A serious vulnerability known as Signature Malleability has been discovered in cryptocurrencies such as Bitcoin and Ethereum that use the Elliptic Curve Digital Signature Algorithm (ECDSA). It allows attackers to modify a transaction's signature so that it still verifies but no longer matches the original byte for byte. This article discusses ways the vulnerability can be exploited, its security implications, and protection methods.
Signature Malleability Vulnerability and Its Impact on Cryptocurrencies
How ECDSA Works and What a Signature Consists Of
An ECDSA signature consists of two numbers, r and s. They are calculated from a random number (nonce) k and the user’s private key x. If an attacker can change the value of s without invalidating the signature, they can create alternative signatures for the same transaction.
Causes of the Signature Malleability Vulnerability
The ability to alter the value of s and so obtain a new valid signature for a single transaction is the basis of the Signature Malleability vulnerability. If a system does not check the range of the r and s values (for example, that they lie between 1 and n−1, where n is the order of the elliptic curve group), this opens the door to forged signatures.
CVE-2024-42461: Example of a Vulnerability in the Elliptic Library
A recent vulnerability, CVE-2024-42461, was found in the Elliptic library for Node.js. It accepts signatures in BER encoding, which lets attackers modify a signature without making it invalid. This vulnerability is related to the Hidden Number Problem (HNP), whose solution can lead to the exposure of users’ private keys.
Hidden Number Problem and Ricci Flow
The Hidden Number Problem (HNP), related to Ricci Flow, is used in cryptography to analyze information leaks about private keys. In the context of ECDSA, if an attacker solves the HNP, they can compute the private key from the signature data. Ricci Flow is a mathematical tool that helps analyze the geometry and topology of manifolds, as well as optimize computations in elliptic curve cryptography.
The N and P Parameters in the Context of secp256k1
- N is the order of the group of points on the elliptic curve, determining the maximum number of unique keys.
- P is a prime number that defines the field in which curve computations occur.
- N is responsible for the group structure of points, while P defines the field where the point coordinates exist.
Exploiting Signature Malleability in Bitcoin Transactions
To successfully attack Bitcoin via Signature Malleability, it is enough to change the s value in 32 transactions with ECDSA signatures. By analyzing the resulting (R, S, Z) values, one can compute the private key using Ricci Flow HNP and curvature theory methods.
How R and S Values Are Formed
- R is the x-coordinate of a point on the curve, calculated using the private key and a random number.
- S is computed based on the message hash and private key, and also depends on R and the nonce.
Extracting R, S, Z from RawTX
RawTX is the hexadecimal representation of a Bitcoin transaction. From it, you can extract the DER-encoded signature and read the R and S values. Z is the hash of the signed message, computed over the transaction data (the digest the signature actually covers).
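An added example (not from the article or from any tool it names) of the extraction step: a strict DER parser for the (r, s) pair with the canonicality checks that reject BER re-encodings of the kind CVE-2024-42461 concerns and flag a high s. The sample bytes are constructed toy values (r = 0x10, s = 0x20), not a real transaction signature.

```python
# secp256k1 group order, needed for the range and low-s checks
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _read_int(buf, pos):  # parse one DER INTEGER at buf[pos:], minimal encoding enforced
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag")
    length = buf[pos + 1]
    if length & 0x80: raise ValueError("long-form length is BER, not DER")
    if length == 0 or length > 33: raise ValueError("bad INTEGER length")
    body = buf[pos + 2:pos + 2 + length]
    if len(body) != length: raise ValueError("truncated INTEGER")
    if body[0] & 0x80: raise ValueError("negative INTEGER")
    if length > 1 and body[0] == 0x00 and not body[1] & 0x80:
        raise ValueError("non-minimal INTEGER (redundant leading zero)")
    return int.from_bytes(body, "big"), pos + 2 + length

def parse_der_sig(sig):  # (r, s) from a strictly DER-encoded signature, no sighash byte appended
    if not 8 <= len(sig) <= 72: raise ValueError("implausible signature length")
    if sig[0] != 0x30 or sig[1] & 0x80 or sig[1] != len(sig) - 2:
        raise ValueError("bad SEQUENCE header")
    r, pos = _read_int(sig, 2)
    s, pos = _read_int(sig, pos)
    if pos != len(sig): raise ValueError("trailing bytes after signature")
    if not (1 <= r < N and 1 <= s < N):
        raise ValueError("r or s out of range [1, N-1]")
    return r, s

def is_canonical(sig):  # True only for strict DER with low s: exactly one accepted encoding
    try:
        _, s = parse_der_sig(sig)
    except ValueError:
        return False
    return s <= N // 2

def _encode_int(v):
    body = v.to_bytes((v.bit_length() + 8) // 8, "big")  # minimal length, 0x00 pad if top bit set
    return b"\x02" + bytes([len(body)]) + body

def encode_der(r, s):  # strict DER encoder, used here to build well-formed test vectors
    body = _encode_int(r) + _encode_int(s)
    return b"\x30" + bytes([len(body)]) + body

# constructed toy vectors: strict DER, and a BER variant of the same (r, s) with a padded r
DER_SAMPLE = bytes.fromhex("3006020110020120")
BER_SAMPLE = bytes.fromhex("300702020010020120")
```

A verifier that accepts BER_SAMPLE alongside DER_SAMPLE admits two byte strings for one signature, and a high s admits a third; is_canonical() closes both.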
Practical Example: Lost Coins
The article provides an example with the wallet 1LeEbwu667oPtQC5dKiGiysUjFM3mQaxpw, which lost 21.2529214 BTC (about $1.74 million as of November 2024).
Solving Differential Equations for Signature Analysis
Methods for solving differential equations are used to analyze relationships between variables, allowing the modeling of system behavior when parameters change.
Obtaining the Public Key and R, S, Z Values
To obtain the public key from a Bitcoin address, the DarkSignature tool is used. Similarly, with Dockeyhunt Lattice Attack, you can get the public key and then extract R, S, Z values for 32 transactions.
Applying Machine Learning Methods
Machine learning methods are used to detect Signature Malleability vulnerabilities and protect Bitcoin and Ethereum wallets by analyzing anomalies and identifying forgery attempts.
Creating a Vulnerable Raw Transaction
The article describes the process of creating a vulnerable Raw transaction using Python scripts and specialized libraries. The transaction is then decoded and analyzed via the BlockCypher service.
Conclusions and Security Recommendations
To prevent attacks based on forged signatures, it is recommended to:
- Increase the number of transaction confirmations (at least six).
- Analyze blocks and transactions for anomalies.
- Use anomaly detection and machine learning systems.
- Apply tools for network traffic monitoring.
- Regularly update software and security protocols.
- Implement multi-level transaction confirmation systems.
Conclusion
A comprehensive approach to security, regular protocol updates, and the use of modern analysis methods make it possible to effectively protect the Bitcoin network from attacks related to forged signatures and the Signature Malleability vulnerability.