Published on: 2014-03-16T15:48:21+00:00
In an email exchange on March 16, 2014, it was revealed that there were problems with the encryption methods in the current release of a software. Thomas Voegtlin, the developer, was not aware of the flaws and promised to fix the code. However, Gregory Maxwell pointed out that the implementation was leaking data and could result in incorrectly decrypted messages. As a result, Voegtlin decided to remove the encryption methods from the current release and updated the packages.Maxwell informed Voegtlin that the encryption algorithm used in the code was insecure and not actually implementing ECIES. The most significant issue was the use of a trivial 16-bit check value instead of a cryptographically strong MAC. This allowed anyone with access to a decryption oracle to decrypt any message encrypted to a third person by making no more than 65536 queries. Additionally, if a random query yielded a result, it directly revealed the ECDH value. If the implementation did not check if the nonce point was on the curve, the result could yield a point on the twist instead of the curve, making the private key more vulnerable to recovery. Maxwell also noted that there may be other problems or mitigating factors in the code. Voegtlin thanked Maxwell for informing him about the flaws and promised to fix the code.Voegtlin explained that the encryption algorithm used in the Bitcoin wallet was ECIES and the code was borrowed from a repository. However, the cryptosystem used in the repository was insecure and not actually implementing ECIES. The main issue was the use of a trivial 16-bit check value instead of a cryptographically strong MAC. This meant that an arbitrary message encrypted to a third person could be decoded with no more than 65536 queries to a decryption oracle. If a random query yielded a result, it directly revealed the ECDH value. Additionally, if the implementation did not check if the nonce point was on the curve, the result could yield a point on the twist instead of the curve, making the private key more vulnerable to recovery. The implementation also had other issues, such as not using a strong RNG for its EC nonce.Electrum 1.9.8 was released with features initially planned for version 2.0. The Electrum servers were upgraded to version 0.9, allowing the client to request the balance of any address directly. New commands, including getaddressbalance, getaddressunspent, and getutxoaddress, were added. Two commands for message encryption, encrypt and decrypt, were also added using the ECIES encryption algorithm. The key could be obtained using the 'getpubkeys' command. The Qt GUI also had access to these functions. Additionally, command-line commands that required a network connection spawned a daemon, making scripting more efficient. Packages for download were available on https://electrum.org/download.html, and binaries for Windows and Mac would be available soon.
Updated on: 2023-08-01T07:58:47.649348+00:00