 Show Posts
|
|
Pages: « 1 [2] 3 4 »
|
@abadon666999 Hello You can use second message sign/message for already discovered K to break X. x = (s*k-m)/r To recover second message private key use this one more user friendly. https://github.com/nlitsme/bitcoinexplainer |
|
|
|
|
@KudilCumil
Raw data is what we call hex or binary.
maxim 256 bit supported to be as bitcoin private key.
Most wallets support WIF keys or SEED etc
For you such case you need to convert answer from hex private key to compressed WIF private key to get compressed address
For example puzzle 64 key is
KwDiBf89QgGbjEhKnhXJuH7LrciVrZi3qZ6FxoaD5r1kYegmtbaT
|
|
|
|
|
Hello
lattice-attack need public key = coordinates.
if public is is compressed(02 or 03 in starting) you have to decompress it and use x/y coordinates of them.
You don't need 6000 signatures its depend on leaked bit lowest bit leak is 4 need 100 signatures .
ps: i prefer to answer public instead of private unless its too sensitive information.
|
|
|
|
Hello If you have sage installed this conflict with fpylll integers. Possible solution is just use int(cand1) and int(cand2) to avoid this. For second question. public transtion R,S,Z don't have leaked nonce. bitlogik lattice attack need leaked nonce min 4 bit with 100 sign pairs. If you consider you have weak nonce pairs in your R,S,Z you can use sage method from https://github.com/daedalus/BreakingECDSAwithLLLThis one don't need leaked nonce bit but its attack on weak nonce data in R. |
|
|
|
Hello You can use python to process this in multithread. For example read file split each then process with Key to address with fast python lib ( https://ofek.dev/bit/). Match with known funded address (both compressed & uncompressed) if match save his output WIF . This won't need internet i am unsure about process speed i tested myself 1000 line take less then 1min. |
|
|
|
|
I have spend 15 years in GSM reverse engineering and still continue.
S3 I9300 Exynos chipset base very first phone which that time was hot. data was not encrypted until android 4.1 released that's also optional.
Currently all latest android smartphones use FDE(Full disc encryption) so data is by default encrypted.
Apple devices X and older are considered unsafe & unsecure due to bootrom exploit.(data is encrypted but bruteforce possible for simple phone lock codes.)
Mediatek cpu base all phones are considered unsafe & unsecure due to boot rom exploit. (FDE can be dumped rpmb key can be dumped)
spreadtrum cpu also most used this days can be dumped if correct FDLs are available.
Some android vendor even use hidden signed message to unlock your phone via OTA . (everyone know this for FBI & NSA.)
|
|
|
|
@phrutis Hello Your exe and photo exactly searching same key you think it's that hard for any one to extract text you coded in your exe ? ************5bCRZhiS5sEGMpmcRZdpAhmWLRfMmutGmPHtjVob key range you searching can be found in exe but i just wanted to be sure from you. https://pastebin.com/UvdAMSvnCan you explain what your app is doing with api ? -ebat-ty-haker-eto-pizdec -ty-samiy-umniy -zagyan-v-svoyu-vzhopu -her-tebe -idi-v-zhopu -zaglyan-v-zhopu-eshyo-raz -ctfhecksdfbgrbgerjum777 |
|
|
|
|
@phrutis
Hello
You can write here key in text wif, add ? or * at missing location.
Wanted to see if i read correct photo you posted on github or not some part is hard to understand.
Also your github range check on K or L for compressed ? if you consider its compressed there are K starter and L too
|
|
|
|
|
@zahid888
Can you confirm if you or your pool already checked out range 8000000000000000:8fffffffffffffff ?
|
|
|
|
@king_of_1 Hello Until puzzle is solved it's always everyone think its impossible. I don't know if anyone notice or not, puzzle list below atlast have starting bit '0001' 1,9,17,25,33,41,49,57,65,73,81,89,97,105,113,121,129,137,145,153 So far my understanding following puzzle list have '01' in hex starting. Also there is pattern in puzzle list below. 5,13,21,29,37,45,53,61,69,77,85,93,101,109,117,125,133,141,149,157 expected to starting point from 0x10 in hex minimum can't be less then bit '0001 0000' |
|
|
|
@garlonicon Confuse with nonce and random int use in signing ? Even with nonce 1 random int in sign always in 250 or higher bit. From public key we can multiply random int which increase public key hidden number known as K, so random int is a * K = R is generated. private key 0x1000
public points
px: 0x175e159f728b865a72f99cc6c6fc846de0b93833fd2222ed73fce5b551e5b739
py: 0xd3506e0d9e3c79eba4ef97a51ff71f5eacb5955add24345c6efa6ffee9fed695
k:1
r: 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
s: 0xe667ef9dcbbac55a06295ce870b079d3efe3a465c532ef334320987bf4d736a5
z: 0x0
SIGN_U: 0x0000000000000000000000000000000000000000000000000000000000000000
SIGN_V: 0x13efffffffffffffffffffffffffffffe6a9fe543746b7faa740723d177739b5
as you can see example
0x13efffffffffffffffffffffffffffffe6a9fe543746b7faa740723d177739b5
Now same public key with 120 bit random int for multiplication K: 0x000000000000000000000000000000079d523ff7bb533dc6d6fabf75a30ac000
R: 0xdaff9f3f66aae00146a41c5401fa148a9f3945b9bb9045f12c21d0bf43b5b330
S: 0x45127dc4fbeffc546746250887e2aadcbd214576b74b0202a2667ae3ad900a59
Z: 0x0000000000000000000000000000000000000000000000000000000000000000
SIGN_U: 0x0000000000000000000000000000000000000000000000000000000000000000
SIGN_V: 0x000000000000000000000000000000000079d523ff7bb533dc6d6fabf75a30ac
Sign is := True
as you see, K is multiply whatever value we use for random int. How ever there is one more thing if we multiply any public key with (N//2)+1 strange K come if private key is EVEN. This break private key in half. K is half of private key so R is half of public key. Example K: 0x0000000000000000000000000000000000000000000000000000000000000800
R: 0x5d1bdb4ea172fa79fce4cc2983d8f8d9fc318b85f423de0dedcb63069b920471
S: 0xba37b69d42e5f4f3f9c9985307b1f1b3f863170be847bc1bdb96c60d372408e2
Z: 0x0000000000000000000000000000000000000000000000000000000000000000
SIGN_U: 0x0000000000000000000000000000000000000000000000000000000000000000
SIGN_V: 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a1
Sign is := True
|
|
|
|
@COBRAS hello This is puzzle 120 public calculated 100 sample with 120 bit random data MSB 16 bits is must "0000" in nonce, tested with multiple 120 bit range my own sample private keys. https://pastebin.com/RTg4PVv0For LLL.reduction its no issue but BKZ.reduction will show error "infinite loop in babai" Same in liner random. This can't be fixed so far i know. |
|
|
|
|
@garlonicon
i don't think its bug.
"infinite loop in babai"
I think it's like math divide by 0 on lattice attack.
First calculated sign must be higher int value like i have posted.
0xf000000000000000000000000000000000000000000000000000000000000000
Later sign can use divide by 14 or 10 etc, til int reach to 2 then can use random 128 bit int and all this is valid and give first 33 only non zero MSB rest all are 0 starting K on MSB.
i have tested with all possible combination no matter what i try i can't go lower then 33 kp requirement for 4 bit leaking.
|
|
|
|
|
Hello
By using 2 same K or weak K is already known weakness of ECDSA nothing new on this. and this happened long time go. Now days K is not only secure random 256 bit but hashed to make sure get valid 256 bit random.
|
|
|
|
|
@COBRAS
Its different attack with lowest nonce under 127 bit & his weakness.
Only bitlogik lattice-attack is most powerful i can feel.
For example if you have any private key under 128 bit. for example puzzle 120.
If you use liner random value or single known higher random(0xf000000000000000000000000000000000000000000000000000000000000000) to start with and divide it in each time till 100 sign is made.(after 51 sign can use 128 bit random to make sign.)
You just have 33 or less nonce kp to worry about, because rest is 0 on MSB
i tested on my single pc with 16 thread its not powerful to cover it.
need atlast 128 thread with 4/5 pc to finish whole range fast.
|
|
|
|
|
@fxsniper
Hello
You won't notice much speed difference on this case.
Only thing pubkey bruteforce fastest is BSGS, because it's come after only 1 step(value*G). no need double SHA2,RIPEMD160,BASE8
address or RIPEMD160 won't make much noticeable difference in bruteforce.
|
|
|
|
@stalker00075 For compressed just add 01 at end. fullkey = "80"+"7542FB6685F9FD8F37D56FAF62F0BB4563684A51539E4B26F0840DB361E0027C" + "01" Also i recommend use good python lib to do this not manually. For example this one https://ofek.dev/bit/ |
|
|
|
|
@garlonicon
Is there any reason why attack fail one of random value is liner ?
For example i used
u =randint(1, N);
v = randint(1, N);
then loop it
u = u +1 keep v same to get LSB of nonce only increasing.
but lattice attack fail with "infinite loop in babai"
Unless both value is random its not working and no way to leak nonce on that case. any idea ?
|
|
|
|
|
