Bitcoin Forum
Author Topic: Reused R values again  (Read 121116 times)
amaclin
December 14, 2014, 05:29:54 PM
 #181

Quote
the answer is in the post directly above yours (by bcearl).

I only can say for myself: it was too hard for me to reproduce this RNG.
I found sources http://code.google.com/p/srp-js/source/browse/trunk/javascript/prng4.js?r=12
But I do not know how Math.random works in JavaScript.
By the way, the implementation of Math.random can be different in browsers.


johoe (OP)
December 14, 2014, 05:51:32 PM
 #182

I may give more details on the rng later.  At the moment there is still too much money lying around.

Does anyone know how to check if there is an unconfirmed transaction trying to spend an output?
Do I have to use bitcoin-cli listtransactions and then dump each transaction to check which output was spent?

The wallet operations on bitcoind are so slow when you have 1400 private keys imported.

I hate that signtransaction or sendtransaction don't tell me which input it is that I shouldn't spend Roll Eyes.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
LFC_Bitcoin
December 14, 2014, 05:54:15 PM
 #183

Is it safe to send BTC from a blockchain.info wallet to another wallet or cold storage yet?

I'm hesitant to make any transactions on there now.

Am I safer just leaving what I have left there where it is for the moment?

guitarplinker
December 14, 2014, 05:58:16 PM
 #184

Were R values re-used again today? I see that johoe has ~250 BTC more in his wallet today with messages saying "Contact Blockchain support".
yakuza699
December 14, 2014, 06:08:23 PM
 #185

Quote from: guitarplinker
Were R values re-used again today? I see that johoe has ~250 BTC more in his wallet today with messages saying "Contact Blockchain support".

As far as I understand they are from a previous bug of blockchain.info but this time johoe uses all possible values of k.

yakuza699
December 14, 2014, 06:09:50 PM
 #186

Quote from: LFC_Bitcoin
Is it safe to send BTC from a blockchain.info wallet to another wallet or cold storage yet?

I'm hesitant to make any transactions on there now.

Am I safer just leaving what I have left there where it is for the moment?

Yes it is safe to transfer all of the funds from your blockchain.info account to a newly created wallet with bitcoin core and never use that blockchain.info wallet again.

LFC_Bitcoin
December 14, 2014, 06:12:29 PM
 #187

Quote from: LFC_Bitcoin
Is it safe to send BTC from a blockchain.info wallet to another wallet or cold storage yet?

I'm hesitant to make any transactions on there now.

Am I safer just leaving what I have left there where it is for the moment?

Quote from: yakuza699
Yes it is safe to transfer all of the funds from your blockchain.info account to a newly created wallet with bitcoin core and never use that blockchain.info wallet again.

Can I send my entire blockchain wallet to a paper wallet without it being compromised, at least on the blockchain.info end?


yakuza699
December 14, 2014, 06:33:08 PM
 #188

Quote from: LFC_Bitcoin
Is it safe to send BTC from a blockchain.info wallet to another wallet or cold storage yet?

I'm hesitant to make any transactions on there now.

Am I safer just leaving what I have left there where it is for the moment?

Quote from: yakuza699
Yes it is safe to transfer all of the funds from your blockchain.info account to a newly created wallet with bitcoin core and never use that blockchain.info wallet again.

Quote from: LFC_Bitcoin
Can I send my entire blockchain wallet to a paper wallet without it being compromised, at least on the blockchain.info end?

If you mean "Can I send my whole balance from blockchain.info to a paper wallet that is not created by blockchain.info" then yes, it is pretty safe if you generated that paper wallet in an offline mode. But after that never use that blockchain.info wallet.

amaclin
December 14, 2014, 06:35:41 PM
 #189

Quote
Does anyone know how to check if there is an unconfirmed transaction trying to spend an output?

No such tool exists.
Even if your node has no unconfirmed output, you cannot be sure that all your peers do not have such txs in their mempools.
Note: you also cannot spend coinbase outputs from Eligius before 100 confirmations.
LFC_Bitcoin
December 14, 2014, 06:48:07 PM
 #190

Quote from: LFC_Bitcoin
Is it safe to send BTC from a blockchain.info wallet to another wallet or cold storage yet?

I'm hesitant to make any transactions on there now.

Am I safer just leaving what I have left there where it is for the moment?

Quote from: yakuza699
Yes it is safe to transfer all of the funds from your blockchain.info account to a newly created wallet with bitcoin core and never use that blockchain.info wallet again.

Quote from: LFC_Bitcoin
Can I send my entire blockchain wallet to a paper wallet without it being compromised, at least on the blockchain.info end?

Quote from: yakuza699
If you mean "Can I send my whole balance from blockchain.info to a paper wallet that is not created by blockchain.info" then yes, it is pretty safe if you generated that paper wallet in an offline mode. But after that never use that blockchain.info wallet.

Thanks boss

defaced
December 14, 2014, 06:53:42 PM
 #191

this is wild man

Fortune Favors the Brave
johoe (OP)
December 14, 2014, 06:57:58 PM
 #192

Okay, most is swept, I think less than 1 BTC remaining Smiley

I can assure you that there were no massive new weak signatures appearing.   Instead I managed to analyze the broken RNG and produced the same "random" numbers again.  This enabled me to break most of the keys that were exposed last week.  I can break a key, even if the corresponding R value appeared only once in a signature, because my simulated RNG provides the k value.

As always I plan to return it to bc.i and you can contact their support to get your refund.

Thus far I generated 51200 random numbers.  I should check if I find more keys when generating more random numbers.


Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
bcearl
December 14, 2014, 06:58:30 PM
Last edit: December 14, 2014, 07:08:50 PM by bcearl
 #193

Quote
the answer is in the post directly above yours (by bcearl).

I only can say for myself: it was too hard for me to reproduce this RNG.
I found sources http://code.google.com/p/srp-js/source/browse/trunk/javascript/prng4.js?r=12
But I do not know how Math.random works in JavaScript.
By the way, the implementation of Math.random can be different in browsers.




Just write a program with Javascript that prints out some k (and corresponding points R) and save them. I was just too lazy to do all that, I hope that my posting did not inspire some thief. I thought that if I post it maybe another good guy will do it before. Anyways everybody who used the wallet in the time it was broken should have known and sent their coins to new addresses already.

If you know k, you can compute the private key. Known k is even simpler than with two unknown reused values of k.



(If I saved your BTC, you're welcome. 1PMh3K3QrKwaKhmjH46ZqniHwHJvwW3xA)

Misspelling protects against dictionary attacks NOT
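
Added example (not part of the thread or any poster's code): a Python audit sketch that parses the DER-encoded ECDSA signatures of your own transaction inputs and reports any r value that occurs more than once, the reuse this thread is named for. The record layout, labels and sample values are assumptions constructed for illustration; as post #192 notes, a unique r is not proof of a sound nonce when the RNG itself is predictable.

```python
from collections import defaultdict

def parse_der_sig(sig: bytes) -> tuple[int, int]:
    """Return (r, s) from a DER ECDSA signature as found in a scriptSig.
    One trailing byte (the sighash type) is tolerated."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] & 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    end = 2 + sig[1]
    if end > len(sig) or len(sig) - end > 1:
        raise ValueError("SEQUENCE length does not match input")
    pos, ints = 2, []
    for _ in range(2):
        if pos + 2 > end or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        n = sig[pos + 1]
        if n == 0 or n & 0x80 or pos + 2 + n > end:
            raise ValueError("bad INTEGER length")
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + n], "big"))
        pos += 2 + n
    if pos != end:
        raise ValueError("trailing bytes inside SEQUENCE")
    return ints[0], ints[1]

def find_reused_r(records):
    """records: (label, pubkey_hex, sig_hex) tuples (hypothetical layout).
    Returns {r: [(label, pubkey_hex), ...]} for every r seen more than once."""
    by_r = defaultdict(list)
    for label, pubkey, sig_hex in records:
        r, _s = parse_der_sig(bytes.fromhex(sig_hex))
        by_r[r].append((label, pubkey))
    return {r: hits for r, hits in by_r.items() if len(hits) > 1}

def _der_int(x: int) -> bytes:
    # Extra leading 0x00 when the top bit is set, so the INTEGER stays positive.
    b = x.to_bytes((x.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(b)]) + b

def make_sig(r: int, s: int, sighash: int = 0x01) -> str:
    """Encode constructed sample values the way they appear in a scriptSig."""
    body = _der_int(r) + _der_int(s)
    return (b"\x30" + bytes([len(body)]) + body + bytes([sighash])).hex()

# Constructed sample data (not real transactions, keys or signatures).
R_DUP, R_OK = int("a1" * 32, 16), int("1b" * 32, 16)
SAMPLE = [
    ("tx-a:0", "02" + "11" * 32, make_sig(R_DUP, int("22" * 32, 16))),
    ("tx-b:0", "02" + "11" * 32, make_sig(R_DUP, int("33" * 32, 16))),
    ("tx-c:1", "03" + "44" * 32, make_sig(R_OK, int("55" * 32, 16))),
]

if __name__ == "__main__":
    for r, hits in find_reused_r(SAMPLE).items():
        print(f"r={r:064x} reused in {[label for label, _ in hits]}")
```

Any key that appears in the report should be treated as exposed: move its funds to an address generated by different software and stop signing with it.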
gabridome
December 14, 2014, 07:16:17 PM
 #194

Quote from: johoe
Okay, most is swept, I think less than 1 BTC remaining Smiley

I can assure you that there were no massive new weak signatures appearing.   Instead I managed to analyze the broken RNG and produced the same "random" numbers again.  This enabled me to break most of the keys that were exposed last week.  I can break a key, even if the corresponding R value appeared only once in a signature, because my simulated RNG provides the k value.

As always I plan to return it to bc.i and you can contact their support to get your refund.

Thus far I generated 51200 random numbers.  I should check if I find more keys when generating more random numbers.



You are really someone in my personal hall of fame man.
Even if I don't keep a penny on b.I. I feel bad for them and for their customers and I know that many horrible things may happen in the future also to others and it is very good to know someone like you is around.
BlindMayorBitcorn
December 14, 2014, 07:27:54 PM
 #195

Quote
could you tell me the price of BTC 2016.1.1?
I can. Less than $10. Wanna bet?
But discussing price / loses / investing / risk / insurance / obligations is offtopic here.

UPD: sorry, i do not understand chinese.

This bet open to anyone?

Forgive my petulance and oft-times, I fear, ill-founded criticisms, and forgive me that I have, by this time, made your eyes and head ache with my long letter. But I cannot forgo hastily the pleasure and pride of thus conversing with you.
yakuza699
December 14, 2014, 07:59:01 PM
 #196

Quote from: johoe
Okay, most is swept, I think less than 1 BTC remaining Smiley

Wrong, this address alone holds 1.6BTC https://blockchain.info/address/1JLiqe4sbD2Qfj1cnmaPDiaxAjQTVBXaMk
This one has 0.15BTC https://blockchain.info/address/1Lp5FEqQf5dHeZyJpoB46gxMUqpbVtepBN
This one has 1.15BTC https://blockchain.info/address/1HYw2qecuFCL1CdXt1eShPF9fyUdXLUfBW
This one has 0.28BTC https://blockchain.info/address/1MY5sbAmgQyhZ5cAeqkiREnGdqvf7MbwfT

bcearl
December 14, 2014, 08:05:29 PM
 #197


Maybe they don't have weak k?

Misspelling protects against dictionary attacks NOT
itod
December 14, 2014, 08:20:16 PM
 #198

Quote from: johoe
Do I have to use bitcoin-cli listtransactions and then dump each transaction to check which output was spent?

The wallet operations on bitcoind are so slow when you have 1400 private keys imported.

As I understand there's a new feature which will be introduced into bitcoind 0.10.0 to work with addresses without importing private keys (watch-only):
https://github.com/bitcoin/bitcoin/pull/4045
It should give you what you want with 'listtransactions', and should be working already in 0.10 branch in github, if you feel like working with it.
bcearl
December 14, 2014, 08:25:51 PM
 #199

Quote from: johoe
Okay, most is swept, I think less than 1 BTC remaining Smiley

I can assure you that there were no massive new weak signatures appearing.   Instead I managed to analyze the broken RNG and produced the same "random" numbers again.  This enabled me to break most of the keys that were exposed last week.  I can break a key, even if the corresponding R value appeared only once in a signature, because my simulated RNG provides the k value.

As always I plan to return it to bc.i and you can contact their support to get your refund.

Thus far I generated 51200 random numbers.  I should check if I find more keys when generating more random numbers.

I am glad that you could rescue them. I was too lazy to do all the coding, and I haven't started at all yet. Smiley

Misspelling protects against dictionary attacks NOT
yakuza699
December 14, 2014, 08:38:57 PM
 #200

Quote from: bcearl
Maybe they don't have weak k?

Well he already swiped from those addresses once but he left some so he will probably swipe the remaining ones

Quote from: bcearl
I am glad that you could rescue them. I was too lazy to do all the coding, and I haven't started at all yet. Smiley

I still don't really understand how to do it by hand not talking about the coding.
