ebook img

How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys PDF

0.1 MB·English
Save to my drive
Quick download
Download
Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.

Preview How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys

How Perfect Offline Wallets Can Still Leak Bitcoin Private Keys Stephan Verbücheln∗ 5 January 5, 2015 1 0 2 n Abstract a J ECDSAhasbecomeapopularchoiceaslightweightalternativetoRSA and classic DL based signature algorithms in recent years. As standard- 2 ized,thesignatureproducedbyECDSAforapairofamessageandakey ] isnot deterministic. This workshows howthis non-deterministicchoice R canbeexploitedbyanattackertoleakprivateinformationthroughthesig- C naturewithoutanysidechannels,anattackfirstdiscoveredbyYoungand YungforclassicDL-basedcryptosystemsin1997, andhowthisattack af- . s fectstheapplicationofECDSAintheBitcoinprotocol. c [ 1 1 Introduction v 7 Bitcoin is decentralized payment scheme first described in a publication by 4 4 pseudonymous author Satoshi Nakamoto in 2008.[N08] Because its design is 0 basedoncryptographicprotocols,thetermcryptocurrencyhasbecomecommon 0 torefertosystemslikeBitcoinanditsvariants.Inanutshell,usersholdpublic- . 1 privatekeypairs,wherethepublickeysfunctionasanaccountnumbers,and 0 theprivatekeysenablethemtospendmoneyfromthoseaccounts. 5 Bitcoinhasbecomeverypopularandcommerciallyadoptedinrecentyears. 1 Theexchangeratehasrisentoapointthatthevalueofallcoinsincirculation : v addsup to $5 billion as of November 2014(peaking evenhigher before). Be- i cause of the value of Bitcoin assets, it has become more and more important X for users–especiallylarge-scaleuserslike online shops – toprotecttheir pri- r a vatekeys, asstealingaBitcoinprivatekeyenablesanadversarytostealtheir money. Many ideas have come up on how to keep the user’s private keys secret. TheregularBitcoinwalletsoftwareforPCoperatingsystemsencryptsthepri- vatekeysusingAESandonlydecryptsthemwhenthe userwantstocreatea transaction. This gives basic protection against PC malware for the time the userdoesnotusehisprivatekey. Butwhentheuserwantstogenerateatrans- actionand entershis passphrase, the unencryptedkeys areinthe application memory,andthusarenotprotectedagainstmalware. The next step is to use a dedicated PC for Bitcoin only, and keep it dis- connected from the Internet. This prevents the PC from being infected with ∗Humboldt-UniversitätzuBerlin 1 malware,andevenincaseitgetsinfected,themalwarehasahardjobtosend thesecretkeyshometotheattacker. Asanevenfurtherstep,somecompanies startproducing special purpose hardwarewhich is designed to manage keys andcreatetransactions,buttoneverreleasethekeysthemselves. The strengthof the lattertwo settings comes fromthe factthatevenif the devicewiththeBitcoinprivatekeysonitismalicious, itcannotsendanypri- vateinformationtoattackersaslongastheusermakessurethatonlytransac- tionsleavethedevice. Thisissupposedlyachieved,ifthe deviceforexample writes the transaction into a file, and the user copies the file using a portable storagemedium. But, as we will see later, even if the user actually ensures that only the transaction leaves the wallet device, there is still a problem: ECDSA. Bitcoin transactions contain ECDSA signatures. In the process of creating a ECDSA signature,likeintheclassicDSA,thecreatorhastochoosearandomnumber. AdamYoungandMotiYungshowedin[YY97],howthisrandomnumbercan be used by a malicious implementation of DSA to leak private information. Thiscanbedoneinsuchawaythatonlytheattacker,whomadethemalicious implementation,canextractthesecretfromthesignature,andthatthedistribu- tionofmalicioussignaturesispolynomiallyindistinguishablefromlegitimate signaturesbyanybodyelse. ThispaperwilloutlinehowthisattackcanbeusedforECDSAaswell,and whatsecurityissuesarisefromthatforapplicationsofECDSAlikeBitcoin. 2 Definitions Inourconsiderations,theuseristheperson,whowantstouseapubliclyspec- ifiedcryptosystem, e.g. ECDSA.Theattackeristhe person, whocreatesama- liciousimplementationwhichisusedbythe user. Theintuitionisthattheat- tacker’simpementationcandifferfromhowthecryptosystemisspecified,but thattheinputsandoutputshavetocomplywiththespecification. Inaddition wedon’twanttheuseroranythirdpartytobeabletodistinguishtheoutputs generated by the malicious implementation from the outputs generated by a specification-compliantimplementation. 2.1 KleptographicSETUP WewillusethedefinitionofkleptographicsetupsgivenbyYoungandYungin [YY97]. Definition. Let C be the black-box implementation of a cryptosystem with publicly known specification. A kleptographic (regular) SETUP (SecretlyEm- beddedTrapdoorwithEmbeddedProtection)isamodifiedalgorithmC′ such that: 1. TheinputofC′ agreeswithhepublicspecificationsoftheinputofC. 2. C′computesefficientlyusingtheattacker’spublicencryptionfunctionE (andpossiblyotherfunctionsaswell),containedwithinC′. 2 3. The attackers private decryption function D is not contained within C′ andisknownonlybytheattacker. 4. The output of C′ agrees with the public specifications of the output of C. Atthesame time, itcontainspublishedbits(ofthe user’ssecretkey) which are easily derivable by the attacker (the output can be generated duringkeygenerationorduringsystemoperationlikemessagesending). 5. Furthermore,theoutputofCandC′ arepolynomiallyindistinguishable (asin[GM84])toeveryoneexcepttheattacker. 6. Afterthe discoveryof the specificsofthe setup algorithmandafterdis- coveringitspresenceintheimplementation(e.g. reverse-engineeringof hardwaretamper-proofdevice),users(excepttheattacker)cannotdeter- minepast(orfuture)keys. 3 A Kleptogram for Elliptic Curves Inthissection,wewillseehowellipticcurvescanbeusedtohideinformation inthechoiceofarandomnumberlikeitisperformedinECDSA.Thiswillbe thecentralbuildingblockinourlaterattack. Given an elliptic curve E. Let G be a point on E of order n. Let d be the attacker’sprivatekey and Q = dG the corresponding public key. Let R be a cryptographicallystrongpseudo-randomnumbergeneratorwithhiddenseed. Without loss of generality, we assime that R outputs a value less than n. Let α,β,ωbefixedintegerconstants,withωbeingodd. 3.1 Generation The maliciousimplementation of a elliptic-curvecryptosystemgeneratestwo subsequentchoicesc ,c thefollowingway: 1 2 Firstround. 1. Pickrandomc <n. 1 2. Compute M = c G. 1 1 3. Storec innon-volatilememory. 1 4. Output M . 1 Secondround. 1. Pickrandombitt ∈ {0,1}. 2. ComputeZ = (c −ωt)G + (−αc −β)Q. 1 1 3. Computec = R(Z). 2 4. Compute M = c G. 2 2 5. Output M . 2 3 3.2 Recovery Nowtheattackerisabletoextractthe(secret)valueofc from M ,M andhis 2 1 2 privatekeydasfollows: 1. ComputeR=αM +βG. 1 2. ComputeZ = M −dR. 1 1 3. If M =R(Z )Gthenoutputc = R(Z ). 2 1 2 1 4. ComputeZ = Z −ωG. 2 1 5. If M =R(Z )Gthenoutputc = R(Z ). 2 2 2 2 3.3 Indistinguishability Values in the first round arechosen atrandom. An attackerwants the distri- bution of values from the second round to be indistinguishable from values generatedatrandomlikeinthefirstround. For this reason, the second round makes use of a seeded pseudo-random numbergenerator. Tomakethedistributionofthegenerator’soutputashard to distinguish as possible, the attacker wants the number of potential values forZaslargeaspossible,ideallyndifferentvalues. The attacker can achieve this by tweaking the constants α, β and ω such that G =(−dβ−ω)G 1 G =(−dβ)G 2 G =(1−dα)G 3 have preferablyhigh orders, the idealbeing n. In that case, Z and thus c = 2 R(Z)cantakeonanyvalueupton. AssumingthattheoutputofRispolyno- mially indistinguishable fromrandom numbers of equaldistribution, we can followthatonlytheattackerhimselfcandistinguishthetwo(byblindlyapply- inghisrecoveryprocedure). 4 ECDSA and Bitcoin Inthissection,wewillseehowtheaboveconstructioncanbeusedtocreatea SETUPforECDSA. 4.1 Setup forECDSA Let’s recallECDSA. For an elliptic curve E with a generator point G of order n, an ECDSA user’s private key is a number d < n. The public key is the correspondingcurvepointQ = dG. LetHbethecryptographichashfunction used. Asignatureforamessagemisgeneratedasfollows: 1. Pickarandomvaluek < n. 4 2. ComputeR=(r ,r ) =kG. 1 2 3. Computer =r mod n. 1 4. Computes=k−1(H(m)+dr) mod n. 5. Outputσ =(r,s) Thesignatureisverifiedbyanotherpartyasfollows: 1. ComputeR′ =(r′,r′)= s−1H(m)G+s−1rQ. 1 2 2. Computer′ =r′ mod n. 1 3. Acceptthesignatureifandonlyifr =r′. Note thata number k ischosen bythe algorithm for eachsignature σ. A i i black-box implementation of ECDSA cansubstitute the values k , k in two i i+1 consecutivesignaturesσ,σ byc ,c generatedlikeinsection3.Thisenables i i+1 1 2 theattackertoextractthevalueofk = c fromσ = (r ,s ),σ = (r ,s )as i+1 2 1 1 1 2 2 2 described,becauser ,r aretheequivalenttom ,m respectivelyfromsection 1 2 1 2 3. Now note that knowledge of the value k for a single signature σ already enablesanattackertocomputethe privatekeyd,since fromstep4inthesig- naturegeneration,itfollows: d =(H(m)−sk)r−1 mod n 4.2 Limitations One limitation with this attack is that the attacker has to know in advance whichcurveandwhich generatorpointtheuser willchoose tosetuphisim- plementation. Otherwise he cannotgeneratehisown public-privatekeypair. Thiswasabiglimitation, when[YY97]publishedtheattackforclassicDiffie- Hellman settings, because it was common that each user generates his own newgroupZ andageneratorg∈Z∗ foreachapplication. p p Withellipticcurvecryptography,thislimitationbecamelessrelevant.Since it is more expensive to generate a new strong pair of a curve and a genera- tor point from scratch, elliptic curves are generated and analyzed by scien- tists,andonlyafewellipticcurvesarepublished(withcorrespondingparam- etersincludingthegeneratorpoint)bystandardizationbodiessuchastheU.S. governments’NIST.SomeECDSAapplicationsevenspecifyaparticularsingle curvetobeused,e.g. Bitcoinusesonlythesecp256k11curveforECDSA. 4.3 Bitcoin Bitcoinisadecentralizedpaymentsystem,whichisimplementedasapeer-to- peer network.[N08] In order to pay money to one another, users create little files named transactions. These transactions arebroadcastedinto the network and collected in a large log file called blockchain, which is maintained by all participatingpeersinacooperativemanner. 1Publishedin2000byCerticomResearch. 5 OutsideWorld generalcommunication PC/Server requests,signedtransactions Offline Wallet Figure1: Bitcoinconfigurationwithanofflinewallet Forourconsiderationswedon’thavetogofurtherintohowtheblockchain ismaintainedindetail. Wejust havetokeepinmind thattheblockchaincol- lects all valid transactions, and that the previous blockchain history is what givestheuserabalancethathecanspend. Toparticipateinthepaymentandreceivemoney,ausercreatesaBitcoinad- dress. HecreatesanECDSApublic-privatekeypair.2 Togeneratetheaddress, thepublickeyishashedtwiceusingtheSHA256algorithm. Now astandardtransaction isa file thatspecifies a number of inputs and outputs. For inputs, the transaction refers to a previous transaction that has chargedoneormoreoftheuser’saddresseswithcoins. Foroutputs,thetrans- actionspecifiesoneormoreBitcoinaddressesownedbythereceiver.Tomake thetransactionvalid,ithastosatisfythefollowingconditions: • Thespecifiedinputsmusthaveahigherorequalvaluethantheoutputs arereceiving. • The transactions specified in the inputs must be part of the blockchain andnotyetspent. • Theuserhastoprovethatheownstheaddressesfromtheinputtransac- tionsbysigningthetransactionwiththecorrespondingprivatekeys. Thelastconditionistheonethatmakessurethatonlytheownerofanaddress canspendthereceivedcoins,becauseonlyheknowstheECDSAprivatekey. NownotethatsincethesignaturesinatransactionareplainECDSAsigna- tures,thekleptographicSETUPfromsection4canjustbeappliedinastraight forward manner. This means that a malicious programmer or hardware de- signercanimplementaBitcoinwalletinawaythatleaksthesecretkeywith- outanyside channelsusingonly twosignatures. Note thatsince theremight bemorethanonesignatureinatransaction,thiscanhappeninasingletrans- action if two inputs associated with the same address are used. Nobody but the attackerisable todistinguish sucha malicious transactionfroma normal one. 2Notethatthesecp256k1curveistheonlyellipticcurveusedinBitcoin. 6 4.4 DeterministicChoice of k The kleptographic attack on ECDSA is very easy, because the value k has to bechosenduringthesignaturecreation. Aswehaveseen,khastobesecretto preventadversariesfromextractingthesecretkeyd.OnlyR=kGispublished withthesignature. Another slightly related security issue also arose from the fact that k has to be chosen by the signature algorithm. If two values k , k in two different 1 2 signatures have a known linear relationship k = ak +b with a,b ∈ Z, the 2 1 privatekeydcanbeextractedfromthetwosignatureswithouttheknowledge of the values k ,k , since itresultsin twolinear equations with only d and k 1 2 1 unknown. Becauseof this known attack, some proposalshavebeenmade on how to choose the number k deterministically, e.g. [RFC6979] or the specification of EdDSA by [BDLSY12]. These proposals generate k deterministically using a cryptographic hash function with the message and the user’s private key as inputs. Theresultisthatthe sameuser alwayscreatesthe samesignature for a given message. Note that it is crucial here to have the private-key part of the input. If k would be derived from the message alone, it would be public informationandthereforeuseless. Thismeasuregivesonlylimitedprotectionagainstthekleptographicattack since it canonly be verified using the private key. The whole point of a ded- icatedBitcoinwalletisthattheuser wantstomake surethatthe privatekeys nevergetanywhereoutsideofit,whichmeansthateventheuserhimselfcan- notverifythesignatureusingasecondcomputer. 5 Potential Solutions Onepotentialcounter-measurecouldbethefollowing: 1. Thesignaturedevicegeneratesthesignaturewithdeterministickasspec- ifiedin[RFC6979]. 2. Inadditiontothat,thedevicedeliversazero-knowledgeproofthatkwas indeedgeneratedasspecified. Thisispossiblesinceitisknownthatzero-knowledgeproofsexistforanyNP statement. But with this solution, a new problem arises. The whole point of using an offline Bitcoin wallet is that it does not leak any information into the public exceptthe legitimately generatedtransactions. If we letthe device output a zero-knowledge proof in addition to that, this proof may introduce new ways for the adversary to leak information. This means that the zero- knowledgeprotocolforthisapplicationhastobechosencarefully. Anothercounter-measurewouldbetostrictlynotuseanyaddressmoreof- tenthanonce. AlthoughthiswayofusingBitcoinaddressesisrecommended already because of privacy considerations, there exist some use cases where thismaynotbefeasible. Forexample,apublicdonationaddressforacharita- blefoundationissupposedtobeusedbymultipledonorsoverandoveragain foralongperiodoftime. Inordertotransferthedonations,asignaturehasto becreatedforeachincomingpayment. 7 OutsideWorld generalcommunication PC/Server requests,validatedsignatures Supervisor interactivecommunication,unvalidatedsignatures Signer Figure2: Configurationwithasupervisor Adeterministicchoiceofkalone(asdescribedinthelastsection)wouldnot helpmucheither,becauseknowledgeoftheprivatekeyisnecessarytoverify thatk hasindeedbeenchosen asspecified. Buttherearestill twoadvantages arisingfromusingadeterministicmethod: First,itlimitsthechoiceofkifthe user signs the exact same document twice, as k has to be identical given the same message and private key. Secondly, it would enable the user to detect malicioussignatureslater,forexampleafterakeyhasexpiredanditissafeto transfertheprivatekeytoanothercomputer. 5.1 Interactively Generate k Theabilityofthesignertoleakinformationthroughhischoiceofkcomefrom thefactthatheisallowedtochoosekfreely.Ifanoutsideagentcouldforcethe signertochoosekfromtheequaldistribution,thatwouldn’tbepossible. Acommon wayto solve this cryptographic problemisaninteractive pro- tocol, where twopartieschoose a common randomstring. Suchaprotocol is arranged in a way that neither of the two parties can influence the resulting randomstringtohiswishes,becausebothpartieshavetomaketheirchoicefor theirpartbeforetheotherone’schoiceisrevealed. Thiscanbeenforcedusing acommitmentscheme. In a blogpost3 on firmcoin.com, the Certimix company describes such an interactive protocol that deals with the problem. In addition to the signing device(i.e.theofflinewallet),wehaveasupervisordevicethatcheckswhether thesigningisdoneproperly. Theprotocolworksasfollows: For an elliptic curve E with a generator point G of order n be d < n the privatekeyandthecorrespondingcurvepoint Q = dG thepublickey. LetH bethecryptographichashfunctionused. Asignatureforamessagemisgeneratedasfollows: 1. Supervisorandsignergeneratektogether: (a) Thesignerpicksarandomvaluet <n. 3BlogpostfromJune20,2013,“NosubliminalChannel”,http://firmcoin.com/?p=52 8 (b) ThesignercomputesT = tG. (c) Thesignercomputesh =H(T).4 T (d) Thesignersendsh tothesupervisor. T (e) Thesupervisorpicksarandomvalueu< n. (f) Thesupervisorsendsutothesigner. (g) ThesignersendsTtotheuser. (h) Thesupervisorverifiesthath =H(T). T (i) Thesignercomputesk =t·u mod n. 2. ThesignercomputesR=(r ,r ) =kG. 1 2 3. Thesignercomputesr =r mod n. 1 4. Thesignercomputess= k−1(H(m)+dr) mod n. 5. Thesignersendstheresultingsignatureσ =(r,s)tothesupervisor. 6. Thesupervisorreleasesthesignatureafterverifyingthatkwasgenerated correctly: (a) ThesupervisorcomputesR′ =(r′,r′) =uT. 1 2 (b) Thesupervisorverifiesthatr =r′ mod nholds. 1 Notethatonlythesupervisorhastocommunicatewiththeoutsideworld. Buttherearestillsomethingsthatwehavetobeawareof:Eventhoughneither the signer nor the supervisor can manipulate the choice of k/r as published with the signature, the signer might still leak information to the supervisor throughhischoicesoft. Therearestilladvantagescomingfromtheprotocol: i Asthesupervisordoesnothavetostoreanycriticaldatainpersistentmemory, thesecuritypropertiesaredifferent.Inaddition,aslongaseitheroneofsigner andsupervisorworkscorrectly,thesignaturecannotleakinformationthrough thechoiceofk. Thisprotocolhasthedisadvantagethatitrequiresalotofinteraction. But wecanmakethisprotocolmorepracticalbyperformingaprearrangementstep wherealistofrandomnumbersisgeneratedinadvance. LetEagainbeanellipticcurvewithageneratorpointGofordern,bed <n theprivatekeyandthecorrespondingcurvepointQ = dGthepublickey. Let Hbethecryptographichashfunctionused. Prearrangement 1. The signer chooses a list of random numbers t1,...,tℓ with ti < n for eachi ≤ℓ. 2. Fori ≤ℓ,thesignercomputesT =t Gandh =H(T). i i Ti i 3. Thesignerstoresthelustofchoicest1,...,tℓforlateruse. 4. Thesignersendsthelistofhashesh ,...,h tothesupervisor. T1 Tℓ 5. Thesupervisorstoresthelistofhashes. 4ThisisacommitmenttoT. 9 Signing 1. Thesupervisorgeneratesarandomnumberu< n. 2. Thesupervisorsends(m,u)tothesigner. 3. Thesigner computesk = ut˙ mod nand T = t G,where t isthefirst 1 1 1 1 elementfromthelistofchoices. 4. ThesignergeneratestheECDSAsignatureσ =(r,s)usingkasthenonce. 5. Thesignersends(σ,T )tothesupervisorandremovest fromthelistof 1 1 choices. 6. ThesupervisorcomputesR′ = (r′,r′) = uT . 1 2 1 7. Thesupervisorverifiesthatr =r1′ mod nandhT1 =T∞. 8. If successfully verified, the supervisor publishes the signature and re- movesh fromthelistofhashes. T1 Ifanyverificationstepfails,thesupervisorshouldcanceltheprotocolandalert theuser. 6 Conclusion Without a satisfying solution, there is only one conclusion to draw from this problem: UserscannottrustanyimplementationofECDSAorBitcoin, which theycannotfullyverify. Notethatthisdoesnotonlyaffectstrictblack-boximplementationssuchas closed-source programs. A user with high security requirements(like an on- lineshopthatwantstoacceptBitcoinpaymentsonalargescale)wouldhaveto useanimplementation,whichcanbeverifiedbyhisownstaff(oratleastare- liablepartnercompany). Anhard-to-readimplementationlikeOpenSSLmay beinsufficient,becausetheparticularimplementationofECDSAmaybehard toverify.Suchimplementationsfeaturemanyvariationsonthepurealgorithm toimproveperformance(e.g. usingCPU-dependentassemblylanguage)orto harden the implementation against timing attacks). In addition, it is hard to verifyinalargeprogramlikeOpenSSL,whichcodeisactuallyexecutedwhen youperformacertainoperation. A similar problem arises with embedded cryptographic chips like smart- cards.Suchdevicesaredesignedtoneverreleasetheprivatekeysandtomake it hard for an outside analysis to read out secret data. The fact that the leak in the kleptographic attack is so well hidden makes it hard for a chip man- ufacturer to prove to the customers that the device does not leak any secret informationinECDSAsignatures. Theparanoidamonguserswouldevenhavetocompiletheprogramthem- selves to be sure that the code their are reading reallymatches the code they arerunning. Toverifythattheexecutedcodeactuallymatchesthesourcecode is even harder for small embedded devices (like dedicated Bitcoin wallets or crpytosmartcards)thaninthesettingofanofflinePC. 10

See more

The list of books you might like

Most books are stored in the elastic cloud where traffic is expensive. For this reason, we have a limit on daily download.