(YouTube) Nicolas Courtois: How To Steal Bitcoins?
How To Steal Bitcoins?
Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events
In this paper we study the question of key management and practical operational security in bitcoin digital currency storage systems. We study the security of the two most used bitcoin HD Wallet key management solutions (e.g. in BIP032 and in earlier systems). These systems have extensive audit capabilities, but this property comes at a very high price: they are excessively fragile. One small security incident in a remote corner of the system and everything collapses: all private keys can be recovered and ALL bitcoins within the remit of the system can be stolen. Privilege escalation attacks on HD Wallet solutions are not new. In this paper we take it much further. We propose new, more advanced combination attacks in which the security of keys held in cold storage can be compromised without executing any software exploit on the cold system, but through security incidents in operation such as bad random number or related random events. In our new attacks all bitcoins over whole large security domains can be stolen by people who have the auditor keys, which are typically stored in hot systems connected to the Internet and can be stolen easily. Our combination attacks make it possible to recover private keys which none of the earlier attacks in isolation could hope to recover. Classical bad random attacks typically concern only very few bitcoin accounts, and only some very lucky holders of bitcoins can actually steal other people's bitcoins. In this paper we go beyond identical random attacks and show several attacks which also work with related random events, which are more probable and yet less likely to be detected before it is too late. We also present several attacks which work across distinct security domains which share no common setup, code or keys. Yet in certain circumstances all the bitcoins in each domain can be stolen.
All our attacks are practical and realistic given that numerous relevant events have already happened in the bitcoin blockchain hundreds of times, some as recently as September 2014. It is not clear if this problem can be repaired, i.e. if there exists a key management solution with similar audit capabilities as BIP032 which would be immune against this sort of advanced combination attack.
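As an added example (not code from the paper or the talk), here is a defensive audit for the "identical random" case the abstract mentions: two ECDSA signatures made with the same nonce carry the same r value, so an operator can scan the signatures their own systems produced for repeated r. The domain labels, key ids and (r, s) values are constructed sample data, and the check does not cover related random events.

```python
from collections import defaultdict

def der_sig(r, s):
    """Build a DER signature from constructed (r, s) integers; sample data only."""
    def enc(n):
        b = n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")
        pad = b"\x00" * (b[0] >> 7)          # keep the INTEGER positive
        return b"\x02" + bytes([len(pad + b)]) + pad + b
    body = enc(r) + enc(s)
    return b"\x30" + bytes([len(body)]) + body

def parse_der_r(sig: bytes) -> int:
    """Return r from a DER ECDSA signature; one trailing sighash byte is allowed."""
    if len(sig) < 8 or sig[0] != 0x30 or sig[1] & 0x80:
        raise ValueError("not a short-form DER SEQUENCE")
    end = 2 + sig[1]
    if not 0 <= len(sig) - end <= 1 or sig[2] != 0x02:
        raise ValueError("bad sequence length or missing INTEGER r")
    r_end = 4 + sig[3]
    if sig[3] == 0 or r_end + 2 > end or sig[r_end] != 0x02 \
            or r_end + 2 + sig[r_end + 1] != end:
        raise ValueError("inconsistent INTEGER lengths")
    return int.from_bytes(sig[4:r_end], "big")

def find_reused_r(records):
    """records: (domain, key_id, sig_bytes). Report every r used by 2+ signatures."""
    seen, dupes = defaultdict(list), set()
    for rec in records:
        if rec in dupes:                      # same signature logged twice: ignore
            continue
        dupes.add(rec)
        seen[parse_der_r(rec[2])].append(rec[:2])
    findings = []
    for r, uses in seen.items():
        if len(uses) < 2:
            continue
        domains, keys = {d for d, _ in uses}, {k for _, k in uses}
        kind = ("cross-domain" if len(domains) > 1
                else "cross-key" if len(keys) > 1 else "same-key")
        findings.append({"r": f"{r:064x}", "kind": kind, "uses": uses})
    return findings

# Constructed sample: arbitrary r/s values, not valid signatures.
R1, R2, R3 = (int(h * 32, 16) for h in ("9a", "1b", "2c"))
SAMPLE = [("hot-A", "key1", der_sig(R1, 111)), ("hot-A", "key1", der_sig(R1, 222)),
          ("hot-A", "key2", der_sig(R2, 333)), ("cold-B", "key3", der_sig(R2, 444) + b"\x01"),
          ("cold-B", "key4", der_sig(R3, 555))]

if __name__ == "__main__":
    for f in find_reused_r(SAMPLE):
        print(f["kind"], f["r"][:16], f["uses"])
```

Any finding means the affected keys should be treated as exposed and the funds moved to keys generated on a system with a known-good random source.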
Dr Nicolas T. Courtois is a cryptologist at University College London, UK. He has authored a number of research papers about bitcoin and digital currencies. His main interest is to study the security of bitcoin against a variety of miner and network attacks. A number of events predicted by Dr. Courtois have happened later on, for example regarding the Block Withholding Attacks, see Section XI.A in arxiv.org/abs/1402.1718.
More importantly, Dr Courtois is the author of the so-called "Theory of Programmed Self Destruction" of crypto currencies (cf. arxiv.org/abs/1405.0534). It is about how a combination of factors such as the Longest Chain rule of Satoshi Nakamoto, the built-in monetary policies, deficiencies in timestamping, and the possibility to shift hash power rapidly from one crypto currency to another, may rapidly erode the protection against double spending and 51% attacks. This can lead to rapid decline in their hash power and their security. For example, Unobtanium and Dogecoin have quite serious built-in problems unfolding in recent months, and these currencies can hardly survive in their current form without some changes in the code, see Sections 10 and 11 in arxiv.org/abs/1405.0534.
These security questions have important practical implications for a majority of ordinary users: today people wait for tens of minutes to accept a payment transaction precisely because they fear they might be a victim of an attack. It is clear that improved security for bitcoin transactions also implies improved speed, making digital currencies more attractive for ordinary commercial transactions. In a new paper presented at SECRYPT 2014 in Vienna, Courtois, Emirdag and Nagy discuss whether there is a solution to this problem and whether bitcoin transactions could be something like 100x faster, WITHOUT changing the speed at which the blocks are generated (which is what makes it a difficult and challenging question).