This one is based on Exercise 19.1 of A Graduate Course in Applied Cryptography.
The poor signer realized their mistake and upgraded their implementation to randomly generate (private) nonces. Unfortunately, they also didn't get the memo to use a secure PRNG, and ended up using a Linear Congruential Generator instead.
You're given Schnorr signatures on two different messages signed by the same private key. Although the signatures both verify under BIP-340, the two private nonces are related via r2 = a * r1 + b, where a = 31337 and b = 69420.
Can you still extract the signer's private key?
Public key (x-only, 32 bytes):
21922E7D5988A711123794D70B19C2827B1630BC2AB99887418D9EF4AFDB1AC2
Message 1 (32 bytes):
49276D20626574746572207769746820636F6465207468616E20776974682077
Signature 1 (64 bytes):
19D6493FBA397CDD1C1E10F9AB51E65531D587D7C53C04673779E1A307AC795CF801B1BF3D103771F74C5F70BB3A3557D87E5116294A9ABD357DC4367D123C9D
Message 2 (32 bytes):
4265696E67206F70656E20736F75726365206D65616E7320616E796F6E652063
Signature 2 (64 bytes):
0293422DCE97000231B98AFE3CBE405601D4129296AB902822514DF9B2F0BC9D7FC2B9C64FA080688D020407900CE9DE887B9CBB25C34280DAB6E172CC39C2F0
If the signer happened to use a = 1337 instead of a = 31337, there's a good chance your attack will now fail. Can you fix the issue?
Hint: How is BIP-340 able to use only 32 bytes to store a public key?
Same public key, messages and first signature as above; only the second signature changes:
Public key (x-only, 32 bytes):
21922E7D5988A711123794D70B19C2827B1630BC2AB99887418D9EF4AFDB1AC2
Message 1 (32 bytes):
49276D20626574746572207769746820636F6465207468616E20776974682077
Signature 1 (64 bytes):
19D6493FBA397CDD1C1E10F9AB51E65531D587D7C53C04673779E1A307AC795CF801B1BF3D103771F74C5F70BB3A3557D87E5116294A9ABD357DC4367D123C9D
Message 2 (32 bytes):
4265696E67206F70656E20736F75726365206D65616E7320616E796F6E652063
Signature 2 (64 bytes):
B0D1BB19E0FDC76FF9702EF847D486B39F78DFAF59A3AE5D88C6FE44A1E4ED46110C668DA0C408E4B5A8DBD021B56FE82A2A816962D19C2D7747ED32DCCA3396
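As an added worked example (not part of the challenge or its reference solution), the Python below implements just enough of secp256k1 and BIP-340 to sign two constructed messages with LCG-related nonces and then recover the signing key from the two signatures. Because BIP-340 negates the nonce whenever R has odd Y (the 32-byte x-only encoding the hint refers to), the recovery tries all four nonce-sign combinations; the key, first nonce and messages are constructed placeholders.

```python
import hashlib
# secp256k1: field prime, group order, generator
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def point_add(p1, p2):  # affine addition, None = point at infinity
    if p1 is None or p2 is None: return p1 or p2
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0: return None
    lam = (3 * x1 * x1 * pow(2 * y1, -1, P) if p1 == p2
           else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def point_mul(k, pt=G):  # double-and-add
    acc = None
    while k:
        if k & 1: acc = point_add(acc, pt)
        pt, k = point_add(pt, pt), k >> 1
    return acc

def challenge(rx, px, msg):  # e = tagged_hash("BIP0340/challenge", R.x || P.x || m) mod n
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    data = rx.to_bytes(32, "big") + px.to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(tag + tag + data).digest(), "big") % N

def sign(d, k, msg):  # BIP-340 signing with a caller-supplied nonce (the flaw: k comes from an LCG)
    pub, R = point_mul(d), point_mul(k)
    d = d if pub[1] % 2 == 0 else N - d  # even-Y normalisation of the key
    k = k if R[1] % 2 == 0 else N - k    # even-Y normalisation of the nonce: the sign flip the hint points at
    return R[0], (k + challenge(R[0], pub[0], msg) * d) % N

def recover(px, sig1, msg1, sig2, msg2, a, b):
    """Solve s1 = sgn1*k1 + e1*d and s2 = sgn2*(a*k1 + b) + e2*d for d over all nonce signs."""
    (r1x, s1), (r2x, s2) = sig1, sig2
    e1, e2 = challenge(r1x, px, msg1), challenge(r2x, px, msg2)
    for eps, eps2 in ((1, 1), (1, -1), (-1, 1), (-1, -1)):  # eps = sgn1*sgn2, eps2 = sgn2
        denom = (e2 - eps * a * e1) % N
        if denom == 0: continue                             # a*e1 - e2 must be invertible
        d = (s2 - eps * a * s1 - eps2 * b) * pow(denom, -1, N) % N
        pt = point_mul(d)
        if pt and pt[0] == px:                              # candidate reproduces the x-only public key
            return d
    return None

PRIV, K1 = 0x1C0FFEE5BADC0DE5DECADE5F00D5A11CE, 0x0F1E2D3C4B5A69788796A5B4C3D2E1F0  # constructed key and first LCG nonce
def demo(a=1337, b=69420):  # sign two constructed messages with LCG-related nonces, then recover the key
    msg1, msg2 = (hashlib.sha256(m).digest() for m in (b"constructed message one", b"constructed message two"))
    px = point_mul(PRIV)[0]
    sig1, sig2 = sign(PRIV, K1, msg1), sign(PRIV, (a * K1 + b) % N, msg2)
    return recover(px, sig1, msg1, sig2, msg2, a, b)
```

The recovered value is the even-Y-normalised key, i.e. either PRIV or N - PRIV; both produce the same x-only public key, which is all a BIP-340 verifier ever sees.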
@siv2r You're right (well, except you still do need a * e1 - e2 to be invertible). The failure for a = 1337 is not an issue with this attack (in general), but a specific implementation detail of BIP-340.