travis72682 (Full Member, Activity: 168, Merit: 100)
Re: Reused R values again, December 11, 2014, 08:34:34 AM, #141

MUCH respect man.... ever thought about starting up a coin? I would buy based on this alone. . .


johoe (Full Member, Activity: 217, Merit: 149)
Re: Reused R values again, December 11, 2014, 07:20:54 PM, #142

Hello,

thanks for all the warm words. I very much appreciated them.

I have to say, I already got a reasonable reward from bc.i. Also many thanks to the satoshilabs people who offered me a new trezor (could be handy as a backup next time). If you still want to donate I added one of my bitcoin addresses to the signature. And if you ever need to store 267 BTC safely for a few days, you can get a trezor here.

To answer some of the questions:

In principle, it should be safe to use blockchain again, but I still see some bad transactions. The last occurred six hours ago. There are only very few now and the guess is that this is because of browser cache issues. So clear your browser cache and reload the blockchain page.

If you generated a new address on blockchain in the night from Dec. 7/8 (UTC) before the bug was fixed, you should consider this as broken. Even if it is not on my list. The same holds for every address you sent money from during that period using the blockchain service. If you accessed the website during that period, you may have gotten the buggy script in your browser cache, so you may still be affected if you later created a new address or sent money. I'm not sure of the end of the time window. The first buggy transaction occurred Dec. 7 21:53:26 UTC.

If you lost money during the last days you can reclaim it by writing to the blockchain support. They can see whether your claim is valid and will refund you. That said, I'm not affiliated with blockchain.info (I just returned them their money).

For the record, I used these addresses:

1HuqM18GMVaLxTRGdmSgytzVYnhRzu7U68
1L7gfUxCY5bDmzp1xA6CjA3qXZwsbzWGbG
1HdqdZudnV681xapavSJp3LqaCcJn12eSE
1EjXAe3WRqipdQdP5qeESjZRhxLVfe6cJ7
17TifxwuGSor7woQ64gL57KJzwPAjSf3Qa

The money to these addresses has been returned.

I see that there are several different 1xy... addresses related with this incident. These are not mine.

I hope that all remaining issues will be resolved soon.

Donations to 1CF62UFWXiKqFUmgQMUby9DpEW5LXjypU3

Willisius (Sr. Member, Activity: 364, Merit: 250)
Re: Reused R values again, December 12, 2014, 03:04:13 AM, #146

Quote from: johoe on December 11, 2014, 07:20:54 PM






Do you think the majority of the reused "R" values issue has been resolved? If so, could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?

(maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

stv (Newbie, Activity: 27, Merit: 0)
Re: Reused R values again, December 12, 2014, 12:04:20 PM, #148

Quote from: itod on December 12, 2014, 11:24:27 AM
> This information is public from 2010, since the Sony PlayStation fiasco where they used R=4 to sign *all* the games in their online store.

It was known right from the beginning, when ElGamal published his signature scheme, on which Schnorr signatures are based, on which classical DSA is based, on which ECDSA is based.

From his 1985 paper:

Quote
> Note 2: If any k is used twice in the signing, then the system of equations is uniquely determined and x can be recovered. So for the system to be secure, any value of k should never be used twice.

gmaxwell (Moderator, Legendary, Activity: 3178, Merit: 4301)
Re: Reused R values again, December 12, 2014, 12:37:47 PM, #149

And should have been obvious to anyone who has implemented the cryptosystem too, if k didn't have to be secret/unique you could just make it a parameter of the system and eliminate r and halve the size of the signatures.

johoe (Full Member, Activity: 217, Merit: 149)
Re: Reused R values again, December 12, 2014, 05:46:40 PM, #153

Quote from: Willisius on December 12, 2014, 03:04:13 AM
> Do you think the majority of the reused "R" values issue has been resolved? If so, could you explain how you were able to identify which addresses had the reused R value and how to calculate the private key from the public key?
>
> (maybe you could delay releasing such information until after the flawed transactions slow down a little bit more)

A reused R value is easily identified. Just go through the blockchain data, extract the r values (the first part of the signature), put them into a set and, if it was already in this set before, print it out. You need a set with more than 100 million elements, but this is technically not so difficult to manage.

I have two lists of addresses, broken and endangered; the latter contains all addresses that were used in connection with a reused R value or are equal to an R value (R is very similar to a public key). The money of the broken list is now swiped except for some dust; less than 10 mBTC in total. But there is still some money in the addresses of the endangered list. Nonetheless, these addresses should be considered compromised and I think with a bit of brute force it should be possible to break them. At least these users should have been warned by now, since blockchain also has these lists.

I detected a bit more than 1500 transactions with reused R values since Dec. 7 (some of them are related to another problem that is going on since September). My guess is that statistically there should be about 500 additional transactions with a weak R value, where the R value was never reused; but this is pure guesswork. These should also be considered compromised, but I have no way to detect them, so the users cannot be warned directly. Also newly generated keys should be considered compromised, even if they had no transactions at all. So if you used blockchain in that time-window consider yourself affected even if you are not in one of my lists.
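The duplicate-r scan described in the post above, as an added example that is not code from the thread or from blockchain.info: it pulls r out of each DER-encoded signature and reports every r seen more than once, skipping entries that do not parse. The signatures, the `tx-a:0` style location labels and all function names are constructed for illustration.

```python
# Added example (constructed data only): scan ECDSA signatures for a repeated r.

def der_int(n):
    """DER INTEGER: big-endian, with a 0x00 pad when the top bit is set."""
    body = n.to_bytes((n.bit_length() + 8) // 8, "big")
    return b"\x02" + bytes([len(body)]) + body

def make_sig(r, s, sighash=0x01):
    """Build a Bitcoin-style signature (DER r,s plus sighash byte) as hex."""
    seq = der_int(r) + der_int(s)
    return (b"\x30" + bytes([len(seq)]) + seq + bytes([sighash])).hex()

def extract_r(sig_hex):
    """Return r, the first INTEGER of the DER SEQUENCE, or raise ValueError."""
    sig = bytes.fromhex(sig_hex)
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = sig[1]
    if seq_len & 0x80 or 2 + seq_len > len(sig):
        raise ValueError("bad SEQUENCE length")
    if sig[2] != 0x02:
        raise ValueError("r is not an INTEGER")
    r_len = sig[3]
    if r_len == 0 or 4 + r_len > 2 + seq_len:
        raise ValueError("bad r length")
    return int.from_bytes(sig[4:4 + r_len], "big")

def find_reused_r(records):
    """Map each r seen more than once to every location label that used it."""
    first_seen = {}   # r -> location of its first occurrence
    reused = {}       # r -> every location that used it
    for location, sig_hex in records:
        try:
            r = extract_r(sig_hex)
        except ValueError:
            continue  # not a parseable signature; skip it
        if r in first_seen:
            reused.setdefault(r, [first_seen[r]]).append(location)
        else:
            first_seen[r] = location
    return reused

R_DUP = int("c1" * 32, 16)   # constructed r with the top bit set (needs a pad)
SAMPLE = [                   # constructed (location, signature) pairs
    ("tx-a:0", make_sig(R_DUP, 0x1111)),
    ("tx-b:0", make_sig(int("5a" * 32, 16), 0x2222)),
    ("tx-c:1", make_sig(R_DUP, 0x3333)),
    ("tx-d:0", "deadbeef"),  # malformed on purpose
    ("tx-e:0", make_sig(R_DUP, 0x4444)),
]

if __name__ == "__main__":
    for r, locations in find_reused_r(SAMPLE).items():
        print(f"r={r:064x} reused in {locations}")
```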

coins101 (Legendary, Activity: 1456, Merit: 1000)
Re: Reused R values again, December 12, 2014, 09:02:36 PM, #155

Quote from: johoe on April 23, 2014, 01:21:01 PM
> Hello,
>
> there has been a lot of reused R values in the signatures on the blockchain, recently. This exposed many private keys. After googling the addresses, I think it is related to Counterparty (XCP). Here is a list of the exposed addresses in alphabetic order. Most keys were exposed very recently, i.e., in the last week.
>
> If you own one of the following addresses, you should transfer the money to a fresh address (before someone else does it for you). Also figure out which client has the bug that revealed the private key by reusing R values. Then notify the author of that tool.

Hey, Johoe

I wasn't affected, but I just wanted to say thanks for being such an honest member of the global Bitcoin community.

It's such a welcome and refreshing piece of news.

If you ever need any help with anything, PM and I'll see if I can do anything to help or put you in contact with someone who might be able to help - with anything.

TanteStefana2 (Legendary, Activity: 1232, Merit: 1000)
Re: Reused R values again, December 13, 2014, 02:21:57 AM, #156

Quote from: johoe on December 10, 2014, 12:57:10 AM
> Quote
> > From: Ben Reeves < ...@blockchain.info
> >
> > If you could return the funds to address 15tXHJCjehqCEL6zRCkGwvuDY6YzZV5sKP that would be fantastic.
> >
> > I should also add that, using our admin tools, if users supply us with the correct wallet information, we are able to accurately determine which refund claims are valid and which are not. So far we have processed over 30 refund requests and will be processing more over the rest of this week.




> PGP key is available from https://blockchain.info/security.txt
>
> https://blockchain.info/tx/ea8fa447d59000843910932a42bf7a28915772d97a006e97714d026b78885754
>
> The money has been returned to blockchain.info. Please write to blockchain support to claim refund.

You look good in a white hat

Sincere thanks for discovering this and seeing it through!