|
|
|
bigvito19
|
 |
May 16, 2022, 11:46:57 AM |
|
I already told you to just change lines 17 and 18 to 256 and it will work https://asecuritysite.com/ecc/ecdk1 = random.randrange(1, pow(2, 256)) k2 = random.randrange(1, pow(2, 256)) |
|
|
|
|
COBRAS
Member
 Offline
Activity: 887
Merit: 22
|
|
May 16, 2022, 12:36:08 PM |
|
I already told you to just change lines 17 and 18 to 256 and it will work https://asecuritysite.com/ecc/ecdk1 = random.randrange(1, pow(2, 256)) k2 = random.randrange(1, pow(2, 256)) private key ot found. only message"private kwy", but no second message "privatevkey found" |
[
|
|
|
|
bigvito19
|
|
May 16, 2022, 01:12:47 PM |
|
I already told you to just change lines 17 and 18 to 256 and it will work https://asecuritysite.com/ecc/ecdk1 = random.randrange(1, pow(2, 256)) k2 = random.randrange(1, pow(2, 256)) private key ot found. only message"private kwy", but no second message "privatevkey found" What private key it was looking for because it was random |
|
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
May 16, 2022, 01:26:25 PM |
|
I already told you to just change lines 17 and 18 to 256 and it will work https://asecuritysite.com/ecc/ecdk1 = random.randrange(1, pow(2, 256)) k2 = random.randrange(1, pow(2, 256)) private key ot found. only message"private kwy", but no second message "privatevkey found" What private key it was looking for because it was random yes random, you can replace generetated r,s from rundom to r,s from vitcoiin sighnature, after it will be not rundom. but, rhis wersion for 128 bit nonce. btx is a 252-256 bit nonce |
[
|
|
|
stanner.austin
Member
Offline
Activity: 67
Merit: 53
|
|
May 17, 2022, 12:58:07 PM |
|
@COBRAS
Its different attack with lowest nonce under 127 bit & his weakness.
Only bitlogik lattice-attack is most powerful i can feel.
For example if you have any private key under 128 bit. for example puzzle 120.
If you use liner random value or single known higher random(0xf000000000000000000000000000000000000000000000000000000000000000) to start with and divide it in each time till 100 sign is made.(after 51 sign can use 128 bit random to make sign.)
You just have 33 or less nonce kp to worry about, because rest is 0 on MSB
i tested on my single pc with 16 thread its not powerful to cover it.
need atlast 128 thread with 4/5 pc to finish whole range fast.
|
|
|
|
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
May 17, 2022, 02:44:29 PM |
|
@COBRAS
Its different attack with lowest nonce under 127 bit & his weakness.
Only bitlogik lattice-attack is most powerful i can feel.
For example if you have any private key under 128 bit. for example puzzle 120.
If you use liner random value or single known higher random(0xf000000000000000000000000000000000000000000000000000000000000000) to start with and divide it in each time till 100 sign is made.(after 51 sign can use 128 bit random to make sign.)
You just have 33 or less nonce kp to worry about, because rest is 0 on MSB
i tested on my single pc with 16 thread its not powerful to cover it.
need atlast 128 thread with 4/5 pc to finish whole range fast.
So, you need 128 or 4*128 thread ? 64 thread is possible, I think 128 possible too. Your code work with less 128 but nonce, you tested it ? P.s. then I try with 0000 msb and lsb, nothing found with his lattice attack. R. |
[
|
|
|
|
garlonicon
|
|
May 18, 2022, 09:07:39 PM |
|
Only bitlogik lattice-attack is most powerful i can feel. I tried it, but it is somewhat buggy. You can take 120-bit key and use two random 120-bit values to get as many 240-bit signatures as you need (because first you will add one random 120-bit number to another 120-bit number, and then you will multiply that by another 120-bit value, by choosing the right range, you can always make sure that the first 16 bits are zero). No matter how many 240-bit k-values in signatures I had, I could never reach any 120-bit key from that. LLL is going through that without printing any key, and then another algorithms have some bugs, because there are "infinite loop in babai" and other similar messages in their internal implementation. So, I partially know how to attack 120-bit keys, but I cannot do that in practice (because this code is buggy, it would take some time to fix it). |
|
|
|
|
stanner.austin
Member
Offline
Activity: 67
Merit: 53
|
|
May 19, 2022, 08:53:44 AM |
|
@garlonicon
i don't think its bug.
"infinite loop in babai"
I think it's like math divide by 0 on lattice attack.
First calculated sign must be higher int value like i have posted.
0xf000000000000000000000000000000000000000000000000000000000000000
Later sign can use divide by 14 or 10 etc, til int reach to 2 then can use random 128 bit int and all this is valid and give first 33 only non zero MSB rest all are 0 starting K on MSB.
i have tested with all possible combination no matter what i try i can't go lower then 33 kp requirement for 4 bit leaking.
|
|
|
|
|
|
garlonicon
|
|
May 19, 2022, 04:39:22 PM |
|
i don't think its bug It is a bug, because the code should not inform you that "something went wrong", but should give you the exact reason of what was wrong, and also why it could be wrong. Scripts should not just crash if you feed them with invalid entries. They should tell you, what is the correct format and why something does not work. So, "infinite loop in babai" says nothing. It says that there is some loop and that loop is infinite. But there could be a lot of reasons, actually, an assertion saying that "value==something" was false in file "sample.py" on line 123 would be a lot better than that. Also, I think that signatures are random enough, they are just random 240-bit values that are not connected at all. Adding random 120-bit and multiplying the result by random 120-bit will shuffle and mix everything, no matter what was the key we started with. And we can get infinitely many signatures, so there always will be enough to try this kind of attack (also because there was an example with only six known bits that was solved correctly). |
|
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
May 20, 2022, 02:03:49 AM |
|
i don't think its bug It is a bug, because the code should not inform you that "something went wrong", but should give you the exact reason of what was wrong, and also why it could be wrong. Scripts should not just crash if you feed them with invalid entries. They should tell you, what is the correct format and why something does not work. So, "infinite loop in babai" says nothing. It says that there is some loop and that loop is infinite. But there could be a lot of reasons, actually, an assertion saying that "value==something" was false in file "sample.py" on line 123 would be a lot better than that. Also, I think that signatures are random enough, they are just random 240-bit values that are not connected at all. Adding random 120-bit and multiplying the result by random 120-bit will shuffle and mix everything, no matter what was the key we started with. And we can get infinitely many signatures, so there always will be enough to try this kind of attack (also because there was an example with only six known bits that was solved correctly). Hello, did you try this code ? Maybe this code had no bag, and more "powerful" for this talk, because has 3;algorithm include lattice https://github.com/malb/bdd-predicate |
[
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
May 20, 2022, 03:04:49 AM |
|
@garlonicon You know how to downgrade pubkey range ? I try, but with div or substraction but this like how to shut to the the galaxy from the gun. Task is finding very small range, for ex 2^80, need search this 2^80 in 2^119 so, about 549755813888 publick of 2^80 in range 2^119+2^119(total 1/2 of 2^150. Substraction had same difficulty's. Then substract, after you get pubkey smaller then target pubkey, difficulties of pubkey start grow, against fail...  It is possible make fake rsz for known pubkey ? Can someone generate rsz for pubkey 120 for ex , in format of lattice-attack script or bkz-preducate ? Br |
[
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
May 20, 2022, 04:25:36 AM |
|
i don't think its bug It is a bug, because the code should not inform you that "something went wrong", but should give you the exact reason of what was wrong, and also why it could be wrong. Scripts should not just crash if you feed them with invalid entries. They should tell you, what is the correct format and why something does not work. So, "infinite loop in babai" says nothing. It says that there is some loop and that loop is infinite. But there could be a lot of reasons, actually, an assertion saying that "value==something" was false in file "sample.py" on line 123 would be a lot better than that. Also, I think that signatures are random enough, they are just random 240-bit values that are not connected at all. Adding random 120-bit and multiplying the result by random 120-bit will shuffle and mix everything, no matter what was the key we started with. And we can get infinitely many signatures, so there always will be enough to try this kind of attack (also because there was an example with only six known bits that was solved correctly). I have a communication with bitlogic (lattice-attack code)r previously. If you can explain what a bag I cab ask him for remove bag, or you can send him message directly. |
[
|
|
|
ecdsa123
Full Member
Offline
Activity: 211
Merit: 105
Dr WHO on disney+
|
|
May 20, 2022, 06:59:27 PM |
|
@garlonicon
It is possible make fake rsz for known pubkey ?
Can someone generate rsz for pubkey 120 for ex , in format of lattice-attack script or bkz-preducate ?
Br
yes Cobras we can make valid transactions for pubkey, only then when this pubkey has minimum one output i need : pubkey (x,y) , and transaction output as r s z then I make perform "gauss reduction for this pubkey", result will be: pubkey (still the same) new r,s,z valid for this pubkey (valid means : ecdsa verify) |
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
May 20, 2022, 08:19:51 PM |
|
@garlonicon
It is possible make fake rsz for known pubkey ?
Can someone generate rsz for pubkey 120 for ex , in format of lattice-attack script or bkz-preducate ?
Br
yes Cobras we can make valid transactions for pubkey, only then when this pubkey has minimum one output i need : pubkey (x,y) , and transaction output as r s z then I make perform "gauss reduction for this pubkey", result will be: pubkey (still the same) new r,s,z valid for this pubkey (valid means : ecdsa verify) I will make for 120, and simple with many transaction. Little later today or tomorrow. Don go far away from this thread |
[
|
|
|
ecdsa123
Full Member
Offline
Activity: 211
Merit: 105
Dr WHO on disney+
|
|
May 20, 2022, 08:27:12 PM |
|
no problem. now I writing my own attack: example : I have pubkey with one output r,s,z so I know r,s,z we all know that if r (which is nonce*G) -> so if nonce is less 125 bit -> lattice standard reduction will find privatekey when we have only one output (one transaction) so : We can make perform "new" transaction as below with loop: new r_new,s_new,h_new for the same pubkey as old_nonce minus 2**i bit then test in lattice that r (as nonce*G is in 0 to 125 bit)  if not -> then minus 2**i bit and so on:) |
|
|
|
COBRAS
Member
Offline
Activity: 887
Merit: 22
|
|
May 20, 2022, 08:36:43 PM |
|
no problem. now I writing my own attack: example : I have pubkey with one output r,s,z so I know r,s,z we all know that if r (which is nonce*G) -> so if nonce is less 125 bit -> lattice standard reduction will find privatekey when we have only one output (one transaction) so : We can make perform "new" transaction as below with loop: new r_new,s_new,h_new for the same pubkey as old_nonce minus 2**i bit then test in lattice that r (as nonce*G is in 0 to 125 bit) if not -> then minus 2**i bit and so on:) You really can make code for this , and code for gauss reduction ? P.s. I will provide rsz for you any way |
[
|
|
|
ecdsa123
Full Member
Offline
Activity: 211
Merit: 105
Dr WHO on disney+
|
|
May 20, 2022, 08:40:22 PM |
|
yes,
|
|
|
|
|
garlonicon
|
|
May 20, 2022, 09:05:37 PM |
|
i need : pubkey (x,y) , and transaction output as r s z You need only pubkey. For lattice attack, your r,s,z can be faked, it will be as useful as something collected from some real transaction. new r_new,s_new,h_new for the same pubkey as old_nonce minus 2**i bit The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures. They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1. And that's why it would be better to start with 120-bit key, and make a lot of 240-bit signatures. You need some randomness to make it. I think getting it squared should be random enough to reveal the key, but this code still does not work for me, this "infinite loop in babai" is annoying and simply means that LLL found nothing, so other algorithms were used (and they failed somehow). |
|
|
|
|
|
