Mini-puzzle for Puzzle #130

Status: SOLVED
Prize: 1.3 BCH, BSV, BTG
Creator: RetiredCoder
Start Date: 2024-12-14
Solve Date: 2024-12-15
Address: qz3yjg59ypg6jqpwhaxgvjj44jm4hdx0w5wsxw2qez

Description

This is a side-puzzle for Puzzle #130.

Given:

Message: Anything one man can imagine, other men can make real
Signature: IIONt3uYHbMh+vUnqDBGHP2gGu1Q2Fw0WnsKj05eT9P8KI2kGgPniiPirCd5IeLRnRdxeiehDxxsyn/VujUaX8o=

"There is about 700$ in BCH there, so hurry up!
And thanks to creator of original puzzles (Satoshi??) for a lot of fun!"

RetiredCoder on BitcoinTalk

Hints

The previous signed message posted by the creator:

Address: 1Fo65aKq8s8iquMt6weF1rku1moWVEd5Ua
Message: RetiredCoder is a winner for 120,125,130
Signature: IN6XCSv7fAIUioJ7T4ti2x4YmnOcd4FXmd9eb7Na6IofP0+ji8uxdhVEb6vG++vO77t9BS7KnOE2s6Sme38NT0I=

Solution

r1_1 = 02de97092bfb7c02148a827b4f8b62db1e189a739c77815799df5e6fb35ae88a1f
r2_1 = 02838db77b981db321faf527a830461cfda01aed50d85c345a7b0a8f4e5e4fd3fc
delta  = 031e283a9ebc4c50b0a93f27d411e69d0a97aad2a6d4ae26f5725f8b55fb5176f5
delta _k = 0xfffffffffffffffffffffffffffffffebaaedce6af487e246f4eac90b714b3bd
N- delta _k = 0x22175083b1fc19218d84

r1_2= 03de97092bfb7c02148a827b4f8b62db1e189a739c77815799df5e6fb35ae88a1f
r2_2= 03838db77b981db321faf527a830461cfda01aed50d85c345a7b0a8f4e5e4fd3fc
delta  = 021e283a9ebc4c50b0a93f27d411e69d0a97aad2a6d4ae26f5725f8b55fb5176f5
delta _k = 0x22175083b1fc19218d84

PK = 33e7665705359f04f28b88cf897c603c9

Explanation from the creator

Since it seems that the winner is not here, I will explain this riddle.

1. So we have a signature, we should check for weak K1, use kangaroos of course Smiley What's the range for search? Use a hint from the message, 80bit. Fails, it seems K1 is strong.

2. Remember that I posted another signature, take K2, may be K1==K2? No. So if we have both strong K1 and K2, what it can be? Remember that ECDSA Signature is vulnerable not only when K1==K2 but also if we know that K1 has some relation with K2, for example, K2=K1+1 (the simplest case). How to check it? Remember that R1=G*K1 and R2=G*K2 and we have these R1 and R2 points in signatures, so we can substract: PntDiff = R1 - R2 (and also try R2 - R1) and check if it's G. It's not G, ok, may be the difference is not 1 but more? We should try to solve PntDiff (both variants) with kangaroos. What's the range? Same, 80bits. And we can solve it, so now we have delta_K.

3. Now calculate, google or ask chatbot to get the formula: 

pk = ((delta_k * s1 * s2) + (z2 * s1) - (z1 * s2)) / (r1 * s2 - r2 * s1) [mod n]

That's all!

Links