Title: lattice-attack || how to run without error
Post by: mausuv on April 12, 2022, 08:48:24 AM

any one make video for lattice-attack project
what is data.json :( , how to make it, how to run without error
this is git https://github.com/bitlogik/lattice-attack
send video my mail : thinkeasy123@protonmail.com or upload youtube send link please..

Title: Re: lattice-attack || how to run without error
Post by: ABCbits on April 12, 2022, 12:02:08 PM

All question you asked already answered on the repository.

Quote
what is data.json :(

From https://github.com/bitlogik/lattice-attack#use, data.json contain some information needed to perform lattice attack.

Quote
how to make it

You can either make it manually or use gen_data.py

Code:
python3 gen_data.py

Code:
python3 gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 8 -t MSB -n 50

Quote
how to run without error

You need to specify what kind of error you encountered. Have you fulfilled requirements which mentioned at https://github.com/bitlogik/lattice-attack#requirements?

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 16, 2022, 08:56:53 AM

Some problems with install fpylll
Developer using Ubuntu >= 20.04
So try on Ubuntu 20.04
pip install git+https://github.com/bitlogik/lattice-attack
pip install git+https://github.com/fplll/fpylll.git
All command try installs not successful both on os windows and Linux
using conda not successful too
conda install -c conda-forge fpylll
all methods include update apt too
sudo add-apt-repository universe
sudo apt update
sudo apt install python3-fpylll
pip install Cython
all fail

Title: Re: lattice-attack || how to run without error
Post by: ABCbits on April 16, 2022, 12:22:41 PM

Quote
Some problems with install fpylll
Developer using Ubuntu >= 20.04
So try on Ubuntu 20.04
pip install git+https://github.com/bitlogik/lattice-attack
pip install git+https://github.com/fplll/fpylll.git
All command try installs not successful both on os windows and Linux
using conda not successful too
conda install -c conda-forge fpylll
all methods include update apt too
sudo add-apt-repository universe
sudo apt update
sudo apt install python3-fpylll
pip install Cython
all fail

There might be problem with your Ubuntu 20.04 or library's setup.py. I tried it on Debian 11 (inside VM) and could run the library without any problem.

Code:
git clone https://github.com/bitlogik/lattice-attack

This is the output.

Code:
----- Lattice ECDSA Attack -----

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 16, 2022, 01:28:10 PM

Quote
There might be problem with your Ubuntu 20.04 or library's setup.py. I tried it on Debian 11 (inside VM) and could run the library without any problem.

Thank you ETFbitcoin
I do a quick test on Debian in WSL2 windows, it works
I got same result, run on Debian no problem

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 16, 2022, 02:42:20 PM

it is just mathematics research and it needs some leaked information to calculate, can not attack ECDSA that no leak data

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on April 16, 2022, 07:23:19 PM

Quote
it is just mathematics research and it needs some leaked information to calculate, can not attack ECDSA that no leak data

Last bit is possible to recover maybe, or use nonce what probably has msb in zeros....

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 19, 2022, 05:07:10 AM

just random idea
if can modify lattice-attack or can switch from weak nonce to calculate weak private key may be possible to use solve puzzle 120-160 bit
I mean lattice-attack can solve weak nonce 128 bit and 256 bit private key
if can modify to change calculate strong nonce but weak private key maybe can use for solve 120 bit puzzle
but 120 bit puzzle have only R and S one set only

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 19, 2022, 07:13:43 AM

Quote
if can modify lattice-attack or can switch from weak nonce to calculate weak private key may be possible to use solve puzzle 120-160 bit

It is possible, but there is only one problem: you need two signatures. And you need two random signatures, not just two any signatures. Lattice is not that deterministic, you cannot use N and N-1 as your 120-bit nonce. I tried solving this Taproot testnet puzzle transaction: 448b81b2b3c2c8558d268e4f515ff38eb6367d156babbc3733a14834a5a6e7b0. My conclusion is: even for small keys (like 8-bit key) it is not so deterministic. You need a sufficiently random and weak key, you cannot just use any key.

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 19, 2022, 07:50:15 AM

Quote
Quote
if can modify lattice-attack or can switch from weak nonce to calculate weak private key may be possible to use solve puzzle 120-160 bit
It is possible, but there is only one problem: you need two signatures. And you need two random signatures, not just two any signatures. Lattice is not that deterministic, you cannot use N and N-1 as your 120-bit nonce. I tried solving this Taproot testnet puzzle transaction: 448b81b2b3c2c8558d268e4f515ff38eb6367d156babbc3733a14834a5a6e7b0. My conclusion is: even for small keys (like 8-bit key) it is not so deterministic.
You need a sufficiently random and weak key, you cannot just use any key.

right it requires two sign for calculate
I would like to try to check weak nonce from key generate
if know private key how to calculate to know nonce in python

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 19, 2022, 08:12:15 AM

Just use your public key as R-value in your signature.

Code:
address=17s2b9ksz5y7abUm92cHwG8jEPCzK3dLnT

Code:
Q=02B77D94ADE49B1FF647E012ACD91CF15A7DA1D553CC386E52D9C42E717FAEA4D0

Edit:

Quote
if know private key how to calculate to know nonce in python

Code:
s=(z+rd)/k

Code:
k=(z+rd)/s

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 19, 2022, 04:01:56 PM

Quote
Final equations:
Code:
k=(z+rd)/s

I try use this calculate puzzle #115 but it now work
Can you help to sample calculate puzzle #115

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 20, 2022, 05:50:23 PM

Quote
Can you help to sample calculate puzzle #115

So, let's see:

Code:
address=1NLbHuJebVwUZ1XqDjsAyfTRUPwDQbemfv

Code:
Q=0248d313b0398d4923cdca73b8cfa6532b91b96703902fc8b32fd438a3b7cd7f55

Code:
Q=0248d313b0398d4923cdca73b8cfa6532b91b96703902fc8b32fd438a3b7cd7f55

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 21, 2022, 05:43:22 AM

Quote
So, let's see: First signature: Second signature:

Thank you garlonicon
I try to understand math (still stuck with calculate by manual step by step)

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on April 21, 2022, 08:25:16 PM

Quote
So, let's see: First signature: Second signature:
Thank you garlonicon
I try to understand math (still stuck with calculate by manual step by step)

R,s,z is only for outgoing transaction !!!

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 22, 2022, 03:51:52 AM

Quote
R,s,z is only for outgoing transaction !!!

Yes. But you can always use fake outgoing transaction and choose some z-value, where you don't know any matching transaction. For some attacks, this approach is also useful, even if you don't know any transaction that can use your signature.
In lattice attacks, you can use any z-value, you don't care about transactions, because restoring keys is the only thing you can do in such attack, so fake z-value is also useful.

Title: Re: lattice-attack || how to run without error
Post by: litecoin_messiah on April 22, 2022, 05:45:09 PM

don't we use secp256k1 this is r1

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on April 22, 2022, 07:09:26 PM

Quote
Quote
R,s,z is only for outgoing transaction !!!
Yes. But you can always use fake outgoing transaction and choose some z-value, where you don't know any matching transaction. For some attacks, this approach is also useful, even if you don't know any transaction that can use your signature. In lattice attacks, you can use any z-value, you don't care about transactions, because restoring keys is the only thing you can do in such attack, so fake z-value is also useful.

Really ? Generate someone fake rsz please for valid pubkey, and for ex valid s... For crack after this signatures ?
Original rsz is 99% impossible to crack because different length if r,s,z - from x...to ..y for 1 pubkey etc...

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 22, 2022, 07:32:47 PM

Quote
Really ? Generate someone fake rsz please for valid pubkey, and for ex valid s...

No problem. There are fake r,s,z values for the public key from the Genesis Block:

Quote
Code:
fake_signatures.py 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f

So, if you want to break for example puzzle 120, you don't need two real weak signatures. You need two any weak signatures, that are valid from ECDSA point of view, and that will pass lattice attack (because you cannot use for example N and N-1, they are too close and if one signature will be a tweaked version of another one, it will obviously not work). You don't need any real transaction that can be hashed to z-value, because after breaking the private key, you could make it and sign it from scratch.

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 23, 2022, 05:43:53 AM

I try to learn and understand math
Did I understand correctly?
this script method use leak nonce that generates to recover private key right?
script it not use way collect data from all data from signature with?
this lattice-attack use only one signature with leak 8-bit leak nonce to calculate correctly?
just loop search from 1000 signature until found one can calculate

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 23, 2022, 06:14:28 AM

Quote
this script method use leak nonce that generates to recover private key right?

Yes.

Quote
script it not use way collect data from all data from signature with?

You only need a public key and r,s,z values. They don't have to be collected from real transactions, they only have to be correct from ECDSA point of view.

Quote
this lattice-attack use only one signature with leak 8-bit leak nonce to calculate correctly?

The number of bits is configurable, you can set it to any value you want. And based on that number of leaked bits, you need more or less signatures to run this code.

Quote
just loop search from 1000 signature until found one can calculate

No, this code doesn't work for 1000 signatures. It is focused on a small number of signatures. If you provide more of them, then some of them will be picked randomly. If you have a lot of known bits, then one signature is enough. If you have less, then maybe two, maybe three. There is a function in this code that can tell you how many signatures you need, it depends on how many bits are known.
But the maximum is somewhere around 100 as far as I can tell, using more signatures will cause it to pick some of them and work on a smaller number of signatures.

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 23, 2022, 09:10:52 AM

this script it is the same of lattice-attack or not
https://asecuritysite.com/signatures/ecd
I see it is using LLL and reduction same
from sample how can expand the matrix to very large enough can search number
sorry I do not yet understand clear in math of lattice algorithms

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 23, 2022, 10:03:19 AM

Quote
this script it is the same of lattice-attack or not

Yes, it is. You can even use the same signatures and import them to your python script to see, that it will also find the same private key.

Quote
I see it is using LLL and reduction same

Yes, because LLL is the first step in your python script.

Quote
from sample how can expand the matrix to very large enough can search number

You can find the source article for the page you mentioned in your post: https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/

Quote
sorry I do not yet understand clear in math of lattice algorithms

Keep reading, take your time. ECDSA, lattice attacks, hash functions, all of those things belong to advanced maths, so it is normal that it takes some time to learn.

Title: Re: lattice-attack || how to run without error
Post by: litecoin_messiah on April 23, 2022, 06:18:01 PM

https://youtu.be/RgbrpmJ49r4

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on April 24, 2022, 03:18:51 AM

Quote
I try to learn and understand math
Did I understand correctly?
this script method use leak nonce that generates to recover private key right?
script it not use way collect data from all data from signature with?
this lattice-attack use only one signature with leak 8-bit leak nonce to calculate correctly?
just loop search from 1000 signature until found one can calculate

You have a script with "loop" ?
I can provide file rsz signatures from any bitcoin address with outgoing transactions....

Title: Re: lattice-attack || how to run without error
Post by: stanner.austin on April 24, 2022, 08:23:44 AM

@garlonicon
above example is leak known bit at least 4 bit need, with min 90 sign else attack will not work.
so each r,s with 0 to 15 (4 bit) need to be test. each result with 90 sign look like lot of processing power need for this.
if possible to design Matrix to test each 4 bit with each pair of r,s then may be this attack is possible. but i don't think this possible. is it ?

Title: Re: lattice-attack || how to run without error
Post by: ymgve2 on April 24, 2022, 06:07:46 PM

Quote
Quote
Really ? Generate someone fake rsz please for valid pubkey, and for ex valid s...
No problem. There are fake r,s,z values for the public key from the Genesis Block:
Quote
Code:
fake_signatures.py 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
So, if you want to break for example puzzle 120, you don't need two real weak signatures. You need two any weak signatures, that are valid from ECDSA point of view, and that will pass lattice attack (because you cannot use for example N and N-1, they are too close and if one signature will be a tweaked version of another one, it will obviously not work). You don't need any real transaction that can be hashed to z-value, because after breaking the private key, you could make it and sign it from scratch.

How did you generate those fake signatures, though? I'm assuming you did some manipulation of an existing signature, which means the new signatures will have a linear relationship with the original and each other, making them useless for lattice attacks. Are they even weak, or does the process generate a completely random unknown nonce?

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 25, 2022, 03:11:51 AM

I try to test with private key 120-bit
script can find 120-bit key (just modify the script random number from curve 256bit to random 120 bit)
if like to test with puzzle 120 how to implement to hash (z)
in the sample, file generate data.json have only R and S and 8bit leak nonce
What is the data message at the end file on data.json
it is just for testing (possible not works)

Title: Re: lattice-attack || how to run without error
Post by: stanner.austin on April 25, 2022, 12:20:30 PM

@ymgve2
To generate fake r,s,z you can use public point and calculate 2 random and add it.
For example G is ecdsa SECP256k1 generator, PublicKey is ecdsa point, N is order
u = randint(1, N)
v = randint(1, N)
r = (u*G+v*PublicKey).x.num % N;
s = r * pow(v, N-2, N) % N
z = u * s % N
Now you have valid r,s,z pair for that public key.

@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z,leak data need else this attack will not work.
Still there is no way to leak or know 4 bit even for generated or original signed R.

Title: Re: lattice-attack || how to run without error
Post by: ymgve2 on April 25, 2022, 02:49:36 PM

Quote
@ymgve2
To generate fake r,s,z you can use public point and calculate 2 random and add it.
For example G is ecdsa SECP256k1 generator, PublicKey is ecdsa point, N is order
u = randint(1, N)
v = randint(1, N)
r = (u*G+v*PublicKey).x.num % N;
s = r * pow(v, N-2, N) % N
z = u * s % N
Now you have valid r,s,z pair for that public key.
@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z,leak data need else this attack will not work.
Still there is no way to leak or know 4 bit even for generated or original signed R.

With that method, you don't know anything about the nonce, since it would be k = u + v*priv and you don't know the private key. So it will not be weak, and useless for lattice attacks.

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 25, 2022, 03:57:50 PM

Quote
With that method, you don't know anything about the nonce, since it would be k = u + v*priv and you don't know the private key. So it will not be weak, and useless for lattice attacks.

You are almost right.
Almost, because you can try using non-random values and see, what would happen then, and why it can be useful for some attacks.

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on April 26, 2022, 12:33:58 AM

Quote
@ymgve2
To generate fake r,s,z you can use public point and calculate 2 random and add it.
For example G is ecdsa SECP256k1 generator, PublicKey is ecdsa point, N is order
u = randint(1, N)
v = randint(1, N)
r = (u*G+v*PublicKey).x.num % N;
s = r * pow(v, N-2, N) % N
z = u * s % N
Now you have valid r,s,z pair for that public key.
@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z,leak data need else this attack will not work.
Still there is no way to leak or know 4 bit even for generated or original signed R.

I think possible try with MSB OR LSB 0000 OR 0000 0000
Z IS a signed message, i think it is in data (i dont remember exact)

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on April 26, 2022, 01:11:49 PM

Quote
@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z, leak data need else this attack will not work.
Still, there is no way to leak or know 4 bit even for generated or original signed R.

Thank you
I try 4 bit already, I use by command
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t MSB -n 50
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t LSB -n 50
I found some key lattice-attack can not be found the key.
lattice-attack can not be found 100%
I think lattice-attack is not worked for solve puzzle
We are just users of lattice, just users use it
if lattice-attack it works I think many mathematics use it for
however, if using lattice-attack should be doing like use Kangaroo solve ECDSA need developer code and apply it a new one
I believe all methods on the internet that publish still can not use for solve puzzle #120
A better method is used generate a key to sample and create new one algorithm that can find key

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on April 26, 2022, 01:36:41 PM

Quote
@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z, leak data need else this attack will not work.
Still, there is no way to leak or know 4 bit even for generated or original signed R.
Thank you
I try 4 bit already, I use by command
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t MSB -n 50
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t LSB -n 50
I found some key lattice-attack can not be found the key.
lattice-attack can not be found 100%
I think lattice-attack is not worked for solve puzzle
We are just users of lattice, just users use it
if lattice-attack it works I think many mathematics use it for
however, if using lattice-attack should be doing like use Kangaroo solve ECDSA need developer code and apply it a new one
I believe all methods on the internet that publish still can not use for solve puzzle #120
A better method is used generate a key to sample and create new one algorithm that can find key

I develop my own method based on dividing pubkey, but for found root divider (dividing without float part) needs pubkeys in amount of down range, for ex if down to 40 bit, need 2^40 pubkeys !!
Lattice work, but lattice not most good method, also for ex https://github.com/malb/bdd-predicate

Title: Re: lattice-attack || how to run without error
Post by: CrunchyF on April 28, 2022, 09:14:35 AM

Hi garlonicon.
Please can u explain this part of your code?

Code:
z/r=SHA-256("120-bit puzzle")=c43bc2e003908850dda3ff2fec69c3028027260ea7eef98746260eb83abe0a18

I understand that you calculate a new signature from R = pubkey.x but i don't why you use pseudo random value for z/r and s/r

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on April 28, 2022, 03:48:04 PM

Quote
but i don't why you use pseudo random value for z/r and s/r

Because then it can be similar to some real signature in a real transaction. Hash functions are perfect for getting pseudorandom values that has some nice properties. I could use small values like 1,2,3, I could invent values like 1234567890, but hashing something gives you some pseudorandom value, so it is easier to just call some hash function and make it deterministic, than to invent your own way of getting random values. Also, there are just examples, so I don't need truly random numbers and I can just make it pseudorandom. Another reason is that if you want to test things, you can hash small numbers, like SHA-256("1"), and reproduce that easily, without storing all hashes.

Title: Re: lattice-attack || how to run without error
Post by: stanner.austin on April 28, 2022, 04:51:11 PM

@garlonicon
Is there any reason why attack fail one of random value is linear ?
For example i used u =randint(1, N); v = randint(1, N); then loop it u = u +1 keep v same to get LSB of nonce only increasing. but lattice attack fail with "infinite loop in babai"
Unless both value is random its not working and no way to leak nonce on that case. any idea ?

Title: Re: lattice-attack || how to run without error
Post by: vjudeu on April 28, 2022, 07:51:31 PM

Quote
but lattice attack fail with "infinite loop in babai"

There are errors in this code, so if it cannot find the private key by using LLL reduction, it will go to other algorithms and will fail. Or there are missing assertions, so some arguments are passed into some algorithms, and you reach things like dividing by zero, in some internal implementation of some other algorithms. That usually happens when you have one tweaked signature instead of having two different signatures.

Quote
Unless both value is random its not working and no way to leak nonce on that case. any idea ?

The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures. They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1.

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on April 28, 2022, 09:23:35 PM

Quote
Quote
but lattice attack fail with "infinite loop in babai"
There are errors in this code, so if it cannot find the private key by using LLL reduction, it will go to other algorithms and will fail.
Or there are missing assertions, so some arguments are passed into some algorithms, and you reach things like dividing by zero, in some internal implementation of some other algorithms. That usually happens when you have one tweaked signature instead of having two different signatures.
Quote
Unless both value is random its not working and no way to leak nonce on that case. any idea ?
The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures. They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1.

Best choice use a signatures from 1 transaction but with multiple outputs. All signatures will be with same length and z value, but i not sure all same z sigs is good or bad.

Quote
Quote
but lattice attack fail with "infinite loop in babai"
There are errors in this code, so if it cannot find the private key by using LLL reduction, it will go to other algorithms and will fail. Or there are missing assertions, so some arguments are passed into some algorithms, and you reach things like dividing by zero, in some internal implementation of some other algorithms. That usually happens when you have one tweaked signature instead of having two different signatures.
Quote
Unless both value is random its not working and no way to leak nonce on that case. any idea ?
The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures.
They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1.
Best choice use a signatures from 1 transaction but with multiple outputs. All signatures will be with same length and z value, but i not sure all same z sigs is good or bad.

And order p+1,p-1 maybe help too

This is another interesting, I think. All this codes find a PRIVATE KEYS OF EC PUBLIC KEYS !!!:
https://crypto.stackexchange.com/questions/25644/elliptic-curve-brute-forcing
https://crypto.stackexchange.com/questions/6061/discrete-logs-on-elliptic-curve-with-embedding-degree-3-with-the-mov-attack/6071#6071
https://pastebin.com/jGB9sTq8
Need try this codes for secp256k1

This sage code contain all examples how to modify previous codes for secp256k1
https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md

Try someone modify codes, what result you get ? Please not talk what this codes not work before try.
In any book no info, what if divide 120 public key to 2^40, you get 2^80 pubkey, and possible to additionally downgrade 2^40 pubkeys to 2^20 pubkeys. And Zielar, for ex, can hack easy 2^80 pubkey, with 2^20 pubkeys, because he has money and we are not have.
Share any of your result to others in this thread, this knowledge is really hard, chances what someone will be more faster then you and get any public key privkey is very small, but if we are share knowledge maybe we get result, and not only blablabla...
Regards

Another method for finding privkey from professor of cryptography
https://replit.com/@billbuchanan/gomov
Try please modify this code and share results, I cant do all work alone !
Br.

Patented scalar multiplication 30% faster then double and add
https://ethresear.ch/t/introducing-bandersnatch-a-fast-elliptic-curve-built-over-the-bls12-381-scalar-field/9957

Lattice attack ex, i not try. Try someone ?
Use trick in nonce... ::)
https://github.com/mimoo/SSL-TLS-ECDSA-timing-attack/blob/master/setup/client/offline/lattice.sage

[moderator's note: consecutive posts merged]

Title: Re: lattice-attack || how to run without error
Post by: bigvito19 on May 16, 2022, 11:05:41 AM

I was attempting to use this but did get a lot of errors.

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 16, 2022, 11:17:55 AM

Quote
I was attempting to use this but did get a lot of errors.

Link with code and description for recovering private key from signatures. Code in python for work with 128 bit nonce only:
code: https://asecuritysite.com/ecc/ecd
description: https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/
how to modify code for work with 256 bit signatures ?

Title: Re: lattice-attack || how to run without error
Post by: bigvito19 on May 16, 2022, 11:46:57 AM

Quote
I was attempting to use this but did get a lot of errors.
Link with code and description for recovering private key from signatures. Code in python for work with 128 bit nonce only:
code: https://asecuritysite.com/ecc/ecd
description: https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/
how to modify code for work with 256 bit signatures ?

I already told you to just change lines 17 and 18 to 256 and it will work
https://asecuritysite.com/ecc/ecd
k1 = random.randrange(1, pow(2, 256))
k2 = random.randrange(1, pow(2, 256))

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 16, 2022, 12:36:08 PM

Quote
I was attempting to use this but did get a lot of errors.
Link with code and description for recovering private key from signatures. Code in python for work with 128 bit nonce only:
code: https://asecuritysite.com/ecc/ecd
description: https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/
how to modify code for work with 256 bit signatures ?
I already told you to just change lines 17 and 18 to 256 and it will work
https://asecuritysite.com/ecc/ecd
k1 = random.randrange(1, pow(2, 256))
k2 = random.randrange(1, pow(2, 256))

private key not found. only message "private key", but no second message "private key found"

Title: Re: lattice-attack || how to run without error
Post by: bigvito19 on May 16, 2022, 01:12:47 PM

Quote
I was attempting to use this but did get a lot of errors.
Link with code and description for recovering private key from signatures. Code in python for work with 128 bit nonce only:
code: https://asecuritysite.com/ecc/ecd
description: https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/
how to modify code for work with 256 bit signatures ?
I already told you to just change lines 17 and 18 to 256 and it will work
https://asecuritysite.com/ecc/ecd
k1 = random.randrange(1, pow(2, 256))
k2 = random.randrange(1, pow(2, 256))
private key not found. only message "private key", but no second message "private key found"

What private key it was looking for because it was random

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 16, 2022, 01:26:25 PM

Quote
I was attempting to use this but did get a lot of errors.
Link with code and description for recovering private key from signatures. Code in python for work with 128 bit nonce only:
code: https://asecuritysite.com/ecc/ecd
description: https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/
how to modify code for work with 256 bit signatures ?
I already told you to just change lines 17 and 18 to 256 and it will work
https://asecuritysite.com/ecc/ecd
k1 = random.randrange(1, pow(2, 256))
k2 = random.randrange(1, pow(2, 256))
private key not found. only message "private key", but no second message "private key found"
What private key it was looking for because it was random

yes random, you can replace generated r,s from random to r,s from bitcoin signature, after it will be not random. but, this version for 128 bit nonce. btx is a 252-256 bit nonce

Title: Re: lattice-attack || how to run without error
Post by: stanner.austin on May 17, 2022, 12:58:07 PM

@COBRAS
It's a different attack with lowest nonce under 127 bit & his weakness. Only bitlogik lattice-attack is most powerful i can feel. For example if you have any private key under 128 bit. for example puzzle 120. If you use linear random value or single known higher random(0xf000000000000000000000000000000000000000000000000000000000000000) to start with and divide it in each time till 100 sign is made.(after 51 sign can use 128 bit random to make sign.) You just have 33 or less nonce kp to worry about, because rest is 0 on MSB. i tested on my single pc with 16 thread its not powerful to cover it. need at least 128 thread with 4/5 pc to finish whole range fast.

Title: Re: lattice-attack || how to run without error
Post by: bigvito19 on May 17, 2022, 01:55:21 PM

I got the bitlogik lattice-attack to work https://github.com/bitlogik/lattice-attack
So how do I go about attacking a public key or public keys?

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 17, 2022, 02:44:29 PM

@COBRAS It's a different attack with lowest nonce under 127 bit & his weakness. Only bitlogik lattice-attack is most powerful i can feel. For example if you have any private key under 128 bit. for example puzzle 120. If you use linear random value or single known higher random(0xf000000000000000000000000000000000000000000000000000000000000000) to start with and divide it in each time till 100 sign is made.(after 51 sign can use 128 bit random to make sign.) You just have 33 or less nonce kp to worry about, because rest is 0 on MSB. i tested on my single pc with 16 thread its not powerful to cover it. need at least 128 thread with 4/5 pc to finish whole range fast.

So, you need 128 or 4*128 thread ? 64 thread is possible, I think 128 possible too. Your code work with less 128 bit nonce, you tested it ? P.s. then I try with 0000 msb and lsb, nothing found with his lattice attack. R.

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on May 18, 2022, 09:07:39 PM

Quote
Only bitlogik lattice-attack is most powerful i can feel.

I tried it, but it is somewhat buggy. You can take 120-bit key and use two random 120-bit values to get as many 240-bit signatures as you need (because first you will add one random 120-bit number to another 120-bit number, and then you will multiply that by another 120-bit value, by choosing the right range, you can always make sure that the first 16 bits are zero). No matter how many 240-bit k-values in signatures I had, I could never reach any 120-bit key from that.
LLL is going through that without printing any key, and then other algorithms have some bugs, because there are "infinite loop in babai" and other similar messages in their internal implementation. So, I partially know how to attack 120-bit keys, but I cannot do that in practice (because this code is buggy, it would take some time to fix it).

Title: Re: lattice-attack || how to run without error
Post by: stanner.austin on May 19, 2022, 08:53:44 AM

@garlonicon
i don't think it's a bug. "infinite loop in babai" I think it's like math divide by 0 on lattice attack. First calculated sign must be higher int value like i have posted. 0xf000000000000000000000000000000000000000000000000000000000000000 Later sign can use divide by 14 or 10 etc, till int reach to 2 then can use random 128 bit int and all this is valid and give first 33 only non zero MSB rest all are 0 starting K on MSB. i have tested with all possible combination no matter what i try i can't go lower than 33 kp requirement for 4 bit leaking.

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on May 19, 2022, 04:39:22 PM

Quote
i don't think it's a bug

It is a bug, because the code should not inform you that "something went wrong", but should give you the exact reason of what was wrong, and also why it could be wrong. Scripts should not just crash if you feed them with invalid entries. They should tell you, what is the correct format and why something does not work. So, "infinite loop in babai" says nothing. It says that there is some loop and that loop is infinite. But there could be a lot of reasons, actually, an assertion saying that "value==something" was false in file "sample.py" on line 123 would be a lot better than that. Also, I think that signatures are random enough, they are just random 240-bit values that are not connected at all. Adding random 120-bit and multiplying the result by random 120-bit will shuffle and mix everything, no matter what was the key we started with.
And we can get infinitely many signatures, so there always will be enough to try this kind of attack (also because there was an example with only six known bits that was solved correctly).

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 20, 2022, 02:03:49 AM

Quote
i don't think it's a bug

It is a bug, because the code should not inform you that "something went wrong", but should give you the exact reason of what was wrong, and also why it could be wrong. Scripts should not just crash if you feed them with invalid entries. They should tell you, what is the correct format and why something does not work. So, "infinite loop in babai" says nothing. It says that there is some loop and that loop is infinite. But there could be a lot of reasons, actually, an assertion saying that "value==something" was false in file "sample.py" on line 123 would be a lot better than that. Also, I think that signatures are random enough, they are just random 240-bit values that are not connected at all. Adding random 120-bit and multiplying the result by random 120-bit will shuffle and mix everything, no matter what was the key we started with. And we can get infinitely many signatures, so there always will be enough to try this kind of attack (also because there was an example with only six known bits that was solved correctly).

Hello, did you try this code ? Maybe this code had no bug, and more "powerful" for this talk, because has 3 algorithm include lattice https://github.com/malb/bdd-predicate

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 20, 2022, 03:04:49 AM

@garlonicon
You know how to downgrade pubkey range ? I try, but with div or subtraction but this like how to shoot to the galaxy from the gun. Task is finding very small range, for ex 2^80, need search this 2^80 in 2^119 so, about 549755813888 public of 2^80 in range 2^119+2^119(total 1/2 of 2^150. Subtraction had same difficulties. Then subtract, after you get pubkey smaller then target pubkey, difficulties of pubkey start grow, against fail... ???

It is possible make fake rsz for known pubkey ? Can someone generate rsz for pubkey 120 for ex , in format of lattice-attack script or bkz-predicate ? Br

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 20, 2022, 04:25:36 AM

Quote
i don't think it's a bug

It is a bug, because the code should not inform you that "something went wrong", but should give you the exact reason of what was wrong, and also why it could be wrong. Scripts should not just crash if you feed them with invalid entries. They should tell you, what is the correct format and why something does not work. So, "infinite loop in babai" says nothing. It says that there is some loop and that loop is infinite. But there could be a lot of reasons, actually, an assertion saying that "value==something" was false in file "sample.py" on line 123 would be a lot better than that. Also, I think that signatures are random enough, they are just random 240-bit values that are not connected at all. Adding random 120-bit and multiplying the result by random 120-bit will shuffle and mix everything, no matter what was the key we started with. And we can get infinitely many signatures, so there always will be enough to try this kind of attack (also because there was an example with only six known bits that was solved correctly).

I have a communication with bitlogic (lattice-attack coder) previously. If you can explain what a bug I can ask him for remove bug, or you can send him message directly.
Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 20, 2022, 06:59:27 PM

@garlonicon It is possible make fake rsz for known pubkey ? Can someone generate rsz for pubkey 120 for ex , in format of lattice-attack script or bkz-predicate ? Br

yes Cobras we can make valid transactions for pubkey, only then when this pubkey has minimum one output
i need : pubkey (x,y) , and transaction output as r s z
then I make perform "gauss reduction for this pubkey",
result will be: pubkey (still the same) new r,s,z valid for this pubkey (valid means : ecdsa verify)

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 20, 2022, 08:19:51 PM

@garlonicon It is possible make fake rsz for known pubkey ? Can someone generate rsz for pubkey 120 for ex , in format of lattice-attack script or bkz-predicate ? Br

yes Cobras we can make valid transactions for pubkey, only then when this pubkey has minimum one output i need : pubkey (x,y) , and transaction output as r s z then I make perform "gauss reduction for this pubkey", result will be: pubkey (still the same) new r,s,z valid for this pubkey (valid means : ecdsa verify)

I will make for 120, and simple with many transaction. Little later today or tomorrow. Don't go far away from this thread

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 20, 2022, 08:27:12 PM

no problem.
now I writing my own attack:
example : I have pubkey with one output r,s,z so I know r,s,z
we all know that if r (which is nonce*G) -> so if nonce is less 125 bit -> lattice standard reduction will find privatekey when we have only one output (one transaction)
so : We can make perform "new" transaction as below with loop: new r_new,s_new,h_new for the same pubkey as old_nonce minus 2**i bit then test in lattice that r (as nonce*G is in 0 to 125 bit):) if not -> then minus 2**i bit and so on:)

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 20, 2022, 08:36:43 PM

no problem. now I writing my own attack: example : I have pubkey with one output r,s,z so I know r,s,z we all know that if r (which is nonce*G) -> so if nonce is less 125 bit -> lattice standard reduction will find privatekey when we have only one output (one transaction) so : We can make perform "new" transaction as below with loop: new r_new,s_new,h_new for the same pubkey as old_nonce minus 2**i bit then test in lattice that r (as nonce*G is in 0 to 125 bit):) if not -> then minus 2**i bit and so on:)

You really can make code for this , and code for gauss reduction ? P.s. I will provide rsz for you any way

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 20, 2022, 08:40:22 PM

yes,
Title: Re: lattice-attack || how to run without error Post by: garlonicon on May 20, 2022, 09:05:37 PM Quote i need : pubkey (x,y) , and transaction output as r s z You need only pubkey. For lattice attack, your r,s,z can be faked, it will be as useful as something collected from some real transaction.Quote new r_new,s_new,h_new for the same pubkey as old_nonce minus 2**i bit Quote The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures. They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1. And that's why it would be better to start with 120-bit key, and make a lot of 240-bit signatures. You need some randomness to make it. I think getting it squared should be random enough to reveal the key, but this code still does not work for me, this "infinite loop in babai" is annoying and simply means that LLL found nothing, so other algorithms were used (and they failed somehow).Title: Re: lattice-attack || how to run without error Post by: COBRAS on May 21, 2022, 06:22:14 AM why randomnes? example : private key = 2**254 nonce = 2**200 and I have one r,s,z as r = nonce *G I dont know k but know r,s,z and pubkey then: 1. make new transaction for this pubkey as k - 2**10 > it is nonce 2*190 -> new s , new z -> check in lattice -> not find k 2. make new transaction for this pubkey as k - 2**20 > it is nonce 2*180 -> new s , new z -> check in lattice -> not find k ..... 20. 
new transaction for this pubkey as k - 2**80 > it is nonce 2*120 -> new s , new z -> check in lattice -> : founded k:) then calculate private key:) Bro, I cant find a my crypt fir getting all rsz from 1 adress, but for one rsz this utill is good: https://github.com/iceland2k14/rsz waiting from you generated rsz data with nonce <=128 bit ps code for calculating how many bits in r: file = open('r.txt', 'r+') for address in file.readlines(): num = int(address) length = len(bin(num)) length -=2 print ("total number of bits: ", length) Title: Re: lattice-attack || how to run without error Post by: brainless on May 21, 2022, 09:01:32 AM i don;t understand original RSZ from 120I can make valid new transactions from valid transaction but need pubkey and r,s,z from this transaction if you give me pubkey and r,s,z then I will give you sample :) few transactions as valid R: 00a285a9151ac1f9c40e88a2a80b79c702336536462a9390fd00dda999da45420a S: 1844883eb808df18a9138ee2c13439ecf716799edcf073772f2696e4f9384f58 Z: 7e17cf7c5b7ccfaa4c7c05874e4fb4f12661662b8e33188e2e62b3739931ade5 PubKey: 02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630 Title: Re: lattice-attack || how to run without error Post by: COBRAS on May 21, 2022, 12:18:57 PM Code: #puzzle 120 bit you need only one of this transaction - outgoing transaction Title: Re: lattice-attack || how to run without error Post by: stanner.austin on May 21, 2022, 01:40:31 PM @COBRAS
hello
This is puzzle 120 public calculated 100 sample with 120 bit random data MSB 16 bits is must "0000" in nonce, tested with multiple 120 bit range my own sample private keys. https://pastebin.com/RTg4PVv0
For LLL.reduction its no issue but BKZ.reduction will show error "infinite loop in babai" Same in linear random. This can't be fixed so far i know.

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 21, 2022, 05:03:28 PM

@ecdsa123
You get all data what you need for make lattice ?

cobras: here you have new transactions generate for pubkey it has been designed from the original from blockchain. check below: Code: #puzzle 120 bit

how many nonce bit in signs ? for lattice i think all signs must be same bits. But yours trans N2 is not equal to others transaction by length - r2 is bigger then r at other signs

it is the same bits as original r it is designed : original transaction : nonce k->unknown first transaction: nonce + 10 | or nonce + 100 (sorry don't remember) second transaction: nonce + 20 | or nonce + 200 (sorry don't remember) third transaction: nonce + 30 | or nonce + 300 (sorry don't remember) fourth transaction: nonce + 40 | or nonce + 400 (sorry don't remember) where nonce is still the same from original transaction

has msb or lsb ? you make gauss reduction for them ? on this address only 1 transaction for output transaction, doing something with input transaction and add them to lattice matrix bad idea.... then you will modify signs from 256 bit to 100 ?

in this example : all 4 transactions have the same msb - more than 240 bit

can you generate for puz 120, 89 signs with nonce not more 2^248 ? you can do it without msb or lsb

no one can, unless you know the privkey but you can make reductions, it take times, and you have to write algorithm to this. it is simple -> math and 128 cores, or GPU and coder which can implement algorithm in c++ at the moment i'm almost finish math equation for this.

you can find 128 core at https://vast.ai/

[moderator's note: consecutive posts merged]

Title: Re: lattice-attack || how to run without error
Post by: bigvito19 on May 21, 2022, 11:10:03 PM

This is an example from the data.json file from https://github.com/bitlogik/lattice-attack
{"curve": "SECP256K1", "public_key": [66412380102939781024918160349386680014552536369061587637080774389860461092925, 43765600116551195273677149966008783624760986110490190619082891899095205821463], "known_type": "LSB", "known_bits": 6, "signatures": [{"r": 77527664235581399957092079345479688400475999610428178825522649055070157244692, "s": 27028479468528243957334746793835087615740874028178347534667218420099431266524, "kp": 51, "hash": 36925504434266069211917383521197840104244330385311344434522880060028429358956}, {"r": 1695214956238129249280118258814363243967244974939577175204794511553033886344, "s": 84915535421556974430475608108845062567200591001138706902138971666887762297461, "kp": 23, "hash": 76485972818364982894032873079629726025969313708578174583231327504986349400949}, {"r": 109269381046386034156037076068908319933850763940108273610325408412215759654951, "s": 48609197671516297208867726715248596584655415925682996149314879813291177259719, "kp": 49, "hash": 8857850795789766547675189849758610890848461200122419912004299328172940180927}, {"r": 41835540276419198058500360048414380626372941221767888918686846392248041576696, "s": 1825469084617584873286736453038639812754935222429578990673573348028125348352, "kp": 29, "hash": 11771613120662486178657899205469606751879506909643902145426207541353014498651}, {"r": 107103142771724135475440435595118756234545765813796109423691918131480012001322, "s": 76403726951992633295737606623610572293691262686449016257400538234410247449075, "kp": 44, "hash": 109029154205057617106956764551702586575882058359417649302233515615948131520073}, {"r": 54544573696288124190943111180088654937224138523771919858599448193516058012815, "s": 75774534848938869077595821409914703967303095416625781047518021857023231109081, "kp": 44, "hash": Is this the public key its trying to look for [66412380102939781024918160349386680014552536369061587637080774389860461092925, 43765600116551195273677149966008783624760986110490190619082891899095205821463] ? 
So I convert the r,s,z into decimal, I see the r and s. Which one is the z, is it the kp? I'm trying to see what goes where. Title: Re: lattice-attack || how to run without error Post by: COBRAS on May 21, 2022, 11:46:54 PM This is an example from the data.json file from https://github.com/bitlogik/lattice-attack {"curve": "SECP256K1", "public_key": [66412380102939781024918160349386680014552536369061587637080774389860461092925, 43765600116551195273677149966008783624760986110490190619082891899095205821463], "known_type": "LSB", "known_bits": 6, "signatures": [{"r": 77527664235581399957092079345479688400475999610428178825522649055070157244692, "s": 27028479468528243957334746793835087615740874028178347534667218420099431266524, "kp": 51, "hash": 36925504434266069211917383521197840104244330385311344434522880060028429358956}, {"r": 1695214956238129249280118258814363243967244974939577175204794511553033886344, "s": 84915535421556974430475608108845062567200591001138706902138971666887762297461, "kp": 23, "hash": 76485972818364982894032873079629726025969313708578174583231327504986349400949}, {"r": 109269381046386034156037076068908319933850763940108273610325408412215759654951, "s": 48609197671516297208867726715248596584655415925682996149314879813291177259719, "kp": 49, "hash": 8857850795789766547675189849758610890848461200122419912004299328172940180927}, {"r": 41835540276419198058500360048414380626372941221767888918686846392248041576696, "s": 1825469084617584873286736453038639812754935222429578990673573348028125348352, "kp": 29, "hash": 11771613120662486178657899205469606751879506909643902145426207541353014498651}, {"r": 107103142771724135475440435595118756234545765813796109423691918131480012001322, "s": 76403726951992633295737606623610572293691262686449016257400538234410247449075, "kp": 44, "hash": 109029154205057617106956764551702586575882058359417649302233515615948131520073}, {"r": 54544573696288124190943111180088654937224138523771919858599448193516058012815, "s": 
75774534848938869077595821409914703967303095416625781047518021857023231109081, "kp": 44, "hash": Is this the public key its trying to look for [66412380102939781024918160349386680014552536369061587637080774389860461092925, 43765600116551195273677149966008783624760986110490190619082891899095205821463] ? So I convert the r,s,z into decimal, I see the r and s. Which one is the z, is it the kp? I'm trying to see what goes where. Read careful example file and will find all you need. first kp for ex = 51.hash is a z Title: Re: lattice-attack || how to run without error Post by: garlonicon on May 22, 2022, 06:53:07 AM Quote can you generate for puz 120, 89 sighns with nonce not more 2^248 ? Quote no one can, unless you know the privkey It is the opposite, everyone can do that. As I said, you only need the public key: https://pastebin.com/4fxUSrZTCode: x=0xceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630 Title: Re: lattice-attack || how to run without error Post by: stanner.austin on May 22, 2022, 08:43:55 AM @garlonicon
Confuse with nonce and random int use in signing ? Even with nonce 1 random int in sign always in 250 or higher bit. From public key we can multiply random int which increase public key hidden number known as K, so random int is a * K = R is generated. Code: private key 0x1000 Now same public key with 120 bit random int for multiplication Code: K: 0x000000000000000000000000000000079d523ff7bb533dc6d6fabf75a30ac000 as you see, K is multiply whatever value we use for random int. How ever there is one more thing if we multiply any public key with (N//2)+1 strange K come if private key is EVEN. This break private key in half. K is half of private key so R is half of public key. Example Code: K: 0x0000000000000000000000000000000000000000000000000000000000000800 Title: Re: lattice-attack || how to run without error Post by: garlonicon on May 22, 2022, 02:37:29 PM First, we look at signatures:
Code: s=(z+rd)/k Code: z/r=random Code: z/r=120_bit_number_v1 Edit: Quote show your code Code: def generates_signatures(curve): Title: Re: lattice-attack || how to run without error Post by: COBRAS on May 22, 2022, 07:21:40 PM @garlonicon, @ecdsa123 please reascthis pdf file. This is intresting fresh methos with success >60% but need deper knowlage of math and python then what I have. https://eprint.iacr.org › ...PDF A Tale of Three Signatures: practical attack of ECDSA with wNAF You will find this pdf easy in google. Title: Re: lattice-attack || how to run without error Post by: garlonicon on May 22, 2022, 07:25:08 PM Quote becouse now it is generator , you have connected transactions They are not, because it is used for hashing. So, you have SHA-256 of that. You can put "random" numbers here, but hashing can make it easier to reproduce each result when needed.Title: Re: lattice-attack || how to run without error Post by: COBRAS on May 22, 2022, 07:27:51 PM First, we look at signatures: Code: s=(z+rd)/k Code: z/r=random Code: z/r=120_bit_number_v1 Edit: Quote show your code Code: def generates_signatures(curve): can we add to sighnatures 121 bit what starts with 000000 ? this will.make lsb from our sighs ? if we thant divede is more easy, I try this method on publick key. For removing trandfer from + area to - area, is more good start with pubkey * -1, this will transfer pubkey priv range from -1 to -1-rage, result will belarge than -1, and range will be simple without start from 1 to N,, -N to -F, and will be -N to -F... 
this is puzzle 100 privkey ./md 0xaf55fc59c335c8ec67ed24826 - 0xfffffffffffffffffffffffff Result: fffffffffffffffffffffffffffffffebaaedce1a4a865d7f32eed534f088968 then subsract too mach, tlrange will be shifted to negative area, and nothin will be found in positivevsearch range but then start from negative area result will be maybe negative too ./md 0xfffffffffffffffffffffffffffffffebaaedcdbb9e8da9f8c75cfc65163f91b + 0xffffffffffffffffffffffff Result: fffffffffffffffffffffffffffffffebaaedcdcb9e8da9f8c75cfc65163f91a so search in negative area is more good I think. but found how many need substeact is not solved me. then subsract too mach privkey if publey start accumulate more bits, not substract. ps maybe this info will be helpfull Code: [code]I have rewrite code for sagemath here is part of output: Code: ---- index 18 so according above: private key = 50 k= 450 how the nonce k is calculated from pubkey (private key) simple: a*d + b = k nonce here a=9 and b = 0 so 9* 50 + 0 = 450 confirm : (True, '0x0', '0x9') it is generator it is useless. [/code] ./md 450 x -1 Result: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f = 115792089237316195423570985008687907852837564279074904382605163141518161493887 this is inversion of 450 you thant say what this is real nonce ? I think generator must be for ex y = X^400, x is a generator. . 
Br Cobras: ./md 450 x -1 Result: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f = 115792089237316195423570985008687907852837564279074904382605163141518161493887 this is inversion of 450 this value 115792089237316195423570985008687907852837564279074904382605163141518161493887 = n-450 so d*(-1)%n = n-d :) but according Garlonicon Generator ( yes, it is master math deduction Bravo for Garlonicon), we can use it: becouse: Code: ---- index 18 we know a part of k for any transaction(index) see Index 19: real k in transaction : k 139541082 but we know to real part as bits from this k : k 138475232 we can try use Lcd algorithm. Tomorrow I will try check. :) ok, waiting result with big interest ps 139541082 13 is 2 bytes, so 16 bits, this is enoth for finding priv... for all other transaction we have 2 bytes 2 ) try please find 2 bytes it will be good too .... :) I know what you know this, but maybe you forget avout it.. :) regards Code: [code]I have rewrite code for sagemath here is part of output: Code: ---- index 18 so according above: private key = 50 k= 450 how the nonce k is calculated from pubkey (private key) simple: a*d + b = k nonce here a=9 and b = 0 so 9* 50 + 0 = 450 confirm : (True, '0x0', '0x9') it is generator it is useless. [/code] ./md 450 x -1 Result: fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0363f7f = 115792089237316195423570985008687907852837564279074904382605163141518161493887 this is inversion of 450 you thant say what this is real nonce ? I think generator must be for ex y = X^400, x is a generator. . Br Someone, please, upload sage scryot to transfer.sh I from phone, very hard copy/paste without lost tabulation Regards @ecdsa123 is any news about lcd ? 
br Code: [code]I have rewrite code for sagemath here is part of output: Code: ---- index 18 so according above: private key = 50 k= 450 how the nonce k is calculated from pubkey (private key) simple: a*d + b = k nonce here a=9 and b = 0 so 9* 50 + 0 = 450 confirm : (True, '0x0', '0x9') it is generator it is useless. [/code] formule "450 / 9 = priv" not work for all sighns. I thin is very hard or inposivle crack with lattice . Method very expesive of time... [moderator's note: consecutive posts merged] Title: Re: lattice-attack || how to run without error Post by: NotATether on May 24, 2022, 03:53:24 AM formule "450 / 9 = priv" not work for all sighns. I thin is very hard or inposivle crack with lattice . Method very expesive of time... Have you ran benchmarks on this program? GNU/Linux has a "time" command which you can use to measure the running time of a program. Maybe a little modular invert doesn't take much time but when you start doing that to hundreds of signatures, you start to notice the slwness. Alternatively, you can gain a (limited) performance speedup by converting it to C language utilizing pthreads. Title: Re: lattice-attack || how to run without error Post by: COBRAS on May 24, 2022, 04:43:10 AM formule "450 / 9 = priv" not work for all sighns. I thin is very hard or inposivle crack with lattice . Method very expesive of time... Have you ran benchmarks on this program? GNU/Linux has a "time" command which you can use to measure the running time of a program. Maybe a little modular invert doesn't take much time but when you start doing that to hundreds of signatures, you start to notice the slwness. Alternatively, you can gain a (limited) performance speedup by converting it to C language utilizing pthreads. Lattice is about 500 sighnatures max. not cheched perfofance. but, formula 450 /9 work not for all sighnatures. interesting check know part, I nit checked ... ni tine for this. 
If know part finder work ithis is a good new, and this enoth for find priv ecdsa123, not answered, naybe hi provide something more interesting, will see modular inv can make illusion of saccess, and add unknown var to formula. Then in fornula only uknown vars and them modification this maybe can be false positive results.Maybe ecdsa123, find false positive result and not writing more... @ecdsa123, come on, lets talk, maybe we find something usefull :) Title: Re: lattice-attack || how to run without error Post by: ecdsa123 on May 24, 2022, 06:56:33 AM I thin is very hard or inposivle crack with lattice . Method very expesive of time... ecdsa123, not answered, naybe hi provide something more interesting, will see modular inv can make illusion of saccess, and add unknown var to formula. Then in fornula only uknown vars and them modification this maybe can be false positive results.Maybe ecdsa123, find false positive result and not writing more... @ecdsa123, come on, lets talk, maybe we find something usefull :) first need speak with @Garlonicon after a lot of tests...it could be works:) it is really hard but not impossible. @Garlonicon, please write to me or change for allow to receive e-mail from newbie. We really need to talk it is important for us both. Title: Re: lattice-attack || how to run without error Post by: garlonicon on May 24, 2022, 03:38:54 PM Quote or change for allow to receive e-mail from newbie Changed. But I don't know, why I am so important? ECDSA security can be discussed publicly, for example here, in this topic. People should be aware of all possible attacks and be ready to deal with them. But of course I can also respond to private messages, no problem.Title: Re: lattice-attack || how to run without error Post by: COBRAS on May 24, 2022, 09:05:08 PM Quote or change for allow to receive e-mail from newbie Changed. But I don't know, why I am so important? ECDSA security can be discussed publicly, for example here, in this topic. 
People should be aware of all possible attacks and be ready to deal with them. But of course I can also respond to private messages, no problem.Yes, discus publicly. Sacces can be in 0,1%. Maybe someone can add good things to discus Title: Re: lattice-attack || how to run without error Post by: ecdsa123 on May 24, 2022, 10:07:52 PM Cobras,
it is almost impossible. There could be chance , but implement environment for this , it is not for one person. first -> please read WhiteBox find on google.

Title: Re: lattice-attack || how to run without error
Post by: iceland2k14 on May 25, 2022, 05:32:59 AM

As you can see, it works. There are 100 signatures. Lattice cannot reveal the solution, no matter that all signatures are in 240-bit range. By checking "z/r" and "r/s", you can make sure that all of my signatures are in the correct range, just assume that the private key is in 120-bit range, and do addition/multiplication to see the range of the signature nonces.

Signatures derived this way is most likely reaching to degenerate system of equations incomprehensible by Lattice reduction.

Title: Re: lattice-attack || how to run without error
Post by: CrunchyF on May 26, 2022, 02:50:58 PM

Signatures derived this way is most likely reaching to degenerate system of equations incomprehensible by Lattice reduction.

can u explain more please?

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on May 26, 2022, 04:18:35 PM

I think I understand. I guess it means that such attack is trying to solve x=2y by adding 2x=4y. It won't work. Why? Because it would be "degenerate system of equations", so it won't produce any new solutions, everything will be as unknown, as it was before.
Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 26, 2022, 04:53:42 PM
I think I understand. I guess it means that such attack is trying to solve x=2y by adding 2x=4y. It won't work. Why? Because it would be "degenerate system of equations", so it won't produce any new solutions, everything will be as unknown, as it was before.
ecdsa123 really find partial nonce ?

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on May 26, 2022, 05:37:06 PM
Quote: ecdsa123 really find partial nonce ?
I don't know. For now, I don't have any proof. No moved coins, no revealed keys, so not yet. But I think it will soon be obvious, is this attack successful or not (today, I guess it will fail).

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 26, 2022, 07:31:30 PM
below output:
private key :101391487656071791739308955354353221
it is very hard (really hard), but not impossible. analyse outputs so: generate 2 x 8 transactions as: 1 to 8 and 1 to 8 as negative. and r = s :D so :
leak : 0x000000000000000000000000000000000000001386fc7de303201ef7a5128b85
leak : 0x000000000000013870c7de303201ef7a5128b8415b03821cfcdfe1085aed747a
joint together and perform ENHP + doubled reduction with pruned we can see that output on 16 bits is our privatekey. but -> this is for "theoretically" when you know exactly what range bit is you pubkey, without this knowledge, those attack is useless.
Code: ---- index 2
ps. time for finding if you know "subrange" almost 6 hours. without knowing subrange - years years years
Ps. Cobras be sure better mathematician than me checked that, and they know that is useless.

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 26, 2022, 08:00:09 PM
below output: private key :101391487656071791739308955354353221
it is very hard (really hard), but not impossible. analyse outputs so: generate 2 x 8 transactions as: 1 to 8 and 1 to 8 as negative. and r = s :D so :
leak : 0x000000000000000000000000000000000000001386fc7de303201ef7a5128b85
leak : 0x000000000000013870c7de303201ef7a5128b8415b03821cfcdfe1085aed747a
joint together and perform ENHP + doubled reduction with pruned we can see that output on 16 bits is our privatekey. but -> this is for "theoretically" when you know exactly what range bit is you pubkey, without this knowledge, those attack is useless.
Code: ---- index 2
ps. time for finding if you know "subrange" almost 6 hours. without knowing subrange - years years years
Ps. Cobras be sure better mathematician than me checked that, and they know that is useless.
Hi. k and k in your code is input ? can you provide code and more description what is what ? thx

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 26, 2022, 08:01:40 PM
no.
K is nonce in integer (for testing to know)
input are r,s,z generate by script from Garlonicon with my "modification".

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 26, 2022, 08:13:11 PM
@ecdsa, collect some real rsz from blockchain and try your code ?
can use 1 transaction with many output. Possible it will be more easy for use thx.

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 26, 2022, 08:39:18 PM
@ecdsa, collect some real rsz from blockchain and try your code ? can use 1 transaction with many output. Possible it will be more easy for use thx.
it is useless. as inform if you know subrange it is 6 hours. if not "time is years or millenniums", I have use to try : https://eprint.iacr.org/2022/385 White-Box and here pdf: https://eprint.iacr.org/2022/385.pdf

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 26, 2022, 08:58:50 PM
@ecdsa, collect some real rsz from blockchain and try your code ? can use 1 transaction with many output. Possible it will be more easy for use thx.
it is useless. as inform if you know subrange it is 6 hours. if not "time is years or millenniums", I have use to try : https://eprint.iacr.org/2022/385 White-Box and here pdf: https://eprint.iacr.org/2022/385.pdf
how get subranges ? code for get them pls ?

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 26, 2022, 09:13:40 PM
page no 18 in pdf
Code: Finding the inversion of the nonce. During the computation of s, the nonce k
so for us important is last sentence: They are expressed as linear combinations
so modify garlonicon script for linear combination which you can easy calculate. WHola. ende finish
but is not for real "transactions", it is very very hard

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 26, 2022, 09:16:02 PM
show priv of 120, 125 or 130 bit puzzle ?
pls

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on May 26, 2022, 09:29:54 PM
. Cobras be sure better mathematician than me checked that, and they know that is useless.
Title: Re: lattice-attack || how to run without error
Post by: COBRAS on May 26, 2022, 10:01:24 PM
. Cobras be sure better mathematician than me checked that, and they know that is useless.
::) i not understand this formulas, code too unfortunately. Bro, provide any proof of work of your codes ? on github 1000+ attacks but they not work on real data. generate signs for this pub and find a key ? 04e36a3452c8921ea9e093ebb94f544cab434abadd796566280e05d5ae22fad6a2017cfa0647d6e 458b12848c03fac10e3c44ecf3911dc2f2da90afc1ccf36f9f9 ?
@ecdsa123, help me in this thread pls ? https://bitcointalk.org/index.php?topic=5400202.0 thanks

Title: Re: lattice-attack || how to run without error
Post by: ymgve2 on May 28, 2022, 10:38:58 PM
@ecdsa, collect some real rsz from blockchain and try your code ? can use 1 transaction with many output. Possible it will be more easy for use thx.
it is useless. as inform if you know subrange it is 6 hours. if not "time is years or millenniums", I have use to try : https://eprint.iacr.org/2022/385 White-Box and here pdf: https://eprint.iacr.org/2022/385.pdf
White box attacks, which those papers are about, means the attacker is in full control of the computer that actually does the generation of the signature, and can measure timing and program flow during the generation of the signature. This is completely irrelevant to lattice attacks on weak nonces.
Title: Re: lattice-attack || how to run without error
Post by: fxsniper on June 05, 2022, 10:28:09 AM
What is this BKZ reduction : block size = 15
I test with 4-bit leak nonce and signature between 50-90 set many key losses and some key can calculate with BKZ reduction : block size = 15 and next until can recover (some)

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on June 05, 2022, 03:14:03 PM
What is this BKZ reduction : block size = 15 I test with 4-bit leak nonce and signature between 50-90 set many key losses and some key can calculate with BKZ reduction : block size = 15 and next until can recover (some)
you try on real rsz from bitcoin blockchain ?

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on June 06, 2022, 01:27:07 AM
you try on real rsz from bitcoin blockchain ?
Maybe, Are you have any script for collecting thousands rsz? but the problem is it is a 256-bit key not easy and it needs to develop high advance to do maybe try a test with some brainwallets but I would like to understand lattice first and how BKZ reduction: block size = 15 , it is works can possibly use million block size or brute force it I would like to try to modify the lattice-like use of kangaroo with collision if not yet understand how it works, can not use it.

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on June 06, 2022, 01:46:26 AM
you try on real rsz from bitcoin blockchain ?
Maybe, Are you have any script for collecting thousands rsz? but the problem is it is a 256-bit key not easy and it needs to develop high advance to do maybe try a test with some brainwallets but I would like to understand lattice first and how BKZ reduction: block size = 15 , it is works can possibly use million block size or brute force it I would like to try to modify the lattice-like use of kangaroo with collision if not yet understand how it works, can not use it.
I lost my script for collect rsz, I try find it and message additionally were

Title: Re: lattice-attack || how to run without error
Post by: PrivatePerson on August 29, 2022, 01:29:01 PM
https://github.com/bitlogik/lattice-attack How do you prepare the list to be loaded into this script?
gen_data.py is make data for use it
run script gen_data.py then you got file data.json and run lattice_attack.py
or run script gen_data.py -f filename then you got the file filename.json and run lattice_attack.py -f filename
I test already if not have a leak nonce it not works
test with a fake nonce leak (random) it never works

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on August 30, 2022, 04:01:28 PM
gen_data.py generate real data. By real, i mean valid ECDSA data. If you want to use own data, you should run gen_data.py and see it's output JSON file to know format data accepted by this tool.
I confirm gen_data.py generate real data. it is the same real RSZ from a real transaction example Huobi-wallet 1HckjUpRGcrrRAtFaaCAUaGjsPx9oYmLaZ million of RSZ script do same confirm
gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.
just put your own RSZ to JSON format the same gen_data.py generate data.json
you can use JSON format tools to read JSON data easy or modify gen_data.py to dump JSON data with indent options will help to read JSON format easy
1. easy manual add, put your own RSZ only by one done.
2. do yourself made script read RSZ and write to JSON format

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on August 30, 2022, 04:12:14 PM
gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.
use JSON Formatter, JSON Beautifier from only upload data.json to read easy
modify json.dump(sigs_data, fout) to json.dump(sigs_data, fout, indent=3)
add RSZ yourself to replace generated RSZ
you need more than 100 RSZ to calculate
RSZ without leak nonce is useless
try fake nonce leak bit or zero bit is making script error with some loop error
try to use real from some brainwallet (yes we know both private key and nonce)

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on August 31, 2022, 12:12:59 AM
gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.
use JSON Formatter, JSON Beautifier from only upload data.json to read easy modify json.dump(sigs_data, fout) to json.dump(sigs_data, fout, indent=3) add RSZ yourself to replace generated RSZ you need more than 100 RSZ to calculate RSZ without leak nonce is useless try fake nonce leak bit or zero bit is making script error with some loop error try to use real from some brainwallet (yes we know both private key and nonce)
this is real work ? i was try but unsuccessful. Can you show real example ?

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on August 31, 2022, 01:46:07 AM
this is real work ? i was try but unsuccessful. Can you show real example ?
it not works
I try 100 RSZ but it did not have real LEAK NONCE so I try to use zero 0 nonces and try fake leak nonce by random number
I do test fake leak nonce by random number 1 bit to 16 bit all got error and error loop infinite it is never work
maybe the script use nonce point in the right direction when got the wrong nonce, it is an error
work perfectly only with generating data from script or you can use some brain wallet leak address (yes, you got to know nonce)
you need a mathematician who can use this lattice attack
I think for lattice attack is interesting but you need to develop to advance to use it or maybe focus on one pubkey specific first, need to develop to can used without leak nonce
if want to use lattice attack, you need to understand in math of this method
for me too much advance for understanding this lattice-attack
research developer tells already in the video present if they succeed will be rich but if not success here they are present research paper to you know here
just idea impossible you can try using fake nonce random continue until meet but how to know correct leak nonce each develop some script auto-generate fake nonce and run it loop until found but it needs minimum 100 rsz
kangaroo may be possible and better just need to new way walk to meet key fast

Title: Re: lattice-attack || how to run without error
Post by: casinotester0001 on August 31, 2022, 05:38:38 PM
Can you show real example ?
Good idea!
But I don't know, why I am so important?
@garlonicon
Because you can explain this lattice method in a full example :) If you want, create a new thread, call it eg Lattice method explained
Take puzzle 100 data (or something else)
Make a step by step explanation in the OP.
People can ask, contribute and you can edit the OP.
Would be cool 8)

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on September 01, 2022, 12:19:36 AM
this is real work ? i was try but unsuccessful. Can you show real example ?
it not works I try 100 RSZ but it did not have real LEAK NONCE so I try to use zero 0 nonces and try fake leak nonce by random number I do test fake leak nonce by random number 1 bit to 16 bit all got error and error loop infinite it is never work maybe the script use nonce point in the right direction when got the wrong nonce, it is an error work perfectly only with generating data from script or you can use some brain wallet leak address (yes, you got to know nonce) you need a mathematician who can use this lattice attack I think for lattice attack is interesting but you need to develop to advance to use it or maybe focus on one pubkey specific first, need to develop to can used without leak nonce if want to use lattice attack, you need to understand in math of this method for me too much advance for understanding this lattice-attack research developer tells already in the video present if they succeed will be rich but if not success here they are present research paper to you know here just idea impossible you can try using fake nonce random continue until meet but how to know correct leak nonce each develop some script auto-generate fake nonce and run it loop until found but it needs minimum 100 rsz kangaroo may be possible and better just need to new way walk to meet key fast
bro, this is waste of time only.

Title: Re: lattice-attack || how to run without error
Post by: fxsniper on September 01, 2022, 11:13:18 AM
bro, this is waste of time only.
yes, absolute waste of time I try two times and quit

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on September 02, 2022, 04:41:36 AM
Quote: @garlonicon
Now I only know basic things, like for example how ECDSA works. Understanding how lattices works is ongoing, I need more time to come up with something useful. All what I already know is based on ECDSA properties.
For example, if you have a public key, then you can add or subtract any number or public key, or you can multiply and divide it by any known number. And based on that I know that any signature is just a relation between the public key and the "signature public key".
Because you can explain this lattice method in a full example :) If you want, create a new thread, call it eg Lattice method explained Take puzzle 100 data (or something else) Make a step by step explanation in the OP. People can ask, contribute and you can edit the OP. Would be cool 8)
Code: s=(z+rd)/k
Code: (Q+(z/r)*G)*(r/s)*G=R
But in general, the properties of ECDSA allows you to pick any "(z/r)" and "(r/s)" values. That means, you can create any lattice you want. And then, the quality of your lattice can decide, if you can recover the keys or not, because if they are not random enough, then you will reach nothing. Trying to solve "x=2y" by adding "2x=4y" just won't work, that's why it should be random enough.
So, as you can see, I know ECDSA relations. But the most useful part is still missing, because I still don't know how to construct a proper lattice that would allow recovering some keys. I tried to use that to recover small keys, but my lattices failed for keys with 8 bits, so something is not right and I still have to dig deeper to produce some general solution for lattices.

Title: Re: lattice-attack || how to run without error
Post by: casinotester0001 on September 02, 2022, 10:29:34 AM
Thanks for the explanation.
Now we could take puzzle 100 data, so we can create enough random signatures as we have the private key. And with these signatures, can you explain how the lattice-method works?

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on September 02, 2022, 05:22:22 PM
Quote: Now we could take puzzle 100 data, so we can create enough random signatures as we have the private key.
You can get that quite easily. Just pick any random key and combine it with some mask. For example:
Code: SHA-256("100-bit")=5f446017ab7a558fae2e58e7a5433ed6d3659024d0e5cb34dd479a80e5395802
Also note that producing any signature is not enough. Because you can obviously use "z/r" equal to "0bad" and "r/s" equal to "c0de", then you can safely assume that your key will have less than 120 bits. But even if you produce hundreds of such signatures, it won't help you, even if your public key and all of your "signature public key" will have a corresponding private key in 120-bit range. It is just not random enough. But on the other hand, if you will produce two random 120-bit signatures, you will probably recover your key. So, the randomness is the key.
Quote: And with these signatures, can you explain how the lattice-method works?
No, because I don't know that yet. Also because I don't think 100-bit keys were broken by lattice attacks. More probably they were beaten by Kangaroo or similar algorithms that don't require valid signatures.

Title: Re: lattice-attack || how to run without error
Post by: casinotester0001 on September 02, 2022, 10:57:23 PM
Quote: And with these signatures, can you explain how the lattice-method works?
No, because I don't know that yet. Also because I don't think 100-bit keys were broken by lattice attacks.
More probably they were beaten by Kangaroo or similar algorithms that don't require valid signatures.

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on September 03, 2022, 09:14:02 AM
Firstly if you are talking about lattice attack please be very careful with definition of this type attack:)
because there is no one "definition" for lattice attack. Lattice attack can be used only then if we define what we want to take as result. WE have a lot of "lattice attack" types like: CVP, SVP, Doubled CVP, and of course mystic "SLE method". all of this lattice attack is designed for something to find. YOU CANT USE "codes" and put there r,s,z without some "modification" to algorithm and waiting for good result.
here example:
1.) if we have 1 transaction with remarks: privatekey up to 128 bit : with nonce up to 128 bit -> lattice attack will show privatekey
2.) if we have 100 transaction with remarks: privatekey up to 2**20 bit : with nonce up to 253 bit -> lattice attack will show privatekey
3.) if we have 480 transaction with remarks: privatekey up to 2**10 bit : with nonce up to 254 bit -> lattice attack will show privatekey
4.) if we have 10 transaction with remarks: privatekey up to 2**200 bit : with nonce up to 240 bit -> lattice attack will show privatekey
what can we deduct? lattice attack is only bounded result depends the range of privatekeys.
second problem "if you will use" CVP against SVP you will be have another values.:)

Title: Re: lattice-attack || how to run without error
Post by: casinotester0001 on September 03, 2022, 10:56:37 AM
here example:
For 256-bit ECDSA with 8-bit leakage, I guess 50 (even 40) is enough.
1.) if we have 1 transaction with remarks: privatekey up to 128 bit : with nonce up to 128 bit -> lattice attack will show privatekey
2.) if we have 100 transaction with remarks: privatekey up to 2**20 bit : with nonce up to 253 bit -> lattice attack will show privatekey
3.) if we have 480 transaction with remarks: privatekey up to 2**10 bit : with nonce up to 254 bit -> lattice attack will show privatekey
4.)
if we have 10 transaction with remarks: privatekey up to 2**200 bit : with nonce up to 240 bit -> lattice attack will show privatekey
source: https://crypto.stackexchange.com/questions/98323/help-breaking-ecdsa-with-biased-nonces

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on September 03, 2022, 12:13:48 PM
Firstly if you are talking about lattice attack please be very careful with definition of this type attack:) because there is no one "definition" for lattice attack. Lattice attack can be used only then if we define what we want to take as result. WE have a lot of "lattice attack" types like: CVP, SVP, Doubled CVP, and of course mystic "SLE method". all of this lattice attack is designed for something to find. YOU CANT USE "codes" and put there r,s,z without some "modification" to algorithm and waiting for good result.
here example:
1.) if we have 1 transaction with remarks: privatekey up to 128 bit : with nonce up to 128 bit -> lattice attack will show privatekey
2.) if we have 100 transaction with remarks: privatekey up to 2**20 bit : with nonce up to 253 bit -> lattice attack will show privatekey
3.) if we have 480 transaction with remarks: privatekey up to 2**10 bit : with nonce up to 254 bit -> lattice attack will show privatekey
4.) if we have 10 transaction with remarks: privatekey up to 2**200 bit : with nonce up to 240 bit -> lattice attack will show privatekey
what can we deduct? lattice attack is only bounded result depends the range of privatekeys.
second problem "if you will use" CVP against SVP you will be have another values.:)
hi
You was show some yours results of finding privkey. i apologise you maybe has more knowledge then others. But, no codes for test, and fxsniper, me, and other peoples try and has no results.... so lattice "attack" waste of time for 90% of peoples.
show working code for continue talk...
Title: Re: lattice-attack || how to run without error
Post by: BHWallet on September 03, 2022, 11:07:52 PM
Can someone post a working python script for basic lattice attack? Thanks
Title: Re: lattice-attack || how to run without error
Post by: BHWallet on September 04, 2022, 05:44:50 PM
Firstly if you are talking about lattice attack please be very careful with definition of this type attack:) because there is no one "definition" for lattice attack.
That's true, but GitHub repository of this tool (lattice-attack) already state what kind of attack it perform.
Quote from: https://github.com/bitlogik/lattice-attack
It uses linear matrices and lattice basis reduction to solve a Shortest Vector Problem from a Hidden Number Problem.
Can someone post a working python script for basic lattice attack? Thanks
If you mean working script besides lattice-attack which mentioned by OP, i only can suggest script from this blog https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/.
Still waiting for working script...thanks in advance!

Title: Re: lattice-attack || how to run without error
Post by: PrivatePerson on September 04, 2022, 06:56:05 PM
--snip--
gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.
gen_data.py generate real data. By real, i mean valid ECDSA data. If you want to use own data, you should run gen_data.py and see it's output JSON file to know format data accepted by this tool.
I don't understand how it knows which address I want to attack?
Code: python3 gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 8 -t MSB -n 50
I collected 1000+ rsz from one address, is it possible to use it?
P.S. Sorry for my english, it's very difficult for me to translate.

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on September 05, 2022, 04:33:40 AM
Quote: I don't understand how it knows which address I want to attack?
It doesn't. All things are executed locally. All keys are random and all private keys are known.
If you want to attack real keys, you have to change that code, because it is only an example, where all private keys are first generated, and then limited to some range. Then, this generator only can show you that the attack works in practice: for locally generated keys, it can find a solution.
If you want to attack for example 120-bit key, then you have to modify that code. For example I tried using 120-bit "z/r" and 120-bit "r/s". Then, from 120-bit puzzle key, I've got 240-bit nonces. If you add N-bit number with N-bit number, the result has N+1 bits. If you multiply N-bit number by M-bit number, you can get M+N bits. By combining those two rules, your nonces could have: "(bit(119)+bit(119))*bit(120)=bit(120)*bit(120)=bit(240)". Then, after checking 100 random signatures that are guaranteed to have no more than 240 bits, you can see that it doesn't work. It is not random enough. It would work if you could use some 120-bit key, add some 256-bit value, multiply it by another 256-bit value, and somehow reach 240-bit value. But as it is not the case, the randomness in "z/r" and "r/s" is not sufficient to recover any key in that way, because both added and multiplied values are not random enough.

Title: Re: lattice-attack || how to run without error
Post by: BHWallet on September 12, 2022, 10:41:52 AM
Quote: I don't understand how it knows which address I want to attack?
It doesn't. All things are executed locally. All keys are random and all private keys are known. If you want to attack real keys, you have to change that code, because it is only an example, where all private keys are first generated, and then limited to some range. Then, this generator only can show you that the attack works in practice: for locally generated keys, it can find a solution.
If you want to attack for example 120-bit key, then you have to modify that code. For example I tried using 120-bit "z/r" and 120-bit "r/s". Then, from 120-bit puzzle key, I've got 240-bit nonces.
If you add N-bit number with N-bit number, the result has N+1 bits. If you multiply N-bit number by M-bit number, you can get M+N bits. By combining those two rules, your nonces could have: "(bit(119)+bit(119))*bit(120)=bit(120)*bit(120)=bit(240)". Then, after checking 100 random signatures that are guaranteed to have no more than 240 bits, you can see that it doesn't work. It is not random enough. It would work if you could use some 120-bit key, add some 256-bit value, multiply it by another 256-bit value, and somehow reach 240-bit value. But as it is not the case, the randomness in "z/r" and "r/s" is not sufficient to recover any key in that way, because both added and multiplied values are not random enough.

Title: Re: lattice-attack || how to run without error
Post by: garlonicon on September 12, 2022, 06:11:58 PM
Here is my modified version of "gen_data.py":
Code: #!/usr/bin/env python3

Title: Re: lattice-attack || how to run without error
Post by: BHWallet on September 14, 2022, 01:11:36 PM
Here is my modified version of "gen_data.py":
Code: #!/usr/bin/env python3
Thanks for sharing, but this code is too much for me, can't get it to work. I hope someone will sort it out soon and explain the attack in an understandable way

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on September 14, 2022, 07:17:20 PM
Here is my modified version of "gen_data.py":
Code: #!/usr/bin/env python3
Bro, can try talk with Antoine Ferron - BitLogiK at his github ? I think he can help modify code to working condition ??? https://github.com/bitlogik/lattice-attack/issues
ps I was talk with him previously, he is answer to question. Because I don't know what exact script do, for me hard will talk with him...

Title: Re: lattice-attack || how to run without error
Post by: BHWallet on September 15, 2022, 04:54:35 PM
Bro, can try talk with Antoine Ferron - BitLogiK at his github ? I think he can help modify code to working condition ??? https://github.com/bitlogik/lattice-attack/issues
ps I was talk with him previously, he is answer to question. Because I don't know what exact script do, for me hard will talk with him...
That's actually a great idea, if you guys want we could offer the creator some $ to edit the code.

Title: Re: lattice-attack || how to run without error
Post by: ecdsa123 on September 15, 2022, 05:04:01 PM
I can rewrite those code, for easy and understanding -> python with sage version
my propose $100 on my btc account, of course before start work

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on September 15, 2022, 07:50:56 PM
Bro, can try talk with Antoine Ferron - BitLogiK at his github ? I think he can help modify code to working condition ??? https://github.com/bitlogik/lattice-attack/issues
ps I was talk with him previously, he is answer to question. Because I don't know what exact script do, for me hard will talk with him...
That's actually a great idea, if you guys want we could offer the creator some $ to edit the code.
For talk about $$ for coder of original script for rsz generation, we need to know, what is difference of original and modified versions of script, and what not work in the script. May be this is impossible to solve ... unfortunately.
I have a telegram of original script developer, and first of all we need try ask him for free help and message post to developer issues in github on link what I provide previously in this thread. ???
br

Title: Re: lattice-attack || how to run without error
Post by: COBRAS on September 15, 2022, 07:52:55 PM
I can rewrite those code, for easy and understanding -> python with sage version my propose $100 on my btc account, of course before start work
and what will be your new code doing ? generate signatures like original script without real world use possible ?
br

Title: Re: lattice-attack || how to run without error
Post by: BHWallet on September 16, 2022, 09:35:01 AM
Bro, can try talk with Antoine Ferron - BitLogiK at his github ? I think he can help modify code to working condition ??? https://github.com/bitlogik/lattice-attack/issues
ps I was talk with him previously, he is answer to question. Because I don't know what exact script do, for me hard will talk with him...
That's actually a great idea, if you guys want we could offer the creator some $ to edit the code.
For talk about $$ for coder of original script for rsz generation, we need to know, what is difference of original and modified versions of script, and what not work in the script. May be this is impossible to solve ... unfortunately. I have a telegram of original script developer, and first of all we need try ask him for free help and message post to developer issues in github on link what I provide previously in this thread. ??? br
Just ask him can he edit the script in such a way that the user is able to paste a list of public keys or addresses and the script will go through that list and search for weaknesses. You can invite the creator to this thread.

Title: Re: lattice-attack || how to run without error
Post by: PrivatePerson on October 19, 2022, 08:20:49 PM
If I understand correctly from the answers on github, the creator does not want to change his code.
Title: Re: lattice-attack || how to run without error
Post by: krashfire on November 08, 2022, 04:33:06 PM
First, we look at signatures:
Code: s=(z+rd)/k
Code: z/r=random
Code: z/r=120_bit_number_v1
Edit:
Quote: show your code
Code: def generates_signatures(curve):
I tested your code. I believe the output gave several R and S value. I wish you had continue finishing the script. Z value and Kp didn't come out. What do I need to add in the script so that the Z_hash value and kp can be output?

Title: Re: lattice-attack || how to run without error
Post by: krashfire on December 04, 2022, 12:50:08 PM
Some problems with install fpylll
Developer using Ubuntu >= 20.04 So try on Ubuntu 20.04
pip install git+https://github.com/bitlogik/lattice-attack
pip install git+https://github.com/fplll/fpylll.git
All command try installs not successful both on os windows and Linux
using conda not successful too
conda install -c conda-forge fpylll
all methods include update apt too
sudo add-apt-repository universe
sudo apt update
sudo apt install python3-fpylll
pip install Cython
all fail
remove sagemath and it will work. somehow fpylll clash with sagemath and it does not run properly. removing sagemath will solve your issue.
in debian,
#apt remove sagemath
#apt update
then run your lattice_attack.py again.

Title: Re: lattice-attack || how to run without error
Post by: vhh on January 31, 2023, 07:07:15 PM
If I understand correctly from the answers on github, the creator does not want to change his code.
Well, the code is working as it should, so why should he change it? It finds the priv key from multiple signatures, when some LSB or MSB of each signature nonce is leaked.

Title: Re: lattice-attack || how to run without error
Post by: Bglhn on March 18, 2024, 11:09:26 AM
Hello friends. I've been trying to learn for a while. Where and how do you find the known bit value and Lbs/mbs? No matter what I did, I could not perform a successful lattice attack.
I'm sorry for my English and my inexperience. I'm trying to learn.