
Topic: the same r and the same s but another xpubkey - page 2. (Read 445 times)

member
Activity: 70
Merit: 53
@Sansa_Stark
If you have 2 different S for the same private key or public key, then it's possible to break X,K.
If you have 2 same R for different private keys or public keys and have 1 of the private keys, you can still break X,K for each other.
The chance of having the same R is less than 0.00000001%; all possible issues related to same R were eliminated many years ago.
copper member
Activity: 821
Merit: 1992
Quote
is there any possibility to find "K" as nonce?
No, because you can start from r=1, s=1, use R as 020000000000000000000000000000000000000000000000000000000000000001, and then choose any z-value you want. You can also choose R=G, then s will be the x-value of the base point, then you will have "d=const-(z/const)". Because it is possible to choose any public key as a signature nonce and make multiple signatures with the same r and s, reaching random z-values, it is impossible to break that, just because then breaking any key would be possible.
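The construction described in the reply above, as an added example that is not part of the original post: for a nonce point R whose discrete log nobody knows (the point with x = 1, so r = 1), any s and any hash z, the key Q = r^-1 * (s*R - z*G) makes (r, s) verify. The helper names and the z values are constructed for illustration; it needs Python 3.8+ for `pow(x, -1, n)`.

```python
P = 2**256 - 2**32 - 977  # secp256k1 field prime; N is the group order
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        m = 3 * a[0] * a[0] * pow(2 * a[1], -1, P)
    else:
        m = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P)
    x = (m * m - a[0] - b[0]) % P
    return (x, (m * (a[0] - x) - a[1]) % P)

def mul(k, pt):
    """Double-and-add scalar multiplication, k reduced mod N."""
    acc, k = None, k % N
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def verify(Q, z, r, s):
    """Textbook ECDSA verification of (r, s) on hash z under key Q."""
    if Q is None or not (0 < r < N and 0 < s < N):
        return False
    w = pow(s, -1, N)
    X = add(mul(z * w, G), mul(r * w, Q))
    return X is not None and X[0] % N == r

def lift_x(x):
    """Curve point with this x and even y (y^2 = x^3 + 7, P % 4 == 3)."""
    y = pow(x**3 + 7, (P + 1) // 4, P)
    if y * y % P != (x**3 + 7) % P:
        raise ValueError("no curve point with this x")
    return (x, y if y % 2 == 0 else P - y)

def key_for(R, s, z):
    """Q = r^-1 * (s*R - z*G), computed from public values only."""
    r = R[0] % N
    return mul(pow(r, -1, N), add(mul(s, R), mul(-z, G)))

R = lift_x(1)  # nonce point from the reply: r = 1, discrete log unknown
KEYS = {z: key_for(R, 1, z) for z in (1001, 2002, 3003)}  # constructed z values
```

Every key in `KEYS` accepts the same (r, s) = (1, 1) for its own z, and no private key or nonce was known at any point. The only relation an observer gets is the difference between the keys, matching x2 - x1 = (z1 - z2) * r^-1 mod n from the question.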
newbie
Activity: 9
Merit: 0
Hello

Is there any way to recover k as nonce (r in transaction) when we have two or more transactions for 2 or more different pubkeys?
With information: r = r and s = s (it means all s are the same, and all r (nonce) are the same);
only the message hash is different and the xpubkey is different.
Example:

the nonce used for this example is

    
k = 86006170020059030419694064257100848158479312228443658208588163077306574850307

# transaction 1
r1 = 77043604703837860533853444406453725082195756835019831845050964553536863633142  
s1= 77156945794617562845248853605957385196967721348292410152565322709143296655454  
z1= 81550283294213774526750480549508848506784961076269394706854338639766815622493
private_key= 5263766247322699202248800353990561120926407954519219308434909686134852297665  
print(ecdsa_verify(private_key*P, z1, r1, s1))

# transaction 2
r1 = 77043604703837860533853444406453725082195756835019831845050964553536863633142  
s1= 77156945794617562845248853605957385196967721348292410152565322709143296655454  
z2= 112710939834674381891490534574286238812990049775193245234732798801085022004640
private_key2= 18053941553956308838190635484463951897269933417088761207596304974788524979748    
print(ecdsa_verify(private_key2*P, z2, r1, s1))


# transaction 3
r1 = 77043604703837860533853444406453725082195756835019831845050964553536863633142  
s1= 77156945794617562845248853605957385196967721348292410152565322709143296655454  
z3= 110548948083746279701632615734640929686598089716293774722132137960638193691299
private_key3= 22600770345200368895146862074361256781354839926598930725374757459334004043901      
print(ecdsa_verify(private_key3*P, z3, r1, s1))

According to:

S*k - r*x = z

we have

S1*k - r1*x1 = z1

S1*k - r1*x2 = z2

S1*k - r1*x3 = z3

So we can detect what the "linear" distance between the equations is:

S1*k - r1*x1 = z1

S1*k - r1*x2 = z2
===

s1*k - s1*k - r1*x1 + r1*x2 = z1-z2        => (x2 - x1) =  (z1 - z2) *inverse_mod(r1,n) mod n

But is there any possibility to find "K" as nonce?

If you are able to give any clue, you are very welcome.

Regards, Sansa


 
