Bitcoin Forum
Topic: Realtime Analysis for transactions reusing R values (Robot)
lontivero (OP)
December 22, 2014, 04:13:31 AM
 #1


I've been studying bitcoin for a couple of weeks and I was able to understand it (partially) after creating some little and useless tools (that's how I learn new things), so I was very surprised by the bci issue and all the technical discussions about security, especially about ECDSA and how to get the private key from signatures that reuse the same R value. In fact, for a while I thought there was a robot stealing bitcoins and that idea hit my head all day, so yesterday I created a bitcoin transaction sniffer (a tcp sniffer that filters port 8333) that watches for transactions sent to my full node and checks if two or more inputs are reusing the same R value in the scriptSig; if there is a reuse then it calculates the private key and imports it to the wallet.

I know it sounds like a hacking tool with no good intentions, but currently it is a harmless tool and an example of how to obtain the private key from two signatures that are reusing the same R value (the math is interesting). It can be used for other kinds of realtime transaction analysis, and the idea to implement it with a sniffer instead of doing a fake node could be useful too because we can analyse the traffic and collaborate with the network at the same time.

Here you can see a console output when it is sniffing the tcp/ip traffic for incoming transactions.



And the code is in github https://github.com/lontivero/BitcoinWatcher.git
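
The check described in post #1 (two or more inputs carrying the same R value in their scriptSig) can also be run as an audit over signatures your own wallet has produced. This is an added example, not code from BitcoinWatcher; it assumes scriptSigs that begin with a directly pushed DER signature, and all sample values are constructed.

```python
from collections import defaultdict

def read_push(script: bytes, pos: int = 0):
    """Read one direct push (opcodes 0x01-0x4b); return (data, next_pos)."""
    n = script[pos]
    if not 1 <= n <= 0x4B or pos + 1 + n > len(script):
        raise ValueError("unsupported or truncated push")
    return script[pos + 1:pos + 1 + n], pos + 1 + n

def parse_der_sig(sig: bytes):
    """Return (r, s) from a DER signature; the trailing sighash byte is ignored."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] + 2 > len(sig):
        raise ValueError("not a DER sequence")
    pos, ints = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected INTEGER tag")
        length = sig[pos + 1]
        ints.append(int.from_bytes(sig[pos + 2:pos + 2 + length], "big"))
        pos += 2 + length
    return ints[0], ints[1]

def find_reused_r(inputs):
    """inputs: (label, scriptSig) pairs. Return {r: [labels]} for every r seen twice or more."""
    seen = defaultdict(list)
    for label, script in inputs:
        try:
            sig, _ = read_push(script)
            r, _s = parse_der_sig(sig)
        except (ValueError, IndexError):
            continue  # scriptSig does not start with a pushed DER signature
        seen[r].append(label)
    return {r: labels for r, labels in seen.items() if len(labels) > 1}

# --- constructed sample data (not real transactions) ---
def der_int(v: int) -> bytes:
    b = v.to_bytes((v.bit_length() + 8) // 8, "big")  # keeps a 0x00 pad when the top bit is set
    return b"\x02" + bytes([len(b)]) + b
def make_script_sig(r: int, s: int, pubkey: bytes = b"\x02" + b"\x11" * 32) -> bytes:
    body = der_int(r) + der_int(s)
    sig = b"\x30" + bytes([len(body)]) + body + b"\x01"  # 0x01 = SIGHASH_ALL
    return bytes([len(sig)]) + sig + bytes([len(pubkey)]) + pubkey
R1, R2 = int("d4" + "7c" * 31, 16), int("1b" + "3e" * 31, 16)  # constructed r values
SAMPLE = [("txA:0", make_script_sig(R1, 0x1111)), ("txA:1", make_script_sig(R1, 0x2222)),
          ("txB:0", make_script_sig(R2, 0x3333)), ("txC:0", b"\x51")]

if __name__ == "__main__":
    for r, labels in find_reused_r(SAMPLE).items():
        print(f"r={r:064x} reused by {labels}")
```

A hit means a nonce was repeated, so the signing key behind those inputs should be treated as compromised and the signer's nonce generation reviewed.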
n3rvi0zz0
December 22, 2014, 04:36:53 AM
 #2

Nice tool, I'm going to check it now.

I'll get in touch with you.


yakuza699
December 26, 2014, 06:32:44 PM
 #3

Where can I get the calculation examples only as I haven't touched the code in my entire life it would be fun to implement it myself.

lontivero (OP)
December 26, 2014, 08:58:31 PM
 #4

Here you have the calculation explained:

http://bitcoin.stackexchange.com/questions/25814/ecdsa-signature-and-the-z-value

In code, it is:

Code:
        
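        // BigInteger is assumed to be Org.BouncyCastle.Math.BigInteger.
        // m1, m2: hashes (z values) of the two signed messages; s1, s2: their s values; r: the shared r.
        private static BigInteger CalculatePrivateKey(BigInteger m1, BigInteger m2, BigInteger s1, BigInteger s2, BigInteger r)
        {
            // q is the order of the secp256k1 group
            var q = BigInteger.Two.Pow(256).Subtract(new BigInteger("432420386565659656852420866394968145599"));

            var m1m2 = m1.Subtract(m2);
            var s1s2 = s1.Subtract(s2);
            var s1s2_inv = s1s2.ModInverse(q);

            // shared nonce: k = (m1 - m2) / (s1 - s2) mod q
            var k = m1m2.Multiply(s1s2_inv).Mod(q);
            // from s1 = (m1 + r * prk) / k it follows that t = r * prk = s1 * k - m1 mod q
            var t = s1.Multiply(k).Subtract(m1).Mod(q);

            // private key: prk = t / r mod q
            var prk = t.Multiply(r.ModInverse(q)).Mod(q);
            return prk;
        }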


gmannnnn
December 26, 2014, 09:07:04 PM
 #5

yeah now there will be dozens of people running these kinds of scripts looking for exploitable transactions. the days of johnoe are unfortunately over, coins lost this way will not be returned
lontivero (OP)
December 26, 2014, 09:37:54 PM
 #6

> yeah now there will be dozens of people running these kinds of scripts looking for exploitable transactions.

There are dozens of people running different kinds of scripts for all kinds of purposes. I did it for self-education and others with the same curiosity can do it too because the protocol and the maths are in the public domain. Another important point is that this robot is useless because it looks for an old and very specific problem that happened almost a year ago.

> the days of johnoe are unfortunately over, coins lost this way will not be returned

The good old times of Johoe. The system must be secure and we have to work with that goal in mind; we cannot base all our hope on johoe, superman or robocop. We must build a reliable system, in part with tools like this one, which could be able to detect problems earlier and save money without any superhero intervention.
gmannnnn
December 27, 2014, 09:51:31 AM
 #7

> > yeah now there will be dozens of people running these kinds of scripts looking for exploitable transactions.
>
> There are dozens of people running different kinds of scripts for all kinds of purposes. I did it for self-education and others with the same curiosity can do it too because the protocol and the maths are in the public domain. Another important point is that this robot is useless because it looks for an old and very specific problem that happened almost a year ago.
>
> > the days of johnoe are unfortunately over, coins lost this way will not be returned
>
> The good old times of Johoe. The system must be secure and we have to work with that goal in mind; we cannot base all our hope on johoe, superman or robocop. We must build a reliable system, in part with tools like this one, which could be able to detect problems earlier and save money without any superhero intervention.

no, i completely agree. I have nothing against this tool. Hopefully mistakes based on non-random r values will happen less and less.