= Pay for private key contracts in Ethereum =

Believe it or not - it's not exactly easy to do this in Ethereum either, because Ethereum doesn't allow you to directly generate and verify ECDSA key-pairs from within a contract [0]. The solution is to use a function called [http://solidity.readthedocs.io/en/develop/units-and-global-variables.html ecrecover] that we can exploit to implement pay for private key contracts in Solidity. Here's how it works.

ECDSA signatures have two components that matter here, r and s. The r value comes from the signature nonce, which is generated either deterministically from the message being signed or from a random number; the s value then depends on the message hash, that nonce and the private key. The point is that the r value created for a signature should always be unique with respect to the same public key. Or to put this another way: if you can get two valid signatures for the same public key that contain the same r value but with ''different'' s values, then you can effectively recover the private key.

'''To implement this in Solidity requires that you:'''
# Generate two signatures for unique messages with duplicate r values.
# Call ecrecover on both signatures and check that the public key returned matches the public key whose private key we're paying for.
# Check that the r values are the same, that the s values in both sigs are different and, to make recovery less complex, that v is the same for both signatures [1][2].

I have implemented the first step [https://github.com/robertsdotpm/pay_for_private_keys/blob/master/backdoor_sigs.py as a Python program] that generates an ECDSA key pair using the Bitcoin curve and then generates provably insecure signatures.
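To show why the three checks above are enough for the contract to pay out safely, here is an added pure-Python illustration (it is not the page's backdoor_sigs.py nor the PayForPrivKey contract): it signs two constructed messages under one secp256k1 key with a reused nonce, applies the same three conditions (equal r, distinct s, equal v), and then derives the private key from the pair. The curve parameters are secp256k1's; the messages, the key and the nonce are constructed for the demo.

```python
"""Added example: nonce reuse on secp256k1 and the checks a pay-for-private-key
contract applies to a pair of signatures.  Not the page's own code."""
import hashlib
import secrets

# secp256k1 domain parameters (the curve used by Bitcoin and Ethereum)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def _add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None  # a == -b
    if a == b:
        lam = (3 * x1 * x1) * pow(2 * y1, -1, P) % P
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P


def _mul(k, pt):
    """Double-and-add scalar multiplication."""
    acc = None
    while k:
        if k & 1:
            acc = _add(acc, pt)
        pt = _add(pt, pt)
        k >>= 1
    return acc


def hash_msg(msg: bytes) -> int:
    """Message hash as an integer (SHA-256 here; the contract uses whatever hash it is given)."""
    return int.from_bytes(hashlib.sha256(msg).digest(), "big")


def sign(d: int, z: int, k: int):
    """Textbook ECDSA with a caller-supplied nonce k; returns (r, s, v).
    v follows the Ethereum convention 27 + parity of R.y, so a reused k gives
    the same r *and* the same v.  No low-s normalisation is applied: flipping
    s to N - s would also flip v and change the sign in the recovery formula."""
    R = _mul(k, G)
    r = R[0] % N
    s = pow(k, -1, N) * (z + r * d) % N
    v = 27 + (R[1] & 1)
    return r, s, v


def contract_checks(sig1, sig2) -> bool:
    """The three conditions the text asks the Solidity contract to enforce on the pair."""
    r1, s1, v1 = sig1
    r2, s2, v2 = sig2
    return r1 == r2 and s1 != s2 and v1 == v2


def recover_private_key(z1, sig1, z2, sig2) -> int:
    """With a shared k:  s1 - s2 = k^-1 (z1 - z2)  =>  k = (z1 - z2) / (s1 - s2),
    and then  d = (s1 * k - z1) / r,  all mod N."""
    r, s1, _ = sig1
    _, s2, _ = sig2
    k = (z1 - z2) * pow(s1 - s2, -1, N) % N
    return (s1 * k - z1) * pow(r, -1, N) % N


def demo(d=None, k=None):
    """Sign two constructed messages with one key and one nonce, run the contract's
    checks, and return (original key, recovered key) so they can be compared."""
    d = d or secrets.randbelow(N - 1) + 1   # constructed private key
    k = k or secrets.randbelow(N - 1) + 1   # constructed (reused) nonce
    z1, z2 = hash_msg(b"test1"), hash_msg(b"test2")  # constructed messages
    sig1, sig2 = sign(d, z1, k), sign(d, z2, k)
    if not contract_checks(sig1, sig2):
        raise ValueError("pair does not satisfy the contract's conditions")
    return d, recover_private_key(z1, sig1, z2, sig2)


if __name__ == "__main__":
    original, recovered = demo()
    print("recovered key matches:", original == recovered)
```

Running `demo()` returns a pair of equal integers: the second signature under the same nonce fully determines the key, which is what makes the on-chain commitment meaningful. Requiring equal v is what keeps the recovery this simple; if one of the two signatures had been normalised to low-s, v would differ between them and the difference formula would need a sign correction.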
This is what the output looks like:
<pre>
Enter an Ethereum address that can redeem the coins: [enter is default]
Priv key = 0dbddccbd9c0397ae80d9ba2a01e625b71dae3413598ae21fe4d3e0cea2c5d67
Pub key = 049c1c62c019dc8156671f1e74aff64b2a102bedf29f33dc52abdb80dba70a95a3e37058f85d38771e6034715787d36877a57f4a739b1d3cdd62e738d4f8ad3d3c
Address = 0xfc2a2603163b3e3386507c28de32f560e33b25bc
r1 = 66b47c56dfc6d319786c6a7e4f3271426181766898208d5bcc06a1c8e3975c4f
s1 = 09781316b4b9188a074c152feecb3aceda224fb88d4b616011697baeeaeb7988
s2 = 6e1bc76f6796e950c9c072000fa69c53d4655323fdadde2ecb2e3874d231696e
hm1 = 6d255fc3390ee6b41191da315958b7d6a1e5b17904cc7683558f98acc57977b4
hm2 = 4da432f1ecd4c0ac028ebde3a3f78510a21d54087b161590a63080d33b702b8d
v1 = 1c
v2 = 1c
m1 = test1
m2 = test2
solution hash = a0365a69d289ebc16179c38dcf52770605c9920c702f6d751ccb0019b055b852
Eth input = "0x6d255fc3390ee6b41191da315958b7d6a1e5b17904cc7683558f98acc57977b4", 28, "0x66b47c56dfc6d319786c6a7e4f3271426181766898208d5bcc06a1c8e3975c4f", "0x09781316b4b9188a074c152feecb3aceda224fb88d4b616011697baeeaeb7988", "0x4da432f1ecd4c0ac028ebde3a3f78510a21d54087b161590a63080d33b702b8d", "0x6e1bc76f6796e950c9c072000fa69c53d4655323fdadde2ecb2e3874d231696e", "0xcfd31d218dccc9b553458f1b6c4ace40dada01f7", "0xcfd31d218dccc9b553458f1b6c4ace40dada01f7", 0
Recovery 1 = 049c1c62c019dc8156671f1e74aff64b2a102bedf29f33dc52abdb80dba70a95a3e37058f85d38771e6034715787d36877a57f4a739b1d3cdd62e738d4f8ad3d3c
Ver sig hm1 from rec = True
Ver sig hm1 from attack = True
Recovery 2 = 049c1c62c019dc8156671f1e74aff64b2a102bedf29f33dc52abdb80dba70a95a3e37058f85d38771e6034715787d36877a57f4a739b1d3cdd62e738d4f8ad3d3c
Ver sig hm2 from rec = True
Ver sig hm2 from attack = True
</pre>

'''Now send this to [https://github.com/robertsdotpm/pay_for_private_keys/blob/master/truffle/contracts/PayForPrivKey.sol our Ethereum contract] and here is what the steps are:'''
# Create a new instance of the PayForPrivKey contract and specify the Ethereum address for the public key whose private key you want to find. The Python program converts the ECDSA pub key to an Ethereum address for you automatically :) So copy-paste.
# Create a commitment. This means you're just hashing all the solution values for the backdoored signatures along with the address that you want to receive an Ether reward at. When you run the Python script it asks for a destination address (there is a default Ethereum address there for testing already.)
# Copy-paste the solution_hash into the CommitSolutionHash function. It will return an index number that you should save.
# Wait for the min_block number so you don't get h4x0red by blockchain devs.
# Prove that you know the solution by revealing the commitment. There is a function in the Solidity contract called ProvePrivKey that takes most of the data above to prove you know the private key. I have made things easier - just copy and paste the Ethereum input string directly into this function and replace the index number at the end with the result from step 3.
# Enjoy your new Ether.

Note: I haven't deployed this to testnet or mainnet yet because my Internet is currently terrible, but if anyone wants to deploy this to either network hit me up over email with a contract address.

<span id="atomic-storage-contracts"></span>