A long-held bitcoin secret is about to be revealed.
No, itâs not the identity of Satoshi Nakamoto, itâs a private key the cryptocurrencyâs creator entrusted to several bitcoin developers that activates the protocolâs so-called âalert system,â once used to flash a text warning to those running the software in case something happened that could impact the security of their funds.
If you didnât know bitcoin had a warning system like this, thatâs because it was retired in 2016Â due to security concerns and frequent confusion about its use.
âThe alert system was a frequent source of misunderstanding about the security model and âeffective governance,'â well-known Bitcoin Core contributor Greg Maxwell wrote in a public email from September 2016.
In short, some in the bitcoin community thought it could be used to change that network rules that unite users, which isnât really the case. For example, a BitcoinJ developer once wanted to use the key to control fees, while a Bloq staffer pressed for Bitcoin Core developers to use the key to change the networkâs mining difficulty.
Plus, developers were worried that if the wrong person got ahold of the key, they could broadcast false messages or potentially cause panic.
As such, to some, the reveal â being undertaken by Bitcoin Core contributor Bryan Bishop â is a long time coming.
âFolks, itâs going to be an interesting show,â Bishop tweeted, followed by a string of tweets cryptographically proving heâs in possession of the secret key, without fully revealing it quite yet.
The reveal is the final step to destroying the system. After Bitcoin Core developers released new code in 2016 without the alert system, in January 2017, a âfinal alert messageâ was broadcast, which â by law of the code â made that message unable to be overridden by any other messages in the future.
Still, the private key needs to be displayed publicly so thereâs no possibility of reputation attacks against those developers that hold it.
Bishop told CoinDesk he plans to release it soon, though heâs not sure about the exact date, adding:
âItâs time. Iâm thinking about releasing the private key early July at Building on Bitcoin, though itâs not finalized yet.â
Still, it isnât as easy as it sounds.
Revealing the key is potentially dangerous for any cryptocurrencies that used an older version of bitcoinâs code to create their cryptocurrency and have not disabled the alert key mechanism in their own code.
âIf the copycats have not disabled the alert system, nor changed the alert key [public key], and if they have not sent whatâs known as a final alert message, then once the [bitcoin] keys are released, anyone will be able to send alerts on those [other] networks,â Bishop told CoinDesk.
Itâs happened before actually. Litecoin creator Charlie Lee recounted on Twitter just last week how the lesser-known Feathercoin protocol (which copied litecoinâs code) received litecoinâs alert about upgrading to the latest litecoin client.
And while that isnât a particularly nefarious example, Bishop said, controlling what alert messages are sent on various networks âsounds dangerous.â
As such, in Maxwellâs 2016 email, he said he had spent and would continue spending some time searching through other cryptocurrency codebases. If they were found to contain the alert key code from bitcoin, he vowed to notify those projects to remove that code.
Maxwell concluded:
âAt some point after that, I would then plan to disclose this private key in public, eliminating any further potential of reputation attacks and diminishing the risk of misunderstanding the key as some special trusted source of authority.â
But, two years later, neither Maxwell â nor any other Bitcoin Core developer â has revealed the key.
âItâs something we have wanted to release for a few years. Nobody took any action, though,â Bishop said.
But by now, the projects susceptible to this vulnerability have had time to remove the code and upgrade. Although, some of those projects might not have developers anymore, even though users and still trading and using the cryptocurrencies, which could mean thereâs been no update.
That said, Bishopâs giving these projects one last chance by sending messages on Twitter and through other channels.
Adding pressure that could prioritize the reveal, though, is that Bishop and others are worried about attacks on their reputation. For instance, if the private key was compromised and used to sign a message with bad intentions, it could be blamed on one of the Bitcoin Core developers whoâs known to have the key.
âNobody knows the full list of people that have access to the private key. A message could be signed by the private key, and the secrecy is a liability because some of the people who have the key are known in public to have the key,â Bishop said, pointing to the fact that those with the key that are unknown could blame people who are known to hold the key for nefarious messages.
Bishop recently used the alert key (without revealing it) to sign a simple text message that he then tweeted out, displaying how it could be used to trick users or cause confusion within the community.
Plus, he told CoinDesk, there are other long-standing vulnerabilities within the alert key setup that he plans to disclose when he reveals the key to the public.
As such, Bishop concluded:
âIt would be better if the key was released.â
Antique keys image via Shutterstock
