Bitcoin Forum
Author Topic: More Signatures with Repeated Nonces.  (Read 8179 times)
johoe (OP)
April 11, 2016, 06:25:24 PM
 #41

Okay, others have set up their bots.  Looks like amaclin's bot is the best (he likes 1aa addresses):
https://blockchain.info/tx/a4bd89209d53585ed0b5ef8980873c7b112358dca7bbb008acb711573ccdc782
Why speculate when you can ask this question directly?

As others pointed out  Grin I don't have to speculate.  It is easy to link the address to your forum posts.

The speculation was more, whether the bot is really the best; I think the second transaction today settles this question  Cheesy.  BTW the double spends are not from my bot, there are one or two other bots trying to sweep the wallets.

In fact I tried to write a better bot a year ago, but even when I connected to hundreds of nodes and the relay network I would only win about 1 out of 40 races.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
Answerme2
April 11, 2016, 06:39:01 PM
 #42

I am still looking for some technical explanation regarding this.
1. If deterministic wallets solve this bad-RNG r-value problem, then how is it happening again?
"Deterministic signatures" (RFC 6979) solve it (HD wallet is orthogonal; you can have both, only one of them, or none).  However, not every wallet uses rfc 6979 (but most do).

2.Can this same r value be generated twice by deterministic or HD wallets?
I assume you mean deterministic signatures.  In theory, yes.  In practice, no.  
If you created a few quadrillion yottabytes (is there an SI-prefix for this?) of transactions you should start worrying about that  Grin

Now MOST IMPORTANT Question
3. Say I send a tx worth 2 bitcoins from my wallet and it gets confirmed. Now how can I be sure whether this tx repeated an R value that can later leak my private key or not?
4. Now even if someone recovers the private key of the address I sent 2 bitcoins from, then only the address that sent the 2 bitcoins is affected, right? Not the one which received the 2 BTC, right?

Only the address sending is affected.  If another address uses the same r value again it is also affected, even if it uses this r value only once.  The receiving address is safe.

However, for an HD wallet, if one of the keys is broken and the xpub key is leaked, then all keys are broken.  HD wallets used with repeated r values are also breakable (if the xpub key is leaked) even if every address is used only once.  So use deterministic signatures!  From both a security and a privacy standpoint, an HD wallet with a leaked xpub key has the same properties as a single address that is reused.

Please answer my 3rd question
3. Say I send a tx worth 2 bitcoins from my wallet and it gets confirmed. Now how can I be sure whether this tx repeated an R value that can later leak my private key or not?
I mean, say I send 3 tx from 1 address; now how do I manually check whether they have the same r value or not, for security?
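
The deterministic-signature fix johoe recommends above, as an added example that is not code from the thread or from any wallet: RFC 6979 nonce derivation for secp256k1 with SHA-256. The nonce k depends only on the private key and the message hash, so the same k (and therefore the same r) can only recur when the same key signs the same hash, which produces the identical signature rather than a second equation an attacker can solve. The key values and messages are constructed for illustration; real wallets feed in the transaction digest (double SHA-256), which the wrapper at the end simplifies to a single SHA-256 of a byte string.

```python
# RFC 6979 deterministic nonce (section 3.2) for secp256k1 + SHA-256.
# Added example, not code from the thread; keys and messages below are constructed.
import hashlib
import hmac

# Order of the secp256k1 group (public constant from the curve definition).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN = 32  # bytes in the group order; equals the SHA-256 digest size here


def _int2octets(x):
    return x.to_bytes(QLEN, "big")


def _bits2int(b):
    # qlen == hlen == 256 bits, so no truncation is needed (RFC 6979 section 2.3.2).
    return int.from_bytes(b, "big")


def _bits2octets(b):
    # RFC 6979 section 2.3.4: reduce mod the group order, then re-encode.
    return _int2octets(_bits2int(b) % N)


def rfc6979_nonce(private_key, msg_hash):
    """Return k for a 32-byte message hash, following RFC 6979 section 3.2 step by step."""
    if not 1 <= private_key < N:
        raise ValueError("private key out of range")
    x = _int2octets(private_key)
    h1 = _bits2octets(msg_hash)
    V = b"\x01" * 32                                                   # step b
    K = b"\x00" * 32                                                   # step c
    K = hmac.new(K, V + b"\x00" + x + h1, hashlib.sha256).digest()     # step d
    V = hmac.new(K, V, hashlib.sha256).digest()                        # step e
    K = hmac.new(K, V + b"\x01" + x + h1, hashlib.sha256).digest()     # step f
    V = hmac.new(K, V, hashlib.sha256).digest()                        # step g
    while True:                                                        # step h
        T = b""
        while len(T) < QLEN:
            V = hmac.new(K, V, hashlib.sha256).digest()
            T += V
        k = _bits2int(T[:QLEN])
        if 1 <= k < N:
            return k
        # Candidate out of range (astronomically rare): re-key and draw again.
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()


def nonce_for_message(private_key, message):
    """Convenience wrapper: single SHA-256 of a byte string stands in for the tx digest."""
    return rfc6979_nonce(private_key, hashlib.sha256(message).digest())


# Constructed sample keys and messages (not real wallet keys).
KEY_A = int("11" * 32, 16)
KEY_B = int("22" * 32, 16)
MSG_1 = b"constructed message one"
MSG_2 = b"constructed message two"

if __name__ == "__main__":
    print("k(A, msg1) = %064x" % nonce_for_message(KEY_A, MSG_1))
    print("k(A, msg2) = %064x" % nonce_for_message(KEY_A, MSG_2))
    print("k(B, msg1) = %064x" % nonce_for_message(KEY_B, MSG_1))
```

Running it twice prints the same three values, and the three values differ from each other: that is the whole property. A wallet that derives k this way cannot emit two signatures with the same r under different messages, whatever the state of the system RNG, which is why johoe's answer to question 2 is "in practice, no".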

achow101
April 11, 2016, 06:54:22 PM
 #43

Please answer my 3rd question
3. Say I send a tx worth 2 bitcoins from my wallet and it gets confirmed. Now how can I be sure whether this tx repeated an R value that can later leak my private key or not?
I mean, say I send 3 tx from 1 address; now how do I manually check whether they have the same r value or not, for security?
To manually check the r values, find the input script of a transaction and then look at the signatures. This site: https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1?answertab=votes#tab-top gives a breakdown of the bytes in the signature, so you can use that to find where the r value is and compare it to the r value of another signature. In order for the r's to be the same, they need to actually be identical, not just similar.

johoe (OP)
April 11, 2016, 07:14:14 PM
 #44

Please answer my 3rd question
3. Say I send a tx worth 2 bitcoins from my wallet and it gets confirmed. Now how can I be sure whether this tx repeated an R value that can later leak my private key or not?
I mean, say I send 3 tx from 1 address; now how do I manually check whether they have the same r value or not, for security?
To manually check the r values, find the input script of a transaction and then look at the signatures. This site: https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1?answertab=votes#tab-top gives a breakdown of the bytes in the signature, so you can use that to find where the r value is and compare it to the r value of another signature. In order for the r's to be the same, they need to actually be identical, not just similar.

Yes, or the step-by-step instructions:  Look up your transaction on blockchain.info (click on the transaction id to see a single transaction), click on "show scripts & coinbase" (if not already enabled), scroll down, and look for a huge number with 130+ hex digits starting with 304 and ending with 01.  Write down the part between the first 0220 (or 0221 or 021f) and the next 0220 (or 021f).  This is the r value.  Do this for all your transactions and check if the same value occurs twice.  (There is a small chance that r contains 0220 by accident; it should be 62-66 digits long.)

You can also look at http://johoe.mooo.com/bitcoin/endangered.txt  It is not always up to date and it contains a few false positives, though.  And I omitted the addresses used only with r = 00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63.


Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
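
achow101's and johoe's manual check (find the 304...01 blob in the input script, split out r, compare across transactions), plus the whole-address scan Answerme2 asks for further down the thread, as an added Python example that is not code from the thread. It parses the DER signature structure the linked crypto.stackexchange answer describes instead of string-matching on 0220, so the "r contains 0220 by accident" false positive johoe mentions cannot occur. The scriptSig hex of each input is assumed to be already fetched (from your own node or an explorer); the sample inputs, r/s values and public key bytes are constructed placeholders.

```python
# Find repeated ECDSA r values across Bitcoin transaction inputs.
# Added example, not code from the thread; all sample values are constructed.
from collections import defaultdict


def _der_int(x):
    """DER INTEGER: 0x02, length, big-endian magnitude, 0x00-padded if the top bit is set."""
    b = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:
        b = b"\x00" + b          # source of the "0221 00.." prefix mentioned in the thread
    return b"\x02" + bytes([len(b)]) + b


def encode_signature(r, s, sighash=0x01):
    """scriptSig-style signature: DER SEQUENCE(r, s) plus the trailing sighash byte."""
    body = _der_int(r) + _der_int(s)
    return (b"\x30" + bytes([len(body)]) + body + bytes([sighash])).hex()


def parse_signature(sig_hex):
    """Parse '30 len 02 rlen r 02 slen s sighash' into (r, s, sighash) integers."""
    sig = bytes.fromhex(sig_hex)
    if len(sig) < 9 or sig[0] != 0x30 or len(sig) != sig[1] + 3:
        raise ValueError("not a DER signature with a trailing sighash byte")
    pos, values = 2, []
    for _ in range(2):               # two INTEGERs: r, then s
        if sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        n = sig[pos + 1]
        values.append(int.from_bytes(sig[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != len(sig) - 1:
        raise ValueError("trailing bytes after s")
    return values[0], values[1], sig[pos]


def pushes_in_script(script_hex):
    """Data pushes of a script; enough for P2PKH scriptSigs (<sig> <pubkey>)."""
    script = bytes.fromhex(script_hex)
    pos, out = 0, []
    while pos < len(script):
        op = script[pos]
        pos += 1
        if 1 <= op <= 75:            # direct push of op bytes
            n = op
        elif op == 0x4C:             # OP_PUSHDATA1
            n, pos = script[pos], pos + 1
        elif op == 0x4D:             # OP_PUSHDATA2
            n, pos = int.from_bytes(script[pos:pos + 2], "little"), pos + 2
        else:
            continue                 # non-push opcode, carries no data
        out.append(script[pos:pos + n])
        pos += n
    return out


def signatures_in_scriptsig(script_hex):
    """The pushes that parse as signatures: the '304...01' blobs the thread describes."""
    sigs = []
    for push in pushes_in_script(script_hex):
        try:
            parse_signature(push.hex())
            sigs.append(push.hex())
        except ValueError:
            pass
    return sigs


def find_repeated_r(inputs):
    """inputs: iterable of (txid, vin, scriptsig_hex).
    Returns {r: [(txid, vin), ...]} for every r seen in more than one input.
    Any repetition is reported: one key reusing r leaks that key, and two keys
    sharing one r are both affected, as johoe notes above."""
    seen = defaultdict(list)
    for txid, vin, script_hex in inputs:
        for sig_hex in signatures_in_scriptsig(script_hex):
            r, _, _ = parse_signature(sig_hex)
            if (txid, vin) not in seen[r]:
                seen[r].append((txid, vin))
    return {r: where for r, where in seen.items() if len(where) > 1}


# Constructed sample data: three inputs, two of which share an r value.
R_SHARED = int("aa" * 32, 16)               # top bit set, so DER pads it to 33 bytes
R_OTHER = int("55" * 32, 16)
PUBKEY = bytes.fromhex("02" + "ab" * 32)    # placeholder bytes, not a real public key


def p2pkh_scriptsig(sig_hex):
    """<push sig> <push pubkey>: the layout of a classic pay-to-pubkey-hash input."""
    sig = bytes.fromhex(sig_hex)
    return (bytes([len(sig)]) + sig + bytes([len(PUBKEY)]) + PUBKEY).hex()


SAMPLE_INPUTS = [
    ("tx_a", 0, p2pkh_scriptsig(encode_signature(R_SHARED, int("11" * 32, 16)))),
    ("tx_b", 0, p2pkh_scriptsig(encode_signature(R_OTHER, int("22" * 32, 16)))),
    ("tx_c", 1, p2pkh_scriptsig(encode_signature(R_SHARED, int("33" * 32, 16)))),
]

if __name__ == "__main__":
    for r, where in find_repeated_r(SAMPLE_INPUTS).items():
        print("repeated r=%064x in inputs %s" % (r, where))
```

To audit an address with 150+ transactions, feed every spending input of that address into `find_repeated_r`; any non-empty result means the affected key should be treated as compromised and emptied to a fresh one. The same routine run over a whole block is the detection side of what the sweeping bots in this thread do.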
trashman43
April 11, 2016, 07:16:20 PM
 #45

Sorry if I missed it while reading through the thread -- are there any known wallets with this vulnerability? I saw that Electrum uses the correct type of signature....others? Thanks in advance.

amaclin
April 11, 2016, 07:22:36 PM
 #46

In fact I tried to write a better bot a year ago, but even when I connected to hundreds of nodes and the relay network I would only win about 1 out of 40 races.
I do not want to give advice on how to win the race. Smiley
The last time I did it https://bitcointalk.org/index.php?topic=1175321.440 I lost some BTC Smiley
johoe (OP)
April 11, 2016, 07:32:12 PM
 #47

Sorry if I missed it while reading through the thread -- are there any known wallets with this vulnerability? I saw that Electrum uses the correct type of signature....others? Thanks in advance.

No, otherwise it would occur more often.  Most use rfc 6979 now, bitcoind/bitcoin-qt could be an exception.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
johoe (OP)
April 11, 2016, 07:38:34 PM
 #48

In fact I tried to write a better bot a year ago, but even when I connected to hundreds of nodes and the relay network I would only win about 1 out of 40 races.
I do not want to give advice on how to win the race. Smiley
The last time I did it https://bitcointalk.org/index.php?topic=1175321.440 I lost some BTC Smiley
I wonder if I hadn't started this thread, how long my bot would have been the only one.

You cannot always win: https://blockchain.info/tx/877d3b07be05fa13782881711f87e04291fec104c92935eb9d69c9b5b4a23a8e
(Not my transaction either)

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
amaclin
April 11, 2016, 07:50:32 PM
 #49

The free Amazon VPS server does not have a lot of memory or a fast CPU Sad
And I do not have the means to spend funds on a more robust one.
There are at least 5-10 bots running 24/7/365 and monitoring compromised addresses. Only one is mine.

Answerme2
April 11, 2016, 07:56:08 PM
 #50

Please answer my 3rd question
3. Say I send a tx worth 2 bitcoins from my wallet and it gets confirmed. Now how can I be sure whether this tx repeated an R value that can later leak my private key or not?
I mean, say I send 3 tx from 1 address; now how do I manually check whether they have the same r value or not, for security?
To manually check the r values, find the input script of a transaction and then look at the signatures. This site: https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1?answertab=votes#tab-top gives a breakdown of the bytes in the signature, so you can use that to find where the r value is and compare it to the r value of another signature. In order for the r's to be the same, they need to actually be identical, not just similar.

Yes, or the step-by-step instructions:  Look up your transaction on blockchain.info (click on the transaction id to see a single transaction), click on "show scripts & coinbase" (if not already enabled), scroll down, and look for a huge number with 130+ hex digits starting with 304 and ending with 01.  Write down the part between the first 0220 (or 0221 or 021f) and the next 0220 (or 021f).  This is the r value.  Do this for all your transactions and check if the same value occurs twice.  (There is a small chance that r contains 0220 by accident; it should be 62-66 digits long.)

You can also look at http://johoe.mooo.com/bitcoin/endangered.txt  It is not always up to date and it contains a few false positives, though.  And I omitted the addresses used only with r = 00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63.



Ok
This https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7
and
https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879eb
have the same R value
r=538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951
Now S1 (from first tx)=538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951

S2 (from second tx)=1bbcbd5d556d056c822a1ccb080d66d8144b4cb49a3bbf5c8e24a822248edf32

I visited this link http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
But I do not understand how he calculated z1 and z2. Care to explain please?

amaclin
April 11, 2016, 08:00:55 PM
 #51

I visited this link http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
But I do not understand how he calculated z1 and z2. Care to explain please?
This is a very easy question.
Follow steps 1..14 in these beautiful instructions
http://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx
and you will get z at step 14
johoe (OP)
April 11, 2016, 08:23:53 PM
 #52

I visited this link http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
But I do not understand how he calculated z1 and z2. Care to explain please?
This is a very easy question.
Follow steps 1..14 in these beautiful instructions
http://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx
and you will get z at step 14


They make it too easy these days.  I remember how long I stared at https://en.bitcoin.it/wiki/OP_CHECKSIG until I grasped how this works.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
Answerme2
April 11, 2016, 08:38:35 PM
 #53

I visited this link http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
But I do not understand how he calculated z1 and z2. Care to explain please?
This is a very easy question.
Follow steps 1..14 in these beautiful instructions
http://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx
and you will get z at step 14


They make it too easy these days.  I remember how long I stared at https://en.bitcoin.it/wiki/OP_CHECKSIG until I grasped how this works.

Is there any script where I just input any particular address and that script analyzes all the tx of that address for the r-value vulnerability?
This would really help a lot instead of checking each tx separately.
I found this https://bitcointalk.org/index.php?topic=977070.0
but this script is only useful if the address has fewer than 50 tx. Any easy solution?

amaclin
April 11, 2016, 08:43:29 PM
 #54

Is there any script where I just input any particular address and that script analyzes all the tx of that address for the r-value vulnerability?
Yes, there is. But you do not want to pay for it, do you?  Grin
Answerme2
April 11, 2016, 09:08:49 PM
 #55

Is there any script where I just input any particular address and that script analyzes all the tx of that address for the r-value vulnerability?
Yes, there is. But you do not want to pay for it, do you?  Grin
How much?

johoe (OP)
April 11, 2016, 10:43:30 PM
 #56

Is there any script where I just input any particular address and that script analyzes all the tx of that address for the r-value vulnerability?
This would really help a lot instead of checking each tx separately.
I found this https://bitcointalk.org/index.php?topic=977070.0
but this script is only useful if the address has fewer than 50 tx. Any easy solution?

BTW, the easiest way to see if you reused an r value for an address is to send some small amount of bitcoins to it.  If it is not immediately moved to another address, you are fine.  Cheesy

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
Answerme2
April 12, 2016, 02:07:01 AM
 #57

Is there any script where I just input any particular address and that script analyzes all the tx of that address for the r-value vulnerability?
This would really help a lot instead of checking each tx separately.
I found this https://bitcointalk.org/index.php?topic=977070.0
but this script is only useful if the address has fewer than 50 tx. Any easy solution?

BTW, the easiest way to see if you reused an r value for an address is to send some small amount of bitcoins to it.  If it is not immediately moved to another address, you are fine.  Cheesy
Lol, I wanted to check whether my cold storage address that I often use to send bitcoins from is fine, but it has more than 150 tx, so it's a pain to check all tx manually, and the script I mentioned earlier here only allows checking an address with up to 50 tx.

mrxtraf
January 27, 2021, 02:25:41 PM
 #58

My script that I still occasionally run has detected repeated nonces (r-value) in signatures again.  Looks like a bad random number generator; the repetitions usually happen some days apart.  The problem seems already to be fixed but the addresses that were compromised are still used.

There were at least 135 keys involved of which at least 82 are compromised now.  Most keys are related to 1BTrViTDX... (in the sense that they are inputs in the same transaction).

I setup a bot to sweep the compromised keys.  If you can prove that it is your address, you can contact me to get the collected funds back.

But don't use the addresses again.  There will probably be other persons setting up bots soon...

EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b.  This address doesn't seem to be compromised yet.  Note that this address has also been exposed and should not be used any more.

So far I have collected about 7 BTC.

EDIT2: Fixed the number of addresses.  I accidentally counted five unrelated addresses.  Here is a complete list (addresses marked with + can be cracked):
http://johoe.mooo.com/bitcoin/2016-03-compromised.txt
I apologize right away for raising such an old topic, but I have not found any discussion of this address anywhere else.
I'm wondering what the problem is with the 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b address? It doesn't have a double R. And it also still has its balance in place. What is the problem there?