fxsniper
Member
Offline
Activity: 406
Merit: 47
|
|
August 30, 2022, 04:01:28 PM |
|
gen_data.py generate real data. By real, i mean valid ECDSA data. If you want to use own data, you should run gen_data.py and see it's output JSON file to know format data accepted by this tool.
I confirm gen_data.py generate real data. it is the same real RSZ from a real transaction example Huobi-wallet 1HckjUpRGcrrRAtFaaCAUaGjsPx9oYmLaZ million of RSZ script do same confirm gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.
just put your own RSZ to JSON format the same gen_data.py generate data.json you can use JSON format tools to read JSON data easy or modify gen_data.py to dump JSON data with indent options will help to read JSON format easy 1. easy manual add, put your own RSZ only by one done. 2. do yourself made script read RSZ and write to JSON format
|
|
|
|
fxsniper
Member
Offline
Activity: 406
Merit: 47
|
|
August 30, 2022, 04:12:14 PM |
|
gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.
use JSON Formatter, JSON Beautifier from only upload data.json to read easy modify json.dump(sigs_data, fout) to json.dump(sigs_data, fout, indent=3) add RSZ yourself to replace generated RSZ you need more than 100 RSZ to calculate RSZ without leak nonce is useless try fake nonce leak bit or zero bit is making script error with some loop error try to use real from some brainwallet (yes we know both private key and nonce)
|
|
|
|
COBRAS
Member
Offline
Activity: 892
Merit: 22
|
|
August 31, 2022, 12:12:59 AM |
|
gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.
use JSON Formatter, JSON Beautifier from only upload data.json to read easy modify json.dump(sigs_data, fout) to json.dump(sigs_data, fout, indent=3) add RSZ yourself to replace generated RSZ you need more than 100 RSZ to calculate RSZ without leak nonce is useless try fake nonce leak bit or zero bit is making script error with some loop error try to use real from some brainwallet (yes we know both private key and nonce) this is real work ? i was try but unsoccesful. Can you show real example ?
|
[
|
|
|
fxsniper
Member
Offline
Activity: 406
Merit: 47
|
|
August 31, 2022, 01:46:07 AM |
|
this is real work ? i was try but unsoccesful.
Can you show real example ?
it not works I try 100 RSZ but it did not have real LEAK NONCE so I try to use zero 0 nonces and try fake leak nonce by random number I do test fake leak nonce by random number 1 bit to 16 bit all got error and error loop infinite it is never work maybe the script use nonce point in the right direction when got the wrong nonce, it is an error work perfectly only with generating data from script or you can use some brain wallet leak address (yes, you got to know nonce) you need a mathematician who can use this lattice attack I think for lattice attack is interesting but you need to develop to advance to use it or maybe focus on one pubkey specific first, need to develop to can used without leak nonnce if want to use lattice attack, you need to understand in math of this method for me too much advance for understanding this lattice-attack research developer tells already in the video present if they succeed will be rich but if not success here they are present research paper to you know here just idea impossible you can try using fake nonce random continue until meet but how to know correct leak nonce each develop some script auto-generate fake nonce and run it loop until found but it needs minimum 100 rsz kangaroo may be possible and better just need to new way walk to meet key fast
|
|
|
|
casinotester0001
Member
Offline
Activity: 196
Merit: 67
|
|
August 31, 2022, 05:38:38 PM |
|
Can you show real example ?
Good idea! But I don't know, why I am so important?
@garlonicon Because you can explain this lattice method in a full example If you want, create a new thread, call it eg Lattice method explainedTake puzzle 100 data (or something else) Make a step by step explanation in the OP. People can ask, contribute and you can edit the OP. Would be cool
|
|
|
|
COBRAS
Member
Offline
Activity: 892
Merit: 22
|
|
September 01, 2022, 12:19:36 AM |
|
this is real work ? i was try but unsoccesful.
Can you show real example ?
it not works I try 100 RSZ but it did not have real LEAK NONCE so I try to use zero 0 nonces and try fake leak nonce by random number I do test fake leak nonce by random number 1 bit to 16 bit all got error and error loop infinite it is never work maybe the script use nonce point in the right direction when got the wrong nonce, it is an error work perfectly only with generating data from script or you can use some brain wallet leak address (yes, you got to know nonce) you need a mathematician who can use this lattice attack I think for lattice attack is interesting but you need to develop to advance to use it or maybe focus on one pubkey specific first, need to develop to can used without leak nonnce if want to use lattice attack, you need to understand in math of this method for me too much advance for understanding this lattice-attack research developer tells already in the video present if they succeed will be rich but if not success here they are present research paper to you know here just idea impossible you can try using fake nonce random continue until meet but how to know correct leak nonce each develop some script auto-generate fake nonce and run it loop until found but it needs minimum 100 rsz kangaroo may be possible and better just need to new way walk to meet key fast bro,this is waste of time only.
|
[
|
|
|
fxsniper
Member
Offline
Activity: 406
Merit: 47
|
|
September 01, 2022, 11:13:18 AM |
|
bro, this is waste of time only.
yes, absolute waste of time I try two times and quite
|
|
|
|
garlonicon
|
|
September 02, 2022, 04:41:36 AM |
|
@garlonicon Because you can explain this lattice method in a full example If you want, create a new thread, call it eg Lattice method explainedTake puzzle 100 data (or something else) Make a step by step explanation in the OP. People can ask, contribute and you can edit the OP. Would be cool Now I only know basic things, like for example how ECDSA works. Understanding how lattices works is ongoing, I need more time to come up with something useful. All what I already know is based on ECDSA properties. For example, if you have a public key, then you can add or subtract any number or public key, or you can multiply and divide it by any known number. And based on that I know that any signature is just a relation between the public key and the "signature public key". s=(z+rd)/k sk=z+rd sk-z=rd rd=sk-z d=(sk-z)/r d=(s/r)k-(z/r) d*G=(s/r)*k*G-(z/r)*G Q=(s/r)*R-(z/r)*G So, if you have some public key Q, then you can choose some "(z/r)", and then choose some "(r/s)". Just because: So, you can first choose some "(z/r)", then choose some "(r/s)", then you will get some "R", so you can convert it into "r" by taking "r=R.x", and then you can reach a valid "(r,s,z)" tuple for a given Q. All values will be random, but it doesn't matter for lattice if you have real data from the real blockchain or not. They are random. And the level of your randomness depends on how random is your picked "(z/r)" and "(r/s)", because it is just a linear transformation of adding some number and multiplying by some number to go from Q to R. But in general, the properties of ECDSA allows you to pick any "(z/r)" and "(r/s)" values. That means, you can create any lattice you want. And then, the quality of your lattice can decide, if you can recover the keys or not, because if they are not random enough, then you will reach nothing. Trying to solve "x=2y" by adding "2x=4y" just won't work, that's why it should be random enough. So, as you can see, I know ECDSA relations. But the most useful part is still missing, because I still don't know how to construct a proper lattice that would allow recovering some keys. I tried to use that to recover small keys, but my lattices failed for keys with 8 bits, so something is not right and I still have to dig deeper to produce some general solution for lattices.
|
|
|
|
casinotester0001
Member
Offline
Activity: 196
Merit: 67
|
|
September 02, 2022, 10:29:34 AM |
|
Thanks for the explanation. Now we could take puzzle 100 data, so we can create enough random signatures as we have the private key. And with these signatures, can you explain how the lattice-method works?
|
|
|
|
garlonicon
|
|
September 02, 2022, 05:22:22 PM |
|
Now we could take puzzle 100 data, so we can create enough random signatures as we have the private key. You can get that quite easily. Just pick any random key and combine it with some mask. For example: SHA-256("100-bit")=5f446017ab7a558fae2e58e7a5433ed6d3659024d0e5cb34dd479a80e5395802 mask=00000000000000000000000000000000000000000000ffffffffffffffffffff key100=00000000000000000000000000000000000000000000cb34dd479a80e5395802 Then, you can pretend that you don't know key100, and simply use "key100*G". If you want to produce N signatures, you can do that first, then hide that private key somewhere, and then try to crack your own key. You will get the same problems that you can get when trying to solve the real puzzle, but you will also have the chance to check if you are close enough or not. Also note that producing any signature is not enough. Because you can obviously use "z/r" equal to "0bad" and "r/s" equal to "c0de", then you can safely assume that your key will have less than 120 bits. But even if you produce hundreds of such signatures, it won't help you, even if your public key and all of your "signature public key" will have a corresponding private key in 120-bit range. It is just not random enough. But on the other hand, if you will produce two random 120-bit signatures, you will probably recover your key. So, the randomness is the key. And with these signatures, can you explain how the lattice-method works? No, because I don't know that yet. Also because I don't think 100-bit keys were broken by lattice attacks. More probably they were beaten by Kangaroo or similar algorithms that don't require valid signatures.
|
|
|
|
casinotester0001
Member
Offline
Activity: 196
Merit: 67
|
|
September 02, 2022, 10:57:23 PM |
|
And with these signatures, can you explain how the lattice-method works? No, because I don't know that yet. Also because I don't think 100-bit keys were broken by lattice attacks. More probably they were beaten by Kangaroo or similar algorithms that don't require valid signatures. I wanted to say, take the 100 bit puzzle data but show how it works with 256 bit. You can create signatures as there is a private key and explain how this lattice method works in the 256 bit range with examples.
|
|
|
|
ecdsa123
Full Member
Offline
Activity: 211
Merit: 105
Dr WHO on disney+
|
|
September 03, 2022, 09:14:02 AM |
|
Firstly if you are talking about lattice attack please be very carefully with definition ot this type attack:) becouse there is no one "definition" for lattice attack. Lattice attack can be used only then if we define what we want to take as result. WE have a lot of "lattice attack" types like: CVP, SVP Doubled CVP, and of course mysthic "SLE method". all of this lattice attack is designed for something to find. YOU CANT USE "codes" and put there r,s,z without some "modification" to algorithm and waiting for good result. here example: 1.) if we have 1 transaction with remarks: privatekey up to 128 bit : with nonce up to 128 bit -> lattice attack will show privatekey 2.) if we have 100 transaction with remarks: privatekey up to 2**20 bit : with nonce up to 253 bit -> lattice attack will show privatekey 3.) if we have 480 transaction with remarks: privatekey up to 2**10 bit : with nonce up to 254 bit -> lattice attack will show privatekey 4.) if we have 10 transaction with remarks: privatekey up to 2**200 bit : with nonce up to 240 bit -> lattice attack will show privatekey what can we deduct? lattice attack is only bounded result depends the range of privatekeys. second problem "if you will use" CVP againts SVP you will be have another values.
|
|
|
|
casinotester0001
Member
Offline
Activity: 196
Merit: 67
|
|
September 03, 2022, 10:56:37 AM |
|
here example:
1.) if we have 1 transaction with remarks: privatekey up to 128 bit : with nonce up to 128 bit -> lattice attack will show privatekey
2.) if we have 100 transaction with remarks: privatekey up to 2**20 bit : with nonce up to 253 bit -> lattice attack will show privatekey
3.) if we have 480 transaction with remarks: privatekey up to 2**10 bit : with nonce up to 254 bit -> lattice attack will show privatekey
4.) if we have 10 transaction with remarks: privatekey up to 2**200 bit : with nonce up to 240 bit -> lattice attack will show privatekey
For 256-bit ECDSA with 8-bit leakage, I guess 50 (even 40) is enough. source: https://crypto.stackexchange.com/questions/98323/help-breaking-ecdsa-with-biased-nonces
|
|
|
|
COBRAS
Member
Offline
Activity: 892
Merit: 22
|
|
September 03, 2022, 12:13:48 PM |
|
Firstly if you are talking about lattice attack please be very carefully with definition ot this type attack:) becouse there is no one "definition" for lattice attack. Lattice attack can be used only then if we define what we want to take as result. WE have a lot of "lattice attack" types like: CVP, SVP Doubled CVP, and of course mysthic "SLE method". all of this lattice attack is designed for something to find. YOU CANT USE "codes" and put there r,s,z without some "modification" to algorithm and waiting for good result. here example: 1.) if we have 1 transaction with remarks: privatekey up to 128 bit : with nonce up to 128 bit -> lattice attack will show privatekey 2.) if we have 100 transaction with remarks: privatekey up to 2**20 bit : with nonce up to 253 bit -> lattice attack will show privatekey 3.) if we have 480 transaction with remarks: privatekey up to 2**10 bit : with nonce up to 254 bit -> lattice attack will show privatekey 4.) if we have 10 transaction with remarks: privatekey up to 2**200 bit : with nonce up to 240 bit -> lattice attack will show privatekey what can we deduct? lattice attack is only bounded result depends the range of privatekeys. second problem "if you will use" CVP againts SVP you will be have another values. hi You was show some yours results of finding privkey. i apologise you maybe has more knolage then others. But, no codes for test, and fxsniper , me, and other peoples try and has no results.... so lattice "attack" waste of time for 90% of pioples. show working code for continue talk...
|
[
|
|
|
BHWallet
Newbie
Offline
Activity: 62
Merit: 0
|
|
September 03, 2022, 11:07:52 PM |
|
Can someone post a working python script for basic lattice attack? Thanks
|
|
|
|
BHWallet
Newbie
Offline
Activity: 62
Merit: 0
|
|
September 04, 2022, 05:44:50 PM |
|
Firstly if you are talking about lattice attack please be very carefully with definition ot this type attack:) becouse there is no one "definition" for lattice attack.
That's true, but GitHub repository of this tool ( lattice-attack) already state what kind of attack it perform. It uses linear matrices and lattice basis reduction to solve a Shortest Vector Problem from a Hidden Number Problem.
Can someone post a working python script for basic lattice attack? Thanks
If you mean working script besides lattice-attack which mentioned by OP, i only can suggest script from this blog https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/. Did you even read this thread buddy? Both no working OP script and the article you shared is already there and it's useless. Still waiting for working script...thanks in advance!
|
|
|
|
PrivatePerson
Member
Offline
Activity: 174
Merit: 12
|
|
September 04, 2022, 06:56:05 PM |
|
--snip--
gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain. gen_data.py generate real data. By real, i mean valid ECDSA data. If you want to use own data, you should run gen_data.py and see it's output JSON file to know format data accepted by this tool. I don't understand how it knows which address I want to attack? python3 gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 8 -t MSB -n 50 There are many addresses in the blockchain in 100+ transactions, how to check them for weak bits using this attack? I collected 1000+ rsz from one address, is it possible to use it? P.S.Sorry for my english, it's very difficult for me to translate.
|
|
|
|
garlonicon
|
|
September 05, 2022, 04:33:40 AM |
|
I don't understand how it knows which address I want to attack? It doesn't. All things are executed locally. All keys are random and all private keys are known. If you want to attack real keys, you have to change that code, because it is only an example, where all private keys are first generated, and then limited to some range. Then, this generator only can show you that the attack works in practice: for locally generated keys, it can find a solution. If you want to attack for example 120-bit key, then you have to modify that code. For example I tried using 120-bit "z/r" and 120-bit "r/s". Then, from 120-bit puzzle key, I've got 240-bit nonces. If you add N-bit number with N-bit number, the result has N+1 bits. If you multiply N-bit number by M-bit number, you can get M+N bits. By combining those two rules, your nonces could have: "(bit(119)+bit(119))*bit(120)=bit(120)*bit(120)=bit(240)". Then, after checking 100 random signatures that are guaranteed to have no more than 240 bits, you can see that it doesn't work. It is not random enough. It would work if you could use some 120-bit key, add some 256-bit value, multiply it by another 256-bit value, and somehow reach 240-bit value. But as it is not the case, the randomness in "z/r" and "r/s" is not sufficient to recover any key in that way, because both added and multiplied values are not random enough.
|
|
|
|
BHWallet
Newbie
Offline
Activity: 62
Merit: 0
|
|
September 12, 2022, 10:41:52 AM |
|
I don't understand how it knows which address I want to attack? It doesn't. All things are executed locally. All keys are random and all private keys are known. If you want to attack real keys, you have to change that code, because it is only an example, where all private keys are first generated, and then limited to some range. Then, this generator only can show you that the attack works in practice: for locally generated keys, it can find a solution. If you want to attack for example 120-bit key, then you have to modify that code. For example I tried using 120-bit "z/r" and 120-bit "r/s". Then, from 120-bit puzzle key, I've got 240-bit nonces. If you add N-bit number with N-bit number, the result has N+1 bits. If you multiply N-bit number by M-bit number, you can get M+N bits. By combining those two rules, your nonces could have: "(bit(119)+bit(119))*bit(120)=bit(120)*bit(120)=bit(240)". Then, after checking 100 random signatures that are guaranteed to have no more than 240 bits, you can see that it doesn't work. It is not random enough. It would work if you could use some 120-bit key, add some 256-bit value, multiply it by another 256-bit value, and somehow reach 240-bit value. But as it is not the case, the randomness in "z/r" and "r/s" is not sufficient to recover any key in that way, because both added and multiplied values are not random enough. Can you share your modified code?
|
|
|
|
garlonicon
|
Here is my modified version of "gen_data.py": #!/usr/bin/env python3
# Random demo data generator for Lattice ECDSA Attack # Copyright (C) 2021 Antoine Ferron - BitLogiK # # This program is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # You should have received a copy of the GNU General Public License # along with this program. If not, see <https://www.gnu.org/licenses/>. #
import argparse import random import json
import ecdsa_lib
from fpylll import LLL, BKZ, IntegerMatrix
def reduce_lattice(lattice, block_size=None): if block_size is None: return LLL.reduction(lattice) return BKZ.reduction( lattice, BKZ.Param( block_size=block_size, strategies=BKZ.DEFAULT_STRATEGY, auto_abort=True, ), )
def test_result(mat, target_pubkey, curve): mod_n = ecdsa_lib.curve_n(curve) for row in mat: candidate = row[-2] % mod_n if candidate > 0: cand1 = candidate cand2 = mod_n - candidate if target_pubkey == ecdsa_lib.privkey_to_pubkey(cand1, curve): return cand1 if target_pubkey == ecdsa_lib.privkey_to_pubkey(cand2, curve): return cand2 return 0
def build_matrix(sigs, curve, num_bits, bits_type, hash_val): num_sigs = len(sigs) n_order = ecdsa_lib.curve_n(curve) curve_card = 2 ** ecdsa_lib.curve_size(curve) lattice = IntegerMatrix(num_sigs + 2, num_sigs + 2) kbi = 2 ** num_bits inv = ecdsa_lib.inverse_mod if hash_val is not None: hash_i = hash_val if bits_type == "LSB": for i in range(num_sigs): lattice[i, i] = 2 * kbi * n_order if hash_val is None: hash_i = sigs[i]["hash"] lattice[num_sigs, i] = ( 2 * kbi * ( inv(kbi, n_order) * (sigs[i]["r"] * inv(sigs[i]["s"], n_order)) % n_order ) ) lattice[num_sigs + 1, i] = ( 2 * kbi * ( inv(kbi, n_order) * (sigs[i]["kp"] - hash_i * inv(sigs[i]["s"], n_order)) % n_order ) + n_order ) else: # MSB for i in range(num_sigs): lattice[i, i] = 2 * kbi * n_order if hash_val is None: hash_i = sigs[i]["hash"] lattice[num_sigs, i] = ( 2 * kbi * ((sigs[i]["r"] * inv(sigs[i]["s"], n_order)) % n_order) ) lattice[num_sigs + 1, i] = ( 2 * kbi * ( sigs[i]["kp"] * (curve_card // kbi) - hash_i * inv(sigs[i]["s"], n_order) ) + n_order ) lattice[num_sigs, num_sigs] = 1 lattice[num_sigs + 1, num_sigs + 1] = n_order return lattice
MINIMUM_BITS = 4 RECOVERY_SEQUENCE = [None, 15, 25, 40, 50, 60] SIGNATURES_NUMBER_MARGIN = 1.03
def minimum_sigs_required(num_bits, curve_name): curve_size = ecdsa_lib.curve_size(curve_name) return int(SIGNATURES_NUMBER_MARGIN * 4 / 3 * curve_size / num_bits)
def recover_private_key( signatures_data, h_int, pub_key, curve, bits_type, num_bits, loop ):
# Is known bits > 4 ? # Change to 5 for 384 and 8 for 521 ? if num_bits < MINIMUM_BITS: print( "This script requires fixed known bits per signature, " f"and at least {MINIMUM_BITS}" ) return False
# Is there enough signatures ? n_sigs = minimum_sigs_required(num_bits, curve) if n_sigs > len(signatures_data): print("Not enough signatures") return False
loop_var = True while loop_var: sigs_data = random.sample(signatures_data, n_sigs)
lattice = build_matrix(sigs_data, curve, num_bits, bits_type, h_int)
for effort in RECOVERY_SEQUENCE: lattice = reduce_lattice(lattice, effort) res = test_result(lattice, pub_key, curve) if res: return res loop_var = loop if loop: print("One more try")
return 0
def lattice_attack_cli(file_name, loop): try: with open(file_name, "r") as fdata: data = json.load(fdata) except FileNotFoundError: print(f"Data file '{file_name}' was not found.") return except IOError: print(f"Data file {file_name} can't be accessed.") return except json.JSONDecodeError: print("Data file content is not JSON compatible.") return message = data.get("message") if message: hash_int = ecdsa_lib.sha2_int(bytes(message)) else: hash_int = None # Signal to use a hash per sig, sig data curve_string = data["curve"] data_type = data["known_type"] known_bits = data["known_bits"] signatures = data["signatures"] q_target = data["public_key"] if not ecdsa_lib.check_publickey(q_target, curve_string): print( f"Public key data invalid, not on the given {curve_string.upper()} curve." ) return if loop: print("Will shuffle loop until the key found.") result = recover_private_key( signatures, hash_int, q_target, curve_string, data_type, known_bits, loop ) if result: return result return 0
def get_p_value(): return 115792089237316195423570985008687907853269984665640564039457584007908834671663
def add_point(px,py,qx,qy): if(px==qx): return double_point(px,py) p_value=get_p_value() almost_inverse=qx-px+p_value almost_second=qy-py+p_value almost_c=(almost_second*ecdsa_lib.inverse_mod(almost_inverse,p_value)) c=almost_c%p_value rx=((c*c)+(2*p_value)-(px+qx))%p_value ry=(c*(px-rx+p_value)+p_value-py)%p_value return [rx,ry]
def double_point(px,py): p_value=get_p_value() triple_px_square=3*px*px double_py=2*py inverse_double_py=ecdsa_lib.inverse_mod(double_py,p_value) c=(triple_px_square*inverse_double_py)%p_value c_square=(c*c)%p_value minus_2_px=(2*(p_value-px))%p_value rx=(c_square+minus_2_px)%p_value ry=(c*(px-rx+p_value)+p_value-py)%p_value return [rx,ry]
def multiply_point(px,py,number): has_final_point=False final_point=[0,0] added_point=[px,py] while(number!=0): if(number%2!=0): if not has_final_point: final_point=added_point has_final_point=True else: final_point=add_point(final_point[0],final_point[1],added_point[0],added_point[1]) number=number//2 added_point=double_point(added_point[0],added_point[1]) return final_point
def generates_signatures(curve): puzzle120=int("00000000000000000000000000000000007fffffffffffffffffffffffffffff",16) known_bits=16 n_value=ecdsa_lib.curve_n(curve) Q_point=[93499419120076195219278579763555015417347613618260420189054155605804414805552,19494200143356336257404688340550956357466777176798681646526975620299854296492] sigs = [] for index in range(100): binaryIndex=(index*2).to_bytes(32,'big') binaryIndex2=(index*2+1).to_bytes(32,'big') hashedIndex=ecdsa_lib.sha2_int(binaryIndex) hashedIndex2=ecdsa_lib.sha2_int(binaryIndex2) #print(binaryIndex.hex(),hex(hashedIndex)) #print(binaryIndex2.hex(),hex(hashedIndex2)) z_value_with_r=(hashedIndex%puzzle120) #random.randrange(puzzle120) added_point=ecdsa_lib.privkey_to_pubkey(z_value_with_r,curve) final_point=add_point(Q_point[0],Q_point[1],added_point[0],added_point[1]) r_value_with_s=(hashedIndex2%puzzle120) #random.randrange(puzzle120) print(hex(z_value_with_r),hex(r_value_with_s)) R_point=multiply_point(final_point[0],final_point[1],r_value_with_s) r_value=R_point[0] s_value_with_r=ecdsa_lib.inverse_mod(r_value_with_s,n_value) s_value=(s_value_with_r*r_value)%n_value z_value=(z_value_with_r*r_value)%n_value sigs.append( { "r": r_value, "s": s_value, "kp": 0, "hash": z_value } ) ret = { "curve": curve.upper(), "public_key": Q_point, "known_type": "MSB", "known_bits": known_bits, "signatures": sigs, } return ret
if __name__ == "__main__": curve="secp256k1" n_value=ecdsa_lib.curve_n(curve) sigs_data = generates_signatures(curve) with open("data.json", "w") as fout: json.dump(sigs_data, fout) ''' d_value=lattice_attack_cli("data.json", False) if(d_value==0): print("failed") else: r_value=sigs_data["signatures"][0]["r"] s_value=sigs_data["signatures"][0]["s"] z_value=sigs_data["signatures"][0]["hash"] rd_value=(r_value*d_value)%n_value rd_plus_z_value=(rd_value+z_value)%n_value inverted_s_value=ecdsa_lib.inverse_mod(s_value,n_value) k_value=(rd_plus_z_value*inverted_s_value)%n_value print("privkey:",hex(k_value)) ''' Of course, this code is messy, and it contains things like commented-out code, and some testing code from previous steps. And it is a raw dump of what I left a few months ago. And the most important thing is that it doesn't work, so it should be modified to be usable. But this is what I left before switching to other stuff, because my conclusion was that I need more mathematical knowledge to properly find out, why it fails.
|
|
|
|
|