Nonce in secp256k1 ECDSA

2 replies 114 views
orbit23Member
Posts: 19 · Reputation: 159
#1May 15, 2021, 05:26 AM
Hey folks, I've noticed that the k values look a bit too predictable and deterministic. R1 = 0x5660647957179a737ee9f43d69ea7923ed179680acaea311986ba7bde67dd321 R2 = 0x566064795718a8c41789a5e3947f17cb2932dca737037bce9b49c7a75f606ce1 If we check the Relative Distance Ratio (Distance / n): Fraction: 0.000000000000003751
4 Reply Quote Share
eric.maxiMember
Posts: 35 · Reputation: 232
#2May 15, 2021, 05:57 AM
How is it predictable ? The mathematical distance between R1 & R2 has nothing to do with the actual distance between their corresponding nonces. let me give you an example. R1 = 0xa03aba6c1d66b0adff5f523b05ae59226b75a3c89c5755728d4278b4d02dec0 R2 = 0xd95ae6aa449d8243d4fc55ffa443c3f9982d235d4237fe0c187dba73b075b71d Do you see how much is the mathematical distance between them. They looks to totally totally very far. No similarity at all. But if i say to you that they are very close and in fact in your terms of Relative Distance Ratio (Distance /N) they are = 0.00000000000000000000000000000000000000000000000000000000000000000000000000004 318
4 Reply Quote Share
luckyapeFull Member
Posts: 77 · Reputation: 599
#3May 15, 2021, 06:26 AM
r = x(k*G) mod n. Closeness of r1 and r2 says nothing about k1 and k2. The x map and the mod reduction destroy any simple distance relation. You can see tiny r gaps from unrelated nonces. Agreed. Measure distance in scalar space, not by comparing r or x(R). Without k or leaked bits there is no handle. Real issues are nonce reuse, biased RNG, or partial-bit leaks that enable lattice attacks.
0 Reply Quote Share

Related topics