Professional Documents
Culture Documents
net/publication/332683948
CITATION READS
1 3,925
1 author:
William J Buchanan
Edinburgh Napier University
707 PUBLICATIONS 3,897 CITATIONS
SEE PROFILE
Some of the authors of this publication are also working on these related projects:
Securing Our Future 5G Health Care against Malicious Attempts with Adaptive Machine Learning. View project
FI-STAR - Future Internet Social and Technological Alignment Research View project
All content following this page was uploaded by William J Buchanan on 26 April 2019.
Abstract
Within cryptocurrencies we create a wallet which has a private key and a
public key. The private key is used to sign for transaction, and the public
key proves that the signer was the one who signed the transaction. Most
cryptocurrencies use Elliptic Curve Cryptography for the generation of the
keys, and where a 256-bit random key for the private key. This gives us
1.55 quattuorvigintillion different keys, and it should not be possible - within
a reasonable amount of time - to discover a private key, if the private key
is generated from a random seed. But, Adrian Bednarkek found that the
private key of "1" has been used on the Ethereum network, along with other
low numbers. This means that a guessable private key could be attacked by
an intruder, and whether cryptocurrencies can be stolen. This work has thus
involved the scanning of billions of addresses, and he found that there were
around 732 guessable addresses.
Keywords: Cryptocurrency, Ethereum, private key, public key, ECDSA
1. Introduction
In Ethereum, we use ECC (Elliptic Curve Cryptography) to create a pub-
lic key and a private key. The private key is kept secure, and then the public
key is used to derive the Ethereum address. When we sign for a transaction,
we use our private key, and to create a signature, and which is automati-
cally checked against our Ethereum address. As seen in Figure 1, a transfer
then appears as a transaction between two Ethereum addresses, and with a
transaction value (as defined in Ether).
In creating the keys (for our wallet) we first generate a 256-bit private
key, and then the public key is a point on the secp256k1 ECDSA curve (x,y
point) [1]. This key is then hashed using Keccak-256 (aka SHA-3), and the
lower 160 bits becomes the public Ethereum address (Figure 2).
1 in 1,550 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 ... 000 (75 zeros)
import codecs
import ecdsa
from Crypto.Hash import keccak
import os
private_key_bytes = os.urandom(32)
key = ecdsa.SigningKey.from_string(private_key_bytes,
curve=ecdsa.SECP256k1).verifying_key
2
Figure 2: Cryptocurrency transaction
key_bytes = key.to_string()
private_key = codecs.encode(private_key_bytes, ’hex’)
public_key = codecs.encode(key_bytes, ’hex’)
hash = keccak.new(digest_bits=256)
hash.update(public_key_bytes)
keccak_digest = hash.hexdigest()
3
address = ’0x’ + keccak_digest[-40:]
print "Address:",address
3. Conclusions
In the cryptocurrency space, you need to be aware of the risks involved.
If someone takes a copy of your private key, or generates a weak address, you
could leave yourself open for it being hacked, and no bank in the world will
give you your money back. Ref:
4
References
[1] W. J. Buchanan, Node.js Ethereum. [Online]. Available:
https://asecuritysite.com/encryption/jse th