"We broke 762 unique wallets. All of these had a zero balance.".... lmao, so.... they think they "hacked" a wallet because they got a private key in their equation and then the wallets were empty...?? LMAO They have no way to even check their work.. LMAO LMAO LMAO... They basically got a random answer, checked the wallet, and are claiming they hacked it.... I can come up with random math too and get a private key lmao.... ENTROPY

You are mistaken.

The DSA signature scheme is assumed to be an EUF-CMA or sEUF-CMA hard problem. However, after decades there has been no formal proof to be reducible to the DL-assumption (or Computational Diffie Hellman assumption or Decisional Diffie Hellman assumption). We also think that the mathematical problems on an elliptic curve and under Zp* are equivalent.

This is in stark contrast to the Schnorr Signature Scheme where there is a formal proof in the random oracle model under DL assumption to be EUF-CMA.

Any news about findings about DSA in Zp* or elliptic curve are worrisome. We basically wish that there shouldn't even be something to talk about. Especially any hints that there is a connection between signature, nonce and private key. Which is what this paper hints at.

To people that aren't familiar with cryptography: This might sound Chinese to you. But what we're talking about here realistically is that in a few decades somebody finds out that the signature scheme is reducible to DL, DH or DDH - which would be huge news in cryptography but would still mean that nobody can forge signatures without breaking DL, DH or DDH - which they can't. Also, if somebody was to find a connection between signature, nonce and private key - that doesn't mean it's exploitable by PPT algorithms - which wouldn't be surprising due to DSA's structure.

Even though I understood almost none of your comment, I'm glad we have people around that seem to understand these things.

It made me read the paper and it broadened my knowledge. For that, I thank you.

Not sEUF-CMA, i.e. not strongly unforgeable due to the sign flip of the s value in ECDSA, but I take it you're treating that as academic since the assumption is that that is the only malleability (still, it's a very relevant malleability!)

You can look at transaction history.

Might as well sit there and enter random seeds if you try this bullshit

It was a nice read. I don't think they meant to imply any FUD. They are just sharing their work.

It's best practice to avoid reusing private keys anyway, this is why the recommendation to never use the same address again. I built a message segmenting algorithm that changes one of the keys every new packet but the other key is protected by a blinding factor so only the user knows which one it is. It skates straight through this vulnerability.

Identities encoded in a single private key might be a bad idea if this works. 4 different nonces with the same ECDH private/public key pair combination probably needs to always be different.

Just for prudence it might be wise therefore to adopt a rule where you don't sign more than 3 messages from a single private key, and aim to add a key change to any EC using protocol for identity keys.

https://twitter.com/danielvf/status/1563168400234258433

It happens when you sign the same message twice. Then the attacker can potentially start to be more able to craft a fake message to fit the signature. The more, the easier. This is another reason why using different addresses every time should be and is generally the norm with bitcoin usage, except for donation addresses. These really should be protected with signatures and issued on demand, but that then requires a hot keychain somewhere.

I think for this reason also a challenge signing protocol should have the signer add their own random value to the provided challenge in order to avoid the other end getting multiply signed identical messages.

First they will try to hack Satoshi's wallet. And then we'll find out that it took 100 years, or 1000, or 25000.

Because it is never spent it will be the hardest to hack. All the old wallets which contain addresses which AFTER spent left some funds on it will be first hacked. That's why all wallets now move funds to a fresh address after spending. This solution seems to be rock solid (=unhackable) till now!

Extract from article:

The estimated cost of the attack was about 285 USD. We broke 762 unique wallets. All of these had a zero balance. Interestingly enough, we could break all these wallets, not because of a linear or quadratic recurrence but because there was at least one repeated nonce in the signatures. So, it looks like the common mishap of ECDSA implementations using a repeated nonce was the cause of trouble.

Makes one wonder if they actually did stop early with Ethereum or got lucky.. :)
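The repeated-nonce condition named in the article extract above, written as a check an operator can run over their own signer's log. This is an added example, not code from the paper or from any commenter; the toy signer, the key and nonce values and the `(key_id, r, s, z)` record layout are constructed for illustration.

```python
import hashlib
from collections import defaultdict

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine addition on y^2 = x^3 + 7; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def sign(d, k, msg):
    """Toy ECDSA signer with a caller-chosen nonce k; returns (r, s, z)."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    r = ec_mul(k)[0] % N  # r depends only on k, never on the message
    return (r, pow(k, -1, N) * (z + r * d) % N, z)

def audit(records):
    """Return key_ids whose log shows one r on two different message hashes."""
    hashes = defaultdict(set)
    for key_id, r, _s, z in records:
        hashes[(key_id, r)].add(z)
    return sorted({key for (key, _r), zs in hashes.items() if len(zs) > 1})

def constructed_log():
    # Constructed sample: key A repeats a nonce, key B does not.
    a1, a2 = sign(0xA11CE, 12345, b"pay 1"), sign(0xA11CE, 12345, b"pay 2")
    b1, b2 = sign(0xB0B, 111, b"pay 3"), sign(0xB0B, 222, b"pay 4")
    flipped = (b1[0], N - b1[1], b1[2])  # sign-flipped copy of b1, same message
    return [("A", *a1), ("A", *a2), ("B", *b1), ("B", *b2), ("B", *flipped)]

print(audit(constructed_log()))
```

Grouping on the message hash `z` rather than on `s` is what keeps the sign-flipped copy `(r, N - s)` of one signature from being reported as nonce reuse.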

😮

What a bullshit crap

They literally tell you how many times you should avoid re-using keys. This is good.