Slide 1

Slide 1 text

Filippo Valsorda: Exploiting ECDSA Failures in the Bitcoin Blockchain. HITB2014KUL

Slide 2

Slide 2 text

Filippo Valsorda, CloudFlare security team, @FiloSottile, filippo.io. I mess with cryptography. And open source.

Slide 3

Slide 3 text

But you probably know me for this

Slide 4

Slide 4 text

https://filippo.io/heartbleed

Slide 5

Slide 5 text

Bitcoin

Slide 6

Slide 6 text

A wallet: a public key + a private key. The address: hash(public key), e.g. 1DY5YvRxSwomrK7nELDZzAidQQ6ktjRR9A

Slide 7

Slide 7 text

A transaction: a signed statement, published to the world and recorded in the blockchain. “This money I can spend, can now be spent by Y”

Slide 8

Slide 8 text

A: This money I can spend, can now be spent by X
…: This money I can spend, can now be spent by …
…: This money I can spend, can now be spent by …
…: This money I can spend, can now be spent by …
X: This money I can spend, can now be spent by Y
…: This money I can spend, can now be spent by …
…: This money I can spend, can now be spent by …
Y has this money to spend

Slide 9

Slide 9 text

A: This money I can spend, can now be spent by X. Signed with A’s private key; “X” is the hash of X’s public key.

Slide 10

Slide 10 text

Actually: OP_DUP OP_HASH160 <pubKeyHash> OP_EQUALVERIFY OP_CHECKSIG (the standard pay-to-pubkey-hash script: duplicate the pushed public key, hash it, check it equals the address’s hash, then check the signature)

Slide 11

Slide 11 text

No content

Slide 12

Slide 12 text

ECDSA

Slide 13

Slide 13 text

Elliptic Curve Digital Signature Algorithm: an EC-based signature scheme, as seen in TLS, DNSSEC, the PS3…

Slide 14

Slide 14 text

A summary. Global: a point G on a curve. Private key: a random number d. Public key: d × G

Slide 15

Slide 15 text

Signature. e = hash(message); k = a random number; (x, y) = k × G; r = x. Sig: [r, (e + r·d)/k] (arithmetic mod n, the order of G; the second component is usually called s)

Slide 16

Slide 16 text

Seems fine, right? Unless… What happens if that k is not random?

Slide 17

Slide 17 text

If you reuse k: k1 = k2, so (x, y) = k × G is the same point and r = x gives r1 = r2. Sig1: [r, (e1 + r·d)/k]  Sig2: [r, (e2 + r·d)/k]

Slide 18

Slide 18 text

If you reuse k (highlighting r): k1 = k2, (x, y) = k × G, r = x, so r1 = r2. Sig1: [r, (e1 + r·d)/k]  Sig2: [r, (e2 + r·d)/k]. Both signatures share the same first component r, visible in public.

Slide 19

Slide 19 text

If you reuse k (highlighting s): k1 = k2, (x, y) = k × G, r = x, r1 = r2. Sig1: [r, (e1 + r·d)/k]  Sig2: [r, (e2 + r·d)/k]. The second components differ only in e1 vs e2.

Slide 20

Slide 20 text

If you reuse k (writing s1 = (e1 + r·d)/k and s2 = (e2 + r·d)/k for the second components of Sig1 and Sig2):
k = (e1 − e2) / [(e1 + r·d)/k − (e2 + r·d)/k] = (e1 − e2) / (s1 − s2)
d = ([(e1 + r·d)/k]·k − e1) / r = (s1·k − e1) / r
Everything on the right-hand side is public (e1, e2 are message hashes; r, s1, s2 are the signatures), so anyone can recover the private key.

Slide 21

Slide 21 text

Boom.

Slide 22

Slide 22 text

Imperialviolet

Slide 23

Slide 23 text

Sony’s ECDSA code. Wednesday, 29 December 2010

Slide 24

Slide 24 text

No content

Slide 25

Slide 25 text

the blockchain

Slide 26

Slide 26 text

Reminder: to spend money you publish the public key of the address and a signature with that key. So whenever money is moved, a signature is published.

Slide 27

Slide 27 text

An easy search. An input is money being spent in the tx.
for block in chain:
    for tx in block:
        for input in tx:
            ...

Slide 28

Slide 28 text

An easy search: extract r from the signature; take note of where we found it in a lookup table; check if we found it before.

Slide 29

Slide 29 text

Done! If anyone reuses k, we will find two equal r.

Slide 30

Slide 30 text

Done! Well… No. I mean, yes, but there are 100M inputs in the blockchain. Out of memory! :(

Slide 31

Slide 31 text

A smarter search. First pass: filter the possible r. Add each r to a Bloom filter; if it is already present, add it to a set. Second pass: if r is present in the set, export the signature and pubkey.

Slide 32

Slide 32 text

A smarter search (diagram): the blockchain feeds r values into the Bloom filter; when r = 42 is seen a second time it is added to the set.

Slide 33

Slide 33 text

A smarter search (diagram): each r from the blockchain is checked against the Bloom filter; 42 is already there (✓), so 42 goes into the set.

Slide 34

Slide 34 text

A smarter search (diagram): on the second pass, the blockchain is checked against the set (19, 36, 42); the matches for r = 42 are exported to the final list (Sig, Pubkey, Tx…).

Slide 35

Slide 35 text

Finally: group the list by (r, pubkey) and recover d from pairs of signatures!
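The two-pass search of slides 27 to 35 in code, as an added example (it is not blockchainr’s code, which is linked on the next slide). The input records are a constructed toy list with small integers for r and short labels for pubkeys and transactions; the Bloom filter is a plain bit array with SHA-256-derived positions. Recovering d from the resulting pairs is the algebra of slide 20 and is not repeated here.

```python
import hashlib
from collections import defaultdict


class BloomFilter:
    """Fixed-size bit array; each item sets n_hashes SHA-256-derived bits.
    Membership can be a false positive, never a false negative."""

    def __init__(self, n_bits, n_hashes=4):
        self.n_bits, self.n_hashes = n_bits, n_hashes
        self.bits = bytearray((n_bits + 7) // 8)

    def _positions(self, item):
        for i in range(self.n_hashes):
            h = hashlib.sha256(bytes([i]) + item).digest()
            yield int.from_bytes(h[:8], "big") % self.n_bits

    def add(self, item):
        for pos in self._positions(item):
            self.bits[pos >> 3] |= 1 << (pos & 7)

    def __contains__(self, item):
        return all(self.bits[pos >> 3] & (1 << (pos & 7)) for pos in self._positions(item))


# Constructed sample: one real reuse (r = 42 under pubkey A twice), one r shared
# by two different keys (r = 19 under B and C), and unique r values.
SAMPLE_INPUTS = [
    {"tx": "tx1", "r": 42, "s": 1001, "pubkey": "A"},
    {"tx": "tx2", "r": 19, "s": 1002, "pubkey": "B"},
    {"tx": "tx3", "r": 36, "s": 1003, "pubkey": "A"},
    {"tx": "tx4", "r": 42, "s": 1004, "pubkey": "A"},
    {"tx": "tx5", "r": 19, "s": 1005, "pubkey": "C"},
    {"tx": "tx6", "r": 77, "s": 1006, "pubkey": "D"},
]


def first_pass(inputs, n_bits=1 << 20):
    """Slide 31, pass 1: stream every r through the Bloom filter. Only r values
    that look seen-before go into the set, so memory is the fixed filter plus
    the (small) set of repeats, not one entry per input. A Bloom false positive
    can put a singleton r in the set; pass 2 and the grouping discard it."""
    bloom, repeated = BloomFilter(n_bits), set()
    for inp in inputs:
        r_bytes = inp["r"].to_bytes(32, "big")
        if r_bytes in bloom:
            repeated.add(inp["r"])
        else:
            bloom.add(r_bytes)
    return repeated


def second_pass(inputs, repeated):
    """Slide 31, pass 2: re-scan and export sig, pubkey, tx for every r in the set."""
    return [inp for inp in inputs if inp["r"] in repeated]


def find_reuse_pairs(inputs):
    """Slide 35: group the exported records by (r, pubkey). Groups of two or more
    are candidates for private-key recovery. Equal r under different pubkeys is
    still a red flag (shared RNG state) but is not directly solvable, so it is
    dropped here."""
    groups = defaultdict(list)
    for inp in second_pass(inputs, first_pass(inputs)):
        groups[(inp["r"], inp["pubkey"])].append(inp)
    return {key: recs for key, recs in groups.items() if len(recs) >= 2}


if __name__ == "__main__":
    for (r, pubkey), recs in find_reuse_pairs(SAMPLE_INPUTS).items():
        print(f"r={r} pubkey={pubkey}: {[rec['tx'] for rec in recs]}")
```

Sizing the filter is the practical knob: with 100M inputs, a bit array on the order of a gigabyte and a handful of hash functions keeps the false-positive rate low enough that the set stays small; every false positive costs only one spurious export in the second pass.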

Slide 36

Slide 36 text

Blockchainr: a ready-to-use tool. github.com/filosottile/blockchainr

Slide 37

Slide 37 text

Results

Slide 38

Slide 38 text

If you want to follow from home: https://filippo.io/hitb

Slide 39

Slide 39 text

Does this happen?

Slide 40

Slide 40 text

Does this happen? Yes.

Slide 41

Slide 41 text

(plot) Vertical axis: address. Color: r

Slide 42

Slide 42 text

Multisignature transactions (weird)

Slide 43

Slide 43 text

1KtjBE8yDxoqNTSyLG2re4qtKK19KpvVLT 1BkE8ttBRUKVNTj3Lx1EPsw7vVbhuLZhBt

Slide 44

Slide 44 text

(plot) Vertical axis: address. Color: r

Slide 45

Slide 45 text

“gomez” 1GozmcsMBC7bnMVUQLTKEw5vBxbSeG4erW / 1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj

Slide 46

Slide 46 text

Repeated r in the same transaction

Slide 47

Slide 47 text

“Bad signatures leading to 55.82152538 BTC theft (so far)”: https://bitcointalk.org/index.php?topic=271486

Slide 48

Slide 48 text

“Blockchain.info security [FUNDS STOLEN]”: https://bitcointalk.org/index.php?topic=277595

Slide 49

Slide 49 text

No content

Slide 50

Slide 50 text

Nick Sullivan’s “Exploiting randomness” demo

Slide 51

Slide 51 text

No content

Slide 52

Slide 52 text

No content

Slide 53

Slide 53 text

The fix

Slide 54

Slide 54 text

What’s needed: k must be secret and unique. Not necessarily random.

Slide 55

Slide 55 text

RFC 6979: generate k deterministically, as a function of the private key and the message. k = HMAC_DRBG(d, H(m))
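The RFC 6979 construction from this slide, as an added example written for this page (not the talk’s code nor any wallet’s): HMAC-SHA256 seeded from the private key and H(m), specialised to secp256k1, where the 256-bit digest already matches the order’s bit length. The test vector used below (private key 1, message “Satoshi Nakamoto”) is a widely circulated community vector for secp256k1, not something the slides give.

```python
import hashlib
import hmac

# Order of secp256k1 (Bitcoin's curve); RFC 6979 needs q and its byte length.
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN = 32  # bytes in q


def _bits2int(b):
    # RFC 6979 2.3.2: keep the leftmost qlen bits. A SHA-256 digest has
    # exactly 256 bits, so for secp256k1 this is just a big-endian decode.
    return int.from_bytes(b[:QLEN], "big")


def rfc6979_k(d, message, hashfn=hashlib.sha256):
    """Deterministic nonce, RFC 6979 section 3.2, HMAC-DRBG style.

    k depends only on (d, H(m)): the same key and message always give the
    same k, two different messages give different k, and no RNG is consulted,
    which is exactly what "secret and unique, not necessarily random" asks for.
    """
    if not 0 < d < N:
        raise ValueError("private key out of range")
    h1 = hashfn(message).digest()                       # step a: H(m)
    x = d.to_bytes(QLEN, "big")                         # int2octets(d)
    hm = (_bits2int(h1) % N).to_bytes(QLEN, "big")      # bits2octets(h1)
    V = b"\x01" * 32                                    # step b
    K = b"\x00" * 32                                    # step c
    K = hmac.new(K, V + b"\x00" + x + hm, hashfn).digest()  # step d
    V = hmac.new(K, V, hashfn).digest()                     # step e
    K = hmac.new(K, V + b"\x01" + x + hm, hashfn).digest()  # step f
    V = hmac.new(K, V, hashfn).digest()                     # step g
    while True:                                             # step h
        V = hmac.new(K, V, hashfn).digest()                 # T = V (one block fills qlen)
        k = _bits2int(V)
        if 0 < k < N:
            return k
        # Candidate out of [1, q-1]: ratchet K and V and try again (h.3).
        K = hmac.new(K, V + b"\x00", hashfn).digest()
        V = hmac.new(K, V, hashfn).digest()


if __name__ == "__main__":
    print(hex(rfc6979_k(1, b"Satoshi Nakamoto")))
```

The derived k still feeds the ordinary ECDSA signing equation; only the source of k changes. Because the output is a function of the private key, an attacker who can see r = x(k·G) learns nothing new, and signing the same message twice simply yields the same signature rather than two signatures with a shared k.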

Slide 56

Slide 56 text

Bitcoin Core: unsafe. OpenSSL patch by AGL waiting on master.

Slide 57

Slide 57 text

No content

Slide 58

Slide 58 text

Electrum: safe since v1.9 (correct use of python-ecdsa)

Slide 59

Slide 59 text

MultiBit / bitcoinj: safe (correct use of BouncyCastle)

Slide 60

Slide 60 text

Blockchain.info: unsafe; relies on the browser RNG (if any!)

Slide 61

Slide 61 text

No content

Slide 62

Slide 62 text

Bitrated / bitcoinjs-lib: safe; hashes privkey, message and random

Slide 63

Slide 63 text

Armory: unsafe (? - 90%); Crypto++ seems to use a random value

Slide 64

Slide 64 text

Trezor: safe; implements RFC 6979

Slide 65

Slide 65 text

Q&A. @filosottile, filippo.io/hitb-slides