Reused Z value

2 replies 62 views
Posts: 18 · Reputation: 238
#1Jun 29, 2022, 12:29 AM
So I've got this K value: 57693594628803274708875609257689291793313896681711523793281764510965395518430. In hex, it shows up as: 0x7f8d6ad886348454c238ca49ef01c7fde83925372c414e9e98827ea204ae73de. The most significant bit (MSB) is: 01111111100011010110101011011000. And the least significant bit (LSB) is: 00000100101011100111001111011110. Next, r is: 0x44022028cf3771072718602a8157c92b7d905c194ba38045a6177a06fd3dc362. For s, I've got: 0x38a60220520b4b1d36d55070419e21c1d0b47511d96477bbea459202ad3aa2e7. Then there's z, which is: 0xb9354ccf66a361b618f067f6c1244f1495776d7cb095be0ac1e86d0992d79cdd. Here's the script: 473044022028cf3771072718602a8157c92b7d905c194ba38045a6177a06fd3dc362e738a60220520b4b1d36d55070419e21c1d0b47511d96477bbea459202ad3aa2e72231e6c501210321369b6c054bf52f4f21091f1bebe71c8da184ef75d88b45a2f463bdf5f162af. I also have another K value: 41134620020427918509232437735715264323869950887026447086088473267917728820592. In hex, that's: 0x5af15eafdc0f849634732c16028047bc43358f6c16207fc2bf1fac8faaf0ad70. The MSB reads: 01011010111100010101111010101111. And the LSB is: 10101010111100001010110101110000. For r, it’s: 0xabe9088f1c430549d33070c4343d83b68fc6b7f798b778d3466126303eea4861. And s is: 0x2d23b76fe88bcfb2674feb500d56cb5603957d25b21dfadedd4d029cf9d35b8b. The z value stays the same as before: 0xb9354ccf66a361b618f067f6c1244f1495776d7cb095be0ac1e86d0992d79cdd. Here's the script for this one: 483045022100abe9088f1c430549d33070c4343d83b68fc6b7f798b778d3466126303eea486102202d23b76fe88bcfb2674feb500d56cb5603957d25b21dfadedd4d029cf9d35b8b01210321369b6c054bf52f4f21091f1bebe71c8da184ef75d88b45a2f463bdf5f162af. Lastly, another K value: 57812917839694142708293111517794561297960475000280608277966594035734982329126. In hex, that's: 0x7fd0f3b066dc682f38a391f58c560f4e3caba5f2e37d3803ca837e682dfa8326. The MSB is: 01111111110100001111001110110000. The LSB is: 00101101111110101000001100100110. For r here, it’s just: 0x4402200bfde30fc.
6 Reply Quote Share
sage_moonSenior Member
Posts: 273 · Reputation: 1371
#2Jun 29, 2022, 06:34 AM
The fact that two or more signatures share z (the message) does not imply any risk to the signatures. If this were mathematically vulnerable, it would mean that multi-signatures, Lightning Network channels, and other instances where the same message or TX is signed multiple times would be at risk. This answer might help you understand it better: Exposing private key by signing the same message twice? The thread I mentioned is a bit old, so I don't recommend waking it up by commenting, since you started this one.
4 Reply Quote Share
im_apeHero Member
Posts: 629 · Reputation: 3824
#3Jun 29, 2022, 09:23 AM
Considering the ECDSA equation is s = k−1(z + r*d) (mod n) and the fact that we always have s, z and r values for any signature, it doesn't look like having the same z value would change anything that could help solve the equation to find any of its two variables (private key and ephemeral key). The reason why having same r value helps us compute the private key is because same r also means same k reducing the number of variables to one if you have more than one signature.
2 Reply Quote Share

Related topics