🖤

[digaran]

🖤

[garlonicon]

No, if you have a signature, you have only r-value. You don't know upfront if it is public key with "02" or "03" prefix. Also, you don't know if k-value is in upper or lower half (you don't know that for any public key, because it is always relative to the base point). But currently, if you want to make a standard transaction, then s-value of your signature has to be in a lower half, and then, based on the whole signature, you can check if it has "02" or "03" prefix for R-value.

[CrunchyF]

Hi there again with more trouble and questions, I'd appreciate the time you'd spend to respond.

Is it possible to determine which X coordinate of our k is -N  or is -k inverse without obviously looking at the k ?

No there is no knowed way to guess any information of private key  (your k) with any information of public key (your X coordinate), even little.

Every actual attack (Lattice Attack etc...) oblige the attacker to know a part of the private part. and it is not an attack on the elliptic curve cryptography itself but on bad way to use signature.
 
ECC (and every asymmetric cryptography like RSA) is based on the assumption that the derivation of a private key in a public key "seems" perfectly randomly distributed.

Just for fun i tried a lot a cryptanalysis technical (statistics on huge amount of keys, pattern identification, deep learning  ...) to find a bias in the distribution of key and believe me :
secp256k1 (curve used by bitcoin) seems really safe

[CrunchyF]

Well, I'm not interested in signatures and related stuff, the entire  elliptic curve system revolves around public keys, so that is the only entry point for me to try all I got and find the best solution. "If there are no known method to correctly guess the position of any X coordinate of k, then finding a way should be a goal.
I have been studying the secp256k1 for the past 2 months, and tried at least 40-50 methods to figure out which one could be used to crack  the target k by hand, not using automated existing tools.

What actually is bothering me is a lack of a safe environment to publish study results without worrying about other people exploiting them! Though I'm in the learning phase, no breakthroughs  yet!😉

Without to be paranoiac, I think that finding a weakness on ECC such secp256k1 and stay anonymous in a "safe place" is near impossible in this hyper-connected world
After this discover, billions of dollars will be instantly at the fingertips of the researcher(s) and at the friends well informed (notice that the most probable issue is that the price of bitcoin will drop to zero).

NSA, Armed forces, governments,research consortium,mathematicians,  big tech societies,   will deploy all possible technicals and humans resources to obtain the study (and not only the legals ways  ). just to insure that if secp256k1 is broken or partially broken means that the others curves (like the very close secp256r1 widely used) aren't compromised too.
Today every secures communications (website certificate, https, banks,stock exchange, cryptocurrencies, army, administration... on internet  use ECC.And a lot of our economy is based on the security of the communications.
The cake is simply too big...

[ecdsa123]

Firstly: all weaknesses of the secp256k1 curve should be made public. If there are undisclosed information, it means that secp256k1 is being used against us.
Secondly, the hidden actual control over Bitcoin poses a threat to our funds. It's better to know than not to know.
I will compare it to stock market actions.
If a company's CEO knows that his company will fail, he conceals the information, people buy stocks, and they lose their life savings.



I believe that there should be a separate section on Bitcointalk for Bitcoin vulnerabilities, where all algorithms, solutions, and weaknesses of secp256k1 are disclosed and made available to everyone, not just a select few. From what I know, the biggest thieves are mathematicians and scientists.

[ecdsa123]

but we are not talking about +-N

we are talking about weakness .

do you know secq256k1? (not secp256k1) and their parameters? check it out and think...


Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True

run in on https://sagecell.sagemath.org/

Code:

p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
q = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

# Secp256k1

P = GF(p)
aP = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bP = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secp256k1 = EllipticCurve(P, (aP, bP))
Secp256k1.set_order(q)

# Secq256k1

Q = GF(q)
aQ = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bQ = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secq256k1 = EllipticCurve(Q, (aQ, bQ))
Secq256k1.set_order(p)

print(
"Secp256k1 group order == Secq256k1 base field order:",
Secp256k1.order() == Secq256k1.base_field().cardinality()
)

print(
"Secp256k1 base field order == Secq256k1 group order:",
Secp256k1.base_field().cardinality() == Secq256k1.order()
)

[pooya87]

I have been studying the secp256k1 for the past 2 months, and tried at least 40-50 methods to figure out which one could be used to crack  the target k by hand, not using automated existing tools.

Experts and mathematicians have been trying to crack elliptic curve cryptography ever since 1985 and they only have a handful of methods and haven't been able to make any meaningful progress. But good luck to you...

other coins copy pasted bitcoin's curve with a bit of modification, what is special about it?

Actually other coins that copy the ECC part of bitcoin, are creating an exact copy without any modification. The changes they make is elsewhere like the address encoding and PoW (eg. LTC, Doge, ETH) or they just replace the curve itself (eg. NIST P-256 in NEO).

What @ecdsa123 is doing has nothing to do with other coins though, they are just pointlessly manipulating the basics of the math behind the algorithm to sell a silly script to anybody who falls for it.

[ecdsa123]

@pooya87:
Am I offending you? I don't understand why you're saying that the scripts are stupid. Of course, everything in mathematics is manipulation. Searching for formulas based on appropriate assumptions. No one has said and will say that you can break the secp256k1 curve because there's nothing to break. Perhaps sha256, everything is transparent, the signature formula is transparent, there are no backdoors, but there is poor algorithm implementation by so-called developers. If my script works, what's the problem? There are plenty of bad transactions on the network that can be used to break a specific private key. So please don't insult others.

[COBRAS]

but we are not talking about +-N

we are talking about weakness .

do you know secq256k1? (not secp256k1) and their parameters? check it out and think...


Secp256k1 group order == Secq256k1 base field order: True
Secp256k1 base field order == Secq256k1 group order: True

run in on https://sagecell.sagemath.org/

Code:

p = 0xfffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f
q = 0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141

# Secp256k1

P = GF(p)
aP = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bP = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secp256k1 = EllipticCurve(P, (aP, bP))
Secp256k1.set_order(q)

# Secq256k1

Q = GF(q)
aQ = P(0x0000000000000000000000000000000000000000000000000000000000000000)
bQ = P(0x0000000000000000000000000000000000000000000000000000000000000007)
Secq256k1 = EllipticCurve(Q, (aQ, bQ))
Secq256k1.set_order(p)

print(
"Secp256k1 group order == Secq256k1 base field order:",
Secp256k1.order() == Secq256k1.base_field().cardinality()
)

print(
"Secp256k1 base field order == Secq256k1 group order:",
Secp256k1.base_field().cardinality() == Secq256k1.order()
)

and what is a order of this point ? looks like order of point is mach less then curve order ps not need talk what order of poiint = order of curve this is not throw

couse if add point with smaler order to point with bigger order result will be less then order of point with big order

[ecdsa123]

So adding -1G to x would subtract 1G from it if x is in +n, and adding -1G to x should add 1G to it if x is -n?

Or adding 1G to -x will subtract 1G from +x, and adding 1G to +x will subtract 1G from -x.

Isn't that the correct method to find out which x coordinate is -n or +n?

no there is no way calaculate or correcting method for solving which x coordinate is -n or +n.

maybe only BSGS -> but you have 2**128 possibilities to verified.