What is vusi?
vusi is a Rust library and CLI for detecting ECDSA signature vulnerabilities and recovering private keys from flawed signatures. If two signatures share a nonce (same r value), the private key is mathematically recoverable - vusi automates this detection and extraction.

Attack Types
Nonce Reuse (default)
The classic ECDSA failure. When two signatures use the same nonce k, the private key can be recovered using (all arithmetic modulo the curve order n, with s and z taken from either of the two signatures in the second formula):
- k = (z1 - z2) / (s1 - s2)
- privkey = (s * k - z) / r
vusi groups signatures by (r, pubkey), detects reuse, and recovers the key.
Polynonce (feature-gated)
Detects polynomial relationships between nonces across multiple signatures. Requires --features polynonce.
Biased Nonce (feature-gated)
Lattice-based attack for nonces with known bit bias. Uses LLL reduction via rug. Requires --features biased-nonce.

Planned Attacks
More attack types are tracked on GitHub and in active development:
- LCG nonce detection - predictable nonces from linear congruential generators
- Related nonce attack - exploiting algebraic relationships between nonces
- Half-half attack - single-signature key recovery under specific conditions
- Side-channel timing detection - identifying timing leaks in signature generation
See open issues: https://github.com/oritwoen/vusi/issues

How It Works
1. Feed signatures as JSON or CSV (auto-detected)
2. Each signature needs: r, s, z (message hash) as decimal strings, optional pubkey
3. vusi groups by shared r values and runs the selected attack
4. Outputs recovered private keys with confidence score (1.0 if pubkey known, 0.8 otherwise)

Usage
# Analyze from file
vusi analyze signatures.json
# Analyze from stdin
echo '[{"r":"...","s":"...","z":"..."}]' | vusi analyze
# JSON output
vusi --json analyze signatures.json
Input format (JSON):
[
  {
    "r": "6819641642398...",
    "s": "5111069398017...",
    "z": "4834837306435...",
    "pubkey": null
  }
]
Exit codes: 0 = clean, 1 = vulnerabilities found, 2 = error.

Validation
All input values are strictly validated - no leading zeros, no values >= secp256k1 order n, decimal strings only. Test vectors use real Bitcoin transaction 89380c9fb072cbb5... with mathematically verified key recovery.
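
The validation rules, the grouping by (r, pubkey) and the two nonce-reuse formulas above, worked end to end as an added Python example (not vusi's own code, which is Rust). The function names and the sample data are assumptions made for illustration; the sample r is a constructed stand-in rather than a real curve x-coordinate, which the algebra does not depend on.

```python
import json
from collections import defaultdict

# secp256k1 group order n
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def parse_scalar(text):
    # Validation rules stated above: decimal string, no leading zeros, value < n
    if not (isinstance(text, str) and text.isascii() and text.isdigit()):
        raise ValueError("decimal strings only")
    if len(text) > 1 and text[0] == "0":
        raise ValueError("leading zero")
    if int(text) >= N:
        raise ValueError("value >= curve order n")
    return int(text)

def load(text):
    sigs = []
    for row in json.loads(text):
        r, s, z = (parse_scalar(row[f]) for f in ("r", "s", "z"))
        if r == 0 or s == 0:  # ECDSA requires r, s in [1, n-1]
            raise ValueError("r and s must be non-zero")
        sigs.append((r, s, z, row.get("pubkey")))
    return sigs

def recover(a, b):
    # k = (z1 - z2) / (s1 - s2), privkey = (s1*k - z1) / r, all mod n
    (r, s1, z1, _), (_, s2, z2, _) = a, b
    if s1 == s2:
        return None  # same signature seen twice: no equation to solve
    k = (z1 - z2) * pow((s1 - s2) % N, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N

def audit(sigs):
    groups = defaultdict(list)
    for sig in sigs:
        groups[(sig[0], sig[3])].append(sig)  # key: (r, pubkey)
    findings = []
    for (r, _), members in groups.items():
        keys = {recover(members[0], m) for m in members[1:]} - {None}
        findings += [{"r": r, "signatures": len(members), "privkey": d} for d in keys]
    return findings

def constructed_input(d=0xC0FFEE, k=0x1234567, r=0xABCDEF0123):
    # Constructed sample: s = k^-1 * (z + r*d) mod n; r is a stand-in, not x(k*G)
    rows = [{"r": str(r), "s": str(pow(k, -1, N) * (z + r * d) % N),
             "z": str(z), "pubkey": None} for z in (1111, 2222)]
    rows.append({"r": "777", "s": "888", "z": "999", "pubkey": None})  # unique r
    return json.dumps(rows)
```

Calling audit(load(constructed_input())) reports one finding for the repeated r and none for the signature with a unique r; any finding on production signing logs means the key must be treated as exposed and rotated.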

Part of unsek ecosystem
vusi is part of unsek - a cryptographic security research framework:
- vuke - Vulnerable key generation research (brainwallet, PRNG, derivation bugs)
- kangaroo - Pollard's Kangaroo ECDLP solver (GPU)
- boha - Crypto puzzle & bounty data library
- shaha - Hash database builder + reverse lookup
- vgen - Vanity address generator (GPU)

Links
- GitHub: https://github.com/oritwoen/vusi
- crates.io: https://crates.io/crates/vusi
- Docs: https://docs.rs/vusi
- DeepWiki: https://deepwiki.com/oritwoen/vusi
Feedback, issues and PRs welcome.