New paper about the ways in which bitcoin will fail when cryptography is broken.
With the help of some sponsors and friends, and with donations received in the UCL seminar donation account,
I have created a fund for research prizes for early-career researchers in bitcoin and blockchain security, financial cryptography and real-life cryptanalysis.
Here is our press release (updated 10 March 2015).
Confirmed sponsors are Blockchain.com, Clearmatics, Complymatic, Finyear, Tramonex, and a number of individual UCL bitcoin seminar supporters.
Enigma cipher machines are rare collector items which are worth a small fortune. It is estimated that at least 50,000 Enigma machines were manufactured during WW2. Some Enigma machines are more exceptional than others, as far fewer of them are left.
When Polish code breakers went to France after Poland was overrun by Nazi Germany, 4 clone Enigma machines were built in France based on an earlier design built in the AVA factory in Warsaw. Much later, one of these machines was brought from the south of France to London and is now the property of the Pilsudski Institute in London (it can be visited after 14 March 2016).
For more than 70 years nobody knew what happened to the other 3 machines.
In December 2015, the French foreign intelligence service [DGSE] officially announced that all Enigma WW2 documents are going to be declassified. Pictures of the French Enigma have been published (left side).
This machine is indeed nearly identical to the machine held in London. Here is a comparison side by side. The keyboard on these machines is in alphabetical order: ABCDE… while the German machines had a QWERTY keyboard.
With permission from Olga Topol, PhD, curator at the Pilsudski Institute, below are some further pictures of the French-Polish machine which can be seen at the Pilsudski Institute in London [it appears that the remaining 2 machines were lost when the passenger boat Lamoricière sank in 1942].
I have worked for several years in the bitcoin community.
In May 2014 I published a paper in which I formulated the theory of programmed self-destruction of crypto currencies.
A few points about this:
I have also for many years reflected on the questions of bitcoin governance. For me it was always clear that sooner or later incredible tensions would arise inside the bitcoin community, and that sooner or later some people would find it profitable to quit and invest their money elsewhere. My blog post about the possibility of a divorce in bitcoin is cited in a recent report by the British government Chief Scientific Adviser [19 Jan 2016].
I view the announcement of Mike Hearn quitting as a terrible setback for bitcoin, a blow from within. Something close to a bitcoin assassination attempt, by a person who first had a huge role in bitcoin, then more recently presented himself as a rebel working for, not against, bitcoin. A person who had considerable authority and would be one of the few key people whom the community would trust to fix bitcoin. Instead Mike Hearn has now announced that bitcoin has failed, after selling all his bitcoins.
I would argue that this combination is morally questionable. In private business this is OK: you sell your stocks and you retire.
However bitcoin is different. It could be ethos or values, or just clever technology, which makes this system and community exist and work, whatever the circumstances. It is expected to work in North Korea and to resist government intervention. It is expected to live on even if Satoshi himself decided to destroy it. It is not expected to fail just because some prominent members of this community are fraudsters or liars, or because they have been corrupted by bankers. It is not expected to collapse if one developer suddenly writes a paper in which he discovers things we have known for many years, and which he failed to fix [being in charge more than most people].
The fight for Bitcoin and the fight for money free from the dominant forces of corruption will continue.
I have spent a few recent days at the 2015 CCC congress in Hamburg. CCC is the biggest security conference in Europe, with 12,000 participants and potentially more [tickets were sold out].
Most talks I attended were really good! 90% are really excellent.
CCC is IMHO also the best security conference in Europe. A place like no other, where you get to learn a lot about real-life cyber-security. But not everything was to my taste.
Filippo Valsorda, a crypto developer known for exploring some serious vulnerabilities [e.g. the Heartbleed test or showing how RNGs fail very badly], has apparently decided to stop being a hacker (showing how not to do security).
Now he has decided to educate the public about how to make a secure random generator and explained that we need to stop worrying!!!
As a university security expert who has taught computer security and applied cryptography for a decade now, author of several publications about how RNGs fail and fail again, and with industry RNG experience, I must say this recent talk is not exactly what I would call good security advice.
The author has studied the source code of /dev/[u]random in Linux [a good start!] and found that it is a PRNG in which system events are used to add entropy to the pool. He also remarked that the system has no counter [which is hard to implement and could be hacked, a good remark], which is something he would recommend using [one single random number could then be used to generate an unlimited amount of randomness in counter mode].
He explained the [well-known] difference between /dev/urandom and /dev/random.
The difference is the blocking behaviour. The file /dev/random will not provide many bits if the entropy pool has not been modified by a sufficient number of events which add entropy to the pool.
He claimed that the blocking behaviour of /dev/random is ‘totally useless’.
His argument is that in cryptography we have secure stream ciphers for just that. Yes, even rather basic and inexpensive cryptographic solutions can produce an unlimited quantity of secure randomness from a seed/initial pool of fixed size. Yes, a counter mode and a hash function, as in Filippo's proposal, also do the job at least equally well. Yes, a hash function such as SHA1, which is what Linux uses to obtain outputs from the entropy pool, is a secure design provided that just one bit in the SHA1 input changes. This even though /dev/random uses simpler mechanisms to update the internal memory pool, as many stream ciphers do. All this is correct. HOWEVER.
This is correct in cryptography, but totally wrong in real life, and totally wrong in crypto engineering.
Consider for example encryption. Again, yes, standard cryptography can encrypt unlimited quantities of data with one short key. However. The reality is that almost no real-life cryptographic system I have ever heard of [and I teach applied cryptography] uses the same encryption key for a long time. Frequent re-keying has always been the norm in the industry [WW2 Enigma, GSM, 3/4G, Bluetooth encryption etc.].
In the same way, many real-life random number generators behave as in Linux: they continuously upgrade their entropy pool. There are good reasons for that. Linux security engineers, however basic their designs are, are not idiots. They monitor entropy entering the pool for a reason.
The reason is something which we now call a post-Snowden attacker.
Or just what the attacker always was for security engineers, except in “pure mathematical crypto technology push” research [where people love to ignore real-life security and are frequently happy with provable security even though the assumptions on the adversary are not realistic].
Now a post-Snowden attacker is NOT just about predicting the next/previous bits of the RNG or recovering the seed, all things which cryptography makes impossible at an affordable cost.
It is about more practical attacks such as:
recording the state of the pool at different moments in hidden locations inside the CPU, OS, file system, or your hard drive; stealing the pool state with side channels, malware, covert channels, BIOS SMM code, or across air-gaps.
Then brute-forcing the [insufficient] entropy entering the pool between these moments(!), based on some captured random values generated some moment after the captured data.
This brute force attack is the reason WHY you would count the bits of entropy which enter the pool. Linux developers are doing the right thing. We do not claim the Linux RNG is secure, but it could be secure enough in practice, and using /dev/random IS a good idea, rather than the dubious proposal of using a counter mode outlined in this talk, which I would not recommend to my worst enemy. It simply makes it super easy to compromise A LOT of random bits by capturing very little data.
Here are some of our [older] slides about how to design RNGs in various applicative contexts, which can range from pure software to [secure] hardware environments. We do not claim that these slides are the best reference on this topic, but they represent the idea of robust crypto and security engineering with a focus on realistic attack scenarios, and there are some further references recommended inside.
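The argument above, about why a pool that keeps counting fresh entropy and blocks when starved behaves differently under a state-capture attacker than a seed-once counter-mode generator, can be made concrete with a toy model. The following Python is an added illustration written for this post; it is not the Linux kernel's code nor Filippo's proposal. It assumes a simplified pool (SHA-256 in place of the kernel's SHA1 extraction, a fixed 16-bit credit per constructed event in place of the kernel's per-event timing estimate) and compares what a captured internal state predicts about later outputs in each design.

```python
import copy
import hashlib
import hmac
from typing import Optional


class EntropyPool:
    """Toy /dev/random-style pool with entropy accounting (constructed model,
    not the kernel algorithm). It keeps a conservative credit of entropy bits
    mixed in since the last extraction; a blocking read refuses to hand out
    more bytes than that credit covers."""

    def __init__(self) -> None:
        self.state = bytes(32)   # worst case: pool starts with no entropy at all
        self.entropy_bits = 0    # conservative credit, like the kernel's entropy count

    def mix_in(self, event: bytes, credited_bits: int) -> None:
        # Hash the event into the pool; credit only what the caller vouches for.
        self.state = hashlib.sha256(self.state + event).digest()
        self.entropy_bits = min(self.entropy_bits + credited_bits, 8 * len(self.state))

    def _extract(self, nbytes: int) -> bytes:
        # Output is a hash of the pool, then the pool is rolled forward so that a
        # later capture of the state does not reveal the bytes already handed out.
        out = hashlib.sha256(b"output" + self.state).digest()[:nbytes]
        self.state = hashlib.sha256(b"step" + self.state).digest()
        return out

    def read_nonblocking(self, nbytes: int) -> bytes:
        # /dev/urandom behaviour: always answers, even from a starved pool.
        self.entropy_bits = max(0, self.entropy_bits - 8 * nbytes)
        return self._extract(nbytes)

    def read_blocking(self, nbytes: int) -> Optional[bytes]:
        # /dev/random behaviour: refuse (None) until enough entropy was credited.
        if self.entropy_bits < 8 * nbytes:
            return None
        self.entropy_bits -= 8 * nbytes
        return self._extract(nbytes)


class CounterModeGenerator:
    """The seed-once design the post argues against: every output is a
    deterministic function of (seed, counter) and nothing else."""

    def __init__(self, seed: bytes) -> None:
        self.seed = seed
        self.counter = 0

    def read(self, nbytes: int) -> bytes:
        block = self.counter.to_bytes(8, "big")
        self.counter += 1
        return hmac.new(self.seed, block, hashlib.sha256).digest()[:nbytes]


def starved_pool_blocks() -> tuple:
    """A blocking read on an unseeded pool returns None; after 256 credited
    bits from constructed events, a 32-byte read succeeds."""
    pool = EntropyPool()
    first = pool.read_blocking(32)
    for i in range(16):
        pool.mix_in(b"constructed-boot-event-%d" % i, 16)  # 16 * 16 = 256 bits
    second = pool.read_blocking(32)
    return first, second


def state_capture_comparison() -> dict:
    """Attacker model from the post: the internal state is captured once.
    Does that capture reveal the outputs produced afterwards?"""
    gen = CounterModeGenerator(seed=b"constructed-32-byte-seed-value!!")
    gen.read(16)                              # some normal use before the capture
    captured_gen = copy.deepcopy(gen)         # the stolen state
    later = [gen.read(16) for _ in range(3)]
    replay = [captured_gen.read(16) for _ in range(3)]

    pool = EntropyPool()
    for i in range(16):
        pool.mix_in(b"constructed-boot-event-%d" % i, 16)
    pool.read_blocking(16)
    captured_pool = copy.deepcopy(pool)       # the stolen state
    for i in range(16):                       # fresh events keep arriving after the capture
        pool.mix_in(b"constructed-fresh-event-%d" % i, 16)
    later_pool = pool.read_blocking(16)
    replay_pool = captured_pool.read_nonblocking(16)

    return {
        "counter_mode_predictable": later == replay,        # True: capture gives everything
        "reseeded_pool_predictable": later_pool == replay_pool,  # False: fresh entropy intervened
    }


if __name__ == "__main__":
    print(starved_pool_blocks())
    print(state_capture_comparison())
```

The model makes the post's point visible: with the counter-mode design one captured state reproduces every later output exactly, whereas the reseeded pool's later output depends on the entropy that arrived after the capture, which is exactly the quantity the entropy accounting is there to keep large enough. The 16-bit credit per event is an assumption of this toy; how much entropy a real event deserves is the hard engineering question.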
10 bitcoins (nearly 4000 USD) are offered for help with breaks, cryptanalysis, security proofs, analysis or improvements relating to the CCT protocol, which aims at making the amounts of bitcoin transactions confidential with a dedicated efficient zero-knowledge method. The timing is tight: the prize expires on 20 January.
Additional cash prizes, challenges and bounties on similar questions in applied financial cryptography and crypto research will be announced soon on this blog.
A recent paper from September 2015 revisits a simple [well-known] attack in which a government agency manipulates elliptic curves under the assumption that there exists a (secret) method such that a certain proportion (say 1 in a million or 1 in a thousand) of curves are weak and breakable.
No convincing method to create a weak curve is known, and this paper is speculative fiction.
This comes in an atmosphere of increasing uncertainty around more or less all elliptic curves, which are no longer recommended by the NSA as long-term solutions. For the short/medium term the NSA also re-iterates that the Suite B curves remain the safest choice, with an upgrade from P-256 to P-384; this is because these curves are those which have been most extensively studied. Interestingly they do not [not anymore] recommend that people who use RSA upgrade to ECC, see our summary here.
Added in 2016: here is how to generate a curve such that manipulation is much harder(!).
Microsoft has released a new free ECC library which is up to 5x faster than the traditional elliptic curve P-256 (which was so far the most commonly used curve in practical applications) and also up to 3x faster than the well-known alternative Curve25519.
The bitcoin elliptic curve belongs to the category “special therefore suspicious” and has so far been a bizarre sectarian choice, the subject of serious controversy. Should this one consequently be called “double special” and therefore “double suspicious” (instead of 1 special multiple it has 2 special multiples)?
Not sure. Microsoft cryptographers do not want to admit that such curves could be very weak, and take the (same) already controversial idea of using curves with fast endomorphisms, as those which can have a very efficient implementation, to a new level.
After all, so far there is no really serious attack known on these curves, and the NIST curves do not have good press either.
Edward Lucas wrote a nice piece on how businesses can dramatically improve their cyber-security.
He says that:
“Well-run organisations will stop using passwords and logins in 2016.
Instead they will use identifiers that are harder to copy, fake, steal or guess […]
Security questions will stop being […] “mother’s maiden name”. Instead they will ask you to give numbers from codes continuously generated by an app on your phone.”
In contrast, some people propose to extend the usage of passwords, which are today the weakest link.
It is known that password security almost always fails; see for example the brainflayer tool for recovering passwords from bitcoin brain wallets.
According to the BBC and many other sources, Islamic State terrorists use a messaging app called Telegram to encrypt communications for groups of users.
On the surface, Telegram developers seem to support high security standards: they have published the spec and API and in November 2014 funded a handsome 300,000 USD cash prize for cracking Telegram encryption [expired in February 2015; the company promises to issue new hacking contests soon]. Experts disagree, however, that there are reasons to trust Telegram and point out many issues with the security of Telegram.
The biggest collateral damage of terrorist attacks would however be a ban on secure encryption or privacy apps; this has been proposed in the UK, but arguably it would be like destroying the very freedom we are trying to protect. Instead, intelligence services are now returning to some more traditional methods, like spies.
What is however missing is reflection on the deeper causes and sources of terrorism, on what motivates people to enrol in militant terrorist organizations, and, even more importantly, on the question of funding.
Even though privacy and encryption are probably going to survive and hopefully will be used yet more widely, it is in my opinion very unlikely that we will ever have a truly anonymous crypto currency which is widely used and accepted.
Such a currency could be highly private and based on ZK proofs as in ZeroCash, or just hide the amounts as in the CT/CCT proposals, or protect primarily the users and be based on ring signatures as in CryptoNote; see a fast comparison of features in Fig. 1 here.
However even here advanced cryptography has some tricks to offer: it could be possible to achieve privacy together with a zero-knowledge proof of good behaviour, of compliance with regulations and taxes, and/or of non-involvement in criminal activity. Whether this is realistic actually remains a big open question in applied cryptography research. But again, cryptography can potentially help to reconcile privacy with the policing of organized crime and terrorism.