# [Crypto] secp256k1: is it theoretically possible to generate same signature with different key, message hash and k?

## Solution 1:

We want $$(r,s)$$ same for two different set of $$d,k,h$$

In ECDSA

• $$r = x_0([k]G) \bmod n$$ where $$k \in [1,n-1]$$ and $$x_o$$ is the x-coordinate of the scalar multiplication $$[k]G$$
• $$s = k^{-1}\cdot (h+r\cdot d)$$ where $$h$$ is the left most bits of $$h$$ to fit in the group order ( for simplicity we called it $$h$$ again).

Now we want same $$(r,s)$$ for $$d,k,h$$ and $$d',k',h'$$

• $$r = x_0([k]G) = x_0([k']G)$$ although this may indicate that $$k=k'$$ it is not. The reason is that the coordinate field $$p$$ is smaller than the order $$n$$ of the base point. Therefore we can have solutions other than the trivial.

• $$s = k^{-1}\cdot (h+r\cdot d) = k'^{-1}\cdot (h'+r\cdot d')$$,

then with $$k'=k$$ we have;

\begin{align} (d'-d)\cdot r &= (h-h') \\ \end{align}

then with $$k'\neq k$$ with $$c = k^{-1}$$ and $$c' = k'^{-1}$$ ( for our eyes) we have;

\begin{align} c'\cdot h + c' \cdot r \cdot d &= c\cdot h' + c \cdot r \cdot d' \\ c'\cdot h -c\cdot h' &= c \cdot c \cdot d' -c' \cdot r \cdot d \\ c'\cdot h -c\cdot h' &= r \cdot ( c \cdot d' -c' \cdot d) \\ \end{align}

As we can see by knowing $$r$$;

Either

• we need to find a proper $$d'$$ for a given $$d$$ for given different hash values. This is free since we found the private key by just arithmetics.
• OR, we need to find a message that produces desired hash value $$h'$$ so that we have equality. This is hard since we need to break pre-image resistance of SHA256.

As we can see it is possible but hard.

For the case $$k'\neq k$$ the calculations are similar.

## Solution 2:

For a given private key $$d$$, random $$k$$ and message hash $$h$$: is it possible that there exists a different set of $$d$$, $$k$$ and $$h$$ which produces the same ECDSA signature using the $$\text{secp256k1}$$ curve?

Yes, and further it's easy to explicitly compute an alternate $$(d',k',h')$$ that matches all reasonable meanings of "different set of $$d$$, $$k$$ and $$h$$":

• different tuples: $$(d',k',h')\ne(d,k,h)$$
• pairwise different values: $$d'\ne d$$, $$k'\ne k$$, and $$h'\ne h$$ (which implies the above)
• different sets: $$\{d',k',h'\}\ne\{d,k,h\}$$, which is literally what's asked, but rather exotic: order of elements does not matter in sets, thus $$\{1,2,3\}=\{2,3,1\}$$, and $$\{1,1,2\}=\{2,2,1\}$$. Also, that set equality has two different possible meanings depending on if we assimilate hashes (like $$h$$) to integers (like $$k$$ and $$d$$) for the purpose of comparison, which is a matter of convention.

"Same signature" means $$(r,s)$$ is unchanged, that is $$r$$ and $$s$$ both are unchanged.

In ECDSA, $$r$$ is unchanged if and only if $$k'=k$$ or $$k'=n-k$$. I settle for $$k'=n-k$$, which implies $$k'\ne k$$ because $$n$$ is odd.

Given the above, $$s$$ is unchanged if and only $$k'^{-1}\,(h'+r\,d')\equiv k^{-1}\,(h+r\,d)\pmod n$$. That is $$h+h'+r\,(d+d')\equiv0\pmod n$$, thus $$d'=-d-r^{-1}\,(h+h')\bmod n$$.

Thus we only need to

• compute $$r$$ the normal way (if it's not a given),
• select a different $$h'$$ (overwhelmingly likely, it's enough to hash a different message; otherwise, we retry with another message),
• compute $$k'\gets n-k$$ and $$d'\gets-d-r^{-1}\,(h+h')\bmod n$$.

That insures $$(d',k',h')$$ yields the same signature $$(r,s)$$ as $$(d,k,h)$$ does, with $$k'\ne k$$ and $$h'\ne h$$, and overwhelmingly likely $$d'\ne d$$ (otherwise, we retry with another message/$$h'$$).

If we do not assimilate bitsrings and integers, $$h'\ne h\implies\{d',k',h'\}\ne\{d,k,h\}$$. If we do, it's overwhelmingly likely that $$h'$$ is neither $$d'$$ nor $$k'$$ (otherwise, we retry with another message/$$h'$$).

## Solution 3:

It is totally possible and fairly easy to see without any advanced maths. The curve has order n (n Points in the curve) the private key d is [0... n-1] and the random number k [1... n-1] and there are 2^256 possible values for h. So there are n*(n-1)*2^256 possible inputs (d, k, h combinations). The output is r, s. Where r is there x part of a point so there are definitely not more (actually less) values than there are points on the curve and s is taken mod n, so there are not more than n possible values for that either.

So in total there are around nn2^256 inputs for maximal than n*n signatures. So the pigeonhole principle tells us that there must be multiple inputs that produce the same output.