lattice-attack || how to run without error - page 5.

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: bigvito19 on May 16, 2022, 06:46:57 AM

Quote from: COBRAS on May 16, 2022, 06:17:55 AM

Quote from: bigvito19 on May 16, 2022, 06:05:41 AM

I was attempting to use this but did get a lot if errors.

Linck with code and descryption for recovering private key from sighnatures. Code in python for work with 128 bit nonce only:

code: https://asecuritysite.com/ecc/ecd

desryption:

https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/

how to modify code for work with 256 bit sighnatures ?

I already told you to just change lines 17 and 18 to 256 and it will work https://asecuritysite.com/ecc/ecd

k1 = random.randrange(1, pow(2, 256))
k2 = random.randrange(1, pow(2, 256))

private key ot found.

only message"private kwy", but no second message "privatevkey found"

bigvito19

full member

Activity: 706

Merit: 111

Quote from: COBRAS on May 16, 2022, 06:17:55 AM

Quote from: bigvito19 on May 16, 2022, 06:05:41 AM

I was attempting to use this but did get a lot if errors.

Linck with code and descryption for recovering private key from sighnatures. Code in python for work with 128 bit nonce only:

code: https://asecuritysite.com/ecc/ecd

desryption:

https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/

how to modify code for work with 256 bit sighnatures ?

I already told you to just change lines 17 and 18 to 256 and it will work https://asecuritysite.com/ecc/ecd

k1 = random.randrange(1, pow(2, 256))
k2 = random.randrange(1, pow(2, 256))

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: bigvito19 on May 16, 2022, 06:05:41 AM

I was attempting to use this but did get a lot if errors.

Linck with code and descryption for recovering private key from sighnatures. Code in python for work with 128 bit nonce only:

code: https://asecuritysite.com/ecc/ecd

desryption:

https://blog.trailofbits.com/2020/06/11/ecdsa-handle-with-care/

hoe to modify code for work with 256 bit sighnatures ?

bigvito19

full member

Activity: 706

Merit: 111

I was attempting to use this but did get a lot if errors.

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: vjudeu on April 28, 2022, 02:51:31 PM

Quote

but lattice attack fail with "infinite loop in babai"

There are errors in this code, so if it cannot find the private key by using LLL reduction, it will go to other algorithms and will fail. Or there are missing assertions, so some arguments are passed into some algorithms, and you reach things like dividing by zero, in some internal implementation of some other algorithms. That usually happens when you have one tweaked signature instead of having two different signatures.

Quote

Unless both value is random its not working and no way to leak nonce on that case. any idea ?

The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures. They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1.

Bast choice use a sighnatures from 1 transaction but with multiply ouputs. All sighnatures will be with same lenght and z value, bat i not shure all same z sighs is good or bad.

Quote from: COBRAS on April 28, 2022, 04:23:35 PM

Quote from: vjudeu on April 28, 2022, 02:51:31 PM

Quote

but lattice attack fail with "infinite loop in babai"

There are errors in this code, so if it cannot find the private key by using LLL reduction, it will go to other algorithms and will fail. Or there are missing assertions, so some arguments are passed into some algorithms, and you reach things like dividing by zero, in some internal implementation of some other algorithms. That usually happens when you have one tweaked signature instead of having two different signatures.

Quote

Unless both value is random its not working and no way to leak nonce on that case. any idea ?

The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures. They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1.

Bast choice use a sighnatures from 1 transaction but with multiply ouputs. All sighnatures will be with same lenght and z value, bat i not shure all same z sighs is good or bad.

And order p+1,p-1 maybe help too

This is another interistig, I think. All this codes find a PRIVATE KEYS OF EC PUBLICK KEYS !!!:

https://crypto.stackexchange.com/questions/25644/elliptic-curve-brute-forcing

https://crypto.stackexchange.com/questions/6061/discrete-logs-on-elliptic-curve-with-embedding-degree-3-with-the-mov-attack/6071#6071

https://pastebin.com/jGB9sTq8

Need try this codes for secp256k1

This sage code contain all examples hot to modify previous codes for secp256k1

https://github.com/christianlundkvist/blog/blob/master/2020_05_26_secp256k1_twist_attacks/secp256k1_twist_attacks.md

Try someone modify codes, what result you get ?

Please not talk what this codes not work befo try. In any book no info, what if divide 120 publick key to 2^40, you get 2^80 pubkey, and posible to additionaly downgrade 2^40 pubkeys to 2^20 pubkeys. And Zielar, for ex, can hack easy 2^80 pubkey, with 2^20 pubkeys, because hi has money and we are not have. Share any of your result to others in this thread, this knowlage is realy hard, chanses what someone will be more faster then you and get any publick key privkey is very small, but if we are share knolage maybe we get result, and not only blablabla...

Regards

Enother method for finding privkey from professor of cryptography

https://replit.com/@billbuchanan/gomov

Try please modify this code and share results, I cant do all work along !

Br.

Patented scalar multyplication 30% faster then doublevand add

https://ethresear.ch/t/introducing-bandersnatch-a-fast-elliptic-curve-built-over-the-bls12-381-scalar-field/9957

Lattice attack ex, i not try. Try someone ?

Use trick in nonce... Roll Eyes

https://github.com/mimoo/SSL-TLS-ECDSA-timing-attack/blob/master/setup/client/offline/lattice.sage

[moderator's note: consecutive posts merged]

vjudeu

copper member

Activity: 903

Merit: 2248

Quote

but lattice attack fail with "infinite loop in babai"

There are errors in this code, so if it cannot find the private key by using LLL reduction, it will go to other algorithms and will fail. Or there are missing assertions, so some arguments are passed into some algorithms, and you reach things like dividing by zero, in some internal implementation of some other algorithms. That usually happens when you have one tweaked signature instead of having two different signatures.

Quote

Unless both value is random its not working and no way to leak nonce on that case. any idea ?

The randomness is the thing that can feed LLL to produce the key. If you have only one signature (you can always do that, just by starting from one fake random signature), you cannot just tweak that single signature and expect it to behave in the same way as two different signatures. They are still connected, because you only slightly tweaked it, so it looks like trying to solve x=2y equation by adding 2x=4y equation. It will not help you. Also, x+1=2y+1 will not help you either. You need something like x=y+1, then you will know that x=2 and y=1.

stanner.austin

member

Activity: 69

Merit: 53

@garlonicon
Is there any reason why attack fail one of random value is liner ?
For example i used
u =randint(1, N);
v = randint(1, N);
then loop it
u = u +1 keep v same to get LSB of nonce only increasing.
but lattice attack fail with "infinite loop in babai"

Unless both value is random its not working and no way to leak nonce on that case. any idea ?

garlonicon

copper member

Activity: 821

Merit: 1992

Quote

but i don't why you use pseudo random value for z/r and s/r

Because then it can be similar to some real signature in a real transaction. Hash functions are perfect for getting pseudorandom values that has some nice properties. I could use small values like 1,2,3, I could invent values like 1234567890, but hashing something gives you some pseudorandom value, so it is easier to just call some hash function and make it deterministic, than to invent your own way of getting random values. Also, there are just examples, so I don't need truly random numbers and I can just make it pseudorandom. Another reason is that if you want to test things, you can hash small numbers, like SHA-256("1"), and reproduce that easily, without storing all hashes.

CrunchyF

jr. member

Activity: 56

Merit: 26

Hi garlonicon.

Please can u explain this part of your code?

Code:

z/r=SHA-256("120-bit puzzle")=c43bc2e003908850dda3ff2fec69c3028027260ea7eef98746260eb83abe0a18
s/r=SHA-256("garlonicon")=272fc6644fedff1a897d6034bed23f61859e99440ee699033307976590316723

I understand that you calculate a new signature from R = pubkey.x
but i don't why you use pseudo random value for z/r and s/r

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: fxsniper on April 26, 2022, 08:11:49 AM

Quote from: stanner.austin on April 25, 2022, 07:20:30 AM

@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z, leak data need else this attack will not work.
Still, there is no way to leak or know 4 bit even for generated or original signed R.

Thank you I try 4 bit already, I use by command
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t MSB -n 50
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t LSB -n 50

I found some key lattice-attack can not be found the key. lattice-attack can not be found 100%

I think lattice-attack is not worked for solve puzzle

We are just users of lattice, just users use it
if lattice-attack it works I think many mathematics use it for

however, if using lattice-attack should be doing like use Kangaroo solve ECDSA need developer code and apply it a new one

I believe all methods on the internet that publish still can not use for solve puzzle #120
A better method is used generate a key to sample and create new one algorithm that can find key

I develop my own method based on dividing pubkey, but for found root divifer (dividing without float part) needs pubkeys in amount of down range, for ex if down to 40 bit, need 2^40 pubkeys !!

Lattice work, but lattice not most good method, also for ex https://github.com/malb/bdd-predicate

fxsniper

member

Activity: 406

Merit: 47

Quote from: stanner.austin on April 25, 2022, 07:20:30 AM

@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z, leak data need else this attack will not work.
Still, there is no way to leak or know 4 bit even for generated or original signed R.

Thank you I try 4 bit already, I use by command
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t MSB -n 50
python gen_data.py -f data1.json -m "HelloYou" -c SECP256R1 -b 4 -t LSB -n 50

I found some key lattice-attack can not be found the key. lattice-attack can not be found 100%

I think lattice-attack is not worked for solve puzzle

We are just users of lattice, just users use it
if lattice-attack it works I think many mathematics use it for

however, if using lattice-attack should be doing like use Kangaroo solve ECDSA need developer code and apply it a new one

I believe all methods on the internet that publish still can not use for solve puzzle #120
A better method is used generate a key to sample and create new one algorithm that can find key

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: stanner.austin on April 25, 2022, 07:20:30 AM

@ymgve2
To generate fake r,s,z you can use public point and calculate 2 random and add it.
For example G is ecdsa SECP256k1 generator, PublicKey is ecdsa point, N is order

u = randint(1, N)
v = randint(1, N)
r = (u*G+v*PublicKey).x.num % N;
s = r * pow(v, N-2, N) % N
z = u * s % N

Now you have valid r,s,z pair for that public key.

@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z,leak data need else this attack will not work.
Still there is no way to leak or know 4 bit even for generated or original signed R.

I thinnk posible try with MSB OR LSB 0000 OR 0000 0000

Z IS a sighned message, i thin it is in data(i dont remember exact)

garlonicon

copper member

Activity: 821

Merit: 1992

Quote

With that method, you don't know anything about the nonce, since it would be k = u + v*priv and you don't know the private key. So it will not be weak, and useless for lattice attacks.

You are almost right. Almost, because you can try using non-random values and see, what would happen then, and why it can be useful for some attacks.

ymgve2

full member

Activity: 161

Merit: 230

Quote from: stanner.austin on April 25, 2022, 07:20:30 AM

@ymgve2
To generate fake r,s,z you can use public point and calculate 2 random and add it.
For example G is ecdsa SECP256k1 generator, PublicKey is ecdsa point, N is order

u = randint(1, N)
v = randint(1, N)
r = (u*G+v*PublicKey).x.num % N;
s = r * pow(v, N-2, N) % N
z = u * s % N

Now you have valid r,s,z pair for that public key.

@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z,leak data need else this attack will not work.
Still there is no way to leak or know 4 bit even for generated or original signed R.

With that method, you don't know anything about the nonce, since it would be k = u + v*priv and you don't know the private key. So it will not be weak, and useless for lattice attacks.

stanner.austin

member

Activity: 69

Merit: 53

@ymgve2
To generate fake r,s,z you can use public point and calculate 2 random and add it.
For example G is ecdsa SECP256k1 generator, PublicKey is ecdsa point, N is order

u = randint(1, N)
v = randint(1, N)
r = (u*G+v*PublicKey).x.num % N;
s = r * pow(v, N-2, N) % N
z = u * s % N

Now you have valid r,s,z pair for that public key.

@fxsniper
lattice attacks script leak 6 bit when use gen_data.py but you can use 4 bit too its minimum and 100 r,s,z,leak data need else this attack will not work.
Still there is no way to leak or know 4 bit even for generated or original signed R.

fxsniper

member

Activity: 406

Merit: 47

I try to test with private key 120-bit script can fine 120-bit key (just modify the script random number from curve 256bit to random 120 bit)

if like to test with puzzle 120 how to implement to hash (z)

in the sample, file generate data.json have only R and S and 8bit leak nonce
What is the data message at the end file on data.json

it is just for testing (possible not works)

ymgve2

full member

Activity: 161

Merit: 230

Quote from: garlonicon on April 22, 2022, 02:32:47 PM

Quote

Realy ? Generate someonevfakecrsz please forvwalid bupkey, and for ex valid s...

No problem. There are fake r,s,z values for the public key from the Genesis Block:

Quote

Code:

fake_signatures.py 04678afdb0fe5548271967f1a67130b7105cd6a828e03909a67962e0ea1f61deb649f6bc3f4cef38c4f35504e51ec112de5c384df7ba0b8d578a4c702b6bf11d5f
981c008269574d9bb73a2e781270e2163297b3d3ca9645b5e0664ffcbb19e78a,3cc2a888bae4811e75e64e19f2ce668951a3520e93e31a74b4cd4e9ce9508839,ed97aea4f9b66aca0c41ac88c2f0d90ef2ad269af0951ba2b07c70f7d1542b3c
53b9632a4250eb518426a545daa99fc6a72addfcb62714fbe81e269cd9ee39e8,62cbe3cc5eec2cbcbf61793a1d94414b43536c0e9219da703be5f141c46fa364,166db19e268d41b8cb76eedb50c57969635bcce2218b1921df45656a24de751a
a050e9237241c02d17684df9b9039fd707fcecb2fbd9d46af95dfeb6ef1daaa3,5e3bd1a08a7418066e4231adbfa23cc969617bb67f35a5f9a4d1ebae9a196fc7,a20a81207eb5aa382759debfc3ca98d4a3cf85474c9dbb6684dbd5bae3abe58d
9f2e42881a9cd3ddd088ebc77857beb9929c42e76e3b3ab7d1928652d2b731cf,0a4353b1fe7c167d63eaa45aeb23f83d219fd31ca74a17adc84cb18bc3184833,32a9cacbb64e5679eb40dfca1192bccc3db0e19d63d1e68286fe119d7d494c8a
a46f5889983efb70e00927f5afeeb2c4042783ca36525968657e339416a6bd8d,185c697570158909298fb10019d7a3e62ed647e9a6ecd1992f3d3098a498eec9,dcd110dd05f2ef9bb46639b0abe858a545bc61f1cd0e5462f41e7003d5f68bba
8ca48464e4dd3789ec41b83827b93e840471cfce2c8e6349e4087f56c335991f,6fb96292e9a2e5480085d9b8f69bd6aa62cee3b76b090cd5d5e25f8ce253adea,b6b20ab75d2ad6e8e79fe3fdc9e28a66e2a6acecfe87a7f33cb5c3fba1d070d3

Those signatures are only fake, because there is no known transaction that can be hashed to any of this z-value. That's the only reason, but from lattice point of view, they are as good as any real signatures, there is no difference in this attack, because knowing relations between nonces or some bits of private keys or nonces is more important than having a real signature.

So, if you want to break for example puzzle 120, you don't need two real weak signatures. You need two any weak signatures, that are valid from ECDSA point of view, and that will pass lattice attack (because you cannot use for example N and N-1, they are too close and if one signature will be a tweaked version of another one, it will obviously not work). You don't need any real transaction that can be hashed to z-value, because after breaking the private key, you could make it and sign it from scratch.

How did you generate those fake signatures, though? I'm assuming you did some manipulation of an existing signature, which means the new signatures will have a linear relationship with the original and each other, making them useless for lattice attacks. Are they even weak, or does the process generate a completely random unknown nonce?

stanner.austin

member

Activity: 69

Merit: 53

@garlonicon
above example is leak known bit atlast 4 bit need, with min 90 sign else attack will not work.
so each r,s with 0 to 15 (4 bit) need to be test.
each result with 90 sign look like lot of processing power need for this.

if possible to design Matrix to test each 4 bit with each pair of r,s then may be this attack is possible.
but i don't think this possible. is it ?

COBRAS

member

Activity: 873

Merit: 22

$$P2P BTC BRUTE.JOIN NOW ! https://uclck.me/SQPJk

Quote from: fxsniper on April 23, 2022, 12:43:53 AM

I try to learn and understand math
Did I understand correctly?
this script method use leak nonce that generates to recover private key right?
script it not use way collect data from all data from signature with?
this lattice-attack use only one signature with leak 8-bit leak nonce to calculate correctly?
just loop search from 1000 signature until found one can calculate

You have a scrypt with "loop" ? I can provide file rsz sighnatures from any bitcoin afress with outgoin trsnsactions....

litecoin_messiah

sr. member

Activity: 356

Merit: 268

https://youtu.be/RgbrpmJ49r4

Topic: lattice-attack || how to run without error - page 5. (Read 3185 times)