why it works? it should'nt

[ecdsa123]

why it works? it should'nt

d=(s*k - z) / r

Code:

d = 17297868438860976900  
k = 2706155104 
r = 114792231439225299071653076175597454642404629309811484913662796330298864240204
s = 5053942539770103579701350824871298641333011651975462818690909436892446986439
z = 48081857163558325212574375116762847358614850483118137681250849966396433292551

see r of k*G isn't 114792231439225299071653076175597454642404629309811484913662796330298864240204

[1715647853]

1715647853

[1715647853]

1715647853

[akaki]

r is wrong.

ECDSA multiplication using k*Gpoint gives :

R=(42804120235550333264601566912095829673031312040987116166863779393812842042729, 68663269101170998966556989191669958292218975994528865773618353809041762691493)

thus r=Rx=42804120235550333264601566912095829673031312040987116166863779393812842042729

[ecdsa123]

Code:

I know that r is wrong.

Question why when you will calculate d with wrong r -> result will be good value.
and when you will calculate k (nonce) with wrong r -> result will be good value


k=(d*r - z)/s %n
k=k

Code:

 
 
p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
a = 0
b = 7
G = (0x79be667ef9dcbbac55a06295ce870b07029bfcdb2dce28d959f2815b16f81798, 0x483ada7726a3c4655da4fbfc0e1108a8fd17b448a68554199c47d08ffb10d4b8)
n = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

E = EllipticCurve(GF(p), [a, b])
G = E(G)

d = 17297868438860976900  
k = 2706155104 
r = 114792231439225299071653076175597454642404629309811484913662796330298864240204
s = 5053942539770103579701350824871298641333011651975462818690909436892446986439
z = 48081857163558325212574375116762847358614850483118137681250849966396433292551


d1=(s*k - z)/r %n
print(d1==d)

k2=(z + r*d)/s %n
print(k2==k)

[akaki]

If r is wrong then s is also wrong.

The right s should be 99827946738399009248825444711200031423675392728917187111450168157978195192231.

If you are using both wrong r and s, you are just balancing the equation to get d.

[garlonicon]

why it works?

Because you don't touch any public keys at all. If your G is "02 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", then your "r=(k*G).x" should be equal to "(2706155104*0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798).x", so "r=5ea246048650e98edc5abf3b4c1cd410f2aeb93cfa8e66f21d6051342c725569" would be correct. However, if your "r=fdca19bd0e1a0721b21f9c3726df30f69409e005897fa6cd1a564d3a7ce7064c" is correct, and your "k=00000000000000000000000000000000000000000000000000000000a14ca660" is also correct, then your G has to be "03 CE660BE32AABB306C0E634CB436A2D46DB6CCB1C25A86E83A94AF766F78ED6B5".

You can always calculate things without touching public keys. But then, if your base point is not the same, you won't get the right result. You can always assume that G is different, and that k=1. You will always get d=something if you change your G. The problem is: your public key does not match.

[COBRAS]

why it works?

Because you don't touch any public keys at all. If your G is "02 79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798", then your "r=(k*G).x" should be equal to "(2706155104*0279BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798).x", so "r=5ea246048650e98edc5abf3b4c1cd410f2aeb93cfa8e66f21d6051342c725569" would be correct. However, if your "r=fdca19bd0e1a0721b21f9c3726df30f69409e005897fa6cd1a564d3a7ce7064c" is correct, and your "k=00000000000000000000000000000000000000000000000000000000a14ca660" is also correct, then your G has to be "03 CE660BE32AABB306C0E634CB436A2D46DB6CCB1C25A86E83A94AF766F78ED6B5".

You can always calculate things without touching public keys. But then, if your base point is not the same, you won't get the right result. You can always assume that G is different, and that k=1. You will always get d=something if you change your G. The problem is: your public key does not match.

Yes, i think you exactly right aboup multiply sig to pubkey.

Can you make a BAD  trasaction sighnature  to code from this articke  https://medium.com/asecuritysite-when-bob-met-alice/ecdsa-signatures-can-be-cracked-with-one-good-signature-and-one-bad-one-2d8bc71949e9 ??

br

[garlonicon]

Now, let’s say we have two signatures. One has a fault and the other one is valid [2]. We then have (r,s) for the valid one, and (r_f,s_f) for the fault. These will be:
s_f = k^-1 * (h + d * r_f) (mod p)
s = k^-1 * (h + d * r) (mod p)

If r-value is wrong, then k-value is also wrong, both should change at the same time, if not, then other things like the base point has to change. If r-value is wrong and k-value is right, then something bad is going on.

In general, I don't understand something or this article is suspicious:
1) their assumptions are quite strong, for example it is unlikely to get two signatures, where the signed message is identical
2) their calculations are tricky, for example in the middle of their calculations, they skip the signed message in their equations
3) they use some weird formatting, where I don't know if something is a multiplication, or maybe it is a dot, because it looks like accessing a member of a structure in C

Edit: Probably I should read the original source first to reproduce that, because it has better quality: https://www.usenix.org/system/files/sec22-sullivan.pdf