
Showing posts from January 10, 2019

What is the origin of insecure 64-bit nonces in signatures in the Bitcoin chain?

In Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies, Joachim Breitner and Nadia Heninger use a lattice-based algorithm to recover private keys from signatures in the Bitcoin chain that were produced by insecure signers that generated biased nonces. One large category of insecure signatures that they discovered was 5,863 signatures between July 26, 2014 and June 1st, 2015 that were used in multisignature scripts where the nonces were only 64 bits in size. In the paper, when a single key was used multiple times to sign multiple messages (which could be multiple inputs on a single transaction) with a small difference between the nonces, their algorithm was able to determine the actual nonces used and the private keys with high probability. Using a small nonce in multiple signatures is
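To make concrete why 64-bit nonces are fatal as soon as one key signs twice, here is an added, self-contained example (it is not code from the question, from the paper, or from any Bitcoin implementation). It implements textbook ECDSA over secp256k1 with a caller-chosen nonce, signs two constructed messages under one key with two random 64-bit nonces, and then recovers the key with the smallest lattice instance of the attack: eliminating d between the two signature equations leaves k1 = t*k2 + u (mod n), so (k1 - u, k2) is the lattice point closest to (-u, 0) in the two-dimensional lattice {(x, y): x = t*y mod n}. A Gauss-reduced basis plus Babai's nearest-plane step finds it exactly, because the target is within 2^65 of the lattice while the reduced basis vectors are about 2^128 long. The paper's general attack uses larger lattices and LLL/BKZ to handle more samples and smaller biases; this reduction to two dimensions is a simplification chosen for the 64-bit case only. The function names, the messages and the seed are the example's own.

```python
# Added example, not code from the question or from Breitner & Heninger.
# Two ECDSA signatures made with one secp256k1 key and 64-bit nonces are
# reduced to a 2-D lattice problem; the nonces are read off the closest
# lattice vector and the private key follows algebraically.
import hashlib
import random
from fractions import Fraction

# secp256k1 domain parameters (curve y^2 = x^3 + 7 over F_P, group order N)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(p1, p2):
    """Affine point addition; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2:
        if (y1 + y2) % P == 0:
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P      # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)

def ec_mul(k, pt):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc

def msg_hash(msg):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % N

def ecdsa_sign(d, k, msg):
    """Textbook ECDSA; the caller supplies k, so a weak nonce can be injected."""
    r = ec_mul(k, G)[0] % N
    s = pow(k, -1, N) * (msg_hash(msg) + r * d) % N
    assert r and s
    return r, s

def gauss_reduce(b1, b2):
    """Lagrange/Gauss reduction of a 2-D integer basis: returns (b1, b2) with
    |b1| <= |b2| and |<b1, b2>| <= |b1|^2 / 2."""
    dot = lambda u, v: u[0] * v[0] + u[1] * v[1]
    while True:
        if dot(b1, b1) > dot(b2, b2):
            b1, b2 = b2, b1
        num, den = dot(b1, b2), dot(b1, b1)
        m = (2 * num + den) // (2 * den)               # nearest integer to num/den
        if m == 0:
            return b1, b2
        b2 = (b2[0] - m * b1[0], b2[1] - m * b1[1])

def closest_vector(b1, b2, w):
    """Babai nearest-plane on a reduced 2-D basis.  Exact whenever w lies
    within half the shortest Gram-Schmidt length of the lattice."""
    dot = lambda u, v: Fraction(u[0] * v[0] + u[1] * v[1])
    mu = dot(b2, b1) / dot(b1, b1)
    b2s = (b2[0] - mu * b1[0], b2[1] - mu * b1[1])     # b2 orthogonalised against b1
    c2 = round(dot(w, b2s) / dot(b2s, b2s))
    w1 = (w[0] - c2 * b2[0], w[1] - c2 * b2[1])
    c1 = round(dot(w1, b1) / dot(b1, b1))
    return (c1 * b1[0] + c2 * b2[0], c1 * b1[1] + c2 * b2[1])

def recover_key(sig1, sig2, nonce_bits=64):
    """Recover d from two signatures (r, s, h) under one key whose nonces are
    both below 2**nonce_bits.  Each signature gives k_i = a_i*d + b_i (mod N);
    eliminating d gives k1 = t*k2 + u (mod N), so (k1 - u, k2) lies in the
    lattice {(x, y): x = t*y mod N} and is the lattice point nearest (-u, 0)."""
    (r1, s1, h1), (r2, s2, h2) = sig1, sig2
    a1, b1 = r1 * pow(s1, -1, N) % N, h1 * pow(s1, -1, N) % N
    a2, b2 = r2 * pow(s2, -1, N) % N, h2 * pow(s2, -1, N) % N
    t = a1 * pow(a2, -1, N) % N
    u = (b1 - t * b2) % N
    v1, v2 = gauss_reduce((N, 0), (t, 1))
    x, k2 = closest_vector(v1, v2, (-u, 0))
    k1 = x + u
    if not (0 < k1 < 2 ** nonce_bits and 0 < k2 < 2 ** nonce_bits):
        return None                                    # lattice step did not hit
    d = (k1 - b1) * pow(a1, -1, N) % N
    return d if (k2 - b2) * pow(a2, -1, N) % N == d else None   # cross-check

def demo(seed=2019):
    """Constructed scenario (hypothetical key and messages): one key signs two
    'inputs' with 64-bit nonces; returns True if the key is recovered."""
    rng = random.Random(seed)
    d = rng.randrange(1, N)
    k1, k2 = rng.getrandbits(64), rng.getrandbits(64)
    m1, m2 = b"constructed tx input 0", b"constructed tx input 1"
    r1, s1 = ecdsa_sign(d, k1, m1)
    r2, s2 = ecdsa_sign(d, k2, m2)
    found = recover_key((r1, s1, msg_hash(m1)), (r2, s2, msg_hash(m2)))
    return found == d and ec_mul(found, G) == ec_mul(d, G)

if __name__ == "__main__":
    print("private key recovered from two 64-bit-nonce signatures:", demo())
```

Note what the check at the end of recover_key buys you on real chain data: the recovered d is only accepted if both signatures agree on it, so a pair of signatures that happen to come from different keys, or whose nonces were not actually small, returns None instead of a wrong key. The same two-dimensional reduction does not scale to the subtler biases in the paper (a few fixed bits, or nonces sharing a prefix), which need more signatures and a higher-dimensional lattice.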