Bitcoin Forum
December 15, 2024, 03:12:57 PM *
News: Latest Bitcoin Core release: 28.0 [Torrent]
 
   Home   Help Search Login Register More  
Pages: [1]
  Print  
Author Topic: 1  (Read 369 times)
ecdsa123 (OP)
Jr. Member
*
Offline Offline

Activity: 51
Merit: 109


View Profile
May 17, 2022, 02:14:18 PM
Last edit: August 31, 2024, 02:58:08 PM by ecdsa123
 #1

1
COBRAS
Member
**
Offline Offline

Activity: 1046
Merit: 24


View Profile
May 17, 2022, 02:58:36 PM
 #2

Try another rsz, after this  talk  aboutit working of this code...

[
COBRAS
Member
**
Offline Offline

Activity: 1046
Merit: 24


View Profile
May 18, 2022, 02:16:57 AM
 #3

Code:
private=25
k_key = 85
r=10368879287274847063683326775245528892741533064032799844366072780982279055029
s=44682668155818600992173137533155827851900045079586924109984745069549131526906
z=65042133943224045035503970676469909507838576791821421761396617141574358581175
print("k_key=",calc_k(private,int(r),int(s),int(z)))
print("private=",calc_x(k_key,int(r),int(s),int(z)))


r2 = 9882445446243370679019973441389370914782298169440461435976781902375353582684
s2 = 2100982064131629085884104838554481736960146626300897659396216122167769160017
z2 = 47314428532420400748220560251084582624892573278639669531863985966394700528682
print("k_key=",calc_k(private,int(r2),int(s2),int(z2)))
print("private=",calc_x(k_key,int(r2),int(s2),int(z2)))



the same r!=r2  but k is still the same.

any explanation?

Code:
k_key= (85, 115792089237316195423570985008687907852837564279074904382605163141518161494252)
private= (25, 115792089237316195423570985008687907852837564279074904382605163141518161494312)
k_key= (85, 115792089237316195423570985008687907852837564279074904382605163141518161494252)
private= (25, 115792089237316195423570985008687907852837564279074904382605163141518161494312)

because this i think :

private=25

kan you make same r with different private ?


[
ymgve2
Full Member
***
Offline Offline

Activity: 162
Merit: 230


View Profile
May 18, 2022, 02:45:29 AM
 #4

Are you copy pasting correctly? In one of the pastes you write k_key = 85 and get r=10368879287274847063683326775245528892741533064032799844366072780982279055029, but that's for k_key = 115.

And I get verification failure with priv=25 anyway, are you sure the signatures are actually valid?
COBRAS
Member
**
Offline Offline

Activity: 1046
Merit: 24


View Profile
May 18, 2022, 02:59:15 AM
 #5

making fake pubkey is this vay:

original Q = G * k

copy of original Q = randomK1 *(this is a fake G: (modinv(randomK1))*Q )= Q original

I think in this crypt modinv do same operation, and posible to make fake r in this way.



[
stanner.austin
Member
**
Offline Offline

Activity: 70
Merit: 53


View Profile
May 18, 2022, 08:39:57 AM
Merited by vapourminer (2), ABCbits (1)
 #6

Hello
By using 2 same K or weak K is already known weakness of ECDSA nothing new on this. and this happened long time go. Now days K is not only secure random 256 bit but hashed to make sure get valid 256 bit random.
fxsniper
Member
**
Offline Offline

Activity: 406
Merit: 47


View Profile
May 18, 2022, 11:55:02 AM
 #7

any explain what and why it is work? , and any attack?

What collision did you mean?

n0nce
Hero Member
*****
Offline Offline

Activity: 910
Merit: 5935


not your keys, not your coins!


View Profile WWW
May 18, 2022, 11:40:31 PM
 #8

Hello By using 2 same K or weak K is already known weakness of ECDSA nothing new on this. and this happened long time go. Now days K is not only secure random 256 bit but hashed to make sure get valid 256 bit random.
Exactly; it's also known as nonce reuse vulnerability.
Therefore, not only does a signer need to keep their secret key secret, but they also must keep all of their nonces they ever generate secret.

Anyhow, for a good while now, we've finally transitioned to Schnorr's signature scheme anyway, so I'd focus on that instead.
Interestingly, it has the same flaw.

Just as with the closely related signature algorithms DSA, ECDSA, and ElGamal, reusing the secret nonce value k on two Schnorr signatures of different messages will allow observers to recover the private key.[2] In the case of Schnorr signatures, this simply requires subtracting s s values:

s' − s = (k' − k) − x(e' − e).

If k' = k but e' ≠ e then x can be simply isolated. In fact, even slight biases in the value k or partial leakage of k can reveal the private key, after collecting sufficiently many signatures and solving the hidden number problem.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
vjudeu
Copper Member
Legendary
*
Offline Offline

Activity: 909
Merit: 2301



View Profile
May 19, 2022, 05:21:29 AM
 #9

Just use some deterministic nonce, derived from the private key and some information around it. For example "function(privkey,message)" can be used to produce 256-bit pseudorandom value that will be strong enough for everyday use. The simplest thing would be just "k=SHA-256d(privkey||SHA-256d(message))", but I think we can do it better than that.

█▀▀▀











█▄▄▄
▀▀▀▀▀▀▀▀▀▀▀
e
▄▄▄▄▄▄▄▄▄▄▄
█████████████
████████████▄███
██▐███████▄█████▀
█████████▄████▀
███▐████▄███▀
████▐██████▀
█████▀█████
███████████▄
████████████▄
██▄█████▀█████▄
▄█████████▀█████▀
███████████▀██▀
████▀█████████
▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀▀
c.h.
▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
▀▀▀█











▄▄▄█
▄██████▄▄▄
█████████████▄▄
███████████████
███████████████
███████████████
███████████████
███░░█████████
███▌▐█████████
█████████████
███████████▀
██████████▀
████████▀
▀██▀▀
Pages: [1]
  Print  
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!