Topic: Nonce k and k +1 (ECDSA SIGNATURE) - page 3. (Read 2365 times)

The problem is that with these specific values given in OP it is not possible to compute this particular case.
Whether you use my equation in that other topic to directly compute the private key (d_u) or first compute k with your equation here then compute private key from there, you'll get 0 which you can't compute its modular multiplicative inverse (ax ≡ 1 (mod m) where a=0 doesn't have an answer).
To be specific:
s₂^-1r₂ - s₁^-1r₁ = 0
Also
r's - rs' = 0

Did you do all the operations mod n where n is the bit length of the group order?

I really think this should work, unless I made a mistake in my math.  Did you double check all my algebra?

I believe I wasted my time since there is a perfectly good solution/proof that shows how easy it is to get the private key if you know the relationship between the two k values in your other thread here:

https://bitcointalksearch.org/topic/--5316741

Sure it's possible! The result of the calculation of signatures is only: "true" or "false".
The calculation bases for signatures are well known. It is the main task of checking the signature of every Bitcoin node, which is done 100 times per second. Your shown signatures can also be checked in this way.
The formula for this has been shown to you several times by many users and me, as well as it has been calculated here for you.
I cannot follow you and understand which questions are still unanswered for you.

Does not work for this 2 signatures

The private key of these signatures is already known ... but no equation, formula or algebra is known to calculate these 2 signatures

My knowledge is limited, but I think 2 signatures with different h (m) r and s ... are not the same signature

Please check my work but I think that if you know k is being incremented then you can simply calculate the private key.

All of the variables and terminology in this post are from https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

Given two different messages with two different signatures we have:

First message and signature (m, r, s)
Second message and signature (m', r', s')

From each message we can derive the z value (hash of the message) so:

First message and signature (m, r, s, z)
Second message and signature (m', r', s', z')

Therefore:  ks = z + rd_A and k's' = z' + r'd_A

Therefore:  (sk - z)/r = (s'k' - z')/r'

But in this case k' = k + 1 so:

(sk - z)/r = (s'(k + 1) - z')/r'

So all you have to do is solve for k.  All the other values:  s, z, r, s', z', and r' are all known.

(sk - z)/r = (s'(k + 1) - z')/r'

rr'[(sk - z)/r] = rr'[(s'(k + 1) - z')/r']

r'(sk - z) = r(s'(k + 1) - z')

r'sk - r'z = rs'(k + 1) - rz'

r'sk - r'z = rs'k + rs' - rz'

r'sk - rs'k = r'z + rs' - rz'

k(r's - rs') = r'z + rs' - rz'

k = (r'z + rs' - rz') / (r's - rs') all mod operations, of course.

Once you know k you can simply calculate the private key, d_A


Also note that any scheme where k' = k + n is vulnerable, n does not have to be just one.

If k is not random, like here, the private key is exposed. It can be easily calculated here!
And I've already calculated this on a similar thread.
There is no need for a formula to make these transactions vulnerable, because the gate is already open here!

r1/s1 mod order = r2/s2 mod order

it's same signature, no diffrent signature

I was informed that the same private key using k and k + 1 respectively in two different signatures was vulnerable ... I think that not all signatures generated in this way are vulnerable!
These two signatures were generated by the same private key and with nonces k and k + 1 respectively! Is there a formula or equation to make them vulnerable?

sig = 1
3045022100dcf17de661e280dbf62e03ef1655d1baaabc301da9fc6b29a63e52e7780c115d02202 0be91ddd5598e22fa43014172df5312275fbdb462a2e9855c7a7433138a4a9c01

Public key: 02c811f01a6182c8f6641fa692a997eebe4ea4241ead22bb3b98ae43e9d32fd32b

h(m): bb1e00d2027efd3085b83de2a3602a8ea49e0c9d5b821cd6291d5feefd410303

-------------------------------------------------------------------------------------------------------------------------------
sig = 2
3045022100fe53a1f944263756330a54b2c5a1c5e8afb001e0074f067dd3e408349d2a9d6802210 0a790cba1e3b60e8a75de69efd7e7af1bf0e2543137da79aed2d6409616120c3b01

Public key: 02c811f01a6182c8f6641fa692a997eebe4ea4241ead22bb3b98ae43e9d32fd32b

h(m): 3be295398c9e7048e32c7a30d413f82d7f8b3029ab37d110181744fe0acab452

--------------------------------------------------------------------------------------------------------------------------------

h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 75792077109774170129890375817094910949609540422199126584222852124036872408123