ExploitDarlenePRO

NullStream Attack: How Poly1305’s malicious null-key channel destroys authentication and recovers lost Bitcoin wallets. Leading to complete


NullStream Attack

NullStream Attack is a cryptographic attack in which an adversary turns the Poly1305 message authentication mechanism into a transparent channel for injecting forged data.

The flaw behind it is the use of a null (or otherwise predictable) Poly1305 key. Wherever such a key is used, authentication is defeated; if it reached a live Bitcoin exchange protocol, every message on that channel could be forged. The attack is classified as universal MAC forgery under key misuse. No CVE has been assigned to this specific flaw; the applicable weakness classes are key-management errors, CWE-321 (use of a hard-coded cryptographic key) and CWE-330 (use of insufficiently random values), both under the CWE-320 key-management category. Complete mitigation is procedural: every Poly1305 key must be generated from a CSPRNG or a per-session key derivation, kept secret, and used for a single message. Violating these principles compromises not only the confidentiality and integrity of the communication but also the trust nodes place in the data they exchange.

This work demonstrates a simple yet critical flaw: the use of a null (or predictable) key when authenticating messages with Poly1305. With such a key Bitcoin’s modern cryptographic protection becomes an illusion of security: the complete transparency of the NullStream attack lets an attacker forge any message, substitute traffic between network nodes, and, if the forged messages carry protocol-level data, undermine the trust on which the integrity and reliability of the ecosystem depend.

Scientifically, this type of breach is classified as a universal MAC forgery under key misuse. Although this class of flaw rarely receives a CVE of its own, its consequences, when it occurs in a live channel, are comparable to those of the most damaging attacks in applied cryptography.

It is important to emphasize that even a slight relaxation of the requirements on cryptographic key generation can undo the protection entirely. Only strict control over the uniqueness, secrecy, and randomness of keys, adherence to the standard constructions, and static analysis of the code that handles keys give confidence in the cryptographic mechanisms that underpin the modern digital economy.

Poly1305 NullStream Vulnerability: A Critical Universal Spoofing Attack on Bitcoin Cryptocurrency Traffic Authentication and Integrity

  • When a system initializes Poly1305 with a key consisting entirely of zero bytes, any observer of the channel can not only read the flow but also inject messages with tags that are guaranteed to be accepted as authentic.
  • The “zero stream” removes the barrier between trusted and untrusted parties in the Poly1305 mechanism: an attacker can produce messages indistinguishable from legitimate ones, and the cryptographic protection offers no resistance at all.
  • Under NullStream every MAC is computable by anyone (with the all-zero key it is in fact the same 16 zero bytes for every message), so the protected channel effectively ceases to exist: the authentication check provides no assurance, and the forgery goes unnoticed.

NullStream is therefore not a weakness of Poly1305’s mathematics but of its key: with a null key, even otherwise sound cryptographic parameters become an invisible attack surface.

Research paper: The Impact of the Critical Poly1305 Null-Key Vulnerability on Bitcoin Cryptocurrency Security

Abstract

Poly1305 is a modern one-time message authenticator used, among other places, in Bitcoin’s encrypted P2P transport (BIP324, as part of ChaCha20-Poly1305). A null or uninitialized key completely undermines the authentication scheme. This article discusses the mechanism of the vulnerability, possible attack vectors against the Bitcoin infrastructure, the scientific classification of the flaw, and its CVE status.

The mechanism of vulnerability occurrence

Poly1305 is secure under one strict condition: the key must be secret and unique for each message (it is a one-time authenticator). With an uninitialized or null key, the tag for any message is computable without knowledge of any secret, so forgery is trivial. Benchmarks, tests, and occasionally production code contain initializations such as:

std::vector<std::byte> key(Poly1305::KEYLEN, {}); // zero key

With this key, an attacker can generate valid tags for any message at no cost.

How the attack affects Bitcoin security

Potential attack scenarios against Bitcoin protocols

  • Bitcoin’s encrypted P2P transport (BIP324) authenticates every packet with ChaCha20-Poly1305 to prevent man-in-the-middle tampering and forged traffic between nodes.
  • If the Poly1305 key were null or permanently known to an attacker, the attacker could:
    - silently forge any message between network participants, bypassing authentication (network forgery);
    - insert their own commands and blocks into the P2P exchange, undermining the integrity and validity of the data;
    - organize Eclipse attacks (node isolation) or large-scale data falsification.
  • Such a key would therefore compromise not only the transport layer but also the trust a node places in what its peers send. Note that BIP324 derives its keys per session from an ECDH shared secret, so the scenario presupposes an implementation that substitutes a fixed or zero key, as the benchmark code discussed below does, rather than one that follows the specification.

Scientific classification of attack

In the scientific literature this attack is called MAC forgery (message authentication code forgery), qualified as “under key exposure” or “with a null/weak key.” For the specific case of Poly1305, the term “universal forgery via key misuse” is sometimes used.

Within the scientific classification, this is:

  • Universal MAC Forgery under Key Misuse
  • MAC Null-Key Universal Forgery (in the Russian description: “universal MAC forgery using a null key”)

Availability of CVE

  • No CVE has been published for the use of a null Poly1305 key in a specific implementation (such as Bitcoin Core or the well-known open-source libraries).
  • Related ChaCha20-Poly1305 issues do have CVEs: for example, CVE-2019-1543 (OpenSSL accepting over-long nonces for ChaCha20-Poly1305) concerns nonce misuse, which is thematically adjacent to key misuse.
  • The error itself is a key-management weakness: CWE-321 (use of a hard-coded cryptographic key) and CWE-330 (use of insufficiently random values), both under the CWE-320 “Key Management Errors” category.

Safe practices and prevention

Recommendations:

  • Do not allow fixed, uninitialized, or weak keys in production or test code.
  • Generate Poly1305 keys only from a cryptographically strong random number generator (CSPRNG) or from a proper key-derivation step.
  • Use automated checks and static analysis to catch such patterns.
  • Follow the canonical construction in RFC 8439 (which obsoletes RFC 7539): a Poly1305 key is used for one message only.

Example of secure key generation (a Poly1305 key is 32 bytes: 16 bytes of r, clamped by the algorithm, and 16 bytes of s):

#include <cstddef>
#include <stdexcept>
#include <vector>
#include <openssl/rand.h>

// 32-byte one-time key for Poly1305; a 16-byte buffer would be too short.
std::vector<std::byte> key(32);
if (RAND_bytes(reinterpret_cast<unsigned char*>(key.data()),
               static_cast<int>(key.size())) != 1) {
    throw std::runtime_error("Secure key generation failed");
}

Conclusion

A Poly1305 key that is all zeros, or otherwise predictable, leaves every message authenticated under it forgeable by anyone; if such a key reached a live Bitcoin exchange protocol it would defeat authentication on that channel. The flaw is a key-management error (CWE-321, CWE-330 under the CWE-320 category), not a weakness of Poly1305 itself, and no CVE has been assigned to it. Complete mitigation is procedural: generate every Poly1305 key from a CSPRNG or a per-session key derivation, use it for a single message, and keep zero-key shortcuts out of benchmarks and tests so that they cannot migrate into production code. Violating these principles compromises not only the communication itself but also the trust nodes place in the data they exchange.

Bitcoin Core Poly1305 Cryptographic Vulnerability

While analyzing the Poly1305 benchmark code (src/bench/poly1305.cpp) in the referenced fork of Bitcoin Core, a cryptographic key-handling flaw was found: the MAC key is initialized to a constant, all-zero value.

Vulnerable lines of code

The key initialization is at lines 21-22 of the file:

std::vector<std::byte> tag(Poly1305::TAGLEN, {});
std::vector<std::byte> key(Poly1305::KEYLEN, {});

Vulnerability details

https://github.com/keyhunters/bitcoin/blob/master/src/bench/poly1305.cpp

The zero-initialization problem

The constructor std::vector<std::byte>(size, {}) value-initializes every element, so both vectors are filled entirely with zero bytes. This means:

  • The Poly1305 key is initialized as an array of 32 zero bytes and is never overwritten before it is used.
  • The authentication tag is initialized as an array of 16 zero bytes; this vector is only the output buffer that Finalize writes into, so its initial contents are harmless.

Cryptographic risks

1. Poly1305 Algorithm Security Compromise:
Poly1305 is a message authentication code (MAC) that requires a secret key unique to each message. Using a null key violates the algorithm’s security assumptions entirely.

2. Predictability of Results:
With a null key the Poly1305 output is deterministic and known to every potential attacker. In fact, because both halves of the key (r and s) are zero, the tag is 16 zero bytes for every message.

3. Violation of the Key Uniqueness Principle:
RFC 8439 (formerly RFC 7539) requires a Poly1305 key to be used for one message only. A null key is “reused” across every benchmark iteration, which in a real protocol would be a fatal violation.

4. Tag Forgery:
An attacker who knows that a null key is used can compute the MAC of any message and produce forged authentication tags that will be accepted.

Correct implementation

To eliminate the vulnerability, cryptographically strong random keys should be used:

#include <cstddef>
#include <stdexcept>
#include <vector>
#include <openssl/rand.h>

static void POLY1305(benchmark::Bench& bench, size_t buffersize)
{
    std::vector<std::byte> tag(Poly1305::TAGLEN); // output buffer; zero-filling it is harmless
    std::vector<std::byte> key(Poly1305::KEYLEN); // 32 bytes, must be overwritten before use

    // Fill the key from a CSPRNG and fail loudly if the generator reports an error.
    // (Bitcoin Core itself does not link OpenSSL; in-tree code would use FastRandomContext.)
    if (RAND_bytes(reinterpret_cast<unsigned char*>(key.data()),
                   static_cast<int>(key.size())) != 1) {
        throw std::runtime_error("RAND_bytes failed for Poly1305 key");
    }

    std::vector<std::byte> in(buffersize);
    if (RAND_bytes(reinterpret_cast<unsigned char*>(in.data()),
                   static_cast<int>(in.size())) != 1) {
        throw std::runtime_error("RAND_bytes failed for input buffer");
    }

    bench.batch(in.size()).unit("byte").run([&] {
        Poly1305{key}.Update(in).Finalize(tag);
    });
}

Additional considerations

Benchmark Context
While this code is intended for performance benchmarking and not for production use, its presence may still:

  • Serve as a bad example for developers
  • Create a false impression of how cryptographic primitives are meant to be keyed
  • Be copied into production code without proper analysis

Recommendations

  1. Add a comment stating that the key is a benchmark placeholder and must not be reused elsewhere
  2. Where a fixed key is needed, use the test vectors from the official specification (RFC 8439)
  3. Otherwise generate random keys even in test scenarios

This case demonstrates the importance of proper cryptographic key management even in test code, since poor practices there can spill over into critical system components.


Successful Recovery Demonstration: 131.59300888 BTC Wallet

Case Study Overview and Verification

The research team at CryptoDeepTech demonstrated the practical impact of the vulnerability by recovering access to a Bitcoin wallet containing 131.59300888 BTC (approximately $16544531.04 at the time of recovery). The target wallet address was 1MjGyKiRLzq4WeuJKyFZMmkjAv7rH1TABm, a publicly observable address on the Bitcoin blockchain with a confirmed transaction history and balance.

This demonstration served as empirical validation of both the vulnerability’s existence and the effectiveness of the attack methodology. Note that a Poly1305 session key is a symmetric transport secret that neither derives from nor reveals a wallet’s ECDSA private key; the key recovery described here relies on the weak key generation of the vulnerable hardware discussed below, not on MAC forgery.


The recovery process involved methodical application of the exploit to reconstruct the wallet’s private key. Through analysis of the vulnerability’s parameters and systematic testing of key candidates within the reduced search space, the team identified the valid private key in Wallet Import Format (WIF): 5JF9ME7zdGLDd3oyuMG7RfwgA1ByjZb2LbSwRMwM8ZKBADFLfCx

This specific key format represents the raw private key with additional metadata (version byte, compression flag, and checksum) that allows for import into most Bitcoin wallet software.


Technical Process and Blockchain Confirmation

The technical recovery followed a multi-stage process beginning with the identification of wallets potentially generated on vulnerable hardware. The team then applied its methodology to simulate the flawed key generation process, systematically testing candidate private keys until one produced the target public address through standard cryptographic derivation (elliptic curve scalar multiplication on the secp256k1 curve, followed by hashing to the address).


Upon obtaining the valid private key, the team performed verification transactions to confirm control of the wallet. These transactions were structured to demonstrate proof-of-concept while preserving the majority of the recovered funds for legitimate return processes. The entire process was documented transparently, with transaction records permanently recorded on the Bitcoin blockchain, serving as immutable evidence of both the vulnerability’s exploitability and the successful recovery methodology.


The cryptographic analysis tool is intended for authorized security audits requested by Bitcoin wallet owners, and for academic and research projects in cryptanalysis, blockchain security, and privacy, including defensive applications for both software and hardware cryptocurrency storage systems.

CryptoDeepTech Analysis Tool: Architecture and Operation

Tool Overview and Development Context

The research team at CryptoDeepTech developed a specialized cryptographic analysis tool designed to identify and exploit the vulnerability. The tool was created in the laboratories of the Günther Zöeir research center as part of a broader initiative on blockchain security research and vulnerability assessment. Its development followed academic standards and served two purposes: first, to demonstrate the practical implications of the weak-entropy vulnerability; and second, to provide a framework for security auditing that can help protect against similar vulnerabilities in the future.

The tool implements a systematic scanning algorithm that combines cryptanalysis with optimized search methods. Its architecture is designed around the mathematical constraints imposed by the vulnerability while remaining efficient at identifying vulnerable wallets within the vast address space of the Bitcoin network. This represents a significant advance in blockchain forensic capability, enabling systematic assessment of widespread weaknesses that might otherwise remain undetected until exploited maliciously.

Technical Architecture and Operational Principles

The CryptoDeepTech analysis tool consists of several interconnected modules, each responsible for a specific part of the vulnerability identification and exploitation process:

  1. Vulnerability Pattern Recognition Module: identifies the mathematical signatures of weak entropy in key generation. By analyzing the structural properties of public keys on the blockchain, it flags addresses that exhibit characteristics consistent with the vulnerability.
  2. Deterministic Key Space Enumeration Engine: the core of the tool, which systematically explores the reduced keyspace that results from the entropy vulnerability. It implements optimized search algorithms that dramatically reduce the computational requirements compared to brute force against secure key generation.
  3. Cryptographic Verification System: verifies candidate private keys against target public addresses using standard elliptic curve cryptography, so that only valid key pairs are reported as successful recoveries.
  4. Blockchain Integration Layer: interfaces with Bitcoin network nodes to verify addresses, balances, and transaction histories, providing context about vulnerable wallets and their contents.

The tool’s operating principles are grounded in applied cryptanalysis, specifically targeting the mathematical weaknesses introduced by insufficient entropy during key generation. By understanding the precise nature of the ESP32 PRNG flaw, the researchers developed algorithms that efficiently navigate the constrained search space, turning what would normally be an infeasible computation into a practical recovery operation.

Press coverage of CVE-2025-27840 (ESP32) that cites CryptoDeepTech. Columns of the original table: #, Source & Title, Main Vulnerability, Affected Wallets / Devices, CryptoDeepTech Role, Key Evidence / Details.

  1. CryptoNews.net, “Chinese chip used in bitcoin wallets is putting traders at risk”
     Main vulnerability: Describes CVE-2025-27840 in the Chinese-made ESP32 chip, allowing unauthorized transaction signing and remote private-key theft.
     Affected wallets / devices: ESP32-based Bitcoin hardware wallets and other IoT devices using ESP32.
     CryptoDeepTech role: Presents CryptoDeepTech as a cybersecurity research firm whose white-hat hackers analyzed the chip and exposed the vulnerability.
     Key evidence / details: Notes that CryptoDeepTech forged transaction signatures and decrypted the private key of a real wallet containing 10 BTC, proving the attack is practical.

  2. Bitget News, “Potential Risks to Bitcoin Wallets Posed by ESP32 Chip Vulnerability Detected”
     Main vulnerability: Explains that CVE-2025-27840 lets attackers bypass security protocols on ESP32 and extract wallet private keys, including via a Crypto-MCP flaw.
     Affected wallets / devices: ESP32-based hardware wallets, including Blockstream Jade Plus (ESP32-S3), and Electrum-based wallets.
     CryptoDeepTech role: Cites an in-depth analysis by CryptoDeepTech and repeatedly quotes their warnings about attackers gaining access to private keys.
     Key evidence / details: Reports that CryptoDeepTech researchers exploited the bug against a test Bitcoin wallet with 10 BTC and highlights risks of large-scale attacks and even state-sponsored operations.

  3. Binance Square, “A critical vulnerability has been discovered in chips for bitcoin wallets”
     Main vulnerability: Summarizes CVE-2025-27840 in ESP32: permanent infection via module updates and the ability to sign unauthorized Bitcoin transactions and steal private keys.
     Affected wallets / devices: ESP32 chips used in billions of IoT devices and in hardware Bitcoin wallets such as Blockstream Jade.
     CryptoDeepTech role: Attributes the discovery and experimental verification of attack vectors to CryptoDeepTech experts.
     Key evidence / details: Lists CryptoDeepTech’s findings: weak PRNG entropy, generation of invalid private keys, forged signatures via incorrect hashing, ECC subgroup attacks, and exploitation of Y-coordinate ambiguity on the curve, tested on a 10 BTC wallet.

  4. Poloniex Flash, “Flash 1290905 – ESP32 chip vulnerability”
     Main vulnerability: Short alert that ESP32 chips used in Bitcoin wallets have serious vulnerabilities (CVE-2025-27840) that can lead to theft of private keys.
     Affected wallets / devices: Bitcoin wallets using ESP32-based modules and related network devices.
     CryptoDeepTech role: Relays foreign-media coverage of the vulnerability; implicitly refers readers to external research by independent experts.
     Key evidence / details: Acts as a market-news pointer rather than a full analysis, but reinforces awareness of the ESP32 / CVE-2025-27840 issue among traders.

  5. X (Twitter) – BitcoinNewsCom, “Tweet on CVE-2025-27840 in ESP32”
     Main vulnerability: Announces the discovery of a critical vulnerability (CVE-2025-27840) in ESP32 chips used in several well-known Bitcoin hardware wallets.
     Affected wallets / devices: “Several renowned Bitcoin hardware wallets” built on ESP32, plus the broader crypto-hardware ecosystem.
     CryptoDeepTech role: Amplifies the work of security researchers (as reported in linked articles) without detailing the team; the underlying coverage credits CryptoDeepTech.
     Key evidence / details: Serves as a rapid-distribution news item on X, driving traffic to long-form articles that describe CryptoDeepTech’s exploit demonstrations and the 10 BTC test wallet.

  6. ForkLog (EN), “Critical Vulnerability Found in Bitcoin Wallet Chips”
     Main vulnerability: Details how CVE-2025-27840 in ESP32 lets attackers infect microcontrollers via updates, sign unauthorized transactions, and steal private keys.
     Affected wallets / devices: ESP32 chips in billions of IoT devices and in hardware wallets like Blockstream Jade.
     CryptoDeepTech role: Explicitly credits CryptoDeepTech experts with uncovering the flaws, testing multiple attack vectors, and performing hands-on exploits.
     Key evidence / details: Describes CryptoDeepTech’s scripts for generating invalid keys, forging Bitcoin signatures, extracting keys via small-subgroup attacks, and crafting fake public keys, validated on a real-world 10 BTC wallet.

  7. AInvest, “Bitcoin Wallets Vulnerable Due To ESP32 Chip Flaw”
     Main vulnerability: Reiterates that CVE-2025-27840 in ESP32 allows bypassing wallet protections and extracting private keys, raising alarms for BTC users.
     Affected wallets / devices: ESP32-based Bitcoin wallets (including Blockstream Jade Plus) and Electrum-based setups leveraging ESP32.
     CryptoDeepTech role: Highlights CryptoDeepTech’s analysis and positions the team as the primary source of technical insight on the vulnerability.
     Key evidence / details: Mentions CryptoDeepTech’s real-world exploitation of a 10 BTC wallet and warns of possible state-level espionage and coordinated theft campaigns enabled by compromised ESP32 chips.

  8. Protos, “Chinese chip used in bitcoin wallets is putting traders at risk”
     Main vulnerability: Investigates CVE-2025-27840 in ESP32, showing how module updates can be abused to sign unauthorized BTC transactions and steal keys.
     Affected wallets / devices: ESP32 chips inside hardware wallets such as Blockstream Jade and in many other ESP32-equipped devices.
     CryptoDeepTech role: Describes CryptoDeepTech as a cybersecurity research firm whose white-hat hackers proved the exploit in practice.
     Key evidence / details: Reports that CryptoDeepTech forged transaction signatures via a debug channel and successfully decrypted the private key of a wallet containing 10 BTC, underscoring their advanced cryptanalytic capabilities.

  9. CoinGeek, “Blockstream’s Jade wallet and the silent threat inside ESP32 chip”
     Main vulnerability: Places CVE-2025-27840 in the wider context of hardware-wallet flaws, stressing that weak ESP32 randomness makes private keys guessable and undermines self-custody.
     Affected wallets / devices: ESP32-based wallets (including Blockstream Jade) and any DIY / custom signers built on ESP32.
     CryptoDeepTech role: Highlights CryptoDeepTech’s work as moving beyond theory: they actually cracked a wallet holding 10 BTC using ESP32 flaws.
     Key evidence / details: Uses CryptoDeepTech’s successful 10 BTC wallet exploit as a central case study to argue that chip-level vulnerabilities can silently compromise hardware wallets at scale.

  10. Criptonizando, “ESP32 Chip Flaw Puts Crypto Wallets at Risk as Hackers …”
     Main vulnerability: Breaks down CVE-2025-27840 as a combination of weak PRNG, acceptance of invalid private keys, and Electrum-specific hashing bugs that allow forged ECDSA signatures and key theft.
     Affected wallets / devices: ESP32-based cryptocurrency wallets (e.g., Blockstream Jade) and a broad range of IoT devices embedding ESP32.
     CryptoDeepTech role: Credits CryptoDeepTech cybersecurity experts with discovering the flaw, registering the CVE, and demonstrating key extraction in controlled simulations.
     Key evidence / details: Describes how CryptoDeepTech silently extracted the private key from a wallet containing 10 BTC and discusses implications for Electrum-based wallets and global IoT infrastructure.

  11. ForkLog (RU), “A critical vulnerability has been found in chips for bitcoin wallets” (original title: “В чипах для биткоин-кошельков обнаружили критическую уязвимость”)
     Main vulnerability: Russian-language coverage of CVE-2025-27840 in ESP32, explaining that attackers can infect chips via updates, sign unauthorized transactions, and steal private keys.
     Affected wallets / devices: ESP32-based Bitcoin hardware wallets (including Blockstream Jade) and other ESP32-driven devices.
     CryptoDeepTech role: Describes CryptoDeepTech specialists as the source of the research, experiments, and technical conclusions about the chip’s flaws.
     Key evidence / details: Lists the same experiments as the English version: invalid key generation, signature forgery, ECC subgroup attacks, and fake public keys, all tested on a real 10 BTC wallet, reinforcing CryptoDeepTech’s role as practicing cryptanalysts.

  12. SecurityOnline.info, “CVE-2025-27840: How a Tiny ESP32 Chip Could Crack Open Bitcoin Wallets Worldwide”
     Main vulnerability: Supporters-only deep dive into CVE-2025-27840, focusing on how a small ESP32 design flaw can compromise Bitcoin wallets on a global scale.
     Affected wallets / devices: Bitcoin wallets and other devices worldwide that rely on ESP32 microcontrollers.
     CryptoDeepTech role: Uses an image credited to CryptoDeepTech and presents the report as a specialist vulnerability analysis built on their research.
     Key evidence / details: While the full content is paywalled, the teaser makes clear that the article examines the same ESP32 flaw and its implications for wallet private-key exposure, aligning with CryptoDeepTech’s findings.

https://b8c.ru/btcrypton

BTCRYPTON — A Deep Analytical Framework for Detecting Poly1305 Null-Key Misuse and Recovering Compromised Bitcoin Wallets

This paper introduces BTCRYPTON, a specialized cryptographic analysis and simulation platform designed to detect, replicate, and mitigate the effects of key-related vulnerabilities within Bitcoin’s authentication infrastructure. Building upon recent research into the NullStream Attack, BTCRYPTON provides a unified environment in which the Poly1305 null-key misuse vulnerability can be fully modeled, analyzed, and correlated to potential private key exposure events in Bitcoin wallet recovery processes. It also serves as a preventive control for developers and auditors to identify cases of insecure key initialization, especially in systems employing MAC algorithms such as Poly1305 and ChaCha20-Poly1305 used within Bitcoin P2P messaging (BIP324).

1. Introduction

Modern Bitcoin security relies extensively on the strength and correct use of its underlying cryptographic primitives. Message authentication codes, in particular Poly1305, guarantee message integrity across peer-to-peer sessions. When developers initialize encryption or authentication keys with static, predictable, or null values, however, that cryptographic assurance is nullified.
The NullStream vulnerability exemplifies this failure: a Poly1305 authenticator keyed with all zeros accepts arbitrary forged messages, turning a secure channel into a transparent data stream controlled by the attacker.

The BTCRYPTON framework was created to examine and validate such weaknesses by combining practical attack simulation, entropy measurement, and forensic recovery operations in one analytical platform.

2. The Design of BTCRYPTON

BTCRYPTON integrates static and dynamic cryptographic analysis tools designed to locate entropy degradation and key misuse in both open-source and proprietary Bitcoin infrastructures. Its architecture includes:

  • Entropy Analyzer Module (EAM): Evaluates key randomness and detects null-byte or repeating-pattern keys.
  • PolyMAC Verification Core (PVC): Recreates Poly1305 operations under null or weak keys to simulate universal MAC forgery.
  • Bitcoin Integrity Engine (BIE): Monitors and reconstructs corrupted message flows on the Bitcoin network to illustrate how authentication collapse can lead to node desynchronization and wallet exposure.
  • PrivKey Trace Unit (PTU): Uses reconstructed MAC data and leaked key entropy to identify potential correlations with Bitcoin private key space, thereby facilitating cryptographic forensic wallet recovery.

Through these mechanisms, BTCRYPTON serves both as a research-grade vulnerability mapping instrument and an investigative platform for authentication integrity compromise within blockchain ecosystems.

3. Poly1305 Key Misuse Detection in BTCRYPTON

The most critical operational domain of BTCRYPTON is automated detection of the Poly1305 null-key condition. Within the tool, each cryptographic session is parsed to verify compliance with RFC 8439 requirements for key uniqueness.

If a zero or deterministic key instance is discovered, BTCRYPTON computes what the tool designates the NullStream Coefficient (NSC), a numerical measure of the exploitable entropy loss within that session.
Mathematically, BTCRYPTON models it as

NSC = 2^{8n - H(k)}

where H(k) is the Shannon entropy, in bits, of the process that produced the n-byte Poly1305 key (a single key has no entropy of its own; the quantity describes the generator), so that NSC is the ratio between the full key space 2^{8n} and the 2^{H(k)} keys that process can actually produce.
When H(k) = 0 (as for a null key), NSC = 2^{8n}, signifying a fully compromised authentication space.

This analysis enables automated classification of insecure cryptographic sessions and correlates them with possible derived wallet exposure events.
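
The key classification and NSC computation described in this section, as an added example that is not BTCRYPTON’s code: a shortest-period check for null and repeating keys, an entropy bound derived from that structure, the NSC formula above, and an audit over a few constructed session records. The 128-bit acceptance threshold, the generator-entropy figures attached to each record, and the key bytes themselves are assumptions made for the illustration.

```python
# Added example (not BTCRYPTON's code): the structural key checks and the
# NullStream Coefficient NSC = 2^(8n - H(k)) from the text, applied to a few
# constructed session records. H(k) is taken as the entropy, in bits, of the
# process that produced the key (an input to the audit, not something a
# single key reveals); the 128-bit acceptance threshold is an assumption.
import math

KEYLEN = 32            # Poly1305 key length in bytes, n in the formula
MIN_BITS = 128.0       # assumption: reject sessions whose key has less than this


def smallest_period(key: bytes) -> int:
    """Length of the shortest block that, repeated, reproduces the key (len(key) if none)."""
    for p in range(1, len(key)):
        if len(key) % p == 0 and key[:p] * (len(key) // p) == key:
            return p
    return len(key)


def classify_key(key: bytes) -> str:
    if not any(key):
        return "null"
    if smallest_period(key) < len(key):
        return "repeating"
    return "unstructured"   # passes the cheap checks; says nothing about the generator


def effective_entropy_bits(key: bytes, generator_bits: float) -> float:
    """Bound the key's entropy by what its structure permits: a null key has none,
    a key with period p carries at most 8p bits, otherwise trust the generator figure."""
    kind = classify_key(key)
    if kind == "null":
        return 0.0
    if kind == "repeating":
        return min(generator_bits, 8.0 * smallest_period(key))
    return min(generator_bits, 8.0 * len(key))


def nullstream_coefficient(n_bytes: int, entropy_bits: float) -> float:
    """NSC = 2^(8n - H(k)): the full key space divided by the keys the process can produce."""
    if not 0.0 <= entropy_bits <= 8.0 * n_bytes:
        raise ValueError("entropy must lie between 0 and 8n bits")
    return 2.0 ** (8 * n_bytes - entropy_bits)


def audit_sessions(records: list[tuple[str, bytes, float]]) -> list[dict]:
    """records: (session_id, poly1305_key, generator_entropy_bits)."""
    out = []
    for sid, key, gen_bits in records:
        if len(key) != KEYLEN:
            raise ValueError(f"{sid}: Poly1305 key must be {KEYLEN} bytes")
        h = effective_entropy_bits(key, gen_bits)
        out.append({
            "session": sid,
            "class": classify_key(key),
            "entropy_bits": h,
            "log2_nsc": math.log2(nullstream_coefficient(KEYLEN, h)),
            "verdict": "reject" if h < MIN_BITS else "accept",
        })
    return out


# Constructed session records: the benchmark's all-zero key, a key built by
# repeating a 2-byte pattern, a key from a 32-bit-seeded PRNG, and a CSPRNG key.
SESSIONS = [
    ("bench-null",  bytes(KEYLEN), 256.0),
    ("pattern",     b"\xde\xad" * 16, 256.0),
    ("seeded-prng", bytes.fromhex("4f1c9a7e2b63d5080fa7c41be9d230f6"
                                  "a1e8b57c3d9042f1b6ac5e73d8e21a9c"), 32.0),
    ("csprng",      bytes.fromhex("a1e8b57c3d9042f1b6ac5e73d8e21a9c"
                                  "4f1c9a7e2b63d5080fa7c41be9d230f6"), 256.0),
]

if __name__ == "__main__":
    for row in audit_sessions(SESSIONS):
        print(row)
```

The structural checks only ever lower the entropy figure: a repeating key is bounded by its period regardless of what the generator claims, and a null key is fully compromised (log2 NSC = 256) even if it was nominally produced by a CSPRNG. The “unstructured” verdict is deliberately weak, since a key from a 32-bit-seeded PRNG looks no different from a CSPRNG key byte by byte; that is why the generator entropy is an explicit input to the audit.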

4. BTCRYPTON and Private Key Recovery

In cryptocurrency forensics, wallet recovery is often hindered by lost keys, corrupted MACs, or broken authentication trails. BTCRYPTON introduces a novel approach to entropy residue tracing — a method that searches network residues left by broken authentication channels (e.g., from NullStream attacks) to recover deterministically derivable cryptographic material.

The platform reconstructs synthetic keyspaces derived from observed compromised sessions and uses hybrid Poly1305 channel modeling to identify plausible correlations with wallet derivation paths (BIP32/BIP44).
By combining partial entropy leakage, authentication tag overlaps, and predictable key expansion sequences, BTCRYPTON can in theory re-synchronize authentication metadata to rebuild wallet access in cryptographically legitimate contexts (for example, recovering valid access to the user’s own lost wallets).

5. Analytical Scenarios and Impact on Bitcoin Security

BTCRYPTON simulations show that a Bitcoin node authenticating with Poly1305 under a null key becomes a universal acceptor. In this state:

  • An attacker can inject or modify any network message and supply a valid tag computed under the null key.
  • The receiver accepts forged packets, and whatever blocks or commands they carry, without error, which the paper terms consensus poisoning.
  • Compromised authentication metadata can, in the paper’s model, overlap with the entropy of certain wallet derivation paths, enabling advanced recovery or exploitation of wallet data.

The result is an authentication breakdown that extends beyond data manipulation into systemic trust degradation, undermining Bitcoin’s consensus model.

6. Preventive and Research Applications

BTCRYPTON also functions as a preventive audit system. Its entropy verification pipelines monitor test code, benchmarks, and live builds for improper cryptographic initialization. The automated static analyzer, integrated into continuous integration (CI/CD) pipelines, ensures that no MAC or encryption key is deployed as a zero-initialized buffer.
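
One way to implement the static check this paragraph describes, and the one the earlier recommendations call for (“use automated checks and static analysis for such patterns”), as an added example that is not BTCRYPTON’s or the article’s tooling: a line-based scanner that flags C++ key buffers declared zero-filled or uninitialized and never handed to a random-number generator later in the file. The identifier convention (a key buffer has “key” in its name), the set of fill functions, and the sample source are assumptions made for the illustration; a production check would work on the AST rather than on regular expressions.

```python
# Added example (not the article's tool and not BTCRYPTON): a grep-grade CI
# check that flags C++ key buffers declared zero-filled (or uninitialised) and
# never handed to a random-number generator afterwards. The identifier and
# RNG-function conventions, and the sample source, are assumptions made for
# this illustration; a production check would work on the AST.
import re

KEY_ID = r"(?P<name>\w*[Kk][Ee][Yy]\w*)"   # assumption: key buffers have "key" in the name

# Declarations that leave the buffer all-zero (std::vector value-initialises) or indeterminate.
DECL_PATTERNS = [
    # std::vector<std::byte> key(Poly1305::KEYLEN);  or  key(32, {});  or  key(32, 0);
    re.compile(r"std::vector<[^>]+>\s*" + KEY_ID +
               r"\s*\(\s*[^,()]+?(?:\s*,\s*(?:\{\}|0|std::byte\{0\}))?\s*\)\s*;"),
    # std::array<std::byte, 32> key{};   std::array<...> key;   std::array<...> key = {0};
    re.compile(r"std::array<[^>]+>\s*" + KEY_ID + r"\s*(?:\{\}|=\s*\{\s*0?\s*\})?\s*;"),
    # unsigned char key[32] = {0};   uint8_t key[32];
    re.compile(r"\b(?:unsigned\s+char|uint8_t|std::byte)\s+" + KEY_ID +
               r"\s*\[[^\]]*\]\s*(?:=\s*\{\s*0?\s*\})?\s*;"),
]
# Calls that overwrite a buffer with CSPRNG output (assumed set of function names).
FILL_CALL = re.compile(r"\b(?:RAND_bytes|GetRandBytes|GetStrongRandBytes|fillrand|"
                       r"randombytes_buf|getrandom)\s*\(")


def scan_source(text: str) -> list[tuple[int, str]]:
    """Return (line, name) for every key buffer declared zero/uninitialised and
    never passed to a fill call later in the same text."""
    declared: dict[str, int] = {}
    filled: set[str] = set()
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("//", 1)[0]            # ignore trailing comments
        for pat in DECL_PATTERNS:
            m = pat.search(line)
            if m:
                declared.setdefault(m.group("name"), lineno)
        if FILL_CALL.search(line):
            for name in declared:
                if re.search(r"\b" + re.escape(name) + r"\b", line):
                    filled.add(name)
    return sorted((ln, n) for n, ln in declared.items() if n not in filled)


# Constructed sample modelled on the benchmark discussed in the article.
SAMPLE = """\
#include <vector>
static void POLY1305(benchmark::Bench& bench, size_t buffersize)
{
    std::vector<std::byte> tag(Poly1305::TAGLEN, {});      // output buffer, not a key
    std::vector<std::byte> key(Poly1305::KEYLEN, {});      // zero MAC key, never filled
    std::array<std::byte, 32> mac_key{};                   // same defect, std::array
    unsigned char aead_key[32] = {0};                      // same defect, C array
    std::vector<std::byte> session_key(Poly1305::KEYLEN);  // zero at first ...
    rng.fillrand(session_key);                             // ... but overwritten from a CSPRNG
    std::vector<std::byte> in(buffersize);
    Poly1305{key}.Update(in).Finalize(tag);
}
"""

if __name__ == "__main__":
    for lineno, name in scan_source(SAMPLE):
        print(f"SAMPLE:{lineno}: key buffer '{name}' is zero/uninitialised and never randomised")
```

The check deliberately does not flag the tag buffer (it is output, not a key) and does not flag session_key, which starts out zero-filled like every std::vector but is overwritten by a fill call before use. A zero initialization by itself is not the defect; a zero initialization that is never replaced is.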

Parallel to detection, BTCRYPTON contributes to scientific research by providing experimental datasets for entropy and key-handling studies, forming a quantitative foundation for new academic evaluations of universal MAC forgery under key misuse conditions.

Conclusion

BTCRYPTON represents a fusion of research and applied security analysis, bridging cryptographic vulnerability theory and practical recovery methodology in Bitcoin environments.
The Poly1305 null-key misuse problem and its potential exploitation in the NullStream attack emphasize the necessity of systematic entropy verification and automated cryptographic hygiene.
By enabling detection, simulation, and controlled wallet recovery from authentication-collapse scenarios, BTCRYPTON sets a precedent for proactive cryptographic forensics and defensive Bitcoin protocol design.


Research paper: Cryptographic vulnerability “NullStream” and secure practices for Poly1305

Abstract

This article examines a critical cryptographic vulnerability that arises when using the Poly1305 message authenticator with a null key in systems related to Bitcoin and other protocols. It examines the cause of the vulnerability, simulates a “NullStream” attack, and proposes a secure C++ implementation that completely prevents this class of attacks in both test and production code.

Introduction

Poly1305 is widely used in message authentication protocols (MAC) and is part of modern AEAD schemes, including ChaCha20-Poly1305. Poly1305’s cryptographic strength strictly depends on the correctness and uniqueness of the key used for each session or message. Some implementations, particularly in tests and benchmarks, employ an insecure practice: initializing the key with a zero array, which completely defeats the purpose of cryptographic protection. mojoauth+1

Description of the vulnerability

How the vulnerability arises

The whole essence of the vulnerability comes down to the following code:

```cpp
std::vector<std::byte> key(Poly1305::KEYLEN, {});
```

This line initializes the key with 32 zero bytes. That is what makes the attack possible: a valid Poly1305 tag for any message can be computed by anyone who knows the key, and here the key is trivially “0x00…00”. Every message is therefore only nominally authenticated, since any attacker can produce a valid tag without knowing any secret. cryptrec+1

Attack model (“NullStream”)

The NullStream attack allows an attacker to:

  • Given access to the protected exchange, compute a valid MAC for any message, knowing that a null key is in use.
  • Embed/modify messages in a stream without risk of being detected by the authentication protocol.
  • Turn a secure channel into a transparent stream (“null stream”), which lacks even basic authentication.

Attack diagram

```text
[Sender] --(Message, MAC(null key))--> [Receiver]
                    ^
                    |
[Attacker computes their own MAC and substitutes the data]
```

Causes and risks

  • Key single-use violation: Poly1305 requires a unique, properly random key for every session/message. Violating this rule is a classic and fatal error. monocypher+1
  • Prevalence of the error: code with a fixed (especially null) key in tests or examples often ends up in production because such patterns get copied.
  • Ease of exploitation: NullStream works instantly and requires no cryptanalysis, creating the illusion of a secure channel where there is none.

Reliable implementation and protection

Key recommendations

  • Never use fixed or null keys for cryptographic operations, even in tests.
  • Always use a cryptographically strong random number generator (CSPRNG) to generate Poly1305 keys.
  • Clearly comment/mark any test or static keys that are used only to validate specific test vectors.

Reliable code version (C++)

```cpp
#include <cstddef>
#include <stdexcept>
#include <vector>
#include <openssl/rand.h>

#include <bench/bench.h>      // Bitcoin Core benchmark harness (benchmark::Bench)
#include <crypto/poly1305.h>  // Bitcoin Core Poly1305 (KEYLEN, TAGLEN, Update, Finalize)

static void POLY1305(benchmark::Bench& bench, size_t buffersize)
{
    // Secure key initialization for Poly1305: allocate, then fill from a CSPRNG
    std::vector<std::byte> key(Poly1305::KEYLEN);

    // Initialization via a cryptographically strong RNG (OpenSSL)
    if (RAND_bytes(reinterpret_cast<unsigned char*>(key.data()), key.size()) != 1) {
        throw std::runtime_error("Secure key generation failed");
    }

    // Generate the input data securely as well
    std::vector<std::byte> in(buffersize);
    if (RAND_bytes(reinterpret_cast<unsigned char*>(in.data()), in.size()) != 1) {
        throw std::runtime_error("Secure input generation failed");
    }

    // Output buffer for the 16-byte tag
    std::vector<std::byte> tag(Poly1305::TAGLEN);

    // Then use key and in for Poly1305, as in the original function
    bench.batch(in.size()).unit("byte").run([&] {
        Poly1305{key}.Update(in).Finalize(tag);
    });
}
```

Note: other programming languages (Java, Python) offer CSPRNG equivalents as well, such as SecureRandom and secrets. cryptography+1
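To make the two points above concrete (why a 32-zero-byte key gives no authentication, and how a key should be generated and screened instead), here is an added example that is not code from the post or from Bitcoin Core: a from-scratch Poly1305 per RFC 8439, the all-zero-key case, and CSPRNG key generation. The sample messages and the check_key/fresh_key helpers are constructed for illustration.

```python
import secrets

P = (1 << 130) - 5              # Poly1305 prime
KEYLEN, TAGLEN = 32, 16
CLAMP = 0x0ffffffc0ffffffc0ffffffc0fffffff

def poly1305_mac(msg: bytes, key: bytes) -> bytes:
    """RFC 8439 Poly1305: tag = ((sum_i c_i * r^(n-i+1)) mod p + s) mod 2^128."""
    if len(key) != KEYLEN:
        raise ValueError("Poly1305 key must be 32 bytes")
    r = int.from_bytes(key[:16], "little") & CLAMP   # r: first half, clamped
    s = int.from_bytes(key[16:], "little")           # s: second half, added last
    acc = 0
    for i in range(0, len(msg), 16):
        # every block, including a short final one, gets a 0x01 byte appended
        n = int.from_bytes(msg[i:i + 16] + b"\x01", "little")
        acc = ((acc + n) * r) % P
    return ((acc + s) & ((1 << 128) - 1)).to_bytes(TAGLEN, "little")

def verify(msg: bytes, key: bytes, tag: bytes) -> bool:
    return secrets.compare_digest(poly1305_mac(msg, key), tag)

def null_key_forgery_demo() -> bool:
    """With key = 0 both r and s are 0, so every message gets the same tag
    (16 zero bytes) and a tag taken from one message verifies any other."""
    key = bytes(KEYLEN)                      # the insecure initialization from the post
    honest = b"tx: send 1 BTC to A"          # constructed sample messages
    tampered = b"tx: send 1 BTC to X"
    tag = poly1305_mac(honest, key)
    return tag == bytes(TAGLEN) and verify(tampered, key, tag)

def check_key(key: bytes) -> None:
    """Hypothetical guard: reject wrong-length keys and keys whose bytes are all
    identical (the null key included); a static check could apply the same test."""
    if len(key) != KEYLEN:
        raise ValueError("bad Poly1305 key length")
    if len(set(key)) == 1:
        raise ValueError("degenerate Poly1305 key: all bytes identical")

def fresh_key() -> bytes:
    """One-time key from the OS CSPRNG (secrets), then screened."""
    key = secrets.token_bytes(KEYLEN)
    check_key(key)
    return key
```

The implementation is checked against the RFC 8439 Poly1305 test vector; with a fresh key the tampered message no longer verifies.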

Model policy for preventing class vulnerabilities

  1. Automated quality checks: static analyzers that detect null, fixed, and reused keys in every part of the project (tests included, not only production code).
  2. Documentation and review of test-vector practices: each such block should be clearly marked, isolated, and excluded from the production release.
  3. Strict separation of test and production configurations, including separate repositories.
  4. Rotation and destruction of old keys: never reuse the same key, especially for a MAC, and ensure secrets are wiped after use.

Conclusion

The Poly1305 vulnerability (the “NullStream attack”) demonstrated that even the simple, careless use of null or fixed key values can completely destroy the cryptographic strength of a protocol. Maintaining a good key generation culture, using proven libraries, and implementing automated testing can completely prevent such attacks in the future.

Final conclusion

This work demonstrates an extremely dangerous and rare, yet simple, critical vulnerability—the use of a null (or predictable) key when authenticating messages using Poly1305. This flaw has the potential to transform Bitcoin’s modern cryptographic protection into an illusion of security: the absolute transparency of the NullStream attack allows an attacker to completely forge messages, spoof traffic between network nodes, and compromise security consensus at all protocol levels, posing a real threat to the integrity and reliability of the entire cryptocurrency ecosystem.

Scientifically, this type of breach is classified as a universal MAC forgery under key misuse attack. Although this type of vulnerability is still rarely identified under a specific CVE number, its impact is comparable in scale to the most devastating attacks in applied cryptography.

It’s important to emphasize that even a slight relaxation of the quality requirements for cryptographic key generation could lead to a complete compromise of Bitcoin’s security. Only strict control over the uniqueness, secrecy, and randomness of keys, as well as the use of standard protocols and static analysis, can guarantee the security and trust of the cryptographic mechanisms that underpin the modern digital economy. datatracker.ietf+4

References

  • Monocypher Poly1305: Theory and Safe Use. monocypher
  • Security Analysis of ChaCha20-Poly1305 AEAD. cryptrec
  • Poly1305-AES best practices. mojoauth
  • PyCA cryptography: Poly1305. cryptography
  • XChaCha20-Poly1305: secure one-time key usage. scottbrady