Bitcoin In Denial

As a co-founder of BitGo, you already know I’m a huge fan of Bitcoin. I wholeheartedly agree with the proponents of Bitcoin that share a vision for a new world of finance based on crypto currencies. To recap the benefits of Bitcoin: Bitcoin puts the power of money into the hands of the people at low cost. It is a system where the bank can’t steal your money (crooks), the government can’t steal your money (inflation and poor monetary policy), and hackers can’t steal your identity (trivially forged credit card systems). It’s fantastic – it’s internet cash with zero fraud and low cost.

But the entire industry is largely in denial about the suitability of Bitcoin for the real world.

The conundrum for Bitcoin is simple:

To develop this great system, we’ve used crypto “keys” and put them directly into your hands. This simple concept is the core that puts you completely in control of your own money. Sounds great!

Unfortunately, and this is what the entire industry seems to ignore, it’s highly unlikely that you are competent to keep any of the “keys” to your own money, in spite of the benefits in doing so. The problem is that in the digital world, managing the “keys” to your life savings means that you must be part techno-geek, part cryptographer, and part super hero. Chances are that you’re none of these and completely unfit to manage the keys to store any significant amount of value.

Bitcoin proponents (myself included), have thought for some time that we’ll solve the usability of Bitcoin and solve this issue. I still think we’ll make inroads. But as I look in more depth at Bitcoin and the viability of Bitcoin for mass markets, I’m increasingly convinced that this will just never happen. We don’t ask Wells Fargo how they secure the vault, and none of us would pretend for a minute that we’ll have vaults at home which are suitable to store our life savings. Bitcoin may be digital, but the monitoring, backup, and safe handling of millions of dollars is simply not a casual task. Consumers will never be ready for this.

Rest assured, I’m not predicting the doom of Bitcoin. I’m simply articulating what so many seem to deny: key management is not going to be a strength of consumers. For Bitcoin to work, we need revolutionary change in the way we store and manage keys. The Bitcoin protocol is great at a low level, but the key management problem is simply out of reach for consumers and businesses today.

I wish that I had an answer to this right now. Certainly many of the things BitGo does, such a multi-signature wallets, multi-user approvals, key sharding, and more help to mitigate the complexity problem. But the fundamental issue of trust-less, safely stored and safely backed up keys remains out of reach for most everyone. Until we solve this problem, Bitcoin will be relegated to a niche form of money with little chance of success.

You can probably guess what my highest priority is right now.

Introducing the JS Bitcoin Benchmark

bitcoinbench

[This is a mirror of a post I made over at the BitGo Company blog]

Recently we started work here at BitGo to implement BIP38. BIP38 is a solid proposal for a standard way to encrypt a bitcoin private key with a passcode. Since we have that functionality, we’d like to use a standard, interoperable format rather than create our own. The key premise behind BIP38 is to use an algorithm which is resistant to large-scale bot-net style attacks. This is accomplished using scrypt, which is intentionally resource intensive. If you’re a user, and just doing a single password try, BIP38 is tolerable, despite taking 2-3 seconds for a single decrypt operation. But if you’re a hacker, trying to brute force crack a password (e.g. guess every possible combination), taking 2 seconds per guess makes it cost-prohibitive.

Since, BitGo is implemented almost entirely in Javascript, we were able to include an open source implementation of BIP38 into our version of bitcoinjs-lib (available on github). But we ran into a snag. While a high-end machine running Chrome can execute a single BIP38 encryption in about 5 seconds, other browsers do not fare as well, with some taking as much as 60 seconds to do a single operation! Our first instinct was that our implementation is flawed. But after some investigation we concluded that while it certainly can be optimized, we weren’t going to get to an acceptable user-waitable performance. And since Chrome was able to do it while other browsers were as much as 12x slower, we strongly believe that the fault here lies mostly in the javascript virtual machine implementations rather than our javascript code. We verified that other sites that do BIP38 are equally slow (e.g. http://bit2factor.org/). And so, this led us to do a fair amount of research into the javascript performance of our product. And soon we had constructed a small benchmark which encompasses many of the crypto algorithms included in bitcoin:

  • bitcoin address creation
  • elliptic curve signing and verification
  • SHA
  • Scrypt
  • address chaining
  • AES

The source code for the benchmark is available on github as part of the bitcoinjs-lib project mentioned above. Or, if you just want to run the benchmark yourself, you can check it out here: https://bitgo.com/bitcoinbenchmark

As for test results, it looks about like this on my windows laptop:

  • Chrome32: 97.5
  • Firefox26: 78.2
  • IE11: 27.1

And on a Mac Mini running Mountain Lion:

  • Chrome32: 131
  • Firefox26: 111
  • Safari6.1.1: 105

I believe this benchmark is differentiated from other benchmarks, the relative difference between browsers using the this benchmark is different than the relative difference of the same browsers using other benchmarks. Using either the sunspider benchmark (http://ie.microsoft.com/testDrive/Benchmarks/SunSpider/Default.html) or Google’s Octane, or Firefox’s Kraken Benchmark, you might think IE is only ~25% slower than other browsers. But as you can see in this benchmark, IE is about 3 times slower on these bitcoin related operations.

I hope others find this benchmark useful. Unlike many benchmarks, which can test contrived cases, these tests really do reflect the core algorithms of bitcoin. If we can make these run super fast in Javascript, we can make great bitcoin software that runs in your browser.

To my friends in the browser teams of Microsoft, Firefox, and Google – the bitcoin community will be very happy if you adopt this benchmark to help move JS forward in 2014!

Please don’t hesitate to send us feedback or jump in and contribute to the effort!

P2SH Safe Addresses

I wrote this whitepaper a while ago, and have now fully implemented it as part of BitGo. If you own bitcoin, it is worth checking out!

 

P2SH Safe Address

mike belshe
[email protected]


wallet-architectureBackground
This paper describes a mechanism for using Bitcoin’s P2SH functionality to build a stronger, more secure web wallet.

Bitcoin addresses (where your bitcoins are stored) are secured today using public key cryptography and the Elliptic Curve Digital Signature Algorithm (ECDSA). This offers very strong security. But the secret keys used within ECDSA are lengthy 256 numbers which humans can’t remember, and the security of your bitcoin hinges on how safely you can protect this key from others. To help us protect and manage our keys, users employ bitcoin wallets. There are many wallets available to choose from, and each offers its unique benefits for ease of use, security, and features. But wallets can be divided into two basic categories:

  • Client-side Wallets
    These wallets, such as the original Satoshi Client, run using software installed locally on the user’s computer.
  • Web Wallets
    These wallets are hosted on a web site and require no custom software installation from the user.

Client-side wallets

The advantage of a client side wallet is that your bitcoin keys are entirely your own. No intermediaries are required to help you transact. The disadvantage of the client side wallet is that the security is entirely your own. In effect you are the guard of your own bank. As such you need to: prevent malware and viruses from stealing your keys maintain and update proper backups of your keys enforce physical security of the computer(s) containing the keys (e.g. locked with an encrypted hard disk). Accessing your bitcoins from multiple computers can be difficult, as it requires you to transfer the keys safely between multiple computers. Further, because most users take extra precautions with their passwords for their bitcoin cash, forgetting or losing unusually ‘strong’ passwords becomes a real threat of loss.

Web Wallets

Web Wallets have the advantage that they are accessible through the web, from anywhere. The web site hosting your wallet needs to be a trusted party, as they often require direct access to your keys, or they may hold your keys while you don’t have them at all. Assuming that the website does a good job managing the security of your keys, this can be an advantage, as you don’t need to do it yourself.
But the disadvantages are obvious. A web site holding many keys for millions of users is a very obvious target for attackers. If the web site is hacked, you will lose your bitcoin. Similarly, if the website is shutdown due to failure to meet regulatory compliance, you will lose your bitcoin as well.

Pay To Script Hash (a.k.a. P2SH)

P2SH is a new type of bitcoin address which was introduced as part of Bitcoin Improvement Proposal 16 (BIP 16) in early 2012. P2SH addresses can be secured by more complex algorithms than traditional bitcoin addresses. In this paper, we evaluate using a 2-of-3 signature address, which we’ll call a “2-of-3 address”.
Unlike traditional bitcoin addresses, which are secured with a single ECDSA key, 2-of-3 addresses are secured with three ECDSA keys. Depositing funds into the 2-of-3 address is the same as depositing funds into a standard bitcoin address. However, withdrawing funds from the 2-of-3 address requires at least 2 of the 3 keys to sign.

Using a 2-of-3 address offers several advantages:

  • you can give a trusted party a single key for final approval on transactions without enabling them to initiate transactions on your funds alone.
  • you can lose a key but not lose access to your funds.
  • you can share a key with multiple, trusted parties who individually cannot access your funds, but can if they work together.

A Proposal for a 2-of-3 Address Web Wallet Implementation

In this section, we propose an implementation of a web wallet using the 2-of-3 address. It provides the following features

  • Safety
    • The service cannot initiate a transaction by itself
    • Stealing the user’s online password is not sufficient to steal funds
    • Stealing the user’s online private key is not sufficient to steal funds
    • Malware on the user’s computer cannot steal funds
  • Convenience
    • The user can access his funds from any computer
    • The user does not need to remember his private key and can access funds with a password and two-factor authentication.
  • Recovery
    • The user can recover funds even if the service is shutdown due to regulatory reasons
    • The user can lose his website password and not lose his funds
    • The user can lose his private key and not lose his funds
  • Privacy
    • Privacy must be maintained for the user’s funds

This implementation will rely upon:

  • A service (e.g. a website) with all communications over TLS.
  • Coordination between a browser and that service
  • Use of 2-factor authentication
  • Use of strong passwords

2-of-3 Address Creation

The mechanics of creating the 2-of-3 address is very important. In this proposal, it will be done both on the user’s computer and on the website. Critically, the user will generate 2 keys while the server will generate one. Address creation time is the only time when two or more of the keys are on the same computer concurrently.

The process starts with the user’s browser (or client-side key creator) generating 2 ECDSA keys:

  • The user’s key-pair
  • A backup key-pair

The backup private key-pair will be printed out and stored completely offline. It is only for fund recovery. The backup public key will be stored with the service. The service never sees the backup private key and cannot use it to unlock funds.

The user’s private key will be encrypted on the user’s machine with a strong password of the user’s choice. The encrypted private key and the public key will be stored in the service. Because the private key is encrypted with a password the service has never seen, the service cannot use this key to unlock funds.

The server will then create a 3rd key. The private key will be encrypted with a strong password known to the service and stored on the server. The server will use the 2 public keys from the user as well as the service key to create the 2-of-3 address. The server will notify the user of the server’s public key, as this will be critical for recovering funds from the address if the service ever goes down. The user will print out a copy of all 3 public keys and store them securely.

With this system, we now have an address where the user has 1 key, the service has 1 key, and the 3rd key has been saved for later use.

Withdrawing Funds from the 2-of-3 Address

To withdraw funds from the 2-of-3 address, the following steps will need to take place.

First, the user will login or authenticate to the service, and inform the service that she will make a withdrawal. The service will require the user to further authenticate with a 2-factor authentication challenge to a smartphone or mobile device. Note: 2-factor authentication is required because even strong passwords can be stolen with a keylogger.

Upon validation of the 2-factor authentication, the service sends the user’s encrypted private key to the user’s browser. The browser will prompt the user for the user’s password to unlock the encrypted private key.

Executing within the user’s browser, the application creates the bitcoin transaction for the withdrawal, unlocks the encrypted private key, and signs the transaction with a single signature.

Finally, the signed transaction is then sent to the service. The service validates the transaction, and if suitable, applies the 2nd signature using its private key. Note that the service will likely implement transaction limits. If, for some reason, the user’s account was compromised, the service can refuse to sign large transactions unless further authentication or the backup key signature is presented.

Maintaining Privacy

To maintain maximal privacy, it is important to not re-use bitcoin addresses. However, re-generating such keys repeatedly with each transaction would make many of the backup benefits that come with this system difficult. Users of bitcoin standard addresses already face this problem today and use a variety of deterministic wallet mechanisms to generate multiple keys from a single source.

The same techniques can be applied to the 2-of-3 address. Any key used as a signature should be rotated to a new address based on the next sequence in the deterministic key.

As a compromise solution, the 2-of-3 address offers one more option: only rotating the server’s key. Since the 2-of-3 key is generated from 3 keys, one of which is managed by the service, we can rotate the user’s funds to a new address by only rotating the server’s key. The resulting address cannot be correlated to the original 2-of-3 address. However, upon spending of the outputs, the public keys will again be revealed and a correlation could be made at that time. To maintain the ability for the user to extract funds without the service, the service will need to send the newly minted service public key to the user for safekeeping. This can be done via email. But again for maximal privacy, use of deterministic key rotation is recommended.

Other Advantages

Using multi-signature wallets provides flexibility for the user to share keys with trusted family without exposing all funds. For example, a user may decide to give one key to his sister, and another to his lawyer, with instructions to get the bitcoin when the user dies. With a traditional bitcoin address, the lawyer and sister would both have full access to the user’s funds. With a 2-of-3 wallet, they would need to collude against the user. But overall, the 2-of-3 address offers a lot of flexibility.

Weaknesses

No security mechanism is perfect. One potential weakness with the 2-of-3 address is that it does have 2 of the 3 keys online in the user’s browser at the time of address creation. Malware that specifically targeted an application using 2-of-3 wallets could lie-in-wait of an address to be created, steal the keys, and then extract the funds later. However, any wallet, client or server suffers from this problem. With a 2-of-3 address, the exposure to malware is mostly limited to address creation time, whereas traditional addresses are exposed to this weakness any time you transact. Hardware wallets may be the best mitigator against this particular attack.

The Feds Are About To Learn How Awesome Bitcoin Is

In the wake of the Silk Road bust this week, I think we’ll see some new thinking around Bitcoin. Contrary to popular belief, Bitcoin is not anonymous at all. It never was, and it never will be. It is probably the most public trading system ever created. This sounds scary, but unless you’re a criminal it’s not really.

For Dread Pirate Roberts, aka Ross Ulbright, it seemed anonymous. Until someone tied his zeroes and ones back to him. Now we know who he is, and the FBI busted him. Further, with the details of DPR’s bitcoin accounts in their possession, the FBI now knows everyone that he has ever transacted with. Ever. You can’t do that with cash! Every person that used silk road is a leaf in a tree called the bitcoin Blockchain.

The FBI will, if they have not already, trace these so-called anonymous Bitcoin accounts back to transactions at popular trading exchanges like Mt Gox, Coinbase, and Bitstamp. These exchanges, because they trade real money for bitcoin, know their user’s true identities. This will enable the government to get warrants for those exchanges to turn over those identities. I guarantee that the vast majority of Silk Road users did not have the technical savvy required to stay anonymous. They bought coins at these exchanges, then headed over to Silk Road. They shouldn’t have believed the anonymous hype – it’s just not true.

In other words, digital drug busts are a FBI agent’s wet dream. Every transaction ever done is public, and its just a matter of a half-dozen small search warrants to get to every user that ever used the Silk Road. Even if it takes them 10 years to bring down the kingpin drug dealer, they will be able to retroactively identify all of this customers.

So unless the operators of the exchanges have the bravery that Lavar Levinson of Lavabit has, these records will go to the FBI within a matter of days.

On one hand, this is terrible! It’s such an invasion of privacy. But on the other hand, is it? The law enforcement agents are doing exactly the same work they’ve always done, but this time its digital. We created these laws and we created these agencies. With digital currencies, they can do their job with incredible efficiency. The law-abiding citizen should be ecstatic – we could literally haul a million druggies to jail as soon as the paperwork is done.

I for one am glad that Silk Road is gone. It gave Bitcoin a bad name. I hope this bust goes far and wide and helps the government recognize that Bitcoin is an opportunity rather than an obstacle.