Topic: lattice-attack || how to run without error - page 2. (Read 2848 times)

Firstly if you are talking about lattice attack please be very carefully with definition ot this type attack:)
becouse there is no one "definition" for lattice attack.

Lattice attack can be used only then if we define what we want to take as result. WE have a lot of "lattice attack" types like: CVP, SVP Doubled CVP, and of course mysthic "SLE method". 

all of this lattice attack is designed for something to find. YOU CANT USE "codes" and put there r,s,z without some "modification" to algorithm and waiting for good result.

 
here example:

1.) if we have 1 transaction with remarks:
 privatekey up to 128 bit : with nonce up to 128 bit -> lattice attack will show privatekey

2.) if we have 100 transaction with remarks:
 privatekey up to 2**20 bit : with nonce up to 253 bit -> lattice attack will show privatekey

3.) if we have 480 transaction with remarks:
 privatekey up to 2**10 bit : with nonce up to 254 bit -> lattice attack will show privatekey

4.) if we have 10 transaction with remarks:
 privatekey up to 2**200 bit : with nonce up to 240 bit -> lattice attack will show privatekey


what can we deduct? lattice attack is only bounded result depends the range of privatekeys.

second problem "if you will use" CVP againts SVP you will be have another values.

I wanted to say, take the 100 bit puzzle data but show how it works with 256 bit. You can create signatures as there is a private key and explain how this lattice method works in the 256 bit range with examples. 

You can get that quite easily. Just pick any random key and combine it with some mask. For example:
Then, you can pretend that you don't know key100, and simply use "key100*G". If you want to produce N signatures, you can do that first, then hide that private key somewhere, and then try to crack your own key. You will get the same problems that you can get when trying to solve the real puzzle, but you will also have the chance to check if you are close enough or not.

Also note that producing any signature is not enough. Because you can obviously use "z/r" equal to "0bad" and "r/s" equal to "c0de", then you can safely assume that your key will have less than 120 bits. But even if you produce hundreds of such signatures, it won't help you, even if your public key and all of your "signature public key" will have a corresponding private key in 120-bit range. It is just not random enough. But on the other hand, if you will produce two random 120-bit signatures, you will probably recover your key. So, the randomness is the key.

No, because I don't know that yet. Also because I don't think 100-bit keys were broken by lattice attacks. More probably they were beaten by Kangaroo or similar algorithms that don't require valid signatures.

Thanks for the explanation.

Now we could take puzzle 100 data, so we can create enough random signatures as we have the private key. And with these signatures, can you explain how the lattice-method works?

Now I only know basic things, like for example how ECDSA works. Understanding how lattices works is ongoing, I need more time to come up with something useful. All what I already know is based on ECDSA properties. For example, if you have a public key, then you can add or subtract any number or public key, or you can multiply and divide it by any known number. And based on that I know that any signature is just a relation between the public key and the "signature public key".
So, if you have some public key Q, then you can choose some "(z/r)", and then choose some "(r/s)". Just because:
So, you can first choose some "(z/r)", then choose some "(r/s)", then you will get some "R", so you can convert it into "r" by taking "r=R.x", and then you can reach a valid "(r,s,z)" tuple for a given Q. All values will be random, but it doesn't matter for lattice if you have real data from the real blockchain or not. They are random. And the level of your randomness depends on how random is your picked "(z/r)" and "(r/s)", because it is just a linear transformation of adding some number and multiplying by some number to go from Q to R.

But in general, the properties of ECDSA allows you to pick any "(z/r)" and "(r/s)" values. That means, you can create any lattice you want. And then, the quality of your lattice can decide, if you can recover the keys or not, because if they are not random enough, then you will reach nothing. Trying to solve "x=2y" by adding "2x=4y" just won't work, that's why it should be random enough.

So, as you can see, I know ECDSA relations. But the most useful part is still missing, because I still don't know how to construct a proper lattice that would allow recovering some keys. I tried to use that to recover small keys, but my lattices failed for keys with 8 bits, so something is not right and I still have to dig deeper to produce some general solution for lattices.

yes, absolute waste of time
I try two times and quite

bro,this is waste of time only.

Good idea!

@garlonicon

Because you can explain this lattice method in a full example 

If you want, create a new thread, call it eg Lattice method explained
Take puzzle 100 data (or something else)
Make a step by step explanation in the OP.
People can ask, contribute and you can edit the OP.

Would be cool 

it not works
I try 100 RSZ
but it did not have real LEAK NONCE
so I try to use zero 0 nonces and try fake leak nonce by random number
I do test fake leak nonce by random number 1 bit to 16 bit
all got error
and error loop infinite
it is never work

maybe the script use nonce point in the right direction
when got the wrong nonce, it is an error

work perfectly only with generating data from script
or you can use some brain wallet leak address (yes, you got to know nonce)

you need a mathematician who can use this lattice attack

I think for lattice attack is interesting
but you need to develop to advance to use it
or maybe focus on one pubkey specific
first, need to develop to can used without leak nonnce

if want to use lattice attack, you need to understand in math of this method
for me too much advance for understanding

this lattice-attack research developer tells already in the video present if they succeed will be rich but if not success here they are present research paper to you know here

just idea impossible you can try using fake nonce random continue until meet but how to know correct leak nonce each
develop some script auto-generate fake nonce and run it loop until found but it needs minimum 100 rsz

kangaroo may be possible and better just need to new way walk to meet key fast

this is real work  ? i was try but unsoccesful.

Can you show real example ?

use JSON Formatter, JSON Beautifier from only
upload data.json to read easy

modify
json.dump(sigs_data, fout)
to
json.dump(sigs_data, fout, indent=3)

add RSZ yourself to replace generated RSZ
you need more than 100 RSZ to calculate
RSZ without leak nonce is useless
try fake nonce leak bit or zero bit is making script error with some loop error
try to use real from some brainwallet (yes we know both private key and nonce)

I confirm gen_data.py generate real data. it is the same real RSZ from a real transaction
example  Huobi-wallet   1HckjUpRGcrrRAtFaaCAUaGjsPx9oYmLaZ  million of RSZ
script do same confirm


just put your own RSZ to JSON format the same  gen_data.py generate data.json

you can use JSON format tools to read JSON data easy
or modify gen_data.py to dump JSON data with indent options will help to read JSON format easy

1. easy manual add, put your own RSZ only by one done.
2. do yourself made script read RSZ and write to JSON format

gen_data.py - as I understand it generates not real data. I want to insert my rsz (r,s, nonce - if I understood correctly) values collected from the blockchain.

I lost my scrypt for collect rsz, I try find it and message additionaly were

Maybe, Are you have any script for collecting thousands rsz?
but the problem is it is a 256-bit key not easy and it needs to develop high advance to do
maybe try a test with some brainwallets

but I would like to understand lattice first and how BKZ reduction: block size = 15 , it is works
can possibly use million block size or brute force it
I would like to try to modify the lattice-like use of kangaroo with collision
if not yet understand how it works, can not use it.

you try on real rsz from bitcoin blockchain ?

What is this BKZ reduction : block size = 15
I test with 4-bit leak nonce and signature between 50-90 set
many key losses and some key can calculate with BKZ reduction : block size = 15 and next untile con recover (some)

White box attacks, which those papers are about means the attacker is in full control of the computer that actually does the generation of the signature, and can measure timing and program flow during the generation of the signature. This is completely irrelevant to lattice attacks on weak nonces.

 

i not undertand this formulas, code too unfortunately.

Bro, provide any proof of work of your codes ? on github 1000+ attacks but they not work on real data.

generate sighs for this pub and find a key ?

04e36a3452c8921ea9e093ebb94f544cab434abadd796566280e05d5ae22fad6a2017cfa0647d6e 458b12848c03fac10e3c44ecf3911dc2f2da90afc1ccf36f9f9

?

---

@ecdsa123, help me in this thread pls ?

https://bitcointalksearch.org/topic/dividing-pubkey-for-attack-manual-from-me-5400202

thanks

. Cobras be sure better mathematician than me checked that, and they know that is useless.