Bitcoin Forum
1  Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 13, 2015, 03:21:10 AM
Though you possibly qualified it by saying "at least in the context of...", I just thought I'd note that 2 is not necessarily a generator of ℤp where p is prime. Consider, for example, p = 7.

My bad, pythonpro1337 is correct.  However, 2 is a generator of the multiplicative group of integers modulo 7237005577332262213973186563042994240857116359379907606001950938285454250989 (the order of the Curve25519 elliptic curve group), so the rest of my argument holds.

Proof

For convenience:

N = 7237005577332262213973186563042994240857116359379907606001950938285454250989

Note that saying 2 is a generator of ℤN is the same as saying 2 is a primitive root modulo N.

Since N is prime, ϕ(N) = N-1

If 2 isn't a primitive root then its order must divide N-1.

Given the prime factorization of N-1 = 276602624281642239937218680557139826668747 * 198211423230930754013084525763697 * 33 * 2 * 2

and the fact that:

2^((N-1)/276602624281642239937218680557139826668747) ≢ 1 (mod N)
2^((N-1)/198211423230930754013084525763697) ≢ 1 (mod N)
2^((N-1)/33) ≢ 1 (mod N)
2^((N-1)/2) ≢ 1 (mod N)

We can conclude that 2 is indeed a primitive root (and thus a generator of ℤN).
2  Economy / Services / Re: [BOUNTY] 10 BTC Bounty for improving custom mining software on: February 07, 2015, 01:20:10 AM
Thanks!
3  Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 06, 2015, 02:02:56 AM
What Evil hints at is correct.  

If you have a generator element b of an additive group of order N, and you know it takes x repeated doubling operations (squaring operations in the context of a multiplicative group) on this element in order to reach q then you have effectively solved [multiplicative group notation]:

   q = b^(2^x)

for x.

What we really want to do is crack the discrete logarithm, which means finding x in the context of:

   q = b^x

So the question becomes: if we can solve the first equation can we solve the second?  The answer is yes.  The reason is that the exponent of b is itself an element of its own multiplicative group ℤN of which 2 is a generator since N is prime (at least in the context of Curve25519 or secp256k1).

So if you find x that satisfies:

   q = b^(2^x)

then you can use your solution to solve the discrete log easy peasy lemon squeezy:

   log_b(q) = 2^x mod N

Having at this point successfully solved the discrete log, you can happily collect your 30 BTC which will shortly be worthless since the security of bitcoin relies on the discrete logarithm assumption.
4  Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 04, 2015, 09:45:31 PM
Here's my attempt to restate the original problem in a way that is less ambiguous and hopefully reveal more clearly the OP's intent.

Challenge: Optimize the 'find' function in the code below so that on average it can be computed for less than 1M USD in EC2 compute cost.

Code: (python)
# http://en.wikipedia.org/wiki/Curve25519 parameters
P = 2 ** 255 - 19
A = 486662
N = 7237005577332262213973186563042994240857116359379907606001950938285454250989

def expmod(b, e, m):
    # square-and-multiply modular exponentiation (equivalent to pow(b, e, m))
    if e == 0: return 1
    t = expmod(b, e // 2, m) ** 2 % m   # integer division: e / 2 is a float in Python 3
    if e & 1: t = (t * b) % m
    return t

def inv(x):
    # modular inverse via Fermat's little theorem (P is prime)
    return expmod(x, P - 2, P)

# doubles a point on a montgomery curve (x-coordinate only representation)
# https://www.hyperelliptic.org/EFD/g1p/auto-montgom-xz.html#doubling-dbl-1987-m-3
def double(x1):
    xx1 = x1 * x1 % P
    x3 = (xx1 - 1) * (xx1 - 1) % P
    z3 = 4 * x1 * (xx1 + A * x1 + 1) % P   # Z3 = 4*X1*Z1*(X1^2 + A*X1*Z1 + Z1^2) with Z1 = 1
    return x3 * inv(z3) % P

def find(target, initial_point=9):
    assert 0 < target < P
    assert 0 < initial_point < P
    x = initial_point
    i = 0
    while i < N:
        if x == target:
            return i
        x = double(x)
        i += 1
    return None   # target never reached by repeated doubling
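
An added check on the restatement above (my example, not code from the original post): the x-only Montgomery doubling used by `find` is compared against the textbook affine doubling formula for y^2 = x^3 + A*x^2 + x over GF(P), starting from the base point x = 9. `double_xz` reproduces the post's `double` (with the Z3 term written as X1^2 + A*X1 + 1); `sqrt_mod_p`, `double_affine`, `formulas_agree` and `chain_agrees` are names chosen here.

```python
# Added example, not code from the original post: cross-checks the x-only
# Montgomery doubling from the bounty restatement against affine doubling.
P = 2 ** 255 - 19
A = 486662

def inv(x):
    """Modular inverse mod P (P is prime)."""
    return pow(x, P - 2, P)

def sqrt_mod_p(a):
    """Square root of a modulo P, using the P ≡ 5 (mod 8) shortcut; None if a is a non-residue."""
    a %= P
    v = pow(a, (P + 3) // 8, P)
    if v * v % P == a:
        return v
    if v * v % P == (-a) % P:
        return v * pow(2, (P - 1) // 4, P) % P   # multiply by a square root of -1
    return None

def double_xz(x1):
    """x-only doubling (EFD dbl-1987-m-3 with Z1 = 1), as in the post's double()."""
    xx1 = x1 * x1 % P
    x3 = (xx1 - 1) * (xx1 - 1) % P
    z3 = 4 * x1 * (xx1 + A * x1 + 1) % P
    return x3 * inv(z3) % P

def double_affine(x1, y1):
    """Affine doubling on a Montgomery curve with B = 1:
    lambda = (3x^2 + 2Ax + 1) / (2y), x3 = lambda^2 - A - 2x, y3 = lambda(x1 - x3) - y1."""
    lam = (3 * x1 * x1 + 2 * A * x1 + 1) * inv(2 * y1) % P
    x3 = (lam * lam - A - 2 * x1) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return x3, y3

def lift_x(x1):
    """A y-coordinate for x1, or None if x1 is not on the curve."""
    return sqrt_mod_p((pow(x1, 3, P) + A * x1 * x1 + x1) % P)

def formulas_agree(x1):
    """True if both doubling formulas give the same x-coordinate of 2*(x1, y1)."""
    y1 = lift_x(x1)
    if y1 is None:
        return None
    return double_xz(x1) == double_affine(x1, y1)[0]

def chain_agrees(x1, steps):
    """Same comparison after `steps` successive doublings (2^steps * point)."""
    y1 = lift_x(x1)
    if y1 is None:
        return None
    x_only, (xa, ya) = x1, (x1, y1)
    for _ in range(steps):
        x_only = double_xz(x_only)
        xa, ya = double_affine(xa, ya)
    return x_only == xa

if __name__ == "__main__":
    print("single doubling of the base point agrees:", formulas_agree(9))
    print("ten successive doublings agree:", chain_agrees(9, 10))
```

Running the block with the post's original `z3 = 4 * x1 * (xx1 * A * x1 + 1)` makes both comparisons fail, which is how the typo in that term shows up.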

5  Economy / Services / Re: [30 BTC Bounty] - Find a mathematical / algorithmical formula on: February 04, 2015, 08:42:55 PM
The bounty is invalid because the problem description is ambiguous. However, it may be an attempt to solve the ECDLP based on Curve25519 for all instances:
http://en.wikipedia.org/wiki/Curve25519

My thoughts exactly.

Is the organizer willing to offer a consolation prize to anyone who can produce a proof that the original problem is impossible given the Elliptic Curve Discrete Logarithm assumption?
6  Economy / Services / Re: [BOUNTY] 10 BTC Bounty for improving custom mining software on: February 04, 2015, 07:39:58 PM
Enough to collect the first bounty. Address please.

I see you've already merged my changes.  My address is 14cPUyRS9KqXBuRGV8Eyk4ckxD9EfPaXvo 

It would seem that my submission qualifies for the second bounty because the performance of your version checked into github at the time of my submission was closer to 800000 not 4000000.  I've verified this fact by testing with different compilers on different os's and on different platforms.  This fact is further corroborated by statements you made here and here.

I'm going to charitably assume that the 4M number you cited earlier was from a dev version you had on your machine but had not yet pushed to github master (and therefore would not qualify as a basis for comparison per the rules of the bounty).
7  Economy / Services / Re: [BOUNTY] 10 BTC Bounty for improving custom mining software on: February 04, 2015, 06:13:38 PM
I wrote a CPU darknxt miner about 6 months ago that is ~9 times faster than your current one.

Would committing modifications to my code so that it submits shares to your pool, www.bitprobing.com, be sufficient to collect the first two bounties?
8  Alternate cryptocurrencies / Announcements (Altcoins) / Re: NXT :: descendant of Bitcoin - Updated Information on: February 13, 2014, 01:21:22 PM
If the MIT/Johns Hopkins folks can't/won't do your Crypto/Curve25519 audit for the bounty, I would have time later this month to do it (I'm DoctorEvil on Nextcoin.org BTW).  

I already reviewed the primary literature on Curve25519/ECKCDSA, examined several implementations of both and am working on a clean room implementation of the relevant algorithms myself just to make sure I understand them 100%.  As a bonus I'd make my extra implementation part of the deliverable.  My implementation wouldn't be meant to replace the existing highly optimized one.  However, since its aim would be comprehensibility/correctness as opposed to speed, it would make writing ports easier.

Given my pseudonymous identity, I can't present credentials other than my online reputation ... so depending on exactly what the community wants out of this audit, there is that to consider.
9  Alternate cryptocurrencies / Announcements (Altcoins) / Re: NXT :: descendant of Bitcoin - Updated Information on: February 07, 2014, 04:48:16 PM
Critical bug disclosure

Few days ago the guy who found a vulnerability in Blockchain.Info and picked the secret phrase of Nxt genesis account found a security flaw in NRS cryptographic algorithm.

...

I can't explain details of the flaw, coz it's out of my area of expertise. U can contact him directly via nextcoin.org forum.

I'm the guy.  I just created a thread providing more technical details https://nextcoin.org/index.php/topic,3884.0.html and to answer questions.  I don't really check this forum/thread so posting there is the best way to reach me.
10  Bitcoin / Development & Technical Discussion / Re: Cold / Brain wallet security question on: October 25, 2013, 04:26:42 AM
But if an attacker is unaware of which digit was changed or how many digits changed there is no way to deduce that from seeing the public address.  Is there?  Maybe I should send some BTC to the address to see if someone will crack it.

That is true, but he is simply going to try all 1-mutation variations, then 2, ... then 3 ... up to whatever budget he's allocated for the attack.

No need to create a bounty ... the corrected version of your private key is:

6108F178B39FF904C9F408741935554E042BDE257DB7F5621555175BACAC2A9C


11  Bitcoin / Development & Technical Discussion / Re: Cold / Brain wallet security question on: October 24, 2013, 08:47:54 PM
If the private key is represented in hex and n characters are mutated then there are 64! * 15^n / (64 - n)! possibilities to search through.

The attacker knowing the address (or even the full public key) doesn't tell him anything beyond giving him a way to know if a private key guess is correct or incorrect.

Assume a hardcore attacker (one e.g. with a repurposed GPU mining rig) can test 14e9 keys for 1 USD, then here are the attack costs:

mutations   possibilities   cost to crack
-----------------------------------------
1           960             ~0
2           907e3           ~0
3           844e6           0.06 USD
4           772e9           55.14 USD
5           695e12          49652.86 USD


As you can see, changing at least 5 digits in totally random locations makes an attack prohibitively expensive.  However, most humans will make less than totally random choices about which characters to mutate ... e.g. if I were attacking someone who I suspected of using the scheme you described I would assume they would be more likely to mutate successive digits ... especially at the very beginning or end.  E.g. if I knew for sure only the last 8 digits were mutated it would only cost 0.19 USD to check.
12  Bitcoin / Bitcoin Discussion / Re: my wallets were stolen just now, can any one help me? on: August 22, 2013, 10:34:19 PM
get answer from Jesse James (blockchain.info) as bellow  https://bitcointalk.org/index.php?topic=277595.new

I did a bit more transaction following ... it appears another address implicated with the thief address is 13KLNHPWLtWKTtKtr4fY5pu4Di4aQVLzPf.  This address received a coinad payout on 2013-04-10 07:54:10.

Coinad probably has the guy's email address.  Could be a dead end if their policy prevents them from handing this information out, or if they don't validate email addresses of members, or if he gave them a throwaway address.

Keep in mind, my evidence linking these two addresses is not 100% ... but it's pretty high.

Another possible lead is that the thief seems to think using Satoshi Dice a few times after a heist is an effective laundering technique.  In this transaction he apparently submitted his gambling transaction directly to blockchain.info ... so depending on how much they log, they may have the IP address of the thief.  This could also be a dead end if he's using Tor or some other proxy ... but seeing as he apparently thinks using Satoshi Dice makes tracking stolen coins harder, he probably isn't the brightest hacker in the world.
13  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 22, 2013, 10:42:32 AM
@Jesse James
If there are any possible? I keep 4 backup file in same fold. 2 address lose and 2 address still there. And I use 2 FA. If thief stole backup file. Must 4 address all lose. Am I right?

It's hard to speculate.  Assuming this is due to a stolen wallet backup file, it would make sense for the thief to sweep all addresses in the wallet simultaneously.  However, you don't know how many keys were in the wallet when the thief may have had access to it ...  he/she might have waited a long time for funds to accumulate before swooping in.

I did some transaction following and it appears your thief is accumulating loot in the address 1HackerRpwYH7F6uGu8422dScNxaHAtWYz ... which currently has 647 BTC. 
14  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 22, 2013, 08:34:26 AM
After reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.
Jesse James. I'm so sad. I lose 263.84btc total from 2 difference address in blockchain.info on 29th Aug. 2013. Details Please check  https://bitcointalk.org/index.php?topic=277601.0

Can you help me to check it's because of bug?

@watertech666: Sorry for your loss.  However, neither of your victimized addresses 1 2 appears on my published list nor in johoe's additions to it so neither of your addresses was specifically affected by the repeated signature nonce issue.

Also, it's clear the thief knows the private key for 1CzAncjXYjtiXNC4CNAw4RoKdQLoi72xn, so you should remove it from your forum signature.  He could steal from either address in the future at any time.

Hello, my blockchain.info wallet was cleaned in April - back then there was a wave of stolen coins but only a speculation about the reason having to do with the alias and offline copies.

can someone check my old address / transactions with the script?
https://blockchain.info/address/1N2ctCxet8zjeyQMQngfmkvC2h9qzF3c6k

Back then I used to do a lot of outgoing transactions with Blockchain on Firefox..

@Aajo: Sorry for your loss as well, but your victimized address is not listed either.
15  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 21, 2013, 03:05:33 AM
Jesse James, you missed a few addresses:

16mWzkk6iznyJQ3sKQRYxQ1Zr8xWpGMFWi
1B2wqabcETtQxPuacB5whni7GUjDn1oQQX
1BH4hyBMH8NoiscwiPngP23fVNN8wpJwrT
1HRhPdTXhTDMTM8C9C3Y8FGD1EKszkPGv
1K5XZhjCwbLYHwys86FvepaHt6tFiWb35T
1LfuyRkm9MrEXTz72hzpPsL46mzHEXfqWj
1MmE9r9QTN2GnP1TF7JhZSKPsubuXguJkb
1NujNX3cvbikAZMnKtETgSd7kvw7o93MRg
1PCrHhXxS8ZotDvgSA5WxpmtC1qNQchrPr
1Q4VVTsx6vgYth7iD9WnAgHvAj239PMaoL
1rPAkJSXWgnLFEiCzv3APUFLsi8Kzv3pX

Only one of these addresses is very recent.  Maybe my script finds more keys, because I also catch an address when the R-value was used only once as long as the same R-value was used on another address twice.

Moreover, the two addresses 1Q8eetJs5wRpqR3b5FT9EHe6GD8Bges9Hm and 195Tycz7nVhV7aKw98nq74FdVYtyYyE1K7 are endangered by this transaction:
https://blockchain.info/tx/127da3144a02f16e1a5ccb67778a2f5f9924023ce9aa20c1c4d08be576cbb0b9
I think it is not exploitable but as soon as one of the private keys is revealed, the other is also revealed.

I reran my script to try to catch the special case you mentioned but oddly was only able to confirm a subset of the ones you reported.

1BH4hyBMH8NoiscwiPngP23fVNN8wpJwrT
1HRhPdTXhTDMTM8C9C3Y8FGD1EKszkPGv
1MmE9r9QTN2GnP1TF7JhZSKPsubuXguJkb
1NujNX3cvbikAZMnKtETgSd7kvw7o93MRg

Checking my logic ...

Edit 1: My bad ... I think the discrepancy is caused by my parser ignoring transactions with non-canonical signatures (which stopped being allowed a while ago).  

On an unrelated note I also just checked if there was any overlap between the set of signature r-values and the set of public key x coordinates ... ∅ ... if there were any that would have indicated the potential for more RNG issues.
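
The two flagging rules discussed in this exchange, as an added example (my code, not the script either poster ran), applied to constructed (address, r-value, txid) records rather than real blockchain data. Rule 1 is the original check (an address that signed twice with the same r); rule 2 is johoe's extension (an address that used an r only once, where that r was used twice under some other single address). The overlap check from the last paragraph is included as a second function. Names such as `exposed_addresses` and `SAMPLE_SIGNATURES` are chosen here.

```python
# Added example, not the script from the thread: the two flagging rules described
# above, applied to constructed (address, r-value, txid) records.
from collections import defaultdict

# Constructed sample signatures; addresses and r-values are placeholders, not real data.
SAMPLE_SIGNATURES = [
    ("1AAA", "r1", "tx1"),
    ("1AAA", "r1", "tx2"),   # rule 1: same r twice under one address
    ("1BBB", "r1", "tx3"),   # rule 2: r used once here, but twice under 1AAA
    ("1CCC", "r2", "tx4"),
    ("1CCC", "r3", "tx5"),   # fresh nonces: nothing to flag
    ("1DDD", "r4", "tx6"),
    ("1EEE", "r4", "tx7"),   # shared r, but only once per address: neither rule fires
]

def exposed_addresses(signatures):
    """Returns (rule1, rule2):
    rule1 - addresses that signed twice with the same r (the original script's check);
    rule2 - addresses whose single use of an r is matched by a double use of that r
            under another address (the case johoe's script also catches).
    Once an r is repeated under one address its nonce is recoverable, and every
    other signature made with that nonce then gives away its own private key too,
    so both sets should be treated as compromised."""
    per_r = defaultdict(lambda: defaultdict(int))   # r -> address -> use count
    for addr, r, _txid in signatures:
        per_r[r][addr] += 1
    rule1, rule2 = set(), set()
    for r, counts in per_r.items():
        repeated = {a for a, c in counts.items() if c >= 2}
        rule1 |= repeated
        if repeated:
            rule2 |= set(counts) - repeated
    return rule1, rule2

def r_values_matching_pubkey_x(signatures, pubkey_x_coords):
    """The second check in the post: r-values that coincide with some public key's
    x-coordinate (any overlap would hint at an RNG handing out repeated values)."""
    return {r for _addr, r, _txid in signatures} & set(pubkey_x_coords)

if __name__ == "__main__":
    print(exposed_addresses(SAMPLE_SIGNATURES))                       # ({'1AAA'}, {'1BBB'})
    print(r_values_matching_pubkey_x(SAMPLE_SIGNATURES, ["r3", "x9"]))  # {'r3'}
```

Note that 1DDD and 1EEE share an r but each used it only once, so neither rule fires; a cross-address pair like that still deserves a look, since the same nonce under two keys means both signers drew from a broken or shared RNG.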
16  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 21, 2013, 01:39:24 AM
Jesse James,

While I appreciate your efforts with this,  I think deleting the reply to johoe is more questionable than the way you replied..

I don't follow?  My reply simply acknowledged I had overlooked the cases he pointed out.  I deleted it because I thought it prudent to double check his additions first.
17  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 07:10:24 PM
I have a friend with a blockchain info wallet who had 170 btc emptied... how can I determine if this theft is a result of the same thing ?

This is the tree of his theft: https://blockchain.info/tree/74475039

Your friend's private key was never exposed due to a signature nonce collision.

Here's every address that has been exposed from genesis through block 253081 ... obviously only a few of these are due to blockchain.info:

121Zna8Dy9W2qDvsJEH2ALeHQkteXaeGng
12CkZeZvwDwiTvFm5H8bABpEqQHXJ6gWc1
12JDjmk2fGMPRK9GaT98vBFDc3MDHoPV9r
12RFNoJK2MSiWfXt3fFG7F4urUpLGnTBxh
12WhvZTWMv9XLfyM2g7XFSUgpwzuQUX5Mq
12a7gpjZDQBDhVSknfQzL3ygcASNQcocnd
12c1XuVdjQwyftTbqnWMT94CYW6vKFknwm
12ekVy8duhBMLGd1JhxcgxrTN1fchmVcTo
138VcLyoAb5sdjo3cDw7d14fUGLKRwQ9VK
13CWujDi4g6DWB9bWDXT3TfRU635NPJdPF
13GXRxeyR9UTDQojZYv9NZ1j3VA6Butc9U
13LRBbvgCSXsUs4JNmYhzHRo3re8vYVDid
13ds2bCrxe68w8WD4R7bWSjGq4uK7XbzWH
13fZF8aZcSjpxhukHkyVtHsLnPnVszQaLm
13oCG1VNMAGtNp9RcAmUieRf8NayAJ7xj7
13x6i5itrvR8Rf75xP8PZaPtNTNxZLReLe
143CugrdSngLmDaLWoLrWJzb4AU1xLMqoY
1494Wwkf8QN4nC3gSYz3qjZVNuVZSHw2zi
14FguDL7teNFCctazjUxCxCfZtssycq11h
14RJsWTjq9q2a9tNQSdpxbMaViWoXxRbjt
14ih1qxbcFmwLm8Hc7qTr3BhzdmWTWRmpC
14reTqqg8r4qriHozsYoydugzLjYtpVoMZ
154nELZtftuW951oQY7erHnN4L196c98Wp
15E8CUjvHDVj8mBzhkNHErXtz4AeEHycpH
15GieELLKTruUdzmTDVYP1TsjnzNRDg8Qa
15p65cNbtB3bQYf9GB78edRo5Ppux3uaU3
16He3EDsvTKYRSQGsZeoooTbYAjy9fiLoQ
16NCxA48LPKdSr5fACPnrLxgkrFnDJAzLp
16SchApeKZEc86CVJCc1vLQ17TEJCRJNef
16UkUnbqW8PXRrwgxRdb2UTivbgNnBYqwC
16io8zfbhStqe9WVdHN3JLzc29D73okaoy
16y2wAieZE9VknMK29J7EAhC8fmRtdLy8p
17AHXAodFQ33A4DqFENVHCG59qiaRNbhcq
17HHdLh4oXncuTejALwC6fgArVqPUxh2Sr
17Lq1nrktyEFV3AVPAbsbDXWuWoUNMhws8
17Vjk88w6fy5YRVUGD6Aa9w545UA6K4tYZ
17gDnz5TU8T16Pgzo93M7Dm1j5HS3UuS2Q
17sDdDiW2dNRQvTu2NkwwCbfXNFxVCpbZW
18KZdcnGaqaXnHiRPb8rVGCztyA4jJPKtS
18mmzMizs5CHtLJwchtPMuiYqVqWjw3rLe
18pqzCLA17hdnzxFnf5Cad2feA1RHKtW2P
18yDksipyvWEX14KTd4DHvj6ZDcXvNqtpB
196SL6bZEvBT8A9z46df54zE3rzZfXzwe8
19DcmnrhqpLgn8L6Exay1sJiKZPtYUAw1Y
19cRkXQfonjdJT9K8TMuDxV1PKLSdHZtPh
19qnLpn9it7csR9sEay1XrFyfAmUNoXYk4
19yCy4mFWJVsdJbgtG79VwHGxQpcx4uhcr
1A8TY7dxURcsRtPBs7fP6bDVzAgpgP4962
1ALsXt19tBxMr29WfM2Zd7EU8HwzooLGHx
1AgVauV4U1tt3KbRiehht56NoZeKprLUXe
1AnFEpvs8a41T3ZpfPtXBENvkL5oatQ64D
1AyTNQRvz6fo7EvebGpKfJB7jJeppxY4yc
1B8vhS5umMNKvwQFHJ3Hgres4NJeoe8U7Y
1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm
1BMzWp77j7x3GKDYNbCP3df7YG3UEw1vVE
1BRwmguCycCWSbueTcpn1vSJddMJXEhyjH
1BvQyALiTSgKwVYzDL3ANoqmdWaoyRZazS
1C3G6y8Cyi7ECDaaDhG34sLzrv1dd7Xo33
1C8x2hqqgE2b3TZPQcFgas73xYWNh6TK9W
1CFVxqxX3i9L9dm6Gw2QKJ2fH18HSJ9H8k
1CNHzFKNCkCwYecVUfmahmqDFrn5uuRzsU
1CRcBxVoXCqL7cEiq7b7rTYQyMhUrCu5Mf
1CozShbCQwFqa3iw2AUE3zn7Pp1f3HR3D
1CqEdApNprZzgqUsuyLocXKH5yMdFTnTJQ
1CxZGXpNLDmr7eDmgMiGc1n1gAyE6LKBig
1DHmu7BvzjpQQxbKEuqTU2zSvZmgZBBrne
1DQK1Xb1gKBRXLi4PEegWCZ1giELgBqhq7
1DWhHeTnoZAFPehoM1W6S37hn7nVjZLrQN
1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A
1DcNJeexQV2kM78AdMKSzmsQ8DeNMHLTJ1
1Df8hDiS6RSeu9WDUqUtBpBmBoepzo24pD
1Dka5AAYwdZkrPJZHjKmdZkaVATnwYeSqG
1E67dSKMyrEoqfAjSsE1SNpeeau4pmyc5j
1E9ffsnXjMnZxmJaqCLXWhqWzKqx1sZXP9
1ECvZ9ojebv5TVWySf2roXRP4XyQb5rNCy
1EFET6LSLabV5KR55XqRzzhQ1rBUGTD1SQ
1ENrnLCxp9srcWCCE3kQFNqHRGDijespb9
1EPXZfTX6TD3L7TQdRu2nqMT8mrAAPSTST
1EUDdSvFGmZCa5zUXSXFSQD7r2qBZaSWJU
1F48AGnDGLBbDr5Uk7DfUhrhe8U14eHKaH
1F9tB2p9NWsGEt1TjiGAa3WEEGs9Wc779R
1FPSVbypWa7rBWbciKHJ983YWcucBn7aUQ
1FPgs8ZaxXUAp61jkd53U7zWj9NQq8yM34
1FX2xLHNxcT77bxLZXHzet6e8kMSS53uDK
1FY4Ny2ZTvDGDHshB1Rpp5Di9x6Q9GVd5a
1FYXLjfFJ1qsngiArLsrBVEGRaKkV15FGV
1Fcj89eqk1xCe6PqkMpaUuWCaK7MUXeYbZ
1FwbYs6UL2fzB9crvhWNCZyr9oqNjEXzcu
1FxWoGvwzjWGKk69vFumyoBaUCqzsndVck
1G3BjSLWsWH6tbPYs29fYMYaz9k8EStQM
1G4TqNcKTRRuQ3brQSv85Fohf3jQiaGAbL
1GTFFqbHGp6xwcKVmLkbLqHiauUbKT7jxs
1GUqD7UATGzbEBrMjweP5GCTQeU51TsZbj
1GYRDPaCm3hrzUcgfT49w7mcvoQu2Y4MmX
1GjDS84eNBx6QQoo7dBddvgYArSttxLYdk
1GysfXJbf5FREeJetrwuANNZi8pcz4n1v6
1HWEyVbuyPmXfR9eBnrh4v2Npjnp9UJQCw
1HWYEGYNgVc7bc28RCAa8mCJPv9eEnHieR
1HXSnvNGK8oYQCyLDkpHNZ2sWPvFsYQcFU
1HmJh2b8iS64WgX5snSzKYrNXqbnKkuBvE
1J8THH46JdkjiGYLQyPQDHVk4gtftahDUx
1JCMAUG9P8X4PHM7rF4ywDFHaAK2FMRrkN
1JFMHv7ijwXDQYQrehhSxn6u9bTfkGCmK
1JNC3iaxA95NbWrSro5me2BM27wohuucKD
1JNMvqdUYP9eDR3mEkxxCne4BYabc93Nwh
1JZ5NjZCDrnj84mZnv2fuAmAb7w4v5LiEu
1JjcWuJDRNkw3XcMfE7khhRg1UCxU8eKua
1JmMcWWy1mFuubbsBRPuVXdjFdtM2ENJXE
1JnqZ6Djhncs9YHe74CbkLaXXAbA1phsTU
1Js2D8Fj1AWQ2aB7TMtmJ6rn4bYDFtcjgF
1K5CgovB1c4vX22MvUq8cfRsuctG86Jmx5
1KSFgqcm6mc4Aaq6EsR6Awfr65S6RmVeHh
1L8DFt7yYA3iZsr6RA3d1mpf4J7TgBsYF
1L9a8dXMgq2xWV1zaDUGje2FAbzCG18QQh
1LKu5b7jUoM7MJzeuTCmvDWsJrBgBhcvhb
1LnBTt9TYRMt4aABcDYSoaMQ9jV8Qgajkx
1Lr9tUFz4mypFzc3PYitgGU1dTg21ubM9p
1LspNcTjkzFQRrsr4iGGxD5RSKehB5fHnA
1M5edBFjjFJhQhgSuCUQnX3uytcskgnqQB
1Mjwi2LnE6oz3p8dNFXWgMpAPBs6ZpPPA2
1N2aQiQ5LjNQ3C3cKCmHHnnq65RH3zRD9B
1NCRgUAgJnzBGcLNX7iQD1d9Cn9ZyKF2PC
1NEb41nDgxWwVzhHSsk4obURJ13KauJRsF
1NRtYCGVo2vR7WmYVussK6sVva2wZsYTep
1NSLj5xdCyRmMYVtM7bwZxZarYLm6EGZJf
1NSnZPRR32mrfAADxNJcPRP647gseqEMyj
1NuSEboWF7YJ3bozo5H1JDpH5yc7zyHZm8
1NvfCyqRh6cuh8dCQDJmboriifg1eaYDnV
1PUv3XNWWCDmEK6o9VerPK81qVfo4Wtvv2
1PWTFonhiXCdTZ4Nd2J726rqWnNsTVeVMY
1PXU5aD3fzgAm2E56o2VSaHpVe4bhe3d2m
1Pbt1LGM2JNgMjtnEscEmntsSrcYofeaoa
1Pde4CbEitkdPiwwKvd6s3znWw7EXZMYjD
1Pq6Ygv3kdMVX2TdNhUSPadxaShiGJUAoS
1YWwSaXTESKgDpitb6Rp8bteXzUR6hjDg
1ZBRXLZEzSukVDEDDJjtHYmrpkEGH94nS
1kJwZbv3dhUowPyRHcxJMknoJpPYfwaGf
1kMEr9W4YeAnzFcuSWwj3ShYGANdLHSxG
1szVke6ThJtfdUTi6Y5AAMDMePM4Ha8vK
1yiQRuB3KRxZTrSHBNZK9NdjbyJskHiVs
18  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 07:03:53 PM
I wanted to ask you what your thoughts were on my skipping Arcfour (RC4) for window.crypto.getRandomValues. The blockchain.info implementation appears to still use the RC4 code (it uses window.crypto.getRandomValues for the seeding of RC4), but I didn't see why it was necessary here if I can just always get a nice random number from the newer browsers. Is this what you meant by mainlining?

Yep,  that's what I meant.
19  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 06:11:39 PM
Was this an issue related to a problem with window.crypto.getRandomValues when webworkers are used? If so, please inform so that I can make Firefox aware of the problem.

window.crypto.getRandomValues is not available in webworkers because the window object doesn't exist in webworkers (by design).


I am working on Coinpunk, which is (like blockchain.info) using bitcoinjs-lib as a sort-of ancestor of the current code base. After the Android vulnerability was disclosed, I started looking at the existing RNG code and I was not impressed: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/jsbn/rng.js

You can see where the RNG gets fed in here: https://github.com/bitcoinjs/bitcoinjs-lib/blob/master/src/ecdsa.js#L237

I wanted to split the RNG code out into something that would use the best-available approach for its platform, so I put this together, which is the current development version, and has tests you can run in the browser: https://github.com/kyledrake/randjs.

I would really appreciate an audit and feedback on this code, as I intend to eventually use this in production. My e-mail is kyledrake@gmail.com if you want to IM/email me directly. Thanks!
IMHO, it's worth looking at puik's modifications to bitcoinjs-lib that he's maintaining in his branch ... he's made fixes to the RNG in particular.

Honestly, if I were doing JS crypto my approach would be to just mainline randomness directly from window.crypto.getRandomValues and bail if it's not available.  If you need randomness from the context of a webworker, you have no choice but to message pass it into the worker from the foreground.

I don't have time at the moment to do a comprehensive audit, sorry ... but javascript honestly isn't really my bag baby so I'm not sure I would be the best person to look at it.
20  Economy / Web Wallets / Re: Blockchain.info security [FUNDS STOLEN] on: August 20, 2013, 10:16:12 AM
After reviewing the blockchain.info wallet source code, I can not recommend using it at the moment.  I had a full monty write-up on this earlier, but as I've dug deeper I've decided to take it down so I can communicate my findings to blockchain.info exclusively first.  Stay tuned.

Do you advise to meanwhile sweep funds to a fresh new address with blockchain wallet?  Is the blockchain wallet safe to make transactions with manual key rotation?

If you are feeling careful, IMHO it would be wise to move to a non-javascript wallet for the time being ... and when you move, do it with a single transaction ... that way even if your signature(s) expose the private key you're moving from, they'll be nothing there left to spend.