Yes, there are several ways.
1. When the same K is used 2 times, either in the same or in a different transaction, it's trivial to calculate the PVK. It's already extensively exploited.
2. When K values are close by, so that the difference can be brute-forced quickly, then the PVK can also be calculated.
3. When you somehow know the mathematical relationship between 2 K, like K2 = K1/2 or K2 = K1 + 1637737337373738373729826362936, whatever, then the PVK can also be calculated.
4. When you have several Tx and there may be a few bits in common, either LSB or MSB, then it's also possible to calculate the PVK through lattice reduction. (Check the minimum required Tx for bit leakage.)
5. If the number of Tx is not sufficient for lattice reduction but there is info about sufficient bit leakage, we could use the same Kangaroo solver approach on the R value of a Tx to get K.
6. We could mathematically generate Tx for known leakage in private keys and then try to brute-force. For example, Puzzle 130 is known to have a 126-bit leakage in the PVK. So several Tx derived from it can be considered for brute force.
7. There could be more which I am not aware of yet.
The main point is, there is no 100% sure-shot method which will work on generic Tx. All the different approaches need either some vulnerability, or prior info, or some brute force.
Hi iceland2k14,
I find those points very, very important, but I have a question regarding point 3.
I was trying your scripts from https://github.com/iceland2k14/rsz and trying to understand the math (in the README), but that's not easy.
My question: in point 3 you assume (just luck) some combinations between k1 & k2 (which may or may not exist) and try to solve ... so which combinations are you using in the rsz_rdiff_scan.py script?
Before, I only knew about point 1 (I think that's when r1=r2), correct?
Regards,
Baboshka
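
The algebra behind points 1 and 3 of the list above, as an added example that is not part of either post and is not code from the rsz repository. Two signatures from one key whose nonces satisfy k2 = k1 + delta give two equations that are linear in the private key; delta = 0 is point 1 and shows up as a repeated r. The key, nonce and message hashes are constructed, and all function names are illustrative.

```python
P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order, G the generator
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def ec_add(a, b):
    """Add two affine points; None stands for the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def ec_mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time, demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = ec_add(acc, pt)
        pt, k = ec_add(pt, pt), k >> 1
    return acc

def sign(d, z, k):
    """Textbook ECDSA with a caller-chosen nonce k; returns (r, s, z)."""
    r = ec_mul(k)[0] % N
    return (r, pow(k, -1, N) * (z + r * d) % N, z)

def key_from_related_nonces(sig1, sig2, delta=0):
    """Solve s1*k1 = z1 + r1*d and s2*(k1 + delta) = z2 + r2*d for d mod N."""
    (r1, s1, z1), (r2, s2, z2) = sig1, sig2
    den = (s1 * r2 - s2 * r1) % N
    if den == 0:
        return None  # dependent equations, e.g. the same signature twice
    return (s2 * z1 - s1 * z2 + delta * s1 * s2) * pow(den, -1, N) % N

def reused_r(sigs):
    """Audit check: the r values that appear in more than one signature."""
    rs = [r for r, _, _ in sigs]
    return {r for r in set(rs) if rs.count(r) > 1}

# Constructed values, not from any real wallet; DELTA is the offset quoted in point 3.
D, K1, DELTA = 0xC0FFEE1234567890ABCDEF, 0x1F2E3D4C5B6A7988, 1637737337373738373729826362936
SIGS = [sign(D, 111, K1), sign(D, 222, K1), sign(D, 333, K1 + DELTA)]
```

Running `reused_r` over a signer's own published signatures is the cheap audit for point 1; a signer that derives k deterministically per RFC 6979 avoids both the repeated and the related nonce case.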