Topic: Reused R values again - page 7. (Read 121128 times)

I do not understand. Sorry. I do not have expirience with js and different browsers.
What brunch do we use? 'Real Rand' case or Math.random? Why key.length is 0 and how does "% key.length" works? Division by zero?

https://github.com/blockchain/My-Wallet/commit/98d5a7ca59ef04d06ac6aee468634b12975a0f5c

In a nutshell, just poor seeding of the RNG.

Because line 29 was missing from the original source code file (rng.js), the length of the key variable used in the function below ARC4init(key) from prng4.js is always 0. Which means you are left with only 256 possible seeds. Each of the 256 possible seeds produces its own sequence of numbers (which you can assign to some variable, for example k or d, etc) which can be used for secp256k1 point multiplication.

secp256k1: (G=base point, k=ECDSA nonce, d=private key)
point R = k*G (used for ECDSA: k and x-coordinate)
point Q = d*G (public key)

// Initialize arcfour context from key, an array of ints, each from [0..255]
function ARC4init(key) {
  var i, j, t;
  for(i = 0; i < 256; ++i)
    this.S = i;
  j = 0;
  for(i = 0; i < 256; ++i) {
    j = (j + this.S + key[i % key.length]) & 255;
    t = this.S;
    this.S = this.S[j];
    this.S[j] = t;
  }
  this.i = 0;
  this.j = 0;
}

@amaclin the problem that I see with all companies providing bitcoin services is that they introduce almost systemic risks in the bitcoin ecosystem. I mean, even when this is not a systemic issue, it is big enough to be an *almost* systemic issue. That is not good, sadly.

I just noticed that I accidently swiped 7041 Satoshi from an address not related to this incident and sent it to blockchain.info  .

https://blockchain.info/address/127sp9ZQ2y2NbW3p8L37wgkvfRfxceWL64

To the owner of 127sp9ZQ2y2NbW3p8L37wgkvfRfxceWL64:
I still have >.9 BTC that I swiped from one of your other addresses.  You can contact me if you want it back.  Send me a message signed with the address from which I took the BTC, and I try to verify that you didn't just crack the address the same way I did.  And please tell us, which program is producing the weak signatures.

This was an address that I already cracked in October so it is not blockchain.info related.

Exactly.  Blockchain.info != bitcoin.

The issues here are not with the Bitcoin protocol but with blockchain.info's poor quality software.

It would probably have been better that ECDSA sigs didn't rely upon *random* values at all (then none of this mess would have happened).

My guess is we probably have the NSA to thank for *encouraging* the use of such random values (being a great attack vector).

Let us make fixes on https://bitcoin.org/en/faq#what-are-the-advantages-of-bitcoin

What are the advantages of Bitcoin?

Payment freedom - It is possible to send and receive any amount of money instantly anywhere in the world at any time. No bank holidays. No borders. No imposed limits. Bitcoin allows its users to be in full control of their money.

Very low fees - Bitcoin payments are currently processed with either no fees or extremely small fees. Users may include fees with transactions to receive priority processing, which results in faster confirmation of transactions by the network. Additionally, merchant processors exist to assist merchants in processing transactions, converting bitcoins to fiat currency and depositing funds directly into merchants' bank accounts daily. As these services are based on Bitcoin, they can be offered for much lower fees than with PayPal or credit card networks.

Fewer risks for merchants - Bitcoin transactions are secure, irreversible, and do not contain customers’ sensitive or personal information. This protects merchants from losses caused by fraud or fraudulent chargebacks, and there is no need for PCI compliance. Merchants can easily expand to new markets where either credit cards are not available or fraud rates are unacceptably high. The net results are lower fees, larger markets, and fewer administrative costs.

Security and control - Bitcoin users are in full control of their transactions; it is impossible for merchants to force unwanted or unnoticed charges as can happen with other payment methods. Bitcoin payments can be made without personal information tied to the transaction. This offers strong protection against identity theft. Bitcoin users can also protect their money with backup and encryption.

Transparent and neutral - All information concerning the Bitcoin money supply itself is readily available on the block chain for anybody to verify and use in real-time. No individual or organization can control or manipulate the Bitcoin protocol because it is cryptographically secure. This allows the core of Bitcoin to be trusted for being completely neutral, transparent and predictable.

Strange things happening...
https://blockchain.info/address/1NEBmytquNcVKcQtVbVYCEXg7tNkN12QGK

this address was fine until today. It had 10 outgoing transactions last week but all with good R values.
Today it had a new transaction with bad R value.

AFAIK bc.i has set up an autosweeper for known addresses (and they have the complete list from me).  Also their wallet should forbid sending money to such an address.  At the moment I see no funds in any weak address.

Private keys are already compromised.
bc.i can not do anything with it now. They even can not determine who moves funds out "owner" or "hacker"
In fact they also can sweep funds.

They have already fixed the code - the main issue now is that people have not "refreshed their browser pages" who were using the buggy code (and of course the funds that have not been swept from the compromised keys) and people still using compromised addresses (I am assuming that blockchain.info would have sent all affected users an email - but not all may have received that email or acted on it).

When can we assume bc.i have sorted this fuck up out?

with all this talk can  please have a noob friendly opinion

would green address it be a safer option ? or breadwallet for IOS ?
i want to keep a small wallet with $20 so i can buy beer and show my mates 

Are they still not using deterministic “k” by now? Even a simple k = H(m||secretkey) would be better than any home-baked RNG that is considering Date().getTime().

Can some JS pro tell me what Browsers still don't provide good entropy from the operating system and why users should generate keys on them?

It doesn't have too much to do with closeness. There is a linear relationship between any pair of two numbers in the “Z_n” (with n from Bitcoin's secp256k1 curve). The question is whether you know it. Easier “k” is much easier to break, because it results in identical “r” appearing in the blockchain. Anybody can detect them immediately. But for an evil programmer who manipulates the generation of “k”, there is much more potential to leak values, without having obvious appearances in the blockchain.

Does not help against the attack from here, because the manipulated random numbers are provably indistinguishable, but it would have prevented the ridiculous bug in MyWallet.

There have been again some bad transactions this night, including this big one from bitcoin gambling guide:
https://blockchain.info/tx/6bde86ea2a9892d955443d2bf3d716fa2c0c8947e2cddcc54e2a61930405f3df

The other exposed addresses are 12bGnGuxW6LRyCE8peAYnAFxS7fzVnSALZ, 1BCzSb27A3Ky8HuLNeAE9L17EVjXvo66z
and 1ALzByRJDvFH18CSVZ3YsTdGUkg8fmD5Fw

I uploaded a list of public keys (in compressed hex format).  To get a list of weak R values just remove the 02/03 from the beginning of the line.  I leave it up to you to compute a list of weak addresses from it.

I found out, yesterday that it is possible to compute the private keys from this list alone without breaking the RNG but it is probably more difficult than just breaking the RNG  Using the same trick, I think I found a way to compute this list 30 times faster if I need to do that again.


Edit: This transaction looks suspicious
https://blockchain.info/tx/45615ef3bba30a29561249a581e59b6e2b44e7612219735a1afdf3f76dbff849
I think others know how to break the RNG.

Edit2: I just tried my download link and noticed that it downloads a Download.exe.  Is this site (sendspace) safe  to use?  I disabled the link for now.
Edit3: I changed the download link to solidfiles.com.

That sounds bad. Blockchain.info should put a general warning on their page to clear the cache. Till now there has been no warning at all, they are trying to hide their incompetence.

Well, that's not absolutely horrifying, is it? damn.

Also new wallets created.  And "this time period" is somewhat ambiguous due to caching. For all I know there is some browser tab up someplace running this code that could generate an address and and receive 1000 BTC at any moment.

This seems to be recovery address from the disaster, 914 BTC total, they've been slowly returning funds to users:
https://blockchain.info/address/1PLn3ru1n7wERPP1BLVV9oAEGGuXUP1eoC

Does this mean the problem was not limited to the reused R values, all transfers were compromised during the few hours while the bug was not discovered? If I understood you correctly, if you seed the RNG with time-stamps from that short period you bump into the transactions which haven't had reused R values, that's how you got this private key?