There is a wave of new powerful cryptographic attacks on bitcoin systems.
There are several types of attacks:
- Attacks which use poor random number events.
- More advanced new attacks in which randoms are not identical but related (see our paper).
- Further attacks in which the private keys are related (also studied in the same paper).
- Attacks which use vulnerabilities of popular key management solutions such as BIP032.
- And there are new deadly COMBINATION attacks.
They combine all the above vulnerabilities and lead to several new families of attacks which allow to recover a lot more keys than each of the above vulnerabilities alone.
Which systems are concerned? We don’t know exactly but in our opinion, most existing bitcoin storage and management systems are concerned:
- bitcoin exchanges,
- cold storage systems,
- payment and wallets software systems,
- electronic commerce solutions,
- business key management solutions, etc.
We should also add that we don’t know if there exists a truly robust bitcoin key management standard which would be secure against powerful combination attacks such as described in our paper. More or less all bitcoin systems which do some systematic key management solutions and achieve some sort of separation between keys which allow to spend funds and those which allow only to receive money or monitor transactions, are vulnerable to large scale attacks where all the bitcoins in the whole system can potentially be stolen. The current bitcoin key management standard BIP032 is such that in theory it can be secure, but it will break apart as soon a number of pretty insignificant events or incidents in operation happens in some remote corners of various systems.
Some of our attacks also work across different systems which share no common setup, code or keys. Yet under certain circumstances all bitcoins within the remit of ALL systems can be stolen. Interestingly such vulnerabilities and resulting attacks/thefts cannot be detected by examining just one system. Events in several systems must be examined in combination in order to see if they can be exploited.
There is a well-known solution to this problem, it is the RFC6979 by Thomas Pornin.
However on the flip side no current bitcoin system which does not apply RFC6979 can really feel secure against attacks such as described in our paper. They should both upgrade their software and systems and also move all their bitcoins to new addresses.
We wonder why bitcoin developers and bitcoin foundation have been as usual so negligent about security so that this patch has NOT YET BEEN applied in bitcoin core software for like 18 months since January 2013. The fix was already applied by many companies such as Trezor, but not yet by bitcoin core client. Why?
Blockchain.info also uses a ridiculous method of asking the web browser to generate random numbers which opens avenues for attacks (added: few weeks after we wrote this words 100,000 USD were stolen from Blockchain.info).
The impact of our attacks could also be mitigated by multisig, however as usual there will be secure and insecure ways of using multisig. Ironically a large percentage of bad random events in the recent outbreak come from multisig applications. There is a very small percentage of multisig events in the blockchain, like less than 1%, and among these events there is an large proportion of vulnerable signatures with bad random events.
Added in 2015: there are now better ways to do key management than BIP032 in bitcoin, see this paper.