Pages:
Author

Topic: Reused R values again - page 14. (Read 121311 times)

legendary
Activity: 1260
Merit: 1116
December 13, 2014, 04:17:21 AM
Quote
could you tell me the price of BTC 2016.1.1?
I can. Less than $10. Wanna bet?
But discussing price / loses / investing / risk / insurance / obligations is offtopic here.

zing
legendary
Activity: 1260
Merit: 1019
December 13, 2014, 04:16:10 AM
Quote
could you tell me the price of BTC 2016.1.1?
I can. Less than $10. Wanna bet?
But discussing price / loses / investing / risk / insurance / obligations is offtopic here.

UPD: sorry, i do not understand chinese.
full member
Activity: 149
Merit: 100
December 13, 2014, 04:14:26 AM
Quote
How about you?   No one but you chose to use counterparty or blockchain.info.
Great.
A have to add:
No one but you chose to use crypto-currency instead of national money.
You pay nothing to community - you have nothing back from it. Point.
This is law of conservation. Even Satoshi Nakamoto can not break it.

天网恢恢 疏而不漏

善有善报 恶有恶报

不是不报 时候未到

时候一到 一切报销
full member
Activity: 149
Merit: 100
December 13, 2014, 04:04:12 AM
I lost 23800 safecoin linked to my btc address , who would take the responsibility?  XCP or blockchain.info?
How about you?   No one but you chose to use counterparty or blockchain.info.  I'm sorry to hear about your loss, but this is what happens when you use unreviewed cryptographic software-- especially things which have already been publicly criticized and have even suffered similar failures in their past.


Sorry ,I do not understand your logic.


I invested the safecoin at 2014.4.22. https://blockchain.info/zh-cn/tx/917c77c3e6953c4d96ab9627fc809bd3731d7093cbfc3d1074b1ff23bdd90682

and the problem exposed at 2014.4.23.https://bitcointalksearch.org/topic/m.6354731

How could I know thing happened in the future?

could you tell me the price of BTC 2016.1.1?

could you ?

I am a victim here, all right?
full member
Activity: 149
Merit: 100
December 13, 2014, 03:47:17 AM
I lost 23800 safecoin linked to my btc address , who would take the responsibility?  XCP or blockchain.info?



How many places are you planning to post this?

https://bitcointalksearch.org/topic/m.9825935

Just two threads.

I think the two threads are relatively.

legendary
Activity: 1260
Merit: 1019
December 13, 2014, 03:44:18 AM
Quote
How about you?   No one but you chose to use counterparty or blockchain.info.
Great.
A have to add:
No one but you chose to use crypto-currency instead of national money.
You pay nothing to community - you have nothing back from it. Point.
This is law of conservation. Even Satoshi Nakamoto can not break it.
legendary
Activity: 1260
Merit: 1116
December 13, 2014, 03:39:07 AM
I lost 23800 safecoin linked to my btc address , who would take the responsibility?  XCP or blockchain.info?



How many places are you planning to post this?

https://bitcointalksearch.org/topic/m.9825935
staff
Activity: 4284
Merit: 8808
December 13, 2014, 03:30:51 AM
I lost 23800 safecoin linked to my btc address , who would take the responsibility?  XCP or blockchain.info?
How about you?   No one but you chose to use counterparty or blockchain.info.  I'm sorry to hear about your loss, but this is what happens when you use unreviewed cryptographic software-- especially things which have already been publicly criticized and have even suffered similar failures in their past.
full member
Activity: 149
Merit: 100
December 13, 2014, 03:09:16 AM
I lost 23800 safecoin linked to my btc address , who would take the responsibility?  XCP or blockchain.info?

administrator
Activity: 5222
Merit: 13032
December 12, 2014, 11:13:13 PM
What does "weak" mean in this context?

It means that the k value used might be predictable due to the bad RNG. If someone can guess the k used in a transaction, then the private key can be recovered.
hero member
Activity: 661
Merit: 503
A simple and secure Bitcoin wallet!
December 12, 2014, 11:00:18 PM
Hi, johoe.

You are really a hero. Nice job!

Since the day before yesterday, Bitcoin users in China asked our team about blockchain.info's problem.
So we started digging into the issue and found out:
It was not only the repeated-R, and there were more users affected by this event.

Some bitcoins on these vulnerable addresses that we found were collected to here: 1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh

Currently we are continuing to evaluate the consequences.
After we finish all analysis, we will post more details here and try to return these bitcoins to correct users.

Wen Hao
Bither Team
legendary
Activity: 1106
Merit: 1026
December 12, 2014, 10:31:09 PM
My guess is that statistically there should be about 500 additional transactions with a weak R value, ...

What does "weak" mean in this context? I'm also wondering about the "endangered" list: since they already moved coins, I would assume they are now "secured", or is this a flawed assumption? This thread becomes more and more interesting, thanks for your input.

/tip 250000 bits Wink
legendary
Activity: 1260
Merit: 1001
December 12, 2014, 09:21:57 PM
The money has been returned to blockchain.info.  Please write to blockchain support to claim refund.

Quote
From: Ben Reeves <[email protected]>
If you could return the funds to address 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP that would be fantastic.

I should also add if that using our admin tools, if users supply us with the correct wallet information, we are able to accurately determine which refund claims are valid and which are not. So far we have processed over 30 refund requests and will be processing more over the rest of this week.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJUh5AdAAoJEP3NqDUC96SQqH0H/3pTTawCXZWfWAwIoVQPkSYa
DgpioEvHLDHXegfAfXyo8X9vc50kEseQVeZ5FAvoeC3Hy76gNIgEDllP5o6FUXL2
HsEj7qcafY5AxlxMgRRG9p1OcbeJS6mlbZrjB78BD+zrtzZaLFoSAf4+lw3YZHg5
xvA0WyNoHE1Hzg8+pdPbg1PPN6dHT38+PCyqFgYIjkjq07UbxxtyyWs8KIQqSuTe
4XIh0gjd73Wqtxm4CAHtnwy0PA5Pi/lE7v0d6qqF2l86SlxDkT6067asMw9Te0JJ
WgnFM8fePrM8HU980n0xvamae7J71zlFMN2/RYfj2t/pTIEWz25ZI2iVS0MGg14=
=9MGK
-----END PGP SIGNATURE——

PGP key is available from https://blockchain.info/security.txt



https://blockchain.info/tx/ea8fa447d59000843910932a42bf7a28915772d97a006e97714d026b78885754

You look good in a white hat Wink  Sincere thanks for discovering this and seeing it through!
legendary
Activity: 1456
Merit: 1000
December 12, 2014, 04:02:36 PM
Hello,

there has been a lot of reused R values in the signatures on the blockchain, recently.  This exposed many private keys.  After googleing the addresses, I think it is related to Counterparty (XCP).  Here is a list of the exposed addresses in alphabetic order.  Most keys were exposed very recently, i.e., in the last week.

If you own one of the following addresses, you should transfer the money to a fresh address (before someone else does it for you).  Also figure out, which client has the bug that revealed the private key by reusing R values.  Then notify the author of that tool.

Hey, Johoe

I wasn't affected, but I just wanted to say thanks for being such an honest member of the global Bitcoin community.

It's such a welcome and refreshing piece of news.

If you ever need any help with anything, PM and I'll see if I can do anything to help or put you in contact with someone who might be able to help - with anything.
full member
Activity: 168
Merit: 103
December 12, 2014, 12:54:39 PM
@johoe: Did you use the blockchainr tool or make your own?
full member
Activity: 217
Merit: 259
December 12, 2014, 12:46:40 PM
Do you think the majority of the reused "R' values issue has been resolved? If so could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

A reused R value is easily identified.  Just go through the blockchain data extract the r values (the first part of the signature), put them into a set and, if it was already in this set before, print it out.  You need a set with more than 100 million elements, but this is technically not so difficult to manage.

I have two lists of addresses, broken and endangered, the latter contains all addresses that were used in connection with an reused R value or are equal to an R value (R is very similar to a public key).  The money of the broken list is now swiped except for some dust; less than 10 mBTC in total.  But there is still some money in the addresses of the endangered list.  Nonetheless, these addresses should be considered compromised and I think with a bit of brute force it should be possible to break them.   At least these users should have been warned by now, since blockchain also has these lists.

I detectected a bit more than 1500 transactions with reused R values since Dec.7 (some of them are related to another problem that is going on since September). My guess is that statistically there should be about 500 additional transactions with a weak R value, where the R value was never reused; but this is pure guesswork.   These should also be considered compromised, but I have no way to detect them, so the users cannot be warned directly. Also newly generated keys should be considered compromised, even if they had no transactions at all.  So if you used blockchain in that time-window consider yourself affected even if you are not in one of my lists.



legendary
Activity: 1050
Merit: 1000
December 12, 2014, 12:18:03 PM
Hello,

thanks for all the warm words.  I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i.  Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time).  If you still want to donate I added one of my bitcoin addresses to the signature.  And if you ever need to store 267 BTC safely for a few days Cheesy, you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions.  The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues.  So clear your browser cache and reload the blockchain page.  

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken.  
Even if it is not on my list.  The same holds for every address you sent money from during that period using the blockchain service.  If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money.  I'm not sure of the end of the time window.  The first buggy transaction occured Dec. 7 21:53:26 UTC.  

If you lost money during the last days you can reclaim it by writing to the blockchain support.  They can see whether your claim is valid and will refund you.  That said, I'm not affiliated with blockchain.info  (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

the money to these addresses have been returned.

I see that there are several different 1xy... addresses related with this incident.  These are not mine.

I hope that all remaining issues will be resolved soon.


No, thank you. This could've been another black mark on Bitcoin to the people outside, but thanks to you it remained quiet, so much so even a lot on this forum is unaware.

Saying that I am now wary of Blockchain.info and probably will not trust it anymore.
hero member
Activity: 686
Merit: 500
FUN > ROI
December 12, 2014, 11:06:24 AM
You mean that 4 is not a random number?  It looks quite random to me.
Well, it was chosen by fair dice roll.  guaranteed to be random.
hero member
Activity: 910
Merit: 1003
December 12, 2014, 10:55:50 AM
Sony used k=4 as a random number.

You mean that 4 is not a random number?  It looks quite random to me.

More than 9, for sure...
staff
Activity: 4284
Merit: 8808
December 12, 2014, 07:37:47 AM
And should have been obvious to anyone who has implemented the cryptosystem too,  if k didn't have to be secret/unique you could just make it a parameter of the system and eliminate r and halve the size of the signatures.
Pages:
Jump to: