1
$\begingroup$

This question stems up from my recent research work, I've tried different methods.

Is it possible to accurately know or get the parity (even or odd) of k (nonce) using r, s and z?

If yes, please provide a 100% possible solution for this, possibly a python script, I've tried using the y coordinate from k*G but it doesn't match for all, I need something universal.

Improve this question
$\endgroup$
8
  • 2
    $\begingroup$ The question's $z$ must be $H$ or $e$ in this definition of ECDSA. A common assumption would be that we also know the public key $Q$ (which we can't deduce fully from a valid signature). $\endgroup$ Commented May 20 at 12:29
  • $\begingroup$ @fgrieu I do think there's a github repository where someone posted a script which actually computes the two possible public_keys, given the signature values, even though sometimes it misses a zero, but does it have anything to do with getting the parity of k? $\endgroup$ Commented May 20 at 12:45
  • $\begingroup$ But actually I do have the public_key, and $z$ indeed is the message hash, easier for me to understand. $\endgroup$ Commented May 20 at 12:48
  • 1
    $\begingroup$ Anyone who could determine parity of k from a signature could solve DLP by iterating and thus break all reused Bitcoin keys and steal probably a hundred billion dollars. Do you think that has happened without anyone noticing? $\endgroup$ Commented May 20 at 23:54
  • 1
    $\begingroup$ Yes I do think it's impossible -- as the linked answer asserts. There are lots of very smart people in the world, many of them not perfectly ethical, and if none of them has done something that would be immensely profitable that's because none of them can do it. However, feel free to spend as much of your time as you wish. $\endgroup$ Commented May 22 at 0:10

0

Reset to default

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.