I still doubt that there's a backdoor in the NIST curves because they're still widely used and recommended for top secret information, among other reasons.
If there were a backdoor and it leaked (or the math behind it was independently rediscovered!) the result could be catastrophic. Snowden showed that the NSA is absolutely vulnerable to leaks.
A trapdoor back door would require knowing some secret value. It is very much possible that this secret value could remain secret by not being written down in any electronic document. It would exist on some code breaking hardware, but like the cocoa cola recipe it could be known by only a few people in the world and still be useful.
Seems like the typical heist movie at first, but the main action arc is just to steal the hardware key. Steeling the actual (digital) coins is then the most boring part of the film.
That's why you make the thieves be white-hats hired by the government to steal the key. Then it becomes a cloak-and-dagger affair where you have to unravel who's working for who and which side is really the bad guy.
And decrypting cryptocoins is too obscure. For maximum effect, make the key able to break all encryption.
When someone puts some effort into making an indirect reference like that, they appreciate their work having been noticed. That's the role my comment was performing.
The construction of the NIST curves essentially preludes trapdoors.
It doesn't completely preclude having a purposefully weak curve based on some publicly unknown weakness. ... but at the same time it also doesn't preclude the the curves having been selected to be stronger against some publicly unknown weakness (as was done with DES).
My comment was pointing out that those NIST curves like P-256 and P-224 can't have a trapdoor-- meaning a hidden secret key that allows the NSA and only the NSA to compromise the use-- in the curve themselves.
Some application of the curve could have its own trapdoor, as dualECdrbg did.
Well the NIST curves use random primes, and they're not the obvious, largest possible primes that meet the necessary security requirements. So maybe they were chosen according to their susceptibility to some unknown attack (or, charitably, their non-susceptibility). I think we agree up to this point.
But when the space of potential attacks is an unknown-unknown, can we really constrain with confidence what attacks might exist? Maybe the prime group was chosen to have some relationship to a composite group for which the NSA knows the prime factors? I know this doesn't jive with our current understanding of number theory, but the point is it is hard to speculate about unknown-unknowns. Can we be certain that every crazy thing we think of is ruled out by our proven, not conjectured understanding of number theory?
My post specifically pointed out "It doesn't completely preclude having a purposefully weak curve based on some publicly unknown weakness." -- just that there is nowhere to embed a secret key that only the NSA would know. The only room in it would be for narrow vulnerabilities that others could discover-- just because there aren't that many bits of control.
[As an, aside, the NIST curves do not use random primes, E.g. P-256 is 2^256 - 2^224 + 2^192 + 2^96 - 1, which is a solinas prime with a pretty obvious performance driven structure. As is the case for all the other NIST P-whatever curves. Using primes chosen for field performance is pretty common, e.g. curve 25519 uses a crandall prime]
This is silly. secp256k1 and secp256r1 are curves (or, standards based on parameters describing a curve). Dual_EC is a PKRNG that uses curves.
You don't need curve magic to see the problem with Dual_EC; it's an RNG that works by transforming its state with a public key encryption primitive, which begs the obvious question "who holds the private key?". Dual_EC was so obviously problematic (and so slow) that many people, Schneier included, questioned whether it actually was a backdoor at all (full disclosure: I'm one of those people).
To believe the NIST curves generated from random numbers are backdoored, you essentially have to believe that there is a class of curves susceptible to some hitherto unknown attack that is large enough that NSA could find it by brute forcing hashes, but not so large that any other researcher got any inkling that the vulnerability existed. In particular: unlike Dual_EC, which is straightforwardly a backdoor, with its own special key, for NIST curves to be "backdoored" there has to be some underlying vulnerability in a particular curve structure to exploit. This isn't my argument, by the way; it's shoplifted from Koblitz and Menezes.
You shouldn't use the NIST curves! They're hard to implement securely. Curve25519 has better ergonomics and is much safer out of the box. But conspiracy-theoretic stuff linking Dual_EC to NIST curves is always painful to read.
I don't think it's really a conspiracy theory. Recall that before the Dual_EC affair, the reputation of the NSA was that they were a benevolent force that helped strengthen DES against differential cryptanalysis before it was publicly discovered. The Dual_EC affair marked a turning point where people started to seriously consider the possiblility that the NSA was a malevolent actor weakening primatives for their own benefit.
Also the problem with Dual_EC wasn't just the bad design, but that they had (reportedly) paid RSA corporation to use it.
I find comments like these absolutely baffling. I learned what the NSA was from Schneier's Applied Cryptography, which I bought when I was a senior in high school, back in 1994. Throughout the book, NSA is depicted as adversarial to cryptography. They're the NSA of the Clipper chip, and of global bans on cryptography, and "this t-shirt is a munition". There has never been a point in my professional life where NSA wasn't the global adversary.
Until I started talking about this stuff on HN, it never would have occurred to me that anyone would think NSA had this benevolent reputation. Based on the timing, I suspect that's not because I'm encountering people with different priors about NSA, but rather that I'm talking to people with no priors about NSA.
The NSA had a benevolent reputation with regards to primitives, not in general. The thinking was that the NSA would not structurally weaken encryption standards, because USG uses these primitives too, so they would be shooting themselves in the foot by inserting backdoors - don't shit in your own backyard basically.
They did this by 2-folds. One strengthening by changing its inner workings so it will be immune to cryptographic attacks, but on the other hand they lowered the key space, which allowed them to brute-force it. Luckily we learn it by now, the longer the key, the better.
Pseudorandom parameter selection of NIST P-curves, including secp256r1 has created much controversy within the cypherpunk community in the early 2000s. the theory is that the NSA discovered a class of secret curves with an unknown special weakness, and then bruteforced the random seed that would generate the weak curve. [0] On the other hand, secp256k1's parameters were not generated by random seeds. [1]
I think the important fact is not whether secp256r1 has a backdoor, but the decision of selecting secp256k1 by Satoshi Nakamoto for the use in Bitcoin. At the time, secp256k1 was the only widely-implemented non-P curve in various crypto libraries, and almost nobody used it at the time. It seems the entire decision of using secp256k1 was made to avoid secp256r1. This is another piece of evidence that Satoshi Nakamoto must have beee active in the 1990-2000 cypherpunk community, so that he was well-aware of those discussions. This should shed some light on his possible identity.
--
[0] DJB's paper how to manipulate curve standards [2] is DJB's attempt of creating the strongest argument for this claim. But even in his analysis, overall it's not too plausible, there's little evidence that such a class of secret curves exists and it required huge computation (2^80), it's on the edge of what was possible, but the pseudorandom parameter selection is certainly technically unfavorable as he demonstrated.
> It seems the entire decision of using secp256k1 was made to avoid secp256r1. This is another piece of evidence that Satoshi Nakamoto must have beee active in the 1990-2000 cypherpunk community, so that he was well-aware of those discussions. This should shed some light on his possible identity.
I was well aware of all that, at the time and now, without being active in the cypherpunk community. Granted, I was in college for a CS and math degree, but the cypherpunk community was pretty loud if you were listening at all.
Yes, it's another way to interpret his choice. "Satoshi being a member of the Cypherpunk" is only one possibility. It's entirely possible that he wasn't active at all, and his familiarity of Cypherpunks was from his learning, not from the participation.
karma -50 and account created in 2013 :D pg_is_a_butt is my alter ego. I'm not worthy. (though my account was hell banned for a long time and I soldiered on regardless :)
Ok I think it's our civic duty to follow pg_is_a_butt around and upvote his comments :D pg_is_a_butt 10k karma or bust!
"Evidence that Satoshi Nakamoto must have beee active in the 1990-2000 cypherpunk community, so that he was well-aware of those discussions. This should shed some light on his possible identity."
I dont think so .... that's just noise. He might have just asked around and received advise from friends/colleagues or random stranger what should be avoided. You are reading too much into this. This sheds no light on possible identity. Only identity it sheds light on is how your mind works with tiny information and how you confuse noise for signal.
You are claiming it is noise with no reasoning behind it. If his friends or colleagues knew about this curve, wouldn't that imply they were part of the community.and this he was part of the community?
I'm not sure why you would take such a strong position that amounts to 'nope just noise'.
Sometimes, people can make wrong assumptions by reading one's words alone. First, not everything is carefully worded, sometimes you choose the wrong words and didn't realize until someone responded. Also, not all context/information is necessarily expressed - for example, you know an argument, and you already know more information about your argument, you don't always write them down, because talking on a forum is not your exam. Another example is when you know an argument and its counterargument, and you talk about the argument, someone may come and say: "you are misguided, don't you know its counterargument"? Second, no tone, facial expression, or other social hints are preserved, when you talk about an argument casually, others may assume that you are serious.
When I claimed that Satoshi was active in the cypherpunk group, I didn't say that I was also thinking about the citations in the original Bitcoin paper, specifically, Wei Dai's "b-money" or Adam Back's "Hashcash", both came from the infosec community of the late 90s, and they are something that a member of the cypherpunk group should be intimately familiar with. An additional piece of information about his avoidance of using secp256r1 curve fits into the narrative well, and they can be circumstantial evidence if you buy into it. Also, I wasn't being serious at all, I mentioned it simply because it's just an interesting idea related to the original article and other readers may find the idea interesting as well, and I used the phrase "shed some lights", which, according to Merriam-Webster, is a phrase that means, "to make it possible to understand or know more about something", not a bad choice. Unfortunately, I misused the word "evidence", a pretty strong word. I should have used "circumstantial evidence" or "hints". while I was typing the original comment, I was also thinking about the possibility that Satoshi wasn't an active cypherpunk in the 2000s but simply a follower who had read the mailing list archive after the group became inactive, but I didn't mention either. I was not writing a background check for Satoshi, there's enough good articles on the Web.
When nonefromabove was replying my comment, nonefromabove, who was being unaware of anything of the above, must have deduced that I was fallen into the "connecting-the-dots" fallacy, or having a somewhat conspiracy theorist's attitude on Satoshi's identity, and I was being completely serious about it. Meanwhile, I was well-aware of the cognitive bias of overfitting data, and I was a fan of Nate Silver's The Signal and the Noise when his book came out. Nevertheless, I was told that I was "reading too much into this", and how "my mind works with tiny information and how I confuse noise for signal".
Perhaps, to avoid misunderstanding like this, we may use a "confidence" label, inc. "almost certain, likely, possible, unlikely", and a "tone" label, inc. "joke, casual, argument, serious", and so on.
Hey, can you please not cross into personal attack here? That's against the site rules, because we're trying for a bit better than internet default in this community.
If you wouldn't mind reading https://news.ycombinator.com/newsguidelines.html and participating in the spirit of this site, we'd be grateful. Your comment would be fine without the last sentence.
I don't know specifically about secp256r1, but in general, I think there were already a lot of suspicions and most people were wary of any ECC curves NIST or NSA had chosen by 2008 when Bitcoin was developed. [1]
In a purported email [2] (reasonably well attested to) from Satoshi Nakamato, he claimed
> I didn't find anything to recommend a curve type so I just... picked one.
Interesting, I didn't know the existence of the quote or the mail. So... if what Satoshi claimed is true, this choice was actually a pure coincidence and doesn't really have any significance, hmm. I don't know what to say - yet another strange coincidence in history I guess?
If there are fears and doubts, perhaps it would be safest to just assume the transport is clear text in risk ranking and adapt other counter-measures to fill perceived gaps.
For really sensitive flows, perhaps dark fiber + non standard ciphers + encrypting the payload with application layer encryption using non standard or custom ciphers. I mean, why not, if it's your own B2B flows. Take an existing cipher / protocol and make a few subtle changes. It's just math.
For end-user encryption, that would take some more thought and would probably get into layers of turtles.
There's a lot of ways to get encryption wrong. A few subtle changes could undo a very deliberate countermeasure for a somewhat obscure vulnerability. I don't think that's good advice.
I agree, but I would probably do it anyway if I were mitigating someones concerns. It could be a layer on top of the standard ciphers / protocols. I certainly would not do this for end-user comms. For B2B if you control both ends, maybe its a risk worth taking. Each entity would have to weigh the risks.
Rolling your own crypto is dreadful advice. You’re making tweaks to something to avoid a backdoor you don’t know exists and in the process likely opening yourself up a gaping hole in the middle.
Oh I would not suggest rolling your own crypto. Rather, just fork openssl and make a very subtle change to each formula. For in-house use of course.
Ages ago, I used to change up a rubix-cube for a friend. The more I changed it, the quicker he could solve it. If I made just a very subtle change, it would take him up to an extra 7 seconds to solve it.
That is likely to introduce vulnerabilities unless you are a subject-matter expert that understands the design of the things you are changing well enough to know which parameters were free choices.
My dude, there aren’t any “extra knobs” you can just turn and expect to maintain the security and integrity of a cryptographic solution. This isn’t some Node/React website we’re talking about. If you move one assembly opcode out of place you may end up disclosing your private key via side-channel attack — and that’s a best case outcome. The fact you’re so cavalier about this tells me you have no idea what you’re talking about. Ask an infosec person, then report back lol
This has nothing; and I do mean nothing to do with your Rubik’s cube analogy. One small tweak and the whole thing may be utterly worthless. It’s like if you were tweaking the starting position of the Rubik’s cube with a nuclear warhead.
So this article is six years old. Any update on the supposition? I guess no one's figured out yet whether the recommended magic number is a back door or not. My money is definitely on corrupted.
Odd the article doesn't mention the obvious conclusion; that Bitcoin was designed by NSA, or folks with intimate knowledge of NSA's back doors. I've long maintained that a US government agency is the most likely developer of Bitcoin (mostly because no one else could sit on that kind of $$$ forever). NSA is the most obvious agency. The question is.. why? I can speculate on lots of reasons.
Bitcoin was designed by an individual with intimate knowledge of the state of the art in suspicions of NSA backdoors.
You are assuming Satoshi is sitting on money. Satoshi took care to hide it’s identity, and thus would have switched mining to different addresses very early in bitcoins history.
It would have been obvious to Satoshi that spending from a known address would blow it’s identity, so only did so for testing.
Satoshi may well be a billionaire and spending bitcoin every day.
People seem to take comfort in this idea that bitcoin was created by a government... because bitcoin seems radical when you first learn about it. However the attempts to create it date back a couple decades before it was created. Satoshi combined existing inventions with just the new element of his time chain.
But even if the NSA were behind it, what could they do? Anything they could do could also be done by someone with a math breakthrough. So whether the attacker is the NSA or not bitcoin has to be robust against it.
So where is bitcoin vulnerable?
It’s easy to imagine vulnerabilities in the cryptography, but hard to produce them.
Further, if you did, it doesn’t necessarily affect bitcoin. This is bitcoin’s genius. It’s not software, it’s a set of incentives. Show an error in the software, it will be patched and bitcoin will carry on. Worst case is a hard fork.
> Bitcoin was designed by an individual with intimate knowledge of the state of the art in suspicions of NSA backdoors.
Insiders at the NSA (or any other TLA, foreign or domestic) also fit this description. The strongest position is to know both the truth, and the most compelling misconceptions.
I think it is a mistake for me to fight the “NSA created bitcoin” narrative. I am gleeful at Nelson not owning any bitcoin and want all like him who reject it for ideological reasons to continue to misunderstand it.
Freedom and human rights need financial backing, and bitcoin does that.
My thoughts exactly regarding the NSA creating Bitcoin. My theory is the blockchain gives them a way to do analysis on dirty money. Instead of having to hack or compel the next dirty bank they can look at the open ledger and figure it out. At first I thought it could be the CIA as a way to fund off the books ops but NSA makes more sense.
Either way there’s no way a single person holds on to a wallet that size. It’s also less likely someone/some group in China or Russia could hold on to wallet that size without it being pilfered.
You’re projecting your temptation into people based on your values, as is Nelson. But you are not Satoshi. Satoshi faces risk worse than Edward Snowden. The central bankers are far more formidable.
And the solution is easy: Satoshi mined initially to bootstrap bitcoin. He was the only one mining in the early days.
But then once there were enough other miners, all he had to do was destroy his private key.
If he’s greedy he just waited until he had enough bitcoin mined in other addresses that were never associated with him, before doing so.
Zero temptation. And hard to feel much regret... because he had opportunity to mine a great deal in those early years.
This is untrue-- we know other people who mined in the first days.
The way the initial released software worked, it wouldn't mine unless another peer was connected. So it's possible that there has never been a moment when there was only one party mining.
I know nothing of the Bitcoin structure now or then, but there’s a logic flaw there...
1) At some point during development he would have absolutely been the only one mining because the code only existed on his machine.
2) Requiring that another peer be available doesn’t mean that both peers couldn’t be run by the same person, even if they were run with different sets of keys. A peer in this case is a software construct, not a physical one.
Bitcoin is not a risk to the bankers. It’s just another vessel they can use to make money. It’s been 10 years and all bitcoin has done is make people think they can get rich by investing in it.
It the early 2010s it was billed as the Next Big Thing that was going to change the world. I’d argue Facebook has changed the world more than bitcoin, for better or worse.
Frankly, your response shows how revolutionary bitcoin is- it’s been ten years and you haven’t learned enough about it to understand it. That’s fine, most people haven’t, and bitcoin isn’t ready for the world to adopt it.
But not meeting your timeline expectations is not it’s fault. It doesn’t care.
62 comments
[ 1.5 ms ] story [ 122 ms ] threadIf there were a backdoor and it leaked (or the math behind it was independently rediscovered!) the result could be catastrophic. Snowden showed that the NSA is absolutely vulnerable to leaks.
And decrypting cryptocoins is too obscure. For maximum effect, make the key able to break all encryption.
When someone puts some effort into making an indirect reference like that, they appreciate their work having been noticed. That's the role my comment was performing.
It doesn't completely preclude having a purposefully weak curve based on some publicly unknown weakness. ... but at the same time it also doesn't preclude the the curves having been selected to be stronger against some publicly unknown weakness (as was done with DES).
[Not that I'd recommend them.]
My comment was pointing out that those NIST curves like P-256 and P-224 can't have a trapdoor-- meaning a hidden secret key that allows the NSA and only the NSA to compromise the use-- in the curve themselves.
Some application of the curve could have its own trapdoor, as dualECdrbg did.
But when the space of potential attacks is an unknown-unknown, can we really constrain with confidence what attacks might exist? Maybe the prime group was chosen to have some relationship to a composite group for which the NSA knows the prime factors? I know this doesn't jive with our current understanding of number theory, but the point is it is hard to speculate about unknown-unknowns. Can we be certain that every crazy thing we think of is ruled out by our proven, not conjectured understanding of number theory?
[As an, aside, the NIST curves do not use random primes, E.g. P-256 is 2^256 - 2^224 + 2^192 + 2^96 - 1, which is a solinas prime with a pretty obvious performance driven structure. As is the case for all the other NIST P-whatever curves. Using primes chosen for field performance is pretty common, e.g. curve 25519 uses a crandall prime]
You don't need curve magic to see the problem with Dual_EC; it's an RNG that works by transforming its state with a public key encryption primitive, which begs the obvious question "who holds the private key?". Dual_EC was so obviously problematic (and so slow) that many people, Schneier included, questioned whether it actually was a backdoor at all (full disclosure: I'm one of those people).
To believe the NIST curves generated from random numbers are backdoored, you essentially have to believe that there is a class of curves susceptible to some hitherto unknown attack that is large enough that NSA could find it by brute forcing hashes, but not so large that any other researcher got any inkling that the vulnerability existed. In particular: unlike Dual_EC, which is straightforwardly a backdoor, with its own special key, for NIST curves to be "backdoored" there has to be some underlying vulnerability in a particular curve structure to exploit. This isn't my argument, by the way; it's shoplifted from Koblitz and Menezes.
You shouldn't use the NIST curves! They're hard to implement securely. Curve25519 has better ergonomics and is much safer out of the box. But conspiracy-theoretic stuff linking Dual_EC to NIST curves is always painful to read.
Also the problem with Dual_EC wasn't just the bad design, but that they had (reportedly) paid RSA corporation to use it.
Until I started talking about this stuff on HN, it never would have occurred to me that anyone would think NSA had this benevolent reputation. Based on the timing, I suspect that's not because I'm encountering people with different priors about NSA, but rather that I'm talking to people with no priors about NSA.
I think the important fact is not whether secp256r1 has a backdoor, but the decision of selecting secp256k1 by Satoshi Nakamoto for the use in Bitcoin. At the time, secp256k1 was the only widely-implemented non-P curve in various crypto libraries, and almost nobody used it at the time. It seems the entire decision of using secp256k1 was made to avoid secp256r1. This is another piece of evidence that Satoshi Nakamoto must have beee active in the 1990-2000 cypherpunk community, so that he was well-aware of those discussions. This should shed some light on his possible identity.
--
[0] DJB's paper how to manipulate curve standards [2] is DJB's attempt of creating the strongest argument for this claim. But even in his analysis, overall it's not too plausible, there's little evidence that such a class of secret curves exists and it required huge computation (2^80), it's on the edge of what was possible, but the pseudorandom parameter selection is certainly technically unfavorable as he demonstrated.
[1] https://safecurves.cr.yp.to/rigid.html
[2] https://eprint.iacr.org/2014/571.pdf
I was well aware of all that, at the time and now, without being active in the cypherpunk community. Granted, I was in college for a CS and math degree, but the cypherpunk community was pretty loud if you were listening at all.
Ok I think it's our civic duty to follow pg_is_a_butt around and upvote his comments :D pg_is_a_butt 10k karma or bust!
I dont think so .... that's just noise. He might have just asked around and received advise from friends/colleagues or random stranger what should be avoided. You are reading too much into this. This sheds no light on possible identity. Only identity it sheds light on is how your mind works with tiny information and how you confuse noise for signal.
I'm not sure why you would take such a strong position that amounts to 'nope just noise'.
When I claimed that Satoshi was active in the cypherpunk group, I didn't say that I was also thinking about the citations in the original Bitcoin paper, specifically, Wei Dai's "b-money" or Adam Back's "Hashcash", both came from the infosec community of the late 90s, and they are something that a member of the cypherpunk group should be intimately familiar with. An additional piece of information about his avoidance of using secp256r1 curve fits into the narrative well, and they can be circumstantial evidence if you buy into it. Also, I wasn't being serious at all, I mentioned it simply because it's just an interesting idea related to the original article and other readers may find the idea interesting as well, and I used the phrase "shed some lights", which, according to Merriam-Webster, is a phrase that means, "to make it possible to understand or know more about something", not a bad choice. Unfortunately, I misused the word "evidence", a pretty strong word. I should have used "circumstantial evidence" or "hints". while I was typing the original comment, I was also thinking about the possibility that Satoshi wasn't an active cypherpunk in the 2000s but simply a follower who had read the mailing list archive after the group became inactive, but I didn't mention either. I was not writing a background check for Satoshi, there's enough good articles on the Web.
When nonefromabove was replying my comment, nonefromabove, who was being unaware of anything of the above, must have deduced that I was fallen into the "connecting-the-dots" fallacy, or having a somewhat conspiracy theorist's attitude on Satoshi's identity, and I was being completely serious about it. Meanwhile, I was well-aware of the cognitive bias of overfitting data, and I was a fan of Nate Silver's The Signal and the Noise when his book came out. Nevertheless, I was told that I was "reading too much into this", and how "my mind works with tiny information and how I confuse noise for signal".
Perhaps, to avoid misunderstanding like this, we may use a "confidence" label, inc. "almost certain, likely, possible, unlikely", and a "tone" label, inc. "joke, casual, argument, serious", and so on.
If you wouldn't mind reading https://news.ycombinator.com/newsguidelines.html and participating in the spirit of this site, we'd be grateful. Your comment would be fine without the last sentence.
In a purported email [2] (reasonably well attested to) from Satoshi Nakamato, he claimed
> I didn't find anything to recommend a curve type so I just... picked one.
[1] https://web.archive.org/web/20140621062515/http://archive.wi...
[2] https://archive.is/lHHSk
For really sensitive flows, perhaps dark fiber + non standard ciphers + encrypting the payload with application layer encryption using non standard or custom ciphers. I mean, why not, if it's your own B2B flows. Take an existing cipher / protocol and make a few subtle changes. It's just math.
For end-user encryption, that would take some more thought and would probably get into layers of turtles.
Ages ago, I used to change up a rubix-cube for a friend. The more I changed it, the quicker he could solve it. If I made just a very subtle change, it would take him up to an extra 7 seconds to solve it.
This has nothing; and I do mean nothing to do with your Rubik’s cube analogy. One small tweak and the whole thing may be utterly worthless. It’s like if you were tweaking the starting position of the Rubik’s cube with a nuclear warhead.
Odd the article doesn't mention the obvious conclusion; that Bitcoin was designed by NSA, or folks with intimate knowledge of NSA's back doors. I've long maintained that a US government agency is the most likely developer of Bitcoin (mostly because no one else could sit on that kind of $$$ forever). NSA is the most obvious agency. The question is.. why? I can speculate on lots of reasons.
You are assuming Satoshi is sitting on money. Satoshi took care to hide it’s identity, and thus would have switched mining to different addresses very early in bitcoins history.
It would have been obvious to Satoshi that spending from a known address would blow it’s identity, so only did so for testing.
Satoshi may well be a billionaire and spending bitcoin every day.
People seem to take comfort in this idea that bitcoin was created by a government... because bitcoin seems radical when you first learn about it. However the attempts to create it date back a couple decades before it was created. Satoshi combined existing inventions with just the new element of his time chain.
But even if the NSA were behind it, what could they do? Anything they could do could also be done by someone with a math breakthrough. So whether the attacker is the NSA or not bitcoin has to be robust against it.
So where is bitcoin vulnerable?
It’s easy to imagine vulnerabilities in the cryptography, but hard to produce them.
Further, if you did, it doesn’t necessarily affect bitcoin. This is bitcoin’s genius. It’s not software, it’s a set of incentives. Show an error in the software, it will be patched and bitcoin will carry on. Worst case is a hard fork.
Insiders at the NSA (or any other TLA, foreign or domestic) also fit this description. The strongest position is to know both the truth, and the most compelling misconceptions.
Freedom and human rights need financial backing, and bitcoin does that.
They are simply incapable of valuing any other human being, let alone comprehending that such human being might have superior knowledge in any area.
After all, the narcissist is the supreme being. At least in their reality.
To be fair, “Unabashedly elitist” was a confession — if one were wise enough to recognize it.
https://news.ycombinator.com/newsguidelines.html
Either way there’s no way a single person holds on to a wallet that size. It’s also less likely someone/some group in China or Russia could hold on to wallet that size without it being pilfered.
And the solution is easy: Satoshi mined initially to bootstrap bitcoin. He was the only one mining in the early days.
But then once there were enough other miners, all he had to do was destroy his private key.
If he’s greedy he just waited until he had enough bitcoin mined in other addresses that were never associated with him, before doing so.
Zero temptation. And hard to feel much regret... because he had opportunity to mine a great deal in those early years.
This is untrue-- we know other people who mined in the first days.
The way the initial released software worked, it wouldn't mine unless another peer was connected. So it's possible that there has never been a moment when there was only one party mining.
1) At some point during development he would have absolutely been the only one mining because the code only existed on his machine. 2) Requiring that another peer be available doesn’t mean that both peers couldn’t be run by the same person, even if they were run with different sets of keys. A peer in this case is a software construct, not a physical one.
Block 1 was created about 7 after the software was publicly released.
Whatever he did in development was thrown away, block 0 is an unspendable placeholder.
It the early 2010s it was billed as the Next Big Thing that was going to change the world. I’d argue Facebook has changed the world more than bitcoin, for better or worse.
Frankly, your response shows how revolutionary bitcoin is- it’s been ten years and you haven’t learned enough about it to understand it. That’s fine, most people haven’t, and bitcoin isn’t ready for the world to adopt it.
But not meeting your timeline expectations is not it’s fault. It doesn’t care.