- Elliptic Curve Point Compression Vulnerability :
- In 2017, a vulnerability was discovered in the secp256k1 library related to elliptic curve point compression. The compression algorithm could return an incorrect compressed representation of a point under certain conditions, which could lead to loss of funds or data integrity in cryptocurrency projects 1 .
- This vulnerability has been fixed in an updated version of the library.
- Quantum attacks :
- Quantum computers could potentially break elliptic curve cryptographic systems, including secp256k1 , using Shor’s algorithm. This could lead to the compromise of digital signatures and access to private keys 2 .
- Researchers predict that quantum computers could crack Bitcoin by 2027 unless steps are taken to transition to post-quantum cryptographic schemes 2 .
- Signature Malleability Vulnerability :
- While not directly related to the secp256k1 parameters , but affecting ECDSA, which is used in Bitcoin, the Signature Malleability vulnerability allows attackers to change signatures without invalidating them. This can be used for a variety of attacks, including transaction forgery 4 .
- Jacobian Curve algorithm vulnerability:
- This vulnerability involves manipulating the mathematical properties of the Jacobi coordinates used in ECDSA. It allows forgeries to be created with valid signatures, potentially breaking consensus on the Bitcoin 5 network .
- Using AI to analyze patterns :
- Research has shown that simple neural networks can detect patterns in the sequence of points on the secp256k1 curve , which could potentially be used for future attacks 6 .
As is well known, the discrete logarithm problem is very difficult and people do not know how to calculate it quickly. Moreover, knowing a point on the curve P = n*G, it is very difficult to make a judgment about the value of n. Even about an approximate value. Let's try something even simpler: let's try to make judgments about the sequence
, or rather about the meanings
knowing the meanings
.
Let's try to determine how much this sequence differs from a random sequence. If the sequence
complex and difficult to predict, it will not differ from a random sequence. And if it does differ, it means that the sequence of points of the secp256k1 curve is not so complex.
Let's build a neural network that we will train on the training sequence to distinguish sequences.
If we can distinguish between a random sequence and a sequence of points, then this will mean that there is some algorithm that can be computed quickly enough to make judgments about the logarithm.
Let me remind you that calculating the discrete logarithm on an elliptic curve is a very difficult task.
Let us take a pre-calculated random sequence for repeatability of the experiment. The quality of this sequence can be checked
dieharder -f PM_rand_600.bin -g 201 -aYou can also check nist, but the result will be almost the same.
Let's create a program that will mix the y coordinate of the curve point sequence and a random sequence in a ratio of 1:8 and write it to the file x600_btc_32_LH.bin and simultaneously write a pointer to the source - curve or random - to y600_btc_32_LH.bin.
data_preparation.cpp
#include <iostream>
#include <stdlib.h>
#include <stdio.h>
#include <openssl/bn.h>
#include <openssl/ec.h>
#include <openssl/err.h>
#include <openssl/symhacks.h>
using namespace std;
int main() {
int bits = 256;
unsigned char buf[32];
char *pr;
EC_GROUP *group;
EC_KEY *eckey = EC_KEY_new();
EC_POINT *P;
BN_CTX *ctx = BN_CTX_new();
BIGNUM *x = BN_new();
BIGNUM *n = BN_new(); // начало последовательности точек кривой
BIGNUM *y = BN_new();
char e_buf[256];
FILE * xFile;
FILE * yFile;
FILE * rFile;
xFile = fopen("x600_btc_32_LH.bin", "wb");
yFile = fopen("y600_btc_32_LH.bin", "wb");
rFile = fopen("PM_rand_600_t.bin", "rb");
if (rFile==NULL)
{ cout<<" PM_rand.bin NOT FOUND"; return -1; }
srand(time(NULL));
// nid 714. curve secp256k1
int nid = 714;
if ((group = EC_GROUP_new_by_curve_name(nid)) == NULL) {
fprintf(stdout, "\nEC_GROUP_new_curve_name() failed with"
" curve %s\n nid %x", nid);
}
if (eckey == NULL) {
cout << "ABORT2 ";
ERR_error_string(ERR_get_error(), e_buf);
cout << "E_BUF " << e_buf << endl;
}
if (!EC_KEY_set_group(eckey, group)) {
cout << "ABORT3 ";
ERR_error_string(ERR_get_error(), e_buf);
cout << "E_BUF " << e_buf << endl;
}
EC_GROUP_precompute_mult(group, ctx);
P = EC_POINT_new(group);
BN_rand(n, bits, BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY);
// n - начало выборки
int NN = 60000;
for (int i = 0; i < NN; i++) {
if ((rand() % 128) < 16) {
pr = (char *) "1";
if (!EC_POINT_mul(group, P, n, NULL, NULL, ctx)) {
cout << "ABORT_10 ";
ERR_error_string(ERR_get_error(), e_buf);
cout << "E_BUF " << e_buf << endl;
}
if (!EC_POINT_get_affine_coordinates_GFp(group, P, x, y, ctx)) {
cout << "ABORT_11 ";
ERR_error_string(ERR_get_error(), e_buf);
cout << "E_BUF " << e_buf << endl;
}
BN_bn2bin(y, buf);
} else {
pr = (char *) "0";
int cind = fread(buf, 32, 1, rFile); // read 32 byte = 256 bit
}
fwrite(buf, 32, 1, xFile);
BN_add_word(n, 1L); // in P new point n+i
fwrite(pr, 1, 1, yFile);
}
fclose(xFile);
fclose (yFile);
BN_CTX_free(ctx);
EC_GROUP_free(group);
BN_free(x);
BN_free(y);
}And we will feed the two received files x600_btc_32_LH.bin and y600_btc_32_LH.bin to the network.
from keras.models import Model
from keras.utils import np_utils
from keras.layers import Dense, Input
from keras.layers import Bidirectional, GRU
from keras.models import Model
from keras.optimizers import RMSprop
import numpy as np
import keras as ks
num_classes = 2
length = 32
length_8 = length<<3
num_train = 50000
num_test = 10000
X_train = np.zeros(shape=(num_train, length_8), dtype='uint8')
y_train = np.zeros(shape=(num_train), dtype='uint8')
X_test = np.zeros(shape=(num_test, length_8), dtype='uint8')
y_test = np.zeros(shape=(num_test), dtype='uint8')
bx_train = np.zeros(shape=(num_train, length), dtype='uint8')
bx_test = np.zeros(shape=(num_test, length), dtype='uint8')
f_x = open("./input/x600_btc_32_LH.bin", 'rb')
for k in xrange(num_train):
for i in xrange(32):
bx_train[k, i] = ord(f_x.read(1))
for k in xrange(num_test):
for i in xrange(32):
bx_test[k, i] = ord(f_x.read(1))
f_x.close()
f_y = open("./input/y600_btc_32_LH.bin", 'rb')
for i in xrange(num_train):
y_train[i] = ord(f_y.read(1))
for i in xrange(num_test):
y_test[i] = ord(f_y.read(1))
f_y.close()
y_train -= 48
y_test -= 48Let's convert it to a bit-to-byte format. That is, we transfer one bit of the original sequence to a byte.
tab = np.zeros((256,8),dtype='int8')
for i in xrange(256):
mask = 1
for j in xrange(8):
if i & mask == 0:
tab[i,j] = 0
else:
tab[i,j] = 1
mask<<1
for k in xrange(num_train):
for i in xrange(length):
for j in xrange(8):
X_train[k,i*8+j] = tab[bx_train[k,i],j]
for k in xrange(num_test):
for i in xrange(length):
for j in xrange(8):
X_test[k,i*8+j] = tab[bx_test[k,i],j]Let's convert it to float format and scale it to 0.004 and prepare Y.
X_train = X_train.astype('float32')
X_test = X_test.astype('float32')
X_train /= 255.
X_test /= 255.
Y_train = np_utils.to_categorical(y_train, num_classes)
Y_test = np_utils.to_categorical(y_test, num_classes)We will take a fairly simple network, only slightly changing the activation function.
import math
from keras import backend as K
from keras.utils.generic_utils import get_custom_objects
from keras.layers import Activation
def gaussian(x):
mu = 64.
sigma = 10.
xx = -0.5*((x-mu)/sigma)**2 / sigma / math.sqrt(2*math.pi)
return K.exp(xx)
get_custom_objects().update({'gaussian': Activation(gaussian)})
batch_size = 32
num_epochs = 16
hidden_size_1 = 1024
hidden_size_2 = 1024
X_train = X_train.reshape(num_train,16,16)
X_test = X_test.reshape(num_test,16,16)
inp = Input(shape=(16,16,))
x = Bidirectional(GRU(1024, return_sequences=True))(inp)
x = Bidirectional(GRU(1024, return_sequences=False))(x)
x = Dense(hidden_size_1, activation='sigmoid')(x)
x = Dense(hidden_size_2, activation='gaussian')(x)
out = Dense(num_classes, activation='gaussian')(x)
model = Model(inputs=inp, outputs=out)
model.compile(loss='binary_crossentropy',
# optimizer='adam',
optimizer=RMSprop(lr=0.0001,clipvalue=1, clipnorm=1),
metrics=['accuracy'])The result is quite acceptable, the network distinguishes a sequence of curve points from a random sequence, not as accurately as we would like, but it makes a judgment about the logarithm.
mod = model.fit(X_train, Y_train, # Train the model using the training set...
batch_size=batch_size, epochs=2,
verbose=1, validation_data=(X_test, Y_test))
Train on 50000 samples, validate on 10000 samples
Epoch 1/2
val_loss: 0.3706 - val_acc: 0.8783
Epoch 2/2
val_loss: 0.3703 - val_acc: 0.8783We found that a simple regular neural network can distinguish between a random sequence and a sequence of secp256k1 curve points. This suggests that the network is detecting patterns in a sequence that must be very complex.
As of today, this is the most serious vulnerability of the secp256k1 curve and sooner or later the victory will be for AI.
This material was created for the CRYPTO DEEP TECH portal to ensure financial data security and cryptography on elliptic curves secp256k1 against weak ECDSA signatures in the BITCOIN cryptocurrency. The creators of the software are not responsible for the use of materials.
Telegram: https://t.me/cryptodeeptech
Video material: https://youtu.be/p62orC7WDUE
Video tutorial: https://dzen.ru/video/watch/67c3e91abbfa683a745a0aea
Source: https://cryptodeeptech.ru/quantum-attacks-on-bitcoin