Hello everyone,
I made a discovery regarding some transactions from about 10 years ago. I will try to be as clear as possible about the situation.
A P2PKH address that I will name Ax:
1AxP2pkhFakeAddressExamplexxxx
Some P2PKH addresses that I will name:
A1 : 1A1P2pkhFakeAddressExample1
A2 : 1A2P2pkhFakeAddressExample2
A3 : 1A3P2pkhFakeAddressExample3
A4 : 1A4P2pkhFakeAddressExample4
A5 : 1A5P2pkhFakeAddressExample5
A6 : 1A6P2pkhFakeAddressExample6
A7 : 1A7P2pkhFakeAddressExample7
A8 : 1A8P2pkhFakeAddressExample8
Addresses A1, A2, A3, A4, A5, A6, A7, A8 sent approximately 100 BTC to Ax (1AxP2pkhFakeAddressExamplexxxx) through several transactions, for example:
Trx 1:
Ax : 1AxP2pkhFakeAddressExamplexxxx
A1 : 1A1P2pkhFakeAddressExample1
A2 : 1A2P2pkhFakeAddressExample2 >>> 1AxP2pkhFakeAddressExamplexxxx
A3 : 1A3P2pkhFakeAddressExample3
A4 : 1A4P2pkhFakeAddressExample4
Trx 2:
Ax : 1AxP2pkhFakeAddressExamplexxxx
A5 : 1A5P2pkhFakeAddressExample5
A6 : 1A6P2pkhFakeAddressExample6 >>> 1AxP2pkhFakeAddressExamplexxxx
A7 : 1A7P2pkhFakeAddressExample7
A8 : 1A8P2pkhFakeAddressExample8
Trx 3:
A1 : 1A1P2pkhFakeAddressExample1 >>> 1AxP2pkhFakeAddressExamplexxxx
Trx 4:
A2 : 1A2P2pkhFakeAddressExample2 >>> 1AxP2pkhFakeAddressExamplexxxx
Trx 5:
A3 : 1A3P2pkhFakeAddressExample3 >>> 1AxP2pkhFakeAddressExamplexxxx
Trx 6:
A4 : 1A4P2pkhFakeAddressExample4 >>> 1AxP2pkhFakeAddressExamplexxxx
Ax reused the same nonce r=00df8 in multiple signatures, which compromised the private key. Some addresses like A1, A2, and others also reused exactly the same nonce r as Ax (r=00df8). As a result, addresses A1, A2, A3 are compromised. However, I am struggling to recover them, although these addresses are empty. On the other hand, certain addresses like A3 and A4 reused the same nonce r=0074c when sending to Ax, without ever sharing the same nonce as Ax.
In addresses like A3 and A4, along with others, there is a total of about 4.50 BTC dormant.
Possible explanation: The nonces are generated by a random number generator whose state is stored in a virtual machine snapshot. After some time, the machine was restored to a previous snapshot and restarted. Then, after a few more days, the machine was restored to that same state, causing the nonces to repeat. The addresses are mathematically linked.
Question:
I would like to know, of course, if the addresses that reused nonces like A3 and A4 are compromised?
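The failure mode in the "Possible explanation" above, next to the standard mitigation, as an added example that is not part of the original post: nonces drawn from an RNG whose state is restored from a snapshot repeat across boots, while RFC 6979 derives k from the private key and the message hash. The seed, keys and messages are constructed; `random.Random` only stands in for the restored RNG state, and a single SHA-256 stands in for the transaction sighash.

```python
import hashlib
import hmac
import random

# secp256k1 group order (public curve constant)
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def _hmac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()

def rfc6979_nonce(priv: int, msg_hash: bytes) -> int:
    """Derive k per RFC 6979 section 3.2 (HMAC-SHA256, 256-bit group order)."""
    x = priv.to_bytes(32, "big")                                    # int2octets
    h1 = (int.from_bytes(msg_hash, "big") % N).to_bytes(32, "big")  # bits2octets
    v, k = b"\x01" * 32, b"\x00" * 32
    k = _hmac(k, v + b"\x00" + x + h1)
    v = _hmac(k, v)
    k = _hmac(k, v + b"\x01" + x + h1)
    v = _hmac(k, v)
    while True:
        v = _hmac(k, v)
        cand = int.from_bytes(v, "big")
        if 1 <= cand < N:
            return cand
        k = _hmac(k, v + b"\x00")   # candidate out of range: update and retry
        v = _hmac(k, v)

def snapshot_rng_nonces(snapshot_seed: int, count: int) -> list:
    """Model of a signer whose RNG state comes from a restored snapshot."""
    rng = random.Random(snapshot_seed)  # stand-in for restored state, not a CSPRNG
    return [rng.randrange(1, N) for _ in range(count)]

def shared_nonces(seed: int, boot1: list, boot2: list) -> tuple:
    """Count nonces common to two boots: (snapshot RNG, RFC 6979)."""
    rnd = set(snapshot_rng_nonces(seed, len(boot1))) & set(snapshot_rng_nonces(seed, len(boot2)))
    det1 = {rfc6979_nonce(d, hashlib.sha256(m).digest()) for d, m in boot1}
    det2 = {rfc6979_nonce(d, hashlib.sha256(m).digest()) for d, m in boot2}
    return len(rnd), len(det1 & det2)

# Constructed sample: (private key, message) pairs signed after each restore.
BOOT1 = [(0x1111, b"constructed tx 1"), (0x2222, b"constructed tx 2")]
BOOT2 = [(0x3333, b"constructed tx 3"), (0x4444, b"constructed tx 4")]

if __name__ == "__main__":
    print(shared_nonces(2014, BOOT1, BOOT2))
```

With the snapshot model, different keys end up signing with the same k after each restore, which is the cross-address repetition of r described in the post; the RFC 6979 derivation gives each (key, message) pair its own k regardless of RNG state.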