Skip to content

Ethereum Bug Bounty Submission: Breaking ecdsa that uses `privKey xor message` as nonce.

Notifications You must be signed in to change notification settings

jonasnick/ecdsaPredictableNonce

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

26 Commits
 
 
 
 
 
 

Repository files navigation

Ethereum Bug Bounty Submission: Predictable ECDSA Nonce

Breaks an ecdsa implementation that uses privKey xor message as nonce. Recovering the full private key requires 256 signatures. In other words, every signature leaks 1 bit. A detailed explanation of the attack can be found in the explanation.pdf.

main.go is the implementation of an attack specifically against a vulnerable version of github.com/obscuren/secp256k1-go and thus also against go-ethereum . It takes roughly 11 minutes for my 3.0Ghz processor to solve the system. The obvious fix is to use the operating system's PRNG to generate the nonce just like the original project by haltingstate.

Caveat

In its current form, this attack does not directly work against github.com/obscuren/secp256k1-go package. The reason for this is that in order to prevent s-malleability, libsecp256k1 enforces an s that is smaller than curve_order/2. If libsecp256k1 computes an s that is bigger it is negated, which essentially has the effect that the message is signed using the negative of the original nonce. Because this attack gets only 1 bit from each signature generated from the textbook algorithm and we don't know if nonce or -nonce has been used, the attacker looses 1 bit and thus learns nothing. See [this line] (https://github.com/jonasnick/ecdsaPredictableNonce/blob/master/main.go#L215) for the cheat that is used in order to ensure using the non-negated nonce.

Thanks to Pieter Wuille for some helpful discussion.

About

Ethereum Bug Bounty Submission: Breaking ecdsa that uses `privKey xor message` as nonce.

Resources

Stars

Watchers

Forks

Releases

No releases published

Packages

No packages published