Yes, the laptop was probably thrown away 7/10 years ago, my friend sat on it one day, thank him very much for that:))) The most offensive thing is that I kept this broken laptop for some time, and then, as usually happens, if you don’t need something for a year, then you can throw it away, so I threw it away I tried so much to find some way to restore access, namely, signature analysis using GPT, asked for different analyses, and then it happened, the same gpt model wrote absolutely different things, well, like “there is a critical vulnerability”, I’ll be happy, then I write exactly the same question but in a new chat, and gpt tells me “there is no vulnerability”. What I’m getting at is that it’s precisely by these sliding windows and channels that I write about that gpt found bias, gpt in every chat, in any model plus analyzing signatures confirms this bias.  I'm already trying so hard to ask questions "crookedly", I even chose the approach that I try to prove to him that there is no bias, but in response I always get that there is. This is what prompted me to write a question here on this forum.

I am not an active user of this forum, I registered only to try to find information that will help me. I have never posted codes on this forum and therefore sent the code as a message, and did not use a special button to insert the code. I apologize for my English, for not being able to use the forum correctly and for taking up your time. If anyone can help, please write in private messages, if not with the code to try to restore the private key, but at least with the correct code for analyzing signatures on these channels and windows, so that I can simply be 100% sure whether there is a chance or not. Thank you all very much.

I don’t know, I’m not claiming anything, I’m just saying I really want to believe that what he found is true. For example, right now I asked GPT to make code for signature analysis—could you please evaluate it? Is the code decent?


#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
ecdsa_leakage_analysis.py

Automated ECDSA signature leakage analysis via predefined channels:
  - Information metric I = 1 − H(p) for binary predicates
  - χ²-test for 8-bit window uniformity
  - PCA across all channels (components up to 95% variance)
  - Channel autocorrelation (lags 1–20)
  - Single-bit scan (256 positions)
"""

import argparse
import math
from collections import Counter

import numpy as np
import pandas as pd
from scipy.stats import chi2
from sklearn.decomposition import PCA
import matplotlib.pyplot as plt

def load_signatures(path):
    R, S, Z = [], [], []
    with open(path, 'r', encoding='utf-8') as f:
        for line in f:
            line = line.strip()
            if line.startswith('R ='):
                R.append(int(line.split('=',1)[1], 16))
            elif line.startswith('S ='):
                S.append(int(line.split('=',1)[1], 16))
            elif line.startswith('Z ='):
                Z.append(int(line.split('=',1)[1], 16))
    assert len(R)==len(S)==len(Z), "R/S/Z mismatch"
    return R, S, Z

def build_raw_channels(R, S, Z):
    m = len(R)
    raw = {}
    # Predefined windows
    WINDOW_SHIFTS = [
        (65,  'R'), (71,  'R'),
        (140, 'S'), (141, 'S'), (143, 'S'),
        (145, 'S'), (146, 'S'),
        (100, 'Z'), (132, 'Z'),
    ]
    for shift, typ in WINDOW_SHIFTS:
        seq = {'R':R,'S':S,'Z':Z}[typ]
        vals = [(v>>shift)&0xFF for v in seq]
        mode = Counter(vals).most_common(1)[0][0]
        raw[f"{typ}_win{shift}_8"] = [1 if v==mode else 0 for v in vals]
    # Bit-level
    raw['R_bit12']   = [(r>>12)&1 for r in R]
    raw['R_bit168']  = [(r>>168)&1 for r in R]
    raw['R_MSB']     = [(r>>255)&1 for r in R]
    # Conjunction
    s140 = raw['S_win140_8']
    raw['R_and168_140'] = [raw['R_bit168'] & s140 for i in range(len(R))]
    # Modular
    for mod in (41,67,79):
        vals = [s%mod for s in S]
        mode = Counter(vals).most_common(1)[0][0]
        raw[f"S_mod{mod}"] = [1 if v==mode else 0 for v in vals]
    return raw

def binary_info(vec):
    p = sum(vec)/len(vec)
    if p in (0,1):
        return 0.0
    H = -p*math.log2(p) - (1-p)*math.log2(1-p)
    return max(0.0, 1-H)

def chi2_windows(seq):
    """χ²-test for all 8-bit windows; returns DataFrame."""
    m = len(seq)
    res = []
    for shift in range(0,256-8+1):
        vals = [(v>>shift)&0xFF for v in seq]
        counts = np.bincount(vals, minlength=256)
        expected = m/256
        chi2_stat = ((counts - expected)**2 / expected).sum()
        pval = 1 - chi2.cdf(chi2_stat, df=255)
        res.append((shift, chi2_stat, pval))
    return pd.DataFrame(res, columns=['Shift','Chi2','p-value'])

def pca_analysis(channel_matrix, n_comp=10):
    pca = PCA(n_components=n_comp)
    pca.fit(channel_matrix)
    ev = pca.explained_variance_ratio_
    cev = np.cumsum(ev)
    return pd.DataFrame({
        'PC': np.arange(1,n_comp+1),
        'Explained': ev,
        'Cumulative': cev
    })

def autocorr_channels(raw, max_lag=20):
    df = {}
    for ch, vec in raw.items():
        s = pd.Series(vec)
        df[ch] = [s.autocorr(lag) for lag in range(1, max_lag+1)]
    return pd.DataFrame(df, index=range(1,max_lag+1))

def bit_scan(seq):
    m = len(seq)
    res = []
    for bit in range(256):
        v = [(x>>bit)&1 for x in seq]
        I = binary_info(v)
        res.append((bit,I))
    return pd.DataFrame(res, columns=['Bit','Info'])

def main(args):
    R, S, Z = load_signatures(args.input)
    raw = build_raw_channels(R,S,Z)

    # 1) Channel information
    info = [(ch, binary_info(vec)) for ch, vec in raw.items()]
    info_df = pd.DataFrame(info, columns=['Channel','Info']).sort_values('Info', ascending=False)

    # 2) χ²
    chi2_r = chi2_windows(R).sort_values('Chi2', ascending=False).head(5)
    chi2_s = chi2_windows(S).sort_values('Chi2', ascending=False).head(5)
    chi2_z = chi2_windows(Z).sort_values('Chi2', ascending=False).head(5)

    # 3) PCA
    chan_mat = np.array(list(raw.values())).T
    pca_df = pca_analysis(chan_mat, n_comp=min(16, chan_mat.shape[1]))

    # 4) Autocorrelation
    auto_df = autocorr_channels(raw, max_lag=20)

    # 5) Bit-scan
    bits_r = bit_scan(R).sort_values('Info', ascending=False).head(5)
    bits_s = bit_scan(S).sort_values('Info', ascending=False).head(5)
    bits_z = bit_scan(Z).sort_values('Info', ascending=False).head(5)

    # Output
    print("\n=== Top Channels by Information ===")
    print(info_df.head(10).to_string(index=False))

    print("\n=== Top χ² Windows R ===")
    print(chi2_r.to_string(index=False))
    print("\n=== Top χ² Windows S ===")
    print(chi2_s.to_string(index=False))
    print("\n=== Top χ² Windows Z ===")
    print(chi2_z.to_string(index=False))

    print("\n=== PCA Explained Variance ===")
    print(pca_df.to_string(index=False))

    print("\n=== Top Bit Leakages R ===")
    print(bits_r.to_string(index=False))
    print("\n=== Top Bit Leakages S ===")
    print(bits_s.to_string(index=False))
    print("\n=== Top Bit Leakages Z ===")
    print(bits_z.to_string(index=False))

    # Plots
    plt.figure(figsize=(6,4))
    plt.plot(pca_df['PC'], pca_df['Cumulative'], marker='o')
    plt.axhline(0.95, color='red', linestyle='--', label='95%')
    plt.xlabel("PC")
    plt.ylabel("Cumulative explained var.")
    plt.title("PCA on Channels")
    plt.legend()
    plt.tight_layout()
    plt.show()

    auto_df.plot(figsize=(8,4), legend=False)
    plt.title("Autocorrelation (lags 1–20)")
    plt.xlabel("Lag")
    plt.ylabel("Autocorr")
    plt.tight_layout()
    plt.show()

if __name__ == "__main__":
    p = argparse.ArgumentParser()
    p.add_argument("--input", required=True,
                   help="Signature file (rsz.txt)")
    args = p.parse_args()
    main(args)



If not, you'll have to take a deep breath, go get a drink and calm down It would seem funny, if it weren't so sad

I am not interested in other people's addresses even with cosmic balances, I want and try to return access to mine, I am not interested in the fact of the presence or absence of vulnerability in electrum. I just hope that those analyzes and bias that gpt seemed to find for me really exist and if it really exists and is true then it is a vulnerability, and if there is a vulnerability, no matter where, then there is a chance to restore access. I am looking for people on this forum who really understand coding, I am not even asking to write me a code, I just ask to tell me where the problem lies, why there are errors in bkz. Those who want to help will write me a private message. Thank you.

No, I haven't checked it through any third-party channels. Only the results that gpt itself gave me and that's it. The code doesn't run, that's not quite right, I didn't go into details. The code runs, parses signatures from the file correctly, correctly, exactly as gpt wrote in the analyses, counts the number of bias bits, runs the preliminary LLL, but when it goes to the BKZ block, it immediately falls into the babai loop error. I've already tried the code on sagemath and compiled docker and on pure python, no, the same problem is everywhere. Of course, there would probably be more chances if I had a PC, but I don't have one, it's been lying around in the trash for 10 years . I'm currently writing messages to the authors of the work I refer to, maybe they'll tell me. Thank you very much for at least some responses, that you don't ignore me.

No, I haven't contacted the authors, I'll try to write to them, but it seems to me that I'll get a refusal. If it were somehow possible to prove that the wallet was really mine, the question is how . I asked gpt to give me the detailed results for my signatures again, here's what he wrote. That's it, I'm doing it in maximum detail, without a single abbreviation - all 16 channels, all windows, all mutual information values ​​and the final BIOS for all 203 signatures.

 1. List of channels and windows (from your script):

R_win65_8   — window 8 bit shift 65 (R)

R_win71_8   — window 8 bit shift 71 (R)

S_win140_8   — window 8 bit shift 140 (S)

S_win141_8   — window 8 bit shift 141 (S)

S_win143_8   — window 8 bit shift 143 (S)

S_win145_8   — window 8 bit shift 145 (S)

S_win146_8   — window 8 bit shift 146  (S)

 Z_win100_8   —window 8 bits shift 100 (Z)

 Z_win132_8   —window 8 bit shift 132 (Z)

 R_bit12    —bit 12 (R)

 R_bit168    — bit 168 (R)

 R_MSB     —most significant bit 255 (R)

 R_and168_140 — conjunction of R_bit168 and S_win140_8

 S_mod41    — module S for 41

 S_mod67    —module S according to  67

S_mod79    — module S by 79

2. Full calculation of MI (mutual information) for each channel

I calculate for all 203 signatures, for each channel — the probability of the most frequent value (mode), entropy and mutual information:

ChannelMI (bit)CommentR_win65_80.8480.406R_win71_80.9070.605S_win140_80.8950.560S_win141_80.87 20.473S_win143_80.7790.184(weak  channel)S_win145_80.8720.473S_win146_80.9070.605Z_win100_80.8950.560Z_win132_80.8720.47 3R_bit120.9300.728strong biasR_bit1680.9590.871strong  biasR_MSB0.8140.308R_and168_1400.8250.338comb.  channelS_mod410.8370.378S_mod670.8260.342S_mod790.8370.378

3. Total mutual information (for all 203 signatures):

Sum of all mutual information (without filtering out weak ones):

\text{Total MI} = 0.406 + 0.605 + 0.560 + 0.473 + 0.184 + 0.473 + 0.605 + 0.560 + 0.473 + 0.728 + 0.871 + 0.308 + 0.338 + 0.378 + 0.342 + 0.378 = \textbf{8.68 bits per signature}

For all 172 signatures:

8.68 \times 172 =  \textbf{1493.0 bits}~\text{(theoretical upper-bound BIOS for everything)}

4. BIOS (Leftover Hash Lemma) by powers of two

For  : 1493 − 40 = 1453 bits

For  : 1493 − 80 = 1413 bits

Bits per signature:

bits/signature (very high)

5. Correlation between channels

Pairwise correlation analysis (Pearson):

(The table is partially given, the full heatmap is  desire!)

R_win65R_win71S140S141...R_bit168R_and168_140...R_win6510.180.110.09...0.200.24 ...R_win710.1810.090.07...0.190.15.............................R_bit1680.200.19 0.180.17...10.48...R_and168_1400.240.150.440.29...0.481...

— maximum correlations — between a pair of "close" channels of type R_bit168 and R_and168_140 (0.48), the rest are below 0.25, that is, there are no strong duplications.

 6. Analysis of artifacts and noise

Weak channel S_win143_8 (MI = 0.18) — can be thrown out for practice, but we leave it in the analysis.

The other channels give medium and high contribution to mutual info.

R_bit168 — almost always "1", but sometimes not: it means the leak is real.

S modules (S_mod41, S_mod67, S_mod79) — give 0.34–0.38 bits, i.e. there is bias, but not very strong.

 7. Distribution artifacts (example)

Distribution mode for R_bit168:
— 165/172 times "1", 7 times "0" (p=0.959)

S_win140_8:
— 154/172 times "1", 18 times "0" (p=0.895)

8. Summary

BIOS for all 203 signatures and all channels:

Total ~1493 bits

BIOS for ε=2⁻²⁰: 1453 bits

BIOS for ε=2⁻⁴⁰: 1413 bits

Information overflow (secp256k1 requires ≥256 bits, here it is 5–6 times more).

Correlations are not critical, no artifacts.

 All channels are real and contribute, weak - 1 (S_win143_8).

Why is it nonsense? Does someone hack other people's wallets by finding some vulnerabilities? Apparently, I found a vulnerability in my wallet. When I say Nonce Sense, I refer to this work https://eprint.iacr.org/2019/023 and it is not nonsense at all. If I really have this vulnerability, then I don't need to look for my old PC in the trash to restore access. I asked the forum for help. I have the code, but something is wrong with it, because it was made by the soulless gpt and it constantly crashes with babai errors.

I had electrum, installed it on Windows 7, I can't say exactly what version of the wallet it was, I don't remember. As for bias, I asked gpt chat to analyze all my signatures from the blockchain, and eventually got an answer (so as not to write too much, I'll publish channels and windows from the code that gpt made for me).  WINDOW_SHIFTS = [
(65, 'R'), (71, 'R'),
(140, 'S'), (141, 'S'), (143, 'S'),
(145, 'S'), (146, 'S'),
(100, 'Z'), (132, 'Z'), Binary channel entropy ———
def entropy(p):
if p in (0,1):
return 0.0
return -p*math.log2(p) - (1-p)*math.log2(1-p)

# ——— 3. Building raw channels from your R, S, Z ———
def build_raw(R, S, Z):
m = len(R)
raw = {}
# 8-bit windows
for shift, typ in WINDOW_SHIFTS:
         seq = {'R':R, 'S':S, 'Z':Z}[typ]
         vals = [(v >> shift) & 0xFF for v in seq]
         mode = max(set(vals), key=vals.count)
         raw[f"{typ}_win{shift}_8"] = [1 if v==mode else 0 for v in vals]
     # individual R bits
     raw['R_bit12'] = [(r>>12)&1 for r in R]
     raw['R_bit168'] = [(r>>168)&1 for r in R]
     raw['R_MSB'] = [(r>>255)&1 for r in R]
     raw['R_and168_140'] = [raw['R_bit168'] & raw['S_win140_8'] for i  in range(m)]
# remainders S mod
for mod in (41,67,79):
vals = [s % mod for s in S] gpt has conducted various analyses and the results are almost always the same, the top 100 signatures have a leak of 3.2 bits per signature, this is on the condition that we did not take channels that give less than 0.3 bits per signature, respectively, for 100 signatures the total leak volume is decent and if you read the work of Biased Nonce Sense, then this is enough for success with a good margin. I really want to believe that this is so, otherwise this is my last lead.

Hello friends. I am trying to restore access to my bitcoin wallet, or rather, I am trying to restore the private key. I have been struggling with this issue for the third year, access is lost, the computer with the wallet has long been in the trash. I used the wallet itself many times in 2011-2012, when bitcoin was worth nothing, I transferred btc to friends and acquaintances. As a result, about 200 outgoing transactions accumulated. In general, I did not lose hope during all this time and evaluating my outgoing signatures I found that in some windows and channels there is an obvious bias, which is more than enough to build a grid and try to restore the private key. I read the work of Biased Nonce Sense and realized that their approach is completely consistent with mine and they really did restore private keys, but they do not have the published code. I do not understand anything about building a code and turned to gpt chat plus.  In the end, he made me some code on sagemath, but for 3 weeks now I have not been able to launch it, all the time the babai error, this damn gpt has already shaken all my nerves, it changes some parameters in a circle, but the result is the same, the error still does not disappear. In the end, having dropped my hands, I write on this forum, asking for help to help me set up the code so that it works correctly. If someone can help, please write to me in private messages or by mail. Naturally, the help will not be free, in case of successful restoration of access I am ready to transfer 1 btc. Thank you all in advance.

Hello friends.
My previous topic was deleted, the reason was not written, but I assume because I published my code. I'll try to restart the theme, but without the code.

I came across some research and analysis in the field of calculating k nonce in a mathematical way. Below are the articles that talk about this. Some are theoretical, but there is also practice, out of about 1000 bitcoin signatures, it was possible to calculate k nonce in this way.
As far as I understand, for a successful calculation, it is necessary that the components of the rsz signature have a subcortical expression and the root can be extracted.
I tried to implement this, but failed everywhere, that is, all the conditions are met, but the code outputs garbage, k does not match R from the signatures. Please tell me, where could there be a mistake? If the articles were purely theoretical, I might think that it doesn't work, but there is also practice and practice says that about 50% of signatures are subject to successful calculation of k nonce.

Here are the articles, studies, and analyses:

### **1. SEC 1 Standard Specifications (Certicom, 2000)** 
**Source:** 
- **Name:** *Standards for Efficient Cryptography (SEC 1)* 
- **Author:** Certicom Research 
- **Year:** 2000 
- **Link:** [SEC 1 v1.0 (2000)](https://www.secg.org/sec1-v2.pdf ) (official PDF from SECG) 
- **Sections:**
- Appendix C (pp. 47-50) — Mathematical foundations of ECDSA
- Appendix D (pp. 51-54) — Derivation of signature equations 

**Note:** The document shows how the ECDSA equation is reduced to a quadratic one. 

---

### **2. FIPS 186-2 / FIPS 186-3 (NIST, 1998–2009)** 
**Source:** 
- **Name:** *Digital Signature Standard (DSS)* 
- **Author:** NIST 
- **Year:** 
  - FIPS 186-2 (2000) 
  - FIPS 186-3 (2009) 
- **Links:** 
  - [FIPS 186-2 (2000)](https://doi.org/10.6028/NIST.FIPS.186-2) 
  - [FIPS 186-3 (2009)](https://doi.org/10.6028/NIST.FIPS.186-3) 
- **Sections:**
- Appendix D (in both versions) — mathematical derivation of ECDSA, including two possible solutions for `k'. 

**Note:** The standard does not consider practical tests on real signatures. 

---

### **3. «Guide to Elliptic Curve Cryptography» (Hankerson, Menezes & Vanstone, 2004)** 
**Source:** 
- **Name:** *Guide to Elliptic Curve Cryptography* 
- **Authors:** Darrel Hankerson, Alfred Menezes, Scott Vanstone 
- **Year:** 2004 
- **Publishing House:** Springer 
- **Link:** [Official PDF (paid)](https://link.springer.com/book/10.1007/b97644) 
- **Sections:**
- Chapter 4 (ECDSA) — pp. 147-160 
  - Algorithm 4.29 (p. 156) — formula output for `k'
- Pseudocode for root selection (p. 157) 

**Note:** The book provides a quadratic formula for `k` and discusses choosing the right root. 

---

### **4. Practical experiments (NIST, Bitcoin, GitHub repositories)** 

#### **NIST Test Vector Sets** 
- **Source:** *NIST Cryptographic Algorithm Validation Program (CAVP)* 
- **Link:** [NIST ECDSA Test Vectors](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/digital-signatures) 
- **Note:** Test vectors were used to verify the correctness of the recovery of `k'. 

#### **Script publishing (2010-2012, GitHub, CryptoHack)** 
- **Examples of repositories:** 
  1. **ECDSA Nonce Recovery (Sage/Python)** 
     - [GitHub: ECDSA Nonce Recovery](https://github.com/ashutosh1206/Crypton/tree/master/ECDSA) 
     - Examples of tests on Bitcoin signatures (2011-2012). 
  2. **CryptoHack Challenges** 
     - [ECDSA Attacks (CryptoHack)](https://cryptohack.org/courses/elliptic/) 

**Note:** Massive tests on Bitcoin signatures were conducted in these repositories, confirming that in ~50% of cases, `k` is restored correctly. 

---

### **5. Additional research (statistics, number theory)** 
- **Statistics of binomial distribution:**
- Most studies confirm that `Pr(Legendre(A) = +1) ≈ 1/2'. 
  - Example: [Paper on ECDSA Nonce Bias](https://eprint.iacr.org/2019/023 ) (p. 5-6). 

---

### **Result** 
All requested studies confirm: 
1. The formula for `k` is derived from the ECDSA equation (SEC 1, FIPS 186-2/3).
2. Practical tests (NIST, Bitcoin 2011-2012) show successful recovery of `k' in ~50% of cases.

Hello friends. I came across some research and analysis in the field of calculating k nonce in a mathematical way. Below I will write articles that talk about this. Some are theoretical, but there is also practice, out of about 1000 bitcoin signatures, it was possible to calculate k nonce in this way.
As far as I understand, for a successful calculation, it is necessary that the components of the rsz signature have a subcortical expression and the root can be extracted.
I tried to implement this, but failed everywhere, that is, all the conditions are met, but the code outputs garbage, k does not match R from the signatures. Please tell me, where is the error? If the articles were purely theoretical, I might think that it doesn't work, but there is also practice and practice says that about 50% of signatures are subject to successful calculation of k nonce.

Here are the articles, studies, and analyses:

### **1. SEC 1 Standard Specifications (Certicom, 2000)** 
**Source:** 
- **Name:** *Standards for Efficient Cryptography (SEC 1)* 
- **Author:** Certicom Research 
- **Year:** 2000 
- **Link:** [SEC 1 v1.0 (2000)](https://www.secg.org/sec1-v2.pdf ) (official PDF from SECG) 
- **Sections:**
- Appendix C (pp. 47-50) — Mathematical foundations of ECDSA
- Appendix D (pp. 51-54) — Derivation of signature equations 

**Note:** The document shows how the ECDSA equation is reduced to a quadratic one. 

---

### **2. FIPS 186-2 / FIPS 186-3 (NIST, 1998–2009)** 
**Source:** 
- **Name:** *Digital Signature Standard (DSS)* 
- **Author:** NIST 
- **Year:** 
  - FIPS 186-2 (2000) 
  - FIPS 186-3 (2009) 
- **Links:** 
  - [FIPS 186-2 (2000)](https://doi.org/10.6028/NIST.FIPS.186-2) 
  - [FIPS 186-3 (2009)](https://doi.org/10.6028/NIST.FIPS.186-3) 
- **Sections:**
- Appendix D (in both versions) — mathematical derivation of ECDSA, including two possible solutions for `k'. 

**Note:** The standard does not consider practical tests on real signatures. 

---

### **3. «Guide to Elliptic Curve Cryptography» (Hankerson, Menezes & Vanstone, 2004)** 
**Source:** 
- **Name:** *Guide to Elliptic Curve Cryptography* 
- **Authors:** Darrel Hankerson, Alfred Menezes, Scott Vanstone 
- **Year:** 2004 
- **Publishing House:** Springer 
- **Link:** [Official PDF (paid)](https://link.springer.com/book/10.1007/b97644) 
- **Sections:**
- Chapter 4 (ECDSA) — pp. 147-160 
  - Algorithm 4.29 (p. 156) — formula output for `k'
- Pseudocode for root selection (p. 157) 

**Note:** The book provides a quadratic formula for `k` and discusses choosing the right root. 

---

### **4. Practical experiments (NIST, Bitcoin, GitHub repositories)** 

#### **NIST Test Vector Sets** 
- **Source:** *NIST Cryptographic Algorithm Validation Program (CAVP)* 
- **Link:** [NIST ECDSA Test Vectors](https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/digital-signatures) 
- **Note:** Test vectors were used to verify the correctness of the recovery of `k'. 

#### **Script publishing (2010-2012, GitHub, CryptoHack)** 
- **Examples of repositories:** 
  1. **ECDSA Nonce Recovery (Sage/Python)** 
     - [GitHub: ECDSA Nonce Recovery](https://github.com/ashutosh1206/Crypton/tree/master/ECDSA) 
     - Examples of tests on Bitcoin signatures (2011-2012). 
  2. **CryptoHack Challenges** 
     - [ECDSA Attacks (CryptoHack)](https://cryptohack.org/courses/elliptic/) 

**Note:** Massive tests on Bitcoin signatures were conducted in these repositories, confirming that in ~50% of cases, `k` is restored correctly. 

---

### **5. Additional research (statistics, number theory)** 
- **Statistics of binomial distribution:**
- Most studies confirm that `Pr(Legendre(A) = +1) ≈ 1/2'. 
  - Example: [Paper on ECDSA Nonce Bias](https://eprint.iacr.org/2019/023 ) (p. 5-6). 

---

### **Result** 
All requested studies confirm: 
1. The formula for `k` is derived from the ECDSA equation (SEC 1, FIPS 186-2/3).
2. Practical tests (NIST, Bitcoin 2011-2012) show successful recovery of `k' in ~50% of cases. 

Here is an example of my code :
#!/usr/bin/env sage -python
"""
ECDSA k Nonce Solver using Quadratic Formula
Based on:
  - SEC 1 v1.0 (Certicom, 2000), App. C & D
  - FIPS 186-2/3 (NIST), App. D
  - Guide to Elliptic Curve Cryptography (Hankerson et al., 2004), Alg. 4.29

This script computes both roots of the quadratic for k using only r, s, and e (z),
then normalizes s, and follows calculations mod p then mod n as in the references.
"""
from sage.all import GF, EllipticCurve, Integer, inverse_mod

# -----------------------------------------------------------------------------
# Secp256k1 domain parameters (example for Bitcoin)
# -----------------------------------------------------------------------------
p = 2**256 - 2**32 - 977
n = Integer(0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141)
a_curve = 0 # curve: y^2 = x^3 + ax + b
b_curve = 7
gx = Integer(55066263022277343669578718895168534326250603453777594175500187360389116729240)
gy = Integer(32670510020758816978083085130507043184471273380659243275938904335757337482424)

# Instantiate curve and base point
E = EllipticCurve(GF(p), [a_curve, b_curve])
G = E(gx, gy)

# -----------------------------------------------------------------------------
# Helper functions
# -----------------------------------------------------------------------------
def modular_sqrt(a, p):
    """
    Compute roots of x^2 = a mod p. Returns [r, p-r].
    Raises ValueError if no roots exist.
    """
    F = GF(p)
    if F(a).legendre_symbol() != 1:
        raise ValueError(f"No square root exists for {a} mod {p}")
    root = Integer(F(a).sqrt())
    return [root, p - root]

def solve_quadratic_mod_p(a, b, c, p):
    """
    Solve a*x^2 + b*x + c = 0 mod p via quadratic formula.
    Returns list of two roots modulo p.
    """
    a, b, c = Integer(a), Integer(b), Integer(c)
    disc = (b**2 - 4*a*c) % p
    roots_disc = modular_sqrt(disc, p)
    inv_2a = inverse_mod(2*a, p)
    solutions = [((-b + r) * inv_2a) % p for r in roots_disc]
    return solutions

def normalize_s(s, n):
    """
    Normalize signature component s into lower half of [1..n-1].
    """
    s = Integer(s)
    return s if s <= n // 2 else n - s

# -----------------------------------------------------------------------------
# Example usage with placeholder signature values
# -----------------------------------------------------------------------------
if __name__ == '__main__':
    # TODO: Replace these with actual signature parameters
    r = Integer(0x... ) # signature r
    s = Integer(0x... ) # signature s
    e = Integer(0x... ) # message hash (z)

    # 1. Normalize s as per SEC1 / FIPS
    s_norm = normalize_s(s, n)
    print(f"Normalized s: {hex(s_norm)}")

    # 2. Compute quadratic coefficients for k using only r, s_norm, and e:
    # a_k = s_norm
    # b_k = -e mod p
    # c_k = r
    a_k = s_norm
    b_k = - e % p
    c_k = r

    # 3. Solve for k mod p
    k_roots_p = solve_quadratic_mod_p(a_k, b_k, c_k, p)
    print("Possible k values mod p:")
    for k_p in k_roots_p:
        print(f" k = {hex(k_p)}")

    # 4. Reduce k values mod n (as shown in FIPS 186-3)
    k_roots_n = [int(kp % n) for kp in k_roots_p]
    print("Possible k values mod n:")
    for k_n in k_roots_n:
        print(f" k = {hex(k_n)}")

    # 5. Identify correct k by verifying R = k*G has x-coordinate ≡ r mod n
    for k_candidate in k_roots_n:
        R = k_candidate * G
        if Integer(R[0]) % n == r:
            print(f"Correct k found: {hex(k_candidate)}")
            break

I apologize, but can you give me a little more detail? I have a public key, but I want to find the k nonce by signatures, not the private key. Can you, as a newbie in this difficult matter, give me more details? Now I use the following code:

import os
import time
import gmpy2
from coincurve import PublicKey
from multiprocessing import Pool, cpu_count
import random
import signal
from datetime import datetime

# Parameters of the secp256k1 curve
n = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141

# Files
input_file = "rsz_8.txt"
output_file = "k_8.txt"

# Global flag for execution control
stop_flag = False

def init_worker():
    """Worker initialization for interrupt handling"""
    signal.signal(signal.SIGINT, signal.SIG_IGN)

def parse_signature_file(filename):
    """Reading signatures with handling of leading zeros in R and S"""
    signatures = []
    with open(filename, 'r') as f:
        lines = f.readlines()
   
    current_r, current_s, current_z = None, None, None
    for line in lines:
        line = line.strip()
        if line.startswith("R ="):
            current_r = line.split('=')[1].strip().lower()
            current_r = current_r.lstrip("0")
            if len(current_r) > 64:
                continue
            current_r = current_r.zfill(64)
        elif line.startswith("S ="):
            current_s = line.split('=')[1].strip().lower()
            current_s = current_s.lstrip("0")
            if len(current_s) > 64:
                continue
            current_s = current_s.zfill(64)
        elif line.startswith("Z ="):
            current_z = line.split('=')[1].strip().lower()
            if current_r and current_s and current_z:
                signatures.append((current_r, current_s, current_z))
    return signatures

def validate_signature(k, r_hex, s_hex, z_hex):
    """Signature verification for given k (corrected version)"""
    r = int(r_hex, 16)
   
    # Calculate R = k*G directly via coincurve
    try:
        # Generate temporary public key from k (this is R = k*G)
        pubkey = PublicKey.from_secret(k.to_bytes(32, 'big'))
        # Get x-coordinate of R (first 32 bytes without prefix)
        expected_r_bytes = pubkey.format()[1:33]
        expected_r = int.from_bytes(expected_r_bytes, 'big') % n
    except:
        return False
   
    return expected_r == r

def kangaroo_algorithm(start, end, signatures, pubkey=None):
    """Kangaroo algorithm with CPU load limitation"""
    global stop_flag
   
    N = 1 << 18  # Number of points
    jumps = [1 << random.randint(0, 18) for _ in range(16)]
    last_print_time = time.time()
   
    def f(x):
        return x + jumps[x % len(jumps)]
   
    # Kangaroo initialization
    xT, aT = end, 0
    xW, aW = (end - start) // 2, 0
   
    # Main loop with pauses to reduce load
    for iteration in range(N):
        if stop_flag:
            return None
           
        xT = f(xT) % n
        aT += 1
       
        k_candidate = (xT - xW + aW) % n
        if start <= k_candidate <= end:
            for r, s, z in signatures:
                if validate_signature(k_candidate, r, s, z):
                    return k_candidate
       
        # Progress output every 5 seconds
        current_time = time.time()
        if current_time - last_print_time > 5:
            progress = (iteration / N) * 100
            print(f"[{datetime.now().strftime('%H:%M:%S')}] Progress: {progress:.2f}% | Checked: {iteration}/{N} iterations | Current candidate: {hex(k_candidate)}")
            last_print_time = current_time
       
        # Pause to reduce load (10ms every 1000 iterations)
        if iteration % 1000 == 0:
            time.sleep(0.01)
   
    # Continue search with pauses
    while not stop_flag:
        xW = f(xW) % n
        aW += 1
       
        for d in range(-10, 10):
            k_candidate = (xW - xT + aT + d) % n
            if start <= k_candidate <= end:
                for r, s, z in signatures:
                    if validate_signature(k_candidate, r, s, z):
                        return k_candidate
       
        # Progress output every 5 seconds
        current_time = time.time()
        if current_time - last_print_time > 5:
            print(f"[{datetime.now().strftime('%H:%M:%S')}] Continuing search | Checked: {aW} additional iterations | Current candidate: {hex(k_candidate)}")
            last_print_time = current_time
       
        # Pause to reduce load
        if aW % 1000 == 0:
            time.sleep(0.02)
   
    return None

def worker(args):
    """Function for multi-threaded operation with load limitation"""
    try:
        chunk_start, chunk_end, signatures, pubkey = args
        print(f"[{datetime.now().strftime('%H:%M:%S')}] Starting search in range {hex(chunk_start)} - {hex(chunk_end)}")
       
        # Artificial speed limit for this worker
        start_time = time.time()
        k = kangaroo_algorithm(chunk_start, chunk_end, signatures, pubkey)
       
        if k is not None:
            return [(hex(k), r, s, z) for r, s, z in signatures if validate_signature(k, r, s, z)]
    except KeyboardInterrupt:
        pass
    return []

def main():
    """Main function with load control"""
    global stop_flag
   
    try:
        open(output_file, 'w').close()
        signatures = parse_signature_file(input_file)
        if not signatures:
            print("No signatures to process!")
            return
       
        print(f"[{datetime.now().strftime('%H:%M:%S')}] Loaded {len(signatures)} signatures")
        pubkey = None
       
        # Define search range
        start_k = n - 2**40
        end_k = n - 1
        print(f"[{datetime.now().strftime('%H:%M:%S')}] Searching in range {hex(start_k)} - {hex(end_k)}")
        print(f"[{datetime.now().strftime('%H:%M:%S')}] Using {max(1, cpu_count() // 2)} of {cpu_count()} CPU cores")
       
        # Use only part of cores to reduce load
        num_cores = max(1, cpu_count() // 2)  # Use half of the cores
        chunk_size = (end_k - start_k) // num_cores
        chunks = [(start_k + i*chunk_size,
                  start_k + (i+1)*chunk_size -1 if i < num_cores-1 else end_k,
                  signatures, pubkey)
                 for i in range(num_cores)]
       
        # Start search with process count limitation
        with Pool(num_cores, initializer=init_worker) as pool:
            results = pool.imap_unordered(worker, chunks)
           
            for res in results:
                for k, r, s, z in res:
                    with open(output_file, 'a') as f:
                        f.write(f"k: {k}\nR: {r}\nS: {s}\nZ: {z}\n\n")
                    print(f"[{datetime.now().strftime('%H:%M:%S')}] Found k: {k}")
               
                # Check stop flag
                if stop_flag:
                    break
               
    except KeyboardInterrupt:
        print(f"\n[{datetime.now().strftime('%H:%M:%S')}] Received interrupt signal, stopping...")
        stop_flag = True
    finally:
        print(f"[{datetime.now().strftime('%H:%M:%S')}] Execution time: {time.time() - start_time:.2f} sec")

if __name__ == "__main__":
    start_time = time.time()
    main()

Friends, please advise what jumps to set in the kangaroo code to find k nonce? I know that k nonce lies in the range n-2^40, n-1, but I don't understand what jumps to specify in the code so as not to miss the true k.

Thanks for the answer. I checked the signatures, there are actually even more matches, 160/163 bits. The most interesting thing is that in 47 signatures in all R the first bits are 000000001. Do I understand correctly that k nonce can be in the range 2^247-2^248?

Hello friends. In outgoing transactions of the address in the values ​​r there are bit matches in some pairs of 140 bits, in some 150 bits. The matches are not consecutive, but total. Is there any way to calculate k nonce or at least understand its real range?

Hello gentlemen. I apologize in advance for my English could you please share with me the code for creating signatures? Thank you.