so, valid signatures were made like this originally:
a = random
b = random
r = aG + bQ
s = r * modinv(b, N) % N
z = a * s (b, N)% N
but how can we have the same r yet different s and z?
i’ve got two ways to shift the aG and bQ to land on the same point r without knowing a and b. for method 1, I just shifted the points using a random t value.
for the first shift, I ditched the formula to reach b2. and for the second method, I ditched the formula to get to a3, all for security’s sake.
do these shifting methods give me different a and b values while keeping r the same but changing s and z? totally. in shift 1, with a specific formula, I can find different a2 and b2 values. to get a2, the formula was a2 = a + t. for shift 2, I used a random b3 value and eventually got a3.
and we all know that having the same r but different s and z actually gives you the k nonce and the private key.
no point in sharing the full formulas here since the admins would probably just erase them. but I believe some of you might figure out the math link I didn’t mention. just a missing piece… alright, later.
Changing R value to achieve different s and z
5 replies 279 views
To get double R you need original k value add in original z value itself
s_add = 1 (its up to you)
k = (your_k value)
z_add = k * s_add
r2 = r1
s2 = s1 + s_add
z2 = z1 + z_add
this is impossible to solve for recreating unknown K value
if we want to solve signature in todays technology, lattice attack and polynomials attack but in bruteforce way
Question: is your shifting method same pubkey recovered Y = (R*s-G*m)/r ??
your shifting method is interesting
If you look at the original formula I mention above, once you get the different a and b, it leads to the same r but different s and z. Typically if we use the conventional method of using same K nonce for the same r but different s and z, we still get different u1 and U2 values. Now I'm just starting from u1 and U2 first. So take the conventional method, get it's u1 and U2 values of two signatures that has the same r but different s and z, compute it's u1 and U2, then u1=a and U2 = b. You get the same signature. But in order for us who don't have the private key or K nonce to get to a valid same pubkey signatures. We use the shifting method. Where after getting the aG and bQ value, we use a random t value to get aG2 = aG + tG and bQ2 = bQ - tG.
This gives us the shifting value that leads to the same r.
r =aG + bQ and r = aG2 + bQ2.
Then to compute it's a and b value. It's just a2 = a + t , that's equal to aG when scalar multiplied.
now you are left with looking for b2. the formula to get b2 is ALMOST opposite but similar. then now u have a different a2 and b2 value that leads to the same r but due to its a2 and b2 value being different from a and b value , when the same formula is applied which is s= r * inv(b,n) and z = a * s (b, N) % n, we get the same r value but different s and z value that is valid for the same pubkey
Hey man... I replied wrongly. I meant to reply that to a person in my inbox. And yes...it does gives the same valid public key.
Here is the code. i had remove in method 1 how to get to b2 and in method 2 starting with random b value obviously for security reasons.
i study your method a little bit ,
your method fall into random pubkey Q same r value in signature, if we dont know d or k it is impossible to recreate it
my code below, the shifting method 1 is for u1 known and for method 2 is u2 known
it is same method even if we randomize u1 and u2 as long as R value is the same but different Q
this is not security concern but how security of secp256k1 becomes amazing
you do know that the formula above. r = aG + bQ, gives valid signature for the given public key, right? if it's not valid. meaning if it's not the same pubkey . the signature, even though valid for ecdsa secp256k1 but it would be invalid if the set of signatures doesn't point to the same pubkey? hahaha..ok. if you say so. 🤷♂️.. and stop using AI. ai that we have publicly can only work with what it already knows. not with new formulas. sometimes it works. most of the time, it doesn't.
you are right, AI has a limit , im comparing the result of the code from ai to my own code that doesnt need d or k but the result is same, as long as we cant solve this equation "doubler = ((z2*s1 - z1*s2) * modinv(r2*(s2-s1),n) % n)" , Ai known only this equation to solve d for doubler equation, we can try collab for this research, im trying different methods including all types of equation that doesnt appear by ai, but as of now the doubler methods is negative
note that in d in my code we can use "kx = (z1 * modinv(s1 - r1, n)) % n" as x and its k both same in all types of equation so we can use this as starting point for d
can i try your full code?? i have missed something?? or its about that we can try our own method that ai doesnt know because it has a limit??
Related topics
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- New Optional Hourglass Implementation is Live 3
- Ways to earn some sats by contributing to bitcoin core development 5
- Exploring the Potential and Challenges of a Kardashev-Scale Bitcoin Network 3