How To Make A Million in Cryptocurrency

Guessable Private Keys: How To Make A Million in Cryptocurrency

DOI: 10.13140/RG.2.2.19142.93764. ResearchGate link: here.

In Ethereum, we use ECC (Elliptic Curve Cryptography) to create a public key and a private key. The private key is kept secure, and the public key is used to derive the Ethereum address. When we sign a transaction, we use our private key to create a signature, which is automatically checked against our Ethereum address. A transfer then appears as a transaction between two Ethereum addresses, with a transaction value (as defined in Ether).

In creating the keys (for our wallet), we first generate a 256-bit private key, and then the public key is a point on the secp256k1 ECDSA curve (x,y point) [here]. The public key is then hashed using Keccak-256 (aka SHA-3), and the lower 160 bits become the public Ethereum address [here].

The private key should be completely random, and there are 2²⁵⁶ different keys that can be generated, so the chance of us matching a private key to a public key is:

1 in 1,550 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 000 … 000 (75 zeros — 1.55 quattuorvigintillion)

An outline of the code is [here]:

import codecs
import os

import ecdsa
from Crypto.Hash import keccak

# Generate a random 256-bit private key from the OS CSPRNG
private_key_bytes = os.urandom(32)
# Derive the public key: a point (x, y) on the secp256k1 curve
key = ecdsa.SigningKey.from_string(private_key_bytes, curve=ecdsa.SECP256k1).verifying_key
key_bytes = key.to_string()
private_key = codecs.encode(private_key_bytes, 'hex')
public_key = codecs.encode(key_bytes, 'hex')
print("Private key: ", private_key.decode())
print("Public key: ", public_key.decode())

# Hash the 64-byte public key with Keccak-256; the last 40 hex digits form the address
public_key_bytes = codecs.decode(public_key, 'hex')
keccak_hash = keccak.new(digest_bits=256)
keccak_hash.update(public_key_bytes)
keccak_digest = keccak_hash.hexdigest()
address = '0x' + keccak_digest[-40:]
print("Address:", address)

A sample run is:

Private key:  18dd1dcd752466afa3d1fac1424333c6461c3a0f1d6702e9c45bc9254ec74e5f
Public key: bdfb71e2d953406c45279ac434667a6a1ea9fae608af91e7f6bfb0792011df760895a528e8b83622886039b4803b6182d708fb40a16919bddaef84493ef1d4cf
Address: 0xaae47eae4ddd4877e0ae0bc780cfaee3cc3b52cb

But Adrian Bednarek decided to investigate whether someone had created a private key that could be guessed, which is a bit like trying ‘password’ when matching a hashed password. And so he tried a private key of 1, and discovered that its address had at one time stored some cryptocurrency, which had since been stolen. Overall, it is relatively easy to steal cryptocurrency once you have the private key, as the intruder just signs a transaction with the private key, and can then transfer the cryptocurrency (Ether) to their account.

And so then Adrian tried values of 2 onwards, and found that these addresses also had currency at one time, but had since been emptied. Next, his team tried billions of addresses, and found hundreds of guessable addresses. In the end, they scanned 34 billion addresses and found 732 guessable keys. They think that at least one account gathered around 45,000 Eth from the guessable addresses, which would be worth over $7 million in today’s valuations.
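A wallet can refuse keys of this kind at generation or import time. The following is an added example, not code from the original article: it rejects candidate secp256k1 private keys that fall into guessable classes such as the small integers 1, 2, ... described above. The function names and the two thresholds are assumptions chosen for illustration.

```python
import secrets

# Order n of the secp256k1 group: a valid private key d satisfies 1 <= d < n.
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Assumed policy thresholds (illustrative, not from the article). A uniformly
# random 32-byte value trips either one with negligible probability.
MIN_BIT_LENGTH = 128      # rejects 1, 2, 3, ... and any other short integer
MIN_DISTINCT_BYTES = 8    # rejects padded or repeated-byte patterns


def weak_key_reasons(key_bytes):
    """Return a list of reasons to reject a candidate private key (empty = OK)."""
    if len(key_bytes) != 32:
        return ["not exactly 32 bytes"]
    reasons = []
    d = int.from_bytes(key_bytes, "big")
    if not 1 <= d < SECP256K1_N:
        reasons.append("outside valid range 1..n-1")
    if d.bit_length() < MIN_BIT_LENGTH:
        reasons.append("small integer")
    if len(set(key_bytes)) < MIN_DISTINCT_BYTES:
        reasons.append("few distinct byte values")
    return reasons


def generate_private_key():
    """Draw 32 bytes from the OS CSPRNG and re-draw if any check fails."""
    while True:
        candidate = secrets.token_bytes(32)
        if not weak_key_reasons(candidate):
            return candidate


# Constructed sample keys, plus the private key from the article's sample run.
SAMPLES = {
    "one": (1).to_bytes(32, "big"),
    "two": (2).to_bytes(32, "big"),
    "repeated 0x11": bytes([0x11]) * 32,
    "group order n": SECP256K1_N.to_bytes(32, "big"),
    "article sample": bytes.fromhex(
        "18dd1dcd752466afa3d1fac1424333c6461c3a0f1d6702e9c45bc9254ec74e5f"),
}

if __name__ == "__main__":
    for label, key in SAMPLES.items():
        print(label, "->", weak_key_reasons(key) or "no weakness flagged")
    print("fresh key passes:", weak_key_reasons(generate_private_key()) == [])
```

Passing these checks does not show that a key is random; they only filter out known-bad classes, so the key must still come from a cryptographically secure generator.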

Conclusions

In the cryptocurrency space, you need to be aware of the risks involved. If someone takes a copy of your private key, or a weak address is generated, you could leave yourself open to being hacked, and no bank in the world will give you your money back.