Could There Be an LLL Attack Chance? Noticed Bias in 5 ECDSA Signatures

1 reply 75 views
orbit23Member
Posts: 19 · Reputation: 159
#1Jan 18, 2019, 06:54 PM
Hey folks, I’m still trying to crack a puzzle I found here. Right now, I’m digging into a specific key that could make solving part of the puzzle way easier. This key’s address is empty at the moment, and I’ve gathered 5 valid ECDSA signatures that are linked to it. Here’s what I’ve found I’m really curious if these signatures show enough bias to give a shot at a lattice (LLL) attack with just these 5. === Detailed Breakdown of S Distribution === S in [1, n/4]: 4/5 → 80.00% S in [1, n/8]: 3/5 → 60.00% S in [1, n/16]: 1/5 → 20.00% S in [1, n/32]: 1/5 → 20.00% S in [1, n/64]: 0/5 → 0.00% S in [1, n/128]: 0/5 → 0.00% Result: MAX BIAS: 4/5 signatures (80.00%) in [1, n/4] → Strong bias detected, likely caused by a biased nonce k. === Full Bit Analysis of S === Total signatures: 5 Count of fixed bits (always 0 or 1): 16 Fixed bits: Bit 4: always 0 Bit 8: always 1 Bit 49: always 0 Bit 50: always 0 Bit 55: always 1 Bit 69: always 0 Bit 77: always 1 Bit 93: always 0 Bit 102: always 1 Bit 103: always 1 Bit 116: always 0 Bit 146: always 0 Bit 180: always 0 Bit 183: always 0 Bit 202: always 0 Bit 255: always 0 Max sequence of consecutive fixed bits: 2 bits (starting at bit 49) Low 8 bits of S: ['0x6e', '0x2a', '0x29', '0xe4', '0xcc'] Result: MAX BIAS: 16 fixed bits; max block = 2 bits → Strong bias noticed, maybe due to some structural patterns in k. So, can we use this bias from just 5 signatures to make an attempt?
2 Reply Quote Share
real_hashMember
Posts: 9 · Reputation: 112
#2Jan 19, 2019, 12:40 AM
Can you share your code because I went to test how your bias code was working?
3 Reply Quote Share

Related topics