## How to steal all coins

In Bitcoin, all transactions and balances are visible to everyone. If you want to spend someone else’s coins, you just need to pick any unspent transaction, figure out its secret key and make another transaction moving the money to one of your addresses. How hard can it be?

First of all, all transactions use elliptic curve cryptography (ECDSA) with public/private key pairs. The idea is that it is easy to compute a public key from a private one, but very hard to do the reverse. Unfortunately, we cannot know for sure that a relatively fast way to find private keys will not be discovered in the future. Also, there is already an efficient quantum algorithm to do just that (provided you have a big enough quantum computer).

But ECDSA public keys are not exposed. Every publicly visible address is a hash of a public key, not the key itself. More specifically, the public key is hashed with two algorithms: RIPEMD160(SHA256(pubkey)). If you wish to spend money from any given address, you not only have to find a private key, but also find a public key which produces the exact same address. This is called a “preimage attack”. (Pedantic note: if you spend coins from an address, you expose its public key, which is one more reason not to reuse addresses and to always generate new ones for accepting payments.)
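As an added illustration (not code from the original post), the Python below computes RIPEMD160(SHA256(pubkey)) for a public key and turns it into the familiar address string. The Base58Check step (version byte `0x00` plus a 4-byte double-SHA-256 checksum) is not described in the post, and the function names are chosen here. RIPEMD-160 is written out in pure Python because `hashlib` only offers it when the local OpenSSL build does.

```python
import hashlib, struct
# RIPEMD-160 step tables, one hex digit per step: message word order (M*), rotation (R*).
ML = "0123456789abcdef74d1a6f3c0952eb83ae49f812706db5c19ba08c4d37fe56240597c2ae138b6fd"
MR = "5e7092b4d6f81a3c6b370d5aef8c4912f5137e69b8c2a04d86413bf05c2d97aecfa4158762de039b"
RL = "befc5879bdef6798768db97f7cf9b7dcbd67e9dfe8d65c75bcefef989e56865c9f5b68dc5cdeb856"
RR = "899bdff5778beec69df7c89b77c76fdb97fb866ecd5edd75f58bee6e69c9c5f885c9c5e68d65fdbb"
KL = (0, 0x5A827999, 0x6ED9EBA1, 0x8F1BBCDC, 0xA953FD4E)
KR = (0x50A28BE6, 0x5C4DD124, 0x6D703EF3, 0x7A6D76E9, 0)
M32 = 0xFFFFFFFF
F = (lambda x, y, z: x ^ y ^ z, lambda x, y, z: (x & y) | (~x & z),
     lambda x, y, z: (x | ~y) ^ z, lambda x, y, z: (x & z) | (y & ~z),
     lambda x, y, z: x ^ (y | ~z))
B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

def rol(v, n):
    v &= M32
    return ((v << n) | (v >> (32 - n))) & M32

def ripemd160(msg):
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0]
    msg += b"\x80" + b"\x00" * ((55 - len(msg)) % 64) + struct.pack("<Q", 8 * len(msg))
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        left, right = list(h), list(h)
        for j in range(80):  # two parallel lines of 80 steps each
            for s, m, rot, k, f in ((left, ML, RL, KL[j >> 4], F[j >> 4]),
                                    (right, MR, RR, KR[j >> 4], F[4 - (j >> 4)])):
                a, b, c, d, e = s
                t = rol(a + f(b, c, d) + x[int(m[j], 16)] + k, int(rot[j], 16)) + e
                s[:] = [e, t & M32, b, rol(c, 10), d]
        h = [(h[(i + 1) % 5] + left[(i + 2) % 5] + right[(i + 3) % 5]) & M32 for i in range(5)]
    return struct.pack("<5I", *h)

def hash160(pubkey):
    # The 20-byte value an address commits to: RIPEMD160(SHA256(pubkey)).
    return ripemd160(hashlib.sha256(pubkey).digest())

def p2pkh_address(pubkey, version=b"\x00"):
    # Base58Check: version byte + hash160 + first 4 bytes of double SHA-256 as checksum.
    payload = version + hash160(pubkey)
    payload += hashlib.sha256(hashlib.sha256(payload).digest()).digest()[:4]
    n, out = int.from_bytes(payload, "big"), ""
    while n:
        n, rem = divmod(n, 58)
        out = B58[rem] + out
    return "1" * (len(payload) - len(payload.lstrip(b"\x00"))) + out

# Well-known test value: the compressed public key for private key 1 (the curve generator).
PUBKEY = bytes.fromhex("0279be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798")
```

Calling `p2pkh_address(PUBKEY)` returns the address string, and `hash160(PUBKEY)` returns the 20 bytes that an observer sees until the key is revealed by a spend.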

Obviously, two different hash functions are used in case one of them becomes weak to preimage attacks. Let’s say you have an efficient way to find preimages for RIPEMD-160 (faster than brute force). Then you would still have to attack SHA-256 in order to find its preimage. And even if you succeed there, you will have to start searching for the ECDSA private key matching the SHA-256 preimage you have just discovered.

The interesting question is why these two specific hash functions were chosen. RIPEMD-160 is nice because it produces the shortest possible hash among non-broken hash functions (which makes the address as compact as possible). But I couldn’t find any definitive answer as to why SHA-256 is needed as well, so here’s my understanding.

Both algorithms are widely used and no weaknesses have been found in them yet (although there are known weaknesses in reduced versions of them). Moreover, SHA-256 was designed in the US by NIST, while RIPEMD-160 was designed at KU Leuven university in Belgium. In other words, both functions come from very different places and were designed for different customers. This reduces the likelihood of finding a common weakness and also acts as a precaution against a potential backdoor left by the US or the EU.

In the end, all coins are available for everyone to inspect, but each address is protected by 3 independent, distinct algorithms. So if there is an intentional or accidental weakness in any one of them, the other two are likely to remain strong.