 Show Posts
|
|
Pages: [1] 2 3 4 »
|
Hi This is my version if you have private key or may need to bf. def Get_Nonce_K_With_Private_Key(r,s,z,x):
if (x == 0 ):
return 0;
sinv = pow(s,N-2,N)
t1 = (x*r) % N
t2 = (z+t1) % N
myK = (sinv*t2) % N
if (myK == 0 ):
return 0;
if ((myK*G).x.num == r):
return myK
return 0
But you can always do R == K * G to find out if you really found valid K or not. Regards, |
|
|
|
|
@IdMineThat
Hello
My view is on puzzle 1000 BTC is creator is in this forum and watching.
It was started as puzzle 32 BTC from private key range 1 to 160 bit . as you know creator recharged unsolved puzzle to match current market price with another 872 BTC at 16-04-2023.
Rule is simple, use your coding skill solve math and take price. There is no risk of having such key and collecting price when its given as rewards.
Puzzle is specially designed for bit range 1 to 160 .
In normal world any secure platform wallet will provide you full 256 bit private key which is much more secure..
But if someone hacked/stolen/cheated for any BTC private key it must be considered illegal may face criminal charges depending on real private key owner country.
Puzzle also show reality that no one can yet break 160 bit of private key in Bitcoin.
|
|
|
|
|
Hello
My answer following.
1) 2009
2) satoshi
3) store value or currency
4) Ethereum ETH
5) public key can be public shown to any one as address to receive fund. private key is must keep in private to send fund,sign message etc.
6) any one who own 51% or more mining power, can make this attack on bitcoin for double spending for his own benefits.
7) double-spending is term used to define spending same value multiple time.
8 ) 04 march 2020 (i googled this i was not sure about date but i remember year 2020)
9 ) e₹
Happy Independence
Regards,
|
|
|
|
|
Hello
Its possible if you know K of that R Or if you know one of private key.
|
|
|
|
|
@zahid888
My opinion on this puzzle creation main purpose is only to see how secure bitcoin private key, if key are less than 256 bits. specially 160 bits or less.
Creator himself have lots of bitcoin to run & refill this challenge.
There is no relation with random numbers to each others so far i can find.
Each time any random number is created its use entry op for his startup then use that as starting point to encrypt next one.
Your last post about thiery of startup seed is not valid for my point of view, it may land same number on low bit due to not having big ranges on lower bits, but it will not help on 32 bit or higher.
So far only hope for this puzzle still relays on bruteforce,BSGS,lattice attack etc. still need tools like keyhunt or more ideas. Pools are good idea still no perfect way to divide range or split range with active users etc.
ps:i like to say thank you to creator only this way public can see bitcoin private key even 160 bit random is not possible to break, so 256 bit is impossible.
|
|
|
|
You can use pretty much any cipher. It's not restricted to ECB, CBC, or anything like that.
Hello It's not about restriction its about security & purpose of use. for example you can use most case aes-cbc-128 its simple and secure. but still there are case people use aes-ctr & aes-gcm Almost all AES(other then ECB mode) provide good security. There are also WhiteBox-AES CTR/CBC provide more security then standard. |
|
|
|
|
Hello
This is group of Rijndael family AES.
AES-ECB-128
AES-CBC-128
AES-CBC-256
AES-CTR-128
AES-CTR-256
AES-GCM-256
etc etc
You can use any coding language you know to this via openssl & other non depended on lib ways.
What your exactly requirement ? i can help on any cryptography related work.
|
|
|
|
|
Hello
In developers coding terms
M = message
H = Hashed message or hash
Z = bitcoin specific for double SHA2
K = nonce to randomize your sign output.
X = bitcoin specific for private key
|
|
|
|
can you share code?
dont forget pay to member 1200 sure, when it will be work, maybe i will pay more. previous was invalid data my fault sorry # transaction 1 & 2 first privkey
priv1= 74151126465914553719682701372546590912032713247110001383204298192577238294259
nonce1= 113430668354305125354139681412571553637810109882549088741100884487402919060793
r1= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s1= 36665125934301679295764426496089959157670212057714313825462899262019004181013
z1= 45063904364969322573281122086971579379876583577391310824950725157431863085693
nonce2= 88941376982568942091029320764989550225390065895384871037015643141890275775717
r2= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s3= 115535488843869076151238217034945605348288249901213567246114164482038361011381
z3= 70890957235815785946608014568730757332857823983374044998781188028671033610413
# 2 -transaction 3 & 4 - second privkey
priv2= 65602009300807068992382438511465994464148703102269145684254988072233619429415
nonce1= 113430668354305125354139681412571553637810109882549088741100884487402919060793
r1= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s2= 38201930909181021929363545653126029092310200493193739546604231428387022946196
z2= 96925863066810859394685400246217607442326685412593308871569663983290139782035
nonce2= 88941376982568942091029320764989550225390065895384871037015643141890275775717
r2= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s4= 66755642063685386713485274914216908026179826727440247880714653645256904375187
z4= 618391849825900336304504678084876520197902749480544893171844571313024934814
normal calculate not work, modulo 0 any one help? Hello K1 fac77baf5d1dd051987bf8335065d59d14bd41fe778340f0ef1482457b7c6539
K2 c4a309118b2505dad8df1d6053573bab6b4629fc0bf296d19fe2847ec90b94e5
Signature r1=522ea268a7952d5ccd5a5bf37fc8327a7f70ed323c1e1627449592bf3d652b26, s1=5da53ccaaf8cc2926c3e6d0a5cdf93a3f3aa4f9da7b2839101c78c57cc71c4b2
Signature r1_1=522ea268a7952d5ccd5a5bf37fc8327a7f70ed323c1e1627449592bf3d652b26, s2=547586d2f6f6af809ed061a3619e51f480e976a7637fc09fa91db5f7fba1bf94
Signature r2=5a9682047a7b6437075db7961a67b66b0f829d8947f2fde62dcb9cfd872cc614, s3=341b2787dc687cf04a1ae278a4a6384dd7c7480e5d4e5eb807a984f7158653fb
Signature r2_1=5a9682047a7b6437075db7961a67b66b0f829d8947f2fde62dcb9cfd872cc614, s4=93965abd5b6ac399cd51dd5cbb800574a43bec69e56664148dc155c8dccf7b93
Private key (x1): a3f00cdfad7e7785444f2f3c5ec9386fa218a5b457c4291bee66bbba37025ef4
Private recovered (x1): a3f00cdfad7e7785444f2f3c5ec9386fa218a5b457c4291bee66bbba37025ef4
Private1 Matched ?: True
Private key (x2): 91096be3f5c726814b64cf26449f401417c73e648d16e1f45bd02d0883081827
Private recovered (x2): 91096be3f5c726814b64cf26449f401417c73e648d16e1f45bd02d0883081827
Private2 Matched ?: True
There is some relation with odd/even i guess, if i add + 1 in private key 1 i am able to get results else inverse is zero.. So may be your tweaked data need to change some odd/even formula for h4 or may need to bigger number. |
|
|
|
Hello Here is code its same as link you posted nothing special. #!/usr/bin/env python3
import ecdsa
import random
import libnum
import hashlib
import sys
G = ecdsa.SECP256k1.generator
order = G.order()
priv1 = 74151126465914553719682701372546590912032713247110001383204298192577238294259 #random.randrange(1,order)
Public_key = ecdsa.ecdsa.Public_key(G, G * priv1)
x1 = ecdsa.ecdsa.Private_key(Public_key, priv1)
priv2 = 65602009300807068992382438511465994464148703102269145684254988072233619429415 #random.randrange(1,order)
Public_key2 = ecdsa.ecdsa.Public_key(G, G * priv2)
x2 = ecdsa.ecdsa.Private_key(Public_key2, priv2)
k1 = 113430668354305125354139681412571553637810109882549088741100884487402919060793 #random.randrange(1, order)
k2 = 88941376982568942091029320764989550225390065895384871037015643141890275775717 #random.randrange(1, order)
h1 = 45063904364969322573281122086971579379876583577391310824950725157431863085693 #int(hashlib.sha256(msg1.encode()).hexdigest(),base=16)
h2 = 96925863066810859394685400246217607442326685412593308871569663983290139782035 #int(hashlib.sha256(msg2.encode()).hexdigest(),base=16)
h3 = 70890957235815785946608014568730757332857823983374044998781188028671033610413 #int(hashlib.sha256(msg3.encode()).hexdigest(),base=16)
h4 = 88400657509035765824159536685234267382896518494653799783594906135509259195161 #int(hashlib.sha256(msg4.encode()).hexdigest(),base=16)
x1sig1 = x1.sign(h1, k1)
x1sig2 = x1.sign(h3, k2)
r1,s1 = x1sig1.r,x1sig1.s
r2,s3 = x1sig2.r,x1sig2.s
#r1,s1 = 37172049453198803628923372374682424137153412099188977901809252086397375163174,36665125934301679295764426496089959157670212057714313825462899262019004181013 #x1sig1.r,x1sig1.s
#r2,s3 = 40974080779974461932858835766108658066940207003253964846620894290420102383124,88414683103569280491867470526894992004240909646745888824999991880846576153983 #x1sig2.r,x1sig2.s
#r1_1,s2 = 37172049453198803628923372374682424137153412099188977901809252086397375163174,48387795993880540164497955151292140905876432678370698441361372722465054520609 #x2sig1.r,x2sig1.s
#r2_1,s4 = 40974080779974461932858835766108658066940207003253964846620894290420102383124,94479523762013111191490500533227932711756342618388816229238677867942525385058 #x2sig2.r,x2sig2.s
x2sig1 = x2.sign(h2, k1)
x2sig2 = x2.sign(h4, k2)
r1_1,s2 = x2sig1.r,x2sig1.s
r2_1,s4 = x2sig2.r,x2sig2.s
print("valinv " + hex(r1*r2*(s1*s4-s2*s3)% order ))
print (f"Signature r1={r1}, s1={s1}")
print (f"Signature r1_1={r1_1}, s2={s2}")
print (f"Signature r2={r2}, s3={s3}")
print (f"Signature r2_1={r2_1}, s4={s4}")
valinv = libnum.invmod( r1*r2*(s1*s4-s2*s3),order)
x1rec = ((h1*r2*s2*s3-h2*r2*s1*s3-h3*r1*s1*s4+h4*r1*s1*s3 ) * valinv) % order
x2rec = ((h1*r2*s2*s4-h2*r2*s1*s4-h3*r1*s2*s4+h4*r1*s2*s3 ) * valinv) % order
print ("\nPrivate key (x1):",hex(priv1)[2:])
print ("\nPrivate recovered (x1): ",hex(x1rec)[2:])
print ("\nPrivate1 Matched ?: ",priv1 ==x1rec)
print ("\nPrivate key (x2):",hex(priv2)[2:])
print ("\nPrivate recovered (x2):",hex(x2rec)[2:])
print ("\nPrivate2 Matched ?: ",priv2 ==x2rec)
|
|
|
|
@ecdsa123 Hello You have invalid data.. By using your private keys and nonce and hash data as Z, i get diff results and recovery work fine. valinv 0xeb9e061fe21f308537cde4b70c98d4d0f819630c4efe968cd9171765c4d4c96
Signature r1=37172049453198803628923372374682424137153412099188977901809252086397375163174, s1=36665125934301679295764426496089959157670212057714313825462899262019004181013
Signature r1_1=37172049453198803628923372374682424137153412099188977901809252086397375163174, s2=38201930909181021929363545653126029092310200493193739546604231428387022946196
Signature r2=40974080779974461932858835766108658066940207003253964846620894290420102383124, s3=115535488843869076151238217034945605348288249901213567246114164482038361011381
Signature r2_1=40974080779974461932858835766108658066940207003253964846620894290420102383124, s4=94479523762013111191490500533227932711756342618388816229238677867942525385058
Private key (x1): a3f00cdfad7e7785444f2f3c5ec9386fa218a5b457c4291bee66bbba37025ef3
Private recovered (x1): a3f00cdfad7e7785444f2f3c5ec9386fa218a5b457c4291bee66bbba37025ef3
Private1 Matched ?: True
Private key (x2): 91096be3f5c726814b64cf26449f401417c73e648d16e1f45bd02d0883081827
Private recovered (x2): 91096be3f5c726814b64cf26449f401417c73e648d16e1f45bd02d0883081827
Private2 Matched ?: True
|
|
|
|
|
@ecdsa123
Hello
If you have 2 R(K*G) for 1 private key it's easy to crack K. Z should not be 0 or 1.
if you found your known R in any public transaction you can crack his private key because you know value of R.
Link you posted is already using private key 1 then same nonce(K) with 2 transaction which make it weak and easily to recover K. algo (k = (m1-m2)/(s1-s2) ) once you have K you can recover X(Private key it self)
|
|
|
|
|
@GiladLeef
Hello
In case anyone bruteforce 64bit wallet or public key, he may use BSGS algo, it's sufficient up to 10 bytes 80bits full range.
For you example if you don't had private key of this you may start bruteforce with starting point 0x01ffffffffffffff to 0xffffffffffffffff to match public key or his half point still result time near to same if used random instead of liner attack. liner may be fast but no one use liner due to random bruteforce is most recommend. (0x2000000000000000 or 0x1000000000000000 i mean.)
Also half point not useful on 256 bit key or near to him because it will always give you same bit range as half.
|
|
|
|
|
@GiladLeef
This been discuss here before if i remember correctly .
0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a1 is just (order_N //2 + 1 )
This don't help on bruteforce for example your private key is still in 64bit and your half part is still in 64bit. also test with odd number you will see negative results.
|
|
|
|
1) What's "KP nonce". Did you mean "K nonce"? 2) What are you trying to accomplish? How can I modify this so I can recreate a 100 signatures with the same public key with k nonce known. Correct me if I'm wrong: Given d the private key, and k the random number that is used, you want to create signatures with different s values. As far as I can see from the code, there's only a variable d, so it's impossible (by altering only that part of the code). Hi... This is the full code
import argparse
import random
import json
import ecdsa_lib
def generates_signatures(number_sigs, message, kbits, data_type, curve):
print("Preparing Data")
d_key = random.randrange(ecdsa_lib.curve_n(curve))
print("Private key to be found (as demo) :")
print(hex(d_key))
sigs = []
sz_curve = ecdsa_lib.curve_size(curve)
kbi = int(2 ** kbits)
print(f"Generating {number_sigs} signatures with curve {curve.upper()}")
print(f" leaking {kbits} bits for k ({data_type}) ...")
if message is not None:
msg = message.encode("utf8")
# Always hash message provided with SHA2-256, whatever
hash_int = ecdsa_lib.sha2_int(msg)
for _ in range(number_sigs):
if message is None:
# Use a random different message for each signature
# Note : there is no associated message from the hash
# Do not ever that in practice, this is insecure, only here for demo
hash_int = random.randrange(ecdsa_lib.curve_n(curve))
# Compute signatures with k (nonce), r, s
sig_info = ecdsa_lib.ecdsa_sign_kout(hash_int, d_key, curve)
# pack and save data as : r, s, k%(2^bits) (partial k : "kp")
sigs.append(
{
"r": sig_info[0],
"s": sig_info[1],
"kp": sig_info[2] % kbi
if data_type == "LSB"
else sig_info[2] >> (sz_curve - kbits),
}
)
if message is None:
sigs[-1]["hash"] = hash_int
ret = {
"curve": curve.upper(),
"public_key": ecdsa_lib.privkey_to_pubkey(d_key, curve),
"known_type": data_type,
"known_bits": kbits,
"signatures": sigs,
}
if message is not None:
ret["message"] = list(msg)
return ret
if __name__ == "__main__":
parser = argparse.ArgumentParser(
description="Generate random demo data for ECDSA attack."
)
parser.add_argument(
"-f",
default="data.json",
help="File name output",
metavar="fileout",
)
parser.add_argument(
"-m",
help="Message string",
metavar="msg",
)
parser.add_argument(
"-c", default="secp256k1", help="Elliptic curve name", metavar="curve"
)
parser.add_argument(
"-b",
default=6,
type=int,
help="Number of known bits (at least 4)",
metavar="nbits",
)
parser.add_argument(
"-t", default="LSB", help="bits type : MSB or LSB", metavar="type"
)
parser.add_argument(
"-n",
default=1000,
type=int,
help="Number of signatures to generate",
metavar="num",
)
arg = parser.parse_args()
sigs_data = generates_signatures(arg.n, arg.m, arg.b, arg.t, arg.c)
with open(arg.f, "w") as fout:
json.dump(sigs_data, fout)
print(f"File {arg.f} written with all data.")
] I need to recreate a lattice attack scenario against my own wallet. Hence I need to create at least 100 signatures for the attack. Hello I don't know what so hard on this. You just need to replace this line d_key = random.randrange(ecdsa_lib.curve_n(curve)) with your own key for example d_key = 0x1000 this will generate your private key if its(0x1000 in hex) 1000 sign because default generation. In case you want to customize K_nonce not private key it self(D_key) you have to specify it while using at this line sig_info = ecdsa_lib.ecdsa_sign_kout(hash_int, d_key, curve) change to sig_info = ecdsa_lib.ecdsa_sign_kout(hash_int, d_key, curve,0x2222222222) 0x2222222222 is K_nonce this is just example. |
|
|
|
@ecdsa123 You did not understand question still please read again. If you want example from my testing here is it. private Key 1000
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=df051cdb85ce3de01852a88716b3a03af61b82b23fb238be2b78fafe49fbe083
Z=4a3833b105b518411570325efce62626fc35078da1549d77a0140a60b3cac119
Because i know private key is 1000 i can recover K with algo
k = (m+x*r)/s
so K = 803d9488926a7c55f372066146329e0c390e5d5f170f27cd1bcf8b05b4c97f6
Unknown private key
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=f9ba1fe4400435a9f7fcadafe66a46a5dcfa4e6952f5dca25da1f21b5eaf71dd
Z=f57bc228876209fe510b5b25d0db373cb387612e57b135fd06e15560b53a1ca2
As same R i already know K i can recover private key of unknown one.
x = (s*k-m)/r
so X = 25d5a5f313a692270e6c8a8f6e3265f1c337b4297e671e89a0c045e6e232bf15
for better understanding use this. https://github.com/nlitsme/bitcoinexplainer |
|
|
|
@ecdsa123 hello May be you did not read full message of him? Here he confirmed about privatekey for 1 address. the problem is that i can recover only privatekey of 1 address
Here he ask help about privatekey for 2 address. i have need of recover privatekey address 2
what is correct formula for recover the privatekey of address 1 and address 2 that have same R used in 2 different address?
thanks for your help
Give me 2 pair of R,S,Z with both have same R let me show you second pair is recovered or not. I don't know what make you think my answer is wrong its not. |
|
|
|
|
@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.
My answer is correct & i already tested before posting.
|
|
|
|
|
