Bitcoin Storage Security Survey:
Wallets Cold Storage BIP032
nicolascourtois.com/bitcoin/paycoin_secure_storage_3bef.pdf
Nicolas T. Courtois
- University College London, UK
Security of Bitcoin
Dr. Nicolas T. Courtois
1. cryptologist and codebreaker
2. payment and smart cards (e.g. bank cards, Oyster cards etc…)
Crypto Currencies
Nicolas T. Courtois 2009-2014
UCL Bitcoin Seminar
research seminar
=> In central London, runs EVERY WEEK!
public web page:
blog.bettercrypto.com / SEMINAR
or Google "UCL bitcoin seminar"
My Whole Life:
Tried to educate people about security…
My Whole Life:
Tried to educate… AND frequently FAILED…
My Whole Life:
Tried to improve the security baseline…
Crying Wolf!
51%, Elliptic Curve, OpenSSL...
It did NOT help,
The Wolf was allowed to operate
We failed to protect our DATA
We failed to protect our MONEY
Solution = Decentralized P2P
Solution = BlockChain
• Until recently, we’ve needed central bodies – banks, stock markets, governments, police forces – to settle vital questions.
– Who owns this money?
– …
– Now we have a small piece of […] computer code that will allow people to solve the thorniest problems without reference to “the authorities”.
http://www.telegraph.co.uk/technology/news/10881213/The-coming-digital-anarchy.html
[11 June 2014]
Code Breakers
John Nash - 1955
In 2012 the NSA declassified his hand-written letter:
He also says that:
“[…] the game of cipher breaking by skilled teams, etc., should become a thing of the past.” […]
Groups and ECC
Elliptic Curve Crypto
“exponential security”
ECC - Certicom Challenges [1997, revised 2009]
TOTAL = 725,000 USD
Cryptographic Security of ECDSA in Bitcoin
P vs. NP
• If you solve P vs. NP: 1 M$.
• Nobel prize, Abel prize in mathematics: roughly 1M$
• Break bitcoin ECC: About 3 BILLION $.
ECC - Certicom Challenges [1997, revised 2009]
secp256k1 NOT INCLUDED
no prize if you break it
Timely Denial
Dan Brown, chair of SEC [Certicom, Entrust, Fujitsu, Visa International…]
``I did not know that BitCoin is using secp256k1.
I am surprised to see anybody use secp256k1 instead of secp256r1'',
September 2013,
https://bitcointalk.org/index.php?topic=289795.80
Nicolas T. Courtois, 2006-2014
Comparison:

| Used/recommended by | secp256k1 | secp256r1 |
|---|---|---|
| Bitcoin, anonymous founder, no one to blame… | Y | |
| SEC Certicom Research | surprised! | Y |
| TLS, OpenSSL | ever used??? | Y, 98.3% of EC |
| U.S. ANSI X9.63 for Financial Services | Y | Y |
| NSA suite B, NATO military crypto | | Y |
| U.S. NIST | | Y |
| IPSec | | Y |
| OpenPGP | | Y |
| Kerberos extension | | Y |
| Microsoft implemented it in Vista and Longhorn | | Y |
| EMV bank cards XDA [2013] | | Y |
| German BSI federal gov. infosec agency, y=2015 | | Y |
| French national ANSSI agency beyond 2020 | | Y |
Bitcoin Crypto Bets
Wanna Bet?
Is Bitcoin Improving?
Bitcoin Troubles
• Crypto gets broken?
• Monetary policy: genius, weird or mad?
• 51% attacks and double spending: easy!
• P2P network in decline (XX,000=>5,000)
• Slow speed
• Poor Anonymity
• Payment fees decline/stable
Better Security Will Prevail?
NOT obvious, and even LESS obvious in financial systems.
A right amount of insecurity:
• allows you to sell insurance,
• trains our survival and cybersecurity skills,
• creates lots of interesting jobs for our students,
• possibly keeps criminals from engaging in “more violent” crime…
Better “Money” Will Prevail?
Crypto engineers like us sometimes naively hope that “better” currencies will drive “not so good” currencies out of business.
In fact the Gresham-Copernicus Law [1517] says exactly otherwise!
Bad currencies DO frequently drive better currencies out of business.
Better “Money” Will Prevail?
The “bad” option is also happening with bitcoin: it has gained excessive popularity
NOT because it was technically very good (it never was) or had solid intrinsic value, or it was fast and convenient (it never was).
It has thrived because it has created huge expectations which bitcoin competitors temporarily could not meet.
Bitcoin remained the obvious choice, a sort of natural monopoly.
Network Effects!
Antonopoulos [former UCL student]
points out that "when you have a technology that is ‘good enough’ that achieves network scale [...]
good enough suddenly becomes perfect"
“I don’t see any altcoin displacing it”, he says.
If bitcoin crashes, again according to Antonopoulos it will be rather because “we blow it up by accident”.
[L.A. Bitcoin Meetup Jan 2014]
Our Works on Bitcoin
- cf. also blog.bettercrypto.com
- Nicolas Courtois, Marek Grajek, Rahul Naik: The Unreasonable Fundamental Incertitudes Behind Bitcoin Mining, http://arxiv.org/abs/1310.7935
- Nicolas Courtois, Marek Grajek, Rahul Naik: Optimizing SHA256 in Bitcoin Mining, CSS 2014.
- Nicolas Courtois, Lear Bahack: On Subversive Miner Strategies and Block Withholding Attack in Bitcoin Digital Currency, http://arxiv.org/abs/1402.1718
- Nicolas Courtois: On The Longest Chain Rule and Programmed Self-Destruction of Crypto Currencies, http://arxiv.org/abs/1405.0534
- Nicolas T. Courtois, Pinar Emirdag and Daniel A. Nagy: Could Bitcoin Transactions Be 100x Faster? In proceedings of SECRYPT 2014, 28-30 August 2014, Vienna, Austria.
- Nicolas T. Courtois, Pinar Emirdag and Filippo Valsorda: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events, 16 Oct 2014, http://eprint.iacr.org/2014/848
- Poster: http://www.nicolascourtois.com/bitcoin/POSTER_100x_Secrypt2014_v1.0.pdf
Cryptome Renamed My Paper:
=> Actually I show that quite possibly bitcoin is EXEMPT from destruction [natural monopoly].
=> Whatever is Bad with bitcoin is even worse with most alt-coins.
http://cryptome.org/2014/05/bitcoin-suicide.pdf ?????????
Security Engineering
Bitcoin vs.
Security Engineering
Re-Engineering Bitcoin:
We postulate:
1. Open design.
2. Least Common Mechanism
3. Assume that attacker controls the Internet [Dolev-Yao model, 1983].
4. The specification should be engineered in such a way that it is hard for developers to make it insecure on purpose (e.g. embed backdoors in the system).
[Saltzer and Schroeder 1975]
Open Design ≠ Open Source
Examples: cryptography such as SHA256 (used in bitcoin) is open source but NOT open design – it was designed behind closed doors!
Open Source Critique
Open Source vs. Closed Source and Security
Secrecy:
Very frequently an obvious
business decision.
• Creates entry barriers for competitors.
• But also defends against hackers.
Kerckhoffs’ principle: [1883]
“The system must remain secure should it fall in enemy hands …”
Kerckhoffs’ principle: [1883]
Most of the time: incorrectly understood.
Utopia. Who can force companies to publish their specs???
No obligation to disclose.
• Security when disclosed.
• Better security when not disclosed.
Yes (1,2,3,4):
1. Military: layer the defences.
Yes (2):
2)
Basic economics: these 3 extra months (and not more) are simply worth a lot of money.
Yes (3):
3)
Prevent the erosion of profitability / barriers for entry for competitors / “inimitability”
Yes (4):
4)
Avoid Legal Risks
• companies don't know where their code is coming from; they want to release the code and they can't because it's too risky!
– re-use of code can COMPROMISE own IP rights and create unknown ROYALTY obligations (!!!)
– clone/stolen code is more stable, more reliable, easier to understand!
What’s Wrong with Open Source?
Kerckhoffs principle:
• Rather WRONG in the world of smart cards…
– Reasons:
  • side channel attacks,
  • PayTV card sharing attacks
• But could be right elsewhere for many reasons…
– Example:
  • DES, AES cipher, open-source, never really broken
  • KeeLoq cipher, closed source, broken in minutes…
*Kerckhoffs principle vs. Public Key Crypto vs. Financial Cryptography
• In Public Key Cryptography one key CAN be made public. In practice this means that
– some group of people has it
– NO obligation to disclose, to make it really public (and it is almost never done in serious financial applications)
• Full disclosure for public keys is unbelievably stupid…
– cf. next slide!
Do NOT Disclose Public Keys!
• Full disclosure for public keys is simply BAD security engineering and BAD security management.
• Examples:
• ATMs have like 6 top-level public keys, not really public though
• in Bitcoin: the public key can remain a secret for years, only a hash is revealed, this is BRILLIANT key management which makes Bitcoin MUCH more secure than it would otherwise be!
• it does solve the problem raised by Diffie at CataCrypt in San Francisco: HOW DO YOU PROTECT AGAINST UNKNOWN ATTACKS?
CataCrypt Conference
Tried to improve the security baseline…
Breaking News
blog.bettercrypto.com
Introducing Bitcoin
Bitcoin In A Nutshell
• bitcoins are cryptographic tokens, binary data = 010100110101010…
– stored by people on their PCs or mobile phones
• ownership is achieved through digital signatures:
– you have a certain cryptographic key, you have the money.
– publicly verifiable, only one entity can sign
• consensus-driven, a distributed system which has no central authority
– a major innovation: financial transactions CAN be executed and policed without trusted authorities.
– bitcoin is a sort of financial cooperative or a distributed business.
• based on self-interest:
– a group of some 100 K people called bitcoin miners own the bitcoin “infrastructure” which has cost > 1 billion dollars (my estimation)
– they make money from newly created bitcoins and fees
– at the same time they approve and check the transactions.
– a distributed electronic notary system
Two Key Concepts
• initially money is attributed through Proof Of Work (POW) to one public key A
– to earn bitcoins one has to “work” (hashing) and consume energy (pay for electricity)
– now in order to cheat one needs to work even much more (be more powerful than the whole network), more precisely:
• money transfer from public key A to public key B:
– like signing a transfer in front of one notary which confirms the signature,
– multiple confirmations: another notary will re-confirm it, then another, etc…
– we do NOT need to assume that ALL these notaries are honest.
• at the end it becomes too costly to cheat
In Practice
Wallets
• Wallet: file which stores your “money”.
• A Bitcoin client App is also called a wallet
Digital Currency
Bitcoin is a
=>PK-based Currency:
– bank account = a pair of public/private ECDSA keys
– spend money = produce a digital signature
Main Problem:
Bitcoins can be “spent twice”.
Avoiding this “Double Spending” is the main problem when designing a digital currency system.
Block Chain
Bitcoin Mining
• Minting: creation of new currency.
• Confirmation+re-confirmation of older transactions
Ownership:
– “policed by majority of miners”:
[Figure: HASH of (data from previous transactions, RNG, miner’s public key); the result must start with 64 zeros]
Block Chain
Def:
A transaction database shared by everyone.
Also a ledger.
Every transaction since ever is public.
Wallets and Key Management
©Nicolas Courtois
Tx LifeCycle
It is possible to almost totally separate:
• Miner nodes
– Hashing with public keys
• Peer Nodes
– Relay and store transactions and blocks
• Wallet Nodes
– Store and release funds,
– Focus on management of private keys, master keys etc etc...
[Figure labels: tx, tx, public ledger, burn]
Bitcoin Address
Ledger-Based Currency
A “Bitcoin Address” = a sort of equivalent of a bank account.
Remarks:
• PK is NOT public!
• only H(public key) is revealed!
• PK remains confidential until some money in this account is spent.
• SK = private key: always keep private, allows transfer of funds.
Bitcoin Ownership
Amounts of money are attributed to public keys.
Owner of a certain “Attribution to PK” can at any moment transfer it to some other PK (== another address).
Destructive, cannot spend twice:
not spent
*Multi-Signature Addresses
MultiSig = Addresses Starting with 3
Bitcoin can require several private keys simultaneously in order to transfer the money.
– For example 2 out of 3 signatures are required to spend bitcoins.
– The keys can be stored on different devices (highly secure).
– Can work without backups: if one device is lost, use other devices to transfer bitcoins to a new multisig address with another set of devices...
Multi-Sig Concept is NOT new…
1993
K. Itakura, K. Nakamura: A public-key cryptosystem suitable for digital multi-signatures
1983
BTC Transfer
Bitcoin Transfer
Transactions have multiple inputs and multiple outputs.
Transaction Signed by All Owners with their SK
[Diagram: Input Bitcoin Addresses and Output Bitcoin Addresses; amounts shown: 0.2 BTC, 1.3 BTC, 0.001 BTC, 0.499 BTC, 1.0 BTC + Fees]
Transaction Scripts
Signed Tx / Final Tx
byte by byte (similar but not identical to raw blocks seen before)
(this is done twice, with different scriptSig)
2 scripts
scriptSig length 1 byte
scriptPubKey length 1 byte
scriptPubKey
scriptSig
(not widely used)
Second scriptSig
sign+PKey
scriptSig1 = signature (r,s)
scriptSig2 = Pkey = (x,y)
len = 1+71 + 1+65 = 138 BUT NOT ALWAYS!
[Diagram labels: scriptSig, r, s]
Is Bitcoin Secure? Satoshi claimed it is…
Bitcoin Hardware Wallets
Wallets
Bottom Line
Main Functionality:
- Private Key Generation
- Export public key
- ECDSA sign
- optional:
  • sign full BTC transactions
  • confirm recipient on the screen! (huge classical problem with all smart cards and digital signature devices; Ledger has a clever solution: regurgitates inputs on another device, USB keyboard)
Trezor: bitcointrezor.com
BTChip HW1: hardwarewallet.com
Ledger: ledgerwallet.com
BTChip HW.1
since Jan 2013
*Features of USB card ST23YT66
2K
6K
1.0
NESCRYPT crypto-processor for PK crypto
• 900 ms for 1 ECDSA signature
• 900 ms for key gen
• encrypts private keys on the card (‘content’ key) 3DES CBC
• content key can be protected with “a GlobalPlatform Secure Channel” authentication mechanism
Trezor
+ display: know to whom you send the money!
+- has open source firmware: https://github.com/trezor/trezor-mcu
by Satoshi Labs, Prague, CZ
released March 2014
+ Trezor Lite App
Lets you see your money when you don’t have your device with you!
Based on BIP032 audit capability => quite dangerous: see
Nicolas T. Courtois, Pinar Emirdag and Filippo Valsorda: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events, 16 Oct 2014, http://eprint.iacr.org/2014/848
Wallets and Key Management BIP032
[Diagram: BIP032 child key derivation, two panels: "Parent Ext. Public" and "Parent Ext. Private". Labels: HM with input M = Kpublic || i and xchain, output y split into yL and yR (yPrivate, ychain), ".G", "mod q", "right key = ki.G", ECC, ki / Ki, ci]
Ledger
• have their own operating system!
  – closed source, their Chrome front-end is open source
  – due to the current JavaCard limitation:
    • cannot implement deterministic ECDSA (RFC6979)
• bitcoin tx processing implemented inside (unlike HW.1)
  – claimed to be a “more secure” evolution of HW.1
• communicates with Google Chrome directly, no middleware
• data retention: 30 years
• open: no NDA for any wallet to support this
It Implements:
• Standard Multisig, P2SH style (BIP016)
• BIP032: HD Wallets
  danger? they have fixed it!
  solution: implements RFC 6979, deterministic signatures
• BIP039: seed mnemonic (list of words in English)
• BIP044: specific wallet structure
Security
• master backup
  – printed card with master private seed
    + long passphrase to be written on paper (used only to recover)
  – recovery also possible if the hardware is lost
    • standard method BIP39, no lock-in, can be recovered on 3rd party soft/hard
  – enter wrong PIN 3 times => all data are claimed to be erased
  – claimed totally anonymous
    • except browser IP address will be revealed when you send Tx to the network
• each device is paired with a printed card A=>3, to be kept with the wallet,
  – this card = second factor authn. (malware cannot use the device)
  – duo edition has the same card: can create 2 identical hardware wallets
  – Pb: PIN code is entered on a PC: BUT
    • to sign a transaction, need to enter correspondence codes A=>3 “based on a random sampling of the payment address”
CoinKite
• card + terminal with HSM
  + supports multisig
• Pb.
  – “each new member receives a "welcome email" which contains the "xpubkey" (extended public key) for their deposits.”
  – super dangerous!
Are Known Wallet Solutions Secure???
Incidents at Operation:
Bad Randoms
Bad Randoms
First publicized by Nils Schneider:
28 January 2013
D47CE4C025C35EC440BC81D99834A624875161A26BF56EF7FDC0F5D52F843AD1
repeated more than 50 times…
Used twice by the SAME user!
ECDSA Signatures
Let d be a private key, integer mod n = ECC [sub-]group order.
• Pick a random non-zero integer 0<a<n-1.
• Compute R=a.P, where P is the base point (generator).
• Let r = (a.P)x be its x coordinate.
• Let s = (H(m) + d*r ) / a mod n .
The signature of m is the pair (r,s).
(512 bits in bitcoin)
Groups and ECC
Attack – 2 Users
random a: must be kept secret!
[Diagram: RNG, random a, R=a.P, r, s = (H(m)+dr) / a mod n, (r,s)]
same a used twice => detected in public blockchain
=> (s1a-H(m1))/d1 = r = (s2a-H(m2))/d2 mod n
=> r(d1-d2) - a(s1-s2) = H(m2)-H(m1) mod n
each person can steal the other person’s bitcoins!
=> any of them CAN recompute k used
has already happened 100 times in Bitcoin
Our Graph Model
2 users have used the same random
Our Online Database
Attack – Same User
random a: must be kept secret!
[Diagram: RNG, random a, R=a.P, r, s = (H(m)+dr) / a mod n, (r,s)]
same a used twice by the same user (d1=d2). In this case we have:
(s1a-H(m1)) = rd = (s2a-H(m2)) mod n
=> a = (H(m1)-H(m2))/(s1-s2) mod n
AND now d = (sa-H(m))/r mod n
anybody can steal the bitcoins!
has also happened 100 times in Bitcoin
Have These Problems Stopped in 2013?
Lots of problems in May 2012, fixed.
2013: Android bug was fixed…
And then there was another MASSIVE outbreak…
And then another…
Dec. 2013
At the 30C3 conference in Germany on 28 Dec 2013, Nadia Heninger reported that they had identified a bitcoin user on the blockchain who has stolen some 59 BTC due to these bad randomness events.
The money from the thefts is stored at:
https://blockchain.info/address/1HKywxiL4JziqXrzLKhmB6a74ma6kxbSDj
Still sitting there, he is NOT trying to spend it… too famous? Afraid to be traced and caught?
Second Major Outbreak – May 2014
Android RNG bug
Third Major Outbreak December 2014
200,000 USD stolen by an “ethical thief” at Blockchain.info
Dodgy Security Advice By A Thief
“johoe recommends a client that employs HD (hierarchical deterministic) wallets,
such as Bread Wallet on iOS and Armory, Electrum or Wallet32 on Android.”
Is he not aware that these solutions can lead to thefts at a much larger scale?
=> see our paper 2014/848.
Most Recent Bad Randoms
From my own scan:
c471b1ce535f6331d07759eeaafab4c1a276cdafa86245a7bf61f29236619367
Appears 7 times in block 337458
4 January 2015
Used by different users…
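The duplicate-r scan behind these slides, as an added example (not code from the talk): it parses `<signature> <public key>` scriptSigs, shows why their length is 138 bytes only some of the time, and reports every r that occurs more than once, by the same key or by different keys. All function names, transaction labels and byte values are constructed; the keys and signatures are placeholder patterns, not real ones.

```python
from collections import defaultdict

def der_int(x):
    """DER INTEGER: minimal big-endian, 0x00 prefix when the top bit is set."""
    raw = x.to_bytes((x.bit_length() + 7) // 8 or 1, "big")
    if raw[0] & 0x80:
        raw = b"\x00" + raw
    return b"\x02" + bytes([len(raw)]) + raw

def make_script_sig(r, s, pubkey):
    """Build <sig || sighash> <pubkey> as two direct pushes (sample-data helper)."""
    body = der_int(r) + der_int(s)
    sig = b"\x30" + bytes([len(body)]) + body + b"\x01"  # 0x01 = SIGHASH_ALL
    return bytes([len(sig)]) + sig + bytes([len(pubkey)]) + pubkey

def read_push(script, pos):
    """Read one direct push: opcode 0x01..0x4b is the byte count that follows."""
    if pos >= len(script) or not 1 <= script[pos] <= 0x4B:
        raise ValueError("expected a direct data push")
    end = pos + 1 + script[pos]
    if end > len(script):
        raise ValueError("truncated push")
    return script[pos + 1:end], end

def parse_der_sig(sig):
    """Return (r, s) from DER SEQUENCE{INTEGER r, INTEGER s} || sighash byte."""
    if len(sig) < 9 or sig[0] != 0x30 or sig[1] != len(sig) - 3:
        raise ValueError("bad DER header")
    values, pos = [], 2
    for _ in range(2):
        if pos + 2 > len(sig) - 1 or sig[pos] != 0x02:
            raise ValueError("expected INTEGER")
        end = pos + 2 + sig[pos + 1]
        if end > len(sig) - 1:
            raise ValueError("INTEGER overruns signature")
        values.append(int.from_bytes(sig[pos + 2:end], "big"))
        pos = end
    if pos != len(sig) - 1:
        raise ValueError("trailing bytes in signature")
    return values[0], values[1]

def parse_script_sig(script):
    """Return (r, s, pubkey) for a <signature> <public key> scriptSig."""
    sig, pos = read_push(script, 0)
    pubkey, pos = read_push(script, pos)
    if pos != len(script) or len(pubkey) not in (33, 65):
        raise ValueError("not a <sig> <pubkey> scriptSig")
    return parse_der_sig(sig) + (pubkey,)

def find_reused_r(inputs):
    """Group (txid, scriptSig) pairs by r; report every r seen more than once."""
    seen = defaultdict(list)
    for txid, script in inputs:
        r, _s, pubkey = parse_script_sig(script)
        seen[r].append((txid, pubkey))
    report = {}
    for r, uses in seen.items():
        if len(uses) > 1:
            keys = {pk for _, pk in uses}
            kind = "same key" if len(keys) == 1 else "different keys"
            report[r] = (kind, [txid for txid, _ in uses])
    return report

# Constructed sample data: r, s and keys are made-up byte patterns, not real
# signatures or curve points; only their encodings matter to the parser.
KEY_A = b"\x04" + b"\xaa" * 64   # uncompressed public key form, 65 bytes
KEY_B = b"\x02" + b"\xbb" * 32   # compressed public key form, 33 bytes
R1 = int("11" * 32, 16)          # top bit clear: 32-byte INTEGER
R2 = int("c3" * 32, 16)          # top bit set: padded to 33 bytes
SAMPLE_INPUTS = [
    ("tx-a", make_script_sig(R1, int("21" * 32, 16), KEY_A)),  # 138 bytes
    ("tx-b", make_script_sig(R1, int("22" * 32, 16), KEY_A)),  # r repeated, same key
    ("tx-c", make_script_sig(R2, int("23" * 32, 16), KEY_A)),  # 139 bytes
    ("tx-d", make_script_sig(R2, int("24" * 32, 16), KEY_B)),  # r repeated, other key
    ("tx-e", make_script_sig(int("15" * 32, 16), int("25" * 32, 16), KEY_B)),
]
```

`find_reused_r(SAMPLE_INPUTS)` flags R1 as reused by the same key (the "Same User" case) and R2 as shared by different keys (the "2 Users" case); a wallet operator can run the same check over the inputs signed by their own keys.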
New Risks
So What?
Previous attacks:
• Classical bad random attacks typically concern only very few bitcoin accounts, and only some very lucky holders of bitcoins can actually steal other people's bitcoins
• Only a few hundred accounts in the whole history of bitcoin were affected until today
Advanced Attacks October 2014
eprint/2014/848
The Really Scary Attacks
New attacks [Courtois et al. October 2014]
=> under certain conditions ALL bitcoins in cold storage can be stolen
=>millions of accounts potentially affected.
New Paper:
cf. eprint.iacr.org/2014/848/
HD Wallets = Trees
2 Trees Connected Due to Bad Randoms
2 users have used the same random
[cycle]
Bad RNG ECDSA Bitcoin Etc
More Cycles
Even More
Is There a Fix?
Solution: RFC6979 [Thomas Pornin]
BOTTOM LINE:
If you have NOT implemented RFC6979, you should be scared by this talk…
RFC6979 [Pornin] = 5+ applications of HMAC
http://www.rfc-editor.org/rfc/rfc6979.txt
[Diagram: chain of HMAC-SHA256 blocks, each with key K and message M]
• start: K = 00….00 (256), V = 01….01 (256)
• d. K = HMAC-SHA256 with key K of M = 01….01 || 00 || kpriv || H(m) (256 + 1 + 256 + 256)
• e. V = HMAC-SHA256 with key K of M = V
• f. K = HMAC-SHA256 with key K of M = V || 01 || kpriv || H(m) (256 + 1 + 256 + 256)
• g. V = HMAC-SHA256 with key K of M = V
• h. V = HMAC-SHA256 with key K of M = V, giving k (256) for ECDSA
  (normally a loop BUT not needed for 256 bits output k)
Which Systems Are Affected?
Solution: RFC6979 [Pornin]
• Already applied by
  – Electrum, Multibit, Trezor
• Patched very lately:
  – blockchain.info – insecure,
  – Bitcoin Core – patch was applied 18M after being approved…