Filippo Valsorda
October 15, 2014

# Exploiting ECDSA Failures in the Bitcoin Blockchain


## Transcript

1. Filippo Valsorda
Exploiting ECDSA
Failures in the
Bitcoin Blockchain
HITB2014KUL

2. Filippo Valsorda
CloudFlare security team
@FiloSottile
I mess with cryptography.
And open source.
filippo.io

3. But you probably
know me for this

4. https://filippo.io/heartbleed

5. Bitcoin

6. A wallet
Public key + Private key
The address: hash(public key)
1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A

7. A transaction
A signed statement, published to the world and recorded in the blockchain
“This money I can spend, can now be spent by Y”

8. A: This money I can spend, can now be spent by X
…: This money I can spend, can now be spent by …
…: This money I can spend, can now be spent by …
…: This money I can spend, can now be spent by …
X: This money I can spend, can now be spent by Y
…: This money I can spend, can now be spent by …
…: This money I can spend, can now be spent by …
Y has this money to spend

9. A: This money I can spend, can now be spent by X
Signed with A’s private key
Hash of X’s public key

10. Actually
OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG

11. ECDSA

12. Elliptic Curve Digital Signature Algorithm
An EC-based signature scheme
As seen in TLS, DNSSEC, the PS3…

13. A summary
Global: point G on a curve
Private key: a random number d
Public key: d × G

14. Signature
e = hash(message)
k = a random number
(x, y) = k × G, r = x
Sig: [r, (e + r*d)/k]
(all arithmetic on k, r, d and e is mod n, the order of G)

15. Seems fine, right?
Unless…
What happens if that k is not random?

16. If you reuse k
k1 = k2
(x, y) = k × G, r = x
r1 = r2
Sig1: [r, (e1 + r*d)/k]
Sig2: [r, (e2 + r*d)/k]

19. If you reuse k
s1 = (e1 + r*d)/k,  s2 = (e2 + r*d)/k
s1 - s2 = (e1 - e2)/k
k = (e1 - e2) / (s1 - s2)
d = (s1*k - e1) / r

20. Boom.
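Worked example of slides 13 to 19, added here; it is not code from the talk or from Blockchainr. It writes out secp256k1 arithmetic in plain Python (an assumption made for readability: it is neither fast nor constant-time), signs two constructed messages with the same nonce k, and recovers d exactly as slide 19 derives it. The private key, the nonce and the two messages are constructed values, not real wallet material.

```python
# Worked example added here (not from the talk): ECDSA over secp256k1 with a
# reused nonce k, and recovery of the private key d from the two signatures.
# Curve arithmetic is spelled out so the slides can be followed line by line;
# it is not constant-time and not for production use.
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    return pow(a, -1, m)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def ec_mul(k, point):
    """Double-and-add scalar multiplication k * point."""
    result = None
    while k:
        if k & 1:
            result = ec_add(result, point)
        point = ec_add(point, point)
        k >>= 1
    return result


def sign(d, e, k):
    """ECDSA with the nonce k supplied by the caller, so a flawed signer can be modelled.
    Slide 14: (x, y) = k*G, r = x, s = (e + r*d)/k, all mod N."""
    r = ec_mul(k, G)[0] % N
    s = (e + r * d) * inv(k, N) % N
    return r, s


def verify(pub, e, sig):
    r, s = sig
    w = inv(s, N)
    x = ec_add(ec_mul(e * w % N, G), ec_mul(r * w % N, pub))[0] % N
    return x == r


def recover_private_key(e1, sig1, e2, sig2):
    """Slide 19: equal r means equal k, so k = (e1 - e2)/(s1 - s2) and d = (s1*k - e1)/r."""
    (r1, s1), (r2, s2) = sig1, sig2
    if r1 != r2:
        raise ValueError("r values differ: the nonce was not reused")
    k = (e1 - e2) * inv((s1 - s2) % N, N) % N
    d = (s1 * k - e1) * inv(r1, N) % N
    return k, d


def msg_hash(message):
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def demo():
    """Constructed key and nonce (not real wallet material); True if d is recovered."""
    d = 0x1E99423A4ED27608A15A2616A2B0E9E52CED330AC530EDCC32C8FFC6A526AEDD
    k = 0x2EDD5C7F9E3C5A7A6B4C5E9D8F1A0B2C3D4E5F60718293A4B5C6D7E8F90A1B2C
    pub = ec_mul(d, G)
    e1 = msg_hash(b"this money can now be spent by X")
    e2 = msg_hash(b"this money can now be spent by Y")
    sig1, sig2 = sign(d, e1, k), sign(d, e2, k)   # same k twice, so r1 == r2
    assert verify(pub, e1, sig1) and verify(pub, e2, sig2)
    k_rec, d_rec = recover_private_key(e1, sig1, e2, sig2)
    return (k_rec, d_rec) == (k, d)


if __name__ == "__main__":
    print("private key recovered:", demo())
```

The only thing the attacker needs is two signatures with equal r under the same public key and the two message hashes, all of which a Bitcoin transaction publishes; no property of the curve or of the hash is broken.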

21. Imperialviolet (screenshot)

22. Sony’s ECDSA code (screenshot)
Wednesday, 29 December 2010

23. The blockchain

24. Reminder
To spend money you publish:
the public key of the address;
a signature with that key.
When money is moved, a signature is published.

25. An easy search
for block in chain:
    for tx in block:
        for input in tx:
            ...
An input is money being spent in the tx.

26. An easy search
Extract r from the signature;
take note of where we found it in a lookup table;
check if we found it before.

27. Done!
If anyone reuses k, we will find two equal r.

28. Done!
Well… No.
I mean, yes, but there are 100M inputs in the blockchain.
Out of memory! :(

29. A smarter search
First pass: filter the possible r with a Bloom filter; if r is already present, add it to a (small) set, otherwise insert it into the filter.
Second pass: if r is present in the set, export the signature and the public key.

30-32. A smarter search (diagrams)
Blockchain → Bloom filter → Set → Final list (Sig, Pubkey, Tx…)
Walkthrough: r = 42 is seen twice, so it goes into the set and its signatures into the final list; the other r values shown (19, 36) appear once.

33. Finally
Group the list by (r, pubkey) and recover d from pairs of signatures!
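A worked version of the two-pass search on slides 29 to 33, added here as an illustration; it is not the Blockchainr code. The Bloom filter, the record layout (txid, idx, r, pubkey, s) and the six sample inputs are this example's own constructed assumptions; a real walk would decode r and the public key from each input's signature script.

```python
# Worked example added here (not the Blockchainr code): the two-pass search from
# slides 29-33. Pass 1 streams every input through a Bloom filter and keeps only
# the r values seen twice in a small set; pass 2 exports the matching inputs and
# groups them by (r, pubkey). Record layout and sample inputs are constructed.
import hashlib
from collections import defaultdict


class BloomFilter:
    """Bit-array Bloom filter: a lookup may give a false positive, never a false negative."""

    def __init__(self, size_bits, num_hashes):
        self.size = size_bits
        self.num_hashes = num_hashes
        self.bits = bytearray((size_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.num_hashes):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.size

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos // 8] |= 1 << (pos % 8)

    def __contains__(self, item):
        return all((self.bits[pos // 8] >> (pos % 8)) & 1 for pos in self._positions(item))


def first_pass(inputs):
    """Slide 29, pass 1: remember every r in the filter; an r already there goes into the set."""
    seen = BloomFilter(size_bits=1 << 20, num_hashes=4)
    suspects = set()
    for inp in inputs:
        if inp["r"] in seen:
            suspects.add(inp["r"])   # a real repeat, or a Bloom false positive; pass 2 decides
        else:
            seen.add(inp["r"])
    return suspects


def second_pass(inputs, suspects):
    """Slides 29 and 33, pass 2: export sig and pubkey for suspect r, group by (r, pubkey)."""
    groups = defaultdict(list)
    for inp in inputs:
        if inp["r"] in suspects:
            groups[(inp["r"], inp["pubkey"])].append(inp)
    # a Bloom false positive, or an r shared by two different keys, never forms a usable pair
    return {key: sigs for key, sigs in groups.items() if len(sigs) >= 2}


def find_nonce_reuse(inputs):
    return second_pass(inputs, first_pass(inputs))


def fake_r(label):
    """Constructed 32-byte r derived from a label; real r values come from DER-decoded signatures."""
    return hashlib.sha256(b"r:" + label).digest()


def build_sample_inputs():
    """Constructed stand-in for 'for block in chain / for tx in block / for input in tx'."""
    return [
        {"txid": "tx1", "idx": 0, "r": fake_r(b"unique-1"), "pubkey": "pubA", "s": 11},
        {"txid": "tx2", "idx": 0, "r": fake_r(b"reused"),   "pubkey": "pubA", "s": 12},
        {"txid": "tx3", "idx": 1, "r": fake_r(b"unique-2"), "pubkey": "pubB", "s": 13},
        {"txid": "tx4", "idx": 0, "r": fake_r(b"reused"),   "pubkey": "pubA", "s": 14},  # same key, same k
        {"txid": "tx5", "idx": 0, "r": fake_r(b"shared"),   "pubkey": "pubB", "s": 15},
        {"txid": "tx6", "idx": 0, "r": fake_r(b"shared"),   "pubkey": "pubC", "s": 16},  # same r, other key
    ]


if __name__ == "__main__":
    for (r, pubkey), sigs in find_nonce_reuse(build_sample_inputs()).items():
        print(pubkey, r.hex()[:16], [s["txid"] for s in sigs])
```

The memory cost of pass 1 is the fixed Bloom filter plus one set entry per repeated r, rather than one table entry per input, which is what makes the full scan fit. The len(sigs) >= 2 check at the end of pass 2 is what absorbs the filter's false positives, and grouping by (r, pubkey) drops the case where the same r shows up under two different keys, which gives two equations in three unknowns and does not leak either key on its own.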

34. A ready to use tool
Blockchainr
github.com/filosottile/blockchainr

35. Results

36. If you want to
https://filippo.io/hitb

37. Does this happen?

38. Does this happen?
Yes.

40. Weird multisignature transactions

41. 1KtjBE8yDxoqNTSyLG2re4qtKK19KpvVLT
1BkE8ttBRUKVNTj3Lx1EPsw7vVbhuLZhBt

43. “gomez”
1GozmcsMBC7bnMVUQLTKEw5vBxbSeG4erW / 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

44. Repeated r in the same transaction

45. https://bitcointalk.org/index.php?topic=271486
“55.82152538 BTC theft (so far)”

46. https://bitcointalk.org/index.php?topic=277595
Blockchain.info security
[FUNDS STOLEN]


48. Nick Sullivan, “Exploiting randomness” demo

49. The fix

50. What’s needed
k must be secret and unique
Not necessarily random

51. RFC 6979
Generate k deterministically, as a function of the private key and the message.
k = HMAC_DRBG(d, H(m))
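An implementation of the RFC 6979 nonce derivation on slide 51 for secp256k1, added here as an example; it is not code from the talk or from any of the wallets listed below. It follows section 3.2 of the RFC with HMAC-SHA256 as the HMAC_DRBG and takes the message rather than its hash (an assumption: the caller wants the hash computed here). The private keys and messages it is exercised with are constructed.

```python
# Worked example added here (not from the talk): deterministic ECDSA nonce
# generation per RFC 6979 section 3.2, with HMAC-SHA256, over the secp256k1
# group order. The same (d, message) always gives the same k; a different key
# or a different message gives an unrelated k, so r never repeats by accident.
import hashlib
import hmac

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order
QLEN = 256                                                             # bit length of N


def bits2int(b):
    """RFC 6979 bits2int: keep the leftmost QLEN bits of the byte string."""
    v = int.from_bytes(b, "big")
    excess = len(b) * 8 - QLEN
    return v >> excess if excess > 0 else v


def int2octets(x):
    return x.to_bytes((QLEN + 7) // 8, "big")


def bits2octets(b):
    return int2octets(bits2int(b) % N)


def _hmac(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()


def rfc6979_nonce(d, message):
    """Return k in [1, N-1] derived from the private key d and H(message)."""
    h1 = hashlib.sha256(message).digest()
    hlen = len(h1)
    v = b"\x01" * hlen
    key = b"\x00" * hlen
    # steps d-g: seed the DRBG with the private key and the message hash
    key = _hmac(key, v + b"\x00" + int2octets(d) + bits2octets(h1))
    v = _hmac(key, v)
    key = _hmac(key, v + b"\x01" + int2octets(d) + bits2octets(h1))
    v = _hmac(key, v)
    # step h: generate candidate k values until one lies in [1, N-1]
    while True:
        t = b""
        while len(t) * 8 < QLEN:
            v = _hmac(key, v)
            t += v
        k = bits2int(t)
        if 1 <= k < N:
            return k
        key = _hmac(key, v + b"\x00")   # candidate out of range: reseed and retry
        v = _hmac(key, v)


def nonces_distinct(d, messages):
    """True if every message in the list yields a different k under key d."""
    ks = [rfc6979_nonce(d, m) for m in messages]
    return len(set(ks)) == len(ks)


if __name__ == "__main__":
    k = rfc6979_nonce(1, b"constructed message")
    print(hex(k), k == rfc6979_nonce(1, b"constructed message"))
```

Because k depends only on d and H(m), a signer with no RNG at all (a browser without window.crypto, an embedded device like a hardware wallet) still never reuses k across different messages; signing the same message twice produces the same signature, which is harmless since it leaks nothing new. With d reduced to a single secret and k derived from it, the secret that slide 50 says must be unique is now a function of inputs the signer already controls.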

52. Bitcoin Core
Unsafe: OpenSSL
Patch by AGL waiting on master

53. Electrum
Safe since v1.9
Correct use of python-ecdsa

54. MultiBit / bitcoinj
Safe
Correct use of Bouncy Castle

55. Blockchain.info
Unsafe
Relies on the browser RNG (if any!)

56. Bitrated / bitcoinjs-lib
Safe
Hashes privkey, message and random

57. Armory
Unsafe (? - 90%)
Crypto++ seems to use a random value

58. Trezor
Safe
Implements RFC 6979

59. Q&A
@filosottile
filippo.io/hitb-slides