Bitcoin Forum
July 04, 2025, 12:47:06 AM
Topic: Reused Nonce r Between Different Private Keys – Possible MT19937 Issue (Read 140 times)

peakyclin77 (OP)
Newbie, Activity: 24, Merit: 0
April 09, 2025, 01:12:06 AM
#1

I’ve identified a case involving multiple Bitcoin P2PKH transactions where the same ECDSA nonce r is reused across different private keys. The addresses are mathematically related, and the total funds involved are around 4 BTC.

We know that when the same nonce k is reused across signatures with different keys, we get two equations with three unknowns (k, d1, d2). This usually isn’t enough to recover any private key.

However, I’ve been investigating how k might have been generated. My analysis points to a cloned virtual environment using MT19937 (Mersenne Twister), likely with the same seed reused to generate multiple private keys or nonces across transactions.

This could explain how the same r appears in signatures from different keys. As MT19937 is not suitable for cryptographic use, predictable nonces may be involved.

Questions:

Has anyone seen a similar case involving MT19937 and nonce/key reuse?

Any known attacks or tools to reverse-engineer k or the seed from reused r values?

Is there any way to exploit this pattern to recover private keys?
nc50lc
Legendary, Activity: 2828, Merit: 7352
Self-proclaimed Genius
April 09, 2025, 07:56:48 AM
Last edit: April 09, 2025, 11:39:55 AM by nc50lc
#2

> The addresses are mathematically related, and the total funds involved are around 4 BTC.

I'm just curious: please explain how the addresses are mathematically related.
If those are common P2PKH addresses, they are just the encoded "HASH160" of the public key.

BTW, there are a lot of old and new topics here that discuss unrelated transactions with matching R values.
Most of the legit ones are implementation bugs from old wallets, or old versions of wallets that are still available today.
Check the advanced Forum Search function (/index.php?action=search) to see if the related addresses have already been discussed before.

ABCbits
Legendary, Activity: 3290, Merit: 8876
April 09, 2025, 09:03:59 AM
Merited by vapourminer (4), pooya87 (4)
#3

> Has anyone seen a similar case involving MT19937 and nonce/key reuse?

The full disclosure of the Milk Sad vulnerability mentions MT19937 being used by older versions of the bx binary:

> We follow the call path:
> pseudo_random::fill(data_chunk& out) -> pseudo_random::next() -> pseudo_random::next(uint8_t begin, uint8_t end) -> std::mt19937& pseudo_random::get_twister()
>
> Wait a moment. mt19937, twister - this uses the Mersenne Twister PRNG? 🤔
> At this point, the first alarm bells are going off. Mersenne Twister is not a CSPRNG, so it shouldn't be in any code path that generates secrets. One alarming property of the Mersenne Twister is that its internal state can be reversed by an attacker who knows a few hundred outputs, endangering the secrecy of the other outputs of the same stream that the attacker doesn't know (in simplified terms).
