Nxt source code flaw reports - page 2.

Eadeqa

hero member

Activity: 644

Merit: 500

Quote from: TwinWinNerD on March 22, 2014, 04:24:31 PM

Quote from: Come-from-Beyond on March 22, 2014, 04:23:35 PM

Quote from: ?? on ??

Here is the Account Miner, and I hope to discuss it with you guys:

https://github.com/litecoin-extras/nxt-account-miner

Build it with simply running:

Code:

./make.sh

And run it with:

Code:

./bruteforcer

In the code specify:

Code:

unsigned long long global_iter = 33333333333LL;

which is the starting private key point P=global_iter * G

And specify the target AccountID:

Code:

unsigned long long target = 16386134630970163904LL;

Also play around with the number of parallely executed processes:

Code:

int ntimes = 2;

I am not sure if the code is all correct, so please review the code and let us make it better ;-)

Why do u need the target account? Mine all the accounts!

Checking against a list of all HiberNXT accounts would significantly lower the rate of 10millionaccs/s

Targeting just one account will be very slow though. 146 years to find it with 4 billion per second rate. If you get very lucky (just after 10% of search), it will still take 14 years.

Evil-Knievel

legendary

Activity: 1260

Merit: 1168

This message was too old and has been purged

Eadeqa

hero member

Activity: 644

Merit: 500

Quote from: TwinWinNerD on March 22, 2014, 04:20:23 PM

Quote from: intmain() on March 22, 2014, 04:03:23 PM

Quote from: Evil-Knievel on March 22, 2014, 03:22:29 PM

wait i remember having a github account ... let me push it.

10M account/s? That's pretty impressive, I only could push 6.4M on a 3.4GHz laptop.

10,000,000 accounts/s per PC would need about 317097 years to check all possible digits.
Faster PCs + a mass of miners would lower that number significantly, but then again i thought this was a feature and not a bug?

Even 4 billion accounts/per sec will take 146 years to recover all accounts with no outgoing transactions. However, if there are 1000 accounts with no public key that will mean 0.146 years to recover one account on average

TwinWinNerD

legendary

Activity: 1680

Merit: 1001

CEO Bitpanda.com

Quote from: Come-from-Beyond on March 22, 2014, 04:23:35 PM

Quote from: ?? on ??

Here is the Account Miner, and I hope to discuss it with you guys:

https://github.com/litecoin-extras/nxt-account-miner

Build it with simply running:

Code:

./make.sh

And run it with:

Code:

./bruteforcer

In the code specify:

Code:

unsigned long long global_iter = 33333333333LL;

which is the starting private key point P=global_iter * G

And specify the target AccountID:

Code:

unsigned long long target = 16386134630970163904LL;

Also play around with the number of parallely executed processes:

Code:

int ntimes = 2;

I am not sure if the code is all correct, so please review the code and let us make it better ;-)

Why do u need the target account? Mine all the accounts!

Checking against a list of all HiberNXT accounts would significantly lower the rate of 10millionaccs/s

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: ?? on ??

Here is the Account Miner, and I hope to discuss it with you guys:

https://github.com/litecoin-extras/nxt-account-miner

Build it with simply running:

Code:

./make.sh

And run it with:

Code:

./bruteforcer

In the code specify:

Code:

unsigned long long global_iter = 33333333333LL;

which is the starting private key point P=global_iter * G

And specify the target AccountID:

Code:

unsigned long long target = 16386134630970163904LL;

Also play around with the number of parallely executed processes:

Code:

int ntimes = 2;

I am not sure if the code is all correct, so please review the code and let us make it better ;-)

Why do u need the target account? Mine all the accounts!

TwinWinNerD

legendary

Activity: 1680

Merit: 1001

CEO Bitpanda.com

Quote from: intmain() on March 22, 2014, 04:03:23 PM

Quote from: Evil-Knievel on March 22, 2014, 03:22:29 PM

wait i remember having a github account ... let me push it.

10M account/s? That's pretty impressive, I only could push 6.4M on a 3.4GHz laptop.

10,000,000 accounts/s per PC would need about 317097 years to check all possible digits.
Faster PCs + a mass of miners would lower that number significantly, but then again i thought this was a feature and not a bug?

Eadeqa

hero member

Activity: 644

Merit: 500

Quote from: Come-from-Beyond on March 22, 2014, 01:36:47 PM

Quote from: Evil-Knievel on March 22, 2014, 01:31:56 PM

To be more precise, you can theoretically "mine" twice as fast as the BTC Mining Hardware (as you only need one round of sha256 and the Curve25519 stuff comes at no cost as it is just incerementing the pubkey by 9 = basepoint in each round). So on a FPGA you could try 1,6 billion accounts per second, and on a 7990 GPU around 4 billion accounts per second. Only a matter of time, until you find one public key, which SHA256 hash matches an existing account in the first 8 bytes.

Interesting approach! Can u get the private key out of this? Or sign a transaction?

PS: Ability to "mine" accounts not secured by a 256-bit key was made on purpose.

Not all accounts without outgoing transactions are lost nxt. This should be be made even more clear to users who login to their accounts but don't have outgoing transactions.

I deposited 100 nxt to crypsty account but there is no outgoing transactions in that account. I hope crypsty (and other exchanges) are aware this could be a problem

intmain()

newbie

Activity: 28

Merit: 0

Quote from: Evil-Knievel on March 22, 2014, 03:22:29 PM

wait i remember having a github account ... let me push it.

10M account/s? That's pretty impressive, I only could push 6.4M on a 3.4GHz laptop.

Evil-Knievel

legendary

Activity: 1260

Merit: 1168

This message was too old and has been purged

Evil-Knievel

legendary

Activity: 1260

Merit: 1168

This message was too old and has been purged

Come-from-Beyond

legendary

Activity: 2142

Merit: 1010

Newbie

Quote from: Evil-Knievel on March 22, 2014, 01:48:04 PM

Well we can delete all these things if you prefer, and discuss in private Wink

The problem is, that you do not need to use a secret phase, which is SHA256ed and mapped to a public key on the curve.
With a little tweaking of the GUI you can replace the login commands, so you can enter private keys directly when unlocking an account.

And 9, 18, 27, 36 ... are all fine public keys (of which 1,2,3,4 are the trivial private keys). And one hash of those eventually will match a present AccountID.

No, better discuss it in public.

Meizirkki

hero member

Activity: 616

Merit: 500

Quote from: Evil-Knievel on March 22, 2014, 01:31:56 PM

I have still doubts about the account mining issue ;-) I have made a small reference implementation (which I would never make public except give it to the devs) which is capable of doing 10 Megahashes (or Megaaccounts) per second on a simple CPU. At some point in the future, this might be an issue.

To be more precise, you can theoretically "mine" twice as fast as the BTC Mining Hardware (as you only need one round of sha256 and the Curve25519 stuff comes at no cost as it is just incerementing the pubkey by 9 = basepoint in each round). So on a FPGA you could try 1,6 billion accounts per second, and on a 7990 GPU around 4 billion accounts per second. Only a matter of time, until you find one public key, which SHA256 hash matches an existing account in the first 8 bytes.

Thank you. I've been told since the beginning that NXT is totally future proof and this is a feature, not a bug. Nxtcrypto.org should show a gigantic warning for every newbie that unless they do an outcoming transaction their accounts are subject to mining. As hardware gets faster each year it's just a matter of time before someone loses their coins.

Congrats for winning the bounty Wink

LiQio

legendary

Activity: 1181

Merit: 1002

Congrats Evil-Knievel, fast and efficient

PS: I really didn't like your first appearance on the main NXT thread, you came across as way too haughty.
Hope you change that, because I really like the NXT community and would like you to stick around

PPS: Should be empowering for your "Transaction Malleability Reloaded" - watching with interest

instacalm

hero member

Activity: 798

Merit: 500

Congratulations, Evil-Knievel!

jkoil

hero member

Activity: 834

Merit: 524

Nxt NEM

Quote from: Evil-Knievel on March 22, 2014, 12:35:21 PM

I can only imagine this to be the flaw:

Code:

if (lastBlock.getHeight() < Constants.TRANSPARENT_FORGING_BLOCK) {
                byte[] generationSignature = Crypto.sign(lastBlock.getGenerationSignature(), secretPhrase);
                generationSignatureHash = digest.digest(generationSignature);
            } else {
                digest.update(lastBlock.getGenerationSignature());
                generationSignatureHash = digest.digest(publicKey);
            }

            BigInteger hit = new BigInteger(1, new byte[] {generationSignatureHash[7], generationSignatureHash[6], generationSignatureHash[5], generationSignatureHash[4], generationSignatureHash[3], generationSignatureHash[2], generationSignatureHash[1], generationSignatureHash[0]});

So forging before the Transparent Forging Block is really vulnerable to "Mining".
After the transparent forging block you take the generation signature and use the hash of it to look which user gets rewarded with the fees. Before the transparent forging block, the hash of a SIGNATURE of the GenerationSignature has to meet certain criteria. Due to the random "k" in the signing process, you get different values when resigning.

Here you can just start mining with a decent hardware, resigning the generation signature until one of their hashes meets the requirements to collect the fees.

Congrats

... also from saving my bloody time Wink

Evil-Knievel

legendary

Activity: 1260

Merit: 1168

This message was too old and has been purged

BloodyRookie

hero member

Activity: 687

Merit: 500

Quote from: ?? on ??

Sure, the private key is just the number of times you incremented your Public Key by 9 (which has to be set to 9 itself in the beginning).

Check your comment in the core function of Curve25519.java.

Code:

/* P = kG   and  s = sign(P)/k  */

The public key is just a k * G ( G = 9 = basepoint). k is directly proportional to s which is the private key for signing.

P=kG means skalar multiplication on curve25519, not multiplying integers.

Evil-Knievel

legendary

Activity: 1260

Merit: 1168

This message was too old and has been purged

farl4web

legendary

Activity: 1205

Merit: 1000

Thanx a lot Evil-Knievel! Enjoy your 100K!

Evil-Knievel

legendary

Activity: 1260

Merit: 1168

This message was too old and has been purged

Topic: Nxt source code flaw reports - page 2. (Read 113378 times)