Quote
Now, let’s say we have two signatures. One has a fault and the other one is valid [2]. We then have (r,s) for the valid one, and (r_f,s_f) for the fault. These will be:
s_f = k^-1 * (h + d * r_f) (mod p)
s = k^-1 * (h + d * r) (mod p)
If r-value is wrong, then k-value is also wrong, both should change at the same time, if not, then other things like the base point has to change. If r-value is wrong and k-value is right, then something bad is going on.s_f = k^-1 * (h + d * r_f) (mod p)
s = k^-1 * (h + d * r) (mod p)
In general, I don't understand something or this article is suspicious:
1) their assumptions are quite strong, for example it is unlikely to get two signatures, where the signed message is identical
2) their calculations are tricky, for example in the middle of their calculations, they skip the signed message in their equations
3) they use some weird formatting, where I don't know if something is a multiplication, or maybe it is a dot, because it looks like accessing a member of a structure in C
Edit: Probably I should read the original source first to reproduce that, because it has better quality: https://www.usenix.org/system/files/sec22-sullivan.pdf