I don't believe it... I could never think of any sci-fi-ass machine capable of cracking SHA256. Of course with Snowden's verification, how could it be false? I'm horrified. Are our savings subject to overnight destruction?

2014 edit - No, they aren't. Go home.

can anyone think of a lower risk way to test...?

No, there is no backdoor.


See: http://en.wikipedia.org/wiki/Nothing_up_my_sleeve_number

SHA-2 is an open algorithm and it uses as its constants the sequential prime cube roots as a form of "nothing up my sleeve numbers".  For someone to find a weakness or backdoor in SHA would be the equivalent of the nobel prize in cryptography.   Everyone who is anyone in the cryptography community has looked at SHA-2.  Not just everyone with a higher degree in mathematics, computer science, or cryptography in the last 20 years but foreign intelligence agencies and major financial institutions.    Nobody has found a flaw, not even an theoretical one (a faster than brute force solution which requires so much energy/time as to be have no real world value).

To believe the the NSA has broken SHA-2 would be to believe that the NSA found something the entire rest of the world combined hasn't found for twenty years.  Also NIST still considers SHA-2 secure and prohibits the use of any other hashing algorithm (to include SHA-3 so far) in classified networks.  So that would mean the NSA is keeping a flaw/exploit from NIST compromising US national security. 

Anything is possible but occam's razor and all that.

I believe bitcoin is vulnerable to a well-funded 51% attack, for no other reason than the awareness that the productivity of ASICs scales more exponentially than linearly as funding increases.

I believe bitcoin would quickly recover from a successful 51% attack as "proof of stake tiebreaker" is introduced as a remedy.  For example, a remedy that would bring instant results might be a new rule that allows known entities as well as past miners (via their coinbase keys) to publish endorsement signatures on blocks they see/create.  These blocks are given a much greater weight than ones without such a signature.  Entities doing a good job of endorsing blocks would have their signatures weighted more, and any entities creating disruptive signatures (or at least their public keys) would quickly be banished by the community.  The disruption would be days, and at the most, weeks.  After the disrtuption, Bitcoin will be permanently stronger.

As an end unto itself, engaging in a 51% attack would be so futile as to not be worth it.  As always, a 51% attack constitutes nothing more than the ability to prevent transactions from confirming as well as reversing them... not stealing or creating bitcoins (other than via mining).

But being able to cause the days/weeks disruption at a time of one's choosing may be a very valuable tool for a state's (or banking industry) arsenal.  There's value in temporarily disrupting the network to somebody, and that value is in the eye of the beholder.

To that end, that's where I'd think of what the NSA (or any other state actor) may have put effort.

The question is, does someone, somewhere, have a lot of dormant mining power sitting there just in case?  I say it's safe to assume yes, and it's just a matter of when will it be worth it for them to use that to cause a temporary disruption to Bitcoin.  If you have only got one chance to rock the world of Bitcoin, it's reaosnable to assume you're going to want to time it for maximum value.

Even if so, I don't think anyone's bitcoins sitting in safe wallets (consisting of properly-generated properly-stored offline addresses that have never been used for sending payments) are at risk... only thing at risk is the temporary loss in confidence and in turn the USD/BTC value if/when such an entity decides to pull off such an attack.

Random numbers are only used for key generation, and the DEC algorithm is not used for that in most clients.

Quantum crypto, although "perfect", relies on hardware rather than software. Consequently, it's impractical to use it in Bitcoin.

Simple answer is no it isn't used by Bitcoin at all.  However it does provide a very good counter example of how difficulty it is to hide backdoors in public algorithms.  The algorithm noted is rather rare, I don't know of a single widespread usage of it and even still a cryptographer found and reported a vulnerability less than a year later.  SHA-2 has been around 20 years and is conservatively millions times more widespread and subject to much more peer review and cryptoanalysis and nobody has found even a theoretical flaw yet.

Post-quantum crypto, not quantum crypto