 Show Posts
|
|
Pages: « 1 2 [3] 4 5 6 »
|
Hi everyone, im currently using this calculation written by ecdsa123 to get to K nonce. # Function to check if a point's x-coordinate matches r
def check_k(k):
P = k * G
return P.x() == r
# Iterate to find the correct k
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
if check_k(k):
print(f"Found correct k: {k}")
private_key = (s * k - z) * modinv(r, n) % n
print(f"Private Key: {private_key}")
break
i got the correct k nonce (256 bits) using his method after 6 weeks. i am just wondering is there a more effective way to solve for k nonce faster? is there a way for direct calculations from the given the values? |
|
|
|
Hi.. I need help. 1) I have been getting this error. I downloaded it here.>>> https://github.com/bitlogik/lattice-attackhowever, i have been getting errors. i wanted to check on weak edcsa but i couldn't get this program to run properly. even when i use the sample that comes with it and the gen_data.py ...it still dont work. is there something i need to change? python3 lattice_attack.py ----- Lattice ECDSA Attack ----- Loading data from file data.json Running with 6 bits of k (LSB) Starting recovery attack (curve SECP256K1) Constructing matrix Solving matrix ... LLL reduction Traceback (most recent call last): File "/home/krash/lattack/lattice_attack.py", line 259, in <module> lattice_attack_cli(arg.f, arg.l) File "/home/krash/lattack/lattice_attack.py", line 239, in lattice_attack_cli result = recover_private_key( File "/home/krash/lattack/lattice_attack.py", line 195, in recover_private_key res = test_result(lattice, pub_key, curve) File "/home/krash/lattack/lattice_attack.py", line 93, in test_result if target_pubkey == ecdsa_lib.privkey_to_pubkey(cand1, curve): File "/home/krash/lattack/ecdsa_lib.py", line 129, in privkey_to_pubkey ec.derive_private_key(pv_key_int, ec_backend, backends.default_backend()) File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 332, in derive_private_key raise TypeError("private_value must be an integer type.") TypeError: private_value must be an integer type. What is wrong here?? 2)If i wanna input my own datas in (RSZ,hashes) which file should i change it at? Thank you for your advise and help in advance. It seems like you're encountering an error related to the type of the private key value in the lattice_attack.py script. The error message "private_value must be an integer type" suggests that there might be an issue with the format of the private key value being used. To troubleshoot this issue, you should check the data file data.json that you're loading. Make sure that the private key values are stored as integers. If they are stored as strings or in a different format, you may need to convert them to integers before passing them to the relevant functions. Regarding your second question, if you want to input your own data for (RSZ, hashes), you'll need to modify the data.json file directly. This file likely contains a JSON object with keys corresponding to different parameters used in the attack, such as the number of bits of the secret key k, the public key pubkey, and possibly other parameters like RSZ and hashes. Simply locate the relevant keys in the JSON object and replace the existing values with your own data. Ensure that the format of your data matches what the script expects. After making the changes, save the file and rerun the script. Make sure to follow any specific instructions or conventions regarding the format of the data within the script's documentation or comments. this was posted back in september 2022. i already figure it out. it was the fpylll library. cant run with sagemath. need to uninstall the sagemath and then fpylll can be use. |
|
|
|
|
but thats for probably 128 bits? sure it can be that fast but 256 bits, i dont think so. im running your code. been 5 hours in so far.
|
|
|
|
# Compute the new signature point
P = k * G (k = your new k on test)
# Check if the x-coordinate of the signature point matches r
if P.x() == r:
print(f"Found k candidate: {k:x} ")
private_key = (s * k - z) * mod_inv(r, n) % n
print("Private Key : %02x " % private_key)
Thank You!! |
|
|
|
on sagemath
-------------------------------
sage:#prime [type:integer] but prime
sage:P = 115792089237316195423570985008687907853269984665640564039457584007908834671663
sage:#Elliptic Curve y2=x3+7 for P [type:curve]
sage:E = EllitpicCurve(GF(P),[0,7])
sage:#Elliptic Curve Order [type:integer]
sage:N = E.order()
sage:#Base Point G [type:point]
sage:G= E(55066263022277343669578718895168534326250603453777594175500187360389116729240,32670510020758816978083085130507043184471273380659243275938904335757337482424)
sage:# "public_key = secret*G" or "public_key = E(pubkey_x,pubkey_y)" [type:point], we know "pubkey_x,pubkey_y"
sage:public_key = E(pubkey_x,pubkey_y)
sage:# "K=random_number*G" [type:point] than "r = K[0]" [type:integer] , you known "r"
sage:K = E.lift_x(r)
sage:#K is_correct ? we don't know
sage:r = your_value #[type:integer]
sage:s = your_value #[type:integer]
sage:z = your_value #[type:integer]
sage:w = 1/s %N
sage:u1 = z * w %N
sage:u2 = r * w %N
sage:#correct "K" point [type:point]
sage:u2*public_key + u1*G #[type:point]
sage:+K == u2*public_key + u1*G #(true or false)
sage:-K == u2*public_key + u1*G #(true or false)
sage r == Integer(+K[0]) #(true or false) [type:integer]
sage r == Integer(-K[0]) #(true or false) [type:integer]
sage:var("k x")
sage:k*s == r*x+z #[type:variable]
sage : K*s == r*public_key + z*G #[type:point] (true or false)
this line type: point
R = E.lift_x(r)
Ok. Got it. Thank you so much! But I still need to verify the K value found. How do I do it correctly? Your method only shows whether K+ or K- is the correct one. But I still need to verify the K value by brute forcing. So how do I write the code to verify the K found? |
|
|
|
Hello there
"R = E.lift_x(r)"
there are 2 possibilities in this line for point R
"R" or "-R"
If "public_key" is not a string but a "point" object(like G) with "E" element (Ellipric Curve)
"R= u2*public_key + u1*G"
it's the right thing to do.
Thank you.
So you are saying i should instead write it like this?
def verify(r, s, z, public_key, k):
# Compute modular inverse of s
w = modinv(s, n)
# Compute u1 and u2
u1 = z * w % n
u2 = r * w % n
# Compute R using the provided x-coordinate r
R = E.lift_x(r)
# Compute the candidate public key using the provided k value
candidate_public_key = u1 * public_key + u2 * G
# Check if the x-coordinate of the computed R matches that of the candidate public key
if R[0] == candidate_public_key[0]:
print("Signature matches")
return True
else:
print("Invalid signature")
return False
|
|
|
|
How do i verify if the found K value is the correct value given for an R signature and a public key? i really need help for someone to check my code.
def verify(r, s, z, public_key, k):
w = modinv(s, n)
u1 = z * w % n
u2 = r * w % n
R = E.lift_x(r)
# Compute the candidate public key using the known k value
candidate_public_key = u1 * G + u2 * R
if public_key == candidate_public_key:
print("Signature matches")
return True
else:
print("Invalid signature")
return False
def find_k_bruteforce(r, s, z, pub):
i = 1
max_iterations = 1000 # Add a maximum iteration limit
while i <= max_iterations:
k = (r * i + z) * modinv(s, n) % n
print("i=", i, "k==", hex(k))
# Verify the signature using the candidate k
if verify(r, s, z, pub, k):
print("Found k:", hex(k))
return k
else:
print(f"Attempt {i}: Incorrect k value {hex(k)}")
i += 1 # Increment i for the next iteration
raise Exception("Failed to find a valid k value within the maximum iterations")
how do i verify the k value found? my calculations are wrong. it verifies the wrong k value. |
|
|
|
OK i would like to say, till now i get all the puzzles from 1 to 65 faster than letīs say kangaroo, and the code i have, is write in python !!
I would like to put a picture here in, so maybe it explain more, but i donīt know how to do it.
My maths. but something is off. i still feel its not right somewhere. import random
import hashlib
from sage.crypto.util import ascii_to_bin
from sage.arith.misc import random_prime
from sage.crypto.util import ascii_to_bin
from sage.crypto.util import bin_to_ascii
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
r = 0x
s = 0x
z = 0x
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r, s, z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
u_n2 = modinv(u2, n) % n
u_n1 = - u1 * modinv(u2, n) % n
pub = u_n1 * G + u_n2 * R
pub2 = u_n1 * G + u_n2 * (-R)
return pub, pub2
def calc_u(r, s, z):
mod_s = modinv(s, n) % n
u1 = mod_s * z % n
u2 = mod_s * r % n
print("u1 =", hex(u1), "n-u1 =", hex(n - u1))
print("u2 =", hex(u2), "n-u2 =", hex(n - u2))
return u1, u2
u1, u2 = calc_u(r, s, z)
def verify(r, s, z, pub, k):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D = u1 * G + u2 * pub
x, y = D.xy()
x = int(x)
if (r % n) == (x % n):
print(f"Signature k matches: {hex(k)} ")
return True
else:
print(f"Signature k is invalid {hex(k)} ")
return False
# Calculate the modular inverse of s (w = s^(-1) mod n)
g, x, y = egcd(s, n)
w = x % n
def find_k(r, s, z, pub):
# Step 1: Calculate w = s^(-1) mod n
w = int(modinv(s, n))
# Step 2: Calculate u1 and u2
u1 = int((z * w) % n)
u2 = int((r * w) % n)
# Step 3: Recover the elliptic curve point R
R = u1 * G + u2 * pub
# Extract x-coordinate from R
x_R, _ = R.xy()
x_R = int(x_R)
# Calculate k
k = (x_R - z) * modinv(w, n) % n
print("k:",k)
return k
# Call the function to find k
k = find_k(r, s, z, pub1)
print("Found k:", hex(k))
pub1, pub2 = make_public(r, s, z)
print("public_key1", pub1)
print("pub1_x=", hex(pub1.xy()[0]))
print("public_key2", pub2)
print("pub2_x=", hex(pub2.xy()[0]))
print("Step 1: Calculate g, x, y using extended Euclidean algorithm")
print("g:", hex(g))
print("x:", hex(x))
print("y:", hex(y))
print("Step 2: Calculate w (modular inverse of s)")
print("Calculated w:", hex(w))
print()
def find_k_bruteforce(r, s, z, pub):
i = 1
while True:
k_candidate = (r * i + z) * modinv(s, n) % n
# Verify the signature using the candidate k
if verify(r, s, z, pub, k_candidate):
print("Found k:", hex(k_candidate))
break
else:
print(f"Attempt {i}: Incorrect k value {hex(k_candidate)}")
i += 1 # Increment the attempt counter
# Call the function to find k using brute force
find_k_bruteforce(r, s, z, pub1)
def find_private_key(r, s, z, k, pub):
# Calculate w = s^(-1) mod n
w = int(modinv(s, n))
# Calculate u1 and u2
u1 = int((z * w) % n)
u2 = int((r * w) % n)
# Recover the elliptic curve point R
R = u1 * G + u2 * pub
# Extract x-coordinate from R
x_R, _ = R.xy()
x_R = int(x_R)
# Calculate private key d
d = (k * x_R - z) * modinv(r, n) % n
return d
def find_private_key_bruteforce(r, s, z, k, pub, i):
k_candidate = (r * i + z) * modinv(s, n) % n
# Calculate private key d
d = (k_candidate * r - z) * modinv(k_candidate, n) % n
return d
# Call the function to find k using the formula-based approach
k_formula = find_k(r, s, z, pub1)
d_formula = find_private_key(r, s, z, k_formula, pub1)
print("Private key (formula-based):", hex(d_formula))
# Call the function to find k using brute force
k_bruteforce = find_k_bruteforce(r, s, z, pub1)
i_bruteforce = 1
d_bruteforce = find_private_key_bruteforce(r, s, z, k_bruteforce, pub1, i_bruteforce)
print(f"Private key (brute-force attempt {i_bruteforce}):", hex(d_bruteforce))
guessed_k_values = []
i = 1
while True:
k = (r * i + z) * modinv(s, n) % n
# Calculate R using the guessed k value
guessed_R = k * G
guessed_k_values.append((i, k, guessed_R))
# Check if the guessed R value matches the original r value
if guessed_R.xy()[0] == r:
print(f"The correct k value ({k}) for iteration {i} is found.")
# Calculate the private key using the correct k value
d_bruteforce = find_private_key_bruteforce(r, s, z, k, pub1, i)
print(f"Corresponding private key: {hex(d_bruteforce)}")
break # Exit the loop if the correct k is found
i += 1 # Increment the iteration counter
|
|
|
|
@krashfire it works, but you need more knowledge -> write PM
the correct code
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)) # Base point
r=0x00fc5e2ab560be4649b85511940daf8302cf2e2e06bfd60a75c8bae5f832da289c
s=0x45c4c9d548699bbc5f3484a2d6d59ac07ea3328a1deb6b2bb9f2f8f0727be1de
z=0x6559f4e4b8d7824a641418b992f913411a1995fa35668c8c634b5a19a93a944c
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
def calc_u(r,s,z):
mod_s= modinv(s,n)%n
u1=int(mod_s*z%n)
u2=int(mod_s*r%n)
print("u1:",hex(u1) , "n-u1:",hex(n-u1))
print("u2:",hex(u2) , "n-u2:",hex(n-u2))
return u1,u2
u1 , u2 = calc_u(r,s,z)
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
i = 1
u_matches = []
while True:
k = (r * i + z) * modinv(s, n) % n
print("Invalid nonce K:", hex(k))
if k == u1:
print("Match found for u1 at i =", i)
u_matches.append(("u1", i))
if k == u2:
print("Match found for u2 at i =", i)
u_matches.append(("u2", i))
if k == (n - u1):
print("Match found for n - u1 at i =", i)
u_matches.append(("n - u1", i))
if k == (n - u2):
print("Match found for n - u2 at i =", i)
u_matches.append(("n - u2", i))
if len(u_matches) == 4:
print("Matches found for u values:", u_matches)
break # Break the loop if matches for all u values are found
i += 1
|
|
|
|
so how can we know the range of K that was used for a set of rsz signature? if we do not know, then jean luc's kangaroo algorithm https://github.com/JeanLucPons/Kangaroo is not much help too isnt't it? coz to search the vast amount of keys even with kangaroo algorithm is time consuming. |
|
|
|
Demining - SCAMER !!!! ALL HIS CODES FAKE AND NOTHING FOUND !!! HI USE TRANSLATOR FROM ARTICLES, HI NO AUTHOR OF MANY OF HIS RESEARCH
Shit. I really thought he had one. Im just going to leave this post here then. So everyone else is aware. Thanks brother. |
|
|
|
So I have been testing the Kangaroo Algorithm by Jean Luc and upgraded by @NotATether for 256 bits. I'm just wondering is there a script to find the range of our private key or K nonce? From demining upload on GitHub it has a range nonce script but you have to pay for it. https://github.com/demining/Kangaroo-by-JeanLucPons?tab=readme-ov-fileIs there a script to find the private key or nonce range that someone here is aware of? |
|
|
|
This have anyone actually tried this? How realistic is this programme? It somehow sends fake information to the mining pool on the amount of hashes it actually has and squat on the same network as other Bitcoin miners and take a share too.. can someone explain this? Or... Make it better ? 🤭 https://github.com/TheBes3rdsGroup/Bitcoin-Hijacking/blob/main/rewards.py |
|
|
|
What are the chances of anyone accidentally creating the same Bitcoin address? Is it remotely possible or there is some kind of checks before network, software, God or something would do a check first before approving the Bitcoin address. Again, I'm just thinking out loud. Hmmm...🤔
This question is just like you asking your parents to give birth to somebody just exactly like you in resemblance, character, attitude and every aspect of you and do you think you will be of the same age too? This question you have asked is rhetorical. If that should happen then what is the possibility that your funds would be safe because the probability of having same wallet keys is narrow if it is feasible. So OP, I do not think you will really get a clearer picture of what you want neither will you get a direct answer for this question you have just asked. Just as LoyceV has said, you can start that way and wait for your answer. that's a stupid anology. But kudos for trying to act your thoughts mattered. Go fuck yourself. |
|
|
|
Here is a good parable. Given your example of 1 billion users at 10 addresses each:
There are 2^160 or about 1,460,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possible addresses
In your scenario, 1,000,000,000 people are using 10 addresses each for a total of 10,000,000,000 possible addresses
10,000,000,000 / 2^160 should yield the probability of a collision occurring
10,000,000,000 / 2^160 = 0.00000000000000000000000000000000000000684
So the chances of a collision occurring in your scenario are approximately 0.000000000000000000000000000000000000684%
Possibility increases drastically when there is divine intervention.  lol I like your answer.
There's an answer in old thread, my suggestion if you have a question, it's better to use google search by type "bitcointalk.org: your question", but if you don't find any answer then you can create new thread. AFAIK I haven't see anyone create a thread when they create a new wallet, the wallet have been funded (which mean someone have been use this existing wallet). This would be called a "collision" and is highly unlikely.
Keys are 256 bit in length and are hashed in a 160 bit address.(2^160th power) Divide it by the world population and you have about 215,000,000,000,000,000,000,000,000,000,000,000,000 addresses per capita.(2.15 x 10^38)
alright. Noted. [moderator's note: consecutive posts merged] |
|
|
|
|
What are the chances of anyone accidentally creating the same Bitcoin address? Is it remotely possible or there is some kind of checks before network, software, God or something would do a check first before approving the Bitcoin address. Again, I'm just thinking out loud. Hmmm...🤔
|
|
|
|
https://bitcointalk.org/index.php?topic=428589.0 go there ask them. Ps, OpenAI is just a dumb mockup, ask here again and tell her and you are getting wrong results, she'll probably say; my apology, here is the correct code, which again is a wrong code. Lol. yup. This dude is not lying. I tried it. 1 week. Pisses me off so much. If it's not indent issues..then they give you the correct code..but indentation issues again... I somehow realize too... That they are limited by the a certain number in their response. It always seem to cut off before completing the code. |
|
|
|
I would just like to open a technical discussion about K nonce in ECDSA SECP256k1. There are mathematical methods to solve for k. One common mathematical method is called the "Gauss's algorithm". This algorithm can solve for k given the values of r, s, z, and the public key. However, it involves some complex mathematical operations. Another approach is to use the "Fermat's little theorem". This theorem states that if p is a prime number, then for any integer a, a raised to the power of p minus one is congruent to 1 modulo p, i.e., a^(p-1) = 1 (mod p). In the context of ECDSA, this means that if we have the values of r, s, and z, we can solve for k using the following formula: k = (z / s)^(1/(p-1)) % p where p is the order of the curve. However, this formula assumes that the curve order is known, and that s is not equal to 0. Am i right? In any case, here is my python code for the Gaussian Algorithm
import ecdsa
from ecdsa.numbertheory import inverse_mod
import os
# Define the signature parameters
r = 0xXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
s = 0xXxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
z = 0xabfe1xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
# Define the file to store tried k values
k_file = 'tried_k.txt'
# Define the public key
public_key_hex = '02xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx'
public_key = bytes.fromhex(public_key_hex)
# Define the secp256k1 curve parameters
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a = 0x0000000000000000000000000000000000000000000000000000000000000000
b = 0x0000000000000000000000000000000000000000000000000000000000000007
Gx = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
Gy = 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8
curve = ecdsa.SECP256k1
# Define the helper functions
def mod_inv(a, n):
"""Return the modular inverse of a mod n."""
return inverse_mod(a, n)
def mod_sqrt(a, p):
"""Return the modular square root of a mod p."""
return pow(a, (p + 1) // 4, p)
# Define the signature point
R = ecdsa.ellipticcurve.Point(curve.curve, r, mod_sqrt((r**3 + a*r + b) % p, p), curve.generator.order())
# Define the function to find the value of k
def get_k(r, s, z):
"""Find the value of k given r, s, and z."""
# Load previously tried values of k
if os.path.exists(k_file):
with open(k_file, 'r') as f:
for line in f:
tried_k.add(int(line.strip()))
k_candidates = []
for j in range(1, 2**16):
# Compute k = (z + j*order) / r
k = (z + j * curve.generator.order()) * mod_inv(r, curve.generator.order()) % curve.generator.order()
# Compute the signature point
P = s * R + (-k % curve.generator.order()) * curve.generator
# Check if the x-coordinate of the signature point matches r
if P.x() == r:
k_candidates.append(k)
# Print progress message
if j % 2 == 0:
print(f"Processed {j} values of j...")
return k_candidates
# Call the function to get the value of k
k_candidates = get_k(r, s, z)
print(k_candidates)
And here for the Fermat's little theorem
import ecdsa
import time
import os
from ecdsa import SigningKey, VerifyingKey, SECP256k1
from hashlib import sha256
def nonce_recovery(r, s, z, k_guess, public_key_bytes):
public_key = VerifyingKey.from_string(public_key_bytes, curve=SECP256k1).to_string()[:32]
private_key = SigningKey.from_string(public_key, curve=SECP256k1)
# Load previous guesses from a file if it exists
previous_guesses = set()
if os.path.exists('previous_guesses.txt'):
with open('previous_guesses.txt', 'r') as f:
previous_guesses = set(int(line.strip()) for line in f)
# Load the last guess from a file if it exists, otherwise use the supplied guess
if os.path.exists('last_guess.txt'):
with open('last_guess.txt', 'r') as f:
k_guess = int(f.read())
k_inv = pow(k_guess, -1, SECP256k1.order)
r_inv = pow(r, -1, SECP256k1.order)
s_inv = pow(s, -1, SECP256k1.order)
x = ((z % SECP256k1.order) * s_inv) % SECP256k1.order
k_guess = ((x * r_inv) % SECP256k1.order) - k_inv
signature = (r, s)
while True:
# Check if the new guess has already been made before
if k_guess in previous_guesses:
k_guess += 1
continue
private_key = SigningKey.from_secret_exponent((k_guess % SECP256k1.order), curve=SECP256k1)
test_signature = private_key.sign_digest(sha256(str(z).encode()).digest(), sigencode=ecdsa.util.sigencode_der)
if test_signature == signature:
return k_guess
# Store the guess in the set of previous guesses
previous_guesses.add(k_guess)
# Store the last guess in a file
with open('last_guess.txt', 'w') as f:
f.write(str(k_guess))
k_guess += 1
# Print progress
if k_guess % 5 == 0:
print(f"Cracking: {k_guess}")
# Sleep for a short time to avoid overwhelming the console
time.sleep(0.01)
# Example usage:
r = 0x00e1dexxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
s = 0x1dd56xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
z = 0xabfe106fbxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
k_guess = 1000000000
public_key= bytes.fromhex('0245axxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx')
result = nonce_recovery(r, s, z, k_guess, public_key)
print(result)
If there is anything i can do to optimise my program further. please do advise me. thank you. |
|
|
|
|
Twist attack formula. I understood now. Let me code it but cannot be done on Python. Too slow. Will do in C Or Go Lang. I will figure it out. Get back to you.
|
|
|
|
Python code for those of you who are looking to create 100 or more R,s,z signatures. The sigs are created via the public key. However, it is important to note that these signatures would not be unique and would not have any real-world meaning or value. Here is an example in Python using the cryptography library:
import os
import hashlib
from cryptography.hazmat.backends import default_backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
private_key = ec.generate_private_key(ec.SECP256K1(), default_backend())
public_key = private_key.public_key()
for i in range(100):
data = os.urandom(32)
signature = private_key.sign(data, ec.ECDSA(hashes.SHA256()))
# Extract the values of 'r', 's', 'z' from the signature
r, s = signature
z = int.from_bytes(hashlib.sha256(data).digest(), 'big')
# Print the values of 'r', 's', 'z'
print("r:", r)
print("s:", s)
print("z:", z)
If you need to make more, change the 100 here to any amount you need. Just giving you guys a little help. Cheers. And here is the code to generate 100 signatures with k nonce reveal.
import ecdsa
import random
# Define the secp256k1 curve
curve = ecdsa.SECP256k1
# Generate 100 random private keys
private_keys = [ecdsa.SigningKey.generate(curve=curve) for i in range(100)]
# Create signatures using the private keys and random messages (z)
signatures = []
for i in range(100):
z = random.randint(0, 2**256)
private_key = private_keys[i]
public_key = private_key.get_verifying_key()
signature = private_key.sign_digest(z.to_bytes(32, 'big'), sigencode=ecdsa.util.sigencode_der)
r, s = ecdsa.util.sigdecode_der(signature, curve.generator.order())
signatures.append((z, r, s))
# Get the nonce (k) for each signature
nonce = []
for i in range(100):
z, r, s = signatures[i]
k = ecdsa. SigningKey.from_public_key(public_key, curve=curve).verifying_key.recover_session_key(z.to_bytes(32, 'big'), (r, s), hashfunc=ecdsa.util.sha256, sigdecode=ecdsa.util.sigdecode_der)
nonce.append(k)
# The 100 signatures, Z values, and nonce values are stored in the signatures, Z, and nonce lists, respectively.
Bro can you make a code for sigh with enother curve with enother order and another base point ? This curve is a twist of secp256k1 data of a curve: p = 115792089237316195423570985008687907853269984665640564039457584007908834671663 E1 = EllipticCurve(GF(p), [0,1]) data of a Bae Point P11 = E1([85121563011366687025707822879925964033143920255507899862530934382179124106759, 42409656727948788569510737393982221864295921023467166630061319157315739523945]) Data of curve order: ord11 = 20412485227 ? If you make this code maybee our R os S will be poin at a TWIST additional info about twit https://cryptodeeptech.ru/twist-attack/ sure bro. give me a day or 2. i get back to you on the post here. |
|
|
|
|
