Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: Reuse Nonce Faulty Sig Attack (Read 166 times)

krashfire
jr. member
Activity: 96
Merit: 6
Life aint interesting without any cuts and bruises
Reuse Nonce Faulty Sig Attack
January 21, 2023, 11:17:08 AM
#6
Quote from: BlackHatCoiner on January 19, 2023, 02:15:07 PM
Quote from: ymgve2 on January 19, 2023, 12:08:38 PM
The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key.
Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?

Right?! Waste my time in researching his method. And I don't know why no one is calling this "professor" out yet. Felt scammed. Geez... 😂
BlackHatCoiner
legendary
Activity: 1344
Merit: 6415
Farewell, Leo
Re: Reuse Nonce Faulty Sig Attack
January 19, 2023, 02:15:07 PM
#5
Quote from: ymgve2 on January 19, 2023, 12:08:38 PM
The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key.
Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?
ymgve2
full member
Activity: 161
Merit: 230
Re: Reuse Nonce Faulty Sig Attack
January 19, 2023, 12:08:38 PM
#4
Quote from: pooya87 on January 19, 2023, 12:40:52 AM
You can't just increment h and s!
H is the hash of the message and is not predictable let alone be incrementable and s is computed using k, h, r, d so again it is also no incrementable.

The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong.

The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key. As OP have finally noticed, you can't create faulty signatures without the private key, so this attack means nothing if you already only have a single, valid, signature.

OP: Any kind of manipulation of an existing signature will create two linearly dependent signatures, which in practice is just the same as having a single signature. You can't use the info in the article to get a private key out of a single good signature in any way.
pooya87
legendary
Activity: 3402
Merit: 10424
Re: Reuse Nonce Faulty Sig Attack
January 19, 2023, 12:40:52 AM
#3
You can't just increment h and s!
H is the hash of the message and is not predictable let alone be incrementable and s is computed using k, h, r, d so again it is also no incrementable.

The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong.
COBRAS
member
Activity: 814
Merit: 20
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
Re: Reuse Nonce Faulty Sig Attack
January 18, 2023, 08:18:30 PM
#2
R or Sci not remember exact is like public key. So ..
krashfire
jr. member
Activity: 96
Merit: 6
Life aint interesting without any cuts and bruises
Re: Reuse Nonce Faulty Sig Attack
January 18, 2023, 02:31:19 PM
#1
In this article,
https://medium.com/asecuritysite-when-bob-met-alice/ecdsa-signatures-can-be-cracked-with-one-good-signature-and-one-bad-one-2d8bc71949e9

Author incremented the R signature.

Which I find quite difficult coz this method also requires you knowing the priv key to calculate for the faulty s signature. So my question is...

How can I safely increment the S and Hash value?

I tried

Code:
sf= sig.s + 1
hf= h +1

Obviously, Its wrong. Coz the private key does not correspond to the correct address.


How do increment the S and H signatures
Correctly so I can find out the K and X Value?

Because I assume if I can correctly increment the signatures of S and H. I can solve K. When I solve K=nonce, I get D=Private Key.

Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: