smolen

August 10, 2013, 11:47:04 PM

It has been noticed that the coins are all transferred in a few hours after a client improperly signs a transaction by reusing the same random number. As discussed here http://en.wikipedia.org/wiki/Elliptic_Curve_DSA the reuse of the same k value allows anyone to be able to recover the private key. How long would it take for pool owners to start scanning mempool transactions and replace vulnerable ones?

Of course I gave you bad advice. Good one is way out of your price range.
TierNolan
Legendary
Offline
Activity: 1232
Merit: 1104

August 11, 2013, 02:16:10 AM

> How long would it take for pool owners to start scanning mempool transactions and replace vulnerable ones?

You mean they should crack the private key for the address and then re-do the signature? That seems only semi-legal. It may not even fix the problem; all nodes receive all transactions directly. It would make it slightly harder: the node would have to be always online, rather than only having to scan the block chain every hour or so.
gmaxwell
Moderator
Legendary
Offline
Activity: 4270
Merit: 8805

August 11, 2013, 02:26:33 AM, last edit: August 11, 2013, 02:41:28 AM by gmaxwell

Of course, if these applications didn't constantly reuse addresses the exposure here— whatever the root cause ultimately turns out to be— would be a lot smaller.
chriswilmer
Legendary
Offline
Activity: 1008
Merit: 1000

August 11, 2013, 04:11:45 AM

This seems like a serious problem!
Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?
Luke-Jr
Legendary
Offline
Activity: 2576
Merit: 1186

August 11, 2013, 05:40:08 AM

> This seems like a serious problem!
> Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?

It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).
gmaxwell
Moderator
Legendary
Offline
Activity: 4270
Merit: 8805

August 11, 2013, 05:48:21 AM

> This seems like a serious problem! Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?

No, no easy way to do that. Plus the software to actually help you do that would be more complicated than the software required to make super-sure that this can't happen. (e.g. select the nonce as sha256(message||privkey||random value) — though if your RNG is bad you also need to worry about weak keys)
chriswilmer
Legendary
Offline
Activity: 1008
Merit: 1000

August 11, 2013, 05:49:09 AM

> This seems like a serious problem! Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?

> No, no easy way to do that. Plus the software to actually help you do that would be more complicated than the software required to make super-sure that this can't happen. (e.g. select the nonce as sha256(message||privkey||random value) — though if your RNG is bad you also need to worry about weak keys)

Thanks!
piotr_n
Legendary
Offline
Activity: 2055
Merit: 1359
aka tonikt

August 11, 2013, 11:49:08 AM, last edit: August 11, 2013, 11:59:49 AM by piotr_n

> the reuse of the same k value allows anyone to be able to recover the private key.

> It appears that this is what may be happening.
> It appears that the bug occurs in both the blockchain.info android wallet and the Andreas Schildbach Android Wallet so I suspect a bug in a crypto library or an implementation detail shared by both applications.

Ouch... Thanks for the info - I spent the whole morning triple checking if my wallet would not make a similar mistake, by a chance. Seems that I'm fine, but you got me scared, sir.

Check out gocoin - my original project of full bitcoin node & cold wallet written in Go. PGP fingerprint: AB9E A551 E262 A87A 13BB 9059 1BE7 B545 CDF3 FD0E
physalis

August 11, 2013, 12:29:22 PM

> This seems like a serious problem!
> Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?

> It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).

That can't possibly be your proposed solution to this problem - "Just never use a bitcoin address more than once"? While it makes sense for privacy reasons, it shouldn't need to be done just so you don't get your coins stolen. If for example I give someone a bitcoin address so he can make recurring payments of some sort to me, I need to reuse that address. Everything else would just be a major pain in the ass.
piotr_n
Legendary
Offline
Activity: 2055
Merit: 1359
aka tonikt

August 11, 2013, 12:33:26 PM, last edit: August 11, 2013, 12:45:05 PM by piotr_n

Yeah. The thesis that reusing an address is not "using Bitcoin correctly", is kind of weird, to say the least. Especially said as a solution for a guy who plays SatoshiDice...
dice64
Jr. Member
Offline
Activity: 34
Merit: 1

August 11, 2013, 12:47:11 PM

> It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).

> That can't possibly be your proposed solution to this problem - "Just never use a bitcoin address more than once"? While it makes sense for privacy reasons, it shouldn't need to be done just so you don't get your coins stolen. If for example I give someone a bitcoin address so he can make recurring payments of some sort to me, I need to reuse that address. Everything else would just be a major pain in the ass.

You can get every transaction which has been sent by that address and ensure none of its spent outputs have the same signature in the script. But the main problem is random number generation. Even if you want to make recurring payments, you should still generate an address each time. Otherwise you seriously risk linking your address to your identity. It isn't a pain in the ass, it's the best practice for anonymity, regardless of this current bad signature issue.
smolen

August 11, 2013, 12:48:49 PM

> How long would it take for pool owners to start scanning mempool transactions and replace vulnerable ones?

> You mean they should crack the private key for the address and then re-do the signature? That seems only semi-legal.

Accidentally disclosing a private key by using flawed software is the same as accidentally publishing the private key on this forum. The key holder effectively waives his right to the bitcoins by disclosing the key.
piotr_n
Legendary
Offline
Activity: 2055
Merit: 1359
aka tonikt

August 11, 2013, 12:52:35 PM, last edit: August 11, 2013, 01:09:02 PM by piotr_n

If one has a screwed up RNG, not reusing addresses does not make him any safer, if the same generator is used to make new private keys.
CIYAM
Legendary
Offline
Activity: 1890
Merit: 1086
Ian Knowles - CIYAM Lead Developer

August 11, 2013, 12:53:29 PM

> It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).

Hmm... so none of the clients mentioned re-use an address for change (as this is not something the end-user generally has any control over)?
smolen

August 11, 2013, 12:54:32 PM

> The thesis that reusing an address is not "using Bitcoin correctly", is kind of weird, to say the least.

I'll just repost the relevant part of my post from another forum.

Even proper reuse of an ECDSA private key makes it less secure. Satoshi did very good work protecting Bitcoin from possible future advances in cryptography - new addresses are created whenever it is appropriate, before first (and, ideally, the last) use the public key is secret, only a hash of it (the address) is exposed to the public. But Satoshi did not forbid intentional address reuse, thus making key reuse possible.

- CURVE: the elliptic curve field and equation used
- $G$: elliptic curve base point, a generator of the elliptic curve with large prime order $n$
- $n$: integer order of $G$, meaning that $n \cdot G = O$

1. Calculate $e = \textrm{HASH}(m)$, where HASH is a cryptographic hash function, such as SHA-1.
2. Let $z$ be the $L_n$ leftmost bits of $e$, where $L_n$ is the bit length of the group order $n$.
3. Select a random integer $k$ from $[1, n-1]$. - This is what counts
4. Calculate the curve point $(x_1, y_1) = k \cdot G$.
5. Calculate $r = x_1 \pmod{n}$. If $r = 0$, go back to step 3.
6. Calculate $s = k^{-1}(z + r d_A) \pmod{n}$. If $s = 0$, go back to step 3.
7. The signature is the pair $(r, s)$.

And every $(r, s)$ pair derived from the same $d_A$ and exposed to the public means more food for hyperlinearization and SAT-solvers. (Some day those two beasts will meet together and produce fertile offspring.)
piotr_n
Legendary
Offline
Activity: 2055
Merit: 1359
aka tonikt

August 11, 2013, 12:57:12 PM

> Even proper reuse of ECDSA private key makes it less secure. Satoshi did very good work protecting Bitcoin from possible future advances in cryptography - new addresses are created whenever it is appropriate, before first (and, ideally, the last) use public key is secret, only hash of it (address) is exposed to the public. But Satoshi did not forbid intentional address reuse, thus making key reuse possible.

Of course - I fully agree with you and thanks for pointing it out. But still, reusing addresses is one of the core features of Bitcoin - otherwise our life would be so much more complicated. Bitcoin would have probably never got adopted, in the first place, if one could not reuse an address. Moreover, if this is so crucial for security, deterministic wallets do not seem to be the right way to go forward, do they?
smolen

August 11, 2013, 01:21:23 PM

> Of course - I fully agree with you and thanks for pointing it out. But still, reusing addresses is one of the basic features of Bitcoin - otherwise our life would be so much more complicated. Bitcoin would have probably never got adopted, in the first place, if one could not reuse an address.
> Moreover, if this is so crucial for security, deterministic wallets do not seem to be a right way to go forward, do they?

I don't pretend to be an expert here, but it looks like Bitcoin itself and deterministic wallets are right now out of reach for SAT-solvers and XSL attacks. We'll be alerted about progress in those areas by new yottahashes in mining difficulty.
BurtW (OP)
Legendary
Offline
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.

August 11, 2013, 01:22:13 PM

I think we have discussed enough "politics" for now and would like to get back to the actual technical issue. If I get a chance later today I plan to download the source code for the android wallet and see if I can locate the actual signature code and see what they are doing.

Thanks for this write up. It describes exactly what they are doing. This is the crux here (cleaned up this a bit):

1. Calculate e = HASH(m), where HASH is a cryptographic hash function, such as SHA-1.
2. Let z be the Ln leftmost bits of e, where Ln is the bit length of the group order n.
3. Select a random integer k from [1, n-1].
4. Calculate the curve point (x1, y1) = k * G.
5. Calculate r = x1 (mod n). If r = 0, go back to step 3.
6. Calculate s = k^-1 (z + r dA) (mod n). If s = 0, go back to step 3.
7. The signature is the pair (r, s).

The same k will lead to the same x1 coordinate, which will lead to the same r.

Our family was terrorized by Homeland Security. Read all about it here: http://www.jmwagner.com/ and http://www.burtw.com/ Any donations to help us recover from the $300,000 in legal fees and forced donations to the Federal Asset Forfeiture slush fund are greatly appreciated!
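An added example, not code from any poster or from either wallet project, putting the signing steps above together in Python: a naive signer feeds a stuck RNG straight into k (so both signatures share r, as BurtW notes), a hardened one derives k as sha256(message||privkey||random) as gmaxwell suggests, and find_reused_r applies dice64's check over one key's signatures. The curve arithmetic, private key and messages are constructed for the demo; secp256k1 constants are the standard ones.

```python
import hashlib

# secp256k1 (the curve Bitcoin uses) in plain integer arithmetic; a demo, not a library
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    if a is None or b is None:
        return a or b                      # None is the point at infinity
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):                         # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sign(z, d, k):                         # steps 4-7 of the post: r = x1 mod n, s = k^-1 (z + r d) mod n
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    assert r and s, "retry with a fresh k"
    return (r, s)

def safe_nonce(z, d, rng_bytes):           # k = sha256(message || privkey || random), as gmaxwell suggests
    h = hashlib.sha256(z.to_bytes(32, "big") + d.to_bytes(32, "big") + rng_bytes).digest()
    return 1 + int.from_bytes(h, "big") % (N - 1)   # map into [1, n-1]

def find_reused_r(sigs):                   # dice64's check: two (r, s) pairs under one key with equal r shared k
    seen, reused = {}, set()
    for r, s in sigs:
        if seen.setdefault(r, s) != s:
            reused.add(r)
    return reused

def demo():
    d = 0xC0FFEE_CAFE_F00D                 # constructed private key for the demo
    z1, z2 = (int.from_bytes(hashlib.sha256(m).digest(), "big") % N for m in (b"tx one", b"tx two"))
    stuck = b"\x01" * 32                   # a broken RNG that returns the same bytes on every call
    naive = [sign(z1, d, int.from_bytes(stuck, "big")), sign(z2, d, int.from_bytes(stuck, "big"))]
    hardened = [sign(z1, d, safe_nonce(z1, d, stuck)), sign(z2, d, safe_nonce(z2, d, stuck))]
    return find_reused_r(naive), find_reused_r(hardened)
```

demo() returns one repeated r for the naive signer and none for the hardened one; the same check can be run over the (r, s) pairs pulled from an address's spent inputs.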