ECDSA weak randomness in Bitcoin

摘要

Bitcoin security draws more and more attention recently. One of Bitcoin vulnerabilities is caused by ECDSA weak randomness. A random number is not cryptographically secure, which leads to private key leakage and even fund theft. This security problem has been well known in Bitcoin community and fixed by applying RFC 6979 update in 2013.In this paper, we systematically revisit the cases where random numbers are reused and evaluate them based on practical Bitcoin transactions. After analyzing Bitcoin transaction dataset from January 2009 to July 2017, we find that there are still approximately 0.48 percent of transactions involving this vulnerability, and 1331 private keys have been compromised. In addition, the transactions related to some involved addresses have a common pattern, which gives us a clue that a spam transaction attack may take advantage of ECDSA weak randomness. We also examine mainstream Bitcoin software wallets to check whether they are susceptible to ECDSA weak randomness. Even the result is quite optimistic, an example that one of the influenced addresses leaked in April 2014 is still in use again in August 2017 reflects that the severity of ECDSA weak randomness may not be paid enough attention even after its discovery and solution in 2013. (C) 2019 Elsevier B.V. All rights reserved.