Pages:
Author

Topic: Nonce k and k +1 (ECDSA SIGNATURE) (Read 2266 times)

member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
May 22, 2024, 08:58:16 AM
#51
R1 = 0x49bf1b1c8364c4179bd82a3be28b1a326c2c1b2d120c3264865ecbc4dbaed4b3
S1 = 0x4ad0d60d72880bf0a51d88d0d5138ffa3593273bd0b3d48a5afe04023db9c2c9
Z1 = 0x1362d682d8872a0451e5f0d86f743a62bf0730b57ddddc901668d837cbfa2f48
R2 = 0x00ad7991e3b3d36f6f17a22fad1faddc53e7c124e5b6626db172c79299fce5cfb6
S2 = 0x10ecd8352675027f74edc18180ac083d75a1488497c6c3078a5966015514ac46
Z2 = 0xfec02a5d53eb20a6e470b7c321e0da83ea6d677f600f67033abf4b0e6b8745aa
m = 1

Private KEY:  0xB493E748065400A61D7AFCB0BB852B36EC6D39A0BA41D65307DB568792EA3797

k1 = 0xC8334DE96BCD1073839831DD17A24173C3C2E3396CAB5FCD3544A83F5B476B85
r1 = 0x49bf1b1c8364c4179bd82a3be28b1a326c2c1b2d120c3264865ecbc4dbaed4b3
s1 = 0x4ad0d60d72880bf0a51d88d0d5138ffa3593273bd0b3d48a5afe04023db9c2c9
z1 = 0x1362d682d8872a0451e5f0d86f743a62bf0730b57ddddc901668d837cbfa2f48

k2 = 0xC8334DE96BCD1073839831DD17A24173C3C2E3396CAB5FCD3544A83F5B476B86
r2 = 0xad7991e3b3d36f6f17a22fad1faddc53e7c124e5b6626db172c79299fce5cfb6
s2 = 0x10ecd8352675027f74edc18180ac083d75a1488497c6c3078a5966015514ac46
z2 = 0xfec02a5d53eb20a6e470b7c321e0da83ea6d677f600f67033abf4b0e6b8745aa

k2 = k1 + 1


Nonce is a secret key for pubkey 02+r
jr. member
Activity: 34
Merit: 2
May 21, 2024, 08:27:37 PM
#50
a slight tangent question on this topic....

When trying to acquire  data suitable to  calculate all desired components ( R,S, K, Z, etc...) are we better of :

A) searching through all transaction hashes of an address?

B)Searching through UTXOs hashes?

c) searching through spent only outputs hashes ?

D) searching throught unspent only outputs hashes?

Thanks!


jr. member
Activity: 82
Merit: 8
May 21, 2024, 02:31:12 PM
#49
R1 = 0x49bf1b1c8364c4179bd82a3be28b1a326c2c1b2d120c3264865ecbc4dbaed4b3
S1 = 0x4ad0d60d72880bf0a51d88d0d5138ffa3593273bd0b3d48a5afe04023db9c2c9
Z1 = 0x1362d682d8872a0451e5f0d86f743a62bf0730b57ddddc901668d837cbfa2f48
R2 = 0x00ad7991e3b3d36f6f17a22fad1faddc53e7c124e5b6626db172c79299fce5cfb6
S2 = 0x10ecd8352675027f74edc18180ac083d75a1488497c6c3078a5966015514ac46
Z2 = 0xfec02a5d53eb20a6e470b7c321e0da83ea6d677f600f67033abf4b0e6b8745aa
m = 1

Private KEY:  0xB493E748065400A61D7AFCB0BB852B36EC6D39A0BA41D65307DB568792EA3797

k1 = 0xC8334DE96BCD1073839831DD17A24173C3C2E3396CAB5FCD3544A83F5B476B85
r1 = 0x49bf1b1c8364c4179bd82a3be28b1a326c2c1b2d120c3264865ecbc4dbaed4b3
s1 = 0x4ad0d60d72880bf0a51d88d0d5138ffa3593273bd0b3d48a5afe04023db9c2c9
z1 = 0x1362d682d8872a0451e5f0d86f743a62bf0730b57ddddc901668d837cbfa2f48

k2 = 0xC8334DE96BCD1073839831DD17A24173C3C2E3396CAB5FCD3544A83F5B476B86
r2 = 0xad7991e3b3d36f6f17a22fad1faddc53e7c124e5b6626db172c79299fce5cfb6
s2 = 0x10ecd8352675027f74edc18180ac083d75a1488497c6c3078a5966015514ac46
z2 = 0xfec02a5d53eb20a6e470b7c321e0da83ea6d677f600f67033abf4b0e6b8745aa

k2 = k1 + 1
newbie
Activity: 30
Merit: 0
May 17, 2024, 12:56:10 AM
#48
I think this is best solution to break Ecdsa.
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
May 17, 2024, 12:07:43 AM
#47
We have r1 = r2 because k is not used to calculate it. This simplifies things further to (s1k1 - h1) mod n = (s2(k1 + M) - h2) mod n
I think you are mixing two different things here.
If k2==k1 then r2==r1
but
If k2!=k1 then r2!=r1 (the case where k2=k1 + M)
and you can't remove it.
Keep in mind that k is also a private key (the ephemeral key) with public key R and r is the x coordinate of it mod n. In other words k is used to calculate r.


interesting formula:

If k2!=k1 then r2!=r1 (the case where k2=k1 + M)
and you

Code for finding difference between k and k1+M
 While (k1+M != k:

         (k1+ M ) = (k1+M) - 1


I think what k1+M is a r , so make pubkey is easy and find  difference between two r is possible because the will be in a range of k . But what to do if difference is funded , what next can be ?
newbie
Activity: 30
Merit: 0
May 16, 2024, 06:34:18 AM
#46
Hello friends. Inspired by the table on iceland's rsz, I created code in phyton for the cases where k,k+1...k+m. Since there is no such example whose private key I know, I ask you to check it. If it works, I will publish it on github. As far as I can see, there is no such resource, we can all benefit from it. Can anyone who sees it please check it out and give their opinions?

Code:
def h(n):
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m
   
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141



R1 = 0x49bf1b1c8364c4179bd82a3be28b1a326c2c1b2d120c3264865ecbc4dbaed4b3
S1 = 0x4ad0d60d72880bf0a51d88d0d5138ffa3593273bd0b3d48a5afe04023db9c2c9
Z1 = 0x1362d682d8872a0451e5f0d86f743a62bf0730b57ddddc901668d837cbfa2f48
R2 = 0x00ad7991e3b3d36f6f17a22fad1faddc53e7c124e5b6626db172c79299fce5cfb6
S2 = 0x10ecd8352675027f74edc18180ac083d75a1488497c6c3078a5966015514ac46
Z2 = 0xfec02a5d53eb20a6e470b7c321e0da83ea6d677f600f67033abf4b0e6b8745aa
m = 1

print (h(((S2*m*R1 + Z1*R2 - Z2*R1) * (S1*R2 - S2*R1)^(-1)) % N))



Hi I tried this and this don't worked for me.
newbie
Activity: 30
Merit: 0
March 19, 2024, 06:16:38 PM
#45
Hello friends. Inspired by the table on iceland's rsz, I created code in phyton for the cases where k,k+1...k+m. Since there is no such example whose private key I know, I ask you to check it. If it works, I will publish it on github. As far as I can see, there is no such resource, we can all benefit from it. Can anyone who sees it please check it out and give their opinions?

Code:
def h(n):
    return hex(n).replace("0x","")

def extended_gcd(aa, bb):
    lastremainder, remainder = abs(aa), abs(bb)
    x, lastx, y, lasty = 0, 1, 1, 0
    while remainder:
        lastremainder, (quotient, remainder) = remainder, divmod(lastremainder, remainder)
        x, lastx = lastx - quotient*x, x
        y, lasty = lasty - quotient*y, y
    return lastremainder, lastx * (-1 if aa < 0 else 1), lasty * (-1 if bb < 0 else 1)

def modinv(a, m):
    g, x, y = extended_gcd(a, m)
    if g != 1:
        raise ValueError
    return x % m
   
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141



R1 = 0x49bf1b1c8364c4179bd82a3be28b1a326c2c1b2d120c3264865ecbc4dbaed4b3
S1 = 0x4ad0d60d72880bf0a51d88d0d5138ffa3593273bd0b3d48a5afe04023db9c2c9
Z1 = 0x1362d682d8872a0451e5f0d86f743a62bf0730b57ddddc901668d837cbfa2f48
R2 = 0x00ad7991e3b3d36f6f17a22fad1faddc53e7c124e5b6626db172c79299fce5cfb6
S2 = 0x10ecd8352675027f74edc18180ac083d75a1488497c6c3078a5966015514ac46
Z2 = 0xfec02a5d53eb20a6e470b7c321e0da83ea6d677f600f67033abf4b0e6b8745aa
m = 1

print (h(((S2*m*R1 + Z1*R2 - Z2*R1) * (S1*R2 - S2*R1)^(-1)) % N))

newbie
Activity: 30
Merit: 0
March 19, 2024, 07:24:19 AM
#44
Hello friends. I have two RSZ values obtained from the transfer of a bitcoin address and I want to find the nonce/private key. I do not write the values for confidentiality reasons, but I give approximate values as an example. k can be k+1. I'm sure there are many people here who can figure this out, but I can't. Any python code formulas etc that can help me? is there? I need your ideas.
R1 = 00a61d1110016763ed34995c319a42ea81b96a593efb29a4a46880bd8fe955077f
S1=009a72c80ae72e6edbe93d96d0202cc73bdf4ed1630c23381b2891e2427393878
Z1=306801f94f8bed2d753a66c60a614f359ff94758937bc7f950a9865d33ce1092

R2 = 00a6f4e7382a1c878a740e113c313779bcaa2dc20af5c1ff6c2bb7011cfb278c0d
S2=009cbddcba33bd30b4caad188ab02552e68b74fd43946e5b5a7f593dd367a26d28
Z2=9c76db1673ded5f0028abe36ad3b47bc47973681530481a32e1e7dd2f66ba0fd

The values are here, R1-R2 and S1-S2 are close to each other. I don't know how to make the connection. And of course how to calculate this correctly. I would be grateful if you help.
jr. member
Activity: 43
Merit: 1
December 17, 2022, 06:01:22 PM
#43
How can one calculate a message hash?

You take the text input, whether it is some signed message text or a raw transaction, and then pass it through SHA256(SHA256(input)), and save the result as e.

For ECDSA done on the secp256k1 curve, such as all kinds of bitcoin signatures, we are done at this point and we can set h = e our message hash.

However for some other different curves, you have to take the leftmost n bits of e after the double SHA256 hash. Where n can be found from the group order of the curve. So for example, secp256k1's group order is about 2^256 so it's n would be 256.

Keep in mind that the leftmost n bits equals the entire length of e if log2(curve's group order) == bit length of hash function used. When we are using both double SHA256 and secp256k1 curve in ECDSA like we are now, we know the double SHA256 always outputs 256 bits so these two values are equal and the entirety of e is used as the message hash.

The above paragraph implies that you are able to use a different hash function other than double SHA256 provided that its number of bits of output is greater than log2(curve's group order), because smaller-length hash functions are not allowed to be used with larger curve orders.

you want say that H(m) of transaction? if message is empty/null it just sha256(sha256(020000000155010ca6a15764977be218d19259d3e021b80851a1338530ad40d612f07c4b5801000 0006a47304402202062fb0a71961e18f155a3d54b468f1560425a8bd8a7fc9c6064aac149a24108 02201e5469c0d89bb32faf087eabf1d631c35b829bc45e09a8728e88c320811b01fc01210248d31 3b0398d4923cdca73b8cfa6532b91b96703902fc8b32fd438a3b7cd7f55ffffffff019808000000 0000001600143faaa7380c35d3d307b7caa3d2a1038fd3fe2c0500000000)) - and thats it?
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
December 09, 2022, 11:46:07 AM
#42
r1/s1 mod order = r2/s2 mod order

it's same signature, no diffrent signature


Code:
k1 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675914
k2 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675915

sage: r1/s1%N
109263722787838616791900575947640359553086907200677310074463510255775504782173

sage: r2/s2%N
109263722787838616791900575947640359553086907200677310074463510255775504782173


Can u give the sagemath or python code on how u do this.. Thank u so much.

I have never used sagemath before but this is sage code so it should work exactly as-is.

It might also work in Python just like that, considering that it uses GMP under the hood, but you might see exponents to the power of 10  instead of the actual number.
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
March 24, 2021, 11:17:09 AM
#41
How can one calculate a message hash?

You take the text input, whether it is some signed message text or a raw transaction, and then pass it through SHA256(SHA256(input)), and save the result as e.

For ECDSA done on the secp256k1 curve, such as all kinds of bitcoin signatures, we are done at this point and we can set h = e our message hash.

However for some other different curves, you have to take the leftmost n bits of e after the double SHA256 hash. Where n can be found from the group order of the curve. So for example, secp256k1's group order is about 2^256 so it's n would be 256.

Keep in mind that the leftmost n bits equals the entire length of e if log2(curve's group order) == bit length of hash function used. When we are using both double SHA256 and secp256k1 curve in ECDSA like we are now, we know the double SHA256 always outputs 256 bits so these two values are equal and the entirety of e is used as the message hash.

The above paragraph implies that you are able to use a different hash function other than double SHA256 provided that its number of bits of output is greater than log2(curve's group order), because smaller-length hash functions are not allowed to be used with larger curve orders.
newbie
Activity: 8
Merit: 0
March 24, 2021, 09:53:09 AM
#40
How can one calculate a message hash?
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
March 03, 2021, 01:24:35 PM
#39
I've been busy for the past few days ...
I would like to show that the topic signature is real and valid (in theory)



x, k, r, h and s are in the order of the curve and are fully accepted by the bitcoin protocol!


Satisfies all the math required of a valid signature

This is not the objective of this thread . I am still trying to find some method to resolve these signatures. And I'm also creating other fun things ... this other thread is very interesting https://bitcointalksearch.org/topic/m.56483595
member
Activity: 873
Merit: 22
$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk
March 03, 2021, 06:46:19 AM
#38
So.... It is posible finde k with different s_1,b_1,z_1 and s_2,b_2,z_2 from one publick key transactions sign? Use a s_1,b_2, s_2=s_1,b_2  more easy I think...

P.s. please, if you don know exact, do not post a messages about unrial find a k without s_1=s_2

P.s. all optimists are welcome Smiley
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 21, 2021, 10:06:41 AM
#37
Fried my brain Shocked
What do you mean? We already know s1 s2 r1 r2 h1 and h2, the constants M and N which I introduced can be removed by setting to the values at the top of this post, and n is the group order of secp256k1. That only leaves us with k as the unknown. The whole right-hand side becomes a constant which makes k solvable.
Equation with only 1 variable and we were unable to solve it. I'm already getting agonized
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 21, 2021, 09:41:22 AM
#36
@bytcoin

Your question has been answered.  Please very carefully read over these two posts:

I really think this should work, unless I made a mistake in my math.  Did you double check all my algebra?
The problem is that with these specific values given in OP it is not possible to compute this particular case.
Whether you use my equation in that other topic to directly compute the private key (du) or first compute k with your equation here then compute private key from there, you'll get 0 which you can't compute its modular multiplicative inverse (ax ≡ 1 (mod m) where a=0 doesn't have an answer).
To be specific:
s2-1r2 - s1-1r1 = 0
Also
r's - rs' = 0
It's not really an ecdsa signature if you're just handed a hash. Tongue  Performing the hashing is integral to the process and without it you can generate all sorts of degenerate examples. ... including 'forged' 'signatures' for pubkeys where no one knows the private key.

@bytcoin, let me try to paraphrase these answers for you:

If my formula to find k (and then find the private key) OR the formula in the other thread that finds the private key directly OR any of the other correct formulas in this thread or any other thread do not work to find the private key then the signature is not a valid signature.

Do you understand now? 

Your question boils down to this:  If I create a totally invalid signature why do these formulas not work?

The answer is right there in your question:  The reason it does not work is that you started with an invalid signature.

I hope this help.

BurtW
I know that the concept of the signature is to prove data integrity, to prove that a person has a particular private key, to prove many other things. Now about these two signatures ... In theory, I prove that these two signatures on this topic are real and valid! Now in practice, it would even prove, but it would be totally impracticable and crazy to try brute force with pre image.
If you think it's more correct ... I can change the title and description.
k and k + 1 of signatures (theoretically real and valid)
Is there any method for solving these types of theoretically signatures?
Is it better this way?
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
February 20, 2021, 10:47:37 AM
#35
@bytcoin

Your question has been answered.  Please very carefully read over these two posts:

I really think this should work, unless I made a mistake in my math.  Did you double check all my algebra?
The problem is that with these specific values given in OP it is not possible to compute this particular case.
Whether you use my equation in that other topic to directly compute the private key (du) or first compute k with your equation here then compute private key from there, you'll get 0 which you can't compute its modular multiplicative inverse (ax ≡ 1 (mod m) where a=0 doesn't have an answer).
To be specific:
s2-1r2 - s1-1r1 = 0
Also
r's - rs' = 0
It's not really an ecdsa signature if you're just handed a hash. Tongue  Performing the hashing is integral to the process and without it you can generate all sorts of degenerate examples. ... including 'forged' 'signatures' for pubkeys where no one knows the private key.

@bytcoin, let me try to paraphrase these answers for you:

If my formula to find k (and then find the private key) OR the formula in the other thread that finds the private key directly OR any of the other correct formulas in this thread or any other thread do not work to find the private key then the signature is not a valid signature.

Do you understand now? 

Your question boils down to this:  If I create a totally invalid signature why do these formulas not work?

The answer is right there in your question:  The reason it does not work is that you started with an invalid signature.

I hope this help.

BurtW
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 19, 2021, 02:43:39 PM
#34
@NotATether I just finished the tests ... I tried three more equations, including yours. I modified the equations, tried other methods but no progress for today.
I know that we have only one unknown variant. That's what motivates me and gives me hope, but it's difficult! I may be talking nonsense, but for me this difficulty has to do with the security of ECDSA ... if we can really find some method that calculates these types of forged signatures it will be a great advance.
Today is done! I think these calculations are driving me crazy
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
February 19, 2021, 01:45:15 PM
#33
Fried my brain Shocked

Just use the third-to-last one, it's condensed and easy to understand.

k1 = (s2Mr2-1r1 - h2r2-1r1 + s1h1)(s1 - Ns2r2-1r1)-1 mod n

You're only interested in k,k+1 so just set N to 0 and M to 1 to get rid of at least one unnecessary term My mistake, you need to set N and M both to 1 to reduce it to k,k+1.

...

I was thinking yesterday before I went to sleep and I think we can hardly resolve this. It must be related to the security and integrity of ECDSA. I think the degree of difficulty is the same as solving a discrete logarithm. Certainly, an obstacle has been placed in a way that cannot be solved. Will not give up! What do you all think?


What do you mean? We already know s1 s2 r1 r2 h1 and h2, the constants M and N which I introduced can be removed by setting to the values at the top of this post, and n is the group order of secp256k1. That only leaves us with k as the unknown. The whole right-hand side becomes a constant which makes k solvable.
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 19, 2021, 10:59:26 AM
#32
Fried my brain Shocked

k1 = s1s2Mr2-1r1 - s1h2r2-1r1 + s1s1h1 - s2Mr2-1r1N-1s2-1r2r1-1 + h2r2-1r1N-1s2-1r2r1-1  - s1h1N-1s2-1r2r1-1 mod n

I was thinking yesterday before I went to sleep and I think we can hardly resolve this. It must be related to the security and integrity of ECDSA. I think the degree of difficulty is the same as solving a discrete logarithm. Certainly, an obstacle has been placed in a way that cannot be solved. Will not give up! What do you all think?
Pages:
Jump to: