Author

Topic: Reuse Nonce Faulty Sig Attack (Read 190 times)

member
Activity: 127
Merit: 14
Life aint interesting without any cuts and bruises
January 21, 2023, 10:17:08 AM
#6
The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key.
Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?

Right?! Waste my time in researching his method. And I don't know why no one is calling this "professor" out yet. Felt scammed. Geez... 😂
legendary
Activity: 1512
Merit: 7340
Farewell, Leo
January 19, 2023, 01:15:07 PM
#5
The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key.
Correct me if I'm wrong, but the author generates two signatures using the same k. Sig 1 (the good) and Sig 2 (the faulty). So with s1 != s2, r1 = r2, which is one equation away from working out d. Then, for some reason, he increases r2 by 1 (as we can see in his test), and recovers the private key. My question is: what's different? We know that reusing k can make an attacker calculate the private key. Why adding up 1 in r2?
full member
Activity: 162
Merit: 230
January 19, 2023, 11:08:38 AM
#4
You can't just increment h and s!
H is the hash of the message and is not predictable let alone be incrementable and s is computed using k, h, r, d so again it is also no incrementable.

The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong.

The article is about fault injection, where a faulty signature (in this case, made with a r value that's different from what it should be) and a valid signature is used to extract the private key. As OP have finally noticed, you can't create faulty signatures without the private key, so this attack means nothing if you already only have a single, valid, signature.

OP: Any kind of manipulation of an existing signature will create two linearly dependent signatures, which in practice is just the same as having a single signature. You can't use the info in the article to get a private key out of a single good signature in any way.
legendary
Activity: 3472
Merit: 10611
January 18, 2023, 11:40:52 PM
#3
You can't just increment h and s!
H is the hash of the message and is not predictable let alone be incrementable and s is computed using k, h, r, d so again it is also no incrementable.

The article also makes little sense to me, since you can't have the same k but different r values since r is computed using k (multiplied by G) meaning rf should be equal to r already otherwise it is computed from a different k value which means the equations used there are all wrong.
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
January 18, 2023, 07:18:30 PM
#2
R or Sci not remember exact is like public key. So ..
member
Activity: 127
Merit: 14
Life aint interesting without any cuts and bruises
January 18, 2023, 01:31:19 PM
#1
In this article,
https://medium.com/asecuritysite-when-bob-met-alice/ecdsa-signatures-can-be-cracked-with-one-good-signature-and-one-bad-one-2d8bc71949e9

Author incremented the R signature.

Which I find quite difficult coz this method also requires you knowing the priv key to calculate for the faulty s signature. So my question is...

How can I safely increment the S and Hash value?

I tried

Code:
sf= sig.s + 1
hf= h +1

Obviously, Its wrong. Coz the private key does not correspond to the correct address.


How do increment the S and H signatures
Correctly so I can find out the K and X Value?

Because I assume if I can correctly increment the signatures of S and H. I can solve K. When I solve K=nonce, I get D=Private Key.

Jump to: