You ask "My question is this: Shouldn’t the origin of SHA-256 upend a large part of the crypto narrative?" and say "So you trust the code not its author?".
For computer science/math types, your question is a guilt by association question. So it's not that nobody has noticed, but rather to the STEM mindset that question is silly.
Here's a thought example to illustrate. Suppose in an alternate reality, Adolf Hitler discovered the Pythagorean theorem. That in a right triangle, the lengths of the sides are related by a^2 + b^2 = c^2. Now, you say all these people who use this math identity should be questioning their work because of the origin of that particular piece of math. Since that was from a bad bad bad person. It's Hitler math. It's a guilt by association claim. Or use an even simpler example, 2+2=4 was discovered by Hitler. So anyone who adds 2+2 should question that bad bad bad source of that bit of math.
Now, to you, SHA-256 seems exotic and complicated. And hard to believe. But to people who use this math in the real world, it's merely another 2+2=4 basic piece of everyday math. The inventor of it doesn't mean the math is bad. Math is an identity. It has no moral valence. Of course you can use math in a bad way. But to people who use it, once that math is out in the world, it's just another tool in the toolkit, and the provenance of it just doesn't matter.
Maybe it matters to you, because it appears so complex and odd. But to people who use these tools, it's just another software math library call. So your question will get completely ignored by people who actually use these tools. Why? It will appear to them as a very weird claim they shouldn't add 2+2=4 because the historic originator of that math was someone they are supposed to hate.
Still, to us non-cryptographers the probability is non-zero that the NSA knows how to break SHA-256 while nobody else does. How do you respond to that? I believe the theoretical computational complexity limit of generating SHA-256 collisions is unknown. Scientists have a way of overestimating their own expertise.
The defense community did have adaptive optics imaging long before the academic community caught on.
SHA hashes are used everywhere on the internet, including the basic encryption used in web browsers with HTTPS, and have a long history of people trying to crack them, and then a new improved version getting rolled out. Because there's such massive financial value in cracking them, they are an incredibly well tested and widely used standard. If you glance at this Wikipedia page, it'll give you a better feeling for why the idea of there being some evil conspiracy behind such a widely used and heavily tested standard sounds completely silly to anyone who writes code and knows what they are talking about.
https://en.wikipedia.org/wiki/Secure_Hash_Algorithms
That page does not give me confidence. SHA-256 seems to be part of the SHA-2 family, which was adopted after weaknesses were found in SHA-1 (also designed by the NSA). Without mathematical proof of computational complexity, SHA-256 is a faith-based algorithm.
Weaknesses were not “discovered” in SHA-1. It’s just that SHA-1 was invented at a time when computers were much slower and could not brute-force it the way they can now.
The study demonstrating the first full SHA-1 collision says: "We were able to find this collision by combining many special cryptanalytic techniques in complex ways and improving upon previous work. [...] As a result while the computational power spent on this collision is larger than other public cryptanalytic computations, it is still more than 100 000 times faster than a brute force search." https://shattered.io/static/shattered.pdf
Edit: The definition of brute-force is also changing with GPU computing, FPGAs, and made-for-hash ASICs.
That misrepresents the argument. The point is that for a currency which aims to take the faith and state out of fiat currency and outsource trust to a code it involves a lot of faith in the code and the state that created it. How many of the libertarian crypto crowd have a sufficient understanding of the core code and SHA-256 to form their own sound basis for trusting it?
The core argument is the points 1 and 2 towards the end. The fundamental contradiction goes further than your by association stuff which only the pure minded STEM/math types can interpret.
I would instead suggest that the STEM mindset is all too willing to trust “the science” (i.e. the assumption that some guy who knows better has already tested it) whilst being incapable of verifying that trust.
That’s completely okay and is the basis of modern liberal thinking but the point Tooze makes is that when “the science” is “the state” then how far do bitcoin’s libertarian ideals go and are they a sound basis for a currency let alone a political ideology?
This article isn’t an article against bitcoin or crypto it’s an argument against the argument for bitcoin and crypto; a subtlety that what you’ve charitably called the “STEM mindset” failed to identify.
The point isn’t that “2+2=4 is Hitler math. Hitler is bad. Therefore 2+2=4 is wrong.” The point is “You say Hitler is always wrong. He invented 2+2=4. 2+2=4 is right. So premise 1 is false.”
> Or is there an underlying sociology of professional expertise which means that Satoshi Nakamoto and his ilk trust their counterparts at the NSA and NIST because they are essentially part of the same expert community?
The cryptographic community doesn't trust standards like SHA because they were created by NIST or the NSA; they trust these standards because they have looked at it themselves and failed to break it in practice. Cryptographic algorithms like SHA are under constant scrutiny by the community of security researchers, both in academia and in industry, that look for ways to break their security.
More recent NIST standards like SHA-3 and AES (the U.S. standard for encryption) are the results of multi-round competitions with participants from all around the world. Both competitions ran for ~4 years, and candidate algorithms are examined both by NIST and by the wider community publishing papers and cryptanalysis results left and right. For the winning algorithms, the cryptographic community has had so much time to look at them that trust in either NIST or the NSA is not required, since any "funny business" would have probably revealed itself in the process.
As an aside, we do have one known instance of the NSA attempting to backdoor a cryptographic standard (Dual EC DRBG), and it went poorly: researchers almost immediately found the suspicious part of the standard, and nobody went out of their way to use it. The NSA had to bribe RSA Security to use it as a default in their software for the backdoor to actually be deployed somewhere prominent and enabled by default. The NSA probably doesn't actively try to backdoor NIST standards anymore not because of some sense of altruism; it is just very difficult and probably leads to embarrassment further down the line when it gets found out.
Very much to the point. Why do people trust cryptos could be the core philosophical point to be asked in the near future. My quick two cents are that people's trust in cryptos fundamentally derives from people's trust in the digital revolution and its promises of access, equality and sustainability, but I would love to read your take on the matter.
History of science is replete with problems that were impossible to solve until they were not.
You ask: “Shouldn’t the origin of SHA-256 upend a large part of the crypto narrative?” as if you wouldn’t know that any one of the crazy-ass stupidities done by Trump haven’t upended his election. That any one of his otherworldly idiocies haven’t upended his presidency. Or the mountain of brexiteer lies, Brexit. – Man, I think it would be high noon to wake up!
The crypto world is completely delusional. And it’s just one of the many symptoms of today’s society reveling in ignorance, because it has found companions globally and forgot shame.
You are talking about the Kerckhoffs's principle. Auguste Kerckhoffs stated that one ought to design systems under the assumption that the enemy will immediately gain full familiarity with them.
Ngl this is one of the weaker posts I read recently, still highly insightful :)
But saying crypto is weakened because NIST curves are used is silly. You only need to look at Ethereum's use of keccak256 and secp256k1 to see that there are other cryptographic and hashing algos that are not built by the "state"...
Additionally against, "It points to the unique computing resources and IT-expertise commanded by the state." crypto is in part pointing towards a different model of governance and the state. Just because some of the tech developments were made by the state doesn't mean they can't be used to build a different future. Else let's go back to feudalism...
Anyway my writing isn't as eloquent as that of AT so apologies to anyone who reads it :)
I am neutral as regards Bitcoin and crypto, but if and to the extent that Bitcoin is suspect because its source code and/or founder are linked with the NSA, that to me begs the question why not build a cryptocoin that has neither of these attributes?
That seems to be an indictment of Bitcoin in particular but not crypto in general.
Yes. What Tooze is fascinated by is but a small modular piece of the entire concept that is Bitcoin. Ok, say we find out SHA-256 has some problem in future...... Bitcoin 2.0 or X.0...
Of course you have to trust something else. That's what Ivermectin is for.
It's not just blockchain that is built on NSA-funded tools; this is also true for the entirety of the internet (which was originally a bastion for an earlier generation of crypto-anarchists). Yasha Levine maps this out in his book "Surveillance Valley." https://medium.com/@willszal/the-military-history-of-the-internet-a-book-review-90446a5daa77
yeah, stop writing public articles on topics you clearly don't understand at all... talk to some experts at least. pure drivel. SHA-256 it's still fine so far. eventually, like all hashes so far (md5, sha1) when cracks begin to show, another better hash will be phased in to replace it before it is too badly broken.
Sorry, but you waved your hands over the most important piece of this story. Yes, if the SHA code were licensed from the NSA as a compiled library, the way we license Excel or Zoom or Chrome then we should worry about backdoors or other gotchas hiding in the code. But that is not how SHA works.
The algorithm and source code for SHA are published for all to see and analyze. Anyone is free to re-implement SHA however they please. This is how we have custom chips designed for hashing and code running on graphics cards.
It is possible that someday, some mathematician will find a flaw, or that some quantum computer algorithm will be able to brute force a solution in a day, but here in 2022 there is enough analysis of the SHA algorithm for us all to trust that there is no shortcut.
Having the NSA in the process of picking this algorithm is no different than having NASA in the process of analyzing airplane wings or rocket engines. You don’t have to trust the government to produce those goods, but there is nothing sinister about expertise that happens to be organized into a government agency rather than a university or corporation. Especially when that expertise openly publishes its results for everyone to analyze.
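As an added illustration of the point in the comment above that the algorithm is published and anyone can re-implement it (this code is not from the thread or any commenter): SHA-256 written from the public FIPS 180-4 description, with the initial state and round constants derived from square and cube roots of the first primes rather than copied in, then compared against Python's `hashlib`. All function names are this example's own.

```python
import hashlib

MASK = 0xFFFFFFFF  # SHA-256 works on 32-bit words


def first_primes(n):
    """First n primes by trial division (n is only 64 here)."""
    primes, c = [], 2
    while len(primes) < n:
        if all(c % p for p in primes):
            primes.append(c)
        c += 1
    return primes


def iroot(n, k):
    """Largest integer r with r**k <= n, computed exactly (no floats)."""
    lo, hi = 0, 1 << (n.bit_length() // k + 1)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if mid ** k <= n:
            lo = mid
        else:
            hi = mid - 1
    return lo


def frac_bits(p, k):
    """First 32 bits of the fractional part of the k-th root of p."""
    return iroot(p << (32 * k), k) & MASK


PRIMES = first_primes(64)
# Initial hash state: square roots of the first 8 primes.
H0 = [frac_bits(p, 2) for p in PRIMES[:8]]
# Round constants: cube roots of the first 64 primes.
K = [frac_bits(p, 3) for p in PRIMES]


def rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK


def sha256(msg: bytes) -> bytes:
    # Padding: 0x80, zero bytes, then the bit length as 64-bit big-endian.
    bit_len = len(msg) * 8
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + bit_len.to_bytes(8, "big")
    h = list(H0)
    for off in range(0, len(msg), 64):
        # Message schedule: 16 words from the block, expanded to 64.
        w = [int.from_bytes(msg[off + i:off + i + 4], "big") for i in range(0, 64, 4)]
        for t in range(16, 64):
            s0 = rotr(w[t - 15], 7) ^ rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            s1 = rotr(w[t - 2], 17) ^ rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):
            big_s1 = rotr(e, 6) ^ rotr(e, 11) ^ rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            t1 = (hh + big_s1 + ch + K[t] + w[t]) & MASK
            big_s0 = rotr(a, 2) ^ rotr(a, 13) ^ rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t2 = (big_s0 + maj) & MASK
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return b"".join(x.to_bytes(4, "big") for x in h)


def cross_check():
    """Compare against hashlib on constructed inputs around the padding edges."""
    samples = [b"", b"abc", b"a" * 55, b"a" * 56, b"a" * 64, b"x" * 1000]
    return all(sha256(m) == hashlib.sha256(m).digest() for m in samples)


if __name__ == "__main__":
    print("H0[0] =", hex(H0[0]), " K[0] =", hex(K[0]))
    print("sha256(b'abc') =", sha256(b"abc").hex())
    print("matches hashlib:", cross_check())
```

Agreement with an independent implementation shows the function is fully specified and reproducible; it says nothing about cryptanalytic strength, which is the separate question the thread argues over.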
Actually, I had a similar intuition about it.
In fall 2013, I was wrapping up my degree in mathematics at the University of British Columbia, taking a course in number theory, which is the mathematics field that gives rise to this kind of technology. Since it was 2013, the professor, along with many other Canadian professors, had much to say about the Snowden revelations. One thing was that the NSA and British intelligence service had solved many cryptographic puzzles the world thought had not been solved, and the other was his speculation that Bitcoin was created by an intelligence service, given its technological basis in cryptography.
For these reasons, in addition to the fact that there seems to be a disconnect between how difficult number theory is and the number of crypto ‘experts’ there are out there, I have been deeply skeptical of crypto-currency.
Missing in the discussion is mention of the recent book by N Perlroth, "This Is How They Tell Me the World Ends" -- by a journalist covering cyber security for the New York Times, it's an accessible account of how code travels and to what effect.
The private/public key encryption used in bitcoin is secp256k1 which was not made by the NSA.
SHA-256 meanwhile has been battle tested over long periods of time. Many coders are skeptical of what comes from the NSA and some encryption they’ve released has had backdoors. SHA-256 though has earned trust through the years of study and analysis of it.
In the programmer world, much like science or math, it doesn’t matter a thing's origins, what matters is the peer review. It actually is in the interest of the NSA to create unbreakable encryption, because any backdoor could be exploited by someone else.
(Another software engineer here, not a particular expert on cryptography but I use hash functions routinely as part of my work, and have read about the history of my field)
I think your second hypothesis on "the unacknowledged spin-off of publicly-funded investment" is closer to the mark and indeed helps answer your first question as well.
The history of cryptography is a series of expansions of applications that surprised everyone involved. The earliest pioneers thought of themselves as doing number theory, the purest subfield of math and one of the least likely to have any applications. During the Cold War, it became a field dominated by national-security institutions like the NSA, with a small number of publicly funded academics popularizing their work. During the dot-com boom it started to become primarily associated with doing business/banking on the Internet: but at the time SHA-2 was published in 2001, the deepest experts in the field still worked at institutions like the NSA, with Silicon Valley cryptographers being relative amateurs in comparison. So the pragmatic dot-coms were happy to make use of the NSA's superior work.
By 2008 when Satoshi wrote the whitepaper, cryptography had largely passed this liminal period and was now a primarily commercial enterprise. The best new hash functions published in 2008 were mostly authored by private actors (with NIST playing an increasingly minor role as contest organizer). But Satoshi did not trust these because they were too new and unseasoned. He instead picked a slightly older hash function which had by then matured to very wide use. He trusted it because if there had been a problem, commercial users would have found it because they staked their businesses on it, or academics would've found it because they could've published a high-profile conference paper about it.