Re: Bad signatures leading to 55.82152538 BTC theft (so far)
by
BurtW
on 11/08/2013, 13:22:13 UTC
I think we have discussed enough "politics" for now and would like to get back to the actual technical issue.  If I get a chance later today I plan to download the source code for the Android wallet and see if I can locate the actual signature code and see what they are doing.

I saw this write up a while ago, seems like there are some web wallets which use poor random number generation for every transaction, or as in this case a hardware wallet.

http://www.nilsschneider.net/2013/01/28/recovering-bitcoin-private-keys.html
Thanks for this write up.  It describes exactly what they are doing.

This is the crux here (cleaned this up a bit):
Quote
    1. Calculate e = HASH(m), where HASH is a cryptographic hash function, such as SHA-1.
    2. Let z be the Ln leftmost bits of e, where Ln is the bit length of the group order n.
    3. Select a random integer k from [1, n-1].
    4. Calculate the curve point (x1, y1) = k * G.
    5. Calculate r = x1 (mod n). If r = 0, go back to step 3.
    6. Calculate s = k^-1 (z + r dA) (mod n). If s = 0, go back to step 3.
    7. The signature is the pair (r, s).

The same k will lead to the same x1 coordinate, which will lead to the same r.