Author

Topic: Small puzzle about ECDSA and other ECC things (Solved) (Read 232 times)

hero member
Activity: 862
Merit: 662
So what was the answer to this puzzle? I mean what did we learn from it exactly?

- Calculate the K value when you have the privatekey
- understand that K nonce is like another privatekey
- Endomorphims
- Use algebra to reorder the equations.
- To use every single hint, or oddly data.
- To search on any search engine available.

Great puzzle Alberto.

I hope to see more of them in future.  Wink

Thank you, I am going to make some of them, but I am not be able to sponsor more prizes like that, but I may add another kind of reward.
copper member
Activity: 1330
Merit: 899
🖤😏
So what was the answer to this puzzle? I mean what did we learn from it exactly?
hero member
Activity: 1220
Merit: 612
OGRaccoon
Great puzzle Alberto.

I hope to see more of them in future.  Wink
hero member
Activity: 862
Merit: 662
How this small puzzle was made.

The following were my objectives.
- Show the importance of K
- Show some math
- Show the properties of Endomorphism
- To make you think outside the box

Steps to make the puzzle...
1.- Search a remarkable address with privatekey in the public Domain
2.- Make a signature for that address
3.- Decode and extract the values of the Signature values ( R, S and Z )
4.- Calculate K with some code in Python or C
5.- Use an endomorphims value of K to generate a new Unused Address
6.- Send the prize to that new Address and publish the Puzzle.


Steps with the Values already used:
  • The remarkable address used was the Address that is generated with the sha256 of an empty string ""

Code
Code:
echo -n |  sha256sum
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855  -

  • The signature used was publish before.
  • The values of that siganture can be easily extracted with a tool that i made
Code:
Final X, Y : c8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9 0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa
Final R: c8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9
Final S: 3fbd468ed282d42df2e32c64e7894abad3471fb06819043948d63660848d1a65
Final Z: ee1842cc42b2cd2dd37415bd7b92fc9380d3324a165f6362a4eedcd93f721e5b
Calculated address: 1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN
Calculated publickey uncompressed: 04a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd5b8dec5235a0fa8722476c7709c02559e3aa73aa03918ba2d492eea75abea235
Calculated publickey compressed: 03a34b99f22c790c4e36b2b3c2c35a36db06226e41c692fc82b8b56ac1c540c5bd

The signature match with the address and it is valid

-----BEGIN BITCOIN SIGNED MESSAGE-----
Easy puzzle with 0.0016 BTC @ https://t.me/keyhunters
-----BEGIN BITCOIN SIGNATURE-----
1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN
G8jtdFo0RCjSNC8p8qoaE/rhNh9k4uhuF2TqNgBEl2fpP71GjtKC1C3y4yxk54lKutNHH7BoGQQ5SNY2YISNGmU=
-----END BITCOIN SIGNATURE-----


  • Calculate K with some code in Python or C

if you askme how to i get the Inverse of the original S value i use a C code, but then i realize that i can use my modmath tool for that:

Code:
./modmath 1 / 0x3fbd468ed282d42df2e32c64e7894abad3471fb06819043948d63660848d1a65
Result: 0xb44ae7316060a9f7af0049effddf65813df443267349cf2a37ca6cb5fb95b4f8

Originaly i use a C code, but it can be more easily to use Python

Code:
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
Sinv = 0xb44ae7316060a9f7af0049effddf65813df443267349cf2a37ca6cb5fb95b4f8
Z = 0xee1842cc42b2cd2dd37415bd7b92fc9380d3324a165f6362a4eedcd93f721e5b
R = 0xc8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9
dA = 0xe3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
K = Sinv *(Z + R*dA) % N
hex(K)


The output:
Code:
>>> hex(K)
'0x414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746'

At this point we are in half way to solve the puzzle.

The math part of th puzzle is to use Algebra to reorder the Signature proof ecuation:

Originally
S = K^-1 * (Z + R *dA ) % N

It was just reorder:
K = S^-1 * (Z + R *dA ) % N

Usually if we already have the private key (dA) then the nonce (K) value is useless but as a practice exercise get the K value of each one of your Transactions is very good learning exercise.

  • To use endomorphims to calcualte some Alternate Address from the K nonce we can use also modmath
Code:
./modmath 0x414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746 x 0xac9c52b33fa3cf1f5ad9e3fd77ed9ba4a880b9fc8ec739c2e0cfc810b51283ce
Result: 0x7191e2fd37f1b8657e471afde6d9bb52a287f33da902423abac278e9f5dcd23d

Then we only need to use a tool like calculatefromkey or some page like https://www.bitaddress.org/ to get the compressed address from that KEY

Now than you already know how the puzzle was made then you know how to solve it, but i wan to show you three approach to solve it.

  • Approach with the Y value.

If you get the RSZ values from the Second signature (Clues signature)

Command:

Code:
./verifymsg -v -a 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C -s "H+a3NLPvRfoVgYgZBhvSiGY1001ylS8D5IjRbkrJ/MjlsSTCZ+rC8OIHyCFRwSHwGtIWx+xGIeR4x3nTpl1FUvY=" -m "$(cat ~/text.txt)"
Final X, Y : e6b734b3ef45fa15818819061bd2886635d34d72952f03e488d16e4ac9fcc8e5 28f7b4f4501644cb0ea9dd09dfb5494b7537aa784518bd2af24c8c8b0b7476f2
Final R: e6b734b3ef45fa15818819061bd2886635d34d72952f03e488d16e4ac9fcc8e5
Final S: b124c267eac2f0e207c82151c121f01ad216c7ec4621e478c779d3a65d4552f6
Final Z: 80b5e209faa552bab934589fbc0d4727eb0431a32218a6f606d9a0486b1a42ec
Calculated address: 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
Calculated publickey compressed: 02ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a
Calculated publickey uncompressed: 04ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa

The signature match with the address and it is valid

-----BEGIN BITCOIN SIGNED MESSAGE-----
Clues
Behind the result of the equations there are some variables that should Be also a secret
Beyond all the discussions, it is worth mentioning that all the possible legacy addresses amount is 2Λ160
Every single Byte counts, how many Bytes have this message?
This is a signed message with ECDSA. There may be some questions about it.
- How do we know the math used in ECDSA is right?
- Can someone cheat or change a signed message made with ECDSA?
- Is it possible for two different messages to have the same signature?
- How can we be sure that the person who signs a message is the real owner of the secret key and not pretending?

AlbertoBSD
-----BEGIN BITCOIN SIGNATURE-----
17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
H+a3NLPvRfoVgYgZBhvSiGY1001ylS8D5IjRbkrJ/MjlsSTCZ+rC8OIHyCFRwSHwGtIWx+xGIeR4x3nTpl1FUvY=
-----END BITCOIN SIGNATURE-----

If you carefully check all the values here you can notice that Y value from the Nonce in the first message is the same tha the Y value of the publickey of the prize adress
You don't belive me? check:

First signaute fragment
Code:
Final X, Y : c8ed745a344428d2342f29f2aa1a13fae1361f64e2e86e1764ea3600449767e9 0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa

Second signature fragment
Code:
Calculated publickey uncompressed: 04ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a0a119788b20caec8a773785c8008eeba3286e35ceb4f7f4df158c280fc338caa

Look carefully, if you don't know nothing about endomorphism you may ask to chatGPT or some other AI, or even ask in a forum, the may point you in the right way to solve it.
At this point if you missed the Y value in those publickeys you may need some glasses (No offence but the values were there visible for everyone)


  • Approach with the keyhunt

Once than you already calculate the K value you can use keyhunt to search it:

Code:
./keyhunt -m address -f target.txt -e -r 414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746
[+] Version 0.2.230507 Satoshi Quest (legacy), developed by AlbertoBSD
[+] Mode address
[+] Endomorphism enabled
[+] Setting search for btc adddress
[+] N = 0x100000000
[+] Range
[+] -- from : 0x414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746
[+] -- to   : 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
[+] Allocating memory for 1 elements: 0.00 MB
[+] Bloom filter for 1 elements.
[+] Loading data to the bloomfilter total: 0.03 MB
[+] Sorting data ... done! 1 values were loaded and sorted
Base key: 414bbbb61505e0304ec9399dff8967ce5619a10e5829d3b06ea44295c4166746
Hit! Private Key: 7191e2fd37f1b8657e471afde6d9bb52a287f33da902423abac278e9f5dcd23d
pubkey: 02ec24fc672cf31509d75fb84d2ae5b2faa862aa54344a2db451e42d620e5eac2a
Address 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
rmd160 498fdccf23d5e95fc5b3b93a4b4c6dcd334f512d
^C

  • Approach with the clues.
Code:
Behind the result of the equations there are some variables that should Be also a secret

This in my indirect way to tell you that you need to search for all the secrets in the equations. What Equations?

Code:
This is a signed message with ECDSA.

Well you need to search what kind of equatios are involved in the ECDSA process, i paste the proper link in the first post

Code:
Every single Byte counts, how many Bytes have this message?

With message i mean all the text that is begin signed in that second signature.
How many bytes it have, did you count it?

The message is 652 bytes, but if you select the characters in a text editor it only select 646 characters that including the Return lines,
Where comes this difference?

Use hexedit :
Code:
00000000   43 6C 75 65  73 0A CE 92  65 68 69 6E  64 20 74 68  65 20 72 65  73 75 6C 74  Clues...ehind the result
00000018   20 6F 66 20  74 68 65 20  65 71 75 61  74 69 6F 6E  73 20 74 68  65 72 65 20   of the equations there
00000030   61 72 65 20  73 6F 6D 65  20 76 61 72  69 61 62 6C  65 73 20 74  68 61 74 20  are some variables that
00000048   73 68 6F 75  6C 64 20 CE  92 65 20 61  6C 73 6F 20  61 20 73 65  63 72 65 74  should ..e also a secret
00000060   0A CE 92 65  79 6F 6E 64  20 61 6C 6C  20 74 68 65  20 64 69 73  63 75 73 73  ...eyond all the discuss
00000078   69 6F 6E 73  2C 20 69 74  20 69 73 20  77 6F 72 74  68 20 6D 65  6E 74 69 6F  ions, it is worth mentio
00000090   6E 69 6E 67  20 74 68 61  74 20 61 6C  6C 20 74 68  65 20 70 6F  73 73 69 62  ning that all the possib
000000A8   6C 65 20 6C  65 67 61 63  79 20 61 64  64 72 65 73  73 65 73 20  61 6D 6F 75  le legacy addresses amou
000000C0   6E 74 20 69  73 20 32 CE  9B 31 36 30  0A 45 76 65  72 79 20 73  69 6E 67 6C  nt is 2..160.Every singl
000000D8   65 20 CE 92  79 74 65 20  63 6F 75 6E  74 73 2C 20  68 6F 77 20  6D 61 6E 79  e ..yte counts, how many
000000F0   20 CE 92 79  74 65 73 20  68 61 76 65  20 74 68 69  73 20 6D 65  73 73 61 67   ..ytes have this messag
00000108   65 3F 0A 54  68 69 73 20  69 73 20 61  20 73 69 67  6E 65 64 20  6D 65 73 73  e?.This is a signed mess
00000120   61 67 65 20  77 69 74 68  20 45 43 44  53 41 2E 20  54 68 65 72  65 20 6D 61  age with ECDSA. There ma
00000138   79 20 62 65  20 73 6F 6D  65 20 71 75  65 73 74 69  6F 6E 73 20  61 62 6F 75  y be some questions abou
00000150   74 20 69 74  2E 0A 2D 20  48 6F 77 20  64 6F 20 77  65 20 6B 6E  6F 77 20 74  t it..- How do we know t
00000168   68 65 20 6D  61 74 68 20  75 73 65 64  20 69 6E 20  45 43 44 53  41 20 69 73  he math used in ECDSA is
00000180   20 72 69 67  68 74 3F 0A  2D 20 43 61  6E 20 73 6F  6D 65 6F 6E  65 20 63 68   right?.- Can someone ch
00000198   65 61 74 20  6F 72 20 63  68 61 6E 67  65 20 61 20  73 69 67 6E  65 64 20 6D  eat or change a signed m
000001B0   65 73 73 61  67 65 20 6D  61 64 65 20  77 69 74 68  20 45 43 44  53 41 3F 0A  essage made with ECDSA?.
000001C8   2D 20 49 73  20 69 74 20  70 6F 73 73  69 62 6C 65  20 66 6F 72  20 74 77 6F  - Is it possible for two
000001E0   20 64 69 66  66 65 72 65  6E 74 20 6D  65 73 73 61  67 65 73 20  74 6F 20 68   different messages to h
000001F8   61 76 65 20  74 68 65 20  73 61 6D 65  20 73 69 67  6E 61 74 75  72 65 3F 0A  ave the same signature?.
00000210   2D 20 48 6F  77 20 63 61  6E 20 77 65  20 62 65 20  73 75 72 65  20 74 68 61  - How can we be sure tha
00000228   74 20 74 68  65 20 70 65  72 73 6F 6E  20 77 68 6F  20 73 69 67  6E 73 20 61  t the person who signs a
00000240   20 6D 65 73  73 61 67 65  20 69 73 20  74 68 65 20  72 65 61 6C  20 6F 77 6E   message is the real own
00000258   65 72 20 6F  66 20 74 68  65 20 73 65  63 72 65 74  20 6B 65 79  20 61 6E 64  er of the secret key and
00000270   20 6E 6F 74  20 70 72 65  74 65 6E 64  69 6E 67 3F  0A 0A 41 6C  62 65 72 74   not pretending?..Albert
00000288   6F 42 53 44                                                                   oBSD

If you see the Values of the characters and check for printable Characters maybe you will notice that some of them are missing in the printable part:

Those characters are: B and Λ (Beta and Lambda). You may not be an "expert" in soma field of study but you have google or all those new AI.

Check this questions on ChatGPT:

Code:
Q: Is there something oddly in the Text of the clues ?

A: Yes, there is something odd in the text of the clues. The oddity lies in the usage of the letter "B" (capital beta) instead of the letter "B" (capital bee) in several instances. It appears that the letter "B" has been mistakenly used instead of "B" throughout the text.

For example, the clues should read:

"Behind the result of the equations there are some variables that should be also a secret."
"Beyond all the discussions, it is worth mentioning that all the possible legacy addresses amount is 2^160."
"Every single Byte counts, how many Bytes have this message?"
The presence of the letter "B" instead of "B" seems to be a typographical error or an unintended character substitution. It is important to note this discrepancy and ensure that the correct letter "B" is used when interpreting the text and attempting to solve the puzzle.


Q: what is B and Λ and how they are related to eliptic curves

A: In the context of elliptic curves, B (Beta) and Λ (Lambda) are parameters that are often used to describe the equations of elliptic curves in a specific form known as Weierstrass form.

The Weierstrass form of an elliptic curve is given by the equation:

y^2 = x^3 + Ax + B,

where A and B are constants that depend on the specific curve. The values of A and B determine the shape and properties of the curve.

In this equation, B represents the constant term, which affects the vertical shift of the curve. It determines the y-coordinate of the point at infinity (the point that serves as the identity element in elliptic curve group operations).

Λ, on the other hand, is a parameter used in the definition of the group law on an elliptic curve. The group law specifies how to add two points on the curve to obtain a third point. Λ is related to the slope of the tangent line to the curve at a specific point. It is used to compute the x-coordinate of the sum of two points.

To summarize, B determines the vertical shift of the curve, while Λ is involved in the group law calculations on the curve. These parameters are important in describing and working with elliptic curves in the Weierstrass form.


As you see you can use the AI as entry point of information


What about the other clues?
Code:
- How do we know the math used in ECDSA is right?
- Can someone cheat or change a signed message made with ECDSA?
- Is it possible for two different messages to have the same signature?
- How can we be sure that the person who signs a message is the real owner of the secret key and not pretending?

Those are just valid question that you may ask to your self and search or think in what are some conditions mathematically needed to do something or prevent something.

That is all...

Regards
hero member
Activity: 862
Merit: 662
So what was the answer anyways? Could you at least  give us some closure. Lol

I will publish it when a second person solve the puzzle.
copper member
Activity: 1330
Merit: 899
🖤😏
Wow.. the puzzle was redeem so fast... but it already continue, i will send ‎0.0024 BTC to the first person to make a valid text signature with this address 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C.

Paste it here o in the telegram channel.

Regards!

So what was the answer anyways? Could you at least  give us some closure. Lol
hero member
Activity: 862
Merit: 662
Wow.. the puzzle was redeem so fast... but it already continue, i will send ‎0.0024 BTC to the first person to make a valid text signature with this address 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C.

Paste it here o in the telegram channel.

Regards!
copper member
Activity: 1330
Merit: 899
🖤😏
This address uncompressed
1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN

Belongs to empty string SHA-256 hash used as private key :

e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

Chop chop fellow hunters, dive into the world of keys and hashes. Note the address has 0.00313110 BTC and not 0.0016. Good luck with my clues.😉
hero member
Activity: 862
Merit: 662
Hi everyone.

To keep me some busy i made a small Puzzle for the members of my group in telegram.

The Prize is in this Address: 17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C it have near 100$ USD at current price.

The puzzle is contained here:

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
Easy puzzle with 0.0016 BTC @ https://t.me/keyhunters
-----BEGIN SIGNATURE-----
1HZwkjkeaoZfTSaJxDw6aKkxp45agDiEzN
G8jtdFo0RCjSNC8p8qoaE/rhNh9k4uhuF2TqNgBEl2fpP71GjtKC1C3y4yxk54lKutNHH7BoGQQ5SNY2YISNGmU=
-----END BITCOIN SIGNED MESSAGE-----

I did this yesterday and it bring some spark of interest so here are some clues

Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
Clues
Behind the result of the equations there are some variables that should Be also a secret
Beyond all the discussions, it is worth mentioning that all the possible legacy addresses amount is 2Λ160
Every single Byte counts, how many Bytes have this message?
This is a signed message with ECDSA. There may be some questions about it.
- How do we know the math used in ECDSA is right?
- Can someone cheat or change a signed message made with ECDSA?
- Is it possible for two different messages to have the same signature?
- How can we be sure that the person who signs a message is the real owner of the secret key and not pretending?

AlbertoBSD
-----BEGIN SIGNATURE-----
17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
H+a3NLPvRfoVgYgZBhvSiGY1001ylS8D5IjRbkrJ/MjlsSTCZ+rC8OIHyCFRwSHwGtIWx+xGIeR4x3nTpl1FUvY=
-----END BITCOIN SIGNED MESSAGE-----

In case that the forum messup the message here is the previous signed message in a text file https://drive.google.com/file/d/1cWlCo7ycY2-jTg575wIukx1p9YJFS2If/view?usp=sharing i already checked it and it is valid

I sugest to you read ALL the documentation available.  Roll Eyes

The ECDSA documentation is here:
https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages

Here is a tool to verify the signatures easily
https://reinproject.org/bitcoin-signature-tool/#verify

About this puzzle it don't need any big computer power, but some small calcualtions are needed.
There is not a single tool that solve this puzzle with a single line command you need to know what are you doing.

If someone found the solution notify me here or in telegram.

Regards



Solved
Messages with their signatures:

@cryptobank_miki https://t.me/keyhunters/25845
Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
I redeemed the puzzle, thanks Alberto!
-----BEGIN SIGNATURE-----
17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
IOxI39y3LonkrRkxh87shzE2b93OjKbpiVQ87lR2bUIbtD7t3vuy1vfeJpN92doYWxkWmUG8JQTxBypjb+XZ5z8=
-----END BITCOIN SIGNED MESSAGE-----

@sazilariel https://t.me/keyhunters/26241
Code:
-----BEGIN BITCOIN SIGNED MESSAGE-----
Thank you Alberto for the fun!
-----BEGIN SIGNATURE-----
17hxfkNjHb2d68PFcUKHeLLwbcwnXBTa9C
H3+k7aiNOw/oXNjf9cuvQ+4aRd0QCLWWBgQ4epnYf4upO5DhsL/DB4qlD7ngEY6gqQExNw5MgZBqW2716p8BNVA=
-----END BITCOIN SIGNED MESSAGE-----


Jump to: