Topic: sagemath signatures attack
ecdsa123 (OP)
September 13, 2023, 05:53:29 PM
 #1

Hello,

This is a short-term announcement: the time from the appearance of the announcement to the end of the purchase opportunity is 128 hours.

For sale:

    Two scripts in SageMath for attacking transaction signatures - they work for two pairs of transaction signatures r1, s1, z1, and r2, s2, z2:

    The attack presents results when the nonces are generated from the half of the message hash concatenated with the part of the private key:

    a. k = h_{msb} || d_{msb}
    b. k = h_{lsb} || d_{msb}
    c. k = h_{lsb} || d_{lsb}
    d. k = h_{msb} || d_{lsb}
    e. k = d_{msb} || h_{msb}
    f. k = d_{lsb} || h_{msb}
    g. k = d_{lsb} || h_{lsb}
    h. k = d_{msb} || h_{lsb}

    The attack results when the nonces are generated from the half of the message hash concatenated with the part of the private key.

If we have two nonces k_0 and k_1 generated with the previous half-half formula, if we take the difference we get:

a. k_0 - k_1 = s_0^{-1}h_0 - s_1^{-1}h_1 + \left(s_0^{-1}h_0 - s_1^{-1}h_1 \right)d = h_{0,msb} - h_{1,msb}
and variations of the half-half nonce generation as from point 1.

We have found a linear equation on d with all other values known. It gives a very fast way of solving the equation and recovering the private key d. However, two nonces and thus two signatures from the same private key are required.

Contact: freediscasus@gmail.com or on bitcointalk.org

Price: 1 BTC

Donate: bc1q0sezldfgm7rf2r78p5scasrrcfkpzxnrfcvdc6

Subscribe : http://www.youtube.com/@Ecdsa_Solutions