Author

Topic: issue calculating key from reused R (Read 136 times)

member
Activity: 69
Merit: 53
January 02, 2023, 04:53:21 AM
#4
how did you find such a transaction that was using same R?
is there a tool available for the calculcation which takes those values as input argument and output the resulting private key?
Hello
You can use Same R cracker utility at following link.
offline https://github.com/nlitsme/bitcoinexplainer
online https://rawcdn.githack.com/nlitsme/bitcoinexplainer/aa50e86e8c72c04a7986f5f7c43bc2f98df94107/ecdsacrack.html

I have tested this work stable no bug.

Also possible in python
Code:
def Crack_K_Same_R(R,S1,S2,H1,H2):
t1 = pow((S1-S2), N-2, N)
TestK = 0
TestK = ((H1-H2) * t1) % N
if ((TestK*G).x.num == R):
print("!!!Winner!!! %064X " % TestK );
exit();
print("Not valid. %064X " % t1)

Once you have K = nonce you can extract private key X
newbie
Activity: 72
Merit: 0
January 02, 2023, 04:17:38 AM
#3
how did you find such a transaction that was using same R?
is there a tool available for the calculcation which takes those values as input argument and output the resulting private key?
newbie
Activity: 10
Merit: 2
December 30, 2022, 04:47:28 AM
#2
nevermind, calculated key is correct it was just the encoding to wif that was not handled correctly Smiley
newbie
Activity: 10
Merit: 2
December 30, 2022, 04:23:47 AM
#1
For address 1G4TqNcKTRRuQ3brQSv85Fohf3jQiaGAbL, there are 2 transactions with signatures using the same R:
- 47faedac99c414f103d7f81f409382d19a0e3b98064096f4c446dceadfff689c vout 0
- 01653d5194cde351de1e1c23f3fa5fde25b98cb0068bc5a0c749f8dfccdc4ac1 vout 0

I extract the R, S, Z values as follows:
TX1:
     R: 615e47355ff14f5b00af8943813db16d69c8421ef1145029fd164b29db2c286b
     S: 00861e1477082d4c7443146fcb42741ee6798437a5d44437c7e33d863e730bb426
     Z: c67381a96fcc81ee9d69e252dd112b084871b23a23a8341cc7dbee6d48d8e2c6

TX2:
     R: 615e47355ff14f5b00af8943813db16d69c8421ef1145029fd164b29db2c286b
     S: 008dc69f90f6d94040dc4cd51f297d3d518d04622dcc65f3489804175b681b5b38
     Z: f98bcd3057809e67641b57d51a2d492aa0a49395edbffd58cc819b6e6d844c29

From here I should be able to calculate the private key with the formula
(z2*s1 - z1*s2) * inverse(r*(s2-s1),p) % p

This however results in the raw key 72716422e10951e92990260d905e1006587d162b06fbd890f4105783d88aa26 which translates to the WIF equivalents of 17c3rHrHLSZBnwu3n9JdmjVBPviyGFTxse / 1PWZNyvQmk9GZnivcgboRdWS6me1SkzGje.

This method seems to work for other examples but with this one the resulting key is wrong. What could be the cause?
Jump to: