Topic: Bad signatures leading to 55.82152538 BTC theft (so far) - page 7. (Read 65167 times)

hero member
Activity: 524
Merit: 500
The thesis that reusing an address is not "using Bitcoin correctly", is kind of weird, to say the least.
I'll just repost relevant part of my post from another forum

Even proper reuse of an ECDSA private key makes it less secure. Satoshi did very good work protecting Bitcoin from possible future advances in cryptography - new addresses are created whenever it is appropriate, and before the first (and, ideally, the last) use the public key is secret; only a hash of it (the address) is exposed to the public. But Satoshi did not forbid intentional address reuse, thus making key reuse possible.

CURVE: the elliptic curve field and equation used
G: elliptic curve base point, a generator of the elliptic curve with large prime order n
n: integer order of G, meaning that n * G = O

1. Calculate e = HASH(m), where HASH is a cryptographic hash function, such as SHA-1.
2. Let z be the L_n leftmost bits of e, where L_n is the bit length of the group order n.
3. Select a random integer k from [1, n-1]. - This is what counts
4. Calculate the curve point (x_1, y_1) = k * G.
5. Calculate r = x_1 mod n. If r = 0, go back to step 3.
6. Calculate s = k^-1 (z + r d_A) mod n. If s = 0, go back to step 3.
7. The signature is the pair (r, s).
And every (r, s) pair derived from the same dA and exposed to the public means more food for hyperlinearization and SAT-solvers. (Some day those two beasts will meet together and produce fertile offspring Smiley)
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).

Hmm... so none of the clients mentioned re-use an address for change (as this is not something the end-user generally has any control over)?
legendary
Activity: 2053
Merit: 1356
aka tonikt
If one has a screwed up RNG, not reusing addresses does not make him any safer, if the same generator is used to make new private keys.
hero member
Activity: 524
Merit: 500
How long would it take for pool owners to start scanning mempool transactions and replace vulnerable ones?
You mean they should crack the private key for the address and then re-do the signature?  That seems only semi-legal.
Accidentally disclosing private key by using flawed software is the same as accidentally publishing private key on this forum. The key holder effectively waives his right to bitcoins by disclosing the key.
jr. member
Activity: 34
Merit: 1
It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).
That can't possibly be your proposed solution to this problem - "Just never use a bitcoin address more than once"?
While it makes sense for privacy reasons, it shouldn't need to be done just so you don't get your coins stolen.

If for example I give someone a bitcoin address so he can make recurring payments of some sort to me, I need to reuse that address. Everything else would just be a major pain in the ass.

You can get every transaction which has been sent by that address and ensure none of its spent outputs have the same signature in the script. But the main problem is random number generation.

Even if you want to make recurring payments, you should still generate an address each time. Otherwise you seriously risk linking your address to your identity. It isn't a pain in the ass, it's the best practice for anonymity, regardless of this current bad signature issue.
legendary
Activity: 2053
Merit: 1356
aka tonikt
Yeah. The thesis that reusing an address is not "using Bitcoin correctly", is kind of weird, to say the least. Especially said as a solution for a guy who plays SatoshiDice... Smiley
sr. member
Activity: 392
Merit: 250
This seems like a serious problem!

Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?
It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).
That can't possibly be your proposed solution to this problem - "Just never use a bitcoin address more than once"?
While it makes sense for privacy reasons, it shouldn't need to be done just so you don't get your coins stolen.

If for example I give someone a bitcoin address so he can make recurring payments of some sort to me, I need to reuse that address. Everything else would just be a major pain in the ass.
jr. member
Activity: 34
Merit: 1
I saw this write up a while ago, seems like there are some web wallets which use poor random number generation for every transaction, or as in this case a hardware wallet.

http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
legendary
Activity: 2053
Merit: 1356
aka tonikt
the reuse of the same k value allows anyone to be able to recover the private key.

It appears that this is what may be happening.

It appears that the bug occurs in both the blockchain.info android wallet and the Andreas Schildbach Android Wallet so I suspect a bug in a crypto library or an implementation detail shared by both applications.
Ouch...

Thanks for the info - I spent the whole morning triple checking if my wallet would not make a similar mistake, by chance.
Seems that I'm fine, but you got me scared, sir Smiley
legendary
Activity: 1008
Merit: 1000
This seems like a serious problem!
Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?
No, no easy way to do that.  Plus the software to actually help you do that would be more complicated than the software required to make super-sure that this can't happen.  (e.g. select the nonce as sha256(message||privkey||random value) — though if your RNG is bad you also need to worry about weak keys))


Thanks!
staff
Activity: 4284
Merit: 8808
This seems like a serious problem!
Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?
No, no easy way to do that.  Plus the software to actually help you do that would be more complicated than the software required to make super-sure that this can't happen.  (e.g. select the nonce as sha256(message||privkey||random value) — though if your RNG is bad you also need to worry about weak keys))
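Added example, not code from any poster or wallet in this thread: a pure-Python walk through the signing steps quoted earlier on this page (secp256k1, the curve Bitcoin uses), plus the two things the question and answer above are about. `find_reused_r` is the "check before broadcasting" the question asks for, reduced to its essence: two signatures under the same public key with the same r means the same k was used. `derived_nonce` is the sha256(message||privkey||random value) construction suggested in the answer, written out literally; it is an assumption for illustration and is not RFC 6979 or any wallet's real nonce code. The private key, the stuck nonce value and the message bytes are constructed for the demo.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity O."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def scalar_mult(k, point):
    """Double-and-add computation of k * point."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result

def message_hash(msg):
    """z = the L_n leftmost bits of HASH(m); with SHA-256, L_n = 256, so the whole digest."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")

def sign(d, z, k):
    """Steps 3-7 of the quoted algorithm, with the nonce k passed in explicitly."""
    if not 1 <= k < N:
        raise ValueError("k must be in [1, n-1]")
    x1, _ = scalar_mult(k, G)            # (x_1, y_1) = k * G
    r = x1 % N
    s = pow(k, -1, N) * (z + r * d) % N  # s = k^-1 (z + r d_A) mod n
    if r == 0 or s == 0:
        raise ValueError("degenerate signature, choose another k")
    return r, s

def verify(pub, z, sig):
    """Standard ECDSA verification; a reused-k signature is still valid, just unsafe."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    x = point_add(scalar_mult(z * w % N, G), scalar_mult(r * w % N, pub))
    return x is not None and x[0] % N == r

def derived_nonce(d, z, extra=b""):
    """k = sha256(privkey || message hash || optional random bytes) mod n.
    Follows the thread's suggestion; not RFC 6979 (assumption for illustration)."""
    data = d.to_bytes(32, "big") + z.to_bytes(32, "big") + extra
    k = int.from_bytes(hashlib.sha256(data).digest(), "big") % N
    if k == 0:
        raise ValueError("zero nonce; supply different extra bytes")
    return k

def find_reused_r(signatures):
    """Return (label_a, label_b) pairs whose signatures share public key and r.
    Same key and same r means the same k was used, the condition the thread describes."""
    first_seen, hits = {}, []
    for label, pub, (r, _s) in signatures:
        key = (pub, r)
        if key in first_seen:
            hits.append((first_seen[key], label))
        else:
            first_seen[key] = label
    return hits

def demo():
    # Constructed private key for the demo only; not a real wallet key.
    d = 0x1A2B3C4D5E6F708192A3B4C5D6E7F8091A2B3C4D5E6F708192A3B4C5D6E7F809
    pub = scalar_mult(d, G)
    z1, z2 = message_hash(b"constructed spend #1"), message_hash(b"constructed spend #2")
    # A faulty RNG hands out the same k for two different messages.
    stuck_k = 0x1D2F3A4B5C6D7E8F  # constructed constant nonce
    bad = [("tx1", pub, sign(d, z1, stuck_k)), ("tx2", pub, sign(d, z2, stuck_k))]
    # Nonce derived from key and message: distinct messages give distinct r.
    good = [("tx1", pub, sign(d, z1, derived_nonce(d, z1))),
            ("tx2", pub, sign(d, z2, derived_nonce(d, z2)))]
    return {
        "bad_reuse": find_reused_r(bad),     # [("tx1", "tx2")]: same pubkey, same r
        "good_reuse": find_reused_r(good),   # []
        "all_verify": all(verify(pub, z, s[2]) for z, s in zip((z1, z2, z1, z2), bad + good)),
    }

if __name__ == "__main__":
    print(demo())
```

Note that `all_verify` is true for both sets: the network accepts the stuck-nonce signatures just as readily as the good ones, which is why a wallet-side check like `find_reused_r` (or, better, a nonce that cannot repeat by construction) is the only place this gets caught before broadcast.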
legendary
Activity: 2576
Merit: 1186
This seems like a serious problem!

Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?
It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).
legendary
Activity: 1008
Merit: 1000
This seems like a serious problem!

Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?
staff
Activity: 4284
Merit: 8808
Of course, if these applications didn't constantly reuse addresses the exposure here— whatever the root cause ultimately turns out to be— would be a lot smaller.
legendary
Activity: 1232
Merit: 1094
How long would it take for pool owners to start scanning mempool transactions and replace vulnerable ones?

You mean they should crack the private key for the address and then re-do the signature?  That seems only semi-legal.

It may not even fix the problem, all nodes receive all transactions directly.  It would make it slightly harder, the node would have to be always online, rather than only having to scan the block chain every hour or so.
hero member
Activity: 524
Merit: 500
It has been noticed that the coins are all transferred in a few hours after a client improperly signs a transaction by reusing the same random number.  As discussed here http://en.wikipedia.org/wiki/Elliptic_Curve_DSA the reuse of the same k value allows anyone to be able to recover the private key.
How long would it take for pool owners to start scanning mempool transactions and replace vulnerable ones?
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
I have only seen this discussed in the newbies section so I thought I would open a thread here for a more technical discussion of this issue.

Several people have reported their BTC stolen and sent to https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

As you can see the address currently contains 55.82152538 stolen coins.

It has been noticed that the coins are all transferred in a few hours after a client improperly signs a transaction by reusing the same random number.  As discussed here:

http://en.wikipedia.org/wiki/Elliptic_Curve_DSA

the reuse of the same k value allows anyone to be able to recover the private key.

It appears that this is what may be happening.

It appears that the bug occurs in both the blockchain.info android wallet and the Andreas Schildbach Android Wallet so I suspect a bug in a crypto library or an implementation detail shared by both applications.

This has been discussed in this thread https://bitcointalksearch.org/topic/have-i-been-hacked-how-251743 with the more technical posts being these two:

https://bitcointalksearch.org/topic/m.2890179
https://bitcointalksearch.org/topic/m.2890736

Check out the two transactions posted here (which did lead to a theft of 0.9184236 BTC in this transaction https://blockchain.info/tx/211c135e58dc55bcce4c71dc02eae2dffc5a55387c29e8144bf1cd1e8878e52e)

@Xeno-Genesis

For you the bad transactions were
https://blockchain.info/tx/b6350f4339a59faf09bfc2a4086c2261598f46f257517ce53785145c964799bc
https://blockchain.info/tx/38fbb8a3ff718dd7c8006feb6aa9ed6add1772522781b0db95abb350a859220b

which use the same R-value in the signature.  It is strange that the same random number was generated in two transactions that are four days apart.  This doesn't fit the usual pattern. Which bitcoin client do you use?

The stealing transaction occurred less than five hours after the transaction that reused the R-value.
