travis72682
|
|
December 11, 2014, 08:34:34 AM |
|
MUCH respect man.... ever thought about starting up a coin? I would buy based on this alone. . .
|
|
|
|
johoe (OP)
|
|
December 11, 2014, 07:20:54 PM |
|
Hello, thanks for all the warm words. I very much appreciated them. I have to say, I already got a reasonable reward from bc.i. Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time). If you still want to donate I added one of my bitcoin addresses to the signature. And if you ever need to store 267 BTC safely for a few days , you can get a trezor here. To answer some of the questions: In principle, it should be safe to use blockchain again, but I still see some bad transactions. The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues. So clear your browser cache and reload the blockchain page. If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken. Even if it is not on my list. The same holds for every address you sent money from during that period using the blockchain service. If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money. I'm not sure of the end of the time window. The first buggy transaction occured Dec. 7 21:53:26 UTC. If you lost money during the last days you can reclaim it by writing to the blockchain support. They can see whether your claim is valid and will refund you. That said, I'm not affiliated with blockchain.info (I just returned them their money). For the record, I used these addresses: 1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68 1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG 1HdqdZudnV681xapavSJp3LqaCcJn12eSE 1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7 17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa the money to these addresses have been returned. I see that there are several different 1xy... addresses related with this incident. These are not mine. I hope that all remaining issues will be resolved soon.
|
Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
|
|
|
NxtChg
|
|
December 11, 2014, 07:24:51 PM |
|
thanks for all the warm words. I very much appreciated them.
A "thank you" from me too. You saved about 3 BTC of my users' money (I hope blockchain.info will return it). Very noble of you, sir.
|
|
|
|
windpath
Legendary
Offline
Activity: 1258
Merit: 1027
|
|
December 11, 2014, 09:13:27 PM |
|
Hello,
thanks for all the warm words. I very much appreciated them.
You very much earned them! Thanks again for you honesty and the work you put in to protect people from theft.
|
|
|
|
MrGreenHat
|
|
December 12, 2014, 02:09:38 AM |
|
Very cool of you, didn't lose any funds but its refreshing to see this sort of thing.
|
|
|
|
Willisius
Sr. Member
Offline
Activity: 364
Merit: 250
I'm really quite sane!
|
|
December 12, 2014, 03:04:13 AM |
|
Hello, thanks for all the warm words. I very much appreciated them. I have to say, I already got a reasonable reward from bc.i. Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time). If you still want to donate I added one of my bitcoin addresses to the signature. And if you ever need to store 267 BTC safely for a few days , you can get a trezor here. To answer some of the questions: In principle, it should be safe to use blockchain again, but I still see some bad transactions. The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues. So clear your browser cache and reload the blockchain page. If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken. Even if it is not on my list. The same holds for every address you sent money from during that period using the blockchain service. If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money. I'm not sure of the end of the time window. The first buggy transaction occured Dec. 7 21:53:26 UTC. If you lost money during the last days you can reclaim it by writing to the blockchain support. They can see whether your claim is valid and will refund you. That said, I'm not affiliated with blockchain.info (I just returned them their money). For the record, I used these addresses: 1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68 1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG 1HdqdZudnV681xapavSJp3LqaCcJn12eSE 1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7 17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa the money to these addresses have been returned. I see that there are several different 1xy... addresses related with this incident. These are not mine. I hope that all remaining issues will be resolved soon. Do you think the majority of the reused "R' values issue has been resolved? If so could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key? (maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)
|
|
|
|
itod
Legendary
Offline
Activity: 1974
Merit: 1077
^ Will code for Bitcoins
|
|
December 12, 2014, 11:24:27 AM |
|
... could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?
(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)
This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store. At the bottom of this article http://kakaroto.homelinux.net/2012/01/how-the-ecdsa-algorithm-works/ you have two simple formulas how to calculate the private key from two reused R values. johoe monitored the blockchain to find repeating R values, they are public in every transaction. Edit: To be technically precise, R is the point on the curve you get as R=k*G, k being the random number and G being the reference point. Sony used k=4 as a random number.
|
|
|
|
stv
Newbie
Offline
Activity: 27
Merit: 0
|
|
December 12, 2014, 12:04:20 PM |
|
This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store. It was known right from the beginning, when ElGamal published his signature scheme, on which Schnorr signatures are based, on which classical DSA is based, on which ECDSA is based. From his 1985 paper: Note 2: If any k is used twice in the signing, then the system of equations is uniquely determined and x can be recovered. So for the system to be secure, any value of k should never be used twice.
|
|
|
|
gmaxwell
Moderator
Legendary
Offline
Activity: 4242
Merit: 8702
|
|
December 12, 2014, 12:37:47 PM |
|
And should have been obvious to anyone who has implemented the cryptosystem too, if k didn't have to be secret/unique you could just make it a parameter of the system and eliminate r and halve the size of the signatures.
|
|
|
|
JorgeStolfi
|
|
December 12, 2014, 03:55:50 PM |
|
Sony used k=4 as a random number.
You mean that 4 is not a random number? It looks quite random to me. More than 9, for sure...
|
Academic interest in bitcoin only. Not owner, not trader, very skeptical of its longterm success.
|
|
|
TheRealSteve
|
|
December 12, 2014, 04:06:24 PM |
|
You mean that 4 is not a random number? It looks quite random to me.
Well, it was chosen by fair dice roll. guaranteed to be random.
|
|
|
|
sumantso
Legendary
Offline
Activity: 1050
Merit: 1000
|
|
December 12, 2014, 05:18:03 PM |
|
Hello, thanks for all the warm words. I very much appreciated them. I have to say, I already got a reasonable reward from bc.i. Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time). If you still want to donate I added one of my bitcoin addresses to the signature. And if you ever need to store 267 BTC safely for a few days , you can get a trezor here. To answer some of the questions: In principle, it should be safe to use blockchain again, but I still see some bad transactions. The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues. So clear your browser cache and reload the blockchain page. If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken. Even if it is not on my list. The same holds for every address you sent money from during that period using the blockchain service. If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money. I'm not sure of the end of the time window. The first buggy transaction occured Dec. 7 21:53:26 UTC. If you lost money during the last days you can reclaim it by writing to the blockchain support. They can see whether your claim is valid and will refund you. That said, I'm not affiliated with blockchain.info (I just returned them their money). For the record, I used these addresses: 1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68 1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG 1HdqdZudnV681xapavSJp3LqaCcJn12eSE 1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7 17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa the money to these addresses have been returned. I see that there are several different 1xy... addresses related with this incident. These are not mine. I hope that all remaining issues will be resolved soon. No, thank you. This could've been another black mark on Bitcoin to the people outside, but thanks to you it remained quiet, so much so even a lot on this forum is unaware. Saying that I am now wary of Blockchain.info and probably will not trust it anymore.
|
|
|
|
johoe (OP)
|
|
December 12, 2014, 05:46:40 PM |
|
Do you think the majority of the reused "R' values issue has been resolved? If so could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?
(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)
A reused R value is easily identified. Just go through the blockchain data extract the r values (the first part of the signature), put them into a set and, if it was already in this set before, print it out. You need a set with more than 100 million elements, but this is technically not so difficult to manage. I have two lists of addresses, broken and endangered, the latter contains all addresses that were used in connection with an reused R value or are equal to an R value (R is very similar to a public key). The money of the broken list is now swiped except for some dust; less than 10 mBTC in total. But there is still some money in the addresses of the endangered list. Nonetheless, these addresses should be considered compromised and I think with a bit of brute force it should be possible to break them. At least these users should have been warned by now, since blockchain also has these lists. I detectected a bit more than 1500 transactions with reused R values since Dec.7 (some of them are related to another problem that is going on since September). My guess is that statistically there should be about 500 additional transactions with a weak R value, where the R value was never reused; but this is pure guesswork. These should also be considered compromised, but I have no way to detect them, so the users cannot be warned directly. Also newly generated keys should be considered compromised, even if they had no transactions at all. So if you used blockchain in that time-window consider yourself affected even if you are not in one of my lists.
|
Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3
|
|
|
bcearl
|
|
December 12, 2014, 05:54:39 PM |
|
@johoe: Did you use the blockchainr tool or make your own?
|
Misspelling protects against dictionary attacks NOT
|
|
|
coins101
Legendary
Offline
Activity: 1456
Merit: 1000
|
|
December 12, 2014, 09:02:36 PM |
|
Hello,
there has been a lot of reused R values in the signatures on the blockchain, recently. This exposed many private keys. After googleing the addresses, I think it is related to Counterparty (XCP). Here is a list of the exposed addresses in alphabetic order. Most keys were exposed very recently, i.e., in the last week.
If you own one of the following addresses, you should transfer the money to a fresh address (before someone else does it for you). Also figure out, which client has the bug that revealed the private key by reusing R values. Then notify the author of that tool.
Hey, Johoe I wasn't affected, but I just wanted to say thanks for being such an honest member of the global Bitcoin community. It's such a welcome and refreshing piece of news. If you ever need any help with anything, PM and I'll see if I can do anything to help or put you in contact with someone who might be able to help - with anything.
|
|
|
|
TanteStefana2
Legendary
Offline
Activity: 1260
Merit: 1001
|
|
December 13, 2014, 02:21:57 AM |
|
The money has been returned to blockchain.info. Please write to blockchain support to claim refund. From: Ben Reeves < ...@blockchain.info> If you could return the funds to address 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP that would be fantastic. I should also add if that using our admin tools, if users supply us with the correct wallet information, we are able to accurately determine which refund claims are valid and which are not. So far we have processed over 30 refund requests and will be processing more over the rest of this week. -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP -----BEGIN PGP SIGNATURE----- Comment: GPGTools - http://gpgtools.orgiQEcBAEBAgAGBQJUh5AdAAoJEP3NqDUC96SQqH0H/3pTTawCXZWfWAwIoVQPkSYa DgpioEvHLDHXegfAfXyo8X9vc50kEseQVeZ5FAvoeC3Hy76gNIgEDllP5o6FUXL2 HsEj7qcafY5AxlxMgRRG9p1OcbeJS6mlbZrjB78BD+zrtzZaLFoSAf4+lw3YZHg5 xvA0WyNoHE1Hzg8+pdPbg1PPN6dHT38+PCyqFgYIjkjq07UbxxtyyWs8KIQqSuTe 4XIh0gjd73Wqtxm4CAHtnwy0PA5Pi/lE7v0d6qqF2l86SlxDkT6067asMw9Te0JJ WgnFM8fePrM8HU980n0xvamae7J71zlFMN2/RYfj2t/pTIEWz25ZI2iVS0MGg14= =9MGK -----END PGP SIGNATURE—— PGP key is available from https://blockchain.info/security.txthttps://blockchain.info/tx/ea8fa447d59000843910932a42bf7a28915772d97a006e97714d026b78885754You look good in a white hat Sincere thanks for discovering this and seeing it through!
|
Another proud lifetime Dash Foundation member My TanteStefana account was hacked, Beware trading "You'll never reach your destination if you stop to throw stones at every dog that barks."Sir Winston Churchill BTC: 12pu5nMDPEyUGu3HTbnUB5zY5RG65EQE5d
|
|
|
dexX7
Legendary
Offline
Activity: 1106
Merit: 1026
|
|
December 13, 2014, 03:31:09 AM |
|
My guess is that statistically there should be about 500 additional transactions with a weak R value, ... What does "weak" mean in this context? I'm also wondering about the "endangered" list: since they already moved coins, I would assume they are now "secured", or is this a flawed assumption? This thread becomes more and more interesting, thanks for your input. /tip 250000 bits
|
|
|
|
bithernet
|
|
December 13, 2014, 04:00:18 AM |
|
Hi, johoe.
You are really a hero. Nice job!
Since the day before yesterday, Bitcoin users in China asked our team about blockchain.info's problem. So we started digging into the issue and found out: It was not only the repeated-R, and there were more users affected by this event.
Some bitcoins on these vulnerable addresses that we found were collected to here: 1PGfLgFtRHgdgvPNvmHMjtsWwF4fyG1jvh
Currently we are continuing to evaluate the consequences. After we finish all analysis, we will post more details here and try to return these bitcoins to correct users.
Wen Hao Bither Team
|
http://Bither.netBither - a simple and secure Bitcoin wallet! 1BsTwoMaX3aYx9Nc8GdgHZzzAGmG669bC3
|
|
|
theymos
Administrator
Legendary
Offline
Activity: 5334
Merit: 13306
|
|
December 13, 2014, 04:13:13 AM |
|
What does "weak" mean in this context?
It means that the k value used might be predictable due to the bad RNG. If someone can guess the k used in a transaction, then the private key can be recovered.
|
1NXYoJ5xU91Jp83XfVMHwwTUyZFK64BoAD
|
|
|
LifeisGreat88088
|
|
December 13, 2014, 08:09:16 AM |
|
I lost 23800 safecoin linked to my btc address , who would take the responsibility? XCP or blockchain.info?
|
|
|
|
|