Reused R nonce faulty signature attack

[krashfire]

i recreate the attack and modify the code based on this article.

https://asecuritysite.com/ecdsa/ecd7

it does work in giving out the private keys.

Code:

import ecdsa
import random
import libnum
import hashlib
import sys

P = 2^256 - 2^32 - 2^9 - 2^8 - 2^7 - 2^6 - 2^4 - 1
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
order = N
priv1 = 20
G = (31504125288796341338541169388783846543997786027594142627385926708036691251730,
29015715595623874326232564738946807912877814040423899127791236573353650594580)


k = int(input("K:"))
if k < 1 or k > 2**127:
   raise ValueError("Input is out of range")

r = 66117490189936270206987461679613764204679654666049042771015493508015054858077
s = 49674599047379925216583523329074143648157909613025861611589669633503106636260
h = 99349198094759850433167046658148287296315819226051723223179339267006213272520

msg="HelloHello"



# Now generate a fault
rf = r
sf = (libnum.invmod(k,order)*(h+priv1*rf)) % order
hf = int(hashlib.sha256(msg.encode()).hexdigest(),base=16)
k = hf*(s-sf) * libnum.invmod(sf*r-s*rf,order)
valinv = libnum.invmod( (sf*r-s*rf),order)
dx = (hf*(s-sf)* valinv) % order

print(f"k: {k}")
print(f"Sig 1 (Good): r1={r}, s1={s}, h1={h}")
print(f"Sig 2 (Faulty): r2={rf}, s2={sf}, h2={hf}")
print (f"\nRecovered private key: {dx}")

however, the private keys given are not of the targeted wallet address. so nope, your bitcoins are still safe.
my inputs could be wrong though, correct me if im wrong. thank u so much.

Code:

K:2410
k: -8798166015846973725561614309791304655239378187079711764294056475330149015934906772429315822306934901393705779350762680499808112349218839583434901201485582221473728750380597901824590880328183205377959771799530340013137323794330090
Sig 1 (Good): r1=66117490189936270206987461679613764204679654666049042771015493508015054858077, s1=49674599047379925216583523329074143648157909613025861611589669633503106636260, h1=99349198094759850433167046658148287296315819226051723223179339267006213272520
Sig 2 (Faulty): r2=66117490189936270206987461679613764204679654666049042771015493508015054858077, s2=94761076309972293894096285019617727370519309086943504219315190442656806572338, h2=11209404430005450692776394377220775389388011163944676048947869460159787075727

Recovered private key: 37708835787268217211476314887030394677427639753441187644516074530096113903948

[krashfire]

it is not finished.

try your self. secp256k1 if you add abstract thinking you will see "there are another properties" that you can use.

You should observe the values as output and think what is going on and test it.

a lot of us had make thousend test to verify thousends posiibilities.

some times you must "go away" and create you own pattern , sometimes expand "calculation" for new  coeffs.

I still observe and have a good result.


no one on this forum will really share with his knowledge. TRY Harder and be positive.

🥰🥰

[CrunchyF]

it is not finished.

try your self. secp256k1 if you add abstract thinking you will see "there are another properties" that you can use.

You should observe the values as output and think what is going on and test it.

a lot of us had make thousend test to verify thousends posiibilities.

some times you must "go away" and create you own pattern , sometimes expand "calculation" for new  coeffs.

I still observe and have a good result.


no one on this forum will really share with his knowledge. TRY Harder and be positive.

🥰🥰

This attack is not applicable to Bitcoin. Because you need that the message are the same in the two signature (it not possible in the blockchain)