Got a theoretical scenario here with some valid ECDSA signatures on the secp256k1 curve, and we’re not using RFC6979 (so nonces are random).
Some context:
We’ve got 7 private keys: d₁ to d₇
3 nonces (k₁, k₂, k₃) are reused across different keys (they can also be their negatives: -k)
In total, there are 9 valid ECDSA signatures in the format (r, s, z)
How the nonces were used:
d₁ used k₁, k₂, k₃ (or -k₁, -k₂, -k₃)
d₂ and d₃ used k₁ (or -k₁)
d₄ and d₅ used k₂ (or -k₂)
d₆ and d₇ used k₃ (or -k₃)
We don’t know any private keys or nonces beforehand.
So here’s my question:
Is this setup of 9 ECDSA equations with 10 unknowns definitely solvable mathematically?
I’m thinking since d₁ connects all the groups sharing nonces, it acts like a bridge through the whole system.
Just to make it clearer, here’s a simplified example using made-up numbers, not actual secp256k1 values, just to show how these equations are connected.
Everything is modulo a small fake order n = 101 for easy understanding.
Sample Signatures (just toy numbers):
Sig 1 (d₁, k₁): (r=17, s=64, z=35)
Sig 2 (d₁, k₂): (r=22, s=15, z=40)
Sig 3 (d₁, k₃): (r=30, s=45, z=50)
Sig 4 (d₂, k₁): (r=17, s=72, z=20)
Sig 5 (d₃, k₁): (r=17, s=33, z=55)
Sig 6 (d₄, k₂): (r=22, s=12, z=30)
Sig 7 (d₅, k₂): (r=22, s=90, z=70)
Sig 8 (d₆, k₃): (r=30, s=22, z=25)
Sig 9 (d₇, k₃): (r=30, s=18, z=90)
Unknowns:
Private keys: d₁ to d₇
Nonces: k₁ to k₃
Thanks!
You've got more unknowns than equations, so I would assume it is not solvable.
Of course, if there are a small set of nonces being used perhaps that's a sign that there are more known values than you might suspect. ... depending on what kind of profound brain damage produced this situation.
you can easy solve the puzzle
if you do have r value same that it has been repeated on 2 output transaction
and if you can extract r, s1, s2, z1, z2 you can get the privat key
with a simple math on python
If the same r is used in two different transactions signed by the same private key
s1 = (z1 + r*d) / k mod n
s2 = (z2 + r*d) / k mod n
you can isolate k and solve for d (the private key)
k = (z1 - z2) / (s1 - s2) mod n
d = ((s1 * k - z1) / r) mod n
There are also tools that you can use to see if your address has reused r value
https://github.com/CryptoApex23/reused_r_scanner
@mr.jeanfrancois
Hello
Explained before.
https://bitcointalk.org/index.php?topic=5526592.msg64958849#msg64958849
Need to know one of K1 to K3 or need to know one of D1 to D7 else impossible currently.
Ok, thank you for your feedback, but this case is quite different. Here, we have d1 as the pivot and some information about the k values. These nonces k1, k2, k3 follow one of the following specific patterns :
A total entropy per byte of 4.875/8, corresponding to a total entropy of 156 bits with 100 bits of leakage distributed, with 1 byte repeating.
A total entropy per byte of 4.9375/8, corresponding to a total entropy of 158 bits with 98 bits of leakage distributed, with 2 bytes repeating.
there are a few dormant BTC involved in wallets that have been fully compromised. It is certain that one of k1, k2, k3 follows exactly one of the models above