|
Title: Reuse Nonce Faulty Sig Attack Post by: krashfire on January 18, 2023, 06:31:19 PM In this article,
https://medium.com/asecuritysite-when-bob-met-alice/ecdsa-signatures-can-be-cracked-with-one-good-signature-and-one-bad-one-2d8bc71949e9 Author incremented the R signature. Which I find quite difficult coz this method also requires you knowing the priv key to calculate for the faulty s signature. So my question is... How can I safely increment the S and Hash value? I tried Code: sf= sig.s + 1 Obviously, Its wrong. Coz the private key does not correspond to the correct address. How do increment the S and H signatures Correctly so I can find out the K and X Value? Because I assume if I can correctly increment the signatures of S and H. I can solve K. When I solve K=nonce, I get D=Private Key. Title: Re: Reuse Nonce Faulty Sig Attack Post by: COBRAS on January 19, 2023, 12:18:30 AM R or Sci not remember exact is like public key. So ..
Title: Re: Reuse Nonce Faulty Sig Attack Post by: pooya87 on January 19, 2023, 04:40:52 AM You can't just increment h and s!
H is the hash of the message and is not predictable let alone be incrementable and s is computed using k, h, r, d so again it is also no incrementable. The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong. Title: Re: Reuse Nonce Faulty Sig Attack Post by: ymgve2 on January 19, 2023, 04:08:38 PM You can't just increment h and s! H is the hash of the message and is not predictable let alone be incrementable and s is computed using k, h, r, d so again it is also no incrementable. The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong. The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key. As OP have finally noticed, you can't create faulty signatures without the private key, so this attack means nothing if you already only have a single, valid, signature. OP: Any kind of manipulation of an existing signature will create two linearly dependent signatures, which in practice is just the same as having a single signature. You can't use the info in the article to get a private key out of a single good signature in any way. Title: Re: Reuse Nonce Faulty Sig Attack Post by: BlackHatCoiner on January 19, 2023, 06:15:07 PM The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key. Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test (https://asecuritysite.com/ecdsa/ecd7)), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?Title: Re: Reuse Nonce Faulty Sig Attack Post by: krashfire on January 21, 2023, 03:17:08 PM The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key. Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test (https://asecuritysite.com/ecdsa/ecd7)), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?Right?! Waste my time in researching his method. And I don't know why no one is calling this "professor" out yet. Felt scammed. Geez... 😂 |