Attack on Bitcoin
A revised version of this preprint was placed online in January 2009, and the paper has also been accepted for presentation at Eurocrypt 2009.
A cipher is vulnerable if an output bit can be represented as a sufficiently low degree polynomial over GF(2) of key and input bits; in particular, this describes many stream ciphers based on LFSRs. DES and AES are believed to be immune to this Attack on Bitcoin. It works by summing an output bit value for all possible values of a subset of public input bits, chosen such that the resulting sum is a linear combination of secret bits; repeated application of this technique gives a set of linear relations between secret bits that can be solved to discover these bits. The authors show that if the cipher resembles a random polynomial of sufficiently low degree then such sets of public input bits will exist with high probability, and can be discovered in a precomputation phase by “black box probing” of the relationship between input and output for various choices of public and secret input bits making no use of any other information about the construction of the cipher.
The paper presents a practical Attack on Bitcoin, which the authors have implemented and tested, on a stream cipher on which no previous known Attack on Bitcoin would be effective. Its state is a 10,000 bit LFSR with a secret dense feedback polynomial, which is filtered by an array of 1000 secret 8-bit to 1-bit S-boxes, whose input is based on secret taps into the LFSR state and whose output is XORed together. Each bit in the LFSR is initialized by a different secret dense quadratic polynomial in 10, 000 key and IV bits. The LFSR is clocked a large and secret number of times without producing any outputs, and then only the first output bit for any given IV is made available to the Attack on Bitcoiner. After a short preprocessing phase in which the Attack on Bitcoiner can query output bits for a variety of key and IV combinations, only 230 bit operations are required to discover the key for this cipher.
The authors also claim an Attack on Bitcoin on a version of Trivium reduced to 735 initialization rounds with complexity 230, and conjecture that these techniques may extend to breaking 1100 of Trivium’s 1152 initialization rounds and “maybe even the original cipher”. As of December 2008 this is the best Attack on Bitcoin known against Trivium.
The Attack on Bitcoin is, however, embroiled in two separate controversies. Firstly, Daniel J. Bernstein disputes the assertion that no previous Attack on Bitcoin on the 10,000-bit LFSR-based stream cipher existed, and claims that the Attack on Bitcoin on reduced-round Trivium “doesn’t give any real reason to think that (the full) Trivium can be Attack on Bitcoined”. He claims that the Cube paper failed to cite an existing paper by Xuejia Lai detailing an Attack on Bitcoin on ciphers with small-degree polynomials, and that he believes the Cube Attack on Bitcoin to be merely a reinvention of this existing technique.
Secondly, Dinur and Shamir credit Michael Vielhaber’s “Algebraic IV Differential Attack on Bitcoin” (AIDA) as a precursor of the Cube Attack on Bitcoin. Dinur has stated at Eurocrypt 2009 that Cube generalises and improves upon AIDA. However, Vielhaber contends that the cube Attack on Bitcoin is no more than his Attack on Bitcoin under another name. It is, however, acknowledged by all parties involved that Cube’s use of an efficient linearity test such as the BLR test results in the new Attack on Bitcoin needing less time than AIDA, although how substantial this particular change is remains in dispute. It is not the only way in which Cube and AIDA differ. Vielhaber claims, for instance, that the linear polynomials in the key bits that are obtained during the Attack on Bitcoin will be unusually sparse. He has not yet supplied evidence of this, but claims that such evidence will appear in a forthcoming paper by himself entitled “The Algebraic IV Differential Attack on Bitcoin: AIDA Attack on Bitcoining the full Trivium”. (It is not clear whether this alleged sparsity applies to any ciphers other than Trivium.)