 Show Posts
|
|
Pages: « 1 [2] 3 4 5 6 »
|
How many operations alghorith take for 2**76 privkey ?
here, this code is for you guys who wanna try it on smaller values. you just need to adjust the values and curves accordingly. https://github.com/david-r-cox/pyDLP |
|
|
|
Can you show in practice what your code does with some small values?
the index calculus algorithm is only meant for exponential numbers. it cant be done with small values. |
|
|
|
Hi everyone, i am wondering whether is there any other way or is there a better way i could have implemented in my Index Calculus Algorithm or is this the best optimization i could have done already? Would like some suggestions please. My code is as below.
from sympy import Matrix
import numpy as np
import multiprocessing as mp
# Define Montgomery power function for secp256k1
def montgomery_power(base, exp, mod):
res = 1
base = base % mod
while exp > 0:
if exp % 2 == 1:
res = (res * base) % mod
exp = exp >> 1
base = (base * base) % mod
return res
# Function to generate a prime factor base
def generate_factor_base(limit):
primes = []
num = 2
while len(primes) < limit:
if all(num % i != 0 for i in range(2, int(num**0.5) + 1)):
primes.append(num)
num += 1
return primes
# Precompute the factor base
factor_base_size = 100
factor_base = generate_factor_base(factor_base_size)
# Function to find smooth numbers in a range (optimized further)
def find_smooth_numbers(start, end):
smooth_numbers = []
for num in range(start, end + 1):
exps = []
for p in factor_base:
count = 0
while num % p == 0:
count += 1
num //= p
exps.append(count)
if num == 1:
smooth_numbers.append((num, exps))
return smooth_numbers
# Function to solve linear equations using Lanczos algorithms
def solve_linear_equations(smooth_nums, G, n):
A = Matrix([[f[1][i] for f in smooth_nums] for i in range(factor_base_size)]).T
B = Matrix([G**f[0] % n for f in smooth_nums])
X = A.LUsolve(B)
logs = [(p, int(X[i])) for i, p in enumerate(factor_base)]
return logs
# Function for multiprocessing
def process_range(args):
start, end, G, n = args
print(f"Processing range: {start}-{end}")
smooth_nums = find_smooth_numbers(start, end)
print(f"Found {len(smooth_nums)} smooth numbers in range {start}-{end}")
return solve_linear_equations(smooth_nums, G, n)
# Use freeze_support for multiprocessing
if __name__ == '__main__':
mp.freeze_support()
# Parameters for secp256k1 curve and public key
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a = 0
b = 7
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Gx = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
Gy = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
pub_key_x = 0x26597xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pub_key_y = 0x158b6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pub_point = (pub_key_x, pub_key_y)
print("Calculating private key...")
# Split the range into chunks for multiprocessing
num_chunks = mp.cpu_count()
chunk_size = (n // num_chunks) + 1
ranges = [(i, min(i + chunk_size - 1, n), Gx, n) for i in range(1, n + 1, chunk_size)]
# Perform multiprocessing
with mp.Pool(processes=num_chunks) as pool:
logs_list = pool.map(process_range, ranges)
# Combine results from multiprocessing
logs = []
for logs_chunk in logs_list:
logs.extend(logs_chunk)
# Calculate private key using index calculus
d = 1
for p, a in logs:
while montgomery_power(pub_point[0], d * a, p) != 1:
d += 1
if d >= n:
break
print(f"Private Key (d): {d}")
|
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found this result for this rsz: r= 115780575977492633039504758427830329241728645270042306223540962614150928364886 s= 115784413730767153834193500621449522112098284939719838943229029456606672741370 z= 2 hey bro... i had use z signature as the start range. it dont work on the keyhunt programme. its taking awhile. Anyways, i saw some of you looking how to get the r,s,z signatures, you can just clone the program from here https://github.com/iceland2k14/rsz |
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found But this would require you knowing the key range. If you don't, it's going to take awhile. Like kangaroo as well. Bro I know stride, this is theoreticaly simplify task, but I continue wok on it stride example: 0xfff97bd5755eeea420453a14355235d382f6472f8568a18b2f057a1460297556 so, for take range n is not so big task with sach stride, but, looks like may be needs brute range many many times because search is a collision search between R from your scrypt and K.... kangroo for ex example never stop and give good speed, so maybe. bro, start of search range is always z , in my formulas what I make from your srypt. I think you find a nonce what bigger then z , too. Br start of search range is always Z signature? yes ! I spend some time for make start range 0, moving z to enother part of formula. For mo understanding look to formula with i = 0 I think you understand why z is a start  ...I was understand this using this way ok i try with different r,s,z. thanks. |
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found But this would require you knowing the key range. If you don't, it's going to take awhile. Like kangaroo as well. Bro I know stride, this is theoreticaly simplify task, but I continue wok on it stride example: 0xfff97bd5755eeea420453a14355235d382f6472f8568a18b2f057a1460297556 so, for take range n is not so big task with sach stride, but, looks like may be needs brute range many many times because search is a collision search between R from your scrypt and K.... kangroo for ex example never stop and give good speed, so maybe. bro, start of search range is always z , in my formulas what I make from your srypt. I think you find a nonce what bigger then z , too. Br start of search range is always Z signature? |
|
|
|
Bsgs work example: xman@localhost:~/keyhunt/keyhunt$ ./keyhunt -m bsgs -r ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000:ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff - Version 0.2.230519 Satoshi Quest (legacy), developed by AlbertoBSD
- Mode BSGS sequential
- Opening file addresses.txt
- Added 1 points from file
- Range
- -- from : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05000000000000
- -- to : 0xffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b05ffffffffffff
- N = 0x100000000000
- Bloom filter for 4194304 elements : 14.38 MB
- Bloom filter for 131072 elements : 0.88 MB
- Bloom filter for 4096 elements : 0.88 MB
- Allocating 0.00 MB for 4096 bP Points
- processing 3145728/4194304 bP points : 7
- processing 4194304/4194304 bP points : 100%
- Making checkums .. ... done
- Sorting 4096 elements... Done!
- Thread 0xffd8e700c03997d8c19f5c793fed42f
- Thread Key found privkey ffd8e700c03997d8c19f5c793fed42fb6c5b5a9bb408a8185b0503ba2fe979c1
- Publickey 02396651cb067749a3a54e1bafb3b589ce9a1ceed7c079e29d478af1c160448012
All points were found But this would require you knowing the key range. If you don't, it's going to take awhile. Like kangaroo as well. |
|
|
|
oh f-k, you really find privkeys? you use kangaroo multy gpu from GL or keyhunt ?  use Google .......so I find 2 private key from his 2 rsz 1: D:\python\bitcoin_rsz>python getz_input.py -txid a37f2f87bd371d621178605a79062010298c31fc884ed966a2041684eb8198f1 Starting Program... ====================================================================== [Input Index #: 0] R: 57a463b8ac30f2ed36767d5ccabf04fbe29c94b054b4309996f086556428c748 S: 5a4c7e96159688e8cd2525a3230ec5184597d6cfbaf037ca5815fa01097f67cc Z: a37f38a2db651ba57f68ef4d0ac297e732d0eb3954bb85ac069569f9b372daa0 PubKey: 02f9308a019258c31049344f85f89d5229b531c845836f99b08601f113bce036f9 2: puzzle #65 D:\python\bitcoin_rsz>python getz_input.py -txid 65c7e5cbff719ff7fd32645b777cb20b69db513f1cd6a064dfcc95b69ad77acc Starting Program... ====================================================================== [Input Index #: 0] R: 4f7f2657387cf1fef8152e2bbd39f153ee235e1f46294fded0d42dacbbe7ea S: 430773be7ebda7fba5ed2f829e9b47a7f92d526905c250780f044ed860de0786 Z: 76757e4b29801bbb747a125c0bb6752feeeabd84c58fe3dd71e94eed3839dfaa PubKey: 0230210c23b1a047bc9bdbb13448e67deddc108946de6de639bcc75d47c0216b1b Ok but how can I find these rsz with this script very fast? use this script https://github.com/iceland2k14/rsz to find rsz of a txid |
|
|
|
import olll
import random
import math
import secp256k1 as ice
G = ice.scalar_multiplication(1)
N = ice.N
# Secret key = x = (rns1 – r1sn)-1 (snm1 – s1mn – s1sn(k1 – kn))
# For most significant fix 128 bit leak at least 3 sig is required.
fix_bits = 128
out_file_name = 'pseudo_sig_rsz.txt'
kbits = 256 - fix_bits
#==============================================================================
def write_rsz_file(rr, ss, zz, pb):
with open(out_file_name, 'w') as f:
sz = len(rr)
for i in range(sz):
f.write('r = ' + hex(rr)[2:].zfill(64) + '\n')
f.write('s = ' + hex(ss)[2:].zfill(64) + '\n')
f.write('z = ' + hex(zz)[2:].zfill(64) + '\n')
f.write('pubkey = ' + pb.hex())
def modinv(v):
return pow(v, N-2, N)
def getx(Q):
return int(Q[1:33].hex(), 16)
def minimum_sigs_required(num_bits):
return math.ceil(1.03 * 4 / 3 * 256 / num_bits)
def identity_plus2(u, elem=1):
m=[[0 for x in range(u+2)] for y in range(u)]
for i in range(0,u):
m = elem
return m
#==============================================================================
n = 1 + minimum_sigs_required(fix_bits)
print(f'\n Fixed Nonce bits = {fix_bits} Minimum Signature Required = {n}')
# example secret = 0x7cf5d79d200207963474c64e64bde80ff4cb3e225b6ac5b6e958522fdab60578
secret = random.randint(1,N)
pub = ice.scalar_multiplication(secret)
print('###############################################################################')
print(f'secret: {hex(secret)}')
print(f'Pubkey: {pub.hex()}')
print('###############################################################################')
fixed_k_prefix = random.randrange(2**kbits, N)
#S = ((Z + (X * R)) / K) % N
z = [random.randrange(1, N) for i in range(n)]
nonces = [random.randrange(1, 2**kbits) + fixed_k_prefix for i in range(n)]
sigs_r = [getx(ice.scalar_multiplication(nonces)) for i in range(n)]
sigs_s = [( (z + secret * sigs_r) * modinv(nonces) )%N for i in range(n)]
sinv = [modinv(sigs_s) for i in range(n)]
write_rsz_file(sigs_r, sigs_s, z, pub)
###############################################################################
matrix = identity_plus2(n-1, N)
# Add last 2 rows
row, row2 = [], []
[zn, rn, sn] = [z[-1], sigs_r[-1], sigs_s[-1]]
rnsn_inv = rn * modinv(sn)
znsn_inv = zn * modinv(sn)
# 2nd to last row: [r1(s1^-1) - rn(sn^-1), ... , rn-1(sn-1^-1) - rn(sn^-1), 2^176/order, 0 ]
# last row: [m1(s1^-1) - mn(sn^-1), ... , mn-1(sn-1^-1) - mn(sn^-1), 0, 2^176]
for i in range(n-1):
row.append((sigs_r * modinv(sigs_s)) - rnsn_inv)
row2.append((z * modinv(sigs_s)) - znsn_inv)
# add last elements of last two rows, B = 2**(256-80) for yubikey
row.append((2**kbits) / N)
row.append(0)
row2.append(0)
row2.append(2**kbits)
matrix.append(row)
matrix.append(row2)
print(' Original Matrix')
print(matrix)
###############################################################################
new_matrix = olll.reduction(matrix, 0.75)
print('\n\n Reduced Matrix')
print(new_matrix)
for row in new_matrix:
potential_nonce_diff = row[0]
# print('k=', hex(potential_nonce_diff))
# modinv(r3 * s1 - r1 *s3) * (s3 * m1 - s1 * m3 - s1 * s3 *(k1 - k3))
potential_priv_key = (sn * z[0]) - (sigs_s[0] * zn) - (sigs_s[0] * sn * potential_nonce_diff)
potential_priv_key *= modinv((rn * sigs_s[0]) - (sigs_r[0] * sn))
potential_priv_key = potential_priv_key % N
# print('PK=', hex(potential_priv_key))
# check if we found private key by comparing its public key with actual public key
if ice.scalar_multiplication(potential_priv_key) == pub:
print('-'*75)
print(f' found private key = {hex(potential_priv_key)}')
print('-'*75)
I can't understand this Python code. Anyone write the Sagemath code?
LLL_nonce_leakage.py -->> simple Sagemath code
download or clone the file from here to the same directory you have the LLL program. you need to use ice_secp256k1.dll or .so for linux to use this program.. https://github.com/iceland2k14/secp256k1 |
|
|
|
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x
s=0x
z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
def calc_u(r,s,z):
mod_s= modinv(s,n)%n
u1=mod_s*z%n
u2=mod_s*r%n
print("u1==",u1,"n-u1=",n-u1)
print("u2==",u2,"n-u2=",n-u2)
return u1,u2
u1, u2 = calc_u(r,s,z)
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
# Find the real mod n for k and K nonce
# Loop to search for k in hexadecimal
for i in range(0, n):
k = (r * i + z) * modinv(s, n) % n
R = E.lift_x(Integer(r))
P = k * G
print("K:", hex(P.xy()[0])) # Print the x-coordinate of K in hexadecimal
if hex(P.xy()[0]) == hex(r):
print("Found real k:", hex(P.xy()[0])) # Print the real k in hexadecimal
break
i just updated the code in sagemath. error again, I try remove error, same error: k = ((r * i%n + z%n)%n * modinv(s, n) % n)%n File "sage/structure/element.pyx", line 1921, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13675) File "sage/structure/coerce.pyx", line 1167, in sage.structure.coerce.CoercionModel_cache_maps.bin_op (build/cythonized/sage/structure/coerce.c:9612) File "sage/structure/element.pyx", line 1919, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13640) File "sage/structure/element.pyx", line 1954, in sage.structure.element.Element._mod_ (build/cythonized/sage/structure/element.c:13933) TypeError: unsupported operand parent(s) for %: 'Symbolic Ring' and 'Symbolic Ring' that's impossible. Have you insert your rsz? I did with 3 different sets of rsz. The signature verified. And the code works. im use this rsz bro: r= 115780575977492633039504758427830329241728645270042306223540962614150928364886 s= 115784413730767153834193500621449522112098284939719838943229029456606672741370 z= 2 ? lol. of course that wont work. its not real rsz |
|
|
|
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x
s=0x
z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
def calc_u(r,s,z):
mod_s= modinv(s,n)%n
u1=mod_s*z%n
u2=mod_s*r%n
print("u1==",u1,"n-u1=",n-u1)
print("u2==",u2,"n-u2=",n-u2)
return u1,u2
u1, u2 = calc_u(r,s,z)
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
# Find the real mod n for k and K nonce
# Loop to search for k in hexadecimal
for i in range(0, n):
k = (r * i + z) * modinv(s, n) % n
R = E.lift_x(Integer(r))
P = k * G
print("K:", hex(P.xy()[0])) # Print the x-coordinate of K in hexadecimal
if hex(P.xy()[0]) == hex(r):
print("Found real k:", hex(P.xy()[0])) # Print the real k in hexadecimal
break
i just updated the code in sagemath. error again, I try remove error, same error: k = ((r * i%n + z%n)%n * modinv(s, n) % n)%n File "sage/structure/element.pyx", line 1921, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13675) File "sage/structure/coerce.pyx", line 1167, in sage.structure.coerce.CoercionModel_cache_maps.bin_op (build/cythonized/sage/structure/coerce.c:9612) File "sage/structure/element.pyx", line 1919, in sage.structure.element.Element.__mod__ (build/cythonized/sage/structure/element.c:13640) File "sage/structure/element.pyx", line 1954, in sage.structure.element.Element._mod_ (build/cythonized/sage/structure/element.c:13933) TypeError: unsupported operand parent(s) for %: 'Symbolic Ring' and 'Symbolic Ring' that's impossible. Have you insert your rsz? I did with 3 different sets of rsz. The signature verified. And the code works. |
|
|
|
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x
s=0x
z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
def calc_u(r,s,z):
mod_s= modinv(s,n)%n
u1=mod_s*z%n
u2=mod_s*r%n
print("u1==",u1,"n-u1=",n-u1)
print("u2==",u2,"n-u2=",n-u2)
return u1,u2
u1, u2 = calc_u(r,s,z)
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
# Find the real mod n for k and K nonce
# Loop to search for k in hexadecimal
for i in range(0, n):
k = (r * i + z) * modinv(s, n) % n
R = E.lift_x(Integer(r))
P = k * G
print("K:", hex(P.xy()[0])) # Print the x-coordinate of K in hexadecimal
if hex(P.xy()[0]) == hex(r):
print("Found real k:", hex(P.xy()[0])) # Print the real k in hexadecimal
break
i just updated the code in sagemath. |
|
|
|
I had made a little change in my code. im just hoping i could receive some advice on whether my method here is more efficient or sound? i got really lucky because i was told that 6 weeks was really fast. but.. i am hoping to go faster. so my question is, please take a look at my code in sagemath, and see what i might have miss out or can improve to make it much better? and while im here, i was told the u1 value some sort of give a "hint" on the k nonce. i realise that it just really is the real mod n of k nonce only but its not k nonce itself, please check my code to see where i can improve. thank you.
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x
s=0x
z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
def calc_u(r,s,z):
mod_s= modinv(s,n)%n
u1=mod_s*z%n
u2=mod_s*r%n
print("u1==",u1,"n-u1=",n-u1)
print("u2==",u2,"n-u2=",n-u2)
return u1,u2
u1, u2 = calc_u(r,s,z)
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
# Find the real mod n for k and K nonce
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
R = E.lift_x(Integer(r))
K = k * G
u1 = (modinv(s, n) * z) % n
u2 = (modinv(s, n) * r) % n
if K == (u1 * G + u2 * R):
print("Found real k:", k)
break
|
|
|
|
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.
you are suppose to fill in the rsz after each 0x in case you need the full code i had use in sagemath.
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
r=0x
s=0x
z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
# Function to check if a point's x-coordinate matches r
def check_k(k):
P = k * G
return P.x() == r
# Iterate to find the correct k
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
if check_k(k):
print(f"Found correct k: {k}")
private_key = (s * k - z) * modinv(r, n) % n
print(f"Private Key: {private_key}")
break
Thank you very mach for your code, mister @COBRAS @krashfire Please give me an example rsz if your code works correctly. sample rsz  r=0x s=0x z=0x And, if 2 signatures match how long, it takes to K nonce editi got error, public_key1 (37231416379298332252575862495769965965364321245932635159006725536777825338696 : 9676366176353189190669004767334277632269117223198125569199055354600699161111 : 1) pub1_x= 0x52503c225437e35c61b9ee5ec88ea71600e7a710dbebac88b27c2d1a667ac548 public_key2 (84773528361026042599480815013664408603889872484555722313313932231857335756436 : 21504221066078790871098131651817310599861599747961732812418866800256292472755 : 1) pub2_x= 0xbb6c1de01f36618ae05f7c183c22dfa8797e779f39537752c27e2dc045b0e694 signature matches
signature matches--------------------------------------------------------------------------- AttributeError Traceback (most recent call last) Cell In [1], line 83 81 for i in range(Integer(1), n): 82 k = (r * i + z) * modinv(s, n) % n ---> 83 if check_k(k): 84 print(f"Found correct k: {k}") 85 private_key = (s * k - z) * modinv(r, n) % n Cell In [1], line 78, in check_k(k) 76 def check_k(k): 77 P = k * G ---> 78 return P.x() == r File /home/sc_serv/sage/src/sage/structure/element.pyx:489, in sage.structure.element.Element.__getattr__() 487 AttributeError: 'LeftZeroSemigroup_with_category.element_class' object has no attribute 'blah_blah'... 488 """ --> 489 return self.getattr_from_category(name) 490 491 cdef getattr_from_category(self, name) noexcept: File /home/sc_serv/sage/src/sage/structure/element.pyx:502, in sage.structure.element.Element.getattr_from_category() 500 else: 501 cls = P._abstract_element_class --> 502 return getattr_from_other_class(self, cls, name) 503 504 def __dir__(self): File /home/sc_serv/sage/src/sage/cpython/getattr.pyx:362, in sage.cpython.getattr.getattr_from_other_class() 360 dummy_error_message.cls = type(self) 361 dummy_error_message.name = name --> 362 raise AttributeError(dummy_error_message) 363 att |
|
|
|
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.
in case you need the full code i had use in sagemath.
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
r=0x
s=0x
z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
# Function to check if a point's x-coordinate matches r
def check_k(k):
P = k * G
return P.x() == r
# Iterate to find the correct k
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
if check_k(k):
print(f"Found correct k: {k}")
private_key = (s * k - z) * modinv(r, n) % n
print(f"Private Key: {private_key}")
break
|
|
|
|
|
I currently ran the program on i9 processor and a Nvidia 3090 GPU.
|
|
|
|
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.
wow. Thank you. Please do. I still feel 6 weeks is too long though. I just got lucky. |
|
|
|
Hi everyone, im currently using this calculation written by ecdsa123 to get to K nonce. # Function to check if a point's x-coordinate matches r
def check_k(k):
P = k * G
return P.x() == r
# Iterate to find the correct k
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
if check_k(k):
print(f"Found correct k: {k}")
private_key = (s * k - z) * modinv(r, n) % n
print(f"Private Key: {private_key}")
break
i got the correct k nonce (256 bits) using his method after 6 weeks. i am just wondering is there a more effective way to solve for k nonce faster? is there a way for direct calculations from the given the values? 6 weeks is very fast !!! have you result from real srz from btc transaction ? yes the result is from real rsz from a dormant wallet of 8 years. |
|
|
|
i did. it went i Hi everyone, im currently using this calculation written by ecdsa123 to get to K nonce. # Function to check if a point's x-coordinate matches r
def check_k(k):
P = k * G
return P.x() == r
# Iterate to find the correct k
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
if check_k(k):
print(f"Found correct k: {k}")
private_key = (s * k - z) * modinv(r, n) % n
print(f"Private Key: {private_key}")
break
i got the correct k nonce (256 bits) using his method after 6 weeks. i am just wondering is there a more effective way to solve for k nonce faster? is there a way for direct calculations from the given the values? expand code,add formulas for r,s,z and after ask openai, in my situations this help. openai find bast and fastest solution regards i did it went into some imaginary calculations that wasted my time, sometimes 2 days until i realize the calculations are not right. |
|
|
|
OH Hi everyone, im currently using this calculation written by ecdsa123 to get to K nonce. # Function to check if a point's x-coordinate matches r
def check_k(k):
P = k * G
return P.x() == r
# Iterate to find the correct k
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
if check_k(k):
print(f"Found correct k: {k}")
private_key = (s * k - z) * modinv(r, n) % n
print(f"Private Key: {private_key}")
break
i got the correct k nonce (256 bits) using his method after 6 weeks. i am just wondering is there a more effective way to solve for k nonce faster? is there a way for direct calculations from the given the values? Maybe this can help, this about nonce https://bitcointalk.org/index.php?topic=5491531.0[/quote oh..ok thank you bro. |
|
|
|
|
