Bitcoin Forum
Author Topic: 1  (Read 363 times)
ecdsa123 (OP)
May 17, 2022, 02:14:18 PM
Last edit: August 31, 2024, 02:58:08 PM by ecdsa123
 #1

1
COBRAS
May 17, 2022, 02:58:36 PM
 #2

Try another rsz, after this talk about it working of this code...

COBRAS
May 18, 2022, 02:16:57 AM
 #3

Code:
private=25
k_key = 85
r=10368879287274847063683326775245528892741533064032799844366072780982279055029
s=44682668155818600992173137533155827851900045079586924109984745069549131526906
z=65042133943224045035503970676469909507838576791821421761396617141574358581175
print("k_key=",calc_k(private,int(r),int(s),int(z)))
print("private=",calc_x(k_key,int(r),int(s),int(z)))


r2 = 9882445446243370679019973441389370914782298169440461435976781902375353582684
s2 = 2100982064131629085884104838554481736960146626300897659396216122167769160017
z2 = 47314428532420400748220560251084582624892573278639669531863985966394700528682
print("k_key=",calc_k(private,int(r2),int(s2),int(z2)))
print("private=",calc_x(k_key,int(r2),int(s2),int(z2)))



the same r!=r2 but k is still the same.

any explanation?

Code:
k_key= (85, 115792089237316195423570985008687907852837564279074904382605163141518161494252)
private= (25, 115792089237316195423570985008687907852837564279074904382605163141518161494312)
k_key= (85, 115792089237316195423570985008687907852837564279074904382605163141518161494252)
private= (25, 115792089237316195423570985008687907852837564279074904382605163141518161494312)

Because of this, I think:

private=25

Can you make the same r with a different private?


ymgve2
May 18, 2022, 02:45:29 AM
 #4

Are you copy pasting correctly? In one of the pastes you write k_key = 85 and get r=10368879287274847063683326775245528892741533064032799844366072780982279055029, but that's for k_key = 115.

And I get verification failure with priv=25 anyway, are you sure the signatures are actually valid?
COBRAS
May 18, 2022, 02:59:15 AM
 #5

Making a fake pubkey is done this way:

original Q = G * k

copy of original Q = randomK1 *(this is a fake G: (modinv(randomK1))*Q )= Q original

I think in this crypt modinv does the same operation, and it is possible to make a fake r in this way.



stanner.austin
May 18, 2022, 08:39:57 AM
Merited by vapourminer (2), ABCbits (1)
 #6

Hello
Using the same K twice or a weak K is an already known weakness of ECDSA; nothing new in this, and this happened a long time ago. Nowadays K is not only a secure random 256-bit value but is hashed to make sure to get a valid 256-bit random value.
fxsniper
May 18, 2022, 11:55:02 AM
 #7

Any explanation of what it is and why it works, and any attack?

What collision did you mean?

n0nce
May 18, 2022, 11:40:31 PM
 #8

Quote from: stanner.austin
Hello. Using the same K twice or a weak K is an already known weakness of ECDSA; nothing new in this, and this happened a long time ago. Nowadays K is not only a secure random 256-bit value but is hashed to make sure to get a valid 256-bit random value.

Exactly; it's also known as nonce reuse vulnerability.
Therefore, not only does a signer need to keep their secret key secret, but they also must keep all of their nonces they ever generate secret.

Anyhow, for a good while now, we've finally transitioned to Schnorr's signature scheme anyway, so I'd focus on that instead.
Interestingly, it has the same flaw.

Just as with the closely related signature algorithms DSA, ECDSA, and ElGamal, reusing the secret nonce value k on two Schnorr signatures of different messages will allow observers to recover the private key.[2] In the case of Schnorr signatures, this simply requires subtracting s values:

s' − s = (k' − k) − x(e' − e).

If k' = k but e' ≠ e then x can be simply isolated. In fact, even slight biases in the value k or partial leakage of k can reveal the private key, after collecting sufficiently many signatures and solving the hidden number problem.

vjudeu
May 19, 2022, 05:21:29 AM
 #9

Just use some deterministic nonce, derived from the private key and some information around it. For example "function(privkey,message)" can be used to produce 256-bit pseudorandom value that will be strong enough for everyday use. The simplest thing would be just "k=SHA-256d(privkey||SHA-256d(message))", but I think we can do it better than that.
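
Added example, not part of any post in this thread: a sketch of the derivation k=SHA-256d(privkey||SHA-256d(message)) from post #9, checked against the relation s' − s = (k' − k) − x(e' − e) quoted in post #8, using scalar arithmetic only. The function names, the toy challenge() hash, the rejection-sampling step and all sample values are assumptions made for illustration.

```python
import hashlib

# secp256k1 group order (public curve parameter).
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()

def deterministic_nonce(privkey: int, message: bytes) -> int:
    """k = SHA-256d(privkey || SHA-256d(message)), the formula from the post.
    Out-of-range outputs are re-hashed (rejection sampling, an addition here)."""
    out = sha256d(privkey.to_bytes(32, "big") + sha256d(message))
    while not 0 < int.from_bytes(out, "big") < N:
        out = sha256d(out)
    return int.from_bytes(out, "big")

def challenge(message: bytes) -> int:
    # Toy stand-in for e: real Schnorr also hashes the commitment R = k*G.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N

def schnorr_s(x: int, k: int, e: int) -> int:
    # Scalar half of a signature in the quoted convention: s = k - x*e (mod N).
    return (k - x * e) % N

def x_assuming_shared_nonce(s1: int, e1: int, s2: int, e2: int) -> int:
    # From s' - s = (k' - k) - x(e' - e) with k' = k: x = (s - s') / (e' - e).
    return (s1 - s2) * pow((e2 - e1) % N, -1, N) % N

def demo():
    x = 25                                  # constructed toy key, not a real one
    m1, m2 = b"constructed message 1", b"constructed message 2"
    e1, e2 = challenge(m1), challenge(m2)
    # Same k on two different messages: the subtraction isolates x.
    reused = x_assuming_shared_nonce(schnorr_s(x, 85, e1), e1,
                                     schnorr_s(x, 85, e2), e2)
    # Per-message deterministic k: k' != k, so the same algebra yields noise.
    k1, k2 = deterministic_nonce(x, m1), deterministic_nonce(x, m2)
    derived = x_assuming_shared_nonce(schnorr_s(x, k1, e1), e1,
                                      schnorr_s(x, k2, e2), e2)
    return reused, derived, k1, k2

if __name__ == "__main__":
    reused, derived, k1, k2 = demo()
    print("reused k recovers x:", reused == 25)
    print("deterministic k recovers x:", derived == 25, "| k1 != k2:", k1 != k2)
```

Signing the same message twice gives the same k but also the same e, so the two signatures are identical and the subtraction yields nothing. The standardized form of this idea is RFC 6979, which derives k with HMAC-DRBG rather than a bare double hash.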
