(closed)

[ecdsa123]

Solved

[1714883462]

1714883462

[1714883462]

1714883462

[1714883462]

1714883462

[1714883462]

1714883462

[1714883462]

1714883462

[COBRAS]

a = Mod inv 2 * 1 = 1/2

pub * a = 1/2 pub = bew G

2 * new G = PUB.


priv * G = PUB TOO

this bug was found some esrs ago, I thin it was already patched

[BlackHatCoiner]

You've considered s1 equal with s2, but s is a value resulted from d and k. If r and s values are the same (as you've let), then either d values are the same or it's a collision.

This is the equation. Have you checked that it gives the same value for these two private keys?

Code:

s = k^(-1) * (z + d * r) mod n

Is this your code? Seems clumsy. I leave room to question function verify.

[odolvlobo]

Code:

...
pub1=private1*G
pub2=private2*G
...

I am not familiar with SageMath. Does the '*' operator here do ECC multiplication?

[odolvlobo]

I can't tell you what is wrong with your code, though I suspect that '*' is not doing what you think is to doing, so I wrote this simple python script:

Code:

from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.hazmat.primitives import serialization

private_key_1 = ec.derive_private_key(664613997892457936451903530140172288000, ec.SECP256K1())
private_key_2 = ec.derive_private_key(110623181588558332205237110447978292605510900347349684371947434845384786316778, ec.SECP256K1())

public_key_1 = private_key_1.public_key()
serialized_public_key_1 = public_key_1.public_bytes(
    encoding=serialization.Encoding.X962,
    format=serialization.PublicFormat.CompressedPoint
)
print(serialized_public_key_1.hex())

public_key_2 = private_key_2.public_key()
serialized_public_key_2 = public_key_2.public_bytes(
    encoding=serialization.Encoding.X962,
    format=serialization.PublicFormat.CompressedPoint
)
print(serialized_public_key_2.hex())

It outputs this:

Code:

$ /bin/python3 ecc.py
0235837d0b32b721f7419eff16e0554f3ea7a723b70552bce041033793499394a1
029070ed75372ac4cf02628996c1a68bda13669ac146303d63b6d28cb29f6c21a1

As you can see the public keys are not the same.

[_Counselor]

why it works?

Because when checking the signature, only the x-coordinate is checked, and since due to symmetry there are two points with the same X, there are two different private keys that lead to the same solution. To calculate the second possible key, it is enough to take a symmetrical nonce.

With your parameters from the example:

Code:

r= 69933057925445156103627311546056983351587171473600111963597898281808348149939
s= 99514802695095857543902537284008490009261385852143431210120625655251582757337
z= 12948693844049826047046411457108709640188688022302896372272988915976703455562

nonce= 76658540346477621248539633331872761318528094222023647613764244410682868036596

nonce_sym = (nonce * (n-1)) % n

priv1 = (modinv(r,n) * ((nonce * s) - z)) % n

print(priv1) #664613997892457936451903530140172288000

priv2 = (modinv(r,n) * ((nonce_sym * s) - z)) % n

print(priv2) #110623181588558332205237110447978292605510900347349684371947434845384786316778