Bitcoin Forum
June 25, 2024, 06:39:47 PM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: R,S,Z , K nonce and public key Signature samples  (Read 124 times)
krashfire (OP)
Member
**
Offline Offline

Activity: 119
Merit: 11

Life aint interesting without any cuts and bruises


View Profile
June 22, 2024, 11:47:33 AM
 #1

Saw some comments of users looking for R,S,Z Signatures and public key sample for research purposes.

So i created a script where you can have a little more details than you need. Its a simple script so you can do your various research that you wish on ECDSA Secp256k1 signatures.

you can download it here. https://github.com/KrashKrash/ecdsa-rsz-signature

Code:

=== ECDSA Signature Details ===

BTC Address: 1JvF4Bn4yF6GThYEA7pfhp3j8Xb6wu2t8D
Private Key: edb01804beb2e95898648ae87f1fa072d53b3b6f4564e092065bac907f063b9d

Signature (r, s, z):
  r: 634e6e5d85360927c64d66bdd616dc58ac6b72cd22fac01c544236b63734ad35
  s: 7fe9088b3849cddb82f38ef9244a06c413addb38031ee01a38e675ff28579d8a
  z: 6ad532092bb3f4ee012e61df35c95efc7d9e9fa5653c371bc843fa4b3627f01f
  k (nonce): 695e5e4c01e8ac9d77b7ecdd9881d50bb397ff7e54e082240a19b714c4de7ef8
PubKey: 034f966cdcc502d17876270349736f6a20f13edb5eccb5a92d1c702a0e059a9ba9

Signature Verification: Valid



just a little more info for you who are just starting out to do the research, some call it z, some call it message(hash) some just call it h. but it means the same thing.

message or m  = the original message
H(m) or h or z = the hash of the message
H(m), h or z depending on who you talk to, is the hash of the message. same meaning.

I just want to have this information out here so you don't waste your time thinking what is h and what is z. Good luck on your research.

KRASH
Kpot87
Jr. Member
*
Offline Offline

Activity: 40
Merit: 1


View Profile
June 22, 2024, 05:50:33 PM
 #2

Offtop, how if your twist attack?
krashfire (OP)
Member
**
Offline Offline

Activity: 119
Merit: 11

Life aint interesting without any cuts and bruises


View Profile
June 23, 2024, 01:29:59 AM
 #3

Offtop, how if your twist attack?
thats done. awhile ago.

KRASH
jacky19790729
Jr. Member
*
Offline Offline

Activity: 67
Merit: 8


View Profile
June 24, 2024, 10:21:41 AM
Last edit: Today at 03:47:30 PM by jacky19790729
 #4

I have been learning about ECDSA ( r s z, public key ,private key ) for about 2 months

# 130 Although only 1  rsz  is  known , but 1000 rsz can be produced using the public key,  the nonce K value will be 240~256 bits

50% - nonce is 256 bit
25% - nonce is 254 bit
25% - nonce is 253~240 bit

However, more than 64 rsz must be leaked at the same time to leak more than 12 bits to use  lattice-attack

# 130  Public Key ( Fix  2024/06/25 )
0x633cbe3ec02b9401c5effa144c5b4d22f87940259634858fc7e59b1c09937852, 0xb078a17cc1558a9a4fa0b406f194c9a2b71d9a61424b533ceefe27408b3191e3

Address:    1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua

I create some rsz as #130 , these are address  "1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua"  and the public keys are #130 public key
 
Code:
# 130   rsz  1
r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8
s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e
z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9

# 130   rsz  2
r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822
s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a
z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2

# 130   rsz  3
r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0
s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850
z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e

# 130   rsz  4
r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca
s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9
z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632

# 130   rsz  5
r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9
s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d
z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04

....
....
....


krashfire (OP)
Member
**
Offline Offline

Activity: 119
Merit: 11

Life aint interesting without any cuts and bruises


View Profile
Today at 06:11:27 AM
 #5

I have been learning about ECDSA ( r s z, public key ,private key ) for about 2 months

# 130 Although only one rsz  is  know , but 1000 rsz can be produced using the public key,  the nonce K value will be 240~256 bits

50% - nonce is 256 bit
25% - nonce is 254 bit
25% - nonce is 253~240 bit

However, more than 64 rsz must be leaked at the same time to leak more than 12 bits to use  lattice-attack

# 130  Public Key
0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70

create #130 rsz   
Code:
# 130   rsz  1
r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8
s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e
z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9

# 130   rsz  2
r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822
s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a
z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2

# 130   rsz  3
r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0
s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850
z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e

# 130   rsz  4
r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca
s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9
z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632

# 130   rsz  5
r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9
s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d
z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04

....
....
....




would you mind sharing your code on how you leak the RSZ and how you create more sample for the given public key. thank you

KRASH
jacky19790729
Jr. Member
*
Offline Offline

Activity: 67
Merit: 8


View Profile
Today at 07:48:48 AM
Last edit: Today at 08:02:55 AM by jacky19790729
 #6

would you mind sharing your code on how you leak the RSZ and how you create more sample for the given public key. thank you


https://bitcointalk.org/index.php?topic=5394249.100

read it ....... garlonicon share his source code
Even if I have 100,000 puzzle #130 r , s, z
I still can't use lattice-attack crack ....Because the generated rsz and k values ​​are unknown....
I used my private key and public key to see nonce  K value ...

From the probability, more than 50% is a 256-bit nonce K value ~~ It must be 252 bit or less bit ......
Unless you can know from these 100,000 rsz which nonce k bits are less than 252 bit , and select 88 group for lattice attack...
This probability is lower than guessing any Bitcoin private key   Cry Cry

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

if N <= 252 bit , we can use  #130 public key to produce 70 ~ 100  fake rsz ,  and  ECDSA  will broken ~~~ Now, ECDSA is still safe

JohnnyTX
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
Today at 02:15:25 PM
 #7

Hi there!
It looks like you all are crazy for nonces and signatures, so I have some special values for you  Wink

Code:
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x24c8a42e8fe11d670633fa66ebedb1672c71a517a30cbbaa9e14f2d5a15a3783
z=SHA256('This is test 1.')
PubKey=0x3e42b3151f310f5f417f11b4c32d8360b22109dcc6432339243332b56cd596de, 0x7903116327cab6891b810588e4c909273c7eb013aea2162fa63afa1f11562b3a

r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x768a0e3b0cfb3c8d9b7899f59f480555176ef25eefa1e96d3ac575ba4ffe85fd
z=SHA256('This is test 2.')
PubKey=0xc79fa242694e3148c8d50e667010e0c221f6004d108692c5040ff139595ed081, 0x525bd76c21c8e2d45725a378c973a646d5971acd8f240322e5f1fdf0ed4f8589

r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0xd17c5ed9fb37692cd152f381c4a3f16a896f96d26100310fe818d6963c402b25
z=SHA256('This is test 3.')
PubKey=0xc03657988e2baf31a1a1061a87fa3da20f166dc8a22c02658f6d325dec722d84, 0x97ffbac6bec2de2b8d9f9bcaeced8e56abdd0b3996b48153cf0a1a92dc2d5529

Btw. I think that those who do serious research of this topic do not need your script, but all contributions are welcome, of course.
jacky19790729
Jr. Member
*
Offline Offline

Activity: 67
Merit: 8


View Profile
Today at 04:01:32 PM
 #8

Hi there!
It looks like you all are crazy for nonces and signatures, so I have some special values for you  Wink
Btw. I think that those who do serious research of this topic do not need your script, but all contributions are welcome, of course.

the same r value , we can recovery private key ........

but we are interested in recovering the private key of #puzzle 130 from a large set of r s z and public key ...

But we need to know the bits of  k , from every set of r s z .........

if anyone can know the bits of k from every r s z and public key  ,  all bitcoin address that leaks the public key can recovery private key

Of course, currently only 252 bit k can be recovery by the lattice attack.

https://githubhelp.com/bitlogik/lattice-attack/issues/2 
The authors of the lattice-attack mentioned that they were also unable to crack more than k > 252 bits~~~

For the topic "down to 2 bits", note that we never found a private key using our LatticeAttack software below 4 know bits, hence the restriction put in place that prevent the user to run it with lower than 4 bits. But we never performed long running time. Using higher RECOVERY_SEQUENCE "effort" block size, combined with a loop "-l" can be a way to recover key with 3 or even 2 bits. That would just require long running times (several hours), and no guarantee of result.

JohnnyTX
Newbie
*
Offline Offline

Activity: 2
Merit: 0


View Profile
Today at 05:55:44 PM
 #9

the same r value , we can recovery private key ........
These are not as easy as you may think.

but we are interested in recovering the private key of #puzzle 130 from a large set of r s z and public key ...

But we need to know the bits of  k , from every set of r s z .........

Well, then I have two more for you, but this public key doesn't point to the puzzle #130 it seems...
# Public Key
0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70

Code:
# rsz 1
r=0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410
s=0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808
z=0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b

# rsz 2
r=0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2
s=0xe14e5906641085412561a083c002b76d6ac5a54372a9c811edc9e3b86b2dde11
z=0x1b636df9eef267995d6918047ba3bafca25f693a47ff73c7c0d500cd4aa9783a
With k2 = k1 + 1.

Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!