I'm here again. I noticed a group of people still determined to somehow break Bitcoin wallets using this attack, especially the one implemented by
https://github.com/KrashKrash/Twist-Attack-Sub-Group-Attack
First, how would this attack work?
Partial Private Key Collection:
- Calculate small subgroups of each twist curve and attempt to compute the discrete logarithm within these subgroups to obtain partial private keys.
Coprime Verification:
- After collecting all partial private keys, verify if the subgroup orders are pairwise coprime, which is a requirement for applying the CRT (Chinese Remainder Theorem).
Combining Partial Keys Using CRT:
- If the subgroup orders are pairwise coprime, calculate the combined modulus by multiplying all subgroup orders.
- Use CRT to combine the partial private keys modulo their respective subgroup orders to obtain the private key modulo the combined modulus.
- If the combined modulus is greater than the order n of the secp256k1 curve, the private key modulo n can be recovered.
Alright, but in practice, this doesn't work.
Why? Because the combined modulus is, in most cases (if not all), much smaller than n, making recovery impossible.
Second point:
The cofactors of the secp256k1 curve are 1. This means there are no small-order subgroups within the curve that could be exploited. Additionally, the twist of secp256k1 also has a large prime order, similar to the original curve.
Third point:
Bitcoin implementations, such as the "libsecp256k1" library, perform checks to ensure that the points used are indeed on the curve. This prevents you from, for example, using points belonging to the twist or off-curve points to try and extract private key information.
In summary, these characteristics make the attack unfeasible.
If I made any mistakes in my explanation or spelling (English is not my native language), feel free to correct me.
Topic: The truth about: Twist Attack Sub Group Attack (Read 7 times)
Jump to: