Show Posts
|
Pages: « 1 [2] 3 4 5 6 »
|
How many operations alghorith take for 2**76 privkey ?
here, this code is for you guys who wanna try it on smaller values. you just need to adjust the values and curves accordingly. https://github.com/david-r-cox/pyDLP
|
|
|
Can you show in practice what your code does with some small values?
the index calculus algorithm is only meant for exponential numbers. it cant be done with small values.
|
|
|
Hi everyone, i am wondering whether is there any other way or is there a better way i could have implemented in my Index Calculus Algorithm or is this the best optimization i could have done already? Would like some suggestions please. My code is as below. from sympy import Matrix import numpy as np import multiprocessing as mp
# Define Montgomery power function for secp256k1 def montgomery_power(base, exp, mod): res = 1 base = base % mod while exp > 0: if exp % 2 == 1: res = (res * base) % mod exp = exp >> 1 base = (base * base) % mod return res
# Function to generate a prime factor base def generate_factor_base(limit): primes = [] num = 2 while len(primes) < limit: if all(num % i != 0 for i in range(2, int(num**0.5) + 1)): primes.append(num) num += 1 return primes
# Precompute the factor base factor_base_size = 100 factor_base = generate_factor_base(factor_base_size)
# Function to find smooth numbers in a range (optimized further) def find_smooth_numbers(start, end): smooth_numbers = [] for num in range(start, end + 1): exps = [] for p in factor_base: count = 0 while num % p == 0: count += 1 num //= p exps.append(count) if num == 1: smooth_numbers.append((num, exps)) return smooth_numbers
# Function to solve linear equations using Lanczos algorithms def solve_linear_equations(smooth_nums, G, n): A = Matrix([[f[1][i] for f in smooth_nums] for i in range(factor_base_size)]).T B = Matrix([G**f[0] % n for f in smooth_nums])
X = A.LUsolve(B)
logs = [(p, int(X[i])) for i, p in enumerate(factor_base)] return logs
# Function for multiprocessing def process_range(args): start, end, G, n = args print(f"Processing range: {start}-{end}") smooth_nums = find_smooth_numbers(start, end) print(f"Found {len(smooth_nums)} smooth numbers in range {start}-{end}") return solve_linear_equations(smooth_nums, G, n)
# Use freeze_support for multiprocessing if __name__ == '__main__': mp.freeze_support()
# Parameters for secp256k1 curve and public key p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F a = 0 b = 7 n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798 Gy = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
pub_key_x = 0x26597xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx pub_key_y = 0x158b6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx pub_point = (pub_key_x, pub_key_y)
print("Calculating private key...") # Split the range into chunks for multiprocessing num_chunks = mp.cpu_count() chunk_size = (n // num_chunks) + 1 ranges = [(i, min(i + chunk_size - 1, n), Gx, n) for i in range(1, n + 1, chunk_size)]
# Perform multiprocessing with mp.Pool(processes=num_chunks) as pool: logs_list = pool.map(process_range, ranges)
# Combine results from multiprocessing logs = [] for logs_chunk in logs_list: logs.extend(logs_chunk)
# Calculate private key using index calculus d = 1 for p, a in logs: while montgomery_power(pub_point[0], d * a, p) != 1: d += 1 if d >= n: break
print(f"Private Key (d): {d}")
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found this result for this rsz: r= 115780575977492633039504758427830329241728645270042306223540962614150928364886 s= 115784413730767153834193500621449522112098284939719838943229029456606672741370 z= 2 hey bro... i had use z signature as the start range. it dont work on the keyhunt programme. its taking awhile. Anyways, i saw some of you looking how to get the r,s,z signatures, you can just clone the program from here https://github.com/iceland2k14/rsz
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found But this would require you knowing the key range. If you don't, it's going to take awhile. Like kangaroo as well. Bro I know stride, this is theoreticaly simplify task, but I continue wok on it stride example: 0xfff97bd5755eeea420453a14355235d382f6472f8568a18b2f057a1460297556 so, for take range n is not so big task with sach stride, but, looks like may be needs brute range many many times because search is a collision search between R from your scrypt and K.... kangroo for ex example never stop and give good speed, so maybe. bro, start of search range is always z , in my formulas what I make from your srypt. I think you find a nonce what bigger then z , too. Br start of search range is always Z signature? yes ! I spend some time for make start range 0, moving z to enother part of formula. For mo understanding look to formula with i = 0 I think you understand why z is a start ...I was understand this using this way ok i try with different r,s,z. thanks.
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found But this would require you knowing the key range. If you don't, it's going to take awhile. Like kangaroo as well. Bro I know stride, this is theoreticaly simplify task, but I continue wok on it stride example: 0xfff97bd5755eeea420453a14355235d382f6472f8568a18b2f057a1460297556 so, for take range n is not so big task with sach stride, but, looks like may be needs brute range many many times because search is a collision search between R from your scrypt and K.... kangroo for ex example never stop and give good speed, so maybe. bro, start of search range is always z , in my formulas what I make from your srypt. I think you find a nonce what bigger then z , too. Br start of search range is always Z signature?
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found But this would require you knowing the key range. If you don't, it's going to take awhile. Like kangaroo as well.
|
|
|
oh f-k, you really find privkeys? you use kangaroo multy gpu from GL or keyhunt ? use Google .......so I find 2 private key from his 2 rsz 1: D:\python\bitcoin_rsz>python getz_input.py -txid a37f2f87bd371d621178605a79062010298c31fc884ed966a2041684eb8198f1 Starting Program... ====================================================================== [Input Index #: 0] R: 57a463b8ac30f2ed36767d5ccabf04fbe29c94b054b4309996f086556428c748 S: 5a4c7e96159688e8cd2525a3230ec5184597d6cfbaf037ca5815fa01097f67cc Z: a37f38a2db651ba57f68ef4d0ac297e732d0eb3954bb85ac069569f9b372daa0 PubKey: 02f9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9 2: puzzle #65 D:\python\bitcoin_rsz>python getz_input.py -txid 65c7e5cbff719ff7fd32645b777cb20b69db513f1cd6a064dfcc95b69ad77acc Starting Program... ====================================================================== [Input Index #: 0] R: 4f7f2657387cf1fef8152e2bbd39f153ee235e1f46294fded0d42dacbbe7ea S: 430773be7ebda7fba5ed2f829e9b47a7f92d526905c250780f044ed860de0786 Z: 76757e4b29801bbb747a125c0bb6752feeeabd84c58fe3dd71e94eed3839dfaa PubKey: 0230210c23b1a047bc9bdbb13448e67deddc108946de6de639bcc75d47c0216b1b Ok but how can I find these rsz with this script very fast? use this script https://github.com/iceland2k14/rsz to find rsz of a txid
|
|
|
import olll import random import math import secp256k1 as ice
G = ice.scalar_multiplication(1) N = ice.N
# Secret key = x = (rns1 – r1sn)-1 (snm1 – s1mn – s1sn(k1 – kn)) # For most significant fix 128 bit leak at least 3 sig is required. fix_bits = 128 out_file_name = 'pseudo_sig_rsz.txt'
kbits = 256 - fix_bits
#============================================================================== def write_rsz_file(rr, ss, zz, pb): with open(out_file_name, 'w') as f: sz = len(rr) for i in range(sz): f.write('r = ' + hex(rr)[2:].zfill(64) + '\n') f.write('s = ' + hex(ss)[2:].zfill(64) + '\n') f.write('z = ' + hex(zz)[2:].zfill(64) + '\n') f.write('pubkey = ' + pb.hex()) def modinv(v): return pow(v, N-2, N)
def getx(Q): return int(Q[1:33].hex(), 16)
def minimum_sigs_required(num_bits): return math.ceil(1.03 * 4 / 3 * 256 / num_bits)
def identity_plus2(u, elem=1): m=[[0 for x in range(u+2)] for y in range(u)] for i in range(0,u): m = elem return m #============================================================================== n = 1 + minimum_sigs_required(fix_bits) print(f'\n Fixed Nonce bits = {fix_bits} Minimum Signature Required = {n}')
# example secret = 0x7cf5d79d200207963474c64e64bde80ff4cb3e225b6ac5b6e958522fdab60578 secret = random.randint(1,N) pub = ice.scalar_multiplication(secret) print('###############################################################################') print(f'secret: {hex(secret)}') print(f'Pubkey: {pub.hex()}') print('###############################################################################')
fixed_k_prefix = random.randrange(2**kbits, N)
#S = ((Z + (X * R)) / K) % N z = [random.randrange(1, N) for i in range(n)] nonces = [random.randrange(1, 2**kbits) + fixed_k_prefix for i in range(n)] sigs_r = [getx(ice.scalar_multiplication(nonces)) for i in range(n)] sigs_s = [( (z + secret * sigs_r) * modinv(nonces) )%N for i in range(n)] sinv = [modinv(sigs_s) for i in range(n)]
write_rsz_file(sigs_r, sigs_s, z, pub) ############################################################################### matrix = identity_plus2(n-1, N)
# Add last 2 rows row, row2 = [], [] [zn, rn, sn] = [z[-1], sigs_r[-1], sigs_s[-1]] rnsn_inv = rn * modinv(sn) znsn_inv = zn * modinv(sn)
# 2nd to last row: [r1(s1^-1) - rn(sn^-1), ... , rn-1(sn-1^-1) - rn(sn^-1), 2^176/order, 0 ] # last row: [m1(s1^-1) - mn(sn^-1), ... , mn-1(sn-1^-1) - mn(sn^-1), 0, 2^176] for i in range(n-1): row.append((sigs_r * modinv(sigs_s)) - rnsn_inv) row2.append((z * modinv(sigs_s)) - znsn_inv)
# add last elements of last two rows, B = 2**(256-80) for yubikey row.append((2**kbits) / N) row.append(0) row2.append(0) row2.append(2**kbits) matrix.append(row) matrix.append(row2)
print(' Original Matrix') print(matrix) ############################################################################### new_matrix = olll.reduction(matrix, 0.75) print('\n\n Reduced Matrix') print(new_matrix)
for row in new_matrix: potential_nonce_diff = row[0] # print('k=', hex(potential_nonce_diff)) # modinv(r3 * s1 - r1 *s3) * (s3 * m1 - s1 * m3 - s1 * s3 *(k1 - k3)) potential_priv_key = (sn * z[0]) - (sigs_s[0] * zn) - (sigs_s[0] * sn * potential_nonce_diff) potential_priv_key *= modinv((rn * sigs_s[0]) - (sigs_r[0] * sn)) potential_priv_key = potential_priv_key % N # print('PK=', hex(potential_priv_key)) # check if we found private key by comparing its public key with actual public key if ice.scalar_multiplication(potential_priv_key) == pub: print('-'*75) print(f' found private key = {hex(potential_priv_key)}') print('-'*75)
I can't understand this Python code. Anyone write the Sagemath code? LLL_nonce_leakage.py -->> simple Sagemath code
download or clone the file from here to the same directory you have the LLL program. you need to use ice_secp256k1.dll or .so for linux to use this program.. https://github.com/iceland2k14/secp256k1
|
|
|
import random p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x s=0x z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y) def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m def make_public(r,s,z): R = E.lift_x(Integer(r)) w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) #R=u1*G + u2*public_key #pub= R*modinv(u2,n) - u1*modinv(u2,n)%n u_n2=modinv(u2,n)%n u_n1=- u1*modinv(u2,n)%n pub=u_n1*G + u_n2*R pub2=u_n1*G + u_n2*(-R) return pub,pub2
def verify(r, s,z,public_key): w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) D=u1*G + u2*public_key x,y=D.xy() x=int(x)
if (r % n) == (x % n): print( "signature matches") else: print("invalid signature") def calc_u(r,s,z): mod_s= modinv(s,n)%n u1=mod_s*z%n u2=mod_s*r%n print("u1==",u1,"n-u1=",n-u1) print("u2==",u2,"n-u2=",n-u2) return u1,u2 u1, u2 = calc_u(r,s,z) pub1,pub2=make_public(r,s,z)
print("public_key1",pub1) print("pub1_x=",hex(pub1.xy()[0])) print("public_key2",pub2) print("pub2_x=",hex(pub2.xy()[0])) verify(r,s,z,pub1) verify(r,s,z,pub2) print()
# Find the real mod n for k and K nonce # Loop to search for k in hexadecimal for i in range(0, n): k = (r * i + z) * modinv(s, n) % n R = E.lift_x(Integer(r)) P = k * G print("K:", hex(P.xy()[0])) # Print the x-coordinate of K in hexadecimal if hex(P.xy()[0]) == hex(r): print("Found real k:", hex(P.xy()[0])) # Print the real k in hexadecimal break
i just updated the code in sagemath. error again, I try remove error, same error: k = ((r * i%n + z%n)%n * modinv(s, n) % n)%n File "sage/structure/element.pyx", line 1921, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13675) File "sage/structure/coerce.pyx", line 1167, in sage.structure.coerce.CoercionModel_cache_maps.bin_op (build/cythonized/sage/structure/coerce.c:9612) File "sage/structure/element.pyx", line 1919, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13640) File "sage/structure/element.pyx", line 1954, in sage.structure.element.Element._mod_ (build/cythonized/sage/structure/element.c:13933) TypeError: unsupported operand parent(s) for %: 'Symbolic Ring' and 'Symbolic Ring' that's impossible. Have you insert your rsz? I did with 3 different sets of rsz. The signature verified. And the code works. im use this rsz bro: r= 115780575977492633039504758427830329241728645270042306223540962614150928364886 s= 115784413730767153834193500621449522112098284939719838943229029456606672741370 z= 2 ? lol. of course that wont work. its not real rsz
|
|
|
import random p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x s=0x z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y) def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m def make_public(r,s,z): R = E.lift_x(Integer(r)) w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) #R=u1*G + u2*public_key #pub= R*modinv(u2,n) - u1*modinv(u2,n)%n u_n2=modinv(u2,n)%n u_n1=- u1*modinv(u2,n)%n pub=u_n1*G + u_n2*R pub2=u_n1*G + u_n2*(-R) return pub,pub2
def verify(r, s,z,public_key): w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) D=u1*G + u2*public_key x,y=D.xy() x=int(x)
if (r % n) == (x % n): print( "signature matches") else: print("invalid signature") def calc_u(r,s,z): mod_s= modinv(s,n)%n u1=mod_s*z%n u2=mod_s*r%n print("u1==",u1,"n-u1=",n-u1) print("u2==",u2,"n-u2=",n-u2) return u1,u2 u1, u2 = calc_u(r,s,z) pub1,pub2=make_public(r,s,z)
print("public_key1",pub1) print("pub1_x=",hex(pub1.xy()[0])) print("public_key2",pub2) print("pub2_x=",hex(pub2.xy()[0])) verify(r,s,z,pub1) verify(r,s,z,pub2) print()
# Find the real mod n for k and K nonce # Loop to search for k in hexadecimal for i in range(0, n): k = (r * i + z) * modinv(s, n) % n R = E.lift_x(Integer(r)) P = k * G print("K:", hex(P.xy()[0])) # Print the x-coordinate of K in hexadecimal if hex(P.xy()[0]) == hex(r): print("Found real k:", hex(P.xy()[0])) # Print the real k in hexadecimal break
i just updated the code in sagemath. error again, I try remove error, same error: k = ((r * i%n + z%n)%n * modinv(s, n) % n)%n File "sage/structure/element.pyx", line 1921, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13675) File "sage/structure/coerce.pyx", line 1167, in sage.structure.coerce.CoercionModel_cache_maps.bin_op (build/cythonized/sage/structure/coerce.c:9612) File "sage/structure/element.pyx", line 1919, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13640) File "sage/structure/element.pyx", line 1954, in sage.structure.element.Element._mod_ (build/cythonized/sage/structure/element.c:13933) TypeError: unsupported operand parent(s) for %: 'Symbolic Ring' and 'Symbolic Ring' that's impossible. Have you insert your rsz? I did with 3 different sets of rsz. The signature verified. And the code works.
|
|
|
import random p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x s=0x z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y) def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m def make_public(r,s,z): R = E.lift_x(Integer(r)) w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) #R=u1*G + u2*public_key #pub= R*modinv(u2,n) - u1*modinv(u2,n)%n u_n2=modinv(u2,n)%n u_n1=- u1*modinv(u2,n)%n pub=u_n1*G + u_n2*R pub2=u_n1*G + u_n2*(-R) return pub,pub2
def verify(r, s,z,public_key): w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) D=u1*G + u2*public_key x,y=D.xy() x=int(x)
if (r % n) == (x % n): print( "signature matches") else: print("invalid signature") def calc_u(r,s,z): mod_s= modinv(s,n)%n u1=mod_s*z%n u2=mod_s*r%n print("u1==",u1,"n-u1=",n-u1) print("u2==",u2,"n-u2=",n-u2) return u1,u2 u1, u2 = calc_u(r,s,z) pub1,pub2=make_public(r,s,z)
print("public_key1",pub1) print("pub1_x=",hex(pub1.xy()[0])) print("public_key2",pub2) print("pub2_x=",hex(pub2.xy()[0])) verify(r,s,z,pub1) verify(r,s,z,pub2) print()
# Find the real mod n for k and K nonce # Loop to search for k in hexadecimal for i in range(0, n): k = (r * i + z) * modinv(s, n) % n R = E.lift_x(Integer(r)) P = k * G print("K:", hex(P.xy()[0])) # Print the x-coordinate of K in hexadecimal if hex(P.xy()[0]) == hex(r): print("Found real k:", hex(P.xy()[0])) # Print the real k in hexadecimal break
i just updated the code in sagemath.
|
|
|
I had made a little change in my code. im just hoping i could receive some advice on whether my method here is more efficient or sound? i got really lucky because i was told that 6 weeks was really fast. but.. i am hoping to go faster. so my question is, please take a look at my code in sagemath, and see what i might have miss out or can improve to make it much better? and while im here, i was told the u1 value some sort of give a "hint" on the k nonce. i realise that it just really is the real mod n of k nonce only but its not k nonce itself, please check my code to see where i can improve. thank you.
import random p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x s=0x z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y) def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m def make_public(r,s,z): R = E.lift_x(Integer(r)) w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) #R=u1*G + u2*public_key #pub= R*modinv(u2,n) - u1*modinv(u2,n)%n u_n2=modinv(u2,n)%n u_n1=- u1*modinv(u2,n)%n pub=u_n1*G + u_n2*R pub2=u_n1*G + u_n2*(-R) return pub,pub2
def verify(r, s,z,public_key): w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) D=u1*G + u2*public_key x,y=D.xy() x=int(x)
if (r % n) == (x % n): print( "signature matches") else: print("invalid signature") def calc_u(r,s,z): mod_s= modinv(s,n)%n u1=mod_s*z%n u2=mod_s*r%n print("u1==",u1,"n-u1=",n-u1) print("u2==",u2,"n-u2=",n-u2) return u1,u2 u1, u2 = calc_u(r,s,z)
pub1,pub2=make_public(r,s,z) print("public_key1",pub1) print("pub1_x=",hex(pub1.xy()[0])) print("public_key2",pub2) print("pub2_x=",hex(pub2.xy()[0])) verify(r,s,z,pub1) verify(r,s,z,pub2) print()
# Find the real mod n for k and K nonce
for i in range(1, n): k = (r * i + z) * modinv(s, n) % n R = E.lift_x(Integer(r)) K = k * G u1 = (modinv(s, n) * z) % n u2 = (modinv(s, n) * r) % n if K == (u1 * G + u2 * R): print("Found real k:", k) break
|
|
|
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.
you are suppose to fill in the rsz after each 0x in case you need the full code i had use in sagemath. import random p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
r=0x s=0x z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y) def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z): R = E.lift_x(Integer(r)) w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) #R=u1*G + u2*public_key #pub= R*modinv(u2,n) - u1*modinv(u2,n)%n u_n2=modinv(u2,n)%n u_n1=- u1*modinv(u2,n)%n pub=u_n1*G + u_n2*R pub2=u_n1*G + u_n2*(-R) return pub,pub2
def verify(r, s,z,public_key): w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) D=u1*G + u2*public_key x,y=D.xy() x=int(x)
if (r % n) == (x % n): print( "signature matches") else: print("invalid signature")
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1) print("pub1_x=",hex(pub1.xy()[0])) print("public_key2",pub2) print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1) verify(r,s,z,pub2) print()
# Function to check if a point's x-coordinate matches r def check_k(k): P = k * G return P.x() == r
# Iterate to find the correct k for i in range(1, n): k = (r * i + z) * modinv(s, n) % n if check_k(k): print(f"Found correct k: {k}") private_key = (s * k - z) * modinv(r, n) % n print(f"Private Key: {private_key}") break
Thank you very mach for your code, mister @COBRAS @krashfire Please give me an example rsz if your code works correctly. sample rsz r=0x s=0x z=0x And, if 2 signatures match how long, it takes to K nonce editi got error, public_key1 (37231416379298332252575862495769965965364321245932635159006725536777825338696 : 9676366176353189190669004767334277632269117223198125569199055354600699161111 : 1) pub1_x= 0x52503c225437e35c61b9ee5ec88ea71600e7a710dbebac88b27c2d1a667ac548 public_key2 (84773528361026042599480815013664408603889872484555722313313932231857335756436 : 21504221066078790871098131651817310599861599747961732812418866800256292472755 : 1) pub2_x= 0xbb6c1de01f36618ae05f7c183c22dfa8797e779f39537752c27e2dc045b0e694 signature matches signature matches--------------------------------------------------------------------------- AttributeError Traceback (most recent call last) Cell In [1], line 83 81 for i in range(Integer(1), n): 82 k = (r * i + z) * modinv(s, n) % n ---> 83 if check_k(k): 84 print(f"Found correct k: {k}") 85 private_key = (s * k - z) * modinv(r, n) % n Cell In [1], line 78, in check_k(k) 76 def check_k(k): 77 P = k * G ---> 78 return P.x() == r File /home/sc_serv/sage/src/sage/structure/element.pyx:489, in sage.structure.element.Element.__getattr__() 487 AttributeError: 'LeftZeroSemigroup_with_category.element_class' object has no attribute 'blah_blah'... 488 """ --> 489 return self.getattr_from_category(name) 490 491 cdef getattr_from_category(self, name) noexcept: File /home/sc_serv/sage/src/sage/structure/element.pyx:502, in sage.structure.element.Element.getattr_from_category() 500 else: 501 cls = P._abstract_element_class --> 502 return getattr_from_other_class(self, cls, name) 503 504 def __dir__(self): File /home/sc_serv/sage/src/sage/cpython/getattr.pyx:362, in sage.cpython.getattr.getattr_from_other_class() 360 dummy_error_message.cls = type(self) 361 dummy_error_message.name = name --> 362 raise AttributeError(dummy_error_message) 363 att
|
|
|
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.
in case you need the full code i had use in sagemath. import random p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
r=0x s=0x z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y) def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z): R = E.lift_x(Integer(r)) w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) #R=u1*G + u2*public_key #pub= R*modinv(u2,n) - u1*modinv(u2,n)%n u_n2=modinv(u2,n)%n u_n1=- u1*modinv(u2,n)%n pub=u_n1*G + u_n2*R pub2=u_n1*G + u_n2*(-R) return pub,pub2
def verify(r, s,z,public_key): w = int(modinv(s, n)) u1 = int((z * w) % n) u2 = int((r * w) % n) D=u1*G + u2*public_key x,y=D.xy() x=int(x)
if (r % n) == (x % n): print( "signature matches") else: print("invalid signature")
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1) print("pub1_x=",hex(pub1.xy()[0])) print("public_key2",pub2) print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1) verify(r,s,z,pub2) print()
# Function to check if a point's x-coordinate matches r def check_k(k): P = k * G return P.x() == r
# Iterate to find the correct k for i in range(1, n): k = (r * i + z) * modinv(s, n) % n if check_k(k): print(f"Found correct k: {k}") private_key = (s * k - z) * modinv(r, n) % n print(f"Private Key: {private_key}") break
|
|
|
I currently ran the program on i9 processor and a Nvidia 3090 GPU.
|
|
|
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.
wow. Thank you. Please do. I still feel 6 weeks is too long though. I just got lucky.
|
|
|
Hi everyone, im currently using this calculation written by ecdsa123 to get to K nonce. # Function to check if a point's x-coordinate matches r def check_k(k): P = k * G return P.x() == r
# Iterate to find the correct k for i in range(1, n): k = (r * i + z) * modinv(s, n) % n if check_k(k): print(f"Found correct k: {k}") private_key = (s * k - z) * modinv(r, n) % n print(f"Private Key: {private_key}") break
i got the correct k nonce (256 bits) using his method after 6 weeks. i am just wondering is there a more effective way to solve for k nonce faster? is there a way for direct calculations from the given the values? 6 weeks is very fast !!! have you result from real srz from btc transaction ? yes the result is from real rsz from a dormant wallet of 8 years.
|
|
|
i did. it went i Hi everyone, im currently using this calculation written by ecdsa123 to get to K nonce. # Function to check if a point's x-coordinate matches r def check_k(k): P = k * G return P.x() == r
# Iterate to find the correct k for i in range(1, n): k = (r * i + z) * modinv(s, n) % n if check_k(k): print(f"Found correct k: {k}") private_key = (s * k - z) * modinv(r, n) % n print(f"Private Key: {private_key}") break
i got the correct k nonce (256 bits) using his method after 6 weeks. i am just wondering is there a more effective way to solve for k nonce faster? is there a way for direct calculations from the given the values? expand code,add formulas for r,s,z and after ask openai, in my situations this help. openai find bast and fastest solution regards i did it went into some imaginary calculations that wasted my time, sometimes 2 days until i realize the calculations are not right.
|
|
|
OH Hi everyone, im currently using this calculation written by ecdsa123 to get to K nonce. # Function to check if a point's x-coordinate matches r def check_k(k): P = k * G return P.x() == r
# Iterate to find the correct k for i in range(1, n): k = (r * i + z) * modinv(s, n) % n if check_k(k): print(f"Found correct k: {k}") private_key = (s * k - z) * modinv(r, n) % n print(f"Private Key: {private_key}") break
i got the correct k nonce (256 bits) using his method after 6 weeks. i am just wondering is there a more effective way to solve for k nonce faster? is there a way for direct calculations from the given the values? Maybe this can help, this about nonce https://bitcointalk.org/index.php?topic=5491531.0[/quote oh..ok thank you bro.
|
|
|
|