Board: Speculation
Re: Wall Observer BTC/USD - Bitcoin price movement tracking & discussion
by greenlion on 30/12/2014, 10:27:57 UTC
Many thanks for your comprehensive answer!
It seems, as I've found in the last couple of hours, that the use of faulty PSRNGs might pose a threat, maybe significant enough to drive the price further down.
The unfolding story is here: https://bitcointalk.org/index.php?topic=107172.msg8939173#msg8939173. I hope you'll find it interesting enough to consider including it in the great work you're doing on studying/documenting the whole ecosystem (I'm closely following your posts).

Thanks for the link and the compliment!

As I understood it, those Hyena guys claim that many wallet tools use PSRNGs that generate less than the required 2^160 bits of entropy.  They claim that the entropy is low enough that the chance of a collision is not negligible, and they have set up a lot of disk and computing power to catch such collisions.

I doubt whether good PSRNGs, correctly implemented and used, have such a low entropy.  However, the probability of coding errors makes the project more plausible.  In conditional probability notation:

P(security broken) =
  P(software is correct) * P(security broken IF software is correct) +
  P(software is buggy) * P(security broken IF software is buggy)

A strong cryptographic method only ensures that the factor P(security broken IF software is correct) in the first term is astronomically small.  However, the factors P(software is buggy) and P(security broken IF software is buggy) are large enough to matter.  For bitcoin, empirically, the second term may be on the order of 1 in 10'000 or more, and is unlikely to decrease. (As time passes, the best implementations may get somewhat more secure; but the number of implementations will grow, so there will be fewer competent eyes checking each of them, and reports of coin theft will get less attention.)  Thus, P(security broken) should be large enough to notice, and will not be improved by switching to 512 bit keys or whatever.

Anyone really concerned may want to generate a private key with some dice.

Trollfi has no understanding of the issue of poor PSRNGs, and is quoting this Hyena person that is making a completely spurious and ridiculous claim. Troll quoting a troll in order to troll.

The issue with poor PSRNGs has nothing to do with address generation; the only way poor randomness could be exploited with addresses is if you could reproduce the poor randomness yourself.

The issue is that poor PSRNGs conceivably could reuse or have insufficient entropy in "R" values in signing transactions, which allows an attacker looking at the transactions either in the blockchain or mempool to reverse ECDSA. This scenario is the real attack, because it doesn't necessarily require anything other than an understanding of the elliptic curve mathematics and scanning through transactions until you find a vulnerable public key.
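A runnable illustration of the R-value point, added here and not part of the original thread: signing two different transactions with a stuck nonce produces the same r, which a scanner that groups signatures by (public key, r) can flag. The private key, the stuck nonce constant and the message strings are constructed for the demo; the curve constants are secp256k1's, and the HMAC-derived nonce is a simplified stand-in for a deterministic-nonce scheme, not full RFC 6979.

```python
import hashlib, hmac
from collections import defaultdict
P = 2**256 - 2**32 - 977  # secp256k1 (Bitcoin's curve): field prime, group order, generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def _add(p, q):  # affine addition/doubling; None is the point at infinity
    if p is None: return q
    if q is None: return p
    if p[0] == q[0] and (p[1] + q[1]) % P == 0: return None
    lam = (3 * p[0] * p[0] * pow(2 * p[1], -1, P) if p == q
           else (q[1] - p[1]) * pow(q[0] - p[0], -1, P)) % P
    x = (lam * lam - p[0] - q[0]) % P
    return (x, (lam * (p[0] - x) - p[1]) % P)

def _mul(k, p=G):  # double-and-add scalar multiplication
    r = None
    while k:
        if k & 1: r = _add(r, p)
        p, k = _add(p, p), k >> 1
    return r

def sign(d, z, k):  # textbook ECDSA: r = (kG).x mod n, s = k^-1 (z + r*d) mod n
    r = _mul(k)[0] % N
    return (r, pow(k, -1, N) * (z + r * d) % N)

def verify(pub, z, sig):  # standard check: (z/s)G + (r/s)pub must have x == r
    r, s = sig; w = pow(s, -1, N)
    pt = _add(_mul(z * w % N), _mul(r * w % N, pub))
    return pt is not None and pt[0] % N == r

def stuck_nonce(d, z):  # models a broken PRNG that keeps handing out one value
    return 0x1234  # constructed constant, not taken from any real wallet
def derived_nonce(d, z):  # per-message nonce from HMAC(d, z); simplified, not full RFC 6979
    k = int.from_bytes(hmac.new(d.to_bytes(32, "big"), z.to_bytes(32, "big"), "sha256").digest(), "big")
    return k % N or 1

def find_r_reuse(sigs):
    """sigs: iterable of (pubkey, r, s). Return pubkeys that signed twice with the same r."""
    counts = defaultdict(int)
    for pub, r, _s in sigs:
        counts[(pub, r)] += 1
    return {pub for (pub, r), c in counts.items() if c > 1}

def sign_two(nonce_fn, d=0xC0FFEE0123456789):  # constructed key; two distinct "transactions"
    pub, sigs = _mul(d), []
    for msg in (b"tx #1", b"tx #2"):
        z = int.from_bytes(hashlib.sha256(msg).digest(), "big")
        sigs.append((pub, *sign(d, z, nonce_fn(d, z))))
    return pub, sigs
```

Run over real transaction data, the same grouping would have to be applied to every signature in the blockchain or mempool under each public key, which is exactly the scan the post describes.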

This "Hash Hyena" is making the ridiculous claim that running vanitygen plus having a very large hard drive equals some kind of production of a collision database that produces non-trivial amounts of hits. That has no relevance to the issue of poor randomness, but I guess it sure sounds like it does!

The only thing here more ridiculous than Hash Hyena's claim about address security, is that pedantic P(security broken) formula, which at this point might as well be a laxative.