Topic: Can we decide on RFC 6979 or an equivalent before we have more issues? - page 2.

newbie
Activity: 56
Merit: 0
So can I have a link for what happened exactly.

All I heard was that some keys were compromised.

Can I know more please?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
It's funny - but as soon as I learned that ECDSA (at least in terms of what is used by Bitcoin) relied upon random values I saw a weakness.

So although not happy about it I am not surprised that we have ended up with this situation (I've never liked the idea of relying upon random numbers).
sr. member
Activity: 467
Merit: 267
If not ECDSA then what (RSA)?
DSA has the same problem. I don't know what would work well. Subliminal free signatures introduce other issues or are impractical IMO. But smart people are working hard in this field...
newbie
Activity: 56
Merit: 0
It is NOT their code that is crappy.

It certainly was their code that was crappy - it lacked initialisation that led to the cracking of private keys (maybe you need to read up more on what happened).

Are you sure deterministic sigs will solve the problem though?

For sure deterministic sigs will get rid of the problems of poor random values (but of course that won't get rid of all problems).


Sorry, I was following your discussion with gmaxwell on the same subject but different thread but failed to see that.
Got a link?

When did this happen btw?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
It is NOT their code that is crappy.

It certainly was their code that was crappy - it lacked initialisation that led to the cracking of private keys (maybe you need to read up more on what happened).

Are you sure deterministic sigs will solve the problem though?

For sure deterministic sigs will get rid of the problems of poor random values (but of course that won't get rid of all problems).
newbie
Activity: 56
Merit: 0
We have seen a big problem with compromised private keys due to bad random values used by crappy .js code (and this is not the first time we have seen such things) yet the Bitcoin devs seem to not be very enthused about changing things (presumably they are very busy with other things but I am asking them to consider what is most important at the moment).

I think this needs to be elevated to priority #1 as if people can't trust their private keys due to poor RNG (and we have been made aware that the NSA seems quite determined to compromise RNGs as much as they can) then we can't really trust anything to keep BTC safe.

We need deterministic sigs and we need them ASAP - if there is an issue with RFC 6979 then please solve it via another RFC or create a BIP that achieves the same thing.

The main thing is - stop with not doing anything and let's get deterministic sigs happening so no further such issues as have happened recently with blockchain.info happen again.


It is NOT their code that is crappy.
Though I agree there is a problem.

Are you sure deterministic sigs will solve the problem though?
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
Huh ... many wallets already have this RFC implemented: nbitcoin, bitcoinj, libbitcoin, bitcoinjs.

Interesting - as the feedback I'd got from gmaxwell was that he didn't think that the RFC should be used.

IMHO, we shouldn't use ECDSA at all but I may be missing the big picture. Anyway, until then - no hardware wallets for me. I can't check that the software installed isn't doing anything harmful.

If not ECDSA then what (RSA)?
sr. member
Activity: 467
Merit: 267
Huh ... many wallets already have this RFC implemented: nbitcoin, bitcoinj, libbitcoin, bitcoinjs.
The notable exception is bitcoin core but it's just a matter of time. It's in the dev branch and the next release will have it. (https://github.com/bitcoin/bitcoin/pull/5227)

Unfortunately, you cannot check if it was used because you would need to know the private key.

IMHO, we shouldn't use ECDSA at all but I may be missing the big picture. Anyway, until then - no hardware wallets for me. I can't check that the software installed isn't doing anything harmful.
legendary
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer
We have seen a big problem with compromised private keys due to bad random values used by crappy .js code (and this is not the first time we have seen such things) yet the Bitcoin devs seem to not be very enthused about changing things (presumably they are very busy with other things but I am asking them to consider what is most important at the moment).

I think this needs to be elevated to priority #1 as if people can't trust their private keys due to poor RNG (and we have been made aware that the NSA seems quite determined to compromise RNGs as much as they can) then we can't really trust anything to keep BTC safe.

We need deterministic sigs and we need them ASAP - if there is an issue with RFC 6979 then please solve it via another RFC or create a BIP that achieves the same thing.

The main thing is - stop with not doing anything and let's get deterministic sigs happening so no further such issues as have happened recently with blockchain.info happen again.