Topic: Why has my newly created Bitcoin address already been used? - page 2. (Read 1359 times)

You're the third person that reported the same issue here so far, there's something really "fishy" on that site.
It's either the code is flawed or there's a number of pre-generated keys that's being monitored by the owner.

On the service https: // bitcoinpaperwall ... on the second attempt, the address 1MfPqSDiraPRBVyYASNkF8oc5Ja1ZkdsZn was "generated". I even made a screenshot for memory.

The case is interesting, that's the reason why I always discouraged newbies to use paper wallet. Because a newbie couldn't determine which is scam or phishing website and they might get scam eventually. We should do good practice always, if you use Electrum original software and verify Signature then you may use it as a paper wallet as well since you are allowed to export private keys. Otherwise I will encourage to buy hardware wallet instead of paper wallet if you can afford small investment. Your fund alt least will be safe. But don't forget to write your seed or private keys on multiple paper and keep them safe on multiple places. Don't save into any online machine.

Be cautious with services generating your addresses, you should look into bitcore.io it's easy to use


Here is how you can install it and run it
https://github.com/bitpay/bitcore#bitcore

Or unless you read the source code to see how the k values were being generated, as I said above.

Provided you are importing your paper wallet to an airgapped computer in the privacy of your own house, and you don't have a camera pointed at you while you are doing it or something equally stupid, what kind of things are you referring to that make a paper wallet more risky than an airgapped wallet?

My described scenario would not necessarily reuse a k value. It could possibly use one of thousands of k values that would appear "random" unless you produced and inspected thousands of transactions that you ultimately did not broadcast.

No. The point of my hypothetical attack is to leak information that is more valuable than a single private key, such as a seed list. Your seed list might be able to calculate many private keys that hold a lot of coin, but each private key only contains a small amount of coin.

In my hypothetical example, there might be 12 combinations in the yyzzzzz portion of the k value that are produced at random, plus one additional message that indicates to an attacker that messages are being "sent", similar to a "ping". Once a single message hidden in the k value is detected, the hacker could look at change addresses for additional hidden messages in the k value.



I was actually referring to a wallet encrypted on a hard drive or computer. A paper wallet encrypted with the passphrase "LoyceV123" has less security than a private key encrypted on a hard drive/computer encrypted with the same passphrase. When you want to spend coin on a paper wallet, you need to load the private key, temporarily onto a computer to sign a transaction, and there are some things that could cause the private key to become compromised. Your private key could become compromised via your computer, and any of these things could happen regardless of if the private key is on a paper wallet or stored on a hard drive. There are additional things that could happen that could cause your private key to become compromised while you are transferring the private key from a paper wallet to your computer, and these things are not possible if your private key was stored on your hard drive.

That's actually a pretty neat feature of that BIP39 tool... Just need to pick a word that uses the same initial entropy as the N bits of entropy leftover (7 for 12 words, 3 for 24 words) and then pad it out to 11 bits, then click "entropy details" and it'll correct it automagically!

So, basically, an offline copy of the BIP39 tool and a coin... and one can randomly generate mnemonics to their hearts content, knowing that they don't need to worry about "bad" RNGs (assuming their coin isn't biased! )

If you are going to use something like Electrum on your airgapped device to import your hand-generated seed phrase to give you an address to send to, then you could skip manually calculating the hash for the checksum altogether and just brute force it, as Electrum will tell you when you are using an invalid checksum. With the first 3 bits of entropy already known, there will only be 256 possible words.

You still need to be sure that the software you are using isn't just spitting out pre-generated addresses regardless of what seed phrase you enter. You could go through the process of performing each operation from seed to address manually, or more simply (as Loyce has said above) you could import your seed phrase in to multiple different wallets (all airgapped of course) and ensure the generated addresses match up.

Yeah, there's no good reason to settle for an invalid checksum. If you input a 24 word phrase in to iancoleman which has an invalid checksum and then click "Show entropy details", it will automatically change the final word to the correct checksum, maintaining the same 3 bits of initial entropy. Doing so will obviously then lead to a different wallet with different addresses, so can only lead to more confusion down the line.

that's true but when someone is going around the conventional methods of creating a mnemonic then the assumption is that they are already using unconventional methods and codes that should take all of this into consideration.

Won't padding out the checksum cause issues down stream when you attempt to restore this in a wallet tho?

It'll complain that it's not a valid BIP39 mnemonic. I know Electrum will let you bypass that and go ahead and use it anyway... but surely for max compatibility you'd want a "valid" mnemonic!

But yes, I was being facetious about manually calculating the SHA256 hash ... the setup you are using has a really good mix of "randomness", security and convenience. I like it.

well you don't have to have a checksum since it is not mandatory. you can just pad the entropy with zeros and then derive the mnemonic from that.
besides the problem is never with checksum and things like that. the problem that makes people want to flip coins is the Random Number Generators, everything else can still be done with a computer after the number was physically generated using a coin or something like that.

Now all you need to do is do your SHA256 hash by hand to generate the checksum and you've got the complete no computer solution to generating a seed mnemonic

It would however blow out your 15-20 minute time frame to probably closer to a day... having to do 64 rounds of SHA256 to get your final hash at a rough speed of 1 round per 15 minutes or so


There are just some things that are better left to computers

To be fair, if an attacker is able to install probes on my power supply or a camera in my house, I've got far bigger problems than the safety of my cold storage.

It's a nice video, but he is only generating a single private key and not an entire seed phrase, which is far more straightforward. Once you've flipped a coin 256 times, all you have to do is convert the result to Base58Check and you've got yourself a private key. You don't need to worry about word lists or checksums as you would if you were generating a seed phrase.

This guys shows in this video how to do it
Very interesting, and if you want to do it it worth checking it out.
https://www.youtube.com/watch?v=ieHoQ4sGuEY

No.
The address is basically the hash of the public key. And the public key is derived from the private key.

Is it by chance possible to change the private key to that address?

Technically, this isn't completely true 

There are quite a few paper about how to exfiltrate data from air-gapped computers.
Those techniques are highly sophisticated and the chances of happening to are close to zero. But some would include:

• AirHopper: Malware to encode data into FM signals transmitted from a screen cable. This signal can be received by any smartphone with an FM receiver
• PowerHammer: Exfiltration via Powerline: With probes on the computer and the power control box, malware on the air-gapped computer can increase/decrease the cpu load by doing useless (but ressource heavy) calculations to transmit data via the power line.
• Another option requires a camers to be installed close to the computer: Using the hard disk led's to transmit data.

Those are not just theories, but they have been proven to work.
There are a few more extremely fascinating (and highly unlikely) attacks which could extract data from such an air-gapped setup.
Quite a few paper have been published which cover exactly that: Exfiltrating data from air-gapped computers. They are quite exciting to read.

It is obvious that no typical crypto holder will face such an attack, altough its interesting to know which techniques exist 

It could also be a problem if you have exposed your master public key to anyone. The combination of knowing a master public key and one of the child private keys allows you to derive all the other child private keys.

Once or twice, but mostly as a learning exercise for myself rather than any genuine concern that the software I am using is using a non-random k value. However, I generally use Electrum as my interface for accessing paper wallets or other cold storage, which has used RFC 6979 for generating k values since version 1.9, so this isn't an attack vector I am particularly concerned about.

That can't be a problem as long as you use the address only once, right?

Whenever I sign a message offline, I use different software to decode the raw transaction and see if it still does what I want. I've never seen a problem there, but it doesn't hurt to be sure.

I've seen the scenario before, and you're right. I've consolidated a paper wallet before, sending the funds back to the same wallet.

Have you ever checked this much before broadcasting a transaction?

I mean, sure, but that is completely irrelevant to what we are discussing here. Paper wallets which are generated via flipping a coin and paper wallets which are generated via third party code/software will be exactly as easy or difficult to spend from as each other, and exactly as secure or not to spend from as each other, depending on how and where you opt to import the seed/private key. Generating entropy by hand decreases your risk from malicious or flawed code generating non-random entropy. It is irrelevant to the spending process.

Perhaps I didn't explain myself clearly. My point wasn't "There is no method by which it could leak information", but rather "There is no method by which it could leak information that I can't detect before I choose to broadcast my transaction". If the wallet attempts to reuse a k value, as in your example, then I could detect that by reviewing the source code and realizing it is not using a deterministic process for generating the k value, or by generating multiple different transactions and comparing the R values. The amount of trust you need to place in an airgapped wallet is much lower than the trust you place in any "live" software or mobile wallet, which could steal all your coins immediately upon you importing your seed phrase.