Quick theft

[o_e_l_e_o]

It's from the binary raw private key which is SHA256ed, made readable for us meatbags by the hex representation of the private key.

The private key 000....0002 I have given above is a raw private key. It is not passed through SHA256 as in the case of a brain wallet. It is simply used as-is, and multiplied by the generator point G to find the public key.

Fix: [0, ...

No. 0 is not a valid private key.

[pbies]

The private key 000....0002 I have given above is a raw private key. It is not passed through SHA256 as in the case of a brain wallet. It is simply used as-is, and multiplied by the generator point G to find the public key.

I don't agree.

Given 00..02 key is 64-digits hexadecimal representation of 32 bytes, which can be converted to WIF by Base58Encode_check (a function from Python, just for example). This goes: 1. current hexadecimal -> 2. bytes -> 3. add 0x80 at front -> 4. add checksum by sha256 (twice?) -> 5. base58encode it

I would name raw private key to be binary (with no direct ASCII representation on screen/web) and consist of any number of bytes, even zero, up to reasonable quantity, which also would go through sha256 and base58encode to make WIF from it.

[o_e_l_e_o]

Given 00..02 key is 64-digits hexadecimal representation of 32 bytes, which can be converted to WIF by Base58Encode_check (a function from Python, just for example). This goes: 1. current hexadecimal -> 2. bytes -> 3. add 0x80 at front -> 4. add checksum by sha256 (twice?) -> 5. base58encode it

The whole point of a WIF private key is simply to encode mainnet/testnet, compressed/uncompressed, and to include a checksum. If you import a WIF private key to your wallet, your wallet converts it back to the raw hex or binary before plugging it in to the elliptic curve multiplication equation to calculate your public key.

If you already have a raw private key in binary or hex, then you do not need to SHA256 it at any point to calculate the public key. You only need to use SHA256 to turn in to a WIF private key.

I would name raw private key to be binary (with no direct ASCII representation on screen/web) and consist of any number of bytes, even zero, up to reasonable quantity, which also would go through sha256 and base58encode to make WIF from it.

This is simply not correct. A private key must fall between the following hex numbers (inclusive):

Code:

0000000000000000000000000000000000000000000000000000000000000001
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140

Any number outside this range is invalid. This is not an arbitrary limit; it is inherent to the secp256k1 curve which bitcoin uses. n is the prime order of the generator point G, with the largest valid private key being n - 1. Trying to use a private key of zero will output the point at infinity on the curve.

[NotATether]

One of these days, somebody should make a database. With a few hundred gigabytes of memory. It should have all of the common brainwallet private keys and legacy addresses inside it.

Then, you make a "lite" version of Bitcoin Core with only methods for address check balance and make [RBF] transaction. So that Core loads faster.

Now, run a loop, checking each and every address for a balance, then you create a transaction that burns the ENTIRE balance in fees. Attackers won't be able to bump this transaction with their own, because nearly the entire balance has already been allocated to miners anyway.

Bitcoin - even the stolen coins contribute to the network security. (Denial-of-service for theives.)

[ABCbits]

Now, run a loop, checking each and every address for a balance, then you create a transaction that burns the ENTIRE balance in fees. Attackers won't be able to bump this transaction with their own, because nearly the entire balance has already been allocated to miners anyway.

Don't loop every address naively, the thief would get lots of time advantage to broadcast non-RBF transaction. I don't know if it's best option, but bloom filter could help. Also run it on few different region to handle transaction propagation delay.

[PawGo]

Now, run a loop, checking each and every address for a balance, then you create a transaction that burns the ENTIRE balance in fees. Attackers won't be able to bump this transaction with their own, because nearly the entire balance has already been allocated to miners anyway.
Bitcoin - even the stolen coins contribute to the network security. (Denial-of-service for theives.)

That's very interesting concept. It may be extended into "management of address", where owner signs kind of message which "blocks" given address (we may say it would be irreversible) and any output sent would be burn in the way you described (or any other). Or sends back. To have it working flawlessly, it had to be implemented in every node, not to have 'centralized' database. Which means there would be a way to mark address as 'closed' (like closed account in bank).
That would allow for example "addresses managers" (like exchanges, shops, casinos etc, any companies which produces deposit addresses for customers) to block used addresses of given/past clients.

[pbies]

Any number outside this range is invalid. This is not an arbitrary limit; it is inherent to the secp256k1 curve which bitcoin uses. n is the prime order of the generator point G, with the largest valid private key being n - 1. Trying to use a private key of zero will output the point at infinity on the curve.

No, it is not invalid as long as can be converted to WIF. We are talking about different things here.
And every string every length can be converted to WIF. Eventually it will give the same WIF as other string.

You are talking about soft limit, that all the given space (000...-fff...) would be used by this range. So there will be no more different keys produced.
The hard limit is bits in Base58check for WIF. But even then you can use shorter or longer WIF to/from which you can send BTC.

[seoincorporation]

One of these days, somebody should make a database. With a few hundred gigabytes of memory. It should have all of the common brainwallet private keys and legacy addresses inside it.

Then, you make a "lite" version of Bitcoin Core with only methods for address check balance and make [RBF] transaction. So that Core loads faster.

Now, run a loop, checking each and every address for a balance, then you create a transaction that burns the ENTIRE balance in fees. Attackers won't be able to bump this transaction with their own, because nearly the entire balance has already been allocated to miners anyway.

Bitcoin - even the stolen coins contribute to the network security. (Denial-of-service for theives.)

You don't have to check the address balance, you could check the wallet balance...

Code:

./bitcoin-cli getinfo | grep balance

The idea is to be faster than the Theft, so, if we can skip the steps of building the transaction maybe we can spend the coins faster.

Code:

./bitcoin-cli sendtoaddress "1MyColdWallet..." $balance

I was thinking about the full bashscript, and would be something like this:

Code:

balance=$(./bitcoin-cli getinfo | grep balance | cut -d " " -f7 | sed 's/,//')-0.0001 | bc); ./bitcoin-cli sendtoaddress "1MyColdWallet..." $balance

And most of people would think to put this on a while, but i would use the yes command for this task

Code:

yes $(my script)

[NotATether]

I was thinking about the full bashscript, and would be something like this:

Code:

balance=$(./bitcoin-cli getinfo | grep balance | cut -d " " -f7 | sed 's/,//')-0.0001 | bc); ./bitcoin-cli sendtoaddress "1MyColdWallet..." $balance

And most of people would think to put this on a while, but i would use the yes command for this task

Code:

yes $(my script)

Yeah, something like that, but the commands should be "inline".

I mean to say, each and every call to the JSON-RPC queues an additional task. This is an unacceptable latency when you have thousands of addresses to check. So the JSON-RPC layer has to be skipped completely once the loop is entered.

@PawGo

I'm not sure implementing this on a protocol level would be a good idea, this is tantamount to introducing an address blacklisting feature. Currently, there is no way for the protocol to know which addresses are cracked (i.e. stolen) or not, so such a feature would be abused by governments to enforce arbitrary closing of addresses i.e. asset freeze for any user.

[pbies]

...

This is a brilliant post!

Ready solution!

But...

The transactions are taken by the thieves immediately mostly (as I have seen) so the second transaction is made in the same block.
That means the thieves operate on protocol level, not bitcoin-cli. When you get the balance the BTC is already gone!
And that means there is very little chance to get BTC as when there is input, exactly in the same 5 seconds is made output transaction.

[o_e_l_e_o]

No, it is not invalid as long as can be converted to WIF. We are talking about different things here.

It is. Putting a number outside the range I have given through the same steps you would use to generate a WIF private key does not make it a valid private key.

And every string every length can be converted to WIF. Eventually it will give the same WIF as other string.

No, it won't. The process for generating a WIF from a hex key simply involves adding a network byte, an optional compression byte, a checksum, and then converting the whole thing from hex to Base58. There is a 1-to-1 relationship between private keys in hex and private keys in WIF. You will not find two different hex keys which generate the same WIF string.

[pbies]

No, it is not invalid as long as can be converted to WIF. We are talking about different things here.

It is. Putting a number outside the range I have given through the same steps you would use to generate a WIF private key does not make it a valid private key.

And every string every length can be converted to WIF. Eventually it will give the same WIF as other string.

No, it won't. The process for generating a WIF from a hex key simply involves adding a network byte, an optional compression byte, a checksum, and then converting the whole thing from hex to Base58. There is a 1-to-1 relationship between private keys in hex and private keys in WIF. You will not find two different hex keys which generate the same WIF string.

You are totally wrong.

Valid WIF does not need to come from hex number in a specific range. It can even have less than 1/3 characters of original length of WIFs.

Yes, it will give the same result, example: you have string which you convert to WIF and 64-digits hex - both will give the same WIF. The problem here is to compute them to give the same WIF.
If I go outside your range [1,...] with hex I can create such hex that will give the same WIF as in your range. Because the range is full space.
If I give some phrases and convert them to WIF I can still receive one of the WIFs created from hex within your range.

[pooya87]

Valid WIF does not need to come from hex number in a specific range.

WIF is just the string encoding and it doesn't matter at all. The numerical value  that the WIF represents is the important part. If it is not in range then the key is invalid so you either have to reject it as invalid or "change" it to become valid, one way is to reduce it modulo curve order to make it valid. But the original value was still invalid...

[BlackHatCoiner]

Valid WIF does not need to come from hex number in a specific range. It can even have less than 1/3 characters of original length of WIFs.

Do you contradict yourself here, acknowledging the "original" length of a WIF private key is not what you say it is?

Let's make some statements to clear up the situation:

• A WIF private key is a series of bytes encoded in base58. Specifically, it's a version byte (0x80 for mainnet) followed by the private key (in hex), followed by a compression byte (0x01 for compressed, empty for uncompressed) and finally, followed by a checksum.
• Compressed WIF private keys are 52 characters long and start with either a "L" or a "K". Uncompressed WIF private keys are 51 characters long and start with "5".
• You can encode any series of bytes to WIF (version_byte + number + compression_byte + checksum), but this won't make it a valid Bitcoin private key. To do so, the number has to be between [1, n-1] where n the prime order of the generator point of secp256k1.
• Each number gives a unique WIF private key. And that's true for beyond that range.
• If you take a phrase and convert it to WIF, it is highly unlikely to be a valid Bitcoin private key.

[o_e_l_e_o]

I think the confusion here is that it seems pbies is talking about taking any arbitrary string, passing it through SHA256 (or some other function) to create a (usually) valid private key in hex, and then encoding that as a WIF. In this case he is correct in saying that there are many different strings from outside the range given which when first SHA256ed will result in the same private key (although it is almost certainly impossible to find such a collision).

However, the point I made above is not incorrect: There is a 1-to-1 relationship between valid hex private keys and WIFs. All you are doing with a WIF is changing the encoding. Just as there is exactly one unique binary representation of each decimal number, there is exactly one unique WIF of each hex private key.

[PawGo]

I think the confusion here is that it seems pbies is talking about taking any arbitrary string, passing it through SHA256 (or some other function) to create a (usually) valid private key in hex, and then encoding that as a WIF. In this case he is correct in saying that there are many different strings from outside the range given which when first SHA256ed will result in the same private key (although it is almost certainly impossible to find such a collision).

Have you ever heard about any brainwallet (or simply saying just a sha256 hashed phrase) which produces wrong private key? As upper boundary is not fff...fff, but a little less, do we know any example of sha256 result which "bigger" than allowed private key?

[LoyceV]

It could be more efficient if you utilize walletnotify which automatically execute Bash script when you receive Bitcoin.

Will that be fast enough, compared the the (no doubt) specialized software used by brainwallet crackers?

[BlackHatCoiner]

Have you ever heard about any brainwallet (or simply saying just a sha256 hashed phrase) which produces wrong private key? As upper boundary is not fff...fff, but a little less, do we know any example of sha256 result which "bigger" than allowed private key?

Let's take the numbers. There is exactly this number of valid private keys:

Code:

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364140
(115792089237316195423570985008687907852837564279074904382605163141518161494336)

And this number of possible SHA256 outputs:

Code:

FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
(115792089237316195423570985008687907853269984665640564039457584007913129639935)

Dividing the first number by the second, and multiplying by 100, gives about 99.9999999999999999999999999999999999996%.
There's about 0.00000000000000000000000000000000000037% (!!!) chance to find a hash that can't be a valid private key.

Fact: The Bitcoin network uses so much computational power that has dropped the target to:

Code:

00000000000000000009FD7E0000000000000000000000000000000000000000
(956871428990014096800480126306339386063092842672160768)

This means there's a 0.0000000000000000000008% chance to solve the next block. Therefore, it's about 2 quintillion times more probable to solve the next block than to find a hash that isn't a valid Bitcoin private key. (Although, it's about 1 quintillion, because in mining you hash the block header twice, in comparison with brain wallets)

Edit: actually, the total SHA256 outputs are 2^256 (not 2^256-1), I forgot the value 0. Anyway, same results.

[o_e_l_e_o]

Have you ever heard about any brainwallet (or simply saying just a sha256 hashed phrase) which produces wrong private key? As upper boundary is not fff...fff, but a little less, do we know any example of sha256 result which "bigger" than allowed private key?

No, I haven't. To follow on from BlackHatCoiner's calculations above, there are this many outputs from SHA256 which generate an invalid private key:

Code:

432,420,386,565,659,656,852,420,866,394,968,145,599

So you would need to test, on average, 1.34*10³⁸ different strings to have a 50% chance of finding a single string whose SHA256 output falls outside of the valid range. That's 134 billion billion billion billion. So probably never going to happen. Although you could get round this near impossible scenario by simply coding your brain wallet generator to perform modulo n on any SHA256 output it generates. (Although technically speaking you will reduce your entropy since the first x number of keys are now twice as likely to be generated than any other key, with x being equal to the number I gave above.)

[NotATether]

WTF, creating such a big list of brainwallets might be possible after all.

So inside my site database, I was doing some routine maintenance, when I stumbled upon a table that had 27K+ records inside it (most of them junk words and phrases/numbers). To my surprise, it turned out to be the table for search queries.

I don't get that much traffic, compared to say Bitcoin Magazine, but I am pretty sure that there is at least some user input there, in the sea of robot input with random combinations of words inside my posts.