Bitcoin Forum
Author Topic: Reused Z  (Read 170 times)
bnm2610906 (OP)
July 06, 2025, 05:16:47 PM
 #1

I found a duplicate Z-value. Does this help with recovery? I don't understand very well. I used RSZK to restore, and the private key becomes 1. Does this have anything to do with lattice attack?
mcdouglasx
July 10, 2025, 02:31:58 AM
Merited by vapourminer (2), pooya87 (2)
 #2

The fact that two or more signatures share z (the message) does not imply any risk to the signatures.
If this were mathematically vulnerable, it would mean that multi-signatures, Lightning Network channels, and other instances where the same message or TX is signed multiple times would be at risk.

This answer might help you understand it better: Exposing private key by signing the same message twice?

The thread I mentioned is a bit old, so I don't recommend waking it up by commenting, since you started this one.

pooya87
July 10, 2025, 07:25:08 AM
 #3

Considering the ECDSA equation is s = k^-1(z + r*d) (mod n) and the fact that we always have s, z and r values for any signature, it doesn't look like having the same z value would change anything that could help solve the equation to find either of its two variables (private key and ephemeral key).

The reason why having the same r value helps us compute the private key is that the same r also means the same k, reducing the number of variables to one if you have more than one signature.
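
The counting argument in the reply above, worked through in numbers. This is an added example, not part of any post in the thread: the key, nonces and message hashes are constructed, the helper names `implied_nonce` and `reused_r` are this example's own, and the pure-Python curve arithmetic is for demonstration only. It shows that two signatures sharing z but using fresh nonces fit every guessed private key, and that the condition worth auditing a signer for is a repeated r.

```python
# secp256k1 domain parameters (standard public constants)
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)

def add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None or b is None:
        return a or b
    (x1, y1), (x2, y2) = a, b
    if x1 == x2 and (y1 + y2) % P == 0:
        return None
    m = (3 * x1 * x1 * pow(2 * y1, -1, P) if a == b
         else (y2 - y1) * pow(x2 - x1, -1, P)) % P
    x3 = (m * m - x1 - x2) % P
    return x3, (m * (x1 - x3) - y1) % P

def mul(k, pt=G):
    """Double-and-add scalar multiplication (not constant time; demo only)."""
    acc = None
    while k:
        if k & 1:
            acc = add(acc, pt)
        pt, k = add(pt, pt), k >> 1
    return acc

def sign(d, z, k):
    """ECDSA: r = x(kG) mod n, s = k^-1 (z + r*d) mod n."""
    r = mul(k)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def implied_nonce(d_guess, z, r, s):
    """The k that makes s = k^-1 (z + r*d) hold for ANY guessed d."""
    return pow(s, -1, N) * (z + r * d_guess) % N

def reused_r(sigs):
    """Audit check: r values seen more than once among one key's (r, s, z)."""
    rs = [r for r, _, _ in sigs]
    return {r for r in rs if rs.count(r) > 1}

# Constructed demo values (not taken from the thread)
D, Z, Z2 = 0x1234567890ABCDEF, 0xB935, 0xC0FFEE
K1, K2 = 0x1111222233334444, 0x5555666677778888
SAME_Z = [sign(D, Z, K1) + (Z,), sign(D, Z, K2) + (Z,)]    # shared z, fresh k
SAME_K = [sign(D, Z, K1) + (Z,), sign(D, Z2, K1) + (Z2,)]  # shared k, so shared r

if __name__ == "__main__":
    print("same z, fresh k -> repeated r:", bool(reused_r(SAME_Z)))
    print("same k          -> repeated r:", bool(reused_r(SAME_K)))
```

For the shared-z pair, any guessed d yields nonces that satisfy both signing equations, so the equations alone single out nothing; only the real d gives nonces with x(kG) = r, and finding it is the discrete logarithm problem.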
