Bitcoin Forum
May 19, 2022, 07:43:56 PM
 Welcome, Guest. Please login or register.
 News: Latest Bitcoin Core release: 23.0 [Torrent]
 Home Help Search Login Register More
 Show Posts Pages: [1] 2
 1 Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 13, 2015, 03:21:10 AM Quote from: pythonpro1337 on February 07, 2015, 11:02:01 PMThough you possibly qualified it by saying "at least in the context of...", I just thought I'd note that 2 is not necessarily a generator of ℤp× where p is prime. Consider, for example, p = 7.My bad, pythonpro1337 is correct.  However, 2 is a generator of the multiplicative group of integers modulo 7237005577332262213973186563042994240857116359379907606001950938285454250989 (the order of the Curve25519 elliptic curve group), so the rest of my argument holds.ProofFor convenience:N = 7237005577332262213973186563042994240857116359379907606001950938285454250989Note that saying 2 is a generator of ℤN× is the same as saying 2 is primitive root modulo N.Since N is prime, ϕ(N) = N-1If 2 isn't a primitive root then then it's order must divide N-1.Given the prime factorization of N-1 = 276602624281642239937218680557139826668747 * 198211423230930754013084525763697 * 33 * 2 * 2and the fact that:2(N-1)/276602624281642239937218680557139826668747 ≢ 1 (mod N)   2(N-1)/198211423230930754013084525763697 ≢ 1 (mod N)2(N-1)/33 ≢ 1 (mod N)2(N-1)/2 ≢ 1 (mod N)We can conclude that 2 is indeed a primitive root (and thus a generator of ℤN×).
 2 Economy / Services / Re: [BOUNTY] 10 BTC Bounty for improving custom mining software on: February 07, 2015, 01:20:10 AM Thanks!
 3 Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 06, 2015, 02:02:56 AM What Evil hints at is correct.  If you have a generator element b of an additive group of order N, and you know it takes x repeated doubling operations (squaring operations in the context of a multiplicative group) on this element in order to reach q then you have effectively solved [multiplicative group notation]:   q = b2xfor x.What we really want to do is crack the discrete logarithm, which means finding x in the context of:   q = bxSo the question becomes: if we can solve the first equation can we solve the second?  The answer is yes.  The reason is that the exponent of b is itself an element of it's own multiplicative group ℤN× of which 2 is a generator since N is prime (at least in the context of Curve25519 or secp256k1).So if you find x that satisfies:   q = b2xthen you can use your solution to solve the discrete log easy peasy lemon squeezy.:   logb(q) = 2x mod NHaving at this point successfully solved the discrete log, you can happily collect your 30 BTC which will shortly be worthless since the security of bitcoin relies on the discrete logarithm assumption.
 4 Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 04, 2015, 09:45:31 PM Here's my attempt to restate the original problem in a way that is less ambiguous and hopefully reveal more clearly the OP's intent.Challenge: Optimize the 'find' function in the code below so that on average it can be computed for less than 1M USD in EC2 compute cost.Code: (python)# http://en.wikipedia.org/wiki/Curve25519 parametersP = 2 ** 255 - 19A = 486662N = 7237005577332262213973186563042994240857116359379907606001950938285454250989def expmod(b, e, m):    if e == 0: return 1    t = expmod(b, e / 2, m) ** 2 % m    if e & 1: t = (t * b) % m    return tdef inv(x):    return expmod(x, P - 2, P)# doubles a point on a montgomery curve (x-coordinate only representation)# https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#doubling-dbl-1987-m-3def double(x1):    xx1 = x1 * x1 % P    x3 = (xx1 - 1) * (xx1 - 1) % P    z3 = 4 * x1 * (xx1 * A * x1 + 1) % P    return x3 * inv(z3) % Pdef find(target, initial_point=9):    assert 0 < target < P     assert 0 < initial_point < P    x = initial_point    i = 0    while i < N:        if x == target:            return i         x = double(x)        i += 1
 5 Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 04, 2015, 08:42:55 PM Quote from: Supercomputing on February 04, 2015, 08:25:58 PMThe bounty is invalid because the problem description is ambiguous. However, it may be an attempt to solve the ECDLP based on Curve25519 for all instances: http://en.wikipedia.org/wiki/Curve25519My thoughts exactly.Is the organizer willing to offer a consolation prize to anyone who can produce a proof that the original problem is impossible given the Elliptic Curve Discrete Logarithm assumption?
 6 Economy / Services / Re: [BOUNTY] 10 BTC Bounty for improving custom mining software on: February 04, 2015, 07:39:58 PM Quote from: Evil-Knievel on February 04, 2015, 06:29:48 PMEnough to collect the first bounty. Address please.  I see you've already merged my changes.  My address is 14cPUyRS9KqXBuRGV8Eyk4ckxD9EfPaXvo  It would seem that my submission qualifies for the second bounty because the performance of your version checked into github at the time of my submission was closer to 800000 not 4000000.  I've verified this fact by testing with different compilers on different os's and on different platforms.  This fact is further corroborated by statements you made here and here.I'm going to charitably assume that the 4M number you cited earlier was from a dev version you had on your machine but had not yet pushed to github master (and therefore would not qualify as a basis for comparison per the rules of the bounty).
 7 Economy / Services / Re: [BOUNTY] 10 BTC Bounty for improving custom mining software on: February 04, 2015, 06:13:38 PM I wrote a CPU darknxt miner  about 6 months ago that is ~9 times faster than your current one.  Would committing modifications to my code so that it submits shares to your pool, www.bitprobing.com, be sufficient to collect the first two bounties?
 8 Alternate cryptocurrencies / Announcements (Altcoins) / Re: NXT :: descendant of Bitcoin - Updated Information on: February 13, 2014, 01:21:22 PM If the MIT/Johns Hopkins folks can't/won't do your Crypto/Curve25519 audit for the bounty, I would have time later this month to do it (I'm DoctorEvil on Nextcoin.org BTW).  I already reviewed the primary literature on Curve25519/ECKCDSA, examined several implementations of both and am working on a clean room implementation of the relevant algorithms myself just to make sure I understand them 100%.  As a bonus I'd make my extra implementation part of the deliverable.  My implementation wouldn't be meant to replace the existing highly optimized one.  However, since it's aim would be comprehensibility/correctness as opposed to speed, it would make writing ports easier.Given my pseudonymous identity, I can't present credentials other than my online reputation ... so depending on exactly what the community wants out of this audit, there is that to consider.
 9 Alternate cryptocurrencies / Announcements (Altcoins) / Re: NXT :: descendant of Bitcoin - Updated Information on: February 07, 2014, 04:48:16 PM Quote from: Come-from-Beyond on February 07, 2014, 03:59:26 PMCritical bug disclosureFew days ago the guy who found a vulnerability in Blockchain.Info and picked the secret phrase of Nxt genesis account found a security flaw in NRS cryptographic algorithm. ...I can't explain details of the flaw, coz it's out of my area of expertise. U can contact him directly via nextcoin.org forum.I'm the guy.  I just created a thread providing more technical details https://nextcoin.org/index.php/topic,3884.0.html and to answer questions.  I don't really check this forum/thread so posting there is the best way to reach me.
 10 Bitcoin / Development & Technical Discussion / Re: Cold / Brain wallet security question on: October 25, 2013, 04:26:42 AM Quote from: User705 on October 24, 2013, 09:59:25 PMBut if an attacker is unaware of which digit was changed or how many digits changed there is no way to deduce that from seeing the public address.  Is there?  Maybe I should send some BTC to the address to see if someone will crack it.That is true, but he is simply going to try all 1 mutation variations, then 2, ... then 3 ... up to whatever budget he's allocated for the attack.No need to create a bounty ... the corrected version of your private key is:6108F178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C
 11 Bitcoin / Development & Technical Discussion / Re: Cold / Brain wallet security question on: October 24, 2013, 08:47:54 PM If the private key is represented in hex and n characters are mutated then there are 64! * 15 n / (64 - n)! possibilities to search through.The attacker knowing the address (or even the full public key) doesn't tell him anything beyond giving him a way to know if a private key guess is correct or incorrect.Assume a hardcore attacker (one e.g. with a repurposed GPU mining rig) can test 14e9 keys for 1 USD, then here are the attack costs:mutations   possibilities   cost to crack-----------------------------------------1           960             ~02           907e3           ~03           844e6           0.06 USD4           772e9           55.14 USD5           695e12          49652.86 USDAs you can see, changing at least 5 digits in totally random locations makes an attack prohibitively expensive.  However, most humans will make less than totally random choices about which characters to mutate ... e.g. if I were attacking someone who I suspected of using the scheme you described I would assume they would be more likely to mutate successive digits ... especially at  the very beginning or end.  E.g. if I knew for sure only the last 8 digits were mutated it would only cost 0.19 USD to check.
 12 Bitcoin / Bitcoin Discussion / Re: my wallets were stolen just now, can any one help me? on: August 22, 2013, 10:34:19 PM Quote from: watertech666 on August 22, 2013, 01:01:21 PMget answer from Jesse James (blockchain.info) as bellow  https://bitcointalk.org/index.php?topic=277595.newI did a bit more transaction following ... it appears another address implicated with the thief address is 13KLNHPWLtWKTtKtr4fY5pu4Di4aQVLzPf.  This address received a coinad payout on 2013-04-10 07:54:10.Coinad probably has the guy's email address.  Could be a dead end if their policy prevents them from handing this information out, or if they don't validate email addresses of members, or if he gave them a throwaway address.Keep in mind, my evidence linking these two addresses is not 100% ... but it's pretty high.Another possible lead is that the thief seems to think using Satoshi Dice a few times after a heist is an effective laundering technique.  In this transaction he apparently submitted his gambling transaction directly to blockchain.info ... so depending on how much they log, they may have the IP address of the thief.  This could also be a dead end if he's using Tor or some other proxy ... but seeing as he apparently thinks using Satoshi Dice makes tracking stolen coins harder, he probably isn't the brightest hacker in the world.
 13 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 22, 2013, 10:42:32 AM Quote from: watertech666 on August 22, 2013, 09:01:27 AM@Jesse JamesIf there are any possible? I keep 4 backup file in same fold. 2 address lose and 2 address still there. And I use 2 FA. If thief stole backup file. Must 4 address all lose. Am I right?It's hard to speculate.  Assuming this is due to a stolen wallet backup file, it would make sense for the thief to sweep all addresses in the wallet simultaneously.  However, you don't know how many keys were in the wallet when the thief may have had access to it ...  he/she might have waited a long time for funds to accumulate before swooping in.I did some transaction following and it appears your thief is accumulating loot in the address 1HackerRpwYH7F6uGu8422dScNxaHAtWYz ... which currently has 647 BTC.
 14 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 22, 2013, 08:34:26 AM Quote from: watertech666 on August 22, 2013, 03:05:41 AMQuote from: Jesse James on August 20, 2013, 07:17:40 AMAfter reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.Jesse James. I'm so sad. I lose 263.84btc total from 2 difference address in blockchain.info on 29th Aug. 2013. Details Please check  https://bitcointalk.org/index.php?topic=277601.0Can you help me to check it's because of bug?@watertech666: Sorry for your loss.  However, neither of your victimized addresses 1 2 appears on my published list nor in johoe's additions to it so neither of your addresses was specifically effected by the repeated signature nonce issue.  Also, it's clear the thief knows the private key for 1CzAncjXYjtiXNC4CNAw4RoKdQLoi72xn, so you should remove it from your forum signature.  He could steal from either address in the future at any time.Quote from: Aajo on August 21, 2013, 09:55:07 PMHello, my blockchain.info wallet was cleaned in April - back then there was a wave of stolen coins but only a speculation about the reason having to do with the alias and offline copies.can someone check my old address / transactions with the script?https://blockchain.info/address/1N2ctCxet8zjeyQMQngfmkvC2h9qzF3c6kBack then I used to do alot of outgoing transactions with Blockchain on Firefox..@Aajo: Sorry for your loss as well, but your victimized address is not listed either.
 15 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 21, 2013, 03:05:33 AM Quote from: johoe on August 20, 2013, 09:05:38 PMJesse James, you missed a few addresses:16mWzkk6iznyJQ3sKQRYxQ1Zr8xWpGMFWi1B2wqabcETtQxPuacB5whni7GUjDn1oQQX1BH4hyBMH8NoiscwiPngP23fVNN8wpJwrT1HRhPdTXhTDMTM8C9C3Y8FGD1EKszkPGv1K5XZhjCwbLYHwys86FvepaHt6tFiWb35T1LfuyRkm9MrEXTz72hzpPsL46mzHEXfqWj1MmE9r9QTN2GnP1TF7JhZSKPsubuXguJkb1NujNX3cvbikAZMnKtETgSd7kvw7o93MRg1PCrHhXxS8ZotDvgSA5WxpmtC1qNQchrPr1Q4VVTsx6vgYth7iD9WnAgHvAj239PMaoL1rPAkJSXWgnLFEiCzv3APUFLsi8Kzv3pXOnly one of these addresses is very recent.  Maybe my script finds more keys, because I also catch an addresses when the R-value was used only once as long as the same R-value was used on another address twice.Moreover, the two addresses 1Q8eetJs5wRpqR3b5FT9EHe6GD8Bges9Hm and 195Tycz7nVhV7aKw98nq74FdVYtyYyE1K7 are endangered by this transaction:https://blockchain.info/tx/127da3144a02f16e1a5ccb67778a2f5f9924023ce9aa20c1c4d08be576cbb0b9I think it is not exploitable but as soon as one of the private keys is revealed, the other is also revealed.I reran my script to try to catch the special case you mentioned but oddly was only able to confirm a subset of the ones you reported.1BH4hyBMH8NoiscwiPngP23fVNN8wpJwrT1HRhPdTXhTDMTM8C9C3Y8FGD1EKszkPGv1MmE9r9QTN2GnP1TF7JhZSKPsubuXguJkb1NujNX3cvbikAZMnKtETgSd7kvw7o93MRgChecking my logic ... Edit 1: My bad ... I think the discrepancy is caused by my parser ignoring transactions with non-canonical signatures (which stopped being allowed a while ago).  On an unrelated note I also just checked if there was any overlap between the set of signature r-values and the set of public key x coordinates ... ∅ ... if there were any that would have indicated the potential for more RNG issues.
 16 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 21, 2013, 01:39:24 AM Quote from: manic on August 21, 2013, 12:54:07 AMJesse James,While I appreciate your efforts with this,  I think deleting the reply to johoe is more questionable than the way you replied..I don't follow?  My reply simply acknowledged I had overlooked the cases he pointed out.  I deleted it because I thought it prudent to double check his additions first.
 17 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 07:10:24 PM Quote from: flibbr on August 20, 2013, 06:02:34 PMI have a friend with a blockchain info wallet who had 170 btc emptied... how can I determine if this theft is a result of the same thing ? This is the tree of his theft: https://blockchain.info/tree/74475039 Your friend's private key was never exposed due to a signature nonce collision.Here's every address that has been exposed from genesis through block 253081 ... obviously only a few of these are due to blockchain.info:121Zna8Dy9W2qDvsJEH2ALeHQkteXaeGng12CkZeZvwDwiTvFm5H8bABpEqQHXJ6gWc112JDjmk2fGMPRK9GaT98vBFDc3MDHoPV9r12RFNoJK2MSiWfXt3fFG7F4urUpLGnTBxh12WhvZTWMv9XLfyM2g7XFSUgpwzuQUX5Mq12a7gpjZDQBDhVSknfQzL3ygcASNQcocnd12c1XuVdjQwyftTbqnWMT94CYW6vKFknwm12ekVy8duhBMLGd1JhxcgxrTN1fchmVcTo138VcLyoAb5sdjo3cDw7d14fUGLKRwQ9VK13CWujDi4g6DWB9bWDXT3TfRU635NPJdPF13GXRxeyR9UTDQojZYv9NZ1j3VA6Butc9U13LRBbvgCSXsUs4JNmYhzHRo3re8vYVDid13ds2bCrxe68w8WD4R7bWSjGq4uK7XbzWH13fZF8aZcSjpxhukHkyVtHsLnPnVszQaLm13oCG1VNMAGtNp9RcAmUieRf8NayAJ7xj713x6i5itrvR8Rf75xP8PZaPtNTNxZLReLe143CugrdSngLmDaLWoLrWJzb4AU1xLMqoY1494Wwkf8QN4nC3gSYz3qjZVNuVZSHw2zi14FguDL7teNFCctazjUxCxCfZtssycq11h14RJsWTjq9q2a9tNQSdpxbMaViWoXxRbjt14ih1qxbcFmwLm8Hc7qTr3BhzdmWTWRmpC14reTqqg8r4qriHozsYoydugzLjYtpVoMZ154nELZtftuW951oQY7erHnN4L196c98Wp15E8CUjvHDVj8mBzhkNHErXtz4AeEHycpH15GieELLKTruUdzmTDVYP1TsjnzNRDg8Qa15p65cNbtB3bQYf9GB78edRo5Ppux3uaU316He3EDsvTKYRSQGsZeoooTbYAjy9fiLoQ16NCxA48LPKdSr5fACPnrLxgkrFnDJAzLp16SchApeKZEc86CVJCc1vLQ17TEJCRJNef16UkUnbqW8PXRrwgxRdb2UTivbgNnBYqwC16io8zfbhStqe9WVdHN3JLzc29D73okaoy16y2wAieZE9VknMK29J7EAhC8fmRtdLy8p17AHXAodFQ33A4DqFENVHCG59qiaRNbhcq17HHdLh4oXncuTejALwC6fgArVqPUxh2Sr17Lq1nrktyEFV3AVPAbsbDXWuWoUNMhws817Vjk88w6fy5YRVUGD6Aa9w545UA6K4tYZ17gDnz5TU8T16Pgzo93M7Dm1j5HS3UuS2Q17sDdDiW2dNRQvTu2NkwwCbfXNFxVCpbZW18KZdcnGaqaXnHiRPb8rVGCztyA4jJPKtS18mmzMizs5CHtLJwchtPMuiYqVqWjw3rLe18pqzCLA17hdnzxFnf5Cad2feA1RHKtW2P18yDksipyvWEX14KTd4DHvj6ZDcXvNqtpB196SL6bZEvBT8A9z46df54zE3rzZfXzwe819DcmnrhqpLgn8L6Exay1sJiKZPtYUAw1Y19cRkXQfonjdJT9K8TMuDxV1PKLSdHZtPh19qnLpn9it7csR9sEay1XrFyfAmUNoXYk419yCy4mFWJVsdJbgtG79VwHGxQpcx4uhcr1A8TY7dxURcsRtPBs7fP6bDVzAgpgP49621ALsXt19tBxMr29WfM2Zd7EU8HwzooLGHx1AgVauV4U1tt3KbRiehht56NoZeKprLUXe1AnFEpvs8a41T3ZpfPtXBENvkL5oatQ64D1AyTNQRvz6fo7EvebGpKfJB7jJeppxY4yc1B8vhS5umMNKvwQFHJ3Hgres4NJeoe8U7Y1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm1BMzWp77j7x3GKDYNbCP3df7YG3UEw1vVE1BRwmguCycCWSbueTcpn1vSJddMJXEhyjH1BvQyALiTSgKwVYzDL3ANoqmdWaoyRZazS1C3G6y8Cyi7ECDaaDhG34sLzrv1dd7Xo331C8x2hqqgE2b3TZPQcFgas73xYWNh6TK9W1CFVxqxX3i9L9dm6Gw2QKJ2fH18HSJ9H8k1CNHzFKNCkCwYecVUfmahmqDFrn5uuRzsU1CRcBxVoXCqL7cEiq7b7rTYQyMhUrCu5Mf1CozShbCQwFqa3iw2AUE3zn7Pp1f3HR3D1CqEdApNprZzgqUsuyLocXKH5yMdFTnTJQ1CxZGXpNLDmr7eDmgMiGc1n1gAyE6LKBig1DHmu7BvzjpQQxbKEuqTU2zSvZmgZBBrne1DQK1Xb1gKBRXLi4PEegWCZ1giELgBqhq71DWhHeTnoZAFPehoM1W6S37hn7nVjZLrQN1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A1DcNJeexQV2kM78AdMKSzmsQ8DeNMHLTJ11Df8hDiS6RSeu9WDUqUtBpBmBoepzo24pD1Dka5AAYwdZkrPJZHjKmdZkaVATnwYeSqG1E67dSKMyrEoqfAjSsE1SNpeeau4pmyc5j1E9ffsnXjMnZxmJaqCLXWhqWzKqx1sZXP91ECvZ9ojebv5TVWySf2roXRP4XyQb5rNCy1EFET6LSLabV5KR55XqRzzhQ1rBUGTD1SQ1ENrnLCxp9srcWCCE3kQFNqHRGDijespb91EPXZfTX6TD3L7TQdRu2nqMT8mrAAPSTST1EUDdSvFGmZCa5zUXSXFSQD7r2qBZaSWJU1F48AGnDGLBbDr5Uk7DfUhrhe8U14eHKaH1F9tB2p9NWsGEt1TjiGAa3WEEGs9Wc779R1FPSVbypWa7rBWbciKHJ983YWcucBn7aUQ1FPgs8ZaxXUAp61jkd53U7zWj9NQq8yM341FX2xLHNxcT77bxLZXHzet6e8kMSS53uDK1FY4Ny2ZTvDGDHshB1Rpp5Di9x6Q9GVd5a1FYXLjfFJ1qsngiArLsrBVEGRaKkV15FGV1Fcj89eqk1xCe6PqkMpaUuWCaK7MUXeYbZ1FwbYs6UL2fzB9crvhWNCZyr9oqNjEXzcu1FxWoGvwzjWGKk69vFumyoBaUCqzsndVck1G3BjSLWsWH6tbPYs29fYMYaz9k8EStQM1G4TqNcKTRRuQ3brQSv85Fohf3jQiaGAbL1GTFFqbHGp6xwcKVmLkbLqHiauUbKT7jxs1GUqD7UATGzbEBrMjweP5GCTQeU51TsZbj1GYRDPaCm3hrzUcgfT49w7mcvoQu2Y4MmX1GjDS84eNBx6QQoo7dBddvgYArSttxLYdk1GysfXJbf5FREeJetrwuANNZi8pcz4n1v61HWEyVbuyPmXfR9eBnrh4v2Npjnp9UJQCw1HWYEGYNgVc7bc28RCAa8mCJPv9eEnHieR1HXSnvNGK8oYQCyLDkpHNZ2sWPvFsYQcFU1HmJh2b8iS64WgX5snSzKYrNXqbnKkuBvE1J8THH46JdkjiGYLQyPQDHVk4gtftahDUx1JCMAUG9P8X4PHM7rF4ywDFHaAK2FMRrkN1JFMHv7ijwXDQYQrehhSxn6u9bTfkGCmK1JNC3iaxA95NbWrSro5me2BM27wohuucKD1JNMvqdUYP9eDR3mEkxxCne4BYabc93Nwh1JZ5NjZCDrnj84mZnv2fuAmAb7w4v5LiEu1JjcWuJDRNkw3XcMfE7khhRg1UCxU8eKua1JmMcWWy1mFuubbsBRPuVXdjFdtM2ENJXE1JnqZ6Djhncs9YHe74CbkLaXXAbA1phsTU1Js2D8Fj1AWQ2aB7TMtmJ6rn4bYDFtcjgF1K5CgovB1c4vX22MvUq8cfRsuctG86Jmx51KSFgqcm6mc4Aaq6EsR6Awfr65S6RmVeHh1L8DFt7yYA3iZsr6RA3d1mpf4J7TgBsYF1L9a8dXMgq2xWV1zaDUGje2FAbzCG18QQh1LKu5b7jUoM7MJzeuTCmvDWsJrBgBhcvhb1LnBTt9TYRMt4aABcDYSoaMQ9jV8Qgajkx1Lr9tUFz4mypFzc3PYitgGU1dTg21ubM9p1LspNcTjkzFQRrsr4iGGxD5RSKehB5fHnA1M5edBFjjFJhQhgSuCUQnX3uytcskgnqQB1Mjwi2LnE6oz3p8dNFXWgMpAPBs6ZpPPA21N2aQiQ5LjNQ3C3cKCmHHnnq65RH3zRD9B1NCRgUAgJnzBGcLNX7iQD1d9Cn9ZyKF2PC1NEb41nDgxWwVzhHSsk4obURJ13KauJRsF1NRtYCGVo2vR7WmYVussK6sVva2wZsYTep1NSLj5xdCyRmMYVtM7bwZxZarYLm6EGZJf1NSnZPRR32mrfAADxNJcPRP647gseqEMyj1NuSEboWF7YJ3bozo5H1JDpH5yc7zyHZm81NvfCyqRh6cuh8dCQDJmboriifg1eaYDnV1PUv3XNWWCDmEK6o9VerPK81qVfo4Wtvv21PWTFonhiXCdTZ4Nd2J726rqWnNsTVeVMY1PXU5aD3fzgAm2E56o2VSaHpVe4bhe3d2m1Pbt1LGM2JNgMjtnEscEmntsSrcYofeaoa1Pde4CbEitkdPiwwKvd6s3znWw7EXZMYjD1Pq6Ygv3kdMVX2TdNhUSPadxaShiGJUAoS1YWwSaXTESKgDpitb6Rp8bteXzUR6hjDg1ZBRXLZEzSukVDEDDJjtHYmrpkEGH94nS1kJwZbv3dhUowPyRHcxJMknoJpPYfwaGf1kMEr9W4YeAnzFcuSWwj3ShYGANdLHSxG1szVke6ThJtfdUTi6Y5AAMDMePM4Ha8vK1yiQRuB3KRxZTrSHBNZK9NdjbyJskHiVs
 18 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 07:03:53 PM Quote from: kyledrake on August 20, 2013, 06:46:21 PMI wanted to ask you what your thoughts were on my skipping Arcfour (RC4) for window.crypto.getRandomValues. The blockchain.info implementation appears to still use the RC4 code (it uses window.crypto.getRandomValues for the seeding of RC4), but I didn't see why it was necessary here if I can just always get a nice random number from the newer browsers. Is this what you meant by mainlining?Yep,  that's what I meant.
 19 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 06:11:39 PM Quote from: kyledrake on August 20, 2013, 04:37:17 PMWas this an issue related to a problem with window.crypto.getRandomValues when webworkers are used? If so, please inform so that I can make Firefox aware of the problem.window.crypto.getRandomValues is not available in webworkers because the window object doesn't exist in webworkers (by design).Quote from: kyledrake on August 20, 2013, 04:37:17 PMI am working on Coinpunk, which is (like blockchain.info) using bitcoinjs-lib as a sort-of ancestor of the current code base. After the Android vulnerability was disclosed, I started looking at the existing RNG code and I was not impressed: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/jsbn/rng.jsYou can see where the RNG gets fed in here: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js#L237I wanted to split the RNG code out into something that would use the best-available approach for its platform, so I put this together, which is the current development version, and has tests you can run in the browser: https://github.com/kyledrake/randjs.I would really appreciate an audit and feedback on this code, as I intend to eventually use this in production. My e-mail is kyledrake@gmail.com if you want to IM/email me directly. Thanks!IMHO, it's worth looking at puik's modifications to bitcoinjs-lib that he's maintaining in his branch ... he's made fixes to the RNG in particular.Honestly, if I were doing JS crypto my approach would be to just mainline randomness directly from window.crypto.getRandomValues and bail if it's not available.  If you need randomness from the context of a webworker, you have no choice but to message pass it into the worker from the foreground.I don't have time at the moment to do a comprehensive audit, sorry    ... but javascript honestly isn't really my bag baby so I'm not sure I would be the best person to look at it.
 20 Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 10:16:12 AM Quote from: VTC on August 20, 2013, 09:47:31 AMQuote from: Jesse James on August 20, 2013, 07:17:40 AMAfter reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.Do you advise to meanwhile sweep funds to a fresh new address with blockchain wallet?  Is the blockchain wallet safe to make transactions with manual key rotation?If you are feeling careful, IMHO it would be wise to move to a non-javascript wallet for the time being ... and when you move, do it with a single transaction ... that way even if your signature(s) expose the private key you're moving from, they'll be nothing there left to spend.
 Pages: [1] 2