NXT Coin Security

[miztaziggy]

Can someone here with better knowledge re Cryptography and security than me (or anyone on NXT forum it seems) please answer this:

NXT receiving address is 20 characters long made up of only numbers - therefore 10^20 combinations.

Passwords to open wallets can be many more characters, therefore many many more combinations to open only 10^20 possible wallets.

Secret phrase can be any 100 unicode chars.

SHA256(secret_phrase) gives private key.
Curve25519(private_key) gives public key.
SHA256(public_key) gives account id.
First 64 bits give VISIBLE account id.


Now, if I send coins to one account using their VISIBLE account ID (20 characters long) which is all that is required with NXT, then multiple passwords can open a wallet with the SAME visible account ID.

Apparently, the first account to send those coins on has ownership.

What am I missing here?

[1714963520]

1714963520

[1714963520]

1714963520

[1714963520]

1714963520

[1714963520]

1714963520

[1714963520]

1714963520

[1714963520]

1714963520

[kaito]

What am I missing here?

An opportunity to make lots of money.

[Jest3r]

I won't speak on how many hash collisions there are without doing the math myself but one thing I'd like to point out is that NXT addresses can be 18 to 20 digits long (As far as I know that is, the gap could be bigger). This increases the amount of possible addresses significantly.

[bitme]

Isn't it 1-20 digits for account?

[Jest3r]

Isn't it 1-20 digits for account?

Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

[miztaziggy]

Still, compare the number of possible 'wallets' with the number of possible passwords.

The number of collisions is HUGE.

Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.

[Come-from-Beyond]

Still, compare the number of possible 'wallets' with the number of possible passwords.

The number of collisions is HUGE.

Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.

U should post here ur math from nextcoin.org. It will make someone's day.

[bitme]

Isn't it 1-20 digits for account?

Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

Here is 16 digits
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337

[Come-from-Beyond]

Isn't it 1-20 digits for account?

Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

Here is 16 digits
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337

Look at this - http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=648774468

[Hazard]

This thing has been a poorly designed cashgrab since day 1.

[miztaziggy]

Isn't it 1-20 digits for account?

Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

Here is 16 digits
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337

Look at this - http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=648774468

So how does that affect chances of collision?

I keep seeing posts from you with no real answers. Never answers. The closest you have got is a post saying "wait until the source revealed and all will be clear".

It really is like one of those auctions where a guy tries to sell you a black box that looks like it contains something valuable, without actually telling you what's inside. When you buy it and open it, it's just junk.

[Come-from-Beyond]

Isn't it 1-20 digits for account?

Is it? I've never seen NXT addresses shorter than 18 digits but I suppose my sample size isn't exactly huge.

Here is 16 digits
http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=5914888228532337

Look at this - http://87.230.14.1/nxt/nxt.cgi?action=3000&acc=648774468

So how does that affect chances of collision?

I keep seeing posts from you with no real answers. Never answers. The closest you have got is a post saying "wait until the source revealed and all will be clear".

It really is like one of those auctions where a guy tries to sell you a black box that looks like it contains something valuable, without actually telling you what's inside. When you buy it and open it, it's just junk.

I did answer ur questions. Sorry, but my English is not so good to explain something that requires knowledge of statistics or crypto. Any chance u speak Russian?

[miztaziggy]

You spoke good enough english in the thread you argued that BTC was insecure because of a 10^24 chance of collision, whereas it's 10^20 with NXT. How does that figure?

[miztaziggy]

This from the NXT thread:

I can't work out whether you're intentionally lying or just wrong....

Tell me how I need the full 256 bit private key to access my coins?

Because the way I see it is that with only 10^20 possible RECEIVING addresses and MANY MANY more possibilities for passwords, then multiple passwords MUST have the same receiving addresses. Therefore if you send NXT to one receiving address, many many passwords will open a wallet that will have received those same coins.

Yes, many passphrases will open that account but only 1 will be able to spend the coins. Coz software checks that all 256 bits match.

Again, is this a lie or misunderstanding?

Tell me this:

You and I both have our own passwords, each happens to create the same 20 digit wallet number.

I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

We both open our wallets using our different passwords, both show our public address to be 111111111111111111111

Now, who sees which coins?

Do I see 1000 NXT and you see 2000 NXT, do we both see 3000 NXT?

If it's the former, how did NXT know you should receive 2000 and me 1000 just from our public addresses?

The fact is, it didn't.

The coins are sent to a public address that can be created by more than 1 password. How is that secure?

[Come-from-Beyond]

You spoke good enough english in the thread you argued that BTC was insecure because of a 10^24 chance of collision, whereas it's 10^20 with NXT. How does that figure?

Did u read my answer on nextcoin.org? I bet no, coz u again compare 10^24 apples with 10^20 oranges.

[dtothemt]

Still, compare the number of possible 'wallets' with the number of possible passwords.

The number of collisions is HUGE.

Screams EXTREMELY badly designed coin to me and backs up what I have thought all along, that this coin is a scam.

This is my thought exactly and if the dev wants NXT to grow and stick around, they need to fix this. I was just thinking about this yesterday. Migrating to a new addressing system seems like a tough transition though from my limited knowledge.

Edit: Nevermind, just read the dev's response. Although I must say it is somewhat misleading for those who don't know that part of the address is hidden. I'm guessing the reason for this is that your mapping system isn't alphanumerical, thus to make things easier on the eyes you provide only that.

But what would happen if the first 20 digits of two addresses happen to be the same, and someone sends NXT to that address? That still seems risky of a conflict occurring.

[Come-from-Beyond]

I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

Ok, I'll repeat again. Add some math. What are the odds that u get the same address within a short period of time?

[artiface]

Yes it seems all it takes is the correct passphrase to open any wallet.  

I learned that the hard way, lost just about 30,000 nxt because my password was too easy. I saw in front of my eyes someone send my coins to a new account.  I've triple checked my machine and there is no back door or keylogger (if there was I think they would have gone for my btc first before the nxt anyday).  Someone used the same password as me and therefore they were able to spend all my coins.  

I didn't understand that the password was network wide, I thought it was local to my machine only so it was simple, despite the warning.

[Come-from-Beyond]

Migrating to a new addressing system seems like a tough transition though from my limited knowledge.

No. That requires little changes.

[miztaziggy]

I ask someone to send me 1000 NXT to my public 20 digit address say 111111111111111111111

Now you also ask someone to send you 2000 NXT to your 20 digit public address also 111111111111111111111

Ok, I'll repeat again. Add some math. What are the odds that u get the same address within a short period of time?

Again - full disclosure - are you an early adopter, do you have NXT and are you selling NXT?

My bet is yes you have NXT and are selling NXT.

You're an idiot if you think I am talking about some random fluke where 2 innocent users happen upon the same key. I am talking about brute forcing the system.

You create a thread and post about Bitcoin being open to a collision attack with a chance of finding same key 10^24. You, in your own words say it's not a big number and can easily be done with hashing power of BTC.

Now NXT has 10,000 fewer possibilities that this at 10^20 (though I suppose it's actually 10^20 + 10^19 + 10^18 etc....but this doesn't increase the order of magnitude by that much really).

FACT - NXT CAN BE BRUTE FORCE COLLISION ATTACKED VERY MUCH MORE EASILY THAN BTC.