1
00:00:00,000 --> 00:00:10,200
A warm welcome to Filippo Valsorda and
2
00:00:02,280 --> 00:00:12,540
Ryan Castellucci. I'd like to start out by
3
00:00:10,200 --> 00:00:15,059
thanking everyone for coming to our talk
4
00:00:12,540 --> 00:00:17,369
I'm Ryan Castellucci. I work for a
5
00:00:15,059 --> 00:00:20,850
company called White Ops, but this is
6
00:00:17,369 --> 00:00:23,279
just a side project. At DEF CON 23 I gave
7
00:00:20,850 --> 00:00:27,420
a talk called Cracking Cryptocurrency
8
00:00:23,279 --> 00:00:30,000
Brain Wallets, and since then I've
9
00:00:27,420 --> 00:00:34,860
co-authored a couple of papers about
10
00:00:30,000 --> 00:00:36,840
Bitcoin cracking. So hi, I'm Filippo Valsorda,
11
00:00:34,860 --> 00:00:39,420
I work at Cloudflare, but just as
12
00:00:36,840 --> 00:00:42,120
above, this is a completely personal side
13
00:00:39,420 --> 00:00:44,610
project. At the last Hack In The Box
14
00:00:42,120 --> 00:00:48,000
Kuala Lumpur I spoke about using ECDSA
15
00:00:44,610 --> 00:00:52,289
mistakes to compromise Bitcoin private
16
00:00:48,000 --> 00:00:54,629
keys. Now we all know that math is scary
17
00:00:52,289 --> 00:00:56,219
and dangerous, and if you ever
18
00:00:54,629 --> 00:01:01,559
see someone doing math you should say
19
00:00:56,219 --> 00:01:03,480
something, right? Good. But how is
20
00:01:01,559 --> 00:01:06,270
math exactly dangerous for Bitcoin?
21
00:01:03,480 --> 00:01:08,220
Obviously to understand this we need to
22
00:01:06,270 --> 00:01:11,640
understand a bit more about how Bitcoin
23
00:01:08,220 --> 00:01:15,000
works. Now these are the fundamental
24
00:01:11,640 --> 00:01:17,369
pieces of Bitcoin. You start with a
25
00:01:15,000 --> 00:01:21,840
private key, which is nothing else than
26
00:01:17,369 --> 00:01:25,290
random bytes and you convert that into a
27
00:01:21,840 --> 00:01:27,570
public key using some crypto black magic
28
00:01:25,290 --> 00:01:30,689
that I'm not gonna go into the details
29
00:01:27,570 --> 00:01:32,460
of right now and then you hash that
30
00:01:30,689 --> 00:01:36,298
public key to get an address
31
00:01:32,460 --> 00:01:38,399
Now that you have an address, you
32
00:01:36,299 --> 00:01:40,259
can use it to receive Bitcoin from other
33
00:01:38,400 --> 00:01:43,619
people because people can use this
34
00:01:40,259 --> 00:01:47,820
address to send bitcoins they own
35
00:01:43,619 --> 00:01:50,250
themselves to you. All these addresses
36
00:01:47,820 --> 00:01:52,710
are published on the Bitcoin public
37
00:01:50,250 --> 00:01:55,170
ledger, which is called the blockchain. So
38
00:01:52,710 --> 00:01:59,009
every time an address receives some
39
00:01:55,170 --> 00:02:03,540
money, some Bitcoin, that is locked
40
00:01:59,009 --> 00:02:07,170
on this append-only blockchain, and
41
00:02:03,540 --> 00:02:10,110
anyone has a complete idea at any time
42
00:02:07,170 --> 00:02:12,900
of all the addresses that hold any balance.
43
00:02:10,110 --> 00:02:15,120
Now whoever has
44
00:02:12,900 --> 00:02:17,700
the private key that generated this
45
00:02:15,120 --> 00:02:20,700
address can use this private key to
46
00:02:17,700 --> 00:02:23,548
spend the Bitcoin it just received on
47
00:02:20,700 --> 00:02:25,048
that address. So far so good, this is probably
48
00:02:23,549 --> 00:02:28,140
something you already knew about Bitcoin
49
00:02:25,049 --> 00:02:30,930
and so obviously you can also imagine
50
00:02:28,140 --> 00:02:35,189
that if what we want to do is
51
00:02:30,930 --> 00:02:38,250
steal Bitcoin without literally just
52
00:02:35,189 --> 00:02:42,030
hacking into the server that stores them
53
00:02:38,250 --> 00:02:44,220
or buying a five-dollar
54
00:02:42,030 --> 00:02:47,069
wrench to get them out of the person
55
00:02:44,220 --> 00:02:50,040
that owns the bitcoins, what we want to
56
00:02:47,069 --> 00:02:53,849
do is to somehow compromise or guess or
57
00:02:50,040 --> 00:02:55,739
figure out the private key. And here
58
00:02:53,849 --> 00:02:59,310
obviously the simplest thing that could
59
00:02:55,739 --> 00:03:02,579
work is to just try them all, so
60
00:02:59,310 --> 00:03:05,189
now you start with the private key
61
00:03:02,579 --> 00:03:09,090
number one because the private key
62
00:03:05,189 --> 00:03:10,799
number 0 is not valid, and you do the crypto
63
00:03:09,090 --> 00:03:13,829
black magic, you get the public key,
64
00:03:10,799 --> 00:03:16,290
you hash it into an address, you go to the
65
00:03:13,829 --> 00:03:20,340
blockchain and you check if that private
66
00:03:16,290 --> 00:03:21,900
key holds any balance, and then you
67
00:03:20,340 --> 00:03:24,810
do the same for two, you do the same for
68
00:03:21,900 --> 00:03:26,489
three. Now I swear that this is not all
69
00:03:24,810 --> 00:03:27,959
the talk is about we're not here to tell
70
00:03:26,489 --> 00:03:29,250
you that you can just go over all the
71
00:03:27,959 --> 00:03:32,489
private keys and steal everybody's
72
00:03:29,250 --> 00:03:38,639
Bitcoin but stupid things sometimes
73
00:03:32,489 --> 00:03:40,290
actually work. As part of my DEF CON talk
74
00:03:38,639 --> 00:03:42,239
I released a tool called brainflayer
75
00:03:40,290 --> 00:03:44,819
which was used for cracking brain
76
00:03:42,239 --> 00:03:46,799
wallets but I've since modified it so
77
00:03:44,819 --> 00:03:50,518
that it can also do this attack and
78
00:03:46,799 --> 00:03:52,530
sometimes, as we said,
79
00:03:50,519 --> 00:03:58,919
doing a stupid thing really fast is a
80
00:03:52,530 --> 00:04:03,419
decent attack. So I did a scan, we
81
00:03:58,919 --> 00:04:06,930
actually did find some results. I don't know if
82
00:04:03,419 --> 00:04:08,459
I'd say I was surprised, but results. I
83
00:04:06,930 --> 00:04:10,590
went through about the first hundred and
84
00:04:08,459 --> 00:04:12,090
fifty billion possible keys got a
85
00:04:10,590 --> 00:04:15,449
hundred and forty-nine hits. This was
86
00:04:12,090 --> 00:04:17,548
back in February. One interesting thing I
87
00:04:15,449 --> 00:04:20,039
noticed is that there were a lot of
88
00:04:17,548 --> 00:04:22,710
patterns that looked kind of like people
89
00:04:20,039 --> 00:04:24,539
were deliberately leaving Bitcoin around
90
00:04:22,710 --> 00:04:27,989
playfully to
91
00:04:24,540 --> 00:04:31,530
see who would take it and that's really
92
00:04:27,990 --> 00:04:33,480
interesting, because from some of that I
93
00:04:31,530 --> 00:04:37,469
was able to infer that somebody has
94
00:04:33,480 --> 00:04:41,700
actually tried guessing the first seven
95
00:04:37,470 --> 00:04:43,740
hundred trillion keys and it looks like
96
00:04:41,700 --> 00:04:46,349
it was over the course of less than a
97
00:04:43,740 --> 00:04:48,540
year, so I'm guessing they have something
98
00:04:46,350 --> 00:04:52,860
faster than brainflayer, probably a big ol'
99
00:04:48,540 --> 00:04:56,490
botnet or a GPU cracker but the highest
100
00:04:52,860 --> 00:04:58,500
possible private key is really really
101
00:04:56,490 --> 00:05:05,640
big. I don't know that we have a word for
102
00:04:58,500 --> 00:05:09,570
this number, but it's large. Um, so you know
103
00:05:05,640 --> 00:05:11,849
sequentially searching keys got old and
104
00:05:09,570 --> 00:05:16,380
what's the next thing that I can do that
105
00:05:11,850 --> 00:05:20,550
is also dumb but slightly more creative?
106
00:05:16,380 --> 00:05:23,219
Well, patterns. So this first one appears
107
00:05:20,550 --> 00:05:27,240
to have been generated by taking the
108
00:05:23,220 --> 00:05:28,920
string 1234 in ASCII and using it as the
109
00:05:27,240 --> 00:05:31,890
least significant bits of the private
110
00:05:28,920 --> 00:05:35,250
key. These are all real private keys that
111
00:05:31,890 --> 00:05:38,159
were really associated with Bitcoin at
112
00:05:35,250 --> 00:05:41,730
some point. They're all long since empty
113
00:05:38,160 --> 00:05:43,050
though. So I tried putting strings in,
114
00:05:41,730 --> 00:05:45,420
that didn't really work.
115
00:05:43,050 --> 00:05:49,980
I tried keys that only had a few bits
116
00:05:45,420 --> 00:05:54,600
set, that got a few. Some stupid patterns,
117
00:05:49,980 --> 00:05:55,860
you know, starting with 42. 42 is a great
118
00:05:54,600 --> 00:06:01,620
number.
119
00:05:55,860 --> 00:06:03,600
Yeah, patterns. And so that got old too, so
120
00:06:01,620 --> 00:06:07,290
I had to get a little creative again to
121
00:06:03,600 --> 00:06:09,270
find more things. Again, these are all
122
00:06:07,290 --> 00:06:11,190
real private keys that really were
123
00:06:09,270 --> 00:06:16,169
associated with bitcoins at some point.
124
00:06:11,190 --> 00:06:17,610
So the format of addresses you see are
125
00:06:16,170 --> 00:06:20,370
actually what's used in the Bitcoin
126
00:06:17,610 --> 00:06:23,040
protocol, there's actually a raw format,
127
00:06:20,370 --> 00:06:24,960
so I took all of the raw format
128
00:06:23,040 --> 00:06:28,140
addresses and tried them as the least
129
00:06:24,960 --> 00:06:29,700
significant bits of private keys and I
130
00:06:28,140 --> 00:06:32,490
got hits there too.
131
00:06:29,700 --> 00:06:39,389
I don't know why.
132
00:06:32,490 --> 00:06:41,819
Um, and then I tried, this is a little
133
00:06:39,389 --> 00:06:44,699
out of scope of the talk but every block
134
00:06:41,819 --> 00:06:46,770
in the blockchain has a specific hash. I
135
00:06:44,699 --> 00:06:49,680
tried running all of those through, I got
136
00:06:46,770 --> 00:06:52,229
hits there too. Then I just tried
137
00:06:49,680 --> 00:06:54,599
dumping the entire blockchain, each
138
00:06:52,229 --> 00:06:57,870
offset one byte at a time, through there,
139
00:06:54,599 --> 00:06:59,039
that got hits as well, and I don't even
140
00:06:57,870 --> 00:07:04,889
know what those are.
141
00:06:59,039 --> 00:07:07,680
OK, so this was all fun and laughs, but
142
00:07:04,889 --> 00:07:10,650
obviously just searching the entire
143
00:07:07,680 --> 00:07:13,470
private key space sequentially or by
144
00:07:10,650 --> 00:07:16,560
shooting in the dark is not exactly
145
00:07:13,470 --> 00:07:18,840
something we can keep doing. So we need
146
00:07:16,560 --> 00:07:21,389
something to limit the search space of
147
00:07:18,840 --> 00:07:22,979
possible private keys, and when you're
148
00:07:21,389 --> 00:07:25,080
looking for that, something that is very
149
00:07:22,979 --> 00:07:27,990
useful to know about is brain wallets.
150
00:07:25,080 --> 00:07:30,750
Now the idea of brain wallets is to
151
00:07:27,990 --> 00:07:33,569
be able to control some money some
152
00:07:30,750 --> 00:07:36,690
Bitcoin, with just something that you can
153
00:07:33,569 --> 00:07:38,340
keep in your head, and this may seem like a
154
00:07:36,690 --> 00:07:41,849
good idea because nobody can read your
155
00:07:38,340 --> 00:07:44,190
mind, right? But as we learned, a fast
156
00:07:41,849 --> 00:07:46,409
computer can probably take a very
157
00:07:44,190 --> 00:07:48,000
good guess at anything that you are able
158
00:07:46,409 --> 00:07:51,570
to remember yourself.
159
00:07:48,000 --> 00:07:54,539
So how brain wallets work is that they
160
00:07:51,570 --> 00:07:57,599
just add another step in the derivation
161
00:07:54,539 --> 00:07:59,669
process we've seen before. So to generate
162
00:07:57,599 --> 00:08:01,919
the private key they just take some
163
00:07:59,669 --> 00:08:03,690
memorable string like "correct horse
164
00:08:01,919 --> 00:08:07,440
battery staple" or whatever you're using
165
00:08:03,690 --> 00:08:09,539
and hash it to get a private key that
166
00:08:07,440 --> 00:08:11,669
then is used to generate the public
167
00:08:09,539 --> 00:08:14,699
key, to derive the address which they use
168
00:08:11,669 --> 00:08:17,159
to receive money and then by just
169
00:08:14,699 --> 00:08:18,509
remembering that string you can move
170
00:08:17,159 --> 00:08:19,590
that money and use it to pay for
171
00:08:18,509 --> 00:08:25,050
something else.
172
00:08:19,590 --> 00:08:29,159
Sure, that you're using passwords to
173
00:08:25,050 --> 00:08:31,469
save money is already kinda unsettling,
174
00:08:29,159 --> 00:08:33,659
but since we've learned so much about
175
00:08:31,469 --> 00:08:35,789
password storage and how to make sure that
176
00:08:33,659 --> 00:08:36,510
database dumps are not cracked, you'd
177
00:08:35,789 --> 00:08:38,819
think
178
00:08:36,510 --> 00:08:42,059
well, obviously they used something
179
00:08:38,820 --> 00:08:44,730
slow, something like bcrypt or scrypt,
180
00:08:42,059 --> 00:08:45,520
that is hard to brute force, right? You'd be
181
00:08:44,730 --> 00:08:50,410
wrong.
182
00:08:45,520 --> 00:08:58,090
They use SHA-256, a perfectly cromulent
183
00:08:50,410 --> 00:09:01,000
hash algorithm. So for my DEF CON talk I
184
00:08:58,090 --> 00:09:02,650
did a bunch of research into cracking
185
00:09:01,000 --> 00:09:04,210
brain wallets and I went through the
186
00:09:02,650 --> 00:09:07,180
transaction history of a lot of them
187
00:09:04,210 --> 00:09:10,120
that I was able to find. "Correct horse
188
00:09:07,180 --> 00:09:12,760
battery staple" was in fact used, it's had
189
00:09:10,120 --> 00:09:16,300
about 15 bitcoins go through it, give or
190
00:09:12,760 --> 00:09:19,030
take, and over four thousand
191
00:09:16,300 --> 00:09:21,010
transactions. There's a complicated
192
00:09:19,030 --> 00:09:23,680
reason for that if you want to know why
193
00:09:21,010 --> 00:09:27,880
find me later. Then "bitcoin is awesome"
194
00:09:23,680 --> 00:09:31,719
had 500 Bitcoin put into it at once and
195
00:09:27,880 --> 00:09:33,460
then somebody else found it, and
196
00:09:31,720 --> 00:09:37,120
whoever put it there originally was sad.
197
00:09:33,460 --> 00:09:41,920
My favorite though is the empty string.
198
00:09:37,120 --> 00:09:44,680
Nobody would ever guess that one. Ah, that
199
00:09:41,920 --> 00:09:48,400
has had almost 60 Bitcoin go through it,
200
00:09:44,680 --> 00:09:51,699
and fifty of it was all at once. Somebody
201
00:09:48,400 --> 00:09:52,959
had a really bad day because it was
202
00:09:51,700 --> 00:09:55,570
stolen instantly.
203
00:09:52,960 --> 00:09:58,450
"The quick brown fox jumped over the lazy
204
00:09:55,570 --> 00:10:03,910
dog" has had about a hundred Bitcoin go
205
00:09:58,450 --> 00:10:08,290
through it. So yeah, people do some things.
206
00:10:03,910 --> 00:10:10,390
Um, so of course I'm not the only one
207
00:10:08,290 --> 00:10:12,610
who's had this idea there are plenty of
208
00:10:10,390 --> 00:10:16,150
other people who have gone through with
209
00:10:12,610 --> 00:10:19,600
quite extensive dictionaries and guessed
210
00:10:16,150 --> 00:10:22,630
brain wallets. This fellow was active on
211
00:10:19,600 --> 00:10:26,290
Reddit and the Bitcoin forums for a while,
212
00:10:22,630 --> 00:10:28,330
he would crack the addresses, sweep them
213
00:10:26,290 --> 00:10:31,209
off for safekeeping.
214
00:10:28,330 --> 00:10:34,420
I have no idea how much he actually kept,
215
00:10:31,210 --> 00:10:35,890
but any time somebody would complain
216
00:10:34,420 --> 00:10:38,319
about getting their brain wallet ripped
217
00:10:35,890 --> 00:10:41,710
off, if he had the key he'd show up
218
00:10:38,320 --> 00:10:46,120
and offer to return it.
219
00:10:41,710 --> 00:10:48,520
Some people were not so nice. This other
220
00:10:46,120 --> 00:10:50,500
fellow came on reddit to complain
221
00:10:48,520 --> 00:10:53,890
because that's what people do on Reddit,
222
00:10:50,500 --> 00:10:55,860
he lost four bitcoins out of his brain
223
00:10:53,890 --> 00:11:00,510
wallet, and the passphrase was a
224
00:10:55,860 --> 00:11:02,940
line from an obscure poem in Afrikaans, so
225
00:11:00,510 --> 00:11:05,189
somebody had some pretty serious
226
00:11:02,940 --> 00:11:11,339
dictionaries they were throwing at this,
227
00:11:05,190 --> 00:11:13,290
which is really interesting. And if you're
228
00:11:11,339 --> 00:11:15,510
curious what sort of performance can be
229
00:11:13,290 --> 00:11:18,180
done with this, brainflayer itself in the
230
00:11:15,510 --> 00:11:20,250
latest version, the biggest job I've
231
00:11:18,180 --> 00:11:22,739
run with it was checking all six-
232
00:11:20,250 --> 00:11:24,240
character ASCII passwords, that ended up
233
00:11:22,740 --> 00:11:27,480
being a search space of a little less
234
00:11:24,240 --> 00:11:30,540
than 750 billion. I did that in less than
235
00:11:27,480 --> 00:11:42,060
24 hours for fifty dollars on Amazon's
236
00:11:30,540 --> 00:11:44,819
cloud computing service. So to hammer
237
00:11:42,060 --> 00:11:47,219
in the point of how dangerous it is to
238
00:11:44,820 --> 00:11:49,170
essentially take a password hash that is
239
00:11:47,220 --> 00:11:52,440
completely public because it's in the block-
240
00:11:49,170 --> 00:11:55,380
chain and put money on it after not
241
00:11:52,440 --> 00:11:57,690
even using scrypt, we're gonna do the
242
00:11:55,380 --> 00:12:00,870
manual stage. So what we're going to run
243
00:11:57,690 --> 00:12:02,339
here is a simple script that now will
244
00:12:00,870 --> 00:12:05,370
generate a brain wallet,
245
00:12:02,339 --> 00:12:07,890
we type a short enough key, that's the
246
00:12:05,370 --> 00:12:10,740
brain wallet password, and it will send
247
00:12:07,890 --> 00:12:12,149
some money to it, and if the demo gods
248
00:12:10,740 --> 00:12:15,810
are with us...
249
00:12:12,149 --> 00:12:19,740
OK, so this is the blockchain.info
250
00:12:15,810 --> 00:12:21,779
page, and this is our transaction
251
00:12:19,740 --> 00:12:23,940
that just deposited some money in this
252
00:12:21,779 --> 00:12:25,260
very vulnerable brain wallet. It's
253
00:12:23,940 --> 00:12:28,290
now currently spreading through the
254
00:12:25,260 --> 00:12:29,760
network and with a little luck somebody
255
00:12:28,290 --> 00:12:32,250
will be watching.
256
00:12:29,760 --> 00:12:38,189
Obviously nothing can happen... here we go.
257
00:12:32,250 --> 00:12:39,660
Alright, yeah, yeah, I'm sure this guy
258
00:12:38,190 --> 00:12:40,680
loves us, he's been stealing our test
259
00:12:39,660 --> 00:12:41,439
wallets all day.
260
00:12:40,680 --> 00:12:49,930
No, no.
261
00:12:41,440 --> 00:12:54,250
OK, obviously nobody can compute all the
262
00:12:49,930 --> 00:12:55,180
ASCII five-character phrases in such a
263
00:12:54,250 --> 00:12:56,770
short time.
264
00:12:55,180 --> 00:13:01,510
So what happened here probably is that
265
00:12:56,770 --> 00:13:04,930
they have a huge, huge database
266
00:13:01,510 --> 00:13:07,630
of all the possible addresses and mapped
267
00:13:04,930 --> 00:13:08,859
to the original private keys, so that as
268
00:13:07,630 --> 00:13:12,010
soon as they see a transaction
269
00:13:08,860 --> 00:13:13,720
depositing money in such an
270
00:13:12,010 --> 00:13:16,480
address they can immediately
271
00:13:13,720 --> 00:13:18,670
it took 40 seconds or less, steal the
272
00:13:16,480 --> 00:13:19,270
money that was deposited in it. Sadly
273
00:13:18,670 --> 00:13:21,339
enough,
274
00:13:19,270 --> 00:13:23,949
it used to be that even stronger
275
00:13:21,340 --> 00:13:24,730
brain wallets would be stolen on the fly, and
276
00:13:23,950 --> 00:13:26,590
instead,
277
00:13:24,730 --> 00:13:29,080
right now we still have some money on a
278
00:13:26,590 --> 00:13:30,700
six-character brain wallet that
279
00:13:29,080 --> 00:13:31,930
nobody has swept, which was kind of
280
00:13:30,700 --> 00:13:33,910
disappointing.
281
00:13:31,930 --> 00:13:35,739
Anyway, this guy was not disappointed,
282
00:13:33,910 --> 00:13:39,880
because you can see that it has four
283
00:13:35,740 --> 00:13:43,060
Bitcoin, and that means, just since
284
00:13:39,880 --> 00:13:44,860
November 2015, that's currently worth
285
00:13:43,060 --> 00:13:48,489
about three thousand dollars.
286
00:13:44,860 --> 00:13:50,650
OK, so now the point:
287
00:13:48,490 --> 00:13:53,890
we shouldn't be using passwords to
288
00:13:50,650 --> 00:13:55,329
save money on them after they
289
00:13:53,890 --> 00:13:59,949
get published.
290
00:13:55,330 --> 00:14:02,620
Good. So brainwallet.org had this other
291
00:13:59,950 --> 00:14:05,350
button that inspired so much more
292
00:14:02,620 --> 00:14:06,940
trust. This random button, a random
293
00:14:05,350 --> 00:14:08,950
private key is definitely something that
294
00:14:06,940 --> 00:14:12,250
nobody can figure out because the
295
00:14:08,950 --> 00:14:14,260
search space is so vast, right? So what you
296
00:14:12,250 --> 00:14:16,540
will do instead of making a brain wallet
297
00:14:14,260 --> 00:14:19,390
with "correct horse battery staple" is that
298
00:14:16,540 --> 00:14:21,819
you click the random button and you
299
00:14:19,390 --> 00:14:25,330
write down the private key.
300
00:14:21,820 --> 00:14:27,430
Yeah, good. Now something that you should
301
00:14:25,330 --> 00:14:29,380
be asking, I guess, is where does this
302
00:14:27,430 --> 00:14:32,170
random value come from?
303
00:14:29,380 --> 00:14:33,910
Well, obviously the site owner is
304
00:14:32,170 --> 00:14:36,520
responsible and it's probably coming
305
00:14:33,910 --> 00:14:37,959
from the local browser, from JavaScript,
306
00:14:36,520 --> 00:14:41,439
so you can check the code that generates
307
00:14:37,960 --> 00:14:46,540
it, and indeed it's this function called
308
00:14:41,440 --> 00:14:49,520
Crypto.util.randomBytes, which I'm sure is
309
00:14:46,540 --> 00:15:05,329
absolutely fine.
310
00:14:49,520 --> 00:15:07,100
Function that is not... fuck, sorry.
311
00:15:05,330 --> 00:15:09,650
So there's no research to be done on
312
00:15:07,100 --> 00:15:11,900
this, but the weakest case I could find
313
00:15:09,650 --> 00:15:15,290
was the Firefox random number generator.
314
00:15:11,900 --> 00:15:18,380
Um, at the time this site was popular it
315
00:15:15,290 --> 00:15:20,930
would be seeded with the number of
316
00:15:18,380 --> 00:15:25,010
milliseconds since the UNIX epoch, which,
317
00:15:20,930 --> 00:15:29,719
if you don't know, is midnight, January
318
00:15:25,010 --> 00:15:32,630
first, nineteen seventy, XORed with two
319
00:15:29,720 --> 00:15:34,520
pointers. And the way the two pointers
320
00:15:32,630 --> 00:15:36,890
were chosen they were almost always very
321
00:15:34,520 --> 00:15:39,770
close in value, so you could just ignore
322
00:15:36,890 --> 00:15:42,380
the pointers and figure it would be
323
00:15:39,770 --> 00:15:47,270
about right if you just used milliseconds.
324
00:15:42,380 --> 00:15:52,400
Um, so if the seed is predictable,
325
00:15:47,270 --> 00:15:53,689
somebody can predict the seeds and
326
00:15:52,400 --> 00:15:58,880
replay what would have been generated,
327
00:15:53,690 --> 00:16:00,500
and in fact this happened. As we said
328
00:15:58,880 --> 00:16:03,500
earlier, people go to Reddit to
329
00:16:00,500 --> 00:16:05,960
complain about stuff, and this guy lost
330
00:16:03,500 --> 00:16:08,510
a couple bitcoins and posted his address
331
00:16:05,960 --> 00:16:09,770
hoping that somebody would be nice and
332
00:16:08,510 --> 00:16:13,340
return them.
333
00:16:09,770 --> 00:16:16,880
Unfortunately he was not in luck there.
334
00:16:13,340 --> 00:16:19,430
So I took a look at the transaction
335
00:16:16,880 --> 00:16:22,700
history on this address and looked at
336
00:16:19,430 --> 00:16:26,209
the time it was initially funded, and I
337
00:16:22,700 --> 00:16:29,270
ran a scan and I was able to find the
338
00:16:26,210 --> 00:16:31,460
timestamp, which was very close to the
339
00:16:29,270 --> 00:16:36,199
time the address was originally funded.
340
00:16:31,460 --> 00:16:38,030
This is, I think, dated mid-2013, and
341
00:16:36,200 --> 00:16:40,310
with the seed i was able to recover the
342
00:16:38,030 --> 00:16:43,730
private key and verify that it matched
343
00:16:40,310 --> 00:16:45,439
the address posted on Reddit. So good, now
344
00:16:43,730 --> 00:16:48,860
we know another way not to generate
345
00:16:45,440 --> 00:16:53,240
private keys: Math.random. OK, note taken.
346
00:16:48,860 --> 00:16:54,920
Now to graduate to the next kind of
347
00:16:53,240 --> 00:16:57,920
attacks, however, we need to expand our
348
00:16:54,920 --> 00:16:58,640
Bitcoin knowledge a bit. We're
349
00:16:57,920 --> 00:16:59,469
going to be talking now about
350
00:16:58,640 --> 00:17:02,110
transactions.
351
00:16:59,470 --> 00:17:05,319
I've mentioned before that how
352
00:17:02,110 --> 00:17:07,510
money moves in Bitcoin is that something
353
00:17:05,319 --> 00:17:09,129
is published on the blockchain, right? A
354
00:17:07,510 --> 00:17:12,460
transaction on the high level is just
355
00:17:09,130 --> 00:17:15,070
this public statement that says: so, I
356
00:17:12,460 --> 00:17:18,160
own this money, and please make this
357
00:17:15,069 --> 00:17:22,179
money be owned by this other address now
358
00:17:18,160 --> 00:17:24,340
instead, and it's a payment. You sign this
359
00:17:22,180 --> 00:17:26,800
statement with your private key which
360
00:17:24,339 --> 00:17:30,370
proves that whoever owned that money
361
00:17:26,800 --> 00:17:33,310
before on that address actually wants
362
00:17:30,370 --> 00:17:35,560
that money to change hands, and this is
363
00:17:33,310 --> 00:17:38,800
recorded on the blockchain. So we have access
364
00:17:35,560 --> 00:17:41,830
to this gigantic database of statements
365
00:17:38,800 --> 00:17:44,680
with their signatures and public keys, so
366
00:17:41,830 --> 00:17:48,250
we can take any transaction and we'll
367
00:17:44,680 --> 00:17:50,470
see the public key that sent the
368
00:17:48,250 --> 00:17:53,290
money, the signature from the
369
00:17:50,470 --> 00:17:55,060
corresponding public/private key, and the
370
00:17:53,290 --> 00:17:59,170
target addresses which are meant to be
371
00:17:55,060 --> 00:18:02,169
the next owners. OK, so obviously the
372
00:17:59,170 --> 00:18:04,810
idea here is that anyone can verify that
373
00:18:02,170 --> 00:18:07,660
the public key actually hashes to the address
374
00:18:04,810 --> 00:18:09,879
that used to own that money, and they can
375
00:18:07,660 --> 00:18:12,820
use the public key and the signature to
376
00:18:09,880 --> 00:18:15,340
verify that the statement is true, and so
377
00:18:12,820 --> 00:18:18,580
the entire network can go to their
378
00:18:15,340 --> 00:18:21,520
ledger, to their balances, and say OK, this
379
00:18:18,580 --> 00:18:25,030
address now has a different balance and
380
00:18:21,520 --> 00:18:29,320
this is how Bitcoin
381
00:18:25,030 --> 00:18:32,320
accounting works. Now obviously it's not
382
00:18:29,320 --> 00:18:33,850
exactly as simple as I put it, and
383
00:18:32,320 --> 00:18:36,340
it's much more flexible than that
384
00:18:33,850 --> 00:18:38,770
because transactions are truly full
385
00:18:36,340 --> 00:18:41,350
scripts that essentially pose a
386
00:18:38,770 --> 00:18:44,500
challenge to someone that has to be
387
00:18:41,350 --> 00:18:46,840
solved for them to be spent, but usually
388
00:18:44,500 --> 00:18:49,570
this challenge is just: sign a statement
389
00:18:46,840 --> 00:18:52,840
that says you want to move the money. So
390
00:18:49,570 --> 00:18:54,280
back to our high-level approach, because
391
00:18:52,840 --> 00:18:59,830
this is all we really need to start
392
00:18:54,280 --> 00:19:02,980
cracking. Now the next step is: what exactly
393
00:18:59,830 --> 00:19:05,679
is this signature, right? So this
394
00:19:02,980 --> 00:19:08,440
signature is an ECDSA signature. In
395
00:19:05,680 --> 00:19:10,890
Bitcoin ECDSA is the Elliptic
396
00:19:08,440 --> 00:19:13,500
Curve Digital Signature Algorithm,
397
00:19:10,890 --> 00:19:15,870
an algorithm that does two jobs:
398
00:19:13,500 --> 00:19:18,030
with the private key and the message it
399
00:19:15,870 --> 00:19:20,639
makes a signature, and with a signature,
400
00:19:18,030 --> 00:19:22,320
public key and the message it says yes, it's
401
00:19:20,640 --> 00:19:26,880
true, or no, it's false.
402
00:19:22,320 --> 00:19:31,200
Now, fair warning here:
403
00:19:26,880 --> 00:19:33,870
ECDSA is math, so we are about to show
404
00:19:31,200 --> 00:19:36,750
math on the slides. If there's anyone
405
00:19:33,870 --> 00:19:39,000
with serious sensitivity to the topic you
406
00:19:36,750 --> 00:19:41,730
should leave the room now. There is
407
00:19:39,000 --> 00:19:45,930
math ahead. Have we been clear?
408
00:19:41,730 --> 00:19:49,170
Excellent. So this is how an ECDSA
409
00:19:45,930 --> 00:19:52,920
signature looks. I want you now,
410
00:19:49,170 --> 00:19:56,850
let's break it down into pieces. We
411
00:19:52,920 --> 00:19:59,100
have G, which is the global curve base
412
00:19:56,850 --> 00:20:01,379
point. This is always the same, it's a
413
00:19:59,100 --> 00:20:04,800
property of the curve, and all Bitcoin
414
00:20:01,380 --> 00:20:07,830
transactions use the same. Then there's k.
415
00:20:04,800 --> 00:20:09,810
k is this random number that, every time
416
00:20:07,830 --> 00:20:10,830
anyone makes a transaction, they have to
417
00:20:09,810 --> 00:20:14,790
come up with.
418
00:20:10,830 --> 00:20:17,280
It's a long number, it's 256 bits, and it's
419
00:20:14,790 --> 00:20:19,379
supposed to be unpredictable,
420
00:20:17,280 --> 00:20:22,889
random, and new every time you make a
421
00:20:19,380 --> 00:20:24,630
transaction. And then there's d, which
422
00:20:22,890 --> 00:20:26,850
is the private key. The private key is
423
00:20:24,630 --> 00:20:29,340
just the one we've seen in the first slides,
424
00:20:26,850 --> 00:20:32,340
just interpreted as a number, because
425
00:20:29,340 --> 00:20:34,620
again ECDSA is all math, so all
426
00:20:32,340 --> 00:20:37,139
strings of bytes are just interpreted as
427
00:20:34,620 --> 00:20:40,110
this very long number and used in
428
00:20:37,140 --> 00:20:42,660
normal math. And finally there's z,
429
00:20:40,110 --> 00:20:44,820
which is the hash of the message you're
430
00:20:42,660 --> 00:20:47,580
trying to sign. In Bitcoin the message
431
00:20:44,820 --> 00:20:50,460
is, if you remember, the statement that
432
00:20:47,580 --> 00:20:51,659
says, the script that says: this money I
433
00:20:50,460 --> 00:20:54,180
used to own,
434
00:20:51,660 --> 00:20:55,830
now please let it be owned by this other
435
00:20:54,180 --> 00:21:02,280
address.
436
00:20:55,830 --> 00:21:04,620
OK, so we have the pieces. Now the
437
00:21:02,280 --> 00:21:07,530
signature is made of two parts. One part
438
00:21:04,620 --> 00:21:11,189
is called r, and it's just that random
439
00:21:07,530 --> 00:21:13,230
number times the curve base point. That
440
00:21:11,190 --> 00:21:16,080
generates a coordinate on the curve, and
441
00:21:13,230 --> 00:21:17,310
we take the x coordinate. For as much as
442
00:21:16,080 --> 00:21:19,620
you need to know, it's simply an
443
00:21:17,310 --> 00:21:22,020
operation that maps a number to
444
00:21:19,620 --> 00:21:22,889
another number, so you go from k, which is
445
00:21:22,020 --> 00:21:25,650
this random
446
00:21:22,890 --> 00:21:29,580
long number, to r, which is this other
447
00:21:25,650 --> 00:21:31,500
very long number that could be as random
448
00:21:29,580 --> 00:21:35,189
as far as you know, but it all depends on
449
00:21:31,500 --> 00:21:37,890
k, because G is fixed. OK, and then you
450
00:21:35,190 --> 00:21:40,740
have s, which is the other half of the
451
00:21:37,890 --> 00:21:43,080
signature, which is just the
452
00:21:40,740 --> 00:21:46,860
result of that formula. That's
453
00:21:43,080 --> 00:21:49,350
literally bignum math that the computer
454
00:21:46,860 --> 00:21:52,290
does: it takes the hash interpreted as a
455
00:21:49,350 --> 00:21:54,360
number, adds r times d, which is the
456
00:21:52,290 --> 00:21:58,440
private key, and divides everything by k.
457
00:21:54,360 --> 00:22:00,719
now I'm not here to explain to you why this
458
00:21:58,440 --> 00:22:03,030
works because that is what you need a
459
00:22:00,720 --> 00:22:04,380
cryptographer for but the important
460
00:22:03,030 --> 00:22:06,570
thing to know is that as long as you
461
00:22:04,380 --> 00:22:08,550
publish these two numbers anyone with
462
00:22:06,570 --> 00:22:10,530
the public key can verify the signature
463
00:22:08,550 --> 00:22:12,780
and that's exactly what Bitcoin does
464
00:22:10,530 --> 00:22:15,510
every time you make a transaction you
465
00:22:12,780 --> 00:22:18,870
use your private key you generate a new
466
00:22:15,510 --> 00:22:21,180
k number and you publish these two huge
467
00:22:18,870 --> 00:22:24,000
numbers for everyone to know that you
468
00:22:21,180 --> 00:22:27,030
actually want that transaction to happen
469
00:22:24,000 --> 00:22:30,990
so far so good
470
00:22:27,030 --> 00:22:35,070
this was a lot of math sorry
471
00:22:30,990 --> 00:22:38,280
so now let's see what we can do for fun
472
00:22:35,070 --> 00:22:41,399
with this let's see what happens if we
473
00:22:38,280 --> 00:22:45,120
know k because we've said that k needs
474
00:22:41,400 --> 00:22:48,000
to be it's commonly called a nonce but
475
00:22:45,120 --> 00:22:50,010
this is kind of a misnomer in ECDSA
476
00:22:48,000 --> 00:22:53,070
because it's not enough to use the
477
00:22:50,010 --> 00:22:57,240
number once nonce but it also must be
478
00:22:53,070 --> 00:23:01,200
unpredictable and random looking so if
479
00:22:57,240 --> 00:23:04,920
you instead know k you can do
480
00:23:01,200 --> 00:23:08,070
what you've learned in algebra and just
481
00:23:04,920 --> 00:23:11,250
put this formula down as an equation and
482
00:23:08,070 --> 00:23:14,429
solve for the private key look at this
483
00:23:11,250 --> 00:23:16,830
formula here you have s which is this
484
00:23:14,430 --> 00:23:18,480
the other half of the signature which
485
00:23:16,830 --> 00:23:21,840
you have because it's published on the
486
00:23:18,480 --> 00:23:25,350
blockchain you have r which is
487
00:23:21,840 --> 00:23:27,480
published on the blockchain you have z
488
00:23:25,350 --> 00:23:30,810
which is the hash of the message which
489
00:23:27,480 --> 00:23:34,140
is published on the blockchain and now
490
00:23:30,810 --> 00:23:34,918
if you also have k you can recover the
491
00:23:34,140 --> 00:23:38,129
private key
492
00:23:34,919 --> 00:23:41,609
so you take this from the block
493
00:23:38,129 --> 00:23:45,209
chain you take these from hashing the
494
00:23:41,609 --> 00:23:45,840
message and then if you have that last
495
00:23:45,210 --> 00:23:49,409
piece
496
00:23:45,840 --> 00:23:52,470
k the nonce then you know the private key
497
00:23:49,409 --> 00:23:56,279
and you fall
498
00:23:52,470 --> 00:24:02,340
sorry I'm sorry here
499
00:23:56,279 --> 00:24:03,570
so how would you know that you have r
500
00:24:02,340 --> 00:24:07,738
and you're about to fall
501
00:24:03,570 --> 00:24:11,668
well you know because you notice that
502
00:24:07,739 --> 00:24:15,029
r is exactly k times G so if you have
503
00:24:11,669 --> 00:24:18,509
a hypothesis about what k has
504
00:24:15,029 --> 00:24:24,929
been used you can derive r and look
505
00:24:18,509 --> 00:24:27,210
for r on the blockchain and again the
506
00:24:24,929 --> 00:24:30,720
stupidest attack that can possibly work we
507
00:24:27,210 --> 00:24:32,820
just searched sequentially and I will
508
00:24:30,720 --> 00:24:35,429
point out that this is actually
509
00:24:32,820 --> 00:24:39,928
searching not for r for a particular
510
00:24:35,429 --> 00:24:43,619
transaction but for r in any
511
00:24:39,929 --> 00:24:47,639
transaction all at once so we let this
512
00:24:43,619 --> 00:24:49,709
run overnight it only got three
513
00:24:47,639 --> 00:24:52,229
hits and we only ran through the first
514
00:24:49,710 --> 00:24:58,289
nine billion or so when I did that like
515
00:24:52,230 --> 00:25:00,659
on Thursday but now this is so this is
516
00:24:58,289 --> 00:25:03,210
what again the stupidest attack now we
517
00:25:00,659 --> 00:25:05,700
know that if we can figure out k we can
518
00:25:03,210 --> 00:25:07,980
use a signature to recover the
519
00:25:05,700 --> 00:25:10,049
private key but again searching
520
00:25:07,980 --> 00:25:11,940
literally the entire space won't work
521
00:25:10,049 --> 00:25:14,460
because the nonce is just as long as the
522
00:25:11,940 --> 00:25:16,619
private key so there's another attack
523
00:25:14,460 --> 00:25:17,399
you can pull out the math doesn't stop
524
00:25:16,619 --> 00:25:22,499
and sorry
525
00:25:17,399 --> 00:25:24,928
now you can take two transactions that
526
00:25:22,499 --> 00:25:26,730
you've noticed have the same r and if
527
00:25:24,929 --> 00:25:30,269
they have the same r it means they
528
00:25:26,730 --> 00:25:32,009
have the same k right and take the other
529
00:25:30,269 --> 00:25:34,950
half which is the one that is different
530
00:25:32,009 --> 00:25:37,470
and try to figure out okay so what are
531
00:25:34,950 --> 00:25:41,279
the parts of this other half of this is
532
00:25:37,470 --> 00:25:43,320
well there's the private key which might
533
00:25:41,279 --> 00:25:46,160
be the same if it was two different
534
00:25:43,320 --> 00:25:51,200
transactions sent from the same one
535
00:25:46,160 --> 00:25:53,060
from the same address the k we just
536
00:25:51,200 --> 00:25:54,740
said that is equal because we've noticed
537
00:25:53,060 --> 00:26:00,889
that r is the same in the two
538
00:25:54,740 --> 00:26:03,770
transactions are the same so we just
539
00:26:00,890 --> 00:26:09,260
group together all the parts that are
540
00:26:03,770 --> 00:26:14,960
the same this half and if we just do s1
541
00:26:09,260 --> 00:26:16,850
minus s2 what do you think is left all
542
00:26:14,960 --> 00:26:21,110
the parts that are equal
543
00:26:16,850 --> 00:26:25,459
cancel out so now we have this formula
544
00:26:21,110 --> 00:26:28,040
s1 minus s2 so the second half of the
545
00:26:25,460 --> 00:26:31,310
first signature and the second half of
546
00:26:28,040 --> 00:26:35,120
the second signature their difference is
547
00:26:31,310 --> 00:26:37,310
equal to that again through a lot of
548
00:26:35,120 --> 00:26:41,360
algebra turns out high school has been
549
00:26:37,310 --> 00:26:45,020
useful and finally we can derive a
550
00:26:41,360 --> 00:26:47,750
formula that only uses things we know
551
00:26:45,020 --> 00:26:50,180
because again hash of the first message
552
00:26:47,750 --> 00:26:52,010
which is public on the blockchain hash
553
00:26:50,180 --> 00:26:55,100
of the second message which is public on
554
00:26:52,010 --> 00:26:58,129
the blockchain second half of the first
555
00:26:55,100 --> 00:27:01,580
signature and second half of the second
556
00:26:58,130 --> 00:27:04,160
signature using this formula we get back
557
00:27:01,580 --> 00:27:07,070
k and again we've learned before that
558
00:27:04,160 --> 00:27:10,820
if we recover k we can get the private
559
00:27:07,070 --> 00:27:14,060
key so to wrap this up if you see two
560
00:27:10,820 --> 00:27:15,980
transactions in ECDSA that reuse the
561
00:27:14,060 --> 00:27:18,320
private key and the nonce at the same
562
00:27:15,980 --> 00:27:21,140
time you will notice because you'll see
563
00:27:18,320 --> 00:27:24,200
that r and the public key are the same and
564
00:27:21,140 --> 00:27:26,420
you can use this formula to compute k
565
00:27:24,200 --> 00:27:29,210
and then to compute the private key and
566
00:27:26,420 --> 00:27:31,820
the result is that the actual work you
567
00:27:29,210 --> 00:27:34,310
just literally crunch some math on
568
00:27:31,820 --> 00:27:37,439
the laptop and you get numbers and those
569
00:27:34,310 --> 00:27:46,769
are private keys I found that wonderful
570
00:27:37,440 --> 00:27:48,570
now obviously I can't claim any merit
571
00:27:46,769 --> 00:27:50,940
for coming up with this attack let's be
572
00:27:48,570 --> 00:27:55,860
clear this is a well-known shortcoming
573
00:27:50,940 --> 00:28:00,360
with ECDSA and at the CCC I think it
574
00:27:55,860 --> 00:28:03,870
was 27C3 it was shown how to use
575
00:28:00,360 --> 00:28:07,559
it to jailbreak the PlayStation 3 Sony
576
00:28:03,870 --> 00:28:15,268
had used a static number for their ECDSA
577
00:28:07,559 --> 00:28:18,360
for their ECDSA signatures relevant XKCD
578
00:28:15,269 --> 00:28:20,340
obviously and they were able to use
579
00:28:18,360 --> 00:28:23,549
it to recover the private key and sign
580
00:28:20,340 --> 00:28:25,799
new firmware updates but others have
581
00:28:23,549 --> 00:28:28,980
used it in different contexts for example in
582
00:28:25,799 --> 00:28:31,230
the context of TLS the factorable dot
583
00:28:28,980 --> 00:28:32,639
net team has scanned the internet for
584
00:28:31,230 --> 00:28:35,190
certificates that were doing this
585
00:28:32,639 --> 00:28:37,860
mistake and got private keys and
586
00:28:35,190 --> 00:28:40,350
published it in Mining Your Ps and
587
00:28:37,860 --> 00:28:44,129
Qs which is possibly my favorite type
588
00:28:40,350 --> 00:28:45,990
of academic paper title now for a
589
00:28:44,129 --> 00:28:48,330
complete analysis of this there's
590
00:28:45,990 --> 00:28:50,250
there's more on the slide deck of my
591
00:28:48,330 --> 00:28:54,269
Hack In The Box Kuala Lumpur
592
00:28:50,250 --> 00:28:56,879
presentation for example there is an
593
00:28:54,269 --> 00:28:59,759
analysis of this happening on the blockchain
594
00:28:56,879 --> 00:29:03,090
this is over time and the different
595
00:28:59,759 --> 00:29:06,029
addresses and there are some pretty
596
00:29:03,090 --> 00:29:08,789
high-profile events that involve this
597
00:29:06,029 --> 00:29:11,490
for example here is a Bitcoin forum post
598
00:29:08,789 --> 00:29:14,549
complaining about losing up to 55
599
00:29:11,490 --> 00:29:17,549
bitcoins because of bad signatures
600
00:29:14,549 --> 00:29:19,769
this is about blockchain dot info not
601
00:29:17,549 --> 00:29:22,168
seeding the random number generator well
602
00:29:19,769 --> 00:29:24,539
enough on some browsers and again using
603
00:29:22,169 --> 00:29:26,370
money because if you have a bad random
604
00:29:24,539 --> 00:29:29,850
number generator you risk reusing
605
00:29:26,370 --> 00:29:33,029
the same k twice and you end up with
606
00:29:29,850 --> 00:29:35,850
losing your private key and finally
607
00:29:33,029 --> 00:29:38,549
there was the very high-profile Android
608
00:29:35,850 --> 00:29:41,039
bug where a lot of applications weren't
609
00:29:38,549 --> 00:29:43,679
seeding the random number generator at
610
00:29:41,039 --> 00:29:45,720
all and even if you generated your key
611
00:29:43,679 --> 00:29:47,549
somewhere else and then imported it on
612
00:29:45,720 --> 00:29:50,160
your phone and made two transactions
613
00:29:47,549 --> 00:29:53,670
anyone would be able to recover your
614
00:29:50,160 --> 00:29:55,800
private key from the blockchain here we
615
00:29:53,670 --> 00:29:57,690
used to have a nice demo because there
616
00:29:55,800 --> 00:29:59,760
used to be a bot that would do this on
617
00:29:57,690 --> 00:30:02,820
the fly just like with the brain wallets
618
00:29:59,760 --> 00:30:06,270
and it's gone it's not running anymore
619
00:30:02,820 --> 00:30:10,050
and doing a demo where you depend on
620
00:30:06,270 --> 00:30:14,160
some third party has these negative
621
00:30:10,050 --> 00:30:16,680
outcomes but we did set up some
622
00:30:14,160 --> 00:30:19,530
test wallets and these very addresses
623
00:30:16,680 --> 00:30:21,270
have at least 20 bucks on them that if
624
00:30:19,530 --> 00:30:22,500
you followed the talk well enough and
625
00:30:21,270 --> 00:30:26,820
you're fast enough you can definitely
626
00:30:22,500 --> 00:30:29,250
steal we're gonna sweep it when we
627
00:30:26,820 --> 00:30:30,960
get off stage so if you can get it
628
00:30:29,250 --> 00:30:34,230
before then it's yours
629
00:30:30,960 --> 00:30:37,920
otherwise I'm gonna hide them
630
00:30:34,230 --> 00:30:39,540
ok so you've been thinking well but
631
00:30:37,920 --> 00:30:41,520
that's pretty dangerous and random
632
00:30:39,540 --> 00:30:43,710
number generators are usually not that good
633
00:30:41,520 --> 00:30:46,080
so can't we do better answer is yes
634
00:30:43,710 --> 00:30:48,090
there is a way to do ECDSA
635
00:30:46,080 --> 00:30:51,000
deterministically which means that
636
00:30:48,090 --> 00:30:52,919
instead of picking a random k we think
637
00:30:51,000 --> 00:30:56,670
about the three things that k needs
638
00:30:52,920 --> 00:30:59,580
to be it needs to be random looking so high
639
00:30:56,670 --> 00:31:00,900
entropy it needs to be unpredictable and
640
00:30:59,580 --> 00:31:04,379
it needs to be different for every
641
00:31:00,900 --> 00:31:07,230
transaction so if we hash together the
642
00:31:04,380 --> 00:31:10,260
message we are trying to sign and the
643
00:31:07,230 --> 00:31:12,120
private key it's something that nobody
644
00:31:10,260 --> 00:31:13,920
can figure out because it's a hash of
645
00:31:12,120 --> 00:31:16,679
the private key it's something that is
646
00:31:13,920 --> 00:31:18,030
always different for different messages
647
00:31:16,680 --> 00:31:21,990
because the message will be different
648
00:31:18,030 --> 00:31:28,560
and we can just use that as the k value
649
00:31:21,990 --> 00:31:32,490
now all this as we said only works
650
00:31:28,560 --> 00:31:35,370
if you reuse k and d at the same time
651
00:31:32,490 --> 00:31:37,740
everyone on the same page about this
652
00:31:35,370 --> 00:31:39,419
attack you see two transactions in the
653
00:31:37,740 --> 00:31:43,560
blockchain you notice they have the same
654
00:31:39,420 --> 00:31:45,180
r and the same public key and you say I
655
00:31:43,560 --> 00:31:47,610
can probably compute the private key
656
00:31:45,180 --> 00:31:49,470
from that but if the private keys are
657
00:31:47,610 --> 00:31:50,310
different this attack doesn't work out
658
00:31:49,470 --> 00:31:56,250
of the box
659
00:31:50,310 --> 00:31:59,220
however if you have a lot of people with
660
00:31:56,250 --> 00:32:02,130
bad random number generators that are
661
00:31:59,220 --> 00:32:06,000
prone to producing colliding results
662
00:32:02,130 --> 00:32:09,720
odds are eventually two people will
663
00:32:06,000 --> 00:32:12,840
independently produce the same bad
664
00:32:09,720 --> 00:32:18,090
random number generator
665
00:32:12,840 --> 00:32:20,970
this is another avenue for attack
666
00:32:18,090 --> 00:32:26,040
we haven't seen this documented anywhere
667
00:32:20,970 --> 00:32:31,770
we call it the ECDSA pivot attack so
668
00:32:26,040 --> 00:32:34,800
earlier we mentioned with simple reuse
669
00:32:31,770 --> 00:32:36,780
we see here that r is the same in these
670
00:32:34,800 --> 00:32:39,540
two transactions therefore they must
671
00:32:36,780 --> 00:32:41,550
have the same nonce the public key is
672
00:32:39,540 --> 00:32:44,280
also the same which means the private
673
00:32:41,550 --> 00:32:48,030
key is the same so we are able to solve
674
00:32:44,280 --> 00:32:54,540
here for the private key and the nonce
675
00:32:48,030 --> 00:32:56,580
for this specific r value so this guy
676
00:32:54,540 --> 00:32:59,790
reused an address
677
00:32:56,580 --> 00:33:01,860
oops well what happens if somebody else
678
00:32:59,790 --> 00:33:08,100
makes a transaction with that same nonce
679
00:33:01,860 --> 00:33:11,760
so we see that this has the same r
680
00:33:08,100 --> 00:33:14,070
value therefore the same nonce but the
681
00:33:11,760 --> 00:33:16,440
public key is different so the private
682
00:33:14,070 --> 00:33:19,620
key is different so the equation we used
683
00:33:16,440 --> 00:33:23,910
earlier wouldn't work but we already
684
00:33:19,620 --> 00:33:25,739
know this nonce and as we saw earlier if
685
00:33:23,910 --> 00:33:28,950
you know the nonce you can simply solve
686
00:33:25,740 --> 00:33:35,040
for the private key and then this fellow
687
00:33:28,950 --> 00:33:38,160
does another transaction and since we
688
00:33:35,040 --> 00:33:39,930
know the private key we can rewrite our
689
00:33:38,160 --> 00:33:42,180
equations a little bit move things
690
00:33:39,930 --> 00:33:45,930
around write it in terms of the private
691
00:33:42,180 --> 00:33:47,730
key instead of in terms of the nonce and
692
00:33:45,930 --> 00:33:50,460
we can solve for the nonce here too so
693
00:33:47,730 --> 00:33:53,610
now we know the nonce for this new r value
694
00:33:50,460 --> 00:33:58,080
and then somebody else wouldn't you know
695
00:33:53,610 --> 00:34:01,530
it makes another transaction with that
696
00:33:58,080 --> 00:34:05,850
r value which has never been reused
697
00:34:01,530 --> 00:34:08,310
with the same public key but again since
698
00:34:05,850 --> 00:34:10,830
we were able to compute that nonce by
699
00:34:08,310 --> 00:34:12,239
going back and forth between private
700
00:34:10,830 --> 00:34:13,400
keys and nonces across multiple
701
00:34:12,239 --> 00:34:16,429
transactions
702
00:34:13,400 --> 00:34:18,740
we can solve there too we know that
703
00:34:16,429 --> 00:34:22,250
nonce we get that private key and
704
00:34:18,739 --> 00:34:27,620
this is not terribly difficult to scan
705
00:34:22,250 --> 00:34:31,370
for and so when that was run it turned
706
00:34:27,620 --> 00:34:34,310
up 719 additional private keys that were
707
00:34:31,370 --> 00:34:37,310
exposed as a second-order
708
00:34:34,310 --> 00:34:40,790
vulnerabilities in this weakness and
709
00:34:37,310 --> 00:34:42,799
close to a hundred thousand nonces and
710
00:34:40,790 --> 00:34:46,580
some of the chains back and forth were
711
00:34:42,800 --> 00:34:49,130
as much as seven hops long um another
712
00:34:46,580 --> 00:34:51,500
interesting thing is that we saw that
713
00:34:49,130 --> 00:34:54,350
blockchain dot info one of the sites
714
00:34:51,500 --> 00:34:55,670
that had some problems with this looks
715
00:34:54,350 --> 00:34:57,560
like they figured this attack out on
716
00:34:55,670 --> 00:35:00,050
their own and tried to protect as many
717
00:34:57,560 --> 00:35:02,360
of their customers funds as possible but
718
00:35:00,050 --> 00:35:04,250
there was a bot that was attacking this
719
00:35:02,360 --> 00:35:06,710
too for a while we also would have had
720
00:35:04,250 --> 00:35:08,690
the demo here but that bot is also shut
721
00:35:06,710 --> 00:35:11,540
down um something we haven't raised
722
00:35:08,690 --> 00:35:13,580
before is that a Bitcoin wallet
723
00:35:11,540 --> 00:35:17,180
technically is usually not a single
724
00:35:13,580 --> 00:35:19,940
address the whole wallet is made up
725
00:35:17,180 --> 00:35:22,730
of multiple addresses and so multiple
726
00:35:19,940 --> 00:35:25,520
private keys so this attack can allow
727
00:35:22,730 --> 00:35:28,010
the compromise of one of the addresses
728
00:35:25,520 --> 00:35:30,920
to cause the compromise of other
729
00:35:28,010 --> 00:35:33,710
addresses in the same wallet just
730
00:35:30,920 --> 00:35:36,410
because they were used to share nonces
731
00:35:33,710 --> 00:35:43,640
across the different private keys
732
00:35:36,410 --> 00:35:46,850
right so another interesting thing that
733
00:35:43,640 --> 00:35:50,390
we get out of this is that we see a lot
734
00:35:46,850 --> 00:35:53,930
more plaintext nonces and we can
735
00:35:50,390 --> 00:35:57,710
analyze them and look at what might have
736
00:35:53,930 --> 00:36:00,589
gone wrong the first interesting cluster
737
00:35:57,710 --> 00:36:03,050
I found were these ones that had the
738
00:36:00,590 --> 00:36:06,110
first half of the nonce filled out
739
00:36:03,050 --> 00:36:11,270
apparently at random and then the second
740
00:36:06,110 --> 00:36:13,010
half was all zeros somebody put 16 bytes
741
00:36:11,270 --> 00:36:16,340
where they should have put 32 I don't
742
00:36:13,010 --> 00:36:19,490
know a real cryptographer will also tell you
743
00:36:16,340 --> 00:36:21,680
that such nonces are probably vulnerable
744
00:36:19,490 --> 00:36:24,350
just by themselves because using
745
00:36:21,680 --> 00:36:25,580
nonces with too strong patterns is
746
00:36:24,350 --> 00:36:27,890
vulnerable to um to
747
00:36:25,580 --> 00:36:29,150
these lattice attacks but this is
748
00:36:27,890 --> 00:36:31,220
definitely not something you can easily
749
00:36:29,150 --> 00:36:33,530
scan for because you have to target the
750
00:36:31,220 --> 00:36:36,560
specific transaction that you know had
751
00:36:33,530 --> 00:36:38,210
this mistake right and we don't know of
752
00:36:36,560 --> 00:36:42,020
any specific way to find such
753
00:36:38,210 --> 00:36:44,960
transactions um the other one we saw is
754
00:36:42,020 --> 00:36:47,180
very similar to the first one except for
755
00:36:44,960 --> 00:36:52,130
there was something else at the end
756
00:36:47,180 --> 00:36:53,899
instead of zeros again
757
00:36:52,130 --> 00:36:56,210
somebody probably put the wrong number
758
00:36:53,900 --> 00:36:59,540
of random bytes in their code and bad
759
00:36:56,210 --> 00:37:01,490
things happened my favorite one though
760
00:36:59,540 --> 00:37:06,350
was this one
761
00:37:01,490 --> 00:37:11,299
this looks like it was uninitialized
762
00:37:06,350 --> 00:37:15,440
memory on an Intel machine at the
763
00:37:11,300 --> 00:37:16,970
very end you can see it starts with you
764
00:37:15,440 --> 00:37:21,980
can see what looks like a pointer at the
765
00:37:16,970 --> 00:37:25,069
very end and so that's another
766
00:37:21,980 --> 00:37:32,210
yeah that's interesting but what else
767
00:37:25,070 --> 00:37:34,550
can we do the last one and very
768
00:37:32,210 --> 00:37:39,590
interesting one is a related nonce attack
769
00:37:34,550 --> 00:37:41,450
so we said earlier that if you reuse the
770
00:37:39,590 --> 00:37:43,910
same nonce and the same private key
771
00:37:41,450 --> 00:37:46,549
together in two different transactions you
772
00:37:43,910 --> 00:37:49,670
can recover everything but if you know
773
00:37:46,550 --> 00:37:53,600
of an algebraic relationship between the
774
00:37:49,670 --> 00:37:57,140
two nonces for example the nonces were
775
00:37:53,600 --> 00:37:59,569
incrementally generated one was
776
00:37:57,140 --> 00:38:01,910
generated randomly and then out of
777
00:37:59,570 --> 00:38:03,740
laziness the next one was simply one
778
00:38:01,910 --> 00:38:05,509
more because after all they're different
779
00:38:03,740 --> 00:38:10,279
numbers they're only used once that's
780
00:38:05,510 --> 00:38:12,440
probably okay right so if you know the
781
00:38:10,280 --> 00:38:19,100
difference between two nonces we'll call
782
00:38:12,440 --> 00:38:21,830
this difference c you can solve for one
783
00:38:19,100 --> 00:38:23,750
of the nonces and then the other using
784
00:38:21,830 --> 00:38:26,299
this terrible messy equation right
785
00:38:23,750 --> 00:38:28,430
here and the derivation of this I'm
786
00:38:26,300 --> 00:38:30,860
unfortunately going to have to leave as
787
00:38:28,430 --> 00:38:35,629
an exercise to the audience
788
00:38:30,860 --> 00:38:39,530
but you may be asking how can we know
789
00:38:35,630 --> 00:38:41,570
that such a relationship exists
790
00:38:39,530 --> 00:38:43,520
well the answer is of course more math
791
00:38:41,570 --> 00:38:51,470
because this is stealing Bitcoin with
792
00:38:43,520 --> 00:38:56,810
math um so our second nonce is the
793
00:38:51,470 --> 00:39:01,910
first nonce plus a constant our two r values
794
00:38:56,810 --> 00:39:05,150
are simply those two nonces plus the
795
00:39:01,910 --> 00:39:07,609
constant all times the base point and it
796
00:39:05,150 --> 00:39:13,340
turns out that this relationship carries
797
00:39:07,610 --> 00:39:15,800
through r so with the first r
798
00:39:13,340 --> 00:39:17,780
you can simply try adding one to it and
799
00:39:15,800 --> 00:39:22,280
then see if that ever shows up
800
00:39:17,780 --> 00:39:25,670
um I was somewhat so we ran the scan
801
00:39:22,280 --> 00:39:28,310
and I was actually quite surprised to
802
00:39:25,670 --> 00:39:34,100
see that this didn't ever happen
803
00:39:28,310 --> 00:39:36,290
we're confident that there are other
804
00:39:34,100 --> 00:39:38,990
patterns that you can look for that you
805
00:39:36,290 --> 00:39:41,120
can still scan for because nothing stops
806
00:39:38,990 --> 00:39:43,580
you from having c being not one but
807
00:39:41,120 --> 00:39:46,460
something else and for example maybe
808
00:39:43,580 --> 00:39:48,290
some bit patterns and we're confident
809
00:39:46,460 --> 00:39:50,150
that someone can run other scans and
810
00:39:48,290 --> 00:39:51,770
find interesting ones because
811
00:39:50,150 --> 00:39:54,200
it is really just a matter of
812
00:39:51,770 --> 00:39:57,140
creativity because the elliptic curves
813
00:39:54,200 --> 00:39:59,120
math to do all of this is there and it's
814
00:39:57,140 --> 00:40:02,180
essentially just the fact that
815
00:39:59,120 --> 00:40:05,089
addition carries over to elliptic curves
816
00:40:02,180 --> 00:40:07,879
where you can instead of adding one you
817
00:40:05,090 --> 00:40:10,610
can add the point that corresponds to
818
00:40:07,880 --> 00:40:14,030
one and point addition results in the same
819
00:40:10,610 --> 00:40:20,750
result anyway this is faster
820
00:40:14,030 --> 00:40:22,820
ok excellent then oh and yeah the
821
00:40:20,750 --> 00:40:25,640
remark about faster is that we
822
00:40:22,820 --> 00:40:29,240
there's even an optimization Ryan figured out to
823
00:40:25,640 --> 00:40:32,240
scan faster for sequential
824
00:40:29,240 --> 00:40:36,500
points instead of for each point first
825
00:40:32,240 --> 00:40:38,930
figure out adding one to the
826
00:40:36,500 --> 00:40:42,050
private key and then multiply the
827
00:40:38,930 --> 00:40:43,790
private key by G then you can instead
828
00:40:42,050 --> 00:40:45,980
add always the same one
829
00:40:43,790 --> 00:40:48,770
so the secret I kept from you here is
830
00:40:45,980 --> 00:40:51,440
that the black magic of turning the
831
00:40:48,770 --> 00:40:54,740
private key into a public key is nothing
832
00:40:51,440 --> 00:40:57,590
else than that multiplying by the base
833
00:40:54,740 --> 00:41:01,459
point so there's a lot of parallels
834
00:40:57,590 --> 00:41:03,950
between nonce and r and private key
835
00:41:01,460 --> 00:41:05,630
and public key so that's also why a
836
00:41:03,950 --> 00:41:08,240
lot of attacks or optimizations
837
00:41:05,630 --> 00:41:09,890
carry over and even let us pivot between
838
00:41:08,240 --> 00:41:13,879
them and in fact there were even
839
00:41:09,890 --> 00:41:17,870
transactions where we found instances of
840
00:41:13,880 --> 00:41:20,090
nonces and private keys being in
841
00:41:17,870 --> 00:41:25,190
various transactions the same value used
842
00:41:20,090 --> 00:41:26,570
as both a nonce and a private key so I just
843
00:41:25,190 --> 00:41:30,650
said they're similar right
844
00:41:26,570 --> 00:41:33,350
yeah very very similar in fact and we're
845
00:41:30,650 --> 00:41:34,880
still experimenting with more nonce
846
00:41:33,350 --> 00:41:37,279
cracking techniques we're going to try
847
00:41:34,880 --> 00:41:39,470
some weak random algorithms and see if
848
00:41:37,280 --> 00:41:43,730
we find anything there and I suspect
849
00:41:39,470 --> 00:41:44,959
well okay so this is it for math you can
850
00:41:43,730 --> 00:41:47,120
take a breath
851
00:41:44,960 --> 00:41:50,330
there are no other formulas for the rest
852
00:41:47,120 --> 00:41:52,910
of the slides now I will actually just
853
00:41:50,330 --> 00:41:55,580
mention a couple other attacks that can
854
00:41:52,910 --> 00:41:57,740
happen remotely that don't
855
00:41:55,580 --> 00:42:01,490
require hacking or you know wrenching
856
00:41:57,740 --> 00:42:04,790
and the first one is kind of well known
857
00:42:01,490 --> 00:42:07,910
in the Bitcoin industry it's double
858
00:42:04,790 --> 00:42:10,640
spending the idea is that Bitcoin works
859
00:42:07,910 --> 00:42:13,250
because all these transactions from
860
00:42:10,640 --> 00:42:16,220
time to time get bundled into a block and
861
00:42:13,250 --> 00:42:18,740
let's not go over the reasons but it's
862
00:42:16,220 --> 00:42:21,470
very hard then to reverse this operation
863
00:42:18,740 --> 00:42:24,589
so they are etched in stone forever
864
00:42:21,470 --> 00:42:27,589
after enough blocks have been wrapped
865
00:42:24,590 --> 00:42:29,750
around it if you trust the transaction
866
00:42:27,590 --> 00:42:32,930
and you accept a payment and maybe you
867
00:42:29,750 --> 00:42:37,160
ship an item or provide a service before
868
00:42:32,930 --> 00:42:40,100
this set-in-stone block operation which
869
00:42:37,160 --> 00:42:43,460
we call confirmation happens what the
870
00:42:40,100 --> 00:42:47,569
attacker can do is show you a payment to
871
00:42:43,460 --> 00:42:51,350
you and then send to be written into
872
00:42:47,570 --> 00:42:53,570
stone a payment to himself and now what
873
00:42:51,350 --> 00:42:55,220
happens is that the money actually it
874
00:42:53,570 --> 00:42:56,690
never reaches you because the one that
875
00:42:55,220 --> 00:42:59,569
is written down
876
00:42:56,690 --> 00:43:03,500
for posterity is the one that says oh
877
00:42:59,569 --> 00:43:05,060
yeah this money just went back so
878
00:43:03,500 --> 00:43:09,290
this is what's called a double spending
879
00:43:05,060 --> 00:43:11,690
attack another attack is called transaction
880
00:43:09,290 --> 00:43:15,440
malleability that is that a transaction
881
00:43:11,690 --> 00:43:19,130
which is remember that r and s encoded in
882
00:43:15,440 --> 00:43:22,490
some format can be messed with it can be
883
00:43:19,130 --> 00:43:25,220
touched and changed without invalidating
884
00:43:22,490 --> 00:43:27,770
it while still being a valid transaction
885
00:43:25,220 --> 00:43:29,959
with a valid signature by the same private
886
00:43:27,770 --> 00:43:33,740
key for the same message for the same
887
00:43:29,960 --> 00:43:35,839
level so this isn't a problem per se and
888
00:43:33,740 --> 00:43:39,859
it's actually expected in the protocol
889
00:43:35,839 --> 00:43:43,339
but if your accounting system relies on
890
00:43:39,859 --> 00:43:46,819
transaction hashes to not do operations
891
00:43:43,339 --> 00:43:48,920
twice now what I can do is send you a
892
00:43:46,819 --> 00:43:52,369
transaction that says i have deposited
893
00:43:48,920 --> 00:43:54,890
some money on my account on my Mt. Gox
894
00:43:52,369 --> 00:43:55,940
account for example they lost a lot
895
00:43:54,890 --> 00:43:58,940
of money this way
896
00:43:55,940 --> 00:44:01,069
yes and then change it a bit so that
897
00:43:58,940 --> 00:44:02,990
their hash changes but it's still the
898
00:44:01,069 --> 00:44:05,180
same transaction and send it to you
899
00:44:02,990 --> 00:44:07,368
again and Mt. Gox was
900
00:44:05,180 --> 00:44:09,828
like oh look your transaction
901
00:44:07,369 --> 00:44:12,260
what's the value ten Bitcoin well now
902
00:44:09,829 --> 00:44:14,270
this account has 10 more bitcoins and
903
00:44:12,260 --> 00:44:16,220
if you could keep it up and find
904
00:44:14,270 --> 00:44:18,800
other ways to change it you could keep
905
00:44:16,220 --> 00:44:21,049
changing the same transaction and
906
00:44:18,800 --> 00:44:23,270
deposit the same ten bitcoins over and
907
00:44:21,050 --> 00:44:25,010
over and over again and there
908
00:44:23,270 --> 00:44:28,460
were two main ways to do it
909
00:44:25,010 --> 00:44:32,210
Bitcoin's protocol has been changed to
910
00:44:28,460 --> 00:44:35,150
enforce normalized representations which
911
00:44:32,210 --> 00:44:38,420
as far as anybody can tell has fixed
912
00:44:35,150 --> 00:44:41,329
this but anyway they're the two methods
913
00:44:38,420 --> 00:44:44,210
that were available were changing the
914
00:44:41,329 --> 00:44:47,390
sign bit on the s portion of the
915
00:44:44,210 --> 00:44:50,329
signature that is going from a positive
916
00:44:47,390 --> 00:44:53,540
value for s to a negative one or a
917
00:44:50,329 --> 00:44:55,640
negative one to a positive one due to some
918
00:44:53,540 --> 00:44:59,270
quirks about the way
919
00:44:55,640 --> 00:45:01,910
ECDSA works both are valid the other
920
00:44:59,270 --> 00:45:03,589
trick is due to the fact that these
921
00:45:01,910 --> 00:45:07,519
signatures are encoded
922
00:45:03,589 --> 00:45:09,529
in a scheme called ASN.1 abstract
923
00:45:07,519 --> 00:45:10,910
syntax notation
924
00:45:09,529 --> 00:45:13,910
I don't know what the dot one stands for
925
00:45:10,910 --> 00:45:15,649
anyway um if anybody here is familiar
926
00:45:13,910 --> 00:45:18,950
with that you're probably cringing right
927
00:45:15,650 --> 00:45:22,670
now because it's terrible the trick
928
00:45:18,950 --> 00:45:25,819
there is it's a very flexible encoding
929
00:45:22,670 --> 00:45:29,479
standard and you can do things like have
930
00:45:25,819 --> 00:45:31,430
variable-width number representations so
931
00:45:29,479 --> 00:45:33,680
one method of attack the other method of
932
00:45:31,430 --> 00:45:36,379
transaction malleability that was
933
00:45:33,680 --> 00:45:39,649
used against Mt. Gox in particular
934
00:45:36,380 --> 00:45:43,219
was adding extra bytes of zero at the
935
00:45:39,650 --> 00:45:46,430
beginning of the r and/or s portion of
936
00:45:43,219 --> 00:45:49,309
the signature and all these things that
937
00:45:46,430 --> 00:45:52,279
start going wrong or in weird ways when
938
00:45:49,309 --> 00:45:54,920
you start looking at bytes as numbers
939
00:45:52,279 --> 00:45:56,450
and try to apply math to them is really
940
00:45:54,920 --> 00:45:58,789
one of my favorite things of
941
00:45:56,450 --> 00:46:02,269
cryptography and let's be honest here
942
00:45:58,789 --> 00:46:11,599
all these weird attacks are actually why
943
00:46:02,269 --> 00:46:17,180
we love Bitcoin thank you
944
00:46:11,599 --> 00:46:19,160
looks like even if everything else
945
00:46:17,180 --> 00:46:19,848
happen we still have time for a few
946
00:46:19,160 --> 00:46:24,348
questions
947
00:46:19,849 --> 00:46:26,359
so mike I don't I don't believe that
948
00:46:24,349 --> 00:46:28,099
everyone got everything else I've said
949
00:46:26,359 --> 00:46:30,049
I'm not I'm not that good of a speaker
950
00:46:28,099 --> 00:46:35,180
so get there and ask me what you didn't
951
00:46:30,049 --> 00:46:36,499
get over I spent at least at least
952
00:46:35,180 --> 00:46:37,910
twenty percent of the time we were
953
00:46:36,499 --> 00:46:40,488
working on these slides having no idea
954
00:46:37,910 --> 00:46:43,009
what was going on so don't feel bad
955
00:46:40,489 --> 00:46:47,299
alright like a like a good question ah
956
00:46:43,009 --> 00:46:49,849
like do you know like what uh curves you
957
00:46:47,299 --> 00:46:52,819
know did they use you know in those like
958
00:46:49,849 --> 00:46:54,950
oh I they use like development like
959
00:46:52,819 --> 00:46:58,009
Edwards curve like on Bitcoin
960
00:46:54,950 --> 00:47:03,649
specifically uses a curve called
961
00:46:58,009 --> 00:47:06,319
secp256k1 which is defined in a
962
00:47:03,650 --> 00:47:08,569
document called standards for efficient
963
00:47:06,319 --> 00:47:11,210
Cryptography from Certicom and if you
964
00:47:08,569 --> 00:47:12,920
would like the details you can read them
965
00:47:11,210 --> 00:47:14,599
in that document I might be terribly
966
00:47:12,920 --> 00:47:17,180
wrong but I think the k there is for
967
00:47:14,599 --> 00:47:19,219
Koblitz yeah it does that is correct if
968
00:47:17,180 --> 00:47:21,859
so it's ECDSA over a Koblitz
969
00:47:19,219 --> 00:47:25,549
curve but these these attacks would work
970
00:47:21,859 --> 00:47:29,029
on any like any of the curves and what do
971
00:47:25,549 --> 00:47:31,940
you see as the future of Bitcoin well
972
00:47:29,029 --> 00:47:33,799
don't think honestly personally I'm
973
00:47:31,940 --> 00:47:36,589
concerned with is the future of attacks
974
00:47:33,799 --> 00:47:40,339
on Bitcoin so I'm I'm sure there would be
975
00:47:36,589 --> 00:47:42,890
many mistakes they're coming but
976
00:47:40,339 --> 00:47:45,259
honestly the more economic side and
977
00:47:42,890 --> 00:47:48,739
changing the world side is above my pay
978
00:47:45,259 --> 00:47:50,869
grade and definitely more drama and
979
00:47:48,739 --> 00:47:54,229
geeks with opinions
980
00:47:50,869 --> 00:47:56,059
did you guys look at any of the early
981
00:47:54,229 --> 00:47:57,468
transactions before they changed the
982
00:47:56,059 --> 00:47:59,839
script hash and were there any attacks
983
00:47:57,469 --> 00:48:04,670
against those that were you guys have
984
00:47:59,839 --> 00:48:06,710
ever looked at to be honest there there
985
00:48:04,670 --> 00:48:10,160
weren't enough of pay to public key
986
00:48:06,710 --> 00:48:12,710
transactions for it to be worth adding
987
00:48:10,160 --> 00:48:14,118
parsing code for it but if you're
988
00:48:12,710 --> 00:48:19,249
interested in that information you could
989
00:48:14,119 --> 00:48:22,460
certainly add to the decode that's up on
990
00:48:19,249 --> 00:48:23,629
github and do that search yourself just
991
00:48:22,460 --> 00:48:26,600
to clarify
992
00:48:23,630 --> 00:48:27,350
you say that G was the same for every
993
00:48:26,600 --> 00:48:29,360
transaction
994
00:48:27,350 --> 00:48:34,279
yeah and then how is it picked like what
995
00:48:29,360 --> 00:48:37,280
is this ah up ellipticals black magic
996
00:48:34,280 --> 00:48:40,580
the base point of the elliptic curve is
997
00:48:37,280 --> 00:48:44,780
essentially this fixed parameter of the
998
00:48:40,580 --> 00:48:47,630
curve which in this case is the
999
00:48:44,780 --> 00:48:49,220
secp256k1 so it's a unique piece of the
1000
00:48:47,630 --> 00:48:53,060
curve so it does its use
1001
00:48:49,220 --> 00:48:54,830
yeah yes it is it is chosen by whoever
1002
00:48:53,060 --> 00:48:55,759
chooses the rest of the parameters of
1003
00:48:54,830 --> 00:48:57,920
the curve
1004
00:48:55,760 --> 00:49:04,640
hopefully in a totally trustworthy
1005
00:48:57,920 --> 00:49:09,080
manner like I'm sure it's fine
1006
00:49:04,640 --> 00:49:10,609
God abides by huh think I people won't
1007
00:49:09,080 --> 00:49:12,380
be using application-specific integrated
1008
00:49:10,610 --> 00:49:13,940
circuits to crack some of the brain
1009
00:49:12,380 --> 00:49:17,600
wallets out there what do you think's
1010
00:49:13,940 --> 00:49:20,810
behind uh so I actually have a blog
1011
00:49:17,600 --> 00:49:22,160
post on why Bitcoin mining ASICs are
1012
00:49:20,810 --> 00:49:25,549
completely useless for cracking
1013
00:49:22,160 --> 00:49:28,850
passwords and it is because bitcoin
1014
00:49:25,550 --> 00:49:30,650
mining ASICs accelerate Bitcoin mining
1015
00:49:28,850 --> 00:49:34,940
they do not generically accelerate
1016
00:49:30,650 --> 00:49:37,130
hashing you could totally make a
1017
00:49:34,940 --> 00:49:38,390
brain wallet cracking ASIC but I don't
1018
00:49:37,130 --> 00:49:41,720
know why you would
1019
00:49:38,390 --> 00:49:44,210
and considering the SHA-256 yeah but
1020
00:49:41,720 --> 00:49:47,120
anyway sorry have you tried this many
1021
00:49:44,210 --> 00:49:50,540
altcoins or any of the newer yes
1022
00:49:47,120 --> 00:49:52,940
yeah in fact there is a website called
1023
00:49:50,540 --> 00:49:54,830
ether.camp where if you click new
1024
00:49:52,940 --> 00:49:56,990
address it makes a brain wallet for you
1025
00:49:54,830 --> 00:49:59,840
on Ethereum and it does not say it's a
1026
00:49:56,990 --> 00:50:03,080
brain wallet and the guy who runs
1027
00:49:59,840 --> 00:50:04,940
this site so he and I don't agree on
1028
00:50:03,080 --> 00:50:07,850
this I will I will just say that
1029
00:50:04,940 --> 00:50:08,420
question and I have found brain wallets
1030
00:50:07,850 --> 00:50:11,299
on
1031
00:50:08,420 --> 00:50:13,610
Litecoin, Dogecoin and a couple of other
1032
00:50:11,300 --> 00:50:16,340
coins something interesting would
1033
00:50:13,610 --> 00:50:18,470
be to truck notices and private keys and
1034
00:50:16,340 --> 00:50:21,920
people came between us coins by the way
1035
00:50:18,470 --> 00:50:23,720
yes this is just a tip is if then you
1036
00:50:21,920 --> 00:50:25,760
can ask me for a Bitcoin address and you
1037
00:50:23,720 --> 00:50:28,279
if you find money that I won't ask where
1038
00:50:25,760 --> 00:50:31,010
they come from you can you know send
1039
00:50:28,280 --> 00:50:34,160
me tapes because of this dip
1040
00:50:31,010 --> 00:50:37,400
anyway sorry yeah graduated last request
1041
00:50:34,160 --> 00:50:40,250
so all of these attacks are almost these
1042
00:50:37,400 --> 00:50:41,810
attacks seem too sorry arise from mostly
1043
00:50:40,250 --> 00:50:43,670
from client vulnerabilities you know
1044
00:50:41,810 --> 00:50:44,930
poorly coded none of them arise from the
1045
00:50:43,670 --> 00:50:46,700
protocol you think there are protocol
1046
00:50:44,930 --> 00:50:48,649
level changes we can make to make things
1047
00:50:46,700 --> 00:50:50,660
safer the bad programmers just going to
1048
00:50:48,650 --> 00:50:52,580
always put people with money at risk
1049
00:50:50,660 --> 00:50:54,379
he's right that all of these are
1050
00:50:52,580 --> 00:50:56,810
vulnerabilities on the client side but
1051
00:50:54,380 --> 00:50:59,090
essentially definitely something that
1052
00:50:56,810 --> 00:51:02,750
could have been done was standardizing
1053
00:50:59,090 --> 00:51:04,640
ECDSA only as deterministic but I
1054
00:51:02,750 --> 00:51:09,830
can't think of any other specific ones
1055
00:51:04,640 --> 00:51:12,350
right now and I the the of mine that the
1056
00:51:09,830 --> 00:51:14,630
malleability liability form enforcement
1057
00:51:12,350 --> 00:51:16,540
ok we all vacate the stage now
1058
00:51:14,630 --> 00:51:31,010
thank you to a matter
1059
00:51:16,540 --> 00:51:31,009
[Applause]