 Show Posts
|
|
Pages: [1]
|
Z calculate from R, S EXAMPLE : R SR = 0xcabc3692f1f7ba75a8572dc5d270b35bcc00650534f6e5ecd6338e55355454d5 S = 0xf65bfc44435a91814c142a3b8ee288a9183e6a3f012b84545d1fe334ccfac25e # target Z value for 0x9b076ad2fe6b2ce63acf4edf7fc82d5152d3c8bffb36b944da7a1cce038f544aR = 0xcabc3692f1f7ba75a8572dc5d270b35bcc00650534f6e5ecd6338e55355454d5 S = 0x9cae782a191f3e742d9d4ff8f726d097a3a256af9fbc1faf16e7ec4d9fcf6feb # target Z value for 0x85e43d48a83d8713a0fe253bf6b1fc70b8ee780e54749dc500f2880b056c4383R = 0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798 S = 0xb0fc6f098d906534447438c18cd892ab2fea7b5a24b7715f46a2ece08cd281de # target Z value for 0x373e088a93b3a987eed3d62bbe5187a42d4e7e7ef6e94885ecb06b8575da6a46R = 0xc6047f9441ed7d6d3045406e95c07cd85c778e4b8cef3ca7abac09b95c709ee5 S = 0x70b862a9bd712fbc70e5a30152f7951f1b46d40087b83d4330ed4eb6f39d640c # target Z value for 0x5567c62af707649e8140c5257a6e308c384d6850a4daa172ca54e887fe8fcb8fFirst, we look at signatures: s=(z+rd)/k
sk=z+rd
sk-z=rd
(sk-z)/r=d
(s/r)k-(z/r)=d
(z/r)+d=(s/r)k
k=((z/r)+d)*(r/s) any formula to find z form r s my idea r/s = z  s/r =z s**r=z or r s using to calculate the valid z value |
|
|
|
S calculate From (priv_publickey _XY ,nonce_publickey_XY ,and Message(z)) hi, example data: priv_publickey _XY = px: 0xbb6c1de01f36618ae05f7c183c22dfa8797e779f39537752c27e2dc045b0e694 py: 0x2f8af53270bf045f2258834b6dad7481ad6fca009d80f5b54697b08d104fc7b3 nonce_publickey_XY = px: 0xcabc3692f1f7ba75a8572dc5d270b35bcc00650534f6e5ecd6338e55355454d5 py: 0xafa7746c07a124cb59e190f00955952a7329591b805c4d9d04d34abe8a803a74 Message(z)) = 0x9b076ad2fe6b2ce63acf4edf7fc82d5152d3c8bffb36b944da7a1cce038f544a # S output need using S calculate From priv_publickey _XY ,nonce_publickey_XY ,and Message(z)S = 0xf65bfc44435a91814c142a3b8ee288a9183e6a3f012b84545d1fe334ccfac25e My question is how to calculate the S value using only d publickey _XY, k publickey _XY, and z. I understand the S calculation formula: s = (z+x*r)/k but I need another method to get S, s = (z+priv_publickey _XY*r)/nonce_publickey_XY # my idea this is right My English is a little bit Edit: share a possible idea. |
|
|
|
Thank you for your answer. What is nonces ?
I need them for tests and I need know nonces...
Br
Pubkey = 02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630 puzzle #120  --- k1 = 0x00000000000000000000000000000000025d46d0bccbc08eafa03912b3f2c206 r1 = 0x890895144c4a40cd18126d1ce6534e03ab909c8c3692f1cc108fec8e2e4dea97 s1 = 0x51bc4ff0a414d66113e354a7070f47eba8ab76035e776ed2123c7d5ee991b800 z1 = 0xf11d940943f16b4117aea030d0b0cf7f6781e99f2babe05daa574a10b072bc44 k2 = 0x00000000000000000000000000000000029c9ececdceab18cfba91146e5ded7e r2 = 0x2e772d6ea8cd5dc0b4f06a5f4e5ea057cb65b27a820acb0df711e2855052193f s2 = 0x83e65d972d090e8d975e5ed99f55c9bbc20fcf692344cf847f3639f4ff026d63 z2 = 0x625ed03aa7e42bb1f65e5546861807a0a52fc52cb20a6b4bdc32b2028e70904b k3 = 0x000000000000000000000000000000000141bf2eb7b3d7b7b5bbf78d4f28bcda r3 = 0xb32f2f28d07cd0a9cc139905e1875379b9349fd21ccb838e380215afa5f26eac s3 = 0x15d30ec6841a4e59bbb87bfc11ebf7cab78b5eb2e5ce742ebe7d07a060ebfc5b z3 = 0x3677c07287e8742faf74b964476405f1f153466b26234b3461b268ee00676ce8 121 bit : 3 r,s,z use LLL_nonce_leakage.py , you can found private key about 1~2 second Thank you !!!!  But, no logic with so big nonce, can you generate rsz with nonce 2**30 or less for ex to ,120 puzz pubkey ? What are you trying to do? cloud, you share your rsz code. |
|
|
|
Good day
Can someone provide 3 examples of r,s,z and nonce data ?
nonce need <= 100
?
Thank you very much.
R = 64c2e12a01585b692b28b3bfc172df41a865862719a45728298428bc790c48a7 S = 7e7597a8553fda5bb3ebf990a8671c009a9b25211e873ddaa834e64034c98a53 Z = c69268be9eabc84554c2f4905b3977502aa3d52f077bb51dd8cadb502e87b258 PubKey = 02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630 ====================================================================== [1] R = 4818f9d3c3ffa8d65678b626da395aaa34ea2bc5461ffbff5f32a4fe874865a5 S = 3374c6d2bd43e4414d678b17c9495b09802e10031eac18e5eea7e3d66676f1c1 Z = 25f297dd6a2a49dbb869b91f8b40d568e0d6e85d3ccc69e495da2552106316d0 PubKey = 02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630 |
|
|
|
May the birth of Jesus fill your heart with hope and your life with peace. Wishing you a joyful Christmas and a prosperous New Year! Merry Christmas! Today I would like to share with you about SLA Attack with enhanced HNP version. below you have the publick_key and 4 transactions for your lattice attack . You can check , by yourself -> the normal LLL, BKZ, and other version Lattice attack can't work. But do WE are sure? After the Merry Christmas I will explain you that is possible to get the privatekey, this is not magic, this is only math. But it is not means that we can break all transactions, it is not possible ( in this time)
pub_x=78818948780003756257317958050830555774114574049345167555502776053755203387740
pub_y=85310869649124623199239678595534894888310458014006292835496616516506069461339
#transaction 0
r0= 24588206389753509640811575274464895786743927888579903530421809444319483977945
s0= 6059631986729592015541657016422287276173820535531976323896631946703745342867
z0= 101598333805859088104460709339322323253967984469981980765513451043299277293155
#transaction 1
r1= 111221219393533092766757231205655148598387391688038680725887770855610516805909
s1= 42977158969606988178616173909829205963209865807459159238342890662517579355841
z1= 75271282682365162977006304314488289715934654579982163778286970938094294125550
#transaction 2
r2= 44123605128819602489001064361934486571234465815113913274010695678312575535453
s2= 88798687690890311252972811497043740005145032962565756682947865690983442775963
z2= 31168170417557643134092921420438134489495011575172141680151817407498816915579
#transaction 3
r3= 94338820713420177999285705783245931032780263864711798770837560147349744238820
s3= 60570772284192607377585619611192272505942195544881266954074409732220122802223
z3= 22531922170940191727384485876798017236093880276537969715100077948701801182677
After the Merry Christmas I will explain you that is possible to get the privatekey
explain?? share video link |
|
|
|
# Secret key = x = (rns1 – r1sn)-1 (snm1 – s1mn – s1sn(k1 – kn))
# For most significant fix 128 bit leak at least 3 sig is required.
fix_bits = 128
out_file_name = 'pseudo_sig_rsz.txt'
kbits = 256 - fix_bits
....
................
for row in new_matrix:
potential_nonce_diff = row[0]
# print('k=', hex(potential_nonce_diff))
# modinv(r3 * s1 - r1 *s3) * (s3 * m1 - s1 * m3 - s1 * s3 *(k1 - k3))
potential_priv_key = (sn * z[0]) - (sigs_s[0] * zn) - (sigs_s[0] * sn * potential_nonce_diff)
potential_priv_key *= modinv((rn * sigs_s[0]) - (sigs_r[0] * sn))
potential_priv_key = potential_priv_key % N
# print('PK=', hex(potential_priv_key))
# check if we found private key by comparing its public key with actual public key
if ice.scalar_multiplication(potential_priv_key) == pub:
print('-'*75)
print(f' found private key = {hex(potential_priv_key)}')
print('-'*75)
I can't understand this Python code. Anyone write the Sagemath code?
LLL_nonce_leakage.py -->> simple Sagemath code
download or clone the file from here to the same directory you have the LLL program. you need to use ice_secp256k1.dll or .so for linux to use this program.. https://github.com/iceland2k14/secp256k1Yes, I know, but I am asking for simple math for easy understanding.Please explain how LLL_nonce_leakage works, write simple math, or explain |
|
|
|
Added new information
d1=(k1*s1-z1)/r1
k1=(d1*r1+z1)/s1
r1=(k1*s1-z1)/d1
s1=(d1*r1+z1)/k1
z1=k1*s1-d1*r1
Any ideas if we have a signature another signature
d2=k1^(n-2)-1
k2=k1^(n-2)
r2=(k2*s2-z2)/d2
s2=(d2*r2+z2)/k2
z2=k2*s2-d2*r2
Added new information
d1=(k1*s1-z1)/r1
k1=(d1*r1+z1)/s1
r1=(k1*s1-z1)/d1
s1=(d1*r1+z1)/k1
z1=k1*s1-d1*r1
Any ideas if we have a signature another signature
d2=k1^(n-2)-1
k2=k1^(n-2)
r2=(k2*s2-z2)/d2
s2=(d2*r2+z2)/k2
z2=k2*s2-d2*r2
Where is the rsz value?? Give your RSZ value r=0x s=0x z=0x |
|
|
|
|
import olll
import random
import math
import secp256k1 as ice
G = ice.scalar_multiplication(1)
N = ice.N
# Secret key = x = (rns1 – r1sn)-1 (snm1 – s1mn – s1sn(k1 – kn))
# For most significant fix 128 bit leak at least 3 sig is required.
fix_bits = 128
out_file_name = 'pseudo_sig_rsz.txt'
kbits = 256 - fix_bits
#==============================================================================
def write_rsz_file(rr, ss, zz, pb):
with open(out_file_name, 'w') as f:
sz = len(rr)
for i in range(sz):
f.write('r = ' + hex(rr)[2:].zfill(64) + '\n')
f.write('s = ' + hex(ss)[2:].zfill(64) + '\n')
f.write('z = ' + hex(zz)[2:].zfill(64) + '\n')
f.write('pubkey = ' + pb.hex())
def modinv(v):
return pow(v, N-2, N)
def getx(Q):
return int(Q[1:33].hex(), 16)
def minimum_sigs_required(num_bits):
return math.ceil(1.03 * 4 / 3 * 256 / num_bits)
def identity_plus2(u, elem=1):
m=[[0 for x in range(u+2)] for y in range(u)]
for i in range(0,u):
m = elem
return m
#==============================================================================
n = 1 + minimum_sigs_required(fix_bits)
print(f'\n Fixed Nonce bits = {fix_bits} Minimum Signature Required = {n}')
# example secret = 0x7cf5d79d200207963474c64e64bde80ff4cb3e225b6ac5b6e958522fdab60578
secret = random.randint(1,N)
pub = ice.scalar_multiplication(secret)
print('###############################################################################')
print(f'secret: {hex(secret)}')
print(f'Pubkey: {pub.hex()}')
print('###############################################################################')
fixed_k_prefix = random.randrange(2**kbits, N)
#S = ((Z + (X * R)) / K) % N
z = [random.randrange(1, N) for i in range(n)]
nonces = [random.randrange(1, 2**kbits) + fixed_k_prefix for i in range(n)]
sigs_r = [getx(ice.scalar_multiplication(nonces)) for i in range(n)]
sigs_s = [( (z + secret * sigs_r) * modinv(nonces) )%N for i in range(n)]
sinv = [modinv(sigs_s) for i in range(n)]
write_rsz_file(sigs_r, sigs_s, z, pub)
###############################################################################
matrix = identity_plus2(n-1, N)
# Add last 2 rows
row, row2 = [], []
[zn, rn, sn] = [z[-1], sigs_r[-1], sigs_s[-1]]
rnsn_inv = rn * modinv(sn)
znsn_inv = zn * modinv(sn)
# 2nd to last row: [r1(s1^-1) - rn(sn^-1), ... , rn-1(sn-1^-1) - rn(sn^-1), 2^176/order, 0 ]
# last row: [m1(s1^-1) - mn(sn^-1), ... , mn-1(sn-1^-1) - mn(sn^-1), 0, 2^176]
for i in range(n-1):
row.append((sigs_r * modinv(sigs_s)) - rnsn_inv)
row2.append((z * modinv(sigs_s)) - znsn_inv)
# add last elements of last two rows, B = 2**(256-80) for yubikey
row.append((2**kbits) / N)
row.append(0)
row2.append(0)
row2.append(2**kbits)
matrix.append(row)
matrix.append(row2)
print(' Original Matrix')
print(matrix)
###############################################################################
new_matrix = olll.reduction(matrix, 0.75)
print('\n\n Reduced Matrix')
print(new_matrix)
for row in new_matrix:
potential_nonce_diff = row[0]
# print('k=', hex(potential_nonce_diff))
# modinv(r3 * s1 - r1 *s3) * (s3 * m1 - s1 * m3 - s1 * s3 *(k1 - k3))
potential_priv_key = (sn * z[0]) - (sigs_s[0] * zn) - (sigs_s[0] * sn * potential_nonce_diff)
potential_priv_key *= modinv((rn * sigs_s[0]) - (sigs_r[0] * sn))
potential_priv_key = potential_priv_key % N
# print('PK=', hex(potential_priv_key))
# check if we found private key by comparing its public key with actual public key
if ice.scalar_multiplication(potential_priv_key) == pub:
print('-'*75)
print(f' found private key = {hex(potential_priv_key)}')
print('-'*75)
I can't understand this Python code. Anyone write the Sagemath code?
LLL_nonce_leakage.py -->> simple Sagemath code
|
|
|
|
Running this on GPU will be mush faster,. Let me see if i can write a CUDA program for this.
in case you need the full code i had use in sagemath.
import random
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [0, 7])
G = E.point( (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8))
r=0x
s=0x
z=0x
def egcd(a, b):
if a == 0:
return (b, 0, 1)
else:
g, y, x = egcd(b % a, a)
return (g, x - (b // a) * y, y)
def modinv(a, m):
g, x, y = egcd(a, m)
if g != 1:
raise Exception('modular inverse does not exist')
else:
return x % m
def make_public(r,s,z):
R = E.lift_x(Integer(r))
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
#R=u1*G + u2*public_key
#pub= R*modinv(u2,n) - u1*modinv(u2,n)%n
u_n2=modinv(u2,n)%n
u_n1=- u1*modinv(u2,n)%n
pub=u_n1*G + u_n2*R
pub2=u_n1*G + u_n2*(-R)
return pub,pub2
def verify(r, s,z,public_key):
w = int(modinv(s, n))
u1 = int((z * w) % n)
u2 = int((r * w) % n)
D=u1*G + u2*public_key
x,y=D.xy()
x=int(x)
if (r % n) == (x % n):
print( "signature matches")
else:
print("invalid signature")
pub1,pub2=make_public(r,s,z)
print("public_key1",pub1)
print("pub1_x=",hex(pub1.xy()[0]))
print("public_key2",pub2)
print("pub2_x=",hex(pub2.xy()[0]))
verify(r,s,z,pub1)
verify(r,s,z,pub2)
print()
# Function to check if a point's x-coordinate matches r
def check_k(k):
P = k * G
return P.x() == r
# Iterate to find the correct k
for i in range(1, n):
k = (r * i + z) * modinv(s, n) % n
if check_k(k):
print(f"Found correct k: {k}")
private_key = (s * k - z) * modinv(r, n) % n
print(f"Private Key: {private_key}")
break
Thank you very mach for your code, mister @COBRAS @krashfire Please give me an example rsz if your code works correctly. sample rsz r=0x s=0x z=0x And, if 2 signatures match how long, it takes to K nonce editi got error, public_key1 (37231416379298332252575862495769965965364321245932635159006725536777825338696 : 9676366176353189190669004767334277632269117223198125569199055354600699161111 : 1) pub1_x= 0x52503c225437e35c61b9ee5ec88ea71600e7a710dbebac88b27c2d1a667ac548 public_key2 (84773528361026042599480815013664408603889872484555722313313932231857335756436 : 21504221066078790871098131651817310599861599747961732812418866800256292472755 : 1) pub2_x= 0xbb6c1de01f36618ae05f7c183c22dfa8797e779f39537752c27e2dc045b0e694 signature matches
signature matches--------------------------------------------------------------------------- AttributeError Traceback (most recent call last) Cell In [1], line 83 81 for i in range(Integer(1), n): 82 k = (r * i + z) * modinv(s, n) % n ---> 83 if check_k(k): 84 print(f"Found correct k: {k}") 85 private_key = (s * k - z) * modinv(r, n) % n Cell In [1], line 78, in check_k(k) 76 def check_k(k): 77 P = k * G ---> 78 return P.x() == r File /home/sc_serv/sage/src/sage/structure/element.pyx:489, in sage.structure.element.Element.__getattr__() 487 AttributeError: 'LeftZeroSemigroup_with_category.element_class' object has no attribute 'blah_blah'... 488 """ --> 489 return self.getattr_from_category(name) 490 491 cdef getattr_from_category(self, name) noexcept: File /home/sc_serv/sage/src/sage/structure/element.pyx:502, in sage.structure.element.Element.getattr_from_category() 500 else: 501 cls = P._abstract_element_class --> 502 return getattr_from_other_class(self, cls, name) 503 504 def __dir__(self): File /home/sc_serv/sage/src/sage/cpython/getattr.pyx:362, in sage.cpython.getattr.getattr_from_other_class() 360 dummy_error_message.cls = type(self) 361 dummy_error_message.name = name --> 362 raise AttributeError(dummy_error_message) 363 att |
|
|
|
Recently, I was quite surprised, when I saw that there are six different n-values, matching different b-values in secp256k1: +-----+---------------------------------------------------------------------+
| b | n |
+-----+---------------------------------------------------------------------+
| 0x1 | 0xfffffffffffffffffffffffffffffffe06f23032560e83e138ea6fc857fb4794 |
| 0x2 | 0x1000000000000000000000000000000014551231950b75fc4402da1712fc9b71f |
| 0x3 | 0xffffffffffffffffffffffffffffffff4c43534ba6c5e3a57918113a87c50283 |
| 0x4 | 0x100000000000000000000000000000000b3bcacb4593a1c5a86e7eec3783af5dd |
| 0x6 | 0x100000000000000000000000000000001f90dcfcda9f17c1ec7159035a804b0cc |
| 0x7 | 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 |
+-----+---------------------------------------------------------------------+ How come from this n value? Where do you get this n value? edit: What is the base value. Those 1to7 values come from N |
|
|
|
|
