Queschion

[Hurd8x]

Can you help please. I thant to make test with week secret key, I take a 18051648 from file alg.gp and make publick from 18051648*5000000000000000000 = 90258240000000000000000000.

I right understand what this secret key is week in logick of you research/work, and if put this publick key to input(copy/paste) of file secp256k1.gp scrypt show whot pubkey has week secret key ?

div32 = [18051648]; */

18051648*5000000000000000000 = 90258240000000000000000000

publick key ( 16779802772638444730579276278823564595636786319815479120401207103285459070860,34210086820532492478042369517721515623610476339070818327603657009885957099183)

Thank you.

[enh11]

In general is not possible to know whether a public key has been generated from a weak secret key. You can run the test on the key you have generated with test_key(public_key, bound), where bound is 32,64,128 or 160. I tried this test with your key within a bound of 32 and no match has been found. You can try with other bounds but please note, this will require a quit a lot of memory, thus, maybe your computer can't perform this test. Moreover, the way you generate your secret key is in general unsafe, in particular because it is only 27 digit number, thus, other attacks can break it. Try the command sk = random(q) to generate a large-size random key (where q is the prime-order of the base field in secp265k1.gp code); then you can run the test on the corresponding public key. Actually, the probability that the key is weak is very low.

[Hurd8x]

In general is not possible to know whether a public key has been generated from a weak secret key. You can run the test on the key you have generated with test_key(public_key, bound), where bound is 32,64,128 or 160. I tried this test with your key within a bound of 32 and no match has been found. You can try with other bounds but please note, this will require a quit a lot of memory, thus, maybe your computer can't perform this test. Moreover, the way you generate your secret key is in general unsafe, in particular because it is only 27 digit number, thus, other attacks can break it. Try the command sk = random(q) to generate a large-size random key (where q is the prime-order of the base field in secp265k1.gp code); then you can run the test on the corresponding public key. Actually, the probability that the key is weak is very low.

Scrypt print:

print("Type test_key(you_public_key,bound_for_the_test) to test your key"); /*

but then put ((x,y,) ,bound), scrypt answer "too many parameters).

Your private and public keys have been generated! Type sk to visualize you secret key and pk to visualize the public key. ? pk [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)] ? test_key( (15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663),32) syntax error, unexpected ')', expecting )-> or ',': ...4039457584007908834671663 ),Mod(424978395212936 ^--------------------- ^- ? test_key((Mod (15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663,32) syntax error, unexpected $end, expecting )-> or ',' or ')': ...9457584007908834671663,32)

?

Can you please provide example of weak secret key ?

Thank you very mach .

[enh11]

Any key generated by the function key_pairs_gen() is a weak keys, in fact, in the code you can see that the private key is generated inside a subgroup of order 18051648.

pk= [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)]

is an example of a public key whose corresponding private key is weak. If you run test_key(pk,32) you will get

private key detected: 44348743552956812846079094070520967561910055000250760028817952285884041702560

[Hurd8x]

Any key generated by the function key_pairs_gen() is a weak keys, in fact, in the code you can see that the private key is generated inside a subgroup of order 18051648.

pk= [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)]

is an example of a public key whose corresponding private key is weak. If you run test_key(pk,32) you will get

private key detected: 44348743552956812846079094070520967561910055000250760028817952285884041702560

Thank you very mach.

But groop of private not exact 18051648 ?

because private 44348743552956812846079094070520967561910055000250760028817952285884041702560 % i == 0 only at this i (range from 18051648 to 1) so groop(generator) of private one of this i ?:

privte % i = 0x0 i 13180745 privte % i = 0x0 i 10544596 privte % i = 0x0 i 5272298 privte % i = 0x0 i 2636149 privte % i = 0x0 i 68320 privte % i = 0x0 i 34160 privte % i = 0x0 i 17080 privte % i = 0x0 i 13664 privte % i = 0x0 i 9760 privte % i = 0x0 i 8540 privte % i = 0x0 i 6832 privte % i = 0x0 i 4880 privte % i = 0x0 i 4270 privte % i = 0x0 i 3416 privte % i = 0x0 i 2440 privte % i = 0x0 i 2135 privte % i = 0x0 i 1952 privte % i = 0x0 i 1708 privte % i = 0x0 i 1220 privte % i = 0x0 i 1120 privte % i = 0x0 i 976 privte % i = 0x0 i 854 privte % i = 0x0 i 610 privte % i = 0x0 i 560 privte % i = 0x0 i 488 privte % i = 0x0 i 427 privte % i = 0x0 i 305 privte % i = 0x0 i 280 privte % i = 0x0 i 244 privte % i = 0x0 i 224 privte % i = 0x0 i 160 privte % i = 0x0 i 140 privte % i = 0x0 i 122 privte % i = 0x0 i 112 privte % i = 0x0 i 80 privte % i = 0x0 i 70 privte % i = 0x0 i 61 privte % i = 0x0 i 56 privte % i = 0x0 i 40 privte % i = 0x0 i 35 privte % i = 0x0 i 32 privte % i = 0x0 i 28 privte % i = 0x0 i 20 privte % i = 0x0 i 16 privte % i = 0x0 i 14 privte % i = 0x0 i 10 privte % i = 0x0 i 8 privte % i = 0x0 i 7 privte % i = 0x0 i 5 privte % i = 0x0 i 4 privte % i = 0x0 i 2 privte % i = 0x0 i 1

[enh11]

Sorry, I'm not understanding your question.

[Hurd8x]

Sorry, I'm not understanding your question.

Hello, my queschion.Scrypy secp256k1.gp print what 18051648 is divider, but private key not divides without floating part to 18051648.

How understand what 18051648 as divider ?

Ps for my experiments I moree need run a scrypt256k1.gp without error, after this I think I can answer to my question by myself.

Thank you very mach. Thank you.

[enh11]

Now I understand. It is slightly more complicated than that. Private keys are not multiple of 18051648. Private keys are power of z mod q, where z is a primitive root mod q.

If you have modified the path in secp256k1.gp script, then run gp and type \r /path/secp256k1.gp (remember, this I like the main script). Then enter pk= [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)] and run the test test_key(pk,32)

[Hurd8x]

er

Now I understand. It is slightly more complicated than that. Private keys are not multiple of 18051648. Private keys are power of z mod q, where z is a primitive root mod q.

If you have modified the path in secp256k1.gp script, then run gp and type \r /path/secp256k1.gp (remember, this I like the main script). Then enter pk= [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)] and run the test test_key(pk,32)

error,

break> pk= [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)] [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)] break> test_key(pk,32) Point to be tested: [Mod(15082517359000147371703545448537779779783703943154367759348226164272700643883, 115792089237316195423570985008687907853269984665640564039457584007908834671663), Mod(42497839521293684573184706198506912554809336488225568870647095025902454102392, 115792089237316195423570985008687907853269984665640564039457584007908834671663)] Divisor: 18051648 at top-level: test_key(pk,32) ^--------------- in function test_key: ...ound==32,foreach(div32,d, bsgs(public_key,d)),i ^--------------------- in function bsgs: ...int("Divisor: "d);m=ceil(sqrt(d))+1;zd=lift(Mo ^--------------------- in function sqrt: test_key(pk,32) ^--------------- in function test_key: ...ound==32,foreach(div32,d, bsgs(public_key,d)),i ^--------------------- in function bsgs: ...P,lift(Mod(zd,p)^(mi))); ** foreach(bs,baby_step, ^--------------------- not a function in function call Break loop: type 'break' to go back to GP *** prompt break[2]>