Bitcoin Forum>Bitcoin>Development & Technical Discussion
Pages:
Author

Topic: Nonce k and k +1 (ECDSA SIGNATURE) - page 3. (Read 1857 times)

bytcoin
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
Re: Nonce k and k +1 (ECDSA SIGNATURE)
February 16, 2021, 06:38:24 PM
#6
Quote from: MixMAx123 on February 16, 2021, 06:09:43 PM
If k is not random, like here, the private key is exposed. It can be easily calculated here!
And I've already calculated this on a similar thread.
There is no need for a formula to make these transactions vulnerable, because the gate is already open here!
The private key of these signatures is already known ... but no equation, formula or algebra is known to calculate these 2 signatures
bytcoin
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
Re: Nonce k and k +1 (ECDSA SIGNATURE)
February 16, 2021, 06:36:39 PM
#5
Quote from: mamuu on February 16, 2021, 04:38:35 PM
r1/s1 mod order = r2/s2 mod order

it's same signature, no diffrent signature


Code:
k1 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675914
k2 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675915

sage: r1/s1%N
109263722787838616791900575947640359553086907200677310074463510255775504782173

sage: r2/s2%N
109263722787838616791900575947640359553086907200677310074463510255775504782173


My knowledge is limited, but I think 2 signatures with different h (m) r and s ... are not the same signature
BurtW
legendary
Activity: 2646
Merit: 1131
All paid signature campaigns should be banned.
Re: Nonce k and k +1 (ECDSA SIGNATURE)
February 16, 2021, 06:11:05 PM
#4
Please check my work but I think that if you know k is being incremented then you can simply calculate the private key.

All of the variables and terminology in this post are from https://en.wikipedia.org/wiki/Elliptic_Curve_Digital_Signature_Algorithm

Given two different messages with two different signatures we have:

First message and signature (m, r, s)
Second message and signature (m', r', s')

From each message we can derive the z value (hash of the message) so:

First message and signature (m, r, s, z)
Second message and signature (m', r', s', z')

Therefore:  ks = z + rdA and k's' = z' + r'dA

Therefore:  (sk - z)/r = (s'k' - z')/r'

But in this case k' = k + 1 so:

(sk - z)/r = (s'(k + 1) - z')/r'

So all you have to do is solve for k.  All the other values:  s, z, r, s', z', and r' are all known.

(sk - z)/r = (s'(k + 1) - z')/r'

rr'[(sk - z)/r] = rr'[(s'(k + 1) - z')/r']

r'(sk - z) = r(s'(k + 1) - z')

r'sk - r'z = rs'(k + 1) - rz'

r'sk - r'z = rs'k + rs' - rz'

r'sk - rs'k = r'z + rs' - rz'

k(r's - rs') = r'z + rs' - rz'

k = (r'z + rs' - rz') / (r's - rs') all mod operations, of course.

Once you know k you can simply calculate the private key, dA


Also note that any scheme where k' = k + n is vulnerable, n does not have to be just one.
MixMAx123
full member
Activity: 161
Merit: 168
Re: Nonce k and k +1 (ECDSA SIGNATURE)
February 16, 2021, 06:09:43 PM
#3
If k is not random, like here, the private key is exposed. It can be easily calculated here!
And I've already calculated this on a similar thread.
There is no need for a formula to make these transactions vulnerable, because the gate is already open here!
mamuu
member
Activity: 71
Merit: 19
Re: Nonce k and k +1 (ECDSA SIGNATURE)
February 16, 2021, 04:38:35 PM
#2
r1/s1 mod order = r2/s2 mod order

it's same signature, no diffrent signature


Code:
k1 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675914
k2 == 109263722787838616791900575947640359553086907200677310074463510255775504782173*x + 33373073398809441106621025265904429856170478887328914010434069704980389675915

sage: r1/s1%N
109263722787838616791900575947640359553086907200677310074463510255775504782173

sage: r2/s2%N
109263722787838616791900575947640359553086907200677310074463510255775504782173
bytcoin
member
Activity: 211
Merit: 20
$$$$$$$$$$$$$$$$$$$$$$$$$
Re: Nonce k and k +1 (ECDSA SIGNATURE)
February 16, 2021, 02:40:49 PM
#1
I was informed that the same private key using k and k + 1 respectively in two different signatures was vulnerable ... I think that not all signatures generated in this way are vulnerable!
These two signatures were generated by the same private key and with nonces k and k + 1 respectively! Is there a formula or equation to make them vulnerable?

sig = 1
3045022100dcf17de661e280dbf62e03ef1655d1baaabc301da9fc6b29a63e52e7780c115d02202 0be91ddd5598e22fa43014172df5312275fbdb462a2e9855c7a7433138a4a9c01

Public key: 02c811f01a6182c8f6641fa692a997eebe4ea4241ead22bb3b98ae43e9d32fd32b

h(m): bb1e00d2027efd3085b83de2a3602a8ea49e0c9d5b821cd6291d5feefd410303

-------------------------------------------------------------------------------------------------------------------------------
sig = 2
3045022100fe53a1f944263756330a54b2c5a1c5e8afb001e0074f067dd3e408349d2a9d6802210 0a790cba1e3b60e8a75de69efd7e7af1bf0e2543137da79aed2d6409616120c3b01

Public key: 02c811f01a6182c8f6641fa692a997eebe4ea4241ead22bb3b98ae43e9d32fd32b

h(m): 3be295398c9e7048e32c7a30d413f82d7f8b3029ab37d110181744fe0acab452

--------------------------------------------------------------------------------------------------------------------------------

h1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259
r1 = 99935505760319748698811422354322418311203851828465328908708024011195996180829
s1 = 14810718830809274529170993651437030466460552688297005873719201854608653306524
h2 = 27086795414784162292297506376302057554366609881154614249233399373002336547922
r2 = 115035229747891778996889965749694763606205313739267493174821202115705061416296
s2 = 75792077109774170129890375817094910949609540422199126584222852124036872408123
Pages:
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: