
Topic: Reused R values (Read 717 times)

member
Activity: 124
Merit: 37
March 21, 2023, 07:58:11 PM
#11
It is quite definitely possible to retrieve the private key because reusing R implies you reused the secret nonce K, and reusing S just makes the calculation easier.

By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:

H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.


I am no mathematician, but I cannot see from the above how k can be calculated with the same values for s. s1 and s2 are even being used in the example.
Nor can I get k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n to produce the correct output even with different s values. Perhaps I am not forming the code correctly?

this python code works but you need 2 different values for s.
k = modinv(s, N) * (z1 + r * (z1*s2 - z2*s1) * modinv((r*(s1-s2)), N)) % N .

What am I missing? Is it possible to calculate k correctly with identical s values? Thanks
member
Activity: 124
Merit: 37
March 18, 2023, 01:58:56 PM
#10
Thank you for taking the trouble to reply.

I am using k = (s2 - z2 + s1*z1)*s1 - modinv(r, N) % N for the python code (after many other variations) but I still cannot get it to work.
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
z = h in the earlier posts

This is the transaction I am trying to prove it against :- F2B7EB7089C895B9B16CB4DDDF9F8307F1065FC670C7726B5BE708FF6AA6E1F1
which includes 2 identical r,s , 00819a0eb55d9cc.....(empty, abandoned address!)
any help would be appreciated

legendary
Activity: 3472
Merit: 10611
March 17, 2023, 11:08:51 PM
#9
All my attempts come out with a k value much more than 256 bits.
That's probably because you forgot to compute the remainder, that is the modulo operation at the end using the secp256k1 curve order N.
member
Activity: 124
Merit: 37
March 17, 2023, 10:12:32 PM
#8

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.


Would some kind soul please show me how k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n would be coded in Python? All my attempts come out with a k value much more than 256 bits.
Thank you
newbie
Activity: 8
Merit: 0
March 24, 2021, 06:53:34 AM
#7
It is quite definitely possible to retrieve the private key because reusing R implies you reused the secret nonce K, and reusing S just makes the calculation easier.

By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:

H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.

Now that we have k, which is required to get the private key, we can change variables of the ECDSA equation s = k^-1(h1 + r1 dA) to dA the private key (we don't have to use (h1,r1,s1); you can also use (h2,r2,s2) if you want).

dA the private key = (s1*k-h1)r1^-1 OR (s2*k-h2)r2^-1.

How do you get the message hash? And is it possible to calculate using sagemath? >>> https://sagecell.sagemath.org/
legendary
Activity: 1568
Merit: 6660
March 23, 2021, 11:41:13 PM
#6
It is quite definitely possible to retrieve the private key because reusing R implies you reused the secret nonce K, and reusing S just makes the calculation easier.

By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:

H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.

Now that we have k, which is required to get the private key, we can change variables of the ECDSA equation s = k^-1(h1 + r1 dA) to dA the private key (we don't have to use (h1,r1,s1); you can also use (h2,r2,s2) if you want).

dA the private key = (s1*k-h1)r1^-1 OR (s2*k-h2)r2^-1.
jr. member
Activity: 56
Merit: 26
March 23, 2021, 04:22:34 PM
#5
I have seen an address where two transactions share similar r values and similar s values. I have once calculated a private key for a bitcoin address with two similar r values and different s values. But this one has similar r values and similar s values.

In this case, where R1=R2 and S1=S2, it's impossible to recover the private key. And it probably comes from an invalid TX, because in the bitcoin protocol signature you might not have two identical S.

But there is a different case where you can recover the private key from bad use of R.

If you find two TXs for the same address with the same R and different S, the private key can be easily recovered with a simple formula. Before that you have to recover the Z parameter (hash of the previous tx output). If you have the private key you can easily find the nonce (k) that generates the R (supposed to be random).


Afterwards, if you find a second address using the same R as above (even in only one TX), you will be able to recover the second privkey.

This case of R reuse is only possible if an issue was made in the creation of the TX,
for example:
a bad random number generator.
a bad implementation of a TX by a developer who coded the tx 'by hand'.


But as you know, knowing a private key doesn't mean that the bitcoin are yours (in an ethical way).

 
newbie
Activity: 8
Merit: 0
March 23, 2021, 03:05:15 PM
#4
I have seen an address where two transactions share similar r values and similar s values. I have once calculated a private key for a bitcoin address with two similar r values and different s values. But this one has similar r values and similar s values.
legendary
Activity: 3514
Merit: 4895
March 23, 2021, 02:36:50 PM
#3
Also, private key can not be calculated from addresses, or from anything related to transaction, it is not even possible to calculate private key from public key, also not possible to brute force private key from public key with the latest technology advancement.

You are mistaken.

If the user is using faulty software which re-uses the same R value for more than one signature, then IT IS EASY to calculate the private key.

For example, see this thread:
https://bitcointalksearch.org/topic/reused-r-values-again-581411
legendary
Activity: 1512
Merit: 4795
March 23, 2021, 02:07:12 PM
#2
The r and S-values including a signature hash are contained in ECDSA signatures used in signing bitcoin transactions. The reason why addresses should not be reused has nothing to do with ECDSA signatures, people are advised not to reuse addresses because of privacy, all transaction made by a single address can be tracked on blockchain, while this can be difficult or impossible if same address is not reused.

Also, private key can not be calculated from addresses, or from anything related to transaction, it is not even possible to calculate private key from public key, also not possible to brute force private key from public key with the recent technology advancement.
newbie
Activity: 8
Merit: 0
March 23, 2021, 01:24:23 PM
#1
Is it possible to calculate a private key to an address when the address has reused both R values and S values?