CSACH_4_Nad_Cryptographic_principles_and_

Bitcoin – Cryptographic Principles
and the Collapse of Mt. Gox
Tomislav Nad
11 April 2014
Bitcoin
Bitcoin P2P e-cash paper published by Satoshi Nakamoto in 2008
First software in 2009
Double-spending is prevented with a peer-to-peer network.
No mint or other trusted parties.
Participants can be anonymous.
New coins are made from Hashcash-style proof-of-work.
The proof-of-work for new coin generation also powers the network to prevent double-spending.
Security Principles and Bitcoin
Authentication
Am I paying the right person?
Is the payer the owner of the coin?
Integrity
Is the coin double-spent?
Can an attacker reverse or change transactions?
Availability
Can I make a transaction anytime I want?
Confidentiality
Not very relevant. But privacy is important.
Cryptographic Primitives in Bitcoin
Hash Functions
Digital Signatures
Hash Functions
Consistent: hash(X) always yields the same result
One-way: given Y, it is hard to find X such that hash(X) = Y
Collision resistant: given hash(X) = Y, it is hard to find Z ≠ X such that hash(Z) = Y
Examples: SHA-1, SHA-2, RIPEMD-160
[Diagram: message of arbitrary length → hash function → fixed-size hash value]
Digital Signatures
Public key cryptography
one private key P and one public key Q
Examples: RSA, DSA, ECDSA
[Diagram (signing): private key, message → hash function → signature function → signature]
[Diagram (verification): public key, signature → signature function; message → hash function; compare]
What is a Bitcoin?
Public database called the block chain
Contains every transaction ever made
Blocks contain
proof of work
transaction data
digital signatures
hash values
etc.
Bitcoin Transaction
[Diagram labels: Alice, Bob, 50 B$, 30 B$, transaction record, digital signature, Pa, Qb, P2P network, miners, transaction block]
Block Chain and Bitcoin Generation
[Diagram: chain of blocks, each containing the previous hash, transactions (Tx) and a nonce; proof of work: the hash function applied to a block must give a hash value < E]
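The block structure in the diagram above (previous hash, transactions, nonce, hash value < E), as an added example that is not part of the original slides. The JSON serialisation, the 12-bit difficulty and all function names are assumptions chosen for illustration, not Bitcoin's real block format.

```python
import hashlib
import json

DIFFICULTY_BITS = 12                      # assumed toy difficulty
TARGET_E = 1 << (256 - DIFFICULTY_BITS)   # a block hash must be < E
GENESIS_PREV = "00" * 32                  # placeholder "previous hash" of block 0


def block_hash(block):
    """Double SHA-256 over a canonical serialisation of the block."""
    data = json.dumps(block, sort_keys=True).encode()
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def mine(prev_hash, txs):
    """Proof of work: try nonces until the block hash falls below E."""
    block = {"prev": prev_hash, "txs": txs, "nonce": 0}
    while int(block_hash(block), 16) >= TARGET_E:
        block["nonce"] += 1
    return block


def build_chain(batches):
    """Mine one block per batch of transactions, each linked to its predecessor."""
    chain, prev = [], GENESIS_PREV
    for txs in batches:
        block = mine(prev, txs)
        chain.append(block)
        prev = block_hash(block)
    return chain


def first_invalid(chain):
    """Index of the first block with a broken link or insufficient work, else None."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["prev"] != prev or int(block_hash(block), 16) >= TARGET_E:
            return i
        prev = block_hash(block)
    return None


if __name__ == "__main__":
    # Constructed sample transactions.
    chain = build_chain([["Alice pays Bob 30"], ["Bob pays Carol 10"], ["Carol pays Dave 5"]])
    print("valid chain:", first_invalid(chain) is None)
    # Changing a transaction in block 1 and redoing only that block's work
    # still leaves block 2 pointing at the old hash.
    chain[1] = mine(chain[1]["prev"], ["Bob pays Mallory 10"])
    print("first invalid block after the change:", first_invalid(chain))
```

Changing an old transaction therefore requires redoing the proof of work for that block and every block after it, which is the integrity property the security-principles slide asks about.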
How to Get Bitcoins
Buy bitcoins
Mine bitcoins
Mt. Gox
Magic: The Gathering Online Exchange
Digital currency exchanger and trade
market
User on Mt. Gox has two sub-accounts
one for Bitcoins
one for national currency
User can buy or sell Bitcoins
Bitcoins centrally managed by Mt. Gox
Collapse of Mt. Gox
June 2011
Security breach
The attacker got access to the user database containing hashed passwords
The password of at least one account was revealed: the admin account
The attacker arbitrarily assigned himself a large number of Bitcoins, which he subsequently sold on the exchange, driving the price from $17.50 to $0.01 within the span of 30 minutes.
With the price low, the thief was able to make a larger withdrawal (approximately 2000 BTC) before security measures stopped further action.
http://en.wikipedia.org/wiki/Mt._Gox
Collapse of Mt. Gox
October 2011
About two dozen transactions appeared in the block chain that sent a total of 2,609 BTC to invalid addresses
These Bitcoins were effectively lost
While the standard client would check for such an error and reject the transactions, nodes on the network would not
Self-written code was used to connect to the Bitcoin network
Mt. Gox admitted to being the source of the error
http://en.wikipedia.org/wiki/Mt._Gox
Collapse of Mt. Gox
2013
DDoS attacks
Software problems
Performance problems
Withdrawal problems
Competition
http://bitcoincharts.com
Collapse of Mt. Gox
February 2014
7 February 2014, all Bitcoin withdrawals were halted by Mt. Gox: “to obtain a clear technical view of the currency processes”
10 February 2014, press release stating that the issue was due to transaction malleability: “A bug in the bitcoin software makes it possible for someone to use the Bitcoin network to alter transaction details to make it seem like a sending of bitcoins to a bitcoin wallet did not occur when in fact it did occur. Since the transaction appears as if it has not proceeded correctly, the bitcoins may be resent. MtGox is working with the Bitcoin core development team and others to mitigate this issue.”
17 February 2014, press release indicating the steps they claim they are taking to address security issues: “We apologize for the inconvenience caused by the recent suspension of external bitcoin transfers. Fortunately, as we announced on Saturday we have now implemented a solution that should enable withdrawals and mitigate any issues caused by transaction malleability (please see our previous statements for details on this issue).”
20 February 2014, all withdrawals still halted: “In addition to the technical issue, this week we have experienced some security problems, and as a result we had to relocate Mt Gox to our previous office building in Shibuya. The move, combined with some other security and technical challenges, pushed back our progress...we are committed to solving this issue and will provide more information as soon as possible.”
23 February 2014, Mark Karpelès, the CEO of Mt. Gox, resigned from the board of the Bitcoin Foundation
http://en.wikipedia.org/wiki/Mt._Gox
Collapse of Mt. Gox
February-March 2014
24 February 2014, Mt. Gox suspended all trading, and hours later its website went offline. An internal crisis document leaked which said that Mt. Gox was insolvent due to the loss of 744,408 bitcoins. The theft went undetected for years.
25 February 2014, Mt. Gox reported on its website that a "decision was taken to close all transactions for the time being", citing "recent news reports and the potential repercussions on Mt. Gox’s operations".
28 February 2014, Mt. Gox filed for bankruptcy protection in Tokyo due to the loss of almost 750,000 of its customers' bitcoins, and around 100,000 of its own bitcoins, totalling around 7% of all bitcoins, and worth around $473 million near the time of the filing
7 March 2014, careful watchers of the Bitcoin block chain observed that 200,000 BTC from addresses associated with Mt. Gox were being moved for the first time in over two years. As these coins were split up into much smaller chunks by hundreds of transactions, it was speculated that hackers were now controlling the funds and were trying to cover their tracks.
20 March 2014, Mt. Gox reported on its website that it found 200,000 bitcoins in an “old” digital wallet from 2011.
http://en.wikipedia.org/wiki/Mt._Gox
What happened?
Transaction Malleability?
Known since 2011
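The failure mode described in the 10 February press release, shown from the side of the party tracking its own withdrawals; this is an added example, not code from the slides or from Mt. Gox. The transaction layout, the padding used as a stand-in for a re-encoded signature and all function names are assumptions, not Bitcoin's wire format.

```python
import hashlib


def dsha(data: bytes) -> str:
    """Double SHA-256, hex encoded."""
    return hashlib.sha256(hashlib.sha256(data).digest()).hexdigest()


def outputs_str(tx):
    return "|".join(f"{addr}={amount}" for addr, amount in tx["outputs"])


def txid(tx):
    """Toy transaction id: hash over everything, signature bytes included."""
    ins = "|".join(f"{i['prev']}:{i['sig'].hex()}" for i in tx["inputs"])
    return dsha(f"{ins}#{outputs_str(tx)}".encode())


def normalized_id(tx):
    """Hash over the payment itself: which outputs are spent and who is paid."""
    ins = "|".join(i["prev"] for i in tx["inputs"])
    return dsha(f"{ins}#{outputs_str(tx)}".encode())


def reencode(tx):
    """Constructed stand-in for a different encoding of the same signature."""
    inputs = [{"prev": i["prev"], "sig": b"\x00" + i["sig"]} for i in tx["inputs"]]
    return {"inputs": inputs, "outputs": list(tx["outputs"])}


def looks_unpaid_by_txid(sent, confirmed):
    """Fragile check: only recognises the exact id that was broadcast."""
    return txid(sent) not in {txid(t) for t in confirmed}


def looks_unpaid_by_content(sent, confirmed):
    """Robust check: recognises the payment whatever id it confirmed under."""
    return normalized_id(sent) not in {normalized_id(t) for t in confirmed}


if __name__ == "__main__":
    # Constructed sample withdrawal.
    sent = {"inputs": [{"prev": "utxo-1:0", "sig": b"\x30\x44sample"}],
            "outputs": [("customer-address", 30)]}
    confirmed = [reencode(sent)]  # same payment, confirmed under another id
    print("txid check says resend:", looks_unpaid_by_txid(sent, confirmed))
    print("content check says resend:", looks_unpaid_by_content(sent, confirmed))
```

A withdrawal system that reconciles on the broadcast id alone reports the payment as missing and may pay it again; reconciling on the spent inputs and the outputs does not.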
Doubts about Mt. Gox Story
“Bitcoin Transaction Malleability and MtGox” by Christian Decker and Roger Wattenhofer, ETH.
Lessons Learned from Mt. Gox
Understand Bitcoin and its network
Trading requires IT security on an equivalent level as banks and stock markets
Don’t write your own Bitcoin software unless you know what you are doing