Hey everyone,
I’ve got a couple of questions.
First off, can a wallet with at least 10 pairs of transactions that share only 5 characters in the R value be compromised using something like a Lattice attack?
Secondly, if the odds for a single pair are roughly 1 in a million, how can it be ten times that for multiple pairs?
Honestly, I can't figure out how to generate R in that way, even if I intentionally use a weak k (nonce) value. How could this even happen?
Sorry if my English isn’t perfect.
Question about Bitcoin's weak transaction nonce
14 replies 311 views
even if the Rs values have 30 characters in common its useless because the r value is really just the x value of the public key of the nonce used and whatever characters the Rs of the transactions have in common in reality their nonces could be randomly apart like first one have in between it and the second 20 quadrillion then next 45345 billion etc.... the points are completely unpredictable because of the mathematics behind their construction
Again, because of the math behind it, it's impossible for this to happen. But it did happen. The question is; if the probability of a 5-character match in two txs is 1 in 1 million, how can this happen 10 times?
It may be obvious but are you sure that you are looking at R value when you were checking those transactions and their signatures? You see signatures are encoded using DER encoding and there are certain bytes added in that which are always the same (eg. 4730440220 which is [stack size][sequence tag][sequence length][int tag][int length]).
yes, I am an expert in these areas and I develop software that performs mass vulnerability scanning.
Let me give you the full statistics;
- There are less than 200 outgoing Tx.
- In 32 pairs, 5 characters match in the same character order.
In 1 pair, 6 characters match.
This cannot be a coincidence, but I cannot understand how it can be.
I both check online and confirm, and I also query the database directly.
sample rsz ve nonce:)
https://prnt.sc/uMK3pg7M5N5N
K: 31907037269755274359319072740750448760229601659665891328416497670755906520033
R: 7BCF7CCABE56F54B6B53B8663318BD0ADCD8B 0007A87 2A299BD83919F69BAC34
p00yA87
Actually something comes to my mind.
In transactions lasting 2 years.
1000 btc volume.
A patient and humorous person,
or there was a factor that caused this order.
That was funny
But in all seriousness with a google search of the transactions I extracted from the address you posted in the screenshot above I found this: https://gist.github.com/jgilmour/6215961 that contains a list of similarly broken R values generated from a broken random number generator on Android. As you can see it is not "5 characters", it is reused k value generating the same R.
I believe it is related to this warning from 2013
https://bitcoin.org/en/alert/2013-08-11-android
no that's not the address, that was just to say I'm not new to the r topic.
and I purposely chose the example address from a topic you responded to.
I'm not writing the actual address because it still has a lot of btc.
https://bitcointalk.org/index.php?topic=5433479.0 (try1 = picture)
There is no known vulnerability at the address in question. There is only this situation that I discovered.
Uh OK. In that case it is hard to analyze it and know what truly is going on. 5 characters (assuming hex) is only 20 bits (out of 256) and its repetition doesn't really tell you much about what has happened and may not even be anything broken helping to solve the equation and finding the private key.
Lattice attack is possible only when you have some common values in K. Here you are talking about R, which has gone through already on curve. Now what makes it special is that even when there is some leakage in K, you can't detect it by looking at R. So those R might have all containing strong K, you never know.
Another interesting fact that it is happening for same address means it has either something to do with the K generation special wallet for making transaction or someone did it manually. But why?
In reality same 5 char on many different R means (if you take the analogy of Kangaroo algo) it is with DP20. Which can only happen approximately once for every 2^20 different K values.
So the real question is why would someone make Tx with selecting only those K values which in general happens 1 out of 1 million chance.
I'm far from being an expert in this subject.
Isn't the probability of finding "?00?A87" in a random 64-digit hex string 0.00553%.
How many R values did you search for that sequence? The probability of finding "?00?A87" in 100,000 random strings would be 99.6%
Check my math.
should be lower.
hexadecimal number.
16 possibilities and 7 characters in its character.
2^16 = 268,435,456 possibilities are also 1.
everyone can learn by scanning.
But I did not scan.
I went in the opposite direction with the help of Lagrange Interpolations.
With the help of this, I created a golden formula that can reach the result directly for certain modular numbers. Then I created it with a direct formula using this.
anyway, the secp256k1 curve was chosen because it was weak. they fooled people by saying it was fast. someone knew its weakness since the day it was published. They said no one else can solve it.. the traces in the wallet in question are proof of this. our big brother satoshi was already an nsa officer.
just kidding, of course I scanned. everyone relax.
where is the address
wallet must remain secure.
There are many patterns in R values, I am sharing some patterns for better understanding.
https://prnt.sc/hHPWbppNhfvl
Here is pattern script recover private key. https://crypto.stackexchange.com/questions/102514/recovering-nonce-in-ecdsa-with-known-shared-components-in-ecdsa
There is also lattice attack for that https://jsur.in/posts/2021-07-25-ijctf-2021-ecsign-writeup
whale_chainFull Member
Posts: 88 · Reputation: 664
#15Jul 9, 2018, 11:19 AM
Lattice attack are effective against cryptographic systems where the nonce is reusable or predictable. So in a scenario where the transactions have 5 characters in common, it will be much easy for attackers to exploit potential weaknesses.
Just like in your given scenario an attacker can collect enough samples in which the case study here is 10, then apply a technique known as lattice reduction algorithms (like the Lattice-based attack) to find the nonce k and possibly recover the private key which in conclusion having multiple transactions with 5 characters in common in the R value posses a potential risk.
This could be due to:
Nonce reuseAttackers control poor implementation ramdom of random number generator
?Reply
Sign in to reply to this topic
Related topics
- Curious about the 'Services' section in the peers of Bitcoin Core 6
- Ideas for Boosting Bitcoin's Transaction Capacity 3
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- Ways to earn some sats by contributing to bitcoin core development 5