Menu:
crack demo
curve calculator
curve demo
bitcoin transaction
unittest
Author: Willem Hengeveld, itsme@xs4all.nl,
Source: on github.
Several example calculations with the bitcoin parameters. In these calculations the following parameters are used:
- p - the curve base prime field, this is used for calculations involving coordinates.
- G - the fixed generator point
- n - the curve group order, this is the total number of points.
- x - the secret key, a value between 0 and the group order
- k - the signing secret, a value between 0 and the group order
- px, py - the coordinates of the public key point, values between 0 and the coordinate order
- r - the first part of the signature, a value between 0 and the coordinate order
- s - the first part of the signature, a value between 0 and the group order
- m - the message, a value between 0 and the group order
- Y - the public key
Note that in bitcoin calculations the message is the hash of the prepared transaction.
Also note that in bitcoin the s value is required to be between 0 and half the group order, you have to take the negative when it is larger.
Example, cracking a key using secret-reuse
The calculation is: k = (m1-m2)/(s1-s2)
And then calculate x in the same way as in the next example.
Example, cracking a key using known secret
x = (s*k-m)/r
Example, calculate a public key
Y = G * x
Example, sign a message with a secret key
r = xcoord(G*k), s = (m+x*r)/k
Example, verify a message signature.
G*m+Y*r==R*s
Example, find pubkey.
Y = (R*s-G*m)/r
Example, find signing secret.
k = (m+x*r)/s
Example, add points.
Example, multiply point by a number.
Example, divide point by a number.
multiply by the modular inverse in GFn
Decompress a point
y = sqrt(x^3+a*x+b)
You can decompress from `y` as well.
x = cuberoot(y^2-7)
This works, because for the secp256k1 curve, 'a' is zero.
Validate point.
checks that: y2 == x3+a*x+b