Author: Alan Reiner 2014-03-08 08:10:40
Published on: 2014-03-08T08:10:40+00:00
The conversation thread started with the statement that nothing is safe. To further explain this, Edmund Edgar presented a scenario where he gave Odinn Cyberguerrilla an ECC public key and received back a public key of Odinn's own devising, after which he paid some money to the address resulting from add_pubkeys(). He then asked if anyone could think of a way for Odinn to spend the resulting money without having the private key or opine on how difficult it would be to do so. A link to the relevant code was also provided.Alan then responded by presenting a scenario where he sees Odinn's public key before creating and sending his own public key. He creates a new keypair with an arbitrary value for c_priv, but instead of giving Odinn this value, he gives him c_pub = G * (c_priv - b_priv). Since Alan knows b_priv, he can calculate c_pub - b_pub = G * (c_priv - b_priv + a_priv), where a_priv is his secret key. He then spends the money by calculating the private key for c_pub - b_pub and using it to create a signature. However, since Odinn doesn't know what c_pub/c_priv Alan created, he can only detect the fraud after it's too late.
Updated on: 2023-06-08T03:56:13.267321+00:00