Lattice Attack Public Key Conversion

[krashfire]

Hi everyone..

1) I tried putting in my given public key.. but the output returns as invalid. am i suppose to convert the raw given public key in a bitcoin transaction before using lattice? what shoud i convert it to?

2) If all i had is the public key, can the lattice attack program still work?

3)if i must give the r,s,kp values besides the public key, which website gives very technical details of a bitcoin transaction? i know 2coins is now defunct. is there any similar website?

based on https://github.com/bitlogik/lattice-attack

i have read the READ.md but im still not very clear. hence, im here aking you experts.

Thank you so much on your advice.

[1714574770]

1714574770

[stanner.austin]

Hello
lattice-attack need public key = coordinates.
if public is is compressed(02 or 03 in starting) you have to decompress it and use x/y coordinates of them.
You don't need 6000 signatures its depend on leaked bit lowest bit leak is 4 need 100 signatures .

ps: i prefer to answer public instead of private unless its too sensitive information.

[ABCbits]

3)if i must give the r,s,kp values besides the public key, which website gives very technical details of a bitcoin transaction? i know 2coins is now defunct. is there any similar website?

Not website, but you can use this script https://github.com/iceland2k14/rsz. I tested it for few minutes and it works without any problem.

Code:

$ git clone https://github.com/iceland2k14/rsz
$ cd rsz
$ python3 getz_input.py -txid 27d47157ee0557db28e8a28e6295cab69ee409d2eb642172e2a86091c5e173d0

Starting Program...
====================================================================== 
[Input Index #: 0]
     R: 3d9bc5aec4e53f59b03bc4866453a94b673e99f67bd69d2915a39964d4918a98
     S: 28637de6101936def68c0cfd831c7a73227b8ba7ef1c70ddba6e69d2e628775a
     Z: f3612c362cf925c4dc902957353454bf04bdcc3e874372800a8e69f6daa7a19f
PubKey: 031ca4aa8c1bec706e817e9d74b356bcab13625061c541052ddd9e6352cba6911e

But take note this script doesn't support Witness data, so you can't use it to get R/S/Z value from Bech32 address and SegWit wrapped on P2SH address.

[krashfire]

3)if i must give the r,s,kp values besides the public key, which website gives very technical details of a bitcoin transaction? i know 2coins is now defunct. is there any similar website?

Not website, but you can use this script https://github.com/iceland2k14/rsz. I tested it for few minutes and it works without any problem.

Code:

$ git clone https://github.com/iceland2k14/rsz
$ cd rsz
$ python3 getz_input.py -txid 27d47157ee0557db28e8a28e6295cab69ee409d2eb642172e2a86091c5e173d0

Starting Program...
====================================================================== 
[Input Index #: 0]
     R: 3d9bc5aec4e53f59b03bc4866453a94b673e99f67bd69d2915a39964d4918a98
     S: 28637de6101936def68c0cfd831c7a73227b8ba7ef1c70ddba6e69d2e628775a
     Z: f3612c362cf925c4dc902957353454bf04bdcc3e874372800a8e69f6daa7a19f
PubKey: 031ca4aa8c1bec706e817e9d74b356bcab13625061c541052ddd9e6352cba6911e

But take note this script doesn't support Witness data, so you can't use it to get R/S/Z value from Bech32 address and SegWit wrapped on P2SH address.

Mine is a P2SH address. yes i have this program. it doesnt work on my P2SH address. is there any other website or script u can recommend specifically for P2SH addresses?

[BHWallet]

Can anyone explain in a more simple way how to run this lattice attack? Thanks

[CrunchyF]

Can anyone explain in a more simple way how to run this lattice attack? Thanks

Yes if you want i can try to resume the  lattice attack in a simple way but i have to know what sort of leakage in the nonce of the signature  are you attempt in the signatures you want to attack?

-a small nonce for ex a nonce between 1 to 2^128  instead of 1 to 2^256 like this :

000000000000000000000000000000003fc87113fa3119661528d1ead67fd97c
00000000000000000000000000000000c9b514fe70e73b4762e893ad7fa927b9
00000000000000000000000000000000bccd31a9026c3b39220ab2d185b40800
0000000000000000000000000000000075c73909c9d056ec09c5394ebd043364
00000000000000000000000000000000a86b35d428b45d48be1b4995c8c8b4ad
00000000000000000000000000000000b08ad648ce95649a0d893e7d7b596503
...

-a leakage in the MSB or LSB of signatures (for ex you know the first 8 bits of the nonce value)

8798269c708d7cdcf5c8d81a3e6e5f8770dbfaebfd0130e70bd4cf1ecf8adbd1
08a31e897638a5bf4c3adc3daaaf3d8f1241b30ac46fea3e0f154547b01380df
51bf53e79da24d83649ff8396cfb81b6c02d4c6a65776d40217c7b8b66cf6000
d279f11b49061bc8c804ceea19327956beaaf16b84383a10df39db88e457f993
44159fa36129f20e644542b83c8bd8b5eb22a1bd78bdc2787c0de106b20962c5
be46afb29211a3a68149533eaaecd2b817d7fe3584085fbe329ac8751bffe703

it assumes that you know the bold value before performing the attack


-a weak generation of nonce with fixed bits for ex the 16th bytes of the  nonce have always  the value "FD" (you don't have to know what value but only that the bits at a fixed position are always the same).

f62a05c0e4fab585df2a0e020e87b62fdbfc6112306de89c2e692ac22c34a412
c357830e65c5a66c63152c51911e0a3fdbd4dd208d990a661b3fc0efa951c208
884299a0e2f15bb800ac4139bb4892afd22a141456d399d0c2ed8250e2683036
3cd1ab221edf28805abef9b0a44d05cfdc1d3d43896d062d96ae5a65499d092c
5fe0366612732cada1caac8e2d71277fd94f2abd74e0fa0042786c30695a756d
6c79fe6d34c51e311c356fec4a290d7fd7fe27c9f776c172a965a9b8e7f0f9da

with a little trick this last attack can be really powerful because you don't have to know where the fixed bits are

[COBRAS]

--snip--

But take note this script doesn't support Witness data, so you can't use it to get R/S/Z value from Bech32 address and SegWit wrapped on P2SH address.

Mine is a P2SH address. yes i have this program. it doesnt work on my P2SH address. is there any other website or script u can recommend specifically for P2SH addresses?

I'm not aware of tool which can parse signature and get R,S,Z automatically from P2SH address. After P2SH address could do LOTS of things such as P2WPKH-in-P2SH, P2WSH-in-P2SH, multi signature or even custom puzzle challenge. I know there's set of Bitcoin cryptography tool https://github.com/demining/CryptoDeepTools, but i never try it myself.

His soft work only with his DEMO SIGHNATURES ONLY !!!! WE ARE BUY HIS SOFT AND KNOW WHAT TALK ABOUT !!!!

[COBRAS]

Can anyone explain in a more simple way how to run this lattice attack? Thanks

Yes if you want i can try to resume the  lattice attack in a simple way but i have to know what sort of leakage in the nonce of the signature  are you attempt in the signatures you want to attack?

-a small nonce for ex a nonce between 1 to 2^128  instead of 1 to 2^256 like this :

000000000000000000000000000000003fc87113fa3119661528d1ead67fd97c
00000000000000000000000000000000c9b514fe70e73b4762e893ad7fa927b9
00000000000000000000000000000000bccd31a9026c3b39220ab2d185b40800
0000000000000000000000000000000075c73909c9d056ec09c5394ebd043364
00000000000000000000000000000000a86b35d428b45d48be1b4995c8c8b4ad
00000000000000000000000000000000b08ad648ce95649a0d893e7d7b596503
...

-a leakage in the MSB or LSB of signatures (for ex you know the first 8 bits of the nonce value)

8798269c708d7cdcf5c8d81a3e6e5f8770dbfaebfd0130e70bd4cf1ecf8adbd1
08a31e897638a5bf4c3adc3daaaf3d8f1241b30ac46fea3e0f154547b01380df
51bf53e79da24d83649ff8396cfb81b6c02d4c6a65776d40217c7b8b66cf6000
d279f11b49061bc8c804ceea19327956beaaf16b84383a10df39db88e457f993
44159fa36129f20e644542b83c8bd8b5eb22a1bd78bdc2787c0de106b20962c5
be46afb29211a3a68149533eaaecd2b817d7fe3584085fbe329ac8751bffe703

it assumes that you know the bold value before performing the attack


-a weak generation of nonce with fixed bits for ex the 16th bytes of the  nonce have always  the value "FD" (you don't have to know what value but only that the bits at a fixed position are always the same).

f62a05c0e4fab585df2a0e020e87b62fdbfc6112306de89c2e692ac22c34a412
c357830e65c5a66c63152c51911e0a3fdbd4dd208d990a661b3fc0efa951c208
884299a0e2f15bb800ac4139bb4892afd22a141456d399d0c2ed8250e2683036
3cd1ab221edf28805abef9b0a44d05cfdc1d3d43896d062d96ae5a65499d092c
5fe0366612732cada1caac8e2d71277fd94f2abd74e0fa0042786c30695a756d
6c79fe6d34c51e311c356fec4a290d7fd7fe27c9f776c172a965a9b8e7f0f9da

with a little trick this last attack can be really powerful because you don't have to know where the fixed bits are

Good Day. How to detect P2SH transaction then parsing transaction hash?
p.s. your answer is good. You first man on phoroom who know something about lattice... regsrd

[MisterCooper]

--snip--

I know there's set of Bitcoin cryptography tool https://github.com/demining/CryptoDeepTools, but i never try it myself.

His soft work only with his DEMO SIGHNATURES ONLY !!!! WE ARE BUY HIS SOFT AND KNOW WHAT TALK ABOUT !!!!

I don't know about other part of the script, but i can run script to get R,S,Z from arbitrary raw transaction hex. Here are the steps to run the script,

Code:

$ git clone https://github.com/demining/CryptoDeepTools
$ cd CryptoDeepTools/02BreakECDSAcryptography/
$ python2 -m pip install -r requirements.txt
$ python2 cat breakECDSA.py [RAW TX HEX]

Example on raw TX, where all input is P2PKH[1].

Code:

$ python2 breakECDSA.py 0100000001f65499107b1714a70409c528d4ca2214516dd62005ddac99848cf55350fe75f1000000006b483045022100c27f019f3112e3dbf4f067e057d6b20e9a5bb847f47e65ba7769bf62eb5192a5022070c77e2c0b3570594e5aec0166b3a08b958d0aedde8d07e917ee9831641a3cc801210369e03e2c91f0badec46c9c903d9e9edae67c167b9ef9b550356ee791c9a40896ffffffff0249e36002000000001976a9149f21a07a0c7c3cf65a51f586051395762267cdaf88ace0aa1500000000001976a91421937d90affbc4161261cfc5e70380d79c39434988ac00000000
R = 0xc27f019f3112e3dbf4f067e057d6b20e9a5bb847f47e65ba7769bf62eb5192a5
S = 0x70c77e2c0b3570594e5aec0166b3a08b958d0aedde8d07e917ee9831641a3cc8
Z = 0x761ef44d70339fdccd39673c3a1eec03b9fa0481fb1b30bf43c77dca4de44d2d

PUBKEY = 0369e03e2c91f0badec46c9c903d9e9edae67c167b9ef9b550356ee791c9a40896

======================================================================

But this script doesn't work on P2WPKH[2] or P2WPKH-in-P2SH[3] input, so it's not useful for OP use case though.

Code:

$ python2 breakECDSA.py 020000000001015a7130573012f88d469fe96fe3feb0df66118bd459a10d1fda7ed08dcaea6bbd0100000000fdffffff02e0604b00000000001600145c9dac79b08e617da2de963a041a464e4c49679a0734124400000000160014f60834ef165253c571b11ce9fa74e46692fc5ec102483045022100914440a21cfff72ad3cfc48927fccd78600046d7c02d4e756f1c44f5cd0be08d022002f03e397c7c5ac6fde1815ddefde2972ec383bbf476d2bfd4721a974b51be290121026e5628506ecd33242e5ceb5fdafe4d3066b5c0f159b3c05a621ef65f177ea28600000000
Traceback (most recent call last):
  File "breakECDSA.py", line 10, in <module>
    m = txnUtils.parseTxn(tx)
  File "../CryptoDeepTools/02BreakECDSAcryptography/txnUtils.py", line 37, in parseTxn
    sigLen = int(script[0:2], 16)
ValueError: invalid literal for int() with base 16: ''
$ python2 breakECDSA.py 010000000001022a366de4b96167e42337790043299ac614e0bc05bf8ba340e927d9f3868889af01000000171600147d452b9add3914b1c5c0f88be47898b64c373c4bffffffff1d775117f15b2a9579528bd3cf2fe8c79fa9f8fa1d52cd110bb6fa3dd6caca650a00000017160014537fe4df8143216b1c21872457091a0c458ccd1cffffffff0240420f000000000017a914d732316b111b38ce6ea70906e3a782513aae6bd4873c0602000000000017a914621aa60b0e81cc8bea3ded10387bf825b9e941f187024730440220305cd635d21b95630249f914c48cbb1a7601e4886fc0fc816a64a228d2cc75d3022021b1852fd4e54d096357f9b1c95c04ce5b08528b7d9a9e02c1b89bf552029e71012103eb738067a660c75f78f10bf96ec3bd406d8b3d9520e107a03282bd7d58c23d5f02473044022001ade616cb553ee09bee7f02deed603ebf4fb29825c77e44d2cd61a10df99881022055c22cd77e2aeff7978f02fb087101eacf036d48018fff3ba84b0e2098e7709f012103cea6d75c21cedabb2795496aaf6d0e522b197666feb601ce08eac71f63ded7e500000000
Traceback (most recent call last):
  File "breakECDSA.py", line 10, in <module>
    m = txnUtils.parseTxn(tx)
  File "/home/user/Desktop/CryptoDeepTools/02BreakECDSAcryptography/txnUtils.py", line 37, in parseTxn
    sigLen = int(script[0:2], 16)
ValueError: invalid literal for int() with base 16: ''

[1] https://mempool.space/tx/4747c73ae788b8c00bb87914abd17ebef5c48572aa4642c84f00a6a40820c1d3
[2] https://mempool.space/tx/574df3b2aa53c61701ec3831d72a9e1abcfa8f50dd1c37a98e338c71dc9f80d1
[3] https://mempool.space/tx/9bd507520021888e9cb5b3ce5a6e25892e38de4ecab8690e264b3ab41f995547

You are getting an error because you have not installed Python 2.7
Do the following commands:

Code:

git clone https://github.com/demining/CryptoDeepTools.git

cd CryptoDeepTools/02BreakECDSAcryptography/

sudo apt install python2-minimal

wget https://bootstrap.pypa.io/pip/2.7/get-pip.py

sudo python2 get-pip.py

pip2 install -r requirements.txt

Run the script next!

[bjpark]

Can anyone explain in a more simple way how to run this lattice attack? Thanks

Yes if you want i can try to resume the  lattice attack in a simple way but i have to know what sort of leakage in the nonce of the signature  are you attempt in the signatures you want to attack?

-a small nonce for ex a nonce between 1 to 2^128  instead of 1 to 2^256 like this :

000000000000000000000000000000003fc87113fa3119661528d1ead67fd97c
00000000000000000000000000000000c9b514fe70e73b4762e893ad7fa927b9
00000000000000000000000000000000bccd31a9026c3b39220ab2d185b40800
0000000000000000000000000000000075c73909c9d056ec09c5394ebd043364
00000000000000000000000000000000a86b35d428b45d48be1b4995c8c8b4ad
00000000000000000000000000000000b08ad648ce95649a0d893e7d7b596503
...

-a leakage in the MSB or LSB of signatures (for ex you know the first 8 bits of the nonce value)

8798269c708d7cdcf5c8d81a3e6e5f8770dbfaebfd0130e70bd4cf1ecf8adbd1
08a31e897638a5bf4c3adc3daaaf3d8f1241b30ac46fea3e0f154547b01380df
51bf53e79da24d83649ff8396cfb81b6c02d4c6a65776d40217c7b8b66cf6000
d279f11b49061bc8c804ceea19327956beaaf16b84383a10df39db88e457f993
44159fa36129f20e644542b83c8bd8b5eb22a1bd78bdc2787c0de106b20962c5
be46afb29211a3a68149533eaaecd2b817d7fe3584085fbe329ac8751bffe703

it assumes that you know the bold value before performing the attack


-a weak generation of nonce with fixed bits for ex the 16th bytes of the  nonce have always  the value "FD" (you don't have to know what value but only that the bits at a fixed position are always the same).

f62a05c0e4fab585df2a0e020e87b62fdbfc6112306de89c2e692ac22c34a412
c357830e65c5a66c63152c51911e0a3fdbd4dd208d990a661b3fc0efa951c208
884299a0e2f15bb800ac4139bb4892afd22a141456d399d0c2ed8250e2683036
3cd1ab221edf28805abef9b0a44d05cfdc1d3d43896d062d96ae5a65499d092c
5fe0366612732cada1caac8e2d71277fd94f2abd74e0fa0042786c30695a756d
6c79fe6d34c51e311c356fec4a290d7fd7fe27c9f776c172a965a9b8e7f0f9da

with a little trick this last attack can be really powerful because you don't have to know where the fixed bits are

Good Day. How to detect P2SH transaction then parsing transaction hash?
p.s. your answer is good. You first man on phoroom who know something about lattice... regsrd

f62a05c0e4fab585df2a0e020e87b62fdbfc6112306de89c2e692ac22c34a412
c357830e65c5a66c63152c51911e0a3fdbd4dd208d990a661b3fc0efa951c208
884299a0e2f15bb800ac4139bb4892afd22a141456d399d0c2ed8250e2683036
3cd1ab221edf28805abef9b0a44d05cfdc1d3d43896d062d96ae5a65499d092c
5fe0366612732cada1caac8e2d71277fd94f2abd74e0fa0042786c30695a756d
6c79fe6d34c51e311c356fec4a290d7fd7fe27c9f776c172a965a9b8e7f0f9da

Does the value containing the fd character mean the private key value of the R value in the R, S, and Z values?

[Kpot87]

No, its k_nonce value from witch you received R

[GR Sasa]

Hello guys,

Lets take Satoshies old mined addresses, they have public key exposed.

PubKey: 0405f818748aecbc8c67a4e61a03cee506888f49480cf343363b04908ed51e25b9615f244c38311 983fb0f5b99e3fd52f255c5cc47a03ee2d85e78eaf6fa76bb9d

is there a way to perform this trick to attack/try to get the private key of one of Satoshies mined old address using the his public key?

if yes, i would like for someone to  give me a example using the public key given above.

Thanks.

[ymgve2]

If there was a way, Satoshi's coins would have been gone already.