Reused R values | Bitcointalksearch.org

whanau

member

Activity: 119

Merit: 36

Quote from: NotATether on March 23, 2021, 11:41:13 PM

It is quite definitely possible to retrieve the private key because reusig R implies you reused the secret nonce K, and reusing S just makes the calculation easier.

By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:

H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.

I am no mathematician, but I cannot see from the above how k can be calculated with the same values for s. s1 and s2 are even being used in the example.
Nor can I get k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n to produce the correct output even with different s values. Perhaps I am not forming the code correctly?

this python code works but you need 2 different values for s.
k = modinv(s, N) * (z1 + r * (z1*s2 - z2*s1) * modinv((r*(s1-s2)), N)) % N .

What am I missing? Is it possible to calculate k correctly with identical s values? Thanks

whanau

member

Activity: 119

Merit: 36

Thank you for taking the trouble to reply.

I am using k = (s2 - z2 + s1*z1)*s1 - modinv(r, N) % N for the python code (after many other variations) but I still cannot get it to work.
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
z = h in the earlier posts

This is the transaction I am trying to prove it against :- F2B7EB7089C895B9B16CB4DDDF9F8307F1065FC670C7726B5BE708FF6AA6E1F1
which includes 2 identical r,s , 00819a0eb55d9cc.....(empty, abandoned address!)
any help would be appreciated

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: whanau on March 17, 2023, 10:12:32 PM

All my attempts come out with a k value much more than 256 bits.

That's probably because you forgot to compute the remainder, that is the modulo operation at the end using the secp256k1 curve order N.

whanau

member

Activity: 119

Merit: 36

Quote from: NotATether on March 23, 2021, 11:41:13 PM

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.

Would some kind soul please show me how k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n would be coded in Python? All my attempts come out with a k value much more than 256 bits.
Thank you

isarac3

newbie

Activity: 8

Merit: 0

Quote from: NotATether on March 23, 2021, 11:41:13 PM

It is quite definitely possible to retrieve the private key because reusig R implies you reused the secret nonce K, and reusing S just makes the calculation easier.

By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:

H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.

Now that we have k, which is required to get the private key, we can change variables of the ECDSA equation s = k^-1(h₁ + r₁ d_A) to dA the private key (we don't have to use (h1,r1,s1); you can also use (h2,r2,s2) if you want).

dA the private key = (s1*k-h1)r1^-1 OR (s2*k-h2)r2^-1.

How do you get the message hash? And is it possible to calculate using sagemath? >>> https://sagecell.sagemath.org/

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

It is quite definitely possible to retrieve the private key because reusig R implies you reused the secret nonce K, and reusing S just makes the calculation easier.

By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:

H here represents the message hash.

the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n

= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1

Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.

Now that we have k, which is required to get the private key, we can change variables of the ECDSA equation s = k^-1(h₁ + r₁ d_A) to dA the private key (we don't have to use (h1,r1,s1); you can also use (h2,r2,s2) if you want).

dA the private key = (s1*k-h1)r1^-1 OR (s2*k-h2)r2^-1.

CrunchyF

jr. member

Activity: 56

Merit: 26

Quote from: isarac3 on March 23, 2021, 03:05:15 PM

I have seen an address where two transactions share similar r values and similar s values. I have once calculated a private key for a bitcoin address with two similar r values and a different s values. But this one has similar r values and similar s values.

In this case where R1=R2 and S1=S2 It's impossible to recover the private key. And it probably come from an invalid TX because in the bitcoin protocol signature you might not have two S identical

But there is different case where you can recover private key from bad use of R.

if you find for the same address two TXS with the same R and different S the private key can be easily recover with a simple formula. Before that you have to recover the Z parameter (hash of the previous tx output). If you have the private key you can easily find the nonce (k) that generate the R (supposed to be random).

After if you find an second address using the same R than above (even in only one TX). you will be able to recover the second privkey.

this case of R reusing is only possible if a issue was made on the creation of the TX
for example:
bad number random generator.
bad implementation of a TX by a developper who coded tx 'by hand'.

But as you know, knowing a private key doesn't mean than the bitcoin are yours (in a ethical way).

isarac3

newbie

Activity: 8

Merit: 0

I have seen an address where two transactions share similar r values and similar s values. I have once calculated a private key for a bitcoin address with two similar r values and a different s values. But this one has similar r values and similar s values.

DannyHamilton

legendary

Activity: 3472

Merit: 4801

Quote from: Charles-Tim on March 23, 2021, 02:07:12 PM

Also, private key can not be calculated from addresses, or from anything related to transaction, it is not even possible to calculate private key from public key, also not possible to brute force private key from public key with the latest technology advancement.

You are mistaken.

If the user is using faulty software which re-uses the same R value for more than one signature, then IT IS EASY to calculate the private key.

For example, see this thread:
https://bitcointalksearch.org/topic/reused-r-values-again-581411

Charles-Tim

legendary

Activity: 1512

Merit: 4795

Leading Crypto Sports Betting & Casino Platform

The r and S-values including a signature hash are contained in ECDSA signatures used in signing bitcoin transactions. The reason why addresses should not be reused has nothing to do with ECDSA signatures, people are advised not to reuse addresses because of privacy, all transaction made by a single address can be tracked on blockchain, while this can be difficult or impossible if same address is not reused.

Also, private key can not be calculated from addresses, or from anything related to transaction, it is not even possible to calculate private key from public key, also not possible to brute force private key from public key with the recentnt technology advancement.

isarac3

newbie

Activity: 8

Merit: 0

Is it possible to calculate a private to an address when the address has reused both R values and S values?

Topic: Reused R values (Read 706 times)