(The subtitle of the blog is "Computer history, restoring vintage computers, IC reverse engineering, and whatever" and it is full of fascinating articles, several of which have been featured here on HN)
Cool that this article implements the cryptography primitives, though!
e: Funnily, like the article, I also stored some BTC in a wallet and challenged people to (manually) take/steal it. At the time it was worth $10 USD.. now it's worth $123 USD!
A lot of busy, smart people have seemingly random side-projects. For example, Von Neumann:
"A professor of Byzantine history at Princeton once said that von Neumann had greater expertise in Byzantine history than he did" [1]
I don't know for sure why, but I think two possibilities are likely: (1) An extremely strong, natural intellectual curiosity and/or (2) Working on other things allows them to bring fresh ideas/insights to their "main" work, and in this sense is also rejuvenating.
This stuff isn't that hard to figure out, given the number of specifications and tutorials already out there. What's impressive is the fact that he thought of a reasonably sized task, and (presumably) executed it efficiently and completely without getting stuck or distracted.
I think he’s a natural teacher - someone who loves sharing what he’s learnt with others - and it pleases to me know such people exist.
Everything I learned about deep neural networks, enough to apply it in a live product, was essentially all his notes, videos and exercises. And it’s all out there for free!
Implementing things from scratch is probably the ultimate test of thorough understanding. Chapeau! On another note I am amused that Mr. Karphathys name describes exactly what he is doing in his day job.
"NIST publishes recommendations on which ones to use, but people prefer to use other curves (like secp256k1) that are less likely to have backdoors built into them"
Does this make any sense? How is a curve going to have backdoors on it? Or he means a specific implementation? Or is this a joke? I'm confused
“Working in collaboration with the NSA, NIST included three sets of recommended elliptic curves in FIPS 186-2 that were generated using the algorithms in the American National Standard (ANS) X9.62 standard and Institute of Electrical and Electronics Engineers (IEEE) P1363 standards.”: What exactly is NIST’s justification for making claims regarding the method that NSA used to generate these curves? The fact that a hash matches is publicly verifiable, but the distribution of “random” inputs is not. I have heard NSA employees claiming that the “random” inputs were actually generated as hashes of English text chosen (and later forgotten) by Jerry Solinas."
The standard given by the NIST gives a list of explicit parameters ... describing the elliptic curve behind the algorithm.
Examining the points P and Q here, it is obvious why cryptographers were suspicious of
the Dual EC ... once the scalar k is known, it is a “simple matter to determine the secret internal state s of the pseudo-random bit generator” [6], by observing as few as 32 bytes of output.
It goes on to quote one of the NSA contractors who admitted that instead of being randomly chosen, "Q is (in essence) the public key for some random private key."
"It could also be generated like a(nother) canonical G, but NSA kyboshed this idea, and I was not allowed to publicly discuss it, just in case you may think of going there."
Straying from the prescribed points was discouraged, and NIST only provided FIPS validation to clients using the original P and Q.
More recently, GPRS was also shown to have been intentionally weakened - presumably to pass export controls - although in this case I think it was the algorithm and not a "cherry picked" curve: https://eprint.iacr.org/2021/819.pdf
There's been a history of mathematical information used in cryptography produced by the NSA, for which it's later revealed, they had pre-developed an attack. Example: the s-boxes of DES.
> steal my bitcoins from my 3rd identity wallet (mgh4VjZx5MpkHRis9mDsF2ZcKLdXoP3oQ4) to your own wallet ;) If done successfully, the 3rd wallet will show “Final Balance” of 0. At the time of writing this is 0.00095000 BTC, as we intended and expected.
Guessing it's because the private key is right in the code:
>secret_key3 = int.from_bytes(b"Andrej's Super Secret 3rd Wallet", 'big') # or just random.randrange(1, bitcoin_gen.n)
(Obviously a private key intended for actual use generally wouldn't just be some ASCII bytes of an English phrase and wouldn't be posted publicly. Though, of course, there have been instances of both...)
Fees are dictated by the user and the time they have for the transaction to take place. The fee could have been much lower.
I think we are well past the point of debating if bitcoin layer one will be used for day to day transactions however. A custodial service or lighting will have to be used for that. Additionally most people treat bitcoin closer to gold than a dollar currently.
I’ve made something similar in order to learn how everything works and made it into a python library. Everything is in pure python with no dependencies, only std lib. I’ve implemented all the crypto stuff, address generation including HD, transaction serialization and even the bitcoin script. https://github.com/mcdallas/cryptotools
One little nitpick: the checksum error probability should be more like 9 nines. The checksum contains 4 bytes, not 4 bits, and so the false positive rate should be about 1 in 2^32, not 1 in 2^4.
"The raw 25 bytes of our address though contain 1 byte for a Version (the Bitcoin “main net” is b'\x00', while the Bitcoin “test net” uses b'\x6f'), then the 20 bytes from the hash digest, and finally 4 bytes for a checksum so we can throw an error with 1 - 1/2*4 = 93.75% probability in case a user messes up typing in their Bitcoin address into some textbox."
Readit News
(The subtitle of the blog is "Computer history, restoring vintage computers, IC reverse engineering, and whatever" and it is full of fascinating articles, several of which have been featured here on HN)
Cool that this article implements the cryptography primitives, though!
e: Funnily, like the article, I also stored some BTC in a wallet and challenged people to (manually) take/steal it. At the time it was worth $10 USD.. now it's worth $123 USD!
https://github.com/yjjnls/awesome-blockchain#implementation-... and https://github.com/openblockchains/awesome-blockchains#pytho... list a few more ~"blockchain from scratch" [in Python] examples.
... FWIU, Ethereum has the better Python story. There was a reference implementation of Ethereum in Python? https://ethereum.org/en/developers/docs/programming-language...
http://www.righto.com/2014/09/mining-bitcoin-with-pencil-and...
https://gizmodo.com/mining-bitcoin-with-pencil-and-paper-164...
Was on front page yesterday for a presentation on Tesla's Autopilot / Autonomous features: https://www.youtube.com/watch?v=NSDTZQdo6H8
[0] http://badmephisto.com
Cool to learn this is the same guy.
― Bill Gates
"A professor of Byzantine history at Princeton once said that von Neumann had greater expertise in Byzantine history than he did" [1]
I don't know for sure why, but I think two possibilities are likely: (1) An extremely strong, natural intellectual curiosity and/or (2) Working on other things allows them to bring fresh ideas/insights to their "main" work, and in this sense is also rejuvenating.
[1] https://en.m.wikipedia.org/wiki/John_von_Neumann
Deleted Comment
Agreed though - impressive he has that kind of sidebar time or is so capable he doesn't need that much time to figure it out.
Everything I learned about deep neural networks, enough to apply it in a live product, was essentially all his notes, videos and exercises. And it’s all out there for free!
Thanks Andrej and keep doing cool stuff!
https://keys.lol/bitcoin/22486853933768128433444208678976948...
Finding one with a balance is the hard part.
Does this make any sense? How is a curve going to have backdoors on it? Or he means a specific implementation? Or is this a joke? I'm confused
https://miracl.com/blog/backdoors-in-nist-elliptic-curves/
“Working in collaboration with the NSA, NIST included three sets of recommended elliptic curves in FIPS 186-2 that were generated using the algorithms in the American National Standard (ANS) X9.62 standard and Institute of Electrical and Electronics Engineers (IEEE) P1363 standards.”: What exactly is NIST’s justification for making claims regarding the method that NSA used to generate these curves? The fact that a hash matches is publicly verifiable, but the distribution of “random” inputs is not. I have heard NSA employees claiming that the “random” inputs were actually generated as hashes of English text chosen (and later forgotten) by Jerry Solinas."
https://csrc.nist.gov/CSRC/media/Publications/sp/800-186/dra...
It's all quite public.
Quoting from the paper:
The standard given by the NIST gives a list of explicit parameters ... describing the elliptic curve behind the algorithm.
Examining the points P and Q here, it is obvious why cryptographers were suspicious of the Dual EC ... once the scalar k is known, it is a “simple matter to determine the secret internal state s of the pseudo-random bit generator” [6], by observing as few as 32 bytes of output.
It goes on to quote one of the NSA contractors who admitted that instead of being randomly chosen, "Q is (in essence) the public key for some random private key."
"It could also be generated like a(nother) canonical G, but NSA kyboshed this idea, and I was not allowed to publicly discuss it, just in case you may think of going there."
Straying from the prescribed points was discouraged, and NIST only provided FIPS validation to clients using the original P and Q.
More recently, GPRS was also shown to have been intentionally weakened - presumably to pass export controls - although in this case I think it was the algorithm and not a "cherry picked" curve: https://eprint.iacr.org/2021/819.pdf
> Money was changing hands between the NSA and companies, to have them install this as their standard for number generation. That's deeply suspicious.
(-from the video)
That's one piece of information I didn't know, and doesn't usually get mentioned in the discussions I've seen about this.
https://en.wikipedia.org/wiki/Data_Encryption_Standard#NSA's...
https://en.wikipedia.org/wiki/Differential_cryptanalysis#His...
Can someone explain how this was executed?
>secret_key3 = int.from_bytes(b"Andrej's Super Secret 3rd Wallet", 'big') # or just random.randrange(1, bitcoin_gen.n)
(Obviously a private key intended for actual use generally wouldn't just be some ASCII bytes of an English phrase and wouldn't be posted publicly. Though, of course, there have been instances of both...)
On the test net! On the real net it would be like 20% or more in fees.
I think we are well past the point of debating if bitcoin layer one will be used for day to day transactions however. A custodial service or lighting will have to be used for that. Additionally most people treat bitcoin closer to gold than a dollar currently.
"The raw 25 bytes of our address though contain 1 byte for a Version (the Bitcoin “main net” is b'\x00', while the Bitcoin “test net” uses b'\x6f'), then the 20 bytes from the hash digest, and finally 4 bytes for a checksum so we can throw an error with 1 - 1/2*4 = 93.75% probability in case a user messes up typing in their Bitcoin address into some textbox."