Nxt source code flaw reports

[farl4web]

Thanx a lot Evil-Knievel! Enjoy your 100K!

[Evil-Knievel]

This message was too old and has been purged

[BloodyRookie]

Sure, the private key is just the number of times you incremented your Public Key by 9 (which has to be set to 9 itself in the beginning).

Check your comment in the core function of Curve25519.java.

Code:

/* P = kG   and  s = sign(P)/k  */

The public key is just a k * G ( G = 9 = basepoint). k is directly proportional to s which is the private key for signing.

P=kG means skalar multiplication on curve25519, not multiplying integers.

[Evil-Knievel]

This message was too old and has been purged

[jkoil]

I can only imagine this to be the flaw:

Code:

if (lastBlock.getHeight() < Constants.TRANSPARENT_FORGING_BLOCK) {
                byte[] generationSignature = Crypto.sign(lastBlock.getGenerationSignature(), secretPhrase);
                generationSignatureHash = digest.digest(generationSignature);
            } else {
                digest.update(lastBlock.getGenerationSignature());
                generationSignatureHash = digest.digest(publicKey);
            }

            BigInteger hit = new BigInteger(1, new byte[] {generationSignatureHash[7], generationSignatureHash[6], generationSignatureHash[5], generationSignatureHash[4], generationSignatureHash[3], generationSignatureHash[2], generationSignatureHash[1], generationSignatureHash[0]});

So forging before the Transparent Forging Block is really vulnerable to "Mining".
After the transparent forging block you take the generation signature and use the hash of it to look which user gets rewarded with the fees. Before the transparent forging block, the hash of a SIGNATURE of the GenerationSignature has to meet certain criteria. Due to the random "k" in the signing process, you get different values when resigning.

Here you can just start mining with a decent hardware, resigning the generation signature until one of their hashes meets the requirements to collect the fees.

Congrats
... also from saving my bloody time 

[instacalm]

Congratulations, Evil-Knievel!

[LiQio]

Congrats Evil-Knievel, fast and efficient 

PS: I really didn't like your first appearance on the main NXT thread, you came across as way too haughty.
Hope you change that, because I really like the NXT community and would like you to stick around

PPS: Should be empowering for your "Transaction Malleability Reloaded" - watching with interest

[Meizirkki]

I have still doubts about the account mining issue ;-) I have made a small reference implementation (which I would never make public except give it to the devs) which is capable of doing 10 Megahashes (or Megaaccounts) per second on a simple CPU. At some point in the future, this might be an issue.

To be more precise, you can theoretically "mine" twice as fast as the BTC Mining Hardware (as you only need one round of sha256 and the Curve25519 stuff comes at no cost as it is just incerementing the pubkey by 9 = basepoint in each round). So on a FPGA you could try 1,6 billion accounts per second, and on a 7990 GPU around 4 billion accounts per second. Only a matter of time, until you find one public key, which SHA256 hash matches an existing account in the first 8 bytes.

Thank you. I've been told since the beginning that NXT is totally future proof and this is a feature, not a bug. Nxtcrypto.org should show a gigantic warning for every newbie that unless they do an outcoming transaction their accounts are subject to mining. As hardware gets faster each year it's just a matter of time before someone loses their coins.

Congrats for winning the bounty  

[Come-from-Beyond]

Well we can delete all these things if you prefer, and discuss in private  
The problem is, that you do not need to use a secret phase, which is SHA256ed and mapped to a public key on the curve.
With a little tweaking of the GUI you can replace the login commands, so you can enter private keys directly when unlocking an account.

And 9, 18, 27, 36 ... are all fine public keys (of which 1,2,3,4 are the trivial private keys). And one hash of those eventually will match a present AccountID.

No, better discuss it in public.

[Evil-Knievel]

This message was too old and has been purged

[Evil-Knievel]

This message was too old and has been purged

[intmain()]

wait i remember having a github account ... let me push it.

10M account/s? That's pretty impressive, I only could push 6.4M on a 3.4GHz laptop.

[Eadeqa]

To be more precise, you can theoretically "mine" twice as fast as the BTC Mining Hardware (as you only need one round of sha256 and the Curve25519 stuff comes at no cost as it is just incerementing the pubkey by 9 = basepoint in each round). So on a FPGA you could try 1,6 billion accounts per second, and on a 7990 GPU around 4 billion accounts per second. Only a matter of time, until you find one public key, which SHA256 hash matches an existing account in the first 8 bytes.

Interesting approach! Can u get the private key out of this? Or sign a transaction?

PS: Ability to "mine" accounts not secured by a 256-bit key was made on purpose.

Not all accounts without outgoing transactions are lost nxt. This should be be made even more clear to users who login to their accounts but don't have outgoing transactions.

I deposited 100 nxt to crypsty account but there is no outgoing transactions in that account. I hope crypsty (and other exchanges) are aware this could be a problem

[TwinWinNerD]

wait i remember having a github account ... let me push it.

10M account/s? That's pretty impressive, I only could push 6.4M on a 3.4GHz laptop.

10,000,000 accounts/s per PC would need about 317097 years to check all possible digits.
Faster PCs + a mass of miners would lower that number significantly, but then again i thought this was a feature and not a bug?

[Come-from-Beyond]

Here is the Account Miner, and I hope to discuss it with you guys:

https://github.com/litecoin-extras/nxt-account-miner

Build it with simply running:

Code:

./make.sh

And run it with:

Code:

./bruteforcer

In the code specify:

Code:

unsigned long long global_iter = 33333333333LL;

which is the starting private key point P=global_iter * G

And specify the target AccountID:

Code:

unsigned long long target = 16386134630970163904LL;

Also play around with the number of parallely executed processes:

Code:

int ntimes = 2;

I am not sure if the code is all correct, so please review the code and let us make it better ;-)

Why do u need the target account? Mine all the accounts!

[TwinWinNerD]

Here is the Account Miner, and I hope to discuss it with you guys:

https://github.com/litecoin-extras/nxt-account-miner

Build it with simply running:

Code:

./make.sh

And run it with:

Code:

./bruteforcer

In the code specify:

Code:

unsigned long long global_iter = 33333333333LL;

which is the starting private key point P=global_iter * G

And specify the target AccountID:

Code:

unsigned long long target = 16386134630970163904LL;

Also play around with the number of parallely executed processes:

Code:

int ntimes = 2;

I am not sure if the code is all correct, so please review the code and let us make it better ;-)

Why do u need the target account? Mine all the accounts!

Checking against a list of all HiberNXT accounts would significantly lower the rate of 10millionaccs/s

[Eadeqa]

wait i remember having a github account ... let me push it.

10M account/s? That's pretty impressive, I only could push 6.4M on a 3.4GHz laptop.

10,000,000 accounts/s per PC would need about 317097 years to check all possible digits.
Faster PCs + a mass of miners would lower that number significantly, but then again i thought this was a feature and not a bug?

Even 4 billion accounts/per sec will take 146 years to recover all accounts with no outgoing transactions. However, if there are 1000 accounts with no public key that will mean 0.146 years to recover one account on average

[Evil-Knievel]

This message was too old and has been purged

[Eadeqa]

Here is the Account Miner, and I hope to discuss it with you guys:

https://github.com/litecoin-extras/nxt-account-miner

Build it with simply running:

Code:

./make.sh

And run it with:

Code:

./bruteforcer

In the code specify:

Code:

unsigned long long global_iter = 33333333333LL;

which is the starting private key point P=global_iter * G

And specify the target AccountID:

Code:

unsigned long long target = 16386134630970163904LL;

Also play around with the number of parallely executed processes:

Code:

int ntimes = 2;

I am not sure if the code is all correct, so please review the code and let us make it better ;-)

Why do u need the target account? Mine all the accounts!

Checking against a list of all HiberNXT accounts would significantly lower the rate of 10millionaccs/s

Targeting just one account will be very slow though. 146 years to find it with 4 billion per second  rate. If you get very lucky (just after 10% of search), it will still take 14 years.

[TwinWinNerD]

@Twin: This is just a quick-and-dirty implementation, If we had a good structure (maybe some B-trees with a lookup complexity of O(log) ) where all NXT accounts were stored, we could mine them all parallely.
Thats what the github Repository is for ... let us make this "first approach" better ;-)

I am not doubting that.

We could make a mining pool/mining list where we add account numbers, where we are XX% sure that they are DarkNXT (not accessible because of lost/forgotten passphrase)