Matthew Green
and Joachim Breitner discovered nonce biases in several Bitcoin ECDSA implementations. They were able to recover 300 Bitcoin private keys holding a whopping $54.
Matthew Green Jan 9
Replying to @matthew_d_green
Dropping the Bitcoin 0day.
Tony Arcieri Jan 9
Replying to @matthew_d_green
Countermeasures: should probably mention fault attacks. Oh well!
Tomas Susanka Jan 9
I've finally read it correctly, that it's 300 keys and not 300 Bitcoins.
Paul Wouters ☕️ Jan 9
$54 might indicate Nadia wasn’t the first to find this bias? 😜
Jeff Coleman Jan 9
Replying to @matthew_d_green
Can you call it a 0day if we have known about the vulnerability of nondeterministic signing for many years now?
Charlie Miller Jan 9
ah academia, please never change! 💋
Rahul Sridhar Jan 9
The paper seems to use the $54 to justify that the flaws are not known. "As of this writing $54 remain in Bitcoin accounts whose keys we were able to compute, suggesting that these flaws do not yet appear to be known, or else the funds would have already been stolen."
Rahul Sridhar Jan 9
Seems like dubious reasoning... I suspect the cost of running lattice reduction on 2000 cores is well above $54
Ryan Castellucci Jan 9
People who steal Bitcoin are often also people who steal compute time, but even so there is the opportunity cost to consider. Fees being large in comparison to value available is another potential consideration.
L. ☕️. Ritter Jan 9
much ado
The Doge Mocenigo Jan 9
That’s what they reported: maybe they are millionaires now and we do not know ;-)
Don Stewart Jan 9
makes it big
Dorian Nakamoto Jan 10
Replying to @matthew_d_green
Probably blockchain.info fucked it up again
Oscar Pacey Jan 10
Sounds like yet another reason to have been avoiding address re-use.
ⓢⓐⓛⓔⓔⓜ ⓡⓐⓢⓗⓘⓓ Jan 10
Replying to @matthew_d_green
maybe they're using deterministic nonce generation, but it's C so they accidentally overwrote the nonce with low-entropy garbage 🤔
Joachim Breitner Jan 10
Wanna find out? For 1000 USD dollars I will sell you 0.1% of my current wealth. Then you’ll know. (Offer only valid in January 2018 – I still want to dream.)