Pages:
Author

Topic: Nonce k and k +1 (ECDSA SIGNATURE) - page 3. (Read 2250 times)

staff
Activity: 4242
Merit: 8672
February 17, 2021, 02:02:52 AM
#11
It's not really an ecdsa signature if you're just handed a hash. Tongue  Performing the hashing is integral to the process and without it you can generate all sorts of degenerate examples. ... including 'forged' 'signatures' for pubkeys where no one knows the private key.
legendary
Activity: 1040
Merit: 2785
Bitcoin and C♯ Enthusiast
February 17, 2021, 12:43:30 AM
#10
I really think this should work, unless I made a mistake in my math.  Did you double check all my algebra?
The problem is that with these specific values given in OP it is not possible to compute this particular case.
Whether you use my equation in that other topic to directly compute the private key (du) or first compute k with your equation here then compute private key from there, you'll get 0 which you can't compute its modular multiplicative inverse (ax ≡ 1 (mod m) where a=0 doesn't have an answer).
To be specific:
s2-1r2 - s1-1r1 = 0
Also
r's - rs' = 0
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
February 16, 2021, 06:44:16 PM
#9
Please check my work but I think that if you know k is being incremented then you can simply calculate the private key.

All of the variables and terminology in this post are from https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

Given two different messages with two different signatures we have:

First message and signature (m, r, s)
Second message and signature (m', r', s')

From each message we can derive the z value (hash of the message) so:

First message and signature (m, r, s, z)
Second message and signature (m', r', s', z')

Therefore:  ks = z + rdA and k's' = z' + r'dA

Therefore:  (sk - z)/r = (s'k' - z')/r'

But in this case k' = k + 1 so:

(sk - z)/r = (s'(k + 1) - z')/r'

So all you have to do is solve for k.  All the other values:  s, z, r, s', z', and r' are all known.

(sk - z)/r = (s'(k + 1) - z')/r'

rr'[(sk - z)/r] = rr'[(s'(k + 1) - z')/r']

r'(sk - z) = r(s'(k + 1) - z')

r'sk - r'z = rs'(k + 1) - rz'

r'sk - r'z = rs'k + rs' - rz'

r'sk - rs'k = r'z + rs' - rz'

k(r's - rs') = r'z + rs' - rz'

k = (r'z + rs' - rz') / (r's - rs') all mod operations, of course.

Once you know k you can simply calculate the private key, dA


Also note that any scheme where k' = k + n is vulnerable, n does not have to be just one.
Does not work for this 2 signatures

Did you do all the operations mod n where n is the bit length of the group order?

I really think this should work, unless I made a mistake in my math.  Did you double check all my algebra?

I believe I wasted my time since there is a perfectly good solution/proof that shows how easy it is to get the private key if you know the relationship between the two k values in your other thread here:

https://bitcointalksearch.org/topic/--5316741
full member
Activity: 161
Merit: 168
February 16, 2021, 06:37:28 PM
#8
If k is not random, like here, the private key is exposed. It can be easily calculated here!
And I've already calculated this on a similar thread.
There is no need for a formula to make these transactions vulnerable, because the gate is already open here!
The private key of these signatures is already known ... but no equation, formula or algebra is known to calculate these 2 signatures

Sure it's possible! The result of the calculation of signatures is only: "true" or "false".
The calculation bases for signatures are well known. It is the main task of checking the signature of every Bitcoin node, which is done 100 times per second. Your shown signatures can also be checked in this way.
The formula for this has been shown to you several times by many users and me, as well as it has been calculated here for you.
I cannot follow you and understand which questions are still unanswered for you.
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 16, 2021, 05:39:23 PM
#7
Please check my work but I think that if you know k is being incremented then you can simply calculate the private key.

All of the variables and terminology in this post are from https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

Given two different messages with two different signatures we have:

First message and signature (m, r, s)
Second message and signature (m', r', s')

From each message we can derive the z value (hash of the message) so:

First message and signature (m, r, s, z)
Second message and signature (m', r', s', z')

Therefore:  ks = z + rdA and k's' = z' + r'dA

Therefore:  (sk - z)/r = (s'k' - z')/r'

But in this case k' = k + 1 so:

(sk - z)/r = (s'(k + 1) - z')/r'

So all you have to do is solve for k.  All the other values:  s, z, r, s', z', and r' are all known.

(sk - z)/r = (s'(k + 1) - z')/r'

rr'[(sk - z)/r] = rr'[(s'(k + 1) - z')/r']

r'(sk - z) = r(s'(k + 1) - z')

r'sk - r'z = rs'(k + 1) - rz'

r'sk - r'z = rs'k + rs' - rz'

r'sk - rs'k = r'z + rs' - rz'

k(r's - rs') = r'z + rs' - rz'

k = (r'z + rs' - rz') / (r's - rs') all mod operations, of course.

Once you know k you can simply calculate the private key, dA


Also note that any scheme where k' = k + n is vulnerable, n does not have to be just one.
Does not work for this 2 signatures
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 16, 2021, 05:38:24 PM
#6
If k is not random, like here, the private key is exposed. It can be easily calculated here!
And I've already calculated this on a similar thread.
There is no need for a formula to make these transactions vulnerable, because the gate is already open here!
The private key of these signatures is already known ... but no equation, formula or algebra is known to calculate these 2 signatures
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 16, 2021, 05:36:39 PM
#5
r1/s1 mod order = r2/s2 mod order

it's same signature, no diffrent signature


Code:
k1 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675914
k2 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675915

sage: r1/s1%N
109263722787838616791900575947640359553086907200677310074463510255775504782173

sage: r2/s2%N
109263722787838616791900575947640359553086907200677310074463510255775504782173


My knowledge is limited, but I think 2 signatures with different h (m) r and s ... are not the same signature
legendary
Activity: 2646
Merit: 1137
All paid signature campaigns should be banned.
February 16, 2021, 05:11:05 PM
#4
Please check my work but I think that if you know k is being incremented then you can simply calculate the private key.

All of the variables and terminology in this post are from https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

Given two different messages with two different signatures we have:

First message and signature (m, r, s)
Second message and signature (m', r', s')

From each message we can derive the z value (hash of the message) so:

First message and signature (m, r, s, z)
Second message and signature (m', r', s', z')

Therefore:  ks = z + rdA and k's' = z' + r'dA

Therefore:  (sk - z)/r = (s'k' - z')/r'

But in this case k' = k + 1 so:

(sk - z)/r = (s'(k + 1) - z')/r'

So all you have to do is solve for k.  All the other values:  s, z, r, s', z', and r' are all known.

(sk - z)/r = (s'(k + 1) - z')/r'

rr'[(sk - z)/r] = rr'[(s'(k + 1) - z')/r']

r'(sk - z) = r(s'(k + 1) - z')

r'sk - r'z = rs'(k + 1) - rz'

r'sk - r'z = rs'k + rs' - rz'

r'sk - rs'k = r'z + rs' - rz'

k(r's - rs') = r'z + rs' - rz'

k = (r'z + rs' - rz') / (r's - rs') all mod operations, of course.

Once you know k you can simply calculate the private key, dA


Also note that any scheme where k' = k + n is vulnerable, n does not have to be just one.
full member
Activity: 161
Merit: 168
February 16, 2021, 05:09:43 PM
#3
If k is not random, like here, the private key is exposed. It can be easily calculated here!
And I've already calculated this on a similar thread.
There is no need for a formula to make these transactions vulnerable, because the gate is already open here!
member
Activity: 73
Merit: 19
February 16, 2021, 03:38:35 PM
#2
r1/s1 mod order = r2/s2 mod order

it's same signature, no diffrent signature


Code:
k1 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675914
k2 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675915

sage: r1/s1%N
109263722787838616791900575947640359553086907200677310074463510255775504782173

sage: r2/s2%N
109263722787838616791900575947640359553086907200677310074463510255775504782173
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
February 16, 2021, 01:40:49 PM
#1
I was informed that the same private key using k and k + 1 respectively in two different signatures was vulnerable ... I think that not all signatures generated in this way are vulnerable!
These two signatures were generated by the same private key and with nonces k and k + 1 respectively! Is there a formula or equation to make them vulnerable?

sig = 1
3045022100dcf17de661e280dbf62e03ef1655d1baaabc301da9fc6b29a63e52e7780c115d02202 0be91ddd5598e22fa43014172df5312275fbdb462a2e9855c7a7433138a4a9c01

Public key: 02c811f01a6182c8f6641fa692a997eebe4ea4241ead22bb3b98ae43e9d32fd32b

h(m): bb1e00d2027efd3085b83de2a3602a8ea49e0c9d5b821cd6291d5feefd410303

-------------------------------------------------------------------------------------------------------------------------------
sig = 2
3045022100fe53a1f944263756330a54b2c5a1c5e8afb001e0074f067dd3e408349d2a9d6802210 0a790cba1e3b60e8a75de69efd7e7af1bf0e2543137da79aed2d6409616120c3b01

Public key: 02c811f01a6182c8f6641fa692a997eebe4ea4241ead22bb3b98ae43e9d32fd32b

h(m): 3be295398c9e7048e32c7a30d413f82d7f8b3029ab37d110181744fe0acab452

--------------------------------------------------------------------------------------------------------------------------------

h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 75792077109774170129890375817094910949609540422199126584222852124036872408123
Pages:
Jump to: