GCD Bias in Signature Generation: Seeking Expert Help

2 replies 445 views
yield2011Member
Posts: 5 · Reputation: 119
#1Feb 27, 2020, 12:05 PM
So, where do I even start? A couple of months ago, I stumbled upon a crypto scam wallet linked to a pig butchering scam with loads of transactions. It struck me as suspicious, and I thought maybe there's a vulnerability in this wallet that could help get the funds back for the victims. As I dug deeper, I discovered that some of the earliest transactions show a GCD bias of around 39%. This was during the time when the random number generator for signatures was using prng before RFC 6797 was implemented. There’s a segment of about 3000 signatures in this wallet that all show this bias. After a lot of trial and error, including attempts to reuse keys and various failed lattice attacks, I'm stuck. I’ve hit a wall in trying to break the key and release the stolen funds from all the victims affected by this wallet. It processes thousands of transactions daily, and it looks like it's fixed its initial prng state, which makes it tough for anyone who tries to analyze its transactions and build a lattice for it they just fail since better rng has mixed things up over time. Just for fun, I started checking out some other wallets that have a similar pattern, with tons of transactions daily showing GCD bias initially, but then this bias smooths out over time. I could really use some help from anyone who understands this stuff and is up for assisting me in recovering the funds from this wallet. We’re talking about a huge amount of money, potentially in the hundreds of millions, and I’d really love to help those scammed get their money back.
6 Reply Quote Share
s33d_moonFull Member
Posts: 235 · Reputation: 715
#2Feb 27, 2020, 01:14 PM
From what you’re describing it does look like those early signatures probably came from a weak PRNG but a 30–40% bias alone usually isn’t enough to crack anything unless it stays consistent. Since the bias fades in later transactions that typically means the implementation improved which also explains why your lattice attempts hit a wall. If the goal is helping the victims, it may not be realistic to assume the wallet is still vulnerable. Most successful key recoveries come from repeated or leaked nonces not general bias. If you can share a small anonymized sample of the affected signatures I'm sure forum members especially the more technical legendaries would be able to tell quickly whether there’s anything actually exploitable.
3 Reply Quote Share
paul.ninjaFull Member
Posts: 152 · Reputation: 539
#3Feb 27, 2020, 05:20 PM
The right way to approach this is to stop looking at "all transactions ever" and carve out the earliest clean window where you know the bad RNG was in use and is stationary. That might be a few hundred or a couple thousand sigs, not tens of thousands. Anything after the fix is just poison for your lattice. On the practical side, if this really is tied to a pig-butchering operation with hundreds of millions flowing through, don't assume you're looking at a single hot wallet key that stayed unchanged for years. There are often multiple keys, scripts, services behind the scenes, and the funds you care about may have already been swept to harder targets long ago. Recovering one compromised key (if it's even possible) doesn't unwind the whole scam. I'm not trying to pour cold water on the effort, if you've genuinely found a wallet implementation leaking k and it's still being used, that's a big deal. But the gap between "my GCD plot looks funky" and "we can reliably recover a private key" is huge, and you really want a couple of people who live and breathe lattice attacks to sanity-check this before you burn yourself out chasing ghosts.
2 Reply Quote Share

Related topics