Score:1

ECDSA secp256k1 curve: same r value is used for two different addresses


Edited: changed the notation according to the request by fgrieu.

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

properties of secp256k1:

p = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141   # order of curve

It is according to: ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces- link here: https://billatnapier.medium.com/ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces-secp256k1-5758f1258b1d

It should work, but it doesn't.

I put the transactions, nonces and private keys below.

Why can I not obtain the values private1 and private2?

It gives me the value 0. Please help.

privkey1= 74151126465914553719682701372546590912032713247110001383204298192577238294259
privkey2= 65602009300807068992382438511465994464148703102269145684254988072233619429415

nonce1= 113430668354305125354139681412571553637810109882549088741100884487402919060793
nonce2= 88941376982568942091029320764989550225390065895384871037015643141890275775717

signature matches
#transaction from first privkey1

r1= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s1= 36665125934301679295764426496089959157670212057714313825462899262019004181013
h1= 45063904364969322573281122086971579379876583577391310824950725157431863085693

r2= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s3= 88414683103569280491867470526894992004240909646745888824999991880846576153983
h3= 96925863066810859394685400246217607442326685412593308871569663983290139782035

##transaction from second privkey2

r1= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s2= 48387795993880540164497955151292140905876432678370698441361372722465054520609
h2= 70890957235815785946608014568730757332857823983374044998781188028671033610413

r2= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s4= 94479523762013111191490500533227932711756342618388816229238677867942525385058
h4= 88400657509035765824159536685234267382896518494653799783594906135509259195161

How do I calculate the above private keys? If I use the link "Is it possible to decrypt an ECDSA private key if the same nonce is used across different private keys?", I get the result 0 for privkey1 and privkey2.

Where is the problem?

For another example everything works fine, but in the above version there is a problem.

Myria
Compared to the document you have linked, you have operations 2 and 3 swapped. Swap those then apply the formula for $x_1$ and $x_2$. Note that this arithmetic is done $\mod p$, so division by $r_1r_2(s_1s_4-s_2s_3)$ is actually multiplying by the modular inverse of $r_1r_2(s_1s_4-s_2s_3)$ $\mod p$. [moderator addition: the change suggested in this comment is now incorporated in the question by the OP].
Ironic
fgrieu: _"With your numbers there is $s_1s_4≡s_2s_3\pmod p$"_. Yes, but it must be solvable. The question is what kind of change I must make. Again: the same r1 and r2, as k1 and k2 (nonce1 and nonce2), are used for 2 different private keys. The problem is s1s4 = s2s3 mod p. How do I change the calculation to get the real privatekey1 and privatekey2?
fgrieu
To those proposing to close as a programming question: that's _not_ what the question is about. It's about a special condition $s_1s_4≡s_2s_3\pmod p$ in the values considered and how that condition makes it impossible to perform the calculation in the references. A reason I see to perhaps close the question is that this condition is artificial, with no explanation given about why it would hold.
Score:1

I'll use the notation in the references, thus the question's privkey1, privkey2, nonce1, nonce2 are noted $x_1$, $x_2$, $k_1$, $k_2$; and the prime order of curve secp256k1 is noted $p$ (rather than the usual $n$).

The question mentions "(…) 4 transactions for 2 pubkeys with the same r1 and r2", but gives different values for r1 and r2. I'll read instead: 4 ECDSA signatures matching 2 private/public key pairs using only 2 nonces, in the following arrangement:

| hash | nonce | privkey | signature | equation $\pmod p$ |
|---|---|---|---|---|
| $h_1$ | $k_1$ | $x_1$ | $(r_1,s_1)$ | $s_1k_1≡r_1x_1+h_1$ |
| $h_2$ | $k_1$ | $x_2$ | $(r_1,s_2)$ | $s_2k_1≡r_1x_2+h_2$ |
| $h_3$ | $k_2$ | $x_1$ | $(r_2,s_3)$ | $s_3k_2≡r_2x_1+h_3$ |
| $h_4$ | $k_2$ | $x_2$ | $(r_2,s_4)$ | $s_4k_2≡r_2x_2+h_4$ |

The numbers given for $x_i$, $k_i$, $r_i$, $h_j$, $s_j$ for $i\in\{1,2\}$ and $j\in\{1,2,3,4\}$ all are in $(1,p)$; verify the equations; and $r_i$ is the function of $k_i$ prescribed by ECDSA on secp256k1, that is $r_i$ is the X coordinate of $k_i\,G$ reduced modulo $p$ (the reduction seldom makes a difference, and this is no exception).

But contrary to the references, it holds $s_1s_4≡s_2s_3\pmod p$. That prevents applying the method in the references to find $x_1$ and $x_2$, which requires that $r_1r_2(s_1s_4-s_2s_3)$ be invertible modulo $p$.

Under the assumption $h_1$, $h_2$, $h_3$, $h_4$ (or the corresponding signed messages) and $x_1$, $x_2$, $k_1$, $k_2$ are arbitrary, with the signatures derived from that, there is no reason $s_1s_4≡s_2s_3\pmod p$ would hold. That it holds makes the system of 4 equations with 4 unknowns $x_1$, $x_2$, $k_1$, $k_2$ impossible to solve from the signatures and hashes alone; we'd need some additional relation involving at least one of the unknowns $x_1$, $x_2$, $k_1$, $k_2$, but none is stated.

One possibility is that there's none to be found. The whole thing could be a decoy, a joke, perhaps a scam (which that comment suggests). One way to build the question's numbers would be that $s_4$ is computed as $s_1^{-1}\,s_2\,s_3\bmod p$, then $h_4$ is computed from $s_4$ rather than as the hash of some message.

Ironic
Unfortunately it is not a joke. I ask this because it is solvable, but I do not know how. There is a person who wants a lot of money for the "calculation". I tested him, and he always gave me the right values of the private keys; one test was the example which I put here. I really don't know how he can calculate it. Of course I have no money to buy from him.
fgrieu
@Ironic: If the test data in the question was all generated by you, please explain how that was (or better, make new test data where everything arbitrary is the SHA-256 hash of a distinct stated 1-byte input). Until you do, my opinion is that whoever generated that test data (or part thereof) is gaming or being gamed.
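
The singular case discussed in the answer above, as an added example that is not part of the original thread or of the linked article: it solves the table's four equations for $x_1$, $x_2$ when $r_1r_2(s_1s_4-s_2s_3)$ is invertible, and shows the solver has nothing to invert once $s_4$ is forced to $s_1^{-1}s_2s_3 \bmod p$ with $h_4$ derived from it. The function names are hypothetical, all test values are constructed as SHA-256 of a single byte, and `r1`, `r2` are stand-in numbers rather than real curve x-coordinates.

```python
import hashlib

# secp256k1 group order, written p on this page (more often n)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def val(b):
    """Constructed test value: SHA-256 of the single byte b, reduced mod p."""
    return int.from_bytes(hashlib.sha256(bytes([b])).digest(), "big") % P

def sign_s(k, r, x, h):
    """s satisfying the table's equation s*k = r*x + h (mod p)."""
    return pow(k, -1, P) * (r * x + h) % P

def solve_keys(r1, r2, sigs):
    """sigs = [(s1,h1), (s2,h2), (s3,h3), (s4,h4)] in the table's row order.
    Returns (x1, x2), or None when r1*r2*(s1*s4 - s2*s3) is 0 mod p."""
    (s1, h1), (s2, h2), (s3, h3), (s4, h4) = sigs
    det = r1 * r2 * (s1 * s4 - s2 * s3) % P
    if det == 0:
        return None  # not invertible: the 2x2 system in x1, x2 is singular
    # Eliminating k1 from rows 1-2 and k2 from rows 3-4 leaves
    #   r1*s2*x1 - r1*s1*x2 = b1,   r2*s4*x1 - r2*s3*x2 = b2
    b1 = (s1 * h2 - s2 * h1) % P
    b2 = (s3 * h4 - s4 * h3) % P
    inv = pow(det, -1, P)
    return ((r1 * s1 * b2 - r2 * s3 * b1) * inv % P,
            (r1 * s2 * b2 - r2 * s4 * b1) * inv % P)

def build(degenerate):
    """Constructed data. r1, r2 are stand-in values, not x-coordinates of k*G;
    the linear algebra does not depend on how r is derived from k."""
    x1, x2, k1, k2, r1, r2 = (val(i) for i in range(1, 7))
    h1, h2, h3, h4 = (val(i) for i in range(7, 11))
    s1, s2 = sign_s(k1, r1, x1, h1), sign_s(k1, r1, x2, h2)
    s3, s4 = sign_s(k2, r2, x1, h3), sign_s(k2, r2, x2, h4)
    if degenerate:
        # The construction the answer describes: force s1*s4 = s2*s3 (mod p),
        # then derive h4 from s4 so that row 4 still verifies.
        s4 = pow(s1, -1, P) * s2 * s3 % P
        h4 = (s4 * k2 - r2 * x2) % P
    return (x1, x2, k2), r1, r2, [(s1, h1), (s2, h2), (s3, h3), (s4, h4)]

if __name__ == "__main__":
    for flag in (False, True):
        secret, r1, r2, sigs = build(flag)
        print("degenerate" if flag else "generic", solve_keys(r1, r2, sigs) == secret[:2])
```

In the degenerate run all four rows still verify, so the data looks valid even though the two eliminated equations have become linearly dependent.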