same-r-value-is-used-for-two-different-addresses

[abadon666999]

hi all
i have 2 addresses that have same R value
address 1         same R
address 2         same R
i know R
i know S1    and S2
i know M signed message or Z    M1   and  M2
When a signing secret was used to sign two different messages, you can recover the signing secret with this calculation:
 k = (m1-m2)/(s1-s2)
the problem is that i can recover only privatekey of 1 address
i have need of recover privatekey address 2
what is correct formula  for recover the privatekey of address 1   and address 2 that have same R used in 2 different address?

thanks for your help

[ecdsa123]

simply you can't according algebra.

you have in math something like:

r1,s1,z1 of addres1 and r1,s2,z2 of addres2

and you have equation:

a*addres1 = b*addres2

so:
addres1 = b*addres2/a
addres2 = a*addres1/b

addres1-addres2 = b*addres2/a - a*addres1/b

after computional of this equation
in this example you have b*s1/a=a*s2/b -> is the same - when you make perdorm calc -> you have zero.

but there can be chance if and only if linear distance beetween addres 1 and adress 2 is less than 127 bit.

[o_e_l_e_o]

i have 2 addresses that have same R value

I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.

[abadon666999]

i have 2 addresses that have same R value

I assume by this you mean you have two transactions which are sending coins from two different addresses but use the same r value.

The answer in that case is you cannot recover the private keys. To do this you need at least two transactions which are using the same private key and reuse the same r value. You cannot use two transactions with different private keys but the same r value.

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

m1   scalar:0x......................
m2   scalar:0x......................
r   scalar:0x.......................
s1   scalar:0x......................
s2   scalar:0x.......................
k   scalar:0x.......................
x1   scalar:0x = to x2
x2   scalar:0x = to x1

i have checked this old post
https://bitcoin.stackexchange.com/questions/37673/same-r-value-is-used-for-two-different-addresses-finding-z1-and-z2-value-and-pr
and have recovered privatekey 1 and privatekey 2

[o_e_l_e_o]

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z₁ + r₁*x₁)/s₁

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x₂ = (k*s₂ - z₂)/r₂

[abadon666999]

yes correct
i have recovered privatekey address 1
but i can't recover privatekey address 2...

If you have the private key for the first transaction, then you can calculate the k value as follows, where x is the private key:

k = (z₁ + r₁*x₁)/s₁

Once you know k, which you say is reused in the second transaction, then you can just rearrange the equation above to calculate the private key for the second transaction:

x₂ = (k*s₂ - z₂)/r₂

first of all..thanks for your help
 i have done equation
i have k
i have that x1 = x2
than i have only privatekey address 1
it's very strange

[o_e_l_e_o]

-snip-

Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s₂ and z₂ and using them to calculate the second private key.

[abadon666999]

-snip-

Are you sure you are using the correct s and z in the second equation? You say you have k, and you should only have one r value if k is being reused, so it should simply be a case of taking s₂ and z₂ and using them to calculate the second private key.

strange...no error

[stanner.austin]

@abadon666999
Hello
You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

To recover second message private key use this one more user friendly.
https://github.com/nlitsme/bitcoinexplainer

[NotATether]

You can use second message sign/message for already discovered K to break X.
x = (s*k-m)/r

If you already have the nonce then you don't need the second transaction... assuming it was created with the same nonce then you can simply compute the signed transaction again with the private key.

[stanner.austin]

@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.

[NotATether]

@NotATether
Hello
OP ask question how can he recover second address private key if he have same R of first one.
If he have private key of first, it won't work on second because its not same as second public key.
He already mention about 2 different address, so his question is 2 private key using same R= (K*G) How to discover private key of second one.

My answer is correct & i already tested before posting.

Alright, just wanted to make sure that anyone coming in to ask about same K values also get accommodated here.

[ecdsa123]

@abadon666999  has asked about how to discover two privatekeys when we have two transactions with the same r but with differents pubkeys.

So he didn't inform that he know the first privatekey.

So yours "calculation" above are wrong in this case.

Of course according "modificate algebra as triangle" can be used for explore this topic.


but still it is expensive as power which we need to solve with LLL reduction.

[stanner.austin]

@ecdsa123
hello
May be you did not read full message of him?

Here he confirmed about privatekey for 1 address.

the problem is that i can recover only privatekey of 1 address

Here he ask help about privatekey for 2 address.

i have need of recover privatekey address 2
what is correct formula  for recover the privatekey of address 1   and address 2 that have same R used in 2 different address?
thanks for your help

Give me 2 pair of R,S,Z with both have same R let me show you second pair is recovered or not.

I don't know what make you think my answer is wrong its not.

[ecdsa123]

Code:

pubkey1_x =  99849857272418179203502331812772464642887864474228053990188623690904651999129
pubkey1_y =  1427797404910626570500832234950755155093850504348462442758540057225302018468
r1 =  96237046584217664204542395357030341151517669115118687572669691568567295250092
s1 =  95006782634967620310046902852157931507299895684785249809080193173792975818459
z1 =  86395623326853627167317806149581085219268370512647587563101267886017349997301

pubkey2_x =  47495987005760132411635953872279669890191779154515453545814791098010712870383
pubkey2_y =  86787612282282135351658653763637707760556816601543638392353231308614605552123
r2 =  96237046584217664204542395357030341151517669115118687572669691568567295250092
s2 =  52017465008291881853391545710652858992883078951377816905212945896722844055950
z2 =  88420324448681996600780430039089167455950427891235143177887263095884698317180

so what is privatekey1 and privatekey2 or nonce?

my algo has tested it and after two weeks I found solutions.

This is only prepared for testing purpose. no bitcoins on address:)

[stanner.austin]

@ecdsa123
You did not understand question still please read again.

If you want example from my testing here is it.

Code:

private Key 1000
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=df051cdb85ce3de01852a88716b3a03af61b82b23fb238be2b78fafe49fbe083
Z=4a3833b105b518411570325efce62626fc35078da1549d77a0140a60b3cac119

Because i know private key is 1000 i can recover K with algo
k = (m+x*r)/s
so K = 803d9488926a7c55f372066146329e0c390e5d5f170f27cd1bcf8b05b4c97f6

Unknown private key 
R=95461d77ad349268a8668b9846db26dcb8eec2f1c5a2e6ef9f13f7fbcf9ef2f6
S=f9ba1fe4400435a9f7fcadafe66a46a5dcfa4e6952f5dca25da1f21b5eaf71dd
Z=f57bc228876209fe510b5b25d0db373cb387612e57b135fd06e15560b53a1ca2

As same R i already know K i can recover private key of unknown one.
x = (s*k-m)/r

so X = 25d5a5f313a692270e6c8a8f6e3265f1c337b4297e671e89a0c045e6e232bf15 

for better understanding use this.
https://github.com/nlitsme/bitcoinexplainer

[o_e_l_e_o]

I already explained all this previously in this post: https://bitcointalk.org/index.php?topic=5418919.msg61215046#msg61215046

So he didn't inform that he know the first privatekey.

He did:

i have recovered privatekey address 1

so what is privatekey1 and privatekey2 or nonce?

You are asking the wrong question. OP has said he already knows the private key from the first transaction, and has therefore managed to recover k. As pointed out, with this knowledge of k, s, and z for the second transaction, then the second transaction's private key can be calculated.

[ecdsa123]

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

it is according: ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces-
link here:  https://billatnapier.medium.com/ecdsa-revealing-the-private-key-from-four-signed-message-two-keys-and-shared-nonces-secp256k1-5758f1258b1d

it should work, but not work.

I put transactions, nonces and privatekeys

why I can't take value private1 and private2?

it give me value 0:
please help

Code:

privkey1= 74151126465914553719682701372546590912032713247110001383204298192577238294259
privkey2= 65602009300807068992382438511465994464148703102269145684254988072233619429415

nonce1= 113430668354305125354139681412571553637810109882549088741100884487402919060793
nonce2= 88941376982568942091029320764989550225390065895384871037015643141890275775717

signature matches
#transaction from first privkey1

r1= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s1= 36665125934301679295764426496089959157670212057714313825462899262019004181013
z1= 45063904364969322573281122086971579379876583577391310824950725157431863085693

r2= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s2= 88414683103569280491867470526894992004240909646745888824999991880846576153983
z2= 96925863066810859394685400246217607442326685412593308871569663983290139782035

##transaction from second privkey2

r3= 37172049453198803628923372374682424137153412099188977901809252086397375163174
s3= 48387795993880540164497955151292140905876432678370698441361372722465054520609
z3= 70890957235815785946608014568730757332857823983374044998781188028671033610413

r4= 40974080779974461932858835766108658066940207003253964846620894290420102383124
s4= 94479523762013111191490500533227932711756342618388816229238677867942525385058
z4= 88400657509035765824159536685234267382896518494653799783594906135509259195161

[stanner.austin]

@ecdsa123
Hello
If you have 2 R(K*G) for 1 private key it's easy to crack K. Z should not be 0 or 1.
if you found your known R in any public transaction you can crack his private key because you know value of R.
Link you posted is already using  private key 1 then same nonce(K) with 2 transaction which make it weak and easily to recover K. algo (k = (m1-m2)/(s1-s2) ) once you have K you can recover X(Private key it self)

[pooya87]

I have prepared 4 transactions for 2 pubkeys with the same r1 and r2.

I don't think it is mathematically possible to solve this since you have 2 equations with 3 variables (k, d1, d2). Having two signatures for each key isn't giving us any edge either.