Bitcoin Forum
Topic: Technical question about RSZ signature
#1 - Nivison (OP) [Newbie] - June 25, 2022, 09:14:21 AM (last edit: June 26, 2022, 01:56:32 PM by Nivison)

I am trying to create a duplicate-R transaction set to study from. I calculated the second S value for the second signature. How can I calculate the second Z value from the first Z value without the nonce or private key in the equation?

Example
Code:
X = 0x00c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96  # private key d
K = 0x007a1a7e52797fc8caaa435d2a4dace39158504bf204fbe19f14dbb427faee50ae  # nonce k
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141    # secp256k1 group order n

R = 96110991714138747756460882573165355495294553455766427630556072689024184367825
S = 31156575478450364329439900697479132585341859457080654718650411361231741206078
Z = 87244814473377946459021394573120624638544621973526661110335002719552586402926
S1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259

Z1 = 93180677400834919588362567850445577135037955949578918319954060512580571683805  # This is what I want to calculate without using K or X

print((0 - ((S * K) - (X * -R))) % N)  # currently using this formula; it includes the use of K and X
#2 - pooya87 [Legendary] - June 25, 2022, 11:43:27 AM

Z is calculated based on the transaction itself (in simple terms it is a hash computed using the transaction data) not based on nonce or the private key.
But as far as the mathematics is concerned, if you have the nonce (k), private key (d) and signature (r and s) then you should be able to compute z too. It's a simple matter of solving s = k^-1 (z + rd) mod n with only one unknown variable.

#3 - NotATether [Legendary] - June 25, 2022, 02:16:56 PM


Quote from: pooya87
Z is calculated based on the transaction itself (in simple terms it is a hash computed using the transaction data) not based on nonce or the private key.

It is very easy to get the raw transaction. You don't have to create it yourself from the signed transaction, you can simply use the getrawtransaction RPC method on a node running with the -txindex option turned on. The transaction data is stored in the "hex" output key, which my instincts say should be unserialized into byte form before hashing to get Z.

#4 - garlonicon [Hero Member] - June 25, 2022, 04:15:43 PM


Quote from: NotATether
The transaction data is stored in the "hex" output key, which my instincts say should be unserialized into byte form before hashing to get Z.
That would be too easy, because then the signature would have to sign itself. So, you have to modify it by replacing inputs in the right way, by appending sighashes, and by adjusting the transaction, according to those sighashes. See: https://bitcoin.stackexchange.com/questions/3374/how-to-redeem-a-basic-tx#answer-5241
#5 - pooya87 [Legendary] - June 26, 2022, 02:51:57 AM


Quote from: NotATether
which my instincts say should be unserialized into byte form before hashing to get Z.
That would give us the transaction ID, which is useless for computing z. In order to get z we have to take extra steps based on the type of output script that is being spent. For example, for legacy outputs (P2PK/P2PKH/P2SH/etc.) you'll have to replace the signature script of the input that is being spent with the spending script (that is, the redeem script for P2SH) and the others with an empty script. For SegWit (P2WPKH/P2WSH/P2TR) it is more complicated, as multiple intermediate hashes are computed based on inputs, outputs and other data in the transaction, then they are combined to get a final hash that is used as z.

#6 - Nivison (OP) [Newbie] - June 26, 2022, 01:55:23 PM


Here is an example of what I am trying to do.

Python

Code:
X = 0x00c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96  # private key d
K = 0x007a1a7e52797fc8caaa435d2a4dace39158504bf204fbe19f14dbb427faee50ae  # nonce k
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141    # secp256k1 group order n

R = 96110991714138747756460882573165355495294553455766427630556072689024184367825
S = 31156575478450364329439900697479132585341859457080654718650411361231741206078
Z = 87244814473377946459021394573120624638544621973526661110335002719552586402926
S1 = 84635513758865831094131084311208775267495704821994249663954751780286420288259

Z1 = 93180677400834919588362567850445577135037955949578918319954060512580571683805  # This is what I want to calculate without using K or X

print((0 - ((S * K) - (X * -R))) % N)  # currently using this formula; it includes the use of K and X
#7 - garlonicon [Hero Member] - June 26, 2022, 04:46:25 PM


You could tell explicitly that it was transaction 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1, that would be easier. So, you start with the whole transaction, as you can see in the network. First, just decode it:
Code:
decoderawtransaction 0100000002f64c603e2f9f4daf70c2f4252b2dcdb07cc0192b7238bc9c3dacbae555baf701010000008a4730440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e014104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ffffffffff29f841db2ba0cafa3a2a893cd1d8c3e962e8678fc61ebe89f415a46bc8d9854a010000008a4730440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab014104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ffffffffff01a0860100000000001976a91470792fb74a5df745bac07df6fe020f871cbb293b88ac00000000
{
  "txid": "9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1",
  "hash": "9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1",
  "version": 1,
  "size": 402,
  "vsize": 402,
  "weight": 1608,
  "locktime": 0,
  "vin": [
    {
      "txid": "01f7ba55e5baac3d9cbc38722b19c07cb0cd2d2b25f4c270af4d9f2f3e604cf6",
      "vout": 1,
      "scriptSig": {
        "asm": "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e01 04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff",
        "hex": "4730440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e014104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff"
      },
      "sequence": 4294967295
    },
    {
      "txid": "4a85d9c86ba415f489be1ec68f67e862e9c3d8d13c892a3afacaa02bdb41f829",
      "vout": 1,
      "scriptSig": {
        "asm": "30440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab01 04dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff",
        "hex": "4730440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab014104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff"
      },
      "sequence": 4294967295
    }
  ],
  "vout": [
    {
      "value": 0.00100000,
      "n": 0,
      "scriptPubKey": {
        "asm": "OP_DUP OP_HASH160 70792fb74a5df745bac07df6fe020f871cbb293b OP_EQUALVERIFY OP_CHECKSIG",
        "desc": "addr(1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm)#smaknce2",
        "hex": "76a91470792fb74a5df745bac07df6fe020f871cbb293b88ac",
        "address": "1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm",
        "type": "pubkeyhash"
      }
    }
  ]
}
After decoding a signature, everything matches:
Code:
r=d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
s=44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
sighash=01 (SIGHASH_ALL)
So, let's get z-value. First, we parse our transaction:
Code:
version=01000000
inputCount=02
firstPrevTx=f64c603e2f9f4daf70c2f4252b2dcdb07cc0192b7238bc9c3dacbae555baf701
firstPrevIndex=01000000
firstScriptSize=8a
firstScriptSig=4730440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1022044e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e014104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff
firstSequence=ffffffff
secondPrevTx=29f841db2ba0cafa3a2a893cd1d8c3e962e8678fc61ebe89f415a46bc8d9854a
secondPrevIndex=01000000
secondScriptSize=8a
secondScriptSig=4730440220d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad102209a5f1c75e461d7ceb1cf3cab9013eb2dc85b6d0da8c3c6e27e3a5a5b3faa5bab014104dbd0c61532279cf72981c3584fc32216e0127699635c2789f549e0730c059b81ae133016a69c21e23f1859a95f06d52b7bf149a8f2fe4e8535c8a829b449c5ff
secondSequence=ffffffff
outputCount=01
outputAmount=a086010000000000
outputScript=1976a91470792fb74a5df745bac07df6fe020f871cbb293b88ac
locktime=00000000
Then, we remove all input scripts, and put the previous output script in the input we want to sign:
Code:
version=01000000
inputCount=02
firstPrevTx=f64c603e2f9f4daf70c2f4252b2dcdb07cc0192b7238bc9c3dacbae555baf701
firstPrevIndex=01000000
firstScriptSize=19
firstScriptSig=76a91470792fb74a5df745bac07df6fe020f871cbb293b88ac
firstSequence=ffffffff
secondPrevTx=29f841db2ba0cafa3a2a893cd1d8c3e962e8678fc61ebe89f415a46bc8d9854a
secondPrevIndex=01000000
secondScriptSize=00
secondSequence=ffffffff
outputCount=01
outputAmount=a086010000000000
outputScript=1976a91470792fb74a5df745bac07df6fe020f871cbb293b88ac
locktime=00000000
We can try to decode it, to make sure the format is still correct:
Code:
decoderawtransaction 0100000002f64c603e2f9f4daf70c2f4252b2dcdb07cc0192b7238bc9c3dacbae555baf701010000001976a91470792fb74a5df745bac07df6fe020f871cbb293b88acffffffff29f841db2ba0cafa3a2a893cd1d8c3e962e8678fc61ebe89f415a46bc8d9854a0100000000ffffffff01a0860100000000001976a91470792fb74a5df745bac07df6fe020f871cbb293b88ac00000000
{
  "txid": "e36738ef15c78f5264ca7a03347ea55aed31e6972b30db774eca561b935f7a56",
  "hash": "e36738ef15c78f5264ca7a03347ea55aed31e6972b30db774eca561b935f7a56",
  "version": 1,
  "size": 151,
  "vsize": 151,
  "weight": 604,
  "locktime": 0,
  "vin": [
    {
      "txid": "01f7ba55e5baac3d9cbc38722b19c07cb0cd2d2b25f4c270af4d9f2f3e604cf6",
      "vout": 1,
      "scriptSig": {
        "asm": "OP_DUP OP_HASH160 70792fb74a5df745bac07df6fe020f871cbb293b OP_EQUALVERIFY OP_CHECKSIG",
        "hex": "76a91470792fb74a5df745bac07df6fe020f871cbb293b88ac"
      },
      "sequence": 4294967295
    },
    {
      "txid": "4a85d9c86ba415f489be1ec68f67e862e9c3d8d13c892a3afacaa02bdb41f829",
      "vout": 1,
      "scriptSig": {
        "asm": "",
        "hex": ""
      },
      "sequence": 4294967295
    }
  ],
  "vout": [
    {
      "value": 0.00100000,
      "n": 0,
      "scriptPubKey": {
        "asm": "OP_DUP OP_HASH160 70792fb74a5df745bac07df6fe020f871cbb293b OP_EQUALVERIFY OP_CHECKSIG",
        "desc": "addr(1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm)#smaknce2",
        "hex": "76a91470792fb74a5df745bac07df6fe020f871cbb293b88ac",
        "address": "1BFhrfTTZP3Nw4BNy4eX4KFLsn9ZeijcMm",
        "type": "pubkeyhash"
      }
    }
  ]
}
Then, we add our sighash, so we append "01000000" to the end of this transaction. Then, we can double hash it with SHA-256:
Code:
SHA-256(0100000002f64c603e2f9f4daf70c2f4252b2dcdb07cc0192b7238bc9c3dacbae555baf701010000001976a91470792fb74a5df745bac07df6fe020f871cbb293b88acffffffff29f841db2ba0cafa3a2a893cd1d8c3e962e8678fc61ebe89f415a46bc8d9854a0100000000ffffffff01a0860100000000001976a91470792fb74a5df745bac07df6fe020f871cbb293b88ac0000000001000000)=3b30a740b8fbc0d254d08e60a175f2ede828c215b1b1f919bca8de55ac8d41ba
SHA-256(3b30a740b8fbc0d254d08e60a175f2ede828c215b1b1f919bca8de55ac8d41ba)=c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e
Here we have it: z-value is equal to c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e.

Edit: Also, if you have all needed values, you can easily get z-value directly, without any hashing:
Code:
s=(z+rd)/k
sk=z+rd
z=sk-rd
s=44e1ff2dfd8102cf7a47c21d5c9fd5701610d04953c6836596b4fe9dd2f53e3e
k=7a1a7e52797fc8caaa435d2a4dace39158504bf204fbe19f14dbb427faee50ae
r=d47ce4c025c35ec440bc81d99834a624875161a26bf56ef7fdc0f5d52f843ad1
d=c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96
n=fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
sk=797035d79964e4b74fbbef4460379c410261cd01de43278bc2a7efaa541dd8e9
rd=b88d652eff3056cebfe1e72343c6ca67d7e3daf5a1f76e366680d6619cdbcdbc
sk-rd=c0e2d0a89a348de88fda08211c70d1d7e52ccef2eb9459911bf977d587784c6e
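As an added example (not code from the thread, nor from any Bitcoin project), the Python below carries out what the replies describe: the legacy SIGHASH_ALL serialisation from garlonicon's walkthrough (#7), generalised to any input index so it yields z for both inputs of transaction 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1; pooya87's z = s*k - r*d check (#2, and garlonicon's "Edit"); and, going beyond the posts, the consequence of the r shared by both scriptSigs: once z is known for each input, k and then d follow from the two (r, s) pairs, and the candidate is confirmed against the public key pushed in the scriptSig. The secp256k1 arithmetic is a textbook affine implementation written for this example (not constant-time, not for signing anything). The transaction fields are copied from the decoded output above; that the second input also spends a P2PKH output to hash 70792fb7... is an assumption, justified by the same public key appearing in both scriptSigs.

```python
import hashlib

# secp256k1 domain parameters (standard constants).
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(a, b):
    """Affine point addition on y^2 = x^3 + 7 over F_P; None is the point at infinity."""
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow(b[0] - a[0], -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)


def ec_mul(k, pt=G):
    """Textbook double-and-add: fine for study, not constant-time, never for real signing."""
    acc = None
    while k:
        if k & 1: acc = ec_add(acc, pt)
        pt = ec_add(pt, pt)
        k >>= 1
    return acc


def compact_size(n):
    """Bitcoin CompactSize (varint) encoding of a length or count."""
    if n < 0xFD: return bytes([n])
    if n <= 0xFFFF: return b"\xfd" + n.to_bytes(2, "little")
    if n <= 0xFFFFFFFF: return b"\xfe" + n.to_bytes(4, "little")
    return b"\xff" + n.to_bytes(8, "little")


def legacy_sighash_all_z(version, inputs, outputs, locktime, index, script_code):
    """z for input `index` under SIGHASH_ALL with legacy (non-SegWit) serialisation:
    every scriptSig is emptied except the one being signed, which becomes script_code
    (the scriptPubKey being spent for P2PK/P2PKH, the redeem script for P2SH); the
    4-byte little-endian sighash type is appended; the result is double SHA-256'd."""
    pre = version.to_bytes(4, "little") + compact_size(len(inputs))
    for i, (txid, vout, sequence) in enumerate(inputs):
        script = script_code if i == index else b""
        pre += bytes.fromhex(txid)[::-1] + vout.to_bytes(4, "little")  # txids are displayed byte-reversed
        pre += compact_size(len(script)) + script + sequence.to_bytes(4, "little")
    pre += compact_size(len(outputs))
    for value, spk in outputs:
        pre += value.to_bytes(8, "little") + compact_size(len(spk)) + spk
    pre += locktime.to_bytes(4, "little") + (1).to_bytes(4, "little")  # SIGHASH_ALL = 1
    return int.from_bytes(hashlib.sha256(hashlib.sha256(pre).digest()).digest(), "big")


def z_from_signature(r, s, k, d):
    """With k and d known, s = k^-1 (z + r d) mod n has one unknown: z = s k - r d mod n."""
    return (s * k - r * d) % N


def recover_from_shared_r(r, s1, z1, s2, z2, pubkey):
    """Two signatures sharing r under one key leak k: s1 - s2 = (z1 - z2) / k, or s1 + s2
    if the signer negated one s (low-s normalisation). Try both and keep the k whose
    derived d reproduces the public key seen in the scriptSig; None if neither does."""
    for sign in (1, -1):
        denom = (s1 - sign * s2) % N
        if denom == 0: continue
        k = (z1 - z2) * pow(denom, -1, N) % N
        d = (s1 * k - z1) * pow(r, -1, N) % N
        if ec_mul(d) == pubkey: return k, d
    return None


# Transaction 9ec4bc49e828d924af1d1029cacf709431abbde46d59554b62bc270e3b29c4b1, fields as decoded above.
TX_VERSION, TX_LOCKTIME = 1, 0
TX_INPUTS = [  # (prev txid as displayed, vout, sequence); both assumed to spend P2PKH outputs to 70792fb7...
    ("01f7ba55e5baac3d9cbc38722b19c07cb0cd2d2b25f4c270af4d9f2f3e604cf6", 1, 0xFFFFFFFF),
    ("4a85d9c86ba415f489be1ec68f67e862e9c3d8d13c892a3afacaa02bdb41f829", 1, 0xFFFFFFFF),
]
SPK = bytes.fromhex("76a91470792fb74a5df745bac07df6fe020f871cbb293b88ac")
TX_OUTPUTS = [(100_000, SPK)]  # 0.001 BTC in satoshi
R = 0xD47CE4C025C35EC440BC81D99834A624875161A26BF56EF7FDC0F5D52F843AD1   # shared by both inputs
S1 = 0x44E1FF2DFD8102CF7A47C21D5C9FD5701610D04953C6836596B4FE9DD2F53E3E  # input 0
S2 = 0x9A5F1C75E461D7CEB1CF3CAB9013EB2DC85B6D0DA8C3C6E27E3A5A5B3FAA5BAB  # input 1
PUBKEY = (0xDBD0C61532279CF72981C3584FC32216E0127699635C2789F549E0730C059B81,  # 04 || x || y in scriptSig
          0xAE133016A69C21E23F1859A95F06D52B7BF149A8F2FE4E8535C8A829B449C5FF)


def demo():
    """Returns (z for input 0, z for input 1, (k, d) recovered from the shared r or None)."""
    z1 = legacy_sighash_all_z(TX_VERSION, TX_INPUTS, TX_OUTPUTS, TX_LOCKTIME, 0, SPK)
    z2 = legacy_sighash_all_z(TX_VERSION, TX_INPUTS, TX_OUTPUTS, TX_LOCKTIME, 1, SPK)
    return z1, z2, recover_from_shared_r(R, S1, z1, S2, z2, PUBKEY)


if __name__ == "__main__":
    z1, z2, rec = demo()
    print(f"z input0 = {z1:064x}\nz input1 = {z2:064x}")
    if rec: print(f"k = {rec[0]:064x}\nd = {rec[1]:064x}")
```

The z for input 0 reproduces the c0e2d0a8... value from the walkthrough, and the same function with index 1 gives the second input's z that the OP was after, with no k or d involved: z depends only on the transaction, the script being spent and the sighash type. Recovery is included because a "duplicate R" set is exactly the situation in which those two z values are dangerous: two equations, two unknowns (k and d). The check against the public key is what distinguishes a correct recovery from one confused by a negated s.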