I noticed some folks here are looking for R, S, Z Signatures and public key examples for their research.
So, I whipped up a simple script that gives you more details than you might need. It's straightforward and should help you with your ECDSA Secp256k1 signature research.
You can grab it here. https://github.com/KrashKrash/ecdsa-rsz-signature
For those just getting started with this research, just a heads up some people refer to it as z, others as message(hash), and some simply call it h. But they all mean the same thing.
So, message or m = the original message.
H(m) or h or z = the hash of that message. Just keep in mind that H(m), h, or z all refer to the same thing: the hash of the message.
I wanted to put this info out there so you don’t waste time figuring out what h or z means. Good luck with your research!
I have been learning about ECDSA ( r s z, public key ,private key ) for about 2 months
# 130 Although only 1 rsz is known , but 1000 rsz can be produced using the public key, the nonce K value will be 240~256 bits
50% - nonce is 256 bit
25% - nonce is 254 bit
25% - nonce is 253~240 bit
However, more than 64 rsz must be leaked at the same time to leak more than 12 bits to use lattice-attack
# 130 Public Key ( Fix 2024/06/25 )
0x633cbe3ec02b9401c5effa144c5b4d22f87940259634858fc7e59b1c09937852, 0xb078a17cc1558a9a4fa0b406f194c9a2b71d9a61424b533ceefe27408b3191e3
Address: 1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua
I create some rsz as #130 , these are address "1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua" and the public keys are #130 public key
https://bitcointalk.org/index.php?topic=5394249.100
read it ....... garlonicon share his source code
Even if I have 100,000 puzzle #130 r , s, z
I still can't use lattice-attack crack ....Because the generated rsz and k values are unknown....
I used my private key and public key to see nonce K value ...
From the probability, more than 50% is a 256-bit nonce K value ~~ It must be 252 bit or less bit ......
Unless you can know from these 100,000 rsz which nonce k bits are less than 252 bit , and select 88 group for lattice attack...
This probability is lower than guessing any Bitcoin private key
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
if N <= 252 bit , we can use #130 public key to produce 70 ~ 100 fake rsz , and ECDSA will broken ~~~ Now, ECDSA is still safe
Hi there!
It looks like you all are crazy for nonces and signatures, so I have some special values for you
Btw. I think that those who do serious research of this topic do not need your script, but all contributions are welcome, of course.
the same r value , we can recovery private key ........
but we are interested in recovering the private key of #puzzle 130 from a large set of r s z and public key ...
But we need to know the bits of k , from every set of r s z .........
if anyone can know the bits of k from every r s z and public key , all bitcoin address that leaks the public key can recovery private key
Of course, currently only 252 bit k can be recovery by the lattice attack.
https://githubhelp.com/bitlogik/lattice-attack/issues/2
The authors of the lattice-attack mentioned that they were also unable to crack more than k > 252 bits~~~
For the topic "down to 2 bits", note that we never found a private key using our LatticeAttack software below 4 know bits, hence the restriction put in place that prevent the user to run it with lower than 4 bits. But we never performed long running time. Using higher RECOVERY_SEQUENCE "effort" block size, combined with a loop "-l" can be a way to recover key with 3 or even 2 bits. That would just require long running times (several hours), and no guarantee of result.
These are not as easy as you may think.
Well, then I have two more for you, but this public key doesn't point to the puzzle #130 it seems...
# Public Key
0x8629507d9eef1748ec67ca2c4ab641fa0951d7f0bb0cf226f1c0f465a4e29404, 0x2237204a53021490adfec9f0b3f0732f5024181d50fde2dcfc7a428c992b8d70
With k2 = k1 + 1.
I had edit my post ~~ fix it #130
public key 0x633cbe3ec02b9401c5effa144c5b4d22f87940259634858fc7e59b1c09937852, 0xb078a17cc1558a9a4fa0b406f194c9a2b71d9a61424b533ceefe27408b3191e3
and Provide 5 sets of my own generated rsz for #130
# 130 rsz 1
r=0x56a37728d3036203ba57a2399ba282351b55e7b7a2660080a510732f373f18f8
s=0x6bf0c1501792f3184866f56a82b69ad17cb169105ed85350ca30f3e2070e032e
z=0x0042fe8868fbfa3d16b603af849bb81a35d6292651ab36a23af4c427d4265bf9
# 130 rsz 2
r=0x84812aade108ee63f12098f31e0819b36fcd4a4433fdbd29dbc8d94082e1a822
s=0xa7da5a2552d02a4551a23381fe4bcca9f1108d66cb0137712d9325d2a1fe4b4a
z=0x50825e90bcae246a62602d3719d895da1108545b3c09527ed1dbf599034cf0a2
# 130 rsz 3
r=0x1567a88d2dc54158afc135433f5bd7cb673a73ecd978626504fa7a972fc88eb0
s=0x0340b27310b89895c166c839b5a27fd6de1a271a8765de608c07e96539827850
z=0x503f919c88920407436211529abf8f8d2459d8aec963181dbaf822e20f162d0e
# 130 rsz 4
r=0x3facca914bf602c454b2e1332e4bd9db3482cdc648bc9f79328fed36de7babca
s=0xfe9797f9323c74e8b5d91937c4ea704f0a73e3aae536d8f051e7c77214a4a5a9
z=0xdde32a1d171f66168bc88211c5bbd1f0de2bc8aa504b70af8591f7619b6a3632
# 130 rsz 5
r=0x63444d8aa42965428ea68fa74976fe38772ba59e6e1b4f8682e6f6178ee4c1e9
s=0x33f53e75c58b289d094932407c4f1eac3156a0029c9a33f257485a0c3b5b497d
z=0xfe4573a2009e9f7985f8f366949757f001aaccc81da635ea3868c1d70b9a2e04
1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua
Which values? All values are special ;-)
First 3 signatures use Satoshi private key #1 as a nonce, but signed real messages (not random). Nobody noticed?
The fourth signature signs again real message, and with the same key also a private key of Puzzle #130 as input, there is no "why", that's an intention.
And finally the value of s2 shows the weakness of the private key here:
It is just an inversion of 0x82, nothing special. If you multiply 0x352b52b52b52b52b52b52b52b52b52b4e7c1db2bf914fdd54560dc7fb517156e by 0x82, you will get 0x1affffffffffffffffffffffffffffffddb0714c547ca8e64d3b2ff8d9f5b8e1dc as a result, which is equal to one, if you apply modulo n=0xfffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141 on that.