Bitcoin Forum
Topic: Backdoor and ecdsa (Read 168 times)
Bglhn (OP)
April 03, 2024, 09:14:25 PM
 #1

Hello friends.
I came across some source code on GitHub: backdoor ecdsa. I displayed it with the rsz values I discovered, but I couldn't make any sense of it. What exactly are the leaked values and what do they do? Does anyone have knowledge about this?

https://github.com/oreparaz/backdoor-ecdsa.git
odolvlobo
April 03, 2024, 10:35:57 PM
Last edit: April 03, 2024, 10:51:50 PM by odolvlobo
Merited by NeuroticFish (5), ABCbits (4)
 #2

In short, the attacker influences the selection of the nonce in such a way that a portion of a secret can be derived from each signature.

The secret to be leaked can be anything, but it is just a random value in the example code:

Code:
secret_to_leak = randscalar()

The nonce, k, is computed by multiplying a small portion, si, of the secret, S, by a value, b, known only to the attacker. Since b is known by the attacker and si is a small value, k and si can be recovered. k = si * b obfuscates the fact that k is not random.

Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
iceland2k14
April 04, 2024, 05:29:22 AM
Merited by ABCbits (1)
 #3

In a similar way I have a simulation script in python https://github.com/iceland2k14/rsz/blob/main/LLL_nonce_leakage.py where some Random signatures are prepared with Leakage in 128 bits and then, assuming they are from Real Tx, they are solved using LLL reduction to print the PrivateKey.
Bglhn (OP)
April 04, 2024, 07:39:38 AM
 #4

Quote from: iceland2k14
In a similar way I have a simulation script in python https://github.com/iceland2k14/rsz/blob/main/LLL_nonce_leakage.py where some Random signatures are prepared with Leakage in 128 bits and then, assuming they are from Real Tx, they are solved using LLL reduction to print the PrivateKey.

Can I use your script with real values? I couldn't find a way.

Quote from: odolvlobo
In short, the attacker influences the selection of the nonce in such a way that a portion of a secret can be derived from each signature.

The secret to be leaked can be anything, but it is just a random value in the example code:

Code:
secret_to_leak = randscalar()

The nonce, k, is computed by multiplying a small portion, si, of the secret, S, by a value, b, known only to the attacker. Since b is known by the attacker and si is a small value, k and si can be recovered. k = si * b obfuscates the fact that k is not random.

So how can I find the value of b? Trial and error method for example? Is b an integer?
odolvlobo
April 04, 2024, 07:05:14 PM
Merited by ABCbits (1)
 #5

Quote from: Bglhn
So how can I find the value of b? Trial and error method for example? Is b an integer?

It is clearly stated that b is chosen by the attacker. Your questions indicate to me that it might help to learn more about cryptography before tackling the details of this subject.

COBRAS
April 04, 2024, 08:56:07 PM
 #6

Does someone really think that without signing, sending coins or sending a message from victim to attacker this code can work?

If this code can work, we can make a fake public key with some bits of the victim's public key/private key, yes?

How?

This code looks like an LLL dream.... LLL does not work because all k in the signatures do not have 256 bits!

COBRAS
April 05, 2024, 02:24:57 PM
 #7

Quote from: Bglhn
Hello friends.
I came across some source code on GitHub: backdoor ecdsa. I displayed it with the rsz values I discovered, but I couldn't make any sense of it. What exactly are the leaked values and what do they do? Does anyone have knowledge about this?

https://github.com/oreparaz/backdoor-ecdsa.git

The author deleted the repo.

If someone is interested, forked link:


https://github.com/Hurd8x/backdoor-ecdsa


Bglhn (OP)
April 05, 2024, 03:37:22 PM
 #8

Yes, I asked a question and it was deleted. I don't understand why.
I've been searching on the internet, but I still haven't figured out how to use the leaked parts.
COBRAS
April 05, 2024, 03:55:30 PM
 #9

Quote from: Bglhn
Yes, I asked a question and it was deleted. I don't understand why.
I've been searching on the internet, but I still haven't figured out how to use the leaked parts.


He uses the leaked parts for a matrix over GF[2], but bitcoin is GF[7]; using GF[2] is a very interesting moment.

And I do not understand what the script finds in the end. Do you know the answer? I asked OpenAI and it told me that the script uses for the matrix different r,s from different privkey-message pairs.... Do you understand this moment?

First, instead of s_i be just chunks of S, we set s_i to be the result of a vector-matrix multiplication over GF(2) s_i := S*[M]. Here [M] is a public matrix constructed from the message being signed m, with dimensions chosen so that s_i is only a few bits long. To reconstruct S from s_i, the backdoor designer just solves a linear system of equations over GF(2). The advantage here is that this method is resistant to loss of some s_i, and the order in which s_i are recovered does not matter. Also, the backdoor designer gets immediate feedback on how many bits are still to be guessed from S!

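
The GF(2) reconstruction quoted in the post above, as an added Python example (not part of the thread and not the repository's code): each signature leaks a few parity bits of S, and incremental elimination over GF(2) reports how many bits are still unknown, whatever the arrival order and despite lost signatures. Deriving [M] from SHA-256 of the message, the 32-bit S and the 4-bit chunks are assumptions chosen for the illustration.

```python
# Added illustration; matrix derivation, sizes and sample values are assumptions.
import hashlib

NBITS, CHUNK = 32, 4        # toy sizes: 32-bit S, 4 leaked bits per signature

def public_matrix(msg):
    """[M]: CHUNK columns of NBITS bits, derived only from the signed message."""
    return [int.from_bytes(hashlib.sha256(msg + bytes([j])).digest(), "big") % (1 << NBITS)
            for j in range(CHUNK)]

def leak(S, msg):
    """s_i = S * [M] over GF(2): one parity bit per column of [M]."""
    return [bin(S & col).count("1") & 1 for col in public_matrix(msg)]

class Gf2Solver:
    """Incremental Gauss-Jordan elimination over GF(2) on equations col . S = bit."""
    def __init__(self):
        self.rows = {}                              # pivot bit -> (mask, rhs)
    def absorb(self, msg, bits):
        for mask, rhs in zip(public_matrix(msg), bits):
            for piv, (m, r) in self.rows.items():   # clear already-known pivots
                if mask >> piv & 1:
                    mask, rhs = mask ^ m, rhs ^ r
            if mask == 0:
                continue                            # dependent equation, no new info
            piv = mask.bit_length() - 1
            for p, (m, r) in list(self.rows.items()):
                if m >> piv & 1:                    # keep older rows fully reduced
                    self.rows[p] = (m ^ mask, r ^ rhs)
            self.rows[piv] = (mask, rhs)
    def unknown_bits(self):
        return NBITS - len(self.rows)               # NBITS minus current rank
    def solve(self):
        if self.unknown_bits():
            return None
        return sum(r << p for p, (_, r) in self.rows.items())

def demo():
    S = 0xC0FFEE42                                  # constructed secret
    msgs = [b"tx-%d" % i for i in range(40)]        # constructed messages
    seen = [(m, leak(S, m)) for i, m in enumerate(msgs) if i % 3]  # every third lost
    seen.reverse()                                  # arrival order is irrelevant
    solver = Gf2Solver()
    for m, bits in seen[:3]:
        solver.absorb(m, bits)
    early = solver.unknown_bits()                   # feedback after 3 signatures
    for m, bits in seen[3:]:
        solver.absorb(m, bits)
    return early, solver.unknown_bits(), solver.solve(), S
```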