Calculating $K,N,X$ in ECDSA?

Question

I'm confused with the parameter $n$, whether the parameter $n$ is the support point FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFF FFFFFFFE FFFFFC2F or what? for example I got

R =      0x00656073615d18ef82d884366dfcf8f84fd1a95ee7ae431ad8f23a30f7ecc5489c 
S =      0x00705324ea8a6f796c9c38df621ee07fd86515308a33e1f5acf2d6ae436c4a67ba 
Z =      0x00264e4672395b1fe67c9c6a6787ad69490585bc45ee7a046593620b1c0ccafb56 
PubKey = 0x0414aa791606c386003a5c3fbdf9c81f6fb1272597ed78f6524c79eee71112cbdb2ead122bd32427aa4f953324ce6b1eb6e83c3067b02cb8da0151b66e5c202188 

but I can't calculate value $K,N$ and $X$? I've tried many times but can't find the correct value?

---

Note on notation:

• $X$ is the private key.
• $Z$ is the hash of the message.
• The rest follows standard notation.

Answer 1

As pointed out by the answer on Bitcoin.SE you don't calculate neither $N,K$ nor $X$.

$N$ is the order of the generator of the subgroup in which you perform ECDSA and is fixed for any given standard parameter set, such as secp256k1. That is, you use it as a constant just like you would use $a,b$ and $p$ of the parameter set as a constant. If you really wanted to compute it yourself, you have to use Schoof's algorithm, which however is really quite complex.

$K$ is a secret per-signed-message value, that you normally either generate uniformly at random from the range $[0,N)$ or use RFC 6979 to compute a value based upon your private key and the message and potentially some additional randomness. Note that given only a signature and other public information it is usually impossibly to infer $K$.

It appears that $X$ is supposed to be the private key of a given associated public key. Again $X$ is chosen uniformly at random from $[0,N)$ by the owner of the public / private key and it is in general impossible to recover $X$ given only public information, i.e. if you only know $R,S,N,Z$ and the public key, you can't infer $X$. However if you have a signature for which you know $K$ or a couple of signatures with non-uniform choice of $K$, then you can indeed infer $X$.