Bitcoin Forum

My script that I still occasionally run has detected repeated nonces (r-value) in signatures again.  Looks like a bad random number generator; the repetitions usually happen some days apart.  The problem seems already to be fixed but the addresses that were compromised are still used.

There were at least 135 keys involved of which at least 82 are compromised now.  Most keys are related to 1BTrViTDX... (in the sense that they are inputs in the same transaction).

I setup a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

But don't use the addresses again.  There will probably be other persons setting up bots soon...

EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

So far I have collected about 7 BTC.

EDIT2: Fixed the number of addresses.  I accidently counted five unrelated addresses.  Here is a complete list (addresses marked with + can be cracked):
http://johoe.mooo.com/bitcoin/2016-03-compromised.txt

The mentioned signature can be used in wallets typically hardware wallets Only?

Please also give us the link to generate new Signature with repeated nonces.

The last time this happened was the Blockchain.info December 2014 incident.  You can read it up here

  https://bitcointalk.org/index.php?topic=581411.0

AFAIK all hardware wallets use deterministic signatures by now, so I don't think it is a hardware wallet.  The wallet is reusing random nonces to generate the signatures.  It could be a bad random number generator or someone cloned the random state (e.g. by cloning a virtual machine or forking processes) or maybe even another openssl problem.  I guess a cloned virtual machine is most likely from the pattern I observe.  It wouldn't have happened if they had used deterministic signatures.

https://blockchain.info/tx/fc9c8c56ce09b48f1e593a0df3f9a03f8dc33ba2027621e047fc5fc4f86f93f6
https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7
https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879eb

All three transactions use r = 538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951

Please tell me this wouldn't affect paper wallets generated with bitaddress.org.

Only, if you spend the paper wallet with a broken client.  But if you don't reuse paper wallets after emptying them, you are not affected by this problem.

Great job johoe, i admire your honesty Sir.  What in your estimation is the source of this problem?

After looking at some of the tx going into and out of one of the compromised addresses,
it seems to me (but of course in Bitcoin we can never really know), the address's connections
may have some associations with a few different darknet markets.

So, if the above is true, I assume we will never hear from the true owner of the compromised addresses
and learn what was the wallet used and the cause of this reuse issue.

My guess is a cloned virtual machine state. 

Observation: The reuse happened several days apart and then the nonces are repeated in roughly the same order.  This happened three times.  Then another completely different set of 10 nonces were repeated again after a few days. 

Possible Explanation: The nonces are generated by a random number generator whose state is stored in a virtual machine image.  After a few days the machine was restored to an earlier snapshot and restarted.  Then again after a few days the machine was restored to this state. 

I would have thought that among all the other noise that an RNG should be using to seed itself, one of those inputs would be tied to the date and time? So that even if you had cloned a VM, and started it a few days late, it would have new seed data to generate randoms from than the original before it was cloned?

Don't reuse paper wallets after emptying them, and don't reuse paper wallets before emptying them

So how much BTC have you so far "swept"?

I have a paper wallet from bitcoinpaperwallet.com, created a few years ago and use mycelium to spend a little from it every so often. The change always goes back to the address should I move all those funds to a new wallet and not spend from paper wallets like that?

I updated the first post, so far 7 BTC.


It's better to empty the paper wallet at once into Mycelium and never use it again.  If that contains too much, create several paper wallets with smaller amounts.
Mycelium is not affected by this bug (I think they use deterministic signatures).

I have a few questions here...

1. If I use an address for receive only over a long time and never spend, can that be affected by this ?

2. Blockchain.info has recently introduced HD wallets. Are they safe now ?

3. Are multisig addresses (starting with 3) unaffected by this ?

4. If https://coinb.in (https://github.com/OutCast3k/coinbin/) is run from local machine to spend from addresses generated by https://www.bitaddress.org (https://github.com/pointbiz/bitaddress.org) running at local machine, will that be safe ?

Hey, OP once again thank you for your honesty. I doubt if these funds will be claimed if they connected to the Darkweb. A typical reason to setup a virtual machine is to evade

tracking and eliminating footprints. {Starting from a clean image} If this is in any way linked to illegal activities, please report it to the authorities. We do not need any bad

publicity. Good work, I hope you will run your script more regularly to expose these compromised signatures.  ;)

You won't be affected if you NEVER spend, of course


yes

EDIT: yes, they are affected

1. If you empty the wallet with a single transaction there is only a very tiny chance that you are affected.  For this the client must be really buggy selecting the same nonce twice in this transaction, and someone (amaclin  ;D) needs to have his bot running that tries to immediately double spend your transaction after seeing it.  I have seen such a double-spend attempt once but it didn't succeed; although if it had succeeded, I wouldn't have seen it.

2. Probably no bitcoin client is completely safe.  With regards to this problem, they are safe since they use deterministic signatures (January 2015).

3. No.  My script also scans for multisig (at least I intended to do that).  But I haven't found a reused nonce in a multisig so far.

4. They claim to use deterministic signatures.  If that is correct, they are safe.

Hello
i have 1 question.
Suppose i use two electrum wallets on two different machines one offline and one online.If i use offline machine to just sign transactions via electrum and then transfer the signed transaction to the online electr wallet on another PC for broadcasting.Am i safe?
Do i risk getting my bitcoins stolen?Can my private keys leak? and if so how's that possible?

If the wallet on the online machine is watch only, if you are not using a virtual machine and electrum the keys will not leak. There is always the risk that someone will break in and take the offline machine. A virus will most likely not reach the offline machine.

No as i said i am not using a virtual machine.
I am using a completely different PC that's running linux and my online watch online wallet is on different PC running windows so would i be at risk of this attack mentioned by the OP in this thread?  or any other attack?

Can anyone describe exactly how a cloned VM might cause problems? I was thinking of isolating some dubious altcoin wallets in cloned VMs.

The fact that you are signing on a offline wallet/computer, and then pushing that sighed tx on
an online wallet/computer is irrelevant to the issue johoe is addressing.
What you have done with your setup is attempt to prevent your offline wallet/computer from being
compromised from malware and other malicious programs. Your setup it best for cold storage and etc.

Very simply, the r-value issue talked about in this thread is related to when, in the tx signing process,
there is a fundamental error within the wallet's code (usually random number generators not being random),
which causes the potential of patterns to be seen when looking at all of that address's output txs.
A hacker or etc can potentially backwards engineer the private key for that address, thus stealing the btc.

As a rule to prevent this:
(1) use a wallet program that is known to be reliable, tested, and etc.
(2) never send more than 30 txs out of a specific address, since a pattern could develop over time.
(2) always, as habit, try to always use a new address after each tx (changes addresses, etc).

The above "rules" are steps to help prevent this from happening.

But i am using 1 address from years having transactions more then 100 on the same address.
It's blockchain.info anddress.I never faced such issue that someone steals my bitcoin by backtracking the private key.Anyways,if I use electrum the RNG of electrum is reliable?

The r issue from to multiple output txs (30 or more) is related to how many txs you sent out
 from your address, not coming into it. As the number of txs (above 30) that leave your wallet increase,
potentially it is easier for someone to find a pattern, and ultimately figure out your private key.

This is a known issue with address reuse and that is why it is advised to use a new address after each tx.

I do not personally know Electrum and its RNG, but it is widely used and respected.
Others could chime in on this, but I believe it will be fine for you.

And do yourself a favor and get a new address.

Okay, others have setup their bots.  Looks like amaclin's bot is the best (he likes 1aa addresses):

https://blockchain.info/tx/a4bd89209d53585ed0b5ef8980873c7b112358dca7bbb008acb711573ccdc782

Electrum uses deterministic signature (RFC 6979) since version 1.9.  So it is not affected.

Ok but how to know if any particular transaction is safe? i mean how to know on blockchain if particular transaction can be used to find its private key? If the two inputs in tx are slightly equal at the start and end does that mean they have identical r value?
And if i use paper wallet that has one address and only receive bitcoins and never send then it's safe right to reuse that address for receiving purposes?

Because the software that produced it is known to produce safe r values because of the way that it generates those values.

Not slightly equal, but the r values in the signature have be exactly equal. If you look on a block explorer and look at the inputs, the first several bytes (probably 30 something bytes, which is 60 something characters) have to be exactly equal for the r values to be equal (because those bytes are the r values)

yes.

Why speculate when you can ask this question directly?

 ;D

HAHAHAHAHAHA

Why the hell someone don't explain in details how to avoid such problems?
Can't i even spend in small amounts using my cold storage wallet? >:(
It's my wallet i do whatever i want with it . It's upto me if i want to use a single address or multiple addresses . What's the problem with a single address? I use a single address for sending and receiving funds.How can my wallet be hacked? It's been 7 years since bitcoin developed and still problems like this occurs now and then? why? and people like OP just setup bots to steal people's bitcoin :/
Tell me anyone i want to use electrum and only 1 address.Can the OP hack my address and private key?

Why someone should do it for you?
OK. To avoid such problems do not use bitcoins. Point.
This is free advice. Wanna more? Ready to pay?

This is what you do. Don't use wallets that no one has ever heard of. Use the wallets listed here https://bitcoin.org/en/choose-your-wallet and you will be safe because to get listed there, those wallets had to meet very specific criteria which includes safety against this attack. That is all you need to do.

Lol i won't pay you a shit? You think you are smart because you have knowledge lol.
You can't hack my account if you do consider yourself a hacker :/

Please Just tell me if electrum is safe? If i just use 2 electrum wallets one for signing transactions on offline PC and one for broadcasting it on online PC and i will only use 1 address not multiple address.Will i be safe in this case?No one can access my private key unless it gets stolen.Right?

miser pays twice
stupid pays always

Yes that is safe.

I am still looking for some technical explanation regarding this.
1.If Deterministic wallets solves this bad RNG r value problems then how's its happening again?
2.Can this same r value be generated twice by deterministic or HD wallets?

Now MOST IMPORTANT Question
3.Say i send a tx worth 2 Bitcoins from my wallet and it's get confirmed.Now how can i be sure that this tx does not repeated R value that can later leak my private key or not?
4.Now even if someone recovers the private key from the address i send 2 bitcoins from then only the address that send 2 bitcoins is affected right? not the one which recieved the 2 BTC right?

P.S I am newbee in technical understanding of bitcoins.So i would like to someone please explain me and give the answers to my questions if you got time :)

"Deterministic signatures" (RFC 6979) solve it (HD wallet is orthogonal; you can have both, only one of them, or none).  However, not every wallet uses rfc 6979 (but most do).

I assume you mean deterministic signatures.  In theory, yes.  In practice, no. 
If you created a few quadrillion yottabytes (is there an SI-prefix for this?) of transactions you should start worrying about that  ;D


Only the address sending is affected.  If another address uses the same r value again it is also affected even it uses this r value only once.  The receiving address is safe. 

However, for HD wallet if one of the keys is broken and the xpub key is leaked, then all keys are broken.  HD wallets used with repeated r values are also breakable (if the xpub key is leaked) even if every address is used only once.  So use deterministic signatures!  From both security and privacy standpoint a HD wallet with a leaked xpub key has the same properties as a single address that is reused.

As others pointed out  ;D I don't have to speculate.  It is easy to link the address to your forum posts.

The speculation was more, whether the bot is really the best; I think the second transaction today settles this question  :D.  BTW the double spends are not from my bot, there are one or two other bots trying to sweep the wallets.

In fact I tried to write a better bot a year ago, but even when I connected to hundreds of nodes and the relay network I would only win about 1 out of 40 races.

Please answer my 3rd question
3.Say i send a tx worth 2 Bitcoins from my wallet and it's get confirmed.Now how can i be sure that this tx does not repeated R value that can later leak my private key or not?
i mean say i send 3 tx from 1 address now how do i manually check if they have same r value or not for security?

To manually check the r values, find the input script of a transaction and then look at the signatures. This site: https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1?answertab=votes#tab-top gives a break down of the bytes in the signature so you can use that to find where the r value is and compare that to the r value of another signature. In order for the r's to be the same, they need to actually be identical, not just similar.

Yes, or the step-by-step instruction:  Look up your transaction on blockchain.info (click on the transaction id to see a single transaction), click on "show scripts & coinbase" (if not already enabled), scroll down, look for a huge number with 130+hexdigits starting with 304 and ending with 01.  Write down the part between the first 0220 (or 0221 or 021f) and the next 0220 (or 021f).  This is the r value.  Do this for all your transactions and check if the same value occurs twice.  (There is a small chance that r contains 0220 by accident; it should be 62-66 digits long).

You can also look at http://johoe.mooo.com/bitcoin/endangered.txt  It is not always up to date and it contains a few false positives, though.  And I omitted the addresses used only with r = 00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63.

sorry if i missed it while reading through the thread -- are there any known wallets with this vulnerability? i saw that electrum uses the correct type of signature....others? thanks in advance.

I do not want to give advices how to win in race. :)
Last time i did it https://bitcointalk.org/index.php?topic=1175321.440 i lost some btc :)

No, otherwise it would occur more often.  Most use rfc 6979 now, bitcoind/bitcoin-qt could be an exception.

I wonder if I hadn't started this thread, how long my bot would have been the only one.

You cannot always win: https://blockchain.info/tx/877d3b07be05fa13782881711f87e04291fec104c92935eb9d69c9b5b4a23a8e
(Not my transaction either)

Amazon free VPS server does not have a lot of memory and fast CPU :(
And I do not have a possibility to spend funds to a more robust one.
There are at least 5-10 bots running 24/7/365 and monitoring compromised addresses. Only one is mine.

Ok
This https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7
and
https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879eb
as same R value
r=538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951
Now S1 (from first tx)=538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951

S2 (from second tx)=1bbcbd5d556d056c822a1ccb080d66d8144b4cb49a3bbf5c8e24a822248edf32

I visisted this link http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
But i do not understand how he calculated z1 and z2. Care to explain plz?

This is very easy question.
Follow the steps 1..14 in this beautiful instruction
http://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx
and you will receive z on step 14

They make it too easy these days.  I remember how long I stared on https://en.bitcoin.it/wiki/OP_CHECKSIG until I grasped how this works.

Is there any script where i just input any particular address and that script analyze all the tx in that address for the r-value vulnerability?
This will really help a lot instead of checking each tx seperately.
I found this https://bitcointalk.org/index.php?topic=977070.0
but this script is only usefull if the address has less then 50 tx. Any easy solution?

Yes, there is. But you do not want to pay for it, do you?  ;D

How much?

BTW, the easiest way to see, if you reused an r value for an address is to send some small amount of bitcoins to it.  If it is not immediately moved to another address, you are fine.  :D

Lol i wanted to check if my cold storage storage addeess is fine that i often use to send bitcoins from but it has more then 150 tx so it's pain to check all tx manually and the script i mentioned earlier here only allows to check address upto 50 tx

Immediately I apologize for raising such an old topic, but I have not found any discussion at this address anywhere else.
I'm wondering what's the problem with the 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b address? He doesn't have a double R. And also he has the balance in place. What is the problem there?