How can my private key be revealed if I use the same nonce while generating the signature?
I know it is well understood that it is not a good practice to use the same nonce while generating the signatures, but I am not getting the math right.
Assume I have some UTXOs that are controlled by my private key Q. Say I have spent two of the UTXOs using nonce 'N' to generate my signature. Now the (R,S) components of the signature are public and the transactions are public so everyone has access to them.
S1 = N^(-1)*[hash(m1) + Q*R] mod p
S2 = N^(-1)*[hash(m2) + Q*R] mod p
S1 - S2 = N^(-1)*[hash(m1) - hash(m2)] mod p
Even though we know S1, S2, m1 and m2, isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
private-key signature cryptography
asked 16 hours ago
Ugam KamatUgam Kamat
42112
add a comment |
I know it is well understood that it is not a good practice to use the same nonce while generating the signatures, but I am not getting the math right.
Assume I have some UTXOs that are controlled by my private key Q. Say I have spent two of the UTXOs using nonce 'N' to generate my signature. Now the (R,S) components of the signature are public and the transactions are public so everyone has access to them.
S1 = N^(-1)*[hash(m1) + Q*R] mod p
S2 = N^(-1)*[hash(m2) + Q*R] mod p
S1 - S2 = N^(-1)*[hash(m1) - hash(m2)] mod p
Even though we know S1, S2, m1 and m2, isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
private-key signature cryptography
asked 16 hours ago
Ugam KamatUgam Kamat
42112
add a comment |
I know it is well understood that it is not a good practice to use the same nonce while generating the signatures, but I am not getting the math right.
Assume I have some UTXOs that are controlled by my private key Q. Say I have spent two of the UTXOs using nonce 'N' to generate my signature. Now the (R,S) components of the signature are public and the transactions are public so everyone has access to them.
S1 = N^(-1)*[hash(m1) + Q*R] mod p
S2 = N^(-1)*[hash(m2) + Q*R] mod p
S1 - S2 = N^(-1)*[hash(m1) - hash(m2)] mod p
Even though we know S1, S2, m1 and m2, isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
private-key signature cryptography
asked 16 hours ago
Ugam KamatUgam Kamat
42112
I know it is well understood that it is not a good practice to use the same nonce while generating the signatures, but I am not getting the math right.
Assume I have some UTXOs that are controlled by my private key Q. Say I have spent two of the UTXOs using nonce 'N' to generate my signature. Now the (R,S) components of the signature are public and the transactions are public so everyone has access to them.
S1 = N^(-1)*[hash(m1) + Q*R] mod p
S2 = N^(-1)*[hash(m2) + Q*R] mod p
S1 - S2 = N^(-1)*[hash(m1) - hash(m2)] mod p
Even though we know S1, S2, m1 and m2, isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
private-key signature cryptography
private-key signature cryptography
asked 16 hours ago
Ugam KamatUgam Kamat
42112
asked 16 hours ago
Ugam KamatUgam Kamat
42112
asked 16 hours ago
Ugam KamatUgam Kamat
42112
asked 16 hours ago
Ugam KamatUgam Kamat
42112
asked 16 hours ago
Ugam KamatUgam Kamat
42112
42112
add a comment |
add a comment |
2 Answers
2
active
oldest
votes
isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
No, it is not. This does not require finding the discrete logarithm at all. Solving the discrete logarithm is finding the exponent to a known base. However in this problem we are trying to find the base and know what the exponent is. Furthermore, this known exponent is -1 for which finding the base of something raise to -1 is to raise the result to -1 again, i.e. taking the inverse of the inverse.
There are algorithms that exist to find the modular inverse of a number which is how N^(-1) is found in the first place. To find N, you just need to take the inverse of N^(-1) because of the identity that an inverse an inverse is the element itself.
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
Isn't the order of how the equation is written same as the public key generation? You have [hash(m1) - hash(m2)] as the base and N^(-1) as the exponent?
– Ugam Kamat
14 hours ago
1
No. [hash(m1) - hash(m2)] is an integer, not a elliptic curve point. N^(-1) is also an integer. So this formula is just integer multiplication. It is not exponentiation nor is it curve point multiplication (the two things that have discrete log problems). Thus it is not solving any discrete logarithm.
– Andrew Chow♦
14 hours ago
That's what I was looking for. So since N^(-1)*[hash(m1) - hash(m2)] is just integer multiplication modulo p vs curve point addition.
– Ugam Kamat
14 hours ago
add a comment |
Let me rewrite your question in a different notation, where all lowercase values are integers and uppercase values are points.
- The group generator is G (a known constant).
- The private key is q, its corresponding public key is Q = qG.
- The nonce is n, its corresponding point is R = nG.
- The X coordinate of R is r.
- The hash function is h(x).
- A signature is (r,s), where s is computed as n-1(h(m) + qr).
- A signature is valid iff r = x(s-1(h(m)G + rQ)).
Now for the two signatures it holds that:
- s1 = n-1(h(m1) + qr)
- s2 = n-1(h(m2) + qr)
- s1 - s2 = n-1(h(m1) - h(m2))
- n = (s1 - s2)-1(h(m1) - h(m2))
As s1 and s2 are just integers, (s1 - s2)-1 can be trivially computed using a modular inverse; there are no elliptic curve points involved here (over which this problem would be hard).
Once you know n, you can find q by rewriting the first equation:
- ns1 = h(m1) + qr
- ns1 - h(m1) = qr
- q = r-1(ns1 - h(m1))
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
add a comment |
Your Answer
StackExchange.ready(function() {
var channelOptions = {
tags: "".split(" "),
id: "308"
};
initTagRenderer("".split(" "), "".split(" "), channelOptions);
StackExchange.using("externalEditor", function() {
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled) {
StackExchange.using("snippets", function() {
createEditor();
});
}
else {
createEditor();
}
});
function createEditor() {
StackExchange.prepareEditor({
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader: {
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
},
noCode: true, onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
});
}
});
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f85638%2fhow-can-my-private-key-be-revealed-if-i-use-the-same-nonce-while-generating-the%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
2 Answers
2
active
oldest
votes
2 Answers
2
active
oldest
votes
active
oldest
votes
active
oldest
votes
isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
No, it is not. This does not require finding the discrete logarithm at all. Solving the discrete logarithm is finding the exponent to a known base. However in this problem we are trying to find the base and know what the exponent is. Furthermore, this known exponent is -1 for which finding the base of something raise to -1 is to raise the result to -1 again, i.e. taking the inverse of the inverse.
There are algorithms that exist to find the modular inverse of a number which is how N^(-1) is found in the first place. To find N, you just need to take the inverse of N^(-1) because of the identity that an inverse an inverse is the element itself.
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
Isn't the order of how the equation is written same as the public key generation? You have [hash(m1) - hash(m2)] as the base and N^(-1) as the exponent?
– Ugam Kamat
14 hours ago
1
No. [hash(m1) - hash(m2)] is an integer, not a elliptic curve point. N^(-1) is also an integer. So this formula is just integer multiplication. It is not exponentiation nor is it curve point multiplication (the two things that have discrete log problems). Thus it is not solving any discrete logarithm.
– Andrew Chow♦
14 hours ago
That's what I was looking for. So since N^(-1)*[hash(m1) - hash(m2)] is just integer multiplication modulo p vs curve point addition.
– Ugam Kamat
14 hours ago
add a comment |
isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
No, it is not. This does not require finding the discrete logarithm at all. Solving the discrete logarithm is finding the exponent to a known base. However in this problem we are trying to find the base and know what the exponent is. Furthermore, this known exponent is -1 for which finding the base of something raise to -1 is to raise the result to -1 again, i.e. taking the inverse of the inverse.
There are algorithms that exist to find the modular inverse of a number which is how N^(-1) is found in the first place. To find N, you just need to take the inverse of N^(-1) because of the identity that an inverse an inverse is the element itself.
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
Isn't the order of how the equation is written same as the public key generation? You have [hash(m1) - hash(m2)] as the base and N^(-1) as the exponent?
– Ugam Kamat
14 hours ago
1
No. [hash(m1) - hash(m2)] is an integer, not a elliptic curve point. N^(-1) is also an integer. So this formula is just integer multiplication. It is not exponentiation nor is it curve point multiplication (the two things that have discrete log problems). Thus it is not solving any discrete logarithm.
– Andrew Chow♦
14 hours ago
That's what I was looking for. So since N^(-1)*[hash(m1) - hash(m2)] is just integer multiplication modulo p vs curve point addition.
– Ugam Kamat
14 hours ago
add a comment |
isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
No, it is not. This does not require finding the discrete logarithm at all. Solving the discrete logarithm is finding the exponent to a known base. However in this problem we are trying to find the base and know what the exponent is. Furthermore, this known exponent is -1 for which finding the base of something raise to -1 is to raise the result to -1 again, i.e. taking the inverse of the inverse.
There are algorithms that exist to find the modular inverse of a number which is how N^(-1) is found in the first place. To find N, you just need to take the inverse of N^(-1) because of the identity that an inverse an inverse is the element itself.
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
isn't solving for N^(-1), and hence N, becomes equivalent to finding the solution to the discrete logarithm?
No, it is not. This does not require finding the discrete logarithm at all. Solving the discrete logarithm is finding the exponent to a known base. However in this problem we are trying to find the base and know what the exponent is. Furthermore, this known exponent is -1 for which finding the base of something raise to -1 is to raise the result to -1 again, i.e. taking the inverse of the inverse.
There are algorithms that exist to find the modular inverse of a number which is how N^(-1) is found in the first place. To find N, you just need to take the inverse of N^(-1) because of the identity that an inverse an inverse is the element itself.
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
answered 15 hours ago
Andrew Chow♦Andrew Chow
33k42462
33k42462
Isn't the order of how the equation is written same as the public key generation? You have [hash(m1) - hash(m2)] as the base and N^(-1) as the exponent?
– Ugam Kamat
14 hours ago
1
No. [hash(m1) - hash(m2)] is an integer, not a elliptic curve point. N^(-1) is also an integer. So this formula is just integer multiplication. It is not exponentiation nor is it curve point multiplication (the two things that have discrete log problems). Thus it is not solving any discrete logarithm.
– Andrew Chow♦
14 hours ago
That's what I was looking for. So since N^(-1)*[hash(m1) - hash(m2)] is just integer multiplication modulo p vs curve point addition.
– Ugam Kamat
14 hours ago
add a comment |
Isn't the order of how the equation is written same as the public key generation? You have [hash(m1) - hash(m2)] as the base and N^(-1) as the exponent?
– Ugam Kamat
14 hours ago
1
No. [hash(m1) - hash(m2)] is an integer, not a elliptic curve point. N^(-1) is also an integer. So this formula is just integer multiplication. It is not exponentiation nor is it curve point multiplication (the two things that have discrete log problems). Thus it is not solving any discrete logarithm.
– Andrew Chow♦
14 hours ago
That's what I was looking for. So since N^(-1)*[hash(m1) - hash(m2)] is just integer multiplication modulo p vs curve point addition.
– Ugam Kamat
14 hours ago
Isn't the order of how the equation is written same as the public key generation? You have [hash(m1) - hash(m2)] as the base and N^(-1) as the exponent?
– Ugam Kamat
14 hours ago
Isn't the order of how the equation is written same as the public key generation? You have [hash(m1) - hash(m2)] as the base and N^(-1) as the exponent?
– Ugam Kamat
14 hours ago
1
1
No. [hash(m1) - hash(m2)] is an integer, not a elliptic curve point. N^(-1) is also an integer. So this formula is just integer multiplication. It is not exponentiation nor is it curve point multiplication (the two things that have discrete log problems). Thus it is not solving any discrete logarithm.
– Andrew Chow♦
14 hours ago
No. [hash(m1) - hash(m2)] is an integer, not a elliptic curve point. N^(-1) is also an integer. So this formula is just integer multiplication. It is not exponentiation nor is it curve point multiplication (the two things that have discrete log problems). Thus it is not solving any discrete logarithm.
– Andrew Chow♦
14 hours ago
That's what I was looking for. So since N^(-1)*[hash(m1) - hash(m2)] is just integer multiplication modulo p vs curve point addition.
– Ugam Kamat
14 hours ago
That's what I was looking for. So since N^(-1)*[hash(m1) - hash(m2)] is just integer multiplication modulo p vs curve point addition.
– Ugam Kamat
14 hours ago
add a comment |
Let me rewrite your question in a different notation, where all lowercase values are integers and uppercase values are points.
- The group generator is G (a known constant).
- The private key is q, its corresponding public key is Q = qG.
- The nonce is n, its corresponding point is R = nG.
- The X coordinate of R is r.
- The hash function is h(x).
- A signature is (r,s), where s is computed as n-1(h(m) + qr).
- A signature is valid iff r = x(s-1(h(m)G + rQ)).
Now for the two signatures it holds that:
- s1 = n-1(h(m1) + qr)
- s2 = n-1(h(m2) + qr)
- s1 - s2 = n-1(h(m1) - h(m2))
- n = (s1 - s2)-1(h(m1) - h(m2))
As s1 and s2 are just integers, (s1 - s2)-1 can be trivially computed using a modular inverse; there are no elliptic curve points involved here (over which this problem would be hard).
Once you know n, you can find q by rewriting the first equation:
- ns1 = h(m1) + qr
- ns1 - h(m1) = qr
- q = r-1(ns1 - h(m1))
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
add a comment |
Let me rewrite your question in a different notation, where all lowercase values are integers and uppercase values are points.
- The group generator is G (a known constant).
- The private key is q, its corresponding public key is Q = qG.
- The nonce is n, its corresponding point is R = nG.
- The X coordinate of R is r.
- The hash function is h(x).
- A signature is (r,s), where s is computed as n-1(h(m) + qr).
- A signature is valid iff r = x(s-1(h(m)G + rQ)).
Now for the two signatures it holds that:
- s1 = n-1(h(m1) + qr)
- s2 = n-1(h(m2) + qr)
- s1 - s2 = n-1(h(m1) - h(m2))
- n = (s1 - s2)-1(h(m1) - h(m2))
As s1 and s2 are just integers, (s1 - s2)-1 can be trivially computed using a modular inverse; there are no elliptic curve points involved here (over which this problem would be hard).
Once you know n, you can find q by rewriting the first equation:
- ns1 = h(m1) + qr
- ns1 - h(m1) = qr
- q = r-1(ns1 - h(m1))
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
add a comment |
Let me rewrite your question in a different notation, where all lowercase values are integers and uppercase values are points.
- The group generator is G (a known constant).
- The private key is q, its corresponding public key is Q = qG.
- The nonce is n, its corresponding point is R = nG.
- The X coordinate of R is r.
- The hash function is h(x).
- A signature is (r,s), where s is computed as n-1(h(m) + qr).
- A signature is valid iff r = x(s-1(h(m)G + rQ)).
Now for the two signatures it holds that:
- s1 = n-1(h(m1) + qr)
- s2 = n-1(h(m2) + qr)
- s1 - s2 = n-1(h(m1) - h(m2))
- n = (s1 - s2)-1(h(m1) - h(m2))
As s1 and s2 are just integers, (s1 - s2)-1 can be trivially computed using a modular inverse; there are no elliptic curve points involved here (over which this problem would be hard).
Once you know n, you can find q by rewriting the first equation:
- ns1 = h(m1) + qr
- ns1 - h(m1) = qr
- q = r-1(ns1 - h(m1))
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
Let me rewrite your question in a different notation, where all lowercase values are integers and uppercase values are points.
- The group generator is G (a known constant).
- The private key is q, its corresponding public key is Q = qG.
- The nonce is n, its corresponding point is R = nG.
- The X coordinate of R is r.
- The hash function is h(x).
- A signature is (r,s), where s is computed as n-1(h(m) + qr).
- A signature is valid iff r = x(s-1(h(m)G + rQ)).
Now for the two signatures it holds that:
- s1 = n-1(h(m1) + qr)
- s2 = n-1(h(m2) + qr)
- s1 - s2 = n-1(h(m1) - h(m2))
- n = (s1 - s2)-1(h(m1) - h(m2))
As s1 and s2 are just integers, (s1 - s2)-1 can be trivially computed using a modular inverse; there are no elliptic curve points involved here (over which this problem would be hard).
Once you know n, you can find q by rewriting the first equation:
- ns1 = h(m1) + qr
- ns1 - h(m1) = qr
- q = r-1(ns1 - h(m1))
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
edited 14 hours ago
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
answered 14 hours ago
Pieter WuillePieter Wuille
47.7k399161
47.7k399161
add a comment |
add a comment |
Thanks for contributing an answer to Bitcoin Stack Exchange!
- Please be sure to answer the question. Provide details and share your research!
But avoid …
- Asking for help, clarification, or responding to other answers.
- Making statements based on opinion; back them up with references or personal experience.
To learn more, see our tips on writing great answers.
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
StackExchange.ready(
function () {
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2fbitcoin.stackexchange.com%2fquestions%2f85638%2fhow-can-my-private-key-be-revealed-if-i-use-the-same-nonce-while-generating-the%23new-answer', 'question_page');
}
);
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Sign up or log in
StackExchange.ready(function () {
StackExchange.helpers.onClickDraftSave('#login-link');
});
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Sign up using Google
Sign up using Facebook
Sign up using Email and Password
Post as a guest
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
Required, but never shown
