Hey folks,
I've noticed that the k values look a bit too predictable and deterministic.
R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321
R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1
If we check the Relative Distance Ratio (Distance / n):
Fraction: 0.000000000000003751
Nonce in secp256k1 ECDSA
2 replies 114 views
How is it predictable ?
The mathematical distance between R1 & R2 has nothing to do with the actual distance between their corresponding nonces. let me give you an example.
R1 = 0xa03aba6c1d66b0adff5f523b05ae59226b75a3c89c5755728d4278b4d02dec0
R2 = 0xd95ae6aa449d8243d4fc55ffa443c3f9982d235d4237fe0c187dba73b075b71d
Do you see how much is the mathematical distance between them. They looks to totally totally very far. No similarity at all. But if i say to you that they are very close and in fact in your terms of Relative Distance Ratio (Distance /N) they are = 0.00000000000000000000000000000000000000000000000000000000000000000000000000004 318
r = x(k*G) mod n. Closeness of r1 and r2 says nothing about k1 and k2. The x map and the mod reduction destroy any simple distance relation. You can see tiny r gaps from unrelated nonces.
Agreed. Measure distance in scalar space, not by comparing r or x(R). Without k or leaked bits there is no handle. Real issues are nonce reuse, biased RNG, or partial-bit leaks that enable lattice attacks.
Related topics
- Looking for 3 examples of r, s, z and nonce data 19
- Bitcoin Core displaying coins (UTXOs) in a new tab 13
- Are you in favor of BIP-110? Let's get a Bitcoin poll going. 0
- Erlay seems to have some issues here’s a better proposal for a bitcoin protocol without invites 3
- New Optional Hourglass Implementation is Live 3
- Ways to earn some sats by contributing to bitcoin core development 5