Ninjastic
PostEdited versionsQuotes to this post
Post was edited
 3 months ago (view)
Post
Topic
Board Development & Technical Discussion
Merits 2 from 1 user
Re: is it possible to figure out how k was chosen?
by
CrunchyF
on 19/04/2025, 22:15:28 UTC
⭐ Merited by Cricktor (2)
Surprisingly the way to generate the k from 1LN4yp6rQALjwg53SKsi44teq1fp2v5wqR doesn't seems weak.

This my method to say that

Step 1 :
recovered every tx signed by 1LN4yp6rQALjwg53SKsi44teq1fp2v5wqR (total sent136 BTC!!!!)
Step2 :
identified the two input where  r==b42646001435ec60a40982735c4e73d31be13d0086be394eaf5ce10b0f38f689
Step 3:
recovered k for this two input  with nonce reused formula
Code:
k=((Z1-Z2)*modinv((S1-S2),N))%N
Code:
priv=((k*S1-Z1)*modinv(R1,N))%N

this is the result:
Code:
k=26475164152595312352287465285862042771800478662956312110460154998405937836058 (base10)
Code:
priv=28608884601749819904852249207473436882265395560722309163084982020290971201593 (base10)

But 1 sample of k is too low to see a patern or some biased entropy so  I made the assumption that every k was generate with the same (probably) weak RNG.

Step 4:
recovered every k for 1LN4yp6rQALjwg53SKsi44teq1fp2v5wqR (priv = 28608884601749819904852249207473436882265395560722309163084982020290971201593) with this formula
Code:
k=(R*priv+Z)*modinv(S,N)


there is 675 different k for 1LN4yp6rQALjwg53SKsi44teq1fp2v5wqR
removed the one the two duplicate ( not to false entropy)

Step 5 : used a bunch of rng testing statiscal test from this google repo :
http://[code]https://github.com/google/paranoid_crypto[/code]

this is the result (p values of tests)
!! A bad p_value is very low (for ex 10e-7)
(0.7526555431379823, 'Frequency')
(0.8922205625150528, 'LongestRuns')
(0.17401029065157583, 'Runs')
(0.09841635668060003, 'BinaryMatrixRank')
(0.133636, 'LargeBinaryMatrixRank_64_*_64')
(0.711212, 'LargeBinaryMatrixRank_128_*_128')
(0.711212, 'LargeBinaryMatrixRank_256_*_256')
(0.13004210277109796, 'OverlappingTemplateMatching')
(0.9204344990860858, 'UniversalImpl1')
(0.7418997106144236, 'UniversalImpl2')
(0.9851583654051379, 'LinearComplexity_dist')
(0.32331377641368286, 'LinearComplexity_extreme')
(0.5797307681237995, 'ApproximateEntropy_0')
(0.7235022428413989, 'ApproximateEntropy_1')
(0.6577288253868533, 'ApproximateEntropy_2')
(0.49821641104893855, 'ApproximateEntropy_3')
(0.6156687031532114, 'ApproximateEntropy_4')
(0.45974516471567906, 'ApproximateEntropy_5')
(0.21884604607320576, 'ApproximateEntropy_6')
(0.2414807578348784, 'ApproximateEntropy_7')
(0.15020972293729182, 'ApproximateEntropy_8')
(0.18459092265541552, 'Spectral')
(0.4303553446832167, 'RandomWalk_0')
(0.7000550793665439, 'RandomWalk_1')
(0.7229207109153853, 'LatticeFindBias')


The latest test is the more important and perform a Lattice Reduction with samples of k. It is very powerful to identify a bias in a lcg or a lot of weak prng (according to this docs of the library :https://github.com/google/paranoid_crypto/blob/main/docs/ecdsa_signature_tests.md