Private key generation on Lisk; are we affected by the latest Bitcore issues?
Yesterday, on February, the 23rd 2017 and approximately one year ago, on February, the 25th 2016 issues were raised regarding the bitcore-js library, which investigated private key generation across different platforms.
A 12-word mnemonic passphrase is used to generate a key pair, which consists of both a private and public key, which can represent an account within Lisk (or Bitcoin). The bitcore-js library provides the necessary functionalities to generate this key pair out of the mnemonic passphrase.
In the referenced GitHub issues, it was noted that the bitcore-js private key generation eliminates leading zeros when creating the private keys, which results 31 byte string instead of the expected 32 bytes. This behaviour leads to different hash outputs on different machines, even though the same mnemonic passphrase is used. This could prevent account access on different machines.
Lisk is not affected by this. We are using the bitcore-js library to generate a 12-word mnemonic passphrase using the front-end. However, the private key generation is done by the NaCl library which is not affected by this bug.
The library explicitly demands: “The input must be 32 bytes long.”
As stated by Brian Warner. “Ed25519 keys start life as a 32-byte (256-bit) uniformly random binary seed such as might be produced by sha256, or better yet, PBKDF2 or scrypt.” More information about js-nacl can be found here.
In summary, the bug that led to creating different hashes by bitcore-js is found in the generation of private keys for solutions that use the library for cryptography. Lisk uses bitcore-js for the random 12-word mnemonic generation only, not for private key generation, therefore this bug does not apply to Lisk.
About the Author
Tobias Schwarz is a full stack developer at lightcurve who is working on the Lisk project. Before he has been working for/with Nxt, Waves, Komodo and other Blockchain Softwares. Main interests are Cryptography, Blockchain, Javascript, NodeJS, Python, PHP and several other topics related to IOT and programming.
Contact Details:
Github: GitHub.com/tosch110
Twitter: @toschdev
Email: tobias@lightcurve.io
If you enjoyed reading this, please log in and click “Recommend” below. This will help to share the story with others.
