Topic: (closed) (Read 192 times)
With the code everything is ok. IT cannot be the same pubkey. And IT means there is problem with secp because there is constans value for specific transaction with another pubkey which is valid. And can be very easy calculated. Of course on this example for second privatekeys real nocne is n - nocne. But still doesnt knows why is the same solutions as r and s for the same message hash. This is questions. I was sure that r s z is uniqe.
Yes. IT is multiplication ecc generator of secp256k1
why it works?
Because when checking the signature, only the x-coordinate is checked, and since due to symmetry there are two points with the same X, there are two different private keys that lead to the same solution. To calculate the second possible key, it is enough to take a symmetrical nonce.
With your parameters from the example:
Code:
r= 69933057925445156103627311546056983351587171473600111963597898281808348149939
s= 99514802695095857543902537284008490009261385852143431210120625655251582757337
z= 12948693844049826047046411457108709640188688022302896372272988915976703455562
nonce= 76658540346477621248539633331872761318528094222023647613764244410682868036596
nonce_sym = (nonce * (n-1)) % n
priv1 = (modinv(r,n) * ((nonce * s) - z)) % n
print(priv1) #664613997892457936451903530140172288000
priv2 = (modinv(r,n) * ((nonce_sym * s) - z)) % n
print(priv2) #110623181588558332205237110447978292605510900347349684371947434845384786316778
I can't tell you what is wrong with your code, though I suspect that '*' is not doing what you think is to doing, so I wrote this simple python script:
It outputs this:
As you can see the public keys are not the same.
Code:
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import serialization
private_key_1 = ec.derive_private_key(664613997892457936451903530140172288000, ec.SECP256K1())
private_key_2 = ec.derive_private_key(110623181588558332205237110447978292605510900347349684371947434845384786316778, ec.SECP256K1())
public_key_1 = private_key_1.public_key()
serialized_public_key_1 = public_key_1.public_bytes(
encoding=serialization.Encoding.X962,
format=serialization.PublicFormat.CompressedPoint
)
print(serialized_public_key_1.hex())
public_key_2 = private_key_2.public_key()
serialized_public_key_2 = public_key_2.public_bytes(
encoding=serialization.Encoding.X962,
format=serialization.PublicFormat.CompressedPoint
)
print(serialized_public_key_2.hex())
It outputs this:
Code:
$ /bin/python3 ecc.py
0235837d0b32b721f7419eff16e0554f3ea7a723b70552bce041033793499394a1
029070ed75372ac4cf02628996c1a68bda13669ac146303d63b6d28cb29f6c21a1
As you can see the public keys are not the same.
Code:
...
pub1=private1*G
pub2=private2*G
...
I am not familiar with SageMath. Does the '*' operator here do ECC multiplication?
You've considered s1 equal with s2, but s is a value resulted from d and k. If r and s values are the same (as you've let), then either d values are the same or it's a collision.
This is the equation. Have you checked that it gives the same value for these two private keys?
Is this your code? Seems clumsy. I leave room to question function verify.
This is the equation. Have you checked that it gives the same value for these two private keys?
Code:
s = k^(-1) * (z + d * r) mod n
Is this your code? Seems clumsy. I leave room to question function verify.
a = Mod inv 2 * 1 = 1/2
pub * a = 1/2 pub = bew G
2 * new G = PUB.
priv * G = PUB TOO
this bug was found some esrs ago, I thin it was already patched
pub * a = 1/2 pub = bew G
2 * new G = PUB.
priv * G = PUB TOO
this bug was found some esrs ago, I thin it was already patched
Solved
Jump to: