ECDSA Under Attack: Lattice Sieving and Fourier Analysis

6 replies 87 views
benseedFull Member
Posts: 60 · Reputation: 461
#1Jul 27, 2021, 05:20 PM
I stumbled upon this research... https://eprint.iacr.org/2024/296 The author was able to uncover the private key using multiple signatures with less than 4 bits of nonce leakage. My issue is that I don't have the k nonce. There's zero leakage. I don't know the private key or the original message used. So, I tweaked the script a bit. If it takes under 4 bits of nonce leakage to find the private key, I figured I could somehow 'leak' the 6 bits of the k nonce. I'm planning to test every possible pattern (my script will run through all 262,144 combinations). Just to note, I'm using only CPU and it should take about 22 hours to go through everything. I've been trying to follow the approach laid out in the research as closely as possible. What I'm curious about is why you think my method might not work? Where could I be messing up in my code? Thanks a lot. I really value your thoughts. P.S. I've taken out some library imports to keep it clearer.
3 Reply Quote Share
benseedFull Member
Posts: 60 · Reputation: 461
#2Jul 27, 2021, 09:40 PM
I was warn about this yesterday. I totally forgot about it when i was coding. thank you so much for the reminder. I appreciate it.
1 Reply Quote Share
ryanhawkMember
Posts: 5 · Reputation: 67
#3Jul 28, 2021, 03:14 AM
I made some adjustments to the code, but there are small nuances with the selection of signatures
4 Reply Quote Share
omega_bearFull Member
Posts: 116 · Reputation: 780
#4Jul 30, 2021, 10:27 AM
Code find privkey ?
4 Reply Quote Share
ryanhawkMember
Posts: 5 · Reputation: 67
#5Jul 31, 2021, 12:55 PM
https://eprint.iacr.org/2024/296
0 Reply Quote Share
sam.minerMember
Posts: 10 · Reputation: 116
#6Jul 31, 2021, 05:17 PM
to test if the script is functional there are 3 signatures with the k nonce of just 20 bits. r =  0x6f007fe0bc2a1a0f6d944b8d4a2353e48833e1f6be178f87f293068b25d6d96e s =  0xea5459e9fb80101fbc261b90c59bf20dc497f5f71c90356c9530d035d32bd023 z =  0x840131231b57268049ccbd6b2c84408251b935cb951c069ecb86cf8d4755bf34 k =  0xb37b1 r =  0xdc52f02499d8859b4be4a517898e23f42bd409d5d1ef0f9e49edf775c49aab93 s =  0x120e526332349b7ebe20565240feeb224ed1f0886990d70513a83cb6d941c648 z =  0xa4075d10756be846ad1156e878de2d43b8585e3baf7617b1f164e4c52956419 k =  0x9d59 r =  0xb52b260367f658f3527bfca721358daaa8a115d9566ba966ffdff77e103fd6b1 s =  0x1e7454c7321b93e0c8b85bfdc5801a2e0f29dd62724c3cd1b26a699a486661c5 z =  0xbd0636aac51faf14a7d3439ea4abd1d28095f2836e95d5eea3fbe68a4baaee52 k =  0x2a78a private key; 0x1a838b13505b26867 pubkey: 0430210c23b1a047bc9bdbb13448e67deddc108946de6de639bcc75d47c0216b1be383c4a8ed4fa c77c0d2ad737d8499a362f483f8fe39d1e86aaed578a9455dfc
1 Reply Quote Share
omega_bearFull Member
Posts: 116 · Reputation: 780
#7Jul 31, 2021, 07:19 PM
you try scrypt ? Result ? Try recover nonce or priv from this sighnatures ? r=861a00ee94221ccd4a4557f558f989642657187aad741dcb4298a13571859d49 nonce start with 0x4000000... s = 1 z= 0 r = fda403bfcb379b95a27ac76754fe77808e96b43419e33583cf5aba7d49c72f2d s = 1 z = 0 nonce start with 0x04000000... r =3031b819c8bbdb7484bf70ca79542da5566900dca414b9519302ca74b332bf72 nonce start with 0x00400000... s = 1 z = 0 Nonce from 254 to 255 bit What is a full nonce or privkey  ? Pubkey were this R used:          049c48b9367e0f42212c05e97d7af3534fe94673713c1cded5393fd6705f89fa5a05f0f60069f50 0e81490f26bcaf25d45e21a1a95954a416711555b05fab15941
3 Reply Quote Share

Related topics