Backdoor ve ecdsa | Bitcointalksearch.org

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: Bglhn on April 05, 2024, 10:37:22 AM

Yes, I asked a question and it was deleted. I don't understand why.
I've been searching on the internet, but I still haven't figured out how to use the leaked parts.

hi use leaked parts for matrix GF[2],but bitcoin is a GF[7] using a GF[2] very interesting moment.

And I not understand what scryt find in final ? You know answer ? I ask openai and hi tell me what scrypt use for matrix differet r,s from different privkey-message pairs.... You undertand this momennt ?

First, instead of s_i be just chunks of S, we set s_i to be the result of a vector-matrix multiplication over GF(2) s_i := S*[M]. Here [M] is a public matrix constructed from the message being signed m, with dimensions chosen so that s_i is only a few bits long. To reconstruct S from s_i, the backdoor designer just solves a linear system of equations over GF(2). The advantage here is that this method is resistant to loss of some s_i, and the order in which s_i are recovered does not matter. Also, the backdoor designer gets immediate feedback on how many bits are still to be guessed from S!

Bglhn

newbie

Activity: 30

Merit: 0

Yes, I asked a question and it was deleted. I don't understand why.
I've been searching on the internet, but I still haven't figured out how to use the leaked parts.

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: Bglhn on April 03, 2024, 04:14:25 PM

Hello friends.
I came across a source code on github. backdoor ecdsa. I displayed it with the rsz values I discovered. but I couldn't make any sense. What exactly are the leaked values and what do they do? Does anyone have knowledge about this?

https://github.com/oreparaz/backdoor-ecdsa.git

Author was delete repo

If someone interested, forked linck:

https://github.com/Hurd8x/backdoor-ecdsa

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Someone really think , what without signing, sending coins or sending message from victim to attacker this code can be work ?

if this code can work we can make fake publick key with some bits of victim publick key/private key,yes ?

how ?

looks like this code , like a LLL dream.... LLL not work because all k in sighhnatuses have no 256 bit !

odolvlobo

legendary

Activity: 4466

Merit: 3391

Quote from: Bglhn on April 04, 2024, 02:39:38 AM

So how can I find the value of b? Trial and error method for example? Is b an integer?

It is clearly stated that b is chosen by the attacker. Your questions indicate to me that it might help to learn more about cryptography before tackling the details of this subject.

Bglhn

newbie

Activity: 30

Merit: 0

Quote from: iceland2k14 on April 04, 2024, 12:29:22 AM

In a similar way I have a simulation script in python https://github.com/iceland2k14/rsz/blob/main/LLL_nonce_leakage.py where some Random signatures are prepared with Leakage in 128 bits and then assuming they are are from Real Tx, they are solved using LLL reduction to print the PrivateKey.

can I use your script with real values? I couldn't find a way.

Quote from: odolvlobo on April 03, 2024, 05:35:57 PM

In short, the attacker influences the selection of the nonce in such a way that a portion of a secret can be derived from each signature.

The secret to be leaked can be anything, but it is just a random value in the example code:

Code:

secret_to_leak = randscalar()

The nonce, k, is computed by multiplying a small portion, s_i, of the secret, S, by a value, b, known only to the attacker. Since b is known by the attacker and s_i is a small value, k and s_i can be recovered. k = s_i * b obfuscates the fact that k is not random.

So how can I find the value of b? Trial and error method for example? Is b an integer?

iceland2k14

jr. member

Activity: 36

Merit: 68

In a similar way I have a simulation script in python https://github.com/iceland2k14/rsz/blob/main/LLL_nonce_leakage.py where some Random signatures are prepared with Leakage in 128 bits and then assuming they are are from Real Tx, they are solved using LLL reduction to print the PrivateKey.

odolvlobo

legendary

Activity: 4466

Merit: 3391

In short, the attacker influences the selection of the nonce in such a way that a portion of a secret can be derived from each signature.

The secret to be leaked can be anything, but it is just a random value in the example code:

Code:

secret_to_leak = randscalar()

The nonce, k, is computed by multiplying a small portion, s_i, of the secret, S, by a value, b, known only to the attacker. Since b is known by the attacker and s_i is a small value, k and s_i can be recovered. k = s_i * b obfuscates the fact that k is not random.

Bglhn

newbie

Activity: 30

Merit: 0

Hello friends.
I came across a source code on github. backdoor ecdsa. I displayed it with the rsz values I discovered. but I couldn't make any sense. What exactly are the leaked values and what do they do? Does anyone have knowledge about this?

https://github.com/oreparaz/backdoor-ecdsa.git

Topic: Backdoor ve ecdsa (Read 212 times)