isarac3 (OP)
Newbie
Offline
Activity: 8
Merit: 0
|
|
March 23, 2021, 06:24:23 PM |
|
Is it possible to calculate a private key to an address when the address has reused both R values and S values?
|
|
Charles-Tim
Legendary
Offline
Activity: 1540
Merit: 4837
|
|
March 23, 2021, 07:07:12 PM Last edit: March 23, 2021, 07:41:48 PM by Charles-Tim |
|
The r and s values, along with a signature hash, are contained in the ECDSA signatures used in signing bitcoin transactions. The reason why addresses should not be reused has nothing to do with ECDSA signatures; people are advised not to reuse addresses because of privacy: all transactions made by a single address can be tracked on the blockchain, while this can be difficult or impossible if the same address is not reused.
Also, a private key cannot be calculated from addresses, or from anything related to a transaction; it is not even possible to calculate a private key from a public key, and it is also not possible to brute-force a private key from a public key with the recent technology advancement.
|
|
|
|
DannyHamilton
Legendary
Offline
Activity: 3388
Merit: 4615
|
Also, private key can not be calculated from addresses, or from anything related to transaction, it is not even possible to calculate private key from public key, also not possible to brute force private key from public key with the latest technology advancement.
You are mistaken. If the user is using faulty software which re-uses the same R value for more than one signature, then IT IS EASY to calculate the private key. For example, see this thread: https://bitcointalk.org/index.php?topic=581411.0
|
|
|
|
isarac3 (OP)
Newbie
Offline
Activity: 8
Merit: 0
|
|
March 23, 2021, 08:05:15 PM |
|
I have seen an address where two transactions share similar r values and similar s values. I have once calculated a private key for a bitcoin address with two similar r values and different s values. But this one has similar r values and similar s values.
|
|
|
|
CrunchyF
Jr. Member
Offline
Activity: 54
Merit: 26
|
|
March 23, 2021, 09:22:34 PM |
|
I have seen an address where two transactions share similar r values and similar s values. I have once calculated a private key for a bitcoin address with two similar r values and different s values. But this one has similar r values and similar s values.
In this case, where R1=R2 and S1=S2, it's impossible to recover the private key. And it probably comes from an invalid TX, because in the bitcoin protocol signature you might not have two identical S. But there is a different case where you can recover the private key from bad use of R: if you find, for the same address, two TXs with the same R and different S, the private key can be easily recovered with a simple formula. Before that you have to recover the Z parameter (hash of the previous tx output). If you have the private key you can easily find the nonce (k) that generated the R (supposed to be random). After that, if you find a second address using the same R as above (even in only one TX), you will be able to recover the second privkey. This case of R reuse is only possible if a mistake was made in the creation of the TX, for example: a bad random number generator, or a bad implementation of a TX by a developer who coded the tx 'by hand'. But as you know, knowing a private key doesn't mean that the bitcoin are yours (in an ethical way).
|
|
|
|
NotATether
Legendary
Offline
Activity: 1596
Merit: 6724
bitcoincleanup.com / bitmixlist.org
|
|
March 24, 2021, 04:41:13 AM |
|
It is quite definitely possible to retrieve the private key because reusing R implies you reused the secret nonce K, and reusing S just makes the calculation easier. By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:
H here represents the message hash.
the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n
= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1
Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.
Now that we have k, which is required to get the private key, we can change variables of the ECDSA equation s = k^-1(h1 + r1*dA) to dA the private key (we don't have to use (h1,r1,s1); you can also use (h2,r2,s2) if you want).
dA the private key = (s1*k-h1)r1^-1 OR (s2*k-h2)r2^-1.
|
|
|
|
|
isarac3 (OP)
Newbie
Offline
Activity: 8
Merit: 0
|
|
March 24, 2021, 11:53:34 AM |
|
It is quite definitely possible to retrieve the private key because reusing R implies you reused the secret nonce K, and reusing S just makes the calculation easier. By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:
H here represents the message hash.
the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n
= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1
Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.
Now that we have k, which is required to get the private key, we can change variables of the ECDSA equation s = k^-1(h1 + r1*dA) to dA the private key (we don't have to use (h1,r1,s1); you can also use (h2,r2,s2) if you want).
dA the private key = (s1*k-h1)r1^-1 OR (s2*k-h2)r2^-1.
How do you get the message hash? And is it possible to calculate using sagemath? >>> https://sagecell.sagemath.org/
|
|
|
|
whanau
Member
Offline
Activity: 116
Merit: 30
|
|
March 18, 2023, 03:12:32 AM |
|
the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n
= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1
Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.
Would some kind soul please show me how k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n would be coded in Python? All my attempts come out with a k value much more than 256 bits. Thank you
|
|
|
|
pooya87
Legendary
Offline
Activity: 3444
Merit: 10530
|
|
March 18, 2023, 04:08:51 AM |
|
All my attempts come out with a k value much more than 256 bits.
That's probably because you forgot to compute the remainder, that is the modulo operation at the end using the secp256k1 curve order N.
|
|
|
|
|
whanau
Member
Offline
Activity: 116
Merit: 30
|
|
March 18, 2023, 06:58:56 PM |
|
Thank you for taking the trouble to reply.
I am using k = (s2 - z2 + s1*z1)*s1 - modinv(r, N) % N for the Python code (after many other variations) but I still cannot get it to work.
N = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
z = h in the earlier posts
This is the transaction I am trying to prove it against: F2B7EB7089C895B9B16CB4DDDF9F8307F1065FC670C7726B5BE708FF6AA6E1F1, which includes 2 identical r,s, 00819a0eb55d9cc..... (empty, abandoned address!). Any help would be appreciated.
|
|
|
|
whanau
Member
Offline
Activity: 116
Merit: 30
|
|
March 22, 2023, 12:58:11 AM |
|
It is quite definitely possible to retrieve the private key because reusing R implies you reused the secret nonce K, and reusing S just makes the calculation easier. By plugging in numbers in this post, and using the fact that r1 = r2, s1 = s2, you get:
H here represents the message hash.
the nonce k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n
= (s2-h2+s1h1)s1^-1 - (s2-h2+s1h1)r1^-1
Which is just s2h1-h2s1 - s2r1^-1 +h2r1^-1+s1h1r1^-1.
I am no mathematician, but I cannot see from the above how k can be calculated with the same values for s. s1 and s2 are even being used in the example. Nor can I get k = (s2 - h2 + s1h1)(s1 - r1)^-1 mod n to produce the correct output even with different s values. Perhaps I am not forming the code correctly? This Python code works but you need 2 different values for s: k = modinv(s, N) * (z1 + r * (z1*s2 - z2*s1) * modinv((r*(s1-s2)), N)) % N. What am I missing? Is it possible to calculate k correctly with identical s values? Thanks
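Added example, not part of any post in this thread: textbook ECDSA on secp256k1 (no low-S normalization) with constructed demo secrets, showing that a signer who repeats its nonce leaks k and the key when two signatures share r but differ in s, while a pair with identical r and identical s is the same equation twice and yields nothing. The names `sign`, `recover` and `demo`, and all demo values, are assumptions made for this illustration.

```python
# Added example: textbook ECDSA on secp256k1 with constructed values only.
P = 2**256 - 2**32 - 977                      # field prime
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141  # curve order
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def inv(a, m):
    return pow(a % m, -1, m)                  # modular inverse (Python 3.8+)

def add(a, b):                                # affine point addition, None = infinity
    if a is None: return b
    if b is None: return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0: return None
    if a == b:
        lam = 3 * a[0] * a[0] * inv(2 * a[1], P) % P
    else:
        lam = (b[1] - a[1]) * inv(b[0] - a[0], P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return x, (lam * (a[0] - x) - a[1]) % P

def mul(k, pt):                               # double-and-add scalar multiplication
    acc = None
    while k:
        if k & 1: acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, k, z):                            # s = k^-1 (z + r*d) mod N, no low-S step
    r = mul(k, G)[0] % N
    return r, inv(k, N) * (z + r * d) % N

def recover(r, s1, z1, s2, z2):
    """(k, d) from two signatures sharing r; None when s1 == s2 as well."""
    if (s1 - s2) % N == 0:
        return None    # same k, d, r and s force z1 == z2: one equation, two unknowns
    k = (z1 - z2) * inv(s1 - s2, N) % N       # every step reduced mod N
    d = (s1 * k - z1) * inv(r, N) % N         # dA = (s1*k - h1) * r^-1 mod N
    return k, d

# Constructed demo secrets and message hashes (not from any real transaction).
D, K, Z1, Z2 = 0x1234567890ABCDEF, 0xCAFEBABE12345, 0x1111AAAA, 0x2222BBBB

def demo():
    r, s1 = sign(D, K, Z1)
    r2, s2 = sign(D, K, Z2)                   # nonce K reused: r2 == r
    return r == r2, recover(r, s1, Z1, s2, Z2), recover(r, s1, Z1, s1, Z1)
```

A signer that derives k deterministically from the key and message (RFC 6979) cannot produce the first case, because two different messages never share a nonce.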
|
|
|
|
|