COBRAS
October 25, 2021, 06:10:07 AM Last edit: October 25, 2021, 06:29:56 AM by COBRAS |
|
it was easy : first nonce is.... so. your first r = 95781203938134771654748299032707231792956540686382340872008587989453366815619 nonce k = 1050579349868621761136446930980763481 do I need calculate priv? so ..works! Hi !! Then I use my script, I get: Inputs: Message - 1 Nonce - 1050579349868621761136446930980763481 Privkey - 792377483100611830733857591710555576 I get R - 95781203938134771654748299032707231792956540686382340872008587989453366815619 S - 80727512625679490130821917141198584466211136904971132112411065595033151255463 And recover privkey, this is my output: Privkey - 792377483100611830733857591710555576 Are my R, S and nonce right for message "1" ? Regards. P.s. Congratulations on your script !!! P.s. To All, provide me test messages, nonce, r,s; I will try to find a privkey and you will tell me whether the privkey is valid or not. Only 1 complet to 1 privkey for 1 pcs r,s,nonce,message. ??
stilichovandal
October 25, 2021, 07:13:13 AM |
|
interesting script. let's make another test,
below are the transactions generated ..
tra1= 1 z1= 76876030023415608668423338825784187452811639173959320017817337455802041964103 r1= 29160437407760520088247392323108134391883974944341759721909486038392263934252 s1= 88057664668158915012604599595493011104336144057048137151796684081161455068940
tra2= 2 z2= 61263116138134401525028229058918539609568640472628708541655291156521288618248 r2= 11549193954947596960703021534561318910687537033109530363590706949861810191464 s2= 13855753320462738868894436900000308125592534663165802454975929237386525551901
tra3= 3 z3= 94120272562392704147662507148139386415636002525757800768256455290364818983329 r3= 13235484545503092834351146107583288106526331893492330386542837886995039286857 s3= 113471888736454597898872446719734211059501085408597184281019577940003149168065
tra4= 4 z4= 99367284209844177315046616821185029528460822746665482351687345968205433531175 r4= 21288395071614272342731373579454206117249664754398039513644770673861859644939 s4= 73413879352532156241008151728886908980344895524488338859086767531496556394060
tra5= 5 z5= 69060216405924095583792910129380620270055713256952020221932327399807627102551 r5= 73000033343383277415474287756201732147913599806018084676911334919205184318951 s5= 87072726453737444924441523106612425315322987277779002678423286525578748401182
tra6= 6 z6= 92618601610473019371617964490946613446123192049470928113333991628587023928412 r6= 28067093485624905318698514057355456753086537066210474707760282283107230161754 s6= 81570316168538325691556352611345952414389273074007052937069015984756717263806
tra7= 7 z7= 64467069221879581988935526952178802798904578325721403807573521890371858623272 r7= 40928812080096313007619676294314551308323264286042053123514365242236661911514 s7= 1025329956085058380108911065381202269358907493178639449598067535198228526723
tra8= 8 z8= 72495741802917349120327698487760807911457277460026498073086860211586960327565 r8= 66378711205276032381995546935653475100643276511913002418773726587229576821881 s8= 108667454887055533668950227498601121583301007111191340394989504444791689053341
tra9= 9 z9= 78468020509772362123932250401279947970863640371108253522122735757309805907599 r9= 19231849856468166709561956160822737309083319782875295366880812480857879465237 s9= 2515169593593730466049902241306205711031444354734218814410691392439616554389
tra10= 10 z10= 78060509642529765276222634915143859953530748675308663141797340870084401854707 r10= 56781478814500394128333645854821980053762351020682230423318068363007571952796 s10= 8225138324074299127136188647123494944401351632612802372258470782812066336142
tra11= 11 z11= 79779827977136050305633476576385475751837262413801195246508844247195592956474 r11= 42569001943452434099942841287472883596088766927308919058922517240095023952305 s11= 1407663125118136808095389526630427676124736628716353500388345820111796001963
tra12= 12 z12= 106595513637886365274814102808291057278198427947604804923492103024132298662073 r12= 82416951132458437959864195479573279283096423098842842786194452820181884122047 s12= 16199057421916147554949358350810895793907227884540563767261972649834152748107
tra13= 13 z13= 68489560520876775568471829325504723427546860570677632392865683298027878436623 r13= 97942681488182315702560424236758409557001611486493184883333474649302628551040 s13= 73733576094385257028905244483867697271765712587658384121942578933083863131832
tra14= 14 z14= 88824913088586937091819419238438566701164343626280360487024697411739517103707 r14= 54289814375981922050958676638679327321247871495949246283904693248453246656483 s14= 91832431429520445149775820905320653634764190190929933708848042218874834508501
tra15= 15 z15= 85652327308811831382436205738266460574222300027367907748239792342952828973440 r15= 16613711354407097236850928854924361601015689306227892348440906864631885091973 s15= 80840039291427506062454499523631109705679566193223311715899795877750967539328
tra16= 16 z16= 65060641157937371808555230733609853408909684112561988842072826300674063030547 r16= 104272014795452675535604260916341363821801933757316993779707566144315357534767 s16= 86623263268148577559494707215944538702409651713369659284047337653056673517623
tra17= 17 z17= 111828740236090006688693495832192963032795368231157257335682470941267007171558 r17= 89073547190536414618222055280881620385309523951183694730779807318963214062280 s17= 109852499300962433164815238778976004880948668774843008897372116247815588738702
tra18= 18 z18= 98824167654958447904489072947892095719405536039819629922932614656069882836190 r18= 80987801020493569105412481143009310543451106437305306879480172043706552070200 s18= 33017440135053449429258988709931326418137982872316712662094074998694479956568
tra19= 19 z19= 64307891501710594612236762901627124305599192466451363765179703547459709187480 r19= 21793799379832572713485577223088553086939424517472399285847216328442532064794 s19= 57621584260137986132128912542938486391934345981617370353522147947744830696635
tra20= 20 z20= 87311263504060842953223757709363617585048656968711362882688595327084899926608 r20= 58944493751340891960057257317550109107802599663133688394628165694699116166302 s20= 78661678553724693559058028336158306051073544759382911835052759016056395015517
tra21= 21 z21= 85846385515466853782022953566659546519630368523799342752436473930357927040631 r21= 6002735972245524477516556767980019540936244579324152202005870420240057764448 s21= 6096604835397983429571849012761639775661587856381434059954190328993227033547
priv : 163933502030832404384531025411662545 it is correct, I must confirm that your script really works.
a.a
October 25, 2021, 07:55:58 AM |
|
Well check your pms
lostrelic
October 25, 2021, 09:23:04 AM |
|
maybe some one want test on range from 2**1 to 2**240 bit? I can’t DM you due to message limits can you send the script to DM and if successfully works you will be tipped for your work? Regards Relic
COBRAS
October 25, 2021, 01:42:41 PM Last edit: October 25, 2021, 02:36:44 PM by COBRAS |
|
maybe some one want test on range from 2**1 to 2**240 bit? Easy. Provide bitcoin transaction message, nonce,r,s
a.a
October 25, 2021, 03:19:38 PM |
|
When providing nonce should we also provide the privatekey so that you can check if it is the correct one?
COBRAS
October 25, 2021, 07:40:04 PM |
|
When providing nonce should we also provide the privatekey so that you can check if it is the correct one?
Yeas !!! You can not provide a privkey. I not wary about privkey.
a.a
October 25, 2021, 07:43:19 PM |
|
Oh shut up cobras. Your script does not do shit. Interiawp is doing a lattice attack on the nonces to retrieve them. Your script does not even retrieve the nonce, but needs the nonce in the first place. So please spam your own garbage thread.
COBRAS
November 01, 2021, 11:52:17 AM Last edit: November 01, 2021, 12:42:06 PM by COBRAS |
|
R,s,z are generated only for a transaction's inputs.
Is it possible to generate with the script a "virtual" test transaction to a real public key (empty, without money; any old public key, for example) and get valid r,s,z for this transaction and this real public key?
Thanks.
COBRAS
November 10, 2021, 06:34:52 PM |
TheArchaeologist
November 10, 2021, 08:00:42 PM |
|
Is it possible to generate with the script a "virtual" test transaction to a real public key (empty, without money; any old public key, for example) and get valid r,s,z for this transaction and this real public key?
Transactions to a public key (so a P2PKH transaction), where this "real" public key is on the receiving end will not make any difference. You need signatures made by the corresponding private key and those will obviously only occur whenever an outgoing transaction is made for the lattice attack to work. If you want to have some more info on how this kind of attack works read this study called "Biased Nonce Sense: Lattice Attacks against Weak ECDSA Signatures in Cryptocurrencies". PDF here -> https://eprint.iacr.org/2019/023.pdf
|
Sooner or later you're going to realize, just as I did, that there's a difference between knowing the path and walking the path
CryptoSh1va
November 29, 2021, 08:51:41 AM |
|
...fixed R value, not a random R value. pm me
cixegz
December 27, 2021, 04:35:04 PM |
|
this is normal math sqrt√(x)^2, test value: 4^2 = 16, next root return 4 -8^2= 64,next root return 8
how to bitcoin Publickey x and y use to sqrt example: √(x,y)^2 how to calculate sqrt for bitcoin publickey teach me please
example1:x,y px: e493dbf1c10d80f3581e4904930b1404cc6c13900ee0758474fa94abe8c4cd13 py: 51ed993ea0d455b75642e2098ea51448d967ae33bfbdfe40cfe97bdc47739922 #privatekey 4 px: 421f5fc9a21065445c96fdb91c0c1e2f2431741c72713b4b99ddcb316f31e9fc py: 2b90f16d11dabdb616f6db7e225d1e14743034b37b223115db20717ad1cd6781 #privatekey 4^2 = 16 ans px: e493dbf1c10d80f3581e4904930b1404cc6c13900ee0758474fa94abe8c4cd13 py: 51ed993ea0d455b75642e2098ea51448d967ae33bfbdfe40cfe97bdc47739922 #privatekey √16 = 4
example2: px: 2f01e5e15cca351daff3843fb70f3c2f0a1bdd05e5af888a67784ef3e10a2a01 py: a3b25758beac66b6d6c2f7d5ecd2ec4b3d1dec2945a489e84a25d3479342132b # -8 px: ed3bace23c5e17652e174c835fb72bf53ee306b3406a26890221b4cef7500f88 py: e57a6f571288ccffdcda5e8a7a1f87bf97bd17be084895d0fce17ad5e335286e # -8^ = 64 ans px: 2f01e5e15cca351daff3843fb70f3c2f0a1bdd05e5af888a67784ef3e10a2a01 py: 5c4da8a741539949293d082a132d13b4c2e213d6ba5b7617b5da2cb76cbde904 # √64 = 8
how does work explain. do u understad my problem ,i speak little english
PrivatePerson
March 27, 2022, 07:23:18 PM |
|
strange. It is correct. Btw. I modified your script: import collections import hashlib import random import os
# Record type holding the domain parameters of a curve
# y^2 = x^3 + a*x + b over the integers modulo p.
EllipticCurve_1 = collections.namedtuple(
    'EllipticCurve',
    ['name', 'p', 'a', 'b', 'g', 'n', 'h'],
)

# Parameters of secp256k1. The hex literals are grouped in 32-bit words so
# that they can be compared against a reference table by eye.
curve = EllipticCurve_1(
    name='secp256k1',
    # Field characteristic.
    p=0xffffffff_ffffffff_ffffffff_ffffffff_ffffffff_ffffffff_fffffffe_fffffc2f,
    # Curve coefficients.
    a=0,
    b=7,
    # Base point (x, y).
    g=(
        0x79be667e_f9dcbbac_55a06295_ce870b07_029bfcdb_2dce28d9_59f2815b_16f81798,
        0x483ada77_26a3c465_5da4fbfc_0e1108a8_fd17b448_a6855419_9c47d08f_fb10d4b8,
    ),
    # Subgroup order.
    n=0xffffffff_ffffffff_ffffffff_fffffffe_baaedce6_af48a03b_bfd25e8c_d0364141,
    # Subgroup cofactor.
    h=1,
)
# Modular arithmetic ##########################################################
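def inverse_mod(k, p):
    """Return the multiplicative inverse of k modulo p.

    The result is the integer x in [1, p - 1] with (x * k) % p == 1.

    Args:
        k: Integer to invert. May be negative or larger than p; it is
            reduced modulo p first.
        p: Modulus. An inverse exists only when gcd(k, p) == 1, which always
            holds for a prime p and a k that is not a multiple of p.

    Raises:
        ZeroDivisionError: if k is congruent to 0 modulo p.
        ValueError: if k and p are not coprime.
    """
    # Reducing first folds negative k into [0, p) and makes every multiple of
    # p (not only the literal 0) hit the zero check below.
    k %= p
    if k == 0:
        raise ZeroDivisionError('division by zero')

    # Extended Euclidean algorithm, tracking only the coefficient of k.
    s, old_s = 0, 1
    r, old_r = p, k
    while r != 0:
        quotient = old_r // r
        old_r, r = r, old_r - quotient * r
        old_s, s = s, old_s - quotient * s

    # Explicit raise instead of assert: asserts disappear under `python -O`,
    # and a wrong "inverse" would silently corrupt every signature value.
    if old_r != 1:
        raise ValueError('modular inverse does not exist')

    return old_s % p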
# Functions that work on curve points #########################################
def is_on_curve(point):
    """Tell whether point satisfies y^2 = x^3 + a*x + b modulo curve.p.

    None stands for the point at infinity and is always accepted.
    """
    if point is None:
        return True

    px, py = point
    lhs = py * py
    rhs = px * px * px + curve.a * px + curve.b
    # NOTE(review): only the congruence is tested; coordinates outside
    # [0, p) that satisfy it are accepted as well.
    return (lhs - rhs) % curve.p == 0
def point_neg(point):
    """Return the additive inverse of point, i.e. (x, -y mod p).

    The point at infinity (None) is its own inverse.
    """
    assert is_on_curve(point)

    if point is None:
        return None

    px, py = point
    mirrored = (px, -py % curve.p)

    assert is_on_curve(mirrored)
    return mirrored
def point_add(point1, point2):
    """Add two curve points according to the group law.

    None is the identity element (point at infinity). Both inputs are
    asserted to lie on the curve before anything else happens.
    """
    assert is_on_curve(point1)
    assert is_on_curve(point2)

    # Identity cases: 0 + Q = Q and P + 0 = P.
    if point1 is None:
        return point2
    if point2 is None:
        return point1

    x1, y1 = point1
    x2, y2 = point2
    p = curve.p

    if x1 != x2:
        # Distinct x: slope of the chord through both points.
        m = (y1 - y2) * inverse_mod(x1 - x2, p)
    elif y1 != y2:
        # Same x, different y: P + (-P) is the point at infinity.
        return None
    else:
        # Same point: slope of the tangent (doubling).
        m = (3 * x1 * x1 + curve.a) * inverse_mod(2 * y1, p)

    x3 = m * m - x1 - x2
    y3 = y1 + m * (x3 - x1)
    total = (x3 % p, -y3 % p)

    assert is_on_curve(total)
    return total
def scalar_mult(k, point):
    """Return k * point using double-and-add.

    Returns None (the point at infinity) when k is a multiple of curve.n or
    point is None. Negative k is handled as (-k) * (-point).

    The loop branches on every bit of k, so its running time depends on the
    scalar. That is acceptable for producing test vectors; it is not a
    constant-time routine for handling real secret keys or nonces.
    """
    assert is_on_curve(point)

    if point is None or k % curve.n == 0:
        return None

    if k < 0:
        return scalar_mult(-k, point_neg(point))

    acc = None          # running sum, starts at the identity
    doubled = point     # point * 2**i for the current bit i
    while k > 0:
        if k % 2 == 1:
            acc = point_add(acc, doubled)
        doubled = point_add(doubled, doubled)
        k >>= 1

    assert is_on_curve(acc)
    return acc
# Keypair generation and ECDSA ################################################
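def make_keypair(private):
    """Derive the public key for a caller-supplied private key.

    Nothing is generated randomly here: the random draw of the original
    version was replaced by the `private` argument, so the quality of the
    key is entirely the caller's responsibility.

    Args:
        private: Private scalar. Canonical ECDSA private keys lie in
            [1, curve.n - 1].

    Returns:
        (private_key, public_key), where public_key is the curve point
        private * curve.g.

    Raises:
        ValueError: if private is a multiple of curve.n, for which no
            public key exists (scalar_mult would return None).
    """
    if private % curve.n == 0:
        raise ValueError('private key must not be a multiple of the curve order')

    private_key = private
    public_key = scalar_mult(private_key, curve.g)
    return private_key, public_key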
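def hash_message(message):
    """Return the SHA-512 digest of message truncated to the order's bit length.

    Args:
        message: Bytes to hash.

    Returns:
        Integer z made of the leftmost curve.n.bit_length() bits of the
        digest (the rightmost bits are discarded).
    """
    message_hash = hashlib.sha512(message).digest()
    e = int.from_bytes(message_hash, 'big')

    # Truncate relative to the fixed digest width. Shifting by
    # e.bit_length() instead drops one bit too few for every leading zero
    # bit of the digest, so z would not be the leftmost bits of the hash,
    # and the shift count could even become negative for a tiny e.
    excess_bits = len(message_hash) * 8 - curve.n.bit_length()
    z = e >> excess_bits if excess_bits > 0 else e

    return z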
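def sign_message(private_key, message, nonce):
    """Produce an ECDSA signature with a caller-supplied nonce.

    This exists to create test vectors whose nonce is known. A signer that
    protects a real key must never accept the nonce from outside or draw it
    from a narrow range: a known, repeated or biased nonce lets the private
    key be computed from the published signatures. Real signers use a
    uniformly random nonce in [1, n - 1] from a CSPRNG, or derive it
    deterministically (RFC 6979).

    Args:
        private_key: Private scalar d.
        message: Bytes to sign; hashed with hash_message.
        nonce: Per-signature secret k, used modulo curve.n.

    Returns:
        (r, s, z) where z is the message hash and s is normalised to the
        lower half of the range (s <= n // 2).

    Raises:
        ValueError: if the nonce is a multiple of curve.n, or if it leads to
            r == 0 or s == 0.
    """
    n = curve.n
    k = nonce % n
    if k == 0:
        # scalar_mult would return None here and the unpacking below would
        # fail with an unrelated TypeError.
        raise ValueError('nonce must not be a multiple of the curve order')

    z = hash_message(message)

    x, _ = scalar_mult(k, curve.g)
    r = x % n
    s = ((z + r * private_key) * inverse_mod(k, n)) % n

    # The nonce is fixed, so retrying cannot change the outcome; looping
    # "until r and s are non-zero" would never terminate in this case.
    if r == 0 or s == 0:
        raise ValueError('nonce yields r == 0 or s == 0; choose another nonce')

    # Low-s normalisation. The bound is derived from the order; the literal
    # it replaces was n // 2 + 1, which left that single value unnormalised.
    if s > n // 2:
        s = n - s

    return r, s, z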
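def verify_signature(public_key, message, signature):
    """Check an ECDSA signature against an already-hashed message.

    Args:
        public_key: Curve point (x, y) of the signer.
        message: The integer hash z as returned by sign_message, not the
            raw message bytes.
        signature: Pair (r, s).

    Returns:
        'signature matches' or 'invalid signature'. Signatures with s in
        either half of the range are accepted; only sign_message normalises
        to low s.
    """
    z = message
    r, s = signature
    n = curve.n

    # r and s must both lie in [1, n - 1]. Without this check s == 0 raises
    # from inverse_mod and values >= n are silently accepted modulo n, so one
    # signature would have several accepted encodings.
    if not (1 <= r < n and 1 <= s < n):
        return 'invalid signature'

    # The key must be a real point on the curve. Checked explicitly because
    # the asserts inside the point helpers vanish under `python -O`.
    if public_key is None or not is_on_curve(public_key):
        return 'invalid signature'

    w = inverse_mod(s, n)
    u1 = (z * w) % n
    u2 = (r * w) % n

    candidate = point_add(scalar_mult(u1, curve.g),
                          scalar_mult(u2, public_key))
    # The sum can be the point at infinity, which has no x coordinate.
    if candidate is None:
        return 'invalid signature'

    x, _ = candidate
    if r == x % n:
        return 'signature matches'
    return 'invalid signature'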
def egcd(a, b):
    """Extended Euclidean algorithm.

    Returns a tuple (g, x, y) with a * x + b * y == g, where g is the
    greatest common divisor found by the recursion.
    """
    if a != 0:
        quotient, remainder = divmod(b, a)
        g, y, x = egcd(remainder, a)
        return (g, x - quotient * y, y)
    # Base case: gcd(0, b) = b = 0 * 0 + b * 1.
    return (b, 0, 1)
def modinv(a, m):
    """Return the inverse of a modulo m, computed through egcd.

    Raises Exception when egcd does not report a common divisor of 1.
    """
    # in Python 3.8 you can simply return pow(a,-1,m)
    divisor, coeff, _ = egcd(a, m)
    if divisor == 1:
        return coeff % m
    raise Exception('modular inverse does not exist')
def make_val(priv, nonce, msg, id):
    """Sign msg with the given key and nonce and print one test vector.

    Prints a blank line followed by the lines "tra<id>=", "z<id>=",
    "r<id>=" and "s<id>=" with their values.

    Returns:
        (private, public, nonce, r, s, z). The tuple contains the private
        key and the nonce, so it must not be logged or published together
        with the printed signature values.
    """
    private, public = make_keypair(priv)
    r, s, z = sign_message(private, msg, nonce)

    print()
    for label, value in (("tra", id), ("z", z), ("r", r), ("s", s)):
        print(label + str(id) + "=", value)

    return private, public, nonce, r, s, z


# Repeats the import from the start of the listing; kept as posted.
import random
# Driver: prints 21 signatures made with one key and deliberately short
# nonces. Every nonce is drawn from [2**119, 2**120), far below the full
# range [1, n - 1]. Signatures with nonces this biased reveal the private
# key, which is the weakness this thread sets out to test.
a = 2**119  # min nonce range
c = 2**120  # max nonce range

# NOTE: `random` is not a cryptographic generator, and the key is printed in
# clear text below. Use a throwaway key only; never the key of an address
# that holds funds.
priv = random.randrange(a, c)  # here put real privatekey for testing address

print("priv=", priv)

for i in range(1, 22):
    nonce = random.randrange(a, c)
    war = str(os.urandom(25)) + str(nonce)  # message for hash you can change
    msg = war.encode('utf-8')
    make_val(priv, nonce, msg, i)

# Question from the post that follows the listing:
# Can you explain what this script does? How to set input parameters?