A poor random number generator (RNG) can create the same ‘random’ number (‘k’ in the formula above) on more than one occasion. When the transaction is hashed, this number is multiplied by the same generator point (ie: same random number) as the public key.
Since one unknown has been removed from the equation, the private key can be revealed by effectively reversing the hash through additional mathematical operations.
The chance of even a bad RNG producing an identical number twice is very low, but it still poses a small risk.
While researching the vulnerability, Valsorda believes, he found evidence of bitcoin thefts exploiting the vulnerability dating back to 2013.
According to The Register, Valsorda said he identified one attacker who stole 59 BTC in August 2013.
He pinned the blame for the vulnerability on developers, as the problem could be tracked down to coding errors found in certain bitcoin clients.
Valsorda said:
“I found two really big events where someone probably made an error while writing their client that generated hundreds and hundreds of vulnerable transactions.”
Wallets examined
Valsorda has designed his Blockchainr tool to scan the block chain for vulnerable transactions.
While some might fear such information could be misused, Valsorda did not manage to find any wallets that could be raided. However, he said, this may be because they have been raided already.
In addition to testing old transactions, Valsorda also examined the ECDSA implementation in a number of popular wallets.
He claims that some providers like Electrun, MultiBit/Bitcoinj, Bitrated/Bitcoinjs-lib and Trezor used a safer, deterministic model of signature generation. Bitcoin Core, Blockchain and Armory were found to be less safe.
The use of an RNG within the browser was, in some cases, linked to reduced transaction safety. The chance of duplicate signature generation even on those wallets deemed less safe is still less than 1%, said Valsorda.
Conclusion criticised
Not everyone agrees with the conclusions, however. Armory’s CEO and founder Alan C Reiner told CoinDesk:
“Valsorda is criticizing the globally standardized use of ECDSA, which is implemented and applied properly in our software. Since ECDSA was created, it has always required a random number generator and all software that implements it should use a random number generator. That’s part of its specification.”
“The fact that people are moving to ‘deterministic signing’ is really an enhancement, to protect against weak random number generators,” he said. “But Armory doesn’t run on any platforms with weak RNGs, so our ‘unsafe’ rating should be 0%.”
Reiner further said that Armory follows the NIST-approved specification for ECDSA, which has been in place for 10 years, “the same way it is used in other secure systems throughout the Internet”.
Old browser issue
CoinDesk also spoke to Blockchain about Valsorda’s claims. A spokesperson said:
“This issue first came to our engineering team’s attention in August 2013. We took steps then to patch the vulnerability created by a small minority of users relying on old out-of-date web browser versions.
Blockchain’s My-Wallet tool relies on, not one, but three sources of entropy to generate ECDSA signing keys: the browser-based RNG, mouse movement & keyboard interaction, and a server-side RNG. This protects users from out-of-date browsers with weak RNGs while maintaining the ability run a fully client-side, non-custodial wallet that is easy to use across your desktop and mobile devices.”
Blockchain, the firm said, remains vigilant about potential security issues and continues to actively monitor potential threat vectors generated by common software such as web browsers.
Blockchain encouraged all users to make sure they are running the most up to date software to ensure better security.
Valsorda has made his code freely available to other developers by posting it on GitHub and has called on fellow developers to address the issue, taking care in their choice of random number generators.
ECDSAFilippo ValsordaSecurityWallets
Original author: Nermin Hajdarbegovic