The Bitcoin "Lab Leak" Theory

In the late '80s and early '90s electronic cash was a hot topic among cryptographers. People such as David Chaum published extensively in journals such as Springer's Advances in Cryptology. Staff at the US National Security Agency (NSA) were naturally interested in developments in cryptography, so on 18^th June 1996 the NSA's Laurie Law, Susan Sabett and Jerry Solinas reviewed the academic literature on electronic cash and published HOW TO MAKE A MINT: THE CRYPTOGRAPHY OF ANONYMOUS ELECTRONIC CASH :

This report has surveyed the academic literature for cryptographic techniques for implementing secure electronic cash systems. Several innovative payment schemes providing user anonymity and payment untraceability have been found. Although no particular payment system has been thoroughly analyzed, the cryptography itself appears to be sound and to deliver the promised anonymity.

These schemes are far less satisfactory, however, from a law enforcement point of view. In particular, the dangers of money laundering and counterfeiting are potentially far more serious than with paper cash. These problems exist in any electronic payment system, but they are made much worse by the presence of anonymity.

Alas, this understandable effort by NSA staff has become the keystone in a bizarre theory that Satoshi Nakamoto is an alias for the NSA, who developed Bitcoin in secrecy as a "monetary bioweapon" a decade before it somehow leaked and infected the world.

I must apologize that, below the fold, I devote an entire post to this conspiracy theory.

On 14^th September Daniel Roberts tweeted:

The NSA invented Bitcoin?

1996 paper titled: HOW TO MAKE A MINT: THE CRYPTOGRAPHY OF ANONYMOUS ELECTRONIC CASH*

Sources include "Tatsuaki Okamoto" 😳

Who else would be able to sit anonymously on 1 million coins.

Oh, and they invented SHA-256...?

and linked to the Law et al paper. A week later prominent Bitcoin-bro Nic Carter responded:

I actually do believe this. I call it the bitcoin lab leak hypothesis. I think it was a shuttered internal R&D project which one researcher thought was too good to lay fallow on the shelf and chose to secretly release

The next day Martin Young at Cointelegraph posted Nic Carter doubles down on theory Bitcoin was invented by NSA:

Bitcoin advocate Nic Carter has come out to reiterate his support for the theory that the United States National Security Agency (NSA) had something to do with the creation of Bitcoin
...
The paper is one of the first known discussions of a Bitcoin-like system, which proposes using public-key cryptography to allow users to make anonymous payments without revealing their identity.
...
Carter has actually held the theory for several years, proposing back in 2020: “If Bitcoin was written by NSA cryptographers as a monetary bioweapon, if you will, and the code escaped those sensitive confines... does that make it a virus... that escaped from a lab?”

Note how Young asserts that a paper that surveyed the academic literature was somehow one of the first known discussions of a Bitcoin-like system. Law et al don't claim originality for anything, they merely report the state of the art among academic cryptographers, who had been publishing papers on electronic cash for a decade. The paper is merely evidence that the NSA was tracking academic work in applications of cryptography; it would be a scandal if they weren't.

There are a number of other problems with the theory that in the mid-90s NSA developed Bitcoin based on this paper, kept it secret for over a decade, and then some rogue employee published it in the depths of the global financial crisis:

1. The techniques academic researchers were publishing in the early 90s had some features that Bitcoin adopted, primarily public-key cryptography, but were not decentralized. As Law et al wrote:
   

   We will assume throughout the remainder of this paper that some authentication infrastructure is in place, providing the four security features.

   Nakamoto assembled the well-known techniques of public-key cryptography, blockchain and proof-of-work, and added the innovation of the longest-chain consensus rule to build a decentralized system that Law et al never even saw as a goal.
2. Law et al were very aware of the threat pseudonymous electronic cash posed to government functions such as taxation and law enforcement For example:
   

   The untraceability property of electronic cash creates problems in detecting money laundering and tax evasion because there is no way to link the payer and payee. To counter this problem, it is possible to design a system that has an option to restore traceability using an escrow mechanism. If certain conditions are met (such as a court order), a deposit or withdrawal record can be turned over to a commonly trusted entity who holds a key that can decrypt information connecting the deposit to a withdrawal or vice versa. This will identify the payer or payee in a particular transaction.

   Law et al did not have trustlessness as a goal; most of the systems they discuss involve trusted entities.
3. Thus the idea that the NSA would develop a decentralized, trustless cryptocurrency as a "monetary bioweapon" that would impair their own government's functions and which they would be unable to control is implausible.
4. Further, if the legendary skills of the NSA were to develop a "monetary bioweapon" it would presumably be a good one, but Bitcoin isn't. It took about 6 years to achieve significant usage, then another 7 years to blow a $3T bubble of notional value. Even before it burst, that wasn't enough to have a major effect on the real or monetary economies.
5. Roberts' flagging of "Tatsuaki Okamoto" seems typical conspiracy theorizing - the NSA paper cites three of Okamoto's papers from '91, '94 and '95 in crypto conferences. It appears that Okamoto was among many cryptographers publishing on electronic cash at that time who moved to other topics because the then state of the art turned out to be a blind alley.

Law et al's paper is evidence that the NSA was tracking developments in academic research on electronic cash in the mid-90s. It provides no evidence that the NSA was interested in, or had developed, a decentralized, trustless cryptocurrency. Although Nakamoto was skilled in applying cryptography, he did not need NSA-level skills in creating cryptosystems. It is of course possible that Nakamoto was one or more presumably rogue NSA staffers, but this is an additional hypothesis that adds nothing, so should be rejected by Occam's Razor.