$280 billion rides on the proposition that cryptocurrency is impregnable. Maybe it isn’t.
Machinery in an IBM quantum computing lab (photo by Seth Wenig)
Call it the singularity. One day, maybe a decade from now, a message flashes across the internet: “Elliptic curves cracked!”
Elliptic curve cryptography, or ECC, is the foundation beneath bitcoin. Wouldn’t the discovery of a hole in this code destroy the currency—and take down any coin exchange?
I posed the question to Brian Armstrong, who co-founded and runs Coinbase, the largest U.S. crypto exchange. He can’t prove that there won’t be some mathematical shortcut compromising bitcoin keys. But he considers the risk low.
“Ten years in, there's a ton of people who have looked at this code,” he answered, in an interview at the Coinbase headquarters in San Francisco. “It's a hundred-billion-dollar bounty. So I think that scenario is very unlikely.”
Bitcoin plus the lesser currencies that compete with it amount to a $280 billion asset pile, a tempting target for bad guys. From bitcoin’s earliest days, hacks, cracks, hijacks, phishes, vishes, and social engineering have threatened it. So far the successful assaults on this industry have been around the edges; even the big heist at Mt. Gox did not kill cryptocurrency.
But what if thieves discover a fundamental vulnerability? It might be in the way the encryption works. It might be in the global network of computer nodes that track ownership of bitcoin. It might be in some aspect of crypto that no one is thinking much about.
Crypto players offer two answers to the question about cosmic risks. One is that the system might see an asteroid coming and take defensive measures. If bitcoin’s 11-year-old encryption proves to have a weak spot, the nodes could move en masse to a different protocol. They might be able to do this before any coins have been stolen. Alternatively, they could hark back to an earlier version of the blockchain that was in place before a theft; this is how the Ethereum chain partly undid some skulduggery involving the DAO venture capital fund.
The other answer, not entirely reassuring, is that a lot more than bitcoin is at stake. Says Philip Martin, head of security for Coinbase: “A core math problem? We’re talking the collapse of the internet.” Trillions of dollars course through electronic networks protected with encryption. So, for what it’s worth, in the digital apocalypse an implosion of bitcoin would be the least of our concerns.
Let’s now consider some of the weaknesses that envelop digital currency.
Bad implementation
Once upon a time Sony used elliptic curves to protect its PlayStation. In order to run, a game would have to provide a digital signature constructed from Sony’s secret key, the same kind of key that protects your bitcoin. The signature routine uses, as one of its inputs, a different randomly chosen number for each validating signature.
Sony goofed, recycling the same number. It turns out that this enabled anyone possessing two legitimate games and a knowledge of high-school algebra to compute the secret key and run pirated games. Andrea Corbellini, a cryptographer who has explained the flaw, speculates that Sony might have been inspired by this Dilbert cartoon.
You might think that all such potholes were found long ago and repaired. But no. Recently the National Security Agency reported on a flaw in a Microsoft browser that made a mistake in delivering the digital signatures that verify websites as legitimate. ECC calls for using a specific starting point. The flaw enabled a website to slip in a different point. With just the right substitute, a malicious site could have forged a signature and stolen the password for your bank account.
Microsoft quickly patched the hole. But it makes you wonder. Could there be other holes in some or all of the software used to hold and transfer virtual currencies?
Crypto managers are on guard. Says Martin, the Coinbase security guy: “I am much more scared of an implementation flaw in a library than I am of a flaw in the underlying math.”
Some bitcoin owners, trying to manage their own coin wallets, have made the same mistake Sony did with its game console. Writes one security expert: “A lot of Russian bitcoin hackers have coded bots to automatically grab coins from vulnerable addresses.” Presumably you have nothing to worry about if you hire experts to manage your wallet.
Social engineering
A crook doesn’t have to know algebra to steal bitcoin. Good acting might do it.
Jamie Armistead is a vice president at Early Warning, the bank consortium that runs the Zelle payments network. Is there a risk that someone will crack the encryption that protects the money coursing through Zelle? Answers Armistead: “It’s not hacking” that keeps him awake at night. “It’s phishing, like the false email to the corporate treasurer.”
Vishing, a variant of phishing involving voice commands, is a security risk. So is device hijacking, in which the thief gets control of your smartphone account. So are all manner of man-in-the-middle attacks, the electronic version of a football pass interception. Cybersecurity engineers constantly update communication protocols to prevent that. They can barely keep up.
Could a hoax on a grand scale cause a majority of bitcoin nodes to simultaneously make a fatal mistake? It would have to be rather byzantine. It’s conceivable.
Mathematical hacks
Encryption methods in common use look secure, because they have been studied for many years by many people. But they are not provably secure. Someone might discover a way to tunnel into them.
Encryption works by scrambling numbers. One way to do that, in the scheme named RSA (after inventors Rivest, Shamir and Adleman) that is still widely used to secure sensitive data, involves exponentiation and modular arithmetic. When you multiply 4 by itself 3 times, 3 is the exponent and you get 64. In modulo 11, you divide this by 11 and consider only the remainder 9.
With small numbers like these, this is a meaningless exercise. But cryptography uses gigantic numbers, and those numbers get shuffled into a giant mess. To get a sense of this, try out the exponentiation/modular game on our small numbers: 2 turns into 8, 3 into 5, 4 into 9 and so on. The only way to unshuffle is to know a certain secret about the modulo. This secret relates to some mathematical formulas that go back a long ways. A 17th century Frenchman named Fermat played an important role.
The other big shuffling scheme is ECC. This involves the modular multiplying of not single numbers but pairs of them. Think of the pair as the coordinates on a map. The multiplying is weird: To double a pair, you don’t just move it twice as far from the corner; you bounce it off an elliptic curve. This scrambles all the points on the map. In cryptography, the starting point is not merely doubled; it is multiplied by a gigantic number. This really scrambles the map. That giant number, kept secret, is the key that unlocks a bitcoin.
RSA and ECC both have this feature: Someone who possesses the secret can prove that he possesses it without revealing it.
These two protection schemes rely on the apparent difficulty of certain arithmetic tasks. In the case of RSA, it’s finding the two numbers that were multiplied together to arrive at the modulo; in the case of ECC, it’s dividing the end point by the starting point to determine the multiplier. “Difficult” means taking trillions of years of guesswork on a laptop.
Unless shortcuts are found. For RSA, a well-known shortcut to factoring numbers involves a number sieve. For ECC, there’s a “big step, little step” algorithm that dramatically reduces the computation time. At this point, these tricks go only so far. The difficulty, for a key of a given size, might be measured in billions rather than trillions of years.
For reassurance about the safety of the crypto market and of internet commerce we go back to what Brian Armstrong said: There is a large incentive to find a killer shortcut, and evidently no one has found one. But there is no way to know that no vastly better tricks are about to be discovered.
Fermat, the French mathematician, conjectured a simple fact about exponents of numbers that looked true but couldn’t be proved. For three centuries people labored to prove it and failed. And then one day not too long ago a proof was discovered. It relied, in part, on elliptic curves.
Quantum computers
Computers using quantum effects could, in theory, shrink the time for decoding an encrypted message from billions of years to hours. One such theory, for cracking RSA, dates to 1994.
In October Google sent a shiver through the cryptography world by announcing “quantum supremacy.” An experimental quantum device, the company said, did in 200 seconds what would have taken a conventional computer 10,000 years. That’s debatable; some researchers at IBM claimed that Google overstated the time difference by six orders of magnitude. Still, quantum computing is a threat.
Not an immediate one. The task in the Google experiment was designed specifically for the limited skills of quantum computing elements. These skills are a long way from those needed to crack codes. The 1994 algorithm is not in use because the hardware for it exists only on paper.
But ten years from now? We don’t know where quantum computing will be.
Back door
For an encryption routine the anonymous creator(s) of bitcoin plucked an elliptic curve off the shelf. This curve was designed by the federal government. Were the parameters devilishly selected in a way to create mathematical vulnerabilities? Does the National Security Agency have a back door to your coins? Probably not. But you cannot be sure. Governments are not in sympathy with the anarchist philosophy underlying cryptocurrency.
Since crypto’s creation, thousands of coins have been pilfered in hacks, scams and Ponzi schemes. These will continue. As for the big knockover, in which the whole system is taken down, we can say that the probability is low. But it is not zero.
Related story: Guide To Cryptocurrency Tax Rules
