* [Bitcoin-development] Electrum 1.9.8 release
@ 2014-03-16 13:24 Thomas Voegtlin
2014-03-16 13:54 ` Gregory Maxwell
0 siblings, 1 reply; 5+ messages in thread
From: Thomas Voegtlin @ 2014-03-16 13:24 UTC (permalink / raw)
To: bitcoin-development
I am happy to announce the release of Electrum 1.9.8.
This release includes some features initially planned for version 2.0.
Packages are available on https://electrum.org/download.html (signed by me)
Binaries for windows and mac will be available in the coming days
enjoy
Thomas
-----------------------
RELEASE NOTES
# Release 1.9.8
(This release includes features initially planned for version 2.0)
* Electrum servers were upgraded to version 0.9. The new server stores
a Patrica tree of all UTXOs, an idea proposed by Alan Reiner in the
bitcointalk forum. This property allows the client to directly
request the balance of any address. The new commands are:
1. getaddressbalance <address>
2. getaddressunspent <address>
3. getutxoaddress <txid> <pos>
* In addition, two commands for message encryption were added:
1. encrypt <pubkey> <message>
2. decrypt <pubkey> <message>
The encryption algorithm is ECIES, and code was was borrowed from
https://github.com/jackjack-jj/jeeq. In order to know the public
key corresponding to a Bitcoin address in your wallet, you can use
the 'getpubkeys' command. The 'decrypt' command assumes that the
wallet has the private key corresponding to the public key passed as
argument.
* The encrypt and decrypt functions are available in the Qt GUI (from
the menubar, or right click on one of your addresses if you want to
use its public key).
* Command-line commands that require a connection to the network spawn
a daemon, that remains connected and handles subsequent
commands. The daemon terminates itself if it remains unused for more
than one minute. The purpose of this is to make scripting more
efficient. For example, a bash script using many electrum commands
will open only one connection.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Bitcoin-development] Electrum 1.9.8 release
2014-03-16 13:24 [Bitcoin-development] Electrum 1.9.8 release Thomas Voegtlin
@ 2014-03-16 13:54 ` Gregory Maxwell
2014-03-16 14:31 ` Thomas Voegtlin
0 siblings, 1 reply; 5+ messages in thread
From: Gregory Maxwell @ 2014-03-16 13:54 UTC (permalink / raw)
To: Thomas Voegtlin; +Cc: Bitcoin Development
On Sun, Mar 16, 2014 at 6:24 AM, Thomas Voegtlin <thomasv1@gmx•de> wrote:
> The encryption algorithm is ECIES, and code was was borrowed from
> https://github.com/jackjack-jj/jeeq. In order to know the public
> key corresponding to a Bitcoin address in your wallet, you can use
> the 'getpubkeys' command. The 'decrypt' command assumes that the
> wallet has the private key corresponding to the public key passed as
> argument.
The cryptosystem in that repository appears to be insecure in several
ways and is not actually implementing ECIES.
The most important of which is that instead of using a
cryptographically strong mac tied to the ephemeral secret it uses a
trivial 16 bit check value. This means that that I can decode an
arbitrary message encrypted to a third person if they allow me to make
no more than 65536 queries to a decryption oracle to decrypt some
other message.
Also, in the event that a random query to a decryption oracle yields a
result (1:2^16 times) the result directly reveals the ECDH value
because it is only additively combined with the message value. If the
implementation does not check if the nonce point is on the curve (an
easy implementation mistake) the result can yield a point on the twist
instead of the curve which is far more vulnerable to recovery of the
private key. ECIES uses a KDF instead of using the ECDH result
directly to avoid this.
There may be other problems (or mitigating factors) as it was very
hard for me to follow what it was actually doing.
(The particular implementation has a number of other issues, like
apparently not using a cryptographically strong RNG for its EC nonce..
but I assume you didn't copy that particular flaw)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Bitcoin-development] Electrum 1.9.8 release
2014-03-16 13:54 ` Gregory Maxwell
@ 2014-03-16 14:31 ` Thomas Voegtlin
2014-03-16 14:39 ` Gregory Maxwell
0 siblings, 1 reply; 5+ messages in thread
From: Thomas Voegtlin @ 2014-03-16 14:31 UTC (permalink / raw)
To: Bitcoin Development
thanks for your feedback!
I was not aware that that implementation was flawed.
I will see how I can fix that code and get back to you.
Thomas
Le 16/03/2014 14:54, Gregory Maxwell a écrit :
> On Sun, Mar 16, 2014 at 6:24 AM, Thomas Voegtlin <thomasv1@gmx•de> wrote:
>> The encryption algorithm is ECIES, and code was was borrowed from
>> https://github.com/jackjack-jj/jeeq. In order to know the public
>> key corresponding to a Bitcoin address in your wallet, you can use
>> the 'getpubkeys' command. The 'decrypt' command assumes that the
>> wallet has the private key corresponding to the public key passed as
>> argument.
> The cryptosystem in that repository appears to be insecure in several
> ways and is not actually implementing ECIES.
>
> The most important of which is that instead of using a
> cryptographically strong mac tied to the ephemeral secret it uses a
> trivial 16 bit check value. This means that that I can decode an
> arbitrary message encrypted to a third person if they allow me to make
> no more than 65536 queries to a decryption oracle to decrypt some
> other message.
>
> Also, in the event that a random query to a decryption oracle yields a
> result (1:2^16 times) the result directly reveals the ECDH value
> because it is only additively combined with the message value. If the
> implementation does not check if the nonce point is on the curve (an
> easy implementation mistake) the result can yield a point on the twist
> instead of the curve which is far more vulnerable to recovery of the
> private key. ECIES uses a KDF instead of using the ECDH result
> directly to avoid this.
>
> There may be other problems (or mitigating factors) as it was very
> hard for me to follow what it was actually doing.
>
> (The particular implementation has a number of other issues, like
> apparently not using a cryptographically strong RNG for its EC nonce..
> but I assume you didn't copy that particular flaw)
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Bitcoin-development] Electrum 1.9.8 release
2014-03-16 14:31 ` Thomas Voegtlin
@ 2014-03-16 14:39 ` Gregory Maxwell
2014-03-16 15:48 ` Thomas Voegtlin
0 siblings, 1 reply; 5+ messages in thread
From: Gregory Maxwell @ 2014-03-16 14:39 UTC (permalink / raw)
To: Thomas Voegtlin; +Cc: Bitcoin Development
On Sun, Mar 16, 2014 at 7:31 AM, Thomas Voegtlin <thomasv1@gmx•de> wrote:
> thanks for your feedback!
>
> I was not aware that that implementation was flawed.
> I will see how I can fix that code and get back to you.
It also leaks on the order of 7 bits of data about the message per
message chunk. I'm also think it's likely that there are some
messages which are just incorrectly decrypted. ... it's really
screwy and suspect.
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [Bitcoin-development] Electrum 1.9.8 release
2014-03-16 14:39 ` Gregory Maxwell
@ 2014-03-16 15:48 ` Thomas Voegtlin
0 siblings, 0 replies; 5+ messages in thread
From: Thomas Voegtlin @ 2014-03-16 15:48 UTC (permalink / raw)
To: Bitcoin Development
Thanks again for having a look.
Given these problems, I have decided to remove
the encryption methods from the current release.
I retagged 1.9.8 and updated the packages.
Thomas
Le 16/03/2014 15:39, Gregory Maxwell a écrit :
> On Sun, Mar 16, 2014 at 7:31 AM, Thomas Voegtlin <thomasv1@gmx•de> wrote:
>> thanks for your feedback!
>>
>> I was not aware that that implementation was flawed.
>> I will see how I can fix that code and get back to you.
> It also leaks on the order of 7 bits of data about the message per
> message chunk. I'm also think it's likely that there are some
> messages which are just incorrectly decrypted. ... it's really
> screwy and suspect.
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2014-03-16 15:48 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2014-03-16 13:24 [Bitcoin-development] Electrum 1.9.8 release Thomas Voegtlin
2014-03-16 13:54 ` Gregory Maxwell
2014-03-16 14:31 ` Thomas Voegtlin
2014-03-16 14:39 ` Gregory Maxwell
2014-03-16 15:48 ` Thomas Voegtlin
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox