Poorly generated addresses cause Blockchain.info customer’s BTC loss

What happened?

repatedRvalues

Blockchain.info seems to be under much heat lately from all the recent attacks. Ranging from https redirection by rogue Tor nodes to phishing attempts.  During a scheduled update by the blockchain.info team an issue was present between 12:00am and 2:30am GMT on 12/8/14. According to the official blockchainwallet reddit account:

If you created a wallet, generated a new address via Blockchain.info’s web-wallet, or sent bitcoin from your wallet during this time period and have not provided us with your email address, please contact our support desk at [email protected] or simply create a new wallet.

What was the issue? How were the coins stolen? We are here to find out.

Repeated R values

A bitcoin transaction has inputs and outputs. It looks like this:

Input:
Previous tx: f5d8ee39a430901c91a5917b9f2dc19d6d1a0e9cea205b009ca73dd04470b9a6
Index: 0
scriptSig: 304502206e21798a42fae0e854281abd38bacd1aeed3ee3738d9e1446618c4571d10
90db022100e2ac980643b0b82c0e88ffdfec6b64e3e6ba35e7ba5fdd7d5d6cc8d25c6b241501

Output:
Value: 5000000000
scriptPubKey: OP_DUP OP_HASH160 404371705fa9bd789a2fcd52d2c580b65d35549d
OP_EQUALVERIFY OP_CHECKSIG

Here is a brief overview of what an input and an output in a transaction consits of (taken from the bitcoin wiki)

Input

An input is a reference to an output in a different transaction. Multiple inputs are often listed in a transaction. The values of the referenced outputs are added up, and the total is usable in the outputs of this transaction. Previous tx is a hash of a previous transaction. Index is the specific output in the referenced transaction. ScriptSig is the first half of a script. The script contains two components, a signature and a public key.

Output

An output contains instructions for sending bitcoins. Value is the number of Satoshi (1 BTC = 100,000,000 Satoshi) that this output will be worth when claimed. ScriptPubKey is the second half of a script (discussed later). There can be more than one output, and they share the combined value of the inputs.

The Script

A script is essentially a list of instructions recorded with each transaction that describe how the next person wanting to spend the Bitcoins being transferred can gain access to them. It contains a signature and a public key. According to Nils Schneider on 12/25/13 he discovered a potential weakness in some Bitcoin implementations. He gave an example of a transactions:

transaction: 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1

input script 1:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff

input script 2:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff

The above is an example of a transaction with 2 inputs. If you look closely you can see how the script has many similar bytes at the beginning and at the end. Since the beginning of the script is the signature (r,s) r1 = r2

r1: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
r2: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1

s1: 44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
s2: 9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab

This is where the repeating R values come from. Because the r values are equal Schneider was able to find a way to recover the private key to that public key which he shows in his blog post. At the very end he explains why the vulnerability works:

Why did this work? ECDSA requires a random number for each signature. If this random number is ever used twice with the same private key it can be recovered. This transaction was generated by a hardware bitcoin wallet using a pseudo-random number generator that was returning the same “random” number every time.

Blockchain.info’s role in the attack

bchain

Because the repeating R values come from a poorly generated “random” number it is blockchain.info’s fault that change addresses and user’s main addresses were generated using a poorly chosen random seed. As such, blockchain is taking full responsibility and is refunding it’s users who lost coins during the time period.

If you lost any coins during this time please make sure to email blockchain.info @ [email protected] to see what they can do for you. If you liked this article follow us on twitter @themerklenews and don’t forget to subscribe to our newsletter.