Bitcoin security (by alaric)
I've been learning about Bitcoin lately.
It's an electronic currency. I've seen electronic currency before - in the late 90s there were efforts to create them based on virtual banks issuing coins. The coins were basically long random serial numbers which, along with a statement of the value of the coin, were then signed by the bank. The public key of the bank is published, so people can check they're valid coins issued by the bank. The idea was that rather than withdrawing a bunch of notes from the bank, you can ask the bank to mint you a bunch of these signed numbers instead; and anyone who sees them can check their value, and eventually, return them to the bank (which can also check their value in the same way) to get their account credited.
This simple approach has two problems: the coins can be traced by their unique serial number (even more conveniently than the serial numbers on notes, and about as conveniently as card transactions and inter-bank transfers already can), and that it's hard to detect somebody spending the same coin twice - as it's just a number, you can make as many copies as you like. Various elaborate cryptographic techniques were proposed to avoid this, with the person withdrawing from the bank choosing the random numbers and letting the bank "blind-sign" them without knowing them, people spending the coins having to hand over a recipient-chosen random set of bits from a secret number such that if the same coin is spent with two different recipients enough bits are revealed to identify the double-spender, and so on...
These things just complicate the process of transferring funds, in ways that make it harder and harder to trust the security. And it leaves a currency that relies on central banks to issue it (which can be exploited by determined and/or powerful attackers).
So, enter bitcoin. I won't bore you with the deep technical details (see the paper for that), but the basic idea is this: I have a pool of bitcoin addresses, which are just public+private key pairs - the well-studied basis of cryptographic digital identity. Other people can send money to those identities by issuing transactions, signed by an identity that has enough money, specifying the hash of my public key (my address, that I publish) and an amount to transfer. For this transaction to be valid, there has to be enough money in the source address - so trying to spend the same money twice means the transaction is not valid. The money assigned to any one address can be traced back through the transactions to an event that first created some money (more on that in a moment).
Now, how do people know if a transaction is valid? Because when I issue a transaction, it gets broadcast into the network. And all the other nodes in the network check their copy of all the transactions that have ever happened to see if it matches the rules. If so, they accept it - and demonstrate this fact by competing with each other to solve a Hard Maths Puzzled based on my transaction. The computer that does this first then receives a fixed bonus, which creates new money; and it also receives any optional "transaction fee" I put in my transaction, encouraging computers to pay attention to my transaction first.
That's really clever. My transaction is vouched for by other computers - ones I do not control - vouching that it meets the rules by spending their time competing to solve the puzzle and get the bounty. Claiming the bounty is a transaction much like any other, creating money from nothing and sending it to an address; other computers won't accept it unless the rules are kept (meaning there's no incentive for a computer to try and solve the puzzle for an invalid transaction, as other computers won't accept it and give them the bounty).
And the difficulty of the puzzle that needs to be solved, and the maximum bounty that can be claimed for solving it, changes with time. The difficulty is adjusted based on how quickly previous puzzles were solved, and the amount of bounty with the amount of money in circulation, so even as more and more computers join the system, the average time before a transaction is wholly accepted by the system remains about the same (about one hour) and the total amount of money in circulation will slowly rise for a while, then remain roughly constant (the bounties will get smaller and smaller until, eventually, transaction fees are the main motivation for trying to solve the puzzle).
Who sets the difficulty of the puzzle and all that? The computers in the network do - when the system was created, rules were agreed, and written into the software. As everyone runs software following those rules, anybody solving easier puzzles or trying to award themselves more bounty for doing so will have their bounty-claiming transaction rejected as invalid. To loosen the rules, a majority of the computers in the system will all need to accept the new rules - so it will require consensus from the community.
Bitcoins started off being worthless (so the original "miners" setting their computers to solve the puzzles made lots of them and hoarded them), but over the past months, they've started gaining real cash value. As I write this, they're about $5 each, and people are racing to build supercomputers to solve the puzzles faster and faster so they get a bigger share of the approximately 300 an hour that currently get generated as bounties. The recent meteoritic rise suggests a speculative bubble, which will burst some day - the ten I bought for £2.20 each yesterday are worth about £2.80 each today.
But the recent public attention (Forbes article, This Week in Startups interview) has caused people to start raising questions. Is this going to encourage money laundering, tax evasion, buying and selling illegal goods and services? Will it be stomped down on by governments?
I have a few thoughts on the matter.
Bank transfers and card transactions are incredibly traceable. There's only a few banks, and the authorities have taken the time to forge relationships with them all, so bringing up somebody's bank records is a simple matter; and from that, it can be seen who all their money has come to and from, and then go and pull their bank records in turn.
Which is why illegal transfers are done in cash or by barter. When you withdraw cash from your bank, you have objects you can hand to somebody. Notes have serial numbers, and a sufficiently motivated law enforcer can try and find the serial numbers of notes held by somebody of interest, and then see where they turn up; but it's a lot of work, so it's presumably only done when it matters.
Bitcoin is rather like those notes, except the difficulty is slightly different in nature.
You see, bitcoin relies on the global transaction history being public knowledge, so that everyone can agree on what transactions are valid (by checking them against all other transactions to make sure the same money isn't spent more than once, in ANY OTHER transaction). The privacy is in the addresses. The bitcoin software generates addresses for you on demand; normal practice is to make a new address every time somebody is to send you money, so you can see when it arrives. If you buy from a bitcoin shop, they will give you a payment address that's unique to that one transaction, so you don't need to specify a "reference" like you do with bank transfers. Sure, you might publish an address for random donations, but that's then separate from your other addresses.
But the addresses aren't like bank accounts, exactly. When you want to buy something, the client software slurps together a load of addresses' balances to cover the amount to send. And as the resulting amount will often be slightly more than is needed, it'll also create a new address of your own, and have the transaction send enough money to the requested recipient, as well as the "change" (minus a transaction fee) back to the new one-off address.
So, money sent to or from known addresses can be "traced" to the holder of that address. Transactions sending money from the CIA's address to Al Quaeda's address will, well, be obvious.The problem is that most transactions will involve these one-off addresses, most of which will have all their value transferred on and never used thereafter.
Indeed, I could make my bitcoin client sit there creating new addresses and transferring random chunks of my wealth to random new addresses 24x7, to effectively launder all my money through a few thousand identities. If I give somebody some money and, ten hops later, some of it is used to buy porn, I can't tell what those ten hops were - they might be ten transfers to different people, in which case, well, aren't we all six or so degrees apart anyway? It could be anyone. Or it could be the same person, laundering his money.
So isn't that a nightmare for law enforcement? Won't they have to crack down on this and make it illegal, before it's used to FUND TERRORISM and DESTROY CAPITALISM?!?!
Well, no. Perhaps they will do that anyway as a knee-jerk reaction. But I think it's just like cash, but a little easier for them to trace. If they realise it, they'll be behind it, which I think will be a good thing - as I think Bitcoin is a good currency that will enable all sorts of cool things that can't currently be done practically.
For a start, those laundering transactions are exactly the kinds of things intelligence services are good at figuring out. They can put supercomputers to work analysing the global transaction stream (all available in ONE place; no need to talk to lots of banks - or worry about infiltrating uncooperative foreign banks). Some value that goes into an account then buzzes through a self-contained pool of accounts for some time then zooms out to somewhere else can probably be traced through analysing the timings of transactions and the like; the pattern of automated laundering will be different from actual spending, if you have enough computer power to find the patterns. Imagine drawing a diagram with a blob for each address you know something about (eg, can tie to a person or organisation), and drawing arrows for all the transactions between them. Any single-use addresses can just be chained together as part of the same arrow. Any unknown addresses can be given small blobs on the diagram. Colour the arrows with the magnitude of the amount transferred, on a log scale. Arrange the diagram so the minimum of arrows overlap. Do this for the transactions in each day, and then make a movie of them changing over time. Take a given known-suspect transaction and treat it like a drop of dye, colouring it strongly, and mixing it with the light grey of other money flowing through the system as it dissipates, and see where that dye spreads to. Then get computers automating the analysis even further.
Similarly, if you can snoop somebody's Internet traffic, you can see where transactions come from; when money is spent from an address, this fact is obvious from the internet connection over which the transaction is issued. So if the CIA sends Al Qaeda some money, and they launder it from their laptop, this will be obvious. By watching somebody's Internet connection, you can see all their outgoing transactions; and from that, you can learn all their addresses; and from the global transaction stream, you can then see all the money being sent to those addresses.
A successful money laundry would need to use a lot of different computers and not re-use them in suspicious ways. It would need to go to the effort of simulating an ordinary economy of its own, spread around the world. And the effort and organisation that takes would make it ripe for hunting down using traditional law-enforcement techniques: paying moles, finding a slip-up and exploiting it to find the network, and so on.
What about using Internet traffic anonymisers, like Tor? They encrypt the traffic coming to and from your computer, which removes the advantages available to doing that. Tor was initially sponsored by the US government, and is not without its weaknesses - again, ones which I suspect will protect legitimate users by being too expensive to employ en mass, but will be possible to overcome when individual people or organisations become worth spending millions to hunt down.
So, I think bitcoin will be a boon for law enforcement, as it'll overally make it easier to trace down the financial activities of bad apples. Therefore, the bad apples won't use it much, which will help to give the network a good reputation and encourage legitimate take-up. Bitcoin will be as anonymous as cash - for people who are not the subject of a major, expensive, law enforcement investigation, it's perfect. It'll be a lot harder to do the kind of routine mass surveillance that is currently done with card payment records, and I think that's a good thing; routine mass surveillance is an infringement of fundamental liberties. But it'll still give the tools to sufficiently powerful organisations to break the anonymity and trace down money flows.
By Jaime Nunez, Thu 12th May 2011 @ 11:22 am
Very good analysis, covering many of the issues we are all thinking about regarding this bitcoin currency.
By Jon Matonis, Thu 12th May 2011 @ 2:42 pm
Excellent read...clearly written by someone who understands mechanics of digital bearer cash.
You point on transactional tracing definitely made me think about 'self-contained pools' and 'transaction timing'. However, I don't think you are considering a structure of unrelated, unconnected mutual offset accounts as are used today in correspondent banking. For example, a Pound Sterling transaction comes in and a Japanese Yen transaction goes out without the two ever connecting because the offset is conducted off the grid.
Also, as more 'mixer' services -- http://bitcoinlaundry.com/ and http://app.bitlaundry.com/ -- come on line, the greater the pool of dead-end transactions and the greater the opportunity for unrelated, off-the-grid offsets.
By Yuliy, Thu 12th May 2011 @ 4:24 pm
I don't buy your arguments that BitCoin is traceable, especially when used by organized crime.
The presence of botnets makes the claim that someone's BitCoin activity can be traced bogus. Also, as Jon pointed out, the BitCoin activity stream cannot be an effective way of determining the entire story.
Very few people need untraceable irrevocable transfers. And of those people, even fewer need them for legitimate purposes.
By Vandroiy, Thu 12th May 2011 @ 5:18 pm
I'm not so sure about the tracking. Any service that allows users to add and withdraw BTC might be used to obscure the flow. Right now, if mtgox decides to make its internal transactions obscure to an observing authority, I see little chance of tracking coins that entered it. They might flow out as BTC in any quantization to any target, and are mixed up with massive amounts of other transactions that enter and exit.
Relaying transactions over a hijacked machine anywhere should be trivial as well. The methods of tracking proposed are not reliable.
I don't think that's so bad though. Cash is similar, it's always been there, but the world didn't crumble yet. Okay, it's faster and easier to transport BTC. But for large amounts that have enough of a criminal origin to require laundering in the first place, speed is not that much of an issue. I don't think the difference will be all too big.
By Mark Herpel, Sat 14th May 2011 @ 8:19 pm
(the gov considers everyone using a non-bank unlicensed financial system a bad apple)
"So, I think bitcoin will be a boon for law enforcement, as it'll overally make it easier to trace down the financial activities of bad apples."
True but it's FAR from being a full proof way to track funds. It's very naive to think that your statement is at all accurate, a majority of funds bouncing around in the digital world will move between currency. (1)As an example, an agent will accept Bitcoin and pay out Liberty Reserve leaving no absolutely no way to trace. (2)Anyone out there swapping Second life currency, Facebook credits or some other online digital unit for Bitcoin? (3)Funds may be paid in a deposit of an online a game, a few hands of poker played and funds withdrawn. (4)Merchandise can be purchased and resold via eBay. There's an endless global supply of outlets and exchanges for digital currency. The few rare circumstances you mention for tracing transactions could soon become the exception not the norm. All of this has been done before over the past decade with other digital currency, it's really shocking how many people think Bitcoin is the first of it's kind.
"Therefore, the bad apples won't use it much..."
HA, we'll all have to stand in front of the mirror and repeat that phrase each morning. You got to be kidding me you believe that one.
"...which will help to give the network a good reputation and encourage legitimate take-up."
I really wish that were true. The only thing which will encourage legitimate business to accept it will be a government license and printed regulations, otherwise it's the wild west and anything goes and that won't last. Don't get me wrong, I love the wild west, I'm trying to give you some heads up, if you think this will all be rainbows and puppies, you're in for a fricken big surprise, get out of the US with this business, THEY DON'T WANT IT. The first to go is always be the agents exchanging the digital to national currency. The banks will close their accounts, they will be prosecuted or both. Don't do it through the US and I'd say it will all be fine.
[ed: fixed formatting]
By alaric, Sun 15th May 2011 @ 12:05 pm
Yikes, the formatting went a bit funny on Mark's comments there.
As for laundering money via Bitcoin and other forms of online currency (and, presumably, out into actual cash that you then transport via other means, and gold, and so on) - these are all part of the existing money laundering industry, though. I guess the point I'm trying to make isn't that you can't launder Bitcoin, but that for law enforcement, it's not really largely worse than the current situation. Whether the benefits of a global transaction stream they can pipe straight into their supercomputers versus the ease of micropaying between random identities via Tor to launder your own bitcoins play out as harder or easier than cash laundering remains to be seen, but either way, I think it's roughly the same order of magnitude as cash, and so not a horrible new threat that needs stamping on from above...
Yeah, "bad apples" will use it, but what I mean is more that they shouldn't flock to it as a lovely new panacea for transferring money without legal oversight. From the perspective of a criminal, I'd be very suspicious of the security of bitcoin compared to the traditional briefcases full of nonsequential bills and so on!
By Iain, Sat 4th Jun 2011 @ 6:07 pm
There's a very simple way that criminal enterprises will get round the tracing that you've described. They already have access to thousands of computers at different addresses via botnets.
A botnet would be perfect for the bitcoin laundering process you describe above.
By alaric, Fri 22nd Mar 2013 @ 11:00 am
Botnets will help to get around the connection-based traffic analysis, but they'll still be prone to statistical analysis; and they have a particular flaw - as they depend on communication between themselves to coordinate their money laundering activity (after all, the launderer needs to make sure the money ends up in bitcoin addresses they control), they will tend to fall prey to the weakness of most botnets: once an instance of the bot has been found and analysed, the control and communications mechanism can be reverse-engineered and subverted. That means the eventual target addresses can be found, and it might even mean that the botnet can be fooled into sending all the money to an address controlled by somebody else...
By Sasha, Wed 13th Nov 2013 @ 6:09 pm
Al, do you have any idea of how I can chart the money flow through transactions?