3

I the news I read this:

The firm was forced to make a security disclosure on its blog and on Reddit, admitting that a development error had led to a problem with the generation of private keys. Private keys (effectively the private addresses used to hold bitcoin) were generated with a low degree of entropy, making them easy for attackers to retrieve.

Is there a detailed analysis available of what exactly happened or perhaps you could share your thoughts on this? I understand a concept of information entropy just want to know what should be done and what should be avoided to achieve a high degree of entropy.

src091
  • 253
  • 1
  • 9

1 Answers1

1

I have not seen a thorough technical review. However, after reading about the issue, my understanding is that the issue related to reusing the same k nonce value for ECDSA, not in generating private keys.

Blockchain.info's blog post about the issue is here.

Blockchain.info's GitHub commit that fixed the issue is here.

The individual who noticed its effect on transactions is a forum user by the name of "johoe" and you can see the discussion that unfolded beginning with this post.

It is a known requirement for ECDSA that for each signature with a particular private key, a unique k value must be used, otherwise with even just two signatures of the same k the private key used in the signature can be recovered. This issue is described in depth here.

Here is an open source project that discovers vulnerable private keys on the blockchain. This slide show discusses the issue, the open source project, and some investigation into which wallets are susceptible (Blockchain.info is among the unsafe ones listed).

The solution for this has been known for a while: use RFC 6979.

Chuck Batson
  • 645
  • 4
  • 6