Skip to content

Instantly share code, notes, and snippets.

@rllola

rllola/ecdsa_private_recovering.py

Last active October 5, 2022 22:50
Show Gist options
  • Save rllola/8ff9c49b86cde7bc4a18363ce36a54a5 to your computer and use it in GitHub Desktop.
Save rllola/8ff9c49b86cde7bc4a18363ce36a54a5 to your computer and use it in GitHub Desktop.
Download ZIP
Recover private key from ECDSA signature
Raw
ecdsa_private_recovering.py
#!/usr/bin/env python3
from Crypto.Util.number import inverse
import ecdsa
import random
import hashlib
C = ecdsa.SECP256k1
G = C.generator
n = C.order
super_private_key = 3
# Not so random cryptographic nonce (that's a secret)
k = 6
# Signing message 1
hash_message_1 = int(hashlib.sha256(b'thats cause you cant kick flip Greg').hexdigest(),16)
## Calculate R
p1 = k * G
r = p1.x()
## Calculate S
s1 = (inverse( k, n ) * (hash_message_1 + (super_private_key * r) % n)) % n
## RS signature
print("r:{}, s:{}".format(r,s1))
# Signing message 2
hash_message_2 = int(hashlib.sha256(b'Jesus est venu par minou').hexdigest(),16)
## Calculate R
p1 = k * G
r = p1.x()
## Calculate S
s2 = (inverse( k, n ) * (hash_message_2 + (super_private_key * r) % n)) % n
## RS signature
print("r:{}, s:{}".format(r,s2))
# You should notice we have the r value
# Now lets calculate our R value
# see https://youtu.be/f2s3_UG9IPU?t=1282
k_guess = (hash_message_1 - hash_message_2)*inverse(s1 - s2, n) % n
print("k found: {}".format(k_guess))
d = (s1*k - hash_message_1) * inverse(r, n) % n
print("The private key: {}".format(d))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment