Slashdot Mirror


User: betterunixthanunix

betterunixthanunix's activity in the archive.

Stories: 0 · Comments: 6,598

Comments · 6,598

  1. Re:no problem on NYC Police Comm'r: Privacy Is 'Off the Table' After Boston Bombs · Score: 3, Insightful

    Question: Would putting everyone in handcuffs when they leave their homes have prevented the bombing? Because that's the only acceptable reason.

  2. Quis custodiet ipsos custodes? on NYC Police Comm'r: Privacy Is 'Off the Table' After Boston Bombs · Score: 1

    Thought experiment: imagine that you live across the street from a police station, and that you install cameras on your property that watch and record the entrance and garage of that police station. How do you think the police would react to that? How might they react if you published your recordings online, so that anyone could see them?

    Whatever the argument is for not having people watching the police applies to not having the police watch me. There are corrupt cops out there who might use their access to a CCTV network to do harm. Abuses of officers' access to such systems have happened in the past:

    https://www.nydailynews.com/new-york/cannibal-faces-life-guilty-conspiracy-kidnap-illegal-databases-article-1.1286075

    I'm all for police being able to catch criminals better.

    We already have an order of magnitude more prisoners than any country on this entire planet. Do you really want to worsen this situation?

    the proper course of action then is to try to get those laws eradicated or at least made to be universally ignored

    You are contradicting yourself. How can a law be universally ignored if the police are better able to catch criminals? That is the whole point here: we want to ensure that some laws are unenforceable, because those laws are unjust; therefore, we need to ensure that the power of the police to enforce the law is limited. Every time we broaden the power of the police, we broaden the scope of enforceable law.

  3. Re:The guy knows about Truecrypt on Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys · Score: 1

    Well, let's put it this way: given that you know about Truecrypt and its hidden volumes feature, imagine that you are interrogating a suspected mafia enforcer. You had a wiretap order, you watched the guy receive encrypted email from a known mafia boss, and now you are asking him for his Truecrypt passphrase. He gives you a passphrase, but when you decrypt the drive you do not see any email from the mafia boss, only mail from the guy's wife and daughters. What is your first assumption?

    As you said, there is no difference between deniable encryption and other solutions if the interrogator is willing to torture you into giving up your key. If the interrogator will not torture you for a key, you might as well keep your mouth shut. The only situation where deniable encryption has any real advantage is one in which you are required to reveal some, and all that matters is that some valid plaintext is decrypted; I do not think that is a very realistic scenario, and it is completely irrelevant if you have already been arrested.

    Really, a smartcard with a "kill switch" is a much better idea. If you have time to shut down your computer (e.g. to stop RAM-freezing), you have time to destroy a smartcard (you can combine these operations into a single emergency "kill switch"). This makes recovering your files difficult, of course, but solving that problem is very much dependent on your particular situation.

  4. Re:Finally a group that gets it! on What's Actually Wrong With DRM In HTML5? · Score: 4, Insightful

    DRM, by definition, hobbles technology. This is not about "choice" -- if all the major media outlets use this technology, it will be enabled by default on everyone's computer, and everyone's computer will be programmed (by default) to fight against the user.

  5. The guy knows about Truecrypt on Federal Magistrate Rules That Fifth Amendment Applies To Encryption Keys · Score: 1

    Now that you gave him a password and he does not see what he wants, he just assumes you used a hidden partition, and gets right back to beating you. The problem with deniable encryption is that you have deniable encryption software, and everyone will assume you are using it. You give your "innocent" password, and then they ask for your "other" password.

  6. Re:Speculation on Drug Site Silk Road Says It Will Survive Bitcoin's Volatility · Score: 1

    i fail to see how tax law is related to this

    The question was, "What backs USD?" For a currency to be "backed," there must be some guarantee about the currency's utility. That is what a tax law does: it guarantees that you can use a currency to meet a legal obligation (tax payment).

    It's not like people woke up one day and said, "Pieces of paper with pictures of dead presidents are a great currency!" The fact that the government will only deal in dollars and the existence of legal tender laws is the reason dollars are the currency of the US. The overwhelming majority of businesses that "accept Bitcoin" are actually accepting USD payments via an exchange service like Bitpay; those businesses need USD, because of the law, and have no real use for Bitcoin.

    Really, your view of currency -- that it is just a thing that magically appears in a market once people agree on it -- is very much out of date: https://en.wikipedia.org/wiki/Modern_monetary_theory

  7. Re:Speculation on Drug Site Silk Road Says It Will Survive Bitcoin's Volatility · Score: 2

    Many people here think that dollars are backed by something

    Dollars are backed by something:

    https://en.wikipedia.org/wiki/Legal_tender

    https://en.wikipedia.org/wiki/Tax_law

    Now that we are past that, can you tell us what Bitcoin is backed by?

  8. Re:Veto ??? on CISPA Passes US House, Despite Privacy Shortcomings and Promised Veto · Score: 4, Insightful

    Where are the guys that make the RIGHT promises and keep them?

    https://en.wikipedia.org/wiki/Third_party_(United_States)

  9. Mark as spam on LinkedIn Invites Gone Wild: How To Keep Close With Exes and Strangers · Score: 1

    It is spam; mark it as spam.

  10. Re:Dangerous on Bin Laden Raid Member To Be WikiLeaks Witness · Score: 1

    They are, however, subject to the US Code, which outlaws treason, defined as it is in the constitution:

    Treason against the United States, shall consist only in levying War against them, or in adhering to their Enemies, giving them Aid and Comfort

    If a military court allows publishing classified documents to be considered evidence that a soldier aided the enemy, it is not a stretch to think that a criminal court might accept such an argument.

  11. Dangerous on Bin Laden Raid Member To Be WikiLeaks Witness · Score: 5, Insightful

    This would basically mean that nobody could report on wars, because anyone doing so could be accused of aiding the enemy. Imagine a version of this where Bin Laden said, "Get me a copy of the New York Times!" and the government accused reporters of aiding the enemy.

  12. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 1

    All I said is that the proof shows that specific security properties are maintained; that only involves defining the class of attack the system is designed to deal with, not the specific manner in which the attack is carried out. There are a lot of chosen plaintext attacks that might be performed, but you can prove that none of them will be successful against ElGamal. If you do not believe me, go read the work of Goldwasser and Micali, which was the seminal work in provably secure cryptography and describes this at length.

  13. I just interrupted the lecture on TSA Log Shows Passengers Say the Darndest Things · Score: 1

    Agent: "It's a millimeter wave scanner, which means..."

    Me: "I have a degree in electrical engineering. I know what millimeter wave scanners are. I am not stepping into it because I feel it is a waste of my tax dollars. Don't waste my time any further."

    Just show the TSA idiots the respect they deserve (none) and let them do their jobs with the full knowledge that they are less well liked than the IRS.

  14. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 1

    Without decentralization a digital cash system is about the most intrusive and evil thing one can imagine

    There are different kinds of decentralization. The systems designed by Chaum, Okamoto, and other researchers in the 80s and 90s allowed for decentralized transactions, even offline transactions, and could be shown to hide the identity of the spender. The only central element in those systems was the bank that issued the currency units and which was ultimately responsible for dealing with double-spending attempts (in the case of offline payments, double spending cannot be prevented but can be detected; many systems were proposed with the property that the bank would be able to generate proof that a party had double-spent money if and only if the party had actually done so).

    Bitcoin has the goal of removing the central issuing authority from the system. Unfortunately, that means that an entirely new formalization of security would be necessary if Bitcoin were to be provably secure, since currently accepted definitions of security for digital cash are based on the assumption of some kind of authority. This problem reflects a deeper issue: Bitcoin is based on an entirely different concept of money, and so any formalization of Bitcoin's security would first require a formalization of money (which I suspect is a bottleneck).

  15. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 1

    I suppose my wording was bad; my point was that the problem with Bitcoin is that any increase in the cost of attacking the system corresponds to a proportional increase in the cost to use the system at all. That is not the case with something like PGP, where increases in the attack cost are exponential compared to the increase in the cost needed to use the system. It is possible to design a digital cash system with this property, but Bitcoin does not have it.

  16. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 1

    Actually, the proofs do not mention any specific attacks; they simply assume the existence of some attack, and then show that the attacker can also solve some hard problem efficiently. What the proofs do is to show that the system maintains a specific security property; attacks on things other than that particular property may still be possible, but you are guaranteed that that property holds no matter what. Obviously it is not possible to rule out all classes of attacks: what counts as an attack depends on the context in which the system is used.

    So, for example, while ElGamal can be proved secure against all chosen plaintext attacks, it is not secure against an adversary who is allowed to view plaintexts that correspond to messages of his choosing. That is a different security property: the CPA property only deals with attackers who can see encryptions of particular messages, not decryptions of particular ciphertexts. The Cramer-Shoup system is secure against adaptive chosen ciphertext attacks (CCA2), but that does not protect you if the adversary is allowed to tamper with your random number generator.

    That is very different from AES. A new way to conduct chosen plaintext attacks could be discovered tomorrow that works on AES. On the other hand, you know that no such attack on ElGamal will be discovered, because it can be proved (with the caveat that it is possible that the DDH hardness assumption is wrong). Likewise, you know that no CCA2 attack on Cramer-Shoup will be discovered; no such statement can be made about AES, because its security is based on heuristics.

    All of this boils down to knowing your requirements. If you do not know your requirements, then the problem is not that you had a false sense of security, it is that you never knew what "security" means for your use case.

  17. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 1

    Economic arguments are usually pretty bad; that was a lesson learned in World War II:

    https://en.wikipedia.org/wiki/TICOM

    The Germans knew Enigma could be attacked but believed that it would be far too costly. That is the same sort of argument you are making for Bitcoin: that the payoff of an attack would not make it worth the cost of the equipment, or that nobody could afford so much computing power in the first place.

    There are a lot of problems with this reasoning. The recent price surge should tell you that the cost of the equipment needed to attack Bitcoin may become smaller compared to the payoff of such an attack. It is also the case that the purpose of the attack might not be to profit directly, but to undermine the trust in Bitcoin and kill the system -- any number of governments with the resources needed for such an attack might want Bitcoin to go away. You are also assuming that the attacker cannot simply sell the equipment right after the attack, keeping his profits (which may be sizable).

    There is also a deeper problem with this reasoning: there is no way to raise the cost of an attack without also raising the cost of using the system. Compare this with other cryptosystems, where there is a security parameter that can be arbitrarily chosen, where the work needed to use the system is some polynomial in that parameter while the work needed to attack the system is exponential. That is the core of the problem: if you discover that someone is attacking Bitcoin, there is basically nothing you can do except to buy more equipment. With the digital cash systems proposed by Chaum, Okamoto, and others, even if you were confronted with an attacker who could break the security of the system, you would only need to adjust the security parameter to stop that (to put it another way, nobody talks about the need to buy more ASICs just because ElGamal keys are too short -- we just make the keys bigger; now apply that reasoning to a digital cash system).

  18. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 3, Insightful

    The attack only requires that the attacker does as much work as the rest of the network until the original transaction is accepted (e.g. after six confirmations), at which point the attacker introduces the malicious block chain where he paid himself. That is not exponential: the attacker is maintaining his own block chain in secret, and only has to work as hard as is needed to keep that block chain as long as the current consensus, which means the attacker will work just slightly harder than the entire rest of the network is working. The concise way of saying that is that the attacker's effort scales linearly with the work done by the rest of the Bitcoin network, which is what I said in the first place.
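    To make the linear-scaling argument of the two comments above concrete, here is an added example (not from the comments or from any Bitcoin project code) that implements the attacker-success calculation from section 11 of the Bitcoin paper and shows that, for a fixed number of confirmations, the hash rate an attacker needs for a given success probability is a fixed multiple of the honest network's hash rate. The hash-rate figures and the 1% target are constructed values, and a brute-force key search is included only as the contrasting case where attack cost grows exponentially in the security parameter.

```python
from math import exp, factorial


def attacker_success_probability(q: float, z: int) -> float:
    """Probability that an attacker holding fraction q of the total hash
    rate eventually overtakes the honest chain once it is z blocks ahead
    (the Poisson calculation from section 11 of the Bitcoin paper)."""
    p = 1.0 - q
    if q >= p:                      # a majority attacker always catches up
        return 1.0
    lam = z * (q / p)               # expected attacker progress while the
    total = 0.0                     # honest miners find z blocks
    for k in range(z + 1):
        poisson = lam ** k * exp(-lam) / factorial(k)
        total += poisson * (1.0 - (q / p) ** (z - k))
    return 1.0 - total


def success_from_hashrates(attacker_rate: float, honest_rate: float,
                           z: int) -> float:
    """Same calculation in terms of absolute hash rates. Only the ratio
    matters: scaling both rates by the same factor changes nothing."""
    q = attacker_rate / (attacker_rate + honest_rate)
    return attacker_success_probability(q, z)


def attacker_rate_for_target(honest_rate: float, z: int,
                             target: float = 0.01) -> float:
    """Smallest attacker hash rate reaching success probability `target`
    against z confirmations, found by bisection on q (the probability is
    monotone in q). The result is a fixed multiple of honest_rate: the cost
    of the attack is linear in the cost of running the honest network."""
    lo, hi = 0.0, 0.5
    for _ in range(60):
        mid = (lo + hi) / 2.0
        if attacker_success_probability(mid, z) < target:
            lo = mid
        else:
            hi = mid
    return hi / (1.0 - hi) * honest_rate


def brute_force_trials(key_bits: int, target: float) -> float:
    """Contrast case: trials needed for probability `target` of guessing a
    uniformly random key of key_bits bits. Each extra bit doubles the
    attacker's work while the legitimate user's cost grows polynomially."""
    return target * 2.0 ** key_bits


if __name__ == "__main__":
    # Constructed figures: an honest network of 100 hash-rate units, then the
    # same attacker ratio with everything scaled up tenfold.
    for z in (1, 3, 6, 10):
        print(f"z={z:2d}  P(q=0.1)={attacker_success_probability(0.1, z):.7f}"
              f"  attacker rate for 1% success vs honest=100: "
              f"{attacker_rate_for_target(100.0, z):.2f}")
    print("scale invariance:", success_from_hashrates(10, 90, 6),
          "==", success_from_hashrates(100, 900, 6))
    print("key search, 128 vs 129 bits:",
          brute_force_trials(128, 0.01), brute_force_trials(129, 0.01))
```

    The first column reproduces the table in the paper (q = 0.1 gives about 0.0002 after six confirmations), while the last column grows by exactly 10x when the honest hash rate does, which is the linear relationship the comments describe.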

  19. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 1

    Point of clarification: the "or" in the statement about ElGamal is an exclusive or; if the DDH problem can be solved efficiently, ElGamal can be broken. The formal statement is actually a reduction: any algorithm that can attack the ElGamal cryptosystem can be used to solve the DDH problem.

  20. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 2

    To spend Bitcoin money multiple times, you only need slightly more computing power than everyone else using Bitcoin combined. The weakness is due to the use of consensus to decide which transactions are valid; by amassing enough computing power, one can control the consensus.

  21. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 1

    Moving to ASICs only means that your attacker needs to get a lot of ASICs. Nobody said the attacker could only use CPUs or GPUs.

    As for the matter of security proofs, while it is true that AES and SHA256 are based on heuristic tests, there are cryptosystems that are based on strong security proofs. For example, the following statement can be proved: the decisional Diffie-Hellman problem can be solved in polynomial time or the ElGamal cryptosystem is secure against any chosen plaintext attack. The math needed to prove lower bounds on the DDH problem is still a matter of research, but such a lower bound proof would eliminate all questions about the security of ElGamal.

    These kinds of security proofs can be given for digital cash systems as well:

    http://citeseerx.ist.psu.edu/viewdoc/summary?doi=10.1.1.44.8279

    You can't prove a negative.

    Anyone who has studied math or theoretical computer science knows that that statement is untrue. Proofs of non-existence are not at all uncommon. There is no construction in Euclidean geometry for a regular heptagon. There is no algorithm that solves the Halting Problem. No cryptosystem can have statistical security unless the key is at least as long as the plaintext. These statements can all be proved and they are all famous results.

  22. Re:Is it? on Bitcoin Exchange Mt.Gox Suffers Serious Attack, Instawallet Offline · Score: 4, Interesting

    If you're into security, I'd highly recommend looking through the specs. It's an incredibly beautiful piece of engineering whether or not you are using it.

    I looked at the specs, in great detail. What I saw is a system that uses cryptography but which is not secure under the notion of "security" that cryptographers use. The effort required for a successful double-spending attack on Bitcoin scales linearly with the effort required to use Bitcoin; this is worthless as far as cryptographic security is concerned. It is also troubling that the Bitcoin "security proof" only rules out a single attack strategy. Usually we want security proofs to rule out *all* theoretically feasible attacks, even those that we do not know of.

  23. Re:Not as black and white as people think on Is Eccentric Sven Olaf Kamphius To Blame For Spamhaus DDoS? · Score: 2

    It sounds like you are suggesting...spam filters, hashcash, and greylisting. Oh, wait, we do that already.

    The reason SMTP endures despite numerous attempts to replace it is that it does one thing and it does it well. Spam exists because SMTP is so good at delivering messages, and because it does so cheaply. I will not be parting with email any time soon.

    Much as I dislike Spamhaus, it is hard to side with someone whose grievances include "Jew lies."

  24. Re:I went back to Satoshi Nakamoto's paper. on Ask Slashdot: Enterprise Bitcoin Mining For Go-Green Initiatives? · Score: 1

    The issue here is not the cryptographic security of transaction signing

    No, it is the cryptographic security of digital cash transactions in general, which is what Bitcoin fails to provide. Bitcoin is not a signature system, it is a digital cash system, and the security property of a digital cash system that matters here is the protection against double spending.

    The fact of the matter is, double spending attacks on Bitcoin require linear time. Twenty years before Bitcoin was released, David Chaum showed the world how to make a digital cash system where double spending required exponential time in a security parameter that had nothing to do with the number of users of the system. That is probably the most annoying part about Bitcoin: not only is it insecure, but we've known how to solve the same problem in a secure way for decades.

  25. Re:I went back to Satoshi Nakamoto's paper. on Ask Slashdot: Enterprise Bitcoin Mining For Go-Green Initiatives? · Score: 2

    Is "a billion" supposed to impress anyone with any amount of experience in cryptography? Would you use a cipher that could be defeated by a billion modern CPUs?

    There is a reason researchers working on secure multiparty computation require that the attacker's work scale exponentially with the work done by honest parties. In Bitcoin, the attacker's work scales at most linearly with the work done by honest parties -- which is cryptographically worthless.

    Again, your argument is what the German cryptographers thought about Enigma. It was a mistake then, and it is still a mistake today.