Reused R values again

[travis72682]

MUCH respect man.... ever thought about starting up a coin?  I would buy based on this alone. . .

[1714125926]

1714125926

[1714125926]

1714125926

[1714125926]

1714125926

[johoe]

Hello,

thanks for all the warm words.  I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i.  Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time).  If you still want to donate I added one of my bitcoin addresses to the signature.  And if you ever need to store 267 BTC safely for a few days , you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions.  The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues.  So clear your browser cache and reload the blockchain page.  

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken.  
Even if it is not on my list.  The same holds for every address you sent money from during that period using the blockchain service.  If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money.  I'm not sure of the end of the time window.  The first buggy transaction occured Dec. 7 21:53:26 UTC.  

If you lost money during the last days you can reclaim it by writing to the blockchain support.  They can see whether your claim is valid and will refund you.  That said, I'm not affiliated with blockchain.info  (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

the money to these addresses have been returned.

I see that there are several different 1xy... addresses related with this incident.  These are not mine.

I hope that all remaining issues will be resolved soon.

[NxtChg]

thanks for all the warm words.  I very much appreciated them.

A "thank you" from me too. You saved about 3 BTC of my users' money (I hope blockchain.info will return it).

Very noble of you, sir.

[windpath]

Hello,

thanks for all the warm words.  I very much appreciated them.

You very much earned them!

Thanks again for you honesty and the work you put in to protect people from theft.

[MrGreenHat]

Very cool of you, didn't lose any funds but its refreshing to see this sort of thing.

[Willisius]

Hello,

thanks for all the warm words.  I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i.  Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time).  If you still want to donate I added one of my bitcoin addresses to the signature.  And if you ever need to store 267 BTC safely for a few days , you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions.  The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues.  So clear your browser cache and reload the blockchain page.  

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken.  
Even if it is not on my list.  The same holds for every address you sent money from during that period using the blockchain service.  If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money.  I'm not sure of the end of the time window.  The first buggy transaction occured Dec. 7 21:53:26 UTC.  

If you lost money during the last days you can reclaim it by writing to the blockchain support.  They can see whether your claim is valid and will refund you.  That said, I'm not affiliated with blockchain.info  (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

the money to these addresses have been returned.

I see that there are several different 1xy... addresses related with this incident.  These are not mine.

I hope that all remaining issues will be resolved soon.

Do you think the majority of the reused "R' values issue has been resolved? If so could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

[itod]

... could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store. At the bottom of this article http://kakaroto.homelinux.net/2012/01/how-the-ecdsa-algorithm-works/ you have two simple formulas how to calculate the private key from two reused R values. johoe monitored the blockchain to find repeating R values, they are public in every transaction.

Edit:
To be technically precise, R is the point on the curve you get as R=k*G, k being the random number and G being the reference point. Sony used k=4 as a random number.

[stv]

This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store.

It was known right from the beginning, when ElGamal published his signature scheme, on which Schnorr signatures are based, on which classical DSA is based, on which ECDSA is based.


From his 1985 paper:

Note 2: If any k is used twice in the signing, then the system of equations is uniquely determined and x can be recovered. So for the system to be secure, any value of k should never be used twice.

[gmaxwell]

And should have been obvious to anyone who has implemented the cryptosystem too,  if k didn't have to be secret/unique you could just make it a parameter of the system and eliminate r and halve the size of the signatures.

[JorgeStolfi]

Sony used k=4 as a random number.

You mean that 4 is not a random number?  It looks quite random to me.

More than 9, for sure...

[TheRealSteve]

You mean that 4 is not a random number?  It looks quite random to me.

Well, it was chosen by fair dice roll.  guaranteed to be random.

[sumantso]

Hello,

thanks for all the warm words.  I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i.  Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time).  If you still want to donate I added one of my bitcoin addresses to the signature.  And if you ever need to store 267 BTC safely for a few days , you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions.  The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues.  So clear your browser cache and reload the blockchain page.  

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken.  
Even if it is not on my list.  The same holds for every address you sent money from during that period using the blockchain service.  If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money.  I'm not sure of the end of the time window.  The first buggy transaction occured Dec. 7 21:53:26 UTC.  

If you lost money during the last days you can reclaim it by writing to the blockchain support.  They can see whether your claim is valid and will refund you.  That said, I'm not affiliated with blockchain.info  (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

the money to these addresses have been returned.

I see that there are several different 1xy... addresses related with this incident.  These are not mine.

I hope that all remaining issues will be resolved soon.

No, thank you. This could've been another black mark on Bitcoin to the people outside, but thanks to you it remained quiet, so much so even a lot on this forum is unaware.

Saying that I am now wary of Blockchain.info and probably will not trust it anymore.

[johoe]

Do you think the majority of the reused "R' values issue has been resolved? If so could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

A reused R value is easily identified.  Just go through the blockchain data extract the r values (the first part of the signature), put them into a set and, if it was already in this set before, print it out.  You need a set with more than 100 million elements, but this is technically not so difficult to manage.

I have two lists of addresses, broken and endangered, the latter contains all addresses that were used in connection with an reused R value or are equal to an R value (R is very similar to a public key).  The money of the broken list is now swiped except for some dust; less than 10 mBTC in total.  But there is still some money in the addresses of the endangered list.  Nonetheless, these addresses should be considered compromised and I think with a bit of brute force it should be possible to break them.   At least these users should have been warned by now, since blockchain also has these lists.

I detectected a bit more than 1500 transactions with reused R values since Dec.7 (some of them are related to another problem that is going on since September). My guess is that statistically there should be about 500 additional transactions with a weak R value, where the R value was never reused; but this is pure guesswork.   These should also be considered compromised, but I have no way to detect them, so the users cannot be warned directly. Also newly generated keys should be considered compromised, even if they had no transactions at all.  So if you used blockchain in that time-window consider yourself affected even if you are not in one of my lists.

[bcearl]

@johoe: Did you use the blockchainr tool or make your own?

[coins101]

Hello,

there has been a lot of reused R values in the signatures on the blockchain, recently.  This exposed many private keys.  After googleing the addresses, I think it is related to Counterparty (XCP).  Here is a list of the exposed addresses in alphabetic order.  Most keys were exposed very recently, i.e., in the last week.

If you own one of the following addresses, you should transfer the money to a fresh address (before someone else does it for you).  Also figure out, which client has the bug that revealed the private key by reusing R values.  Then notify the author of that tool.

Hey, Johoe

I wasn't affected, but I just wanted to say thanks for being such an honest member of the global Bitcoin community.

It's such a welcome and refreshing piece of news.

If you ever need any help with anything, PM and I'll see if I can do anything to help or put you in contact with someone who might be able to help - with anything.

[TanteStefana2]

The money has been returned to blockchain.info.  Please write to blockchain support to claim refund.

From: Ben Reeves <...@blockchain.info>
If you could return the funds to address 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP that would be fantastic.

I should also add if that using our admin tools, if users supply us with the correct wallet information, we are able to accurately determine which refund claims are valid and which are not. So far we have processed over 30 refund requests and will be processing more over the rest of this week.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP
-----BEGIN PGP SIGNATURE-----
Comment: GPGTools - http://gpgtools.org

iQEcBAEBAgAGBQJUh5AdAAoJEP3NqDUC96SQqH0H/3pTTawCXZWfWAwIoVQPkSYa
DgpioEvHLDHXegfAfXyo8X9vc50kEseQVeZ5FAvoeC3Hy76gNIgEDllP5o6FUXL2
HsEj7qcafY5AxlxMgRRG9p1OcbeJS6mlbZrjB78BD+zrtzZaLFoSAf4+lw3YZHg5
xvA0WyNoHE1Hzg8+pdPbg1PPN6dHT38+PCyqFgYIjkjq07UbxxtyyWs8KIQqSuTe
4XIh0gjd73Wqtxm4CAHtnwy0PA5Pi/lE7v0d6qqF2l86SlxDkT6067asMw9Te0JJ
WgnFM8fePrM8HU980n0xvamae7J71zlFMN2/RYfj2t/pTIEWz25ZI2iVS0MGg14=
=9MGK
-----END PGP SIGNATURE——

PGP key is available from https://blockchain.info/security.txt



https://blockchain.info/tx/ea8fa447d59000843910932a42bf7a28915772d97a006e97714d026b78885754

You look good in a white hat   Sincere thanks for discovering this and seeing it through!

[dexX7]

My guess is that statistically there should be about 500 additional transactions with a weak R value, ...

What does "weak" mean in this context? I'm also wondering about the "endangered" list: since they already moved coins, I would assume they are now "secured", or is this a flawed assumption? This thread becomes more and more interesting, thanks for your input.

/tip 250000 bits

[bithernet]

Hi, johoe.

You are really a hero. Nice job!

Since the day before yesterday, Bitcoin users in China asked our team about blockchain.info's problem.
So we started digging into the issue and found out:
It was not only the repeated-R, and there were more users affected by this event.

Some bitcoins on these vulnerable addresses that we found were collected to here: 1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh

Currently we are continuing to evaluate the consequences.
After we finish all analysis, we will post more details here and try to return these bitcoins to correct users.

Wen Hao
Bither Team

[theymos]

What does "weak" mean in this context?

It means that the k value used might be predictable due to the bad RNG. If someone can guess the k used in a transaction, then the private key can be recovered.

[LifeisGreat88088]

I lost 23800 safecoin linked to my btc address , who would take the responsibility?  XCP or blockchain.info?