Strengthen Digital Signature Order with airSlate SignNow
Why choose airSlate SignNow
- Free 7-day trial. Choose the plan you need and try it risk-free.
- Honest pricing for full-featured plans. airSlate SignNow offers subscription plans with no overages or hidden fees at renewal.
- Enterprise-grade security. airSlate SignNow helps you comply with global security standards.
Your step-by-step guide — strengthen digital signature order
By adopting airSlate SignNow’s electronic signature, any organization can speed up signature workflows and sign online in real time, giving an improved experience to consumers and staff members. Strengthen digital signature order in a couple of easy steps. Our mobile apps make work on the move achievable, even while offline! eSign documents from any place in the world and make tasks faster.
Follow the stepwise instruction to strengthen digital signature order:
- Log in to your airSlate SignNow profile.
- Locate your document within your folders or upload a new one.
- Open the template and make edits using the Tools menu.
- Drop fillable boxes, add text and eSign it.
- List several signees via emails and set the signing order.
- Choose which users will receive an executed copy.
- Use Advanced Options to reduce access to the document and set an expiration date.
- Tap Save and Close when finished.
Furthermore, there are more advanced features available to strengthen digital signature order. Add users to your collaborative workspace, view teams, and monitor teamwork. Numerous people across the US and Europe agree that a system that brings people together in a single cohesive environment is what businesses need to keep workflows running smoothly. The airSlate SignNow REST API enables you to integrate eSignatures into your application, website, CRM or cloud storage. Try out airSlate SignNow and enjoy quicker, smoother and overall more effective eSignature workflows!
FAQs
- How can I create a digital signature?
  Suggested clip: "*FAST* How to set up a Digital Signature in airSlate SignNow Reader DC" (YouTube).
- How do I create an electronic signature?
  Draw your signature using your finger or a stylus. If you have access to a touchscreen, you can use your finger to create an electronic signature directly in your document. ... Upload an image of your signature. ... Use your cursor to draw your signature. ... Use your keyboard to type in your signature.
- What does an electronic signature look like?
  airSlate SignNow is an electronic signature provider empowering users to sign documents online using legally binding eSignatures. ... Most electronic signatures look identical to pen and paper signatures. When creating your electronic signature with airSlate SignNow, you have the option to: Draw in your signature using your mouse.
- How can I use a digital signature?
  Choose the Fill & Sign tool from the airSlate SignNow dashboard and open the document you need to sign. Click the Sign tool, then Add Digital Signature. Please note that digital signatures must be enabled by your airSlate SignNow administrator. Select the cloud-based digital ID certificate, then click Apply.
- How do digital signatures and certificates work?
  A digital certificate is an electronic document issued by a Certificate Authority (CA). It contains the public key for a digital signature and specifies the identity associated with the key, such as the name of an organization. The certificate is used to confirm that the public key belongs to the specific organization.
- Why are digital signatures useful?
  Through the use of a trusted third party, digital signatures can be used to identify and verify individuals and ensure the integrity of the message. As paperless, online interactions are used more widely, digital signatures can help you secure and safeguard the integrity of your data.
- What is a digitally signed certificate?
  A Digital Signature Certificate is a secure digital key that is issued by the certifying authorities for the purpose of validating and certifying the identity of the person holding this certificate. Digital signatures make use of public key encryption to create the signatures.
- Why is a digital signature important in the current era?
  Electronic signatures are making life easier for records management leaders, human resources employees, and managers in a variety of industries. The technology empowers these workers to gather signatures from customers and employees and manage key documents and records with minimal effort.
- How are digital signatures used for authentication?
  Digital signatures are the public-key primitives of message authentication. ... They are used to bind the signatory to the message. Similarly, a digital signature is a technique that binds a person/entity to the digital data. This binding can be independently verified by the receiver as well as any third party.
- What are three uses for digital signatures?
  Digital signatures are used to meet three important goals of information security: integrity, authentication, and non-repudiation.
- How do I validate an expired digital signature in PDF?
  To let Acrobat or Reader accept an expired timestamp, select Use Expired Timestamps in the Signature Verification Preferences dialog box (Preferences > Signatures > Verification: More). Acrobat and Reader display an alert message when validating signatures with an expired timestamp.
- Do signatures really matter?
  People most certainly do check to see if it's your signature. Banks, for example, have what's called signature cards. If you come into the bank and wish to access some information for, say, a company ... So that's why signatures still matter.
- Is an e-signature legally binding?
  Electronic Signatures in Global and National Commerce (ESIGN) Act. ... For an electronic signature to be legally binding under the ESIGN Act, it is recommended that all electronic signature workflows include: Intent to sign. Similar to ink signatures, a signer must show clear intent to sign an agreement electronically.
- What is a digital signature certificate and how does it work?
  A digital signature is a process that guarantees that the contents of a message have not been altered in transit. When you, the server, digitally sign a document, you add a one-way hash (encryption) of the message content using your public and private key pair.
- Do airSlate SignNow links expire?
  With this configuration, airSlate SignNow Envelope Notification links will not expire so long as the recipient has not yet completed authentication. ... This means that after successfully authenticating, the link will expire after 5 accesses or 48 hours.
Strengthen digital signature order
Okay, great. So I'm going to talk about... this is like a fun paper, but we're here for fun, so that's good. There are no major vulnerabilities here, which is good, so we'll just have some fun.

The setting for this work, and this is kind of the theme of a lot of my research: you guys are all familiar with the law of large numbers, right? These sort of statistics: the average behavior converges almost surely to the expected value as the number of samples increases; you expect things to essentially converge this way. So there is a counterpoint to this law, which was formulated by Diaconis and Mosteller, which is that when a sample size is large enough, any outrageous thing is likely to happen. Okay, so if you want to show the existence of some kind of strange thing, then you just collect enough data points and you will find some weird outliers. Okay, so in the cryptographic context I would like to formulate a cryptographic law of truly large numbers, which is that if you're given samples from enough independent cryptographic implementations, any outrageous vulnerability is likely to be present. So this is essentially my conjecture; I conjecture this off of a number of data points, which is essentially my publication record. So this is my form, you know, this is how I got tenure, I don't know about you guys.

So in that spirit, this paper, this work, which I should mention is joint with Joachim Breitner, who is at DFINITY, is taking advantage of this observation. So I guess it was sort of nice that we got an introduction to elliptic curve Diffie-Hellman in the last talks, and now we're going to talk about ECDSA in this talk. So we don't care about the elliptic curve aspect at all, we just care about the DSA aspect, but most people are using ECDSA and not finite field DSA, so we'll push ahead with elliptic curves.

So ECDSA: we have global parameters, we have an elliptic curve E, we have some generator which has order n, your private key is some integer, your public key is, you know, that integer times your generator point. We also don't really care about those details. So in order to sign a message you hash it, possibly in some complicated way. Did you know that most ECDSA implementations hash the message twice? It's kind of weird, or one bit less secure than once. It's, yeah, it's a little odd; I did not know this until doing this paper, for whatever reason. So you learn amazing things. Okay, so you hashed the message, and we really don't care about the details of that; that doesn't really come into this. So we'll just say the message hash, we're going to treat it as an integer h, and we don't really care.

So each signature: ECDSA, the way it's originally written, is a randomized signature scheme, so you have a per-signature nonce, which is really like an ephemeral private key, some integer k. This k is extremely important, as we will see very shortly, and so this should be generated per signature. And then your signature itself is a pair of values r and s. r is the x-coordinate of k times your generator point, and this s value is computed as written down: k inverse times the hash of the message plus the private key times this r value, mod n. So that's just an integer, and for our purposes it's useful that this is just an integer, and this is done using normal integer modular arithmetic, so we don't care about all of this elliptic curve garbage; we can ignore that part, because that's hard and confusing.

So okay, as many of you in this room probably know, as I said, the value of k is extremely important. So this k must remain secret for all of the signatures you ever generate, or else your long-term secret key d is revealed, and using basic integer arithmetic you just invert this equation. Okay, very straightforward, a good undergrad intro crypto exercise, probably. You can amplify this a little bit; this is also super well-known: if this secret nonce k is ever reused to sign two distinct messages with different hashes h1 and h2, then it is trivial to compute this value of k, basically by solving two equations with two unknowns, and then you get this value of k, and then using the equation on the previous slide you can compute the long-term secret key, and then you're good. So this comes up over and over again, random number generation issues, blah blah blah; this is a well-known flaw, people have been explaining it for a long time. Okay, also a fun undergrad project.

The thing that we are going to be playing with in this talk is kind of an amplification of this, maybe, but it's much more complicated. So these nonces must be generated perfectly uniformly at random, or else, if they haven't been, we can possibly use a number of signatures to compute the long-term secret key d. And the way this works is we essentially have some nice linear relations that we can dump into a lattice. There's also an algorithm that uses Fourier analysis; we're going to ignore that for the purposes of this talk. So we dump this into a lattice and then the secret key is just spat out. And kind of the high-level version of these attacks is that if these secret nonces k_i are small, then the system of equations likely has only one solution, and lattices can magically find it, and if they are not small, there are other kinds of biases that can be exploited. So that's the big picture of what we're doing here.

The formulation of this problem: we already heard about the hidden number problem invoked once earlier this morning. So the way that we will formulate this problem is that essentially we have a system of equations with some unknowns, the signature nonces and the secret key d, and it looks something like this. These are nice linear equations, we know the coefficients here, and so we're just trying to solve for this secret key d. This is an alternative formulation of the hidden number problem, which was originally described by Boneh and Venkatesan in the context of actually breaking Diffie-Hellman with bits known; I haven't seen that exploited in the wild actually, just sort of interesting.

(Moving around: I like moving around, they'll deal with it, we'll prioritize the people in the room. Okay, I've been tied to my podium, tragically. So, roomful of attackers.)

Okay, anyway, so this is where we will briefly get into the scary lattice section, so half of you will be happy and half of you will be unhappy, but it's only a few slides, so then everybody can be happy, because we'll start breaking things. Okay, so we've already seen some of these lattice constructions; this is all sort of well-known, so I will just go through the lattice constructions briefly. So the hidden number problem, as I said, the way that I'm thinking about it: we want to find solutions to a system of linear equations that look something like this, where we have unknowns k_1 through k_m and the secret key d, and for the moment we're going to say that all of the k_i are small, so they're less than some bound B in absolute value. So if you read Boneh and Venkatesan's paper, they construct lattices that look something like this: you have your modulus n on the diagonal, and then you have one of your sets of coefficients along the bottom row, and then you want to solve the closest vector problem with a target vector that consists of the other set of coefficients, and it just so happens that once you find the closest lattice vector, conveniently the distance will consist of a vector of all the nonces, so you expect this to be small, since we said the nonces are all small, and so then the solution is just sort of spat out and we can solve for d. Okay, you can work out how well this works. If you actually try to implement this, you know, solving CVP is annoying; if you just want to press a button, it's much easier to find short vectors than closest vectors, unless... if you're super lazy. So what everybody who is doing side-channel attacks and stuff does now is basically embed this lattice into a one-dimension-larger lattice, and then you can just find a short vector and it will just spit out the answer for you, and so you don't even have to back-solve for anything. So here we've just added the target vector to the bottom and added some scaling factors, and it will just spit out the private key as a shortest vector. So that's cool, so this is what we are doing. There are a lot of papers, actually... I'm going to get off the stage again... okay, there are a bunch of papers that get these scaling factors wrong, actually, which is kind of interesting. Okay, but the only thing that that means is that you have to look a little bit harder for the secret key. Okay.

So this works. How well does this work? Well, we do a little bit of back-of-the-envelope lattice math, ignoring all of the approximation factors, because we're only dealing with really small lattices here. So the dimension of our lattice is, say, the number of signatures that we have plus two; the determinant is whatever this is, it depends on the bound and the modulus. So ignoring the approximation factors, because the largest lattice that we look at is like 40 dimensions, if we use the LLL or BKZ lattice reduction algorithms, we should find some vector that is approximately the determinant of the lattice to the one over the dimension, and we're looking for a vector with length that's basically the square root of m times whatever our bound is, and if we plug that in and solve, then we get that the log of our bound should be less than that, and if you want to put in the approximation factor for lattice reduction, then that adds a little term here. Okay, but generally the thing that we care about is that as we increase the number of signatures we expect this to grow towards log n but never actually reach it. So this means that our bound, you know, it starts relatively small, so we expect it to start like n to the two over four for two signatures, and then grow to approach, but never quite reach, the length of n. Okay.

So the original Boneh and Venkatesan paper, they cared about the limiting behavior, so you can reach that limit essentially, or you can't really get past setting m equals square root of log n. We care much more about concrete parameters. So with two signatures we get a pretty good success rate, and we specialize to a 256-bit curve, so we have a 256-bit n, so the length of a small nonce that we can solve for with two signatures is 128 bits; this has some failure rate. With three signatures we can solve for a 170-bit nonce, with four signatures we can solve for a 190-bit nonce, and so on and so forth. I got these empirically. So yeah, and the point at which lattice reduction starts to get too slow to run millions of times is, say, forty-dimensional lattices, so we stop there, so we can solve for 248-bit nonces with the forty-dimensional lattice.

Yeah, sure, do you want to come to a mic?

Audience: Okay, so in order for this to be solvable, you need a property of these nonces, that they are, you keep saying that they're short.

Speaker: Yes, they're small.

Audience: So this is a little different from the way you'd normally think of this, where the problem is that the nonces have a few bits that are predictable.

Speaker: Mm-hmm. So if the nonces have a few bits that are predictable, then you just add the term of the most significant bits, and then the rest of it is this short piece.

Audience: Okay, so it would have to be specific bits. It wouldn't just be that there's something about them that's slightly distinguishable or something; they'd have to be like some specific bits are biased.

Speaker: Yeah. Okay, so with the lattice attacks, basically if you have a side-channel attack that's giving you some predictable bits, you can, say, shift them to the most significant bits, and then you have a small piece that is not predictable; that's what you're solving for, and then you just add the term that corresponds to the bits that you do know, and you have to know where they are.

Audience: Okay, thanks.

Speaker: Oh yeah, Fourier analysis works a little bit differently; we are specializing to the lattice attacks. This is great, really breaking all the rules here.

Okay, a few variants of this. So we don't necessarily have to have most significant bits all zeroes; we can solve for most significant bits known, and this is not known, the same way, by adding one more signature. So say we have two nonces that have most significant bits that are the same but we don't know what they are; we just know that they're the same. We can subtract them; we can subtract the signatures, and subtracting the signatures gives you a difference of nonces that's going to be all zeroes, and so now we're back in the short nonce case. So that is totally straightforward, so if for some reason somebody has generated a bunch of signatures with most significant bits all the same, we can just subtract one from all the rest of them and solve, and then we're done, so we just added one more signature to the number of signatures we need to solve. And we can also do pretty easily the least significant bits case, or middle bits, but we didn't even bother looking at that; it works the same. So you can subtract your signatures, which results in just subtracting the nonces, which gives you least significant bits that are all zeroes, and then we can multiply by a power of two to shift those known least significant bits to the most significant bits, and then we get the same case as before of a short unknown sequence of bits. So everybody on board with our lattice technique? So we have a magic box: we can dump a bunch of signatures in and it will spit out the private key. That's the part that we care about. So that is the end of the scary lattice section; we are done with math for this talk. Now we start breaking stuff.

All right, so fun times. Where can we possibly find billions of ECDSA keys and signatures, many of them generated by amateur enthusiasts? Cryptocurrencies! This is so great. So I wore my theme shirt today; the shirt is not my fault, I'm just wearing it. So okay, unfortunately we do have to worry about some of the details of the way that cryptocurrencies use cryptography in order to implement this stuff, and this caused a huge amount of grief. You have no idea how complicated this is unless you've tried to do it, in which case I'm with you in our shared suffering. So Bitcoin, Ethereum and Ripple all use the same elliptic curve for ECDSA, secp256k1, widely known weird choice. So the cartoon version of the way that they use it is that the sender is signing some hash of a transaction, and this gets recorded on the blockchain and sort of published to the internet. So identities are addresses, and these addresses are hashes of a public key, which is interesting because the hashes are both a cryptographic hash and lose information, so in fact if you parse the blockchain and you see a bunch of addresses, you don't actually know the public keys until an address sends currency somewhere else and generates a signature, which is interesting. So there can be lots of cryptocurrency associated with an address, incoming, but until it generates a signature itself with an outgoing transaction, we have our cryptographic hands tied, because we can't do anything with the address itself. So we can only look at addresses that have already spent money.

So okay, these transactions are recorded on each currency's blockchain, which is convenient for the attacker; everything is public. So if you want to start analyzing the cryptography, you can download a client, you can sync the blockchain and you can start parsing and extracting the signatures. And there's a star here because this is way more annoying in practice than it sounds. How many of you have tried to do this? Is it painful and grief-inducing? I have no idea why it's so complicated. And I should say that my co-author Joachim was the one who did this last part, and I was just like, can you please send me signatures. I think this is because the way that Bitcoin generates hashes of transactions is incredibly complicated, and it's changed, and so the only way that we could figure out to do this is to just modify the client to have it print stuff out while it was validating the signature, because it was just impossible to compute otherwise. And let's see, are there other weirdnesses? I think there's a few more. So okay, but the cartoon version of this is that you can just download the blockchain, you get a bunch of signatures and it's great. The non-cartoon version is that if you start looking at all of the Bitcoin analysis libraries that people have published out there, for some reason they assume that people don't want to actually examine the signatures, so they don't make it easy to get to them, and for some reason they assume that you don't actually want the concrete value of the hash of the transaction: why would anybody ever want that? So it's hard to get. Anyway, okay, so this, like much research, like what Matt was talking about earlier today, where there's a great little cryptographic component and then there's months of engineering: this is the months of engineering for this work.

All right, once we have a convenient way of extracting the signatures, here is our cryptanalysis program. So we will scrape the blockchains. So the Bitcoin blockchain, when we were looking at it, had a billion signatures in it, which is pretty cool. We can group them by the public key that generated each signature, so this resulted in, say, sixty million public keys for Bitcoin that had generated more than one signature. Then we can check for the two attacks that we talked about. So the easy attack is checking for repeated nonces, which is, you can just look for a duplicated r value in the signature, or you can also look for lattice attacks on the biased nonces as we described. We spent about 50 CPU-years running these, and at that point either you're rich and you can retire to some island without an extradition treaty, or you are not rich, in which case you publish a paper, and I'm here, so you can see what happened.

All right, so sort of the details of what we ran: we clustered the signatures by the public key, we selected random subsets of two, three, four and forty signatures and optimistically just ran the attacks for the short prefix and suffix nonces. So if the collection of signatures that we chose happened to be vulnerable, we would get the private key; if not, we would get nothing. And so I want to add one little extra weird snag in the way that these cryptocurrencies generate signatures, which is that they're really worried about having unique signatures. So, fact about ECDSA: the signatures (r, s) and (r, -s) both validate, and Bitcoin makes the signatures unique by choosing the smaller of s and -s in order to make them unique. This has the effect of negating k, the nonce, so for the prefix and suffix attacks, where we had to do the subtraction, we actually have to brute-force the signs of all the nonces, which is super annoying. Maybe there's a clever way to get around this, maybe Fourier analysis gets around this, but we did not do that, so there's some brute-forcing going on.

Okay, so what did we find? Okay, so I'll start with the easy case, which is the repeated nonce k values. So this has been analyzed many times by academics since 2013, so we'll just summarize what you find. So here the x-axis is signatures over time with repeated values, and then the size of the little circles there is the number of signatures on that date with a repeated nonce. So Bitcoin: out of the billion signatures, two and a half million of them have a non-unique k; these come from 1,300 unique keys. Ethereum: there's a smaller number of keys and a smaller number of signatures, and Ripple also. There are multiple attackers who are systematically scanning the Bitcoin blockchain and stealing all the money from anybody who produces a signature with a non-unique nonce, so there was no money in the Bitcoin case; there actually were funds in the Ethereum and Ripple cases, so people were not looking for this yet in Ethereum and Ripple. You may notice that there's something interesting going on here with one of the values, so I'll talk about that shortly.

Okay, what do we find with the lattice attacks? You might expect that we would find nothing, because of course who would be stupid enough to make a mistake there, but in fact we found a number of things. So the y-axis is the format of the nonce that we found, prefixes or suffixes, and the length of the random part, and so we actually found 6,000 signatures from 300 keys in Bitcoin. These contained 0.008 Bitcoin, which is I think 30-something dollars, and in Ethereum there were five signatures from one key; they contained some ether, and we also found some SSH keys that were vulnerable due to this attack.

So I will now go through a few stories. So what is going on with this giant circle here? So this value, so 99.9% of the repeated Bitcoin nonce values are that number. This is (n-1)/2, where n is the order of the elliptic curve used for Bitcoin, and it is a weird fact: the x-coordinate of 1/2 times the generator point has 166 bits instead of 256, so for all of these signatures the r value is shorter by 11 bytes. I'm doing Kelsey's expression right now, for those of you at home.

Okay, so why are people doing this? Well, apparently the suggestion to do this in the context of Bitcoin, the reason that people are generating these signature values, is that Greg Maxwell suggested this to clear dust transactions, so small amounts of cryptocurrency left in particular addresses, and I guess you pay for the length of your transaction, and so by having a signature that is shorter by 11 bytes you save a small amount in transaction fees. Okay, that's why people are doing this, but the bigger question is why does this value have this property, and somehow the Bitcoin people figured this out and are taking advantage of it, but then this isn't actually a documented property of this curve; it seems to be an artifact of the way it was generated, and nobody I have talked to, you know, knows why it has this property, but it is the case that a number of the other curves of this type also have this property: some of them produce the same value and some of them have variants of this value. It also turns out that the generation procedure for these curves was not documented, so this tells us something, perhaps. I mean, I've talked to a number of people about this and it's an ongoing mystery, but we're discovering more things as we go along. So this is telling us something about how these curves are generated, probably, because you would never expect this to happen at random, and you may notice that 166 bits is intriguingly close to 160 bits, which is the length of, say, a SHA-1 hash of something, but it's not 160 bits, it's 166 bits, so they're not just merely hashing something and incrementing; it's like hashing and then appending, and if people would like to see more, I can show you a little bit of what we figured out. So these are fun things that you find when you look at public key infrastructure.

Okay, we will continue on to further fun things that we found. So one of the compromised keys from repeated nonces we traced to Dark Wallet. We were basically just googling addresses to figure out what they were, because of course there isn't much metadata in Bitcoin itself that would tell us. So this was part of a three-out-of-five multisignature address, so that means this address is associated with a number of keys, and you need signatures from at least three of those keys in order to send money out of the address, and this was used for donations to Dark Wallet. At the time that we were looking, this address held a large number of funds, pretty significant, so we thought that they might care about the fact that one of their keys had been compromised, and so I got in contact with one of the authors of this site, who is a very interesting person; both of the people are very interesting. Cryptocurrency people are strange. So I'm chatting with him and I was like, so can you tell me how you generated these signatures, because it would be interesting to know what implementation it was and we could trace this down, and he said, it's either me, I was calculating the signatures manually, or my friend who was working on Dark Wallet; it might have been an earlier version. So, calculating the signatures manually: there's a lot of money in here and it's just kind of hand-generating ECDSA signatures, and oops, you forget to seed your RNG and then you've compromised your key. So this is the state of cryptographic software.

So some more human factors. So after finding some very small nonces, we brute-forced all the 32-bit nonces, so this compromised 275 signatures from 52 keys. Some of the nonce values that we observed were obviously not randomly generated, so people are having fun. Yes, I mean, I guess we could try to get some confidence values; if we had some prior here then I could... I don't know what the confidence interval for this is. Anyway.

So okay, on a slightly more serious note, there have been a number of random number generation vulnerabilities that have impacted Bitcoin over several years. Two of the most prominent ones: there was a bad vulnerability in Android SecureRandom; they were, I think, not getting a fresh state on a fork, and so there were a number of repeated nonces, and a lot of people got large numbers of funds stolen because of repeated nonces generated from Android Bitcoin wallets in 2013. There was also a vulnerability in the blockchain.info wallet; I think the vulnerability started in 2015. There was an issue where they were seeding from random.org, and random.org changed to redirect from HTTP to HTTPS, and so blockchain.info was pulling the data from there, but then when this redirect happened they were just getting the 403 redirect rather than the actual output that was supposed to be coming from random.org, and so this resulted in a constant seed for the random number generator. So we can see... I mean, it's hard to tell. I mean, these were two of the most highly publicized random number generator vulnerabilities in Bitcoin wallets, but these don't really seem to quite line up with what's going on here, so there's clearly a lot of other stuff happening.

Okay, I would like to talk about the small nonces, what is going on there. So most of the small nonces that we found were in one cluster of 64-bit nonces, almost all of which were multisignature addresses, and they seem to be confined to a particular set of dates, but this was all of the metadata that we had; we looked for the addresses, we could not figure this out. And so actually after we posted our paper online, Greg Maxwell wrote to us and he's like, based off of the set of characteristics, I think I know what caused this. And so it turns out that there was this library written by BitPay, and when they made an update to their library, they updated the sign function to use elliptic, in which they gave the wrong length of buffer for the length of the randomness that they were generating, and this update corresponds exactly with the beginning of the generation of these nonces. This was fixed relatively quickly; this was fixed only a few weeks later to have the correct length of nonce. So what is going on here? Well, I've marked the two dates here, so this is the beginning date and this is the date at which it was fixed, but by the point at which it had been fixed, this library had already been forked and was being used in a number of other projects, and the bug fix did not make it into these downstream projects, and so it continued to be used for quite a while afterward before being fixed. So yes, I think this says something about the fragility of ECDSA in general. Okay, this may also be a familiar story to everybody who's tried to report a vulnerability or fix a vulnerability in a product.

So okay, more fun. We tried looking for more 64-bit nonces, since with our lattice attacks we were just running them on a random subset of signatures; we were not guaranteed to find all of the vulnerable keys. But a 64-bit nonce you can actually compute outright if you want, so using Pollard rho or baby-step giant-step you could basically compute a 64-bit nonce in 2 to the 32 work. 2 to the 32 work times a billion signatures is not feasible still, so we altered the parameters a little bit to try to search for this. So essentially we did a precomputation: we precomputed a hash table of 2 to the 39 elements; this took up 2.2 terabytes. This was sized because the largest amount of RAM that I had on a single machine was three terabytes, so this is intended to fit into RAM, and then we precomputed a 2 to the 32 lookup table of the logs of these elements, so this took a few days on a few hundred nodes of my cluster to precompute. So then this let us do 2 to the 25 work to look up a signature. Unfortunately, the
lookup was still 2 to the 25 should be feasible but because you're looking up in this huge amount of memory there is no caching possible and so it turns out to actually be pretty slow it's about 10 seconds per lookup our machines to do this so we ran it for a couple weeks and checked a random subset of 140,000 signatures and the conclude tentative conclusion that we have is that 64-bit nonces are not much more common than the ones that we found so we found most of them probably okay so other fun here is a set of signatures that were generated by SSH servers that had a shared 32 bit suffix so you can see this value in blue is shared among all of these signatures so what is this if you google this value it turns out to be one of the round constants for sha-2 with change byte order of course but I don't know how this happened I don't know how you like I mean I assume somebody was trying to like use like sha to to generate their nonces which is like a good procedure but I don't know how you screw up your shot to implementation so that you get like a fixed value in the least significant bits of this so interesting we also have no idea what implementation this is so the final sort of screw up that I want to talk about is probably memory unsafe code so there were 54 signatures with a shared 128-bit suffix and the shared suffix is you can look so they have been grouped by suffix here and you can see that actually if you compare these to the secret keys that were associated with the nonces the 128 least significant bits of the nonce where the same as the 128 most significant bits of the secret key just weird so you might hypothesize that you know a possible explanation is that somebody writes some code where they get the length of the the secret key wrong and they accidentally like sort of overwrite a buffer and or sort of cops start copying things into the the key but the thing that's really interesting about this case is that these signatures when we looked at the 
addresses that were where the money was being transferred out of a lot of them had been published on the web somewhere so they were associated with mem like memory while many memory wallets that had easy to guess passwords like Android or something or they were contained in like example code from various implementations that had like just you know here's a sample address and here's how you generate like a transaction to sent to that address and people had like sent money to that address presumably copying the sample code and then someone had like then taken the money out of that address because the the secret key was there and so our hypothesis is that these transactions were actually generated by an attacker who is stealing money from these vulnerable addresses that have been revealed somehow already on the web and that the attackers code is the one with the memory safety vulnerabilities so I don't feel that bad about sort of dropping O'Dea here so there is a simple and well-known countermeasure to everything that I have been talking about and this has been known for years which is to use determining terminus to ECDSA you can generate your secret nonce by you know hashing or H Mac or whatever your secret key and your message hash and probably like basically any combination of this is essentially secure if and there's an RFC that does this all of the official libraries for the cryptocurrencies that we looked at Bitcoin etherion ripple or already do this and have been doing it for years so everything that we have been talking about is not from the official core libraries of these crypto currencies at two five five one nine bills and deterministic non generation from the start ECDSA probably should have but it didn't so sort of backing up a little bit sort of what are we doing here essentially we spend a lot of time thinking about cryptographic assumptions like as cryptographers these explicit assumptions like discrete log as hard a hash function behaves like a 
random Oracle you can argue about these maybe they're secure maybe they're not but you can actually sort of this is what we talked about like at conferences like this but there's a lot of implicit assumptions and cryptography also like the implementation is correct the random number generator is functioning the code implements all the required validation checks we've seen this be violated multiple times today and so like it seems useful to say to think more about these implicit assumptions when we're designing cryptographic schemes so I would sort of hypothesize that essentially fragility under human error should be a cryptographic design consideration we know that developers will make mistakes how do you minimize the damage one idea is to tie security to basic functionality like say a two five five one nine is trying to do that like it that your scheme is not correctly implemented if you don't do this and we'll see how this go like goes moving forward and sort of in general there's sort of a tension between diversity of having like a bunch of different primitives and implementations and baseline security so what we would like is to have like one library that's like really great it's been like formally verified it's been vetted but then if that library breaks them like everything breaks all at once so then you might think well okay maybe it's good to have diversity like not everything would break at once but then you get kind of this long tail of implementations which is what I've been exploiting in this talk so here is my last slide so we have other stuff in the paper like tables with numbers and more examples about implementations this paper was at financial crypto this year and it is on ePrint so thank you [Applause] okay thank you very much Nadia and there are already some questions I can imagine that there are other questions after this as well so anybody question or everybody wants to go to enjoy the reception okay so maybe I asked about this char to overflow 
or what was it can you imagine oh that it could be some other flow or boundary valuation that could be produced in the code or something possibly I mean I guess it feels sort of like but I mean it's unclear like why sort of these values would be sort of allocated next to the value that you're producing yeah yeah I mean I guess if you I guess if you like allocated this whole table and then like the next thing that's allocated is like the buffer your copy and then you and then it's the wrong length and so you accidentally like copy over into the last value yeah maybe so we have we have no idea what this library is so I mean you can rerun the calculation and find the same list of hosts and play with them maybe without violating the CFA and but yes we don't know what they are okay so I would say thank you very much for attending this workshop and enjoy the reception the second workshop day tomorrow and the rest of the conference so thank you very much [Music] [Applause]
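The countermeasure the talk closes on, deterministic nonce generation per RFC 6979, as an added example that is not code from the talk or the paper: it derives the ECDSA nonce k from the private key and the message hash with HMAC-SHA256 over the secp256k1 group order, so a broken or unseeded RNG can no longer leak the key. The expected value for private key 1 and the message "Satoshi Nakamoto" is the community-published secp256k1 test vector, not a value from the page.

```python
import hashlib
import hmac

# Group order of secp256k1 (the curve used by Bitcoin); nonces must lie in [1, N-1].
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
QLEN = 256  # bit length of N
RLEN = 32   # byte length used by int2octets (RFC 6979 section 2.3.3)

def _int2octets(x: int) -> bytes:
    return x.to_bytes(RLEN, "big")

def _bits2int(b: bytes) -> int:
    # Keep only the leftmost QLEN bits of the string (RFC 6979 section 2.3.2).
    v = int.from_bytes(b, "big")
    excess = len(b) * 8 - QLEN
    return v >> excess if excess > 0 else v

def _bits2octets(b: bytes) -> bytes:
    return _int2octets(_bits2int(b) % N)

def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Derive the ECDSA nonce k deterministically from (private key, message hash)."""
    # Steps (b)-(h) of RFC 6979 section 3.2, with HMAC-SHA256 as the PRF.
    V = b"\x01" * 32
    K = b"\x00" * 32
    key_msg = _int2octets(priv) + _bits2octets(msg_hash)
    K = hmac.new(K, V + b"\x00" + key_msg, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    K = hmac.new(K, V + b"\x01" + key_msg, hashlib.sha256).digest()
    V = hmac.new(K, V, hashlib.sha256).digest()
    while True:
        T = b""
        while len(T) * 8 < QLEN:
            V = hmac.new(K, V, hashlib.sha256).digest()
            T += V
        k = _bits2int(T)
        if 1 <= k < N:
            return k
        # Candidate outside [1, N-1]: re-key and draw again (practically never happens).
        K = hmac.new(K, V + b"\x00", hashlib.sha256).digest()
        V = hmac.new(K, V, hashlib.sha256).digest()

def nonce_for_message(priv: int, msg: bytes) -> int:
    """Nonce for signing sha256(msg) with priv; same inputs always give the same k."""
    return rfc6979_nonce(priv, hashlib.sha256(msg).digest())

if __name__ == "__main__":
    # Published secp256k1 / SHA-256 vector: private key 1, message "Satoshi Nakamoto".
    print(hex(nonce_for_message(1, b"Satoshi Nakamoto")))  # 0x8f8a276c19f4149656b280621e358cce24f5f52542772691ee69063b74f15d15
```

Because k is a function of the key and the message, two signatures over different messages never share a nonce, and two over the same message share the whole signature rather than leaking the key.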