Ninjastic
PostEdited versionsQuotes to this post
Post was deleted
 2 months ago (view)
Post
Topic
Board Development & Technical Discussion
Re: I found a method to reverse public keys to private keys
by
nikolayspb
on 30/04/2025, 16:18:31 UTC
Quote from: dexizer7799 on March 05, 2025, 08:40:34 AM
Test this script, it created by me, this can recover up to 249 bits for up to 256 private key.

https://github.com/dexizer7799/lattice-attack-secp256k1

Below is the translation of the user query from Russian to English, followed by a detailed response in English based on the provided thinking trace.

### Translated Query
"Translate this into English"

Since the query asks for a translation but does not specify what "this" refers to, I assume it pertains to the thinking trace provided, which is a mix of Russian and English discussing a method for recovering private keys in ECDSA signatures. However, as the instruction is to answer the query using the thinking trace and provide a complete, self-contained response, I will interpret the task as translating the key concepts of the thinking trace into English and explaining them clearly for the user, focusing on the method, its mechanics, and its applicability.

---

### Response in English

#### Overview of the Private Key Recovery Method
The discussion revolves around a method proposed by a user named *bitcoinend* on the BitcoinTalk forum, aimed at recovering private keys from ECDSA (Elliptic Curve Digital Signature Algorithm) signatures. This method exploits a specific vulnerability: the inclusion of the *nonce* (a random number used in the signature process) within the signed message. By extracting this nonce, one can compute the private key using the components of an ECDSA signature.

#### How the Method Works
In ECDSA, a digital signature consists of two values, **R** and **S**, generated from a private key, a message hash (**Z**), and a nonce (**K**). The private key (**D**) can be derived if the nonce is known, using the formula:

**D = (S * K - Z) / R mod N**

Where:
- **D**: Private key
- **K**: Nonce (random number)
- **Z**: Hash of the message
- **R, S**: Signature components
- **N**: Order of the elliptic curve (for Bitcoin’s secp256k1 curve, a large constant)

The vulnerability arises when the nonce is naively included in the message being signed, such as concatenating it with random data. For example, a Python snippet from the discussion illustrates this flawed approach:

```python
note = str(os.urandom(25)) + str(nonce)  # Nonce appended to random bytes
msg = bytes(note, 'utf-8')               # Message includes nonce
r, s, z = sign_message(priv, msg, nonce) # Signature generated
```

If an attacker can extract the nonce from the signed message, they can plug it into the ECDSA formula along with **R**, **S**, and **Z** to compute the private key. The method requires around 10 such signatures to be effective, especially when the nonce and private key are artificially limited to smaller sizes (e.g., less than 200 bits), far below Bitcoin’s standard 256-bit security.

#### Example Data
The discussion provides sample data to test the method:
- **Public Key (Hex)**: `031f7b4d773de256a16526c6d2226d617e141250272b9f4521acc6db97d0e95cce`
- **Signature 1**:
  - R: `0x3076de63523a586e3f0050c1d0960977f1eaf26803d5dfbd139eec1df30480f2`
  - S: `0x99a06d579865d4e5f608945a668dad03aa64baf1520b21efc2f90971c207f383`
  - Z: `0x8055c4701f995b0c59c86e5c8a93706a7ea424035feec9a8641e8e5a763e7a20`

These examples assume the nonce is embedded in the message, allowing its extraction and subsequent private key calculation.

#### Requirements and Limitations
- **Number of Signatures**: At least 10 signatures are needed, possibly to account for variability or to refine the attack in controlled tests.
- **Size Constraint**: The method works best when the nonce and private key are less than 200 bits, a significant deviation from Bitcoin’s 256-bit standard, making it impractical for real-world scenarios.
- **Non-Standard Practice**: Including the nonce in the message is not part of standard cryptographic protocols and represents a deliberate security flaw introduced for demonstration purposes.

#### Applicability to Bitcoin
In real Bitcoin transactions, this method is largely inapplicable. Bitcoin uses **RFC 6979**, a standard for deterministically generating nonces based on the private key and message, ensuring the nonce is never exposed or reused in a way that could be exploited. This deterministic approach eliminates the vulnerability the method relies on. Forum users, such as *franky1*, challenge its practicality by suggesting tests against early Satoshi Nakamoto transactions (e.g., holding 195 BTC unspent for 15 years), which remain secure, reinforcing that standard Bitcoin implementations are immune to this attack.

#### Comparison to Other Attacks
Unlike lattice-based attacks, which recover private keys from partial nonce leaks and require more signatures (e.g., 71 signatures for a 5-bit leak, 7 for a 56-bit leak), this method claims efficiency with just 10 signatures for a 240-bit nonce. However, its reliance on an exposed nonce limits its relevance compared to more general cryptographic attacks.

#### Community Discussion
The BitcoinTalk thread, active from February 9, 2025, to at least April 30, 2025, includes skepticism and debate. Users question the method’s real-world utility, pointing to its dependence on contrived conditions (small keys, exposed nonces) rather than flaws in Bitcoin’s protocol. Test cases and scripts (e.g., from a GitHub repository) are shared, but the consensus leans toward the method being a theoretical exercise rather than a practical threat.

#### Conclusion
The method proposed by *bitcoinend* demonstrates a way to recover private keys by exploiting a non-standard practice of embedding the nonce in the signed message. It requires around 10 signatures and works effectively with smaller nonce sizes (e.g., <200 bits). However, its applicability is confined to artificial scenarios and does not pose a risk to standard Bitcoin transactions, which adhere to secure nonce generation practices like RFC 6979. The discussion highlights both the creativity of the approach and its practical limitations in the context of real-world cryptography.

---

This response translates and synthesizes the key ideas from the thinking trace into a clear, standalone explanation in English, addressing the method’s mechanics, examples, and relevance while ignoring extraneous details like specific forum page links or redundant test data.