Author Topic: Bitcoin weak transaction nonce question  (Read 387 times)
rdenkye (OP)
December 26, 2024, 08:38:24 PM
 #1

Hello,
I have 2 questions.
First: can a wallet with at least 10 pairs of transactions with only 5 characters in common in the R value be cracked with a lattice attack or a similar method?

Second: for a single pair, the probability is approximately 1 in a million; how can it happen 10 times?

I cannot create R in such a pattern even if I want to, by giving a weak k (nonce) value. How could this have happened?

(I apologize for my translation English.)
farou9
December 27, 2024, 01:44:09 AM
 #2

Even if the R values have 30 characters in common, it's useless, because the r value is really just the x value of the public key of the nonce used. Whatever characters the Rs of the transactions have in common, in reality their nonces could be randomly apart: the first one could have 20 quadrillion between it and the second, then the next 45345 billion, etc. The points are completely unpredictable because of the mathematics behind their construction.
rdenkye (OP)
December 27, 2024, 01:50:49 AM
 #3

Again, because of the math behind it, it's impossible for this to happen. But it did happen. The question is: if the probability of a 5-character match in two txs is 1 in 1 million, how can this happen 10 times?
pooya87
December 27, 2024, 03:27:50 AM
 #4

It may be obvious, but are you sure that you are looking at the R value when you were checking those transactions and their signatures? You see, signatures are encoded using DER encoding, and there are certain bytes added in that which are always the same (e.g. 4730440220, which is [stack size][sequence tag][sequence length][int tag][int length]).

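The check pooya87 describes, as an added example that is not part of any post in the thread: a small Python parser that splits a signature push into its DER fields, so that r values are compared on their own rather than through the fixed framing bytes. The three signatures are constructed sample values, not data from any transaction, and the function names are this example's own.

```python
# Added example: parse a scriptSig signature push so that r is compared on
# its own, without the fixed DER framing bytes. All sample data is constructed.

def read_der_int(buf, pos):
    """Read one DER INTEGER starting at buf[pos]; return (value, next_pos)."""
    if pos + 2 > len(buf) or buf[pos] != 0x02:
        raise ValueError("expected INTEGER tag 0x02 at offset %d" % pos)
    length = buf[pos + 1]
    end = pos + 2 + length
    if length == 0 or end > len(buf):
        raise ValueError("bad INTEGER length at offset %d" % pos)
    return int.from_bytes(buf[pos + 2:end], "big"), end

def parse_sig_push(push_hex):
    """[push len][0x30][seq len][int r][int s][sighash] -> (r, s, sighash)."""
    raw = bytes.fromhex(push_hex)
    if len(raw) < 9 or raw[0] != len(raw) - 1:
        raise ValueError("push length does not match data")
    if raw[1] != 0x30 or raw[2] != len(raw) - 4:
        raise ValueError("bad SEQUENCE header")
    r, pos = read_der_int(raw, 3)
    s, pos = read_der_int(raw, pos)
    if pos != len(raw) - 1:
        raise ValueError("unexpected bytes after s")
    return r, s, raw[-1]

def shared_prefix_len(a, b):
    """Number of leading characters two strings have in common."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n

def r_hex(push_hex):
    """r as a fixed-width 64-digit hex string."""
    return format(parse_sig_push(push_hex)[0], "064x")

# Constructed signatures (r and s are filler bytes, not real signature values).
SIG_A = "4730440220" + "11" * 32 + "0220" + "22" * 32 + "01"
SIG_B = "4730440220" + "5c" * 32 + "0220" + "33" * 32 + "01"
# r with its top bit set gets a 0x00 pad byte: framing becomes 48 30 45 02 21.
SIG_C = "483045022100" + "aa" * 32 + "0220" + "22" * 32 + "01"

if __name__ == "__main__":
    print("raw prefix shared by A and B:", shared_prefix_len(SIG_A, SIG_B))
    print("r prefix shared by A and B:  ", shared_prefix_len(r_hex(SIG_A), r_hex(SIG_B)))
    print("r of C:", r_hex(SIG_C))
```
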
rdenkye (OP)
December 27, 2024, 03:39:52 AM
Last edit: December 28, 2024, 09:41:49 PM by Mr. Big
 #5

Quote from: pooya87
It may be obvious, but are you sure that you are looking at the R value when you were checking those transactions and their signatures? You see, signatures are encoded using DER encoding, and there are certain bytes added in that which are always the same (e.g. 4730440220, which is [stack size][sequence tag][sequence length][int tag][int length]).


Yes, I am an expert in these areas and I develop software that performs mass vulnerability scanning.

Let me give you the full statistics:
- There are fewer than 200 outgoing Tx.
- In 32 pairs, 5 characters match in the same character order.
- In 1 pair, 6 characters match.

This cannot be a coincidence, but I cannot understand how it can be.


I both check online and confirm, and I also query the database directly.

Sample rsz and nonce :)
https://prnt.sc/uMK3pg7M5N5N



Quote from: pooya87
It may be obvious, but are you sure that you are looking at the R value when you were checking those transactions and their signatures? You see, signatures are encoded using DER encoding, and there are certain bytes added in that which are always the same (e.g. 4730440220, which is [stack size][sequence tag][sequence length][int tag][int length]).

K: 31907037269755274359319072740750448760229601659665891328416497670755906520033
R: 7BCF7CCABE56F54B6B53B8663318BD0ADCD8B 0007A87 2A299BD83919F69BAC34
                                                                           p00yA87

Actually something comes to my mind.
In transactions lasting 2 years.
1000 btc volume.
A patient and humorous person,
or there was a factor that caused this order.


pooya87
December 27, 2024, 05:42:23 AM
 #6

Quote from: rdenkye
K: 31907037269755274359319072740750448760229601659665891328416497670755906520033
R: 7BCF7CCABE56F54B6B53B8663318BD0ADCD8B 0007A87 2A299BD83919F69BAC34
                                                                           p00yA87
That was funny :D

But in all seriousness, with a Google search of the transactions I extracted from the address you posted in the screenshot above, I found this: https://gist.github.com/jgilmour/6215961, which contains a list of similarly broken R values generated from a broken random number generator on Android. As you can see, it is not "5 characters"; it is a reused k value generating the same R.

I believe it is related to this warning from 2013
https://bitcoin.org/en/alert/2013-08-11-android


rdenkye (OP)
December 27, 2024, 05:48:39 AM
 #7

No, that's not the address; that was just to say I'm not new to the r topic.
And I purposely chose the example address from a topic you responded to.

I'm not writing the actual address because it still has a lot of BTC.

https://bitcointalk.org/index.php?topic=5433479.0 (try1 = picture)

There is no known vulnerability at the address in question. There is only this situation that I discovered.
pooya87
December 27, 2024, 06:03:52 AM
 #8

Uh, OK. In that case it is hard to analyze it and know what truly is going on. 5 characters (assuming hex) is only 20 bits (out of 256), and its repetition doesn't really tell you much about what has happened; it may not even be anything broken that helps to solve the equation and find the private key.

iceland2k14
December 27, 2024, 05:32:59 PM
 #9

A lattice attack is possible only when you have some common values in K. Here you are talking about R, which has already gone through the curve. Now what makes it special is that even when there is some leakage in K, you can't detect it by looking at R. So those R values might all have a strong K, you never know.
Another interesting fact: that it is happening for the same address means it has either something to do with the K generation of a special wallet for making transactions, or someone did it manually. But why?
In reality, the same 5 chars on many different R values means (if you take the analogy of the Kangaroo algo) it is with DP20, which can only happen approximately once for every 2^20 different K values.

So the real question is why someone would make Tx selecting only those K values, which in general happens with a 1 in 1 million chance.
odolvlobo
December 27, 2024, 07:48:19 PM
Last edit: December 27, 2024, 07:58:40 PM by odolvlobo
 #10

Quote from: rdenkye
K: 31907037269755274359319072740750448760229601659665891328416497670755906520033
R: 7BCF7CCABE56F54B6B53B8663318BD0ADCD8B 0007A87 2A299BD83919F69BAC34
                                                                           p00yA87

I'm far from being an expert in this subject.

Isn't the probability of finding "?00?A87" in a random 64-digit hex string 0.00553%?

How many R values did you search for that sequence? The probability of finding "?00?A87" in 100,000 random strings would be 99.6%.

Check my math.


Join an anti-signature campaign: Click ignore on the members of signature campaigns.
PGP Fingerprint: 6B6BC26599EC24EF7E29A405EAF050539D0B2925 Signing address: 13GAVJo8YaAuenj6keiEykwxWUZ7jMoSLt
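A worked check of the figures in odolvlobo's post, as an added example that is not part of the thread. It also goes one step beyond the post and estimates how many aligned 5-digit matches to expect among pairs of values, assuming R values behave as uniform random 64-digit hex strings and that a match means the same contiguous run at the same offset; the function names are this example's own.

```python
# Added example: check the figures in the post above and extend them to the
# pair-matching question. Assumes R values are uniform random 64-digit hex
# strings and that a "match" is a contiguous run at the same offset.
import random
from collections import Counter
from math import comb

def p_pattern_in_string(fixed_digits, pattern_len, string_len=64):
    """Chance a pattern with `fixed_digits` fixed hex digits occurs in one
    random string (sum over start offsets; overlaps are negligible here)."""
    return (string_len - pattern_len + 1) / 16 ** fixed_digits

def p_at_least_once(p, trials):
    """Chance of at least one success in `trials` independent attempts."""
    return 1 - (1 - p) ** trials

def expected_aligned_hits(n_values, window=5, string_len=64):
    """Expected (pair, offset) hits where two of n random strings share the
    same `window` digits at the same offset."""
    return comb(n_values, 2) * (string_len - window + 1) / 16 ** window

def count_aligned_hits(hex_strings, window=5):
    """Count (pair, offset) hits in actual data, for comparison."""
    seen = Counter()
    for h in hex_strings:
        for off in range(len(h) - window + 1):
            seen[(off, h[off:off + window])] += 1
    return sum(comb(c, 2) for c in seen.values())

def simulate(n_values=200, runs=200, seed=1):
    """Average hit count over `runs` sets of random 256-bit values."""
    rng = random.Random(seed)  # simulation only, never use for key material
    total = 0
    for _ in range(runs):
        vals = [format(rng.getrandbits(256), "064x") for _ in range(n_values)]
        total += count_aligned_hits(vals)
    return total / runs

if __name__ == "__main__":
    p = p_pattern_in_string(fixed_digits=5, pattern_len=7)   # "?00?A87"
    print("one string: %.5f%%" % (100 * p))
    print("100,000 strings: %.1f%%" % (100 * p_at_least_once(p, 100_000)))
    print("expected aligned 5-digit hits among 200 values: %.2f"
          % expected_aligned_hits(200))
    print("simulated average: %.2f" % simulate())
```

`count_aligned_hits` can be run on a real list of R values (as 64-digit hex strings) and compared against `expected_aligned_hits` for the same number of values.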
rdenkye (OP)
December 28, 2024, 12:12:52 AM
Last edit: December 28, 2024, 12:30:43 AM by rdenkye
 #11

Quote from: odolvlobo
Quote from: rdenkye
K: 31907037269755274359319072740750448760229601659665891328416497670755906520033
R: 7BCF7CCABE56F54B6B53B8663318BD0ADCD8B 0007A87 2A299BD83919F69BAC34
                                                                           p00yA87

I'm far from being an expert in this subject.

Isn't the probability of finding "?00?A87" in a random 64-digit hex string 0.00553%?

How many R values did you search for that sequence? The probability of finding "?00?A87" in 100,000 random strings would be 99.6%.

Check my math.



Should be lower.
Hexadecimal number.
16 possibilities and 7 characters in its character.
2^16 = 268,435,456 possibilities are also 1.
Everyone can learn by scanning.

But I did not scan.
I went in the opposite direction with the help of Lagrange interpolation.
With the help of this, I created a golden formula that can reach the result directly for certain modular numbers. Then I created it with a direct formula using this.

Anyway, the secp256k1 curve was chosen because it was weak. They fooled people by saying it was fast. Someone knew its weakness since the day it was published. They said no one else can solve it. The traces in the wallet in question are proof of this. Our big brother Satoshi was already an NSA officer.

Just kidding, of course I scanned. Everyone relax.
AbadomRSZ
December 31, 2024, 12:10:19 AM
 #12

Quote from: rdenkye
Hello,
I have 2 questions.
First: can a wallet with at least 10 pairs of transactions with only 5 characters in common in the R value be cracked with a lattice attack or a similar method?

Second: for a single pair, the probability is approximately 1 in a million; how can it happen 10 times?

I cannot create R in such a pattern even if I want to, by giving a weak k (nonce) value. How could this have happened?

(I apologize for my translation English.)




Where is the address?
rdenkye (OP)
January 01, 2025, 09:04:09 PM
 #13

Quote from: AbadomRSZ
Quote from: rdenkye
Hello,
I have 2 questions.
First: can a wallet with at least 10 pairs of transactions with only 5 characters in common in the R value be cracked with a lattice attack or a similar method?

Second: for a single pair, the probability is approximately 1 in a million; how can it happen 10 times?

I cannot create R in such a pattern even if I want to, by giving a weak k (nonce) value. How could this have happened?

(I apologize for my translation English.)




Where is the address?

The wallet must remain secure.
There are many patterns in R values, I am sharing some patterns for better understanding.

https://prnt.sc/hHPWbppNhfvl
dexizer7799
January 03, 2025, 10:46:26 AM
Last edit: January 04, 2025, 10:49:59 AM by Mr. Big
 #14

Quote from: rdenkye
Hello,
I have 2 questions.
First: can a wallet with at least 10 pairs of transactions with only 5 characters in common in the R value be cracked with a lattice attack or a similar method?

Second: for a single pair, the probability is approximately 1 in a million; how can it happen 10 times?

I cannot create R in such a pattern even if I want to, by giving a weak k (nonce) value. How could this have happened?

(I apologize for my translation English.)

Here is a pattern script to recover the private key: https://crypto.stackexchange.com/questions/102514/recovering-nonce-in-ecdsa-with-known-shared-components-in-ecdsa



Quote from: rdenkye
Hello,
I have 2 questions.
First: can a wallet with at least 10 pairs of transactions with only 5 characters in common in the R value be cracked with a lattice attack or a similar method?

Second: for a single pair, the probability is approximately 1 in a million; how can it happen 10 times?

I cannot create R in such a pattern even if I want to, by giving a weak k (nonce) value. How could this have happened?

(I apologize for my translation English.)

There is also a lattice attack for that: https://jsur.in/posts/2021-07-25-ijctf-2021-ecsign-writeup
Pablo-wood
January 04, 2025, 06:22:44 PM
Merited by fillippone (1)
 #15

Quote from: rdenkye
Hello,
I have 2 questions.
First: can a wallet with at least 10 pairs of transactions with only 5 characters in common in the R value be cracked with a lattice attack or a similar method?

Lattice attacks are effective against cryptographic systems where the nonce is reusable or predictable. So in a scenario where the transactions have 5 characters in common, it will be much easier for attackers to exploit potential weaknesses.

Just like in your given scenario, an attacker can collect enough samples (in the case study here, 10), then apply a technique known as lattice reduction algorithms (like the lattice-based attack) to find the nonce k and possibly recover the private key. In conclusion, having multiple transactions with 5 characters in common in the R value poses a potential risk.

Quote
I cannot create R in such a pattern even if I want to, by giving a weak k (nonce) value. How could this have happened?

This could be due to:
  • Nonce reuse
  • Attacker's control
  • Poor implementation of the random number generator


