How this small puzzle was made.
The following were my objectives.
- Show the importance of K
- Show some math
- Show the properties of Endomorphism
- To make you think outside the box
Steps to make the puzzle...
1.- Search a remarkable address with privatekey in the public Domain
2.- Make a signature for that address
3.- Decode and extract the values of the Signature values ( R, S and Z )
4.- Calculate K with some code in Python or C
5.- Use an endomorphims value of K to generate a new Unused Address
6.- Send the prize to that new Address and publish the Puzzle.
Steps with the Values already used:
- The remarkable address used was the Address that is generated with the sha256 of an empty string ""
Code
echo -n | sha256sum
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 -
- The signature used was publish before.
- The values of that siganture can be easily extracted with a tool that i made
Final X, Y : c8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9 0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa
Final R: c8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9
Final S: 3fbd468ed282d42df2e32c64e7894abad3471fb06819043948d63660848d1a65
Final Z: ee1842cc42b2cd2dd37415bd7b92fc9380d3324a165f6362a4eedcd93f721e5b
Calculated address: 1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN
Calculated publickey uncompressed: 04a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd5b8dec5235a0fa8722476c7709c02559e3aa73aa03918ba2d492eea75abea235
Calculated publickey compressed: 03a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd
The signature match with the address and it is valid
-----BEGIN BITCOIN SIGNED MESSAGE-----
Easy puzzle with 0.0016 BTC @ https://t.me/keyhunters
-----BEGIN BITCOIN SIGNATURE-----
1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN
G8jtdFo0RCjSNC8p8qoaE/rhNh9k4uhuF2TqNgBEl2fpP71GjtKC1C3y4yxk54lKutNHH7BoGQQ5SNY2YISNGmU=
-----END BITCOIN SIGNATURE-----
- Calculate K with some code in Python or C
if you askme how to i get the Inverse of the original S value i use a C code, but then i realize that i can use my modmath tool for that:
./modmath 1 / 0x3fbd468ed282d42df2e32c64e7894abad3471fb06819043948d63660848d1a65
Result: 0xb44ae7316060a9f7af0049effddf65813df443267349cf2a37ca6cb5fb95b4f8
Originaly i use a C code, but it can be more easily to use Python
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Sinv = 0xb44ae7316060a9f7af0049effddf65813df443267349cf2a37ca6cb5fb95b4f8
Z = 0xee1842cc42b2cd2dd37415bd7b92fc9380d3324a165f6362a4eedcd93f721e5b
R = 0xc8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9
dA = 0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
K = Sinv *(Z + R*dA) % N
hex(K)
The output:
>>> hex(K)
'0x414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746'
At this point we are in half way to solve the puzzle.
The math part of th puzzle is to use Algebra to reorder the Signature proof ecuation:
Originally
S = K^-1 * (Z + R *dA ) % N
It was just reorder:
K = S^-1 * (Z + R *dA ) % N
Usually if we already have the private key (dA) then the nonce (K) value is useless but as a practice exercise get the K value of each one of your Transactions is very good learning exercise.
- To use endomorphims to calcualte some Alternate Address from the K nonce we can use also modmath
./modmath 0x414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746 x 0xac9c52b33fa3cf1f5ad9e3fd77ed9ba4a880b9fc8ec739c2e0cfc810b51283ce
Result: 0x7191e2fd37f1b8657e471afde6d9bb52a287f33da902423abac278e9f5dcd23d
Then we only need to use a tool like calculatefromkey or some page like
https://www.bitaddress.org/ to get the compressed address from that KEY
Now than you already know how the puzzle was made then you know how to solve it, but i wan to show you three approach to solve it.
- Approach with the Y value.
If you get the RSZ values from the Second signature (Clues signature)
Command:
./verifymsg -v -a 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C -s "H+a3NLPvRfoVgYgZBhvSiGY1001ylS8D5IjRbkrJ/MjlsSTCZ+rC8OIHyCFRwSHwGtIWx+xGIeR4x3nTpl1FUvY=" -m "$(cat ~/text.txt)"
Final X, Y : e6b734b3ef45fa15818819061bd2886635d34d72952f03e488d16e4ac9fcc8e5 28f7b4f4501644cb0ea9dd09dfb5494b7537aa784518bd2af24c8c8b0b7476f2
Final R: e6b734b3ef45fa15818819061bd2886635d34d72952f03e488d16e4ac9fcc8e5
Final S: b124c267eac2f0e207c82151c121f01ad216c7ec4621e478c779d3a65d4552f6
Final Z: 80b5e209faa552bab934589fbc0d4727eb0431a32218a6f606d9a0486b1a42ec
Calculated address: 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
Calculated publickey compressed: 02ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a
Calculated publickey uncompressed: 04ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa
The signature match with the address and it is valid
-----BEGIN BITCOIN SIGNED MESSAGE-----
Clues
Behind the result of the equations there are some variables that should Be also a secret
Beyond all the discussions, it is worth mentioning that all the possible legacy addresses amount is 2Λ160
Every single Byte counts, how many Bytes have this message?
This is a signed message with ECDSA. There may be some questions about it.
- How do we know the math used in ECDSA is right?
- Can someone cheat or change a signed message made with ECDSA?
- Is it possible for two different messages to have the same signature?
- How can we be sure that the person who signs a message is the real owner of the secret key and not pretending?
AlbertoBSD
-----BEGIN BITCOIN SIGNATURE-----
17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
H+a3NLPvRfoVgYgZBhvSiGY1001ylS8D5IjRbkrJ/MjlsSTCZ+rC8OIHyCFRwSHwGtIWx+xGIeR4x3nTpl1FUvY=
-----END BITCOIN SIGNATURE-----
If you carefully check all the values here you can notice that Y value from the Nonce in the first message is the same tha the Y value of the publickey of the prize adress
You don't belive me? check:
First signaute fragment
Final X, Y : c8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9 0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa
Second signature fragment
Calculated publickey uncompressed: 04ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa
Look carefully, if you don't know nothing about endomorphism you may ask to chatGPT or some other AI, or even ask in a forum, the may point you in the right way to solve it.
At this point if you missed the Y value in those publickeys you may need some glasses (No offence but the values were there visible for everyone)
- Approach with the keyhunt
Once than you already calculate the K value you can use keyhunt to search it:
./keyhunt -m address -f target.txt -e -r 414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746
[+] Version 0.2.230507 Satoshi Quest (legacy), developed by AlbertoBSD
[+] Mode address
[+] Endomorphism enabled
[+] Setting search for btc adddress
[+] N = 0x100000000
[+] Range
[+] -- from : 0x414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746
[+] -- to : 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
[+] Allocating memory for 1 elements: 0.00 MB
[+] Bloom filter for 1 elements.
[+] Loading data to the bloomfilter total: 0.03 MB
[+] Sorting data ... done! 1 values were loaded and sorted
Base key: 414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746
Hit! Private Key: 7191e2fd37f1b8657e471afde6d9bb52a287f33da902423abac278e9f5dcd23d
pubkey: 02ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a
Address 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
rmd160 498fdccf23d5e95fc5b3b93a4b4c6dcd334f512d
^C
Behind the result of the equations there are some variables that should Be also a secret
This in my indirect way to tell you that you need to search for all the secrets in the equations. What Equations?
This is a signed message with ECDSA.
Well you need to search what kind of equatios are involved in the ECDSA process, i paste the proper link in the first post
Every single Byte counts, how many Bytes have this message?
With message i mean all the text that is begin signed in that second signature.
How many bytes it have, did you count it?
The message is 652 bytes, but if you select the characters in a text editor it only select 646 characters that including the Return lines,
Where comes this difference?
Use hexedit :
00000000 43 6C 75 65 73 0A CE 92 65 68 69 6E 64 20 74 68 65 20 72 65 73 75 6C 74 Clues...ehind the result
00000018 20 6F 66 20 74 68 65 20 65 71 75 61 74 69 6F 6E 73 20 74 68 65 72 65 20 of the equations there
00000030 61 72 65 20 73 6F 6D 65 20 76 61 72 69 61 62 6C 65 73 20 74 68 61 74 20 are some variables that
00000048 73 68 6F 75 6C 64 20 CE 92 65 20 61 6C 73 6F 20 61 20 73 65 63 72 65 74 should ..e also a secret
00000060 0A CE 92 65 79 6F 6E 64 20 61 6C 6C 20 74 68 65 20 64 69 73 63 75 73 73 ...eyond all the discuss
00000078 69 6F 6E 73 2C 20 69 74 20 69 73 20 77 6F 72 74 68 20 6D 65 6E 74 69 6F ions, it is worth mentio
00000090 6E 69 6E 67 20 74 68 61 74 20 61 6C 6C 20 74 68 65 20 70 6F 73 73 69 62 ning that all the possib
000000A8 6C 65 20 6C 65 67 61 63 79 20 61 64 64 72 65 73 73 65 73 20 61 6D 6F 75 le legacy addresses amou
000000C0 6E 74 20 69 73 20 32 CE 9B 31 36 30 0A 45 76 65 72 79 20 73 69 6E 67 6C nt is 2..160.Every singl
000000D8 65 20 CE 92 79 74 65 20 63 6F 75 6E 74 73 2C 20 68 6F 77 20 6D 61 6E 79 e ..yte counts, how many
000000F0 20 CE 92 79 74 65 73 20 68 61 76 65 20 74 68 69 73 20 6D 65 73 73 61 67 ..ytes have this messag
00000108 65 3F 0A 54 68 69 73 20 69 73 20 61 20 73 69 67 6E 65 64 20 6D 65 73 73 e?.This is a signed mess
00000120 61 67 65 20 77 69 74 68 20 45 43 44 53 41 2E 20 54 68 65 72 65 20 6D 61 age with ECDSA. There ma
00000138 79 20 62 65 20 73 6F 6D 65 20 71 75 65 73 74 69 6F 6E 73 20 61 62 6F 75 y be some questions abou
00000150 74 20 69 74 2E 0A 2D 20 48 6F 77 20 64 6F 20 77 65 20 6B 6E 6F 77 20 74 t it..- How do we know t
00000168 68 65 20 6D 61 74 68 20 75 73 65 64 20 69 6E 20 45 43 44 53 41 20 69 73 he math used in ECDSA is
00000180 20 72 69 67 68 74 3F 0A 2D 20 43 61 6E 20 73 6F 6D 65 6F 6E 65 20 63 68 right?.- Can someone ch
00000198 65 61 74 20 6F 72 20 63 68 61 6E 67 65 20 61 20 73 69 67 6E 65 64 20 6D eat or change a signed m
000001B0 65 73 73 61 67 65 20 6D 61 64 65 20 77 69 74 68 20 45 43 44 53 41 3F 0A essage made with ECDSA?.
000001C8 2D 20 49 73 20 69 74 20 70 6F 73 73 69 62 6C 65 20 66 6F 72 20 74 77 6F - Is it possible for two
000001E0 20 64 69 66 66 65 72 65 6E 74 20 6D 65 73 73 61 67 65 73 20 74 6F 20 68 different messages to h
000001F8 61 76 65 20 74 68 65 20 73 61 6D 65 20 73 69 67 6E 61 74 75 72 65 3F 0A ave the same signature?.
00000210 2D 20 48 6F 77 20 63 61 6E 20 77 65 20 62 65 20 73 75 72 65 20 74 68 61 - How can we be sure tha
00000228 74 20 74 68 65 20 70 65 72 73 6F 6E 20 77 68 6F 20 73 69 67 6E 73 20 61 t the person who signs a
00000240 20 6D 65 73 73 61 67 65 20 69 73 20 74 68 65 20 72 65 61 6C 20 6F 77 6E message is the real own
00000258 65 72 20 6F 66 20 74 68 65 20 73 65 63 72 65 74 20 6B 65 79 20 61 6E 64 er of the secret key and
00000270 20 6E 6F 74 20 70 72 65 74 65 6E 64 69 6E 67 3F 0A 0A 41 6C 62 65 72 74 not pretending?..Albert
00000288 6F 42 53 44 oBSD
If you see the Values of the characters and check for printable Characters maybe you will notice that some of them are missing in the printable part:
Those characters are: B and Λ (Beta and Lambda). You may not be an "expert" in soma field of study but you have google or all those new AI.
Check this questions on ChatGPT:
Q: Is there something oddly in the Text of the clues ?
A: Yes, there is something odd in the text of the clues. The oddity lies in the usage of the letter "B" (capital beta) instead of the letter "B" (capital bee) in several instances. It appears that the letter "B" has been mistakenly used instead of "B" throughout the text.
For example, the clues should read:
"Behind the result of the equations there are some variables that should be also a secret."
"Beyond all the discussions, it is worth mentioning that all the possible legacy addresses amount is 2^160."
"Every single Byte counts, how many Bytes have this message?"
The presence of the letter "B" instead of "B" seems to be a typographical error or an unintended character substitution. It is important to note this discrepancy and ensure that the correct letter "B" is used when interpreting the text and attempting to solve the puzzle.
Q: what is B and Λ and how they are related to eliptic curves
A: In the context of elliptic curves, B (Beta) and Λ (Lambda) are parameters that are often used to describe the equations of elliptic curves in a specific form known as Weierstrass form.
The Weierstrass form of an elliptic curve is given by the equation:
y^2 = x^3 + Ax + B,
where A and B are constants that depend on the specific curve. The values of A and B determine the shape and properties of the curve.
In this equation, B represents the constant term, which affects the vertical shift of the curve. It determines the y-coordinate of the point at infinity (the point that serves as the identity element in elliptic curve group operations).
Λ, on the other hand, is a parameter used in the definition of the group law on an elliptic curve. The group law specifies how to add two points on the curve to obtain a third point. Λ is related to the slope of the tangent line to the curve at a specific point. It is used to compute the x-coordinate of the sum of two points.
To summarize, B determines the vertical shift of the curve, while Λ is involved in the group law calculations on the curve. These parameters are important in describing and working with elliptic curves in the Weierstrass form.
As you see you can use the AI as entry point of information
What about the other clues?
- How do we know the math used in ECDSA is right?
- Can someone cheat or change a signed message made with ECDSA?
- Is it possible for two different messages to have the same signature?
- How can we be sure that the person who signs a message is the real owner of the secret key and not pretending?
Those are just valid question that you may ask to your self and search or think in what are some conditions mathematically needed to do something or prevent something.
That is all...
Regards