ECDSA Signature Scenario with Shared Nonces

4 replies 325 views
Posts: 9 · Reputation: 102
#1Oct 11, 2019, 12:16 AM
Got a theoretical scenario here with some valid ECDSA signatures on the secp256k1 curve, and we’re not using RFC6979 (so nonces are random). Some context: We’ve got 7 private keys: d₁ to d₇ 3 nonces (k₁, k₂, k₃) are reused across different keys (they can also be their negatives: -k) In total, there are 9 valid ECDSA signatures in the format (r, s, z) How the nonces were used: d₁ used k₁, k₂, k₃ (or -k₁, -k₂, -k₃) d₂ and d₃ used k₁ (or -k₁) d₄ and d₅ used k₂ (or -k₂) d₆ and d₇ used k₃ (or -k₃) We don’t know any private keys or nonces beforehand. So here’s my question: Is this setup of 9 ECDSA equations with 10 unknowns definitely solvable mathematically? I’m thinking since d₁ connects all the groups sharing nonces, it acts like a bridge through the whole system. Just to make it clearer, here’s a simplified example using made-up numbers, not actual secp256k1 values, just to show how these equations are connected. Everything is modulo a small fake order n = 101 for easy understanding. Sample Signatures (just toy numbers): Sig 1 (d₁, k₁): (r=17, s=64, z=35) Sig 2 (d₁, k₂): (r=22, s=15, z=40) Sig 3 (d₁, k₃): (r=30, s=45, z=50) Sig 4 (d₂, k₁): (r=17, s=72, z=20) Sig 5 (d₃, k₁): (r=17, s=33, z=55) Sig 6 (d₄, k₂): (r=22, s=12, z=30) Sig 7 (d₅, k₂): (r=22, s=90, z=70) Sig 8 (d₆, k₃): (r=30, s=22, z=25) Sig 9 (d₇, k₃): (r=30, s=18, z=90) Unknowns: Private keys: d₁ to d₇ Nonces: k₁ to k₃ Thanks!
6 Reply Quote Share
fox100Senior Member
Posts: 165 · Reputation: 1050
#2Oct 11, 2019, 02:12 AM
You've got more unknowns than equations, so I would assume it is not solvable. Of course, if there are a small set of nonces being used perhaps that's a sign that there are more known values than you might suspect. ... depending on what kind of profound brain damage produced this situation.
3 Reply Quote Share
Posts: 8 · Reputation: 176
#3Oct 13, 2019, 12:19 AM
you can easy solve the puzzle if you do have r value same that it has been repeated on 2 output transaction and if you can extract r, s1, s2, z1, z2  you can get the privat key with a simple math on python If the same r is used in two different transactions signed by the same private key s1 = (z1 + r*d) / k mod n  s2 = (z2 + r*d) / k mod n you can isolate k and solve for d (the private key) k = (z1 - z2) / (s1 - s2) mod n d = ((s1 * k - z1) / r) mod n There are also tools that you can use to see if your address has reused r value https://github.com/CryptoApex23/reused_r_scanner
1 Reply Quote Share
matrix_nodeFull Member
Posts: 85 · Reputation: 519
#4Oct 13, 2019, 12:29 AM
@mr.jeanfrancois Hello Explained before. https://bitcointalk.org/index.php?topic=5526592.msg64958849#msg64958849 Need to know one of K1 to K3 or need to know one of D1 to D7 else impossible currently.
2 Reply Quote Share
Posts: 9 · Reputation: 102
#5Oct 13, 2019, 06:08 AM
Ok, thank you for your feedback, but this case is quite different. Here, we have d1 as the pivot and some information about the k values. These nonces k1, k2, k3 follow one of the following specific patterns : A total entropy per byte of 4.875/8, corresponding to a total entropy of 156 bits with 100 bits of leakage distributed, with 1 byte repeating. A total entropy per byte of 4.9375/8, corresponding to a total entropy of 158 bits with 98 bits of leakage distributed, with 2 bytes repeating. there are a few dormant BTC involved in wallets that have been fully compromised. It is certain that one of k1, k2, k3 follows exactly one of the models above
4 Reply Quote Share

Related topics