worse. Other companies never existed and were pure criminal scams, for example:

  • HashBlaster.com never existed; the website, based in Panama, was shut down 3 days after I wrote about them. They ran off with the money paid by the customers.
  • XtremeMiners.net never existed.
  • There were a few others. Some responsibility lies with this web page, which has listed several scams over the years as if they were genuine companies. I think also that many journalists who wrote about miners have failed to do their job correctly: they avoided talking about scams and avoided warning the victims.

What is the Security Assumption in Satoshi Paper on Bitcoin?

It appears that Satoshi had convinced himself that bitcoin was secure, or secure enough. In his paper he repeatedly claims that bitcoin is secure IF a certain assumption holds. What is the exact assumption of Satoshi?

Knowing the assumption is crucial because if we have stated our assumption and bitcoin is later shown to be broken or insecure, we can blame EITHER the real world, which does not satisfy our assumption, OR the designers and engineers of bitcoin, who have not been able to design a secure system based on this assumption. In other words we would have a clear-cut situation and we should be able to determine without ambiguity who is to blame for bitcoin being insufficiently secure.

In this respect Satoshi sets a bad example by not being clear about what his assumption is, while explicitly claiming several times that his system is in some sense secure:

  1. For example in the abstract of his paper Satoshi says that he assumes that the “majority […] are not cooperating to attack the network”. Here Satoshi claims the system is secure under this assumption, a security claim which is NOT TRUE in pooled mining, as people can easily be part of a large scale attack without cooperating (we recall that Satoshi’s paper is all about CPUs, so not only did he not predict pooled mining, but he did not anticipate that people would build ASIC hardware miners only for the purpose of mining).
  2. In Section 6 of his paper initially there is no security result claimed, just an “incentive” which possibly “may help encourage nodes to stay honest.” This however could be interpreted as a very weak security assumption: we may for example observe that ‘nodes have some incentives to stay honest’ (a fact) and then the assumption would be ‘if nodes have a non-zero incentive to stay honest they will be honest’ (a clear assumption). In the text which follows a security result is claimed: the attacker is claimed to face a certain choice, which is clearly an incorrect security claim. Even under some assumption, the security result claimed here by Satoshi is incorrect.
  3. Section 6 can also be interpreted differently, as another security assumption: that the attacker is assumed NOT to be “able to assemble more CPU power than all the honest nodes”. This assumption is clearly badly confused and flawed, as the attacker could control the hash power of the very same honest nodes (both have some control, not exclusive). Now let us assume this, and possibly we could make an even stronger assumption that he cannot assemble hash power at all, in any meaningful sense. Does bitcoin become secure under this assumption? Again not in the sense claimed by Satoshi in the text which follows: the same fake dilemma is claimed.
  4. In the conclusion of his paper Satoshi again claims that the system is secure if “honest nodes control a majority of CPU power”. This is a very different and STRONGER assumption than assumption 1. above: nodes could be dishonest and deviate from the protocol for fun or for profit in a variety of creative ways without “cooperating” with any attacker.
    • Does this stronger assumption make bitcoin secure? Of course not; the security result claimed by Satoshi is wrong again if you take it literally: even if honest nodes control a majority of hash power, because the control is not exclusive, bitcoin can still be attacked.
  5. Maybe we need to require an even stronger assumption, such as the following:
    • Assumption 253: Honest nodes have exclusive control over a majority of hash power and honestly include all the bitcoin transactions with valid digital signatures which they receive from the network, and mine on the longest chain or mine on the branch which they have received first.
    • We should remark that the Cornell researchers have proposed to modify this last rule and choose a branch at random in case of a fork.

Future research will show if bitcoin is secure under this (yet much stronger) assumption (or a version of it). Clearly the first version is not ideal and does not make bitcoin totally secure against some attacks, however little practical these attacks may be. It is also possible to see that the work of the Cornell researchers on honest mining is yet very innocent: they assume that the attacker is honest in the sense that he is NOT trying in some way to cancel any transactions; the only thing which he is trying to achieve is to earn a bit more from ordinary (honest) mining.

A Fake Dilemma Claimed By Satoshi

In Section 6 of the celebrated original Satoshi paper on bitcoin we read that:

“If a greedy attacker is able to
assemble more CPU power than all the honest nodes,
he would have to choose between using it to defraud people
by stealing back his payments, or using it to generate new coins”.

And later we read that he “ought to find it more profitable to play by the rules” which do “favour him”.

Fake Dilemma

This dilemma is entirely fake. Very clearly Satoshi says that the attacker must choose between these two options. In reality the second (honest) option is bogus, immaterial, a product of wishful thinking. Let us explain why.

The key remark is that in the mining process the miner just needs to know the PUBLIC KEY in order to mine, or to commit a 51% attack and/or steal “back his payments”. In contrast one needs to be able to steal or modify the PRIVATE KEY in order to “generate new coins” for the attacker.

There are plenty of ways for miners to operate, and in most cases the attacker will be able to make the miner work for him without being able to access his private key. In almost all bitcoin mining scenarios known to us, the attacker does NOT control the money from mining: he does NOT have the private keys used for mining. The attacker can hardly expect to control the private keys, which can easily be stored in another place. This holds regardless of whether the private key is held by individual miners (e.g. when mining with Eligius), in which case it will typically be held on a different device, or by the pool manager (with most other pools), in which case we should hope that pools do not put private keys on a pool manager web server connected to the Internet.

We see that the honest option claimed by Satoshi does not exist in most typical scenarios; what remains is the dishonest option. Who said that 51% attacks are not a threat?

Note: there are also exceptions, some very powerful network attacks where the attacker totally impersonates the pool (see for example here) and therefore CAN control the income from mining. These attacks however could be prevented by standard network security techniques such as TLS and by a careful choice of which pool website we trust.
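To make the key remark above concrete, here is an added example (not code from this blog, nor from Bitcoin Core) of a toy chain in which Mine needs only the payee’s address while SpendCoinbase needs the private key. Assumptions: the P-256 curve stands in for secp256k1, which Go’s standard library lacks; the “address” is simply SHA-256 of the public key; and the names Mine, SpendCoinbase, VerifySpend and NewKey are mine, not Bitcoin’s.

```go
package main

// Added example: mining a block needs only the payee's ADDRESS, while moving
// the mined coins needs the matching PRIVATE KEY. Assumptions: P-256 stands
// in for secp256k1 and the address is plain SHA-256 of the public key.

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
)

// NewKey generates a fresh key pair (panics on RNG failure; fine for a demo).
func NewKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// Address derives the payout address from the public key alone.
func Address(pub *ecdsa.PublicKey) [32]byte {
	buf := make([]byte, 64)
	pub.X.FillBytes(buf[:32])
	pub.Y.FillBytes(buf[32:])
	return sha256.Sum256(buf)
}

// Block is a toy header: its coinbase output is just the payout address.
type Block struct {
	PrevHash [32]byte
	Payout   [32]byte // the coinbase pays here; no key material is involved
	Nonce    uint64
}

// Hash is the proof-of-work hash of the header.
func (b Block) Hash() [32]byte {
	buf := make([]byte, 72)
	copy(buf[:32], b.PrevHash[:])
	copy(buf[32:64], b.Payout[:])
	binary.LittleEndian.PutUint64(buf[64:], b.Nonce)
	return sha256.Sum256(buf)
}

// LeadingZeroBits counts zero bits at the front of a hash (toy difficulty measure).
func LeadingZeroBits(h [32]byte) int {
	n := 0
	for _, c := range h {
		if c != 0 {
			return n + bits.LeadingZeros8(c)
		}
		n += 8
	}
	return n
}

// Mine grinds nonces until the header hash has difficultyBits leading zeros.
// Whoever runs this (a miner, a pool, or someone who has redirected that
// hash power) learns nothing but the address.
func Mine(prev, payout [32]byte, difficultyBits int) Block {
	b := Block{PrevHash: prev, Payout: payout}
	for LeadingZeroBits(b.Hash()) < difficultyBits {
		b.Nonce++
	}
	return b
}

// spendDigest is what a coinbase spend signs: the mined block and the destination.
func spendDigest(minedBlock, dest [32]byte) [32]byte {
	buf := make([]byte, 64)
	copy(buf[:32], minedBlock[:])
	copy(buf[32:], dest[:])
	return sha256.Sum256(buf)
}

// SpendCoinbase signs the transaction that actually moves the mined coins.
// This step, and only this step, needs the private key.
func SpendCoinbase(priv *ecdsa.PrivateKey, minedBlock Block, dest [32]byte) ([]byte, error) {
	d := spendDigest(minedBlock.Hash(), dest)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// VerifySpend is the check every validating node performs: the signer's key
// must hash to the address the coinbase paid, and the signature must verify.
func VerifySpend(pub *ecdsa.PublicKey, minedBlock Block, dest [32]byte, sig []byte) bool {
	if Address(pub) != minedBlock.Payout {
		return false
	}
	d := spendDigest(minedBlock.Hash(), dest)
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	payee, stranger := NewKey(), NewKey()
	var genesis [32]byte
	blk := Mine(genesis, Address(&payee.PublicKey), 16) // mined knowing only the address
	h := blk.Hash()
	fmt.Printf("mined block %s (nonce %d)\n", hex.EncodeToString(h[:]), blk.Nonce)
	dest := Address(&stranger.PublicKey)
	good, _ := SpendCoinbase(payee, blk, dest)
	bad, _ := SpendCoinbase(stranger, blk, dest)
	fmt.Println("key holder can spend the reward:  ", VerifySpend(&payee.PublicKey, blk, dest, good))
	fmt.Println("miner without the key cannot:    ", VerifySpend(&stranger.PublicKey, blk, dest, bad))
}
```

The second VerifySpend prints false: the party doing the hashing work gets nothing from the coinbase without the key, which is exactly why the key belongs on a separate device and not on the pool’s web server.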

Mistakes Never Die

The mysterious visionary founder of bitcoin can potentially be forgiven for this technical blunder. After all he clearly makes another major confusion here: he says “nodes” and he should say “miners”. He clearly did not anticipate things such as pooled mining: Satoshi wrote that in bitcoin every peer node will be mining, cf. Section 5 of his paper. Satoshi would probably be very astonished to see that the number of miners is now much higher than the number of peer nodes, which is reaching dangerously low levels.

However Satoshi is not the only person who gets it badly wrong.

  • For example two Cornell researchers, Eyal and Sirer, in this blog post also clearly confuse miners which may “hold 49% of the [mining] revenue” with the control of hash power for the purpose of mining blocks (which is easier to obtain).

Which Crypto Currency Will Win?

Monetary technology solutions have existed for thousands of years. They are subject to a Darwinian evolutionary process which is NOT exactly what it seems.

For centuries in this historical process there was always some sort of unique natural winner or a dominant currency. We had gold, USD and Euro, and maybe sooner or later the Chinese RMB will become the world’s favorite reserve currency.

Now that we have crypto currencies everything has changed!

New currencies are likely to attract substantial business activity once many of the current (very serious) problems are fixed. Entry barriers have become incredibly low. The ability of states to control money has been seriously eroded and it is simply impossible to ban anything in cyberspace. The idea that there would be just one dominating currency is no longer taken for granted. Technologists point out that modern technology makes it possible for a single person to use many different currencies. Overall the competitive Darwinian process does not change, but incentives for the endless creation of new private currencies (important seigniorage benefits) are likely to remain strong. Convertibility and interoperability can be easily achieved with purely virtual money systems. This is likely to maintain a certain diversity in major currencies and in the payment technology business. Competition will now take place in distinct niches. If some powerful programmable or super anonymous currencies are likely to be banned in many jurisdictions, they will be used elsewhere. This will just increase the diversity.

Darwin Revisited: Do Better Crypto Currencies Prevail?

Our job is security engineering. We criticise some bad insecure or otherwise imperfect solutions and promote solutions which make them better, more robust, more secure, faster etc.

We naively believe that we can improve crypto currencies.

Can we?
There is plenty of evidence that we can’t.

Crypto currencies are subject to a Darwinian evolutionary process. Crypto engineers like us sometimes naively hope that “better” currencies will drive “not so good” currencies out of business. In fact the Gresham-Copernicus Law [1517] says exactly otherwise! Bad currencies DO frequently drive better currencies out of business.

The “bad” option is also happening with bitcoin: it has gained excessive popularity NOT because it was technically very good (it never was) or had solid intrinsic value, or it was fast and convenient (it never was). It has thrived because it has created huge expectations which temporarily bitcoin competitors could not meet. Bitcoin remained the obvious choice, a sort of natural monopoly [see Section 12 here]. However bad and ugly it has been.

The “Yahoo of cryptocoins” is now waiting for the “Google of cryptocoins” to steal their business purely on technical superiority and without a single hostile shot. This however is NOT guaranteed to happen.

For example if one crypto currency fixes some cryptography issues, it will get something else wrong.

Antonopoulos [a former UCL student] once pointed out that “when you have a technology that is ‘good enough’ that achieves network scale […] good enough suddenly becomes ‘perfect’” and therefore he claimed that bitcoin has made it: “I don’t see any altcoin displacing it”, he says. If bitcoin crashes, again according to Antonopoulos, it will rather be because “we blow it up by accident and that could happen”.

In general a Darwinian evolutionary process does NOT lead to strict technical superiority.
Inferior and imperfect solutions have good chances to thrive if they are able to adapt to circumstances, or if they just lie and cheat us into believing that they are OK. They can just pretend to do the right thing or imitate what good solutions should be doing. Welcome to the creepy world full of noise, propaganda, self-indulgent promotion, and numerous scams (which are also all about imitation and mimicry).

The good, the bad and the ugly are here to stay.

Stellar: Good Points And Some Glitches

A new crypto currency and decentralized exchange platform STELLAR has been launched on 31 July 2014.

It is run as a non-profit. It was created by Stripe CEO Collison and Ripple co-founder McCaleb. It has received $3 million in initial funding from Stripe.

Some good points about Stellar:

  • Non-profit: some people say that Stellar is expected to be “Ripple with the Evil taken out”.
    • They promote donations to charities in a variety of ways.
  • Stellar is a major innovation with distinct characteristics and is very far from being yet another altcoin.
    • It is based on bitcoin and Ripple source code, which is expected to be well understood (in fact it is now clear that it inherited some serious problems).
  • It is luring subscribers and users in many different ways mostly through small monetary incentives.
    • 95% of all coins will be given away (but not exactly for free, see below).
    • Stellars will also be given to ANYONE who has bitcoins (10%) or Ripple (1%), based on the data in the blockchain at a certain moment. This is very clever: it will get Stellar a lot of new users.
  • They promise to release a paper showing that Stellar is secure.
    • Unlike bitcoin they DO CARE about cryptographic security. Very recently in July 2014 they decided to go for an elliptic curve Curve25519 which is currently not suspected of having a backdoor.
  • They seem to be focused on fast transactions (not like bitcoin). They say: “Every few seconds, the servers tally up the most recent batch of transactions and verify that their ledgers are in sync”. Their consensus algorithm is called Firmeza.
  • They support accounts in ANY currency, fiat or crypto.
    • This is achieved through multiple Gateway companies which hold these assets for you (like existing bitcoin exchanges or small independent banks).
      Later people exchange cryptographic IOU underwritten by these parties.
    • In fact this is super dangerous and could potentially be illegal. Not only because this could be hacked. There is a major question of regulation and banking licences. Both Stellar and individual users are now facing an enormous challenge to know which Gateway companies can be trusted. For example criminals could set up these companies. Then they will run off with our money (recall MtGox).
  • There is no mining in Stellar, it is purely based on trusting Stellar and independent Gateway companies.

Actually we have some objections:

  • It is a mistake not to have any mining. Bitcoin is in trouble because of lack of Proof of Stake. Stellar is in bad trouble because of lack of Proof of Work! Probably a decent crypto currency should combine both POW and POS.
  • Stellar distribution has been so far quite messy, NOT FAIR and not transparent.
    • First they gave 6,000 Stellars to each new account, now it is less, and they do NOT even say how much.
  • It is NOT given for free. In exchange you must connect with a genuine active Facebook account.
    • Then you will be asked  to share your “public profile, friend list and Photos” with Stellar.
  • So Stellar is STEALING personal data from users in exchange of a promise of an unspecified monetary reward worth a few dollars.
    • Bruce Schneier have once said: “If McDonalds offered a free Big Mac in exchange for a DNA sample, there’d be lines around the block”. Stellar are doing just that with our personal data.
    • This is done in a rather deceptive way: many people think they will get 6,000 stellars as promised.
  • They do NOT encourage running network nodes. They claim that “anyone is free to set up their own server on the network”, however the reality is different:
    • they do NOT even have an easy to download full peer network client for Windows.
    • so it is difficult to trust this network. Probably extremely few people run peer nodes.
    • most people probably access their stellars through a web interface (centralized).
  • There are YET extremely few Gateway servers (like 1).
  • According to some sources Stellar is now the second largest crypto currency by market cap. However this is an ENTIRELY FAKE valuation (this web page has more accurate market caps).
    • Some people have promised NOT to sell their stellars for a long time.
    • Most stellars have not been given away, only some 1.3% have been.
    • As soon as people get their stellars they will sell them and the market price is likely to collapse.

 

What Do We Stand for In Security Engineering and The Question of Improving Bitcoin

What do we stand for? The answer is quite simple: threats and attacks need to be anticipated and protections must be built pro-actively, in advance, before something bad happens and it is maybe too late. The gold standard in information security is: “it’s always better to assume the worst” because “when the unexpected happens, you’ll be glad you did”, following the well-known information security engineering and applied cryptography guru Bruce Schneier.

Recently I have publicly said that in my opinion  “Bitcoin has a toxic culture of people avoiding talking about its problems.” and even though my exact words were distorted, I have also kind of accused the Bitcoin foundation of not acting responsibly, which would be to make more space for cryptographers and security engineers and in general be more careful about security.

This post has provoked 150 comments in just one day. Some people say: “This subreddit is notorious for […] attacking anyone and everyone who is not pumping bitcoin.” In fact, maybe it is not so bad; it seems to show all sorts of opinions.

Jeff Garzik, one of the core developers most people trust and respect, a brilliant devoted contributor, responded: “On the contrary, we document our problems openly”: https://en.bitcoin.it/wiki/Weaknesses

Not untrue, however the better is the enemy of the good [Voltaire 1772]. This wiki does not contain anything like a detailed, informed expert discussion on bitcoin attacks. On the contrary, it is over-simplistic and is likely to mislead rather than inform the reader, leading them to ignore some important threats and attacks on bitcoin; here is why.

Can Bitcoin be Reformed?

I remember that I have personally asked Jeff Garzik about the bitcoin elliptic curve during some bitcoin event. It was on the top floor of a certain London Canary Wharf skyscraper. I remember that I was very careful to state my question very clearly: “Would they change the Bitcoin elliptic curve PREVENTIVELY, before a problem is found by cryptography researchers?”
The answer was no, not unless something bad happens!

This is exactly what I and many other people are talking about: lack of pro-active security. Wait and see.

Recently another bitcoin core developer, Peter Todd, has become frustrated with some of his friends in the Bitcoin development community and has said that “it might take a disaster to get the consensus to fix it” (his concerns were different I think, mainly the 51% threat and the current excessive centralization of bitcoin).

Can Bitcoin Cryptography be Broken?

For sure it will be broken, it is just a matter of time. Either SHA256 or secp256k1 will be broken. It is foolish to believe that standard modern cryptography is secure, and moreover bitcoin cryptography is very clearly sub-standard and very peculiar.
Now will bitcoin cryptography be broken like next year? Probably not. It is now possible to bet on this question with bitcoins in total anonymity. It is a game; I do not personally think it will be broken so quickly.

Best Understood Attack In All of Bitcoin?

Post in the series “bitcoin mistaken claim of the month”.

Bitcoin Wiki and 51%

I have today looked at the official Bitcoin wiki which is there to “document [bitcoin] problems openly” and provide an open forum with “loads of discussion about bitcoin’s problems”, according to an official and highly respected source:

https://en.bitcoin.it/wiki/Weaknesses

I have checked and ooops, sorry, in fact, there isn’t any discussion there whatsoever. This wiki is all about educating bitcoiners in a top-down way, and they can only discuss their doubts elsewhere in some forums.

So far so good, the wiki isn’t particularly bad, though it looks a bit neglected.

According to this wiki, there are no problems in Bitcoin whatsoever. Well, for sure there is a brief section about 51% attacks. This section however does NOT even get into the part entitled “Might be a problem”. It appears in the subsequent part entitled “Probably not a problem”, and this under a highly misleading title:

“Attacker has a lot of computing power”.

Quite happily just below they correct it and say it is rather about temporary control not ownership. They explain that the exact scenario is when he “controls more than 50% of the network’s computing power” and they make it clear it can be temporary: “for the time that he is in control”.

Not so good, but not yet very bad.

In fact even controlling is still an over-statement… The attacker just needs to hack the communication: a man-in-the-middle attack, super classical, yet the wiki does not even mention this term! Or he can trick miners into mining through his own malicious pool, or his own malicious crypto currency, and this for a limited time like half an hour. The cost of blocks mined during half an hour is NOT large (maybe 75 BTC) and could be much less than the potential gains (between 500 and 2000 bitcoins are at risk of double spending in each single block).

Now this official wiki at numerous places refers to another article about Bitcoin attacks, reportedly written by David Perry for a more general audience, and this one is really very badly mistaken. It is a concentration of common archetypal misconceptions about 51% attacks. We hear that “the 51% attack is the oldest and best-understood attack in all of Bitcoin”, that “we all know how it’s supposed to work” and that “the ‘fix’ is built right into the client – just wait for your 6 confirmations” (ignoring the fact that 6 confirmations are certainly not enough if a larger sum of money is at stake).
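The “6 confirmations” figure comes from the last section of Satoshi’s own paper, which gives a formula rather than a constant. The added example below (not code from this blog, nor from the wiki article it criticises) ports that calculation to Go and adds a helper, ConfirmationsForValue, which scales the tolerated probability with the sum at stake; that helper and its risk-budget argument are my own addition, while the reference values checked in main() are the ones printed in the paper.

```go
package main

// Added example, not code from the blog post: Satoshi's Section 11 estimate of
// the probability that an attacker with fraction q of the hash power ever
// overtakes the honest chain after a merchant has seen z confirmations, plus a
// helper that chooses z for a given risk budget (the helper is my addition).

import (
	"fmt"
	"math"
)

// AttackerSuccessProbability follows the paper's C code: the honest chain is
// z blocks ahead, the attacker's progress meanwhile is Poisson with mean
// z*q/p, and the remaining gap is closed with gambler's-ruin odds (q/p)^(z-k).
func AttackerSuccessProbability(q float64, z int) float64 {
	p := 1.0 - q
	lambda := float64(z) * (q / p)
	sum := 1.0
	for k := 0; k <= z; k++ {
		poisson := math.Exp(-lambda)
		for i := 1; i <= k; i++ {
			poisson *= lambda / float64(i)
		}
		sum -= poisson * (1 - math.Pow(q/p, float64(z-k)))
	}
	return sum
}

// ConfirmationsNeeded returns the smallest z whose success probability is below
// maxProb, or -1 when q >= 0.5 (the attacker then always catches up eventually).
func ConfirmationsNeeded(q, maxProb float64) int {
	if q >= 0.5 || maxProb <= 0 {
		return -1
	}
	for z := 0; z < 1000000; z++ {
		if AttackerSuccessProbability(q, z) < maxProb {
			return z
		}
	}
	return -1
}

// ConfirmationsForValue scales the risk budget with the amount at stake: wait
// until the expected loss (probability * amount) is under maxExpectedLossBTC.
// This is why a fixed "6 confirmations" cannot be right for every payment size.
func ConfirmationsForValue(q, amountBTC, maxExpectedLossBTC float64) int {
	return ConfirmationsNeeded(q, maxExpectedLossBTC/amountBTC)
}

func main() {
	// Reference points printed in the paper: q=0.1,z=6 -> 0.0002428; q=0.3,z=10 -> 0.0416605.
	fmt.Println("q=0.10, z=6 :", AttackerSuccessProbability(0.10, 6))
	fmt.Println("q=0.30, z=10:", AttackerSuccessProbability(0.30, 10))
	for _, q := range []float64{0.10, 0.20, 0.30, 0.40, 0.45} {
		fmt.Printf("q=%.2f -> %d confirmations for P < 0.1%%\n", q, ConfirmationsNeeded(q, 0.001))
	}
	fmt.Println("q=0.10, 1000 BTC at stake, 0.1 BTC expected-loss budget ->",
		ConfirmationsForValue(0.10, 1000, 0.1), "confirmations")
}
```

For q = 0.10 the P < 0.1% rule gives 5 confirmations, but at q = 0.45 it gives 340, and a merchant accepting 1000 BTC with a 0.1 BTC loss budget already needs 7 rather than 6 at q = 0.10: the number of confirmations to wait is a function of both the attacker’s share and the sum at risk, not a constant baked into the client.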

Are 51% Attacks Costly?

More importantly the author claims that 51% attacks are “so amazingly cost-prohibitive to perform that we’re basically talking about a government focusing the full power of every top-secret ridiculously expensive supercomputer they’ve got at us”.

Knowing that just 10 pools command some 75% of the hash power (possible coalition) and the attacker just essentially needs to subvert 10 computers and make innocent miners mine on a different block than they think they are mining, HOW does it make 51% attacks amazingly cost-prohibitive?

In fact the real ‘close to taboo’ topic which some people in the bitcoin community simply do not enjoy discussing is NOT the hypothetical or possible attacks, but one simple hard fact about current bitcoin.

The fact is that bitcoin is excessively centralized; 1 person controlling 51% or 10 pools controlling 75% does not make such a big difference. This is simply a violation of the original idea of bitcoin by Satoshi Nakamoto.

Remark: Here is a longer presentation about 51% attacks.

Can Bitcoin be Improved and/or Reformed?

It is clear that bitcoin is under-developed and in a serious crisis. More generally, bitcoin needs to be reformed, basically fixed, in order to be saved from the EXCESSIVE centralization which is “a serious threat” to the very existence of bitcoin and its good reputation, and is also just contrary to the original idea of bitcoin by Satoshi Nakamoto, which is expected to be decentralized.

A well-known bitcoin core developer, Peter Todd, has recently also become frustrated by this careless and easy-going attitude regarding the 51% threat and the centralization of bitcoin. He recently proposed to reform bitcoin in order to make it less centralized. He has said that “it will take a system failure to get people to agree” and “it might take a disaster to get the consensus to fix it”.

Note: Peter was recently hired to work on a specific alternative conception of Bitcoin 2.0 technology.

LINKS ADDED after this post was written:

  • Some major bitcoin governance questions are discussed here.
  • Here is another paper on the question of double spending.
  • Bitcoin remains super-fragile and forks can occur. In July 2015 bitcoin core software was on a red alert, see here. Suddenly serious forks have occurred and we are told: “Please continue to wait 30 more confirmations than you usually would wait before accepting a transaction”. These forks are actually due to bitcoin mandating a security upgrade maybe too quickly: strict signature validation rules. A good thing overall, but it shows how super fragile bitcoin software is.