Adding to what @rocks said…
If ECDSA signatures are produced correctly, re-using an address for multiple outgoing transactions does not pose a security problem. When the first ECDSA signature associated with a particular bitcoin address becomes public, the address's public key becomes known. This reduces the security with which the remaining bitcoins are protected from 160 bits to 128 bits. Cracking 128-bit security is still far beyond our present capabilities. Also note that producing a bitcoin-signed message from that address (e.g., to publically prove control of funds) would have the same effect of reducing the security from 160 bits to 128 bits.
Producing additional ECDSA signatures (additional outbound TXs) from that address has no meaningful effect on security either, provided the k-values used in signature generation remain unknown. As an example, the address 12WRnQR85ZUT7dhmaHBNL5dde2QLYieW6v presently holds $24,000,000 of bitcoins and has made multiple outgoing transactions. For each outgoing transaction from this address, we can inspect the signatures and determine the R values. This doesn't help us "hack" the address to any meaningful extent except in the case where the signatures were produced incorrectly (for example, by using a low-entropy k-value).
The point I want to make is that this is not some "discovery" of some flaw in ECDSA. The thefts due to re-used or low-entropy R/k values are a result of buggy software.
The solution is for the community to demand that bitcoin hardware and software wallets use deterministic signatures, for example following RFC6979. When RFC6979 is used, the k-value used for producing the ECDSA signature is derived deterministically from the message and the private key. This has the benefit of
(1) eliminating the need for a RNG when producing signatures (and thus the risk of using a flawed RNG)
(2) making software/hardware audits much simpler (just load test private keys and make sure the signatures match what's expected [it's very difficult to audit a RNG, on the other hand])
Adding deterministic signatures is not a significant software project either. Basically, rather than calling a random number generator when selecting k:
k = random256bits()
we pass the private key and the message to an RFC6979 library function instead:
k = rfc6979(privkey, message)
This rest of the code remains unchanged.
Topic: Gold collapsing. Bitcoin UP. - page 611. (Read 2032266 times)
listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.
However, AFAIK you're right. As soon as the hacker gets the R value of 2 signatures from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.
Sorry for being stupid. Thank you, rocks for pointing that out. Only with the same R value of 2 different signatures from the same address (and thus public/private key) the hacker would be able to calculate the private key. As the R value is a part of the signature, that would be a big problem, otherwise.
However, I remember reading something about similiar or related R values from which the private key can be calculated, too (by using a system of linear equations). Probably that is the thing, that confused me.
yeah, i was trying to follow that from johoe's discussion. apparently he was able to construct a RNG "prediction" table but i'm not sure exactly how he did it. i'm thinking that it must be specific to the blockchain.info lack of initialization bug in their software. once he figured out what the problem was, that being only 256 possible random #'s to choose from, and after he noticed a pattern of R values, he was then able to predict the overall sequence of RNG thereafter. did i get that right?
However, I remember reading something about similiar or related R values from which the private key can be calculated, too (by using a system of linear equations). Probably that is the thing, that confused me.
Hi flipperfish, if you find a link describing a related R value attack please post it, am also curious to understand that better. That said it sounds to be somewhat analogous to related key attacks against AES, related key or related R values are a worthwhile area of study in order to understand the algorithms better, but they are not real attacks. True cryptographically random R values are not related by definition.
Bitcoin is going to shine like a diamond in the midst of the smoldering wreckage of this god-forsaken SNAFU
I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.
I don't think Rich people want gold, I think it's a part of their overall portfolio, they own paper gold. Rich people believe in the markets, real estate, and the USD because it's served them so well. They want diversity. In some cases they want to hide their money, but gold isn't a good way to do that. We all know the advantages of Bitcoin over gold and in 10 years I believe most rich people will have BTC as a part of their overall portfolio.
Or alternatively, in 10 years people with bitcoin in their portfolio will be rich.
hehe... and then they will diversify.
listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.
However, AFAIK you're right. As soon as the hacker gets the R value of 2 signatures from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.
Sorry for being stupid. Thank you, rocks for pointing that out. Only with the same R value of 2 different signatures from the same address (and thus public/private key) the hacker would be able to calculate the private key. As the R value is a part of the signature, that would be a big problem, otherwise.
However, I remember reading something about similiar or related R values from which the private key can be calculated, too (by using a system of linear equations). Probably that is the thing, that confused me.
listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.
However, AFAIK you're right. As soon as the hacker gets the R value of 2 signatures from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.
Address reuse is fine, not advised but fine regardless. The issue is if you use the exact same R value for 2 different signatures with the same private key. This an attribute of the DSA algorthim itself, and is not specific to ECDSA or any other DSA variant. As long as you use a truly random R value, then the odds of repeating an R value is less than someone randomly creating a private key that signs a specific address. The problem above is blockchain.info and other wallet software has at times not created random R values or used k values that are guessable, which is contrary to the DSA specification. Software that creates a truly random R value should never repeat an R value given the large numbers involved.
This is a great description of DSA and ECDSA if you are interested. It provides all the math required to understand Elliptical Curves and DSA , but in a descriptive manner for non-mathmatitions.
http://kakaroto.homelinux.net/2012/01/how-the-ecdsa-algorithm-works/
Towards the end it describes the R-reuse issue in the context of a hack on Sony where Sony used the same R value for everything, in gross violation of DSA's spec.
Quote from: article
Now I’ll discuss on how and why the ECDSA signatures that Sony used in the PS3 were faulty and how it allowed us to gain access to their private key.
So you remember the equations needed to generate a signature.. R = k*G and S= k^-1(z + dA*R) mod p.. well this equation’s strength is in the fact that you have one equation with two unknowns (k and dA) so there is no way to determine either one of those. However, the security of the algorithm is based on its implementation and it’s important to make sure that ‘k‘ is randomly generated and that there is no way that someone can guess, calculate, or use a timing attack or any other type of attack in order to find the random value ‘k‘. But Sony made a huge mistake in their implementation, they used the same value for ‘k‘ everywhere, which means that if you have two signatures, both with the same k, then they will both have the same R value, and it means that you can calculate k using two S signatures of two files with hashes z and z’ and signatures S and S’ respectively :
S – S’ = k^-1 (z + dA*R) – k^-1 (z’ + da*R) = k^-1 (z + da*R – z’ -dA*R) = k^-1 (z – z’)
So : k = (z – z’) / (S – S’)
Once you know k, then the equation for S because one equation with one unknown and is then easily resolved for dA :
dA = (S*k – z) / R
Once you know the private key dA, you can now sign your files and the PS3 will recognize it as an authentic file signed by Sony. This is why it’s important to make sure that the random number used for generating the signature is actually “cryptographically random”. This is also the reason why it is impossible to have a custom firmware above 3.56, simply because since the 3.56 version, Sony have fixed their ECDSA algorithm implementation and used new keys for which it is impossible to find the private key.. if there was a way to find that key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security, and it is impossible to crack.
So you remember the equations needed to generate a signature.. R = k*G and S= k^-1(z + dA*R) mod p.. well this equation’s strength is in the fact that you have one equation with two unknowns (k and dA) so there is no way to determine either one of those. However, the security of the algorithm is based on its implementation and it’s important to make sure that ‘k‘ is randomly generated and that there is no way that someone can guess, calculate, or use a timing attack or any other type of attack in order to find the random value ‘k‘. But Sony made a huge mistake in their implementation, they used the same value for ‘k‘ everywhere, which means that if you have two signatures, both with the same k, then they will both have the same R value, and it means that you can calculate k using two S signatures of two files with hashes z and z’ and signatures S and S’ respectively :
S – S’ = k^-1 (z + dA*R) – k^-1 (z’ + da*R) = k^-1 (z + da*R – z’ -dA*R) = k^-1 (z – z’)
So : k = (z – z’) / (S – S’)
Once you know k, then the equation for S because one equation with one unknown and is then easily resolved for dA :
dA = (S*k – z) / R
Once you know the private key dA, you can now sign your files and the PS3 will recognize it as an authentic file signed by Sony. This is why it’s important to make sure that the random number used for generating the signature is actually “cryptographically random”. This is also the reason why it is impossible to have a custom firmware above 3.56, simply because since the 3.56 version, Sony have fixed their ECDSA algorithm implementation and used new keys for which it is impossible to find the private key.. if there was a way to find that key, then the security of every computer, website, system may be compromised since a lot of systems are relying on ECDSA for their security, and it is impossible to crack.
There is another recent attack on ECDSA specifically where an attacker with something on the order of 2^33 signatures for a private key might be able to back out the private key itself. But that is a gross usage of reuse, to put in context you would require more signatures than the total number of bitcoin transactions so far, all on a single address.
That said it demonstrates that ECDSA is still relatively new and not completely understood, it is possible (likely?) that more attacks or even fundamental flaws on ECDSA will be uncovered. This is why bitcoin has 2 forms of encryption protecting an address (a hash and a signature) and why every address I use that I care about are zero spend addresses, and thus still protected by both forms of encryption.
Or alternatively, in 10 years people with bitcoin in their portfolio will be rich.
I guess it depends on how much BTC they have in their portfolio.
now's the time. seriously.
Or alternatively, in 10 years people with bitcoin in their portfolio will be rich.
I guess it depends on how much BTC they have in their portfolio.
ordinary goldbugs and speculators having to liquidate tons of physical gold at local coin dealers is going to be a sight to behold.
Same holds true for Bitcoin, BTW. Holding both, and needing to at some point re-initiate a revenue stream, I'll probably draw down my BTC holding more than my phyz ones assuming that both maintain the current unhappy situation of being at an inopportune selling point over the next few years.
Your scenario is nothing especially new. We saw it during the 2008 crisis. Plenty of people did not leave themselves enough of a buffer and were forced to liquidate whatever they had. In some cases this was PMs and the impact was noticeable. My portfolio suffered, but not to nearly the extent that my more mainstream counterparts who were heavily into mainstream instruments did. Many enjoyable and productive conversations around the water-cooler ensued.
I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.
I don't think Rich people want gold, I think it's a part of their overall portfolio, they own paper gold. Rich people believe in the markets, real estate, and the USD because it's served them so well. They want diversity. In some cases they want to hide their money, but gold isn't a good way to do that. We all know the advantages of Bitcoin over gold and in 10 years I believe most rich people will have BTC as a part of their overall portfolio.
Or alternatively, in 10 years people with bitcoin in their portfolio will be rich.
ordinary goldbugs and speculators having to liquidate tons of physical gold at local coin dealers is going to be a sight to behold.
Gold collapsing, Bitcoin up 
heh, heh, heh. i'm the troll, remember?!
Gold collapsing, Bitcoin up
I think something is going to happen to gold soon. The price is being suppressed by counterfeit certificates. Rich people want real gold.
I don't think Rich people want gold, I think it's a part of their overall portfolio, they own paper gold. Rich people believe in the markets, real estate, and the USD because it's served them so well. They want diversity. In some cases they want to hide their money, but gold isn't a good way to do that. We all know the advantages of Bitcoin over gold and in 10 years I believe most rich people will have BTC as a part of their overall portfolio.
gold collapse incoming. c'mon gold! i wanna reset my shorts!:
listening to johoe is inspiring. but it appears to me that even if you're using a BIP32 wallet, you'll still be exposed to a hack from address reuse if you choose to accept multiple payments to a single address. for instance, if you accept 5 payments of 1BTC each to a single address, you will create 5 UTXO's of 1BTC each. if you then only spend 1BTC from that address, you will leave the other 4 UTXO's behind on that address which will force you to reuse that address later on when you decide to make another payment. so in that sense, HD wallets (BIP32) are still exposed if you're not careful and don't always force all tx's to empty an address. i understand that this is not directly related to the reuse of the r value that johoe talks about in this episode, but it's concerning to me nonetheless unless i have something wrong:
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
http://letstalkbitcoin.com/blog/post/the-bitcoin-game-7-bitcoin-hero-jochen-aka-johoe
Did johoe talk about BIP32 wallets in the stream? I just scanned through, but couldn't find any reference to BIP32 wallets.
However, AFAIK you're right. As soon as the hacker gets the R value of 2 signatures from the same address (e.g. from transactions, but could also be from signed messages (!) or a mixture of both), he can calculate the private key of the address and then spend all the funds still left on that address. So from 0 to 1 outgoing transactions (or publicly accessible signed messages) an address should be safe (from this specific problem). I think so far this is not related to HD/BIP32 wallets other than it's easier to not reuse a single address.
i think they did mention HD wallets somewhere in the interview but no matter.
the solution presented was to not reuse addresses as a way to solve the repeat R value problem with a poor RNG or implementation bug. at that point i remember HD wallet use being recommended. that's fine and good but HD wallet marketing has given what i think is a somewhat false impression of preventing address reuse as in the example i gave above. in fact, i could see a major chain store owner assigning a specific fixed xpub address to each member store which they print out in QR code form for posting at their checkout stations. hundreds if not thousands of tx's would serve to expand the UTXO set associated with a particular stores address. if the owner then only spends a fraction of the BTC associated with that address repeatedly over time, that would expose the xpubkey, which would decrease security not necessarily to the same R value problem encountered with blockchain.info but perhaps to some other insecurity yet to be found.
point being that HD wallets will require much greater use scrutiny than initially thought.
this looks bullish:
Just the first large green candle of many! We have been talking about this 2015 pump for a while now.......
Just weeks ago u were talking shit like how u could have bought at $2 and u knew better buying a digital currency especially after it hit $1100 u vowed never to buy so high... yet at $300 its low
enough to buy even though $2 was expensive? Sounds like a professional bct trololol
LOL? WTF are you talking about all I have done on these forums is make unbias opinions on how the market is moving at any given time... I was a permabear until we kept bottoming around $300
I never said anything about $2 lol wtf I talk as close to the money as possible. I don't talk about a crash and I don't talk about the moon
disclaimer: I have been fully leveraged long at approx. $317~ but everyone who follows my posts knows that already
Unbiased opinions on how the market is moving at any given time? bahahaha
just a few months ago, fewcoins said (and I quote),
"All of those "buy walls" are sooo fake... I watch many of those people cancel ALL THE TIME! That's what happens with unregulated things!!! As a perma-bear, I can tell you BTC price chart looks exactly the same as a penny stock pump and dump that waves widly in the wind back n forth back n forth until its literally worth $0.00"
So he wants you to think (at some points) that bitcoin is going to zero while at other points it's just going to go up and up. He's either a lying troll or an imbecile.
And just today in the Bull Run Initiated Thread (just look in his posting history) he says:
"Amazing buy walls at 330 & 325 now too... We will be lucky to get coins around the 315-320 level again before this bounce really goes up"
So my question is, do you think fewcoins still expects bitcoin to go to zero before it goes up?
My prediction: gold and bitcoin will find equilibrium and become tidal locked.
can you put a time on that?
Bitcoin (and the free market) really need to find some peg. Gold ETFs have served that purpose to some degree, but Bitcoin will drag gold much higher as its ad-hoc digital twin. If I were to venture a guess it would have to do with whichever country has enough gold and is willing to acquire bitcoins as well. When people start losing faith in fiat currency and bonds, they will trade gold for bitcoins.
I can think of unthinkable scenarios regarding confiscation of gold or its ownership belonging to a designated class. Bitcoin would be the only way the rest of us can be licensed to hold gold.
Most likely it will occur organically as fiat currencies fail. Both bitcoin and gold will see huge swings in the next few year, but 2019 will be when they become pegged.
thanks for putting a time on it.
by 'tidal locked' and 'pegged', do you mean they have a very high correllation coefficient or something else? 'peg' sounds like something that is being actively enforced through market operations or redemption offerings, but I doubt that's what you mean, right?
My prediction: gold and bitcoin will find equilibrium and become tidal locked.
can you put a time on that?
Bitcoin (and the free market) really need to find some peg. Gold ETFs have served that purpose to some degree, but Bitcoin will drag gold much higher as its ad-hoc digital twin. If I were to venture a guess it would have to do with whichever country has enough gold and is willing to acquire bitcoins as well. When people start losing faith in fiat currency and bonds, they will trade gold for bitcoins.
I can think of unthinkable scenarios regarding confiscation of gold or its ownership belonging to a designated class. Bitcoin would be the only way the rest of us can be licensed to hold gold.
Most likely it will occur organically as fiat currencies fail. Both bitcoin and gold will see huge swings in the next few year, but 2019 will be when they become pegged.
thanks for putting a time on it.
by 'tidal locked' and 'pegged', do you mean they have a very high correllation coefficient or something else? 'peg' sounds like something that is being actively enforced through market operations or redemption offerings, but I doubt that's what you mean, right?
Jump to: