[tor-relays] Oniontip

isis isis at torproject.org
Tue Sep 30 10:40:13 UTC 2014


Mike Perry transcribed 6.0K bytes:
> Thomas White:
> > Hmmm... appears to have been upgraded since I last checked then
> > (which was only a few weeks ago!). Nicely done oniontip. I stand
> > corrected.
> 
> Well, my original ask was for everyone to be able to verify that all
> 12.36 BTC that oniontip has received (as of right now) has actually been
> distributed how the users have asked. 

Mike Perry and I took a look at the Oniontip codebase this afternoon. The
primary concern was with respect to the `ONIONTIP_BITCOIN_PUBLIC_SEED` in your
payment verification script, [0] which is passed to the
`bitcoin.electrum_address()` function. [1]

The `bitcoin.electrum_address()` function is meant to take what they call a
"masterkey". [2] (Check out that `crack_electrum_wallet()` function right
beneath it!) It appears as if `electrum_address()` is merely a thin wrapper
around `electrum_pubkey()` [3] which generates a new private key with the
incremented counter, concatenating it with the "masterkey", taking the sha256
of that, and then generating the key by doing a (really crappily implemented,
IMO) elliptic curve scalar multiplication of the (public, in the `bitcoin`
module source code [4]) group generator times the private key, then shoving it
into `privkey_to_pubkey()` to get the address. [5] Because all of these
one-way functions are computable if one knows the original "masterkey" plus
the incremented counter, this means that anyone who knows the
`ONIONTIP_BITCOIN_PUBLIC_SEED` can generate all your private keys.

If you plan to keep using that Electrum API, you should regenerate that
`ONIONTIP_BITCOIN_PUBLIC_SEED` and keep it secret.

[0]: https://github.com/DonnchaC/oniontip/blob/master/scripts/payment-check.py#L12
[1]: https://github.com/DonnchaC/oniontip/blob/master/scripts/payment-check.py#L30
[2]: https://github.com/vbuterin/pybitcointools/blob/fa9856fede9e601c4b9f5ed75f11f899c02a51a3/bitcoin/deterministic.py#L48
[3]: https://github.com/vbuterin/pybitcointools/blob/fa9856fede9e601c4b9f5ed75f11f899c02a51a3/bitcoin/deterministic.py#L34
[4]: https://github.com/vbuterin/pybitcointools/blob/master/bitcoin/main.py#L20
[5]: https://github.com/vbuterin/pybitcointools/blob/master/bitcoin/main.py#L342

-- 
 ♥Ⓐ isis agora lovecruft
_________________________________________________________
GPG: 4096R/A3ADB67A2CDB8B35
Current Keys: https://blog.patternsinthevoid.net/isis.txt
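The derivation described above, as an added worked example (not Oniontip's code and not pybitcointools' own source): an Electrum-v1-style scheme in pure Python, modelled on what pybitcointools' electrum_privkey()/electrum_pubkey() do. A stretched seed is the master private scalar, the master public key (MPK) is that scalar times G, and child key n is offset by dbl_sha256("n:for_change:" + MPK). Holding the seed therefore yields every child private key by one hash and one modular addition per counter value. The example goes beyond the message in also showing the public-only half of the scheme: the same child public key falls out of the MPK plus the counter, without the seed. The byte encodings, the seed string and the stretch count are assumptions, address encoding (hash160 + base58check) is omitted, and it is not a byte-exact reimplementation, so it will not reproduce real wallet keys.

```python
"""Electrum-v1-style deterministic key derivation on secp256k1.

Added illustration, not Oniontip's or pybitcointools' code.  Encodings and
the stretch count are assumptions; the scheme is modelled on, not copied
from, pybitcointools' electrum_privkey()/electrum_pubkey().  Stdlib only.
"""
import hashlib

# secp256k1 domain parameters (public constants).
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(p1, p2):
    """Affine point addition; None stands for the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None                      # p1 == -p2
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, P - 2, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, P - 2, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    k %= N
    result = None
    while k:
        if k & 1:
            result = point_add(result, point)
        point = point_add(point, point)
        k >>= 1
    return result


def on_curve(point):
    x, y = point
    return (y * y - x * x * x - 7) % P == 0


def dbl_sha256(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def stretch_seed(seed: str, rounds: int = 100000) -> int:
    """Iterated sha256(x || seed); the result is the master private scalar.
    The round count mirrors Electrum v1 (assumption, not verified here)."""
    orig = seed.encode()
    x = orig
    for _ in range(rounds):
        x = hashlib.sha256(x + orig).digest()
    return int.from_bytes(x, "big") % N


def master_public_key(secret: int):
    return scalar_mult(secret, G)


def derivation_offset(mpk, n: int, for_change: int = 0) -> int:
    """Child offset = dbl_sha256("n:for_change:" || MPK); needs no secret."""
    mpk_bytes = mpk[0].to_bytes(32, "big") + mpk[1].to_bytes(32, "big")
    msg = f"{n}:{for_change}:".encode() + mpk_bytes
    return int.from_bytes(dbl_sha256(msg), "big") % N


def derive_privkey(secret: int, n: int, for_change: int = 0) -> int:
    """What the seed holder (or anyone who leaked it) can compute."""
    mpk = master_public_key(secret)
    return (secret + derivation_offset(mpk, n, for_change)) % N


def derive_pubkey_from_mpk(mpk, n: int, for_change: int = 0):
    """What a verifier holding only the MPK can compute: MPK + offset*G."""
    return point_add(mpk, scalar_mult(derivation_offset(mpk, n, for_change), G))


def seed_reveals_every_privkey(seed: str, indices):
    """Everything an attacker with the seed needs: {counter: child privkey}."""
    secret = stretch_seed(seed)
    return {i: derive_privkey(secret, i) for i in indices}


def public_derivation_matches(seed: str, n: int) -> bool:
    """Child pubkey via the private path equals the MPK-only path."""
    secret = stretch_seed(seed)
    private_path = scalar_mult(derive_privkey(secret, n), G)
    public_path = derive_pubkey_from_mpk(master_public_key(secret), n)
    return private_path == public_path


if __name__ == "__main__":
    # Constructed demo seed; never a real wallet seed.
    DEMO_SEED = "oniontip-demo-seed-constructed-for-illustration"
    for i, k in seed_reveals_every_privkey(DEMO_SEED, range(3)).items():
        print(f"child {i}: privkey {k:064x}")
    print("MPK-only derivation agrees:", public_derivation_matches(DEMO_SEED, 2))
```

The split is the whole security point: the derivation offset depends only on public data (MPK and counter), so handing a verifier the MPK lets them recompute every address, while handing anyone the seed lets them recompute every private key. The seed is the value that must stay secret; whatever is published for verification should be the public half only.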