Epicenter - Learn about Crypto, Blockchain, Ethereum, Bitcoin and Distributed Technologies - Nicolas Courtois: BTC2B Conference – Potential Security Vulnerabilities in Bitcoin ECDSA
Episode Date: October 30, 2014
Nicolas Courtois is a cryptographer and senior lecturer at University College London. He has been studying cryptocurrencies for some time and has written a number of papers on Bitcoin. His talk is titled "Cryptographic Security of ECDSA in Bitcoin", in which he exposes the security vulnerabilities in the specific variation of the Elliptic Curve Digital Signature Algorithm used in Bitcoin.
Episode links: Slides for this presentation; Nicolas Courtois's Wikipedia page; Personal blog; "On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies" paper; Nicolas's Bitcoin publications.
This episode is hosted by Sébastien Couture. Show notes and listening options: epicenter.tv/050
Transcript
This episode of Epicenter Bitcoin is brought to you by Fairlay.
Fairlay is a Bitcoin prediction market where you can place predictions on the likelihood of
sporting events, the Bitcoin price, or current affairs.
You earn money if your predictions are correct.
Head over to Fairlay.com slash epicenter.
That's F-A-I-R-L-A-Y.com slash epicenter to place your first bet today.
Hi, welcome to Epicenter Bitcoin, the show that talks about the technologies,
projects, and startups driving decentralization and the global cryptocurrency revolution.
My name is Sebastian Couture, and today's episode continues our coverage of the BTC2B conference,
which took place in Brussels on October 16th and 17th.
So in this episode, we have the final talk of the conference,
which was delivered by Nicolas Courtois, who is a well-known cryptographer,
codebreaker, as well as a senior lecturer at the University College London.
He has over 100 publications, multiple patents, and years of experience working in the smart card industry.
In the last few years, Nicolas has shifted some of his time to cryptocurrencies.
He's authored several papers on Bitcoin and is the author of the so-called
theory of self-destruction of cryptocurrencies. You can find Nicolas's work and writings on his website
at blog.bettercrypto.com. So this talk is titled Cryptographic Security of ECDSA in Bitcoin,
in which Nicolas exposes the security vulnerabilities in the specific variation of the elliptic
curve digital signature algorithm used in Bitcoin. In fact, he speculates that
Bitcoin will be cracked sometime in 2015.
It's a very technically complex talk, but very interesting.
It opens your eyes to the possibility that the technology that we all use and want to succeed
may have some serious security issues.
So for those of you who are interested, the link to the slides for this talk will be in the show notes
at epicenterbitcoin.com.
And you can, of course, read more of Nicolas's research on his website at blog.bettercrypto.com.
And we'll try to get him on as soon as we can so that we can dive deeper
into this topic. So without further ado, here's Nicolas Courtois.
So I will tell you about cryptographic security of Bitcoin, focusing on ECDSA.
Okay, so my profession is basically to break things. I'm a cryptologist and codebreaker.
So I have spent my whole life in this space.
I'm also a Bitcoin activist, so I run a Bitcoin
seminar in central London and I have a blog, it's bettercrypto.com.
You can also Google for UCL Bitcoin seminar.
It runs every week.
So, well, the question is, is Bitcoin secure?
Actually, Satoshi is someone explicitly claiming this in his paper and other places.
So I have done some research on 51% attacks.
Okay, so for example, here are some comments on my paper, okay:
cryptocurrencies are programmed to self-destruct, politically incorrect news,
stranger than fiction, usually true.
Okay, it's a very, very long paper.
So my whole life I have tried to improve the security baseline, okay.
I was basically crying wolf all the time, okay, like 50% attacks,
elliptic curves, OpenSSL, a few more today.
Okay, it did not help.
Okay, the wolf was always allowed to operate.
Okay, so we failed to protect our data.
Okay, and it's not so much about the NSA actually.
You know, you have all these things which are behind the NSA here, which really are the real.
Okay.
We fail to protect our money.
Okay, so basically there is no reasonable way to store money in today's economy.
You are a victim of some sort of, you know, very strange people who are going to do very strange things with your money.
So one of the solutions is basically building sort of decentralized peer-to-peer systems and a decentralized peer-to-peer society.
Okay.
One of the solutions is blockchain technology.
Okay, so here is what a journalist from the Telegraph has recently written.
So until recently we have needed central bodies, banks, stock markets, blah, blah, blah, police forces to settle vital questions.
Who owns this money? Who controls this company? Who has the right to vote? And so on.
Now, we have a small piece of pure incorruptible mathematics in computer code, which allows us to solve the same problems.
Okay.
But is cryptography incorruptible?
Okay, so here are some excerpts from last year's NSA budget, the mission statement:
to covertly influence, insert vulnerabilities into commercial public technologies.
Okay.
So it's quite funny, but you have probably heard a lot about John Nash, okay, maybe
in Ethereum with Vitalik, okay, but John Nash also was a cryptographer, or had tried to be a
cryptographer. He was not very successful. But he has written in 1955 a letter to the NSA,
which was declassified very recently. And in his letter, he explains what according to him
would be a secure crypto algorithm.
And this is pretty revolutionary even today,
because he believes that a secure crypto algorithm is such
that the security increases exponentially
with the length of the key.
And actually, very few crypto systems have ever achieved that.
I mean, RSA is not secure in the sense of John Nash's intention here.
So RSA is not a secure crypto system for John Nash.
Okay?
So an example of a secure crypto system is elliptic curve cryptography, basically.
It achieves this thing which is called exponential security.
Okay?
So are serious cryptography.
I mean, how do you convince a banker that something is secure?
Probably you can't, but here is one method.
Okay, so you publish cryptographic challenges.
And currently, if you break elliptic curve cryptography, you can earn like $700,000
in prizes and challenges.
Okay, so this is how you convince a bank that something is secure.
It's the only way we do it.
Okay. So I always like this idea of crypto challenges.
And I was very naive, but I have written and said years ago, and years before Snowden,
that we should punish those who by their ignorance, incompetence or because of a hidden agenda
put everybody's security under great risk.
Okay, I was very naive because these people are never
ever punished and nothing bad happens to them.
So, so these challenges are important.
I mean, this is really how we know that something is secure.
Okay, by the way, the Bitcoin curve is not included.
Okay, if you break it, there is no prize for you.
So obviously, as Vitalik has said to me,
obviously there are billions of dollars out there if you break it.
Okay, but where is the honest option?
Okay?
Here's the honest option, like, I mean, if you work for the NSA,
you might quit and cash in on this and retire.
The whole lot of this option is that you can put a whole lot.
If you get a whole bunch of Bitcoin, put it on Bitfinex,
what you do, negative tax leverage,
then it's your paper, then watch the price go off.
Well, possibly, it's very interesting ideas.
Also, in some countries actually have legal right to have 10% of something you find,
if it's lost, but here it's not lost.
So I don't really see an honest option,
but it's an interesting method.
Okay, so what about Bitcoin's elliptic curve?
It's quite funny because, you know,
the origins of this curve are pretty obscure.
And recently Dan Brown, who's basically the head
of this efficient cryptography group,
which has standardized this elliptic curve in the first place,
okay, has actually denied
any support whatsoever for this curve.
So he has written, I did not know that Bitcoin is using this curve.
I'm surprised to see anybody use it.
Okay, so this is from last year.
You should not use it.
And I have surveyed different industrial systems,
and nobody ever uses this curve.
Okay, so if you compare the standard curve, which is this one,
which everybody uses, okay?
And for example, like 7% of TLS connections
use elliptic curves nowadays, but 98% of these use this single curve.
It's like something which almost everybody uses.
Microsoft, German, French government systems, you know,
EMV bank cards, Kerberos, OpenVPN, IPsec,
NATO military cryptography, NSA, and NIST recommend this curve and so on and so on.
Okay, so very few people actually recommend the Bitcoin elliptic curve.
And even less people use it ever.
I think Bitcoin is the only real, a serious system which ever uses it.
Okay, I think there is no other on planet Earth.
Okay, it's quite interesting.
So I have made a bet.
You can bet with bitcoins anonymously or not anonymously, it's your choice.
Okay?
And you can bet money, so you can bet it's going to be broken within a year from today.
It's a game.
I don't think it's going to be broken.
Well, it's just again to raise the awareness of crypto in Mexico.
Okay.
So you can bet Bitcoin's whether yes or no it's going to be broken next.
There's a specific way.
So how much should you bet?
Don't bet a ridiculous amount, please.
There are some millionaires probably in this room or who know some millionaires.
Okay.
So as long as we don't have 2,000 bitcoins in these bets, okay?
We simply do not yet know if Bitcoin ECC is broken.
Okay?
You don't expect civil codebreakers to work for free.
If they can make $700,000 elsewhere,
they will not even look at the Bitcoin in the curve.
They will tell you get lost.
We have other things to do.
Okay?
So as long as there isn't 2,000 bitcoins in this bet,
you absolutely cannot know if this Bitcoin curve is not already broken
by like somebody, who is an expert.
So, because, you know, somebody can break it,
they'd rather steal Bitcoins, for example,
then, you know, where is the honest option?
There's no honest option.
Okay.
So they would rather steal some Bitcoins.
By the way, this is possible only if your public keys are revealed.
So tip: use each Bitcoin address only once.
Everybody, I think, knows that.
So Bitcoin has a lot of issues, you know,
I will skip, I let you know,
crypto could get broken, monetary policies
either weird or mad, you know.
51% attacks and double spending is actually easy, as explained by many people,
including myself and Levy and so on.
The P2P network is actually collapsing,
slow speed, poor anonymity,
payment fees are not improving and so on.
Okay, so Bitcoin is not in good shape, basically.
Okay?
And also, Bitcoin has so far failed
to achieve the most basic goal of being a decentralized peer-to-peer currency.
This has absolutely totally failed on this subject.
Okay, if you want to know more details,
look at my blog, so much.
So basically, we need to do better than this.
We need to try to improve it.
Okay, so from the business perspective,
the question is really what happens next.
Okay, and we have a very interesting precedent in business.
Yahoo and Google story.
There was this guy who was sitting on the board of Yahoo,
and on this board meeting, somebody has said,
let's improve the search engine, okay?
You know, because we want to improve our business.
And other people on this board meeting of Yahoo have said,
get lost, now search is just 3% of our business.
We are major media company, et cetera.
We don't need to improve the search engine.
This is how Yahoo disappeared,
and the whole business was stolen by Google.
Okay?
So there was like board mediums.
So the Yahoo of cryptocoins, which is Bitcoin,
is now waiting for the Google of cryptocoins to steal Bitcoin's business.
So maybe Vitalik will steal it or nobody knows.
Okay.
And this purely on technical superiority
and without a single hostile shot.
I mean Google never advertised.
They've never done anything bad to anybody,
or at least they claim so.
They're just better.
People switched.
Okay.
So this is an interesting question.
Is it going to happen?
Okay.
Well, I think this is not guaranteed to happen.
So this is really a big question.
This does not always happen.
Okay, so maybe it's going to happen.
Ask Vitalik what he says.
Okay.
Well, I was very naive during my whole life, you know.
I always kind of considered that better security does automatically happen in the future
with more cryptography, and I thought that cryptography has to solve any problems, you know, and things like that.
And typically it doesn't.
Okay.
So will better security prevail?
It's not obvious, and it's even less obvious in financial systems.
Okay?
Because the right amount of insecurity, well, allows to share some sense of
insurance. Like recently I spoke to a guy who told me that actually, you know, major
companies in the UK are buying a lot of data from criminals about credit cards only because
they will be able to blacklist them very quickly and this is what their business is about.
And it was hypothesized that actually they are the major source of revenue for criminals.
Okay, it's quite interesting.
And so you have this problem of, you know, profiting from crime, which is many companies actually
do. It also is good for us. I mean, it trains our survival and cybersecurity skills.
Okay? It creates lots of interesting jobs for our students. Okay. And possibly avoid criminals
to engage in more violent crime. Maybe it's not so bad to have all this insecurity
at all. Okay? So I'm not saying that better security always prevails. It's not always.
So another question is, does better money prevail in general?
Okay, so again, crypto engineers like me sometimes naively hope that
better currencies will drive not so good currencies out of business.
Okay, but there's a famous Gresham's law, actually first
stated by Copernicus in 1517,
which says exactly otherwise: bad money is driving good money out of business.
Okay, and this is more or less what Bitcoin is.
The bad option.
Okay, so Bitcoin has gained excessive popularity, not
because it felt technically very good, it never was, or had solid intrinsic value, or it was
fast and convenient, it never was.
It has thrived because it has created huge expectations which, temporarily,
Bitcoin competitors could not meet.
Maybe for now
Bitcoin will remain the obvious choice and some sort of natural monopoly.
So this is related to the question of network effects.
So Antonopoulos, who is a former UCL student,
points out that when you have this sort of technology
which is kind of just good enough
and it achieves this network scale,
then good enough is something that becomes perfect.
It's just good enough.
Okay?
So he says, I don't see any altcoin displacing it.
Bad news for Vitalik.
If Bitcoin crashes again,
according to Antonopoulos it will be rather because we blow it by accident, and this is very
likely, okay. I mean, you know, my Bitcoin client just crashes like three times per day at
this moment, okay, and some bitcoins have disappeared two days ago and nobody can explain why.
So, you know, I have published this paper about programmed self-destruction of cryptocurrencies,
and Cryptome have renamed my paper
Bitcoin suicide dot PDF.
It's not my idea.
Actually, my paper showed that quite possibly
Bitcoin is exempt from this destruction process,
natural monopoly.
Okay?
And whatever is bad with Bitcoin is even worse with most altcoins.
Okay, so it's not at all an obvious conclusion.
Okay.
So we have published a few papers on Bitcoin.
We have a blog, blog.bettercrypto.com.
I have also worked on the question of speed.
So here is a citation, which I have given in an interview for the Financial Times.
It's not true that Bitcoin is the Internet of Money.
Bitcoin is the horse carriage of money, because it's so badly slow, you know.
Okay, so this is one of the issues.
But today is really about security.
Okay, let's skip this one.
But the funny thing about Bitcoin is there is an interesting relationship
between Bitcoin security and speed.
I have spent my whole life in cybersecurity,
and security and speed
are always opposites in cybersecurity.
And here it's not like this.
It's very, very strange and interesting.
So I've learned that security implies speed in Bitcoin.
Why?
Because, you know,
the only reason why people are not accepting Bitcoin transactions
instantly is out of fear of various attacks,
which have not been so frequent.
Okay, you improve the security, you could instantly have high frequency trading on Bitcoin,
on current Bitcoin, with like maybe microsecond transactions, maybe even faster.
Okay, you could have that on current Bitcoin.
Okay, so it's a peculiar sort of situation, which I'm not used to.
Okay, so well, probably everybody knows about everything about Bitcoin, so I will skip the introduction.
I will just make a few remarks.
So you have, in Bitcoin, you have these things which are called wallets.
And it's either a file or a program, which is also called the wallet.
So I skip the explanations.
Bitcoin is a public key cryptography-based currency.
You have the blockchain.
I think everybody knows how blockchain works.
Okay, you have Bitcoin addresses,
validated in like 10 minutes or more, so it's slow.
Okay, and basically this process of transferring Bitcoins
is a process which is based on digital signatures.
You have transactions with several inputs, several outputs,
and each of the inputs for the transaction has to be digitally signed.
Okay?
So everything is underpinned by this digital signature scheme.
If it's broken, all your bitcoins will be stolen.
Okay, so I skip some slides here.
I want to talk about other things.
Okay, so if you look at these signature scripts, okay,
well, they are composed of an ECDSA signature.
Okay, so there is R and S.
And then you have the public key,
which is typically revealed at this moment.
Okay, and the interesting part here is this R,
which is the random.
But actually it's not the random that you actually generate as a random.
Okay, you normally generate a random, then you apply an elliptic curve
operation and this is the second random which you obtain,
and this one is the one which is going to be published.
And this has very important consequences because it's not obvious,
if your random generator is bad, that you will actually see it so easily
on the blockchain, because this operation is applied
after the random number generation.
And this is one of the crucial problems in our recent research.
So there are obviously thefts.
There are thefts due to bad randoms.
So this question was first publicized by one of the Bitcoin developers,
Nils Schneider, in January of 2013,
because this random was repeated more than 50 times in the Bitcoin blockchain.
Okay.
And interestingly, it was used twice by the same user.
Okay, and actually he was able to see
that if the same random is used by the same
user it's very easy to break.
Actually Nils already publishes the formula
how to compute the private key
and you can steal the bitcoins instead.
Okay, so this has been
already done and it's not very complicated.
It's much more complicated
if the same random is used
by two different users.
Okay, so
So these sorts of events have been happening for years, and for some time they had stopped.
Like in August 2013, there was like the last event of this sort.
The Android bug was fixed, and everybody in Bitcoin thought that we are secure against these sorts of things.
Okay?
And actually, if you look at simple signatures, like without multi-signature, there were no other
events in the Bitcoin blockchain since that time.
Okay? But now something interesting happened.
So by the way, the effects, for example, it was reported
that somebody has stolen 55 bitcoins using this method.
And the funny thing, it's still there.
So the guy is kind of afraid of how to spend it, you know, he's afraid of
touching this money. It's still sitting on the blockchain, even today.
Okay, so it's because it became so famous, the guy is really afraid
of going there and spending this one.
Okay, so it's still there.
But now recently there was a second major outbreak in May 2014.
Lots of, lots of events, huge numbers.
Okay, and they are still happening like last month, you know.
These things are still happening.
Okay, so it has not stopped.
And there are a lot more events in 2014
than in 2013.
Okay.
So here is an example of a recent bad random from September, last month.
Okay?
It appears eight times in block number 322,925.
Okay.
However, it's used by different users.
Okay?
So it's not obvious how you steal bitcoins.
It's possible to see that each of these users can steal the other users' bitcoins, that's correct, but it's not that like everybody can steal bitcoins.
Potentially it's the same person.
If it's the same person, there's no risk.
I mean, you can just steal your own bitcoins.
Okay, if it's the same app, you know, then there is no risk.
Yes.
Yeah, so isn't it smart to try to discover which app it is, and then you know which it is,
so you just use all the apps, generate transactions out of...
Yeah, so if you have the source code of this app, and if you can reproduce the randomness,
then it's much worse.
Then you can steal all the bitcoins.
Absolutely.
Agree.
Okay.
But it's not something that it's necessarily easy to do.
Okay?
Yes.
Okay.
So at this moment, it's not always so dangerous.
Okay.
So what is the question?
Okay.
So here comes our recent research.
So in all the random attacks published so far,
we had the situation that only very few users were concerned, basically like one person can steal the other people, the other person's bitcoins, and that's it.
Okay, so only like 100 accounts in history of Bitcoin, a few hundred accounts are concerned by these problems.
And many of these accounts have zero bitcoins at this moment, okay? Money have already moved elsewhere.
Okay, so you might think it's a law overestown.
attack. Okay, so now I will explain why this is actually a very, very important attack.
This is the new discovery, and it's really, really scary.
And it's going to be published in a few days.
So actually, in our research, we showed that under certain conditions,
all bitcoins in cold storage can be stolen.
And so actually, millions of accounts are potentially affected by this vulnerability.
Okay?
It's like a combination of two different vulnerabilities.
So here's the new paper.
It should be available within like one week.
I have just submitted to e-print server yesterday.
Okay.
So is there a fix, by the way?
So there is one.
It's widely known.
Okay, so RFC 6979 by Thomas Pornin.
Okay.
So if you have applied this, as many people, some people, have done ages ago, it's no problem.
Okay, however, if you have not applied this, we claim that no existing cold storage solution
which has not applied this patch can claim to resist our attacks.
We claim that inherently there is no way to know that all bitcoins can be stolen by this attack,
probably before it's too late,
because the attack has this offline stage
which is inherently difficult but not
infeasible, and somebody with a large computing power
will just do it ahead of you,
and they will detect a suitable event
and steal all your bitcoins from the whole security domain.
So it could be like with one single attack
you will steal bitcoins from millions of accounts potentially.
Okay, so which systems are affected?
Well, you know, I don't have a
very good picture about this. You need to talk to different developers. So for example, this
RFC is already applied by Electrum, MultiBit and Trezor and a few others. But there are some people
who are, you know, very, very strangely unpatched. Like Blockchain.info is insecure at this
moment, and they rely on, you know, OpenSSL. I mean, can you trust OpenSSL? It's ridiculous.
Bitcoin core, apparently a patch was submitted like January 2014,
and it's kind of still there waiting to be applied.
It's very strange.
I don't really understand exactly what happens.
So it's going over there.
Okay.
So if you want to know details about these software questions,
I'm not really an expert, you know,
but there is our Italian friend, actually, and co-author,
who has made a presentation about this in Malaysia two days ago,
and so he knows a bit more than me on this topic,
okay, because he has spent more time inspecting the source code.
So, and so this is everything that I know about
the applicability of these attacks.
Yes, questions?
Can you explain briefly how the attack works?
I think it's not a topic for today.
It's a combination attack which uses
hierarchical deterministic wallets and BIP 32
and bad random events in combination
to break all accounts in a given security domain
or even all accounts in several security domains simultaneously.
And is it also an attack on bad randomness or something?
Yes. Yes, absolutely.
It requires bad randomness.
How can you attack all randomness at once?
Isn't that just...
Because, you know, again, it's not really a topic for today,
but because these key management systems,
which are very widely used in the community,
are excessively fragile.
I mean, they are such that a small security incident
in a remote corner of your system compromises the whole.
It's really, really bad.
Okay, so the fault also
lies in these key management standards
specified by Pieter Wuille and Greg Maxwell,
who are the kind of, you know, inventors of these things.
And these things are really, really fragile.
They are kind of secure, except that they are very fragile.
It's like a minefield.
You just move one centimeter to the right
or to the left and you explode. It's super dangerous.
And this RFC thing is a fix that fixes the
bad random generation, the potential
random instances? Well, it's basically a deterministic way to get random numbers.
So therefore, you know, it's a very good fix against kind of all
bad random attacks. Yes.
So if I understand correctly, if Blockchain.info patches it, everybody needs to send their bitcoins to a new address
afterwards. Well, they should do it for you, basically. Yes, they should force you
to do it, otherwise most people will never do it.
Okay, this is what people with Android apps have done.
They've just forced every user to change, they automatically transferred bitcoins, you know.
If I take a coin and I flip it 100 times,
would that be a good random or can that be broken too?
Yes, it should be a good random if you take a physical coin.
Yes.
Okay.
But deterministic randomness is even better than real randomness.
Okay, because, you know, real randomness could be hacked.
Okay?
So, for example, it's widely known that the NSA has infected a lot of, you know,
firmware for hard drives.
So, for example, if you have your Bitcoin app, which is using OpenSSL,
what the hard drive does on behalf of the NSA is to replace
on the fly the OpenSSL which you load
by another specially crafted one
which has a better NSA-compatible
random number generator.
Okay? It's one of the ways to breach it.
Okay.
So, like, if it's a Bitcoin smart card,
you will basically as an attacker
hack the random number generator physically
and disable it.
Okay, and then you can break,
you can extract all the keys from the smart card.
And so, okay, so really the deterministic method specified by Thomas Pornin in this standard
is really better than any, even like a real random method.
Okay.
So that's it for today.
So really, it's a survey of different questions relating ECDSA in Bitcoin.
Do we have additional questions?
I am here to answer.
I think the conference is over, so we have time.
Maybe I don't know.
Yes, yes, please.
It's far, far as a second.
Perhaps the question on everyone's mind is,
where do we need to put our bitcoins in order to be secure?
Like Trezor, MultiBit?
Well, I cannot answer this question.
Nobody has paid me to advertise a specific source.
Yes.
You did this bet thing where you can bet bitcoins,
and if you break it, you get a bit.
You can bet yes or no.
Sorry, sorry, what?
The bet you did.
The bet, yes, yes.
Will Bitcoin be broken by 2015?
Yes, by September, in 2014.
But what is the incentive to vote yes?
Because if it's broken, the bitcoins you win are worthless.
It's a game, and you know.
Maybe you think it's not broken, but you will vote it when you're broken.
For example, there was a bet on Scottish referendum.
And, you know, my reasoning was, you know, if Scotland becomes independent, it will have a lot of bad effects on my life.
Okay, so I have bought, I have made a bet on yes, it will become independent, okay, because then I would get some compensation.
So I have been against my idea, okay, that, you know, I thought it will not happen, but I, yes, but yet I have bet that it will become independent because,
because then I would get some compensation from the bet,
knowing that it will have a lot of bad consequences for me
if Scotland becomes independent.
In this case, your compensation will be zero.
Yeah, whatever.
But, you know, it's not obvious that when you bet on such a system
that you really bet according to what you think.
It's not true.
So you vote it.
Okay?
But it's a game, it's a game which is meant to raise awareness
about cryptography in the community,
which is pretty low, to be honest.
Okay, yes.
What do you think about quantum computers?
I mean, in theory, they could break.
Yeah, they could break all this stuff, yeah.
Do you think that even, I mean, if this would happen, I mean, if they could break...
Yes, so actually there are already post-quantum solutions to fix Bitcoin,
and actually Vitalik, sitting behind you, actually has proposed one in 2013.
Okay, so it's possible to build Bitcoin without any public key cryptography whatsoever,
based only on hash functions.
And hash functions are already naturally post-quantum things
which are secure against kind of normal quantum computers,
like Shor's algorithm.
So there are still quantum shortcuts for hash functions,
but they are not like going from exponential to polynomial.
They are like going from one exponential to another exponential.
Okay?
So you could have a secure Bitcoin even if everybody has a quantum computer on Earth.
Okay.
Okay. Any other questions?
Yeah, I have a lot of comments, so I won't go about it.
This is a very fun talk because you speak a lot of different topic and they are all interesting.
But there are a lot of stuff I disagree with that you said.
For example, you said that Bitcoin is quite slow because it needs a 10 minute confirmation time.
In crisis, you need it.
There are a lot of ways that I want to easily see if a total
would be a little bit of a response or not.
So it's not an issue in practice in New York.
Well, you know, it's not for us to decide.
It's a crowding out problem.
Bitcoin has so many problems and each of these problems
makes space for Bitcoin competitors, you see, so the question of the Google of Bitcoin,
is it coming or not?
This one, specifically for me, it's not a problem.
I saw a lot of people use Bitcoin.
Are for Canada who have a complete this prison?
reason, you know, because people, it makes research for people, people has to be, they
will not be act.
I think Occam would rather say, either people do not know the issue with Bitcoin security
or simply there has no big security issue.
When you said that the other cryptography algorithm was better, the argument today is that
it's used and validated by a lot of software, but this is not an argument because you have a lot of
security algorithms.
That's a good point.
But the thing is that
like somebody has said,
actually Antonopoulos has said this,
you know,
if Bitcoin elliptic curves
is broken like everybody's in trouble.
And he has cheated you,
and it's not true.
Because, you know,
and so the NIST elliptic curve
is such that if it gets broken,
everybody's in trouble
and not only Bitcoin.
But currently the situation
is that if Bitcoin
elliptic curves is broken,
you know,
cryptographers
will laugh at you and will tell you,
you know, you have been an idiot
because, you know,
everybody knew in cryptography
that this elliptic curve is dodgy.
And I think you will not meet a
single professional cryptographer
on planet Earth who will recommend this
curve to you. Not a single one.
But I think that, on Bitcoin,
you have the biggest incentive of
all the cryptography algorithms.
I mean, the pot of gold is
right there and it's huge. I mean,
but where is the honest option?
I don't want to still put that.
I don't know to revogism.
I'm sure you are.
I'm not sure you are.
This is a little bit of a lot.
Yes.
Next question.
I don't know if it's true,
but a while back I heard that there were vulnerabilities
in the R version of the...
Well, the R version is still not okay
according to some experts.
Bernstein still does not put it on the list of safe curves.
But again, it's much better than anything else,
because this is like if it's broken,
and everybody's in trouble.
Okay, so this is,
so this is really like,
at least for best practices,
it's what, you know,
so it's certainly much, much better
than the Bitcoin elliptic curve.
It's not ideal, of course,
and you could have a better elliptic curve.
Some people have already done it, like Stellar;
they have a different elliptic curve,
they have changed in July,
they have abandoned the Bitcoin
elliptic curve, and many other people are following suit.
So, you know, it's happening.
Yes.
Is that done on the basis that there
might be something wrong with the K version?
Or is it just to be in a space that...
It's basically dodgy cryptography.
Like, if you talk to cryptographers,
the standard kind of approach is to never ever use something like this.
Because, you know, unless you have to.
So no cryptographer would recommend it, because it's a special curve.
And we have learned for ages in cryptography
that special typically means broken, like at least 50% of the
time.
And this one, you know, it's actually already broken in the theoretical sense.
There is already an attack faster than, like, the normal one on the curve, but it's just
slightly faster.
And currently, no expert believes that it could be really much, much faster.
I do believe that it's really much, much faster, but I'm a minority.
Okay.
So, but kind of, you know, state of the art in cryptography would be to never, ever use
something like this because it's fundamentally dodgy.
Now, people use this sort of curves when they need something like pairings, you know,
so in the fancy cryptography side, like you want to very short signatures, you know,
you want to have really advanced cryptography, then people do use such curves.
But for normal cryptography you should not take chances.
Okay, because it's like, actually, public key cryptography is a very interesting technology.
It's a disruptive technology.
British secret service were the first to actually invent it.
They have not published.
So Americans,
Rivest, Shamir and Merkle,
et cetera, they have published it.
And public key cryptography is
inherently fragile. So I have spent
many, many years of my life
inventing new public key cryptosystems. I have 20 papers
published about this.
And most public key cryptosystems
ever invented were always broken.
I'm going to say it's also broken in some sense.
It's not exponential security, and so on.
Okay?
So basically, public key cryptography is very fragile.
Okay?
And my personal view is that every public key cryptosystem will be broken, always, after a number of years, 10, 50 years maybe.
Okay.
I mean, in the sense that it would be much faster than everybody would think.
Okay, so, you know, like you can build a block cipher, hash function, whatever, an idiot...
Anybody can build a block cipher or hash function which will be secure enough.
Okay, a monkey could do it.
Public key cryptography is a different set of technology.
It's a place where experts fail
with probability of 50 or 60 percent,
the best experts on our planet;
amateurs fail with probability close to one.
Okay, so it's really like a rare animal.
It's a rare animal, the public key cryptosystems which are secure.
There are extremely few of them,
and even those, are broken on a number of years, like,
Even at this, it occurs with like, you know, $700,000 prices.
Half of them are already hypothetically broken in field.
Okay, so, you know, public key cryptography is just collapsing every year.
And it's like, if you knew the history of cryptography, you have to learn from history, you will understand how it works.
It's inherently, you have this kind of, you know, minefield thing, which is,
that you know, you do a small mistake and you explode.
Like it took, it really took us really years to understand how to use RSA properly.
Most variants, most industrial variants of public key cryptography have been broken, like most, I mean, at least 90%.
Okay.
So at least 90% of industrial public key cryptography systems which were proposed were broken in the coming years, in some sense, more or less strong.
Okay, so public key cryptography is inherently difficult to do.
And this is going to always be said.
So I hope you enjoyed this talk by Nicola Courtois.
I thought it was very interesting and also refreshing to hear somebody come forth
and point out some of the potential flaws in the technology.
Now, if you want to support the show, there are multiple ways you can do that.
You can start by leaving us a review on iTunes.
And you can also leave us a tip at epicenterbitcoin.com slash tips.
And we want to thank all of those who have been supporting the show through their donations.
If you want to stay up to date, you can follow us on Twitter at Epicenter BTC.
You can also find us on Facebook and Google Plus.
And for those of you who are not up to date, you should know that we're now doing live Google Hangouts,
in which you can interact with guests and ask your questions on Twitter and in a Q&A module.
And we usually announce those hangouts just a few days before they happen on all or different social media platforms.
In fact, as I record this, we're getting ready to do a live interview with David Johnston, who is an investor, technologist, he's managing director of the DApps Fund, a board member of the MSC Protocol Foundation, as well as the co-founder of the BitAngels Network.
And so that interview will come out on Monday, November 3rd, so be sure to look out for that on iTunes, SoundCloud, YouTube, and everywhere you are used to finding us.
So thanks again for listening, and we look forward to being back on Monday.
