test

[ecdsa123]

[hexan123]

2000$ is a good price for brake bitcoin transaction .

Maybe I'm stupid, but the first example give me private key:
115792089237316195423570985008687907851824985096824206522838950949005526276248
in second example i have your right key:
1012579182250697859766212192512635217927

PS. I don't know how to calculate it

hexan/bD

[albert0bsd]

What is task : find math solution for finding the privatekey , you can use lattice, or other ( no bsgs, no pollard no index, no brute force)
you can use only transactions values ( k1,k2 and privatekey is only for testing knowledge)

I have an answer for you, There is no known way to obtain that value/equation.

That should break ECDSA

For what you are asking 2000$ USD is a little, minimum reward amount should be 20 million of bitcoins or at least all the balance on address with more than two spends

This remember me the fake puzzle of Bitcoin puzzle (3,350.00 BTC's )

[citb0in]

Today I give you possibility to earn $2000 in btc.

how will you pay? Put the $ 2,000 into a wallet with the private key that we should find, so the lucky guy can take the award. Everything else is a joke

[digaran]

Can you at least provide more information about the methods used to achieve what you are asking?
What I want to know, how does lattice attack work and are there any available tools for it? I just need to understand the concept, if you have any useful sources to give, it'd be great.

[albert0bsd]

You can see them in this video: Biased Nonce Sense Lattice attacks against weak ECDSA signatures in the wild

The solve it with lattices the k nonces need to have some kind of biased, but the problem is that you need many of them and there is no way to known if they are biased or not.



About tools for you have the iceland repository of rsz have some tool for it, but the las time that I try to test it with my own biased examples it doesn't work.

https://github.com/iceland2k14/rsz

[vjudeu]

If I setup the pubkey with transaction I have no guarance to take the solution.

Technically, it could be possible to create a Script, that will force to reveal the private key. The easiest way is to have OP_CAT, but this is beyond Bitcoin. However, some tricks are still possible, for example you can create two signatures in your output, and then require revealing a public key, that will connect both of them. And to be absolutely sure, you can require a third signature for that derived key, that will be different than two previous signatures. Also, to keep the same z-value, you can wrap all of that in OP_CHECKMULTISIG, for example by using 3-of-3 multisig, where all three keys and signatures will be dynamically adjusted. And then, some P2WSH or P2TR should be standard. Or you can try it out on testnet3 first, and make sure that the input data is useful enough, and then do the same thing with the real key you want to break.

everything is clear -> you must give a working algorithm.

This is also something you can require in your Script. Even if something is not directly supported, you can still create some longer Script, or even a chain of transactions, that would allow all of that. Because still, we have for example opcodes, which works on 32-bit values. And that is enough to for example build a custom script, that would be unlocked, if you would break N rounds of SHA-256. Of course, the naive approach does not scale, so for that reason you should probably start with testnet3 anyway. Or even with something like custom LN-based script, but I guess that would be harder to start with.

[COBRAS]

Hi users:)

Today I give you possibility to earn $2000 in btc.

I put two trasactions (below), for testing I add the nonce k1 and k2 , and the privatekey as pr1.

What is task : find math solution for finding the privatekey , you can use lattice, or other ( no bsgs, no pollard no index, no brute force)
you can use only transactions values ( k1,k2 and privatekey is only for testing knowledge)

everything is clear -> you must give a working algorithm.

privatekey = 1012579182250697859766212192512635217927
 

Code:

r1=91569536891656778098714370566123400538808691962301036137348069575478543413371    
s1=21986343255696161951638838250895082624842596755182648655691313830200114210986
z1=6438777035962518887320975299969341061899935085590046638463194556599680845483
k1= 5853058856940450056452093598338931896    
 
 

r2=61519875576959414226926169384481904657930768090393239472847547225569960244009     
s2=29672653379714264364848115664009668074279832200087452759694676488206965592960     
z2=4050084529116149167467364769454239620376951321631508848629310185885835508238
k2= 7445435163608072498280972003769376603     

only 2pcs of rsz and rsz ? for ltc needs 100 pcs

i hav scrypt of lattice for 100 pcs if rsz and nonce less then 250 bit

[garlonicon]

in this example when the nonces are less than 129 bit -> you need only two transactioons for lattice attack.

You should note one important thing: for puzzle 120 and puzzle 125, you have private keys with many zeroes. But nobody revealed the private key anyway, even though there are two or more transactions for each of them. Which means, you need a nonce, that has many zeroes, not the key itself! And that difference is quite important. Surprisingly, you can swap a key with a nonce, or even do a bitwise-swap, but it does not help in this specific case.

Another important thing to note, is that lattice is far from perfect, and can give you no results, even if your keys are quite small. I had some cases, where 8-bit keys were not broken, because some numbers were not aligned well. So, this is not the attack, that always works, even if someone will give you the proper algorithm, it can still fail for some specific keys.

So, good luck, but remember: lattice is not a solution for all problems, and it can easily fail even for weak keys (you can try using only lattice for all known keys in the puzzle, and see, how far you will get, you may be surprised, how many keys could fail).

[albert0bsd]

You should note one important thing: for puzzle 120 and puzzle 125, you have private keys with many zeroes. But nobody revealed the private key anyway, even though there are two or more transactions for each of them. Which means, you need a nonce, that has many zeroes, not the key itself! And that difference is quite important. Surprisingly, you can swap a key with a nonce, or even do a bitwise-swap, but it does not help in this specific case.

@garlonicon this is far away one of the best and simply answer in this topic that i've seen, I reach more or less to the same conclution some two months ago. I try to reorder/combine/add/subtract and other weird operations with the Signature proofs that we have on puzzle 120 and 125 without any success. I did all this thing trying to construct manually the LLL matrix but i see that is not possible interchange the privatekey and the nonce in this way.

Another important thing to note, is that lattice is far from perfect, and can give you no results, even if your keys are quite small. I had some cases, where 8-bit keys were not broken, because some numbers were not aligned well. So, this is not the attack, that always works, even if someone will give you the proper algorithm, it can still fail for some specific keys.

This is last part is some new for me now that you mention it it make a lot of sense, i am not a LLL expert, but I can explain a little bit this part and why it is not perfect.

In the video that i mention before : Biased Nonce Sense Lattice attacks against weak ECDSA signatures in the wild

We have some values in the Series of linear equations like:

Code:

K1 -t1d - a1 = 0 mod N
K2 -t2d - a2 = 0 mod N
K3 -t3d - a3 = 0 mod N
...
Kn -tnd - an = 0 mod N

And we need to write a matrix like in the image:



If you see carefuly we are omitting those constans a1, a2, ... an

Those values aren't necesary to construct the matrix becuase the lattice nature can more or less handle some of those "errors" but as you mention it is not always the case.

In the video Nadia said that more or less like:

Kind of high level version of this attacks is the if ummh, the secret nonce is kind or is small then the system of equations likely has only one solution and lattice can magically find it

Video at time: 5:53

[COBRAS]

@Cobras

in this example when the nonces are less than 129 bit -> you need only two transactioons for lattice attack.

but in this example of transaction "normal lll attack" cannot be done.
The output is not privatekey, but "s" signature from has been made.

the output will be 162 or 81  and it is correct , but it is not privatekey.

That means, there is possible take privatekey but I need someone who is master of Lattice equation.

understand.

I was talk about making lattixe attack with him in telegramm, he has a knowlage of formulas


https://github.com/malb/bdd-predicate