 Show Posts
|
|
Pages: [1] 2 3 4 5 6 »
|
Hi
Is it worth to brute force the K nonce?
How fast is it? Is it faster than bsgs mode?
no thats slower. bsgs is better. |
|
|
|
I have been learning about ECDSA ( r s z, public key ,private key ) for about 2 months # 130 Although only one rsz is know , but 1000 rsz can be produced using the public key, the nonce K value will be 240~256 bits 50% - nonce is 256 bit 25% - nonce is 254 bit 25% - nonce is 253~240 bit However, more than 64 rsz must be leaked at the same time to leak more than 12 bits to use lattice-attack # 130 Public Key 0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70 create #130 rsz # 130 rsz 1
r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8
s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e
z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9
# 130 rsz 2
r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822
s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a
z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2
# 130 rsz 3
r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0
s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850
z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e
# 130 rsz 4
r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca
s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9
z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632
# 130 rsz 5
r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9
s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d
z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04
....
....
....
would you mind sharing your code on how you leak the RSZ and how you create more sample for the given public key. thank you |
|
|
|
Offtop, how if your twist attack?
thats done. awhile ago. |
|
|
|
Saw some comments of users looking for R,S,Z Signatures and public key sample for research purposes. So i created a script where you can have a little more details than you need. Its a simple script so you can do your various research that you wish on ECDSA Secp256k1 signatures. you can download it here. https://github.com/KrashKrash/ecdsa-rsz-signature
=== ECDSA Signature Details ===
BTC Address: 1JvF4Bn4yF6GThYEA7pfhp3j8Xb6wu2t8D
Private Key: edb01804beb2e95898648ae87f1fa072d53b3b6f4564e092065bac907f063b9d
Signature (r, s, z):
r: 634e6e5d85360927c64d66bdd616dc58ac6b72cd22fac01c544236b63734ad35
s: 7fe9088b3849cddb82f38ef9244a06c413addb38031ee01a38e675ff28579d8a
z: 6ad532092bb3f4ee012e61df35c95efc7d9e9fa5653c371bc843fa4b3627f01f
k (nonce): 695e5e4c01e8ac9d77b7ecdd9881d50bb397ff7e54e082240a19b714c4de7ef8
PubKey: 034f966cdcc502d17876270349736f6a20f13edb5eccb5a92d1c702a0e059a9ba9
Signature Verification: Valid
just a little more info for you who are just starting out to do the research, some call it z, some call it message(hash) some just call it h. but it means the same thing. message or m = the original message H(m) or h or z = the hash of the message H(m), h or z depending on who you talk to, is the hash of the message. same meaning. I just want to have this information out here so you don't waste your time thinking what is h and what is z. Good luck on your research. |
|
|
|
Interesting, but I'll give you some opinions and if you want, you can implement them in your code to get better and better: Do you know the BIP39 iancolaman website? It's a website that generates a mnemonic, seed, xprivs, derived keys, addresses, etc. It would be great to have a tool like this without needing to be on the website. It's possible to create this all in a script and run it on your machine. It'd also be interesting for the script to generate all types of existing bitcoin addresses: legacy - p2pkh
p2sh-segwit - p2wpkh-p2sh
bech32 - p2wpkh (native segwit v0)
bech32m - p2tr (taproot - native segwit v1) Another similar interesting site for you to base yourself on, each with one more or less functionality: https://bitcoiner.guide/seed/https://gugger.guru/cryptography-toolkit/#!/hd-wallet I don't advise anyone to generate wallets based on scripts we find out there, especially from strangers (unless you know how to review the code), as a bug could happen that could make you lose your funds. But as long as you only use it for learning and testing, it's fine. There are several similar scripts that we can find here on the forum and on this board. you mean like a stand alone? ahh. nice... ok. i will get back to you on this. interesting. |
|
|
|
I like the idea and the implementation. I haven't checked the technical aspect of the code, but the structure and the outcome look good.
I have a similar BASH script in my signature. You can check it out in case you find it interesting too.
thank you. ❤️ |
|
|
|
I saw some comments looking for a sample btc wallet with private and public key so you can run your programs on some samples or you just want to create a wallet so you can be anonymous. i created the btc program that can generate 10 sets of btc address that can give you the btc and eth address from 1 hexadecimal private key. you can download it here. https://github.com/KrashKrash/btc-addr-generatorresult:
----------------------------------------
--------- Crypto Address Set 9 ---------
Private Key (Hexadecimal): e7d0e560866f6937e5e88ada34c618591fb18bb82d79f92b344405cadcc34596
Private Key (Decimal): 104853355314434413654784855654564514135795858537712704988978113470536008025494
Uncompressed Bitcoin Address:
- Bitcoin Address: 1MfYXZomYUCuohussdVB589Pk5F7fny8o2
- Private Key (WIF): 5KaP1YEDyn9B8Fro1jm8mwYiRivXBmkjGG7GE8QZ8i4E4BgSfdE
- Public Key: 0471541d2a80ae53183b511bc69411926eae7a871b36c7fac0c335a2db64156be3e0fff493eed9d00d4e0a873b28a3e5f315ab8a7924cd202e7e53647e2be04694
Compressed Bitcoin Address:
- Bitcoin Address: 1JcAnTReAwE2c77wXoxNYpffGKQWXPLHC5
- Private Key (WIF): L4zL9NqNHcF5h2an6FjoKMkyr83EEYY1YMgeCwgxq2DEcgwAauNt
- Public Key: 0271541d2a80ae53183b511bc69411926eae7a871b36c7fac0c335a2db64156be3
P2SH Bitcoin Address:
- Bitcoin Address: 3NMZT7JD6NXHtscJzj9mVkWKtbXqCce5nb
Bech32 Bitcoin Address:
- Bitcoin Address: bc1qcysd6vyhc7x732xf7p3jkjh0lazgc0tffwt9fc
Ethereum Address:
- Ethereum Address: 0xb334353fb3a4a26ef5388e9554eac930a3f28318
----------------------------------------
|
|
|
|
This is a common post pattern people make to trick people into running malware.
Step 1. Have trouble getting things working (perhaps pretending).
Step 2. claim to have some magic attack that works and can recover private keys, explained with a bunch of opaque jargon.
Step 3. When people ask for copies of the tools, send them malware. Usually the people at step 3 are coin thieves themselves, but not always.
Often these threads will use real terms so simple googling will "confirm" them, but they're misapplied. A "twist attack" isn't an attack on secp256k1 but a related insecure curve. You cannot engage in a twist attack except by getting the victim to produce an invalid pubkey or signature using faulty software. Of course, if you could do that you could likely just have the backdoored code send you the key directly.
The only case I'm aware of where it's perhaps more interesting is when you have a signing or key-generating device that you can potentially glitch with some kind of fault attack, getting it to temporarily produce a point on the faulty related curve rather than the real one. Though this is why all such devices ought to verify keys and signatures after generating them, making it harder to ever get a corrupted point out of the device.
Step 1: Libellious. Step 2: its no magic. its just maths. its not opaque. it has already been explain here. https://github.com/secp8x32/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md .. Its a good read but dont follow every steps. Step 3: Then you obviously is not as good as you think. You still got more to learn. Coz your awareness seems to be begging for a reboot. Step 4: I will be uploading the codes on Github soon. and i think you might need to re-read what i wrote. i never said its an attack on secp256k1. but thanks for explaining anyways but a simple job like googling would have help anyone here explain better, weak. 20+ years of experience, then it will be my first time hearing a hacker using sagemath to send malware. When the main moderator had to come out to dispute me when he had never done this before, no matter what kind of attacks i had put up in this forum, we know i am right. he had never dispute or give any kind of advice before this. so this is quite surprising. if you want me to share my code, just say so. stop whining and stomping your feet. Update: I had so many of you messaging me. When you run the code from my Github, Not all public key is on some of the twisted curve. remove the twisted curve and add other/more b twist. To ensure your twist attack works, you need to ensure 3 basic rules for your public key on the twisted curve: its co-primeness, endomorph, validation. I will be updating the code again to help you do this 3 basic checks before you can use the program. cheers. |
|
|
|
Hi everyone. Thank you for messaging me and giving me links. This method has now been solved. I was hinted by 1 of the user here on using the in build function of discrete logarithm problem function within sagemath. i had tested this code on real pubx and puby on a 256 bit keys. it had lead to the real private key. i must say this is the most potent attack. the time taken to solve for private key was within 15minutes. i will not be sharing the full code here but only to those who had message me and helped me. besides, i dont think i really can, its going to get deleted by the moderators anyways. here is the sample from sage.all import *
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
E1 = EllipticCurve(GF(p), [0,1])
P11 = E1([85121563011366687025707822879925964033143920255507899862530934382179124106759, 42409656727948788569510737393982221864295921023467166630061319157315739523945])
ord11 = 20412485227
E2 = EllipticCurve(GF(p), [0,2])
P21 = E2([34450129095809207277443089178970023159365999968937291419691966854030888759742, 103113457269188258644933175729489183329932073011449500633910298163941611786454])
ord21 = 3319
P22 = E2([24677754846515895310822934803022252124056730057362245386150209044791887143233, 41719207854450575864606406013013508426241430134433644860265981543689324807921])
ord22 = 22639
E3 = EllipticCurve(GF(p), [0,3])
P31 = E3([93579283295185043256820683457089915228054046133395133419577655037763911527649, 112632096923660630255684142108084503413038643268482102767008195691777477419906])
ord31 = 109903
P32 = E3([58789712228735767534689054670947929274317202597024413724449599685590434047265, 107321344524132116458593462114893821989989072136438106411838048313086057432231])
ord32 = 12977017
P33 = E3([47858481801281315626533839795712036122864957874172974111026342690985232356030, 63537630893779210652619453277142775650521136639503000828326021732442685337139])
ord33 = 383229727
E4 = EllipticCurve(GF(p), [0,4])
P41 = E4([44959049921401095561708555029356671875656137150174062590365663013295388555357, 83434812528180346320431259926231725911951822121210091498845843183726829396473])
ord41 = 18979
E6 = EllipticCurve(GF(p), [0,6])
P61 = E6([80405269462255682739463837712137497998977949201059835857866434498654712080197, 48691579481383569995627909330664108505064081380828260061217816961756876411246])
ord61 = 10903
P62 = E6([12432617283785513902347690216509117019297835774706912333697948746440679211150, 83708142459295252500884287758641092902751782412362742187118587574926797876389])
ord62 = 5290657
P63 = E6([111791420809596458879302671914977681383209776367646894239671494718518178664717, 49961896499747108603390684299676279195265984395588907081892517506172789566751])
ord63 = 10833080827
P64 = E6([68559020522988484359921009775181052297262355171078713712064230001578345410040, 5828734597053595677172176259754174961452737034616688535269967754301263707463])
ord64 = 22921299619447
Q11 = E1([34618671789393965854613640290360235391647615481000045539933705415932995630501, 99667531170720247708472095466452031806107030061686920872303526306525502090483])
Q21 = E2([68702062392910446859944685018576437177285905222869560568664822150761686878291, 78930926874118321017229422673239275133078679240453338682049329315217408793256])
Q22 = E2([36187226669165513276610993963284034580749604088670076857796544959800936658648, 78047996896912977465701149036258546447875229540566494608083363212907320694556])
Q31 = E3([14202326166782503089885498550308551381051624037047010679115490407616052746319, 30141335236272151189582083030021707964727207106390862186771517460219968539461])
Q32 = E3([92652014076758100644785068345546545590717837495536733539625902385181839840915, 110864801034380605661536039273640968489603707115084229873394641092410549997600])
Q33 = E3([13733962489803830542904605575055556603039713775204829607439941608751927073977, 70664870695578622971339822919870548708506276012055865037147804103600164648175])
Q41 = E4([46717592694718488699519343483827728052018707080103013431011626167943885955457, 6469304805650436779501027074909634426373884406581114581098958955015476304831])
Q61 = E6([47561520942485905499349109889401345889145902913672896164353162929760278620178, 23509073020931558264499314846549082835888014703370452565866789873039982616042])
Q62 = E6([54160295444050675202099928029758489687871616334443609215013972520342661686310, 61948858375012652103923933825519305763658240249902247802977736768072021476029])
Q63 = E6([80766121303237997819855855617475110324697780810565482439175845706674419107782, 43455623036669369134087288965186672649514660807369135243341314597351364060230])
Q64 = E6([27687597533944257266141093122549631098147853637408570994849207294960615279263, 8473112666362672787600475720236754473089370067288223871796416412432107486062])
x11 = discrete_log_rho(Q11, P11, ord=ord11, operation='+')
x21 = discrete_log_rho(Q21, P21, ord=ord21, operation='+')
x22 = discrete_log_rho(Q22, P22, ord=ord22, operation='+')
x31 = discrete_log_rho(Q31, P31, ord=ord31, operation='+')
x32 = discrete_log_rho(Q32, P32, ord=ord32, operation='+')
x33 = discrete_log_rho(Q33, P33, ord=ord33, operation='+')
x41 = discrete_log_rho(Q41, P41, ord=ord41, operation='+')
x61 = discrete_log_rho(Q61, P61, ord=ord61, operation='+')
x62 = discrete_log_rho(Q62, P62, ord=ord62, operation='+')
x63 = discrete_log_rho(Q63, P63, ord=ord63, operation='+')
x64 = discrete_log_rho(Q64, P64, ord=ord64, operation='+')
privkey = crt([x11, x21, x22, x31, x32, x33, x41, x61, x62, x63, x64], [ord11, ord21, ord22, ord31, ord32, ord33, ord41, ord61, ord62, ord63, ord64])
print('')
print('Discrete_log_rho:')
print('')
print(x11)
print(x21)
print(x22)
print(x31)
print(x32)
print(x33)
print(x41)
print(x61)
print(x62)
print(x63)
print(x64)
print('')
print('PRIVATE KEY:')
print('')
print(privkey)
f = open("privkey.txt", 'a')
f.write(str(privkey) + "\n")
f.close()
found on https://github.com/demining/CryptoDeepTools/blob/main/18TwistAttack/discrete.py , i had followed the format on this script after getting all the information needed for this DLP script to work specific to my public key xy. all i needed was to copy and paste my information. and add verification method to the found private key. i had check, it is the real private key. unlike what COBRAS said above, no, you do not need a private key to start this attack, that would made this method a useless attack. unless you have given a malicious point xy to a person who is sending you btc. its like phishing. then you can follow the tutorial given on github. but i had modified the code without relying on the private key but shared secrets on twisted curves. i shall now lock this thread and wish all of you the best of luck in looking for answers to break the ecdsa secp256k1. i had spent 2 years on understanding this curve in this forum and everywhere else on the net.. so take your time. ignore those pricks that will insult you and not even help you. they too actually dont know much about network penetration testing but like to pretend that they do. people i recommend that will help you are names like Wandering_Philosopher, Pooya87, ecdsa123. My conclusion is whoever told you that the ECDSA SECP256k1 is safe, are out of their minds. it took me 15 mins running the code. thats it. all those kangaroo algorithm crap is out there, dont waste your time on it. it cant solve for 256 bit keys in reasonable time. again, take care and good luck. and again im reminding you. study twist attack on ecdsa secp256k1. the rest are useless for a 256 bit keys. dont waste time. |
|
|
|
i realize we cannot attack the SECP256k1 directly but we could create a twist on the curve by creating another Y coordinate on the twisted curve. This i had validated for the public key xy that i am working on, i had to first find the correct curve and validate whether the public key x and y generated are valid on the curves.
from sage.all import *
# Define the prime modulus and the original and twisted curves
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
E_original = EllipticCurve(GF(p), [0, 7]) # Original curve
E_twist = EllipticCurve(GF(p), [0, 2]) # Twisted curve
# Define the public key coordinates in hexadecimal
pubx_hex = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
puby_hex = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
# Convert hexadecimal coordinates to integers
pubx_int = int(pubx_hex, 16)
puby_int = int(puby_hex, 16)
# Check if negating y coordinate results in a valid point on the twisted curve
try:
P_twist = E_twist(pubx_int, -puby_int)
print("Valid point on the twisted curve:", P_twist)
except TypeError as e:
print("The negated y-coordinate does not result in a valid point on the twisted curve. Error:", e)
then i generate the generators and its group order for the sub group attack this is a sample code
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
E = EllipticCurve(GF(p), [0,2])
Grp = E.abelian_group()
g = Grp.gens()[0]
numElements = g.order()
print( "{0} = {1}".format(numElements, factor(numElements)) )
so i have created the twist and the sub groups, encrypted and decrypt a random message but my problem is implementing the pollard rho. i cannot seems to get my pollard rho working right. how should i implement the pollard rho to reveal the partial private keys? i already know how to combine the partial private keys by using the Chinese Remainder Theorem. im just having issues implementing the Pollard rho correctly. to understand where i am at currently, this was my result.
Valid point on Twist Curve 1: ( xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx 1)
Valid point on Twist Curve 1: (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: 1)
Encrypted: b'gAAAAABmTUdg-Rk9DqTmm--qHL60H7Y-xyhsMGj-hN9b3nblwwbX1889rW_xkV4YH_CGgLoDfmhUG1kWMLbqBtvkMAkBLA1TpRorPS54bE1tq1GqRI7qBw0='
Decrypted: b'Hello, secure world!'
Valid point on Twist Curve 2: (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: 47708717901745451695269673872143322736860462806065126161610255669643023187654 : 1)
Valid point on Twist Curve 2: (xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx: 68083371335570743728301311136544585116409521859575437877847328338265811484009 : 1)
Encrypted: b'gAAAAABmTUdgKPTxiD2aMkmdpCzLWRS6Jf_XoAFbt9Clh-tdswEJ1FDEEHh_sq6afzgwXIRs-eKoEwNUN73OXMbbxIVAtd0X3RzEPgEP2PpfQivQP7qRhls='
Decrypted: b'Hello, secure world!'
Twist Curve 1 Group order = 38597363079105398474523661669562635951234135017402074565436668291433169282997 = 3 * 13^2 * 3319 * 22639 * 1013176677300131846900870239606035638738100997248092069256697437031
Twist Curve 1 Subgroup order = 3, Generator = (0 : 50963827496501355358210603252497135226159332537351223778668747140855667399507 : 1)
Order of Twist Curve 1 subgroup generator: 3
Twist Curve 1 Subgroup order = 169, Generator = (91164871848594737862768174215169171472460815325023337256982466157377582150694 : 54646643330104885507641247315265108556098632006153847263625810111733477892887 : 1)
Order of Twist Curve 1 subgroup generator: 169
Twist Curve 1 Subgroup order = 3319, Generator = (49641695783380705441863914470097077227662211652601803324085660923742365263160 : 89281496541081277276977076535930330329582005484476040255539757979590838221110 : 1)
Order of Twist Curve 1 subgroup generator: 3319
Twist Curve 1 Subgroup order = 22639, Generator = (10021123062458088894446150280359520640128025932612284848351832795773216324717 : 33134482615870340366158544218799569485176944747118922797673428463800194468702 : 1)
Order of Twist Curve 1 subgroup generator: 22639
Twist Curve 1 Subgroup order = 1013176677300131846900870239606035638738100997248092069256697437031, Generator = (43086371182196866264220149108646285325782077581279956481812453050446572867683 : 109763028338610447371257252989326091593538936103419315546844713211988264521923 : 1)
Order of Twist Curve 1 subgroup generator: 1013176677300131846900870239606035638738100997248092069256697437031
Twist Curve 2 Group order = 57896044618658097711785492504343953926299326406578432197819248705606044722122 = 2 * 3 * 20412485227 * 83380711482738671590122559 * 5669387787833452836421905244327672652059
Twist Curve 2 Subgroup order = 2, Generator = (115792089237316195423570985008687907853269984665640564039457584007908834671662 : 0 : 1)
Order of Twist Curve 2 subgroup generator: 2
Twist Curve 2 Subgroup order = 3, Generator = (0 : 1 : 1)
Order of Twist Curve 2 subgroup generator: 3
Twist Curve 2 Subgroup order = 20412485227, Generator = (50449539541316674207477363366507552115465638394234836904449225130473837382091 : 80363753873261753286015549575781926318984919054617925324218269836097034766859 : 1)
Order of Twist Curve 2 subgroup generator: 20412485227
Twist Curve 2 Subgroup order = 83380711482738671590122559, Generator = (83543468359757805417872841911952785816288256608507084865154631040033706800216 : 52903578783579604025064706819317913975696169589285557320540215565103030246608 : 1)
Order of Twist Curve 2 subgroup generator: 83380711482738671590122559
Twist Curve 2 Subgroup order = 5669387787833452836421905244327672652059, Generator = (17259079428563320272860564359789267099765221528537797750223165832777237041052 : 102165722087967769036780071178483201673699309749066796530810114163377241704265 : 1)
Order of Twist Curve 2 subgroup generator: 5669387787833452836421905244327672652059
im feeling like ...so close but yet so far.... thanks for your help. do PM me as well if you wish. |
|
|
|
Can we recreate the rsz with same r value but different s z values to solve with duplicate R method? Are there any script for that?
hey man.. no you cant create another s and z values without knowing the k nonce that was used. so im going to save you alot of time. dont bother, i tried this 2 years back. and it was impossible. |
|
|
|
i have created twist attack on ecdsa secp256k1. can read about Twist Attack on ECDSA SECP256k1 here. https://github.com/demining/Twist-AttackIt gets the partial private key correctly. my issue now is how to write the code to get to the full private key. PM Me Bruhhh.... im lost.
from fastecdsa.curve import secp256k1
from fastecdsa.point import Point
from fastecdsa.keys import gen_private_key, get_public_key
from sympy import mod_inverse
# Generate a private key
private_key = gen_private_key(secp256k1)
# Get the corresponding public key
public_key = get_public_key(private_key, secp256k1)
# Print the private key and its bit length
print("Original Private Key:", hex(private_key))
print("Private Key Bit Length:", private_key.bit_length())
# Print the public key coordinates (x, y)
print("Original Public Key (x, y):", public_key.x, public_key.y)
# Twist Attack
n = secp256k1.q # Order of the curve
Gx, Gy = public_key.x, public_key.y
# Calculate the twist point
twist_x = Gx
twist_y = (-Gy) % secp256k1.p
print("twist_y:", hex(twist_y))
# Perform twist attack to find the partial private key
partial_private_key = (twist_y * mod_inverse(Gy, n)) % n
# Print the partial private key and its bit length
print("Partial Private Key:", hex(partial_private_key))
print("Partial Private Key Bit Length:", partial_private_key.bit_length())
|
|
|
|
How do you set the range to search for the key? Also what is h and which y should we use in this line "h = y # Use the integer value of y" ?
Here's a simplified explanation of how the Kangaroo algorithm works in this context: Tame Kangaroos: These kangaroos make small jumps and keep track of their positions as they move along the curve. They're responsible for exploring the region near the expected position of 𝑘 k and 𝑄 Q. Wild Kangaroos: These kangaroos make large jumps and are used to cover a wider range of possible positions of 𝑘 k and 𝑄 Q. Collision Detection: The algorithm looks for collisions, which occur when a tame kangaroo and a wild kangaroo land on the same point on the curve. This indicates a potential match for 𝑘 k and 𝑄 Q. Private Key Extraction: Once a collision is detected, you can extract the private key 𝑘 k from the positions of the kangaroos at the collision point. The key concept here is that you're not searching through a numerical range of 𝑘 k values linearly. Instead, you're using kangaroos to explore the curve in a smart way, leveraging collisions to pinpoint the private key without exhaustively trying every possible 𝑘 k value. h = y means the public key xy coordinates. in this part we are just using y. |
|
|
|
Hi, im hoping to get some advice on how i can fine tune, optimized or enhance my code further to calculate the 256 bit private key. your advice is very much appreciated.
import random
from math import gcd
# Function to extract public key coordinates from hex string
def extract_public_key_coordinates(public_key):
try:
x, y = public_key.split(',')
print("Public key coordinates extracted successfully.")
return int(x, 16), y
except ValueError:
print("Error: Invalid public key format.")
return None, None
# Function for Pollard's Rho factorization
def pollard_rho_factorization(n, limit=1000000):
print("Performing Pollard's Rho factorization...")
def f(x):
return (x ** 2 + 1) % n
x = random.randint(1, n - 1)
y = x
d = 1
while d == 1:
x = f(x)
y = f(f(y))
d = gcd(abs(x - y), n)
return d if d != n else None
# Function to perform the Kangaroo algorithm with factors
def kangaroo_algorithm(g, h, n, factors, B):
print("Performing Kangaroo algorithm...")
P = 0
Q = 0
wild_kangaroos = [(random.randint(1, n - 1), random.randint(1, n - 1)) for _ in range(10)] # Multiple parallel wild kangaroos
wild_jump_size = random.randint(1, B // 10) # Randomized wild kangaroo step size
while True:
for wild_x, wild_y in wild_kangaroos:
u = wild_x
v = wild_y
for _ in range(wild_jump_size):
u = (u * g) % n
v = (v * h) % n
d = gcd(u - v, n)
if 1 < d < n:
return d
if d == 1:
alpha = kangaroo_attack(P, Q, g, n, h, B) # Using kangaroo_attack
if alpha is not None:
return alpha
P += B
Q += B
else:
return d
# Simple Kangaroo Attack (Floyd's Cycle Detection Algorithm)
def kangaroo_attack(P, Q, g, n, h, B):
print("Performing Kangaroo attack...")
u = P
v = Q
u_iterations = 0
v_iterations = 0
while True:
# Tame Kangaroo
u = (u * g) % n
u_iterations += 1
# Wild Kangaroo
v = (v * h) % n
v_iterations += 1
if u == v:
# Collision detected, solve for alpha
alpha = (P - Q) * pow(g, -1, n) % n # Inverse of g modulo n
return alpha
if max(u_iterations, v_iterations) > B:
# Maximum iterations reached without collision
return None
if __name__ == "__main__":
# Example usage
public_key = "d6xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx,3xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
x, y_hex = extract_public_key_coordinates(public_key)
if x is not None and y_hex is not None:
# Convert y-coordinate from hex to integer
try:
y = int(y_hex, 16)
print("Y-coordinate converted to integer successfully.")
except ValueError:
print("Error: Unable to convert y-coordinate to integer.")
# Perform factorization using Pollard's Rho
try:
factors = [pollard_rho_factorization(number) for number in [x, y, x + y]]
print("Factorization complete:", factors)
except Exception as e:
print("Error during factorization:", e)
# Parameters for Kangaroo algorithm
p = 115792089237316195423570985008687907853269984665640564039457584007908834671663
n = 115792089237316195423570985008687907852837564279074904382605163141518161494337
g = 55066263022277343669578718895168534326250603453777594175500187360389116729240
h = y # Use the integer value of y
B = 2**42 # Adjust based on your system's memory constraints
# Find private key using the Kangaroo algorithm with factors
try:
private_key = kangaroo_algorithm(g, h, n, factors, B)
print("Private Key:", private_key)
except Exception as e:
print("Error during Kangaroo algorithm:", e)
else:
print("Error: Public key extraction failed.")
|
|
|
|
this flaw is a known flaw in old software. most version these days dont have these flaws. as k =will always be random.randint in the code these days
Many people prefer their own codes, and since error is human, a little reminder never hurts. ah ok.. yeah... i was wondering why you put up old flaws...but yeah.. i get it now. you are right. |
|
|
|
This is an educational example, the K nonce must always be Random, do not sign real messages using this script.We first sign the two different messages using the following script. message 1 = "Hello, BitcoinTalk"
message 2 = "Hello, BitcoinTalk 2"import hashlib
import random
import binascii
################################################################################################
privKey = 2457876789644357800744426
message = "Hello, BitcoinTalk"
nonce= 64338999543366
################################################################################################
Pcurve = 115792089237316195423570985008687907853269984665640564039457584007908834671663
Acurve = 0
Bcurve = 7
Gx = 55066263022277343669578718895168534326250603453777594175500187360389116729240
Gy = 32670510020758816978083085130507043184471273380659243275938904335757337482424
GPoint = (Gx, Gy)
N = 115792089237316195423570985008687907852837564279074904382605163141518161494337
def modinv(a, b):
lm, hm = 1, 0
low, high = a % b, b
while low > 1:
ratio = high // low
nm, new = hm - lm * ratio, high - low * ratio
lm, low, hm, high = nm, new, lm, low
return lm % b
def ECAdd(a, b):
if a == 'infinity':
return b
if b == 'infinity':
return a
if a[0] == b[0] and a[1] == -b[1] % Pcurve:
return 'infinity'
if a[0] == b[0] and a[1] == b[1]:
return ECDouble(a)
LambdaAdd = ((b[1] - a[1]) * modinv((b[0] - a[0]), Pcurve)) % Pcurve
x = (LambdaAdd * LambdaAdd - a[0] - b[0]) % Pcurve
y = (LambdaAdd * (a[0] - x) - a[1]) % Pcurve
return (x, y)
def ECDouble(a):
if a == 'infinity':
return 'infinity'
LambdaDouble = ((3 * a[0] * a[0] + Acurve) * modinv((2 * a[1]), Pcurve)) % Pcurve
x = (LambdaDouble * LambdaDouble - 2 * a[0]) % Pcurve
y = (LambdaDouble * (a[0] - x) - a[1]) % Pcurve
return (x, y)
def ECMultiply(GenPoint, privKeyHex):
if privKeyHex == 0 or privKeyHex >= N:
raise Exception("Invalid Private Key")
privKeyBin = str(bin(privKeyHex))[2:]
Q = 'infinity'
for i in privKeyBin:
Q = ECDouble(Q)
if i == "1":
Q = ECAdd(Q, GenPoint)
return Q
def signECDSA(privKeyDec, message):
Q = ECMultiply(GPoint, privKeyDec)
hash_message = hashlib.sha256(message.encode()).digest()
k = nonce#random.randint(1, N - 1)
r = (ECMultiply(GPoint, k)[0] % N) % N
s = (modinv(k, N) * (int.from_bytes(hash_message, 'big') + r * privKeyDec)) % N
return r, s, hash_message
privKeyHex = int(privKey)
pubKey = ECMultiply(GPoint, privKeyHex)
pubKeyX, pubKeyY = pubKey
r, s, hash_message = signECDSA(privKeyHex, message)
print("message hash:",(hashlib.sha256(message.encode()).digest()).hex())
print("r:", hex(r)[2:])
print("s:", hex(s)[2:]) Once the corresponding signatures and hashes are obtained, we place them in the following script to derive the private key. import hashlib
Pcurve = 115792089237316195423570985008687907853269984665640564039457584007908834671663
Acurve = 0
Bcurve = 7
Gx = 55066263022277343669578718895168534326250603453777594175500187360389116729240
Gy = 32670510020758816978083085130507043184471273380659243275938904335757337482424
GPoint = (Gx, Gy)
N = 115792089237316195423570985008687907852837564279074904382605163141518161494337
def modinv(a, b):
lm, hm = 1, 0
low, high = a % b, b
while low > 1:
ratio = high // low
nm, new = hm - lm * ratio, high - low * ratio
lm, low, hm, high = nm, new, lm, low
return lm % b
#msg 1
hash1 = int( "6eb1db1a144d94df76be0d2d2721df7839aff7b5899873a1ed9013f3fbbbd0d0" ,16)
r1 = int( "bda653c3ebcbbfd1d550462d4030c140bafc4ed9ca17d32ac598a7cedb942947" ,16)
s1 = int( "7ebff2f8199f0700e80297659424ca7eda26dde1afc1d226c08c377896b0ebda" ,16)
#msg 2
hash2 = int( "619e86eb7f8689b2b1ed260be14fcab2b2b31ae5e6a7df5e393ec4e272bd6f37" ,16)
r2 = int( "bda653c3ebcbbfd1d550462d4030c140bafc4ed9ca17d32ac598a7cedb942947" ,16)
s2 = int( "f37ba9033df153303c893a029b7aa80b3eb0e1d6099b14133661658455375487" ,16)
k = ((hash1 - hash2) * modinv((s1 - s2), N)) % N
privKey = ((s1 * k - hash1) * modinv(r1, N)) % N
print("Private Key:", privKey)
this flaw is a known flaw in old software. most version these days dont have these flaws. as k =will always be random.randint in the code these days |
|
|
|
Hello, this scrypt find privkey or not ?
I was try your previous scrypt and hi find for me only smoth numbers ...
this code is still in the experimental phase. i am not sure if it is sound. thats why i am here |
|
|
|
Not sure where in the code should it go the definitions you mentioned.
I get another error, but I think I am closer now. I think I simply need to change of private_value to integer, But I am not sure how.
There is a comment in the lattice_attack.py that says how to convert between integer and hex, but it doesnt say where those given equations should go:
# To convert to integer :
# if got bytes use : int.from_bytes(bytesvar, bytesorder="big")
# if got hex use : int(hexintvar, 16)
#
Has anyone got this to actually work? just curious...
theres no point running this. as the rsz created will not point to the correct private key or public key. ran it a long time ago. |
|
|
|
Hi, i am currently exploring methods to find private key. i have already gone through several methods and some had been adjusted for 256 bit keys. some work really good, others are just not able to solve in a reasonable amount of time. i had done up this code. first script is to generate smooth numbers and its exponents.
import random
import math
import multiprocessing as mp
import torch
from fastecdsa.curve import secp256k1
from fastecdsa.point import Point
import time
from decimal import Decimal, getcontext
# Set decimal precision
getcontext().prec = 1000 # Adjust precision as needed
# Define your public key coordinates here
pub_key_x = 0x123abc
pub_key_y = 0x456def
print("Definitions loaded.")
# Function to generate a prime factor base
def generate_factor_base(limit):
print("Generating factor base...")
primes = []
num = 2
try:
while len(primes) < limit:
if all(num % i != 0 for i in range(2, int(num**0.5) + 1)):
primes.append(num)
num += 1
print("Factor base generated.")
return primes
except Exception as e:
print(f"Error in factor base generation: {e}")
return []
# Precompute the factor base
factor_base_size = 150 # Adjusted for secp256k1
factor_base = generate_factor_base(factor_base_size)
if not factor_base:
exit(1)
print("Factor base precomputed.")
# Function to find smooth numbers in a range
def find_smooth_numbers(start, end, stop_index=1000000):
print(f"Finding smooth numbers in range {start}-{end}...")
smooth_numbers = []
device = torch.device('cuda' if torch.cuda.is_available() else 'cpu')
print(f"Using {device} for finding smooth numbers.")
# Read the last line from the file to get the stop index
try:
with open('smooth_numbers.txt', 'r') as file:
lines = file.readlines()
if lines:
last_line = lines[-1]
stop_index = int(last_line.split(',')[0].split(':')[1].strip())
print(f"Resuming from stop index: {stop_index}")
else:
print("No previous smooth numbers found in the file.")
except Exception as e:
print(f"Error reading last line of smooth_numbers.txt: {e}")
def write_smooth_numbers(smooth_numbers):
try:
with open('smooth_numbers.txt', 'a') as file: # Open file in append mode
for num, exps in smooth_numbers:
file.write(f"Number: {num}, Exponents: {exps}\n")
except Exception as e:
print(f"Error writing smooth numbers: {e}")
for num in range(max(start, stop_index + 1), end + 1):
exps = []
num_tensor = torch.tensor(num, device=device)
for p in factor_base:
count = 0
while num_tensor % p == 0:
count += 1
num_tensor //= p
exps.append(count)
if num_tensor == 1:
smooth_numbers.append((num, exps))
print(f"Smooth number found: {num} with exponents {exps}")
write_smooth_numbers([(num, exps)])
# Introduce a short sleep interval to reduce CPU load
time.sleep(0.001) # Sleep for 1 millisecond
print(f"Found {len(smooth_numbers)} smooth numbers in range {start}-{end}.")
return smooth_numbers
# Function for multiprocessing
def process_range(args):
start, end, G, n = args
smooth_nums = find_smooth_numbers(start, end)
if not smooth_nums:
return [] # Return an empty list if no smooth numbers found
else:
return smooth_nums
# Use freeze_support for multiprocessing
if __name__ == '__main__':
mp.freeze_support()
# Parameters for secp256k1 curve and public key
n = secp256k1.q
G = secp256k1.G
pub_key = Point(pub_key_x, pub_key_y, curve=secp256k1)
print("Parameters set.")
print("Calculating private key...")
# Split the range into chunks for multiprocessing
num_chunks = mp.cpu_count()
chunk_size = (n // num_chunks) + 1
ranges = [(i, min(i + chunk_size - 1, n), G, n) for i in range(1, n + 1, chunk_size)]
# Perform multiprocessing
with mp.Pool(processes=num_chunks) as pool:
try:
results = pool.map(process_range, ranges)
print("Multiprocessing completed.")
except Exception as e:
print(f"Error in multiprocessing: {e}")
results = []
# Combine results from multiprocessing
logs = []
for logs_chunk in results:
if logs_chunk:
logs.extend(logs_chunk)
# Define the file name for private keys
private_key_file = 'private_keys.txt'
# Function to write private keys to a file
def write_private_keys(file_name, private_keys):
try:
with open(file_name, 'w') as file:
for key in private_keys:
file.write(f"{key}\n")
print(f"Private keys written to {file_name}.")
except Exception as e:
print(f"Error writing private keys to {file_name}: {e}")
# Write private keys to the file
write_private_keys(private_key_file, private_keys)
2nd script is to solve via kangaroo method and taking the exponents to create a table so it can find the private key faster.
import random
import math
import multiprocessing as mp
import torch
from fastecdsa.curve import secp256k1
from fastecdsa.point import Point
import time
from decimal import Decimal, getcontext
# Set decimal precision
getcontext().prec = 1000 # Adjust precision as needed
# Define the generator point G for secp256k1 curve
G = Point(
0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
curve=secp256k1
)
# Define your public key coordinates here
pub_key_x = 0x1233xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
pub_key_y = 0xab123
# Function to load smooth numbers from file
def load_smooth_numbers(file_path):
smooth_numbers = []
try:
with open(file_path, 'r') as file:
for line in file:
if line.startswith('Number:'):
number = int(line.split(':')[1].split(',')[0].strip())
exponents = []
for exp in line.split(':')[2].strip().strip('[').strip(']').split(','):
exponents.append(int(exp.strip()))
smooth_numbers.append({'number': number, 'exponents': exponents})
except FileNotFoundError:
print(f"Error: File '{file_path}' not found.")
except Exception as e:
print(f"Error occurred while loading the file: {e}")
return smooth_numbers
file_path = 'smooth_numbers.txt'
smooth_numbers_data = load_smooth_numbers(file_path)
if smooth_numbers_data:
for smooth_number in smooth_numbers_data:
print(f"Smooth Number: {smooth_number['number']}, Exponents: {smooth_number['exponents']}")
else:
print("No smooth numbers found or error occurred while loading the file.")
# Function to calculate weighted steps for smooth numbers
def calculate_weighted_steps(smooth_numbers):
weighted_steps = {}
for item in smooth_numbers:
num, exps = item['number'], item['exponents']
exps = [int(x) for x in exps] # Convert string exponents to integers
weight = sum(exps) # Using the sum of exponents as the weight
if weight not in weighted_steps:
weighted_steps[weight] = []
weighted_steps[weight].append(num)
return weighted_steps
# Function to adjust kangaroo steps dynamically based on smooth number weights
def dynamic_kangaroo_steps(weighted_steps, target_weight):
target_weight_tuple = (target_weight,) # Convert target_weight to a tuple
if target_weight_tuple in weighted_steps: # Check if the tuple is in weighted_steps
return weighted_steps[target_weight_tuple] # Use target_weight_tuple as key
else:
# Find the nearest weight to the target weight
nearest_weight = min(weighted_steps.keys(), key=lambda x: abs(x - target_weight))
return weighted_steps[nearest_weight] # Return the steps for the nearest weight
# Function to calculate private keys using Kangaroo algorithm
def kangaroo(sorted_smooth_numbers, lookup_table, collision_distance):
print("Calculating private key using Kangaroo algorithm...")
private_keys = []
num_kangaroos = 5 # Number of kangaroos
kangaroo_steps = 1000 # Number of steps for each kangaroo
# Calculate weighted steps for smooth numbers
weighted_steps = calculate_weighted_steps(sorted_smooth_numbers)
for k in range(num_kangaroos):
if k == 0:
tame_pos, wild_pos = tame_start, wild_start
else:
tame_pos, wild_pos = sorted_smooth_numbers[k]['number'], sorted_smooth_numbers[-(k+1)]['number']
for step in range(kangaroo_steps):
# Calculate the step for the wild kangaroo using the lookup table and smooth numbers
target_weight = abs(wild_pos - pub_key_x) % collision_distance
target = dynamic_kangaroo_steps(weighted_steps, target_weight)
if isinstance(target, list):
target = tuple(target) # Convert list to tuple if needed
if target in lookup_table:
step = lookup_table[target]
wild_pos += step
tame_pos += 1
if tame_pos == wild_pos:
# Private key found
private_key = (wild_pos - tame_start) * G.x # Define G as the generator point for secp256k1
private_keys.append(private_key)
print(f"Private key found: {private_key}")
break
return private_keys
# Main code
while True:
if smooth_numbers_data:
print("Loaded smooth numbers. Starting Kangaroo algorithm...")
# Define the parameters for the Kangaroo algorithm
collision_distance = 10 # Static collision distance for all kangaroos
# Define and populate the lookup_table
lookup_table = {tuple(num['exponents']): num['number'] for num in smooth_numbers_data}
# Initialize the starting points for tame and wild kangaroos
if smooth_numbers_data:
tame_start, wild_start = smooth_numbers_data[0]['number'], smooth_numbers_data[-1]['number']
else:
tame_start, wild_start = 2, 1000 # Default starting points if no smooth numbers are loaded
# Sort the loaded smooth numbers in ascending order
sorted_smooth_numbers = sorted(smooth_numbers_data, key=lambda x: x['number'])
# Calculate private keys using the Kangaroo algorithm
private_keys = kangaroo(sorted_smooth_numbers, lookup_table, collision_distance)
if private_keys:
print("Private keys:", private_keys)
break # Exit loop if private keys are found
else:
print("No private keys found. Reloading smooth numbers file and retrying...")
smooth_numbers_data = load_smooth_numbers(file_path)
else:
print("No smooth numbers loaded. Exiting.")
break # Exit loop if no smooth numbers are loaded initially
my question is, is there a better method i could have done implementing index calculus without solving for linear just finding smooth numbers and its exponents, create a table and have kangaroo decipher the private key? Basically, is my method sound? your advice are much appreciated. |
|
|
|
Your Index Calculus Algorithm looks pretty good. As for how to increase efficiency, for large data sets it is necessary to manage core utilization with threads or processes. SymPy, which is supposed to be that powerful and elegant, memory use is higher than desired; Try some lighter alternatives. Variations in factor base and chunk size may be used as experiments to see which brings a better performance. Further, delves into improving speed by applying some modular mathematics optimizations. You can think about whether there are algorithmic tweaks and whether you need special libraries to assist in these tasks. By making improvements in this direction, your implementation can advance still further.
thannk you so much. i will look into it. |
|
|
|
|
