Title: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: krashfire on January 03, 2023, 11:23:28 AM

I realize that you can't recreate the attack by using the R,S,Z(H) on blockchain.com. I am not sure why. I believe for different software, it can hash the signatures over and over and over again. So technically, we will never know what's the correct R,S,Z(H) signatures.
The only way is to create the R,S,Z signatures, which I did by inputting my public key's X,Y coordinates in the full code below.

Input Code:
Output Code:
"curve": "SECP256K1",

Massive credit to Bitlogik for the gen_input.py on https://github.com/bitlogik/lattice-attack

Then, with the R,S,Z(H) signatures given, I input the signatures in the code below. Originally coded by William J. Buchanan, and the article is written here: https://asecuritysite.com/ecc/ecd7
Modified by me to allow public keys and RSZ inputs.

Input Code:
Output Code:
I took one of the RSZ generated and created the same R signature to give out the K value (which does not matter because it was randomly generated) and I got the correct private key. However, I want to create a different R signature and now try out another attack (same nonce K used to sign a different message). What should I change at the R here? Or what is the correct formula in Python?

Quote
# Now generate a fault
rf = r
sf = (libnum.invmod(k,order)*(h+priv1*rf)) % order
hf = int(hashlib.sha256(msg2.encode()).hexdigest(),base=16)
kf = hf*(s-sf) * libnum.invmod(sf*r-s*rf,order)
valinv = libnum.invmod( (sf*r-s*rf),order)
dx = (hf*(s-sf)* valinv) % order

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: ymgve2 on January 04, 2023, 03:05:00 AM

The output of the first program doesn't contain a private key. How do you know 107749115139875514357274396597987236665757310837906895959705889341744968705665 is the correct private key for those values?
edit: just checked, the public key for that private key is

18937642771426163626487493468157767561404567341272835442397463474527806095299, 48085753477814850198787397705162128287610204980059015577563321458947326271695

which is NOT the public key you inputted in your script. In other words, your modified program gave the wrong solution.

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: ecdsa123 on January 04, 2023, 10:33:17 AM

Below is a link to "Lattice-based weak curve fault attack on ECDSA". First please read: https://eprint.iacr.org/2021/129.pdf
Maybe it will give you more information.

Calculating a new coeff as R=a*G + b*pub will not work, because then you must change the generator of the group. If you change the generator of the group, then you must use CRT, and so on. Will not work.

And a second, very important link: http://jbreier.com/files/papers/isic_2014_1.pdf (A Survey of the State-of-the-Art Fault Attacks)

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: ymgve2 on January 31, 2023, 12:56:21 AM

Quote
what do you think about this attack? How to make pubkeys from another curve to realise this attack:
[mod note: malware link removed]
https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md
have you any ideas?

Russian website that requires you to install obscure binary executables? What could possibly go wrong?

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: COBRAS on January 31, 2023, 01:01:06 AM
This is without Russian, English only: https://github.com/demining/Twist-Attack

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: ymgve2 on January 31, 2023, 01:05:40 AM

In the middle of that tutorial, it tells you to download a completely opaque "attacksafe" binary and run it. Some of the attack types listed for that program in the tutorial are pure nonsense and can't be done by a single program (like "supply chain attack" or "rowhammer attack") which makes me suspect it's just a trojan.

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: COBRAS on January 31, 2023, 01:15:35 AM

You can try to calculate the pubkeys Q11...Q64 yourself without using safeattack and find the priv: https://github.com/demining/CryptoDeepTools/tree/bbd83042e7405508cd2e646ad1b0819da0f9c58d/18TwistAttack

Question: how to calculate Q11...Q64, using the signature and base points P11..P64?

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: krashfire on January 31, 2023, 10:02:05 AM

Thanks cobra.. I will be trying that attack next.

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: COBRAS on January 31, 2023, 12:12:32 PM

Need to modify the signature we have to send to a fake base point (public key), and after that recalculate the sender's signature and get from the recalculated signature a new pubkey of the sender.

I ask at crypto.stackexchange now answer how to make attack!!! https://crypto.stackexchange.com/questions/103993/how-to-calculate-points-for-twist

This attack can be impossible to make, or works only from bug signatures I think.. unfortunately. But maybe we can copy the result of cryptodeep. I am waiting for when you start to try this attack.

Br

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: krashfire on January 31, 2023, 07:41:59 PM

Quote
Need to modify the signature we have to send to a fake base point (public key), and after that recalculate the sender's signature and get from the recalculated signature a new pubkey of the sender. I ask at crypto.stackexchange now answer how to make attack!!! https://crypto.stackexchange.com/questions/103993/how-to-calculate-points-for-twist This attack can be impossible to make, or works only from bug signatures I think.. unfortunately. But maybe we can copy the result of cryptodeep. I am waiting for when you start to try this attack. Br

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: COBRAS on January 31, 2023, 08:22:39 PM

great!

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: krashfire on February 04, 2023, 04:24:44 AM

Cobra.. that one is a paid version. I don't have money.
So I coded it myself. Just a simple twist attack in JavaScript. This works.

Code:
The following code is an example of an ECDSA secp256k1 twist attack.

Test it man.

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: COBRAS on February 04, 2023, 04:32:59 AM

Yes Bro. I will test and make a message.

Br

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: krashfire on February 04, 2023, 04:34:56 AM

This is in Python code.
Code:
#This example twist attack on secp256k1 uses the Python library 'ecdsa'

Title: Re: Recreated Fault Sig Attack on Bitcoin Wallet
Post by: COBRAS on February 04, 2023, 05:09:11 AM

File "HelloWorld.py", line 18
if Q.x() == pub_key.pubkey.point.x() and Q.y
^
SyntaxError: invalid syntax

?

Twist attack is like an invalid curve attack:

"For an invalid curve attack, you are not so much mapping points from a curve to another. The attacker chooses an appropriate point P on the new curve and send this malicious point, and the victim computes Q=x∗P. But computing Q will simply use the "computation rules" of the malicious curve. The reason, you called n is not needed for computing Q. So, the victim is tricked to reveal some information on x. Repeat with different n until x can be fully revealed. And this is fixed by verifying that the point received indeed lies on the "secure" curve."

This is an attack example, all public keys: https://github.com/demining/CryptoDeepTools/blob/main/18TwistAttack/discrete.py
and this: https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/files/recover_private_key.sagews

We need mult secret x to fake pub from twist! So we need to emulate sending btc from a good wallet to a twist public key.

Another help: https://cryptodeep.ru/kangaroo/ In this tutorial R is used as Pubkey.

How to compute priv to pubkey from twist using signature?

Why do you think that this is a twist?

Q = P + pub_key.pubkey.point

For twist we need a point of a curve, for example:

E3 = EllipticCurve(GF(p), [0,3])
P31 = E3([93579283295185043256820683457089915228054046133395133419577655037763911527649, 112632096923660630255684142108084503413038643268482102767008195691777477419906])
ord31 = 109903

?

Will the R of the signature for a twist pubkey be from the curve of the twist?
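The fix named in the explanation quoted in the last post (verify that a received point lies on the expected curve), shown as an added example that is not code from any poster in this thread. The function names are hypothetical, the secp256k1 constants are the standard ones, and P31 is the point quoted in the last post.

```python
# Added example (not from the thread): validate a received secp256k1 public point.
P = 2**256 - 2**32 - 977      # secp256k1 field prime
B = 7                         # curve equation: y^2 = x^3 + 7 over GF(P)
GX = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
GY = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
# Point quoted in the last post, which places it on y^2 = x^3 + 3 (not secp256k1).
P31 = (93579283295185043256820683457089915228054046133395133419577655037763911527649,
       112632096923660630255684142108084503413038643268482102767008195691777477419906)

def implied_b(x, y):
    """Constant b of the curve y^2 = x^3 + b that the point (x, y) really lies on."""
    return (y * y - x * x * x) % P

def validate_point(x, y):
    """Return (x, y) if it is a valid secp256k1 point, otherwise raise ValueError."""
    if not (0 <= x < P and 0 <= y < P):
        raise ValueError("coordinate outside the field")
    if implied_b(x, y) != B:
        raise ValueError("point is not on secp256k1")
    return (x, y)  # cofactor is 1, so an on-curve point is in the prime-order group

def encode_uncompressed(x, y):
    """SEC1 uncompressed encoding: 0x04 || X || Y."""
    return b"\x04" + x.to_bytes(32, "big") + y.to_bytes(32, "big")

def decode_sec1(data):
    """Decode and validate a SEC1 public key (65-byte or 33-byte form)."""
    if len(data) == 65 and data[0] == 4:
        return validate_point(int.from_bytes(data[1:33], "big"),
                              int.from_bytes(data[33:], "big"))
    if len(data) == 33 and data[0] in (2, 3):
        x = int.from_bytes(data[1:], "big")
        if x >= P:
            raise ValueError("coordinate outside the field")
        rhs = (pow(x, 3, P) + B) % P
        y = pow(rhs, (P + 1) // 4, P)   # square-root candidate, valid as P % 4 == 3
        if y * y % P != rhs:            # no root: this x belongs to the twist
            raise ValueError("x is not the x-coordinate of a secp256k1 point")
        if (y & 1) != (data[0] & 1):    # pick the root with the encoded parity
            y = P - y
        return validate_point(x, y)
    raise ValueError("not a SEC1 public key encoding")

if __name__ == "__main__":
    print("G accepted:", decode_sec1(encode_uncompressed(GX, GY)) == (GX, GY))
    try:
        decode_sec1(encode_uncompressed(*P31))
    except ValueError as err:
        print("P31 rejected:", err, "| implied b =", implied_b(*P31))
```

The check has to run before the point is used in any scalar multiplication with a secret; the compressed form rejects twist x-coordinates because no square root exists for them.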