same-r-value-is-used-for-two-different-addresses

[abadon666999]

hi all
i have 2 addresses that have same R value
address 1         same R
address 2         same R
i know R
i know S1    and S2
i know M signed message or Z    M1   and  M2
When a signing secret was used to sign two different messages, you can recover the signing secret with this calculation:
 k = (m1-m2)/(s1-s2)
the problem is that i can recover only privatekey of 1 address
i have need of recover privatekey address 2
what is correct formula  for recover the privatekey of address 1   and address 2 that have same R used in 2 different address?

thanks for your help

[o_e_l_e_o]

i have 2 addresses that have same R value

I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.

[abadon666999]

i have 2 addresses that have same R value

I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

m1   scalar:0x......................
m2   scalar:0x......................
r   scalar:0x.......................
s1   scalar:0x......................
s2   scalar:0x.......................
k   scalar:0x.......................
x1   scalar:0x = to x2
x2   scalar:0x = to x1

i have checked this old post
https://bitcoin.stackexchange.com/questions/37673/same-r-value-is-used-for-two-different-addresses-finding-z1-and-z2-value-and-pr
and have recovered privatekey 1 and privatekey 2

[o_e_l_e_o]

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z₁ + r₁*x₁)/s₁

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x₂ = (k*s₂ - z₂)/r₂

[abadon666999]

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z₁ + r₁*x₁)/s₁

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x₂ = (k*s₂ - z₂)/r₂

first of all..thanks for your help
 i have done equation
i have k
i have that x1 = x2
than i have only privatekey address 1
it's very strange

[o_e_l_e_o]

-snip-

Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s₂ and z₂ and using them to calculate the second private key.

[abadon666999]

-snip-

Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s₂ and z₂ and using them to calculate the second private key.

strange...no error

[stanner.austin]

@abadon666999
Hello
You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

To recover second message private key use this one more user friendly.
https://github.com/nlitsme/bitcoinexplainer

[NotATether]

You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

If you already have the nonce then you don't need the second transaction... assuming it was created with the same nonce then you can simply compute the signed transaction again with the private key.

[stanner.austin]

@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.

[NotATether]

@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.

Alright, just wanted to make sure that anyone coming in to ask about same K values also get accommodated here.

[stanner.austin]

@ecdsa123
hello
May be you did not read full message of him?

Here he confirmed about privatekey for 1 address.

the problem is that i can recover only privatekey of 1 address

Here he ask help about privatekey for 2 address.

i have need of recover privatekey address 2
what is correct formula  for recover the privatekey of address 1   and address 2 that have same R used in 2 different address?
thanks for your help

Give me 2 pair of R,S,Z with both have same R let me show you second pair is recovered or not.

I don't know what make you think my answer is wrong its not.

[stanner.austin]

@ecdsa123
You did not understand question still please read again.

If you want example from my testing here is it.

Code:

private Key 1000
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=df051cdb85ce3de01852a88716b3a03af61b82b23fb238be2b78fafe49fbe083
Z=4a3833b105b518411570325efce62626fc35078da1549d77a0140a60b3cac119

Because i know private key is 1000 i can recover K with algo
k = (m+x*r)/s
so K = 803d9488926a7c55f372066146329e0c390e5d5f170f27cd1bcf8b05b4c97f6

Unknown private key 
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=f9ba1fe4400435a9f7fcadafe66a46a5dcfa4e6952f5dca25da1f21b5eaf71dd
Z=f57bc228876209fe510b5b25d0db373cb387612e57b135fd06e15560b53a1ca2

As same R i already know K i can recover private key of unknown one.
x = (s*k-m)/r

so X = 25d5a5f313a692270e6c8a8f6e3265f1c337b4297e671e89a0c045e6e232bf15 

for better understanding use this.
https://github.com/nlitsme/bitcoinexplainer

[o_e_l_e_o]

I already explained all this previously in this post: https://bitcointalk.org/index.php?topic=5418919.msg61215046#msg61215046

So he didn't inform that he know the first privatekey.

He did:

i have recovered privatekey address 1

so what is privatekey1 and privatekey2 or nonce?

You are asking the wrong question. OP has said he already knows the private key from the first transaction, and has therefore managed to recover k. As pointed out, with this knowledge of k, s, and z for the second transaction, then the second transaction's private key can be calculated.

[stanner.austin]

@ecdsa123
Hello
If you have 2 R(K*G) for 1 private key it's easy to crack K. Z should not be 0 or 1.
if you found your known R in any public transaction you can crack his private key because you know value of R.
Link you posted is already using  private key 1 then same nonce(K) with 2 transaction which make it weak and easily to recover K. algo (k = (m1-m2)/(s1-s2) ) once you have K you can recover X(Private key it self)

[pooya87]

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

I don't think it is mathematically possible to solve this since you have 2 equations with 3 variables (k, d1, d2). Having two signatures for each key isn't giving us any edge either.

[Minase]

interesting topic
i have tried the following formula k = (z1 + r1*x1)/s1 but something is quite wrong with my calculations
everything is ok with (Z + R*X) but when i do the division with S the result is a very small number.
should i do another operation? mod inv? thanks
//edit
nvm found my error 

[whanau]

i have checked this old post
https://bitcoin.stackexchange.com/questions/37673/same-r-value-is-used-for-two-different-addresses-finding-z1-and-z2-value-and-pr
and have recovered privatekey 1 and privatekey 2

Please could you explain how you recovered these keys. Like the OP in the link above, I get the same wrong answer.

I don't understand where all the extra inputs come from in the diagram (I am no mathematician!).
I can see the first 3 items in the diagram relate to the public keys and R values in the OP but where do the rest come from?
Thank you