 Show Posts
|
|
Pages: [1] 2 3 4 5 6 7 »
|
Hi there! It looks like you all are crazy for nonces and signatures, so I have some special values for you  r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x24c8a42e8fe11d670633fa66ebedb1672c71a517a30cbbaa9e14f2d5a15a3783
z=SHA256('This is test 1.')
PubKey=0x3e42b3151f310f5f417f11b4c32d8360b22109dcc6432339243332b56cd596de, 0x7903116327cab6891b810588e4c909273c7eb013aea2162fa63afa1f11562b3a
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x768a0e3b0cfb3c8d9b7899f59f480555176ef25eefa1e96d3ac575ba4ffe85fd
z=SHA256('This is test 2.')
PubKey=0xc79fa242694e3148c8d50e667010e0c221f6004d108692c5040ff139595ed081, 0x525bd76c21c8e2d45725a378c973a646d5971acd8f240322e5f1fdf0ed4f8589
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0xd17c5ed9fb37692cd152f381c4a3f16a896f96d26100310fe818d6963c402b25
z=SHA256('This is test 3.')
PubKey=0xc03657988e2baf31a1a1061a87fa3da20f166dc8a22c02658f6d325dec722d84, 0x97ffbac6bec2de2b8d9f9bcaeced8e56abdd0b3996b48153cf0a1a92dc2d5529
Btw. I think that those who do serious research of this topic do not need your script, but all contributions are welcome, of course. You are right JohnnyTX, almost anybody can do this 
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x96b538e853519c726a2c91e61ec11600ae1390813a627c66fb8be7947be63c52
z=SHA256('This is test 4.')
PubKey=0x99c2b48be2177dfd0dcb1528f79393d1915eeca8697f85e02983e0c4c2de3475, 0x8cb2c8d83e8950523a7dab78a515fa19f2bb50a4b15bcd45a11110db445fe382
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x7211a824f55b505228e4c3d5194c1fcfaa15a456abdf37f9b9d97a4040afc073
z=SHA256('This is test 5.')
PubKey=0x2dc8f0256a8c55cf1ff41f92ed11f801e09c024923c89a590137b2642896ecf0, 0xb74fc19c671261dcd13edf02c59cab6aad5c7b99ea9b76f2622b19b89c639135
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x94b9d3e76c5b1629ecf97fff95d7a4bbdac87cc26099ada28066c6ff1eb91912
z=SHA256('This is test 6.')
PubKey=0xa73857b1dd23a714a3f78ab0cbc791f58524485bbb498640871eb21469cd55ee, 0x6606c989519b2b72999a0c5bfd5dd8d01ba4bfc78fb208c2264e6a18f89cb68b
Opinions are welcome! I tried to ask how it was done but to no avail, the only opinion that I but also others have, some have already written it, is that you, JhonnyTX and saatoshi_rising are either the same person or anyway you are all connected to the puzzle, it is also curious that you are ActiveC and in the forum there is a solver of no less than 3 puzzles, called RetiredCoder or even RetiredC for friends . So my opinion is that it is impossible, at least without further help, you can tell that they are constructed ad hoc, with some special method but to know the private key of the puzzle 130 and 135 you have to already have the private keys and be sure they are right, so either you solved it or anyway you already knew them, so you already have those keys in hand. If you would like to explain to me in private how to solve for the z of 135 that would be interesting  . Here, you can see how Z Signature is calculated. https://github.com/KrashKrash/public-key-signature-generator |
|
|
|
|
i was wondering if anyone here knows, how can i integrate cryptocurrency as a payment method on my website. so for example if, i own amazon, and i want to integrate etherum, bitcoin, usdt payments on my website.
how can i do that? im sure there are already payment methods or services that provided that. what i need is to read up on how i can create my own payment solution.
|
|
|
|
i have read it. hmm.. some ideas are running in my head now. the formula he had used is essentially what had been done above. its the same. 2 random scalar values for r sig but the things said in there are really giving me a few theories. thank you very much. |
|
|
|
First let me explain, the first part in the script is how you typically generate valid signatures using private key for ecdsa secp256k1. there are many libraries also that does the same. what i realize is, when we use the same verifying values of u1, u2 and the public key. we can generate signatures just by using the public key and it will have the same r, s, z signatures.
#!/usr/bin/env python3
import hashlib
import random
# secp256k1 curve parameters
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G_x = 0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798
G_y = 0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8
def mod_inverse(k, p):
"""Calculate modular inverse: k^-1 mod p"""
return pow(k, p - 2, p)
def point_add(p1_x, p1_y, p2_x, p2_y):
"""Add two points on the curve"""
if p1_x is None:
return p2_x, p2_y
if p2_x is None:
return p1_x, p1_y
if p1_x == p2_x and p1_y != p2_y:
return None, None # Point at infinity
if p1_x == p2_x:
# Point doubling
lam = (3 * p1_x * p1_x) * mod_inverse(2 * p1_y, p) % p
else:
# Point addition
lam = ((p2_y - p1_y) * mod_inverse((p2_x - p1_x) % p, p)) % p
x3 = (lam * lam - p1_x - p2_x) % p
y3 = (lam * (p1_x - x3) - p1_y) % p
return x3, y3
def scalar_mult(k, p_x, p_y):
"""Multiply point by scalar"""
nx, ny = None, None
while k > 0:
if k & 1:
nx, ny = point_add(nx, ny, p_x, p_y)
k = k >> 1
p_x, p_y = point_add(p_x, p_y, p_x, p_y)
return nx, ny
def generate_keypair():
"""Generate private key and public key"""
private_key = random.randint(1, n - 1)
public_key_x, public_key_y = scalar_mult(private_key, G_x, G_y)
print(f"Private key: {hex(private_key)}")
print(f"Public key: ({hex(public_key_x)}, {hex(public_key_y)})")
return private_key, (public_key_x, public_key_y)
def sign_message(private_key, message):
"""Sign a message using ECDSA"""
message_hash = int(hashlib.sha256(message.encode()).hexdigest(), 16)
# Generate random k (nonce)
k = random.randint(1, n - 1)
# Calculate point R = k * G
r_x, r_y = scalar_mult(k, G_x, G_y)
# r is the x-coordinate modulo n
r = r_x % n
# Calculate s = k^(-1) * (hash + r * private_key) mod n
s = (mod_inverse(k, n) * (message_hash + r * private_key) % n) % n
# Calculate values used in verification
w = mod_inverse(s, n) # s^(-1) mod n
u1 = (message_hash * w) % n
u2 = (r * w) % n
print(f"Message: {message}")
print(f"k Nonce: {hex(k)}")
print(f"r: {hex(r)}")
print(f"s: {hex(s)}")
print(f"z: {hex(message_hash)}")
print(f"Verification values:")
print(f" u1: {hex(u1)}")
print(f" u2: {hex(u2)}")
return r, s, message_hash, u1, u2
def main():
"""Main function"""
# Generate keys and sign a message
private_key, public_key = generate_keypair()
message = "BitcoinTalk"
r, s, z, u1, u2 = sign_message(private_key, message)
print("\nPart 2: Generating signatures using public key, u1 and u2 values")
print("=" * 60)
def fast_add(p1, p2):
return point_add(p1[0], p1[1], p2[0], p2[1])
def fast_multiply(point, scalar):
return scalar_mult(scalar, point[0], point[1])
G = (G_x, G_y)
Q = public_key
# Use u1 and u2 values from first signature
a = u1
b = u2
# Calculate the signature using a and b
sig_point = fast_add(fast_multiply(G, a), fast_multiply(Q, b))
r1 = sig_point[0] % n
s1= (r1 * mod_inverse(b, n)) % n
# Calculate z (message hash) from the result
z1 = (a * r1 * mod_inverse(b, n)) % n
# Verify the signature
w1 = mod_inverse(s1, n)
u1_1 = (z1 * w1) % n
u2_1 = (r1 * w1) % n
verify_point = fast_add(fast_multiply(G, u1_1), fast_multiply(Q, u2_1))
# verification
verification_success = (r1 == verify_point[0] % n)
print(f"a = {hex(a)}")
print(f"b = {hex(b)}")
print(f"Generated Signature:")
print(f"r1 = {hex(r1)}")
print(f"s1 = {hex(s1)}")
print(f"z1 = {hex(z1)}")
if __name__ == "__main__":
main()
hence, i realize with random u1 and u2 values, you can create multiple valid signatures just by using the public key. you can download and test the code here. https://github.com/KrashKrash/public-key-signature-generatorcan you use this to create forge signatures? can you create same r values? can you introduce vulnerabilities mathematically? the answer to the first 2 question is No. the signatures are created deterministically. for a certain u1 and u2 values , you can only get a certain r,s,z values. but its interesting information for those of you who are into the mathematics of it. |
|
|
|
|
if we generate 2 signatures, and both have the same verifying u1 and u2 values. is this something to be concern about or its not an issue?
i had created 1 set of signature using the public key and the other is a standard ecdsa computation. when i was verifying the signatures, the u1 and u2 values were identical.
both does not have the same r. just in case you guys are wondering..
|
|
|
|
hi, im currently working on enhancing on Nonce Recurrence Attack. Read: https://eprint.iacr.org/2023/305.pdfWhile i was able to recreate the attack describe in the paper, im thinking of enhancing this method. however, the enhance method would require me to generate some fake signatures that still points to the same public key. i vaguely remember that there was a discussion in some topic and someone mention that we could create fake signatures that could still be verified against the targeted public key but it wont be valid. or something to that effect. Do you get what i am saying? does it make sense to you? i might not be explaining this correctly. but if you do, what is the formula to do that? i have forgotten the formula. I HAVE WHAT YOU'RE LOOKING FOR, TALK TO ME IN PM i have received your script. give me 1 day, and i will get back to you with my script. thanks buddy. but if you want the Nonce recurrence attack script i wrote, you can download here. this one uses a generator and not the enhanced version. https://github.com/KrashKrash/nonce-recurrence-attackthanks. it works.
------------------------------------------------------------------------------------------------------------------------------------------------------
Chosen recurrence relation for attack: k_next = 43511367934207785493205740240378275743609768675817908100722913788393695639657*k_prev + 78730372042131832072287759890573273005645422101261818863735891162602450516391 mod n
------------------------------------------------------------------------------------------------------------------------------------------------------
Generating artificial signatures...
Created artificial signature 1 between original signatures 1 and 2
r_new = 23298015045193904612586625097013013238434742231554167744515936879399869488397, s_new = 110955400697554132573244702028682455501659791587247294823293562059184441715205, z_new = 114348426784376972262212387491392248456909105810912478725596391450242197501624
Created artificial signature 2 between original signatures 1 and 2
r_new = 23298015045193904612586625097013013238434742231554167744515936879399869488397, s_new = 65922615754394972779235513816836497423895401971455841314960028650904449284001, z_new = 95651824604975196373056940850546687721428079367574184939506225302834722908348
Created artificial signature 3 between original signatures 2 and 3
r_new = 34559190504341613833450353695106665408056903224372678973840446297532206243167, s_new = 68474226316309826745487865238288822884863264116278386354529472763624044908668, z_new = 14119843862881681218543777296966920285776233738925951248823701482312902925979
Created artificial signature 4 between original signatures 2 and 3
r_new = 34559190504341613833450353695106665408056903224372678973840446297532206243167, s_new = 87856688150857517286884451144948438861914677933532768283681731806952275948583, z_new = 50454272941657236491777748105016448688256465114149558571605332890217841528754
Created artificial signature 5 between original signatures 3 and 4
r_new = 19464743338216844258300736972864389034943655834701603668204034612723902071488, s_new = 64530538090822446044806789889239841870632092828991942322079830579050702743505, z_new = 100696216182135497006398112131941561404271020258497146408493916851894222017995
Created artificial signature 6 between original signatures 3 and 4
r_new = 19464743338216844258300736972864389034943655834701603668204034612723902071488, s_new = 47235015937058937548982965514420387033624898602564791643518102370593631469157, z_new = 90587031616179313788031102499266527866257203397777530630520324049364149405545
Total number of signatures (original + artificial): 10
------------------------------------------------------------------------------------------------------------------------------------------------------
Generating polynomial to solve for the private key...
Nonces difference equation:
(((((((k12*k12-k23*k01)*k13*k23-(k23*k23-k34*k12)*k01*k02)*k14*k24*k34-((k23*k23-k34*k12)*k24*k34-(k34*k34-k45*k23)*k12*k13)*k01*k02*k03)*k15*k25*k35*k45-(((k23*k23-k34*k12)*k24*k34-(k34*k34-k45*k23)*k12*k13)*k25*k35*k45-((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k12*k13*k14)*k01*k02*k03*k04)*k16*k26*k36*k46*k56-((((k23*k23-k34*k12)*k24*k34-(k34*k34-k45*k23)*k12*k13)*k25*k35*k45-((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k12*k13*k14)*k26*k36*k46*k56-(((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k36*k46*k56-((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k23*k24*k25)*k12*k13*k14*k15)*k01*k02*k03*k04*k05)*k17*k27*k37*k47*k57*k67-(((((k23*k23-k34*k12)*k24*k34-(k34*k34-k45*k23)*k12*k13)*k25*k35*k45-((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k12*k13*k14)*k26*k36*k46*k56-(((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k36*k46*k56-((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k23*k24*k25)*k12*k13*k14*k15)*k27*k37*k47*k57*k67-((((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k36*k46*k56-((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k23*k24*k25)*k37*k47*k57*k67-(((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k47*k57*k67-((k56*k56-k67*k45)*k57*k67-(k67*k67-k78*k56)*k45*k46)*k34*k35*k36)*k23*k24*k25*k26)*k12*k13*k14*k15*k16)*k01*k02*k03*k04*k05*k06)*k18*k28*k38*k48*k58*k68*k78-((((((k23*k23-k34*k12)*k24*k34-(k34*k34-k45*k23)*k12*k13)*k25*k35*k45-((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k12*k13*k14)*k26*k36*k46*k56-(((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k36*k46*k56-((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k23*k24*k25)*k12*k13*k14*k15)*k27*k37*k47*k57*k67-((((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k36*k46*k56-((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k23*k24*k25)*k37*k47*k57*k67-(((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k47*k57*k67-((k56*k56-k67*k45)*k57*k67-(k67*k67-k78*k56)*k45*k46)*k34*k35*k36)*k23*k24*k25*k26)*k12*k13*k14*k15*k16)*k28*k38*k48*k58*k68*k78-(((((k34*k34-k45*k23)*k35*k45-(k45*k45-k56*k34)*k23*k24)*k36*k46*k56-((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k23*k24*k25)*k37*k47*k57*k67-(((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k47*k57*k67-((k56*k56-k67*k45)*k57*k67-(k67*k67-k78*k56)*k45*k46)*k34*k35*k36)*k23*k24*k25*k26)*k38*k48*k58*k68*k78-((((k45*k45-k56*k34)*k46*k56-(k56*k56-k67*k45)*k34*k35)*k47*k57*k67-((k56*k56-k67*k45)*k57*k67-(k67*k67-k78*k56)*k45*k46)*k34*k35*k36)*k48*k58*k68*k78-(((k56*k56-k67*k45)*k57*k67-(k67*k67-k78*k56)*k45*k46)*k58*k68*k78-((k67*k67-k78*k56)*k68*k78-(k78*k78-k89*k67)*k56*k57)*k45*k46*k47)*k34*k35*k36*k37)*k23*k24*k25*k26*k27)*k12*k13*k14*k15*k16*k17)*k01*k02*k03*k04*k05*k06*k07) = 0
------------------------------------------------------------------------------------------------------------------------------------------------------
Polynomial in d:
10076378950690840322333303104212707217658418276379388800499402055322370197830*dd^29 + 9907754340187044042462333394731559996501271924517098312112490292652290220374*dd^28 + 25413118996992445384351078544952248707143401694174929858895015610527546784254*dd^27 + 54637476460606508381736836066201543629053576715917127510892537352262580074245*dd^26 + 112660205308610187075066405664391979505309077946149247712537995226455794436810*dd^25 + 41916469819176829829003617962051564034209293180602522782111440946370565287073*dd^24 + 79200169230764140950417025891323641817621003989352606693423673374557515131241*dd^23 + 6892011050106687223571788452179503704436289455822671952398809341012131076293*dd^22 + 87282091338451661877346906037796853908695573093119175349285366988383343671979*dd^21 + 11304997998728144123509981342384890488924738957001454069700450158894601413555*dd^20 + 43979018229079941203255031467982475320154780564095188717134688641454823445236*dd^19 + 75899029772163776616855855544521674685821741983222872578787604745827781681373*dd^18 + 111185857515521162710720049266785741959219058774265220255138138663908361369509*dd^17 + 90097802487495971394348001492670173807693450020911370453545320234648163713708*dd^16 + 91619490151160204957571842154554124171353946727089446509984910179141836095578*dd^15 + 33619806607511208853645921383885292007303237141080347372188866889704588006017*dd^14 + 98507260632833035704714521876291822323109177386128401580070683384149763516801*dd^13 + 30322200714711228447010355230180551241231394995885110745433945031787692193260*dd^12 + 7096479951060851309715641712092460614122972796251168231097030576464187818685*dd^11 + 40542171423306135701504689200828153305093321849084037823359721756352871767487*dd^10 + 69643050130527340465724621294234560230601973582750268941005387368948139703866*dd^9 + 87241409706175103059766549621140491981504711229707304358100814572131640990309*dd^8 + 61237513059092026569007272320630567118531728841589147251671505528852005631367*dd^7 + 1453725589557907817852160717443063393256773858393394886840189629397322782141*dd^6 + 48670189451632826179229665351532123528783509993012732650965262261411195940816*dd^5 + 1812573516712236544783329436796020444157609066755981011895459683138721491048*dd^4 + 110725644076326742608099456151642593983254672417300349789291108993460560776502*dd^3 + 2954658004812788114563058055514340074961271172864817687704379643190729804515*dd^2 + 13438906721576106075723197136896004432378483577017847622586678742441233468181*dd + 108712551478291873565295586254742667835744622857708672501710504063220089310291
------------------------------------------------------------------------------------------------------------------------------------------------------
Finding roots of the polynomial...
Found 1 roots.
Roots of the polynomial:
Root: 103944520760024560506038323186664680005228038115110724833232378297114715088318, Multiplicity: 1
------------------------------------------------------------------------------------------------------------------------------------------------------
SUCCESS! Private key found: d = 103944520760024560506038323186664680005228038115110724833232378297114715088318
Verifying the artificial signatures follow the specified recurrence relation:
Artificial signature 1:
Expected k: 90360872727669507550394887425756877359698428223587058630502028768486693956925
Actual k: 90360872727669507550394887425756877359698428223587058630502028768486693956925
Match: True
Artificial signature 2:
Expected k: 90360872727669507550394887425756877359698428223587058630502028768486693956925
Actual k: 90360872727669507550394887425756877359698428223587058630502028768486693956925
Match: True
Artificial signature 3:
Expected k: 20707329528702014598452831463605667149461823117219811019611191842061086457883
Actual k: 20707329528702014598452831463605667149461823117219811019611191842061086457883
Match: True
Artificial signature 4:
Expected k: 20707329528702014598452831463605667149461823117219811019611191842061086457883
Actual k: 20707329528702014598452831463605667149461823117219811019611191842061086457883
Match: True
Artificial signature 5:
Expected k: 19741724224496760945367500974295943818662631917946907732377899462187157547640
Actual k: 19741724224496760945367500974295943818662631917946907732377899462187157547640
Match: True
i will update the code properly and send you the enhance version tomorrow. cheers mate. |
|
|
|
hi, im currently working on enhancing on Nonce Recurrence Attack. Read: https://eprint.iacr.org/2023/305.pdfWhile i was able to recreate the attack describe in the paper, im thinking of enhancing this method. however, the enhance method would require me to generate some fake signatures that still points to the same public key. i vaguely remember that there was a discussion in some topic and someone mention that we could create fake signatures that could still be verified against the targeted public key but it wont be valid. or something to that effect. Do you get what i am saying? does it make sense to you? i might not be explaining this correctly. but if you do, what is the formula to do that? i have forgotten the formula. |
|
|
|
I created an ECDSA secp256k1 Security suite to check the signatures are vulnerable to what kind of attacks. So Developers can get a proper insight on the flaws of their software. Undoubtedly, i wish i can put all the known issues in it.did not have the time i wish i have. i do hope, if there are anyone interested to make this program better, to make a pull request and contribute to the development of this program together. If there are any issues with the code, do advice me accordingly. You can clone or download the program here, https://github.com/KrashKrash/ECDSA-Security-Analysis-Suite i wish i can be more detail or comprehensive in the advisory but i believe there are many more experience people like yourself who might be able to give a better advisory recommendations. Thank You.
╔════════════════════════════════╤═════════════════╤══════════════════════════════════════════╗
║ Vulnerability Type │ Risk Level │ Details ║
╟────────────────────────────────┼─────────────────┼──────────────────────────────────────────╢
║ Hidden Number Problem │ Low │ No significant findings ║
║ Lattice Attack │ Low │ No significant findings ║
║ Side Channel │ Low │ No significant findings ║
║ Bleichenbacher │ Low │ No significant findings ║
║ Prefix Lattice │ Low │ No significant findings ║
║ Fault Injection │ Low │ No significant findings ║
║ Quantum │ Critical │ Critical quantum vulnerability detected ║
║ │ │ | Safety Score: 5/100 ║
║ Zero Value │ Low │ No significant findings ║
║ Timing Correlation │ Low │ No significant findings ║
║ Entropy Patterns │ Low │ No significant findings ║
║ Modular Patterns │ Critical │ Found 6 vulnerable patterns | Type: None ║
╚════════════════════════════════╧═════════════════╧══════════════════════════════════════════╝
Detailed Analysis
╭─────────────────────────────────────────────────────────────────────────────── Quantum Analysis ────────────────────────────────────────────────────────────────────────────────╮
│ Quantum Vulnerability: True │
│ Required Qubits: 2048 │
│ Breaking Time: Hours to days on theoretical quantum computer │
│ Safety Score: 5/100 │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────────────────────────────────────────────────────── Entropy Analysis ────────────────────────────────────────────────────────────────────────────────╮
│ Entropy Score: 1.00 │
│ Quality: High │
│ Weak Patterns Found: 0 │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭───────────────────────────────────────────────────────────────────────────── Side Channel Analysis ─────────────────────────────────────────────────────────────────────────────╮
│ Timing Leakage: False │
│ Power Leakage: False │
│ Cache Vulnerability: False │
│ Vulnerability Score: 0.00 │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
╭─────────────────────────────────────────────────────────────────────────── Machine Learning Analysis ───────────────────────────────────────────────────────────────────────────╮
│ ML Anomalies: False │
│ Detected Patterns: 0 │
│ Confidence: 0.00 │
╰─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯
Security Recommendations
Priority Title Description Actions
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
High Quantum Vulnerability Prepare for quantum threats • Plan migration to quantum-resistant
algorithms
Statistical Overview
╷
Metric │ Value
═════════════════════════════╪════════
Total Vulnerabilities Found │ 3
Critical Issues │ 2
Overall Security Score │ 10/100
╵
Analysis complete! Detailed report has been generated.
Please review the recommendations carefully.
|
|
|
|
Well after going through it the only point where i feel your method could fall short is in the potential noise in signature
The ECDSA signature may have noise and if the signature you are using is not perfectly aligned with the assumptions made in your model it could disrupt the entire process and this will make it hard for the lattice based approach to solve the problem accurately
Aside that I really can't think of anything
You should consider examining the impact of signature noise
I was warn about this yesterday. I totally forgot about it when i was coding. thank you so much for the reminder. I appreciate it. |
|
|
|
I had chance upon this research.. https://eprint.iacr.org/2024/296The author had through multiple signatures found the private key through less than 4 bits of nonce leakage. My problem is, i do not know the k nonce. there is no leakage. I do not know the private key. i do not know the message that was used.. So i modify the script accordingly. i believe if it takes less than 4 bits of nonce leakage to eventually gain the private key, I could 'leak' the 6 bits of the k nonce. try on every pattern (Total This script will try all 262,144 (64^3) possible combinations) and eventually get the right 'leak' for the full k nonce. Notwithstanding using GPU, CPU ONLY, it will take me roughly 22 hours to complete the full pattern. I tried following the method describe in the research very closely and as much as i can. What i want to ask is, why do you think my method won't work? Where am i going wrong with my code? Thank You. I Appreciate your opinion. Written in Sagemath / Python
import os
os.environ['CUDA_PATH'] = '/usr/local/cuda-11.5'
import time
import logging
import multiprocessing
import cupy as cp
import pickle
logging.basicConfig(level=logging.INFO, format='%(asctime)s - %(levelname)s - %(message)s')
logger = logging.getLogger(__name__)
# Print CUDA version for verification
logger.info(f"CUDA version: {cp.cuda.runtime.runtimeGetVersion()}")
logger.info(f"CuPy version: {cp.__version__}")
p = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
a, b = 0, 7
E = EllipticCurve(GF(p), [a, b])
G = E(0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
n = G.order()
def ecdsa_to_hnp(signatures, l):
logger.info(f"Converting {len(signatures)} ECDSA signatures to HNP instances")
q = n
w = q // (2**(l+1))
samples = []
for sig in signatures:
r = int(sig['r'], 16)
s = int(sig['s'], 16)
z = int(sig['z'], 16)
t = (Mod(r, q) * Mod(s, q)**(-1)) % q
a = (Mod(z, q) * Mod(s, q)**(-1) - w) % q
samples.append((t, a))
logger.info(f"Conversion complete. Generated {len(samples)} HNP samples")
return samples
def construct_lattice(samples, x, l):
logger.info(f"Constructing lattice with {len(samples)} samples, x={x}, l={l}")
m = len(samples)
q = int(n)
w = q // (2**(l+1))
B = matrix(ZZ, m+1, m+1)
for i in range(m-1):
B[i, i] = q
B[m-1, :m-1] = [x * t for t, _ in samples]
B[m-1, m-1] = x
B[m, :m-1] = [a for _, a in samples]
B[m, m] = int((w * w // 3)**0.5)
logger.info(f"Lattice construction complete. Dimension: {B.nrows()} x {B.ncols()}")
return cp.array(B.numpy())
def gpu_lll(B, delta=0.99):
logger.info(f"Starting GPU-accelerated LLL reduction on {B.shape[0]}x{B.shape[1]} matrix")
Q, R = qr(B)
n = B.shape[0]
k = 1
while k < n:
for j in range(k-1, -1, -1):
mu = cp.round(R[j,k] / R[j,j])
if mu != 0:
R[:j+1,k] -= mu * R[:j+1,j]
Q[:,k] -= mu * Q[:,j]
if delta * R[k-1,k-1]**2 > R[k,k]**2 + R[k-1,k]**2:
R[[k-1,k]] = R[[k,k-1]]
Q[:,[k-1,k]] = Q[:,[k,k-1]]
k = max(k-1, 1)
else:
k += 1
logger.info("GPU-accelerated LLL reduction complete")
return Q @ R
def gpu_bkz(B, block_size=20):
logger.info(f"Starting GPU-accelerated BKZ reduction with block size {block_size}")
n = B.shape[0]
for i in range(0, n - block_size + 1):
logger.debug(f"Processing block {i}/{n - block_size}")
block = B[i:i+block_size, i:i+block_size]
block = gpu_lll(block)
B[i:i+block_size, i:i+block_size] = block
logger.info("GPU-accelerated BKZ reduction complete")
return B
def gauss_sieve(B, target_norm, max_list_size=None):
logger.info(f"Starting Gauss sieve with target norm {target_norm}")
L = []
S = []
C = B.get().tolist() # Convert CuPy array to list
while C:
v = C.pop(0)
v = cp.array(v) # Convert back to CuPy array for GPU operations
if cp.linalg.norm(v) > target_norm:
continue
if not L:
L.append(v)
continue
changed = True
while changed:
changed = False
for w in L:
if cp.linalg.norm(v - w) < cp.linalg.norm(v):
v = v - w
changed = True
break
elif cp.linalg.norm(v + w) < cp.linalg.norm(v):
v = v + w
changed = True
break
if cp.linalg.norm(v) <= target_norm:
L.append(v)
if max_list_size and len(L) > max_list_size:
L.sort(key=lambda x: cp.linalg.norm(x))
L = L[:max_list_size]
else:
S.append(v)
logger.info(f"Gauss sieve complete. Found {len(L)} vectors")
return L
def interval_reduction(low, high, samples, q, l):
logger.info(f"Starting interval reduction: [{low}, {high}]")
M = high - low + 1
N = int(np.log2(M).ceil())
R = [(low, high)]
for t, a in samples[:N]:
R_new = []
for interval in R:
low, high = interval
n_min = ((t * low - a - q/(2**(l+1))) // q).ceil()
n_max = ((t * high - a + q/(2**(l+1))) // q).floor()
for n in range(n_min, n_max + 1):
new_low = max(low, ((a + n*q - q/(2**(l+1))) // t).ceil())
new_high = min(high, ((a + n*q + q/(2**(l+1))) // t).floor())
if new_low <= new_high:
R_new.append((new_low, new_high))
R = R_new
logger.info(f"Interval reduction complete. Resulting intervals: {len(R)}")
return R
def pre_screening(alpha0, samples, q, l, x):
logger.debug(f"Pre-screening candidate α₀: {alpha0}")
w = q // (2**(l+1))
result = all(abs(((x * t * alpha0 - a + q//2) % q) - q//2) <= w + q//(2**(l+4)) for t, a in samples)
logger.debug(f"Pre-screening result: {'Passed' if result else 'Failed'}")
return result
def improved_linear_predicate(v, samples, q, l, tau):
logger.debug(f"Checking improved linear predicate for v: {v}")
if v[0] == 0 or abs(v[0]) > q/(2**(l+1)) or abs(v[1]) != tau:
logger.debug("Predicate failed initial checks")
return None
k0 = -np.sign(v[1]) * v[0] + q/(2**(l+1))
alpha = (Mod(samples[0][1] + k0, q) * Mod(samples[0][0], q)**(-1)) % q
N = 2 * int(np.log2(q).ceil())
M = sum(1 for t, a in samples[:N] if abs((t * alpha - a) % q) < q/(2**l))
if M > N * (1 - np.log2(q)/(2**l) + 2**(-l)) / 2:
logger.debug(f"Predicate passed. Potential α: {alpha}")
return int(alpha)
logger.debug("Predicate failed final check")
return None
def decomposition_predicate(v, samples, q, l, tau, x):
logger.debug(f"Checking decomposition predicate for v: {v}")
if v[0] == 0 or abs(v[0]) > q/(2**(l+1)) or abs(v[1]) != tau:
logger.debug("Decomposition predicate failed initial checks")
return None
low = -np.sign(v[1]) * v[0] - x//2
high = -np.sign(v[1]) * v[0] + x//2
R = interval_reduction(low, high, samples, q, l)
for interval in R:
for h in range(interval[0], interval[1] + 1):
alpha = improved_linear_predicate((h, -tau), samples, q, l, tau)
if alpha is not None and pre_screening(alpha, samples, q, l, x):
logger.info(f"Decomposition predicate found potential solution: {alpha}")
return alpha
logger.debug("Decomposition predicate failed to find a solution")
return None
def progressive_bkz_sieve(B, predicate, start_dim=20, step=5, max_dim=None):
if max_dim is None:
max_dim = B.shape[0]
for d in range(start_dim, max_dim + 1, step):
logger.info(f"Processing dimension {d}")
B_sub = B[:d, :d]
B_sub = gpu_bkz(B_sub, block_size=min(20, d))
target_norm = cp.sqrt(4/3) * cp.linalg.det(B_sub)**(1/d)
logger.info(f"Target norm for dimension {d}: {target_norm}")
sieved_vectors = gauss_sieve(B_sub, target_norm, max_list_size=d*10)
logger.info(f"Checking predicates for {len(sieved_vectors)} vectors")
for v in sieved_vectors:
sk = predicate(v[-2:])
if sk is not None:
logger.info(f"Found potential solution: {sk}")
return sk
logger.info("Progressive BKZ-sieve completed without finding a solution")
return None
def try_nonce_patterns(args):
signatures, l, x, pubkey, patterns = args
logger.info(f"Trying nonce pattern: {patterns}")
modified_sigs = [{**sig, 'r': hex(int(sig['r'], 16) ^ (p << (256 - l)))[2:].zfill(64)}
for sig, p in zip(signatures, patterns)]
samples = ecdsa_to_hnp(modified_sigs, l)
B = construct_lattice(samples, x, l)
def predicate(v):
return decomposition_predicate(v, samples, int(n), l, int(B[-1, -1].get()), x)
sk = progressive_bkz_sieve(B, predicate, start_dim=20)
if sk:
recovered_pubkey_point = sk * G
recovered_pubkey = '04' + hex(recovered_pubkey_point[0])[2:].zfill(64) + hex(recovered_pubkey_point[1])[2:].zfill(64)
if recovered_pubkey == pubkey:
logger.info(f"Successfully recovered private key: {hex(sk)}")
return sk
logger.info(f"Failed to recover private key for pattern: {patterns}")
return None
def save_progress(completed_patterns):
logger.info(f"Saving progress. Completed patterns: {len(completed_patterns)}")
with open("progress.pkl", "wb") as f:
pickle.dump(completed_patterns, f)
def load_progress():
if os.path.exists("progress.pkl"):
with open("progress.pkl", "rb") as f:
completed_patterns = pickle.load(f)
logger.info(f"Loaded progress. Completed patterns: {len(completed_patterns)}")
return completed_patterns
logger.info("No previous progress found. Starting from scratch.")
return set()
def main():
signatures = [
{
'r': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
's': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'z': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
},
{
'r': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
's': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'z': 'xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
},
{
'r': '5caxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
's': '21bxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
'z': 'hexadecimalxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx',
}
]
l = 6 # 6-bit guessing
x = 2**15
pubkey = "04xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
all_patterns = list(itertools.product(range(2**l), repeat=len(signatures)))
completed_patterns = load_progress()
patterns_to_try = [p for p in all_patterns if p not in completed_patterns]
num_processors = min(24, multiprocessing.cpu_count())
logger.info(f"Using {num_processors} processors")
try:
with multiprocessing.Pool(num_processors) as pool:
args = [(signatures, l, x, pubkey, pattern) for pattern in patterns_to_try]
for i, result in enumerate(pool.imap_unordered(try_nonce_patterns, args)):
if result is not None:
print(f"Successfully recovered private key: {hex(result)}")
return
completed_patterns.add(patterns_to_try[i])
if (i+1) % 1000 == 0:
save_progress(completed_patterns)
logger.info(f"Completed {i+1}/{len(patterns_to_try)} pattern combinations")
except KeyboardInterrupt:
logger.info("Interrupted by user. Saving progress...")
save_progress(completed_patterns)
print("Failed to recover the private key.")
if __name__ == "__main__":
main()
The code is pretty much self explanatory. i already extended some definitions that has no #comments so its easier for you to read and understand what the code is achieving.. PS: i had remove some library imports. |
|
|
|
I was testing on 2 signatures. both created with different K nonce. as we all know, it will not lead to the correct private key unless the same nonce is reuse. However, i extended the code to include Babai's Nearest plane algorithm to readjust the wrong private key and get it closer to the correct private key by "guiding it " to the correct pubkey coordinates and it manage to only give me the partial private key from the closest vector. I think this is interesting and will be exploring further to recover full private key. result from my test.
root@MSI:/home/krash/test# python3 test.py
INFO:__main__:Using 2 signatures to build the lattice...
INFO:__main__:Short vectors after LLL reduction:
INFO:__main__:Short vector: (166728803922956164814674931204777127007, 0, -269917836034390020152096309044001076683, 0)
INFO:__main__:Short vector: (284880382552528911560114733869411675383, 0, 233299777452147397360970206987837337582, 0)
INFO:__main__:Short vector: (0, 115792089237316195423570985008687907853269984665640564039457584007908834671663, 0, 0)
INFO:__main__:Short vector: (191322878670180847261800180723017804593, 0, -63475476205101254537288001668546129622, 115792089237316195423570985008687907853269984665640564039457584007913129639936)
INFO:__main__:Completed LLL reduction.
INFO:__main__:partial private key from Babai: 000000000000000000000000000000007d6eccb306788626b5f389b33f092c5f
At this point, the experiment is not completed and i only consider something viable if we can recover the full private key. if anyone interested to work with me on how we can refine this experiment further, do DM me. hi, i send your dm reply me thankyou hi Cassandra. Yes I have received your dm.. thanks.
I was testing on 2 signatures. both created with different K nonce. as we all know, it will not lead to the correct private key unless the same nonce is reuse. However, i extended the code to include Babai's Nearest plane algorithm to readjust the wrong private key and get it closer to the correct private key by "guiding it " to the correct pubkey coordinates and it manage to only give me the partial private key from the closest vector. I think this is interesting and will be exploring further to recover full private key. result from my test.
root@MSI:/home/krash/test# python3 test.py
INFO:__main__:Using 2 signatures to build the lattice...
INFO:__main__:Short vectors after LLL reduction:
INFO:__main__:Short vector: (166728803922956164814674931204777127007, 0, -269917836034390020152096309044001076683, 0)
INFO:__main__:Short vector: (284880382552528911560114733869411675383, 0, 233299777452147397360970206987837337582, 0)
INFO:__main__:Short vector: (0, 115792089237316195423570985008687907853269984665640564039457584007908834671663, 0, 0)
INFO:__main__:Short vector: (191322878670180847261800180723017804593, 0, -63475476205101254537288001668546129622, 115792089237316195423570985008687907853269984665640564039457584007913129639936)
INFO:__main__:Completed LLL reduction.
INFO:__main__:partial private key from Babai: 000000000000000000000000000000007d6eccb306788626b5f389b33f092c5f
At this point, the experiment is not completed and i only consider something viable if we can recover the full private key. if anyone interested to work with me on how we can refine this experiment further, do DM me. Hi, bro You need ask questions in crypto.stackexchangr I think.This will be more productive. Hey man. How are you. Long time no talk. Yeah... I hate that place. They hate me too. It's mutual. We argued a lot there. Coz the admins was pretty rude. So I hack one of them This was 4 years ago. Not interested to go back there. |
|
|
|
I was testing on 2 signatures. both created with different K nonce. as we all know, it will not lead to the correct private key unless the same nonce is reuse. However, i extended the code to include Babai's Nearest plane algorithm to readjust the wrong private key and get it closer to the correct private key by "guiding it " to the correct pubkey coordinates and it manage to only give me the partial private key from the closest vector. I think this is interesting and will be exploring further to recover full private key. result from my test.
root@MSI:/home/krash/test# python3 test.py
INFO:__main__:Using 2 signatures to build the lattice...
INFO:__main__:Short vectors after LLL reduction:
INFO:__main__:Short vector: (166728803922956164814674931204777127007, 0, -269917836034390020152096309044001076683, 0)
INFO:__main__:Short vector: (284880382552528911560114733869411675383, 0, 233299777452147397360970206987837337582, 0)
INFO:__main__:Short vector: (0, 115792089237316195423570985008687907853269984665640564039457584007908834671663, 0, 0)
INFO:__main__:Short vector: (191322878670180847261800180723017804593, 0, -63475476205101254537288001668546129622, 115792089237316195423570985008687907853269984665640564039457584007913129639936)
INFO:__main__:Completed LLL reduction.
INFO:__main__:partial private key from Babai: 000000000000000000000000000000007d6eccb306788626b5f389b33f092c5f
At this point, the experiment is not completed and i only consider something viable if we can recover the full private key. if anyone interested to work with me on how we can refine this experiment further, do DM me. |
|
|
|
I will create two different wallets, one for Bitcoin, and one for Ethereum or any token.
With Ethereum, interaction through smart contracts is risky and I can not be sure that interact with them will not let my money stolen. What if I will lose not only tokens, ETH and also Bitcoin?
Use one wallet for all is convenient but the point here is simple and vital, creating one more wallet is not like a burden in our life so don't let convenience to bring more risk on our money.
you make a very good point. |
|
|
|
What is the Segwit v1 and Taproot in your example? How do they generated exactly? I put one of the WIF private keys here https://gugger.guru/cryptography-toolkit/#!/ecc and it shows that not all addresses match your generated info. Particularly, for private key Kyaezi5h3hvpFRmzfXZ5FeuEAWPKpqKmnNpubr9yTNJqQieCd3co the corresonding Taproot address is bc1p8a0d52uwlw0c4mhnu3alev6dhctaxw56hm3rwytmswt8ty9zsucse8g3xs and not bc1pqvnugwfratfw7yyg8y3yn9qmyrs8m95ws75ss7wn6cps2yucugckj855g5koh.. thanks for the info. i shall correct it now. |
|
|
|
An update from this previous post https://bitcointalk.org/index.php?topic=5500340.0where i have added taproot addr among others. The result will be,
----------------------------------------
--------- Crypto Address Set 9 ---------
Private Key (Hexadecimal): 46731fe2aaf7d392d8c835d700e218ce530f07bceecfbe7bdda563bccb9fe27d
Private Key (Decimal): 31865306878367898143325753650603785580817010066944666973741921704127557001853
Bitcoin P2PKH (Legacy) Address:
- Uncompressed: 19rVJHyPAeqGwEe2Y88ScEokNpJyXNYg9h
- Compressed: 1HfFPCkBPeM9n8oMdJsRBkLv5TsKqpS6eZ
Bitcoin P2SH-Segwit Address:
- Bitcoin Address: 3MavunaQnxHH64VhkQCs9eGEsKwfWwRxMg
Bitcoin Bech32 (Native Segwit v0) Address:
- Bitcoin Address: bc1qk67axs6mkuuku4ru4mslkt6plzc9jlvul6luk7
Bitcoin Bech32m (Native Segwit v1) Address:
- Bitcoin Address: bc1pmuy35pudravslw3v48tnmxnjtav9k9l3nxneqvktnw546pvnt38skhtp6u
Bitcoin P2TR (Taproot) Address:
- Bitcoin Address: bc1pqvnugwfratfw7yyg8y3yn9qmyrs8m95ws75ss7wn6cps2yucugckj855g5k
Ethereum Address:
- Ethereum Address: 0x050b637ee56b253057d65e2a27072d983795d1d5
WIF Private Keys:
- Uncompressed: 5JMK8BffyoRt2ujpW7vV9kvyTAq75VcyNA2LczMcSuromQTg57Q
- Compressed: Kyaezi5h3hvpFRmzfXZ5FeuEAWPKpqKmnNpubr9yTNJqQieCd3co
Public Keys:
- Uncompressed: 0427c43923ead2ef1088392249941b20e07d968e87a90879d3d603051398e2316952725d204255a3b3afc316f394a6605ee5be3b9a13bb084b618be451e5a21d9b
- Compressed: 0327c43923ead2ef1088392249941b20e07d968e87a90879d3d603051398e23169
----------------------------------------
--------- Crypto Address Set 10 ---------
Private Key (Hexadecimal): 1e718fbcc43ef27c65aaec995a39fdbce7809075755002897e075785deb2d440
Private Key (Decimal): 13770031214682617702920419222185887662192733509350067534825001918611160486976
Bitcoin P2PKH (Legacy) Address:
- Uncompressed: 1DprDrZavpEvGpxf4m3kfkTb6dvWmFRsss
- Compressed: 1F2Ytqn4a88wVc8soysByc1Xnf26X4JKkF
Bitcoin P2SH-Segwit Address:
- Bitcoin Address: 3Q4Yqp33nxWmXjMBTKK2bS6JjyVpbKUH4t
Bitcoin Bech32 (Native Segwit v0) Address:
- Bitcoin Address: bc1qn8wveuy7pram7m9h5zycs7y7yfygyjjja9ylma
Bitcoin Bech32m (Native Segwit v1) Address:
- Bitcoin Address: bc1p6cvs38kr6fzkcn5gknq3dvyc52x0vl49pe56wdwjw2p27np6jh4q02lymp
Bitcoin P2TR (Taproot) Address:
- Bitcoin Address: bc1pq2m299eh4ny80sqzvwnttspgqq76ymjfek5rg3kffxyhm6x47qp37zx0kl9
Ethereum Address:
- Ethereum Address: 0x0893bc713b611733f9fa196f8dfc771e4f5cb2c0
WIF Private Keys:
- Uncompressed: 5J3hDrQNzVhgqmnViyR3UCjzV6Tw6dscmHbzE961ntPTdVH43jn
- Compressed: KxEtXj4C4mgarGfonG17u4pkj17smskQrUHRazh8VXp8XuJDj4Cg
Public Keys:
- Uncompressed: 04b6a29737acc877c00263a6b5c028003da26e49cda83446c949897de8d5f0031f5ac4cb48ca44b39439ca43069f4b8899d5c5a0a516b47e0caf06f1912359df56
- Compressed: 02b6a29737acc877c00263a6b5c028003da26e49cda83446c949897de8d5f0031f
I tried my best to make the code as "readable" as possible. Do check out the code and give me your opinion. you may clone here if you like it. https://github.com/KrashKrash/btc-addr-generator |
|
|
|
Hi
Is it worth to brute force the K nonce?
How fast is it? Is it faster than bsgs mode?
no thats slower. bsgs is better. |
|
|
|
I have been learning about ECDSA ( r s z, public key ,private key ) for about 2 months # 130 Although only one rsz is know , but 1000 rsz can be produced using the public key, the nonce K value will be 240~256 bits 50% - nonce is 256 bit 25% - nonce is 254 bit 25% - nonce is 253~240 bit However, more than 64 rsz must be leaked at the same time to leak more than 12 bits to use lattice-attack # 130 Public Key 0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70 create #130 rsz # 130 rsz 1
r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8
s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e
z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9
# 130 rsz 2
r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822
s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a
z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2
# 130 rsz 3
r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0
s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850
z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e
# 130 rsz 4
r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca
s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9
z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632
# 130 rsz 5
r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9
s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d
z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04
....
....
....
would you mind sharing your code on how you leak the RSZ and how you create more sample for the given public key. thank you |
|
|
|
Offtop, how if your twist attack?
thats done. awhile ago. |
|
|
|
Saw some comments of users looking for R,S,Z Signatures and public key sample for research purposes. So i created a script where you can have a little more details than you need. Its a simple script so you can do your various research that you wish on ECDSA Secp256k1 signatures. you can download it here. https://github.com/KrashKrash/ecdsa-rsz-signature
=== ECDSA Signature Details ===
BTC Address: 1JvF4Bn4yF6GThYEA7pfhp3j8Xb6wu2t8D
Private Key: edb01804beb2e95898648ae87f1fa072d53b3b6f4564e092065bac907f063b9d
Signature (r, s, z):
r: 634e6e5d85360927c64d66bdd616dc58ac6b72cd22fac01c544236b63734ad35
s: 7fe9088b3849cddb82f38ef9244a06c413addb38031ee01a38e675ff28579d8a
z: 6ad532092bb3f4ee012e61df35c95efc7d9e9fa5653c371bc843fa4b3627f01f
k (nonce): 695e5e4c01e8ac9d77b7ecdd9881d50bb397ff7e54e082240a19b714c4de7ef8
PubKey: 034f966cdcc502d17876270349736f6a20f13edb5eccb5a92d1c702a0e059a9ba9
Signature Verification: Valid
just a little more info for you who are just starting out to do the research, some call it z, some call it message(hash) some just call it h. but it means the same thing. message or m = the original message H(m) or h or z = the hash of the message H(m), h or z depending on who you talk to, is the hash of the message. same meaning. I just want to have this information out here so you don't waste your time thinking what is h and what is z. Good luck on your research. |
|
|
|
Interesting, but I'll give you some opinions and if you want, you can implement them in your code to get better and better: Do you know the BIP39 iancolaman website? It's a website that generates a mnemonic, seed, xprivs, derived keys, addresses, etc. It would be great to have a tool like this without needing to be on the website. It's possible to create this all in a script and run it on your machine. It'd also be interesting for the script to generate all types of existing bitcoin addresses: legacy - p2pkh
p2sh-segwit - p2wpkh-p2sh
bech32 - p2wpkh (native segwit v0)
bech32m - p2tr (taproot - native segwit v1) Another similar interesting site for you to base yourself on, each with one more or less functionality: https://bitcoiner.guide/seed/https://gugger.guru/cryptography-toolkit/#!/hd-wallet I don't advise anyone to generate wallets based on scripts we find out there, especially from strangers (unless you know how to review the code), as a bug could happen that could make you lose your funds. But as long as you only use it for learning and testing, it's fine. There are several similar scripts that we can find here on the forum and on this board. you mean like a stand alone? ahh. nice... ok. i will get back to you on this. interesting. |
|
|
|
|
