now I have technically describe new attack on signatures.
First we need one real transactions from blockchain.
example how it works:
first we have real transaction from blockchain
priv=== 1330526069999549579810939684362649600
pubkey= (26686030231749997386274586994399641863273895748427576630051089008283072067350 : 54483650367674181843335588890513656660823502160133150009796767862694718263804 : 1)
nonce 11128820602893116608636598074285053631355
message hash 1461085587864777944258754510341079118428755797929507325335754054223122196164
---------------
signed transaction:
r= 85435537706642068490671400446618693125526036774773983663913295931638219965198
s= 47610302762509648819747243266510390317573873102300816389111854664757664922831
z= 1461085587864777944258754510341079118428755797929507325335754054223122196164
---------------
reducted nonced by forging: new nonce= 173887821920204947009946844910703962989
we will be looking for this in our modified BKZ algorithm! = 173887821920204947009946844910703962989
reducted output transaction with new nonce:
r2= 5591084094819452342486089748431489080983483868306238544428299296892889089388
s2= 38952186237066770453904693063698410231377805905398348895602722748842231284529
z2= 107514375978011926418990979996332259148557660698153909767323164125547704826197
---------------
---
algorithm 1 - little magic
Z2A 96332207788373021734018800499469280986590692961541432678466565531761926647421
new D= 57896044618658097711785492504343953926333168754647349267377419087988091415276 57896044618658097711785492504343953926504395524427555115227744053530070079061 171226769780205847850324965541978663785 2661052139999099159621879368725299200 168565717640206748690703086173253364585
new D= sp 57896044618658097711785492504343953926333168754647349267377419087988091415276 171226769780205847850324965541978663785 2661052139999099159621879368725299204
new D= sp 85613384890102923925162482770989331892 84282858820103374345351543086626682292
new D= sp -86943910960102473504973422455351981497
s3 36156644189657044282661648189482665690886063971245229623388573100395786739835 z2 96332207788373021734018800499469280986590692961541432678466565531761926647421
signature matches
za 76872326339429848044466615990250654120343821644007960974327967922005691800505 38919762897886347379104369018437253732493742635066943408277195219512469693832
sa 72313288379314088565323296378965331381772127942490459246777146200791573479670 43478800858002106858247688629722576471065436336584445135828016940726588014667
test
signature matches
ver hpol 1
r2 5591084094819452342486089748431489080983483868306238544428299296892889089388 36156644189657044282661648189482665690886063971245229623388573100395786739835 93536665740963295562775755625253536446098951027388313406252415883315482102727
priv new= 171226769780205847850324965541978663784 173887821920204947009946844910703962989
se 75108830426723814736566341253181075922263869876643578518991295849238018024364 74076784292020121873223571116034909579852079709854841702113818273559247255811
signature matches
du 84282858820103374345351543086626682290 173887821920204947009946844910703962989
---
algorithm 2 - little magic 2 (two separate algorithm workin on differential system )
Z2A 2904454930334635680392174484507329457687064155691482473574599577815321510636
new D= 57896044618658097711785492504343953926507056576567554214387365932898795378261 57896044618658097711785492504343953926330507702507350168217797208619366116076 115792089237316195423570985008687907852661015405014700336435594417238732232152 2661052139999099159621879368725299200 115792089237316195423570985008687907852658354352874701237275972537870006932952
new D= sp 57896044618658097711785492504343953926507056576567554214387365932898795378261 115792089237316195423570985008687907852661015405014700336435594417238732232152 -115792089237316195423570985008687907852487127583094495389425647572328028269163
new D= sp -88274437030102023084784362139714631093 -89604963100101572664595301824077280693
new D= sp -260831732880307420514920267366055944482
s3 41747728284476496625147737937914154771869547839551468167816872397288675829223 z2 2904454930334635680392174484507329457687064155691482473574599577815321510636
signature matches
za 5808909860669271360784348969014658915374128311382964947149199155630643021272 109983179376646924062786636039673248937463435967691939435455963985887518473065
sa 83495456568952993250295475875828309543739095679102936335633744794577351658446 32296632668363202173275509132859598309098468599971968046971418346940809835891
test
r2 5591084094819452342486089748431489080983483868306238544428299296892889089388 41747728284476496625147737937914154771869547839551468167816872397288675829223 5699996977744361851635219358723073998178806089844601745788749226261766055330
priv new= 231584178474632390847141970017375815705498579684089604719040757558756893726488 173887821920204947009946844910703962989
se 80699914521543267079052431001612565003247353744949817063419595146130907113752 8604451908078997532027393843230403455865870245536084219363348804077087565966
signature matches
du 115792089237316195423570985008687907852747959315974802809940567839694084213647 89604963100101572664595301824077280690
---
joint two ouput transactions as one -
TEST1 - performed BKZ
possible key: 115792089237316195423570985008687907852663676457154699435595216296607457531348 -115792089237316195423570985008687907852489788635234494488585269451696753568359 463168356949264781694283940034751631410654705828618797742380865186429830125392
possible key: 115792089237316195423570985008687907852376802797348309857113788308975179141518 -115792089237316195423570985008687907851916041315621715331622413476432196788699 463168356949264781694283940034751631409507211189393239428455153235900716566072
possible key: 115792089237316195423570985008687907852268199097885712469653005605329084729251 -115792089237316195423570985008687907851698833916696520556700848069140007964165 463168356949264781694283940034751631409072796391542849878612022421316338917004
possible key: 662756062416008126655095842073465785036 115792089237316195423570985008687907851512052154242888129294971457371229924265 2651024249664032506620383368293863140144
possible key: 115792089237316195423570985008687907852596201265485298254040702935805107973339 -115792089237316195423570985008687907852354838251895692125476242730092054452341 463168356949264781694283940034751631410384805061941193016162811743220431893356
possible key: 173887821920204947009946844910703962989 115792089237316195423570985008687907852489788635234494488585269451696753568359 695551287680819788039787379642815851956
as we see we have a last output our new modified nonced:)
This is numerical way.
But this is not means - that secp256k1 is broken. no. you have 2**64 possibility.
