Exploiting ECDSA Failures in the Bitcoin Blockchain

Transcript

1. Filippo Valsorda Exploiting ECDSA Failures in the Bitcoin Blockchain HITB2014KUL

2. CloudFlare security team @FiloSottile I mess with cryptography. And open

   source. ! filippo.io Filippo Valsorda

3. But you probably know me for this

4. https://filippo.io/heartbleed

5. Bitcoin

6. Public key + Private key A wallet The address: hash

   ( public key ) 1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A

7. A signed statement, published to the world and recorded in

   the blockchain A transaction “This money I can spend, can now be spent by Y”

8. A: This money I can spend, can now be spent

   by X …: This money I can spend, can now be spent by … …: This money I can spend, can now be spent by … …: This money I can spend, can now be spent by … X: This money I can spend, can now be spent by Y …: This money I can spend, can now be spent by … …: This money I can spend, can now be spent by … Y has this money to spend

9. A: This money I can spend, can now be spent

   by X Signed with A’s private key Hash of X’s public key

10. OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG <sig> <pubKey> Actually

11. None

12. ECDSA

13. A EC based signature scheme As seen in TLS, DNSSEc,

    the PS3… Elliptic Curve Digital Signature Algorithm

14. Global: point G on a curve Private key: a random

    number d Public key: d X G A summary

15. e = hash(message) k = a random number (x, y)

    = k X G r = x Signature Sig: [r,(e+r*d)/k]

16. Unless… Seems fine, right? What happens if that k is

    not random?

17. k1 = k2 (x, y) = k X G r

    = x r1 = r2 If you reuse k Sig1: [r,(e1+r*d)/k] Sig2: [r,(e2+r*d)/k]

18. If you reuse k Sig1: [ r ,(e1+r*d)/k] Sig2: [

    r ,(e2+r*d)/k] k1 = k2 (x, y) = k X G r = x r1 = r2

19. If you reuse k Sig1: [r, (e1+r*d)/k ] Sig2: [r,

    (e2+r*d)/k ] k1 = k2 (x, y) = k X G r = x r1 = r2

20. k = (e1 - e2)/ (e1+r*d)/k - (e2+r*d)/k] If you

    reuse k d = [(e1+r*d)/k]*k-e1 r

21. Boom.

22. Text Text Text Text Text Text Text Text Text Imperialviolet

    Accent Accent Accent

23. Text Text Text Text Text Text Text Text Text Sony’s

    ECDSA code Mittwoch, 29. Dezember 2010
24. None

25. the blockchain

26. To spend money: the public key of the address; a

    signature w/ that key Reminder when money is moved a signature is published

27. for block in chain: for tx in block: for input

    in tx: ... An easy search A input is money being spent in the tx

28. Extract r from the signature; take note of where we

    found it in a lookup table; check if we found it before. An easy search

29. Done! If anyone reuses k, we will find two equal

    r.

30. Well… No. I mean, yes, but there are 100M inputs

    in the blockchain. Done! Out of memory! :(

31. First pass: filter the possible r. Add to a Bloom

    filter, if present add to a set. ! Second pass: if r present in the set, export sig and pubkey. A smarter search

32. A smarter search r = 42 r = 42 Bloom

    filter + Blockchain Set

33. A smarter search Bloom filter ? Blockchain 42 ✓ r

    = 42 r = 42 + Set

34. A smarter search ? ✓ Final list Sig, Pubkey, Tx…

    r = 42 r = 42 42 Set 19 36 Blockchain

35. Group the list by (r, pubkey) and recover d from

    pairs of signatures! Finally

36. A ready to use tool Blockchainr github.com/filosottile/blockchainr

37. Results

38. https://filippo.io/hitb If you want to follow from home

39. Does this happen?

40. Yes. Does this happen?

41. Vertical: address Color: r

42. weird Multisignature transactions

43. 1KtjBE8yDxoqNTSyLG2re4qtKK19KpvVLT 1BkE8ttBRUKVNTj3Lx1EPsw7vVbhuLZhBt

44. Vertical: address Color: r

45. “gomez” 1GozmcsMBC7bnMVUQLTKEw5vBxbSeG4erW / 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

46. Repeated r in the same transaction

47. https://bitcointalk.org/index.php?topic=271486 “Bad signatures leading to 55.82152538 BTC theft (so far)”

48. https://bitcointalk.org/index.php?topic=277595 Blockchain.info security [FUNDS STOLEN]

49. Text Text Text Text Text Text Text Text Text TEXT

    TEXT TEXT TEXT Accent Accent Accent

50. Nick sullivan “exploiting randomness” demo

51. None
52. None

53. The fix

54. k must be secret and unique What’s needed Not necessarily

    random

55. Generate k deterministically, as a function of private key and

    message. RFC 6979 k = HMAC_DRBG ( d, H (m) )

56. Bitcoin core unsafe: openssl patch by AGL waiting on master

57. None

58. electrum safe since v1.9 correct use of python-ecdsa

59. Multibit / bitcoinj safe correct use of bouncycastle

60. Blockchain.info Unsafe relies on the browser RNG (if any!)

61. None

62. bitrated / bitcoinjs-lib Safe Hashes privkey, message and random

63. Armory unsafe (? - 90%) crypto++ seems to use a

    random value

64. Trezor Safe Implements RFC 6979

65. Q&A @filosottile filippo.io/hitb-slides