Exploiting ECDSA Failures in the Bitcoin Blockchain

Filippo Valsorda

October 15, 2014

Transcript

  1. Filippo Valsorda
    Exploiting ECDSA Failures in the Bitcoin Blockchain
    HITB2014KUL

  2. Filippo Valsorda
    CloudFlare security team
    @FiloSottile
    I mess with cryptography. And open source.
    filippo.io

  3. But you probably know me for this

  4. https://filippo.io/heartbleed

  5. Bitcoin

  6. A wallet
    Public key + Private key
    The address: hash ( public key )
    1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A

  7. A transaction
    A signed statement, published to the world and recorded in the blockchain
    “This money I can spend, can now be spent by Y”

  8. A: This money I can spend, can now be spent by X
    …: This money I can spend, can now be spent by …
    …: This money I can spend, can now be spent by …
    …: This money I can spend, can now be spent by …
    X: This money I can spend, can now be spent by Y
    …: This money I can spend, can now be spent by …
    …: This money I can spend, can now be spent by …
    Y has this money to spend

  9. A: This money I can spend, can now be spent by X
    Signed with A’s private key
    Hash of X’s public key

  10. Actually
    OP_DUP OP_HASH160

    OP_EQUALVERIFY OP_CHECKSIG

  12. ECDSA

  13. Elliptic Curve Digital Signature Algorithm
    An EC-based signature scheme
    As seen in TLS, DNSSEC, the PS3…

  14. A summary
    Global: point G on a curve
    Private key: a random number d
    Public key: d × G

  15. Signature
    e = hash(message)
    k = a random number
    (x, y) = k × G; r = x
    Sig: [r, (e + r*d)/k]

  16. Unless…
    Seems fine, right?
    What happens if that k is not random?

  17. If you reuse k
    k1 = k2
    (x, y) = k × G; r = x
    r1 = r2
    Sig1: [r, (e1 + r*d)/k]
    Sig2: [r, (e2 + r*d)/k]

  20. If you reuse k
    k = (e1 - e2) / [(e1 + r*d)/k - (e2 + r*d)/k]
    d = ([(e1 + r*d)/k]*k - e1) / r

  21. Boom.

  22. Imperialviolet

  23. Sony’s ECDSA code
    Wednesday, 29 December 2010

  25. The blockchain

  26. Reminder
    To spend money: the public key of the address; a signature w/ that key
    When money is moved a signature is published

  27. An easy search
    for block in chain:
        for tx in block:
            for input in tx:
                ...
    An input is money being spent in the tx

  28. An easy search
    Extract r from the signature;
    take note of where we found it in a lookup table;
    check if we found it before.

  29. Done!
    If anyone reuses k, we will find two equal r.

  30. Done!
    Well… No.
    I mean, yes, but there are 100M inputs in the blockchain.
    Out of memory! :(

  31. A smarter search
    First pass: filter the possible r.
    Add to a Bloom filter; if present, add to a set.
    Second pass: if r present in the set, export sig and pubkey.

  32. A smarter search
    [Diagram: Blockchain → Bloom filter → Set; r = 42 seen a second time]

  33. A smarter search
    [Diagram: Blockchain → Bloom filter lookup → r = 42 added to the Set]

  34. A smarter search
    [Diagram: Set (42, 19, 36) → Blockchain lookup → Final list: Sig, Pubkey, Tx…]

  35. Finally
    Group the list by (r, pubkey) and recover d from pairs of signatures!
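The two-pass scan on slides 27 to 35 as an added example (not the blockchainr code): a minimal Bloom filter, the candidate set from the first pass, and the second pass that groups full records by (r, pubkey). The list of inputs, its field layout and the sample values are constructed stand-ins for the blockchain.

```python
import hashlib
from collections import defaultdict

class BloomFilter:
    """Minimal Bloom filter over 256-bit integers (the r values)."""
    def __init__(self, m_bits, k_hashes):
        self.m, self.k = m_bits, k_hashes
        self.bits = bytearray((m_bits + 7) // 8)

    def _positions(self, r):
        # Two 128-bit halves of SHA-256 combined as h1 + i*h2 (double hashing)
        h = hashlib.sha256(r.to_bytes(32, "big")).digest()
        h1, h2 = int.from_bytes(h[:16], "big"), int.from_bytes(h[16:], "big")
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, r):
        for p in self._positions(r):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, r):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(r))

def find_reused_r(inputs, m_bits=1 << 20, k_hashes=4):
    """inputs: list of (txid, pubkey, (r, s)) for every spent input.
    Pass 1 keeps only the Bloom filter plus a small set of candidate r
    values; pass 2 re-reads the inputs and collects the full records."""
    bloom, candidates = BloomFilter(m_bits, k_hashes), set()
    for _txid, _pubkey, (r, _s) in inputs:           # pass 1
        if r in bloom:            # seen before (or a Bloom false positive)
            candidates.add(r)
        bloom.add(r)
    groups = defaultdict(list)
    for txid, pubkey, (r, s) in inputs:              # pass 2
        if r in candidates:
            groups[(r, pubkey)].append((txid, s))
    # Keeping only (r, pubkey) groups with >= 2 signatures drops Bloom false
    # positives and repeated r across unrelated keys, which slide 35 needs.
    return {key: sigs for key, sigs in groups.items() if len(sigs) >= 2}

# Constructed sample: five inputs, two from pubkey_A sharing r = 42.
SAMPLE_INPUTS = [
    ("tx1", "pubkey_A", (42, 1001)),
    ("tx2", "pubkey_B", (17, 1002)),
    ("tx3", "pubkey_A", (42, 1003)),
    ("tx4", "pubkey_C", (42, 1004)),   # same r, different key: not a pair
    ("tx5", "pubkey_B", (99, 1005)),
]
```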

  36. A ready-to-use tool
    Blockchainr
    github.com/filosottile/blockchainr

  37. Results

  38. https://filippo.io/hitb
    If you want to follow from home

  39. Does this happen?

  40. Does this happen?
    Yes.

  41. Vertical: address; Color: r

  42. Weird multisignature transactions

  43. 1KtjBE8yDxoqNTSyLG2re4qtKK19KpvVLT
    1BkE8ttBRUKVNTj3Lx1EPsw7vVbhuLZhBt

  44. Vertical: address; Color: r

  45. “gomez”
    1GozmcsMBC7bnMVUQLTKEw5vBxbSeG4erW / 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

  46. Repeated r in the same transaction

  47. https://bitcointalk.org/index.php?topic=271486
    “Bad signatures leading to 55.82152538 BTC theft (so far)”

  48. https://bitcointalk.org/index.php?topic=277595
    Blockchain.info security
    [FUNDS STOLEN]

  50. Nick Sullivan “exploiting randomness” demo

  53. The fix

  54. What’s needed
    k must be secret and unique
    Not necessarily random

  55. RFC 6979
    Generate k deterministically, as a function of private key and message.
    k = HMAC_DRBG ( d, H (m) )
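The RFC 6979 construction on slide 55 as an added example (not any wallet's code): the HMAC_DRBG procedure of RFC 6979 section 3.2, instantiated with SHA-256 for the secp256k1 group order, so that k = HMAC_DRBG(d, H(m)) can be reproduced offline from just the private key and the message hash.

```python
import hashlib
import hmac

# Order of secp256k1, the q of RFC 6979 for Bitcoin keys
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN, RLEN = N.bit_length(), (N.bit_length() + 7) // 8   # 256 bits, 32 bytes

def bits2int(b):
    """RFC 6979 2.3.2: the leftmost QLEN bits of b as an integer."""
    v = int.from_bytes(b, "big")
    return v >> (len(b) * 8 - QLEN) if len(b) * 8 > QLEN else v

def int2octets(x):
    """RFC 6979 2.3.3: fixed-width big-endian encoding of x mod q."""
    return x.to_bytes(RLEN, "big")

def bits2octets(b):
    """RFC 6979 2.3.4: reduce the hash mod q, then encode it."""
    return int2octets(bits2int(b) % N)

def rfc6979_k(d, h1, hashfn=hashlib.sha256):
    """HMAC_DRBG-based nonce: k depends only on the private key d and the
    message hash h1, so it never repeats for distinct messages and needs
    no RNG at signing time (RFC 6979 section 3.2, steps b to h)."""
    V = b"\x01" * hashfn().digest_size
    K = b"\x00" * hashfn().digest_size
    seed = int2octets(d) + bits2octets(h1)
    K = hmac.new(K, V + b"\x00" + seed, hashfn).digest()   # step d
    V = hmac.new(K, V, hashfn).digest()                    # step e
    K = hmac.new(K, V + b"\x01" + seed, hashfn).digest()   # step f
    V = hmac.new(K, V, hashfn).digest()                    # step g
    while True:                                            # step h
        T = b""
        while len(T) < RLEN:
            V = hmac.new(K, V, hashfn).digest()
            T += V
        k = bits2int(T)
        if 1 <= k < N:
            return k
        K = hmac.new(K, V + b"\x00", hashfn).digest()      # retry: reseed
        V = hmac.new(K, V, hashfn).digest()

def nonce_for(d, msg):
    """k = HMAC_DRBG(d, H(m)) as written on the slide, with H = SHA-256."""
    return rfc6979_k(d, hashlib.sha256(msg).digest())
```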

  56. Bitcoin Core
    unsafe: OpenSSL
    patch by AGL waiting on master

  58. Electrum
    safe since v1.9
    correct use of python-ecdsa

  59. MultiBit / bitcoinj
    safe
    correct use of BouncyCastle

  60. Blockchain.info
    Unsafe
    relies on the browser RNG (if any!)

  62. bitrated / bitcoinjs-lib
    Safe
    Hashes privkey, message and random

  63. Armory
    unsafe (? - 90%)
    Crypto++ seems to use a random value

  64. Trezor
    Safe
    Implements RFC 6979

  65. Q&A
    @filosottile
    filippo.io/hitb-slides