|
Title: why it works? it should'nt Post by: ecdsa123 on September 06, 2022, 03:46:53 PM why it works? it should'nt
d=(s*k - z) / r Code: d = 17297868438860976900 see r of k*G isn't 114792231439225299071653076175597454642404629309811484913662796330298864240204 Title: Re: why it works? it should'nt Post by: akaki on September 06, 2022, 05:43:16 PM r is wrong.
ECDSA multiplication using k*Gpoint gives : R=(42804120235550333264601566912095829673031312040987116166863779393812842042729, 68663269101170998966556989191669958292218975994528865773618353809041762691493) thus r=Rx=42804120235550333264601566912095829673031312040987116166863779393812842042729 Title: Re: why it works? it should'nt Post by: ecdsa123 on September 06, 2022, 05:55:39 PM Code: I know that r is wrong. Question why when you will calculate d with wrong r -> result will be good value. and when you will calculate k (nonce) with wrong r -> result will be good value k=(d*r - z)/s %n k=k Code:
Title: Re: why it works? it should'nt Post by: akaki on September 06, 2022, 06:05:40 PM If r is wrong then s is also wrong.
The right s should be 99827946738399009248825444711200031423675392728917187111450168157978195192231. If you are using both wrong r and s, you are just balancing the equation to get d. Title: Re: why it works? it should'nt Post by: garlonicon on September 06, 2022, 08:21:17 PM Quote why it works? Because you don't touch any public keys at all. If your G is "02 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", then your "r=(k*G).x" should be equal to "(2706155104*0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798).x", so "r=5ea246048650e98edc5abf3b4c1cd410f2aeb93cfa8e66f21d6051342c725569" would be correct. However, if your "r=fdca19bd0e1a0721b21f9c3726df30f69409e005897fa6cd1a564d3a7ce7064c" is correct, and your "k=00000000000000000000000000000000000000000000000000000000a14ca660" is also correct, then your G has to be "03 CE660BE32AABB306C0E634CB436A2D46DB6CCB1C25A86E83A94AF766F78ED6B5".You can always calculate things without touching public keys. But then, if your base point is not the same, you won't get the right result. You can always assume that G is different, and that k=1. You will always get d=something if you change your G. The problem is: your public key does not match. Title: Re: why it works? it should'nt Post by: COBRAS on September 06, 2022, 10:02:04 PM Quote why it works? Because you don't touch any public keys at all. If your G is "02 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", then your "r=(k*G).x" should be equal to "(2706155104*0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798).x", so "r=5ea246048650e98edc5abf3b4c1cd410f2aeb93cfa8e66f21d6051342c725569" would be correct. However, if your "r=fdca19bd0e1a0721b21f9c3726df30f69409e005897fa6cd1a564d3a7ce7064c" is correct, and your "k=00000000000000000000000000000000000000000000000000000000a14ca660" is also correct, then your G has to be "03 CE660BE32AABB306C0E634CB436A2D46DB6CCB1C25A86E83A94AF766F78ED6B5".You can always calculate things without touching public keys. But then, if your base point is not the same, you won't get the right result. You can always assume that G is different, and that k=1. You will always get d=something if you change your G. The problem is: your public key does not match. Yes, i think you exactly right aboup multiply sig to pubkey. Can you make a BAD trasaction sighnature to code from this articke https://medium.com/asecuritysite-when-bob-met-alice/ecdsa-signatures-can-be-cracked-with-one-good-signature-and-one-bad-one-2d8bc71949e9 ?? br Title: Re: why it works? it should'nt Post by: garlonicon on September 07, 2022, 04:45:30 AM Quote Now, let’s say we have two signatures. One has a fault and the other one is valid [2]. We then have (r,s) for the valid one, and (r_f,s_f) for the fault. These will be: If r-value is wrong, then k-value is also wrong, both should change at the same time, if not, then other things like the base point has to change. If r-value is wrong and k-value is right, then something bad is going on.s_f = k^-1 * (h + d * r_f) (mod p) s = k^-1 * (h + d * r) (mod p) In general, I don't understand something or this article is suspicious: 1) their assumptions are quite strong, for example it is unlikely to get two signatures, where the signed message is identical 2) their calculations are tricky, for example in the middle of their calculations, they skip the signed message in their equations 3) they use some weird formatting, where I don't know if something is a multiplication, or maybe it is a dot, because it looks like accessing a member of a structure in C Edit: Probably I should read the original source first to reproduce that, because it has better quality: https://www.usenix.org/system/files/sec22-sullivan.pdf |