|
johoe (OP)
|
 |
April 11, 2016, 06:25:24 PM |
|
Why speculate when you can ask this question directly? As others pointed out  I don't have to speculate. It is easy to link the address to your forum posts. The speculation was more, whether the bot is really the best; I think the second transaction today settles this question  . BTW the double spends are not from my bot, there are one or two other bots trying to sweep the wallets. In fact I tried to write a better bot a year ago, but even when I connected to hundreds of nodes and the relay network I would only win about 1 out of 40 races. |
Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
|
|
|
Answerme2
Member
 Offline
Activity: 108
Merit: 10
|
|
April 11, 2016, 06:39:01 PM |
|
I am still looking for some technical explanation regarding this.
1.If Deterministic wallets solves this bad RNG r value problems then how's its happening again?
"Deterministic signatures" (RFC 6979) solve it (HD wallet is orthogonal; you can have both, only one of them, or none). However, not every wallet uses rfc 6979 (but most do). 2.Can this same r value be generated twice by deterministic or HD wallets?
I assume you mean deterministic signatures. In theory, yes. In practice, no. If you created a few quadrillion yottabytes (is there an SI-prefix for this?) of transactions you should start worrying about that Now MOST IMPORTANT Question
3.Say i send a tx worth 2 Bitcoins from my wallet and it's get confirmed.Now how can i be sure that this tx does not repeated R value that can later leak my private key or not?
4.Now even if someone recovers the private key from the address i send 2 bitcoins from then only the address that send 2 bitcoins is affected right? not the one which recieved the 2 BTC right?
Only the address sending is affected. If another address uses the same r value again it is also affected even it uses this r value only once. The receiving address is safe. However, for HD wallet if one of the keys is broken and the xpub key is leaked, then all keys are broken. HD wallets used with repeated r values are also breakable (if the xpub key is leaked) even if every address is used only once. So use deterministic signatures! From both security and privacy standpoint a HD wallet with a leaked xpub key has the same properties as a single address that is reused. Please answer my 3rd question 3.Say i send a tx worth 2 Bitcoins from my wallet and it's get confirmed.Now how can i be sure that this tx does not repeated R value that can later leak my private key or not? i mean say i send 3 tx from 1 address now how do i manually check if they have same r value or not for security? |
|
|
|
achow101
Staff
Legendary
Offline
Activity: 3402
Merit: 6642
Just writing some code
|
|
April 11, 2016, 06:54:22 PM |
|
Please answer my 3rd question
3.Say i send a tx worth 2 Bitcoins from my wallet and it's get confirmed.Now how can i be sure that this tx does not repeated R value that can later leak my private key or not?
i mean say i send 3 tx from 1 address now how do i manually check if they have same r value or not for security?
To manually check the r values, find the input script of a transaction and then look at the signatures. This site: https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1?answertab=votes#tab-top gives a break down of the bytes in the signature so you can use that to find where the r value is and compare that to the r value of another signature. In order for the r's to be the same, they need to actually be identical, not just similar. |
|
|
|
|
johoe (OP)
|
|
April 11, 2016, 07:14:14 PM |
|
Please answer my 3rd question
3.Say i send a tx worth 2 Bitcoins from my wallet and it's get confirmed.Now how can i be sure that this tx does not repeated R value that can later leak my private key or not?
i mean say i send 3 tx from 1 address now how do i manually check if they have same r value or not for security?
To manually check the r values, find the input script of a transaction and then look at the signatures. This site: https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1?answertab=votes#tab-top gives a break down of the bytes in the signature so you can use that to find where the r value is and compare that to the r value of another signature. In order for the r's to be the same, they need to actually be identical, not just similar. Yes, or the step-by-step instruction: Look up your transaction on blockchain.info (click on the transaction id to see a single transaction), click on "show scripts & coinbase" (if not already enabled), scroll down, look for a huge number with 130+hexdigits starting with 304 and ending with 01. Write down the part between the first 0220 (or 0221 or 021f) and the next 0220 (or 021f). This is the r value. Do this for all your transactions and check if the same value occurs twice. (There is a small chance that r contains 0220 by accident; it should be 62-66 digits long). You can also look at http://johoe.mooo.com/bitcoin/endangered.txt It is not always up to date and it contains a few false positives, though. And I omitted the addresses used only with r = 00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63. |
Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
|
|
|
|
trashman43
|
|
April 11, 2016, 07:16:20 PM |
|
sorry if i missed it while reading through the thread -- are there any known wallets with this vulnerability? i saw that electrum uses the correct type of signature....others? thanks in advance.
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
April 11, 2016, 07:22:36 PM |
|
In fact I tried to write a better bot a year ago, but even when I connected to hundreds of nodes and the relay network I would only win about 1 out of 40 races. I do not want to give advices how to win in race.  Last time i did it https://bitcointalk.org/index.php?topic=1175321.440 i lost some btc |
|
|
|
|
|
johoe (OP)
|
|
April 11, 2016, 07:32:12 PM |
|
sorry if i missed it while reading through the thread -- are there any known wallets with this vulnerability? i saw that electrum uses the correct type of signature....others? thanks in advance.
No, otherwise it would occur more often. Most use rfc 6979 now, bitcoind/bitcoin-qt could be an exception. |
Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
|
|
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
April 11, 2016, 07:50:32 PM |
|
Amazon free VPS server does not have a lot of memory and fast CPU  And I do not have a possibility to spend funds to a more robust one. There are at least 5-10 bots running 24/7/365 and monitoring compromised addresses. Only one is mine. |
|
|
|
|
Answerme2
Member
Offline
Activity: 108
Merit: 10
|
|
April 11, 2016, 07:56:08 PM |
|
Please answer my 3rd question
3.Say i send a tx worth 2 Bitcoins from my wallet and it's get confirmed.Now how can i be sure that this tx does not repeated R value that can later leak my private key or not?
i mean say i send 3 tx from 1 address now how do i manually check if they have same r value or not for security?
To manually check the r values, find the input script of a transaction and then look at the signatures. This site: https://crypto.stackexchange.com/questions/1795/how-can-i-convert-a-der-ecdsa-signature-to-asn-1?answertab=votes#tab-top gives a break down of the bytes in the signature so you can use that to find where the r value is and compare that to the r value of another signature. In order for the r's to be the same, they need to actually be identical, not just similar. Yes, or the step-by-step instruction: Look up your transaction on blockchain.info (click on the transaction id to see a single transaction), click on "show scripts & coinbase" (if not already enabled), scroll down, look for a huge number with 130+hexdigits starting with 304 and ending with 01. Write down the part between the first 0220 (or 0221 or 021f) and the next 0220 (or 021f). This is the r value. Do this for all your transactions and check if the same value occurs twice. (There is a small chance that r contains 0220 by accident; it should be 62-66 digits long). You can also look at http://johoe.mooo.com/bitcoin/endangered.txt It is not always up to date and it contains a few false positives, though. And I omitted the addresses used only with r = 00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63. Ok This https://blockchain.info/tx/34535e979bf3e0b960d7e3be85713fa6561a4d9642c7199a7bdf93b721b529a7and https://blockchain.info/tx/e1c9b009cfa861501ae6f3379148fcc5c0de98c5774a6c576fb9f9e6eb2879ebas same R value r=538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951 Now S1 (from first tx)=538d2959108c11f0a34dd65c084af69765c66988b04e09eb0eebb7be69dde951 S2 (from second tx)=1bbcbd5d556d056c822a1ccb080d66d8144b4cb49a3bbf5c8e24a822248edf32 I visisted this link http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.htmlBut i do not understand how he calculated z1 and z2. Care to explain plz? |
|
|
|
|
|
|
johoe (OP)
|
|
April 11, 2016, 08:23:53 PM |
|
They make it too easy these days. I remember how long I stared on https://en.bitcoin.it/wiki/OP_CHECKSIG until I grasped how this works. |
Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
|
|
|
Answerme2
Member
Offline
Activity: 108
Merit: 10
|
|
April 11, 2016, 08:38:35 PM |
|
Is there any script where i just input any particular address and that script analyze all the tx in that address for the r-value vulnerability? This will really help a lot instead of checking each tx seperately. I found this https://bitcointalk.org/index.php?topic=977070.0but this script is only usefull if the address has less then 50 tx. Any easy solution? |
|
|
|
amaclin
Legendary
Offline
Activity: 1260
Merit: 1019
|
|
April 11, 2016, 08:43:29 PM |
|
Is there any script where i just input any particular address and that script analyze all the tx in that address for the r-value vulnerability?
Yes, there is. But you do not want to pay for it, do you? |
|
|
|
|
Answerme2
Member
Offline
Activity: 108
Merit: 10
|
|
April 11, 2016, 09:08:49 PM |
|
Is there any script where i just input any particular address and that script analyze all the tx in that address for the r-value vulnerability?
Yes, there is. But you do not want to pay for it, do you? How much? |
|
|
|
|
johoe (OP)
|
|
April 11, 2016, 10:43:30 PM |
|
Is there any script where i just input any particular address and that script analyze all the tx in that address for the r-value vulnerability? This will really help a lot instead of checking each tx seperately. I found this https://bitcointalk.org/index.php?topic=977070.0but this script is only usefull if the address has less then 50 tx. Any easy solution? BTW, the easiest way to see, if you reused an r value for an address is to send some small amount of bitcoins to it. If it is not immediately moved to another address, you are fine. |
Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
|
|
|
Answerme2
Member
Offline
Activity: 108
Merit: 10
|
|
April 12, 2016, 02:07:01 AM |
|
Is there any script where i just input any particular address and that script analyze all the tx in that address for the r-value vulnerability? This will really help a lot instead of checking each tx seperately. I found this https://bitcointalk.org/index.php?topic=977070.0but this script is only usefull if the address has less then 50 tx. Any easy solution? BTW, the easiest way to see, if you reused an r value for an address is to send some small amount of bitcoins to it. If it is not immediately moved to another address, you are fine. Lol i wanted to check if my cold storage storage addeess is fine that i often use to send bitcoins from but it has more then 150 tx so it's pain to check all tx manually and the script i mentioned earlier here only allows to check address upto 50 tx |
|
|
|
|
mrxtraf
|
|
January 27, 2021, 02:25:41 PM |
|
My script that I still occasionally run has detected repeated nonces (r-value) in signatures again. Looks like a bad random number generator; the repetitions usually happen some days apart. The problem seems already to be fixed but the addresses that were compromised are still used. There were at least 135 keys involved of which at least 82 are compromised now. Most keys are related to 1BTrViTDX... (in the sense that they are inputs in the same transaction). I setup a bot to sweep the compromised keys. If you can prove that it is your address, you can contact me to get the collected funds back. But don't use the addresses again. There will probably be other persons setting up bots soon... EDIT: To prove ownership, you can sign a message with 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b. This address doesn't seem to be compromised yet. Note that this address has also been exposed and should not be used any more. So far I have collected about 7 BTC. EDIT2: Fixed the number of addresses. I accidently counted five unrelated addresses. Here is a complete list (addresses marked with + can be cracked): http://johoe.mooo.com/bitcoin/2016-03-compromised.txtImmediately I apologize for raising such an old topic, but I have not found any discussion at this address anywhere else. I'm wondering what's the problem with the 1HGXq5Spi6NNXFKuQFfDDcYZmzTczKJi4b address? He doesn't have a double R. And also he has the balance in place. What is the problem there? |
|
|
|
|
|
