How secure is bitcoin?

Friday 21 February 2014

We’ve been hearing a lot in the last week about ‘transaction malleability’, a glitch in the implementation of some exchanges’ wallet software. Some critics have called it the End of Bitcoin (not for the first time; according to the so-called experts, the End of Bitcoin has been on the cards repeatedly since it properly hit the news). So, is transaction malleability a big deal – and are your bitcoins secure? As it turns out, the answers to those two questions are ‘no’, and ‘in most cases’. The bitcoin protocol itself is rock solid. It’s the implementation, and user error, that are the real issues. Sadly, it looks like Mt Gox has succumbed to those, rather than transaction malleability itself.

Bitcoin: a rock solid protocol
There’s a meme doing the rounds on the Internet that illustrates how secure bitcoin should be if it’s used properly. Paraphrasing it for the sake of clarity, it goes something like this:

The universe operates in accordance with the laws of physics. These cannot be broken or circumvented.

Imagine you could build the perfect computer. It functions at the limits of the theoretically possible. It uses the minimum energy possible to perform calculations (which, ultimately, come down to ‘bits’ being switched: 0 to 1, and 1 to 0). It wastes no energy. It’s kept at a tiny fraction of a degree above Absolute Zero: the coldest temperature possible, at which atoms and molecules no longer vibrate.

Oh, and it weighs as much as the solar system. It's a really, really big computer.

You power this computer using the sun, without losing any energy in the process. You set it running, and wait for the lifetime of the sun.

A bitcoin private key – the number you need to spend your own or someone else’s bitcoins – is 256 bits long (32 bytes), a random string of 256 zeroes and ones. That means there are two to the power 256 different private keys possible (2^256), or around 1 followed by 77 zeroes: 100,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000.

Your solar system-sized, ultra-efficient supercomputer could not even count to that number before the sun ran out of power. Don’t worry about any cryptographic functions: it couldn’t even count to 2^256.

The poster ends with the words, ‘These numbers... strongly imply that brute-force attacks against 256-bit keys will be infeasible until computers are built from something other than matter and occupy something other than space.’

The security of the bitcoin protocol is guaranteed not by the limits of technology as it now stands, but by the laws of the universe.

So, where are the weak links?

Transaction malleability
Transaction malleability itself isn’t a huge problem, and I mention it here only because it's been heralded as bitcoin's nemesis over the last couple of weeks. It's not. It does not stop transactions from taking place, which means it does not allow money to be stolen from the address to which it is sent. What it does allow, as things currently stand, is doubt about whether a transaction has been carried out.

One of the best analogies I’ve seen for this is ordering something from Amazon – say a DVD. You order the product, Amazon dispatches it, and it goes to your house via the postal sorting office. However, at the sorting office you have a friend who changes the delivery label, masking the original one. The parcel still arrives at your house, but the delivery person scans the barcode and collects your signature to record delivery for a parcel with a false label. You still have your DVD, but there’s nothing to stop you calling Amazon and claiming that you don’t – since their records will rightly show that the barcode on the label they dispatched never made it to your house. You could claim a refund, or have another DVD dispatched. In the case of bitcoin exchanges, there is confusion over whether you have received bitcoins you asked to withdraw, and so you could demand a second payment (note that this is not the same as a double spend, which the bitcoin protocol is designed to avoid through its system of distributed, open ledgers).

It’s a problem that is easy enough to circumvent, in theory. Once the bitcoin transaction has been confirmed the money is on record as being sent to your address. There’s no doubt that the transaction has happened because the bitcoin protocol is transparent.
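A simplified model of that fix, added here as an illustration and not taken from any exchange's software: the transaction ID plays the part of the delivery label, and a withdrawal is reconciled by what the confirmed ledger shows was paid rather than by the ID that was originally broadcast. The record layout, function names and sample values are constructed assumptions, not real Bitcoin serialization.

```python
import hashlib

def txid(tx):
    # Simplified model: the ID is a double SHA-256 over everything, signature included.
    blob = repr((tx["inputs"], tx["outputs"], tx["sig"])).encode()
    return hashlib.sha256(hashlib.sha256(blob).digest()).hexdigest()

def payment_key(tx):
    # What the payment does (coins spent, who is paid), with the signature left out.
    blob = repr((tx["inputs"], tx["outputs"])).encode()
    return hashlib.sha256(blob).hexdigest()

def withdrawal_status(sent, confirmed):
    """Classify a withdrawal we broadcast against transactions confirmed on the ledger."""
    ids = {txid(t) for t in confirmed}
    payments = {payment_key(t) for t in confirmed}
    if txid(sent) in ids:
        return "confirmed"
    if payment_key(sent) in payments:
        return "confirmed-under-different-id"  # paid; the label changed in transit
    return "unconfirmed"

def may_resend(sent, confirmed):
    # Re-issue only when the ledger shows no transaction making this payment.
    return withdrawal_status(sent, confirmed) == "unconfirmed"

# Constructed sample data (not real transactions, addresses or signatures).
SENT = {
    "inputs": (("exchange-coin-1", 0),),
    "outputs": (("customer-address", 150_000_000),),
    "sig": b"signature-encoding-A",
}
RELABELLED = dict(SENT, sig=b"signature-encoding-B")  # same payment, different encoding
OTHER = {
    "inputs": (("exchange-coin-2", 1),),
    "outputs": (("someone-else", 20_000_000),),
    "sig": b"signature-encoding-C",
}

if __name__ == "__main__":
    cases = [("as sent", [SENT, OTHER]), ("relabelled", [RELABELLED, OTHER]),
             ("missing", [OTHER])]
    for name, ledger in cases:
        print(name, withdrawal_status(SENT, ledger), may_resend(SENT, ledger))
```

A lookup by ID alone would report the relabelled case as never delivered, which is the refund claim in the Amazon analogy; matching on the payment itself shows the coins arrived.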

Bitcoin exchanges have worked hard to get on top of this issue, which is rightly described as a bump in the road rather than anything more serious – albeit one that has been known about for over two years. In fact, Bitstamp and other big exchanges found workarounds within a few days, and were quickly allowing withdrawals to take place once again.

Mt Gox, on the other hand, is still citing technical and security issues, having just released an 'update' that states it is still working on the problem. In fact, this offers nothing new at all. The ease with which other exchanges fixed the bug strongly suggests that Gox is suffering far bigger problems. Speculation is rife that they may have lost funds to the exploit and are now technically insolvent. The price of bitcoins on Gox is around a quarter that of Bitstamp. If market forces are to be believed, this means that traders are gambling that there is just a one in four chance they will get their money back. Gox itself has refused to comment on rumours of its solvency. This is extremely poor practice, and traders are right to be anxious: the bitcoin protocol itself is designed to be fully transparent and open. An exchange that takes such a cloak-and-dagger approach to business should be viewed with suspicion. But one way or another, Gox's problems go far beyond the technical issue of transaction malleability.

Transaction malleability doesn’t pose an existential threat to bitcoin (though it looks like it's been the end of the line for Mt Gox, once the world's largest bitcoin exchange). There are, however, more serious threats to bitcoin's security – and they all come down to human error and human malice. That's something I'll be exploring further next week, on the subject of brainwallets and how their greatest strength can also prove their worst flaw.

Brandon Hurst
