Timeline for Is it possible to get the parity of nonce used in ECDSA signature without knowing k?
Current License: CC BY-SA 4.0
9 events
| when toggle format | what | by | license | comment | |
|---|---|---|---|---|---|
| May 23 at 17:13 | comment | added | иυэł | Thanks for that, but I'll try, just nine months spent studying cryptography and I'm deep into it, also if I find something close, I'll do well to alert you guys, not that I've not already tried, but my method is like $50%$ accurate, just wish me luck 🤞 | |
| May 22 at 0:10 | comment | added | dave_thompson_085 | Yes I do think it's impossible -- as the linked answer asserts. There are lots of very smart people in the world, many of them not perfectly ethical, and if none of them has done something that would be immensely profitable that's because none of them can do it. However, feel free to spend as much of your time as you wish. | |
| May 21 at 8:09 | comment | added | иυэł | You don't think it's impossible right? I'll say it just needs a little bit of thinking and maybe restructuring of some equations or algorithms. | |
| May 21 at 7:59 | comment | added | иυэł | @dave_thompson_085 Actually I a kinda tried that, using both $y$ and $-y$ but it doesn't match the parity for all, some are correct while some are not, also tried using the legendre symbol trick, both are a kind of 50% guess. If only I could be precise. | |
| May 20 at 23:54 | comment | added | dave_thompson_085 | Anyone who could determine parity of k from a signature could solve DLP by iterating and thus break all reused Bitcoin keys and steal probably a hundred billion dollars. Do you think that has happened without anyone noticing? | |
| May 20 at 12:48 | comment | added | иυэł | But actually I do have the public_key, and $z$ indeed is the message hash, easier for me to understand. | |
| May 20 at 12:45 | comment | added | иυэł | @fgrieu I do think there's a github repository where someone posted a script which actually computes the two possible public_keys, given the signature values, even though sometimes it misses a zero, but does it have anything to do with getting the parity of k? | |
| May 20 at 12:29 | comment | added | fgrieu♦ | The question's $z$ must be $H$ or $e$ in this definition of ECDSA. A common assumption would be that we also know the public key $Q$ (which we can't deduce fully from a valid signature). | |
| May 20 at 11:04 | history | asked | иυэł | CC BY-SA 4.0 |