Author

Topic: What libraries for secp256k1 have been used for bitcoin in the past? (Read 247 times)

legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
It's possible, but IMO it won't be easy to find. It's more likely we find exploit within CSPRNG/PRNG or someone put backdoor for k values of ECDSA.

How is it possible to backdoor 'k' value? I thought 'k' is generated from a hash of private key?

Not necessarily since it can be a random number inside (0
If there is a problem with implementation and you are not finding a random k and reuse the same value more than once, it is possible to calculate the private key from that.
member
Activity: 183
Merit: 25
It's possible, but IMO it won't be easy to find. It's more likely we find exploit within CSPRNG/PRNG or someone put backdoor for k values of ECDSA.


How is it possible to backdoor 'k' value? I thought 'k' is generated from a hash of private key?
legendary
Activity: 1042
Merit: 2805
Bitcoin and C♯ Enthusiast
It depends on which implementation of bitcoin you have in mind when you ask this question.

For example blockchain.com (.info) had a bug in one of their wallets (I believe it was the Android wallets) where they used random.org to generate k values and one day random.org changed their API and people lost money because it revealed their private keys!

bitcoin-core (QT) used to use OpenSSL library which had exploitable bug with its DER encodings which could be exploited and cause a fork, no keys were at risk though. https://lists.linuxfoundation.org/pipermail/bitcoin-dev/2015-July/009697.html

There was another "exploit" in the way mathematics of elliptic curves work where you could replace s in a signature with -s (malleability) which would have changed the hash. Now we enforce low s values only. No keys were at risk here either. https://en.bitcoin.it/wiki/Transaction_malleability#Signature_Malleability
sr. member
Activity: 279
Merit: 435
Is it possible that at least one of them had an exploit in them?
Making all of the transactions/addresses sent during that period vulnerable to attack?
Hi,

To answer the question in the title : since 0.10, bitcoin-core uses its own implementation of secp256k1 : https://github.com/bitcoin/bitcoin/tree/v0.10.0/src/secp256k1 (BIP66). It previously used OpenSSL.
To answer the question in the post :
Is it possible that at least one of them had an exploit in them?
A bug in OpenSSL which could have caused a consensus failure in Bitcoin is what accelerated the move to using libsecp.

Making all of the transactions/addresses sent during that period vulnerable to attack?
How ?
member
Activity: 183
Merit: 25
Is it possible that at least one of them had an exploit in them?
Making all of the transactions/addresses sent during that period vulnerable to attack?
Jump to: