How Hackers Can Exploit Weak ECDSA Signatures

Digital signatures are designed to protect the integrity and authenticity of data on the blockchain.  Using a digital signature, it is possible to verify that a particular piece of data (such as a blockchain transaction) was generated by the owner of a private key and has not been modified since.

Blockchain protocols like Bitcoin use strong digital signature algorithms (such as ECDSA, which stands for Elliptic Curve Digital Signature Algorithm), which cannot be broken using modern technology.  However, algorithms like ECDSA are only secure if used correctly.

The potential for misused digital signatures to expose blockchain accounts’ private keys has been known since 2012.  However, this threat is still relevant today as demonstrated by a hack of the Anyswap protocol in July 2021 that exploited this vulnerability.

The ECDSA Digital Signature Algorithm Can Be Misused

The ECDSA digital signature algorithm used in protocols like Bitcoin takes a few parameters as input, including:

• Message: The message is the data to be signed.  This message will be hashed using a function like SHA-256 before being fed into the signature algorithm.

• Private Key: The private key is used to generate an account’s public key and also to create a digital signature.  The corresponding public key will be sent alongside the signature to enable signature verification.

• Random Value (K): Each digital signature should have a unique, random value K.  This value is used to calculate a random point on the elliptic curve, whose x coordinate (called R) is used in the signature calculation and is one of the two values sent as part of the digital signature.

Properly done, a digital signature verifies the data’s authenticity and integrity.  However, improperly done, it can reveal the user’s private key.

The mistake made in the case of the July 2021 Anyswap hack is that the same value K was used to generate multiple different digital signatures.  This mistake is obvious because R (part of the digital signature) is the same for both signatures.

If two signatures have the same value for R, then the private key can be calculated using the equation:

Private key = (Z1*S2-Z2*S1)/(R*(S1-S2))

Where Z1 and Z2 are the hashes of the messages and S1 and S2 are the other halves of the signatures with the same R value.  After calculating the private key from these values, an attacker has full access to and control over the blockchain account.

Protecting Your Blockchain Account

This vulnerability is made possible by misuse of the ECDSA digital signature algorithm.  The value of K is supposed to be random, which means that no two signatures should ever have the same values of K and R.   If this happens, then something has gone wrong.

The recent Anyswap hack demonstrates that attackers are actively monitoring the blockchain for digital signatures that contain the same values for R.  When performing transactions on the blockchain, make sure that your blockchain software is actually generating random values for K and that the value of R is different in all transactions.