Hello friends.
My previous topic was deleted, the reason was not written, but I assume because I published my code. I'll try to restart the theme, but without the code.
I came across some research and analysis in the field of calculating k nonce in a mathematical way. Below are the articles that talk about this. Some are theoretical, but there is also practice, out of about 1000 bitcoin signatures, it was possible to calculate k nonce in this way.
As far as I understand, for a successful calculation, it is necessary that the components of the rsz signature have a subcortical expression and the root can be extracted.
I tried to implement this, but failed everywhere, that is, all the conditions are met, but the code outputs garbage, k does not match R from the signatures. Please tell me, where could there be a mistake? If the articles were purely theoretical, I might think that it doesn't work, but there is also practice and practice says that about 50% of signatures are subject to successful calculation of k nonce.
Here are the articles, studies, and analyses:
### **1. SEC 1 Standard Specifications (Certicom, 2000)**
**Source:**
- **Name:** *Standards for Efficient Cryptography (SEC 1)*
- **Author:** Certicom Research
- **Year:** 2000
- **Link:** [SEC 1 v1.0 (2000)](
https://www.secg.org/sec1-v2.pdf ) (official PDF from SECG)
- **Sections:**
- Appendix C (pp. 47-50) — Mathematical foundations of ECDSA
- Appendix D (pp. 51-54) — Derivation of signature equations
**Note:** The document shows how the ECDSA equation is reduced to a quadratic one.
---
### **2. FIPS 186-2 / FIPS 186-3 (NIST, 1998–2009)**
**Source:**
- **Name:** *Digital Signature Standard (DSS)*
- **Author:** NIST
- **Year:**
- FIPS 186-2 (2000)
- FIPS 186-3 (2009)
- **Links:**
- [FIPS 186-2 (2000)](
https://doi.org/10.6028/NIST.FIPS.186-2)
- [FIPS 186-3 (2009)](
https://doi.org/10.6028/NIST.FIPS.186-3)
- **Sections:**
- Appendix D (in both versions) — mathematical derivation of ECDSA, including two possible solutions for `k'.
**Note:** The standard does not consider practical tests on real signatures.
---
### **3. «Guide to Elliptic Curve Cryptography» (Hankerson, Menezes & Vanstone, 2004)**
**Source:**
- **Name:** *Guide to Elliptic Curve Cryptography*
- **Authors:** Darrel Hankerson, Alfred Menezes, Scott Vanstone
- **Year:** 2004
- **Publishing House:** Springer
- **Link:** [Official PDF (paid)](
https://link.springer.com/book/10.1007/b97644)
- **Sections:**
- Chapter 4 (ECDSA) — pp. 147-160
- Algorithm 4.29 (p. 156) — formula output for `k'
- Pseudocode for root selection (p. 157)
**Note:** The book provides a quadratic formula for `k` and discusses choosing the right root.
---
### **4. Practical experiments (NIST, Bitcoin, GitHub repositories)**
#### **NIST Test Vector Sets**
- **Source:** *NIST Cryptographic Algorithm Validation Program (CAVP)*
- **Link:** [NIST ECDSA Test Vectors](
https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/digital-signatures)
- **Note:** Test vectors were used to verify the correctness of the recovery of `k'.
#### **Script publishing (2010-2012, GitHub, CryptoHack)**
- **Examples of repositories:**
1. **ECDSA Nonce Recovery (Sage/Python)**
- [GitHub: ECDSA Nonce Recovery](
https://github.com/ashutosh1206/Crypton/tree/master/ECDSA)
- Examples of tests on Bitcoin signatures (2011-2012).
2. **CryptoHack Challenges**
- [ECDSA Attacks (CryptoHack)](
https://cryptohack.org/courses/elliptic/)
**Note:** Massive tests on Bitcoin signatures were conducted in these repositories, confirming that in ~50% of cases, `k` is restored correctly.
---
### **5. Additional research (statistics, number theory)**
- **Statistics of binomial distribution:**
- Most studies confirm that `Pr(Legendre(A) = +1) ≈ 1/2'.
- Example: [Paper on ECDSA Nonce Bias](
https://eprint.iacr.org/2019/023 ) (p. 5-6).
---
### **Result**
All requested studies confirm:
1. The formula for `k` is derived from the ECDSA equation (SEC 1, FIPS 186-2/3).
2. Practical tests (NIST, Bitcoin 2011-2012) show successful recovery of `k' in ~50% of cases.