lattice-attack || how to run without error

[COBRAS]

@ecdsa, collect some real rsz from blockchain and try your code ?

can use 1 transaction with many output. Posibl it will be more easy for use

thx.

[COBRAS]

@ecdsa, collect some real rsz from blockchain and try your code ?

can use 1 transaction with many output. Posibl it will be more easy for use

thx.

it is useless. as inform if you know subrange it is 6 hours. if not "time is years ior milleniums",
I have use to try : https://eprint.iacr.org/2022/385     White-Box
 

and here pdf: https://eprint.iacr.org/2022/385.pdf

how get subranges  ? code for get them pls ?

[COBRAS]

show priv of 120, 125 or 130 bit ouzzle ?

pls

[COBRAS]

. Cobras be sure better mathematician than me checked that, and they know that is useless.

 

i not undertand this formulas, code too unfortunately.

Bro, provide any proof of work of your codes ? on github 1000+ attacks but they not work on real data.

generate sighs for this pub and find a key ?

04e36a3452c8921ea9e093ebb94f544cab434abadd796566280e05d5ae22fad6a2017cfa0647d6e 458b12848c03fac10e3c44ecf3911dc2f2da90afc1ccf36f9f9

?


@ecdsa123, help me in this thread pls ?

https://bitcointalk.org/index.php?topic=5400202.0

thanks

[ymgve2]

@ecdsa, collect some real rsz from blockchain and try your code ?

can use 1 transaction with many output. Posibl it will be more easy for use

thx.

it is useless. as inform if you know subrange it is 6 hours. if not "time is years ior milleniums",
I have use to try : https://eprint.iacr.org/2022/385     White-Box
 

and here pdf: https://eprint.iacr.org/2022/385.pdf

White box attacks, which those papers are about means the attacker is in full control of the computer that actually does the generation of the signature, and can measure timing and program flow during the generation of the signature. This is completely irrelevant to lattice attacks on weak nonces.

[fxsniper]

What is this BKZ reduction : block size = 15
I test with 4-bit leak nonce and signature between 50-90 set
many key losses and some key can calculate with BKZ reduction : block size = 15 and next untile con recover (some)

[COBRAS]

What is this BKZ reduction : block size = 15
I test with 4-bit leak nonce and signature between 50-90 set
many key losses and some key can calculate with BKZ reduction : block size = 15 and next untile con recover (some)

you try on real rsz from bitcoin blockchain ?

[fxsniper]

you try on real rsz from bitcoin blockchain ?

Maybe, Are you have any script for collecting thousands rsz?
but the problem is it is a 256-bit key not easy and it needs to develop high advance to do
maybe try a test with some brainwallets

but I would like to understand lattice first and how BKZ reduction: block size = 15 , it is works
can possibly use million block size or brute force it
I would like to try to modify the lattice-like use of kangaroo with collision
if not yet understand how it works, can not use it.

[COBRAS]

you try on real rsz from bitcoin blockchain ?

Maybe, Are you have any script for collecting thousands rsz?
but the problem is it is a 256-bit key not easy and it needs to develop high advance to do
maybe try a test with some brainwallets

but I would like to understand lattice first and how BKZ reduction: block size = 15 , it is works
can possibly use million block size or brute force it
I would like to try to modify the lattice-like use of kangaroo with collision
if not yet understand how it works, can not use it.

I lost my scrypt for collect rsz, I try find it and message additionaly were

[PrivatePerson]

https://github.com/bitlogik/lattice-attack

How do you prepare the list to be loaded into this script?

gen_data.py is make data for use it

run script  gen_data.py
then you got file data.json
and run  lattice_attack.py

or

run script  gen_data.py -f filename
then you got the file filename.json
and run  lattice_attack.py -f filename

I test already if not have a leak nonce it not works
test with a fake nonce leak (random) it never works

gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.

[fxsniper]

gen_data.py generate real data. By real, i mean valid ECDSA data. If you want to use own data, you should run gen_data.py and see it's output JSON file to know format data accepted by this tool.

I confirm gen_data.py generate real data. it is the same real RSZ from a real transaction
example  Huobi-wallet   1HckjUpRGcrrRAtFaaCAUaGjsPx9oYmLaZ  million of RSZ
script do same confirm

gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.

just put your own RSZ to JSON format the same  gen_data.py generate data.json

you can use JSON format tools to read JSON data easy
or modify gen_data.py to dump JSON data with indent options will help to read JSON format easy

1. easy manual add, put your own RSZ only by one done.
2. do yourself made script read RSZ and write to JSON format

[fxsniper]

gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.

use JSON Formatter, JSON Beautifier from only
upload data.json to read easy

modify
json.dump(sigs_data, fout)
to
json.dump(sigs_data, fout, indent=3)

add RSZ yourself to replace generated RSZ
you need more than 100 RSZ to calculate
RSZ without leak nonce is useless
try fake nonce leak bit or zero bit is making script error with some loop error
try to use real from some brainwallet (yes we know both private key and nonce)

[COBRAS]

gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.

use JSON Formatter, JSON Beautifier from only
upload data.json to read easy

modify
json.dump(sigs_data, fout)
to
json.dump(sigs_data, fout, indent=3)

add RSZ yourself to replace generated RSZ
you need more than 100 RSZ to calculate
RSZ without leak nonce is useless
try fake nonce leak bit or zero bit is making script error with some loop error
try to use real from some brainwallet (yes we know both private key and nonce)

this is real work  ? i was try but unsoccesful.

Can you show real example ?

[fxsniper]

this is real work  ? i was try but unsoccesful.

Can you show real example ?

it not works
I try 100 RSZ
but it did not have real LEAK NONCE
so I try to use zero 0 nonces and try fake leak nonce by random number
I do test fake leak nonce by random number 1 bit to 16 bit
all got error
and error loop infinite
it is never work

maybe the script use nonce point in the right direction
when got the wrong nonce, it is an error

work perfectly only with generating data from script
or you can use some brain wallet leak address (yes, you got to know nonce)

you need a mathematician who can use this lattice attack

I think for lattice attack is interesting
but you need to develop to advance to use it
or maybe focus on one pubkey specific
first, need to develop to can used without leak nonnce

if want to use lattice attack, you need to understand in math of this method
for me too much advance for understanding

this lattice-attack research developer tells already in the video present if they succeed will be rich but if not success here they are present research paper to you know here

just idea impossible you can try using fake nonce random continue until meet but how to know correct leak nonce each
develop some script auto-generate fake nonce and run it loop until found but it needs minimum 100 rsz

kangaroo may be possible and better just need to new way walk to meet key fast

[casinotester0001]

Can you show real example ?

Good idea!

But I don't know, why I am so important?

@garlonicon

Because you can explain this lattice method in a full example 

If you want, create a new thread, call it eg Lattice method explained
Take puzzle 100 data (or something else)
Make a step by step explanation in the OP.
People can ask, contribute and you can edit the OP.

Would be cool 

[COBRAS]

this is real work  ? i was try but unsoccesful.

Can you show real example ?

it not works
I try 100 RSZ
but it did not have real LEAK NONCE
so I try to use zero 0 nonces and try fake leak nonce by random number
I do test fake leak nonce by random number 1 bit to 16 bit
all got error
and error loop infinite
it is never work

maybe the script use nonce point in the right direction
when got the wrong nonce, it is an error

work perfectly only with generating data from script
or you can use some brain wallet leak address (yes, you got to know nonce)

you need a mathematician who can use this lattice attack

I think for lattice attack is interesting
but you need to develop to advance to use it
or maybe focus on one pubkey specific
first, need to develop to can used without leak nonnce

if want to use lattice attack, you need to understand in math of this method
for me too much advance for understanding

this lattice-attack research developer tells already in the video present if they succeed will be rich but if not success here they are present research paper to you know here

just idea impossible you can try using fake nonce random continue until meet but how to know correct leak nonce each
develop some script auto-generate fake nonce and run it loop until found but it needs minimum 100 rsz

kangaroo may be possible and better just need to new way walk to meet key fast

bro,this is waste of time only.

[fxsniper]

bro, this is waste of time only.

yes, absolute waste of time
I try two times and quite

[garlonicon]

@garlonicon

Because you can explain this lattice method in a full example 

If you want, create a new thread, call it eg Lattice method explained
Take puzzle 100 data (or something else)
Make a step by step explanation in the OP.
People can ask, contribute and you can edit the OP.

Would be cool 

Now I only know basic things, like for example how ECDSA works. Understanding how lattices works is ongoing, I need more time to come up with something useful. All what I already know is based on ECDSA properties. For example, if you have a public key, then you can add or subtract any number or public key, or you can multiply and divide it by any known number. And based on that I know that any signature is just a relation between the public key and the "signature public key".

Code:

s=(z+rd)/k
sk=z+rd
sk-z=rd
rd=sk-z
d=(sk-z)/r
d=(s/r)k-(z/r)
d*G=(s/r)*k*G-(z/r)*G
Q=(s/r)*R-(z/r)*G

So, if you have some public key Q, then you can choose some "(z/r)", and then choose some "(r/s)". Just because:

Code:

(Q+(z/r)*G)*(r/s)*G=R

So, you can first choose some "(z/r)", then choose some "(r/s)", then you will get some "R", so you can convert it into "r" by taking "r=R.x", and then you can reach a valid "(r,s,z)" tuple for a given Q. All values will be random, but it doesn't matter for lattice if you have real data from the real blockchain or not. They are random. And the level of your randomness depends on how random is your picked "(z/r)" and "(r/s)", because it is just a linear transformation of adding some number and multiplying by some number to go from Q to R.

But in general, the properties of ECDSA allows you to pick any "(z/r)" and "(r/s)" values. That means, you can create any lattice you want. And then, the quality of your lattice can decide, if you can recover the keys or not, because if they are not random enough, then you will reach nothing. Trying to solve "x=2y" by adding "2x=4y" just won't work, that's why it should be random enough.

So, as you can see, I know ECDSA relations. But the most useful part is still missing, because I still don't know how to construct a proper lattice that would allow recovering some keys. I tried to use that to recover small keys, but my lattices failed for keys with 8 bits, so something is not right and I still have to dig deeper to produce some general solution for lattices.

[casinotester0001]

Thanks for the explanation.

Now we could take puzzle 100 data, so we can create enough random signatures as we have the private key. And with these signatures, can you explain how the lattice-method works?

[garlonicon]

Now we could take puzzle 100 data, so we can create enough random signatures as we have the private key.

You can get that quite easily. Just pick any random key and combine it with some mask. For example:

Code:

SHA-256("100-bit")=5f446017ab7a558fae2e58e7a5433ed6d3659024d0e5cb34dd479a80e5395802
              mask=00000000000000000000000000000000000000000000ffffffffffffffffffff
            key100=00000000000000000000000000000000000000000000cb34dd479a80e5395802

Then, you can pretend that you don't know key100, and simply use "key100*G". If you want to produce N signatures, you can do that first, then hide that private key somewhere, and then try to crack your own key. You will get the same problems that you can get when trying to solve the real puzzle, but you will also have the chance to check if you are close enough or not.

Also note that producing any signature is not enough. Because you can obviously use "z/r" equal to "0bad" and "r/s" equal to "c0de", then you can safely assume that your key will have less than 120 bits. But even if you produce hundreds of such signatures, it won't help you, even if your public key and all of your "signature public key" will have a corresponding private key in 120-bit range. It is just not random enough. But on the other hand, if you will produce two random 120-bit signatures, you will probably recover your key. So, the randomness is the key.

And with these signatures, can you explain how the lattice-method works?

No, because I don't know that yet. Also because I don't think 100-bit keys were broken by lattice attacks. More probably they were beaten by Kangaroo or similar algorithms that don't require valid signatures.