same-r-value-is-used-for-two-different-addresses

whanau

member

Activity: 119

Merit: 36

Quote from: abadon666999 on October 31, 2022, 05:42:51 AM

i have checked this old post
https://bitcoin.stackexchange.com/questions/37673/same-r-value-is-used-for-two-different-addresses-finding-z1-and-z2-value-and-pr
and have recovered privatekey 1 and privatekey 2

Please could you explain how you recovered these keys. Like the OP in the link above, I get the same wrong answer.

I don't understand where all the extra inputs come from in the diagram (I am no mathematician!).
I can see the first 3 items in the diagram relate to the public keys and R values in the OP but where do the rest come from?
Thank you

ecdsa123

jr. member

Activity: 211

Merit: 105

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

it is according: ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces-
link here: https://billatnapier.medium.com/ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces-secp256k1-5758f1258b1d

it should work, but not work.

I put transactions, nonces and privatekeys

why I can't take value private1 and private2?

it give me value 0:
please help

Code:

privkey1= 74151126465914553719682701372546590912032713247110001383204298192577238294259
privkey2= 65602009300807068992382438511465994464148703102269145684254988072233619429415

nonce1= 113430668354305125354139681412571553637810109882549088741100884487402919060793
nonce2= 88941376982568942091029320764989550225390065895384871037015643141890275775717

signature matches
#transaction from first privkey1

r1= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s1= 36665125934301679295764426496089959157670212057714313825462899262019004181013
z1= 45063904364969322573281122086971579379876583577391310824950725157431863085693

r2= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s2= 88414683103569280491867470526894992004240909646745888824999991880846576153983
z2= 96925863066810859394685400246217607442326685412593308871569663983290139782035

##transaction from second privkey2

r3= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s3= 48387795993880540164497955151292140905876432678370698441361372722465054520609
z3= 70890957235815785946608014568730757332857823983374044998781188028671033610413

r4= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s4= 94479523762013111191490500533227932711756342618388816229238677867942525385058
z4= 88400657509035765824159536685234267382896518494653799783594906135509259195161

Minase

member

Activity: 72

Merit: 43

interesting topic
i have tried the following formula k = (z1 + r1*x1)/s1 but something is quite wrong with my calculations
everything is ok with (Z + R*X) but when i do the division with S the result is a very small number.
should i do another operation? mod inv? thanks
//edit
nvm found my error Grin

pooya87

legendary

Activity: 3472

Merit: 10611

Quote from: ecdsa123 on December 12, 2022, 11:41:51 AM

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

I don't think it is mathematically possible to solve this since you have 2 equations with 3 variables (k, d1, d2). Having two signatures for each key isn't giving us any edge either.

stanner.austin

member

Activity: 69

Merit: 53

@ecdsa123
Hello
If you have 2 R(K*G) for 1 private key it's easy to crack K. Z should not be 0 or 1.
if you found your known R in any public transaction you can crack his private key because you know value of R.
Link you posted is already using private key 1 then same nonce(K) with 2 transaction which make it weak and easily to recover K. algo (k = (m1-m2)/(s1-s2) ) once you have K you can recover X(Private key it self)

ecdsa123

jr. member

Activity: 211

Merit: 105

Code:

pubkey1_x =  99849857272418179203502331812772464642887864474228053990188623690904651999129
pubkey1_y =  1427797404910626570500832234950755155093850504348462442758540057225302018468
r1 =  96237046584217664204542395357030341151517669115118687572669691568567295250092
s1 =  95006782634967620310046902852157931507299895684785249809080193173792975818459
z1 =  86395623326853627167317806149581085219268370512647587563101267886017349997301

pubkey2_x =  47495987005760132411635953872279669890191779154515453545814791098010712870383
pubkey2_y =  86787612282282135351658653763637707760556816601543638392353231308614605552123
r2 =  96237046584217664204542395357030341151517669115118687572669691568567295250092
s2 =  52017465008291881853391545710652858992883078951377816905212945896722844055950
z2 =  88420324448681996600780430039089167455950427891235143177887263095884698317180

so what is privatekey1 and privatekey2 or nonce?

my algo has tested it and after two weeks I found solutions.

This is only prepared for testing purpose. no bitcoins on address:)

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

I already explained all this previously in this post: https://bitcointalksearch.org/topic/m.61215046

Quote from: ecdsa123 on November 10, 2022, 04:59:09 PM

So he didn't inform that he know the first privatekey.

He did:

Quote from: abadon666999 on October 31, 2022, 05:42:51 AM

i have recovered privatekey address 1

Quote from: ecdsa123 on November 11, 2022, 06:56:42 AM

so what is privatekey1 and privatekey2 or nonce?

You are asking the wrong question. OP has said he already knows the private key from the first transaction, and has therefore managed to recover k. As pointed out, with this knowledge of k, s, and z for the second transaction, then the second transaction's private key can be calculated.

stanner.austin

member

Activity: 69

Merit: 53

@ecdsa123
You did not understand question still please read again.

If you want example from my testing here is it.

Code:

private Key 1000
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=df051cdb85ce3de01852a88716b3a03af61b82b23fb238be2b78fafe49fbe083
Z=4a3833b105b518411570325efce62626fc35078da1549d77a0140a60b3cac119

Because i know private key is 1000 i can recover K with algo
k = (m+x*r)/s
so K = 803d9488926a7c55f372066146329e0c390e5d5f170f27cd1bcf8b05b4c97f6

Unknown private key 
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=f9ba1fe4400435a9f7fcadafe66a46a5dcfa4e6952f5dca25da1f21b5eaf71dd
Z=f57bc228876209fe510b5b25d0db373cb387612e57b135fd06e15560b53a1ca2

As same R i already know K i can recover private key of unknown one.
x = (s*k-m)/r

so X = 25d5a5f313a692270e6c8a8f6e3265f1c337b4297e671e89a0c045e6e232bf15

for better understanding use this.
https://github.com/nlitsme/bitcoinexplainer

ecdsa123

jr. member

Activity: 211

Merit: 105

@abadon666999 has asked about how to discover two privatekeys when we have two transactions with the same r but with differents pubkeys.

So he didn't inform that he know the first privatekey.

So yours "calculation" above are wrong in this case.

Of course according "modificate algebra as triangle" can be used for explore this topic.

but still it is expensive as power which we need to solve with LLL reduction.

stanner.austin

member

Activity: 69

Merit: 53

@ecdsa123
hello
May be you did not read full message of him?

Here he confirmed about privatekey for 1 address.

Quote from: abadon666999 on October 31, 2022, 04:54:26 AM

the problem is that i can recover only privatekey of 1 address

Here he ask help about privatekey for 2 address.

Quote from: abadon666999 on October 31, 2022, 04:54:26 AM

i have need of recover privatekey address 2
what is correct formula for recover the privatekey of address 1 and address 2 that have same R used in 2 different address?
thanks for your help

Give me 2 pair of R,S,Z with both have same R let me show you second pair is recovered or not.

I don't know what make you think my answer is wrong its not.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: stanner.austin on November 10, 2022, 07:33:57 AM

@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.

Alright, just wanted to make sure that anyone coming in to ask about same K values also get accommodated here.

stanner.austin

member

Activity: 69

Merit: 53

@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.

NotATether

legendary

Activity: 1568

Merit: 6660

bitcoincleanup.com / bitmixlist.org

Quote from: stanner.austin on November 09, 2022, 03:58:21 AM

You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

If you already have the nonce then you don't need the second transaction... assuming it was created with the same nonce then you can simply compute the signed transaction again with the private key.

stanner.austin

member

Activity: 69

Merit: 53

@abadon666999
Hello
You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

To recover second message private key use this one more user friendly.
https://github.com/nlitsme/bitcoinexplainer

abadon666999

newbie

Activity: 78

Merit: 0

Quote from: o_e_l_e_o on October 31, 2022, 06:28:10 AM

Quote from: abadon666999 on October 31, 2022, 06:04:57 AM

-snip-

Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s₂ and z₂ and using them to calculate the second private key.

strange...no error

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: abadon666999 on October 31, 2022, 06:04:57 AM

-snip-

Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s₂ and z₂ and using them to calculate the second private key.

abadon666999

newbie

Activity: 78

Merit: 0

Quote from: o_e_l_e_o on October 31, 2022, 05:49:51 AM

Quote from: abadon666999 on October 31, 2022, 05:42:51 AM

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z₁ + r₁*x₁)/s₁

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x₂ = (k*s₂ - z₂)/r₂

first of all..thanks for your help
i have done equation
i have k
i have that x1 = x2
than i have only privatekey address 1
it's very strange

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: abadon666999 on October 31, 2022, 05:42:51 AM

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z₁ + r₁*x₁)/s₁

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x₂ = (k*s₂ - z₂)/r₂

abadon666999

newbie

Activity: 78

Merit: 0

Quote from: o_e_l_e_o on October 31, 2022, 05:38:25 AM

Quote from: abadon666999 on October 31, 2022, 04:54:26 AM

i have 2 addresses that have same R value

I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

m1   scalar:0x......................
m2   scalar:0x......................
r   scalar:0x.......................
s1   scalar:0x......................
s2   scalar:0x.......................
k   scalar:0x.......................
x1   scalar:0x = to x2
x2   scalar:0x = to x1

i have checked this old post
https://bitcoin.stackexchange.com/questions/37673/same-r-value-is-used-for-two-different-addresses-finding-z1-and-z2-value-and-pr
and have recovered privatekey 1 and privatekey 2

o_e_l_e_o

legendary

Activity: 2268

Merit: 18711

Quote from: abadon666999 on October 31, 2022, 04:54:26 AM

i have 2 addresses that have same R value

I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.

Topic: same-r-value-is-used-for-two-different-addresses (Read 479 times)