ABCbits
All questions you asked are already answered on the repository.
> what is data.json
From https://github.com/bitlogik/lattice-attack#use, data.json contains some information needed to perform the lattice attack.
> how to make it
You can either make it manually or use gen_data.py:
python3 gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 8 -t MSB -n 50
> how to run without error
You need to specify what kind of error you encountered. Have you fulfilled the requirements mentioned at https://github.com/bitlogik/lattice-attack#requirements?
fxsniper
April 16, 2022, 08:56:53 AM
Some problems with installing fpylll.
The developer is using Ubuntu >= 20.04, so I tried on Ubuntu 20.04:
pip install git+https://github.com/bitlogik/lattice-attack
pip install git+https://github.com/fplll/fpylll.git
All install commands I tried were not successful, both on Windows and Linux.
Using conda was not successful too:
conda install -c conda-forge fpylll
All methods, including updating apt too:
sudo add-apt-repository universe
sudo apt update
sudo apt install python3-fpylll
pip install Cython
All fail.
ABCbits
April 16, 2022, 12:22:41 PM Merited by pooya87 (3), Welsh (3)
> Some problems with installing fpylll.
> The developer is using Ubuntu >= 20.04, so I tried on Ubuntu 20.04:
> pip install git+https://github.com/bitlogik/lattice-attack
> pip install git+https://github.com/fplll/fpylll.git
> All install commands I tried were not successful, both on Windows and Linux.
> Using conda was not successful too:
> conda install -c conda-forge fpylll
> All methods, including updating apt too:
> sudo add-apt-repository universe
> sudo apt update
> sudo apt install python3-fpylll
> pip install Cython
> All fail.
There might be a problem with your Ubuntu 20.04 or the library's setup.py. I tried it on Debian 11 (inside a VM) and could run the library without any problem.
git clone https://github.com/bitlogik/lattice-attack
cd lattice-attack/
sudo apt install python3-cryptography python3-fpylll
python3 gen_data.py # generate example data
python3 lattice_attack.py -f data.json # perform attack with example data
This is the output:
----- Lattice ECDSA Attack -----
Loading data from file data.json
Running with 6 bits of k (LSB)
Starting recovery attack (curve SECP256K1)
Constructing matrix
Solving matrix ...
LLL reduction
Key found \o/
0xb75d59be7755c7af999687b769aeac541422ace964eb92d00f1c9a8017b1b7f9
fxsniper
April 16, 2022, 01:28:10 PM
> There might be a problem with your Ubuntu 20.04 or the library's setup.py. I tried it on Debian 11 (inside a VM) and could run the library without any problem.
Thank you ETFbitcoin. I did a quick test on Debian in WSL2 on Windows; it works. I got the same result running on Debian, no problem.
fxsniper
April 16, 2022, 02:42:20 PM
It is just mathematics research and it needs some leaked information to calculate; it cannot attack ECDSA that has no leaked data.
COBRAS
April 16, 2022, 07:23:19 PM
> It is just mathematics research and it needs some leaked information to calculate; it cannot attack ECDSA that has no leaked data.
The last bit is maybe possible to recover, or use a nonce which probably has its MSBs at zero....
fxsniper
April 19, 2022, 05:07:10 AM
Just a random idea: if lattice-attack can be modified, or can switch from weak nonce to calculating a weak private key, it may be possible to use it to solve the 120-160 bit puzzles. I mean lattice-attack can solve a weak 128-bit nonce and a 256-bit private key; if it can be modified to change the calculation to a strong nonce but weak private key, maybe it can be used to solve the 120-bit puzzle. But the 120-bit puzzle has only one set of R and S.
garlonicon
April 19, 2022, 07:13:43 AM
> if lattice-attack can be modified, or can switch from weak nonce to calculating a weak private key, it may be possible to use it to solve the 120-160 bit puzzles
It is possible, but there is only one problem: you need two signatures. And you need two random signatures, not just any two signatures. Lattice is not that deterministic, you cannot use N and N-1 as your 120-bit nonce. I tried solving this Taproot testnet puzzle transaction: 448b81b2b3c2c8558d268e4f515ff38eb6367d156babbc3733a14834a5a6e7b0. My conclusion is: even for small keys (like an 8-bit key) it is not so deterministic. You need a sufficiently random and weak key, you cannot just use any key.
fxsniper
April 19, 2022, 07:50:15 AM
> It is possible, but there is only one problem: you need two signatures. And you need two random signatures, not just any two signatures. Lattice is not that deterministic, you cannot use N and N-1 as your 120-bit nonce. I tried solving this Taproot testnet puzzle transaction: 448b81b2b3c2c8558d268e4f515ff38eb6367d156babbc3733a14834a5a6e7b0. My conclusion is: even for small keys (like an 8-bit key) it is not so deterministic. You need a sufficiently random and weak key, you cannot just use any key.
Right, it requires two signatures to calculate. I would like to try to check weak nonces from key generation. If I know the private key, how do I calculate the nonce in Python?
garlonicon
April 19, 2022, 08:12:15 AM Last edit: April 19, 2022, 08:22:27 AM by garlonicon
Just use your public key as the R-value in your signature.
address=17s2b9ksz5y7abUm92cHwG8jEPCzK3dLnT
pubkey=02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
R=02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
SHA-256("120-bit puzzle")=c43bc2e003908850dda3ff2fec69c3028027260ea7eef98746260eb83abe0a18
SHA-256("garlonicon")=272fc6644fedff1a897d6034bed23f61859e99440ee699033307976590316723

s=(z+rd)/k
sk=z+rd
sk-z=rd
d=(sk-z)/r
d=(s/r)k-(z/r)
d+(z/r)=(s/r)k
Q+(z/r)=(s/r)R

z/r=SHA-256("120-bit puzzle")=c43bc2e003908850dda3ff2fec69c3028027260ea7eef98746260eb83abe0a18
s/r=SHA-256("garlonicon")=272fc6644fedff1a897d6034bed23f61859e99440ee699033307976590316723
R=02ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
(s/r)R=02276385F22DF0977507516B945B57AC6A74EFEA22E957098B25BDE461696774A0
Q=(s/r)R-(z/r)
(z/r)*G=0315523C6FD9EBA6DB17B946888CA76AE0D3C2B53AB63901ABCAFA0D0A07552DEE
-(z/r)*G=0215523C6FD9EBA6DB17B946888CA76AE0D3C2B53AB63901ABCAFA0D0A07552DEE
Q=02B77D94ADE49B1FF647E012ACD91CF15A7DA1D553CC386E52D9C42E717FAEA4D0

z=(z/r)*r
r=ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
n=fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
z=2de0c47667be3d8a1a36140df763c4a6243ba04663863d761fa552d8d7791c03
s=(s/r)*r
s=2e92f964982c1337f36ca51cd0ca5cfce0526295a03597cc0ddf72babf55d065

Final signature:
Q=02B77D94ADE49B1FF647E012ACD91CF15A7DA1D553CC386E52D9C42E717FAEA4D0
z=2de0c47667be3d8a1a36140df763c4a6243ba04663863d761fa552d8d7791c03
r=ceb6cbbcdbdf5ef7150682150f4ce2c6f4807b349827dcdbdd1f2efa885a2630
s=2e92f964982c1337f36ca51cd0ca5cfce0526295a03597cc0ddf72babf55d065

Edit:
> If I know the private key, how do I calculate the nonce in Python?
s=(z+rd)/k
sk=z+rd
k=(z+rd)/s
sk-z=rd
d=(sk-z)/r
Final equations: If you know k, you can get d. If you know d, you can get k. It is a pair of connected numbers.
fxsniper
April 19, 2022, 04:01:56 PM
> Final equations: If you know k, you can get d. If you know d, you can get k. It is a pair of connected numbers.
I tried to use this to calculate puzzle #115 but it does not work. Can you help with a sample calculation for puzzle #115?
garlonicon
April 20, 2022, 05:50:23 PM
> Can you help with a sample calculation for puzzle #115?
So, let's see:
address=1NLbHuJebVwUZ1XqDjsAyfTRUPwDQbemfv
pubkey=0248d313b0398d4923cdca73b8cfa6532b91b96703902fc8b32fd438a3b7cd7f55
sig1=3045022100c3f5243089c5fc55cb215bb54d6e94f1fb09820a3e917cf52633ab9a5cea20af02207efcf46cbcad512b19d0b72788f21e63d4ccffb2c21f98638176f7816c87ebd301
der1a=3045022100
r1=c3f5243089c5fc55cb215bb54d6e94f1fb09820a3e917cf52633ab9a5cea20af
der1b=0220
s1=7efcf46cbcad512b19d0b72788f21e63d4ccffb2c21f98638176f7816c87ebd3
sighash1=01
sig2=30440220228e890f24db246b0220b0491c78a6f186dcdcb5a927a3b86ffd3b0b03fe6e2602203b4f5ae90419881143e4185820e63616b92d1f394e9414a89d79bc7b90a1c5d001
der2a=30440220
r2=228e890f24db246b0220b0491c78a6f186dcdcb5a927a3b86ffd3b0b03fe6e26
der2b=0220
s2=3b4f5ae90419881143e4185820e63616b92d1f394e9414a89d79bc7b90a1c5d0
sighash2=01

First signature:
Q=0248d313b0398d4923cdca73b8cfa6532b91b96703902fc8b32fd438a3b7cd7f55
d=0000000000000000000000000000000000060f4d11574f5deee49961d9609ac6
transaction1=020000000215cda65f1e46982fc082b15c8dbb60985d12a7e60b0c742263608cc9349f3808720000001976a914ea0f2b7576bd098921fce9bfebe37f6383e639a488acfdffffff6441384445a0f426ee689e2532e41fc6947dda41558026b80f5b1dfd7c58455d3f00000000fdffffff01f792da0600000000160014d66c2e960c57e689ffa24142bc94636a54eb2ea669b0090001000000
z1=SHA-256(SHA-256(transaction1))=2294cb823a880052d1513223d3c078f8518e277373d40b43ada4a07afa045159
r1=c3f5243089c5fc55cb215bb54d6e94f1fb09820a3e917cf52633ab9a5cea20af
s1=7efcf46cbcad512b19d0b72788f21e63d4ccffb2c21f98638176f7816c87ebd3
k1=(z1+r1d)/s1
n=fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
r1d=534d2b5e5932693b7dd30266d83afdd17ef2433f4498395c8f95b959fa4ad0ae
z1+r1d=75e1f6e093ba698e4f24348aabfb76c9d0806ab2b86c44a03d3a59d4f44f2207
1/s1=582ac1bddcecd0488fb1cdded830126ef1246df1888b6495c564604613618179
k1=3a974e9b3b1015f5bf711dc34e53fe95dc1ee2183e938e32f3bd34ce7e4b9fad
k1*G=02C3F5243089C5FC55CB215BB54D6E94F1FB09820A3E917CF52633AB9A5CEA20AF
r1=c3f5243089c5fc55cb215bb54d6e94f1fb09820a3e917cf52633ab9a5cea20af
r1=(k1*G).x (valid)

Second signature:
Q=0248d313b0398d4923cdca73b8cfa6532b91b96703902fc8b32fd438a3b7cd7f55
d=0000000000000000000000000000000000060f4d11574f5deee49961d9609ac6
transaction2=020000000215cda65f1e46982fc082b15c8dbb60985d12a7e60b0c742263608cc9349f38087200000000fdffffff6441384445a0f426ee689e2532e41fc6947dda41558026b80f5b1dfd7c58455d3f0000001976a914ea0f2b7576bd098921fce9bfebe37f6383e639a488acfdffffff01f792da0600000000160014d66c2e960c57e689ffa24142bc94636a54eb2ea669b0090001000000
z2=SHA-256(SHA-256(transaction2))=98399882da0936868e7d21e7c971d8896d0897b99d8c141e6bf679ee829e9835
r2=228e890f24db246b0220b0491c78a6f186dcdcb5a927a3b86ffd3b0b03fe6e26
s2=3b4f5ae90419881143e4185820e63616b92d1f394e9414a89d79bc7b90a1c5d0
k2=(z2+r2d)/s2
n=fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141
r2d=bb719705669b86f216fdef762715302bd7afa1e4985b206f5e06ed09121757be
z2+r2d=53ab2f8840a4bd78a57b115df08708b68a095cb7869e94520a2b086ac47faeb2
1/s2=c1c01cfeefcba2cc824751307b5964e292f602cc05dfa8f6bc359850dd726a6d
k2=0656c9a7c7bb58c5b632cb88ac6a42d7e224f3595077e100f10c0d72622612fc
k2*G=02228E890F24DB246B0220B0491C78A6F186DCDCB5A927A3B86FFD3B0B03FE6E26
r2=228e890f24db246b0220b0491c78a6f186dcdcb5a927a3b86ffd3b0b03fe6e26
r2=(k2*G).x (valid)
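The two garlonicon posts above (the k = (z+rd)/s and d = (sk-z)/r equations, and the puzzle #115 nonce check) reduce to modular arithmetic plus one scalar multiplication. The following Python is an added example, not code from this thread or from the lattice-attack repository: it implements secp256k1 point arithmetic in pure Python, signs a constructed message hash with a constructed key and nonce, recovers the nonce from the key and the key from the nonce, and then re-runs the first puzzle #115 signature with the values quoted above. The function names (ec_add, ec_mul, sign, nonce_from_key, key_from_nonce, nonce_matches_r) are my own choice; the curve constants are the standard secp256k1 parameters.

```python
"""Nonce <-> private key linkage in ECDSA over secp256k1 (added example)."""

# secp256k1 domain parameters (standard public constants)
P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141
G = (0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
     0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8)


def ec_add(p1, p2):
    """Affine point addition on y^2 = x^3 + 7; None is the point at infinity."""
    if p1 is None:
        return p2
    if p2 is None:
        return p1
    x1, y1 = p1
    x2, y2 = p2
    if x1 == x2:
        if (y1 + y2) % P == 0:      # p1 == -p2
            return None
        lam = 3 * x1 * x1 * pow(2 * y1, -1, P) % P   # tangent slope (a = 0)
    else:
        lam = (y2 - y1) * pow(x2 - x1, -1, P) % P
    x3 = (lam * lam - x1 - x2) % P
    return (x3, (lam * (x1 - x3) - y1) % P)


def ec_mul(k, point=G):
    """Double-and-add scalar multiplication (not constant-time; demo only)."""
    result, addend = None, point
    k %= N
    while k:
        if k & 1:
            result = ec_add(result, addend)
        addend = ec_add(addend, addend)
        k >>= 1
    return result


def compress(point):
    """SEC1 compressed encoding: 02/03 prefix by parity of y, then x."""
    x, y = point
    return ("02" if y % 2 == 0 else "03") + f"{x:064x}"


def sign(z, d, k):
    """Textbook ECDSA: r = (kG).x mod n, s = (z + r*d)/k mod n (no low-S step)."""
    r = ec_mul(k)[0] % N
    s = (z + r * d) * pow(k, -1, N) % N
    return r, s


def nonce_from_key(z, r, s, d):
    """k = (z + r*d)/s mod n: 'if you know d, you can get k'."""
    return (z + r * d) * pow(s, -1, N) % N


def key_from_nonce(z, r, s, k):
    """d = (s*k - z)/r mod n: 'if you know k, you can get d'."""
    return (s * k - z) * pow(r, -1, N) % N


def nonce_matches_r(k, r):
    """Check r == (kG).x mod n. Bitcoin's low-S rule replaces s by n-s, so the
    recovered nonce may be n-k rather than k; both have the same x, so the
    check still passes."""
    return ec_mul(k)[0] % N == r


if __name__ == "__main__":
    # Values quoted in the thread for puzzle #115, first signature
    d = 0x060f4d11574f5deee49961d9609ac6
    z1 = 0x2294cb823a880052d1513223d3c078f8518e277373d40b43ada4a07afa045159
    r1 = 0xc3f5243089c5fc55cb215bb54d6e94f1fb09820a3e917cf52633ab9a5cea20af
    s1 = 0x7efcf46cbcad512b19d0b72788f21e63d4ccffb2c21f98638176f7816c87ebd3
    k1 = nonce_from_key(z1, r1, s1, d)
    print("Q  =", compress(ec_mul(d)))
    print("k1 =", f"{k1:064x}")
    print("r1 == (k1*G).x:", nonce_matches_r(k1, r1))
```

The defender's reading of this pair of equations is the point of the whole thread: r, s and z are public, so whoever learns k (or enough bits of k across several signatures, which is what the lattice step recovers) learns d immediately, and vice versa. That is why signing code must derive k deterministically from d and the message (RFC 6979) or from a properly seeded CSPRNG, and why any leakage of nonce bits is treated as a key compromise.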
fxsniper
April 21, 2022, 05:43:22 AM
> So, let's see: First signature: Second signature:
Thank you garlonicon. I try to understand the math (still stuck with calculating by manual steps).
COBRAS
April 21, 2022, 08:25:16 PM
> > So, let's see: First signature: Second signature:
> Thank you garlonicon. I try to understand the math (still stuck with calculating by manual steps).
R,s,z is only for outgoing transactions!!!
garlonicon
April 22, 2022, 03:51:52 AM
> R,s,z is only for outgoing transactions!!!
Yes. But you can always use a fake outgoing transaction and choose some z-value, where you don't know any matching transaction. For some attacks, this approach is also useful, even if you don't know any transaction that can use your signature. In lattice attacks, you can use any z-value, you don't care about transactions, because restoring keys is the only thing you can do in such an attack, so a fake z-value is also useful.
COBRAS
April 22, 2022, 07:09:26 PM
> Yes. But you can always use a fake outgoing transaction and choose some z-value, where you don't know any matching transaction. For some attacks, this approach is also useful, even if you don't know any transaction that can use your signature. In lattice attacks, you can use any z-value, you don't care about transactions, because restoring keys is the only thing you can do in such an attack, so a fake z-value is also useful.
Really? Generate some fake r,s,z please for a valid pubkey, and for example a valid s... for cracking after these signatures? Original r,s,z is 99% impossible to crack because of the different lengths of r,s,z - from x... to ...y for 1 pubkey etc...
garlonicon
April 22, 2022, 07:32:47 PM
> Really? Generate some fake r,s,z please for a valid pubkey, and for example a valid s...
No problem. There are fake r,s,z values for the public key from the Genesis Block:
fake_signatures.py
04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
981c008269574d9bb73a2e781270e2163297b3d3ca9645b5e0664ffcbb19e78a,3cc2a888bae4811e75e64e19f2ce668951a3520e93e31a74b4cd4e9ce9508839,ed97aea4f9b66aca0c41ac88c2f0d90ef2ad269af0951ba2b07c70f7d1542b3c
53b9632a4250eb518426a545daa99fc6a72addfcb62714fbe81e269cd9ee39e8,62cbe3cc5eec2cbcbf61793a1d94414b43536c0e9219da703be5f141c46fa364,166db19e268d41b8cb76eedb50c57969635bcce2218b1921df45656a24de751a
a050e9237241c02d17684df9b9039fd707fcecb2fbd9d46af95dfeb6ef1daaa3,5e3bd1a08a7418066e4231adbfa23cc969617bb67f35a5f9a4d1ebae9a196fc7,a20a81207eb5aa382759debfc3ca98d4a3cf85474c9dbb6684dbd5bae3abe58d
9f2e42881a9cd3ddd088ebc77857beb9929c42e76e3b3ab7d1928652d2b731cf,0a4353b1fe7c167d63eaa45aeb23f83d219fd31ca74a17adc84cb18bc3184833,32a9cacbb64e5679eb40dfca1192bccc3db0e19d63d1e68286fe119d7d494c8a
a46f5889983efb70e00927f5afeeb2c4042783ca36525968657e339416a6bd8d,185c697570158909298fb10019d7a3e62ed647e9a6ecd1992f3d3098a498eec9,dcd110dd05f2ef9bb46639b0abe858a545bc61f1cd0e5462f41e7003d5f68bba
8ca48464e4dd3789ec41b83827b93e840471cfce2c8e6349e4087f56c335991f,6fb96292e9a2e5480085d9b8f69bd6aa62cee3b76b090cd5d5e25f8ce253adea,b6b20ab75d2ad6e8e79fe3fdc9e28a66e2a6acecfe87a7f33cb5c3fba1d070d3
Those signatures are only fake because there is no known transaction that can be hashed to any of these z-values. That's the only reason, but from the lattice point of view they are as good as any real signatures; there is no difference in this attack, because knowing relations between nonces, or some bits of private keys or nonces, is more important than having a real signature. So, if you want to break for example puzzle 120, you don't need two real weak signatures.
You need any two weak signatures that are valid from the ECDSA point of view and that will pass the lattice attack (because you cannot use for example N and N-1; they are too close, and if one signature is a tweaked version of another one, it will obviously not work). You don't need any real transaction that can be hashed to the z-value, because after breaking the private key, you could make it and sign it from scratch.
fxsniper
April 23, 2022, 05:43:53 AM
I try to learn and understand the math. Did I understand correctly? This script method uses the leaked nonce that is generated to recover the private key, right? The script does not use a way of collecting data from all the signatures? This lattice-attack uses only one signature with an 8-bit nonce leak to calculate correctly? Just loop searching from 1000 signatures until one is found that can be calculated?