Researchers find vulnerabilities in Bitcoin, Ethereum and Ripple digital signatures caused by incorrect implementations




Recently, researchers identified vulnerabilities in cryptographic signatures for Bitcoin, Ethereum and Ripple, which allowed attackers to calculate private keys and, consequently, steal any cryptocurrency in the affected wallet. In total, the researchers calculated hundreds of Bitcoin private keys and dozens of Ethereum, Ripple, SSH and HTTPS private keys using this unique form of cryptanalytic attack.

In the paper Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies, the researchers use a method to calculate private keys by analyzing Bitcoin signatures. The researchers were also able to apply these techniques to Ethereum and Ripple.

That said, these vulnerabilities only occur in edge cases where the code is not implemented correctly by the developers or, probably, where faulty multi-signature hardware is involved. The research emphasizes the resilience of the cryptographic schemes used by cryptocurrencies, as well as highlighting the importance of correct implementation.

Background on the research

Whenever cryptocurrency holders make a transaction, they are required to create a cryptographic signature using the Elliptic Curve Digital Signature Algorithm (ECDSA). In this algorithm, the software generates an arbitrary number that is used only once: this number is called a nonce.

It is essential that the software signs each transaction with a different nonce, otherwise hackers can (rather easily) find and calculate the signer's private key. There is also evidence that hackers continually monitor the blockchain for this type of repeated nonce, extracting money from compromised keys.

What is less well known is that attackers can also calculate the keys from signatures that use different but similar nonces. For example, if the nonces have similar characters at the beginning, or similar characters at the end, then something big and terrible will happen.

What the researchers say

CryptoSlate contacted both authors of the paper: Dr. Nadia Heninger is an associate professor of computer science at the University of California. Joachim Breitner is a senior researcher at DFINITY. Dr. Heninger described the vulnerability as follows:

"The ECDSA digital signature algorithm requires the generation of a random number for each signature, which is often called a 'nonce' (this is different from the nonces used in cryptocurrency mining). If these random values used in signatures are not generated correctly, in some cases an attacker can calculate the private signing keys. The types of nonce vulnerabilities we exploited were implementations that generated values much shorter than they should have been, or values that shared most or least significant bits."

And, using a bit of advanced mathematics called lattices, the two were able to crack some of these wallet addresses and find the private keys:

"For nerds in the audience, lattice algorithms allow us to find small solutions to underdetermined systems of linear equations. There are a number of cryptanalytic techniques that use lattice algorithms as a fundamental element."

As stated in the paper, any non-uniformity in the generation of these signature nonces can reveal private key information. Given enough signatures, hackers can calculate private keys, gain access to a user's wallet and drain its funds.

Do crypto users have to worry?

According to Dr. Heninger and Breitner, the overwhelming majority of cryptocurrency users need not worry:

"The only reason why this would happen is if there's any kind of bug in the digital signature code."

Furthermore, as long as developers use the appropriate techniques and documented methods to ensure user security, the signature scheme is considered secure:

"As far as we know, ECDSA is a safe digital signature algorithm if implemented correctly. We concluded that these were not common implementations based on the fact that we found a few thousand vulnerable signatures out of almost a billion Bitcoin signatures that we examined."

Furthermore, these vulnerabilities are only "specific to distinct implementations." In addition, the authors hypothesize that the faulty implementation could be the result of some multifactor security devices:

"The mention of multifactor security is specific to the case of the signatures we found with 64-bit nonces on the Bitcoin blockchain. multisig addresses, which is not the usual case on the blockchain, so our hypothesis on the source. Since then, further speculations on specific implementation have been made."

Now, there are ways for developers to implement ECDSA without the vulnerabilities described in the paper, even for hardware devices. According to Breitner:

"Official blockchain clients have their own cryptography … since 2016, the Bitcoin client uses deterministic signatures (RFC6979) that completely remove the need for randomness in the process [eliminating the possibility of the kind of attack employed by the researchers]. If you use non-standard libraries or write your own encryption routines … you must make sure that they use RFC6979. This is even more important on embedded devices or hardware tokens where it could be difficult to find a good source of randomness."
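The RFC 6979 nonce derivation Breitner refers to, together with a signer-side self-test for the nonce defects named earlier (repeats, short values, shared high or low bits). This is an added example, not code from the paper or from any wallet; `rfc6979_nonce`, `audit_nonces` and the 32-bit margin are assumptions made for illustration.

```python
import hashlib, hmac

# Order of the secp256k1 group (the curve used by Bitcoin and Ethereum).
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def rfc6979_nonce(priv: int, msg: bytes, q: int = SECP256K1_N, hashfn=hashlib.sha256) -> int:
    """Derive the ECDSA nonce k from (private key, message), RFC 6979 section 3.2."""
    qlen = q.bit_length()
    rlen = (qlen + 7) // 8
    hlen = hashfn().digest_size

    def bits2int(b: bytes) -> int:
        v = int.from_bytes(b, "big")
        excess = len(b) * 8 - qlen
        return v >> excess if excess > 0 else v

    def mac(key: bytes, data: bytes) -> bytes:
        return hmac.new(key, data, hashfn).digest()

    x = priv.to_bytes(rlen, "big")                                   # int2octets(x)
    h = (bits2int(hashfn(msg).digest()) % q).to_bytes(rlen, "big")   # bits2octets(H(m))
    V, K = b"\x01" * hlen, b"\x00" * hlen
    K = mac(K, V + b"\x00" + x + h)
    V = mac(K, V)
    K = mac(K, V + b"\x01" + x + h)
    V = mac(K, V)
    while True:
        T = b""
        while len(T) < rlen:
            V = mac(K, V)
            T += V
        k = bits2int(T)
        if 1 <= k < q:            # reject out-of-range candidates, no modular bias
            return k
        K = mac(K, V + b"\x00")
        V = mac(K, V)

def audit_nonces(nonces, q=SECP256K1_N, margin=32):
    """Signer-side self-test: flag reuse, short values and shared high/low bits."""
    qlen, findings = q.bit_length(), set()
    if len(set(nonces)) < len(nonces):
        findings.add("repeated")
    if any(k.bit_length() <= qlen - margin for k in nonces):
        findings.add("short")     # chance is about 2**-margin per uniform nonce
    if len(nonces) > 1:
        if len({k >> (qlen - margin) for k in nonces}) == 1:
            findings.add("shared-msb")
        if len({k & ((1 << margin) - 1) for k in nonces}) == 1:
            findings.add("shared-lsb")
    return findings
```

`audit_nonces` needs the raw nonces, so it belongs in the test harness of a signing library or device firmware, run over a batch of nonces the signer produced.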

Useful for attackers?

Ultimately, these types of attacks are not economically viable given the amount of time, electricity and computing power needed to carry them out, even with this new tool added to the attackers' arsenal:

"Given that attackers are already exploiting other cryptographic vulnerabilities to compromise their portfolios, it seems likely that this will be added to their arsenal, but if you have to pay for the computing time to perform the calculation, it is probably not a financial attack given the balances we found associated with the vulnerable keys."

At the end of the day, the research reassures cryptocurrency users that the cryptography that underlies Bitcoin and other digital currencies is solid. With tens of thousands of people scrutinizing the underlying code for these systems, it is a testament that the main security schemes, if used correctly, still adequately protect the user for now.

Transparency commitment: The author of this article is invested and / or has an interest in one or more assets discussed in this post. CryptoSlate does not endorse any projects or resources that could be mentioned or linked in this article. Please take this into account when evaluating the contents of this article.
