-
Crypto Currency Regulation and Law Enforcement Perspectives
Authors:
Nicolas T. Courtois,
Kacper T. Gradon,
Klaus Schmeh
Abstract:
This paper provides an overview of how crypto currency and blockchain engineering interacts with law enforcement. We point out that a large proportion of crypto users are amateur investors and that the dominant and largest segment in crypto crime is simply investment scams (!). We look at various questions of criminal use and misuse of technology, especially in the areas of money laundering or cashing out the profits originating from illicit activities. The aim of the paper is to raise a set of concerns arising in criminal justice and policing circles, based on interviews with law enforcement practitioners, and to see how cryptos could be reconciled with public security and safety. We propose a simplified classification of crimes related to crypto currency. We study the development of blockchains in the broader context of applied cryptography and payment technology. Ransomware is a big threat, but we also need protection against corporate misconduct or negligence, with untested financial services breaching customer trust or government regulations. Not paying taxes is illegal, but there is more at stake: exposing crypto holders to losing all their savings in scams or thefts. Interestingly, privacy helps to defend on multiple fronts: against social engineering, targeted crime, scams, and also against cybersecurity thefts and hacks.
Submitted 1 September, 2021;
originally announced September 2021.
-
Invariant Hopping Attacks on Block Ciphers
Authors:
Nicolas T. Courtois
Abstract:
Block ciphers have been in widespread use since the 1970s. Their iterated structure is prone to numerous round invariant attacks, for example in Linear Cryptanalysis (LC). The next step is to look at non-linear polynomial invariants, cf. Eurocrypt'95. Until recently, researchers had found extremely few such attacks, with some impossibility results. Eventually, recent papers showed how to construct polynomial invariant attacks for block ciphers; however, many such results were of degree 2. In this paper we propose a new incremental methodology for constructing high degree polynomial invariant attacks on block ciphers. A trivial attack on one cipher setup is transposed to show the existence of a more advanced attack on a stronger cipher in several steps. The key tool is the manipulation of the roots of the so-called Fundamental Equation. Examples are constructed with an old historical block cipher, T-310.
Submitted 8 February, 2020;
originally announced February 2020.
-
Lack of Unique Factorization as a Tool in Block Cipher Cryptanalysis
Authors:
Nicolas T. Courtois,
Aidan Patrick
Abstract:
Linear (or differential) cryptanalysis may seem a dull topic for a mathematician: it is about super simple invariants characterized by, say, a word on n=64 bits with very few bits at 1; the space of possible attacks is small, and the basic principles are trivial. In contrast, mathematics offers an infinitely rich world of possibilities. If so, why is it that cryptographers have found so few attacks on block ciphers? In this paper we argue that the black-box methods used so far to find attacks in symmetric cryptography are inadequate, and we work with a more recent white-box algebraic methodology. Invariant attacks can be constructed explicitly through the study of roots of the so-called Fundamental Equation (FE). We also argue that certain properties of the ring of Boolean polynomials, such as the lack of unique factorization, allow a certain type of product construction attacks to flourish. As a proof of concept we show how to construct a complex and non-trivial attack where a polynomial of degree 7 is an invariant for any number of rounds of a complex block cipher.
Submitted 12 May, 2019;
originally announced May 2019.
-
Constructive Non-Linear Polynomial Cryptanalysis of a Historical Block Cipher
Authors:
Nicolas T. Courtois,
Marios Georgiou
Abstract:
One of the major open problems in symmetric cryptanalysis is to discover new specific types of invariant properties which can hold for a larger number of rounds of a block cipher. We have Generalised Linear Cryptanalysis (GLC) and Partitioning Cryptanalysis (PC). Due to the double-exponential combinatorial explosion of the number of possible invariant properties, systematic exploration is not possible, and extremely few positive working examples of GLC are known. Our answer is to work with polynomial algebraic invariants, which makes partitions more intelligible. We have developed a constructive algebraic approach which is about making sure that a certain combination of polynomial equations is zero. We work with an old block cipher from the 1980s which has a particularly large hardware complexity compared to modern ciphers, e.g. AES. However, all this complexity is not that useful if we are able to construct powerful non-linear invariants which work for any number of rounds. A key feature of our invariant attacks is that we are able to completely eliminate numerous state and key bits. We also construct invariants for the (presumably stronger) KT1 keys. Some of these lead to powerful ciphertext-only correlation attacks.
Submitted 7 February, 2019;
originally announced February 2019.
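The three abstracts above (Invariant Hopping Attacks, Lack of Unique Factorization, and Constructive Non-Linear Polynomial Cryptanalysis) all rest on the same object: a Boolean polynomial P such that P(F_k(x)) = P(x) for every round key k, so that P(ciphertext) = P(plaintext) after any number of rounds and the attack is ciphertext-only. The example below is added here and is not code from any of these papers; it does not touch T-310. It uses a constructed 4-bit toy round with one key bit, small enough that every polynomial of degree at most 2 can be tested exhaustively (2^11 candidates), which is precisely what the double-exponential explosion rules out for a real cipher. The round function, the key schedule and the 10-round demo key are all assumptions made for this example.

```python
import itertools

# Toy 4-bit round, constructed for this example only (it is not T-310 or any real
# cipher): swap the two left bits, feed x0*x1 into both right bits, and XOR the
# same key bit k into both right bits.
N_BITS = 4

def toy_round(x, k):
    x0, x1, x2, x3 = x
    t = x0 & x1
    return (x1, x0, x3 ^ t ^ k, x2 ^ t ^ k)

def toy_encrypt(x, round_keys):
    for k in round_keys:
        x = toy_round(x, k)
    return x

# Boolean polynomials of degree <= 2 in algebraic normal form: one GF(2)
# coefficient per monomial (constant, 4 linear terms, 6 quadratic terms).
MONOMIALS = ([()] + [(i,) for i in range(N_BITS)]
             + list(itertools.combinations(range(N_BITS), 2)))
ALL_STATES = list(itertools.product((0, 1), repeat=N_BITS))

def eval_poly(coeffs, x):
    v = 0
    for c, mono in zip(coeffs, MONOMIALS):
        if c:
            t = 1
            for i in mono:
                t &= x[i]
            v ^= t
    return v

def poly_from_monomials(monos):
    return tuple(1 if m in monos else 0 for m in MONOMIALS)

def poly_str(coeffs):
    terms = ["*".join(f"x{i}" for i in m) if m else "1"
             for c, m in zip(coeffs, MONOMIALS) if c]
    return " + ".join(terms) if terms else "0"

def is_round_invariant(coeffs):
    """P is a round invariant if P(F_k(x)) == P(x) for every state x and key bit k,
    so P(ciphertext) == P(plaintext) after any number of rounds, whatever the key."""
    return all(eval_poly(coeffs, toy_round(x, k)) == eval_poly(coeffs, x)
               for x in ALL_STATES for k in (0, 1))

def find_invariants():
    """Exhaustive search over all 2^11 polynomials of degree <= 2; feasible only
    because the state is 4 bits."""
    return [c for c in itertools.product((0, 1), repeat=len(MONOMIALS))
            if is_round_invariant(c)]

def holds_for_all_plaintexts(coeffs, round_keys):
    """The check an attacker runs on a full cipher: P(E_K(x)) == P(x) for all x."""
    return all(eval_poly(coeffs, toy_encrypt(x, round_keys)) == eval_poly(coeffs, x)
               for x in ALL_STATES)

if __name__ == "__main__":
    found = find_invariants()
    print(len(found), "invariant polynomials of degree <= 2; the non-linear ones:")
    for c in found:
        if any(c[i] for i, m in enumerate(MONOMIALS) if len(m) == 2):
            print("  ", poly_str(c))
    keys = [1, 0, 1, 1, 0, 0, 1, 0, 1, 1]   # constructed 10-round key
    print(all(holds_for_all_plaintexts(c, keys) for c in found))
```

The search returns the span of five independent invariants (the constant, x0+x1, x2+x3, x0*x1 and (x0+x1)*(x2+x3)), so 32 polynomials in all; each survives any number of rounds under any key, which is the property that makes an invariant a ciphertext-only distinguisher. For a real cipher the same verification step applies, but the candidate P has to be constructed algebraically rather than enumerated.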
-
Distributed Ledger Privacy: Ring Signatures, Möbius and CryptoNote
Authors:
Christopher D. Clack,
Nicolas T. Courtois
Abstract:
Distributed ledger and blockchain systems are expected to make financial systems easier to audit, reduce counter-party risk and transfer assets seamlessly. The key concept is a token controlled by a cryptographic private key for spending, and represented by a public key for receiving and audit purposes. Ownership transfers are authorized with digital signatures and recorded on a ledger visible to numerous participants. Several ways to enhance the privacy of such ledgers have been proposed. In this paper we study two major techniques to enhance privacy of token transfers with the help of improved cryptography: Möbius and CryptoNote. The comparison is illuminating: both techniques use "ring signatures" and some form of "stealth addressing" or key derivation techniques, yet each does it in a completely different way. Möbius is more recent and operates in a more co-operative way (with permission) and is not yet specified at a sufficiently detailed level. Our primary goal is to explore the suitability of these two techniques for improving the privacy of payments on cryptographic ledgers. We explain various conflicting requirements and strategic choices which arise when trying to conceal the identity of participants and the exact details of transactions in our context while simultaneously enabling fast final settlement of tokens with a reasonable level of liquidity. We show that in these systems, third-party observers see obfuscated settlement. We finish with a summary of explicit warnings and advice for implementors of such systems.
Submitted 7 February, 2019;
originally announced February 2019.
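Both Möbius and CryptoNote build on ring signatures: a signature that verifies against a set of public keys while hiding which member's private key produced it. The example below is added here and is not code from the paper or from either project; it implements the basic Schnorr-type ring signature of Abe, Ohkubo and Suzuki over secp256k1 (the curve bitcoin uses), without the key-image linkability that CryptoNote adds to prevent double spending and without Möbius' contract-side logic. The curve arithmetic is pure Python written for clarity and is not constant time; the ring of four keys and the message are constructed for the demo.

```python
import hashlib
import secrets

# secp256k1 parameters; affine arithmetic written for clarity, not for production.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None                       # Q + (-Q) = point at infinity
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def enc(pt):
    return pt[0].to_bytes(32, "big") + pt[1].to_bytes(32, "big")

def h_scalar(*parts):
    h = hashlib.sha256()
    for part in parts:
        h.update(part)
    return int.from_bytes(h.digest(), "big") % N

def keygen():
    x = secrets.randbelow(N - 1) + 1
    return x, ec_mul(x, G)

def ring_sign(msg, ring, s, x_s):
    """AOS ring signature: the signer at index s, holding x_s, closes a ring of
    hash challenges through every public key in `ring`. A verifier learns that
    some ring member signed, not which one."""
    m = len(ring)
    keys_enc = b"".join(enc(Y) for Y in ring)
    c, r = [0] * m, [0] * m
    alpha = secrets.randbelow(N - 1) + 1
    c[(s + 1) % m] = h_scalar(msg, keys_enc, enc(ec_mul(alpha, G)))
    i = (s + 1) % m
    while i != s:                             # simulate every other member with a random r_i
        r[i] = secrets.randbelow(N - 1) + 1
        commit = ec_add(ec_mul(r[i], G), ec_mul(c[i], ring[i]))
        c[(i + 1) % m] = h_scalar(msg, keys_enc, enc(commit))
        i = (i + 1) % m
    r[s] = (alpha - c[s] * x_s) % N           # needs x_s: r_s*G + c_s*Y_s == alpha*G closes the ring
    return c[0], r

def ring_verify(msg, ring, sig):
    c0, r = sig
    if len(r) != len(ring):
        return False
    keys_enc = b"".join(enc(Y) for Y in ring)
    c = c0
    for Y, r_i in zip(ring, r):
        c = h_scalar(msg, keys_enc, enc(ec_add(ec_mul(r_i, G), ec_mul(c, Y))))
    return c == c0

if __name__ == "__main__":
    members = [keygen() for _ in range(4)]       # constructed demo ring
    ring = [Y for _, Y in members]
    sig = ring_sign(b"transfer token 42", ring, 2, members[2][0])
    print(ring_verify(b"transfer token 42", ring, sig))
    print(ring_verify(b"transfer token 43", ring, sig))
```

The verifier recomputes the whole chain of challenges and only checks that it closes; the signature is (c_0, r_0, ..., r_{m-1}) and is the same size and shape whichever member signed. Two consequences matter for the ledger designs the abstract compares: the anonymity set is exactly the ring the signer chose (a ring of one is an ordinary Schnorr signature), and nothing here links two signatures by the same key, so a spend-once guarantee needs an extra mechanism such as CryptoNote's key images.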
-
On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies
Authors:
Nicolas T. Courtois
Abstract:
In this paper we revisit some major orthodoxies which lie at the heart of the bitcoin crypto currency and its numerous clones. In particular we look at The Longest Chain Rule, the monetary supply policies and the exact mechanisms which implement them. We claim that these built-in properties are not as brilliant as they are sometimes claimed to be. A closer examination reveals that they are closer to being... engineering mistakes which other crypto currencies have copied rather blindly. More precisely, we show that the capacity of current crypto currencies to resist double spending attacks is poor and that most current crypto currencies are highly vulnerable. Satoshi did not implement a timestamp for bitcoin transactions, and the bitcoin software does not attempt to monitor double spending events. As a result, major attacks involving hundreds of millions of dollars can occur and would not even be recorded. Hundreds of millions have been invested to pay for ASIC hashing infrastructure, yet insufficient attention was paid to network neutrality and to ensuring that the protection layer it promises is effective and cannot be abused. In this paper we develop a theory of Programmed Self-Destruction of crypto currencies. We observe that most crypto currencies have mandated abrupt and sudden transitions. These affect their hash rate and therefore their protection against double spending attacks, which we do not limit to the notion of 51% attacks, which is highly misleading. In addition we show that smaller bitcoin competitors are substantially more vulnerable. In addition to a small hash rate, many bitcoin competitors mandate incredibly important adjustments in miner reward. We exhibit examples of 'alt-coins' which validate our theory and for which the process of programmed decline and rapid self-destruction has clearly already started.
Submitted 10 December, 2014; v1 submitted 2 May, 2014;
originally announced May 2014.
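The abstract's point that "51%" is a misleading threshold for double spending can be made concrete with the standard catch-up calculation from Section 11 of the bitcoin white paper. The code below is added here and is not from the paper; it implements that white-paper formula (not the paper's own theory) and shows how much an attacker well under half the hash rate achieves against a merchant who accepts a payment after a few confirmations. The model assumes a constant total hash rate and an attacker who keeps mining privately, so it is a lower bound on the risk: the abrupt hash-rate transitions the abstract discusses make the real situation for small coins worse, not better.

```python
from math import exp

def attacker_success(q, z):
    """Probability that an attacker controlling a fraction q of the total hash
    rate eventually catches up from z blocks behind, i.e. can reverse a payment
    the merchant accepted after z confirmations (bitcoin white paper, Section 11;
    assumes q < 1/2 and a constant hash rate)."""
    if q >= 0.5:
        return 1.0
    p = 1.0 - q
    lam = z * q / p                         # expected attacker progress while honest chain grows by z
    prob = 1.0
    poisson = exp(-lam)                     # Poisson(k; lam), updated iteratively to avoid overflow
    for k in range(z + 1):
        if k:
            poisson *= lam / k
        prob -= poisson * (1 - (q / p) ** (z - k))
    return prob

def confirmations_needed(q, max_prob):
    """Smallest z such that an attacker with hash fraction q succeeds with
    probability at most max_prob."""
    z = 0
    while attacker_success(q, z) > max_prob:
        z += 1
    return z

if __name__ == "__main__":
    for q in (0.1, 0.3, 0.45):
        print(f"q={q}: P(success) after 1/3/6 confirmations =",
              [round(attacker_success(q, z), 4) for z in (1, 3, 6)],
              "| confirmations for <0.1%:", confirmations_needed(q, 0.001))
```

With 30% of the hash rate an attacker reverses a one-confirmation payment more often than not, and still has about an 18% chance after five confirmations; at 45% the merchant needs several hundred confirmations for a 0.1% risk. None of this requires a majority, which is the abstract's objection to the "51% attack" framing, and the numbers are for bitcoin-scale hash rates that a small alt-coin does not have.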
-
On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency
Authors:
Nicolas T. Courtois,
Lear Bahack
Abstract:
Bitcoin is a "crypto currency", a decentralized electronic payment scheme based on cryptography. The bitcoin economy grows at an incredibly fast rate and is now worth some 10 billion dollars. Bitcoin mining is an activity which consists of creating (minting) the new coins which are later put into circulation. Miners spend electricity on solving cryptographic puzzles, and they are also gatekeepers which validate the bitcoin transactions of other people. Miners are expected to be honest and have some incentives to behave well. However, in this paper we look at miner strategies with particular attention paid to subversive and dishonest strategies, or those which could put bitcoin and its reputation in danger. We study in detail several recent attacks in which dishonest miners obtain a higher reward than their relative contribution to the network. In particular we revisit the concept of block withholding attacks and propose a new concrete and practical block withholding attack which we show to maximize the advantage gained by rogue miners.
RECENT EVENTS: it seems that the attack was recently executed, see Section XI-A.
Submitted 2 December, 2014; v1 submitted 28 January, 2014;
originally announced February 2014.
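"A higher reward than their relative contribution" is a ratio one can compute. The example below is added here and is not the paper's attack, whose construction is not given on this page; it is the basic pro-rata block withholding model (Rosenfeld's "sabotage" attack, in the revenue form later used in Eyal's analysis of pool-on-pool attacks): a miner sends part of its hash power into a pool, submits partial shares normally so it is paid its pro-rata fraction, but discards every full solution it finds, so that power produces no blocks. Hash rates are normalised to a network total of 1, rewards are per block, and the pool sizes in the demo are constructed.

```python
def attacker_revenue(m1, m2, x):
    """Fraction of all block rewards earned by a miner (or pool) with hash rate m1
    that diverts x of it into a pro-rata pool of honest hash rate m2 and withholds
    every full block found there. Withheld power finds no blocks, so the reward
    stream runs at rate 1 - x; the pool still pays the infiltrator x / (m2 + x)
    of its income because partial shares are submitted normally."""
    assert 0 <= x <= m1 and m1 + m2 <= 1 and x < 1
    direct = (m1 - x) / (1 - x)                  # honest mining with the remaining power
    from_pool = m2 / (1 - x) * x / (m2 + x)      # pool's block share times infiltrator's share of it
    return direct + from_pool

def best_withholding(m1, m2, steps=10000):
    """Grid search for the diverted fraction x maximising the attacker's revenue;
    returns (revenue, x). Honest behaviour is x = 0 with revenue m1."""
    best = (attacker_revenue(m1, m2, 0.0), 0.0)
    for i in range(1, steps + 1):
        x = m1 * i / steps
        if x < 1:
            best = max(best, (attacker_revenue(m1, m2, x), x))
    return best

def reward_over_contribution(m1, m2):
    """The quantity the abstract refers to: reward share divided by hash-rate share."""
    rev, x = best_withholding(m1, m2)
    return rev / m1, x

if __name__ == "__main__":
    for m1, m2 in ((0.1, 0.3), (0.5, 0.5), (0.2, 0.2)):     # constructed sizes
        ratio, x = reward_over_contribution(m1, m2)
        print(f"attacker {m1:.2f} vs pool {m2:.2f}: divert {x:.4f}, reward/contribution = {ratio:.4f}")
```

Two things the numbers show: diverting a small fraction is always profitable in this model (the derivative of revenue at x = 0 is m1 > 0), but over-committing hurts the attacker too, since the diverted power earns nothing directly; the optimum depends on both sizes, and a large attacker against a large pool gains far more than a small one against a small pool.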
-
The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining
Authors:
Nicolas T. Courtois,
Marek Grajek,
Rahul Naik
Abstract:
Bitcoin is a "crypto currency", a decentralized electronic payment scheme based on cryptography which has recently gained excessive popularity. Scientific research on bitcoin is less abundant. A paper at the Financial Cryptography 2012 conference explains that it is a system which "uses no fancy cryptography", and is "by no means perfect". It depends on a well-known cryptographic standard, SHA-256. In this paper we revisit the cryptographic process which allows one to make money by producing bitcoins. We reformulate this problem as a Constrained Input Small Output (CISO) hashing problem and reduce the problem to a pure block cipher problem. We estimate the speed of this process and we show that the cost of this process is less than it seems and depends on a certain cryptographic constant which we estimated to be at most 1.86. These optimizations enable bitcoin miners to save tens of millions of dollars per year in electricity bills. Miners who set up mining operations face many economic incertitudes such as high volatility. In this paper we point out that there are fundamental incertitudes which depend very strongly on the bitcoin specification. The energy efficiency of bitcoin miners has already been improved by a factor of about 10,000, and we claim that further improvements are inevitable. Better technology is bound to be invented, be it quantum miners. More importantly, the specification is likely to change. A major change was proposed in May 2013 at the Bitcoin conference in San Diego by Dan Kaminsky. However, any sort of change could be flatly rejected by the community which has heavily invested in mining with the current technology. Another question is the reward halving scheme in bitcoin. The current bitcoin specification mandates a strong 4-year cyclic property. We find this property totally unreasonable and harmful and explain why and how it needs to be changed.
Submitted 10 April, 2014; v1 submitted 29 October, 2013;
originally announced October 2013.
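The "Constrained Input Small Output" view of mining is easiest to see on the actual header: of the 80 bytes hashed, only the 32-bit nonce is free, and the output must be a 256-bit value below a target decoded from the `bits` field. The example below is added here and is not the paper's code, nor does it reproduce the paper's cost analysis or its 1.86 constant; it builds a header, checks the genesis block against its known hash, and runs the nonce search with one of the standard savings any miner uses: the first 64 header bytes form a complete SHA-256 block that is identical for every nonce, so its compression is computed once (the "midstate") and only the second block is redone per attempt. The demo header fields and its easy target are constructed.

```python
import hashlib
import struct

def double_sha256(data):
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def bits_to_target(bits):
    """Decode bitcoin's compact 'bits' field into the 256-bit target."""
    exponent, mantissa = bits >> 24, bits & 0xFFFFFF
    if exponent >= 3:
        return mantissa << (8 * (exponent - 3))
    return mantissa >> (8 * (3 - exponent))

def header_prefix(version, prev_hash_hex, merkle_root_hex, timestamp, bits):
    """The 76 header bytes that do not depend on the nonce. Hashes are displayed
    big-endian but stored byte-reversed; integers are little-endian."""
    return (struct.pack("<I", version)
            + bytes.fromhex(prev_hash_hex)[::-1]
            + bytes.fromhex(merkle_root_hex)[::-1]
            + struct.pack("<II", timestamp, bits))

def block_hash_hex(prefix76, nonce):
    """The block hash as usually displayed (byte-reversed double SHA-256)."""
    return double_sha256(prefix76 + struct.pack("<I", nonce))[::-1].hex()

def mine(prefix76, target, max_nonce=1 << 32):
    """CISO search: the only free input is the 32-bit nonce, and the output must
    be a hash at most `target`. The first SHA-256 block (bytes 0..63) never
    changes, so it is compressed once and the state is copied per attempt."""
    midstate = hashlib.sha256(prefix76[:64])
    tail = prefix76[64:]                    # last 4 merkle bytes, time, bits
    for nonce in range(max_nonce):
        h = midstate.copy()
        h.update(tail + struct.pack("<I", nonce))
        digest = hashlib.sha256(h.digest()).digest()
        # bitcoin compares the hash as a little-endian 256-bit integer
        if int.from_bytes(digest, "little") <= target:
            return nonce, digest
    return None

# Real input: the bitcoin genesis block header (nonce 2083236893).
GENESIS = header_prefix(
    1, "00" * 32,
    "4a5e1e4baab89f3a32518a88c31bc87f618f76673e2cc77ab2127b7afdeda33b",
    1231006505, 0x1D00FFFF)

if __name__ == "__main__":
    print("genesis:", block_hash_hex(GENESIS, 2083236893))
    demo = header_prefix(2, "11" * 32, "22" * 32, 1700000000, 0x1D00FFFF)  # constructed
    easy_target = (1 << 244) - 1            # 12 leading zero bits: ~4096 attempts on average
    nonce, digest = mine(demo, easy_target, 1 << 20)
    print("found nonce", nonce, "->", digest[::-1].hex())
```

The midstate trick removes one of the two first-block compressions per attempt without changing the result, which the test confirms by recomputing the full 80-byte double hash for the nonce found. It is also why the nonce alone is searched first: changing anything in the first 64 bytes (version, previous hash, most of the merkle root) invalidates the cached state. The abstract's larger claim, that the second block and the outer hash can be further trimmed so the effective cost is a constant factor below two full compressions, is not shown here.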
-
A New General-Purpose Method to Multiply 3x3 Matrices Using Only 23 Multiplications
Authors:
Nicolas T. Courtois,
Gregory V. Bard,
Daniel Hulme
Abstract:
One of the most famous conjectures in computer algebra is that matrix multiplication might be feasible in not much more than quadratic time. The best known exponent is 2.376, due to Coppersmith and Winograd. Many attempts to solve this problem in the literature work by solving fixed-size problems and then applying the solution recursively. This leads to pure combinatorial optimisation problems of fixed size. These problems are unlikely to be solvable in polynomial time.
In 1976 Laderman published a method to multiply two 3x3 matrices using only 23 multiplications. This result is non-commutative, and therefore can be applied recursively to smaller sub-matrices. In 35 years nobody was able to do better, and it remains an open problem whether this can be done with 22 multiplications. We proceed by solving the so-called Brent equations [7]. We have implemented a method for converting this very hard problem to a SAT problem, and we have attempted to solve it with our portfolio of some 500 SAT solvers. With this new method we were able to produce new solutions to Laderman's problem. We present a new fully general non-commutative solution with 23 multiplications and show that this solution is new and is NOT an equivalent variant of Laderman's original solution. This result demonstrates that the space of solutions to Laderman's problem is larger than expected, and therefore it now becomes more plausible that a solution with 22 multiplications exists. If it exists, we might be able to find it soon just by running our algorithms longer, or due to further improvements in SAT solver algorithms.
Submitted 19 August, 2011; v1 submitted 13 August, 2011;
originally announced August 2011.
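The Brent equations are the condition that a set of bilinear products computes the matrix product over every ring, commutative or not, which is what makes a fixed-size algorithm usable recursively on blocks. The example below is added here and is not the paper's code: neither Laderman's 23 products nor the new solution appears on this page, so the sample algorithm is Strassen's well-known 2x2 scheme with 7 products, written in the coefficient form the equations use. The checker itself is general (any n x m by m x p algorithm); the 4x4 block demo and its integer matrices are constructed.

```python
import itertools

class Mat:
    """Minimal matrix over any ring with +, -, *; entries may themselves be Mat,
    which is how a fixed-size algorithm is applied recursively to blocks."""
    def __init__(self, rows):
        self.rows = [list(r) for r in rows]
    def __add__(self, o):
        return Mat([[a + b for a, b in zip(r, s)] for r, s in zip(self.rows, o.rows)])
    def __sub__(self, o):
        return Mat([[a - b for a, b in zip(r, s)] for r, s in zip(self.rows, o.rows)])
    def __neg__(self):
        return Mat([[-a for a in r] for r in self.rows])
    def __mul__(self, o):                           # schoolbook product, the reference
        cols = list(zip(*o.rows))
        return Mat([[_dot(r, c) for c in cols] for r in self.rows])
    def __eq__(self, o):
        return isinstance(o, Mat) and self.rows == o.rows

def _dot(r, c):
    acc = r[0] * c[0]
    for a, b in zip(r[1:], c[1:]):
        acc = acc + a * b
    return acc

# A bilinear algorithm is a list of (a, b, c): product_k = (sum a[i][j] A_ij) * (sum b[j][l] B_jl)
# and C_il = sum_k c_k[i][l] * product_k.  Strassen's 7 products for 2x2 matrices:
STRASSEN = [
    ([[1, 0], [0, 1]], [[1, 0], [0, 1]], [[1, 0], [0, 1]]),     # M1 = (A11+A22)(B11+B22)
    ([[0, 0], [1, 1]], [[1, 0], [0, 0]], [[0, 0], [1, -1]]),    # M2 = (A21+A22)B11
    ([[1, 0], [0, 0]], [[0, 1], [0, -1]], [[0, 1], [0, 1]]),    # M3 = A11(B12-B22)
    ([[0, 0], [0, 1]], [[-1, 0], [1, 0]], [[1, 0], [1, 0]]),    # M4 = A22(B21-B11)
    ([[1, 1], [0, 0]], [[0, 0], [0, 1]], [[-1, 1], [0, 0]]),    # M5 = (A11+A12)B22
    ([[-1, 0], [1, 0]], [[1, 1], [0, 0]], [[0, 0], [0, 1]]),    # M6 = (A21-A11)(B11+B12)
    ([[0, 1], [0, -1]], [[0, 0], [1, 1]], [[1, 0], [0, 0]]),    # M7 = (A12-A22)(B21+B22)
]

def brent_violations(alg, n, m, p):
    """Count the Brent equations the algorithm fails. For an n x m by m x p product,
    sum_k a_k[i][j] * b_k[j2][l] * c_k[i2][l2] must be 1 when (i, j, l) == (i2, j2, l2)
    and 0 otherwise. Zero violations means the algorithm is exact over every ring."""
    bad = 0
    for i, j, j2, l, i2, l2 in itertools.product(range(n), range(m), range(m),
                                                   range(p), range(n), range(p)):
        total = sum(a[i][j] * b[j2][l] * c[i2][l2] for a, b, c in alg)
        if total != (1 if (i, j, l) == (i2, j2, l2) else 0):
            bad += 1
    return bad

def _lin_comb(coefs, X):
    """Signed sum of entries of X (coefficients in this example are only 0, 1, -1)."""
    acc = None
    for i, row in enumerate(coefs):
        for j, cf in enumerate(row):
            if cf:
                term = X[i][j] if cf == 1 else -X[i][j]
                acc = term if acc is None else acc + term
    return acc

def bilinear_multiply(alg, A, B):
    """Run a bilinear algorithm on A (n x m) and B (m x p) given as nested lists."""
    n, p = len(A), len(B[0])
    C = [[None] * p for _ in range(n)]
    for a, b, c in alg:
        prod = _lin_comb(a, A) * _lin_comb(b, B)    # the one genuine multiplication per product
        for i in range(n):
            for l in range(p):
                if c[i][l]:
                    term = prod if c[i][l] == 1 else -prod
                    C[i][l] = term if C[i][l] is None else C[i][l] + term
    return C

def strassen_4x4(A, B):
    """4x4 product by running Strassen on 2x2 blocks; the block entries do not
    commute, which is exactly the case the Brent equations guarantee."""
    blk = lambda M: [[Mat([row[2 * j:2 * j + 2] for row in M[2 * i:2 * i + 2]])
                      for j in range(2)] for i in range(2)]
    Cb = bilinear_multiply(STRASSEN, blk(A), blk(B))
    return [Cb[i][0].rows[r] + Cb[i][1].rows[r] for i in range(2) for r in range(2)]

def naive(A, B):
    return (Mat(A) * Mat(B)).rows
```

For 3x3 matrices the same checker has 3^6 = 729 equations over the 3 * 9 * 23 = 621 coefficients of a 23-product scheme; solving rather than checking them is the hard combinatorial problem the abstract converts to SAT. Dropping any one of Strassen's seven products makes several equations fail, which is the kind of partial assignment a SAT encoding must reject.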