Here’s who probably did that $150 million Bitcoin transaction (washingtonpost.com)
167 points by rkudeshi on Nov 23, 2013 | 111 comments



I wonder if it ever becomes viable to try to brute-force the private key of such a valuable address, rather than devoting the brute force power to mining.

Edit: got curious and found an answer: http://bitcoin.stackexchange.com/questions/2847/how-long-wou...

If I understand correctly, it's still not viable even if you tried your brute-forced keys on all addresses in the network.


That's the entire point of asymmetric crypto, the amount of effort you would need to brute force 2^160 keys is staggering. Even if you made billions of ASIC processors and ran them until the end of time, you probably wouldn't find the funds you were looking for.

This is constantly suggested, and it's always useless. If you could attack keys like this the system would be broken.


It's important to note that asymmetric crypto behaves somewhat differently. RSA is a particularly notable example of this: a 160-bit RSA key is almost trivial to break, 512-bit keys are possible, and there are good reasons to think that large organizations with lots of cash and motivation are able to break individual 1024-bit keys when they want to.

The ECDSA keys used in Bitcoin are much stronger than RSA keys at the same size, and they seem quite safe, but don't make the mistake of looking at the time needed to brute force e.g. a 128-bit AES key and assume that applies to asymmetric algorithms too.


No. What the GP is quoting is "security bits", a measure explicitly designed to mitigate that difference. Bitcoin addresses have 160 bits of security, 128 bits if the public key is known. This is directly comparable to symmetric key sizes.


Thanks for clarifying that. The mismatch between the key size quoted and what's used in Bitcoin should have tipped me off.


It's completely infeasible (without quantum computers anyway).

However, in cases where the private key is generated from a hash of a passphrase, like brainwallets, then it is far more feasible. There are people running bruteforcers constantly looking for private keys corresponding to brainwallet passphrases; that's their form of "mining".

To test it, if you make a brainwallet with a password of "password" and then send 0.01 BTC into your account, you'll see it vanish in a few minutes (or a few seconds).


You are right and here's why:

Brainwallet inputs -> public keys are deterministic. It's true that the method of creating the key pair is as much of a password as the password, it's easy to select the most common methods (sha-256 hashes, bitaddress.org's method, etc.)

I cracked thousands of passwords for the https://keybase.io/warp competition (I lost by a few minutes... the answer to the top one is Je).

Once you have those public, private key pairs you can simply make an index of them and watch the blockchain for any of them to show up.


I've also noticed quite a few people who've posted threads on bitcointalk after having fallen victim to one of these brainwallet crackers. It really boggles the mind why someone would entrust significant amounts of money to an incredibly weak passphrase.


[deleted]


> What about looking for keys generated using the broken Debian RNG?

You'd need a time machine, and if you had one I can think of better uses.

Actually even a time machine wouldn't help since bitcoin showed up long after the RNG was fixed.


I don't think so. Brainwallets are generated as a hash. So if the input is secure, the output is secure. It's not possible to generate the input from the output. And frankly the connection between password -> private key and private key -> public key is very similar in brainwallets. To crack a brainwallet, given only the public key and sufficient bits in the password, is actually harder than directly attacking the private key.

Plus you have to balance "my own fuckup" risk against "someone attacked me" risk, right. Wallets depend on your backup habits, and your backup provider's security. Going through the fora, I'd say "oops. I lost my wallet.dat" is a much more serious threat to your bitcoins, on average, than someone got a hold of your password. Both of those, for most people (including me) are ... lacking. Brainwallets depend on my memory for passwords. A hardware brainwallet would guarantee you're 100% not exposed.

As for ECDSA attacks. It's true that the algorithm itself is near-unhackable. However, make one single transaction on a computer which chooses a non-random k value, and you're exposed. So the risks don't end just because


> To crack a brainwallet, given only the public key and sufficient bits in the password, is actually harder than directly attacking the private key.

It's incredible to see such misinformation on HN. I suggest you read this: https://dl.dropboxusercontent.com/u/315/articles/A%20Large-S...

This is a 2007 study on web password habits. In it, they reveal the fact that fewer than 1% of passwords have bitstrength >= 90 bits: http://i.imgur.com/8vSrx2E.png

Achieving 128 bits of protection with a user selectable and memorable password is statistically unlikely (to put it mildly).

The fact that a brainwallet password is memorable means a computer can bruteforce it in far fewer operations, too. I.e. the bitstrength is mostly meaningless. Just ask the guy who runs http://www.cloudcracker.com

A memorable user-selectable password is incredibly unlikely to be as strong as 128 random bits.


Brainwallets shouldn't be casually recommended without appropriate warnings, but they certainly can be secure.

Passphrases aren't limited by length, and your brainwallet can be derived from your memory and publicly available information, so you can construct very strong memorable passphrases, e.g. the 3rd sentence of the 8th chapter of your favorite book concatenated with a moderately strong but memorable password.

Key stretching with PBKDF or scrypt helps a lot as well. Do you care if it takes 1 minute to compute your keys from the passphrase? Probably not, and it will make cracking much more difficult.


Even extending to a 1-second computation would make it completely infeasible to crack. 1 minute would be way overkill.


Well, whether it's overkill depends on how weak your passphrase is.


You missed my point. You can't attack the cryptographic function or the keyspace, but you can attack the original passphrase that is hashed, via typical hash cracking methods (rainbow tables, bruteforcing, dictionary attacks, etc.). All you need to know is the hash function; most brainwallets use a single round of SHA256.
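An added example, not part of the thread or any commenter's code: it contrasts the unsalted single-round SHA-256 derivation mentioned above with the key stretching suggested earlier in this sub-thread, and estimates how long a passphrase of a given entropy withstands guessing at the measured per-guess cost. The salt, the PBKDF2 iteration count and the worker count are assumptions chosen for illustration.

```python
import hashlib
import time

SECONDS_PER_YEAR = 365 * 24 * 3600

# Constructed sample inputs (not taken from the thread).
SAMPLE_SALT = b"alice@example.com"  # assumption: a per-user salt, e.g. an e-mail address
PBKDF2_ITERATIONS = 200_000         # assumption: raise until one derivation costs what you accept


def single_sha256_key(passphrase: str) -> bytes:
    """Unsalted, single-round SHA-256 of the passphrase, used as the 32-byte key.

    No salt means the same passphrase always yields the same key for every
    user, so one precomputed table of guesses covers all wallets at once.
    """
    return hashlib.sha256(passphrase.encode("utf-8")).digest()


def stretched_key(passphrase: str, salt: bytes = SAMPLE_SALT,
                  iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: each guess costs `iterations` HMAC rounds,
    and the salt forces the guessing work to be redone per user."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def seconds_per_guess(derive, repeats: int) -> float:
    """Average wall-clock cost of one derivation on this machine."""
    start = time.perf_counter()
    for i in range(repeats):
        derive(f"candidate-{i}")
    return (time.perf_counter() - start) / repeats


def years_to_exhaust(entropy_bits: int, secs_per_guess: float, workers: int = 1) -> float:
    """Expected years until a passphrase with `entropy_bits` of real entropy
    is guessed: on average half the space is searched, split across `workers`."""
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses * secs_per_guess / workers / SECONDS_PER_YEAR


def compare(entropy_bits_list, workers: int = 1_000_000):
    """Return (fast_cost, slow_cost, rows); each row is
    (bits, years with single SHA-256, years with PBKDF2)."""
    fast = seconds_per_guess(single_sha256_key, repeats=20_000)
    slow = seconds_per_guess(stretched_key, repeats=3)
    rows = [(bits,
             years_to_exhaust(bits, fast, workers),
             years_to_exhaust(bits, slow, workers))
            for bits in entropy_bits_list]
    return fast, slow, rows


if __name__ == "__main__":
    # Costs are measured in Python on a CPU; dedicated hardware computes
    # SHA-256 far faster, so the absolute figures favour the defender.
    # The ratio between the two columns is the point of the comparison.
    fast, slow, rows = compare([30, 40, 60, 90, 128])
    print(f"single SHA-256: {fast:.2e} s/guess   PBKDF2: {slow:.2e} s/guess "
          f"(x{slow / fast:,.0f})")
    print(f"{'bits':>5} {'years, SHA-256':>18} {'years, PBKDF2':>18}")
    for bits, y_fast, y_slow in rows:
        print(f"{bits:>5} {y_fast:>18.3e} {y_slow:>18.3e}")
```

Stretching multiplies the cost of every guess by a constant factor, so it adds only a few tens of bits of margin; it does not turn a low-entropy passphrase into a strong key.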


So much easier to crack the box holding the key.


Probably a well-crafted phone call would be as useful...

"I am the administrator of MtGox, I need you to send us a copy of your private key..."


I seriously doubt it would work for the key(s) related to that $150,000,000 transfer.


Which is why the key hopefully isn't stored on any system that is remotely accessible.


I'm not sure people are aware/scared enough of possible physical access. People have been kidnapped / banks robbed / etc for far less than $150MM.


Given it got broken up into 4000BTC chunks after the box TX, we can assume they are on paper wallets, probably distributed up using secret sharing. That's standard in the Bitcoin world.


That's the cool thing about Bitcoin. You can create a wallet on a completely offline computer or even a virtual computer, save the address and the private key, and send the money to it.

You only need the internet connection to do something with the coins.


hacking people on #bitcoin, #bitcoin-otc, etc. on freenode might or might not be a good start


It might become the lottery of the 21st century. ;)


Or perhaps the tulip.


+10 for the tulip reference.

For those who don't recognize the reference: http://en.wikipedia.org/wiki/Tulip_mania


Here's the cited paper from UCSD on bitcoin address analysis:

http://cseweb.ucsd.edu/~smeiklejohn/files/imc13.pdf


This is why I can't take Bitcoin seriously. The privacy implications are insane.


This is why I take bitcoin seriously, the privacy implications are BRILLIANT :P

In all seriousness, this is going to come across as a conspiracy theory, but why else would major government organisations be thinking that bitcoin is actually a good thing? Surveillance by design neatly negates all the current NSA privacy issues! It is also a figurative goldmine for economics researchers, who get to study every transaction in an economy for once, with full information on how the funds are following.

There's quite a few of us who have been concerned for a while about the issue of who controls the bitchain, as the only real thing stopping a single entity from doing this is cost. Yet the advantages are so very high. There's also the very real possibility that you don't actually need 51% of miners to do this for specific purposes, either. Just look at some of the TOR monitoring research.

EDIT: I should also add that we need to be talking about these issues, rather than dismissing them. If the cryptocurrency movement is to survive, then these are the challenges ahead.

And one has to ask, if this is not the sole means of accepted currency, are these issues actually a concern? What would count as appropriate mitigation? Can multiple forms of cryptocurrency co-exist and serve different purposes?


> It is also a figurative goldmine for economics researchers, who get to study every transaction in an economy for once, with full information on how the funds are following.

If you're interested in that then you should look at the economy for Eve Online. It's definitely the closest thing ever created to a real economy with astounding amounts of information available to study. I'll provide some links that talk about Eve's market from economic standpoints, but these really only scratch the surface of what type of analysis is possible.

[NOTE: I am not an author of any of these posts, and I claim no ownership over them]

http://justinandrewjohnson.com/gaming/eve-online-best-game-e...

http://justinandrewjohnson.com/gaming/The-EVE-Online-Monopol...


See also the economist at Valve, who had an article about the Team Fortress 2 online economy: http://blogs.valvesoftware.com/economics/arbitrage-and-equil...


Your comment paints an amusing picture in my head, of a future in which greenbacks are the underdog preferred currency for underground dealing and political refugees, rather than the Big Brother Bitcoin...


> but why else would major government organisations be thinking that bitcoin is actually a good thing?

Because they realized it would be impossible to fight it and, more importantly, because they probably invested in it themselves. Bitcoin being non-anonymous is a problem that can be solved and is being currently solved.


And this is why I can take Bitcoin seriously. Can you imagine if it were really completely anonymous, and someone could be spending a hundred million dollars on, say, a nuclear bomb, without any record, association, or so much as someone leaving the house and delivering a suitcase full of cash? Imagine if Russia became a failed state or bribeable - you really want to be able to pay off a hundred million dollars to some general there with no more record - to us, to the rest of Russia, or to anyone else, including at any future point that the general would spend any of that money, than if you typed md5 'haha now i'm nuclear' at a bash shell on some disconnected PC? I think this aspect of btc is great. To see what you're talking about, go ahead and type echo -n Haha I\'m nuclear! | md5sum at the prompt and see if you think that a financial transaction of any amount should be as totally untraceable as the cryptographic operation you just performed locally. Really, come on.

Also we already had a case of ransomware. How about ransomware that attacks a nuclear facility, flight control tower, hydroelectric plant or whatever else, and threatens to immediately cause damage if a ransom isn't paid. You really want that to be totally 100% off of any ledger anywhere - and not even include a delivery of a briefcase full of cash? Nor any way to follow any of that money at any point whatsoever?

I think btc pseudonymity is a fine compromise.


Your examples are more implausible than they are logical.


Here are some simple examples from this site,

https://news.ycombinator.com/item?id=4404362 - "Hackers Steal, Encrypt Health Records and Hold Data for Ransom".

and recently https://news.ycombinator.com/item?id=6567735 - "You’re infected—if you want to see your data again, pay us $300 in Bitcoins"

A top comment on that article said: It actually made my skin crawl reading about it. Never had that reaction to such a story before. Interesting...

You might think this might have been a speculative work of fiction. It wasn't - this is a story that happened.

As for your run of the mill kidnappings for ransom, blackmail, extortion and other things normal people turn to the FBI with, (that you would too, if you got certain very specific threatening letters for example), I think if you come back after 5 minutes of googling the subject you would not consider the general situation to be speculative. We are talking about sources of blackmail, kidnapping and ransom becoming literally completely untraceable, without even a network effect of where the money is going afterward (what pseudonymous addresses).

As for the infrastructural, nuclear and so forth examples, you will observe that placing or turning moles and spies already occurs historically, which shows that the process is possible. You are talking about lowering the barrier to entry and risk profile.

Literally anyone who is in a position to do something, and understands that they could instantly anonymously receive the digital equivalent of a briefcase full of cash, without it ever showing up anywhere, without needing to hide it as they spend it (except regarding the effect it would have on their visible lifestyle -- hell, they could anonymously transfer it to some fake lottery that pretends they just won it...nothing would ever connect the two, the lottery could be a complete front and seem 100% legitimate. Or even actually be 99% legitimate, with a single person adding another payout while collecting funds for it from the person being paid and making sure the lottery's ledgers add up... you get the idea.)

It would be a disaster to have absolutely zero leads whatsoever in all such cases. Money has a profound effect on the world and a modicum of possible pseudonymous oversight over its movements is quite a bit more than minimally responsible.

Ask yourself, for the data ransoming story I linked: would you prefer for the btc address to be totally and completely a black box, or the present state of affairs?

Really, the current implementation is an absolute minimum for 'keeping people honest'. It has a very high level of barrier to de-anonymizing users (as far as I understand it), yet given sufficient resources certain leads can at least be put together.


Data ransom shouldn't ever happen to valuable data. Preventing single points of failure is much more important than chasing around the bad actors that come along and exploit them.

Run of the mill kidnappings are parents violating custody agreements.

Infrastructure needs to be resilient in any case.

I don't mind that bitcoin has a public ledger, but you haven't convinced me it is particularly important.


Agree, shouldn't happen. Does anyway, with high risk, medium reward to perps. Lower risk, higher reward = more of it.


Why is privacy a necessary property of a "serious" currency? Just because that's the precedent doesn't mean it's the 'right way'.


Because Bitcoin's only applicable use case is to buy drugs with. What's the point if it's without privacy?


Traditional currency isn't really anonymous. Sure it is theoretically possible to do an anonymous 150 million dollar cash transaction in USD but in practical terms it's basically impossible without a great deal of money laundering. I believe by law in North America banks have to report any cash transactions >= 10k per 24 hour period to the government. Additionally every bill has a traceable serial number on it.


There is no history of every transaction in which a given serial number appears however. So in that sense it's easier to hide origins... even if the Fed knows which bank got that note originally, it's very likely that there's no trace of it after that unless it was involved in a specific tracked transaction (undercover police drug buy, etc.)


In India, if you deposit more than Rupees 50,000 ( roughly USD 850) to another person's account in cash, you need to provide your PAN card number - which is a unique number issued by the Income Tax Authority. I am sure a huge number of transactions are done illegally beyond this system but the threshold for anonymous legal transactions is pretty low.


Please stop with the privacy scaremongering. A lot of work is currently going into trustless mixing/anonymising services that will largely stop this type of tracking. (coinjoin/zerocoin)

A lot of us are investing with the expectation true anonymous transactions eventually happen, because when they do Bitcoin will become even more valuable.


People are supposed to stop stating true facts because people are doing research that everybody hopes will solve the problem?

That's... pretty stupid.

Calling it "privacy scaremongering" would be reasonable if it were simply wrong. But if it's completely correct, and the only reason you disagree is because you're pretty sure it'll eventually be solved, that's crazy.


cheez is hardly scaremongering. As it stands truly anonymous and private transactions on Bitcoin are apparently impossible. (I'm not a Bitcoin user so feel free to correct me.) I would say that you are the one who is doing whatever the opposite of scaremongering would be called (hope-mongering?).


> As it stands truly anonymous and private transactions on Bitcoin are apparently impossible.

Not true. There are many, many schemes that can be built into the protocol or on top of it to make transactions anonymous. Rather than hastily choosing one, it's probably better to wait for a really good scheme to surface.

https://bitcointalk.org/index.php?topic=241.0


If we have to wait for a scheme to surface, that does mean that as it stands truly anonymous and private transactions on Bitcoin are currently impossible, right?


Right now, you and I and our friends could sign our transactions so that nobody can tell which outputs correspond to which inputs. What's missing is that it's not widely distributed in a major client where everyone will partake by default.

Until then, it's opt-in, a hassle, with a small pool of anonymity. But "impossible" isn't the word I'd use to describe the scenario.


>There are many, many schemes that can be built into the protocol or on top of it to make transactions anonymous.

So as it stands truly anonymous transactions are impossible. The possibility to make that not true doesn't negate the fact that today bitcoin is in no way a private way of transferring money.


> anonymous and private transactions

Something doesn't have to be private to be anonymous. So if you're happy with anonymous and public it's possible, but hard.


In theory yes, but as the linked blog-post shows, Bitcoin---in its current state anyway---likely isn't truly anonymous either (ostensibly due to its transactional records being public).


If you create a new wallet.. coins sent to that wallet, a person may know where the coins came from (because of other transactions to their wallet), they don't know for certain that the new wallet is you..

In the case of the article, the reason it's suspected, not even confirmed, is simply because the number of wallets coins were coming from were identified as the same source.

It's definitely more anonymous than wire transfers, or credit card transactions. The way to avoid detection would be to keep many, relatively small wallets... and disperse money from different sources fairly evenly.


Yeah, my gauge reads "more anonymous than wire transfers or credit cards, less anonymous than cash". Hard to send cash digitally, though.


Then it's just not-private, but still anonymous (I don't need to disclose my name to get a Bitcoin address).


> A lot of work is currently going into trustless mixing/anonymising

Call it what it is, money laundering.


The term "money laundering" originally referred to the practice of concealing the movement of funds involved in a crime. Now they've redefined it so that concealing the movement of funds is itself a crime, even if the funds are entirely legitimate and no other crime is involved.


Actually, it hasn't been redefined at all - at least legally.

To quote Wikipedia:

It is defined as knowingly engaging in a financial transaction with the proceeds of a crime for the purpose of concealing or disguising the illicit origin of the property from governments.[1]

More specifically, money laundering is defined in Article 6.1.a.i and 6.1.a.ii of the United Nations Convention against Transnational Organized Crime[2]. The PDF won't let me copy & paste the text, but it uses the language "proceeds of crime" in both subsections.

Some jurisdictions may have monetary reporting laws which are broken during transferring BTCs, but it isn't money laundering (under international law anyway).

[1] http://en.wikipedia.org/wiki/Money_laundering#Criminalizing_...

[2] http://www.unodc.org/documents/treaties/UNTOC/Publications/T...


Yes, because the motivations behind money laundering are driven almost exclusively by crime. For purchases you wish to remain private, such as personally embarrassing products, there are 'anonymizing' but traceable services for you to save face with.

There are very few legitimate reasons to be concealing where your money came from or is going from the IRS, and they are well aware of the intent behind the actions.


The problem isn't the IRS, it is everybody else who wants to know. Especially in the case of bitcoin where all transactions are public record.

Come up with a way for the IRS to investigate (not just get it handed to them on a platter, but something that mathematically requires a level of effort to prevent fishing expeditions by IRS employees) while simultaneously keeping all transactions private from everyone else and then we'll have a solution.


> There are very few legitimate reasons to be concealing where your money came from or is going from the IRS, and they are well aware of the intent behind the actions

Nice circular reasoning. Because everything that the IRS would disapprove of is illegitimate? When did the IRS get ultimate moral authority?


IRS doesn't care what the money is from or for, only that Uncle Sam gets what he's owed. Income from criminal enterprises is not special: you have to pay taxes on it like everything else. The source of the income is kind of don't-ask-don't-tell.

Spending on sex toys is not special, unless the national security apparatus (or more likely your competitor in the private sector) already has a reason to try to discredit you. Which is a valid concern for activists, but not most people.

Investigations and enforcement actions by the IRS have nothing to do with the morality of your checking account statement and everything to do with tax evasion.

The largest threat to your financial privacy is private enterprise. Underwriters, prospective employers, and others with a financial stake in your "good behavior" are the most interested in judging the moral acceptability/health/prudence of your financial choices.


> Spending on sex toys is not special, unless the national security apparatus (or more likely your competitor in the private sector) already has a reason to try to discredit you. Which is a valid concern for activists, but not most people.

Amazing.

Translation: "Rights are essential for small group of people, because everyone else is not exercising them anyway. So let's just take the rights away".


From where do you derive a right to hide your finances from a government whose power to levy an income tax is explicitly codified in the Constitution?


1) Bitcoin is incredibly more transparent than banking system or tax system. If anything, it is not convenient for tax evaders. HSBC, however, managed to launder 200bln of drug money.

2) I'm a person. I have to pay taxes. Top500 corps - not so much, in practice. What do you say about that?

3) Where the fuck did you get that I'm a tax evader? I was addressing your point about people's rights and your evaluation of their need of having those rights.


> There are very few legitimate reasons to be concealing where your money came from or is going from the IRS

That's irrelevant. I don't need a reason for concealing where my money comes from.

Oh sure, the IRS may disagree, but I have a really hard time giving a shit about what the IRS thinks.


Well, you may ignore IRS but it doesn't mean that IRS will ignore you; and it is perfectly able to take your stuff and liberty even if you don't give a shit about what they think.


Point taken, but in spite of their aspirations, they are neither omniscient nor omnipotent. Thank goodness.


I make sure Uncle Soprano gets his cut.


It may be, depending on your definition, but the term "money laundering" has a distinctly criminal connotation. Bitcoin mixing is more analogous to paying for something with cash withdrawn from a bank account rather than making a bank transfer directly.


Money laundering is the process of concealing sources of money. If the IRS found out Western Union was trying to cover its tracks of who sent/received money they would be investigated immediately. Laundering implies you have something to hide, most likely tax dollars or ill-received profits.


Money laundering is the process of concealing illegal sources of money.


It isn't.


A mixer's sole purpose in life is collect a fee for concealing sources of money. It's textbook money laundering.


Except with Bitcoin, there are valid reasons to conceal the source and destination of money from the public besides criminal activity. The money being "laundered" isn't necessarily "dirty" to begin with.

The same logic applies to encryption. People have a right to privacy.


There can be (and are) regulations that may (in particular circumstances) make illegal to conceal the source and destination of money transfers even if the money is clean.

People don't have an absolute right of privacy - the laws can and do restrict that.


It doesn't matter what the reasons are, or whether you have a right to it, if you're trying to conceal where money came from, it's money laundering.


Only if that money is the proceeds of a crime and you're attempting to conceal the source of the illegal funds.

The flippant and universalizing way several of the commenters here are referring to money laundering as "concealing where the money came from" casts far too wide a net.

The definition you're using here would include concealing where $500 came from that was donated by anonymous friends to give to another friend in need. Suddenly, by your metric, if any of the friends suspected of donating the cash to help someone don't fess up to the source of the cash, they're laundering money.

Yeah, that's ridiculous. But it fits your description. Money laundering requires the currency be earnings from criminal activity.


If you're running a coin mixing service that makes the coins anonymous to others then as soon as a single transaction is true money laundering (from criminal activity), then you're liable for that. If a single Fed sting operation on silkroad buys drugs for some bitcoin that afterwards gets to your service - you're going down.

Pretty much the only way to do so 'properly' would require you to make the coins anonymous to the public, but ID all of your customers and keep records on who actually gets which coins in the end.


Like the other commenter, you're speaking to a different angle. I was commenting strictly on the repeated blanket statements made throughout these comments that any concealing of the source of money == money laundering. I was not speaking to liability ramifications of running a coin mixing service at all. I wasn't even contending that there might not be legitimate claims made against bitcoin activity that could be money laundering. The act of concealing where money came from as a general principle is not itself money laundering. Yes, running a service that facilitates concealing the source of money can quickly become a target and risk liability for laundering activities. That is still, however, an entirely different point.


Put your money where your mouth is. Openly run a mixer. Openly advertise that you are the person who operates it.

If you're right and I'm wrong, it'll be a lucrative business and you'll probably quickly dominate the mixer industry, as it'd be very easy for you to get press and build name recognition. You could do it as a very part-time job.

If I'm right and you're wrong, you'll be in prison.


You're not responding to the point I wrote, or the parent comment to which I replied.


It's both. There is such a thing as synonyms.


It's not scaremongering. Can you trust the mixing services?


The more mixing is done, the higher the daily bitcoin transaction volume is, and the more trustworthy bitcoin becomes!


The question is will the Bitcoin Foundation put those add-ons into the Bitcoin protocol? I think they would be quite reluctant to do it at this point, as they are more concerned with establishing Bitcoin as a viable currency right now, that's not used just by Silk Road and its ilk.

I do think in the mid to long term Zerocoin or something similar should be added to Bitcoin to at least allow people the option to be anonymous if they want to be.

However, I'm also unsure if this should be done right now as governments are trying to decide what to do with Bitcoin. Perhaps it would be better to wait a couple more years, get Bitcoin more established into the mainstream, and adopted by banks and more companies, and then enable something like Zerocoin in the protocol, when it would be too late to stop Bitcoin. Although I'm not sure what the government's reaction towards Zerocoin would be then.

On the other hand, Bitcoin may be even harder to kill than file-sharing/torrenting, in which case maybe it won't matter if it's done now, as the government's action against it could be irrelevant.


You're not investing. You're speculating - a perfectly valid use of your own money, but different nonetheless.


Any investment is speculation until proven otherwise. And by that I mean that "the mass" accepts it as an "investment".


I'm distinguishing it from investments that pay a dividend or interest coupon at time of purchase, or which have a commodity value independent of price (eg gold and oil are commodities that you can speculate in or take delivery of for actual consumption).

You might well get rich from speculating in bitcoin, but if it doesn't pan out then your assets could end up having no value whatsoever - you won't even be able to burn them to keep warm during the zombie apocalypse ;)

I'm not trying to comment on the viability of BTC here, just pointing out that it is not the same as many other asset classes.


Then we agree that it is a very risky investment and one should be careful about it =)


Can any of the mixing/anonymising services hide the fact that a mixing/anonymising service was used?

It's trivial to work against them - simply forbid any legal business offering goods, services or bitcoin-currency transactions to accept such coins. In essence, the same way that they're fighting right now against laundered cash - you can do it, but not on large scale, and it's not accepted for most of assets you want to buy.


You mean trustless mixing/anonymising services that will largely get you brought up on money-laundering charges.


Please stop interjecting with your vested interest as if it trumps anyone else's valid concerns.


What do you mean exactly? If you want, you can say which addresses are yours. If you don't: privacy!


Without running through a mixer, aren't one's transactions vulnerable to being followed through the network of addresses back to the point of origin, and forward to the destination?


Depends on where you first entered the 'system' that makes you reveal your identity. For example, if you buy on localbitcoins in a face to face exchange without the need of identification, it wouldn't be feasible to track the Bitcoins to your real identity. Sovereign money to Bitcoin conversion is the spot where identities are revealed. Otherwise, it remains pseudonymous.


Yes, I still don't understand why people assumed it was a safe way to pay for incredibly illegal things.

Unless you take extreme precautions tracking down the individual behind a wallet would be trivial for a government.


Bitcoin is public by default


This reminds me of when actual users were identified from the "anonymous" AOL search logs.

http://www.nytimes.com/2006/08/09/technology/09aol.html?page...

Anonymity is not privacy.


I haven't been following closely, but could it have been the FBI transferring Silk Road funds to their own address? Given the timing that seems to make sense.


They've always tagged the seized coins either with 'Silkroad seized coins' or 'DPR seized coins' in the past. e.g. https://blockchain.info/address/1F1tAaz5x1HUXrCNLbtMDqcw6o5G...


Who did the tagging?


Users of blockchain.info. It's a little obvious, the amounts they transferred are "FBI" when typed on a phone keyboard.


Once wallets become available that can mask this type of public exposure, bitcoin popularity and usage will grow even more.


Today's goals:

* Spend 100 million for supercomputers to compute this address's wallet in one day.

* Acquire said wallet.

* Reimburse my 100 million debt.

* Enjoy my 50 millions.

Anybody got supercomputers?


The numbers for this, sadly (or gladly, for holders of bitcoin), don't work out. Even if you had the most powerful supercomputer in the world and could try trillions upon trillions of keys per second, you'd need, on average, more than the current age of the universe to brute-force the key.

From: http://bitcoin.stackexchange.com/questions/22/is-it-possible...

In order to spend money sent to a Bitcoin address, you just need to find a ECDSA public key that hashes to the same 160 bit value. That will take, on average, 2 ^ 160 key generations.

Supposing you could generate a billion (2 ^ 30) per second, you need 2 ^ 130 seconds.

Doing this in parallel using a billion machines requires only 2 ^ 100 seconds.

Getting a billion of your richest friends to join you gets it down to only 2 ^ 70 seconds.

There are about 2 ^ 25 seconds per year, so you need 2 ^ 45 years.

The age of the Universe is about 2 ^ 34 years so far—better get cracking!


This type of "sophisticated analysis" will be useless whenever zerocoin is proven as a viable addition to the protocol. True anonymity is scary from a regulatory standpoint but extremely desirable to many others.


I would be unsurprised if use of zerocoin winds up being treated as money laundering.


Very curious how Meiklejohn came to associate the 12sENw address with Bitstamp...


Anyone know where I can get one of those bitcoin keychains in the picture? :)

Edit: Found it, http://bkeychain.com/buy.html ($12??)


How many bit coins to get one of those?



