On March 29th, 2024, a backdoor was discovered in xz-utils, a suite of software that gives developers lossless compression. This package is commonly used for compressing release tarballs, software packages, kernel images, and initramfs images. It is very widely distributed; statistically, your average Linux or macOS system will have it installed for
8th of September
IOTA team has already responded to the paper published by Neha Narula.
It was me who created Curl and IOTA signature scheme in those old days when there was no IOTA Foundation.
I feel obliged to provide my own response, but it will take several days.
To speed up the process I'm publishing my letters sent to Neha's team; they contain a lot of technical details which will be helpful to those who understand IT and Cryptography.
I've removed the words written by the others, so I don't need to ask them for permission (which would take a lot of time to get).
Spoiler for those who don't like reading walls of text:
For more than a decade I have been working on techniques of open-source software protection.
The following script allows everyone to spend; the shorter your signature the earlier you can spend.
OP_SIZE
OP_CHECKSEQUENCEVERIFY OP_DROP
OP_CHECKSIGVERIFY
The point R = 1/2 G has the smallest known x coordinate -- x = 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63. If the public key is chosen P = 1 G then the ECDSA signature becomes s=2(H(m)+x). So, the smaller H(m) the smaller s (as long as it is bigger than x ~ 2^165). Thus, the above output is spendable by the miner mining the lowest TX hash.