CryptoCurrency secp256k1 Vulnerability Mitigation

[commentUser]

Issue: Hanno Böck, Juraj Somorovsky (Hackmanit GmbH, Ruhr-Universität Bochum), Craig Young (Tripwire VERT) published a paper regarding the "Return Of Bleichenbacher's Oracle Threat" (ROBOT attack) on RSA ciphers. While the encryption team acknowledge that Bitcoin does not use RSA, they state the following about how the attack could be used against Bitcoin's secp256k1 elliptic curve. They recommend the following:

Can this attack be used against Bitcoin? Bitcoin does not use RSA, instead it uses elliptic curve cryptography based on the curve secp256k1. Our attack cannot be directly applied to that. However if you transform a quantum key exchange to a supersingular Isogeny you can attack post-quantum RSA and thus apply our attack indirectly to secp256k1.

We believe the only way Bitcoin can defend against this is to immediately switch to Quantum Blockchains.

Source (Section: Can this attack be used against Bitcoin?): https://robotattack.org/

Requested Action:

• That the Bitcoin core be reviewed, that the teams recommendation be analyzed, and if appropriate in light of analyzation to update the core in light of the encryption teams recommendations to provide mitigation from the attack being used against Bitcoin's core secp26k1 elliptic curve.

[harding]

The section on that page about Bitcoin is trolling (the rest of the page looks legit). I suggest closing the issue.

[commentUser]

Since this has been closed, and since it is security related, I realized I should have sent this to security@bitcoincore.org, and so I am doing that now.

But, please note, the https://robotattack.org/ site mentioned above is self reported from the authors of the attack (see: https://github.com/robotattackorg/robot-detect ), and the site is listed as an authoritative source from Qualys' SSL Labs SSL Test page (https://www.ssllabs.com/ssltest > see the ROBOT section near bottom of test> click the "more info" link).

I think the authors of this attack would be in a position to be authoritative on their supposition of the cryptographic vulnerability, and should warrant at least a serious analysis before dismissing it.

[crwatkins]

@commentUser I see this is your first issue on GitHub (congratulations). If you are serious, and not just going along with the joke, I'll clarify for you that what @harding implies above is that the section on Bitcoin is a joke. The "ha-ha", "funny", "April Fools" type of joke.

[commentUser]

Considering the site mentioned in my post above is posted by the authors of the ROBOT attack, and is linked by Qualys SSL Labs as authoratiative, and the ROBOT site associated with the attack team members mentions a potential vulnerability to Bitcoins use of secp256k1, yes I would appreciate it if you would clarify to show that it is not serious from a cryptographic point of view. Thank you.

[commentUser]

Just to clarify a bit. The point I am focusing on is this statement "However if you transform a quantum key exchange to a supersingular Isogeny you can attack post-quantum RSA and thus apply our attack indirectly to secp256k1." It is a serious enough topic that researchers are writing about the teams proposal, although I do realize that not everyone owns a quantum computer, but for that matter who would have thought that ASIC's would take the day when they focused them on the problem of hashing. I am just wondering if from a cryptographic standpoint if you show why this is "ha-ha" funny.

[commentUser]

One more point, I do not see myself as a cryptographic expert, and do recognize that both you Mr. Watkins and Mr. Harding are in a position to answer this question since you work with Bitcoin core, and I do not. I just wanted to make sure it was not just brushed off. If it really is of no concern at this point and time, then I can accept that answer (although a short answer from a cryptographic standpoint as to why it is of no concern at the present time would be helpful). Thank you both again for all you do.

[commentUser]

Note (if not helpful, just disregard):

• For a research team that has written on the ROBOT teams suggestion, see here, as one example: https://www.technologyreview.com/s/611022/if-quantum-computers-threaten-blockchains-quantum-blockchains-could-be-the-defense/

• Potentially Lattice based cryptography rather than ECDH with secp256k1?: https://www.wired.com/2015/09/tricky-encryption-stump-quantum-computers/

• Other sucessful attacks on secp256k1 (Flush and Reload Attack against secp256k1): https://eprint.iacr.org/2014/434.pdf

• Other successful attacks on secp256k1 (Biased Nonce): https://eprint.iacr.org/2019/023.pdf

[harding]

a short answer from a cryptographic standpoint as to why it is of no concern at the present time would be helpful

The ROBOT attack is about key exchange used by TLS servers, e.g. the process by which you and github.com exchange keys over a public channel (e.g. the Internet) and use that to derive a shared secret only you and github.com know for use as an encryption key so that your subsequent communication is not public. Bitcoin doesn't use key exchange or encryption (except for some protocol extensions which are mostly not recommended) and so there's no way such an attack would apply to Bitcoin.

There's really a lot more things wrong too, but trying to explain why it's wrong is like trying to explain why the warp drives of Star Trek are not realistic propulsion devices.

If you still have doubts, my suggestion would be to contact the authors directly. I'm sure they'll admit their joke. (You'll also note that the joke doesn't appear in their actual papers.)

[jonasnick]

See https://twitter.com/hanno/status/1107940325757202433 by Hanno Böck

I'm unsure if I should feel sorry for the poor Bitcoin developers who have to explain to people that my stupid jokes are not real vulnerabilities... https://github.com/bitcoin-dot-org/bitcoin.org/issues/2894

[commentUser]

Given that, as I pointed out above, a few researchers had published papers on post-quantum attacks (the paper cited above is by MIT researchers) and/or moving to Lattice based cryptography, that there are government actors who do have quantum computers (where many governments are using computer hacking as a new form of intelligence gathering), and I have not met too many cryptographers who joke around about security in public official sites (and I figured I had gone this far with their recommendation) - I did infact reach out to Hanno Böck to confirm Mr. Harding and Mr. Watkins.

Mr. Böck confirmed to me that it was in fact a blockchain joke. He also posted the above twitter feed as a result. I am glad that he, Mr. Harding, and Mr. Watkins have cleared this up.

With Thanks.