My question is related to weak signature vulnerability testing, where a hypothetical attacker does not know the values of the nonce or the private key itself, but can determine that the nonce ‘k1’ is designed by private key ‘d’ to message hash z, such that: k = 128 MSB bits of z + 128 MSB bits of d (private key)
Example:
d = private key in hex
z = message hash
k = nonce, where the nonce is equal to the first 128 bits of z + 128 bits of d
d = 0x036ed4f5f383049827edc4fe337f46f83a240b124242620b02b97552b2fc11a4
z = f55ab477c48f9afaf1a72ab448bf96b4a05f336f7a1e27e08993308dfaa783b5
k = f55ab477c48f9afaf1a72ab448bf96b4 + 036ed4f5f383049827edc4fe337f46f8
k = 0xf55ab477c48f9afaf1a72ab448bf96b4036ed4f5f383049827edc4fe337f46f8
Signature:
r = 62326678398279634483781267842729177896577268934832461436294590773005653623297
s = 78373122694400608572761948114834235891083358005495335895684705221713649603747
z = 110976909682006680432155795488402189554785886863009729379902726621537291961269
I have searched the stack exchanges and various articles and research papers and have not found a workable solution to this problem. My own linear algebra is not as strong as I would like it (it’s been a number of years), and my attempts have not been successful.
Is there any way to calculate k or the private key?
N: Finite field of the secp256k1
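For vulnerability testing from the key holder's side, the nonce construction described in the question can be checked directly against a signer's output. The following is an added example, not code from the post: it rebuilds k from the posted d and z, and audits a signature by recovering its nonce with the known private key. The function names are assumptions of this example, and the curve constants are the standard secp256k1 parameters.

```python
# Added example (not from the post). Standard secp256k1 parameters.
P = 2**256 - 2**32 - 977
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)
# d and z copied from the question.
D = 0x036ed4f5f383049827edc4fe337f46f83a240b124242620b02b97552b2fc11a4
Z = 0xf55ab477c48f9afaf1a72ab448bf96b4a05f336f7a1e27e08993308dfaa783b5

def point_add(a, b):
    """Affine point addition; None is the point at infinity."""
    if a is None:
        return b
    if b is None:
        return a
    if a[0] == b[0] and (a[1] + b[1]) % P == 0:
        return None
    if a == b:
        lam = 3 * a[0] * a[0] * pow(2 * a[1], -1, P) % P
    else:
        lam = (b[1] - a[1]) * pow((b[0] - a[0]) % P, -1, P) % P
    x = (lam * lam - a[0] - b[0]) % P
    return (x, (lam * (a[0] - x) - a[1]) % P)

def scalar_mult(k, pt=G):
    """Double-and-add (not constant time; for test harnesses only)."""
    acc = None
    while k:
        if k & 1:
            acc = point_add(acc, pt)
        pt = point_add(pt, pt)
        k >>= 1
    return acc

def weak_nonce(z, d):
    """Nonce from the question: top 128 bits of z, then top 128 bits of d."""
    return ((z >> 128) << 128) | (d >> 128)

def sign(z, d, k):
    """Textbook ECDSA with a caller-supplied nonce k."""
    r = scalar_mult(k)[0] % N
    return r, pow(k, -1, N) * (z + r * d) % N

def uses_weak_nonce(z, d, r, s):
    """Key-holder audit: recover k from (r, s) and compare with the weak form.
    N - k is also checked because low-S normalisation negates the nonce."""
    k = pow(s, -1, N) * (z + r * d) % N
    return weak_nonce(z, d) in (k, N - k)
```

A signer that derives nonces per RFC 6979 or from a CSPRNG should never be flagged by `uses_weak_nonce`.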