Address creation in standard client - random library?

3

1

Is the random library used by the standard client in any way deterministic, or can one count on it being truly random?

For example, random libraries are often initialized with a seed value of the current time, like in C++:

srand(time(NULL));

But if someone was to iterate over reasonable ranges of time when a client started, eventually one would use the same seed value, and thus be able to generate the same addresses.

Is the random library used by the standard client vulnerable to such an attack, or does it also use some other variables that are unpredictable (say, temperature of the processor down to such decimal places it becomes an unpredictable noise)?

ThePiachu

Posted 2012-01-31T16:17:01.960

Reputation: 41 594
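The weakness the question describes can be made concrete. The following is an added example (not code from the question, from Bitcoin, or from any library) that derives a 256-bit value from a PRNG seeded only with a clock value, shows that the result carries no more entropy than the seed window, and contrasts it with a proper CSPRNG. The timestamps and window sizes are constructed for illustration:

```python
import math
import random
import secrets

KEY_BITS = 256


def weak_key(start_time):
    """Derive a 256-bit value from a PRNG seeded with a clock reading.

    This mirrors the srand(time(NULL)) pattern: the entire output is a
    deterministic function of the seed, so two runs that start in the same
    second produce the same 'key'. random.Random is a Mersenne Twister,
    which is not a CSPRNG.
    """
    rng = random.Random(start_time)
    return rng.getrandbits(KEY_BITS)


def seed_window_entropy_bits(window_seconds):
    """Effective entropy of a time-based seed.

    Whatever the output length, the value is chosen from only
    `window_seconds` candidates, so its entropy is log2(window), not
    KEY_BITS. A full day of uncertainty is only about 16.4 bits.
    """
    return math.log2(window_seconds)


def recover_weak_seed(key, window_start, window_seconds):
    """Audit check: is the seed recoverable from a plausible start window?

    Returns the seed if enumerating the window reproduces `key`, else
    None. A generator whose output is reproducible this way is unsuitable
    for key material.
    """
    for t in range(window_start, window_start + window_seconds):
        if weak_key(t) == key:
            return t
    return None


def strong_key():
    """Key material from the OS CSPRNG (os.urandom underneath)."""
    return secrets.randbits(KEY_BITS)


if __name__ == "__main__":
    # Constructed example: a client that started at this (made-up) epoch second.
    start = 1327997000
    k = weak_key(start)
    print("weak key reproducible:", weak_key(start) == k)
    print("entropy of a one-day window: %.1f bits" % seed_window_entropy_bits(86400))
    print("seed recovered from 3-hour window:",
          recover_weak_seed(k, start - 5000, 10800) == start)
    print("strong keys differ across calls:", strong_key() != strong_key())
```

The check `recover_weak_seed` is the audit a reviewer would run against any key-generation path that seeds from a clock: if it succeeds for any realistic window, the generator must be replaced by an OS-backed CSPRNG, which is what the accepted answers below describe the Bitcoin client doing.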

Answers

6

In addition to microsecond time, Bitcoin seeds the random number generator with GUI events, /dev/urandom on Unix, and HKEY_PERFORMANCE_DATA on Windows (very random, constantly-changing data).

theymos

Posted 2012-01-31T16:17:01.960

Reputation: 8 228

No CryptGenRandom on Win? - CodesInChaos 2012-11-14T22:19:44.157

@CodesInChaos No. - theymos 2012-11-15T04:52:11.957

5

It uses a cryptographically-secure random number generator, specifically the one included in OpenSSL. Generating a key from a source with less entropy than the equivalent bit strength of the key would be an inexcusable rookie coder error. It wouldn't survive in any popular open source program for more than a few days.

David Schwartz

Posted 2012-01-31T16:17:01.960

Reputation: 46 931

We would all like that to be true, but unfortunately it's not. Debian's broken patch to OpenSSL survived over a year and a half. It was caused by a change that reduced the entropy used. It's certainly easier to root out vulnerabilities in open source software. But that doesn't mean it always happens right away.

Matthew Flaschen 2012-02-01T00:21:48.953

That's a much different kind of error than the one contemplated in this question. But you're right that, unfortunately as it happened, the effect was the same. - David Schwartz 2012-02-01T01:03:03.850

0

There has been some discussion of flaws in key-generation entropy in the standard Bitcoin client. See https://bitcointalk.org/index.php?topic=113496.0.

Basically, the RandAddSeedPerfmon() and RegQueryValueExA(HKEY_PERFORMANCE_DATA, ...) calls in the Bitcoin source code can fail without the user noticing.

The only reliable source of entropy in the standard Bitcoin client is OpenSSL's RAND_Screen(), a function which is called on initialization of the rand pool.

SDL

Posted 2012-01-31T16:17:01.960

Reputation: 509
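The point of the answer above is that a seed source which fails silently leaves the pool weaker than the code assumes. The following is an added example (not Bitcoin's or OpenSSL's code) of a small seed pool that mixes several sources through SHA-256, records how much each source actually delivered, and refuses to hand out a seed when the accounted entropy falls short, instead of quietly proceeding. The source functions and entropy estimates are assumptions for illustration; `perfmon_source_stub` stands in for a platform call that returns nothing:

```python
import hashlib
import os
import time


class EntropyPool:
    """Mix seed material from several sources and account for each one.

    Every successful contribution is hashed into the pool state together
    with its source name and length. A source that raises or returns no
    data is recorded as contributing 0 bits, so the shortfall is visible.
    """

    def __init__(self):
        self._state = hashlib.sha256()
        self.report = {}  # source name -> estimated bits actually contributed

    def add_source(self, name, fetch, est_bits):
        """Pull bytes from fetch(); return True if the source delivered data.

        est_bits is the caller's entropy estimate for this source; it is
        capped at the number of bits actually received.
        """
        try:
            data = fetch()
        except OSError:
            data = b""
        if not data:
            self.report[name] = 0
            return False
        self._state.update(name.encode() + len(data).to_bytes(4, "big") + data)
        self.report[name] = min(est_bits, len(data) * 8)
        return True

    def total_bits(self):
        return sum(self.report.values())

    def failed_sources(self):
        return [n for n, bits in self.report.items() if bits == 0]

    def seed(self, required_bits=256):
        """Return a 32-byte seed, or raise if the pool is under-seeded."""
        if self.total_bits() < required_bits:
            raise RuntimeError(
                "insufficient entropy: %d of %d bits; failed sources: %s"
                % (self.total_bits(), required_bits, self.failed_sources())
            )
        return self._state.digest()


def urandom_source():
    """OS CSPRNG, the one source that is reliable on Unix."""
    return os.urandom(32)


def clock_source():
    """Nanosecond clock: a few bits of uncertainty at most, never enough alone."""
    return time.time_ns().to_bytes(8, "big")


def perfmon_source_stub():
    """Constructed stand-in for a performance-counter read that silently fails."""
    return b""


def build_pool(include_urandom=True):
    """Assemble a pool from the sources above; returns the pool for inspection."""
    pool = EntropyPool()
    pool.add_source("clock", clock_source, est_bits=10)
    pool.add_source("perfmon", perfmon_source_stub, est_bits=64)
    if include_urandom:
        pool.add_source("urandom", urandom_source, est_bits=256)
    return pool


if __name__ == "__main__":
    p = build_pool(include_urandom=False)
    print("accounted bits without urandom:", p.total_bits(), "failed:", p.failed_sources())
    p = build_pool()
    print("seed length with urandom:", len(p.seed()))
```

The design choice worth copying is the accounting: a pool that tracks per-source contributions can log which sources failed and fail closed, which is exactly the notice the user did not get in the case the answer describes.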