Are governments deliberately poisoning the cryptographic/cryptocurrency well?


Introduction

I will try to keep this brief.  It is a complex subject and I will apologise in advance as it is not my area of scientific expertise so unlike medical sciences I am merely a fascinated layman.

I know we probably have at least a few people on here who will be well versed in the mathematics of cryptographic technique and I would be grateful for your input on this matter.  

I was inspired to write this today by reading an article on Ars Technica.  I would highly recommend reading it:

"NSA could put undetectable “trapdoors” in millions of crypto keys" - Ars Technica.

I think it raises some important questions about government activity that many of us may often wonder about, particularly within cryptocurrencies where we tend to be of a more libertarian (small government) mindset or even a fully anarchistic mindset.

That said, please take this post with the colloquial "pinch of salt".  I don't want people to get too alarmed.  I just think we need to think about such things and be vigilant.  

I will apologise in advance for my stupidity and ignorance.  There will also be kittens at the end as always.

The gist of the article

The article covers how researchers have devised a way to create backdoors in encryption methods (Diffie-Hellman in this case) that are virtually impossible to detect.

From what I understand a lot of encryption methods make use of very large prime numbers to carry out calculations which are prohibitively difficult (computationally) to solve.

The researchers were able to create primes with properties which made them easier to derive.  As the article states:

"The researchers were able to break one of these weakened 1,024-bit primes in slightly more than two months using an academic computing cluster of 2,000 to 3,000 CPUs."

If researchers were able to do this it is a safe bet in my opinion that government agencies already know of this and have technology in place that allows them to do this much more rapidly and efficiently. 

What takes the researchers 2 months may take hours or even minutes for the government with their computational resources.

Is the government putting out compromised primes already?  

It is a really clever idea if you think about it.  

It is the equivalent of one side in a war giving the other side equipment that allows them to eavesdrop on what they are doing without them even realising it.  

If you can compromise the communications of "the enemy" then you can potentially win the war before it even starts.

Poisoning the cryptographic well

Government agencies or private companies may be putting out a combination of compromised cryptography resources for us to use and integrate into our software.  

This could take several forms by putting out the following types of resources:

1) Lists of compromised primes as described in the article.

2) Encryption methods/protocols that have a specific fatal flaw that is not readily apparent or publicly known (they use an example known as Dual_EC_DRBG).

3) Random number generators/sources that are not fully random.

4) Other encryption resources, tools or software which may be backdoored to allow snooping by the right organisation.

The government would obviously not be open about doing this and some of these resources could be being put out covertly by companies acting as a "front" for the real source.
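One defensive answer to item 1, shown here as an added example that is not part of the original post: accept a Diffie-Hellman prime only if it can be re-derived from a published formula, rather than trusting a supplied copy. The formula and the constant 124476 are those of the RFC 3526 2048-bit group; the function names and the altered value `swapped` are constructed for illustration.

```python
import random

def arctan_inv(x, scale):
    """Approximate scale * arctan(1/x) with integer arithmetic only."""
    total = term = scale // x
    x2, k = x * x, 1
    while term:
        term //= x2
        k += 2
        total += -(term // k) if (k // 2) % 2 else term // k
    return total

def pi_floor(bits, guard=64):
    """floor(2**bits * pi) via Machin's formula; guard bits absorb truncation error."""
    scale = 1 << (bits + guard)
    return (16 * arctan_inv(5, scale) - 4 * arctan_inv(239, scale)) >> guard

def derive_modp_prime(bits, offset):
    """RFC 3526 form: 2^n - 2^(n-64) - 1 + 2^64 * (floor(2^(n-130) * pi) + offset)."""
    return (1 << bits) - (1 << (bits - 64)) - 1 + (1 << 64) * (pi_floor(bits - 130) + offset)

def is_probable_prime(n, rounds=20):
    """Miller-Rabin probabilistic primality test."""
    if n < 4 or n % 2 == 0:
        return n in (2, 3)
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def vet_prime(candidate, bits, offset):
    """Accept a supplied prime only if it equals the public derivation and is a safe prime."""
    return (candidate == derive_modp_prime(bits, offset)
            and is_probable_prime(candidate)
            and is_probable_prime((candidate - 1) // 2))

RFC3526_2048_OFFSET = 124476            # constant published in RFC 3526 for the 2048-bit group
good = derive_modp_prime(2048, RFC3526_2048_OFFSET)
swapped = good + 2 ** 65                # constructed stand-in for a value altered in a list
```

This does not detect a trapdoor inside an arbitrary prime; it sidesteps the problem by refusing any prime whose generation cannot be reproduced.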

Is open source software a good place to hide exploits?

Further if I was the head of one of these agencies I would also be seeding this kind of material in open source software.  

The open source movement is central to a lot of software development these days and there is kind of an attitude amongst the public at least that it must be trustworthy.  

It is developed by large groups of people but there is no centralised way of vetting who is actually working on the software or what their motivations are.  

It could literally be anyone.

One would hope that with multiple people working on it any compromises would be discovered and brought to light but who knows for sure?

If it was found it could just be called a flaw or a bug and patched.  If not then I (as the government) would have a secret weapon that nobody else knew about.

Are we putting too much trust in the safety of open source?  

Can we be sure that open source resources are clean and not being gamed by security agencies using these methods?

Cryptocurrencies and government agencies

This brings me to the issue of cryptocurrencies.  

They are based, on the whole, on the principle of computationally expensive cryptography.

Is it possible that something like bitcoin itself could have been compromised in this way?  

One would hope that if it was, someone would have spotted it by now, given all the very intelligent people who are constantly reviewing the code etc., but exploits are missed all the time.

You can never be sure to catch everything.

Was Satoshi a government agent?

My point is we don't know who Satoshi is or was.  One of the theories was that he may have been a group within a security agency such as the NSA.  

What if this was true and they had built in some almost invisible method that allowed them to manipulate the blockchain to their own ends?  

For example, something that was so computationally expensive to the average user that they could never hope to break it or even consider it a problem but that could be broken easily with state resources.

You could get the very people who are against big government to buy into a new type of money/currency without even knowing that it was a government scheme.  

I suppose the question would be to what ends?

My guess would be to have some means of manipulating global markets (assuming bitcoin got to a reserve currency type level).  

It could certainly be considered a matter of national security and could also be used as an economic weapon against foreign powers at that stage.

Do we need to be paranoid of both people and resources?

Obviously the code is now open source but as I stated earlier we don't know exactly who has their hands in the open source code.

With government resources you could easily hire anyone you wanted to work on the code.  

If money didn't work you could use your powers to compel people who might not even want to help you to get on board.  

They are already spying on us all the time (as Snowden revealed) and could certainly find ways to apply pressure to people in order to get them to bend to their will.  

With enough knowledge you could compromise anyone.

For all we know some of the most public developers in the bitcoin community who profess to be in favour of liberty may in fact be in the pockets of the very governments whose oppression they claim to be fighting.

I think we need to be aware that infiltration is an ancient human tactic and there may well be people that we think are on our side fighting for liberty who may be the metaphorical "snakes in the grass".

Paranoia is not necessarily a good thing but there is nothing wrong with vigilance and caution.

Does this have implications for other cryptocurrencies like Steem too?

  

I'm not sure - I will leave that to those who are more knowledgeable of specific cases to do this.

It is an interesting question though - could for example the DAO hacker have been a government agent who had infiltrated the ethereum community and was ordered to carry out the hack as a form of sabotage?  

Perhaps the government/large corporations saw the momentum and public enthusiasm generated and decided to nip it in the bud.  

It is certainly not something I consider to be beyond their ethics or their means.

Conclusions

As I said previously I don't mean to be alarmist.  I think it is sensible to be cautious and vigilant of the possibilities.  

Further like I said I am not a cryptographer.  I am also not a programmer.  

I am, however, aware that arrogance and extreme belief in one's own knowledge, abilities and expertise has been the downfall of many people throughout history.  

Thinking you are smarter than everyone else and can't fail is an idea that inevitably leads to failure.  

Just look at the recent example of the DAO.  All the pronouncements and hubris that related to that now look like a joke.  

It would be even more ironic if it was carried out by someone internally who was a government agent or someone whom they had compromised.

We need to be vigilant to all threats as a community.  We must also work together to fight them.  

The world is changing fast and it is unlikely that the old vested interests will let go of their power and control of us too easily.

Anyway please let me know what you think.  

Am I getting the wrong end of the stick and being overly paranoid and alarmist despite my intentions? 

As one of my old teachers used to say "a little knowledge is a dangerous thing".  Perhaps that is the case here so I will apologise in advance if that is so.

Thank you for reading.  I will apologise in advance for any typographical errors I may have missed.

The Obligatory Kitten Photo:

If you like my work and aren't already, please follow me and check out my blog (I mainly discuss photography but I do other topics too) -  @thecryptofiend 

Image Credits: All images are from my own personal Thinkstock account.
