Realtime Analysis for transactions reusing R values (Robot)

[lontivero]

I've been studing bitcoin for a couple of weeks and I was able to understand it (partially) after creating some little and useless tools (that's how I learn new things) so, I was very surprised by the bci issue and all the technical discussions about security especially about ECDSA and how to get the private key from the signature that reuse the same R values.  In fact in for a while I though there was a robot stoling bitcoins and that idea hit my head all the day so, yesterday I created a bitcoin transaction sniffer (a tcp sniffer that filters the 8333 port) that watches for transactions sent to my full node and checks if two or more inputs are reusing the same R value in the scriptSig, if there is a reuse then it calculates the private key and imports it to the wallet.

I know it sounds like a hacking tool with no good intentions but currently it is a harmless tool and an example about how to obtain the private key from two signatures that are reusing the same R value (the math is interesting). It can be used for other kind of realtime transactions analysis and the idea to implement it with a sniffer instead of doing a fake node could be useful too because we can analyse the traffic and collaborate with the network at the same time.

Here you can see a console output when it is sniffing the tcp/ip traffic for incoming transactions.



And the code is in github https://github.com/lontivero/BitcoinWatcher.git

[n3rvi0zz0]

nice tool im going to check now


im get in toucj with u

[yakuza699]

Where can I get the calculation examples only as I haven't touched the code in my entire life it would be fun to implement it myself.

[lontivero]

Here you have the calculation explained:

http://bitcoin.stackexchange.com/questions/25814/ecdsa-signature-and-the-z-value

In code, it is:

Code:

        
        private static BigInteger CalculatePrivateKey(BigInteger m1, BigInteger m2, BigInteger s1, BigInteger s2, BigInteger r)
        {
            var q = BigInteger.Two.Pow(256).Subtract(new BigInteger("432420386565659656852420866394968145599"));

            var m1m2 = m1.Subtract(m2);
            var s1s2 = s1.Subtract(s2);
            var s1s2_inv = s1s2.ModInverse(q);

            var k = m1m2.Multiply(s1s2_inv).Mod(q);
            var t = s1.Multiply(k).Subtract(m1).Mod(q);

            var prk = t.Multiply(r.ModInverse(q)).Mod(q);
            return prk;
        }

[gmannnnn]

yeah now there will be dozens of people running these kinds of scripts looking for exploitable transactions. the days of johnoe are unfortunately over, coins lost this way will not be returned

[lontivero]

yeah now there will be dozens of people running these kinds of scripts looking for exploitable transactions.

There are dozens of people running different kind of scripts for all kind of purposes. I did it for self education and others with the same curiosity can do it too because the protocol and the maths are on the public domain. Another important point is that this robot is useless because it looks for an old and very specific problem that happened almost a year ago.

the days of johnoe are unfortunately over, coins lost this way will not be returned

The good old times of Johoe. System must be secure and we have to work with that goal in mind, we cannot base all our hope in johoe, superman or robocop, we must build a reliable system in part with tools like this one which could be a ble to detect problem earlier and save money without any superhero intervention.

[gmannnnn]

yeah now there will be dozens of people running these kinds of scripts looking for exploitable transactions.

There are dozens of people running different kind of scripts for all kind of purposes. I did it for self education and others with the same curiosity can do it too because the protocol and the maths are on the public domain. Another important point is that this robot is useless because it looks for an old and very specific problem that happened almost a year ago.

the days of johnoe are unfortunately over, coins lost this way will not be returned

The good old times of Johoe. System must be secure and we have to work with that goal in mind, we cannot base all our hope in johoe, superman or robocop, we must build a reliable system in part with tools like this one which could be a ble to detect problem earlier and save money without any superhero intervention.

no, i completely agree. I have nothing against this tool. Hopefully mistakes based on non-random r values will happen less and less.