Paper 2023/841

The curious case of the half-half Bitcoin ECDSA nonces

Dylan Rowe, University of California, San Diego
Joachim Breitner
Nadia Heninger, University of California, San Diego
Abstract

We report on a new class of ECDSA signature vulnerability observed in the wild on the Bitcoin blockchain that results from a signature nonce generated by concatenating half of the bits of the message hash together with half of the bits of the secret signing key. We give a lattice-based attack for efficiently recovering the secret key from a single signature of this form. We then search the entire Bitcoin blockchain for such signatures, and identify and track the activities of an apparently custom ECDSA/Bitcoin implementation that has been used to empty hundreds of compromised Bitcoin addresses for many years.

Metadata
Available format(s)
PDF
Category
Attacks and cryptanalysis
Publication info
Published elsewhere. AfricaCrypt 2023
Contact author(s)
drowe @ ucsd edu
mail @ joachim-breitner de
nadiah @ cs ucsd edu
History
2023-06-06: approved
2023-06-06: received
See all versions
Short URL
https://ia.cr/2023/841
License
Creative Commons Attribution
CC BY

BibTeX

@misc{cryptoeprint:2023/841,
      author = {Dylan Rowe and Joachim Breitner and Nadia Heninger},
      title = {The curious case of the half-half Bitcoin ECDSA nonces},
      howpublished = {Cryptology ePrint Archive, Paper 2023/841},
      year = {2023},
      note = {\url{https://eprint.iacr.org/2023/841}},
      url = {https://eprint.iacr.org/2023/841}
}
Note: In order to protect the privacy of readers, eprint.iacr.org does not use cookies or embedded third party content.