Bitcoin Forum>Bitcoin>Development & Technical Discussion
Author

Topic: same-r-value-is-used-for-two-different-addresses (Read 482 times)

whanau
member
Activity: 119
Merit: 36
same-r-value-is-used-for-two-different-addresses
February 15, 2023, 04:26:39 PM
#18
Quote from: abadon666999 on October 31, 2022, 05:42:51 AM
i have checked this old post
https://bitcoin.stackexchange.com/questions/37673/same-r-value-is-used-for-two-different-addresses-finding-z1-and-z2-value-and-pr
and have recovered privatekey 1 and privatekey 2

Please could you explain how you recovered these keys. Like the OP in the link above, I get the same wrong answer.

I don't understand where all the extra inputs come from in the diagram (I am no mathematician!).
I can see the first 3 items in the diagram relate to the public keys and R values in the OP but where do the rest come from?
Thank you
Minase
member
Activity: 72
Merit: 43
Re: same-r-value-is-used-for-two-different-addresses
December 13, 2022, 08:32:00 AM
#17
interesting topic
i have tried the following formula k = (z1 + r1*x1)/s1 but something is quite wrong with my calculations
everything is ok with (Z + R*X) but when i do the division with S the result is a very small number.
should i do another operation? mod inv? thanks
//edit
nvm found my error  Grin
pooya87
legendary
Activity: 3472
Merit: 10611
Re: same-r-value-is-used-for-two-different-addresses
December 13, 2022, 06:16:38 AM
#16
Quote from: ?? on ??
I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.
I don't think it is mathematically possible to solve this since you have 2 equations with 3 variables (k, d1, d2). Having two signatures for each key isn't giving us any edge either.
stanner.austin
member
Activity: 69
Merit: 53
Re: same-r-value-is-used-for-two-different-addresses
December 13, 2022, 05:55:15 AM
#15
@ecdsa123
Hello
If you have 2 R(K*G) for 1 private key it's easy to crack K. Z should not be 0 or 1.
if you found your known R in any public transaction you can crack his private key because you know value of R.
Link you posted is already using  private key 1 then same nonce(K) with 2 transaction which make it weak and easily to recover K. algo (k = (m1-m2)/(s1-s2) ) once you have K you can recover X(Private key it self)
o_e_l_e_o
legendary
Activity: 2268
Merit: 18711
Re: same-r-value-is-used-for-two-different-addresses
November 12, 2022, 09:23:44 AM
#14
I already explained all this previously in this post: https://bitcointalksearch.org/topic/m.61215046

Quote from: ?? on ??
So he didn't inform that he know the first privatekey.
He did:
Quote from: abadon666999 on October 31, 2022, 05:42:51 AM
i have recovered privatekey address 1

Quote from: ?? on ??
so what is privatekey1 and privatekey2 or nonce?
You are asking the wrong question. OP has said he already knows the private key from the first transaction, and has therefore managed to recover k. As pointed out, with this knowledge of k, s, and z for the second transaction, then the second transaction's private key can be calculated.
stanner.austin
member
Activity: 69
Merit: 53
Re: same-r-value-is-used-for-two-different-addresses
November 11, 2022, 07:28:50 AM
#13
@ecdsa123
You did not understand question still please read again.

If you want example from my testing here is it.

Code:
private Key 1000
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=df051cdb85ce3de01852a88716b3a03af61b82b23fb238be2b78fafe49fbe083
Z=4a3833b105b518411570325efce62626fc35078da1549d77a0140a60b3cac119

Because i know private key is 1000 i can recover K with algo
k = (m+x*r)/s
so K = 803d9488926a7c55f372066146329e0c390e5d5f170f27cd1bcf8b05b4c97f6

Unknown private key
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=f9ba1fe4400435a9f7fcadafe66a46a5dcfa4e6952f5dca25da1f21b5eaf71dd
Z=f57bc228876209fe510b5b25d0db373cb387612e57b135fd06e15560b53a1ca2

As same R i already know K i can recover private key of unknown one.
x = (s*k-m)/r

so X = 25d5a5f313a692270e6c8a8f6e3265f1c337b4297e671e89a0c045e6e232bf15

for better understanding use this.
https://github.com/nlitsme/bitcoinexplainer

stanner.austin
member
Activity: 69
Merit: 53
Re: same-r-value-is-used-for-two-different-addresses
November 11, 2022, 05:59:14 AM
#12
@ecdsa123
hello
May be you did not read full message of him?

Here he confirmed about privatekey for 1 address.
Quote from: abadon666999 on October 31, 2022, 04:54:26 AM
the problem is that i can recover only privatekey of 1 address

Here he ask help about privatekey for 2 address.
Quote from: abadon666999 on October 31, 2022, 04:54:26 AM
i have need of recover privatekey address 2
what is correct formula  for recover the privatekey of address 1   and address 2 that have same R used in 2 different address?
thanks for your help

Give me 2 pair of R,S,Z with both have same R let me show you second pair is recovered or not.

I don't know what make you think my answer is wrong its not.
NotATether
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Re: same-r-value-is-used-for-two-different-addresses
November 10, 2022, 01:28:24 PM
#11
Quote from: stanner.austin on November 10, 2022, 07:33:57 AM
@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.

Alright, just wanted to make sure that anyone coming in to ask about same K values also get accommodated here.
stanner.austin
member
Activity: 69
Merit: 53
Re: same-r-value-is-used-for-two-different-addresses
November 10, 2022, 07:33:57 AM
#10
@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.
NotATether
legendary
Activity: 1568
Merit: 6660
bitcoincleanup.com / bitmixlist.org
Re: same-r-value-is-used-for-two-different-addresses
November 09, 2022, 10:58:26 PM
#9
Quote from: stanner.austin on November 09, 2022, 03:58:21 AM
You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

If you already have the nonce then you don't need the second transaction... assuming it was created with the same nonce then you can simply compute the signed transaction again with the private key.
stanner.austin
member
Activity: 69
Merit: 53
Re: same-r-value-is-used-for-two-different-addresses
November 09, 2022, 03:58:21 AM
#8
@abadon666999
Hello
You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

To recover second message private key use this one more user friendly.
https://github.com/nlitsme/bitcoinexplainer

abadon666999
newbie
Activity: 78
Merit: 0
Re: same-r-value-is-used-for-two-different-addresses
October 31, 2022, 09:23:50 AM
#7
Quote from: o_e_l_e_o on October 31, 2022, 06:28:10 AM
Quote from: abadon666999 on October 31, 2022, 06:04:57 AM
-snip-
Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s2 and z2 and using them to calculate the second private key.


strange...no error
o_e_l_e_o
legendary
Activity: 2268
Merit: 18711
Re: same-r-value-is-used-for-two-different-addresses
October 31, 2022, 06:28:10 AM
#6
Quote from: abadon666999 on October 31, 2022, 06:04:57 AM
-snip-
Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s2 and z2 and using them to calculate the second private key.
abadon666999
newbie
Activity: 78
Merit: 0
Re: same-r-value-is-used-for-two-different-addresses
October 31, 2022, 06:04:57 AM
#5
Quote from: o_e_l_e_o on October 31, 2022, 05:49:51 AM
Quote from: abadon666999 on October 31, 2022, 05:42:51 AM
yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...
If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z1 + r1*x1)/s1

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x2 = (k*s2 - z2)/r2

first of all..thanks for your help
 i have done equation
i have k
i have that x1 = x2
than i have only privatekey address 1
it's very strange
o_e_l_e_o
legendary
Activity: 2268
Merit: 18711
Re: same-r-value-is-used-for-two-different-addresses
October 31, 2022, 05:49:51 AM
#4
Quote from: abadon666999 on October 31, 2022, 05:42:51 AM
yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...
If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z1 + r1*x1)/s1

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x2 = (k*s2 - z2)/r2
abadon666999
newbie
Activity: 78
Merit: 0
Re: same-r-value-is-used-for-two-different-addresses
October 31, 2022, 05:42:51 AM
#3
Quote from: o_e_l_e_o on October 31, 2022, 05:38:25 AM
Quote from: abadon666999 on October 31, 2022, 04:54:26 AM
i have 2 addresses that have same R value
I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

m1   scalar:0x......................
m2   scalar:0x......................
r   scalar:0x.......................
s1   scalar:0x......................
s2   scalar:0x.......................
k   scalar:0x.......................
x1   scalar:0x = to x2
x2   scalar:0x = to x1

i have checked this old post
https://bitcoin.stackexchange.com/questions/37673/same-r-value-is-used-for-two-different-addresses-finding-z1-and-z2-value-and-pr
and have recovered privatekey 1 and privatekey 2
o_e_l_e_o
legendary
Activity: 2268
Merit: 18711
Re: same-r-value-is-used-for-two-different-addresses
October 31, 2022, 05:38:25 AM
#2
Quote from: abadon666999 on October 31, 2022, 04:54:26 AM
i have 2 addresses that have same R value
I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.
abadon666999
newbie
Activity: 78
Merit: 0
Re: same-r-value-is-used-for-two-different-addresses
October 31, 2022, 04:54:26 AM
#1
hi all
i have 2 addresses that have same R value
address 1         same R
address 2         same R
i know R
i know S1    and S2
i know M signed message or Z    M1   and  M2
When a signing secret was used to sign two different messages, you can recover the signing secret with this calculation:
 k = (m1-m2)/(s1-s2)
the problem is that i can recover only privatekey of 1 address
i have need of recover privatekey address 2
what is correct formula  for recover the privatekey of address 1   and address 2 that have same R used in 2 different address?

thanks for your help
Bitcoin Forum>Bitcoin>Development & Technical Discussion
Jump to: