Title: Nonce in secp256k1 ECDSA
Post by: peakyclin77 on September 26, 2025, 09:38:05 PM

Hello everyone,
Here, the k values seem predictable and deterministic.

R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321
R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1

Relative Distance Ratio (Distance / n):
Fraction: 0.000000000000003751

Title: Re: Nonce in secp256k1 ECDSA
Post by: iceland2k14 on September 28, 2025, 05:01:04 AM

How is it predictable?
The mathematical distance between R1 & R2 has nothing to do with the actual distance between their corresponding nonces. Let me give you an example.

R1 = 0xa03aba6c1d66b0adff5f523b05ae59226b75a3c89c5755728d4278b4d02dec0
R2 = 0xd95ae6aa449d8243d4fc55ffa443c3f9982d235d4237fe0c187dba73b075b71d

Do you see how large the mathematical distance between them is? They look totally, totally very far apart. No similarity at all. But if I say to you that they are very close, and in fact in your terms of Relative Distance Ratio (Distance / N) they are = 0.00000000000000000000000000000000000000000000000000000000000000000000000000004318

Title: Re: Nonce in secp256k1 ECDSA
Post by: flapduck on September 28, 2025, 09:02:28 PM

> Hello everyone,
> Here, the k values seem predictable and deterministic.
> R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321
> R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1
> Relative Distance Ratio (Distance / n):
> Fraction: 0.000000000000003751

r = x(k*G) mod n. Closeness of r1 and r2 says nothing about k1 and k2. The x map and the mod reduction destroy any simple distance relation. You can see tiny r gaps from unrelated nonces.

> Hello everyone,
> Here, the k values seem predictable and deterministic.
> R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321
> R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1
> Relative Distance Ratio (Distance / n):
> Fraction: 0.000000000000003751

Agreed. Measure distance in scalar space, not by comparing r or x(R). Without k or leaked bits there is no handle. Real issues are nonce reuse, biased RNG, or partial-bit leaks that enable lattice attacks.