@robot-dreams
Created Jan 7, 2022
Challenge 002

Previous: Challenge 001

This one is based on Exercise 19.1 of A Graduate Course in Applied Cryptography.

The poor signer realized their mistake and upgraded their implementation to randomly generate (private) nonces. Unfortunately, they also didn't get the memo to use a secure PRNG, and ended up using a Linear Congruential Generator instead.

You're given Schnorr signatures on two different messages signed by the same private key. Although the signatures both verify under BIP-340, the two private nonces are related via r2 = a * r1 + b, where a = 31337 and b = 69420.

Can you still extract the signer's private key?


Public Key

21922E7D5988A711123794D70B19C2827B1630BC2AB99887418D9EF4AFDB1AC2

Message 1

49276D20626574746572207769746820636F6465207468616E20776974682077

Signature 1

19D6493FBA397CDD1C1E10F9AB51E65531D587D7C53C04673779E1A307AC795CF801B1BF3D103771F74C5F70BB3A3557D87E5116294A9ABD357DC4367D123C9D

Message 2

4265696E67206F70656E20736F75726365206D65616E7320616E796F6E652063

Signature 2

0293422DCE97000231B98AFE3CBE405601D4129296AB902822514DF9B2F0BC9D7FC2B9C64FA080688D020407900CE9DE887B9CBB25C34280DAB6E172CC39C2F0

Bonus Challenge

If the signer happened to use a = 1337 instead of a = 31337, there's a good chance your attack will now fail. Can you fix the issue?

Hint: How is BIP-340 able to use only 32 bytes to store a public key?

Public Key

21922E7D5988A711123794D70B19C2827B1630BC2AB99887418D9EF4AFDB1AC2

Message 1

49276D20626574746572207769746820636F6465207468616E20776974682077

Signature 1

19D6493FBA397CDD1C1E10F9AB51E65531D587D7C53C04673779E1A307AC795CF801B1BF3D103771F74C5F70BB3A3557D87E5116294A9ABD357DC4367D123C9D

Message 2

4265696E67206F70656E20736F75726365206D65616E7320616E796F6E652063

Signature 2

B0D1BB19E0FDC76FF9702EF847D486B39F78DFAF59A3AE5D88C6FE44A1E4ED46110C668DA0C408E4B5A8DBD021B56FE82A2A816962D19C2D7747ED32DCCA3396
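
Why the relation r2 = a * r1 + b is fatal, as an added example that is not part of the original gist: two signing equations with one unknown nonce and one unknown key can be solved for the key. The function names, the key, nonce and messages are constructed, and the relation is assumed to hold modulo the secp256k1 group order; the example goes beyond the first challenge by also covering the nonce negation BIP-340 applies when R has an odd y coordinate.

```python
import hashlib

P = 2**256 - 2**32 - 977  # secp256k1 field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # group order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(p, q):  # affine point addition; None is the point at infinity
    if p is None or q is None:
        return p or q
    if p[0] == q[0] and (p[1] + q[1]) % P == 0:
        return None
    num, den = (3 * p[0] * p[0], 2 * p[1]) if p == q else (q[1] - p[1], q[0] - p[0])
    lam = num * pow(den % P, -1, P) % P
    x = (lam * lam - p[0] - q[0]) % P
    return x, (lam * (p[0] - x) - p[1]) % P

def mul(k, p=G):  # double-and-add scalar multiplication
    r = None
    while k:
        r = add(r, p) if k & 1 else r
        p, k = add(p, p), k >> 1
    return r

def challenge(rx, px, msg):  # e = tagged_hash("BIP0340/challenge", R.x || P.x || m) mod n
    tag = hashlib.sha256(b"BIP0340/challenge").digest()
    data = tag + tag + rx.to_bytes(32, "big") + px.to_bytes(32, "big") + msg
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % N

def sign(d, k, msg):  # BIP-340 signing equation, but with a caller-supplied nonce k
    d = d if mul(d)[1] % 2 == 0 else N - d  # key is negated if P has odd y
    R = mul(k)
    k = k if R[1] % 2 == 0 else N - k  # nonce is negated if R has odd y
    return R[0], (k + challenge(R[0], mul(d)[0], msg) * d) % N

def recover(px, a, b, m1, sig1, m2, sig2):  # returns the key, or None if nothing matches
    (rx1, s1), (rx2, s2) = sig1, sig2
    e1, e2 = challenge(rx1, px, m1), challenge(rx2, px, m2)
    # Nonce signs u1, u2 are unknown: s2 - t*a*s1 - u2*b = d*(e2 - t*a*e1), t = u1*u2
    for t, u2 in [(1, 1), (1, -1), (-1, 1), (-1, -1)]:
        den = (e2 - t * a * e1) % N
        d = (s2 - t * a * s1 - u2 * b) * pow(den, -1, N) % N if den else 0
        if d and mul(d)[0] == px:  # accept only a key matching the x-only pubkey
            return d

def demo(a, b=69420):  # a, b as in the challenge text; keys and messages constructed
    d, r1 = 3**150, 5**100  # constructed private key and first nonce
    m1, m2 = b"constructed message 1", b"constructed message 2"
    sig1, sig2 = sign(d, r1, m1), sign(d, (a * r1 + b) % N, m2)
    return recover(mul(d)[0], a, b, m1, sig1, m2, sig2) in (d, N - d)
```

The recovered scalar is the even-y form of the key, so it may be the negation of the signer's stored value. Deriving nonces deterministically from the key and message, as BIP-340 specifies, or drawing them from a CSPRNG removes the linear relation this depends on.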
@robot-dreams
Author

Well, they form a cyclic group if you exclude 0, and that's all I meant :) the element a.e1 - e2 has to be nonzero
