Hey guys, sorry again for my lack of communication recently, this family get-together has lasted a lot longer than I thought!
Anyway I'm not sure if you've heard
but a side-channel attack for ECDSA has been published, to be specific the ECDSA variant used in Bitcoin/Litecoin/TiPS/etccoin.
It allows an attacker to recover the private key for a given address/publickey, but only under certain circumstances. (in non-techie terms, it allows someone to make a wallet key mold from your wallet lock and unlock your wallet with it)
I tried looking around to see if any other coin devs talked about this yet but I haven't found anything (it's hard to search on a phone though, if you've heard anything a link would be appreciated!)
Maybe it's just not a priority to them, seeing as the attack depends on the factors below (might be incorrect, based on what I could understand from the paper and what others have said):
- Attacker knows target address/publickey
- Attacker can execute code on the same machine as the target (e.g. attacker owns a VPS on the same machine as the target's VPS)
- Target has signed 200+ transactions/inputs from the target address
If all of these conditions are met then recovering the target's private key is only a matter of time, and while the probability of all of these being met is pretty slim it still leaves a possibility.
Maybe other coin developers have already marked it down as WONTFIX, but I won't stand by and allow the coin I develop to contain any public exploits.
A mitigation technique (aka: semi-fix) is already described in the paper, although it sounds like it might take some work to implement. I'll start looking into it as soon as I get back but that might not be until March 9th or so.
PS. sorry if this post reads a bit weird, had to rewrite it because my phone randomly skipped back a page and I lost the post before I could send it -.-
I will try to see what I can find for you, I just read the Abstract, Introduction and Mitigation portions of the paper. I will see if I can find anyone else talking about these type of attacks, I think it would certainly be wise to mitigate things like this before they even become an issue.
It sounds as if limiting the number of times a private key can be used for signing transactions would be the optimal solution. I don't quite fully understand yet the second mitigation tactic, however it seems it is not as binary a solution and just provides a reduction in the effectiveness of the attack.
Thank you for sharing this information, it is comforting to see the coin's developer on the ball.
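Both posts above describe the same defensive idea: the attack needs a key that has already produced a large number of signatures (the first post cites 200+), so a wallet can limit how many times any one key signs and rotate to a fresh key before that point. The script below is an added example illustrating that policy; it is not code from the coin or from the paper. It assumes a constructed list of signed inputs (one ECDSA signature per input), an assumed warning threshold of 200 taken from the post, and an assumed per-key budget of 100; the signing callback is a stand-in for whatever the wallet actually uses to sign.

```python
"""Per-key signing budget: count how many signatures each key has produced,
flag keys that are already over-exposed, and refuse to sign with a key once
it reaches its budget.  Added example with assumed values; not the coin's code."""
from collections import Counter, defaultdict

# Assumed: the signature count the post cites as what the attack requires.
SIGNATURE_WARN_THRESHOLD = 200
# Assumed: rotate well before the attack's input requirement is reached.
DEFAULT_KEY_BUDGET = 100

# Constructed sample history: (txid, input_index, signing_address).
# Each signed input corresponds to one ECDSA signature by that address's key.
SAMPLE_SIGNED_INPUTS = (
    [("tx%04d" % i, 0, "addrA") for i in range(250)]   # far past the threshold
    + [("tx%04d" % i, 1, "addrB") for i in range(40)]  # moderately used
    + [("tx9999", 0, "addrC")]                          # used once
)


def signatures_per_address(signed_inputs):
    """Map each signing address to the number of inputs (signatures) it has produced."""
    return Counter(addr for _txid, _idx, addr in signed_inputs)


def overexposed_addresses(signed_inputs, threshold=SIGNATURE_WARN_THRESHOLD):
    """Addresses whose keys have signed at least `threshold` inputs.

    These are the keys a wallet owner should retire: sweep the funds to a fresh
    address and never sign with the old key again."""
    counts = signatures_per_address(signed_inputs)
    return sorted(addr for addr, n in counts.items() if n >= threshold)


class SigningBudget:
    """Wallet-side policy enforcing a maximum number of signatures per key."""

    def __init__(self, limit=DEFAULT_KEY_BUDGET):
        self.limit = limit
        self.used = defaultdict(int)

    def seed(self, signed_inputs):
        """Load historical usage so the budget accounts for signatures already made."""
        for _txid, _idx, addr in signed_inputs:
            self.used[addr] += 1

    def can_sign(self, addr):
        """True while the key behind `addr` is still under its budget."""
        return self.used[addr] < self.limit

    def choose_key(self, candidates):
        """Pick the least-used candidate that is still under budget, or None if all
        candidates are exhausted (the caller must then derive a fresh key)."""
        under_budget = [a for a in candidates if self.can_sign(a)]
        if not under_budget:
            return None
        return min(under_budget, key=lambda a: (self.used[a], a))

    def sign(self, addr, sign_fn):
        """Sign via `sign_fn(addr)` only if the budget allows; record the use."""
        if not self.can_sign(addr):
            raise PermissionError(
                "key for %s has reached its signing budget (%d); rotate keys"
                % (addr, self.limit)
            )
        self.used[addr] += 1
        return sign_fn(addr)


def demo():
    """Audit the constructed history, then show the budget refusing an exhausted key."""
    flagged = overexposed_addresses(SAMPLE_SIGNED_INPUTS)
    budget = SigningBudget()
    budget.seed(SAMPLE_SIGNED_INPUTS)
    chosen = budget.choose_key(["addrA", "addrB", "addrC"])
    try:
        budget.sign("addrA", lambda a: "sig-by-" + a)
        refused = False
    except PermissionError:
        refused = True
    return {"flagged": flagged, "chosen": chosen, "refused_addrA": refused}


if __name__ == "__main__":
    print(demo())
```

The audit (`overexposed_addresses`) is the part to run first against an existing wallet: any address it reports has already handed an on-machine observer more signatures than the attack needs, so the only remedy is to move the funds to a new key. The `SigningBudget` class is the forward-looking half; `choose_key` spreads new signatures across keys with the most remaining budget so that no single key drifts toward the threshold.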