Researchers recently identified vulnerabilities in cryptographic signatures for Bitcoin, Ethereum, and Ripple, that allowed attackers to calculate private keys and, consequently, steal any crypto in that wallet. In total, the researchers calculated hundreds of Bitcoin private keys and dozens of Ethereum, Ripple, SSH, and HTTPS private keys using this unique form of cryptanalytic attack.
In the paper Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies, researchers utilize a method to calculate private keys by analyzing Bitcoin signatures. The researchers were also able to apply these techniques to Ethereum and Ripple.
That said, these vulnerabilities only occur in edge cases where code is not implemented by developers properly, or likely occurred because of faulty multi-signature hardware. The research emphasizes the resiliency of the cryptographic schemes used by cryptocurrencies, as well as highlights the importance of proper implementation.
Background on Research
Whenever crypto holders make a transaction, they are required to create a cryptographic signature using an elliptic curve digital signature algorithm (ECDSA). In this algorithm, the software comes up with an arbitrary number that is used just once for communication—this number is called a nonce.
It is critical that the software signs each transaction with a different nonce, otherwise hackers can (rather easily) find and calculate the signers’ private key. There is even evidence that hackers continuously monitor the blockchain for these kinds of repeated nonces, extracting money from compromised keys.
What’s less well-known is that attackers can calculate keys from signatures that use different, but similar nonces. For example, if nonces have characters that are similar at the beginning of the signature, or if the nonce has characters that are similar at the end of a signature, then some big bad terrible thing will happen.
What the Researchers Say
CryptoSlate contacted both authors of the paper: Dr. Nadia Heninger is an associate professor of computer science at the University of California. Joachim Breitner, is a senior researcher at DFINITY. According to Dr. Heninger, the vulnerability was described as follows:
“The ECDSA digital signature algorithm requires generating a random number for each signature, which is often called a “nonce” (This is different from the nonces used in cryptocurrency mining). If these random values used in the signatures are not generated properly, in some cases, an attacker can compute the private signing keys. The types of nonce vulnerabilities that we exploited were implementations that generated values that were much shorter than they should have been, or values that shared most or least significant bits.”
And, using some advance math called lattices, the two were able to crack some of these wallet addresses and find the private keys:
“For the nerds in the audience, lattice algorithms allow us to find small solutions to underconstrained systems of linear equations. There are a number of crypotanalytic techniques that use lattice algorithms as a building block.”
As stated in the paper, any non-uniformity in the generation of these signature nonces can reveal private key information. Given a sufficient number of signatures, hackers can compute private keys and gain access to a user’s wallet and drain its funds.
Do Crypto Users Need to Worry?
According to Dr. Heninger and Breitner, the vast majority of cryptocurrency users need not worry:
“The only reason this would happen is if there is some type of bug in the digital signature code.”
Furthermore, as long as developers use the proper techniques and documented methods to ensure user security, the signature scheme is considered secure:
“As far as we know, ECDSA is a secure digital signature algorithm if implemented correctly. We concluded that these were not common implementations based on the fact that we only found a few thousand vulnerable signatures out of nearly a billion Bitcoin signatures that we examined.”
Furthermore, these vulnerabilities are only “specific to distinct implementations. Furthermore, the authors speculate that the faulty implementationn could possibly be a result of a few multifactor security devices:
“The mention of multifactor security is specific to the case of the signatures we found with 64-bit nonces on the Bitcoin blockchain. Nearly all of them were part of multisig addresses, which is not the usual case on the blockchain, hence our guess of the source. There has since been some further speculation about the specific implementation.”
Now, there are ways for developers to implement ECDSA without the vulnerabilities described in the paper, even for hardware devices. According to Breitner:
“The official blockchain clients get their crypto right… since 2016, the Bitcoin client uses deterministic signatures (RFC6979) which completely removes the need for randomness in the process [eliminating the possibility of the kind of attack employed by the researchers]. If you are using non-standard libraries, or if you write your own crypto routines… you should make sure that these use RFC6979. This is even more important on embedded devices or hardware tokens where a good source of randomness might be hard to come by.”
Profitable for Attackers?
Ultimately, these kinds of attacks are not cost-effective given the amount of time, electricity, and computational power needed to conduct them—even with this new tool added to their arsenal:
“Given that attackers are already exploiting other cryptographic vulnerabilities to compromise wallets, it seems likely that this will be added to their arsenal. However, if one has to pay for the computing time to do the computation, it is probably not a cost-effective attack given the balances that we found associated with vulnerable keys.”
At the end of the day, the research reassures cryptocurrency users that the cryptography underlining Bitcoin and other digital currencies is sound. With tens of thousands of people scrutinizing the underlying code for these systems, it is a testimony that the core security schemes, if used properly, still adequately protect the user—for now.
Commitment to Transparency: The author of this article is invested and/or has an interest in one or more assets discussed in this post. CryptoSlate does not endorse any project or asset that may be mentioned or linked to in this article. Please take that into consideration when evaluating the content within this article.
Russian Official: BRICS Countries Continue Unified Payments Systems Developing, No Plans for Bitcoin in Near Future
Last week, the news that Russia is considering investing huge amount of money into Bitcoin as a means to invade US sanctions spread like fire.
Given the fact that Russia has been working on de-dollarization plans for a long time now while looking for an alternative reserve currency further put force behind this news. This got the crypto enthusiasts excited as this would have meant huge investment into the crypto market and that too directly from the government.
However, this might not be happening at least, any time soon, as the Russian news channel, Forklog, published an article quoting Elina Sidorenko, the chairperson of an interdepartmental working group of the State Duma for managing risks of cryptocurrency turnover, as saying,
“Under this statement, there is not a bit of common sense, much less ideas that would be considered in government circles. The Russian Federation, like any other country in the world, is simply not ready today to somehow combine its traditional financial system with cryptocurrencies. And to say that in Russia this idea can be implemented in the next at least 30 years is unlikely to be possible.”
She further pointed out that given the fact that there is lack of any legislative regulation of cryptocurrencies in the territory of the Russian Federation makes what Vladislav Ginko, a teacher at the Russian Academy of National Economy and Public Administration under the President of the Russian Federation, said sound absurd.
“Even if Russia wants to place its cryptocurrency assets now, it simply cannot do this, due to the fact that we do not have any mechanisms that would allow us to introduce a system, where these assets would be stored, which authorities would be responsible for it, which would be responsible for abuses and stuff. Such a model under the current criminal, financial and civil legislation, in general, does not fit. All over the world, a cryptocurrency is considered as a high-risk asset and a similar model, naturally, would not suit anyone.”
However, Sidorenko does note a different way to solve this issue which she states is the only way to use digital assets at the state level.
She says an interstate cryptocurrency can be created that would then become a unified system of payments between countries.
“A similar idea is already being considered within the framework of the EAEU, but the BRICS countries have moved closer to it. If a cryptocurrency unit had been invented, which allowed making payments only for energy, in fact, the Russian Federation could have made a long and long-term advance in the economy.”
Just recently, Russian Prime Minister Dmitry Medvedev talked about cryptocurrencies and their volatility being a cause for concern while acknowledging the fact that it has its own benefits that can’t be cast aside.
This Just In, Europe is Bullish on Bitcoin According to Binance Seeing Massive Registrations in EU
Binance has launched its European services only a day ago and the wave of registrations are already massive. With its new platform in Jersey and offering the British Pound (GBP) and Euro (EUR) trading pairs with Bitcoin (BTC), Binance has just seized a huge market. In less than 24 hours, the exchange’s European division is already full of new clients.
Changpeng “CZ” Zhao, the founder of Binance, has affirmed that the company is “overwhelmed” with so many people registering and that there is a backlog of Know Your Customer verifications that have to be made before whitelisting so many people.
He affirmed that they underestimated the market and did not believe that so many people would want to register so quickly, so the systems are running slightly slow for the moment.
Despite Bitcoin dropping around 80% in price in the last months, a lot of people are still interested in it and this is the ultimate proof of that. The efforts of companies like Binance which are in the process of continuous expansion, are actually paying off and are facilitating mainstream adoption little by little.
What is sure is that Binance will have a stiff competition in Europe. Many key players are already in the country, so it will be hard to carve out some space in this new market, but it looks like things are going smoothly, at least in the first 24 hours. Coinbase and Bitstampare two of the most important competitors that CZ will have to face in order to establish Binance in Europe as a winner.
According to the CFO of Binance, Wei Zhou, though, Binance’s expansion into Europe is good for the whole industry. He says that fiat to crypto “ramps” are critical for people to enter the market as new users will not buy crypto with crypto.
Because of this, Zhou believes that this will provide new important opportunities for both the company and the whole market as well and that they want to create a real channel for people in Europe to enter the crypto world just like a lot of people are doing in the U.S. and in Asia.
It is also important to notice that Binance really needs to up its game if it wants to be relevant in 2019. In 2018, Binance was the king of the market and companies like Coinbase had to watch it, but 2019 will be the year in which companies like Bakkt, the crypto exchange and liquidity provider created by the Intercontinental Exchange (ICE) will be in the field.
With large corporations from Wall Street entering the game to win, Binance has to evolve and grow or it may lose its place in the market and be left behind.
What To Expect From Europe?
While Europe already had a Bitcoin market way before Bitcoin exploded into the mainstream, its growth is somewhat slow when compared to Asian markets, for instance. According to data which was taken from CryptoCompare, the whole daily volume of Bitcoin in Europe is less than 4% of the world volume and the whole Europe ranks behind both the U. S. and Japan.
If Europe’s market will grow, 2019 is probably the year for it. During most of the year, the country had regulation problems and has seen a slow improvement in its crypto economy. Now, however, Binance is eyeing this market, so we may see some significant growth this year.
Cryptocurrency Investors in India Are Fighting Back in the Name of Having Their Bank Accounts Closed
India, the land of one of the oldest civilizations, has existed for thousands of years. To survive for so long, one needs great tenacity and a certain acceptance of fate. There is also an ability that is colloquially known as ‘jugaad,’ the closest English equivalent is a hack. So when Banks in India started to close the accounts of customers thought to be involved in crypto trading, people found simple jugaads to bypass the scrutiny.
Banks Caught In A Bind
While the Supreme court of India has yet again postponed the hearing of its case pertaining to Cryptos, Banks have gone ahead and implemented the central banks, the Reserve bank of India, directive. Compliance to the circular requires the banks to effect bans and deny services to customers or businesses that are found to be dealing in digital assets.
Thus banks are required to close accounts that might have made crypto related transactions. This means they are expected to carry massive sweeps on their customer base and check on how people are spending their own money.
To make things worse most people savvy with these things, have already found ways to circumvent the banks screening and workarounds to avoid account closures.
How Do The Users Avoid Account Closures?
According to Instashift, a local cryptocurrency exchange, banks are closing accounts based on a simple search of any cryptocurrency-related words in the transaction remarks. This means that when a customer’s bank account is being scrutinized by a banking official, they are looking for keywords such as crypto or bitcoin in the remarks. If found the account is most likely to be closed off.
As one would imagine, the solution is to just not leave such notations. As Nischal Shetty, the CEO of Wazirx explained,
“Majority of the people understand not to enter such terms in the remarks. So simply avoiding entering anything related to crypto in the payment remarks is more than enough to avoid any problems from banks.”
He went on to suggest that the banking system has no verifiable method to confirm if a P2P transaction was used for crypto or non-crypto purposes.
Echoing the exact sentiment many Indian twitteratis are posting similar suggestions. A user, Cryptomanic has suggested
“Use P2P without writing anything related to crypto in remarks. And don’t do heavy transactions.”
Another one, Vivekmacha, concurs and advised for making use of P2P, as it cant be tracked. He further repeated the importance of making sure no crypto- related terms are noted in the remarks, for any reason.
More Than Enough Options On Offer
A solution that has been gaining in popularity recently is P2P, exchange-escrowed peer-to-peer style of trading. The popularity is unsurprising, ever since the central bank initiated the ban on digital assets and more and more crypto exchanges in India are gravitating towards offering this type of trading.
Another simple solution offered is to open another account. An Instashift spokesperson suggested that if crypto users have their accounts closed, they can simply start “a fresh account in another bank.” With the new account, they merely need to be more cautious and ensure that if they are trading, they do so without using any crypto terms that might draw attention.
Since all bank accounts are created using a Permanent Account Number, Indias water-downed version of the US social security number, the same person opined
“It’s easy to open a new account for a person in India & banks also welcome people to open accounts.”
Rigorous Action By Multiple Banks
The closing of accounts is, unfortunately, not an isolated instance, with many people reporting problems with banks, big and small, closing accounts which shows any crypto activity. Kotak Mahindra Bank, the banking branch of a major Indian industrial family and Digibank, a bank backed by the powerful Asian financial group, DBS, recently made the news. They have been sending letters to their customers advising them of impending account closures. One person affected by this took to Twitter.
Indiancryptogirl posted letters she says were sent to her. The letter simply stated that it had found some transactions with brokers who dealt in virtual currencies. As India did not consider such transactions legal the bank was
“constrained to place a credit freeze in your account. Further as per the extant guidelines, we are required to exit such relationships where transactions with brokers/traders, dealing in virtual currencies are observed.”
The letter ended with the notification that
“Hence 30 days from the date of this communication your account will be closed by the bank.”
This is not an isolated incident of some bank targetting customers with an affiliation for cryptos, numerous such cases have come to light in the recent past. Telling a similar story is Pushpendra Singh, who banks with the smaller UCO bank, but claims that this same modus operandi was followed there as well. A similar complaint reverberated in the words of Bluecrypto on Twitter who said,
“the same happened to me and my HDFC account got closed.”
Not only that, but most Banks now also follow a similar policy like Standard Chartered bank which explicitly requires, those who are looking to open an account in India to specifically agree to not engage in any sort of dealings in digital assets.
The issue of banks deciding for their customers how they can spend their money is in the front and center of this story. However, as Yatharth Vashishth pointed out, that banks are not the sole bearers of this burden as they are only following RBI’s order.
“Bank is acting as per regulations by the RBI. All banks are instructed to shut accounts of all entities dealing in crypto. ”
It does appear that banks are hapless and forced to toe the line, set by the central banks and, many suspect, a government not trusting the technology. While one can hope that the nations notoriously lethargic judicial systems come to the rescue, it is already clear that the second most populated country on the planet is working on hacks to join the crypto marketand blockchain revolution.