Author

Topic: Nonce reuse fault attack on secp256k1 (Read 191 times)

full member
Activity: 161
Merit: 230
December 09, 2022, 07:56:31 PM
#6
Do you know what the word "fault" implies?

Take a closer look at the code, especially this part:

Code:
# Now generate a fault
rf = sig.r+1
sf=(libnum.invmod(k,order)*(h+priv1*rf)) % order

To do this attack with this example code, you need to already know the private key to generate the faulty sf value.
member
Activity: 127
Merit: 14
Life aint interesting without any cuts and bruises
December 09, 2022, 06:51:33 PM
#5
You said "crack any wallet" though. Fault attacks can not be used to crack any wallet. They can only be used when you have some amount of control over the system that signs/creates a wallet at the moment of signing/creation.



Alright... Are you here to argue with me on what's the word used or would you like to blame the author for the word used?  Have you actually tried this method? I understand your meaning and the general meaning of fault attack.

HOWEVER, that's what the author of this website claim it is.

SO... despite of the choice of words used..

What or how can I modify this script so that it accepts my r, s, h and public key inputs?

Quote

#python fault.py
Message: Hello
k: 2377122631336757091406456643105226705197917127899304611236234685727643570878493 8957571817458862979584232284037410229596452277879610955286764320595345098952800 839149842089242517072957658427855833009982523662157423292631792006806365
Sig 1 (Good): r=41552918092331466876589119583071324014922831660434505150350778883250206623908, s=103219685505031464720805837014021801697332755430913759423777864063262658295904
Sig 2 (Faulty): r=41552918092331466876589119583071324014922831660434505150350778883250206623909, s=30990528248984818891301551608571623728524592243310248921245102910474460702403

Generated private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792

Recovered private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792
full member
Activity: 161
Merit: 230
December 09, 2022, 03:41:55 PM
#4
You said "crack any wallet" though. Fault attacks can not be used to crack any wallet. They can only be used when you have some amount of control over the system that signs/creates a wallet at the moment of signing/creation.
member
Activity: 127
Merit: 14
Life aint interesting without any cuts and bruises
December 09, 2022, 03:32:50 PM
#3
Yeah. Agreed. I was thinking the same thing.. Click the link. The author too call it fault attack.

Hmm maYbe I should edit the subject of this topic.
full member
Activity: 161
Merit: 230
December 09, 2022, 03:22:59 PM
#2
Fault attacks means you induce hardware faults during the creation of the wallet/keys/signatures. It is completely useless for attacking pre-existing wallets/transactions.
member
Activity: 127
Merit: 14
Life aint interesting without any cuts and bruises
December 09, 2022, 02:46:00 PM
#1
Hi, I was wondering whether anyone had tried Nonce Reuse fault attack on SECP256K1.

It seems so much easier to crack any wallet with this attack. Read here> https://asecuritysite.com/ecdsa/ecd7

I had tried lattice attack on my wallet address for 5 weeks now. It works but really slow.

I am considering starting a new attack for my research. Your inputs are greatly appreciated.

How can i modify this script to accept my R,S,H and public keys ? Please help. Thank You so much.  Cheesy



Code is here.

Quote

import ecdsa
import random
import libnum
import hashlib
import sys


G = ecdsa.SECP256k1.generator
order = G.order()

priv1 = random.randrange(1,order)
 
Public_key = ecdsa.ecdsa.Public_key(G, G * priv1)
d = ecdsa.ecdsa.Private_key(Public_key, priv1)

k = random.randrange(1, 2**127)

msg="Hello"

if (len(sys.argv)>1):
   msg=(sys.argv[1])



h = int(hashlib.sha256(msg.encode()).hexdigest(),base=16)
sig = d.sign(h, k)


r,s = sig.r,sig.s

# Now generate a fault
rf = sig.r+1
sf=(libnum.invmod(k,order)*(h+priv1*rf)) % order

k = h*(s-sf) * libnum.invmod(sf*r-s*rf,order)


valinv = libnum.invmod( (sf*r-s*rf),order)

dx =(h*(s-sf)* valinv) % order

print(f"Message: {msg}")
print(f"k: {k}")

print(f"Sig 1 (Good): r={r}, s={s}")
print(f"Sig 2 (Faulty): r={rf}, s={sf}")

print (f"\nGenerated private key: {priv1}")
print (f"\nRecovered private key: {dx}")

Result is here.

Quote
#python fault.py
Message: Hello
k: 2377122631336757091406456643105226705197917127899304611236234685727643570878493 8957571817458862979584232284037410229596452277879610955286764320595345098952800 839149842089242517072957658427855833009982523662157423292631792006806365
Sig 1 (Good): r=41552918092331466876589119583071324014922831660434505150350778883250206623908, s=103219685505031464720805837014021801697332755430913759423777864063262658295904
Sig 2 (Faulty): r=41552918092331466876589119583071324014922831660434505150350778883250206623909, s=30990528248984818891301551608571623728524592243310248921245102910474460702403

Generated private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792

Recovered private key: 89452984132331904393121726602673115409896713988677951449044374033056235521792

Jump to: