Bitcoin Forum
Author Topic: How to generate public key from R,S,Z signature?  (Read 354 times)
COBRAS (OP)
December 11, 2021, 03:58:13 AM
 #1

Subj.


Looking for a Python script or code for transaction with 1 and many inputs/outputs.

Huh

Thanks.

OddyseyGames
December 11, 2021, 08:22:14 AM
 #2

Hi. If I am not mistaken, then you can use this library for your purposes.

https://github.com/petertodd/python-bitcoinlib
stanner.austin
December 11, 2021, 09:33:00 AM
 #3

@COBRAS
If you have Random(R)/sign(S)/message hash(Z) you can use simple algo.
pub = (R*S-G*Z) / R
BlackHatCoiner
December 11, 2021, 01:24:51 PM
Last edit: December 11, 2021, 03:35:46 PM by BlackHatCoiner
 #4

I'm utterly confused by the title and the OP. Do you want to derive the public key from the R, S, Z values or from a transaction raw that may have many inputs/outputs? If it's the former, it's impossible, if it's the latter then what you want is the bitcoin-cli decoderawtransaction in python.

python-bitcoinlib should have this.

pooya87
December 11, 2021, 01:58:14 PM
Merited by BlackHatCoiner (4), ABCbits (3), hugeblack (2)
 #5

Quote from: BlackHatCoiner
Do you want to derive the public key from the R, S, Z values or from a transaction raw that may have many inputs/outputs? If it's the former, it's impossible,

It is possible.

The logical way is to just read the transaction and almost all signatures come with their public key and voilà you have the public key!

The other way is to perform what is known as public key recovery operation (section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2). This way you can recover a number of possible public keys from signature and message.
Cryptography libraries that support ECC should have this option. In bitcoin libraries you may find it used in message verification methods.

COBRAS (OP)
December 11, 2021, 02:35:51 PM
 #6

Quote from: pooya87
Quote from: BlackHatCoiner
Do you want to derive the public key from the R, S, Z values or from a transaction raw that may have many inputs/outputs? If it's the former, it's impossible,
It is possible.

The logical way is to just read the transaction and almost all signatures come with their public key and voilà you have the public key!

The other way is to perform what is known as public key recovery operation (section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2). This way you can recover a number of possible public keys from signature and message.
Cryptography libraries that support ECC should have this option. In bitcoin libraries you may find it used in message verification methods.

I want to filter rsz for the needed pubkey and remove everything that does not have the exact needed pubkey.

BlackHatCoiner
December 11, 2021, 02:40:03 PM
Merited by hugeblack (1)
 #7

Quote from: pooya87
The other way is to perform what is known as public key recovery operation (section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2).

True. Learnt something new today.

Quote from: section 4.1.6 of Standards for Efficient Cryptography 1 vol. 2
Actions: Find public key Q as follows.

1. For j from 0 to h do the following.
1.1. Let x = r + jn.
1.2. Convert the integer x to an octet string X of length mlen using the conversion routine specified in Section 2.3.7, where mlen = ⌈(log2 p)/8⌉ or mlen = ⌈m/8⌉.
1.3. Convert the octet string X to an elliptic curve point R using the conversion routine specified in Section 2.3.4. If this conversion routine outputs “invalid”, then do another iteration of Step 1.
1.4. If nR ≠ O, then do another iteration of Step 1.
1.5. Compute e from M using Steps 2 and 3 of ECDSA signature verification.
1.6. For k from 1 to 2 do the following.
1.6.1. Compute a candidate public key as:
Q = r^-1(sR − eG).
1.6.2. Verify that Q is the authentic public key. (For example, verify the signature of a certification authority in a certificate which has been truncated by the omission of Q from the certificate.) If Q is authenticated, stop and output Q.
1.6.3. Change R to −R.

I'd be thankful if you represented the implementation of this as I don't understand what's R. Here's a pair of R, S, Z:
Code:
20206c79208eeb03c8ecab3c17a3e9efae5953460c71dff6306ecda4a12533c8, 3604945cde5ea4f3d3f3d4eb007a589b6763c25d5f765bbbadbd554f70abd8ad, 836d795b585d8014d3f015791d183da57e7caf6a678135c345af78b2bfa9317a

 I googled and found a stackexchange post, but I can't seem to get this:
Quote
First, you find the two points R, R′ which have the value r as the x-coordinate r.

Is R = r * G?

Also, if you can derive the public key from R, S, Z why do we have to provide it in the scriptSig? It only takes space and hence, makes the transaction fee greater.

pooya87
December 11, 2021, 03:05:47 PM
Merited by ABCbits (2), BlackHatCoiner (2)
 #8

Quote from: BlackHatCoiner
I'd be thankful if you represented the implementation of this as I don't understand what's R.
In python and in csharp and C

In an ECDSA signature "r" is the x coordinate of the point "R". You can compute the full point R(x,y) by assuming y was even for this case.

Quote
Quote
First, you find the two points R, R′ which have the value r as the x-coordinate r.
Essentially this is what we do when we are verifying transactions but the public key is compressed. But since there we have the y odd/even-ness we can compute only one point but if we don't know it (like the case with r) we have 2 points.

Quote
Also, if you can derive the public key from R, S, Z why do we have to provide it in the scriptSig? It only takes space and hence, makes the transaction fee greater.
Because recovering public keys is an expensive operation and if we omit public keys from our scripts then verifying blocks and transactions becomes slower. Also we can recover multiple public keys (up to 4 for secp256k1) which would make verification that much slower.
On top of that, we are using hash of the public key and public key has to exist to satisfy OP_SOMEHASH OP_EQUALVERIFY.

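The recovery procedure described in the post above (SEC 1 section 4.1.6, with "r" as the x-coordinate of R), written out in Python as an added example; it is not code from any poster or linked repository. It uses textbook affine arithmetic on secp256k1, treats Z as the already-computed hash e, and confirms each candidate by ordinary ECDSA verification in place of step 1.6.2; all function names are this example's own.

```python
P = 2**256 - 2**32 - 977                              # secp256k1 field prime
N = 0xFFFFFFFF_FFFFFFFF_FFFFFFFF_FFFFFFFE_BAAEDCE6_AF48A03B_BFD25E8C_D0364141
G = (0x79BE667E_F9DCBBAC_55A06295_CE870B07_029BFCDB_2DCE28D9_59F2815B_16F81798,
     0x483ADA77_26A3C465_5DA4FBFC_0E1108A8_FD17B448_A6855419_9C47D08F_FB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    num, den = (3 * x1 * x1, 2 * y1) if a == b else (y2 - y1, x2 - x1)
    lam = num * pow(den % P, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return x3, (lam * (x1 - x3) - y1) % P

def mul(k, pt):
    """Double-and-add scalar multiplication (illustrative, not constant time)."""
    acc = None
    for bit in bin(k % N)[:1:-1]:         # bits, least significant first
        acc, pt = (add(acc, pt) if bit == "1" else acc), add(pt, pt)
    return acc

def verify(Q, r, s, z):
    """Ordinary ECDSA verification, used to confirm each candidate key."""
    w = pow(s, -1, N)
    pt = add(mul(z * w, G), mul(r * w, Q))
    return pt is not None and pt[0] % N == r

def recover_pubkeys(r, s, z):
    """SEC 1 section 4.1.6: every Q = r^-1 (sR - zG) that verifies (r, s, z)."""
    found, r_inv = [], pow(r, -1, N)
    for x in (r, r + N):                  # cofactor h = 1: j is 0 or 1, step 1.4 always passes
        rhs = (x ** 3 + 7) % P
        y = pow(rhs, (P + 1) // 4, P)     # square root, valid since P % 4 == 3
        if x >= P or y * y % P != rhs:
            continue                      # no curve point has this x
        for R in ((x, y), (x, P - y)):    # r fixes only x: try R and -R
            Q = mul(r_inv, add(mul(s, R), mul(-z, G)))
            if Q is not None and verify(Q, r, s, z):
                found.append(Q)
    return found

def uncompressed_hex(Q):                  # 04 || X || Y, each zero-padded to 64 hex digits
    return "04%064x%064x" % Q

RSZ = (0x20206c79208eeb03c8ecab3c17a3e9efae5953460c71dff6306ecda4a12533c8,  # r, s, z
       0x3604945cde5ea4f3d3f3d4eb007a589b6763c25d5f765bbbadbd554f70abd8ad,  # as posted
       0x836d795b585d8014d3f015791d183da57e7caf6a678135c345af78b2bfa9317a)  # in the thread
```

Calling `[uncompressed_hex(Q) for Q in recover_pubkeys(*RSZ)]` lists the candidates for the values posted in the thread. The fixed 64-digit width per coordinate keeps each key at 130 hex characters even when a coordinate begins with zero.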
mamuu
December 11, 2021, 03:31:46 PM
 #9

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs

https://github.com/Sean-Bradley/ECDSA_secp256k1_JordonMatrix_nodejs/blob/master/getPubKeyFromRSZ.py

COBRAS (OP)
December 11, 2021, 04:40:30 PM
 #10


Thanks. To All !!!

fxsniper
December 13, 2021, 11:27:37 AM
 #11

COBRAS,
Did you try idea puzzle #120 use that script flip/reverse convert from public key to R S Z and try use RSZ to recover private key.
I try read from code it is very complex math I can not code.
but it is good idea to try do it
COBRAS (OP)
December 13, 2021, 02:03:37 PM
 #12

Quote from: fxsniper
COBRAS,
Did you try idea puzzle #120 use that script flip/reverse convert from public key to R S Z and try use RSZ to recover private key.
I try read from code it is very complex math I can not code.
but it is good idea to try do it

I don't know any method how to get privkey from only one signature, so I recommend not to waste your time trying to get privkey only from one z or rsz

fxsniper
December 21, 2021, 01:35:29 AM
Last edit: December 21, 2021, 07:29:48 AM by achow101
 #13


Quote from: COBRAS
I don't know any method how to get privkey from only one signature, so I recommend not to waste your time trying to get privkey only from one z or rsz

Ok,
I just understand method use RSZ is can use only if bad transaction/signature use same R value or other way use same nonce  or use something duplicate or share it will can find difference, but if not have sorting duplicate it can not use to find keys




How to fix this script
I found sometime script give result wrong by missing one zero at last y value for uncompressed pub key

uncompressed public key 130 character but script give result 129 character compare result it is missing one zero
COBRAS (OP)
December 21, 2021, 02:16:46 AM
 #14


Quote from: fxsniper
How to fix this script
I found sometime script give result wrong by missing one zero at last y value for uncompressed pub key

uncompressed public key 130 character but script give result 129 character compare result it is missing one zero


https://github.com/iceland2k14/rsz
