Bitcoin Forum
Topic: Reuse Nonce Faulty Sig Attack
krashfire (OP)
January 18, 2023, 06:31:19 PM
Merited by Welsh (2)
 #1

In this article,
https://medium.com/asecuritysite-when-bob-met-alice/ecdsa-signatures-can-be-cracked-with-one-good-signature-and-one-bad-one-2d8bc71949e9

Author incremented the R signature.

Which I find quite difficult coz this method also requires you knowing the priv key to calculate for the faulty s signature. So my question is...

How can I safely increment the S and Hash value?

I tried

Code:
sf= sig.s + 1
hf= h +1

Obviously, it's wrong. Coz the private key does not correspond to the correct address.

How do I increment the S and H signatures correctly so I can find out the K and X value?

Because I assume if I can correctly increment the signatures of S and H. I can solve K. When I solve K=nonce, I get D=Private Key.


KRASH
COBRAS
January 19, 2023, 12:18:30 AM
 #2

R or Sci not remember exact is like public key. So ..

pooya87
January 19, 2023, 04:40:52 AM
Merited by Welsh (4), BlackHatCoiner (4)
 #3

You can't just increment h and s!
H is the hash of the message and is not predictable, let alone incrementable, and s is computed using k, h, r, d so again it is also not incrementable.

The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong.

ymgve2
January 19, 2023, 04:08:38 PM
 #4

Quote from: pooya87 on January 19, 2023, 04:40:52 AM
> You can't just increment h and s!
> H is the hash of the message and is not predictable, let alone incrementable, and s is computed using k, h, r, d so again it is also not incrementable.
>
> The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong.

The article is about fault injection, where a faulty signature (in this case, made with an r value that's different from what it should be) and a valid signature are used to extract the private key. As OP has finally noticed, you can't create faulty signatures without the private key, so this attack means nothing if you already only have a single, valid, signature.

OP: Any kind of manipulation of an existing signature will create two linearly dependent signatures, which in practice is just the same as having a single signature. You can't use the info in the article to get a private key out of a single good signature in any way.
BlackHatCoiner
January 19, 2023, 06:15:07 PM
 #5

Quote from: ymgve2 on January 19, 2023, 04:08:38 PM
> The article is about fault injection, where a faulty signature (in this case, made with an r value that's different from what it should be) and a valid signature are used to extract the private key.

Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?

krashfire (OP)
January 21, 2023, 03:17:08 PM
 #6

Quote from: BlackHatCoiner on January 19, 2023, 06:15:07 PM
> Quote from: ymgve2 on January 19, 2023, 04:08:38 PM
> > The article is about fault injection, where a faulty signature (in this case, made with an r value that's different from what it should be) and a valid signature are used to extract the private key.
>
> Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?

Right?! Waste my time in researching his method. And I don't know why no one is calling this "professor" out yet. Felt scammed. Geez... 😂

KRASH