[ANNOUNCE] Android key rotation

[n4ru]

Ive always thought computers could not generate random numbers.    I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didnt complain at the time

Nothing can generate a random number. Us included. Only pseudo-random.

[1713863923]

1713863923

[Mike Hearn]

Fees have to be attached due to a strange quirk of bitcoind mining code - it only allocates 27kb per block for free transactions. There's no obvious reason that should be the case and I'm sure it'll get fixed at some point. Even a penny is a high fee to pay, IMO.

[JoelKatz]

Ive always thought computers could not generate random numbers.    I once won a large prize buying the last ticket before a lotto draw, computer random number generator was the source though I didnt complain at the time

Nothing can generate a random number. Us included. Only pseudo-random.

So you believe that radioactive decay is deterministic? If so, you are in the minority. Say I have two uranium atoms and one of the decays before the other, what do you think accounts for that?

[elebit]

I cant find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. it's a penny. Go sell something on PayPal and tell me about fees.

Here are some reasons why:

You might only have only a couple of pennies in your wallet (for novelty purposes).

Those who have moved beyond fiat pricing might like the idea of keeping their 1.0 bitcoins instead of having 0.99999 bitcoins.

Old money which is not broken in many thin slices don't need to pay fees, they don't need to wait more than a few hours anyway.

[JoelKatz]

If an address is generated by a computer or other source, and then imported into a blockchain wallet, is it still vulnerable?

I think only if it's generated by Android.

Unfortunately, it is still vulnerable. The signature algorithm uses the random number generator as well and if a signature is generated improperly, it can compromise the private key. This was, in fact, the way the vulnerability was exploited.

"... some signatures have been observed to have colliding R values, allowing the private key to be solved and money to be stolen." -- Mike Hearn

[candtalan]

..... Payment addresses should not be re-used after money is spent. If you do not re-use the address then you can not fall victim to this if your random generator is not as random as it should be.

Novice here.
I guess, or understand, that 'receive' addresses can be safely used more than once? Presumably the receive process is much more passive than a payment process? Is my understanding ok here please?

[NeedChangeNow]

Is this flaw related to why "Error Response Invalid signature" keeps happening to certain users attempting to send funds from the Blockchain.info Android app? (thread here: https://bitcointalk.org/index.php?topic=240548.0). I'd love to be able to get my btc out of this wallet but it seems less likely by the day.

[justusranvier]

I guess, or understand, that 'receive' addresses can be safely used more than once?

Receive addresses should be used exactly one time, then never again.

If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.

[elor70]

Thanks for the warning

[Lauda]

Oh boy, we didn't need this.
Thanks for the heads up.

[candtalan]

I guess, or understand, that 'receive' addresses can be safely used more than once?

Receive addresses should be used exactly one time, then never again.
If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.

Oh bother. Thanks. In my case I have never used an android device for any Bitcoin stuff so I trust I am safe from the current non random number issue(?)
However, it has been convenient to gather occasional small amounts from the (get free bitcoins) site http://netlookup.se/free-bitcoins/247552
Just to be very clear here, I now should not offer the same receive address more than once then?
tia
(edit)
I note that  this site mentioned above works on the basis of a receive address being used repeatedly.... Is it a scam site? or is it just  doing rather bad things?

[n4ru]

I guess, or understand, that 'receive' addresses can be safely used more than once?

Receive addresses should be used exactly one time, then never again.
If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.

Oh bother. Thanks. In my case I have never used an android device for any Bitcoin stuff so I trust I am safe from the current non random number issue(?)
However, it has been convenient to gather occasional small amounts from the (get free bitcoins) site http://netlookup.se/free-bitcoins/247552
Just to be very clear here, I now should not offer the same receive address more than once then?
tia
(edit)
I note that  this site mentioned above works on the basis of a receive address being used repeatedly.... Is it a scam site? or is it just  doing rather bad things?

Oh boy... justusranvier is totally confusing the newbies.

[rumak]

Thanks for the quicks news and update.

[Sukrim]

Well what do you expect? The minimum I always pay is 0.0006 or 0.0005 on the -Qt client. Non-fee transactions usually means hours to days waiting for confirmations.

I wouldn't mind actually waiting some time if that meant my transaction was free. I didn't want or plan to transfer these funds in the first place and I don't mind them being stuck for some time in limbo. Once the TX is out there, it would be hard to double spend it anyways.

I cant find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. it's a penny. Go sell something on PayPal and tell me about fees.

Schildbach allowed this (0 fees) too some time ago so I consider it a regression. If I use PayPal, I pay for a service that goes beyond simple money transfer (I get fraud protection etc.).

I second this. While mining with deepbit, their tx fees are not included. One payment sat for almost 4 days before being picked up by eligius pool. Just send the penny.

This is just stupidity on deepbit's end - they could always include their payouts for free in their own blocks and I suggested something like that (pools accepting each other's payouts for free) long time ago. Back then it was anyways easy to get anything transacted for free, so they never went forward with it. I don't want to pay a whole penny for a few bytes of storage that will be pruned away sooner or later anyways.

Fees have to be attached due to a strange quirk of bitcoind mining code - it only allocates 27kb per block for free transactions. There's no obvious reason that should be the case and I'm sure it'll get fixed at some point. Even a penny is a high fee to pay, IMO.

The wallet used to have a setting that let me set fees to 0 on my own risk. This setting seems to be gone...
Anyways, fee handling and transaction priorization is a big mess in my opinion still in Bitcoin, especially in the reference client that everyone seems to use unreflected without even thinking about the settings.


About receiving coins at the same address:
In the end it means that you potentially loose privacy (e.g. the free bitcoins site could link your IP to your address, then you sell a obile phone on the web and let them pay to the same address - now the free bitcoin site can see that you received some more coins + the buyer of the phone sees that you probably used this site). Security wise it means that once you send something from your address, you expose the public key belonging to that address. In this case, the signature generated with it is weakening security - there is also the possibility of a breach of ECDSA keys in general. As long as nothing has been transfered off an address, it is as safe as possible from a current security standpoint.

[ashish12]

totally agree 

Well what do you expect? The minimum I always pay is 0.0006 or 0.0005 on the -Qt client. Non-fee transactions usually means hours to days waiting for confirmations.

I wouldn't mind actually waiting some time if that meant my transaction was free. I didn't want or plan to transfer these funds in the first place and I don't mind them being stuck for some time in limbo. Once the TX is out there, it would be hard to double spend it anyways.

I cant find any wallet other than bitcoin-qt that lets you put a 0.00 tx fee. Surprising to see people in here wondering about fees. it's a penny. Go sell something on PayPal and tell me about fees.

Schildbach allowed this (0 fees) too some time ago so I consider it a regression. If I use PayPal, I pay for a service that goes beyond simple money transfer (I get fraud protection etc.).

I second this. While mining with deepbit, their tx fees are not included. One payment sat for almost 4 days before being picked up by eligius pool. Just send the penny.

This is just stupidity on deepbit's end - they could always include their payouts for free in their own blocks and I suggested something like that (pools accepting each other's payouts for free) long time ago. Back then it was anyways easy to get anything transacted for free, so they never went forward with it. I don't want to pay a whole penny for a few bytes of storage that will be pruned away sooner or later anyways.

Fees have to be attached due to a strange quirk of bitcoind mining code - it only allocates 27kb per block for free transactions. There's no obvious reason that should be the case and I'm sure it'll get fixed at some point. Even a penny is a high fee to pay, IMO.

The wallet used to have a setting that let me set fees to 0 on my own risk. This setting seems to be gone...
Anyways, fee handling and transaction priorization is a big mess in my opinion still in Bitcoin, especially in the reference client that everyone seems to use unreflected without even thinking about the settings.


About receiving coins at the same address:
In the end it means that you potentially loose privacy (e.g. the free bitcoins site could link your IP to your address, then you sell a obile phone on the web and let them pay to the same address - now the free bitcoin site can see that you received some more coins + the buyer of the phone sees that you probably used this site). Security wise it means that once you send something from your address, you expose the public key belonging to that address. In this case, the signature generated with it is weakening security - there is also the possibility of a breach of ECDSA keys in general. As long as nothing has been transfered off an address, it is as safe as possible from a current security standpoint.

[kangasbros]

I guess, or understand, that 'receive' addresses can be safely used more than once?

Receive addresses should be used exactly one time, then never again.
If you reuse addresses for receiving bitcoins you have no financial privacy, and you're vulnerable to issues like this.

Oh bother. Thanks. In my case I have never used an android device for any Bitcoin stuff so I trust I am safe from the current non random number issue(?)
However, it has been convenient to gather occasional small amounts from the (get free bitcoins) site http://netlookup.se/free-bitcoins/247552
Just to be very clear here, I now should not offer the same receive address more than once then?
tia
(edit)
I note that  this site mentioned above works on the basis of a receive address being used repeatedly.... Is it a scam site? or is it just  doing rather bad things?

If you are receiving miniscule amounts, then it doesn't matter. You can use common sense. The site isn't scam.

[candtalan]

If you are receiving miniscule amounts, then it doesn't matter. You can use common sense. The site isn't scam.

Ah thanks, I was hoping that, it also helps to confirm my limited understanding of this stuff.

[ISAWHIM]

Nothing can generate a random number. Us included. Only pseudo-random.

That is an opinion...

Fact is... any number which is not sequential and read from a list, is random. Might not be "as random as you would like", but it is still random. Even pseudo-random selection is non-sequential and not read from a list. (Unless you start at the beginning, start at the same seed/list or the seed is the same seed/list as another seed. Which is the repeat of a list.)

But I digress...

The problem is that these devices and programs, made by programmers with little knowledge, failed to understand the devices they were working with. That is what happens when you just copy-n-paste code and don't actually KNOW what it is doing.

One year... This has been known about android since the first program "solitaire" which used random numbers to shuffle, released before the phone was even physically made, in the emulator.

Oh, and the comment about "Glad I have an i-phone"... LOL... Might want to look at all the exploits your phone has, before you open your mouth. You are worse-off than the android phone, because you are naive and oblivious to the reality of the flaws of the device in your hands. Yay, you don't have THIS FLAW... You have your own, and no-one is fixing shit for you, unless you pay them for the app to secure the flaws.

[elebit]

2. It's an Android issue, not a Java issue.

Also, could we please get a link to the relevant Android bug tracker item?

It's a bit frustrating to piece together rumors in order to know what actually happened here.

[E.Sam]

Just wondering, would this affect Electrum as well?

I m asking as it uses Google Scripting Layer & Python for Android

http://electrum.org/android.html