Bitcoin Forum
May 06, 2024, 11:19:12 AM *
News: Latest Bitcoin Core release: 27.0 [Torrent]
 
   Home   Help Search Login Register More  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Private key recovery with 120 bit nonce leakage possible?
Pages: [1]
« previous topic next topic »
  Print  
Author Topic: Private key recovery with 120 bit nonce leakage possible?  (Read 134 times)
stilichovandal (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 5


View Profile
April 26, 2024, 12:59:33 AM
 #1
Hi,

I have a hypothetical scenario where I know precisely 120 bits (out of 256) of the nonce used to create the signature for a transaction.

There is only one transaction available.


Is it possible to recover the recover the private key for this?

I assume that a lattice attack is not possible as we need more than one signature; what other possible attacks are available in this scenario?
1714994352
Hero Member
*
Offline Offline

Posts: 1714994352

View Profile Personal Message (Offline)

Ignore
1714994352
1714994352
Reply with quote  #2
1714994352
Report to moderator
The Bitcoin network protocol was designed to be extremely flexible. It can be used to create timed transactions, escrow transactions, multi-signature transactions, etc. The current features of the client only hint at what will be possible in the future.
Advertised sites are not endorsed by the Bitcoin Forum. They may be unsafe, untrustworthy, or illegal in your jurisdiction.
1714994352
Hero Member
*
Offline Offline

Posts: 1714994352

View Profile Personal Message (Offline)

Ignore
1714994352
1714994352
Reply with quote  #2
1714994352
Report to moderator
stanner.austin
Member
**
Offline Offline

Activity: 67
Merit: 53


View Profile
April 26, 2024, 10:32:45 AM
 #2
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,
stilichovandal (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 5


View Profile
April 26, 2024, 12:46:44 PM
 #3
Quote from: stanner.austin on April 26, 2024, 10:32:45 AM
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?
jacky19790729
Jr. Member
*
Online Online

Activity: 56
Merit: 8


View Profile
April 26, 2024, 05:25:13 PM
 #4
Quote from: stilichovandal on April 26, 2024, 12:46:44 PM
Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known
stilichovandal (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 5


View Profile
April 26, 2024, 07:28:51 PM
 #5
Quote from: jacky19790729 on April 26, 2024, 05:25:13 PM
Quote from: stilichovandal on April 26, 2024, 12:46:44 PM
Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?

If you have only one signatures
I think the same difficulty as Puzzle #136 but with public key had known



I should have been clearer. Yes, I have the signature and associated public key used to sign the message.
cassondracoffee
Newbie
*
Offline Offline

Activity: 11
Merit: 0


View Profile
April 26, 2024, 08:17:46 PM
 #6
Quote from: stilichovandal on April 26, 2024, 12:46:44 PM
Quote from: stanner.austin on April 26, 2024, 10:32:45 AM
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?
How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh
stilichovandal (OP)
Newbie
*
Offline Offline

Activity: 28
Merit: 5


View Profile
April 26, 2024, 10:19:14 PM
 #7
Quote from: cassondracoffee on April 26, 2024, 08:17:46 PM
Quote from: stilichovandal on April 26, 2024, 12:46:44 PM
Quote from: stanner.austin on April 26, 2024, 10:32:45 AM
Hello
You can calculate with simple python
int(1.03 * 4 / 3 * 256 / 120)
Result is 2 min need.

Result is tested and can be verify with https://github.com/bitlogik/lattice-attack your self too.

Regards,


Thank you. Yes, I have seen this, and based on the calculation, I need three signatures for the lattice attack.
For the lattice attack to work, I don't need to know the nonce; as long as the bits (120 in this case) are the same for three signatures, it works.

However, in my scenario, I know the 120 bits of nonce.
Eg.
If my nonce is
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F, I know that nonce starts with E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh

The question is, is it possible to get a private key for this?
How do you calculate E036153289470F858562CC4DAA5359 from E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F .what method you are using to calculate this value?
E036153289470F858562CC4DAA5359381246C709F6193B68367727D39D999F8F
E036153289470F858562CC4DAA5359?HuhHuhHuhHuhHuhHuhHuhHuhHuhHuhHuh





not possible to calculate it from the x value ie r.. I have generated r myself and hence I know the actual nonce.
Pages: [1]
  Print  
Bitcoin Forum > Bitcoin > Development & Technical Discussion > Private key recovery with 120 bit nonce leakage possible?
 « previous topic next topic »
 
Jump to:  

Powered by MySQL Powered by PHP Powered by SMF 1.1.19 | SMF © 2006-2009, Simple Machines Valid XHTML 1.0! Valid CSS!