Bitcoin security (by alaric)
I've been learning about Bitcoin lately.
It's an electronic currency. I've seen electronic currency before - in the late 90s there were efforts to create them based on virtual banks issuing coins. The coins were basically long random serial numbers which, along with a statement of the value of the coin, were then signed by the bank. The public key of the bank is published, so people can check they're valid coins issued by the bank. The idea was that rather than withdrawing a bunch of notes from the bank, you can ask the bank to mint you a bunch of these signed numbers instead; and anyone who sees them can check their value, and eventually, return them to the bank (which can also check their value in the same way) to get their account credited.
This simple approach has two problems: the coins can be traced by their unique serial number (even more conveniently than the serial numbers on notes, and about as conveniently as card transactions and inter-bank transfers already can), and it's hard to detect somebody spending the same coin twice - as it's just a number, you can make as many copies as you like. Various elaborate cryptographic techniques were proposed to avoid this, with the person withdrawing from the bank choosing the random numbers and letting the bank "blind-sign" them without knowing them, people spending the coins having to hand over a recipient-chosen random set of bits from a secret number such that if the same coin is spent with two different recipients enough bits are revealed to identify the double-spender, and so on...
These things just complicate the process of transferring funds, in ways that make it harder and harder to trust the security. And it leaves a currency that relies on central banks to issue it (which can be exploited by determined and/or powerful attackers).
So, enter bitcoin. I won't bore you with the deep technical details (see the paper for that), but the basic idea is this: I have a pool of bitcoin addresses, which are just public+private key pairs - the well-studied basis of cryptographic digital identity. Other people can send money to those identities by issuing transactions, signed by an identity that has enough money, specifying the hash of my public key (my address, that I publish) and an amount to transfer. For this transaction to be valid, there has to be enough money in the source address - so trying to spend the same money twice means the transaction is not valid. The money assigned to any one address can be traced back through the transactions to an event that first created some money (more on that in a moment).
Now, how do people know if a transaction is valid? Because when I issue a transaction, it gets broadcast into the network. And all the other nodes in the network check their copy of all the transactions that have ever happened to see if it matches the rules. If so, they accept it - and demonstrate this fact by competing with each other to solve a Hard Maths Puzzle based on my transaction. The computer that does this first then receives a fixed bonus, which creates new money; and it also receives any optional "transaction fee" I put in my transaction, encouraging computers to pay attention to my transaction first.
That's really clever. My transaction is vouched for by other computers - ones I do not control - vouching that it meets the rules by spending their time competing to solve the puzzle and get the bounty. Claiming the bounty is a transaction much like any other, creating money from nothing and sending it to an address; other computers won't accept it unless the rules are kept (meaning there's no incentive for a computer to try and solve the puzzle for an invalid transaction, as other computers won't accept it and give them the bounty).
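To make the "enough money in the source address" rule concrete, here is an added example (not code from the post, nor from Bitcoin itself) of a toy ledger that keeps only unspent outputs, so a second attempt to spend the same output is rejected. It assumes Lamport one-time signatures over SHA-256 in place of the ECDSA keys real Bitcoin uses, so it runs with the standard library alone; as in the post, an address is a hash of the public key, and the "change" goes to a freshly generated address.

```python
import hashlib
import os

# Added example, not code from the post or from Bitcoin itself: a toy ledger
# showing why spending the same money twice yields an invalid transaction.
# Assumption: Lamport one-time signatures over SHA-256 stand in for the
# ECDSA keys real Bitcoin uses, so this runs with only the standard library.
# As in the post, the address is a hash of the public key.

def sha256(data):
    return hashlib.sha256(data).digest()

def keygen():
    """One-time key pair: 256 pairs of random secrets; the public key is their hashes."""
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def sign(sk, msg):
    """Reveal, for each bit of H(msg), the secret matching that bit."""
    digest = int.from_bytes(sha256(msg), "big")
    return [sk[i][(digest >> (255 - i)) & 1] for i in range(256)]

def verify(pk, msg, sig):
    digest = int.from_bytes(sha256(msg), "big")
    return all(sha256(sig[i]) == pk[i][(digest >> (255 - i)) & 1] for i in range(256))

def address(pk):
    """Address = hash of the public key (truncated hex for readability)."""
    return sha256(b"".join(h for pair in pk for h in pair)).hex()[:16]

def make_tx(inputs, outputs):
    """inputs: [(prev_txid, index, sk, pk)]; outputs: [(address, amount)].
    The signature covers the outputs being spent and every new output."""
    refs = [(txid, idx) for txid, idx, _, _ in inputs]
    msg = repr((refs, outputs)).encode()
    return {
        "txid": sha256(msg).hex(),
        "inputs": [(txid, idx, pk, sign(sk, msg)) for txid, idx, sk, pk in inputs],
        "outputs": outputs,
    }

class Ledger:
    """Unspent outputs only: once an output is spent it is deleted, so any
    later transaction referencing it fails the 'enough money' rule."""

    def __init__(self):
        self.utxo = {}  # (txid, index) -> (address, amount)

    def mint(self, addr, amount):
        """Money created from nothing (the bounty case); returns its txid."""
        txid = sha256(f"mint:{addr}:{amount}:{len(self.utxo)}".encode()).hex()
        self.utxo[(txid, 0)] = (addr, amount)
        return txid

    def validate(self, tx):
        refs = [(txid, idx) for txid, idx, _, _ in tx["inputs"]]
        if len(set(refs)) != len(refs):
            return False, "same output spent twice within one transaction"
        msg = repr((refs, tx["outputs"])).encode()
        total_in = 0
        for txid, idx, pk, sig in tx["inputs"]:
            if (txid, idx) not in self.utxo:
                return False, f"input {txid[:8]}:{idx} is unknown or already spent"
            addr, amount = self.utxo[(txid, idx)]
            if address(pk) != addr:
                return False, "public key does not hash to the address being spent"
            if not verify(pk, msg, sig):
                return False, "bad signature"
            total_in += amount
        total_out = sum(a for _, a in tx["outputs"])
        if any(a <= 0 for _, a in tx["outputs"]) or total_out > total_in:
            return False, "outputs exceed inputs"
        return True, f"ok, fee {total_in - total_out}"

    def apply(self, tx):
        ok, why = self.validate(tx)
        if ok:
            for txid, idx, _, _ in tx["inputs"]:
                del self.utxo[(txid, idx)]
            for i, out in enumerate(tx["outputs"]):
                self.utxo[(tx["txid"], i)] = out
        return ok, why

def double_spend_demo():
    """Alice is paid 50, pays Bob 30 with change to a fresh one-off address,
    then tries to spend the same 50 again. Returns (first_ok, second_ok, reason)."""
    ledger = Ledger()
    alice_sk, alice_pk = keygen()
    _, bob_pk = keygen()
    _, carol_pk = keygen()
    _, change_pk = keygen()  # fresh address for the change, as the post describes
    coinbase = ledger.mint(address(alice_pk), 50)
    pay_bob = make_tx([(coinbase, 0, alice_sk, alice_pk)],
                      [(address(bob_pk), 30), (address(change_pk), 19)])  # fee 1
    first_ok, _ = ledger.apply(pay_bob)
    # Same output again (this also re-uses a one-time key, which Lamport
    # forbids: one more reason real wallets move on to a new address).
    pay_carol = make_tx([(coinbase, 0, alice_sk, alice_pk)], [(address(carol_pk), 50)])
    second_ok, reason = ledger.apply(pay_carol)
    return first_ok, second_ok, reason
```

Running `double_spend_demo()` returns `(True, False, '... already spent')`: the second transaction is well-formed and correctly signed, but the output it references no longer exists, which is exactly the check every node makes before it will spend any effort on the puzzle.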
And the difficulty of the puzzle that needs to be solved, and the maximum bounty that can be claimed for solving it, change with time. The difficulty is adjusted based on how quickly previous puzzles were solved, and the bounty according to the amount of money in circulation, so even as more and more computers join the system, the average time before a transaction is wholly accepted by the system remains about the same (about one hour), and the total amount of money in circulation will slowly rise for a while, then remain roughly constant (the bounties will get smaller and smaller until, eventually, transaction fees are the main motivation for trying to solve the puzzle).
Who sets the difficulty of the puzzle and all that? The computers in the network do - when the system was created, rules were agreed, and written into the software. As everyone runs software following those rules, anybody solving easier puzzles or trying to award themselves more bounty for doing so will have their bounty-claiming transaction rejected as invalid. To loosen the rules, a majority of the computers in the system will all need to accept the new rules - so it will require consensus from the community.
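The three rules just described (a puzzle that is hard to solve but trivial to check, difficulty that tracks how fast recent puzzles were solved, and a bounty ceiling every node enforces) fit in a few dozen lines. The following is an added example, not the post's or Bitcoin's own code. The target is far easier than the real one so the loop finishes in a fraction of a second; the double-SHA-256 hash, the retarget ratio clamped to a factor of four, and the 50 BTC bounty halving every 210,000 blocks are Bitcoin's actual rules, while the header layout and the `EASY_TARGET` ceiling are simplifications of my own.

```python
import hashlib
import struct

# Added example, not code from the post or from Bitcoin itself: the puzzle
# (hash at or below a target), the retarget step that keeps solve times
# steady, and the rule check that rejects an over-sized bounty claim.
# Bitcoin's actual rules reproduced here: double SHA-256, retarget ratio
# clamped to [1/4, 4], a 50 BTC subsidy halving every 210,000 blocks.
# Simplified: the header layout and the EASY_TARGET ceiling.

EASY_TARGET = 2 ** 244           # toy ceiling; Bitcoin's is much lower
INITIAL_SUBSIDY = 50 * 10 ** 8   # in satoshi
HALVING_INTERVAL = 210_000
RETARGET_SPAN = 2016 * 600       # 2016 blocks at 10 minutes, in seconds

def block_hash(prev_hash, merkle_root, nonce):
    header = prev_hash + merkle_root + struct.pack("<I", nonce)
    return hashlib.sha256(hashlib.sha256(header).digest()).digest()

def meets_target(h, target):
    return int.from_bytes(h, "big") <= target

def mine(prev_hash, merkle_root, target, max_tries=10 ** 7):
    """Try nonces until the hash is at or below the target; returns (nonce, hash)."""
    for nonce in range(max_tries):
        h = block_hash(prev_hash, merkle_root, nonce)
        if meets_target(h, target):
            return nonce, h
    raise RuntimeError("no solution within max_tries")

def subsidy(height):
    """Bounty for creating new money at this block height."""
    return INITIAL_SUBSIDY >> (height // HALVING_INTERVAL)

def retarget(old_target, actual_seconds, expected_seconds=RETARGET_SPAN):
    """Scale the target by actual/expected time, clamped to a factor of 4 per step.
    Faster-than-expected blocks give a smaller target, i.e. a harder puzzle."""
    actual = max(expected_seconds // 4, min(expected_seconds * 4, actual_seconds))
    return min(EASY_TARGET, old_target * actual // expected_seconds)

def validate_block(block, target, height):
    """The check every node runs before accepting a bounty claim."""
    h = block_hash(block["prev"], block["merkle"], block["nonce"])
    if not meets_target(h, target):
        return False, "puzzle not solved at the agreed difficulty"
    if block["coinbase_value"] > subsidy(height) + block["fees"]:
        return False, "claims more bounty than the rules allow"
    return True, "ok"

def demo():
    """Mine one block, check an honest and a greedy bounty claim, then retarget
    as if the last interval's blocks had arrived twice as fast as intended."""
    target = 2 ** 240                      # about 2^16 hashes on average
    prev = b"\x00" * 32
    merkle = hashlib.sha256(b"constructed transaction list").digest()
    nonce, _ = mine(prev, merkle, target)
    honest = {"prev": prev, "merkle": merkle, "nonce": nonce,
              "coinbase_value": subsidy(0), "fees": 0}
    greedy = dict(honest, coinbase_value=subsidy(0) + 1)
    new_target = retarget(target, RETARGET_SPAN // 2)
    return validate_block(honest, target, 0)[0], validate_block(greedy, target, 0)[0], new_target

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `(True, False, 2**239)`: the honest block passes, the one awarding itself one satoshi too many is rejected by the same rule every other node applies, and because the blocks came in twice as fast as intended, the target halves so the next interval's puzzles are twice as hard.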
Bitcoins started off being worthless (so the original "miners" setting their computers to solve the puzzles made lots of them and hoarded them), but over the past months, they've started gaining real cash value. As I write this, they're about $5 each, and people are racing to build supercomputers to solve the puzzles faster and faster so they get a bigger share of the approximately 300 an hour that currently get generated as bounties. The recent meteoric rise suggests a speculative bubble, which will burst some day - the ten I bought for £2.20 each yesterday are worth about £2.80 each today.
But the recent public attention (Forbes article, This Week in Startups interview) has caused people to start raising questions. Is this going to encourage money laundering, tax evasion, buying and selling illegal goods and services? Will it be stomped down on by governments?
I have a few thoughts on the matter.
Bank transfers and card transactions are incredibly traceable. There are only a few banks, and the authorities have taken the time to forge relationships with them all, so bringing up somebody's bank records is a simple matter; and from that, it can be seen where all their money has come from and gone to, and then those people's bank records can be pulled in turn.
Which is why illegal transfers are done in cash or by barter. When you withdraw cash from your bank, you have objects you can hand to somebody. Notes have serial numbers, and a sufficiently motivated law enforcer can try and find the serial numbers of notes held by somebody of interest, and then see where they turn up; but it's a lot of work, so it's presumably only done when it matters.
Bitcoin is rather like those notes, except the difficulty is slightly different in nature.
You see, bitcoin relies on the global transaction history being public knowledge, so that everyone can agree on what transactions are valid (by checking them against all other transactions to make sure the same money isn't spent more than once, in ANY OTHER transaction). The privacy is in the addresses. The bitcoin software generates addresses for you on demand; normal practice is to make a new address every time somebody is to send you money, so you can see when it arrives. If you buy from a bitcoin shop, they will give you a payment address that's unique to that one transaction, so you don't need to specify a "reference" like you do with bank transfers. Sure, you might publish an address for random donations, but that's then separate from your other addresses.
But the addresses aren't like bank accounts, exactly. When you want to buy something, the client software slurps together a load of addresses' balances to cover the amount to send. And as the resulting amount will often be slightly more than is needed, it'll also create a new address of your own, and have the transaction send enough money to the requested recipient, as well as the "change" (minus a transaction fee) back to the new one-off address.
So, money sent to or from known addresses can be "traced" to the holder of that address. Transactions sending money from the CIA's address to Al Qaeda's address will, well, be obvious. The problem is that most transactions will involve these one-off addresses, most of which will have all their value transferred on and never be used thereafter.
Indeed, I could make my bitcoin client sit there creating new addresses and transferring random chunks of my wealth to random new addresses 24x7, to effectively launder all my money through a few thousand identities. If I give somebody some money and, ten hops later, some of it is used to buy porn, I can't tell what those ten hops were - they might be ten transfers to different people, in which case, well, aren't we all six or so degrees apart anyway? It could be anyone. Or it could be the same person, laundering his money.
So isn't that a nightmare for law enforcement? Won't they have to crack down on this and make it illegal, before it's used to FUND TERRORISM and DESTROY CAPITALISM?!?!
Well, no. Perhaps they will do that anyway as a knee-jerk reaction. But I think it's just like cash, but a little easier for them to trace. If they realise it, they'll be behind it, which I think will be a good thing - as I think Bitcoin is a good currency that will enable all sorts of cool things that can't currently be done practically.
For a start, those laundering transactions are exactly the kinds of things intelligence services are good at figuring out. They can put supercomputers to work analysing the global transaction stream (all available in ONE place; no need to talk to lots of banks - or worry about infiltrating uncooperative foreign banks). Some value that goes into an account, then buzzes through a self-contained pool of accounts for some time, then zooms out to somewhere else can probably be traced by analysing the timings of transactions and the like; the pattern of automated laundering will be different from actual spending, if you have enough computer power to find the patterns. Imagine drawing a diagram with a blob for each address you know something about (e.g., can tie to a person or organisation), and drawing arrows for all the transactions between them. Any single-use addresses can just be chained together as part of the same arrow. Any unknown addresses can be given small blobs on the diagram. Colour the arrows with the magnitude of the amount transferred, on a log scale. Arrange the diagram so the minimum of arrows overlap. Do this for the transactions in each day, and then make a movie of them changing over time. Take a given known-suspect transaction and treat it like a drop of dye, colouring it strongly, and mixing it with the light grey of other money flowing through the system as it dissipates, and see where that dye spreads to. Then get computers automating the analysis even further.
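Two of the analysis ideas above, chaining single-use addresses into one arrow and following a drop of dye through the transaction graph, are simple enough to show over a toy history. This is an added example, not code from the post; the transaction list, addresses, amounts and txids are all constructed. It also ties back to the earlier description of change addresses: the suspect's payment in `t3` goes to a one-off address with the change to another, the payment hops once more, and both eventually land at an exchange where they mix with clean money before being paid out.

```python
from collections import defaultdict

# Added example, not code from the post: a small transaction-graph analysis
# over a constructed history. It shows two of the ideas in the post: chaining
# one-off pass-through addresses into a single arrow, and following a
# "drop of dye" from a suspect's funds as it mixes pro rata with other money.
# All addresses, amounts and txids below are constructed for illustration.

# (txid, inputs as (prev_txid, output_index), outputs as (address, amount)).
# A transaction with no inputs creates new money (a bounty).
TXS = [
    ("t1", [], [("shop", 100)]),
    ("t2", [], [("suspect", 40)]),                          # the "dye" enters here
    ("t3", [("t2", 0)], [("x1", 25), ("x2", 15)]),           # payment plus change, both one-off
    ("t4", [("t3", 0)], [("x3", 25)]),                       # pass-through hop
    ("t5", [("t4", 0), ("t3", 1)], [("exchange", 38), ("x4", 2)]),
    ("t6", [("t1", 0)], [("exchange", 100)]),                # clean money reaches the same exchange
    ("t7", [("t5", 0), ("t6", 0)], [("buyer", 138)]),        # exchange pays out from a mixed pool
]

def build_edges(txs):
    """Arrows address -> address; each output's value is attributed to the
    inputs in proportion to what they contributed."""
    outputs = {}                 # (txid, index) -> (address, amount)
    edges = defaultdict(float)   # (src, dst) -> value moved
    for txid, ins, outs in txs:
        for i, out in enumerate(outs):
            outputs[(txid, i)] = out
        sources = [outputs[ref] for ref in ins]
        total_in = sum(amt for _, amt in sources)
        for s_addr, s_amt in sources:
            for d_addr, d_amt in outs:
                edges[(s_addr, d_addr)] += d_amt * s_amt / total_in
    return dict(edges)

def collapse_pass_through(edges):
    """Merge every node with exactly one incoming and one outgoing arrow into
    a single arrow (src -> dst) carrying the value and the hop count."""
    g = {e: (v, 1) for e, v in edges.items()}   # (src, dst) -> (value, hops)
    changed = True
    while changed:
        changed = False
        for n in {node for e in g for node in e}:
            ins = [e for e in g if e[1] == n]
            outs = [e for e in g if e[0] == n]
            if len(ins) != 1 or len(outs) != 1:
                continue
            s, d = ins[0][0], outs[0][1]
            if s == n or d == n or s == d:
                continue
            _, h_in = g.pop(ins[0])
            v_out, h_out = g.pop(outs[0])
            prev_v, prev_h = g.get((s, d), (0.0, 0))
            g[(s, d)] = (prev_v + v_out, max(prev_h, h_in + h_out))
            changed = True
            break
    return g

def trace_dye(txs, source_txid):
    """Fraction of each output that descends from source_txid's money,
    mixed pro rata by value at every transaction it passes through."""
    outputs, taint = {}, {}
    for txid, ins, outs in txs:
        if ins:
            total = sum(outputs[r][1] for r in ins)
            frac = sum(outputs[r][1] * taint[r] for r in ins) / total
        else:
            frac = 1.0 if txid == source_txid else 0.0
        for i, out in enumerate(outs):
            outputs[(txid, i)] = out
            taint[(txid, i)] = frac
    return {f"{t}:{i}": (outputs[(t, i)][0], round(taint[(t, i)], 4)) for t, i in outputs}

if __name__ == "__main__":
    for edge, (value, hops) in sorted(collapse_pass_through(build_edges(TXS)).items()):
        print(f"{edge[0]:>8} -> {edge[1]:<8} value {value:6.2f} hops {hops}")
    for outpoint, (addr, frac) in trace_dye(TXS, "t2").items():
        print(f"{outpoint} {addr:<8} dye {frac}")
```

After collapsing, `x1` disappears and a single arrow `suspect -> x3` carries 25 units over 2 hops; the dye is at full strength all the way to the exchange and then dilutes to 38/138 of the buyer's payout. The same pro-rata rule is what makes the laundering loop in the next paragraph visible: money cycling through a closed pool of addresses keeps its full colour no matter how many hops it takes.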
Similarly, if you can snoop somebody's Internet traffic, you can see where transactions come from; when money is spent from an address, this fact is obvious from the internet connection over which the transaction is issued. So if the CIA sends Al Qaeda some money, and they launder it from their laptop, this will be obvious. By watching somebody's Internet connection, you can see all their outgoing transactions; and from that, you can learn all their addresses; and from the global transaction stream, you can then see all the money being sent to those addresses.
A successful money laundry would need to use a lot of different computers and not re-use them in suspicious ways. It would need to go to the effort of simulating an ordinary economy of its own, spread around the world. And the effort and organisation that takes would make it ripe for hunting down using traditional law-enforcement techniques: paying moles, finding a slip-up and exploiting it to find the network, and so on.
What about using Internet traffic anonymisers, like Tor? They encrypt the traffic coming to and from your computer, which removes the advantage of watching somebody's Internet connection described above. Tor was initially sponsored by the US government, and is not without its weaknesses - again, ones which I suspect will protect legitimate users by being too expensive to employ en masse, but will be possible to overcome when individual people or organisations become worth spending millions to hunt down.
So, I think bitcoin will be a boon for law enforcement, as it'll overall make it easier to trace down the financial activities of bad apples. Therefore, the bad apples won't use it much, which will help to give the network a good reputation and encourage legitimate take-up. Bitcoin will be as anonymous as cash - for people who are not the subject of a major, expensive, law enforcement investigation, it's perfect. It'll be a lot harder to do the kind of routine mass surveillance that is currently done with card payment records, and I think that's a good thing; routine mass surveillance is an infringement of fundamental liberties. But it'll still give sufficiently powerful organisations the tools to break the anonymity and trace down money flows.