Question about Bitcoin's weak transaction nonce

14 replies 311 views
falc0n100Member
Posts: 22 · Reputation: 219
#1Jul 6, 2018, 08:00 AM
Hey everyone, I’ve got a couple of questions. First off, can a wallet with at least 10 pairs of transactions that share only 5 characters in the R value be compromised using something like a Lattice attack? Secondly, if the odds for a single pair are roughly 1 in a million, how can it be ten times that for multiple pairs? Honestly, I can't figure out how to generate R in that way, even if I intentionally use a weak k (nonce) value. How could this even happen? Sorry if my English isn’t perfect.
6 Reply Quote Share
nonce1337Full Member
Posts: 62 · Reputation: 333
#2Jul 6, 2018, 09:01 AM
even if the Rs values have 30 characters in common its useless because the r value is really just the x value of the public key of the nonce used and whatever characters the Rs of the transactions have  in common in reality their nonces could be randomly apart like first one have in between it and the second 20 quadrillion then next 45345 billion etc.... the points are completely unpredictable because of the mathematics behind their  construction
4 Reply Quote Share
falc0n100Member
Posts: 22 · Reputation: 219
#3Jul 6, 2018, 02:01 PM
Again, because of the math behind it, it's impossible for this to happen. But it did happen. The question is; if the probability of a 5-character match in two txs is 1 in 1 million, how can this happen 10 times?
4 Reply Quote Share
im_apeHero Member
Posts: 629 · Reputation: 3824
#4Jul 6, 2018, 02:51 PM
It may be obvious but are you sure that you are looking at R value when you were checking those transactions and their signatures? You see signatures are encoded using DER encoding and there are certain bytes added in that which are always the same (eg. 4730440220 which is [stack size][sequence tag][sequence length][int tag][int length]).
2 Reply Quote Share
falc0n100Member
Posts: 22 · Reputation: 219
#5Jul 6, 2018, 04:33 PM
yes, I am an expert in these areas and I develop software that performs mass vulnerability scanning. Let me give you the full statistics; - There are less than 200 outgoing Tx. - In 32 pairs, 5 characters match in the same character order. In 1 pair, 6 characters match. This cannot be a coincidence, but I cannot understand how it can be. I both check online and confirm, and I also query the database directly. sample rsz ve nonce:) https://prnt.sc/uMK3pg7M5N5N K: 31907037269755274359319072740750448760229601659665891328416497670755906520033 R: 7BCF7CCABE56F54B6B53B8663318BD0ADCD8B 0007A87 2A299BD83919F69BAC34                                                                            p00yA87 Actually something comes to my mind. In transactions lasting 2 years. 1000 btc volume. A patient and humorous person, or there was a factor that caused this order.
3 Reply Quote Share
im_apeHero Member
Posts: 629 · Reputation: 3824
#6Jul 7, 2018, 06:47 AM
That was funny But in all seriousness with a google search of the transactions I extracted from the address you posted in the screenshot above I found this: https://gist.github.com/jgilmour/6215961 that contains a list of similarly broken R values generated from a broken random number generator on Android. As you can see it is not "5 characters", it is reused k value generating the same R. I believe it is related to this warning from 2013 https://bitcoin.org/en/alert/2013-08-11-android
4 Reply Quote Share
falc0n100Member
Posts: 22 · Reputation: 219
#7Jul 7, 2018, 08:13 AM
no that's not the address, that was just to say I'm not new to the r topic. and I purposely chose the example address from a topic you responded to. I'm not writing the actual address because it still has a lot of btc. https://bitcointalk.org/index.php?topic=5433479.0 (try1 = picture) There is no known vulnerability at the address in question. There is only this situation that I discovered.
4 Reply Quote Share
im_apeHero Member
Posts: 629 · Reputation: 3824
#8Jul 8, 2018, 03:34 AM
Uh OK. In that case it is hard to analyze it and know what truly is going on. 5 characters (assuming hex) is only 20 bits (out of 256) and its repetition doesn't really tell you much about what has happened and may not even be anything broken helping to solve the equation and finding the private key.
0 Reply Quote Share
eric.maxiMember
Posts: 35 · Reputation: 232
#9Jul 8, 2018, 05:48 PM
Lattice attack is possible only when you have some common values in K. Here you are talking about R, which has gone through already on curve. Now what makes it special is that even when there is some leakage in K, you can't detect it by looking at R. So those R might have all containing strong K, you never know. Another interesting fact that it is happening for same address means it has either something to do with the K generation special wallet for making transaction or someone did it manually. But why? In reality same 5 char on many different R means (if you take the analogy of Kangaroo algo) it is with DP20. Which can only happen approximately once for every 2^20 different K values. So the real question is why would someone make Tx with selecting only those K values which in general happens 1 out of 1 million chance.
6 Reply Quote Share
paul2017Senior Member
Posts: 218 · Reputation: 1426
#10Jul 8, 2018, 06:42 PM
I'm far from being an expert in this subject. Isn't the probability of finding "?00?A87" in a random 64-digit hex string 0.00553%. How many R values did you search for that sequence? The probability of finding "?00?A87" in 100,000 random strings would be 99.6% Check my math.
1 Reply Quote Share
falc0n100Member
Posts: 22 · Reputation: 219
#11Jul 8, 2018, 09:09 PM
should be lower. hexadecimal number. 16 possibilities and 7 characters in its character. 2^16 = 268,435,456 possibilities are also 1. everyone can learn by scanning. But I did not scan. I went in the opposite direction with the help of Lagrange Interpolations. With the help of this, I created a golden formula that can reach the result directly for certain modular numbers. Then I created it with a direct formula using this. anyway, the secp256k1 curve was chosen because it was weak. they fooled people by saying it was fast. someone knew its weakness since the day it was published. They said no one else can solve it.. the traces in the wallet in question are proof of this. our big brother satoshi was already an nsa officer. just kidding, of course I scanned. everyone relax.
2 Reply Quote Share
sam.minerMember
Posts: 10 · Reputation: 116
#12Jul 9, 2018, 01:40 AM
where is the address
2 Reply Quote Share
falc0n100Member
Posts: 22 · Reputation: 219
#13Jul 9, 2018, 02:08 AM
wallet must remain secure. There are many patterns in R values, I am sharing some patterns for better understanding. https://prnt.sc/hHPWbppNhfvl
2 Reply Quote Share
ericn0v4Member
Posts: 19 · Reputation: 106
#14Jul 9, 2018, 07:17 AM
Here is pattern script recover private key. https://crypto.stackexchange.com/questions/102514/recovering-nonce-in-ecdsa-with-known-shared-components-in-ecdsa There is also lattice attack for that https://jsur.in/posts/2021-07-25-ijctf-2021-ecsign-writeup
3 Reply Quote Share
whale_chainFull Member
Posts: 88 · Reputation: 664
#15Jul 9, 2018, 11:19 AM
Lattice attack are effective against cryptographic systems where the nonce is reusable or predictable. So in a scenario where the transactions have 5 characters in common, it will be much easy for attackers to exploit potential weaknesses. Just like in your given scenario an attacker can collect enough samples in which the case study here is 10, then apply a technique known as lattice reduction algorithms (like the Lattice-based attack) to find the nonce k and possibly recover the private key which in conclusion having multiple transactions with 5 characters in common in the R value posses a potential risk. This could be due to: Nonce reuseAttackers control poor implementation ramdom of random number generator
2 Reply Quote Share
?Reply
Sign in to reply to this topic

Related topics