
Stealing Bitcoin with Math - marksamman
https://speakerdeck.com/filosottile/stealing-bitcoin-with-math-hope-xi
======
marksamman
Video:
[http://livestream.com/internetsociety/hopeconf/videos/130745...](http://livestream.com/internetsociety/hopeconf/videos/130745035)

~~~
KngFant
Thanks a lot for this link, Google didn't reveal it (for me at least) :D <3

------
KirinDave
I see these headlines and I put on my math bib and pick up my math fork and
get ready for a hefty meal. But all for naught each time; it inevitably comes
down to, "Oh yeah someone doesn't protect against nonce reuse and then lols
occur."

It should no longer be the case that platform vendors are able to abrogate
responsibility for bad RNGs or RNG bugs. The stakes are too high for people to
get it wrong. Even in 2016 we're still seeing repeats of browsers and OS's
with "predictable random number generator" bugs even though we have a pretty
clear handle in the literature for how to do it well.

------
dcousens
That point when you realise you're responsible for the data in someone's
presentation.

~~~
ryan-c
Any details you'd be willing to share?

~~~
dcousens
The graph displayed of ECDSA duplicate r-value exploits shows 2 prominent
"columns" of addresses, the latter of which was in April/May 2014. That latter
column was directly related to a commit that I made to the bitcoinjs-lib
master branch (which was undergoing major refactoring at the time).

The commit that fixed the issue: [https://github.com/bitcoinjs/bitcoinjs-lib/commit/bc37e65014...](https://github.com/bitcoinjs/bitcoinjs-lib/commit/bc37e650148db2e5d947c84e51167cbd8f37b8a6#diff-dac4a0f35ab99ccdd0234335f29bae2bR63)

The issue itself was that a `Buffer` was being interpreted as `0` by crypto-
js's cryptographic hash functions in our implementation of RFC6979, thus
creating a case of duplicate `k` values.

The second most interesting point was that the majority of the funds (>20k USD)
stolen from Counterparty (the only known users of our master branch at that
time) was returned by a grey hat.
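
The failure mode described in the comment above, where the message hash drops out of the RFC 6979 derivation so that every signature under one key gets the same `k`, is something a regression test can catch. This is an added example, not part of the original comment and not bitcoinjs-lib code: RFC 6979 nonce derivation for secp256k1 with SHA-256 in Node.js, plus a check that flags repeated nonces. `brokenNonce`, `nonceCollisions`, `KEY` and `MSGS` are constructed for illustration, and the zeroed hash is an assumed stand-in for the coercion bug.

```javascript
const crypto = require('crypto');

// Order of the secp256k1 group.
const N = BigInt('0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141');
const hmac = (key, ...parts) =>
  crypto.createHmac('sha256', key).update(Buffer.concat(parts)).digest();
const toBuf = (n) => Buffer.from(n.toString(16).padStart(64, '0'), 'hex');
const toInt = (b) => BigInt('0x' + b.toString('hex'));

// RFC 6979 section 3.2. qlen == hlen == 256 here, so bits2int needs no shift.
function rfc6979Nonce(privKey, msgHash) {
  const x = toBuf(toInt(privKey));        // int2octets(x)
  const h1 = toBuf(toInt(msgHash) % N);   // bits2octets(H(m))
  let v = Buffer.alloc(32, 0x01);
  let k = Buffer.alloc(32, 0x00);
  k = hmac(k, v, Buffer.from([0x00]), x, h1);
  v = hmac(k, v);
  k = hmac(k, v, Buffer.from([0x01]), x, h1);
  v = hmac(k, v);
  for (;;) {
    v = hmac(k, v);
    const candidate = toInt(v);
    if (candidate >= 1n && candidate < N) return candidate;
    k = hmac(k, v, Buffer.from([0x00]));
    v = hmac(k, v);
  }
}

// Assumed stand-in for the bug: the hash input is read as zero, so the
// message no longer influences k (not the actual bitcoinjs-lib code path).
const brokenNonce = (privKey, _msgHash) => rfc6979Nonce(privKey, Buffer.alloc(32));

// Regression check: groups of messages that received the same k under one key.
function nonceCollisions(nonceFn, privKey, messages) {
  const byK = new Map();
  for (const m of messages) {
    const hash = crypto.createHash('sha256').update(m).digest();
    const k = nonceFn(privKey, hash).toString(16);
    byK.set(k, [...(byK.get(k) || []), m]);
  }
  return [...byK.values()].filter((group) => group.length > 1);
}

// Constructed test inputs.
const KEY = crypto.createHash('sha256').update('constructed test key').digest();
const MSGS = ['tx one', 'tx two', 'tx three'];
console.log('correct:', nonceCollisions(rfc6979Nonce, KEY, MSGS));
console.log('broken: ', nonceCollisions(brokenNonce, KEY, MSGS));
```

Running `nonceCollisions` over a signer's nonce function in CI turns a silent input-coercion bug into a failing test before any signature is published.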

------
45h34jh53k4j
Brilliant work Ryan and Filippo! I was at the talk, and very impressed with
both the content and your presentation style.

------
Retr0spectrum
I'm curious, would stealing bitcoin like this actually break any laws?

~~~
KirinDave
Theft is theft when value is converted or transferred without consent. If
someone leaves their house unlocked and the door open and a neighbor pinches
objects, it is still a crime to take said things. Most jurisdictions recognize
this even if the actual mode of theft or the goods are somewhat unprecedented
so long as you can demonstrate that it is property.

Bitcoin's classification in the US means that it's SUPPOSED to be subject to
all the scrutiny and protections that convertible currencies are supposed to
have, although I can't speak to the regulation of that.

~~~
raphinou
I think in some jurisdictions you might be viewed as having provoked the theft.
And provoking the theft seems to annihilate the prosecution at least when it
is done by police (e.g. leaving laptop on seat in car under surveillance to
arrest thieves), as has been the case in the past in (I think) Belgium.

~~~
KirinDave
> I think in some jurisdictions you might be viewed as having provoked the
> theft.

That's a question of intent and reasonable interpretation. I'm fairly sure "I
didn't audit the browser PRNG," will not be looked upon by any court you can
name as a reasonable thing to expect people to do.

