Exploiting ECDSA Failures in the Bitcoin Blockchain


Filippo Valsorda

October 15, 2014

Transcript

Slide 6: A wallet: public key + private key. The address: hash(public key), for example 1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A

Slide 7: A transaction: a signed statement, published to the world and recorded in the blockchain. "This money I can spend, can now be spent by Y"

Slide 8:
    A: This money I can spend, can now be spent by X
    ...: This money I can spend, can now be spent by ...
    ...: This money I can spend, can now be spent by ...
    ...: This money I can spend, can now be spent by ...
    X: This money I can spend, can now be spent by Y
    ...: This money I can spend, can now be spent by ...
    ...: This money I can spend, can now be spent by ...
    Y has this money to spend

Slide 9: A: This money I can spend, can now be spent by X (signed with A's private key; X is given as the hash of X's public key)
Slide 13: Elliptic Curve Digital Signature Algorithm: an EC-based signature scheme, as seen in TLS, DNSSEC, the PS3...

Slide 14: A summary. Global: a point G on a curve. Private key: a random number d. Public key: d X G.

Slide 15: e = hash(message); k = a random number; (x, y) = k X G; r = x. Signature Sig: [r, (e + r*d)/k]

Slides 17-19: If you reuse k: k1 = k2, so (x, y) = k X G is the same point, r = x, and r1 = r2.
    Sig1: [r, (e1 + r*d)/k]
    Sig2: [r, (e2 + r*d)/k]
(Slide 18 highlights the shared r; slide 19 highlights the two second components, which contain the same k and d.)

Slide 20: If you reuse k:
    k = (e1 - e2) / [(e1 + r*d)/k - (e2 + r*d)/k]
    d = ([(e1 + r*d)/k] * k - e1) / r
Slide 23: Sony's ECDSA code (Wednesday, 29 December 2010)
Slide 26: Reminder: when money is moved, a signature is published. To spend money you need the public key of the address and a signature with that key.

Slide 27: An easy search. An input is money being spent in the tx.
    for block in chain:
        for tx in block:
            for input in tx:
                ...

Slide 28: An easy search: extract r from the signature; take note of where we found it in a lookup table; check if we found it before.

Slide 30: Done! Well... No. I mean, yes, but there are 100M inputs in the blockchain. Out of memory! :(

Slide 31: A smarter search. First pass: filter the possible r: add each r to a Bloom filter; if it is already present, add it to a set. Second pass: if r is present in the set, export the signature and pubkey.

Slides 32-34: A smarter search (diagram): blockchain -> Bloom filter (r = 42 seen, then r = 42 seen again) -> set {42, 19, 36} -> second pass checks each input's r against the set -> final list: Sig, Pubkey, Tx...
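The derivation of slides 15-20 and the r lookup of slide 28, carried out in code as an added example (not code from the talk): two constructed messages are signed under one deliberately reused k on secp256k1, the repeated r is found the way the easy search finds it, and d is recovered with the slide-20 formulas. The curve constants are the real secp256k1 parameters; the key, nonce and messages are constructed sample values, and k is an explicit parameter of sign() only so that the reuse can be reproduced on purpose. It shows why a single repeated r in the scan is a complete compromise of the signing key.

```python
import hashlib
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,  # base point
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):  # affine point addition; None is the point at infinity
    if p1 is None or p2 is None:
        return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P            # tangent slope (doubling)
    else:
        lam = (y2 - y1) * pow((x2 - x1) % P, -1, P) % P        # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, point):  # double-and-add scalar multiplication: k X point
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result

def sign(d, message, k):
    # Slide 15: e = hash(m), (x, y) = k X G, r = x, Sig = [r, (e + r*d)/k] (mod N).
    e = int.from_bytes(hashlib.sha256(message).digest(), "big") % N
    r = ec_mul(k, G)[0] % N
    s = (e + r * d) * pow(k, -1, N) % N
    return (r, s, e)

def find_reused_r(inputs):
    # Slide 28: note where each r was found and report every r seen more than once.
    seen = {}
    for idx, (r, _s, _e) in enumerate(inputs):
        seen.setdefault(r, []).append(idx)
    return {r: idxs for r, idxs in seen.items() if len(idxs) > 1}

def recover_private_key(sig1, sig2):
    # Slide 20: k = (e1 - e2)/(s1 - s2), then d = (s1*k - e1)/r, all mod N.
    (r, s1, e1), (_, s2, e2) = sig1, sig2
    if (s1 - s2) % N == 0:  # same e under the same k: identical signatures, nothing to divide by
        return None
    k = (e1 - e2) * pow((s1 - s2) % N, -1, N) % N
    d = (s1 * k - e1) * pow(r, -1, N) % N
    return k, d
```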
Slide 55: Generate k deterministically, as a function of the private key and the message. RFC 6979: k = HMAC_DRBG(d, H(m))