Bitcoin Forum
December 16, 2019, 05:02:54 AM *
News: Latest Bitcoin Core release: 0.19.0.1 [Torrent]
 
   Home   Help Search Login Register More  
Pages: « 1 2 3 4 5 6 7 [8] 9 10 11 12 13 14 15 16 17 18 19 20 21 22 »  All
  Print  
Author Topic: Reused R values again  (Read 119737 times)
travis72682
Full Member
***
Offline Offline

Activity: 168
Merit: 100


View Profile
December 11, 2014, 08:34:34 AM
 #141

MUCH respect man.... ever thought about starting up a coin?  I would buy based on this alone. . .

Free coins for doing nothing https://qoinpro.com/d45ca89a36b0bfdd29925ca28760ef53
gimme free btc Tongue  :  14DsWStNquSGgJtekxd3CXZvnTsyLmGxeT
http://ribbit.me/?ref=mYUbs6r4OB  free coins or something
pimpcash:  PE4QF7MrgY6gvBuAiwFq2ckHyb7m2utTcF
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction. Advertise here.
1576472574
Hero Member
*
Offline Offline

Posts: 1576472574

View Profile Personal Message (Offline)

Ignore
1576472574
Reply with quote  #2

1576472574
Report to moderator
johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
December 11, 2014, 07:20:54 PM
 #142

Hello,

thanks for all the warm words.  I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i.  Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time).  If you still want to donate I added one of my bitcoin addresses to the signature.  And if you ever need to store 267 BTC safely for a few days Cheesy, you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions.  The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues.  So clear your browser cache and reload the blockchain page.  

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken.  
Even if it is not on my list.  The same holds for every address you sent money from during that period using the blockchain service.  If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money.  I'm not sure of the end of the time window.  The first buggy transaction occured Dec. 7 21:53:26 UTC.  

If you lost money during the last days you can reclaim it by writing to the blockchain support.  They can see whether your claim is valid and will refund you.  That said, I'm not affiliated with blockchain.info  (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

the money to these addresses have been returned.

I see that there are several different 1xy... addresses related with this incident.  These are not mine.

I hope that all remaining issues will be resolved soon.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
NxtChg
Hero Member
*****
Offline Offline

Activity: 840
Merit: 1000


Simcoin Developer


View Profile WWW
December 11, 2014, 07:24:51 PM
 #143

thanks for all the warm words.  I very much appreciated them.

A "thank you" from me too. You saved about 3 BTC of my users' money (I hope blockchain.info will return it).

Very noble of you, sir.

Simcoin: https://simtalk.org:444/ | The Simplest Bitcoin Wallet: https://tsbw.io/ | Coinmix: https://coinmix.to | Tippr stats: https://tsbw.io/tippr/
--
About smaragda and his lies: https://medium.com/@nxtchg/about-smaragda-and-his-lies-c376e4694de9
windpath
Legendary
*
Offline Offline

Activity: 1256
Merit: 1022


View Profile WWW
December 11, 2014, 09:13:27 PM
 #144

Hello,

thanks for all the warm words.  I very much appreciated them.

You very much earned them!

Thanks again for you honesty and the work you put in to protect people from theft.
MrGreenHat
Full Member
***
Offline Offline

Activity: 173
Merit: 100


View Profile
December 12, 2014, 02:09:38 AM
 #145

Very cool of you, didn't lose any funds but its refreshing to see this sort of thing.
Willisius
Sr. Member
****
Offline Offline

Activity: 364
Merit: 250

I'm really quite sane!


View Profile
December 12, 2014, 03:04:13 AM
 #146

Hello,

thanks for all the warm words.  I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i.  Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time).  If you still want to donate I added one of my bitcoin addresses to the signature.  And if you ever need to store 267 BTC safely for a few days Cheesy, you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions.  The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues.  So clear your browser cache and reload the blockchain page.  

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken.  
Even if it is not on my list.  The same holds for every address you sent money from during that period using the blockchain service.  If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money.  I'm not sure of the end of the time window.  The first buggy transaction occured Dec. 7 21:53:26 UTC.  

If you lost money during the last days you can reclaim it by writing to the blockchain support.  They can see whether your claim is valid and will refund you.  That said, I'm not affiliated with blockchain.info  (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

the money to these addresses have been returned.

I see that there are several different 1xy... addresses related with this incident.  These are not mine.

I hope that all remaining issues will be resolved soon.

Do you think the majority of the reused "R' values issue has been resolved? If so could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)
itod
Legendary
*
Offline Offline

Activity: 1582
Merit: 1022


^ Will code for Bitcoins


View Profile
December 12, 2014, 11:24:27 AM
 #147

... could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store. At the bottom of this article http://kakaroto.homelinux.net/2012/01/how-the-ecdsa-algorithm-works/ you have two simple formulas how to calculate the private key from two reused R values. johoe monitored the blockchain to find repeating R values, they are public in every transaction.

Edit:
To be technically precise, R is the point on the curve you get as R=k*G, k being the random number and G being the reference point. Sony used k=4 as a random number.

 
                                . ██████████.
                              .████████████████.
                           .██████████████████████.
                        -█████████████████████████████
                     .██████████████████████████████████.
                  -█████████████████████████████████████████
               -███████████████████████████████████████████████
           .-█████████████████████████████████████████████████████.
        .████████████████████████████████████████████████████████████
       .██████████████████████████████████████████████████████████████.
       .██████████████████████████████████████████████████████████████.
       ..████████████████████████████████████████████████████████████..
       .   .██████████████████████████████████████████████████████.
       .      .████████████████████████████████████████████████.

       .       .██████████████████████████████████████████████
       .    ██████████████████████████████████████████████████████
       .█████████████████████████████████████████████████████████████.
        .███████████████████████████████████████████████████████████
           .█████████████████████████████████████████████████████
              .████████████████████████████████████████████████
                   ████████████████████████████████████████
                      ██████████████████████████████████
                          ██████████████████████████
                             ████████████████████
                               ████████████████
                                   █████████
.CryptoTalk.org.|.MAKE POSTS AND EARN BTC!.🏆
stv
Newbie
*
Offline Offline

Activity: 27
Merit: 0


View Profile
December 12, 2014, 12:04:20 PM
 #148

This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store.

It was known right from the beginning, when ElGamal published his signature scheme, on which Schnorr signatures are based, on which classical DSA is based, on which ECDSA is based.


From his 1985 paper:
Quote
Note 2: If any k is used twice in the signing, then the system of equations is uniquely determined and x can be recovered. So for the system to be secure, any value of k should never be used twice.
gmaxwell
Moderator
Legendary
*
qt
Online Online

Activity: 2898
Merit: 2865



View Profile
December 12, 2014, 12:37:47 PM
 #149

And should have been obvious to anyone who has implemented the cryptosystem too,  if k didn't have to be secret/unique you could just make it a parameter of the system and eliminate r and halve the size of the signatures.
JorgeStolfi
Hero Member
*****
Offline Offline

Activity: 910
Merit: 1002



View Profile
December 12, 2014, 03:55:50 PM
 #150

Sony used k=4 as a random number.

You mean that 4 is not a random number?  It looks quite random to me.

More than 9, for sure...

Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
TheRealSteve
Hero Member
*****
Offline Offline

Activity: 686
Merit: 500

FUN > ROI


View Profile
December 12, 2014, 04:06:24 PM
 #151

You mean that 4 is not a random number?  It looks quite random to me.
Well, it was chosen by fair dice roll.  guaranteed to be random.

sumantso
Legendary
*
Offline Offline

Activity: 1050
Merit: 1000



View Profile
December 12, 2014, 05:18:03 PM
 #152

Hello,

thanks for all the warm words.  I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i.  Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time).  If you still want to donate I added one of my bitcoin addresses to the signature.  And if you ever need to store 267 BTC safely for a few days Cheesy, you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions.  The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues.  So clear your browser cache and reload the blockchain page.  

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken.  
Even if it is not on my list.  The same holds for every address you sent money from during that period using the blockchain service.  If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money.  I'm not sure of the end of the time window.  The first buggy transaction occured Dec. 7 21:53:26 UTC.  

If you lost money during the last days you can reclaim it by writing to the blockchain support.  They can see whether your claim is valid and will refund you.  That said, I'm not affiliated with blockchain.info  (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

the money to these addresses have been returned.

I see that there are several different 1xy... addresses related with this incident.  These are not mine.

I hope that all remaining issues will be resolved soon.


No, thank you. This could've been another black mark on Bitcoin to the people outside, but thanks to you it remained quiet, so much so even a lot on this forum is unaware.

Saying that I am now wary of Blockchain.info and probably will not trust it anymore.

johoe
Full Member
***
Offline Offline

Activity: 217
Merit: 141


View Profile
December 12, 2014, 05:46:40 PM
 #153

Do you think the majority of the reused "R' values issue has been resolved? If so could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

A reused R value is easily identified.  Just go through the blockchain data extract the r values (the first part of the signature), put them into a set and, if it was already in this set before, print it out.  You need a set with more than 100 million elements, but this is technically not so difficult to manage.

I have two lists of addresses, broken and endangered, the latter contains all addresses that were used in connection with an reused R value or are equal to an R value (R is very similar to a public key).  The money of the broken list is now swiped except for some dust; less than 10 mBTC in total.  But there is still some money in the addresses of the endangered list.  Nonetheless, these addresses should be considered compromised and I think with a bit of brute force it should be possible to break them.   At least these users should have been warned by now, since blockchain also has these lists.

I detectected a bit more than 1500 transactions with reused R values since Dec.7 (some of them are related to another problem that is going on since September). My guess is that statistically there should be about 500 additional transactions with a weak R value, where the R value was never reused; but this is pure guesswork.   These should also be considered compromised, but I have no way to detect them, so the users cannot be warned directly. Also newly generated keys should be considered compromised, even if they had no transactions at all.  So if you used blockchain in that time-window consider yourself affected even if you are not in one of my lists.




Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
bcearl
Full Member
***
Offline Offline

Activity: 168
Merit: 100



View Profile
December 12, 2014, 05:54:39 PM
 #154

@johoe: Did you use the blockchainr tool or make your own?

Misspelling protects against dictionary attacks NOT
coins101
Legendary
*
Offline Offline

Activity: 1456
Merit: 1000



View Profile
December 12, 2014, 09:02:36 PM
 #155

Hello,

there has been a lot of reused R values in the signatures on the blockchain, recently.  This exposed many private keys.  After googleing the addresses, I think it is related to Counterparty (XCP).  Here is a list of the exposed addresses in alphabetic order.  Most keys were exposed very recently, i.e., in the last week.

If you own one of the following addresses, you should transfer the money to a fresh address (before someone else does it for you).  Also figure out, which client has the bug that revealed the private key by reusing R values.  Then notify the author of that tool.

Hey, Johoe

I wasn't affected, but I just wanted to say thanks for being such an honest member of the global Bitcoin community.

It's such a welcome and refreshing piece of news.

If you ever need any help with anything, PM and I'll see if I can do anything to help or put you in contact with someone who might be able to help - with anything.
TanteStefana2
Legendary
*
Offline Offline

Activity: 1232
Merit: 1000


View Profile
December 13, 2014, 02:21:57 AM
 #156

The money has been returned to blockchain.info.  Please write to blockchain support to claim refund.

Quote
From: Ben Reeves <...@blockchain.info>
If you could return the funds to address 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP that would be fantastic.

I should also add if that using our admin tools, if users supply us with the correct wallet information, we are able to accurately determine which refund claims are valid and which are not. So far we have processed over 30 refund requests and will be processing more over the rest of this week.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJUh5AdAAoJEP3NqDUC96SQqH0H/3pTTawCXZWfWAwIoVQPkSYa
DgpioEvHLDHXegfAfXyo8X9vc50kEseQVeZ5FAvoeC3Hy76gNIgEDllP5o6FUXL2
HsEj7qcafY5AxlxMgRRG9p1OcbeJS6mlbZrjB78BD+zrtzZaLFoSAf4+lw3YZHg5
xvA0WyNoHE1Hzg8+pdPbg1PPN6dHT38+PCyqFgYIjkjq07UbxxtyyWs8KIQqSuTe
4XIh0gjd73Wqtxm4CAHtnwy0PA5Pi/lE7v0d6qqF2l86SlxDkT6067asMw9Te0JJ
WgnFM8fePrM8HU980n0xvamae7J71zlFMN2/RYfj2t/pTIEWz25ZI2iVS0MGg14=
=9MGK
-----END PGP SIGNATURE——

PGP key is available from https://blockchain.info/security.txt



https://blockchain.info/tx/ea8fa447d59000843910932a42bf7a28915772d97a006e97714d026b78885754

You look good in a white hat Wink  Sincere thanks for discovering this and seeing it through!

Another proud lifetime Dash Foundation member Smiley My TanteStefana account was hacked, Beware trading
"You'll never reach your destination if you stop to throw stones at every dog that barks."
Sir Winston Churchill  BTC: 12pu5nMDPEyUGu3HTbnUB5zY5RG65EQE5d
dexX7
Legendary
*
Offline Offline

Activity: 1106
Merit: 1005



View Profile WWW
December 13, 2014, 03:31:09 AM
 #157

My guess is that statistically there should be about 500 additional transactions with a weak R value, ...

What does "weak" mean in this context? I'm also wondering about the "endangered" list: since they already moved coins, I would assume they are now "secured", or is this a flawed assumption? This thread becomes more and more interesting, thanks for your input.

/tip 250000 bits Wink

bithernet
Hero Member
*****
Offline Offline

Activity: 648
Merit: 500

A simple and secure Bitcoin wallet!


View Profile WWW
December 13, 2014, 04:00:18 AM
 #158

Hi, johoe.

You are really a hero. Nice job!

Since the day before yesterday, Bitcoin users in China asked our team about blockchain.info's problem.
So we started digging into the issue and found out:
It was not only the repeated-R, and there were more users affected by this event.

Some bitcoins on these vulnerable addresses that we found were collected to here: 1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh

Currently we are continuing to evaluate the consequences.
After we finish all analysis, we will post more details here and try to return these bitcoins to correct users.

Wen Hao
Bither Team

http://Bither.net
Bither - a simple and secure Bitcoin wallet!
1BsTwoMaX3aYx9Nc8GdgHZzzAGmG669bC3
theymos
Administrator
Legendary
*
Offline Offline

Activity: 3598
Merit: 7356


View Profile
December 13, 2014, 04:13:13 AM
 #159

What does "weak" mean in this context?

It means that the k value used might be predictable due to the bad RNG. If someone can guess the k used in a transaction, then the private key can be recovered.

1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
LifeisGreat88088
Full Member
***
Offline Offline

Activity: 149
Merit: 100


View Profile
December 13, 2014, 08:09:16 AM
 #160

I lost 23800 safecoin linked to my btc address , who would take the responsibility?  XCP or blockchain.info?

Pages: « 1 2 3 4 5 6 7 [8] 9 10 11 12 13 14 15 16 17 18 19 20 21 22 »  All
  Print  
 
Jump to:  

Sponsored by , a Bitcoin-accepting VPN.
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!