Post
Topic
Board Development & Technical Discussion
Re: I found a method to reverse public keys to private keys
by
mcdouglasx
on 12/02/2025, 01:04:04 UTC
There have already been examples, what other proof do you need?

Reviewing their code, just to clarify, the trick seems to be that the signed message includes the nonce concatenated as part of the string. Somehow, the OP extracts the nonce from here, which allows them to derive the private key. In short, their code generates vulnerable signatures. The nonce should never be included in the message of a signature because it is a catastrophic vulnerability.

Code:
import os
import random  # Mersenne Twister PRNG, not a CSPRNG (module-level imports the snippet relies on)

    def generate_signatures(self, priv, num_signatures=10):
        sigs = []
        for _ in range(num_signatures):
            # nonce drawn from random.randrange (Mersenne Twister), BIT_RANGE set elsewhere in the OP's script
            nonce = random.randrange(1, 2**BIT_RANGE)
            # the nonce is concatenated into the string that gets signed
            note = str(os.urandom(25)) + str(nonce)
            msg = bytes(note, 'utf-8')
            private_key, public_key = self.make_keypair(priv)  # computed but never used
            r, s, z = self.sign_message(priv, msg, nonce)
            sigs.append((z, r, s))
        return sigs

Nice observation,
you are correct,
but my trick also works with a 256-bit random nonce if we have enough signatures.

There is no such trick. If I create a script in a vulnerable way, I can obviously take advantage of it for my own case and context, but it is useless for Bitcoin. Consequently, if you need these conditions to be met for your method to work, then no, you are not violating Bitcoin; you are just checking the vulnerabilities of your own implementation of custom signatures, where the nonce is concatenated to the message and which uses Mersenne Twister, which is well known to be cryptographically unsafe due to its ability to be predicted.

A real test would be to work on signatures created using processes that comply with security standards. To start with, you can limit the nonce to 200 bits, but only that, without any other strange modifications.
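Added example (not the OP's code and not part of the post above): this script reproduces the pattern of the quoted generate_signatures() routine, where str(nonce) is appended to the signed message, and then shows why that is fatal. Given s = k^-1 (z + r*d) mod n, anyone who knows k can solve d = (s*k - z) * r^-1 mod n from a single signature. secp256k1 arithmetic and a textbook ECDSA signer are written inline so it runs offline with the standard library; the OP's sign_message, make_keypair and BIT_RANGE are not available here, so the equivalents are assumptions. The nonce is drawn with 256 bits from the secrets module to match the OP's claim that the trick survives full-size random nonces.

```python
"""
Added example: recovering an ECDSA private key when the nonce k is leaked by
being concatenated into the signed message. Not the OP's code.
"""
import hashlib
import os
import re
import secrets

# secp256k1 domain parameters (the Bitcoin curve constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def scalar_mult(k, point=G):
    """Double-and-add scalar multiplication k*point."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def sign(priv, msg, nonce):
    """Textbook ECDSA over sha256(msg) with a caller-supplied nonce (assumed stand-in
    for the OP's sign_message); returns (r, s, z) with no low-s normalisation."""
    z = int.from_bytes(hashlib.sha256(msg).digest(), "big") % N
    r = scalar_mult(nonce)[0] % N
    s = pow(nonce, -1, N) * (z + r * priv) % N
    assert r and s, "degenerate nonce; pick another"
    return r, s, z


def make_vulnerable_signature(priv, bits=256):
    """Same pattern as the quoted generate_signatures(): the nonce is appended to the
    message, so the signed data itself carries k. Nonce here is full 256-bit random."""
    nonce = secrets.randbelow(2**bits - 1) + 1
    note = str(os.urandom(25)) + str(nonce)   # <-- the leak
    msg = note.encode("utf-8")
    r, s, z = sign(priv, msg, nonce)
    return msg, (r, s, z)


def nonce_from_message(msg):
    """str(os.urandom(25)) is a bytes repr that ends in a quote character, so the
    trailing run of decimal digits in the message is exactly str(nonce)."""
    return int(re.search(rb"(\d+)$", msg).group(1))


def recover_private_key(msg, sig, pub):
    """d = (s*k - z) * r^-1 mod n. Both s and n-s are tried so a low-s normalised
    signature (as Bitcoin requires) is handled too; the candidate is checked against pub."""
    r, s, z = sig
    k = nonce_from_message(msg)
    for s_candidate in (s, N - s):
        d = (s_candidate * k - z) * pow(r, -1, N) % N
        if scalar_mult(d) == pub:
            return d
    return None


def demo():
    """Fresh random key, one leaked-nonce signature, key recovered: returns True."""
    priv = secrets.randbelow(N - 1) + 1
    pub = scalar_mult(priv)
    msg, sig = make_vulnerable_signature(priv)
    return recover_private_key(msg, sig, pub) == priv


if __name__ == "__main__":
    print("private key recovered from a single signature:", demo())
```

One signature is enough; the 256-bit nonce size and the number of signatures are irrelevant once k is readable from the message. Without that leak, the same formula needs k, which is exactly what a standards-compliant signer (RFC 6979 deterministic nonces or a CSPRNG, never the random module) keeps secret.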