Author

Topic: Backdoor ve ecdsa (Read 224 times)

member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
April 05, 2024, 10:55:30 AM
#9
Yes, I asked a question and it was deleted. I don't understand why.
I've been searching on the internet, but I still haven't figured out how to use the leaked parts.


hi use leaked parts for matrix GF[2],but bitcoin is a GF[7] using a GF[2] very interesting moment.

And  I not understand what scryt find in final ? You know answer ? I ask openai and hi tell me what scrypt use for matrix differet r,s from different privkey-message pairs.... You undertand this momennt ?

First, instead of s_i be just chunks of S, we set s_i to be the result of a vector-matrix multiplication over GF(2) s_i := S*[M]. Here [M] is a public matrix constructed from the message being signed m, with dimensions chosen so that s_i is only a few bits long. To reconstruct S from s_i, the backdoor designer just solves a linear system of equations over GF(2). The advantage here is that this method is resistant to loss of some s_i, and the order in which s_i are recovered does not matter. Also, the backdoor designer gets immediate feedback on how many bits are still to be guessed from S!
newbie
Activity: 30
Merit: 0
April 05, 2024, 10:37:22 AM
#8
Yes, I asked a question and it was deleted. I don't understand why.
I've been searching on the internet, but I still haven't figured out how to use the leaked parts.
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
April 05, 2024, 09:24:57 AM
#7
Hello friends.
I came across a source code on github. backdoor ecdsa. I displayed it with the rsz values I discovered. but I couldn't make any sense. What exactly are the leaked values and what do they do? Does anyone have knowledge about this?

https://github.com/oreparaz/backdoor-ecdsa.git

Author was delete repo

If someone interested, forked linck:


https://github.com/Hurd8x/backdoor-ecdsa

member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
April 04, 2024, 03:56:07 PM
#6
Someone really think , what without signing, sending coins or sending message from victim to attacker this code can be work ?

if this code can work we can make fake publick key with some bits of victim publick key/private key,yes  ?

how ?

looks like this code , like a LLL dream.... LLL not work because all k in sighhnatuses have no 256 bit !
legendary
Activity: 4522
Merit: 3426
April 04, 2024, 02:05:14 PM
#5
So how can I find the value of b? Trial and error method for example? Is b an integer?

It is clearly stated that b is chosen by the attacker. Your questions indicate to me that it might help to learn more about cryptography before tackling the details of this subject.
newbie
Activity: 30
Merit: 0
April 04, 2024, 02:39:38 AM
#4
In a similar way I have a simulation script in python https://github.com/iceland2k14/rsz/blob/main/LLL_nonce_leakage.py  where some Random signatures are prepared with Leakage in 128 bits and then assuming they are are from Real Tx, they are solved using LLL reduction to print the PrivateKey.

can I use your script with real values? I couldn't find a way.

In short, the attacker influences the selection of the nonce in such a way that a portion of a secret can be derived from each signature.

The secret to be leaked can be anything, but it is just a random value in the example code:

Code:
secret_to_leak = randscalar()

The nonce, k, is computed by multiplying a small portion, si, of the secret, S, by a value, b, known only to the attacker. Since b is known by the attacker and si is a small value, k and si can be recovered. k = si * b obfuscates the fact that k is not random.

So how can I find the value of b? Trial and error method for example? Is b an integer?
jr. member
Activity: 37
Merit: 68
April 04, 2024, 12:29:22 AM
#3
In a similar way I have a simulation script in python https://github.com/iceland2k14/rsz/blob/main/LLL_nonce_leakage.py  where some Random signatures are prepared with Leakage in 128 bits and then assuming they are are from Real Tx, they are solved using LLL reduction to print the PrivateKey.
legendary
Activity: 4522
Merit: 3426
April 03, 2024, 05:35:57 PM
#2
In short, the attacker influences the selection of the nonce in such a way that a portion of a secret can be derived from each signature.

The secret to be leaked can be anything, but it is just a random value in the example code:

Code:
secret_to_leak = randscalar()

The nonce, k, is computed by multiplying a small portion, si, of the secret, S, by a value, b, known only to the attacker. Since b is known by the attacker and si is a small value, k and si can be recovered. k = si * b obfuscates the fact that k is not random.
newbie
Activity: 30
Merit: 0
April 03, 2024, 04:14:25 PM
#1
Hello friends.
I came across a source code on github. backdoor ecdsa. I displayed it with the rsz values I discovered. but I couldn't make any sense. What exactly are the leaked values and what do they do? Does anyone have knowledge about this?

https://github.com/oreparaz/backdoor-ecdsa.git
Jump to: