Showing 20 of 35 results by stilichovandal
Board Development & Technical Discussion
Re: exponentially increase a database of sequential ordered public keys(brute-force)
by stilichovandal on 15/12/2024, 14:58:19 UTC
I ran the below command and the BabyStep.bf file overwrites after it reached 2GB, could this be a bug?

./Bigdb -bs 1000000000

It's not a bug, it's normal!

How can I create a database with 1,000,000,000 or bigger?
Board Development & Technical Discussion
Re: exponentially increase a database of sequential ordered public keys(brute-force)
by stilichovandal on 15/12/2024, 04:47:24 UTC
I ran the below command and the BabyStep.bf file overwrites after it reached 2GB, could this be a bug?

./Bigdb -bs 1000000000
Board Development & Technical Discussion
Re: Solving ECDLP with Kangaroos - Part 1, 2
by stilichovandal on 11/12/2024, 15:18:48 UTC
Update: final part #3 (RCKangaroo) is ready and will be released shortly.

Thank you,
Board Development & Technical Discussion
Re: What is exactly Randstorm vulnerability?
by stilichovandal on 24/07/2024, 03:36:58 UTC
I spent some time on it and here is what I understand.

Indeed Math.random() is called when a private key is generated; however, it's called many times in a loop. The result of Math.random() varies because the state variable used in Math.random() varies every time it's called. (The implementation of Math.random() depends on the browser.)

Code:
while (rng_pptr < rng_psize) {  // extract some randomness from Math.random()
    t = Math.floor(65536 * Math.random());
    rng_pool[rng_pptr++] = t >>> 8;
    rng_pool[rng_pptr++] = t & 255;
}

This in turn is mixed with the millisecond timestamp of when the key is generated. I think there could be a small space to search when we know the exact time of key generation; otherwise, I assume that the keyspace is too large to search.

Board Development & Technical Discussion
Re: Randstorm-for-puzzle
by stilichovandal on 30/05/2024, 18:41:51 UTC
I have already tried all possible timestamps for the 32 BTC Puzzle with this method from

start_datetime = datetime(2010, 1, 1, 0, 0, 0)
end_datetime = datetime(2015, 1, 15, 19, 7, 14)

unfortunately, this puzzle was not created with that tool.


But you can try all other BTC addresses that have a positive balance using the same method.

Good luck.

I am still working to implement math.random() as it was used in the older version of browsers.
Chrome and Firefox had slightly different methods.

Do you already have its implementation?
Board Development & Technical Discussion
Topic OP
Randstorm-for-puzzle
by stilichovandal on 17/05/2024, 16:17:19 UTC
Hi all,

I want to present my work-in-progress project, i.e., to try using the Randstorm vulnerability for solving the puzzle.

Link to the Git repo.

https://github.com/Stilichov/Randstorm-for-puzzle

The idea is that, between 2010 and 2015, many exchanges and websites relied on BitcoinJS-lib v0.1.3 for Bitcoin wallet generation. The issue was that many browsers didn't use window.crypto.random, which led to entropy being collected from Math.random().
The Bitcoin Challenge Transaction was created in 2015, and the wallets were created with Math.random().

I am still trying to replicate the vulnerable Math.random() functions used in the older versions of the browsers.

While the project is still work in progress, I welcome your feedback and ideas to implement the old Math.random() functions.

Board Development & Technical Discussion
Merits 2 from 2 users
Re: Faster computations on secp160k1 than lambda and beta, because of gcd(p-1,n-1)
by stilichovandal on 28/04/2024, 12:07:31 UTC
⭐ Merited by vjudeu (1), hugeblack (1)
When we have secp256k1, the gcd between "p-1" and "n-1" is equal to 6. It means that using lambda and beta is all we can do, because the other factors are different, so it is hard to map private and public keys. However, when it comes to secp160k1, it seems to be different:
Code:
p=0xfffffffffffffffffffffffffffffffeffffac73
n=0x0100000000000000000001b8fa16dfab9aca16b6b3
print(factor(p-1))
print(factor(n-1))
print(gcd(p-1,n-1))
This is the output:
Code:
2 * 3 * 5 * 7 * 113 * 61588775277324185343602394973294691093621473
2 * 3 * 5 * 8837 * 42918291593381467397 * 128449012680369359431471
30
Which means that if the greatest common divisor is equal to 30 instead of 6, then it should be possible to get a better speedup than by using lambda and beta alone. If so, then what does this "efficiently computable endomorphism" look like for secp160k1? Because using lambda and beta from secp256k1 and changing the constants to secp160k1 will obviously give some results, but if the divisor is 30 instead, then I guess those equations are different, and it is possible to create a faster implementation. Am I right? Do you know how to get those equations where gcd is bigger than 6?

That's a great find. How does working with secp160k1 help secp256k1? Is there a way to map one to the other?

Below are the endomorphism values for p and n; I am trying to figure out how to get the equations.
p=0xfffffffffffffffffffffffffffffffeffffac73
[1, 116413238536967823204912062004448726737640720821, 1192671444047713143517039375510234845319976240753, 320568492332623811159581411922637138849485810267, 170033768725603827466154123598115574507330393474, 888563150828732192317477979643480826024658399499, 459808123412383666504375194171595673260619233000, 506013106973151716048837162345055484894245883380, 756739066376840291689464290814729327749587999038, 914082931336101346080276401800062193637040619652, 888563150828732192317477979643480826024658399498, 343394884875415843299463132167146946522978512179, 774843300256341490735482619551103659225907196918, 436170574044216480529882878892092188900102188771, 744049162610497518614122278201946619129710226178, 1461501637330902918203684832716283019651637554290, 1345088398793935094998772770711834292913996833470, 268830193283189774686645457206048174331661313538, 1140933144998279107044103420793645880802151744024, 1291467868605299090737530709118167445144307160817, 572938486502170725886206853072802193626979154792, 1001693513918519251699309638544687346391018321291, 955488530357751202154847670371227534757391670911, 704762570954062626514220541901553691902049555253, 547418705994801572123408430916220826014596934639, 572938486502170725886206853072802193626979154793, 1118106752455487074904221700549136073128659042112, 686658337074561427468202213165179360425730357373, 1025331063286686437673801953824190830751535365520, 717452474720405399589562554514336400521927328113]


n=0x0100000000000000000001b8fa16dfab9aca16b6b3
[1, 1408470634914903571732066888580417336645162873119, 708713767398721337809629107989760271137717787930, 1151796019543683584915212041505571206301361534252, 41278637720562416563498774273562198366106105008, 69796346552658733766475001267285041190029755381, 459366475837133574597979692431231491490457423387, 719990520318696333937754171078776164365241746857, 595911485914207747779051672558094670244251938235, 780348846544327904014579629185545903813779011634, 69796346552658733766475001267285041190029755380, 512397478253132921069599719021683880242453713839, 11276752919974996128125063089015893227523958927, 905617103701427081067526546223393189340049567554, 739070208823765487451080854911983705447672906626, 1461501637330902918203686915170869725397159163570, 53031002415999346471620026590452388751996290452, 752787869932181580394057807181109454259441375641, 309705617787219333288474873665298519095797629319, 1420222999610340501640188140897307527031053058563, 1391705290778244184437211913903584684207129408190, 1002135161493769343605707222739638233906701740184, 741511117012206584265932744092093561031917416714, 865590151416695170424635242612775055152907225336, 681152790786575014189107285985323821583380151937, 1391705290778244184437211913903584684207129408191, 949104159077769997134087196149185845154705449732, 1450224884410927922075561852081853832169635204644, 555884533629475837136160368947476536057109596017, 722431428507137430752606060258886019949486256945]



Board Development & Technical Discussion
Re: Can someone provide 3 examples of r,s,z and nonce data?
by stilichovandal on 26/04/2024, 23:31:54 UTC
Thank you for your answer. What are nonces?
I need them for tests and I need to know the nonces...
Br

Pubkey =  02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
puzzle #120

---
k1      =  0x00000000000000000000000000000000025d46d0bccbc08eafa03912b3f2c206
r1      =  0x890895144c4a40cd18126d1ce6534e03ab909c8c3692f1cc108fec8e2e4dea97
s1      =  0x51bc4ff0a414d66113e354a7070f47eba8ab76035e776ed2123c7d5ee991b800
z1      =  0xf11d940943f16b4117aea030d0b0cf7f6781e99f2babe05daa574a10b072bc44

k2      =  0x00000000000000000000000000000000029c9ececdceab18cfba91146e5ded7e
r2      =  0x2e772d6ea8cd5dc0b4f06a5f4e5ea057cb65b27a820acb0df711e2855052193f
s2      =  0x83e65d972d090e8d975e5ed99f55c9bbc20fcf692344cf847f3639f4ff026d63
z2      =  0x625ed03aa7e42bb1f65e5546861807a0a52fc52cb20a6b4bdc32b2028e70904b

k3      =  0x000000000000000000000000000000000141bf2eb7b3d7b7b5bbf78d4f28bcda
r3      =  0xb32f2f28d07cd0a9cc139905e1875379b9349fd21ccb838e380215afa5f26eac
s3      =  0x15d30ec6841a4e59bbb87bfc11ebf7cab78b5eb2e5ce742ebe7d07a060ebfc5b
z3      =  0x3677c07287e8742faf74b964476405f1f153466b26234b3461b268ee00676ce8


121 bits: with 3 r,s,z, use LLL_nonce_leakage.py; you can find the private key in about 1~2 seconds.


Thank you!!!!


But there is no logic with such a big nonce; can you generate r,s,z with a nonce of 2**30 or less, for example, for the #120 puzzle pubkey?



Oh, your r,s,z works in my script.


('K(pubkey)', (7629256135660504971600927553074108133507503631055291753784190722374696861083 : 25194535474527288837776266966493444390702606185675650052918194213452675896875 : 1)):

('BP', (114224221225710244008833485319885360327960624386540578738397512880450404677861 : 72429032990058375812461306873221236352211543024398501719746160220160202723318 : 1))
sys:1: DeprecationWarning: use the method .hex instead
See https://trac.sagemath.org/26756 for details.

('BP*i', (94396044595232036512156845067099144740980476962933515336874287249977680693713 : 103748817412717866899495297471464484401437733019173646860487930588615334617081 : 1))
('stride', 61982023939864607551350919997648825866663898650636854501024779331813868694167, 'hex r', '890895144c4a40cd18126d1ce6534e03ab909c8c3692f1cc108fec8e2e4dea97', 'r %n:', '890895144c4a40cd18126d1ce6534e03ab909c8c3692f1cc108fec8e2e4dea97')
('start range', 109059656781699855293660303596617595953680596646633396165073266196958837652548)
yes!!!
('Found real k:', 3142775905973132413425035830673719814, 'i', 'i%n', 3142775905973132413425035830673719814, 'hex i%n', '25d46d0bccbc08eafa03912b3f2c206')
('i / stride', 108201930346108686079071460207770997208299616649283473366433152632256227467196)

can you please provide the link to the code you used to get this ?
Board Development & Technical Discussion
Re: Private key recovery with 120 bit nonce leakage possible?
by stilichovandal on 26/04/2024, 22:19:14 UTC
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2, the minimum needed.

The result is tested and can be verified with https://github.com/bitlogik/lattice-attack yourself too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know 120 bits of the nonce.
E.g.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????

The question is, is it possible to get a private key for this?
How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F? What method are you using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359??????????????????????????????????


It is not possible to calculate it from the x value, i.e. r. I have generated r myself and hence I know the actual nonce.
Board Development & Technical Discussion
Re: Private key recovery with 120 bit nonce leakage possible?
by stilichovandal on 26/04/2024, 19:28:51 UTC
Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know 120 bits of the nonce.
E.g.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????

The question is, is it possible to get a private key for this?

If you have only one signature,
I think it is the same difficulty as Puzzle #136 but with the public key known.


I should have been clearer. Yes, I have the signature and associated public key used to sign the message.
Board Development & Technical Discussion
Re: Private key recovery with 120 bit nonce leakage possible?
by stilichovandal on 26/04/2024, 12:46:44 UTC
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2, the minimum needed.

The result is tested and can be verified with https://github.com/bitlogik/lattice-attack yourself too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know 120 bits of the nonce.
E.g.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that the nonce starts with E036153289470F858562CC4DAA5359??????????????????????????????????

The question is, is it possible to get a private key for this?
Board Development & Technical Discussion
Topic OP
Private key recovery with 120 bit nonce leakage possible?
by stilichovandal on 26/04/2024, 00:59:33 UTC
Hi,

I have a hypothetical scenario where I know precisely 120 bits (out of 256) of the nonce used to create the signature for a transaction.

There is only one transaction available.


Is it possible to recover the private key for this?

I assume that a lattice attack is not possible as we need more than one signature; what other possible attacks are available in this scenario?
Board Development & Technical Discussion
Re: Searching for K nonce
by stilichovandal on 24/04/2024, 13:49:35 UTC
noob question.

how do you calculate stride?

is there a script for it or more explanation on how it can be calculated?

It looks like stride is the r signature.
Board Development & Technical Discussion
Re: Searching for K nonce
by stilichovandal on 24/04/2024, 13:43:05 UTC
noob question.

how do you calculate stride?

is there a script for it or more explanation on how it can be calculated?
Board Development & Technical Discussion
Re: ECDSA 1/k
by stilichovandal on 18/04/2024, 14:12:02 UTC
Added new information
d1=(k1*s1-z1)/r1
k1=(d1*r1+z1)/s1
r1=(k1*s1-z1)/d1
s1=(d1*r1+z1)/k1
z1=k1*s1-d1*r1

Any ideas if we have another signature?

d2=k1^(n-2)-1
k2=k1^(n-2)
r2=(k2*s2-z2)/d2
s2=(d2*r2+z2)/k2
z2=k2*s2-d2*r2


I don't understand the question here.

Are you saying k1, i.e. the x coordinate, and the k2 x coordinate are inverses of each other? Or the actual nonces are inverses?
Board Development & Technical Discussion
Re: Calculating K nonce
by stilichovandal on 09/04/2024, 21:14:09 UTC
Running this on a GPU will be much faster. Let me see if I can write a CUDA program for this.


wow. Thank you. Please do. I still feel 6 weeks is too long though. I just got lucky.


Can you please explain the logic behind this? A GPU can probably reduce that to a few days. You can PM me if needed.
Board Development & Technical Discussion
Re: Calculating K nonce
by stilichovandal on 08/04/2024, 15:47:17 UTC
Running this on a GPU will be much faster. Let me see if I can write a CUDA program for this.

Board Development & Technical Discussion
Re: Nonce k k+1
by stilichovandal on 23/03/2024, 19:34:11 UTC
I don't actually have any range. It looked small to me.
So do you know a way to understand the relationship between two nonces?

If there were an easy way to find the relationship between 2 nonces, it would break the ECDSA.
Board Development & Technical Discussion
Re: Nonce k k+1
by stilichovandal on 23/03/2024, 17:49:01 UTC
Let's see it with an example,

R = k * G mod N

Where k is the random number, G is the Gen point, and N is the order of the curve.

If I take  k randomly = 633cbe3ec02b9401c5effa144c5b4d22f87940259634858fc7e59b1c09937852

k* G = 02e9d4436e5e57ac598594faf9a04b8edc69a04096863ef4bd5a27dfcdc8c89fed (compressed)

(k+1) * G = 0313e264d56097d32b38e23c6218b951ed02a684dccee5036388df1e6b94b5417a

The difference between them is enormous. I don't know numbers that generate consecutive public keys with slight differences.

When you say slight difference, how small is it? Do you have a range?
Board Development & Technical Discussion
Re: Nonce k k+1
by stilichovandal on 22/03/2024, 18:31:28 UTC
If R1 and R2 are close to each other, it does not mean k and k+1 are used.