BurtW (Legendary)
Bad signatures leading to 55.82152538 BTC theft (so far)
August 10, 2013, 10:53:13 PM, last edit: August 11, 2013, 01:31:39 PM by BurtW. Merited by LoyceV (8). #1



I have only seen this discussed in the newbies section so I thought I would open a thread here for a more technical discussion of this issue.

Several people have reported their BTC stolen and sent to

https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

As you can see the address currently contains 55.82152538 stolen coins.

It has been noticed that the coins are all transferred in a few hours after a client improperly signs a transaction by reusing the same random number. As discussed here:

http://en.wikipedia.org/wiki/Elliptic_Curve_DSA

the reuse of the same k value allows anyone to be able to recover the private key.

It appears that this is what may be happening.

It appears that the bug occurs in both the blockchain.info android wallet and the Andreas Schildbach Android Wallet so I suspect a bug in a crypto library or an implementation detail shared by both applications.

This has been discussed in this thread https://bitcointalk.org/index.php?topic=251743.0 with the more technical posts being these two:

https://bitcointalk.org/index.php?topic=251743.msg2890179#msg2890179

https://bitcointalk.org/index.php?topic=251743.msg2890736#msg2890736

Check out the two transactions posted here (which did lead to a theft of 0.9184236 BTC in this transaction https://blockchain.info/tx/211c135e58dc55bcce4c71dc02eae2dffc5a55387c29e8144bf1cd1e8878e52e)

Quote from: johoe on August 08, 2013, 12:55:52 PM
@Xeno-Genesis
For you the bad transactions were

https://blockchain.info/tx/b6350f4339a59faf09bfc2a4086c2261598f46f257517ce53785145c964799bc

https://blockchain.info/tx/38fbb8a3ff718dd7c8006feb6aa9ed6add1772522781b0db95abb350a859220b

which use the same R-value in the signature. It is strange that the same random number was generated in two transactions that are four days apart. This doesn't fit the usual pattern. Which bitcoin client do you use?

The stealing transaction occurred less than five hours after the transaction that reused the R-value.

TierNolan (Legendary)
Re: Bad signatures leading to 55.82152538 BTC theft (so far)
August 11, 2013, 02:16:10 AM #3

Quote from: smolen on August 10, 2013, 11:47:04 PM
How long would it take to pool owners to start scanning mempool transactions and replace vulnerable ones?

You mean they should crack the private key for the address and then re-do the signature? That seems only semi-legal.

It may not even fix the problem, all nodes receive all transactions directly. It would make it slightly harder, the node would have to be always online, rather than only having to scan the block chain every hour or so.

gmaxwell (Moderator, Legendary)
::sigh::
August 11, 2013, 02:26:33 AM, last edit: August 11, 2013, 02:41:28 AM by gmaxwell #4

Of course, if these applications didn't constantly reuse addresses the exposure here, whatever the root cause ultimately turns out to be, would be a lot smaller.

gmaxwell (Moderator, Legendary)
Re: Bad signatures leading to 55.82152538 BTC theft (so far)
August 11, 2013, 05:48:21 AM #7

Quote from: chriswilmer on August 11, 2013, 04:11:45 AM
This seems like a serious problem!

Apologies if I am asking a question with an obvious answer, but is there a way a user can easily check to see if the same random number was used for a second transaction before broadcasting it?

No, no easy way to do that. Plus the software to actually help you do that would be more complicated than the software required to make super-sure that this can't happen (e.g. select the nonce as sha256(message||privkey||random value), though if your RNG is bad you also need to worry about weak keys).
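The nonce construction gmaxwell describes, worked as an added example that is not code from this thread or from either wallet: a toy secp256k1 signer (plain double-and-add, not constant-time, demonstration only) signs two different messages with a constructed key and a constructed RNG that always returns the same value. Taking k straight from the RNG repeats r across the two signatures; k = sha256(message||privkey||random value) does not, even with the same broken RNG.

```python
import hashlib
# secp256k1, the curve Bitcoin signs with (field prime, group order, generator)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    # affine addition, None = point at infinity; demo only, not constant-time
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt):
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def naive_nonce(msg_hash, privkey, rng):
    return rng() % N or 1          # k straight from the RNG: repeats when the RNG repeats

def hedged_nonce(msg_hash, privkey, rng):
    # gmaxwell's construction: k = sha256(message || privkey || random value)
    data = msg_hash.to_bytes(32, "big") + privkey.to_bytes(32, "big") + rng().to_bytes(32, "big")
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N or 1

def sign(msg_hash, privkey, k):
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (msg_hash + r * privkey) % N
    return (r, s)

# constructed stand-in for a broken RNG that always returns the same value
BROKEN_RNG = lambda: 0x0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF0123456789ABCDEF

def r_repeats(nonce_fn, rng=BROKEN_RNG):
    """Sign two different messages with one constructed key; True if both signatures share r."""
    priv = int.from_bytes(hashlib.sha256(b"constructed demo key").digest(), "big") % N
    h1 = int.from_bytes(hashlib.sha256(b"payment one").digest(), "big")
    h2 = int.from_bytes(hashlib.sha256(b"payment two").digest(), "big")
    r1, _ = sign(h1, priv, nonce_fn(h1, priv, rng))
    r2, _ = sign(h2, priv, nonce_fn(h2, priv, rng))
    return r1 == r2
```

A repeated r is exactly what johoe spotted in the two transactions quoted in the opening post; the hedged nonce is not a substitute for fixing the RNG, since a weak RNG also means weak keys, as gmaxwell notes.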

piotr_n (Legendary, aka tonikt)
Re: Bad signatures leading to 55.82152538 BTC theft (so far)
August 11, 2013, 11:49:08 AM, last edit: August 11, 2013, 11:59:49 AM by piotr_n #9

Quote from: BurtW on August 10, 2013, 10:53:13 PM
the reuse of the same k value allows anyone to be able to recover the private key.

It appears that this is what may be happening.

It appears that the bug occurs in both the blockchain.info android wallet and the Andreas Schildbach Android Wallet so I suspect a bug in a crypto library or an implementation detail shared by both applications.

Ouch...

Thanks for the info - I spent the whole morning triple checking if my wallet would not make a similar mistake by chance.

Seems that I'm fine, but you got me scared, sir.

dice64 (Newbie)
Re: Bad signatures leading to 55.82152538 BTC theft (so far)
August 11, 2013, 12:47:11 PM #13

Quote from: physalis on August 11, 2013, 12:29:22 PM
Quote from: Luke-Jr on August 11, 2013, 05:40:08 AM
It's not much of a problem if you're using Bitcoin correctly (ie, not reusing addresses).

That can't possibly be your proposed solution to this problem - "Just never use a bitcoin address more than once"?

While it makes sense for privacy reasons, it shouldn't need to be done just so you don't get your coins stolen.

If for example I give someone a bitcoin address so he can make recurring payments of some sort to me, I need to reuse that address. Everything else would just be a major pain in the ass.

You can get every transaction which has been sent by that address and ensure none of its spent outputs have the same signature in the script. But the main problem is random number generation.

Even if you want to make recurring payments, you should still generate an address each time. Otherwise you seriously risk linking your address to your identity. It isn't a pain in the ass, it's the best practice for anonymity, regardless of this current bad signature issue.
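The check dice64 describes, as an added example that is not code from this thread or from any wallet: parse the DER signatures a wallet has placed in its scriptSigs and report any r value that appears twice under the same public key. The txids, pubkeys and r/s values below are constructed; the layout assumed is the standard Bitcoin one (DER SEQUENCE of two INTEGERs followed by one SIGHASH byte).

```python
import hashlib

def _der_int(v):
    b = v.to_bytes((v.bit_length() + 7) // 8 or 1, "big")
    if b[0] & 0x80:                      # DER INTEGERs are signed: pad so the top bit is clear
        b = b"\x00" + b
    return b"\x02" + bytes([len(b)]) + b

def der_encode_sig(r, s):
    """Encode (r, s) the way a scriptSig carries it: DER SEQUENCE, then one SIGHASH byte."""
    body = _der_int(r) + _der_int(s)
    return b"\x30" + bytes([len(body)]) + body + b"\x01"   # 0x01 = SIGHASH_ALL

def der_decode_sig(sig):
    """Parse a scriptSig signature back to (r, s); strict on lengths and trailing data."""
    der = sig[:-1]                        # drop the SIGHASH byte Bitcoin appends
    if len(der) < 8 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("not a DER SEQUENCE of the stated length")
    pos, values = 2, []
    for _ in range(2):
        if der[pos] != 0x02:
            raise ValueError("expected INTEGER")
        ln = der[pos + 1]
        values.append(int.from_bytes(der[pos + 2:pos + 2 + ln], "big"))
        pos += 2 + ln
    if pos != len(der):
        raise ValueError("trailing bytes after s")
    return tuple(values)

def find_reused_r(spends):
    """spends: (txid, pubkey_hex, scriptsig_sig_bytes) for every input a wallet signed.
    Returns {(pubkey, r): [txids]} for each r seen twice under the same key (k reused)."""
    seen = {}
    for txid, pubkey, sig in spends:
        r, _ = der_decode_sig(sig)
        seen.setdefault((pubkey, r), []).append(txid)
    return {key: txs for key, txs in seen.items() if len(txs) > 1}

# constructed sample: fake pubkeys and r/s values, not real on-chain data
def _val(label):
    return int.from_bytes(hashlib.sha256(label).digest(), "big")
PUB_A, PUB_B = "02" + "aa" * 32, "03" + "bb" * 32
R_SHARED = _val(b"r-shared")
SAMPLE_SPENDS = [
    ("tx1", PUB_A, der_encode_sig(R_SHARED, _val(b"s1"))),
    ("tx2", PUB_A, der_encode_sig(_val(b"r-fresh"), _val(b"s2"))),
    ("tx3", PUB_A, der_encode_sig(R_SHARED, _val(b"s3"))),   # same r as tx1: k was reused
    ("tx4", PUB_B, der_encode_sig(R_SHARED, _val(b"s4"))),   # same r, different key: not flagged here
]
```

As gmaxwell points out above, this only detects the problem after the fact; a scanner like this is a monitoring control, and the fix belongs in nonce generation.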

piotr_n (Legendary, aka tonikt)
Re: Bad signatures leading to 55.82152538 BTC theft (so far)
August 11, 2013, 12:57:12 PM #18

Quote from: smolen on August 11, 2013, 12:13:42 PM
Even proper reuse of an ECDSA private key makes it less secure. Satoshi did very good work protecting Bitcoin from possible future advances in cryptography - new addresses are created whenever it is appropriate, before first (and, ideally, last) use the public key is secret, only a hash of it (the address) is exposed to the public. But Satoshi did not forbid intentional address reuse, thus making key reuse possible.

Of course - I fully agree with you and thanks for pointing it out.

But still, reusing addresses is one of the core features of Bitcoin - otherwise our life would be so much more complicated.

Bitcoin would have probably never got adopted, in the first place, if one could not reuse an address.

Moreover, if this is so crucial for security, deterministic wallets do not seem to be the right way to go forward, do they?

smolen (Hero Member)
Re: Bad signatures leading to 55.82152538 BTC theft (so far)
August 11, 2013, 01:21:23 PM #19

Quote from: piotr_n on August 11, 2013, 12:57:12 PM
Of course - I fully agree with you and thanks for pointing it out.

But still, reusing addresses is one of the basic features of Bitcoin - otherwise our life would be so much more complicated.

Bitcoin would have probably never got adopted, in the first place, if one could not reuse an address.

Moreover, if this is so crucial for security, deterministic wallets do not seem to be the right way to go forward, do they?

I don't pretend to be an expert here, but it looks like Bitcoin itself and deterministic wallets are right now out of reach for SAT-solvers and XSL attacks. We'll be alerted about progress in those areas by new yottahashes in mining difficulty.