[Bitcoin-development] New side channel attack that can recover Bitcoin keys
Peter Todd
pete at petertodd.org
Wed Mar 12 09:44:24 UTC 2014
On Wed, Mar 05, 2014 at 12:54:04PM -0800, Gregory Maxwell wrote:
> On Wed, Mar 5, 2014 at 12:32 PM, Peter Todd <pete at petertodd.org> wrote:
> > That's nice, but I wrote my advice to show people how even if they don't
> > know any crypto beyond what the "black boxes" do - the absolute minimum
> > you need to know to write any Bitcoin software - you can still defend
> > yourself against that attack and many others.
>
> But it's still incomplete.
>
> Say you have an address— used only once!— with a txout with a lot of value.
>
> Someone starts paying you small amounts to that address over and over
> again. You haven't asked them to, they're just doing it.
>
> Do you ignore the funds?— maybe tell some customer that was ignorantly
> paying you over and over again to a single address "sorry, those are
> my rules: I only acknowledge the first payment, those funds are
> lost!".
>
> No, of course not. You spend the darn coins and if you're on a shared
> host perhaps you disclose a private key.
>
> The probability of an attack actually going on is low enough compared
> to the cost of spending the coins in that case that even someone with
> good knoweldge of the risks will choose to do so.
>
> So absolutely, not reusing addresses massively increases your safety
> and limits losses when there is theft. But it isn't enough alone. (Nor
> is smarter signing, considering complex software like this has bugs
> and its hard to be confident that something is side channel free— esp
> when you allow attacker interference).
I think you're misunderstanding me: I'm assuming one of the n parties
signing transactions in my multi-factor authentication scheme is
uncompromised - much easier to do when it's a low-bandwidth box sitting
in a secure location.
Not re-using keys is nice too of course, and while not perfect - your
above scenario - certainely helps limit losses.
--
'peter'[:-1]@petertodd.org
0000000000000000afcad9265e8b44bf1171a08165c09b329fab2893bf13ec69
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 685 bytes
Desc: Digital signature
URL: <http://lists.linuxfoundation.org/pipermail/bitcoin-dev/attachments/20140312/5cbcef28/attachment.sig>
More information about the bitcoin-dev
mailing list