Topic: Nonce k and k +1 (ECDSA SIGNATURE) - page 2. (Read 2266 times)

So let me see if I understand this correctly, and for brevity all sides of each equation are mod n.

(s₁k₁ - h₁)r₁^-1 mod n = (s₂(Nk₁ + M) - h₂)r₂^-1 mod n

(s₁k₁ - h₁) mod n = (s₂(Nk₁ + M) - h₂)r₂^-1r₁ mod n

(s₁k₁ - h₁) mod n = (Ns₂k₁ + s₂M - h₂)r₂^-1r₁ mod n

(s₁k₁ - h₁) mod n = Ns₂k₁r₂^-1r₁ + s₂Mr₂^-1r₁ - h₂r₂^-1r₁ mod n

s₁k₁ - Ns₂k₁r₂^-1r₁ mod n =  s₂Mr₂^-1r₁ - h₂r₂^-1r₁ + s₁h₁ mod n (this is the one you corrected, all I did differently is I injected an N term. You missed an s₁ at the end)

k₁(s₁ - Ns₂r₂^-1r₁) mod n =  s₂Mr₂^-1r₁ - h₂r₂^-1r₁ + s₁h₁ mod n

k₁ = (s₂Mr₂^-1r₁ - h₂r₂^-1r₁ + s₁h₁)(s₁ - Ns₂r₂^-1r₁)^-1 mod n


While this is correct, I could expand the right hand side to remove all those parentheses but it would look like a hairy mess and I will leave it as an exercise for the reader I'm a sucker for finishing what I started so the final result is:

k₁ = s₁s₂Mr₂^-1r₁ - s₁h₂r₂^-1r₁ + s₁s₁h₁ - s₂Mr₂^-1r₁N^-1s₂^-1r₂r₁^-1 + h₂r₂^-1r₁N^-1s₂^-1r₂r₁^-1  - s₁h₁N^-1s₂^-1r₂r₁^-1 mod n

which can naturally be simplified to

k₁ = s₁s₂Mr₂^-1r₁ - s₁h₂r₂^-1r₁ + 2s₁h₁ - MN^-1 + h₂N^-1s₂^-1  - s₁h₁N^-1s₂^-1r₂r₁^-1 mod n

The terms without an M or N can be cached if you code this which'll save a some runtime, assuming signatures and message hashes are constant (which means we're just brute-forcing k by assuming the other k is different from k by a linear term, Nk + M).

@NotATether Sometimes, my comments are confusing. My English is not good. I'm sorry.
I created a spreadsheet here on my computer. If the calculation of the two signatures, result in one of these results:

84116094074080348475330923628085381068004819051024688231235408808498228990658
115421525668746794300572425383651760936474682288376011738901581099735267291166
75779132765082272339365318603976127143129139578655065948953011818747694903968
32721048879590668468057403381344519604794634274281442143310950080100256809376
73945527799545926295868811396190775221755301413228649694146980038976859413881
83071040357725526955513581627343388248042930004793462239294213061417904684961
110900498335176639903790421791145116630753202651925129197353093911482849572115
100915994223500593859265530587355021827054480090260046643398682409155495014021
18772090316994453489815097488437362913349084079003363299774406415210330663724
47226580324836868909364298177641258714214836472397407238813848770680029086521
56529777543389028600359529180589793809150046410530956964827364144104464543696
68565508912479326514206686831046649138622727806677497143791314370838132407816
95614300240862244467441604468469811057219298200932829791855660913288043519424
91853994770595467928679085106674415264953937877422163279062103074479382308082
70340029117077187103609015206390689046236439143934658628690673731161038123272
56288579777741994839950743658321865276315378685235290603150428105356141792460
114077498629986369252568485796816272967465715858922414102041658195335049229411
59503509459574200583620241350366042576522185593839613779454735036162019701877
3157016186039629198989683176712727066004916479529634997551227882338456118091
113972727122455751122606348709450118426555794247055235259681988180640808438349
78050106958269618215705840346149000019834478654902500371716973685533534066650
34169847425881711646023480055546162114713522315602218622530542999194715662193
73621331483084656777597982069714150546901789628714569435738760993298398924203
81622241811434483777547504953141745738124041963472685760074620142323445832144
70340029117077187103609015206390689046236439143934658628690673731161038123272
44718176830454434898540719422248360645570272508025487909509951706716265490856
95614300240862244467441604468469811057219298200932829791855660913288043519424
103424397717883027870089109342747919895699044054631965972702579473119258609686
21101819692638526149317216481479108956505606170114713781324009606425162496681
12367691519433167553481875665939987957138520224442938409902583668398902884651
112635073051276566224581301831975180786832647799545269385053935259179705376246
34169847425881711646023480055546162114713522315602218622530542999194715662193
37741982279046577207865144662538907833003085624172404010888189455984627427687
113972727122455751122606348709450118426555794247055235259681988180640808438349
42170757754231538645973002938973757305935774650360334946866402148219762570134
1819362114860444300964636299237789426281770032019669122923174960877353055988

My spreadsheet will find the private key and it will also be possible to create a formula that solves all the signatures we are trying to calculate.

For example:
p  = 115792089237316195423570985008687907852837564279074904382605163141518161494337
h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 75792077109774170129890375817094910949609540422199126584222852124036872408123

w = (h1*h2 -r1+r2/s1*s2) if the result was: 1819362114860444300964636299237789426281770032019669122923174960877353055988 or any of those others ... my spreadsheet finds the value x and it will also be possible to create a method that solves all types of signatures.

I'll use your equation ... it looks very efficient! If it works, you will enter the history of bitcoin. I think this thread will yield a lot of comments

I would like to remember

The denominator value in mod N with the numbers you gave is 0

It does change everything. You can't just ignore the multiplied value in here
The correct thing is:
(s₁k₁ - s₂k₁r₂^-1r₁) mod n = (s₂Mr₂^-1r₁ - h₂r₂^-1r₁ + h₁) mod n

Good catch. Fortunately this doesn't change the solution much, only r₂^-1r₁ has to be added at the right hand side of all the solutions and to simplify things further they aren't multiplied by k.


The good thing about this is that I only need two signatures, one is for a known k, the other from an unknown k which is related to the first k somehow. By changing the value of the other k (ie trying different formulas to calculate it), I can brute force the unknown k by using Taylor series to expand any complex terms in the equation for unknown k like exp(x) or log(x), and then take the resulting polynomial of k and find it's root.

I'll try to find a method for it today.


What are all those numbers you posted at the bottom,  one of the ECDSA variables?

I think you are mixing two different things here.
If k₂==k₁ then r₂==r₁
but
If k₂!=k₁ then r₂!=r₁ (the case where k₂=k₁ + M)
and you can't remove it.
Keep in mind that k is also a private key (the ephemeral key) with public key R and r is the x coordinate of it mod n. In other words k is used to calculate r.

@NotATether you did a great search! I liked your method.Do you need more signatures like these? Today I didn’t have much free time, but tomorrow I will have more time to try to find new methods.
Today I only had time to analyze the formulas that worked for the other thread ... I modified the formulas to try to calculate here ... I had some advances!

p  = 115792089237316195423570985008687907852837564279074904382605163141518161494337
h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 75792077109774170129890375817094910949609540422199126584222852124036872408123

Any method that results in one of these results ... will be a huge step forward to create some formula that calculates the private key of these types of signatures.

84116094074080348475330923628085381068004819051024688231235408808498228990658
115421525668746794300572425383651760936474682288376011738901581099735267291166
75779132765082272339365318603976127143129139578655065948953011818747694903968
32721048879590668468057403381344519604794634274281442143310950080100256809376
73945527799545926295868811396190775221755301413228649694146980038976859413881
83071040357725526955513581627343388248042930004793462239294213061417904684961
110900498335176639903790421791145116630753202651925129197353093911482849572115
100915994223500593859265530587355021827054480090260046643398682409155495014021
18772090316994453489815097488437362913349084079003363299774406415210330663724
47226580324836868909364298177641258714214836472397407238813848770680029086521
56529777543389028600359529180589793809150046410530956964827364144104464543696
68565508912479326514206686831046649138622727806677497143791314370838132407816
95614300240862244467441604468469811057219298200932829791855660913288043519424
91853994770595467928679085106674415264953937877422163279062103074479382308082
70340029117077187103609015206390689046236439143934658628690673731161038123272
56288579777741994839950743658321865276315378685235290603150428105356141792460
114077498629986369252568485796816272967465715858922414102041658195335049229411
59503509459574200583620241350366042576522185593839613779454735036162019701877
3157016186039629198989683176712727066004916479529634997551227882338456118091
113972727122455751122606348709450118426555794247055235259681988180640808438349
78050106958269618215705840346149000019834478654902500371716973685533534066650
34169847425881711646023480055546162114713522315602218622530542999194715662193
73621331483084656777597982069714150546901789628714569435738760993298398924203
81622241811434483777547504953141745738124041963472685760074620142323445832144
70340029117077187103609015206390689046236439143934658628690673731161038123272
44718176830454434898540719422248360645570272508025487909509951706716265490856
95614300240862244467441604468469811057219298200932829791855660913288043519424
103424397717883027870089109342747919895699044054631965972702579473119258609686
21101819692638526149317216481479108956505606170114713781324009606425162496681
12367691519433167553481875665939987957138520224442938409902583668398902884651
112635073051276566224581301831975180786832647799545269385053935259179705376246
34169847425881711646023480055546162114713522315602218622530542999194715662193
37741982279046577207865144662538907833003085624172404010888189455984627427687
113972727122455751122606348709450118426555794247055235259681988180640808438349
42170757754231538645973002938973757305935774650360334946866402148219762570134
1819362114860444300964636299237789426281770032019669122923174960877353055988

Have you by any chance read this? https://eprint.iacr.org/2019/023.pdf

It describes methods which let us compute private keys if we have multiple signatures but using the same nonce. So maybe we can take the stuff there and apply it to the case we have a bunch of signatures with k and k+1 nonces. And by extension, k + constant M nonces.

First off it says if we know k then we can just get the private key with d_A = (sk - h)r^-1 mod n. But here we have two signature that use k and k+1. I suppose we can do some sort of attack with this by discovering the k of one signature and then "assuming" that for a large list of (r,s) signatures, that some of them have k+1, k+2, ... or k+M nonces.

It also gives the case of two signatures having the same nonce, where you can recover the private key by doing d_A = (h₁ - h₂)(s₁ - s₂)^-1 mod -n.

Now we have s₁ = k₁^-1(h₁ + d_Ar₁) mod n and s₂ = k₂^-1(h₂ + d_Ar₂) mod n.

That means d_A = (s₁k₁ - h₁)r₁^-1 mod n = (s₂k₂ - h₂)r₂^-1 mod n. We have r₁ = r₂ because k is not used to calculate it. This simplifies things further to (s₁k₁ - h₁) mod n = (s₂(k₁ + M) - h₂) mod n

(s₁k₁ - h₁) mod n = (s₂k₁ + s₂M - h₂) mod n.

Let's take this last equation and use algebra to move k₁ to the left.

(s₁k₁ - s₂k₁) mod n = (s₂M - h₂ + h₁) mod n

k₁(s₁ - s₂) mod n = (s₂M - h₂ + h₁) mod n

k₁ = (s₂M + h₁ - h₂)(s₁ - s₂)^-1  mod n (I just reordered h1 in front of h2 which doesn't change the equation)

Where M =1 if you are using k,k+1 and M=2 if you have k,k+2, etc. and it works for M=0 and negative M as well (which you'd use for k,k-1, k,k-2, and so on.

---

EDIT: If we plug Nk + M instead of just k + M, following the proof derivation above (which I can repost for this particular case if you want) gives us k₁ = (s₂M + h₁ - h₂)(s₁ - s₂N)^-1  mod n. I'm sure there's a formula for k₂ being an arbitrary polynomial of k₁, I'm still trying to find one for that.

EDIT2: for k,k²+M we have k₁(s₁ - s₂) + s₂k₁² mod n = (s₂M - h₂ + h₁) mod n. So at this point it seems that you have to calculate terms of a series find the root of this polynomial if you want an solve for arbitrary k2 = a + bk1 + ck1^2 + ...

@BurtW I would like to thank you for trying to help me!I value and try to learn from all the comments from the bitcoin community.
Answering your question ... is k and k + 1.The private key is the same for all signatures.

sig = 1

h = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s = 14810718830809274529170993651437030466460552688297005873719201854608653306524
k = 87244814473377946459021394573120624638544621973526661110335002719552586402926
x = 74071287274168731384314914382498140270634658281328726941106265589917762050271

sig = 2

h = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s = 75792077109774170129890375817094910949609540422199126584222852124036872408123
k = 87244814473377946459021394573120624638544621973526661110335002719552586402927
x = 74071287274168731384314914382498140270634658281328726941106265589917762050271

The purpose of this thread is to find some method that calculates this type of signatures...to find k or x.

The point of my last reply is that I assume there is no 'message' in these cases,  instead of some material hashed the values were just chosen in order to result in the singularity.

This is the data that works:


This is the data that does not work:


p, h1, r1, s1 and r2 are identical in both data sets.  This means you used the same private/public key pair and the same starting value for k in both cases.

However the values of h2 and s2 are different between the two cases.

What exactly did you change between the working and the not working case?  Just the message?  For sure you started with the same k value.

Since both cases use k for the first value and you are claiming that the second k value in both cases is k + 1 then it looks like maybe all you did was change the message?

@NotATether Exactly! You understand me perfectly! I think this has not yet been explored or little known ... It would be a different method. I'm doing a lot of research and calculations ... every week I'm discovering interesting things

I was going to say something similar. Have you thought of making a table of k,k+1 pairs that have no solution so we can see if there is some pattern among them? Maybe they have some property we don't know yet that makes this formula invalid.

In the other thread... many formulas work, but in this one I believe that none work.
Maybe using Bleichenbacher’s or similar I can solve this 2 signatures of this thread
I think you need approximately 500 signatures to discover the private key

This is more difficult
https://bitcointalksearch.org/topic/m.56365768

I think some users didn't understand me ... Maybe it's because my English is not good and they also need to pay more attention.
English is not my language, I will try to be more objective!

1- I know the other thread! I am the author of another thread similar to this one! I managed almost everything "manually" including public keys and signatures!


2- In the other thread I was wondering if 2 signatures with the same private key and with k and k +1 was vulnerable. They said yes! So I asked them to teach me how it was calculated to discover the private key


3- On the other thread ...a second signature is different from this thread here. Although in the 2 thread 2 signatures use the same private key and were also generated with k and k +1. in the thread another... the equations, algebras and formulas worked!

p  = 115792089237316195423570985008687907852837564279074904382605163141518161494337
h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 711922952377524543467576566144169816136170490747613227449590530659320692002
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 56412229366601912356674994073152925730313351483910294670205660420888695151902

This formulas works:

d_U = (1 - s₂^-1e₂ + s₁^-1e₁) * (s₂^-1r₂ - s₁^-1r₁)^-1 (mod n)

d = 74071287274168731384314914382498140270634658281328726941106265589917762050271

p  = 115792089237316195423570985008687907852837564279074904382605163141518161494337
h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 711922952377524543467576566144169816136170490747613227449590530659320692002
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 56412229366601912356674994073152925730313351483910294670205660420888695151902

Replaces s1 with its modular multiplicative inverse and s2 with its modular multiplicative inverse

x = (1+s1*h1-s2*h2)/(s2*r2-s1*r1)

x = 74071287274168731384314914382498140270634658281328726941106265589917762050271


Many others work ... but the 2 signatures of this thread although it also uses the same private key and with the nonce k to k + 1...no equation or formula or algebra or magic works!

p  = 115792089237316195423570985008687907852837564279074904382605163141518161494337
h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 75792077109774170129890375817094910949609540422199126584222852124036872408123

d_U = (1 - s₂^-1e₂ + s₁^-1e₁) * (s₂^-1r₂ - s₁^-1r₁)^-1 (mod n)

d = 0

Does not work!

p  = 115792089237316195423570985008687907852837564279074904382605163141518161494337
h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 75792077109774170129890375817094910949609540422199126584222852124036872408123

Replaces s1 with its modular multiplicative inverse and s2 with its modular multiplicative inverse

x = (1+s1*h1-s2*h2)/(s2*r2-s1*r1)

x = 0

Does not work!


4- My final conclusion ... Not all signatures are vulnerable when the same private key is used and with the nonces k and k + 1 and also the 2 signatures of the first post are not vulnerable because there is no equation formula or algebra or magic to solve!


5- Thanks to everyone! I'm learning a lot from the bitcoin community!

@gmaxwell In my point of view ... If you have h (m), r and s being a valid signature, it is a real signature yes ... but it depends only on your

@Coding Enthusiast Exactly! I believe that nobody knows any formula or equation or algebra or magic that solves this

@MixMAx123 When I said to calculate the 2 signatures ... I was referring to the calculation to find k or x

By revealing k, you have already made its private key vulnerable to calculate. (And I already showed you how in the thread Coding Enthusiast linked.)

That's the reason why ECDSA specifically requires that a cryptographically secure nonce k has to be chosen and not something trivial such as k+1 or k mod [some prime] or even some pseudorandom generator that derives two successive k without resetting the seed. If you use anything other than a true RNG to get k then it will always be computationally feasible to find some formula that takes two successively generated k values and the algorithm that generates the next k, that runs in polynomial time.

By definition, if you can reverse a cryptographic algorithm in polynomial time then that itself is a vulnerability.

EDIT: and to answer the question in your other thread (you didn't have to make another one), no you cannot, because the only equation in ECDSA that uses the private key, s = k^-1(z + rd_A), has an unknown k, and you can't derive the private key from a signature without it which is exactly why you're supposed to securely generate your nonce.