[josephagoss]

This is a surprisingly good analysis that strengthens the argument that a Government agency created Bitcoin (Much like what Paul Graham suggested)

The main point is the same one that PG brought up, that the transaction graph is very easy to follow and if the gatekeepers are compromised then most of transactions become transparent.

A novel point they make is that some group (probably the creators of Bitcoin) control 25% of the money supply. I have not read the paper yet so cannot comment but I was under the impression 95% of Satoshi's coins have never moved since being mined. (If he does control them at all) Of course if they do control 25% of all the circulated Bitcoins this would forever stunt its growth as that actor would always be far too powerful.

Whilst I do not believe a Government created Bitcoin I welcome these articles that counter my own views. This also re-emphasizes the work that needs to go into coinjoin or zerocoin implementations as soon as possible. Also we need to seriously fix the 7 tx/sec limit.

[nwh]

>Bitcoin is, by design, highly vulnerable to network analysis.

By design as in, that's the only way the network could conceivably work. Each node must be able to verify that the chain is intact and valid, otherwise they would have to be trusting a third party. There's ways of obfuscating this anyway, which seem to work quite well in practise.

> This is a surprisingly good analysis that strengthens the argument that a Government agency created Bitcoin

It's not really. If the US government were to create something like this, they wouldn't have risked releasing something as ridiculously buggy as the original Satoshi client. You're talking massive remote exploits, people able to make their own coins due to an integer overflow, just chaos in the code. It's truly miraculous that it even took off at all, and the developers are still trying to fix the issues that Satoshi unknowingly introduced. Bitcoin was not the work of a skilled team.

>I was under the impression 95% of Satoshi's coins have never moved since being mined

That's correct, though you can't even verifiably say that all the coins were minted by Satoshi. I doubt they'll ever move, given that Satoshi made it very clear that remaining part of the community is a bad idea. In their shoes, I would have been mining to a bit bucket, which I imagine is the case here.

> This also re-emphasizes the work that needs to go into coinjoin or zerocoin implementations as soon as possible.

Coinjoin is well and good, but zerocoin is a no show at the moment. It's immature, creates massive signatures, and is completely untested. There's no way it would ever make it's way into the mainstream client in it's current state, and the developers know that too.

> Also we need to seriously fix the 7 tx/sec limit.

I'd go close to calling that one a myth. There's really nothing stopping 7 transactions a second at the moment, in fact it's intended to be tight for block space in order to create a market in which people battle for transaction fees. There's also nothing to stop the block limit from just being increased, 1MB is just arbitrary at the moment.

[feral]

>By design as in, that's the only way the network could conceivably work. Each node must be able to verify that the chain is intact and valid, otherwise they would have to be trusting a third party. There's ways of obfuscating this anyway, which seem to work quite well in practise.

You can say that there's no other way the network could conceivably work, or that its possible to obfuscate the trail, but it doesn't make sense to say both.

Surely whatever scheme you have to obfuscate the trail could be built into the network? If so, why wasn't it?

Normal people don't encrypt their e-mail. According to some, even security researchers don't encrypt their e-mail.

Do you think normal people are going to take the care to obfuscate their Bitcoin transactions properly? I don't.

I have always found it worrying that Nakamoto, a person or group who took such pains to - henceforth successfully - hide their own identity, made so little effort to strength or design the privacy of Bitcoin.

[nwh]

> Surely whatever scheme you have to obfuscate the trail could be built into the network? If so, why wasn't it?

Not really. Mixing Bitcoin relies on shared wallets controlled by a third party. You trust in them not to leak the details of what Bitcoin went where, and you also trust them not to just pocket the inputs and never send anything back. That would never make it into the network. The alternative is something called CoinJoin, which allows people to pair up and spend each others Bitcoin to ruin the trail through the blockchain, this probably will be implemented at some point, but it's just in development stages thus far.

> Do you think normal people are going to take the care to obfuscate their Bitcoin transactions properly? I don't.

By the same token, do they need to?

[feral]

As you say, mixing isn't really a solution - it requires that you trust the mixer to not steal your coins, and that you trust the mixer to not keep records. Looking at the efforts to compromise TOR, I don't think you can assume that mixers won't be adversaries.

But I accept your point that if trusting mixers is your obfuscation scheme, then its at least non-trivial to put that into the system spec.

What I was thinking about instead was the 'linking' property - which leaks so much information - why wasn't that avoided at a system level?

Clients could also make network analysis much harder by moving Bitcoins between newly generated addresses randomly. Why wasn't that in the system?

>By the same token, do they need to?

This sounds like saying "they only need to be worried about privacy if they have something to hide" ?

[betterunix]

"Looking at the efforts to compromise TOR, I don't think you can assume that mixers won't be adversaries"

That really depends on how things are being done. Tor involves making a temporary, random choice of relays, and periodically updating that choice. If all your transactions are sent through a randomly chosen chain of mixing services, you might have some kind of anonymity (but this is poorly defined to begin with, since mix-nets are supposed to enable anonymous communications rather than anonymous payments, and so it is not even clear that what applies to one still applies to the other).

"What I was thinking about instead was the 'linking' property - which leaks so much information - why wasn't that avoided at a system level?"

Like I said elsewhere, there is no specific problem definition for Bitcoin, so why bother to ask such a question? Really if you want a digital cash system without a central authority, you need to first define what that actually means; likewise if you want that hypothetical system to not have this "linking" property, whatever that actually means.

[feral]

>Like I said elsewhere, there is no specific problem definition for Bitcoin, so why bother to ask such a question?

Are you saying that, as Bitcoin doesn't have a publicly stated problem definition, its immune from any criticism of its design choices? That's a bizarre argument.

First off, Nakamoto's original paper has a section on Privacy, talking about how to maintain privacy by keeping public keys anonymous. If Bitcoin, in practice, fails to provide privacy for its users, it is absolutely fair game to point that out.

Secondly, perhaps you mean that the original paper didn't have a formal specification of the 'privacy' desired, which the performance of Bitcoin can be evaluated against? Again, that's a bizarre argument.

Lets say I release a new design of car. You build one and drive it, and then it goes on fire due to a design flaw. How would you feel if I argued "But I didnt formally specify the parameters within which it wouldnt go on fire and injure you!"

That'd clearly be a nonsense argument, because there are expected standards of operation of a car, even if there isn't a formal spec. If you write an informal section on privacy in your paper, and your system compromises user privacy, criticism is absolutely fair.

> if you want that hypothetical system to not have this "linking" property, whatever that actually means.

The "linking" property is well defined in the context of Bitcoin anonymity; I refer to the situation where multiple addresses used as inputs to a transaction reveal the shared ownership of all those addresses.

As Nakamoto writes: "Some linking is still unavoidable with multi-input transactions, which necessarily reveal that their inputs were owned by the same owner."

[betterunix]

Bitcoin does not and never did have well-defined requirements or constraints, so it is kind of pointless to ask why some feature is not present or why the creators of Bitcoin have not worked to improve it in some particular way. None of the definitions of privacy or security defintiions that apply to academic digital cash can be satisfied by Bitcoin, as those definitions all assume the existence of a central bank in the system. Similarly, definitions that are applicable to anonymous messaging (e.g. mix-nets) are useless here unless you want to use Bitcoin as an anonymous messaging system (rather than as a digital cash system).

[ianso]

>>Bitcoin is, by design, highly vulnerable to network analysis.

>By design as in, that's the only way the network could conceivably work.

This network, yes. But you can construct truly anonymous cryptocurrencies with e.g. zero-knowledge proofs, yet the author(s) chose not to. This would have enabled AP, maybe answering PGs question in point #2 of his post (https://news.ycombinator.com/item?id=5547423).

I didn't know the original code was that buggy, I confess I was lulled a bit by the line "This was the only major security flaw found and exploited in Bitcoin's history" in the wiki article. Maybe it needs changing in the light of https://en.bitcoin.it/wiki/Common_Vulnerabilities_and_Exposu... :-)

[nwh]

I don't think any of them ever got a CVE to be quite honest. There's a few that come to mind, my favourite being an integer overflow that lead to the creation of billions of Bitcoin in a single transaction.

Here's the thread for that bug: https://bitcointalk.org/index.php?topic=823.0

[josephagoss]

> Bitcoin was not the work of a skilled team.

This is refreshing to hear, however the Government does not have a history of writing good code (excluding NASA) I still feel like the Government argument could be correct.

> I'd go close to calling that one a myth

Well the limit is based on size, and 7tx/sec assumes an average transaction I think.

> in fact it's intended to be tight for block space in order to create a market in which people battle for transaction fees

I remember reading Satoshi did not intend for limited blockchain space and envisioned 500GB blocks.

> 1MB is just arbitrary at the moment.

A hard fork will be required, this will not be an issue if no one complains.

[bunderbunder]

> the Government does not have a history of writing good code

I'd love to hear more about that, because it goes against my own experience. (And I'll go ahead and disclaim that I'm obviously speaking anecdotally here.)

Whenever I've run into software that was developed by the US government it's generally been pretty competent. No worse, and maybe a little better, than what I'm used to seeing come out of the companies I've worked with. Certainly better than the stream of epic fails that seems to characterize what results from outsourcing to private contractors.

[gknoy]

Partly that may be because they can (in theory) work closer to the true customer, rather than having an additional contract/specification-based interface to getting things made. When you don't find out for six months that you completely misunderstood the client's needs, it's hard to build good stuff -- frustrating for the client, and for the developers.

If, however, you ARE your own client, such as writing research code or simulation/test code, you likely have a clearer idea of what needs to be done.

[celticninja]

it depends on who does what, if the people that want/need/use the code are responsible for writing it then I woudl agree, if you have a different department/wing/group writing the code then what you end up with may not be useable by the end user or may not be as useful anyway. If you add in another step where lots of disparate groups have input i.e. impse a set of requirements, usually indepdent of one another, then what you get left with is an expensive, unworkable, useless piece of spftware that everyone is forced to use until someone else decide to have a crack at improving it.

source: i have worked for govt.

[josephagoss]

Sorry it was just an assumption I made. Over the years all the stuff I have read point towards bad code from the Government. I guess the NSA would be of higher caliber though, similar to NASA embedded code.

[ufmace]

I don't think you can really argue either way on Government code quality. It depends entirely on how the project was set up and who did it.

There's plenty of Government software projects with the usual lists of WTF-generators like lowest-bid contractors, poor requirements communication, incompetent managers mostly concerned with covering their own asses, etc.

And there's plenty of other Government software projects made by a tight-knit core of highly skilled hackers with good goals under good management. See Stuxnet, etc.

[dagw]

the Government does not have a history of writing good code

How much NSA code have you seen? SELinux is one of the few pieces available and seems reasonably competent.

[krenoten]

I can't say how this applies within the NSA, but (security) hackers tend to write better publicly released code than academic mathematicians, as the constraints imposed on them tend to encourage soundness of implementation over soundness of concept. I have no idea how applicable this trend is to NSA security engineers vs whoever inside the NSA might have been tasked with this. I just think it's possible that if this were an NSA project, that doesn't necessarily imply good code.

[nwh]

> This is refreshing to hear, however the Government does not have a history of writing good code (excluding NASA) I still feel like the Government argument could be correct.

My point was more that if it was set up to be a honeypot, they'd want to do quite a good job to ensure that it was picked up by a community. The Satoshi client was anything but, and in itself would have had quite a high risk at completely bombing out. Developers are still battling with some of the less sensible bits of the design.

> Well the limit is based on size, and 7tx/sec assumes average transaction I think.

More clients moving to compressed keys would help with that, but yes, I think that's where the 7tx/second number comes from.

> envisioned 500GB blocks

I still think everybody would struggle with that. It's not a small amount of data to move around. I don't think I could even write 500GB to a hard disk in under 10 minutes, let alone the 6 or so minutes between blocks at the moment. It'll be a long time until that's even possible on a network-wide scale, my current node is under heavy enough load responding to it's peers as it is.

[consonants]

If Bitcoin is truly a covert operation led by the government to attract criminals, they would be funding this through a completely unrelated subsidiary who either provides grants to research institutions or contracts the work out.

In either case the code will be shit. The problem with this argument is that it is incredibly hard to prove without knowing the circumstances behind bitcoins inception.

[imsofuture]

Can you elucidate on your point about Zerocoin? I'm really fascinated by what I've read about it, but admittedly don't have much of a basis to evaluate on.

[nwh]

The idea is good, and it would actually work as it currently stands. The fundamental issue is that the signatures it creates would be massive in comparison to the lean scripts that the Bitcoin network uses internally. There's certainly ways of making it work, it just needs a little more baking before any of the Bitcoin developers would even consider using it.

[quantumpotato_]

Tinfoil hat conspiracy: bitcoin v1 client released with intentional bugs to appear it was made by an amateur.

[mcphilip]

>A novel point they make is that some group (probably the creators of Bitcoin) control 25% of the money supply. I have not read the paper yet so cannot comment but I was under the impression 95% of Satoshi's coins have never moved since being mined.

From Table 7 on page 11 of the linked paper:

Entity ID | Accumulated Incoming BTC's | Number of Transactions

A | 2,886,650 | 246,012

B | 2,206,170 | 477,526 //Mt. Gox

Since there were 9 million in the address graph, I assume that the 25% remark refers to unidentified Entity A in this table. However, I did not see any claim in the paper that there was evidence that this unnamed entity was trying to hide this accumulation.

Does anyone know why this claim was made in the article?

[ianso]

Yup, because I misread the paper :-/ I thought it also stated that entity A had done large amounts of churning, which it hasn't. I'll fix that, thankyou...

[feral]

>The main point is the same one that PG brought up, that the transaction graph is very easy to follow and if the gatekeepers are compromised then most of transactions become transparent.

I agree with that point, but where did PG say that?

Its not in his post here: https://news.ycombinator.com/item?id=5547423

[dobbsbob]

Plenty of people on the cryptography mailing list mined the first coins like Hal Finney who wrote he is leaving them for his kids which is why they havent moved. Satoshi buggered off the day Gavin announced he was presenting BTC to the CIA seems odd he wouldnt stick around and try to influence development if he was a gov agent. His opsec was perfect though, which could mean he was an NSA or GCHQ employee doing this as a secret side project for himself. Nobody has had better opsec than Satoshi not once did he talk about anything personal even in PMs to Gavin or leave indicators to analyze. Somebody even scanned for every unique word Satoshi used to match it up to existing whitepapers and mailing lists, nothing turned up

[celticninja]

yeah, the one thing that makes me think this was the work of one person is the fact that a group, even a close knit group of NSA/CIA/GCHQ operatives could not produce, test and release something liek this without one of them making an error. I assume that satoshi thought through the production and release of this software well in advance of actually doing it, i.e. never suggesting it on a forum account, never testing or discussing it with anyone until he was soewhat ready to go. However his posting to the cypherpunks group does make me think he was at least a lurker on there before he signed in as satoshi, hence his decent OpSec.

[dobbsbob]

The gateway monitoring argument is also pretty feeble since how are they going to extract ID scans or other info from worldwide gateways or p2p sales. Sure bitcoin is risky if using a major exchange in a western country but good luck getting info on a trade from a Russian exchange, or IRC exchanger connected via Tor who lives in Vietnam

[gwern]

> Somebody even scanned for every unique word Satoshi used to match it up to existing whitepapers and mailing lists, nothing turned up

Really? Who was that, I don't recall ever hearing about a real textual analysis being done.

[fleitz]

The entire worth of all bitcoins is just north of $50 billion. It wouldn't be very difficult for any soveriegn to gain control of 25% of that market.

Whether government created bitcoins is a moot point, knowing the answer to this question doesn't mean anything. The question is whether bitcoins provide a superior environment for transacting business when compared to alternatives.

[ianso]

I didn't know that PG suggested something similar, thanks for the pointer :-)

[blauwbilgorgel]

If a government created Bitcoin wouldn't China be more likely than the US?