COBRAS
Member
Offline
Activity: 850
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
|
|
May 22, 2022, 07:27:51 PM Last edit: May 24, 2022, 11:28:14 AM by mprep |
|
First, we look at signatures: s=(z+rd)/k sk=z+rd sk-z=rd (sk-z)/r=d (s/r)k-(z/r)=d (z/r)+d=(s/r)k k=((z/r)+d)*(r/s) Then, things are quite simple: But we can do more than that: z/r=120_bit_number_v1 r/s=120_bit_number_v2 k=(120_bit_number_v1+d)*120_bit_number_v2 If "d" is our 120_bit_privkey, then first we add another 120_bit number to that (we can use 119-bit numbers to be 100% sure). Then, we have 121-bit number at most, it cannot be bigger. And if we multiply that by another 119-bit number (just to be sure), then we will have 121+119=240 bits in our result. It cannot be bigger than that, because if you multiply M-bit number by N-bit number, then the result has at most M+N bits. So, in this way I can be absolutely sure that if "d" is a 120-bit number, then "k" is a 240-bit number. In the same way, it is possible to generate many signatures with many different N-bit values. But it is still not enough to use that in a lattice attack, because it needs some randomness in the right places, so something else is also needed to make it. Edit: show your code def generates_signatures(curve): puzzle120=int("00000000000000000000000000000000007fffffffffffffffffffffffffffff",16) #119-bit to be 100% sure to not fall into 241-bit range known_bits=16 n_value=ecdsa_lib.curve_n(curve) Q_point=[93499419120076195219278579763555015417347613618260420189054155605804414805552,19494200143356336257404688340550956357466777176798681646526975620299854296492] sigs = [] for index in range(100): binaryIndex=(index*2).to_bytes(32,'big') binaryIndex2=(index*2+1).to_bytes(32,'big') hashedIndex=ecdsa_lib.sha2_int(binaryIndex) hashedIndex2=ecdsa_lib.sha2_int(binaryIndex2) z_value_with_r=(hashedIndex%puzzle120) added_point=ecdsa_lib.privkey_to_pubkey(z_value_with_r,curve) final_point=add_point(Q_point[0],Q_point[1],added_point[0],added_point[1]) r_value_with_s=(hashedIndex2%puzzle120) R_point=multiply_point(final_point[0],final_point[1],r_value_with_s) r_value=R_point[0] s_value_with_r=ecdsa_lib.inverse_mod(r_value_with_s,n_value) s_value=(s_value_with_r*r_value)%n_value z_value=(z_value_with_r*r_value)%n_value sigs.append( { "r": r_value, "s": s_value, "kp": 0, "hash": z_value } ) ret = { "curve": curve.upper(), "public_key": Q_point, "known_type": "MSB", "known_bits": known_bits, "signatures": sigs, } return ret can we add to sighnatures 121 bit what starts with 000000 ? this will.make lsb from our sighs ? if we thant divede is more easy, I try this method on publick key. For removing trandfer from + area to - area, is more good start with pubkey * -1, this will transfer pubkey priv range from -1 to -1-rage, result will belarge than -1, and range will be simple without start from 1 to N,, -N to -F, and will be -N to -F...
this is puzzle 100 privkey ./md 0xaf55fc59c335c8ec67ed24826 - 0xfffffffffffffffffffffffff Result: fffffffffffffffffffffffffffffffebaaedce1a4a865d7f32eed534f088968 then subsract too mach, tlrange will be shifted to negative area, and nothin will be found in positivevsearch range but then start from negative area result will be maybe negative too ./md 0xfffffffffffffffffffffffffffffffebaaedcdbb9e8da9f8c75cfc65163f91b + 0xffffffffffffffffffffffff Result: fffffffffffffffffffffffffffffffebaaedcdcb9e8da9f8c75cfc65163f91a so search in negative area is more good I think. but found how many need substeact is not solved me. then subsract too mach privkey if publey start accumulate more bits, not substract. ps maybe this info will be helpfull
[code]I have rewrite code for sagemath
from hashlib import sha256
import struct
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f a = 0 b = 7 G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8) n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [a, b]) G = E(G)
def bytes_to_long(s): """bytes_to_long(strinng) : long Convert a byte string to a long integer. This is (essentially) the inverse of long_to_bytes(). """ acc = 0L unpack = struct.unpack length = len(s) if length % 4: extra = (4 - length % 4) s = b('\000') * extra + s length = length + extra for i in range(0, length, 4): acc = (acc << 32) + unpack('>I', s[i:i+4])[0] return acc def H(m): h = sha256() h.update(m) return bytes_to_long(h.digest()) def egcd(a, b): "Euclidean greatest common divisor" if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y)
def modinv(a, m): "Modular inverse" # in Python 3.8 you can simply return pow(a,-1,m) g, x, y = egcd(a, m) if g != 1: raise Exception('modular inverse does not exist') else: return x % m def verify(pub,r, s, m): v1 = m*modinv(s, n) % n v2 = r*modinv(s, n) % n V = v1*G + v2*pub x,y=V.xy() return int(x) % n == r,hex(int(v1)),hex(int(v2)) def calc_k(num,r,s,z): k=(r*num + z)*modinv(s,n)%n return k,n-k sign=[] ge=[]
def calc_x(a,b,r,s,z): #x1 = (z1 -b)*modinv(a*s1-r1,n)%n x_a =(z -b)%n x_b=(a*s-r)%n if x_b != 0: return (x_a*modinv(x_b,n)%n)%n return 0 def generates_signatures(): puzzle120=16 n_value=n sigs = [] private=50 Qp=private*G for index in range(130): print("---- index",index) binaryIndex=int((index*3)).to_bytes(32,'big') binaryIndex2=int((index*2+1)).to_bytes(32,'big') hashedIndex=H(binaryIndex) hashedIndex2=H(binaryIndex2) z_value_with_r=(hashedIndex%puzzle120) added_point= int(z_value_with_r)*G final_point=Qp+added_point r_value_with_s=(hashedIndex2%puzzle120) print(r_value_with_s) if r_value_with_s!=0: R_point=final_point*int(r_value_with_s) x,y=R_point.xy() r_value=int(x) s_value_with_r=int(modinv(r_value_with_s,n)%n) s_value=int((s_value_with_r*r_value)%n) z_value=((z_value_with_r*r_value)%n) print("r", r_value) print("s", s_value) print("hash", z_value) k,k1=calc_k(private,r_value,s_value,z_value) print("k",k,k1) print("k",hex(k),hex(k1)) print(verify(Qp,r_value,s_value,z_value)) wy,b,a=verify(Qp,r_value,s_value,z_value) x=calc_x(int(a,16),int(b,16),int(r_value),int(s_value),int(z_value)) print("x",x) k,k1=calc_k(x,r_value,s_value,z_value) print("k",k,k1) print("k",hex(k),hex(k1)) t=tuple([r_value,s_value,z_value]) if t not in sign: sign.append(t) for le in range(0,1000): k2=(k*2**le)%n ge.append(int(k2)) ge.append(int(n-k2)) generates_signatures()
here is part of output: ---- index 18 9 r 63933145574282734898435981717146773918756897333098319278256437952015461322467 s 97164196692832900318159208530884680987624427476291405550721397771404732420314 hash 0 k 450 115792089237316195423570985008687907852837564279074904382605163141518161493887 k 0x1c2 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f (True, '0x0', '0x9') x 0 so according above: private key = 50 k= 450 how the nonce k is calculated from pubkey (private key) simple: a*d + b = k nonce here a=9 and b = 0 so 9* 50 + 0 = 450 confirm : (True, '0x0', '0x9') it is generator it is useless. [/code] ./md 450 x -1 Result: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f = 115792089237316195423570985008687907852837564279074904382605163141518161493887 this is inversion of 450 you thant say what this is real nonce ? I think generator must be for ex y = X^400, x is a generator. . Br
Cobras: ./md 450 x -1 Result: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f = 115792089237316195423570985008687907852837564279074904382605163141518161493887 this is inversion of 450 this value 115792089237316195423570985008687907852837564279074904382605163141518161493887 = n-450 so d*(-1)%n = n-d but according Garlonicon Generator ( yes, it is master math deduction Bravo for Garlonicon), we can use it: becouse: ---- index 18 37929 r 106052440004676334409650332163651951923042923173423795888106072423870533309482 s 86487388237072824922585675463188678676341543446573502861944943782026730667995 hash 110763458801388154151046907647238024857062280457110140174709389756661623888001 k 1495388754 115792089237316195423570985008687907852837564279074904382605163141516666105583 k 0x5921d252 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8c77146eef (True, '0x5904e250', '0x9429') x 0 k 1493492304 115792089237316195423570985008687907852837564279074904382605163141516668002033 k 0x5904e250 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8c77315ef1 ---- index 19 21317 r 18103990796095223393229492283858137777181144560247153354193996653271708547693 s 71995424062587838315307175718789388226264777318544777869325093881612562000023 hash 74553635558632807494232092124236529938587320104480240499961671012084809061673 k 139541082 115792089237316195423570985008687907852837564279074904382605163141518021953255 k 0x8513a5a 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cc7e506e7 (True, '0x840f6e0', '0x5345') x 0 k 138475232 115792089237316195423570985008687907852837564279074904382605163141518023019105 k 0x840f6e0 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cc7f54a61 we know a part of k for any transaction(index) see Index 19: real k in transaction : k 139541082but we know to real part as bits from this k : k 138475232we can try use Lcd algorithm. Tomorrow I will try check. ok, waiting result with big interest ps 139541082 13 is 2 bytes, so 16 bits, this is enoth for finding priv... for all other transaction we have 2 bytes 2 ) try please find 2 bytes it will be good too .... I know what you know this, but maybe you forget avout it.. regards
[code]I have rewrite code for sagemath
from hashlib import sha256
import struct
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f a = 0 b = 7 G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8) n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [a, b]) G = E(G)
def bytes_to_long(s): """bytes_to_long(strinng) : long Convert a byte string to a long integer. This is (essentially) the inverse of long_to_bytes(). """ acc = 0L unpack = struct.unpack length = len(s) if length % 4: extra = (4 - length % 4) s = b('\000') * extra + s length = length + extra for i in range(0, length, 4): acc = (acc << 32) + unpack('>I', s[i:i+4])[0] return acc def H(m): h = sha256() h.update(m) return bytes_to_long(h.digest()) def egcd(a, b): "Euclidean greatest common divisor" if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y)
def modinv(a, m): "Modular inverse" # in Python 3.8 you can simply return pow(a,-1,m) g, x, y = egcd(a, m) if g != 1: raise Exception('modular inverse does not exist') else: return x % m def verify(pub,r, s, m): v1 = m*modinv(s, n) % n v2 = r*modinv(s, n) % n V = v1*G + v2*pub x,y=V.xy() return int(x) % n == r,hex(int(v1)),hex(int(v2)) def calc_k(num,r,s,z): k=(r*num + z)*modinv(s,n)%n return k,n-k sign=[] ge=[]
def calc_x(a,b,r,s,z): #x1 = (z1 -b)*modinv(a*s1-r1,n)%n x_a =(z -b)%n x_b=(a*s-r)%n if x_b != 0: return (x_a*modinv(x_b,n)%n)%n return 0 def generates_signatures(): puzzle120=16 n_value=n sigs = [] private=50 Qp=private*G for index in range(130): print("---- index",index) binaryIndex=int((index*3)).to_bytes(32,'big') binaryIndex2=int((index*2+1)).to_bytes(32,'big') hashedIndex=H(binaryIndex) hashedIndex2=H(binaryIndex2) z_value_with_r=(hashedIndex%puzzle120) added_point= int(z_value_with_r)*G final_point=Qp+added_point r_value_with_s=(hashedIndex2%puzzle120) print(r_value_with_s) if r_value_with_s!=0: R_point=final_point*int(r_value_with_s) x,y=R_point.xy() r_value=int(x) s_value_with_r=int(modinv(r_value_with_s,n)%n) s_value=int((s_value_with_r*r_value)%n) z_value=((z_value_with_r*r_value)%n) print("r", r_value) print("s", s_value) print("hash", z_value) k,k1=calc_k(private,r_value,s_value,z_value) print("k",k,k1) print("k",hex(k),hex(k1)) print(verify(Qp,r_value,s_value,z_value)) wy,b,a=verify(Qp,r_value,s_value,z_value) x=calc_x(int(a,16),int(b,16),int(r_value),int(s_value),int(z_value)) print("x",x) k,k1=calc_k(x,r_value,s_value,z_value) print("k",k,k1) print("k",hex(k),hex(k1)) t=tuple([r_value,s_value,z_value]) if t not in sign: sign.append(t) for le in range(0,1000): k2=(k*2**le)%n ge.append(int(k2)) ge.append(int(n-k2)) generates_signatures()
here is part of output: ---- index 18 9 r 63933145574282734898435981717146773918756897333098319278256437952015461322467 s 97164196692832900318159208530884680987624427476291405550721397771404732420314 hash 0 k 450 115792089237316195423570985008687907852837564279074904382605163141518161493887 k 0x1c2 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f (True, '0x0', '0x9') x 0 so according above: private key = 50 k= 450 how the nonce k is calculated from pubkey (private key) simple: a*d + b = k nonce here a=9 and b = 0 so 9* 50 + 0 = 450 confirm : (True, '0x0', '0x9') it is generator it is useless. [/code] ./md 450 x -1 Result: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f = 115792089237316195423570985008687907852837564279074904382605163141518161493887 this is inversion of 450 you thant say what this is real nonce ? I think generator must be for ex y = X^400, x is a generator. . Br Someone, please, upload sage scryot to transfer.sh I from phone, very hard copy/paste without lost tabulation Regards
@ecdsa123 is any news about lcd ? br
[code]I have rewrite code for sagemath
from hashlib import sha256
import struct
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f a = 0 b = 7 G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8) n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
E = EllipticCurve(GF(p), [a, b]) G = E(G)
def bytes_to_long(s): """bytes_to_long(strinng) : long Convert a byte string to a long integer. This is (essentially) the inverse of long_to_bytes(). """ acc = 0L unpack = struct.unpack length = len(s) if length % 4: extra = (4 - length % 4) s = b('\000') * extra + s length = length + extra for i in range(0, length, 4): acc = (acc << 32) + unpack('>I', s[i:i+4])[0] return acc def H(m): h = sha256() h.update(m) return bytes_to_long(h.digest()) def egcd(a, b): "Euclidean greatest common divisor" if a == 0: return (b, 0, 1) else: g, y, x = egcd(b % a, a) return (g, x - (b // a) * y, y)
def modinv(a, m): "Modular inverse" # in Python 3.8 you can simply return pow(a,-1,m) g, x, y = egcd(a, m) if g != 1: raise Exception('modular inverse does not exist') else: return x % m def verify(pub,r, s, m): v1 = m*modinv(s, n) % n v2 = r*modinv(s, n) % n V = v1*G + v2*pub x,y=V.xy() return int(x) % n == r,hex(int(v1)),hex(int(v2)) def calc_k(num,r,s,z): k=(r*num + z)*modinv(s,n)%n return k,n-k sign=[] ge=[]
def calc_x(a,b,r,s,z): #x1 = (z1 -b)*modinv(a*s1-r1,n)%n x_a =(z -b)%n x_b=(a*s-r)%n if x_b != 0: return (x_a*modinv(x_b,n)%n)%n return 0 def generates_signatures(): puzzle120=16 n_value=n sigs = [] private=50 Qp=private*G for index in range(130): print("---- index",index) binaryIndex=int((index*3)).to_bytes(32,'big') binaryIndex2=int((index*2+1)).to_bytes(32,'big') hashedIndex=H(binaryIndex) hashedIndex2=H(binaryIndex2) z_value_with_r=(hashedIndex%puzzle120) added_point= int(z_value_with_r)*G final_point=Qp+added_point r_value_with_s=(hashedIndex2%puzzle120) print(r_value_with_s) if r_value_with_s!=0: R_point=final_point*int(r_value_with_s) x,y=R_point.xy() r_value=int(x) s_value_with_r=int(modinv(r_value_with_s,n)%n) s_value=int((s_value_with_r*r_value)%n) z_value=((z_value_with_r*r_value)%n) print("r", r_value) print("s", s_value) print("hash", z_value) k,k1=calc_k(private,r_value,s_value,z_value) print("k",k,k1) print("k",hex(k),hex(k1)) print(verify(Qp,r_value,s_value,z_value)) wy,b,a=verify(Qp,r_value,s_value,z_value) x=calc_x(int(a,16),int(b,16),int(r_value),int(s_value),int(z_value)) print("x",x) k,k1=calc_k(x,r_value,s_value,z_value) print("k",k,k1) print("k",hex(k),hex(k1)) t=tuple([r_value,s_value,z_value]) if t not in sign: sign.append(t) for le in range(0,1000): k2=(k*2**le)%n ge.append(int(k2)) ge.append(int(n-k2)) generates_signatures()
here is part of output: ---- index 18 9 r 63933145574282734898435981717146773918756897333098319278256437952015461322467 s 97164196692832900318159208530884680987624427476291405550721397771404732420314 hash 0 k 450 115792089237316195423570985008687907852837564279074904382605163141518161493887 k 0x1c2 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f (True, '0x0', '0x9') x 0 so according above: private key = 50 k= 450 how the nonce k is calculated from pubkey (private key) simple: a*d + b = k nonce here a=9 and b = 0 so 9* 50 + 0 = 450 confirm : (True, '0x0', '0x9') it is generator it is useless. [/code] formule "450 / 9 = priv" not work for all sighns. I thin is very hard or inposivle crack with lattice . Method very expesive of time... [moderator's note: consecutive posts merged]
|