krashfire (OP)
Member
 Offline
Activity: 119
Merit: 11
Life aint interesting without any cuts and bruises
|
 |
June 22, 2024, 11:47:33 AM |
|
Saw some comments of users looking for R,S,Z Signatures and public key sample for research purposes. So i created a script where you can have a little more details than you need. Its a simple script so you can do your various research that you wish on ECDSA Secp256k1 signatures. you can download it here. https://github.com/KrashKrash/ecdsa-rsz-signature
=== ECDSA Signature Details ===
BTC Address: 1JvF4Bn4yF6GThYEA7pfhp3j8Xb6wu2t8D
Private Key: edb01804beb2e95898648ae87f1fa072d53b3b6f4564e092065bac907f063b9d
Signature (r, s, z):
r: 634e6e5d85360927c64d66bdd616dc58ac6b72cd22fac01c544236b63734ad35
s: 7fe9088b3849cddb82f38ef9244a06c413addb38031ee01a38e675ff28579d8a
z: 6ad532092bb3f4ee012e61df35c95efc7d9e9fa5653c371bc843fa4b3627f01f
k (nonce): 695e5e4c01e8ac9d77b7ecdd9881d50bb397ff7e54e082240a19b714c4de7ef8
PubKey: 034f966cdcc502d17876270349736f6a20f13edb5eccb5a92d1c702a0e059a9ba9
Signature Verification: Valid
just a little more info for you who are just starting out to do the research, some call it z, some call it message(hash) some just call it h. but it means the same thing. message or m = the original message H(m) or h or z = the hash of the message H(m), h or z depending on who you talk to, is the hash of the message. same meaning. I just want to have this information out here so you don't waste your time thinking what is h and what is z. Good luck on your research. |
KRASH
|
|
|
Kpot87
Jr. Member
Offline
Activity: 40
Merit: 1
|
|
June 22, 2024, 05:50:33 PM |
|
Offtop, how if your twist attack?
|
|
|
|
|
krashfire (OP)
Member
Offline
Activity: 119
Merit: 11
Life aint interesting without any cuts and bruises
|
|
June 23, 2024, 01:29:59 AM |
|
Offtop, how if your twist attack?
thats done. awhile ago. |
KRASH
|
|
|
jacky19790729
Jr. Member
Offline
Activity: 71
Merit: 8
|
|
June 24, 2024, 10:21:41 AM
Last edit: June 25, 2024, 03:47:30 PM by jacky19790729 |
|
I have been learning about ECDSA ( r s z, public key ,private key ) for about 2 months # 130 Although only 1 rsz is known , but 1000 rsz can be produced using the public key, the nonce K value will be 240~256 bits 50% - nonce is 256 bit 25% - nonce is 254 bit 25% - nonce is 253~240 bit However, more than 64 rsz must be leaked at the same time to leak more than 12 bits to use lattice-attack # 130 Public Key ( Fix 2024/06/25 ) 0x633cbe3ec02b9401c5effa144c5b4d22f87940259634858fc7e59b1c09937852, 0xb078a17cc1558a9a4fa0b406f194c9a2b71d9a61424b533ceefe27408b3191e3 Address: 1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua I create some rsz as #130 , these are address "1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua" and the public keys are #130 public key # 130 rsz 1
r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8
s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e
z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9
# 130 rsz 2
r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822
s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a
z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2
# 130 rsz 3
r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0
s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850
z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e
# 130 rsz 4
r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca
s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9
z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632
# 130 rsz 5
r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9
s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d
z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04
....
....
....
|
|
|
|
|
krashfire (OP)
Member
Offline
Activity: 119
Merit: 11
Life aint interesting without any cuts and bruises
|
|
June 25, 2024, 06:11:27 AM |
|
I have been learning about ECDSA ( r s z, public key ,private key ) for about 2 months # 130 Although only one rsz is know , but 1000 rsz can be produced using the public key, the nonce K value will be 240~256 bits 50% - nonce is 256 bit 25% - nonce is 254 bit 25% - nonce is 253~240 bit However, more than 64 rsz must be leaked at the same time to leak more than 12 bits to use lattice-attack # 130 Public Key 0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70 create #130 rsz # 130 rsz 1
r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8
s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e
z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9
# 130 rsz 2
r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822
s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a
z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2
# 130 rsz 3
r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0
s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850
z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e
# 130 rsz 4
r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca
s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9
z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632
# 130 rsz 5
r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9
s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d
z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04
....
....
....
would you mind sharing your code on how you leak the RSZ and how you create more sample for the given public key. thank you |
KRASH
|
|
|
jacky19790729
Jr. Member
Offline
Activity: 71
Merit: 8
|
|
June 25, 2024, 07:48:48 AM
Last edit: June 25, 2024, 08:02:55 AM by jacky19790729 |
|
would you mind sharing your code on how you leak the RSZ and how you create more sample for the given public key. thank you
https://bitcointalk.org/index.php?topic=5394249.100read it ....... garlonicon share his source code Even if I have 100,000 puzzle #130 r , s, z I still can't use lattice-attack crack ....Because the generated rsz and k values are unknown.... I used my private key and public key to see nonce K value ... From the probability, more than 50% is a 256-bit nonce K value ~~ It must be 252 bit or less bit ...... Unless you can know from these 100,000 rsz which nonce k bits are less than 252 bit , and select 88 group for lattice attack... This probability is lower than guessing any Bitcoin private key  N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141 if N <= 252 bit , we can use #130 public key to produce 70 ~ 100 fake rsz , and ECDSA will broken ~~~ Now, ECDSA is still safe |
|
|
|
|
JohnnyTX
Newbie
Offline
Activity: 2
Merit: 0
|
|
June 25, 2024, 02:15:25 PM |
|
Hi there! It looks like you all are crazy for nonces and signatures, so I have some special values for you  r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x24c8a42e8fe11d670633fa66ebedb1672c71a517a30cbbaa9e14f2d5a15a3783
z=SHA256('This is test 1.')
PubKey=0x3e42b3151f310f5f417f11b4c32d8360b22109dcc6432339243332b56cd596de, 0x7903116327cab6891b810588e4c909273c7eb013aea2162fa63afa1f11562b3a
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0x768a0e3b0cfb3c8d9b7899f59f480555176ef25eefa1e96d3ac575ba4ffe85fd
z=SHA256('This is test 2.')
PubKey=0xc79fa242694e3148c8d50e667010e0c221f6004d108692c5040ff139595ed081, 0x525bd76c21c8e2d45725a378c973a646d5971acd8f240322e5f1fdf0ed4f8589
r=0x678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb6
s=0xd17c5ed9fb37692cd152f381c4a3f16a896f96d26100310fe818d6963c402b25
z=SHA256('This is test 3.')
PubKey=0xc03657988e2baf31a1a1061a87fa3da20f166dc8a22c02658f6d325dec722d84, 0x97ffbac6bec2de2b8d9f9bcaeced8e56abdd0b3996b48153cf0a1a92dc2d5529
Btw. I think that those who do serious research of this topic do not need your script, but all contributions are welcome, of course. |
|
|
|
|
jacky19790729
Jr. Member
Offline
Activity: 71
Merit: 8
|
|
June 25, 2024, 04:01:32 PM |
|
Hi there! It looks like you all are crazy for nonces and signatures, so I have some special values for you Btw. I think that those who do serious research of this topic do not need your script, but all contributions are welcome, of course. the same r value , we can recovery private key ........ but we are interested in recovering the private key of #puzzle 130 from a large set of r s z and public key ... But we need to know the bits of k , from every set of r s z ......... if anyone can know the bits of k from every r s z and public key , all bitcoin address that leaks the public key can recovery private key Of course, currently only 252 bit k can be recovery by the lattice attack. https://githubhelp.com/bitlogik/lattice-attack/issues/2 The authors of the lattice-attack mentioned that they were also unable to crack more than k > 252 bits~~~ For the topic "down to 2 bits", note that we never found a private key using our LatticeAttack software below 4 know bits, hence the restriction put in place that prevent the user to run it with lower than 4 bits. But we never performed long running time. Using higher RECOVERY_SEQUENCE "effort" block size, combined with a loop "-l" can be a way to recover key with 3 or even 2 bits. That would just require long running times (several hours), and no guarantee of result.
|
|
|
|
|
JohnnyTX
Newbie
Offline
Activity: 2
Merit: 0
|
|
June 25, 2024, 05:55:44 PM |
|
the same r value , we can recovery private key ........
These are not as easy as you may think. but we are interested in recovering the private key of #puzzle 130 from a large set of r s z and public key ...
But we need to know the bits of k , from every set of r s z .........
Well, then I have two more for you, but this public key doesn't point to the puzzle #130 it seems... # Public Key 0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70 # rsz 1
r=0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410
s=0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808
z=0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b
# rsz 2
r=0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2
s=0xe14e5906641085412561a083c002b76d6ac5a54372a9c811edc9e3b86b2dde11
z=0x1b636df9eef267995d6918047ba3bafca25f693a47ff73c7c0d500cd4aa9783a
With k2 = k1 + 1. |
|
|
|
|
jacky19790729
Jr. Member
Offline
Activity: 71
Merit: 8
|
|
June 25, 2024, 06:56:02 PM |
|
Well, then I have two more for you, but this public key doesn't point to the puzzle #130 it seems...
# Public Key
0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70
I had edit my post ~~ fix it #130 public key 0x633cbe3ec02b9401c5effa144c5b4d22f87940259634858fc7e59b1c09937852, 0xb078a17cc1558a9a4fa0b406f194c9a2b71d9a61424b533ceefe27408b3191e3 and Provide 5 sets of my own generated rsz for #130 # 130 rsz 1 r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8 s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9 # 130 rsz 2 r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822 s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2 # 130 rsz 3 r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0 s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850 z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e # 130 rsz 4 r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9 z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632 # 130 rsz 5 r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9 s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04 1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua |
|
|
|
|
jacky19790729
Jr. Member
Offline
Activity: 71
Merit: 8
|
|
June 25, 2024, 07:00:33 PM |
|
# rsz 1
r=0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410
s=0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808
z=0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b
# rsz 2
r=0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2
s=0xe14e5906641085412561a083c002b76d6ac5a54372a9c811edc9e3b86b2dde11
z=0x1b636df9eef267995d6918047ba3bafca25f693a47ff73c7c0d500cd4aa9783a
With k2 = k1 + 1. sorry......I can't recovery private key for this 2 rsz my result: k1 = 0 k2 = 1 Recovered Bitcoin public key: 028629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404 Bitcoin Address: 1Ln1NYjtCamBG2UZDTKcHqcaNLP8TUrKFe Recovered Bitcoin public key: 0395c632a7af384a67104afd5b6a4a5d882e782d232519c59084f0744d08093876 Bitcoin Address: 1P5TaCC8ZQohntb3NwRXQE5zFzB2De2Dvz show your private key .. ?? |
|
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
June 25, 2024, 08:39:34 PM |
|
# rsz 1
r=0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410
s=0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808
z=0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b
# rsz 2
r=0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2
s=0xe14e5906641085412561a083c002b76d6ac5a54372a9c811edc9e3b86b2dde11
z=0x1b636df9eef267995d6918047ba3bafca25f693a47ff73c7c0d500cd4aa9783a
With k2 = k1 + 1. sorry......I can't recovery private key for this 2 rsz my result: k1 = 0 k2 = 1 Recovered Bitcoin public key: 028629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404 Bitcoin Address: 1Ln1NYjtCamBG2UZDTKcHqcaNLP8TUrKFe Recovered Bitcoin public key: 0395c632a7af384a67104afd5b6a4a5d882e782d232519c59084f0744d08093876 Bitcoin Address: 1P5TaCC8ZQohntb3NwRXQE5zFzB2De2Dvz show your private key .. ?? You try bruteforce 02d7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410 ? |
[
|
|
|
jacky19790729
Jr. Member
Offline
Activity: 71
Merit: 8
|
|
June 25, 2024, 09:14:59 PM |
|
# rsz 1
r=0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410
s=0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808
z=0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b
# rsz 2
r=0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2
s=0xe14e5906641085412561a083c002b76d6ac5a54372a9c811edc9e3b86b2dde11
z=0x1b636df9eef267995d6918047ba3bafca25f693a47ff73c7c0d500cd4aa9783a
You try bruteforce 02d7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410 ? no....bruteforce nonce k , that is impossible It's seem use 1 rsz convert to 2 rsz even know that k2 = k1 + 1 I still can't recovery private key |
|
|
|
|
jacky19790729
Jr. Member
Offline
Activity: 71
Merit: 8
|
|
June 25, 2024, 09:56:31 PM
Last edit: June 27, 2024, 06:08:49 AM by jacky19790729 |
|
# rsz 1
r=0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410
s=0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808
z=0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b
# rsz 2
r=0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2
s=0xe14e5906641085412561a083c002b76d6ac5a54372a9c811edc9e3b86b2dde11
z=0x1b636df9eef267995d6918047ba3bafca25f693a47ff73c7c0d500cd4aa9783a
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
def inv(a):
return pow(a, N - 2, N)
r1 = 0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410
s1 = 0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808
z1 = 0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b
HA = 0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410 * inv(0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2)
HA = HA % N
print("HA: %064x" % HA )
r2 = 0xafc4670c63a5677641ba51b0eb413f7d8be3cfeb100f2c2097eb57dd673d58c2 * HA
s2 = 0xe14e5906641085412561a083c002b76d6ac5a54372a9c811edc9e3b86b2dde11 * HA
z2 = 0x1b636df9eef267995d6918047ba3bafca25f693a47ff73c7c0d500cd4aa9783a * HA
z2 = z2 - s2
r2 = r2 % N
s2 = s2 % N
z2 = z2 % N
print("r1= 0x%064x " % r1 )
print("s1= 0x%064x " % s1 )
print("z1= 0x%064x " % z1 )
print("r2= 0x%064x " % r2 )
print("s2= 0x%064x " % s2 )
print("z2= 0x%064x " % z2 )
output: HA: e809a06f968e72e232e96f55e26f809d22d922681acca6904f12c4ba1b53018d r1 = 0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410 s1 = 0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808 z1 = 0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b r2= 0xd7232c0eed9a80a6e53d74b57d80cd892816b46c69157f8e543ee76dc21f8410 s2= 0xe6665792427b98ebd93cd43f694e03383c84af34b00e5f471c5cec5a24541808 z2= 0xc3479c8d5591597a4b12018ccacd0215528e584aa18125d63fac5c0c0c92588b r1 = r2 , s1 = s2 , z1 = z2 .......Your 2 rsz are from the same rsz |
|
|
|
|
|
