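# SageMath demonstration: two ECDSA signatures made with the same nonce k
# under the same key reveal the private key d.
#
# Defensive takeaways:
#   * Detection:  two signatures under one public key that carry the same r
#                 value were produced with the same nonce.
#   * Mitigation: derive k deterministically per message (RFC 6979) or draw a
#                 fresh k from a CSPRNG for every signature; never cache it.
#
# Requires Sage: EllipticCurve, Zmod, is_prime, randint and inverse_mod are
# Sage globals, not Python builtins.

# Short Weierstrass curve y^2 = x^3 + a*x + b over a 160-bit prime field
# (note a == p - 3).  160-bit curves are below current size recommendations;
# the parameters only serve as a worked example.
a, b, p = (1461501637330902918203684832716283019653785059324,
           163235791306168110546604919403271579530548345413,
           1461501637330902918203684832716283019653785059327)
EC = EllipticCurve(Zmod(p), [a, b])
order = EC.order()
assert is_prime(p)
# A prime group order means every non-zero residue below is invertible mod order.
assert is_prime(order)

d = 364364  # private key: the value the two signatures end up disclosing
# The nonce is drawn ONCE and then used for both signatures -- this is the flaw
# under study.  randint is a general-purpose PRNG, tolerable only in a demo.
k = randint(1, order-1)

### Set up ###
# e1 and e2 stand in for the digests of two different messages.
e1 = 114514
e2 = 8101919
G = EC(598833001378563909320556562387727035658124457364,456273172676936625440583883939668862699127599796)
Q = d*G  # public key (not used by the recovery below)

### Sign ###
R = k*G
x1, y1 = R.xy()
assert x1 != 0

r1 = int(x1) % order
assert r1 != 0  # ECDSA rejects r == 0
s1 = int(inverse_mod(k, order)*(e1 + r1*d)) % order
# %-formatting keeps the output identical and runs on both Python 2 and
# Python 3 based Sage releases (the bare print statement is Python 2 only).
print("[+] Signature (r, s): %s" % ((r1, s1),))
assert s1 != 0

# Same R as above, hence r2 == r1: the repeated r is the observable symptom
# of nonce reuse.
r2 = int(x1) % order
s2 = int(inverse_mod(k, order)*(e2 + r2*d)) % order
print("[+] Signature (r, s): %s" % ((r2, s2),))
assert s2 != 0
# The recovery inverts r1*(s2 - s1); equal s values (e1 == e2 mod order)
# would make that term zero and inverse_mod would fail.
assert s1 != s2

### Recover ###
# s1 = (e1 + r*d)/k and s2 = (e2 + r*d)/k share k, so it cancels:
#   s1*e2 - s2*e1 = r*d*(e2 - e1)/k
#   r*(s2 - s1)   = r*(e2 - e1)/k
# and the quotient of the two is d.
secret_key = (s1*e2 - s2*e1) * inverse_mod(r1*(s2 - s1), order) % order
assert secret_key == d
print("[+] Secret Key: %s" % secret_key)


# Sample run.  The (r, s) pairs differ between runs because k is random; the
# recovered key is always d.
""" Result
[+] Signature (r, s): (792433504635038039504724819886211414904349202268, 1318458564074579222123459149729903787074462100644)
[+] Signature (r, s): (792433504635038039504724819886211414904349202268, 43412513872277201503092534320087992002705047654)
[+] Secret Key: 364364
"""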