Rsz

[glhncskn]

Hello. I saw that you had information in one of your posts on bitcointalk, I am writing here to reach you. There are two R values that are close to each other (belonging to the same private key). I want to calculate the private key. I want to calculate it by trying it as nonce k k+1 k+2, but I don't know the way and formula for this. Is there any code, tools etc you use for this? No, can you show it?

[battlenetcs]

Δm = m1 - m2

Δs = s1 - s2 k = (Δm / Δs) % n d = ((s1 * k - m1) / r1) % n

Py theoretical untested example!!!

def find_private_key(r1, s1, m1, r2, s2, m2, n):

# Calculate differences
delta_m = m1 - m2
delta_s = s1 - s2

# Calculate potential k
k = (delta_m * pow(delta_s, -1, n)) % n

# Calculate potential private key
d = ((s1 * k - m1) * pow(r1, -1, n)) % n

return d

Example data (actual signatures and messages needed*)

r1 = 123456789 s1 = 987654321 m1 = 123 r2 = 123456791 # r2 is close to r1 s2 = 987654321 m2 = 456 n = 115792089237316195423570985008687907852837564279074904382605163141518161494337 # order of the curve

Find private key

private_key = find_private_key(r1, s1, m1, r2, s2, m2, n) print("Recovered private key:", private_key)

---

From: glhncskn @.> Sent: Monday, March 18, 2024 10:59 PM To: albertobsd/keyhunt @.> Cc: Subscribed @.***> Subject: [albertobsd/keyhunt] Rsz (Issue #294)

Hello. I saw that you had information in one of your posts on bitcointalk, I am writing here to reach you. There are two R values that are close to each other (belonging to the same private key). I want to calculate the private key. I want to calculate it by trying it as nonce k k+1 k+2, but I don't know the way and formula for this. Is there any code, tools etc you use for this? No, can you show it?

— Reply to this email directly, view it on GitHubhttps://github.com/albertobsd/keyhunt/issues/294, or unsubscribehttps://github.com/notifications/unsubscribe-auth/AFOHI237N2MVOJSPYLVUL23YY5PVFAVCNFSM6AAAAABE4NHVK6VHI2DSMVQWIX3LMV43ASLTON2WKOZSGE4TGNBUHA3TCMI. You are receiving this because you are subscribed to this thread.

[albertobsd]

Well

Give a man a fish and you feed him for a day; teach a man to fish and you feed him for a lifetime.

This is basic algebra with a twist of Modulo operations

Where come this from?

This come from the ECDSA signature process

https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages#ecdsa-sign

4.- Calculate the signature proof:

s = k^-1 ( z + r privatekey) (mod n)

the s value is public because it is the proof of the signature and that value can be achive with other public values too please check the ECDSA Verify Signature process ( https://cryptobook.nakov.com/digital-signatures/ecdsa-sign-verify-messages#ecdsa-verify-signature )

But K and Privatekey are unknown values so we have an equation with 2 unknown values

So if you have 2 set of RSZ values you have this

s1 = k1^-1 ( z1 + r1 privatekey) (mod n) s2 = k2^-1 ( z2 + r2 privatekey) (mod n)

The private key value is the same for both equations so we can actually rearrange some items

s1 k1 = z1 + r1 privatekey (mod n) s1 k1 - z1 = r1 privatekey (mod n) r1^-1 ( s1 * k1 - z1 ) (mod n) = privatekey

or privatekey = r1^-1 ( s1 * k1 - z1 ) (mod n)

Same for second set of values

privatekey = r2^-1 ( s2 * k2 - z2 ) (mod n)

So, since the private key is the same for both equations you can put it together

r1^-1 ( s1 k1 - z1 ) = r2^-1 ( s2 k2 - z2 ) (mod n)

But we still have two unknown values k1 and k2

So in your example where k1 = k2 + 1, ONLY in this kind of cases you can sustitute one of them

k1 = k2 + 1 or k2 = k1 - 1

right?

So you will end with some of the next equations: r1^-1 ( s1 (k2 + 1) - z1 ) = r2^-1 ( s2 k2 - z2 ) (mod n)

or

r1^-1 ( s1 k1 - z1 ) = r2^-1 ( s2 (k1 - 1 ) - z2 ) (mod n)

In this case With only one value unknown you can rearrange again and solve for k1 or k2 depending of the case

About the tools you can use python with some considerations for values with ^-1

Those values are the Inverse multiplicative of the orginal value in some way that r1 r1^-1 = 1 mod n or x x^-1 = 1 mod n

I guess that anyone can follow the operations from this point.

Here is when basic math becomes useful no?