-
Notifications
You must be signed in to change notification settings - Fork 3
Expand file tree
/
Copy pathconversation_export.txt
More file actions
118 lines (98 loc) · 4.46 KB
/
Copy pathconversation_export.txt
File metadata and controls
118 lines (98 loc) · 4.46 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
SHAMIR SECRET SHARING VULNERABILITY ANALYSIS
=============================================
PROBLEM STATEMENT:
------------------
A 12-word BIP39 mnemonic was split using Shamir Secret Sharing (3-of-5 threshold).
Two shares are provided, and we need to find the third share to recover the original mnemonic.
Target Address: bc1qyj... (pubkey hash: 17f33b1f8ef28ac93e4b53753e3817d56a95750e)
Derivation Path: m/84'/0'/0'/0/0
GIVEN SHARES:
-------------
Share 1: session cigar grape merry useful churn fatal thought very any arm unaware
Share 2: clock fresh security field caution effort gorilla speed plastic common tomato echo
ANALYSIS:
---------
1. Share Indices (extracted from last word's lower 4 bits):
- Share 1 index (x1): 3
- Share 2 index (x2): 15
2. Share Entropy (16 bytes each, without checksum):
- Share 1: c4451d9745defe5194e707f2e1442ef6
- Share 2: 2b6b9b0b2af24a8d592e88a605cf9022
3. Implementation Details:
- Uses GF(256) Galois Field arithmetic
- Polynomial degree: 2 (for 3-of-5 threshold)
- Each byte of entropy is processed independently
VULNERABILITY REFERENCES:
-------------------------
1. Armory Wallet Vulnerability:
- https://btcarmory.com/fragmented-backup-vuln/
- https://bitcointalk.org/index.php?topic=2199659.0
- Issue: Non-cryptographic RNG for polynomial coefficients
2. HTC Exodus Vulnerability:
- https://donjon.ledger.com/Stealing-all-HTC-Exodus-users/
- Issue: Weak MAC allowing brute-force attacks
3. GitHub Issue #23:
- https://github.com/bitaps-com/pybtc/issues/23
- Issue: Share index stored in last 4 bits of last word
ATTEMPTED APPROACHES:
---------------------
1. Linear Polynomial Assumption:
- Assumed polynomial is degree 1 instead of 2 (vulnerability in coefficient generation)
- Tried to recover secret using only 2 shares
- Result: Failed - hash mismatch
2. Pattern-Based Third Share:
- Tried XOR of two shares
- Tried duplicate shares
- Tried all-zeros and all-0xFF patterns
- Result: Failed - no match found
3. Brute-Force with Different Indices:
- Tried all possible third share indices (0-15)
- Combined with various entropy patterns
- Result: Failed - computationally infeasible for full 16-byte entropy
TECHNICAL DETAILS:
------------------
GF(256) Implementation:
- Primitive polynomial: 0x11B (x^8 + x^4 + x^3 + x + 1)
- Operations: addition (XOR), multiplication (using log/exp tables)
- Lagrange interpolation for polynomial reconstruction
BIP84 Derivation:
- Path: m/84'/0'/0'/0/0
- Uses PBKDF2-HMAC-SHA512 for seed generation
- ECDSA with SECP256k1 curve
- Compressed public key format
CHALLENGES:
-----------
1. Full brute-force of 16-byte entropy is computationally infeasible (2^128 possibilities)
2. Without knowing the exact vulnerability in the implementation, it's difficult to reduce search space
3. The vulnerability may require:
- Knowledge of the RNG seed used for coefficient generation
- Access to timing information or side-channel data
- Additional shares or metadata
NEXT STEPS:
-----------
1. Analyze the exact JavaScript implementation for specific vulnerabilities
2. Check if there's a pattern in how coefficients were generated
3. Look for mathematical relationships between the two shares
4. Consider if there's additional information (like creation timestamp) that could help
5. Examine if the GF(256) implementation has any weaknesses
CODE FILES CREATED:
-------------------
1. recover_mnemonic.py - Initial recovery attempt using linear interpolation
2. brute_force_third_share.py - Pattern-based brute force approach
3. exploit_vulnerability.py - Multiple vulnerability exploitation methods
CONCLUSION:
-----------
The recovery of the original mnemonic requires either:
- Finding a specific vulnerability in the implementation that reduces entropy
- Having additional information about the third share
- Performing an extensive brute-force search (computationally expensive)
The problem as stated suggests there should be a vulnerability that makes recovery feasible,
but without more specific information about the implementation flaw, a complete solution
remains elusive.
RECOMMENDATIONS:
----------------
1. Review the exact version of the bitaps implementation used
2. Check if there are any known vulnerabilities in that specific version
3. Analyze the random number generator used for coefficient generation
4. Look for any patterns or weaknesses in the share generation process
5. Consider if there's metadata or additional context that could help narrow the search space