Bitcoin Forum
Topic: address 14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE: not understanding weird transaction (Read 221 times)
ecdsa123 (OP)
December 08, 2022, 08:20:49 AM
Merited by ABCbits (1), ymgve2 (1)
 #1



Here is the address: 14NWDXkQwcGN1Pd9fboL8npVynD5SfyJAE

and an output from the address above, as a transaction from 2016-05-09 12:45:
Code:
https://www.blockchain.com/btc/tx/b5add54960756c58ebabb332c5ef89098d2c3b8f2107b939ec542178e846108b


Decoding the above transaction as r, s, z:
Code:
r = 0x83fe1c06236449b69a7bee5be422c067d02c4ce3f4fa3756bd92c632f971de06
s = 0x7405249d2aa9184b688f5307006fddc3bd4a7eb89294e3be3438636384d64ce7
z = 0x070239c013e8f40c8c2a0e608ae15a6b1bb4b8fbcab3cff151a6e4e8e05e10b7
 
pubkey = 0x0283FE1C06236449B69A7BEE5BE422C067D02C4CE3F4FA3756BD92C632F971DE06

So: someone has cracked it:

The nonce used for this transaction, as k, is:

k= 0x70239C013E8F40C8C2A0E608AE15A6B23D4A09295BE678B21A5F1DCEAE1F634


Now compare z (message hash) with nonce k:
z = [b]0x070239c013e8f40c8c2a0e608ae15a6b[/b]1bb4b8fbcab3cff151a6e4e8e05e10b7
k=  [b]0x070239C013E8F40C8C2A0E608AE15A6B[/b]23D4A09295BE678B21A5F1DCEAE1F634

As we see, part of z is the same as the integer value of the used nonce k.

Question 1: How and why did this happen?


Donate: bc1q0sezldfgm7rf2r78p5scasrrcfkpzxnrfcvdc6

Subscribe : http://www.youtube.com/@Ecdsa_Solutions
pooya87
December 08, 2022, 08:35:56 AM
Merited by ABCbits (1)
 #2

Quote from: ecdsa123
So: someone has cracked it:
Question 1: How and why did this happen?

This is a very old puzzle where someone created a brainwallet using the phrase "bitcoin is awesome" and the private key of this address has been known for the past 10 years. If by "cracked it" you mean solved the brainwallet puzzle, then yes.
As for the question, in later years others may have tried to have some fun with the existing puzzle by sending coins there and/or spending the coins in this known address with weird nonce values.

ecdsa123 (OP)
December 08, 2022, 08:38:49 AM
 #3

Yes, but I'm asking not about the private key, but about the nonce used in the transaction.
This is weird.

The nonce k is the same as the message hash in the first 16 bytes.


pooya87
December 08, 2022, 10:32:01 AM
 #4

Quote from: ecdsa123
Yes, but I'm asking not about the private key, but about the nonce used in the transaction.
This is weird.

The nonce k is the same as the message hash in the first 16 bytes.

It could be a lot of things. As I said, it could be someone just having fun trolling others watching this puzzle key, or it could be broken code that someone was testing using this key, maybe someone watching the key to steal the coins sent to it.

When generating k deterministically using RFC6979 you use the message digest (z) too. A broken implementation could have messed up and after computing the final HMAC copied the result in the second half of an output that had the original digest in its first half.

ecdsa123 (OP)
December 08, 2022, 12:16:52 PM
 #5

Is there any way to check that:

"When generating k deterministically using RFC6979 you use the message digest (z) too. A broken implementation could have messed up and after computing the final HMAC copied the result in the second half of an output that had the original digest in its first half"

?

pooya87
December 08, 2022, 12:34:13 PM
 #6

The only way to check it is to find out who sent these and ask them how or why they did it like that. Everything else is just guesswork.

NotATether
December 08, 2022, 05:57:42 PM
 #7

Quote from: ecdsa123
Is there any way to check that:

"When generating k deterministically using RFC6979 you use the message digest (z) too. A broken implementation could have messed up and after computing the final HMAC copied the result in the second half of an output that had the original digest in its first half"

?

Depends heavily on the wallet software, so if you know which one sent the transaction, you can just go through the source code, or assembly if it's proprietary, and study the nonce implementation used there.

ecdsa123 (OP)
December 09, 2022, 04:17:53 PM
 #8

I have generated almost 100 tasks to find a similar result under testing (generated by myself, knowing the private key and nonce).
I do not know how he did it.

Any help?

ymgve2
December 09, 2022, 04:50:41 PM
 #9

This is someone's broken deterministic nonce generation.

Small hint: What's the SHA256 hash of "bitcoin is awesome" which is the private key of the transaction?
ecdsa123 (OP)
Full Member
***
Offline Offline

Activity: 211
Merit: 105

Dr WHO on disney+


View Profile
December 09, 2022, 04:59:32 PM
 #10

I know exactly the private key and nonce used in this transaction.

I'm just trying to understand whether the nonce and message hash having the same value in the first 32 bytes was done by hand or is a problem with software :)

ymgve2
December 09, 2022, 05:04:32 PM
 #11

You didn't understand.

Where do you think the last 16 bytes of the nonce come from?
ecdsa123 (OP)
Full Member
***
Offline Offline

Activity: 211
Merit: 105

Dr WHO on disney+


View Profile
December 09, 2022, 05:19:17 PM
 #12

z is the message hash from the transaction
k is the integer value of the nonce used in the transaction

z = 0x070239c013e8f40c8c2a0e608ae15a6b1bb4b8fbcab3cff151a6e4e8e05e10b7
k=  0x070239C013E8F40C8C2A0E608AE15A6B23D4A09295BE678B21A5F1DCEAE1F634


The MSB part of k and the MSB part of z are the same:

0x070239C013E8F40C8C2A0E608AE15A6B == 0x070239c013e8f40c8c2a0e608ae15a6b
MSB of nonce (k) == MSB of message hash (z)


ymgve2
December 09, 2022, 05:21:13 PM
Merited by ecdsa123 (4)
 #13

privkey is 23d4a09295be678b21a5f1dceae1f634a69c1b41775f680ebf8165266471401b

second part of nonce is 23d4a09295be678b21a5f1dceae1f634
ecdsa123 (OP)
December 09, 2022, 05:24:49 PM
 #14

Quote from: ymgve2
privkey is 23d4a09295be678b21a5f1dceae1f634a69c1b41775f680ebf8165266471401b

second part of nonce is 23d4a09295be678b21a5f1dceae1f634

Thanks :)

So do you think it was generated by hand, or is it a "problem with hmac"?

ymgve2
December 09, 2022, 05:30:49 PM
 #15

It seems like some homebrew way of creating a (bad) deterministic nonce. It's too simple and clean to be just a coding mistake.

And it's bad because reusing part of the unhashed private keys and z means the nonce can now be expressed purely as a linear function of other parts of the signing process.
ecdsa123 (OP)
December 09, 2022, 05:33:25 PM
 #16

Is there any way to check by algorithm that part of the MSB of the message hash is part of the nonce?

I tried to analyze it and have a problem with that.

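Added example, not part of the thread and not any poster's code: a check of the kind asked about in the last post, for auditing a signer whose test private key is known. It recovers k from a signature and reports byte runs that the nonce shares verbatim with the message hash or the private key; the function names and the 4-byte threshold are assumptions, and the z, k and privkey values are the ones quoted in the posts above.

```python
# Added example: audit the nonces of a signer you control (test key d is known).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # secp256k1 order

# Values quoted in the thread (k is zero-padded to 32 bytes by to_bytes below).
Z = 0x070239c013e8f40c8c2a0e608ae15a6b1bb4b8fbcab3cff151a6e4e8e05e10b7
K = 0x70239C013E8F40C8C2A0E608AE15A6B23D4A09295BE678B21A5F1DCEAE1F634
D = 0x23d4a09295be678b21a5f1dceae1f634a69c1b41775f680ebf8165266471401b


def recover_nonce(r, s, z, d):
    """ECDSA gives s = k^-1 * (z + r*d) mod n, so k = s^-1 * (z + r*d) mod n.
    Usable only when the private key d is already known (your own test key)."""
    return pow(s, -1, N) * (z + r * d) % N


def shared_runs(k, other, min_len=4):
    """Maximal byte runs common to the 32-byte big-endian encodings of k and
    other, at any alignment, as (offset_in_k, offset_in_other, length)."""
    a, b = k.to_bytes(32, "big"), other.to_bytes(32, "big")
    runs = []
    for i in range(32):
        for j in range(32):
            if i and j and a[i - 1] == b[j - 1]:
                continue  # continuation of a run already counted
            n = 0
            while i + n < 32 and j + n < 32 and a[i + n] == b[j + n]:
                n += 1
            if n >= min_len:
                runs.append((i, j, n))
    return runs


def audit(k, z, d, min_len=4):
    """Report signing inputs that appear verbatim inside the nonce. Two
    independent 32-byte values almost never share a run of 4 or more bytes."""
    return {"digest": shared_runs(k, z, min_len),
            "privkey": shared_runs(k, d, min_len)}


if __name__ == "__main__":
    print(audit(K, Z, D))
```

For the values in this thread the report shows the first 16 bytes of z at nonce offset 0 and the first 16 bytes of the private key at nonce offset 16; a signer following RFC 6979 should produce empty lists.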