Topic: Reused R values again - page 13. (Read 121128 times)

If you mean "Can I send my whole balance from blockchain.info to a paper wallet that is not created by blockchain.info" Than yes it is pretty safe if you generated that paper wallet in an offline mode.But after that never use that blockchain.info wallet.

Can I send my entire blockchain wallet to a paper wallet without it being compromised, at least on the blockchain.info end?

Yes it is safe to transfer all of the funds from your blockchain.info account to a newly created wallet with bitcoin core and never use that blockchain.info wallet again.

As far as I understand they are from a previous bug of blockchain.info but this time johoe uses all possible values of k.

Were R values re-used again today? I see that johoe has ~250 BTC more in his wallet today with messages saying "Contact Blockchain support".

Is it safe to send BTC from a blockchain.info wallet to another wallet or cold storage yet?

I'm hesitant to make any transactions on there now.

Am I safer just leaving what I have left there where it is for the moment?

I may give more details on the rng later.  At the moment there is still too much money lying around.

Does anyone know how to check if there is an unconfirmed transaction trying to spend an output?
Do I have to use bitcoin-cli listtransactions and then dump each transaction to check which output was spent?

The wallet operations on bitcoind are so slow when you have 1400 private keys imported.

I hate that signtransaction or sendtransaction don't tell me which input it is that I shouldn't spend .

I only can say for myself: it was too hard for me to reproduce this RNG.
I found sources http://code.google.com/p/srp-js/source/browse/trunk/javascript/prng4.js?r=12
But I do not know how Math.random works in java-script
By the way. The implementation for Math.random can be different in browsers

I am looking at the addresses from which the coins were swept and I am trying to get the priv key of those addresses but I fail over and over again.

 

the answer is in the post directly above yours (by bcearl).

Seems to me that johoe can do that nobody else can on this planet.
https://blockchain.info/address/1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
awesome!
(he just saved/swept more ~300 btc)

@johoe: I bet you could swipe even more addresses, if you analyze the weak random generator and try all possible values of k. This way you would even swipe those who used k only once.

Was reading through some articles and came upon this
Good job Johoe you have my respect
I tip my hat to you

Well, I bet it won't take long for bots to adjust to this tactic.

This is a typical example.  It was broken in several steps:

1LT8zYr6WW5zcnWiYr5gbLT621rPhPGyP2  has two signatures with R-value 2a6f8c926...
This gives us the corresponding k value.
Using this k value, we can now break 1NaMT8A9FysDGRXEL1YdY6VCJUwvXEUedz that uses the same R value.
This key has another signature with R value 460ba0d.... so we can compute the k value for this.
Using this k value, we can break 1Ep4E6WF6jZRhnLCBrFF96fQ8ocvNX728C,
Similarly we get the k value for R value f3b5c9...., that is used with the 1Ep4 key.
This gives us the private key for 1FRDgmxVrUUNiiB7GN3NNcJDEEXtFB22rm.
Finally this has a signature with the R value 6bcc247f1... that was also used to sign with 19owWJc.

Many keys require this multi-step reasoning.  This is probably why the bots couldn't break the keys.  My tool follows these chains.  I think this is why I was the first who could swipe the keys despite doing it manually.

This is the chain my program chooses now.  I'm not sure if all these signatures were present when I broke the key the first time.  But there are other chains leading to this key.  I shouldn't say may program chooses chains.  It just computes K values and private keys until it cannot compute any new K value or private key.

At least a consultant.

I assume any address which was not created nor did any transaction during that window should be fine?

but there is already that smart guy:





(PS: nice job johoe)

I know there was another 3 pages of people saying thanks, but I want to do it too. Thank you.
Also now that there is no coins in those addresses, how did you got the private keys of those addresses? Lets for example use this https://blockchain.info/address/19owWJcPbTEe1mVYer1ymnbduJDza9jpRH There is only one sending tx https://blockchain.info/tx/f10d5c469c634de25276aae9c4e14add80ad9c66000182fac1b30e72a99298fb
The R is R=6bcc247f1259262b4035bfa84f0397a69f69baa01659daaf94fe1164b650c86a
The S is S=a044b38e8264a1c928ddd28b4657aa7109d1ea30e911208c7ce57abcb1451fe6
The spending from 1FRD...... https://blockchain.info/tx/cf0b65ec6a2f9b5e003358d7b9bb6e04b30138c4dba30724f600bf753bfc3f4a uses the same R but if I don't know the private key of 1FRDgmxVrUUNiiB7GN3NNcJDEEXtFB22rm I don't know the private key of 19owWJcPbTEe1mVYer1ymnbduJDza9jpRH
So how did you done it how did you got the private key of 19owWJcPbTEe1mVYer1ymnbduJDza9jpRH?

We want to see Johoe as the chairmain of  bitcoin foundation !

@bcearl: I used my own tools.  Basically finds repeated R values as I have written before.

@lifeisgreat88088: Definitely not bc.i.  Your address 1CAsR... was exposed in April by the counterparty bug.  They refunded the users back then.  You probably can still claim the 0.0017228 BTC you lost in April (doesn't help you much I fear), but I doubt it extends to the new money you put on the address afterwards. 
 
@dexX7: I received it, thanks.  Weak R values = values produced by the broken RNG.  I never looked into the RNG. I only looked at the random numbers random people produced when signing transactions.  Assuming there were about 2000 signature affected by that bug, I only see a weak R value if it was produced twice in these 2000 signatures (otherwise I see it only once and assume that it is not special).  Note that not only the k/R values (k is the private key for the public R) are generated by the RNG but also new private/public keys.  I only did a very basic search for them but there are 83 public keys that match an R value.

My estimate on how many weak R values I don't see is based on the distribution of R values I see 2, 3, 4 or more times.  This should give a geometric series from which the number of weak R values seen only once can be estimated. The data basis is too small to give precise results.  I would say from 300-700 such transactions should exists.