
Private key Generator Bitcoin

Bitcoin Exchanges / April 23, 2022

Yesterday, and approximately one year ago, issues were raised regarding the bitcore-js library; they investigated private key generation across different platforms.

A 12-word mnemonic passphrase is used to generate a key pair consisting of a private and a public key, which can represent an account within Lisk (or Bitcoin). The bitcore-js library provides the functionality needed to generate this key pair from the mnemonic passphrase.

In the referenced GitHub issues, it was noted that the bitcore-js private key generation eliminates leading zeros when creating the private keys, which results in a 31-byte string instead of the expected 32 bytes. This behaviour leads to different hash outputs on different machines, even though the same mnemonic passphrase is used. This could prevent account access on different machines.
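The following is an added example, not code from bitcore-js or Lisk. It shows how a key that starts with a zero byte shrinks to 31 bytes when it is round-tripped through a big integer without fixed-width padding, how that changes the hash, and how fixed-width encoding plus a strict length check avoids it. The key value, the helper names and the use of SHA-256 are assumptions made for illustration.

```javascript
// Added illustration: constructed values and hypothetical helper names.
const { createHash } = require('node:crypto');

const KEY_LEN = 32; // expected private key / seed length in bytes

// Constructed sample key whose first byte is 0x00.
const keyBytes = Buffer.concat([Buffer.from([0x00]), Buffer.alloc(31, 0xab)]);

// Interpret the key as a big integer, as a bignum-based routine would.
function toBigInt(buf) {
  return BigInt('0x' + buf.toString('hex'));
}

// Lossy: minimal-length encoding silently drops leading zero bytes.
function encodeMinimal(n) {
  let hex = n.toString(16);
  if (hex.length % 2) hex = '0' + hex; // whole bytes only
  return Buffer.from(hex, 'hex');
}

// Correct: always left-pad to the fixed key width.
function encodeFixed(n, len = KEY_LEN) {
  const hex = n.toString(16);
  if (hex.length > len * 2) throw new RangeError('value does not fit in key width');
  return Buffer.from(hex.padStart(len * 2, '0'), 'hex');
}

function sha256Hex(buf) {
  return createHash('sha256').update(buf).digest('hex');
}

// Guard to run before any key material is hashed or handed to a signer.
function requireKeyLength(buf, len = KEY_LEN) {
  if (buf.length !== len) {
    throw new RangeError(`expected ${len} bytes, got ${buf.length}`);
  }
  return buf;
}

const n = toBigInt(keyBytes);
console.log('minimal:', encodeMinimal(n).length, sha256Hex(encodeMinimal(n)));
console.log('fixed:  ', encodeFixed(n).length, sha256Hex(encodeFixed(n)));
```

Only keys with one or more leading zero bytes are affected, so the mismatch appears for a small fraction of passphrases and is easy to miss in testing.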

Lisk is not affected by this. We use the bitcore-js library to generate a 12-word mnemonic passphrase in the front end. However, private key generation is done by the NaCl library, which is not affected by this bug.

The library explicitly demands: “The input must be 32 bytes long.”

As stated by Brian Warner: “Ed25519 keys start life as a 32-byte (256-bit) uniformly random binary seed such as might be produced by sha256, or better yet, PBKDF2 or scrypt.” More information about js-nacl can be found here.

In summary, the bitcore-js bug that produces different hashes lies in private key generation and affects solutions that use the library for cryptography. Lisk uses bitcore-js for the random 12-word mnemonic generation only, not for private key generation; therefore this bug does not apply to Lisk.

Source: blog.lisk.io