|
Title: Possible LLL Attack Opportunity? Bias Detected in 5 ECDSA Signatures Post by: peakyclin77 on May 13, 2025, 10:19:20 PM Hello everyone,
I'm still working on solving a puzzle posted at https://bitcointalk.org/index.php?topic=5535021.0 Today, I'm focusing on a specific key that might help trivialize solving half of the puzzle. This key's corresponding address is currently empty, and I've managed to collect a total of 5 valid ECDSA signatures related to it. Here's the analysis — I'm particularly looking into whether the signatures reveal enough bias to attempt a lattice (LLL) attack using only 5 samples. === Fine-Grained Analysis of S Distribution === S in [1, n/4]: 4/5 → 80.00% S in [1, n/8]: 3/5 → 60.00% S in [1, n/16]: 1/5 → 20.00% S in [1, n/32]: 1/5 → 20.00% S in [1, n/64]: 0/5 → 0.00% S in [1, n/128]: 0/5 → 0.00% Result: MAX BIAS: 4/5 signatures (80.00%) in [1, n/4] → Strong bias detected, likely due to a biased nonce k. === Exhaustive Bit Analysis of S === Total signatures: 5 Number of fixed bits (always 0 or 1): 16 Fixed bits: Bit 4: always 0 Bit 8: always 1 Bit 49: always 0 Bit 50: always 0 Bit 55: always 1 Bit 69: always 0 Bit 77: always 1 Bit 93: always 0 Bit 102: always 1 Bit 103: always 1 Bit 116: always 0 Bit 146: always 0 Bit 180: always 0 Bit 183: always 0 Bit 202: always 0 Bit 255: always 0 Max block of consecutive fixed bits: 2 bits (starting at bit 49) Low 8 bits of S: ['0x6e', '0x2a', '0x29', '0xe4', '0xcc'] Result: MAX BIAS: 16 fixed bits; max block = 2 bits → Strong bias detected, possibly due to structural patterns in k Can such a bias with only 5 signatures be sufficient to attempt an LLL attack? Any thoughts or experiences would be greatly appreciated. Thanks in advance! Title: Re: Possible LLL Attack Opportunity? Bias Detected in 5 ECDSA Signatures Post by: sdfasdf on June 24, 2025, 03:10:17 AM Hello everyone, I'm still working on solving a puzzle posted at https://bitcointalk.org/index.php?topic=5535021.0 Today, I'm focusing on a specific key that might help trivialize solving half of the puzzle. This key's corresponding address is currently empty, and I've managed to collect a total of 5 valid ECDSA signatures related to it. Here's the analysis — I'm particularly looking into whether the signatures reveal enough bias to attempt a lattice (LLL) attack using only 5 samples. === Fine-Grained Analysis of S Distribution === S in [1, n/4]: 4/5 → 80.00% S in [1, n/8]: 3/5 → 60.00% S in [1, n/16]: 1/5 → 20.00% S in [1, n/32]: 1/5 → 20.00% S in [1, n/64]: 0/5 → 0.00% S in [1, n/128]: 0/5 → 0.00% Result: MAX BIAS: 4/5 signatures (80.00%) in [1, n/4] → Strong bias detected, likely due to a biased nonce k. === Exhaustive Bit Analysis of S === Total signatures: 5 Number of fixed bits (always 0 or 1): 16 Fixed bits: Bit 4: always 0 Bit 8: always 1 Bit 49: always 0 Bit 50: always 0 Bit 55: always 1 Bit 69: always 0 Bit 77: always 1 Bit 93: always 0 Bit 102: always 1 Bit 103: always 1 Bit 116: always 0 Bit 146: always 0 Bit 180: always 0 Bit 183: always 0 Bit 202: always 0 Bit 255: always 0 Max block of consecutive fixed bits: 2 bits (starting at bit 49) Low 8 bits of S: ['0x6e', '0x2a', '0x29', '0xe4', '0xcc'] Result: MAX BIAS: 16 fixed bits; max block = 2 bits → Strong bias detected, possibly due to structural patterns in k Can such a bias with only 5 signatures be sufficient to attempt an LLL attack? Any thoughts or experiences would be greatly appreciated. Thanks in advance! Can you share your code because I went to test how your bias code was working? |