<h1>Potential ECDSA disasters: Repeated nonce</h1>

<p>Published 2022-02-10 at http://www.selinuxplus.com/?p=858</p>

<p><strong>Private Key:</strong> integer d</p>

<p><strong>Public Key:</strong> curve point Q = dG</p>

<p><strong><em>Signature Generation</em></strong></p>

<p><strong>Message Hash:</strong> h</p>

<p><strong>Per-Signature &#8220;nonce&#8221;:</strong> integer k</p>

<p><strong>Signature on h:</strong> (r, s), where r = x(kG) and s = k<sup>-1</sup>(h + dr) mod n</p>

<p><strong>Potential pitfall #2</strong></p>

<p>If k is ever reused to sign distinct messages h<sub>1</sub>, h<sub>2</sub>, the two signatures (r, s<sub>1</sub>) and (r, s<sub>2</sub>) share the same r, and k is revealed:</p>

<p>k = (h<sub>1</sub> &#8722; h<sub>2</sub>)(s<sub>1</sub> &#8722; s<sub>2</sub>)<sup>-1</sup> mod n</p>

<p>and thus the long-term private key d is revealed, since d = r<sup>-1</sup>(s<sub>1</sub>k &#8722; h<sub>1</sub>) mod n.</p>

<pre class="wp-block-preformatted">#!/usr/bin/env python3
# Two secp256k1 signatures that share the same r (and therefore the same
# nonce k): (r, s1) on message hash z1 and (r, s2) on message hash z2.
# z1, z2 are the hashes h1, h2 of the text above.
r  = 0x0861cce1da15fc2dd79f1164c4f7b3e6c1526e7e8d85716578689ca9a5dc349d
s1 = 0x6cf26e2776f7c94cafcee05cc810471ddca16fa864d13d57bee1c06ce39a3188
s2 = 0x4ba75bdda43b3aab84b895cfd9ef13a477182657faaf286a7b0d25f0cb9a7de2
z1 = 0x01b125d18422cdfa7b153f5bcf5b01927cf59791d1d9810009c70cd37b14f4e6
z2 = 0x339ff7b1ced3a45c988b3e4e239ea745db3b2b3fda6208134691bd2e4a37d6e1

# This function is from
# https://github.com/tlsfuzzer/python-ecdsa/blob/master/src/ecdsa/numbertheory.py
def inverse_mod(a, m):
    """Inverse of a mod m."""
    if a == 0:  # pragma: no branch
        return 0
    return pow(a, -1, m)  # three-argument pow with -1 needs Python &gt;= 3.8

# Order n of the secp256k1 base point: https://en.bitcoin.it/wiki/Secp256k1
# All signature arithmetic is done mod n (the group order), not mod the field prime.
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

z = (z1 - z2) % n
r_inv = inverse_mod(r, n)

# A signature (r, s) verifies equally as (r, n - s), so each s is only known
# up to sign; try every sign combination and print each candidate (d, k).
for (i, j) in [(1, 1), (1, -1), (-1, 1), (-1, -1)]:
    s = (s1 * i + s2 * j) % n
    k = (z * inverse_mod(s, n)) % n         # k = (z1 - z2) * (s1 - s2)^-1 mod n
    d = (r_inv * (s1 * i * k - z1)) % n     # d = r^-1 * (s1 * k - z1) mod n
    print(f"Private key: {hex(d)}, {hex(k)}")
</pre>

<pre class="wp-block-preformatted">Private key: 0xe773cf35fce567d0622203c28f67478a3361bae7e6eb4366b50e1d27eb1ed82e, 0xaf7c9dd92162167d6aad26238f206284c30183941986caad8c0eaf8f14d9da46</pre>