search

marcvincenti / bitp0wn

Algorithms to re-compute a private key, to fake signatures and some other funny things with Bitcoin.
104 stars 63 forks source link

Question about curve parameters #3

Open OSoup opened 5 years ago

OSoup commented 5 years ago

Hi, I try to learn and I have to make some connections. You have in the code below values: P = 10177 A = 1 B = P-1 G = (1,1) N = 10331

What should be the values in case of btc when I know the public key, K = (x,y) so I know x and y? P=115792089237316195423570985008687907853269984665640564039457584007908834671663 ??? A = ??? B = P-1 G = (??,??) N = ??

Thank you!

marcvincenti commented 5 years ago

Hello, Bitcoin use the Secp256k1 curve.

# Elliptic curve parameters (secp256k1)

P = 2**256 - 2**32 - 977
N = 115792089237316195423570985008687907852837564279074904382605163141518161494337
A = 0
B = 7
Gx = 55066263022277343669578718895168534326250603453777594175500187360389116729240
Gy = 32670510020758816978083085130507043184471273380659243275938904335757337482424
G = (Gx, Gy)
mertgonul commented 5 years ago

Added secp256k1 parameters and decreased "N" to lower one to test it but it is only searching can't find any result.

#!/usr/bin/env python

from bitcoin import change_curve, fast_add, fast_multiply, inv
import random

# define a 16-bits curve (not secure)
P = 2**256 - 2**32 - 977
N = 10331
A = 0
B = 7
Gx = 55066263022277343669578718895168534326250603453777594175500187360389116729240
Gy = 32670510020758816978083085130507043184471273380659243275938904335757337482424
G = (Gx, Gy)
change_curve(P, N, A, B, G[0], G[1])

# generate private and public key
k = random.randint(1, N)
Q = fast_multiply(G, k)
print("SEARCH - {0}".format(k))

# Pollard rho
def new_xab(x, a, b):
    S = x[0] % 3
    if S == 0:
        a = (a + 1) % N
        x = fast_add(x, G)
    elif S == 1:
        a = (a * 2) % N
        b = (b * 2) % N
        x = fast_add(x, x)
    elif S == 2:
        b = (b + 1) % N
        x = fast_add(x, Q)
    return x, a, b

x=X=(0,0); a=A=0; b=B=0;
for i in range(N):
    x, a, b = new_xab(x, a, b)
    X, A, B = new_xab(X, A, B)
    X, A, B = new_xab(X, A, B)
    if x == X:
        if b == B:
            print("NOT FOUND")
        else:
            k = ((a - A) * inv(B - b, N)) % N
            print("FOUND  - {0}".format(k))
        break
marcvincenti commented 5 years ago

@mertgonul N should be the order of the curve in Z_P. It means that you have to reduce P first (with P a prime number) and then you should calculate N such that N is the order of the curve (i.e. G x P = G). To find N you can define some bounds with Hasse's theorem and try to determine with an algo of your choice (for P being not too big, you can use the bsgs algorithm). If you don't want to code this all by yourself, i've started a script to help everyone generate testing curves, but it doesn't work every time, i need a PR or some help here.