As an experiment I sent 0.0005 BTC to the address corresponding to the private key in the documentation (L1uyy5qTuGrVXrmrsvHWHgVzW9kKdrp27wBC7Vs6nZDTF2BRUVwy -> 17XBj6iFEsf8kzDMGQk5ghZipxX49VXuaV). Within seconds someone had already transferred it out to 1ENnzep2ivWYqXjAodTueiZscT6kunAyYs.
Wow! Tried it with the other private key[0] and the same thing happened. Upon some searching it looks like the recipient belongs to a Russian named amaclin on the Bitcoin forum[1] who has a script running to empty published private keys as soon as a transaction hits the network.
Help me please to understand the following transactions:
https://blockchain.info/address/1HcBw7XNKm6NoVJ4s5sSZPL9JGeB...
(look from bottom to top)
Send 0.0001 to 1HcBw7XNKm6NoVJ4s5sSZPL9JGeB8a9STj , then spend change to 1HcBw7XNKm6NoVJ4s5sSZPL9JGeB8a9STj, then spend change to 1HcBw7XNKm6NoVJ4s5sSZPL9JGeB8a9STj... etc 9 times. And the last transaction is sending 9 utxos to 1Q76cQw9Rmw4TathPdYdR34GXSGKZKnLQy - the address of private key which was published earlier on page https://www.npmjs.org/package/simplebtc
You can also send coins to any brainwallet (using the simple sha256(sha256(input))) that is under 10 characters or so and see the coins immediately get swept. Someone's obviously monitoring the blockchain for new transactions to known keys for sweeping.
While I'm not aware of such a naive brainwallet algorithm being used, it's fairly unlikely that all <= 10 character SHA or double-SHA hashes are being monitored. While the number crunching hardware to generate the rainbow table exists, and it could be done overnight, the storage required of such a beast would be pretty immense.
Case insensitive alphanumeric is 36 (26+10) case sensitive alphanumeric is 62 (26 + 26 +10). Second you don't need to store all the data.
Your solution to just stores the hashes and uses their position to calculate the key. Saving 10 bytes out of (10byte key+16byte hash.) However, you would then need to check every hash in order which is slow at look up time.
Next thought is sorting the hashes so lookups are fast. Notice that the first byte is repeated frequently so break the list up into 256 lists and you don't need to save the first byte. Continuing this idea you end up a tree data structure: http://en.wikipedia.org/wiki/Radix_tree. Problem is it's still a lot of data.
However, look up is now so fast you don't need to full key any more store say 8 bytes and test the next 2. Wait, do we really need ASCII key values or just a number to reduce the search space 2 bytes cuts things from 1 day to (1/256^2) or ~1second. But wait, we don't need to store the full hash just enough that false positives are low. A 4 byte hash + 3 bytes in a radix tree gives means ~1 in 256^4th hashes match and you spend 1/200th of a second looking at each match, which seems vary reasonable. Unfortunately even at ~1/4 the storage it's still to much space.
The first thing I did when seeing private keys in the documentation was to check if they had anything in them. When they came up empty, I figured someone else would come along and do the same thing. I suppose my experiment was to see how quickly it would happen.
You are correct. Both projects come from Stefan Thomas's original BitcoinJS.
Both projects (bitcore vs bitcoinjs) are very similar. I would say the main difference you will find is mostly at a DSL level. I find that bitcoinjs has nicer syntax than bitcore.
Bitcore has a fairly loose syntax. And a function can takes many different types of argument. As an example:
This function only takes a string key in base58 format.
In my experience of using both, it is easy to have programmer error in bitcore, because its syntax is so loose. Whereas it is a lot harder to make programmer errors in bitcoinjs-lib. Given that this is financial software, I prefer the bitcoinjs-lib approach.
For example, One problem I encountered with bitcore was I made a mistake in the derivation path of a bip32 key. Instead path of 'M/1/0/1', I mistakenly used 'M/1/0/1/undefined'. Bitcore happily derived a key for me. This is the type of errors you don't tend to get with bitcoinjs.
Bitcore and BitcoinJS achieve a lot of the same basic functions like generating addresses (and now multi-signature addresses), building, and signing transctions. You will still need to be able to connect to a Bitcoind peer (via an API or run your own) to promulgate the transaction on the Bitcoin network.
http://cryptocoinjs.com/ is another library that performs some of these functions. Rubyists may be interested in https://github.com/lian/bitcoin-ruby
We're game to make any library changes. I did want to say though, that raw performance is not a high priority for BitcoinJS. We're far more interested in good testing and correctness than in performance (though performance certainly is a good thing).
Which is not to say that your library is incorrect or has bad testing, just to say that the way to our hearts is to convince us that elliptic is better than what we're using, not that it is faster, which it certainly is (and that's awesome). :)
Lead developer of http://cryptocoinjs.com here. Also maintainer of https://github.com/cryptocoinjs/ecurve (what bitcoinjs-lib) uses for EC operations. I've worked with the lead developers of bitcoinjs-lib on ecurve so I think that I'd be qualified to answer this.
The main reason was that (1-2 months) ago when we were cleaning up ecurve, we had considered using your elliptic library, but we had problems with such simple operations in bn.js (your big integer library that elliptic depends upon) where arithmetic was incorrect for simple operations like -1 + 2 = -3 (don't quote me on that exact one). So at the time, we felt it wasn't battle tested. But they (we?) have every intention of switching to elliptic in the future.
I took a quick look at your implementation of ECDSA and I think it has a bug at line 311 [1]. It looks like I could bypass the check if r or s is negative.
One thing that I don't understand is why big integer libraries developed exclusively for crypto need negative numbers. The library [2] that I contribute to doesn't need them, and it works just fine. Actually I could argue that having only non-negative numbers make it simpler and faster.
Its not really a bug, the operations after it would still be valid (it is almost immediately reduced to the field order), its just that those parameters would not be akin to the SEC paper specification.
I agree that the honus isn't on the users to check that though, so I'm probably going to make a pull request to change this.[1]
Thanks for pointing this out, thankfully the implementation already failed on a negative s value, but you're correct in that it wasn't definitive.
I also whole-heartedly agree with your comment about the unnecessary inclusion of a bignum that allows for negative values.
The lack of typing in this (and other cases) has lead to several problematic scenarios for users to the point we have littered the code with assertions to enforce whatever we can.
bn.js is just kind of sharpened for a elliptic.js usage. Though, the low footprint of the bn.js means that you could just use it for ECDSA operations, and use your own thing for the rest of the bitcoin stuff.
Bitpay does like your work. Will you sometimes contribute to one of the existing projects or prefer that they keep integrating your work? The former is sometimes more efficient, possibly more impactful. I don't think it will be great for community if there are too many JS bitcoin libs: 3 might be ok but IMO it's close to a reasonable practical limit.
Why not? 1.0.0 is yet another version number. We have significant API changes since the original 0.1.3 tag. The sooner we get on 1.0.0, the sooner we can move on with proper semver in our lives.
Documentation is still lacking for bitcoinjs-lib. PRs and volunteers welcome =) Meanwhile, developers can reference our tests for examples; and join IRC #bitcoinjs-dev if you have any questions.
I don't think the maintainers posted this HN post. So this is a premature launch. Given that they have an upcoming release with their transaction builder. I think they would have liked to do a Show HN later
[address] https://blockchain.info/address/17XBj6iFEsf8kzDMGQk5ghZipxX4...
[thief?] https://blockchain.info/address/1ENnzep2ivWYqXjAodTueiZscT6k...