On Bitcoin Security in the Presence of Broken Cryptographic Primitives

Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9879)


Digital currencies like Bitcoin rely on cryptographic primitives to operate. However, past experience shows that cryptographic primitives do not last forever: increased computational power and advanced cryptanalysis cause primitives to break frequently, and motivate the development of new ones. It is therefore crucial for maintaining trust in a cryptocurrency to anticipate such breakage.

We present the first systematic analysis of the effect of broken primitives on Bitcoin. We identify the core cryptographic building blocks and analyze the ways in which they can break, and the subsequent effect on the main Bitcoin security guarantees. Our analysis reveals a wide range of possible effects depending on the primitive and type of breakage, ranging from minor privacy violations to a complete breakdown of the currency. Our results lead to several observations on, and suggestions for, the Bitcoin migration plans in case of broken or weakened cryptographic primitives.


Hash Function Signature Scheme Contingency Plan Cryptographic Primitive Cryptographic Hash Function 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Alert, B.: Some miners generating invalid blocks, 4 July 2015. Accessed: 11 Feb 2016
  2. 2.
    Andreeva, E., Mennink, B.: Provable chosen-target-forced-midfix preimage resistance. In: Miri, A., Vaudenay, S. (eds.) SAC 2011. LNCS, vol. 7118, pp. 37–54. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  3. 3.
    Androulaki, E., Karame, G.O., Roeschlin, M., Scherer, T., Capkun, S.: Evaluating user privacy in Bitcoin. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 34–51. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  4. 4.
    Antonopoulos, A.M.: Mastering Bitcoin: Unlocking Digital Crypto-Currencies, 1st edn. O’Reilly Media Inc. (2014)Google Scholar
  5. 5.
    Barber, S., Boyen, X., Shi, E., Uzun, E.: Bitter to better — how to make Bitcoin a better currency. In: Keromytis, A.D. (ed.) FC 2012. LNCS, vol. 7397, pp. 399–414. Springer, Heidelberg (2012)Google Scholar
  6. 6.
    Benger, N., van de Pol, J., Smart, N.P., Yarom, Y.: “Ooh Aah.. Just a Little Bit”: a small amount of side channel can go a long way. In: Batina, L., Robshaw, M. (eds.) CHES 2014. LNCS, vol. 8731, pp. 75–92. Springer, Heidelberg (2014)Google Scholar
  7. 7.
    Bhargavan, K., Leurent, G.: Transcript collision attacks: breaking authentication in TLS, IKE, and SSH. In: Annual Network and Distributed System Security Symposium (NDSS) (2016)Google Scholar
  8. 8.
    Biryukov, A., Khovratovich, D., Pustogarov, I.: Deanonymisation of clients in Bitcoin P2P network. In: ACM Conference on Computer and Communications Security (CCS) (2014)Google Scholar
  9. 9.
    Blake-Wilson, S., Menezes, A.: Unknown key-share attacks on the station-to-station (STS) protocol. In: Imai, H., Zheng, Y. (eds.) PKC 1999. LNCS, vol. 1560, pp. 154–170. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  10. 10.
    Bonneau, J., Miller, A., Clark, J., Narayanan, A., Kroll, J., Felten, E.: SoK: research perspectives and challenges for Bitcoin and cryptocurrencies. In: IEEE Symposium on Security and Privacy (SP) (2015)Google Scholar
  11. 11.
    Nguyên, P.Q., Stern, J., Coron, J.-S., Dodis, Y., Malinaud, C., Puniya, P.: Merkle-Damgård revisited: how to construct a hash function. In: Shoup, V. (ed.) CRYPTO 2005. LNCS, vol. 3621, pp. 430–448. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  12. 12.
    Courtois, N.T., Bahack, L.: On subversive miner strategies and block withholding attack in Bitcoin digital currency. ArXiv e-prints 1402.1718 (2014).
  13. 13.
    Decker, C., Wattenhofer, R.: Bitcoin transaction Malleability and MtGox. In: Kutyłowski, M., Vaidya, J. (eds.) ICAIS 2014, Part II. LNCS, vol. 8713, pp. 313–326. Springer, Heidelberg (2014)Google Scholar
  14. 14.
    Dodis, Y., Ristenpart, T., Steinberger, J., Tessaro, S.: To hash or not to hash again? (in)differentiability results for H \(^\text{2 }\) and HMAC. In: Safavi-Naini, R., Canetti, R. (eds.) CRYPTO 2012. LNCS, vol. 7417, pp. 348–366. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  15. 15.
    Eyal, I.: The miner’s dilemma. In: IEEE Symposium on Security and Privacy (SP) (2015)Google Scholar
  16. 16.
    Eyal, I., Sirer, E.G.: Majority is not enough: Bitcoin mining is vulnerable. In: Christin, N., Safavi-Naini, R. (eds.) FC 2014. LNCS, vol. 8437, pp. 431–449. Springer, Heidelberg (2014)Google Scholar
  17. 17.
    Garay, J., Kiayias, A., Leonardos, N.: The Bitcoin backbone protocol: analysis and applications. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9057, pp. 281–310. Springer, Heidelberg (2015)Google Scholar
  18. 18.
    Gervais, A., Ritzdorf, H., Karame, G.O., Capkun, S.: Tampering with the delivery of blocks and transactions in Bitcoin. In: ACM Conference on Computer and Communications Security (CCS) (2015)Google Scholar
  19. 19.
    Goldwasser, S., Micali, S., Rivest, R.L.: A digital signature scheme secure against adaptive chosen-message attacks. SIAM J. Comput. (SICOMP) 17(2), 281–308 (1988)MathSciNetCrossRefzbMATHGoogle Scholar
  20. 20.
    Grover, L.K.: A fast quantum mechanical algorithm for database search. In: Annual ACM Symposium on Theory of Computing (STOC) (1996)Google Scholar
  21. 21.
    Heilman, E., Kendler, A., Zohar, A., Goldberg, S.: Eclipse attacks on Bitcoin’s peer-to-peer network. In: USENIX Security Symposium (USENIX Security) (2015)Google Scholar
  22. 22.
    Hoch, J.J., Shamir, A.: On the strength of the concatenated hash combiner when all the hash functions are weak. In: Aceto, L., Damgård, I., Goldberg, L.A., Halldórsson, M.M., Ingólfsdóttir, A., Walukiewicz, I. (eds.) ICALP 2008, Part II. LNCS, vol. 5126, pp. 616–630. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  23. 23.
    Joux, A.: Multicollisions in iterated hash functions. application to cascaded constructions. In: Franklin, M. (ed.) CRYPTO 2004. LNCS, vol. 3152, pp. 306–316. Springer, Heidelberg (2004)CrossRefGoogle Scholar
  24. 24.
    Karame, G.O., Androulaki, E., Roeschlin, M., Gervais, A., Čapkun, S.: Misbehavior in Bitcoin: a study of double-spending and accountability. ACM Trans. Inf. Syst. Secur. (TISSEC) 18(1), 2 (2015)CrossRefGoogle Scholar
  25. 25.
    Karame, G.O., Androulaki, E., Čapkun, S.: Double-spending fast payments in Bitcoin. In: ACM Conference on Computer and Communications Security (CCS) (2012)Google Scholar
  26. 26.
    Kelsey, J., Kohno, T.: Herding hash functions and the nostradamus attack. In: Vaudenay, S. (ed.) EUROCRYPT 2006. LNCS, vol. 4004, pp. 183–200. Springer, Heidelberg (2006)CrossRefGoogle Scholar
  27. 27.
    Kelsey, J., Schneier, B.: Second preimages on n-bit hash functions for much less than 2\(^{n}\) work. In: Cramer, R. (ed.) EUROCRYPT 2005. LNCS, vol. 3494, pp. 474–490. Springer, Heidelberg (2005)CrossRefGoogle Scholar
  28. 28.
    Khovratovich, D., Rechberger, C., Savelieva, A.: Bicliques for preimages: attacks on Skein-512 and the SHA-2 family. In: Canteaut, A. (ed.) FSE 2012. LNCS, vol. 7549, pp. 244–263. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  29. 29.
    Kroll, J.A., Davey, I.C., Felten, E.W.: The economics of Bitcoin mining, or Bitcoin in the presence of adversaries. In: Workshop on the Economics of Information Security (WEIS) (2013)Google Scholar
  30. 30.
    Leurent, G., Wang, L.: The sum can be weaker than each part. In: Oswald, E., Fischlin, M. (eds.) EUROCRYPT 2015. LNCS, vol. 9056, pp. 345–367. Springer, Heidelberg (2015)Google Scholar
  31. 31.
    Mendel, F., Nad, T., Schläffer, M.: Improving local collisions: new attacks on reduced SHA-256. In: Johansson, T., Nguyen, P.Q. (eds.) EUROCRYPT 2013. LNCS, vol. 7881, pp. 262–278. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  32. 32.
    Mendel, F., Peyrin, T., Schläffer, M., Wang, L., Wu, S.: Improved cryptanalysis of reduced RIPEMD-160. In: Sako, K., Sarkar, P. (eds.) ASIACRYPT 2013, Part II. LNCS, vol. 8270, pp. 484–503. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  33. 33.
    Merkle, R.C.: A digital signature based on a conventional encryption function. In: Pomerance, C. (ed.) CRYPTO 1987. LNCS, vol. 293, pp. 369–378. Springer, Heidelberg (1988)Google Scholar
  34. 34.
    Nakamoto, S.: Bitcoin: a peer-to-peer electronic cash system (2008).
  35. 35.
    Nakamoto, S.: Bitcoin source code v0.1.0: Util.h. (2009). Accessed: 11 Feb 2016
  36. 36.
    Nakamoto, S.: Dealing with SHA-256 collisions (msg #6), 14 June 2010. Accessed: 11 Feb 2016
  37. 37.
    Nakamoto, S.: Hash() function not secure (msg #28), 16 July 2010. Accessed: 11 Feb 2016
  38. 38.
    Ohtahara, C., Sasaki, Y., Shimoyama, T.: Preimage attacks on step-reduced RIPEMD-128 and RIPEMD-160. In: Lai, X., Yung, M., Lin, D. (eds.) Inscrypt 2010. LNCS, vol. 6584, pp. 169–186. Springer, Heidelberg (2011)CrossRefGoogle Scholar
  39. 39.
    Okupski, K.: Bitcoin developer reference working paper (2015). Accessed: 11 Feb 2016
  40. 40.
    Proos, J., Zalka, C.: Shor’s discrete logarithm quantum algorithm for elliptic curves. Quantum Inf. Comput. 3(4), 317–344 (2003)MathSciNetzbMATHGoogle Scholar
  41. 41.
    Reid, F., Harrigan, M.: An analysis of anonymity in the Bitcoin system. In: Altshuler, Y., Elovici, Y., Cremers, A.B., Aharony, N., Pentland, A. (eds.) Security and Privacy in Social Networks, pp. 197–223. Springer, New York (2013)CrossRefGoogle Scholar
  42. 42.
    Ron, D., Shamir, A.: Quantitative analysis of the full Bitcoin transaction graph. In: Sadeghi, A.-R. (ed.) FC 2013. LNCS, vol. 7859, pp. 6–24. Springer, Heidelberg (2013)CrossRefGoogle Scholar
  43. 43.
    Standards for Efficient Cryptography: Sec 2: Recommended elliptic curve domain parameters version 2.0 (2010).
  44. 44.
    Tschorsch, F., Scheuermann, B.: Bitcoin and beyond: a technical survey on decentralized digital currencies. Cryptology ePrint Archive, Report 2015/464 (2015).
  45. 45.
    Wiki, B.: Protocol rules, 11 March 2014. Accessed: 11 Feb 2016
  46. 46.
    Wiki, B.: Contingency plans, 15 May 2015. Accessed: 11 Feb 2016
  47. 47.
    Yarom, Y., Benger, N.: Recovering OpenSSL ECDSA nonces using the FLUSH+RELOAD cache side-channel attack. Cryptology ePrint Archive, Report 2014/140 (2014).

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  1. 1.University of OxfordOxfordUK

Personalised recommendations