Guessable Private Keys: How To Make A Million in Cryptocurrency

Preprint · April 2019


DOI: 10.13140/RG.2.2.19142.93764/1


All content following this page was uploaded by William J Buchanan on 26 April 2019.

William J Buchanan
Edinburgh Napier University

Abstract
Within cryptocurrencies we create a wallet which has a private key and a
public key. The private key is used to sign a transaction, and the public
key proves that the signer was the one who signed the transaction. Most
cryptocurrencies use Elliptic Curve Cryptography for the generation of the
keys, with a 256-bit random value for the private key. This gives us
1.55 quattuorvigintillion different keys, and it should not be possible,
within a reasonable amount of time, to discover a private key, if the
private key is generated from a random seed. But Adrian Bednarek found that
the private key of "1" has been used on the Ethereum network, along with
other low numbers. This raises the question of whether a guessable private
key could be attacked by an intruder, and whether cryptocurrencies can be
stolen. His work involved the scanning of billions of addresses, and he
found that there were around 732 guessable addresses.
Keywords: Cryptocurrency, Ethereum, private key, public key, ECDSA

1. Introduction
In Ethereum, we use ECC (Elliptic Curve Cryptography) to create a public
key and a private key. The private key is kept secure, and the public
key is used to derive the Ethereum address. When we sign a transaction,
we use our private key to create a signature, which is automatically
checked against our Ethereum address. As seen in Figure 1, a transfer
then appears as a transaction between two Ethereum addresses, with a
transaction value (as defined in Ether).

Figure 1: Cryptocurrency transaction

In creating the keys (for our wallet) we first generate a 256-bit private
key, and then the public key is a point on the secp256k1 ECDSA curve (x,y
point) [1]. This key is then hashed using Keccak-256 (aka SHA-3), and the
lower 160 bits become the public Ethereum address (Figure 2).

Preprint submitted to Journal of The Cyber Academy, April 26, 2019

2. Generating the keys


The private key should be completely random, and there are 2^256 different
keys that can be generated, so the chance of us matching a private key to a
public key is one in 1.55 quattuorvigintillion:

1 in 1,550 000 000 000 000 000 000 000 000 000 000 000 000
000 000 000 000 000 000 000 000 000 000 000 ... 000 (75 zeros)

An outline of the code is [1]:

import codecs
import os

import ecdsa
from Crypto.Hash import keccak

# 32 random bytes (256 bits) from the operating system form the private key
private_key_bytes = os.urandom(32)

# The public key is the matching point on the secp256k1 curve
key = ecdsa.SigningKey.from_string(private_key_bytes,
                                   curve=ecdsa.SECP256k1).verifying_key

key_bytes = key.to_string()  # 64 bytes: x followed by y
private_key = codecs.encode(private_key_bytes, 'hex')
public_key = codecs.encode(key_bytes, 'hex')

print("Private key: ", private_key.decode())
print("Public key: ", public_key.decode())

public_key_bytes = codecs.decode(public_key, 'hex')

# Keccak-256 of the public key; the last 40 hex digits (160 bits) are the address
keccak_hash = keccak.new(digest_bits=256)
keccak_hash.update(public_key_bytes)
keccak_digest = keccak_hash.hexdigest()

address = '0x' + keccak_digest[-40:]
print("Address:", address)

Figure 2: Cryptocurrency transaction

A sample run is:

Private key: 18dd1dcd752466afa3d1fac1424333c6461c3a0f1d6702e9c45bc9254ec74e5f
Public key: bdfb71e2d953406c45279ac434667a6a1ea9fae608af91e7f
6bfb0792011df760895a528e8b83622886039b4803b6182d708fb40a16919
bddaef84493ef1d4cf
Address: 0xaae47eae4ddd4877e0ae0bc780cfaee3cc3b52cb

But Adrian Bednarek [2] decided to investigate whether someone had
created a private key that could be guessed, which is a bit like
trying passwords against a hashed password. And so he tried a private
key of "1", and discovered that it had at one time stored some
cryptocurrency, which had since been stolen. Overall it is relatively
easy to steal cryptocurrency once you have the private key, as the intruder
just signs a transaction with the private key, and can then transfer the
cryptocurrency (Ether) to their account.
And so then Adrian tried values of "2" onwards, and found that these
addresses also had currency at one time, but had since been emptied. Next, his
team tried billions of addresses, and found hundreds of guessable addresses.
In the end they scanned 34 billion addresses and found 732 guessable keys.
They think that at least one account gathered around 45,000 Eth from the
guessable addresses, which would be worth over $7 million in today’s
valuations.
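
A wallet can refuse keys of the kind described above before they are ever used. The following is an added example, not code from the paper or from [1]; the function names, the 200-bit threshold and the repeated-pattern check are assumptions chosen for illustration, and only the group order n is a standard secp256k1 parameter.

```python
import secrets

# Order of the secp256k1 group (standard curve parameter); valid keys are 1..n-1
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed policy threshold (not from the paper): a uniformly random key has
# fewer significant bits than this with probability of about 2^-56.
MIN_BITS = 200


def weak_key_reasons(private_key_bytes: bytes) -> list:
    """Return the reasons a private key looks guessable (empty list = none found)."""
    if len(private_key_bytes) != 32:
        return ["not 32 bytes"]
    k = int.from_bytes(private_key_bytes, "big")
    if not 1 <= k < SECP256K1_N:
        return ["outside the valid range 1..n-1"]
    reasons = []
    # Small integers such as 1, 2, 3, ... are found by simple counting
    if k.bit_length() < MIN_BITS:
        reasons.append("only %d significant bits" % k.bit_length())
    # Keys just below n are as easy to enumerate as keys just above 0
    if (SECP256K1_N - k).bit_length() < MIN_BITS:
        reasons.append("within a small distance of n")
    # A short repeating pattern (for example 0x11 repeated 32 times) has little entropy
    for period in (1, 2, 4, 8, 16):
        if private_key_bytes == private_key_bytes[:period] * (32 // period):
            reasons.append("repeats a %d-byte pattern" % period)
            break
    return reasons


def generate_private_key() -> bytes:
    """Draw 32 bytes from the OS CSPRNG until the result passes every check."""
    while True:
        candidate = secrets.token_bytes(32)
        if not weak_key_reasons(candidate):
            return candidate
```

An empty result only means none of these specific patterns was found; it does not show that the generator behind a key is sound.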

3. Conclusions
In the cryptocurrency space, you need to be aware of the risks involved.
If someone takes a copy of your private key, or if a weak address is
generated, you could leave yourself open to being hacked, and no bank in the
world will give you your money back. Ref:

W. J. Buchanan, “Guessable private keys: How to make a million in
cryptocurrency,” Journal of The Cyber Academy, DOI: 10.13140/RG.2.2.19142.93764

References
[1] W. J. Buchanan, Node.js Ethereum. [Online]. Available:
https://asecuritysite.com/encryption/jse th

[2] E. Lacey, A ’Blockchain Bandit’ Is Guessing Private Keys and Scoring
Millions. [Online]. Available:
https://www.wired.com/story/blockchain-bandit-ethereum-weak-private-keys/

[3] W. J. Buchanan, “Guessable private keys: How to make a million in
cryptocurrency,” Journal of The Cyber Academy, DOI:
10.13140/RG.2.2.19142.93764.
