Bitcoin Forum
June 21, 2024, 12:06:01 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
  Home Help Search Login Register More  
  Show Posts
Pages: [1]
1  Bitcoin / Development & Technical Discussion / Z calculate from R, S || formula correct ??? on: May 05, 2024, 12:40:29 PM
Z calculate from R, S

EXAMPLE : R S

R = 0xcabc3692f1f7ba75a8572dc5d270b35bcc00650534f6e5ecd6338e55355454d5
S = 0xf65bfc44435a91814c142a3b8ee288a9183e6a3f012b84545d1fe334ccfac25e
# target Z value for 0x9b076ad2fe6b2ce63acf4edf7fc82d5152d3c8bffb36b944da7a1cce038f544a

R = 0xcabc3692f1f7ba75a8572dc5d270b35bcc00650534f6e5ecd6338e55355454d5
S = 0x9cae782a191f3e742d9d4ff8f726d097a3a256af9fbc1faf16e7ec4d9fcf6feb
# target Z value for 0x85e43d48a83d8713a0fe253bf6b1fc70b8ee780e54749dc500f2880b056c4383

R = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798
S = 0xb0fc6f098d906534447438c18cd892ab2fea7b5a24b7715f46a2ece08cd281de
# target Z value for 0x373e088a93b3a987eed3d62bbe5187a42d4e7e7ef6e94885ecb06b8575da6a46

R = 0xc6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5
S = 0x70b862a9bd712fbc70e5a30152f7951f1b46d40087b83d4330ed4eb6f39d640c
# target Z value for 0x5567c62af707649e8140c5257a6e308c384d6850a4daa172ca54e887fe8fcb8f

First, we look at signatures:
Code:
s=(z+rd)/k
sk=z+rd
sk-z=rd
(sk-z)/r=d
(s/r)k-(z/r)=d
(z/r)+d=(s/r)k
k=((z/r)+d)*(r/s)

any formula to find z form r s
my idea
r/s = z Huh
s/r =z Huh
s**r=z Huh

or r s using to calculate the valid z value Huh
2  Bitcoin / Development & Technical Discussion / S calculate From (priv_publickey _XY ,nonce_publickey_XY ,and Message(z)) on: April 29, 2024, 03:31:40 AM
S calculate From (priv_publickey _XY ,nonce_publickey_XY  ,and Message(z))
hi,
example  data:

priv_publickey _XY    = px: 0xbb6c1de01f36618ae05f7c183c22dfa8797e779f39537752c27e2dc045b0e694  py: 0x2f8af53270bf045f2258834b6dad7481ad6fca009d80f5b54697b08d104fc7b3
nonce_publickey_XY  = px: 0xcabc3692f1f7ba75a8572dc5d270b35bcc00650534f6e5ecd6338e55355454d5 py: 0xafa7746c07a124cb59e190f00955952a7329591b805c4d9d04d34abe8a803a74
Message(z))                = 0x9b076ad2fe6b2ce63acf4edf7fc82d5152d3c8bffb36b944da7a1cce038f544a


#S output need using S calculate From priv_publickey _XY ,nonce_publickey_XY  ,and Message(z)
S = 0xf65bfc44435a91814c142a3b8ee288a9183e6a3f012b84545d1fe334ccfac25e

My question is how to calculate the S value using only d publickey _XY, k publickey _XY, and z.

I understand the S calculation formula: s = (z+x*r)/k
but I need another method to get S,  s = (z+priv_publickey _XY*r)/nonce_publickey_XY   # my idea this is right  Huh


My English is a little bit

Edit:
share a possible idea.
3  Bitcoin / Development & Technical Discussion / Re: Can someone provide 3 examples of r,s,z and nonce data ? on: April 26, 2024, 08:30:23 PM
Thank you for your answer. What is nonces ?
I need them for tests and I need know nonces...
Br

Pubkey =  02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
puzzle #120    Grin Grin

---
k1      =  0x00000000000000000000000000000000025d46d0bccbc08eafa03912b3f2c206
r1      =  0x890895144c4a40cd18126d1ce6534e03ab909c8c3692f1cc108fec8e2e4dea97
s1      =  0x51bc4ff0a414d66113e354a7070f47eba8ab76035e776ed2123c7d5ee991b800
z1      =  0xf11d940943f16b4117aea030d0b0cf7f6781e99f2babe05daa574a10b072bc44

k2      =  0x00000000000000000000000000000000029c9ececdceab18cfba91146e5ded7e
r2      =  0x2e772d6ea8cd5dc0b4f06a5f4e5ea057cb65b27a820acb0df711e2855052193f
s2      =  0x83e65d972d090e8d975e5ed99f55c9bbc20fcf692344cf847f3639f4ff026d63
z2      =  0x625ed03aa7e42bb1f65e5546861807a0a52fc52cb20a6b4bdc32b2028e70904b

k3      =  0x000000000000000000000000000000000141bf2eb7b3d7b7b5bbf78d4f28bcda
r3      =  0xb32f2f28d07cd0a9cc139905e1875379b9349fd21ccb838e380215afa5f26eac
s3      =  0x15d30ec6841a4e59bbb87bfc11ebf7cab78b5eb2e5ce742ebe7d07a060ebfc5b
z3      =  0x3677c07287e8742faf74b964476405f1f153466b26234b3461b268ee00676ce8


121 bit :    3  r,s,z      use  LLL_nonce_leakage.py  , you  can  found private key about 1~2 second



Thank you !!!! Wink


But, no logic with so big nonce, can you generate rsz with nonce 2**30 or less for ex to ,120 puzz pubkey ?

What are you trying to do? cloud, you share your rsz code. 
4  Bitcoin / Development & Technical Discussion / Re: Private key recovery with 120 bit nonce leakage possible? on: April 26, 2024, 08:17:46 PM
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?
How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh


5  Bitcoin / Development & Technical Discussion / Re: Can someone provide 3 examples of r,s,z and nonce data ? on: April 26, 2024, 04:39:07 AM
Good day

Can someone provide 3 examples of r,s,z and nonce data ?


nonce need <= 100

?

Thank you very much.
     R = 64c2e12a01585b692b28b3bfc172df41a865862719a45728298428bc790c48a7
     S = 7e7597a8553fda5bb3ebf990a8671c009a9b25211e873ddaa834e64034c98a53
     Z =  c69268be9eabc84554c2f4905b3977502aa3d52f077bb51dd8cadb502e87b258
PubKey =  02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
======================================================================
[1]
     R =  4818f9d3c3ffa8d65678b626da395aaa34ea2bc5461ffbff5f32a4fe874865a5
     S =  3374c6d2bd43e4414d678b17c9495b09802e10031eac18e5eea7e3d66676f1c1
     Z =  25f297dd6a2a49dbb869b91f8b40d568e0d6e85d3ccc69e495da2552106316d0
PubKey = 02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
6  Bitcoin / Development & Technical Discussion / Re: SLA ATTACK INTRODUCTION! - try yourself! part 1 on: April 17, 2024, 09:30:05 AM

May the birth of Jesus fill your heart with hope and your life with peace. Wishing you a joyful Christmas and a prosperous New Year!
Merry Christmas!


Today I would like to share with you about SLA Attack with enhanced HNP version.

below you have the publick_key and 4 transactions for your lattice attack .


You can check , by yourself -> the normal LLL, BKZ, and other version Lattice attack can't work. But do WE are sure?

After the Merry Christmas I will explain you that is possible to get the privatekey, this is not magic, this is only math.

But it is not means that we can break all transactions, it is not possible ( in this time)


Code:

pub_x=78818948780003756257317958050830555774114574049345167555502776053755203387740
pub_y=85310869649124623199239678595534894888310458014006292835496616516506069461339

#transaction  0
r0= 24588206389753509640811575274464895786743927888579903530421809444319483977945
s0= 6059631986729592015541657016422287276173820535531976323896631946703745342867
z0= 101598333805859088104460709339322323253967984469981980765513451043299277293155

#transaction  1
r1= 111221219393533092766757231205655148598387391688038680725887770855610516805909
s1= 42977158969606988178616173909829205963209865807459159238342890662517579355841
z1= 75271282682365162977006304314488289715934654579982163778286970938094294125550

#transaction  2
r2= 44123605128819602489001064361934486571234465815113913274010695678312575535453
s2= 88798687690890311252972811497043740005145032962565756682947865690983442775963
z2= 31168170417557643134092921420438134489495011575172141680151817407498816915579

#transaction  3
r3= 94338820713420177999285705783245931032780263864711798770837560147349744238820
s3= 60570772284192607377585619611192272505942195544881266954074409732220122802223
z3= 22531922170940191727384485876798017236093880276537969715100077948701801182677


Quote
After the Merry Christmas I will explain you that is possible to get the privatekey

explain?? share video link
7  Bitcoin / Development & Technical Discussion / Re: LLL_nonce_leakage.py -->> simple Sagemath code on: April 17, 2024, 03:43:15 AM


# Secret key = x = (rns1 – r1sn)-1 (snm1 – s1mn – s1sn(k1 – kn))
# For most significant fix 128 bit leak at least 3 sig is required.
fix_bits = 128
out_file_name = 'pseudo_sig_rsz.txt'

kbits = 256 - fix_bits

....
................

for row in new_matrix:
    potential_nonce_diff = row[0]
#    print('k=', hex(potential_nonce_diff))
#    modinv(r3 * s1 - r1 *s3) * (s3 * m1 - s1 * m3 - s1 * s3 *(k1 - k3))
    potential_priv_key = (sn * z[0]) - (sigs_s[0] * zn) - (sigs_s[0] * sn * potential_nonce_diff)
    potential_priv_key *= modinv((rn * sigs_s[0]) - (sigs_r[0] * sn))
    potential_priv_key = potential_priv_key % N
#    print('PK=', hex(potential_priv_key))
 
    # check if we found private key by comparing its public key with actual public key
    if ice.scalar_multiplication(potential_priv_key) == pub:
        print('-'*75)
        print(f' found private key = {hex(potential_priv_key)}')
        print('-'*75)



I can't understand this Python code. Anyone write the Sagemath code?
LLL_nonce_leakage.py -->> simple Sagemath code


download or clone the file from here to the same directory you have the LLL program. you need to use ice_secp256k1.dll or .so for linux to use this program..
https://github.com/iceland2k14/secp256k1
Yes, I know, but I am asking for simple math for easy understanding.
Please explain how LLL_nonce_leakage works, write simple math, or explain
8  Bitcoin / Development & Technical Discussion / Re: ECDSA 1/k on: April 15, 2024, 11:16:07 AM

Added new information
d1=(k1*s1-z1)/r1
k1=(d1*r1+z1)/s1
r1=(k1*s1-z1)/d1
s1=(d1*r1+z1)/k1
z1=k1*s1-d1*r1

Any ideas if we have a signature another signature

d2=k1^(n-2)-1
k2=k1^(n-2)
r2=(k2*s2-z2)/d2
s2=(d2*r2+z2)/k2
z2=k2*s2-d2*r2



Added new information
d1=(k1*s1-z1)/r1
k1=(d1*r1+z1)/s1
r1=(k1*s1-z1)/d1
s1=(d1*r1+z1)/k1
z1=k1*s1-d1*r1

Any ideas if we have a signature another signature

d2=k1^(n-2)-1
k2=k1^(n-2)
r2=(k2*s2-z2)/d2
s2=(d2*r2+z2)/k2
z2=k2*s2-d2*r2


Where is the rsz value?? Give your RSZ value

r=0x
s=0x
z=0x
9  Bitcoin / Development & Technical Discussion / LLL_nonce_leakage.py -->> simple Sagemath code on: April 15, 2024, 10:42:55 AM
import olll
import random
import math
import secp256k1 as ice

G = ice.scalar_multiplication(1)
N = ice.N

# Secret key = x = (rns1 – r1sn)-1 (snm1 – s1mn – s1sn(k1 – kn))
# For most significant fix 128 bit leak at least 3 sig is required.
fix_bits = 128
out_file_name = 'pseudo_sig_rsz.txt'

kbits = 256 - fix_bits


#==============================================================================
def write_rsz_file(rr, ss, zz, pb):
    with open(out_file_name, 'w') as f:
        sz = len(rr)
        for i in range(sz):
            f.write('r      = ' + hex(rr)[2:].zfill(64) + '\n')
            f.write('s      = ' + hex(ss)[2:].zfill(64) + '\n')
            f.write('z      = ' + hex(zz)[2:].zfill(64) + '\n')
        f.write('pubkey = ' + pb.hex())
       
def modinv(v):
    return pow(v, N-2, N)

def getx(Q):
    return int(Q[1:33].hex(), 16)

def minimum_sigs_required(num_bits):
    return math.ceil(1.03 * 4 / 3 * 256 / num_bits)

def identity_plus2(u, elem=1):
    m=[[0 for x in range(u+2)] for y in range(u)]
    for i in range(0,u):
        m = elem
    return m
#==============================================================================
n = 1 + minimum_sigs_required(fix_bits)
print(f'\n Fixed Nonce bits = {fix_bits}           Minimum Signature Required = {n}')


# example secret = 0x7cf5d79d200207963474c64e64bde80ff4cb3e225b6ac5b6e958522fdab60578
secret = random.randint(1,N)
pub = ice.scalar_multiplication(secret)
print('###############################################################################')
print(f'secret: {hex(secret)}')
print(f'Pubkey: {pub.hex()}')
print('###############################################################################')

fixed_k_prefix = random.randrange(2**kbits, N)

#S = ((Z + (X * R)) / K) % N
z = [random.randrange(1, N) for i in range(n)]
nonces = [random.randrange(1, 2**kbits) + fixed_k_prefix for i in range(n)]
sigs_r = [getx(ice.scalar_multiplication(nonces)) for i in range(n)]
sigs_s = [( (z + secret * sigs_r) * modinv(nonces) )%N for i in range(n)]
sinv   = [modinv(sigs_s) for i in range(n)]

write_rsz_file(sigs_r, sigs_s, z, pub)
###############################################################################
matrix = identity_plus2(n-1, N)

# Add last 2 rows
row, row2 = [], []
[zn, rn, sn] = [z[-1], sigs_r[-1], sigs_s[-1]]
rnsn_inv = rn * modinv(sn)
znsn_inv = zn * modinv(sn)


# 2nd to last row: [r1(s1^-1) - rn(sn^-1), ... , rn-1(sn-1^-1) - rn(sn^-1), 2^176/order, 0 ]
# last row: [m1(s1^-1) - mn(sn^-1), ... , mn-1(sn-1^-1) - mn(sn^-1), 0, 2^176]
for i in range(n-1):
    row.append((sigs_r * modinv(sigs_s)) - rnsn_inv)
    row2.append((z * modinv(sigs_s)) - znsn_inv)

# add last elements of last two rows, B = 2**(256-80) for yubikey
row.append((2**kbits) / N)
row.append(0)
row2.append(0)
row2.append(2**kbits)
 
matrix.append(row)
matrix.append(row2)

print(' Original Matrix')
print(matrix)
###############################################################################
new_matrix = olll.reduction(matrix, 0.75)
print('\n\n Reduced Matrix')
print(new_matrix)

for row in new_matrix:
    potential_nonce_diff = row[0]
#    print('k=', hex(potential_nonce_diff))
#    modinv(r3 * s1 - r1 *s3) * (s3 * m1 - s1 * m3 - s1 * s3 *(k1 - k3))
    potential_priv_key = (sn * z[0]) - (sigs_s[0] * zn) - (sigs_s[0] * sn * potential_nonce_diff)
    potential_priv_key *= modinv((rn * sigs_s[0]) - (sigs_r[0] * sn))
    potential_priv_key = potential_priv_key % N
#    print('PK=', hex(potential_priv_key))
 
    # check if we found private key by comparing its public key with actual public key
    if ice.scalar_multiplication(potential_priv_key) == pub:
        print('-'*75)
        print(f' found private key = {hex(potential_priv_key)}')
        print('-'*75)



I can't understand this Python code. Anyone write the Sagemath code?
LLL_nonce_leakage.py -->> simple Sagemath code

10  Bitcoin / Development & Technical Discussion / Re: Calculating K nonce on: April 09, 2024, 02:46:47 PM
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.

in case you need the full code i had use in sagemath.

Code:

import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

E = EllipticCurve(GF(p), [0, 7])

G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))

r=0x
s=0x
z=0x

def egcd(a, b):

    if a == 0:

        return (b, 0, 1)

    else:

        g, y, x = egcd(b % a, a)

        return (g, x - (b // a) * y, y)
def modinv(a, m):

    g, x, y = egcd(a, m)

    if g != 1:

        raise Exception('modular inverse does not exist')

    else:

        return x % m

def make_public(r,s,z):
    R = E.lift_x(Integer(r))
    w = int(modinv(s, n))
    u1 = int((z * w) % n)
    u2 = int((r * w) % n)
    #R=u1*G + u2*public_key
    #pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
    u_n2=modinv(u2,n)%n
    u_n1=- u1*modinv(u2,n)%n
    
    pub=u_n1*G + u_n2*R
    pub2=u_n1*G + u_n2*(-R)
    return pub,pub2

def verify(r, s,z,public_key):
    w = int(modinv(s, n))
    u1 = int((z * w) % n)
    u2 = int((r * w) % n)
    D=u1*G + u2*public_key
    x,y=D.xy()
    x=int(x)

    if (r % n) == (x % n):
        print( "signature matches")
        
    else:
        print("invalid signature")

pub1,pub2=make_public(r,s,z)

print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))

verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()

# Function to check if a point's x-coordinate matches r
def check_k(k):
    P = k * G
    return P.x() == r

# Iterate to find the correct k
for i in range(1, n):
    k = (r * i + z) * modinv(s, n) % n
    if check_k(k):
        print(f"Found correct k: {k}")
        private_key = (s * k - z) * modinv(r, n) % n
        print(f"Private Key: {private_key}")
        break






Thank you very mach for your code, mister Wink
@COBRAS
@krashfire

Please give me an example rsz if your code works correctly.
sample rsz Huh
r=0x
s=0x
z=0x
And, if 2 signatures match how long, it takes to K nonce



edit
i got error,

public_key1 (37231416379298332252575862495769965965364321245932635159006725536777825338696 : 9676366176353189190669004767334277632269117223198125569199055354600699161111 : 1)
pub1_x= 0x52503c225437e35c61b9ee5ec88ea71600e7a710dbebac88b27c2d1a667ac548
public_key2 (84773528361026042599480815013664408603889872484555722313313932231857335756436 : 21504221066078790871098131651817310599861599747961732812418866800256292472755 : 1)
pub2_x= 0xbb6c1de01f36618ae05f7c183c22dfa8797e779f39537752c27e2dc045b0e694
signature matches
signature matches


---------------------------------------------------------------------------
AttributeError                            Traceback (most recent call last)
Cell In [1], line 83
     81 for i in range(Integer(1), n):
     82     k = (r * i + z) * modinv(s, n) % n
---> 83     if check_k(k):
     84         print(f"Found correct k: {k}")
     85         private_key = (s * k - z) * modinv(r, n) % n

Cell In [1], line 78, in check_k(k)
     76 def check_k(k):
     77     P = k * G
---> 78     return P.x() == r

File /home/sc_serv/sage/src/sage/structure/element.pyx:489, in sage.structure.element.Element.__getattr__()
    487         AttributeError: 'LeftZeroSemigroup_with_category.element_class' object has no attribute 'blah_blah'...
    488     """
--> 489     return self.getattr_from_category(name)
    490
    491 cdef getattr_from_category(self, name) noexcept:

File /home/sc_serv/sage/src/sage/structure/element.pyx:502, in sage.structure.element.Element.getattr_from_category()
    500     else:
    501         cls = P._abstract_element_class
--> 502     return getattr_from_other_class(self, cls, name)
    503
    504 def __dir__(self):

File /home/sc_serv/sage/src/sage/cpython/getattr.pyx:362, in sage.cpython.getattr.getattr_from_other_class()
    360     dummy_error_message.cls = type(self)
    361     dummy_error_message.name = name
--> 362     raise AttributeError(dummy_error_message)
    363 att
11  Bitcoin / Development & Technical Discussion / Re: Pairs of matching n-values in secp256k1 with changed b-values on: March 24, 2024, 06:20:56 AM
Recently, I was quite surprised, when I saw that there are six different n-values, matching different b-values in secp256k1:
Code:
+-----+---------------------------------------------------------------------+
| b   | n                                                                   |
+-----+---------------------------------------------------------------------+
| 0x1 |  0xfffffffffffffffffffffffffffffffe06f23032560e83e138ea6fc857fb4794 |
| 0x2 | 0x1000000000000000000000000000000014551231950b75fc4402da1712fc9b71f |
| 0x3 |  0xffffffffffffffffffffffffffffffff4c43534ba6c5e3a57918113a87c50283 |
| 0x4 | 0x100000000000000000000000000000000b3bcacb4593a1c5a86e7eec3783af5dd |
| 0x6 | 0x100000000000000000000000000000001f90dcfcda9f17c1ec7159035a804b0cc |
| 0x7 |  0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
+-----+---------------------------------------------------------------------+
How come from this n value?
Where do you get this n value?

edit:
What is the base value. Those 1to7 values come from N
Pages: [1]
Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!