Topic: Can a signature be reused in a new transaction to steal coins? (Read 969 times)

legendary
Activity: 3472
Merit: 4801
Wasn't there an issue before with re-used K values?

Yes.  There have been a few poor implementations of wallets and a few faulty operating systems that have resulted in re-use of the unique and unknown value that I was talking about.

That value is typically called a "k" value, but I figured that the OP wouldn't be asking if he knew what a K value was.
legendary
Activity: 1862
Merit: 1011
Reverse engineer from time to time
shorena and knightdk have provided reasonably good answers.

Under normal circumstances with a properly operating wallet, a signature of one or more transactions will not provide enough information for an attacker to create valid signatures for other transactions that use inputs that were sent to the same address.

However, when generating a signature, the signing software needs to generate a unique and unknown (to anyone else) number that will be used for that signature.  It is VERY important that that number not be re-used for any other signatures for the same address.

If the software that's generating your transactions re-uses the same number in more than one signature, then an attacker would be able to use the two signatures that were both generated with the same value to calculate your private key.

Generally it would be safest to just use a new address for every transaction that you receive. Then you won't have to worry about this.  If you choose not to use a new address for every transaction that you receive, then make sure you are using well reviewed and well written open source software on an operating system that you can trust.
Wasn't there an issue before with re-used K values?
legendary
Activity: 3472
Merit: 4801
shorena and knightdk have provided reasonably good answers.

Under normal circumstances with a properly operating wallet, a signature of one or more transactions will not provide enough information for an attacker to create valid signatures for other transactions that use inputs that were sent to the same address.

However, when generating a signature, the signing software needs to generate a unique and unknown (to anyone else) number that will be used for that signature.  It is VERY important that that number not be re-used for any other signatures for the same address.

If the software that's generating your transactions re-uses the same number in more than one signature, then an attacker would be able to use the two signatures that were both generated with the same value to calculate your private key.

Generally it would be safest to just use a new address for every transaction that you receive. Then you won't have to worry about this.  If you choose not to use a new address for every transaction that you receive, then make sure you are using well reviewed and well written open source software on an operating system that you can trust.
copper member
Activity: 1498
Merit: 1528
No I don't escrow anymore.
Blockchain explorers contain a lot of signatures in spent-coin transactions, in the scriptSig part of the transaction. Can an attacker reuse such a signature in a new transaction to steal coins received at this address?

No, the signature is only valid for the given inputs and the given outputs of a transaction. Once the transaction is confirmed the inputs are no longer valid so they can not be used again. The signature however is not valid for different inputs. So an attacker could only create a replay attack (send the exact same transaction again) which would get them banned by their peers over time as they keep broadcasting invalid transactions.
staff
Activity: 3458
Merit: 6793
Just writing some code
Blockchain explorers contain a lot of signatures in spent-coin transactions, in the scriptSig part of the transaction. Can an attacker reuse such a signature in a new transaction to steal coins received at this address?
No. The signatures in a transaction apply only to that transaction due to hashes. The hash can only represent one specific set of data, that one specific transaction. If the data is different, then that hash will not match and thus the signature is invalid for that data. Unless the attacker is able to find a hash collision which also happens to be a proper transaction, then signatures cannot be reused. IIRC the current hash used is SHA256 which has no known attacks against it.
newbie
Activity: 38
Merit: 0
Blockchain explorers contain a lot of signatures in spent-coin transactions, in the scriptSig part of the transaction. Can an attacker reuse such a signature in a new transaction to steal coins received at this address?