Bitcoin Forum
Author Topic: Nonce reuse fault attack on secp256k1  (Read 155 times)
krashfire (OP)
December 09, 2022, 07:46:00 PM
Last edit: December 10, 2022, 12:29:14 AM by krashfire
Merited by n0nce (1)
 #1

Hi, I was wondering whether anyone had tried Nonce Reuse fault attack on SECP256K1.

It seems so much easier to crack any wallet with this attack. Read here: https://asecuritysite.com/ecdsa/ecd7

I have been trying a lattice attack on my wallet address for 5 weeks now. It works but is really slow.

I am considering starting a new attack for my research. Your inputs are greatly appreciated.

How can I modify this script to accept my R, S, H and public keys? Please help. Thank you so much.



Code is here.

Code:

import ecdsa
import random
import libnum
import hashlib
import sys

# secp256k1 generator point and the order of the group it generates
G = ecdsa.SECP256k1.generator
order = G.order()

# Random private key. Note that the script only works because it knows priv1:
# the "faulty" sf value below is computed directly from it.
priv1 = random.randrange(1, order)

Public_key = ecdsa.ecdsa.Public_key(G, G * priv1)
d = ecdsa.ecdsa.Private_key(Public_key, priv1)

# Nonce shared by both signatures (the original keeps it below 2**127)
k = random.randrange(1, 2**127)

msg = "Hello"

if len(sys.argv) > 1:
    msg = sys.argv[1]

h = int(hashlib.sha256(msg.encode()).hexdigest(), base=16)
sig = d.sign(h, k)

r, s = sig.r, sig.s

# Now generate a fault: same nonce k, r bumped by one. Producing sf needs priv1.
rf = sig.r + 1
sf = (libnum.invmod(k, order) * (h + priv1 * rf)) % order

# Recover the private key from the two signatures:
#   s*k = h + priv1*r  and  sf*k = h + priv1*rf
#   =>  priv1 = h*(s - sf) / (sf*r - s*rf)  (mod order)
valinv = libnum.invmod((sf * r - s * rf) % order, order)
dx = (h * (s - sf) * valinv) % order

# Recover the shared nonce from the same two equations:
#   k = dx*(r - rf) / (s - sf)  (mod order)
# (the original overwrote k here with the unreduced value of dx, which is
#  why its printed "k" is a 240-digit number rather than the nonce)
k_rec = (dx * (r - rf) * libnum.invmod((s - sf) % order, order)) % order

print(f"Message: {msg}")
print(f"k: {k}")
print(f"Recovered k: {k_rec}")

print(f"Sig 1 (Good): r={r}, s={s}")
print(f"Sig 2 (Faulty): r={rf}, s={sf}")

print(f"\nGenerated private key: {priv1}")
print(f"\nRecovered private key: {dx}")

Result is here.

Quote
#python fault.py
Message: Hello
k: 2377122631336757091406456643105226705197917127899304611236234685727643570878493 8957571817458862979584232284037410229596452277879610955286764320595345098952800 839149842089242517072957658427855833009982523662157423292631792006806365
Sig 1 (Good): r=41552918092331466876589119583071324014922831660434505150350778883250206623908, s=103219685505031464720805837014021801697332755430913759423777864063262658295904
Sig 2 (Faulty): r=41552918092331466876589119583071324014922831660434505150350778883250206623909, s=30990528248984818891301551608571623728524592243310248921245102910474460702403

Generated private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792

Recovered private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792


KRASH
ymgve2
December 09, 2022, 08:22:59 PM
 #2

Fault attacks mean you induce hardware faults during the creation of the wallet/keys/signatures. It is completely useless for attacking pre-existing wallets/transactions.
krashfire (OP)
December 09, 2022, 08:32:50 PM
Last edit: December 10, 2022, 12:45:12 AM by krashfire
 #3

Yeah. Agreed. I was thinking the same thing. Click the link. The author also calls it a fault attack.

Hmm, maybe I should edit the subject of this topic.

KRASH
ymgve2
December 09, 2022, 08:41:55 PM
 #4

You said "crack any wallet" though. Fault attacks cannot be used to crack any wallet. They can only be used when you have some amount of control over the system that signs/creates a wallet at the moment of signing/creation.
krashfire (OP)
December 09, 2022, 11:51:33 PM
 #5

Quote from: ymgve2
You said "crack any wallet" though. Fault attacks cannot be used to crack any wallet. They can only be used when you have some amount of control over the system that signs/creates a wallet at the moment of signing/creation.

Alright... Are you here to argue with me about which word is used, or would you like to blame the author for the word used? Have you actually tried this method? I understand your meaning and the general meaning of a fault attack.

HOWEVER, that's what the author of this website claims it is.

SO... regardless of the choice of words used...

How can I modify this script so that it accepts my r, s, h and public key inputs?

Quote

#python fault.py
Message: Hello
k: 2377122631336757091406456643105226705197917127899304611236234685727643570878493 8957571817458862979584232284037410229596452277879610955286764320595345098952800 839149842089242517072957658427855833009982523662157423292631792006806365
Sig 1 (Good): r=41552918092331466876589119583071324014922831660434505150350778883250206623908, s=103219685505031464720805837014021801697332755430913759423777864063262658295904
Sig 2 (Faulty): r=41552918092331466876589119583071324014922831660434505150350778883250206623909, s=30990528248984818891301551608571623728524592243310248921245102910474460702403

Generated private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792

Recovered private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792

KRASH
ymgve2
December 10, 2022, 12:56:31 AM
 #6

Do you know what the word "fault" implies?

Take a closer look at the code, especially this part:

Code:
# Now generate a fault
rf = sig.r+1
sf=(libnum.invmod(k,order)*(h+priv1*rf)) % order

To do this attack with this example code, you need to already know the private key to generate the faulty sf value.
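The point ymgve2 makes can be checked directly. The following is an added example, not code from this thread or from the linked asecuritysite page: it re-derives the same two-signature recovery in pure Python with the secp256k1 parameters written out, so it runs without the ecdsa or libnum packages. The private key and nonce are constructed test values. It also verifies both signatures against the public key, which shows that the "faulty" signature is not a valid ECDSA signature at all (rf is not the x-coordinate of kG), so nothing like it can exist in a confirmed transaction, and faulty_signature takes d as a parameter, which is exactly the circularity ymgve2 describes.

```python
import hashlib

# secp256k1 domain parameters (public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def point_add(a, b):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    x1, y1 = a
    x2, y2 = b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if a == b:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def scalar_mult(k, point):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = point_add(result, addend)
        addend = point_add(addend, addend)
        k >>= 1
    return result


def sign(d, h, k):
    """Textbook ECDSA with a caller-supplied nonce k, so runs are reproducible."""
    r = scalar_mult(k, G)[0] % N
    return r, pow(k, -1, N) * (h + d * r) % N


def verify(pub, h, sig):
    """Standard ECDSA verification against the public key point pub."""
    r, s = sig
    if not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    pt = point_add(scalar_mult(h * w % N, G), scalar_mult(r * w % N, pub))
    return pt is not None and pt[0] % N == r


def faulty_signature(d, h, k, r):
    """The 'fault' from the thread's script: same k, r bumped by one.
    Note the parameters: sf cannot be produced without the private key d."""
    rf = (r + 1) % N
    return rf, pow(k, -1, N) * (h + d * rf) % N


def recover_private_key(h, good, faulty):
    """From s*k = h + d*r and sf*k = h + d*rf: d = h(s - sf) / (sf*r - s*rf) mod N."""
    (r, s), (rf, sf) = good, faulty
    return h * (s - sf) * pow((sf * r - s * rf) % N, -1, N) % N


def recover_nonce(d, good, faulty):
    """Companion relation for the shared nonce: k = d(r - rf) / (s - sf) mod N."""
    (r, s), (rf, sf) = good, faulty
    return d * (r - rf) * pow((s - sf) % N, -1, N) % N


def demo(d, k, msg=b"Hello"):
    """Run the whole exchange and return the values worth comparing."""
    h = int.from_bytes(hashlib.sha256(msg).digest(), "big")
    pub = scalar_mult(d, G)
    good = sign(d, h, k)
    faulty = faulty_signature(d, h, k, good[0])
    return {
        "good_verifies": verify(pub, h, good),
        "faulty_verifies": verify(pub, h, faulty),  # False: rf is not (kG).x
        "recovered_d": recover_private_key(h, good, faulty),
        "recovered_k": recover_nonce(d, good, faulty),
    }


if __name__ == "__main__":
    # Constructed test values; not a real key or nonce.
    out = demo(d=0x1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF1234567890ABCDEF,
               k=0xC0FFEE0000000000000000000000000000000000000000000000000000000001)
    for name, value in out.items():
        print(f"{name}: {value}")
```

Run it and recovered_d equals the d passed in, while faulty_verifies is False: the second signature only exists because the signer (who already holds d) produced it. The thing the thread's title actually names, reusing k across two signatures, is the real-world risk, and the standard mitigation is deterministic nonce derivation (RFC 6979), which is what libsecp256k1 uses by default.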