waxwing /
npub1vad…nuu7
2024-08-05 23:05:34

waxwing on Nostr: Just read the "Dark Skippy" attack ( darkskippy.com ) from Lloyd Fournier and Robin ...

Just read the "Dark Skippy" attack ( darkskippy.com ) from Lloyd Fournier and Robin Linux (h/t Alex Waltz). Nice write-up! I've always thought it should be simpler than grinding, though (but the grinding in that attack is very practical). I feel like a variant of what they call 'predetermined nonce attack' on that page could work. If I make a *big* assumption - that the attacker has access to the victim's wallet's xpub - then I think you can extract the master secret from only 1 signature or 2 signatures, without any grinding or pollard rho. With 2 signatures the full master secret of the wallet; with 1, only the xpriv for the (BIP32) account (so compromises only 1 account; but many wallets just use one account anyway!).

Let's see if there's any error in these steps:

1. Attacker uses RNG to generate a sequence of 32-byte randoms (b1, b2, ...).

2. First signature that the client requests is generated using b1 as nonce. Hence attacker can obviously extract the secret key x1 = (s1 - b1) / e1.

3. We have to assume knowledge of xpub. Given xpub and one private key (x1) from the account branch, then due to unhardened derivation, we can already derive the xpriv for the account (though not for the level above; so this is equivalent to master secret, only for single-account wallets, not for multiple account).

But if we have access to 2 signatures we can exfiltrate anything, including the full master secret:

4. Second signature that the client requests, on (currently unknown) private key x2, is generated using nonce = (b2 + master secret), which is still indistinguishable from random because b2 is. Here we need the xpriv as per above to regenerate (poss. by trial and error, but that's trivial) the correct x2 given the above xpriv derivation. Then attacker extracts master secret = s2 - b2 - e·x2.

(Am I wrong somewhere there? Wouldn't be too surprised. But either way, exfiltration via these channels *one way or another* seems like it's very hard to prevent. (I know there *are* anti-exfil measures in existence, so please don't take this as me dismissing them - I haven't even really studied them!). To generate bitcoin signatures on serious amount, use the software that's as easy as possible to vet and has the least layers between your eyes and it... is my extremely unconventional advice on this topic).
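The arithmetic behind steps 2 to 4 above, worked through as an added example (not code from the post, the Dark Skippy write-up, or any wallet). It uses real secp256k1 constants but a simplified Schnorr signature without the BIP340 even-Y nonce rule, and a constructed chain code and account key; `child_tweak` is the unhardened BIP32 step that anyone holding the xpub can compute, which is exactly why one leaked child key (step 3) hands over the account-level key.

```python
import hashlib, hmac

# secp256k1 curve parameters (field prime, group order, generator).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and a[1] != b[1]: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication."""
    r = None
    while k:
        if k & 1: r = ec_add(r, pt)
        pt = ec_add(pt, pt); k >>= 1
    return r

def ser(pt):
    """33-byte compressed SEC encoding."""
    return bytes([2 + (pt[1] & 1)]) + pt[0].to_bytes(32, "big")

def schnorr_sign(x, k, msg):
    """Simplified Schnorr: R = kG, e = H(R || P || m), s = k + e*x mod n."""
    R, Pk = ec_mul(k), ec_mul(x)
    e = int.from_bytes(hashlib.sha256(ser(R) + ser(Pk) + msg).digest(), "big") % N
    return R, (k + e * x) % N, e

def recover_key_from_known_nonce(s, k, e):
    """Step 2: whoever knows the nonce k gets x = (s - k) / e."""
    return (s - k) * pow(e, -1, N) % N

def child_tweak(parent_pub, chaincode, index):
    """Unhardened BIP32 tweak: needs only the xpub (pubkey + chain code)."""
    data = ser(parent_pub) + index.to_bytes(4, "big")
    return int.from_bytes(hmac.new(chaincode, data, hashlib.sha512).digest()[:32], "big") % N

def recover_parent_from_child(child_priv, parent_pub, chaincode, index):
    """Step 3: child = parent + tweak, so parent = child - tweak."""
    return (child_priv - child_tweak(parent_pub, chaincode, index)) % N

def recover_master(s2, b2, e2, x2):
    """Step 4: nonce was b2 + master, so master = s2 - b2 - e2*x2."""
    return (s2 - b2 - e2 * x2) % N
```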
Author public key: npub1vadcfln4ugt2h9ruwsuwu5vu5am4xaka7pw6m7axy79aqyhp6u5q9knuu7