Professional Documents
Culture Documents
Bitcoin Key Recovery PDF Cryptography Bitcoin
Bitcoin Key Recovery PDF Cryptography Bitcoin
75
Download now
Date uploaded
Jul 22, 2017
Copyright
© © All Rights Reserved
Speed
Available Optimizations in Bitcoin Key Recovery Attacks
Formats
PDF, TXT or read
Nicolas online fromGuangyan
Courtois ScribdSong Ryan Castellucci
University College London University College London White Ops
n.courtois@ucl.ac.uk g.song@cs.ucl.ac.uk pubs@ryanc.org
ABSTRACT Everyone on the network can verify the signature that has
In this paper we study and give the first detailed benchmarks been sent out. Anyone can spend all the bitcoin in a bit-
on existing implementations of the secp256k1 elliptic curve coin address as long as they hold the cosponsoring private
used by at least hundreds of thousands of users in Bitcoin key. Once the private is lost, the bitcoin network will not
and other cryptocurrencies. Our implementation improves recognize any other evidence of ownership.
Facebook Twitter
the state of the art by a factor of 2.5, with focus on the Bitcoin uses digital signature protect the ownership bit-
cases where side channel attacks are not a concern and a coin and private key is the only evidence of owning bitcoin.
large quantity of RAM is available. As a result, we are able Thus it is very important to look at the technical details of
to scan the Bitcoin blockchain for weak keys faster than any the digital signature scheme used in bitcoin.
previous implementation. We also give some examples of
passwords which have we have cracked, showing that brain 1.1 Structure of the paper
wallets are not secure in practice even for quite complex In this paper we study and give the first detailed bench-
passwords. marks on existing secp256k1 elliptic curve implementations
used in Bitcoin. Section 2 introduces background knowledge
about elliptic curve cryptography and brain wallets. Section
Keywords 3 reviews previous research work in this area. Section 4 gives
Bitcoin, Elliptic Curve Cryptography, Crypto Currency, Brain detailed benchmark for existing method and our own imple-
Wallet
Email mentation. Our implementation improves the state of the
art by a factor of 2.5. Section 5 is the conclusion of this
1. INTRODUCTION paper.
Bitcoin is a cryptocurrency, an electronic payment system
based on cryptography. It was created by Satoshi Nako- 2. BACKGROUND
moto1 in 2008 [13]. In 2009, Bitcoin was launched as open-
y 2 mod p = x 3 + ax + b mod p
the elliptic curve equation and together with a special point their private key. Instead of storing the private key and
∞ call the point at infinity 2 . protecting it, one can store it in a human mind. A brain
The elliptic curve used in Bitcoin is called secp256k1. wallet creates private key from a (typically) human chosen
Secp256k1 curve is proposed in Certicom [7] in addition to password or a passphrase, using the SHA-256 hash algorithm
NIST curve for 256 bits prime. It is defined over prime field turn it into a 256-bit number. As SHA-256 is deterministic
Fp where method, users can always use the same password to recreate
their private key. Note that since brain wallets use the hash
p = 2256 − 232 − 29 − 28 − 27 − 26 − 24 − 1 directly as the private key, the security of storing private
The curve equation E is y2 = x 3 + ax + b where a = 0 and keys now depends only on how unpredictable the passwords
b = 7. are.
3. RELATED WORK
2.1.1 Key Pair Generation We are not the first ones try to crack Bitcoin brain wal-
An elliptic curve key pair is associated with a particular lets, a lot of other security researchers are doing it. Many
set of valid domain parameters [10]. Let E be an elliptic victims have found their money stolen and posted it in fo-
curve defined over a finite field Fp . Let P be a point in rums. The first ethical/research brain wallet cracker was an-
E (Fp ), and suppose that P has prime order n. Then the nounced publicly in a recent hacking conference DEF CON
cyclic subgroup of E (Fp ) generated by P is 23 (Aug 2015). Ryan Castellucci, a whitehat hacker pre-
P = {∞, P, 2P, 3P , . . . , (n − 1)P } sented his research on cracking brain wallets, and also pub-
lished his software [6]. Ryan’s attack was done on an Intel i7
The prime p, the equation of the elliptic curve E , the point P PC with 4 hyper-threaded cores. The attack speed can reach
and its order n are the public domain parameters. A private approximately 16,250 password per second on each thread
key is an integer d that is selected uniformly at random and he had cracked more than 18,000 brain wallet addresses.
from the interval [1, n − 1], and the corresponding public The software Ryan has published uses an existing open
key Q = dP . source secp256k1 bitcoin elliptic curve implementation mainly
written by Pieter Wuille, one of Bitcoin core developers.
Algorithm 1 Key pair generation [10] This implementation is widely used in Bitcoin clients and is
considered the current best in terms of code level optimisa-
Input: Domain parameters D = (p, E, P, n) tion (detailed benchmarks are given in table 2).
Output: Public key Q, private key d Later Vasek et al. published their cybercrime analysis
results on brain wallets addresses cracked using Ryan’s soft-
1: Select d ∈ R [1, n − 1]. ware implementation in FC 2016. Their work were more
2: Compute Q = dP . focused on brain wallets usage measurements and did not
3: Return (Q, d). try to improve the speed of the attack.
Note that the process of computing a private key d given 4. SPECIAL DESIGNED POINT MULTIPLI-
public key Q is exactly the elliptic curve discrete logarithm CATION METHOD FOR ATTACK
problem (ECDLP). Hence it is very important to chose a The process of cracking Bitcoin brain wallets is to repeat-
set of domain parameters so that the ECDLP is hard to edly generate public keys using guessed passwords. Key
solve. In addition the number d should be random in the generation method as we described in 2.1.1, is to compute
sense that it should have large entropy AND there should be Q = dP . Here d is a SHA256 hash of the generated pass-
no way to distinguish a source which produces these values word, P is a fixed point which is the base point G for
from a source which generates them uniformly at random. secp256k1. We first benchmark the current best implemen-
In particular the min-entropy should also be high and there tation, libsecp256k1. All benchmark results are running on
should be no efficient guessing strategy of any sort. a laptop with the following specifications:
2.2 Brain Wallet • CPU: Intel i7-3520m 2.9GHz
A Bitcoin wallet is a collection of Bitcoin addresses and
stores the corresponding keys for those addresses. Bitcoin • RAM: 4G
wallets come in different forms, including desktop software,
• OS: 64-bit Windows 8
mobile apps, online services, hardware, smart card and pa-
per. The time cost for computing one public key given a random
As we discussed earlier in section 2.1.1, the private key is private key takes : 47.2 us.
a number which we presume to be totally random. Normally
the private key will be a long hex string which is very hard 4.1 Fixed Point Multiplication Methods
for a person to remember and store safely. No matter what The most basic and naive method for point multiplication
form of wallet you are using, there always exists a chance Q = kP with a unknown point P is double-and-add method
that you might lose your wallet in a cybersecurity breach. [10]. The idea is to use binary representation for k:
Brain wallets are another solution, which do not need the
users to keep anything in safe and still be able to recover k = k0 + 2k1 + 2 2 k2 + · · · + 2m km
2
In code implementation, ∞ is normally be represented as where [k0 . . . km ] ∈ {0, 1} and m is the length of k, in bitcoin
point (0,0), but not always, as (0,0) might on the curve. elliptic curve, m = 256.
Brainwallet-passwordAddressesareidentifierswhichyouusetosendbitcoinstoanotherperson.
Summary Transactions
RequestPayment DonationButton
Algorithm 2 double-and-add method for point multiplica- Algorithm 3 Our implementation of windowing method
tion of unknown points[10] with larger precomputation table
1: Q := infinity INPUT: Window width w, d = [m/w], k =
2: for i from 0 to m do (Kd−1 , . . . , K1 , K0 )2w
Table 1: Time cost for different window width w, point addition method secp256k1 library [15]
secp256k1 gej add ge
w=4 w=8 w=12 w=16 w=20
d 64 32 22 16 13
number of additions 63 31 21 15 12
precomputation memory 81.92 KB 655.36 KB 7.21 MB 83.89 MB 1.09 GB
time cost 46.36 us 22.76 us 15.35 us 11.23 us 9.23 us
Table 2: Benchmarking openssl and MPIR library for field multiplication, square and modular inverse in
affine coordinate
multiplication mod p square mod p mod inverse
MPIR 0.07 us 0.15 us 0.13 us 0.15 us 1.8 us
openssl 0.08 us 0.43 us 0.06 us 0.43 us 18.0 us
secp256k1 0.049 us 0.039 us 1.1 us
elliptic curve is
U 2 = X 2 · Z12 , S 2 = Y 2 · Z13
Y 2 = X 3 + aXZ 4 + bZ 6 H = U 2 − X1 , I = 4H 2
The point at infinity ∞ corresponds to (1:1:0), while the J = H · I, r = 2(S 2 − Y1 ), V = X1 · I
negative of (X : Y : Z ) is (X : −Y : Z ).
The field operations needed for point addition and dou- 4.3 Detailed Field Operation Benchmarks
bling are shown in table 3. We see that Jacobian coordinates
yield the fastest point doubling, while mixed Jacobian-affine From the results of table 2 we saw that Wuille’s secp256k1
coordinates yield the fastest point addition. library [15] has much faster field multiplication and square
We refer the reader to [10, 5] for other detailed equations speed than openssl and mpir library. Wuille’s field imple-
in different coordinates. Here we only interested in point mentation is optimised based on the special prime used in
addition functions using mixed coordinates. secp256k1 curve. Libsecp256k1 has 5x52 and 10x26 field
implementations for 64 bits and 32 bits integers 4 . Here we
4.2.3 secp256k1 point addition formulas use the 10x26 representation and each 256 bit value is rep-
In the latest version, secp256k1 point addition formulas resented as a 32 bit integer array with size of 10. We refer
are based on [4] which introduced strongly unified addition readers to file field 10x26 impl.h in libsecp256k1 for more de-
formulas for standard projective coordinates. Bitcoin devel- tails. Libsecp256k1 already implemented the equation from
opers implemented a mixed coordinate formula (Jacobian- [1, 10] in method secp256k1 gej add ge var , which uses 8
Affine) version based on [4]. multiplications, 3 squares and 12 multiply integer / addition
Let P = (X1 : Y 1 : Z 1 ) be a Jacobian projective point on / negation. Equation 2 is implemented in another method
elliptic curve y2 = x3 + ax + b, and Q = (X2 : Y2 : 1) be called secp256k1 gej add ge , which uses 7 multiplications, 5
another point on the curve, suppose that P = ±Q, P + Q = squares and 21 multiply integer / addition / negation. We
(X3 : Y3 : Z3 ) is computed by the following equations: have implemented equation 3 which takes 7 multiplication,
4 squares and 22 multiply integer / addition / negation.
X3 = 4(K 2 − H ) It is important to notice the squaring and multiplication
differences we discussed in table 2. In [9] Bernstein listed
Y3 = 4(R(3H − 2K 2 ) − G2 ) (2)
the best operation counts based on different assumptions: S
Z3 = 2F Z1 = 0M, S = 0.2M, S= 0.67M, S=0.8M and S=1M. In [8], the
author showed that the ratio S/M is almost independent of
where
the field of definition and of the implementation, and can
A = Z 12 , B = Z1 · A, C = X2 · A, D = Y 2 · B, E = X 1 + C be reasonably taken equal to 0.8. Our benchmark results is
4
Depends on whether compiler and target support 64 bit
F = Y 1 +D, G = F 2 , H = E ·G, I = E 2 , J = X1 ·C, K = I −J integers
Table 3: Operation counts for point addition and doubling. A = affine, P = standard projective, J = Jacobian
[10, 5]
Doubling General addition Mixed coordinates*
2A → A 1I,2M,2S A+A → A 1I,2M,1S J+A → J 8M,3S
2P → P 7M,3S P+P → P 12M,2S
2J → J 4M,4S J+J → J 12M,4S
very similar to S = 0.8M. In [1], other field operations are including some quite difficult ones are listed in appendix A.
considered as 0M, in table 4 our benchmark results shows
field addition and other operations have approximately 0.1M 5. CONCLUSION
cost.
In this paper we have analysed and improved the state of
The secp256k1 gej add ge method which is also the de-
the art on the implementation of the secp256k1 elliptic curve
fault method for key generation, uses 6 secp256k1 fe cmov
and similar curves. We provide the first benchmarks on ex-
operations which has a cost approximately 0.2 M. The ra-
isting implementations and provide a faster implementation
tionale for writing code in this way is stated by Wuille in
for specific applications where private keys are not manip-
the following comment:
ulated or there exist other protections against side channel
attacks [e.g. physical and electro-magnetic isolation] and
”This formula has the benefit of being the same for both ad-
when larger amounts of RAM are available. For example
dition of distinct points and doubling”[15]
we are able to examine passwords in brain wallets 2.5 times
faster than the state of the art implementation presented at
DEF CON 2 months ago. We have released our source code.
The purpose of making addition and doubling using the
As an example application of this research, we have been
same function is to prevent side channel attacks, as point
able to crack thousands of passwords including some quite
doubling is otherwise much cheaper than point addition.
difficult ones. Our research demonstrates again that brain
Our experiments are done based on the benchmark results of
wallets are not secure and no one should use them.
S/M ratio with specified machine setting (earlier in section
4) and specific library configuration (footnote in section 4.2).
Different operating systems or library configurations might 6. REFERENCES
have different results. One should choose between our code [1] D. J. Bernstein and T. Lange. Explicit-formulas
and secp256k1 gej add ge method. Detailed benchmark re- database, 2007.
sults are given in table 5 [2] D. J. Bernstein and T. Lange. Faster addition and
DEF CON attack [6] published code on github in August doubling on elliptic curves. In Advances in
2015 uses a faster version of secp256k1 library 5 , and the cryptology–ASIACRYPT 2007, pages 29–50. Springer,
results is marked as * in table 5. Our best result using 2007.
1.09 GB precomputation memory gives ≈ 2.5 times speed [3] E. F. Brickell, D. M. Gordon, K. S. McCurley, and
up for key generation process than the current known best D. B. Wilson. Fast exponentiation with
attack. precomputation. In Advances in
In theory the best point addition method is 7M+4S intro- Cryptology-EUROCRYPT’92, pages 200–207.
duced in [2]. However in practice, when field multiplication Springer, 1993.
and square are well optimised, other field operations (such [4] E. Brier and M. Joye. Weierstraß elliptic curves and
as addition, negation) become more significant than theoret- side-channel attacks. In Public Key Cryptography ,
ical value, see table 4. Our results show that for our laptop pages 335–345. Springer, 2002.
specification, 8M+3S method is better than 7M+4S. [5] M. Brown, D. Hankerson, J. López, and A. Menezes.
In order to compare the results with DEF CON attack, we Software implementation of the NIST elliptic curves
also benchmark our implementation and the DEF CON re- over prime fields . Springer, 2001.
leased software on Amazon server. Experiments are done on
[6] R. Castellucci. Cracking cryptocurrency brainwallets.
an m4.4xlarge Amazon EC2 instance 6 . Results are shown in
https:
table 6. The results confirm a 2.5 times improvement. Note
//www.defcon.org/html/defcon-23/dc-23-index.html.
that when running on Amazon EC2 (Intel Haswell CPU),
the theoretical best method (7M+4S) performs a little bit [7] S. Certicom. Sec 2: Recommended elliptic curve
better than 8M+3S. domain parameters. Proceeding of Standards for
Based on the current price for Amazon EC2 service, we Efficient Cryptography, Version , 1, 2000.
observe the following cost for implementing such brain wallet [8] H. Cohen, A. Miyaji, and T. Ono. Efficient elliptic
attack: 17.9 billion passwords check per US dollar; 55.86 dol- curve exponentiation using mixed coordinates. In
lars to check a trillion passwords. We have found more than Advances in Cryptology ASIACRYPT 98 , pages 51–65.
18,000 passwords using this tool. Some sample passwords, Springer, 1998.
[9] T. L. Daniel J. Bernstein. Explicit-formulas database.
5
Also written by Pieter Wuille one year ago, this version is https://www.hyperelliptic.org/EFD/.
performance focused and using 8M+3S [10] D. Hankerson, A. J. Menezes, and S. Vanstone. Guide
6
https://aws.amazon.com/ec2/instance-types/ to elliptic curve cryptography . Springer Science &
Table 5: Time cost for different window width w for EC key generation
w=4 w=8 w=12 w=16 w=20
d 64 32 22 16 13
number of additions 63 31 21 15 12
precomputation memory 81.92 KB 655.36 KB 7.21 MB 83.89 MB 1.09 GB
secp256k1 gej add ge 45.85 us 22.16 us 15.35 us 11.23 us 9.23 us
secp256k1 gej add ge var 37.37 us* 17.86 us 12.21 us 8.89 us 7.16 us
7M + 4S code 39.01 us 18.79 us 12.77 us 9.23 us 7.48 us
covert Jacobian to Affine ≈ 10 us
Benchmark on my laptop
≈ 42 K guesses / sec (single thread)
i7-3520m 2.9 GHz CPU
DEF CON Attack**
≈ 130 K guesses / sec
i7-2600 3.5 GHz CPU
Improved DEF CON attack** ≈ 315 K guesses / sec
* DEF CON attack [6] is equivalent to this result
** Results are reported by Ryan Castellucci running his DEF CON code and our improved code on 8 threads with linux gcc
compiler.
APPENDIX
A. CRACKED PASSWORD SAMPLES
Our open source tool was given to students for our code
Document 98 pages
Document 7 pages
Blockio Backup
1639074050
SOUKAINA HANINE
No ratings yet
Document 41 pages
Bsidescbr18 Hacking
Bitcoin Slides
Paul Phoneix
No ratings yet
Magazines Podcasts
Sheet music
Document 4 pages
Bit Coin
dvegog
No ratings yet
Document 1 page
Document 3 pages
Document 99 pages
Document 3 pages
Document 9 pages
Using Bitgen
Slava Levine
No ratings yet
Document 1 page
Document 2 pages
Document 10 pages
Show more
About Support
Pinterest
Legal
Terms
Privacy
Copyright
Cookie Preferences
Documents
Language: English