Despite others pooh-poohing this work, I think it's 1) indeed novel but de rigueur cryptanalytic research, and 2) a reasonably well-written exposition of a well-known and long-theorized cryptanalytic weakness of ECDSA actually being exploited adversarially "in the wild", with real economic consequences. That's pretty cool!
However, framing it as a novel attack is somewhat risible given that the actual novel part, the "polynonce attack", was irrelevant to finding those 773 private keys (they all used repeated nonces and so could each have been broken much more easily). And "773 wallets broken" should instead be "exposing 773 real-world cryptanalytic breaks of Bitcoin security due to faulty Bitcoin wallets".
For someone who knows nothing about EC cryptography, it would be illuminating and useful to learn the biggest flaw in ECDSA: how utterly crucial it is to use a truly random nonce for each and every signature, and if your wallet doesn't, someone's gonna snatch yo' coins. But the hyped-up headline and misleading framing make it sound like typical clickbait academic journalism crap.
This is what it looks like to me also. Repeating nonces are a huge no-no; it only takes a few until you can start to execute a plaintext attack on the data. GCM-AES also cannot encrypt more than 4Gb of data without having a repeat in the cipher stream. Unrelated, but similar reasons behind it.
Poor quality RNG is a very bad thing. ChaChaPoly80 is in wide use and generates high-quality entropy with a lot less processing than using the kernel's /dev/random CSPRNG.
In my work there is a lot of shuffling done during selection operations and making that shuffle as random as possible to not open a side channel, a crypto random seed for every shuffle operation ensures an outside source could not possibly discover it. It also makes collision-free random identifiers for database keys identifying sessions and nodes and so forth internally.
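The nonce-reuse weakness the comments above describe, worked through in code. This is an added example, not code from the thread or from the paper under discussion: pure-Python secp256k1 arithmetic (slow, dependency-free), a textbook ECDSA signer that takes k from the caller so the wallet bug can be reproduced deliberately, the audit check a reviewer runs over a batch of signatures (any r value seen twice means k was reused), the recovery that confirms the finding, and a deterministic nonce in the spirit of RFC 6979 as the fix. The HMAC derivation is a simplified stand-in for the real RFC 6979 procedure, the transaction strings are constructed, and the recovery also tries the negated s because Bitcoin's "low-s" normalization can flip a signature's s without changing r.

```python
"""Added example (not from the thread): why a repeated ECDSA nonce leaks the key,
the audit check that finds it, and the deterministic nonce that prevents it.
Pure-Python secp256k1; all sample transactions and keys are constructed."""
import hashlib
import hmac
import secrets

# secp256k1 domain parameters (the curve Bitcoin uses); y^2 = x^3 + 7 over F_P
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def inv(a, m):
    return pow(a % m, -1, m)


def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * inv(2 * y1, P) % P   # curve coefficient a = 0
    else:
        lam = (y2 - y1) * inv(x2 - x1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant-time; fine for a demo)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def h256(msg: bytes) -> int:
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N


def sign(d, msg, k):
    """Textbook ECDSA. The caller supplies k so a reused nonce can be reproduced."""
    r = ec_mul(k, G)[0] % N
    s = inv(k, N) * (h256(msg) + r * d) % N
    return (r, s)


def deterministic_k(d, msg):
    """Nonce in the spirit of RFC 6979: derived from (key, message hash), so it is
    unique per message and never repeats. Assumption: a single HMAC-SHA256, not the
    full RFC 6979 loop; the property that matters here is the same."""
    mac = hmac.new(d.to_bytes(32, "big"), h256(msg).to_bytes(32, "big"),
                   hashlib.sha256).digest()
    return int.from_bytes(mac, "big") % (N - 1) + 1


def find_reused_r(sigs):
    """Audit check: map each r to the indices of signatures carrying it. Since r is
    the x-coordinate of k*G, a repeated r under one key means k was repeated."""
    seen = {}
    for idx, (r, _s) in enumerate(sigs):
        seen.setdefault(r, []).append(idx)
    return {r: idxs for r, idxs in seen.items() if len(idxs) > 1}


def recover_from_reuse(pub, sig1, msg1, sig2, msg2):
    """Confirm a flagged collision: with s_i = k^-1 (h_i + r d), the two equations
    share k and d, so k = (h1 - h2)/(s1 - s2) and d = (s1 k - h1)/r. Returns d
    only if it reproduces the public key, else None."""
    r, s1 = sig1
    r2, s2 = sig2
    if r != r2:
        return None
    h1, h2 = h256(msg1), h256(msg2)
    # Bitcoin "low-s" normalization may have replaced s2 with N - s2; try both.
    for s2c in (s2, (N - s2) % N):
        if (s1 - s2c) % N == 0:
            continue
        k = (h1 - h2) * inv(s1 - s2c, N) % N
        d = (s1 * k - h1) * inv(r, N) % N
        if ec_mul(d, G) == pub:
            return d
    return None


def demo(d, reused_k):
    """Constructed scenario: a faulty wallet signs tx-1 and tx-2 with the same k,
    then tx-3 with a deterministic nonce. Returns the key recovered from the
    flagged pair (equals d), demonstrating the impact the audit check reports."""
    pub = ec_mul(d, G)
    msgs = [b"tx-1", b"tx-2", b"tx-3"]
    sigs = [sign(d, msgs[0], reused_k), sign(d, msgs[1], reused_k),
            sign(d, msgs[2], deterministic_k(d, msgs[2]))]
    for idxs in find_reused_r(sigs).values():
        i, j = idxs[0], idxs[1]
        return recover_from_reuse(pub, sigs[i], msgs[i], sigs[j], msgs[j])
    return None


if __name__ == "__main__":
    priv = secrets.randbelow(N - 1) + 1
    print("recovered key matches:", demo(priv, secrets.randbelow(N - 1) + 1) == priv)
```

`find_reused_r` is the part a wallet reviewer actually runs over chain data: it needs only the public (r, s) pairs, no keys. Signatures produced with `deterministic_k` never collide on r for distinct messages, which is why deterministic nonces removed this whole failure mode from wallets that adopted them.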