Help with Lattice Attack Error

8 replies 320 views
benseedFull Member
Posts: 60 · Reputation: 461
#1May 22, 2017, 10:45 PM
Hey everyone, I could use some assistance. 1) I keep running into this error after downloading the program from here. I was trying to check for weak edcsa, but I can't get this tool to work right. Even when I use the example that comes with it and run gen_data.py, it just doesn't cooperate. Is there something specific I need to tweak? So when I run this: python3 lattice_attack.py It shows: Lattice ECDSA Attack Loading data from file data.json Running with 6 bits of k (LSB) Starting recovery attack (curve SECP256K1) Constructing matrix Solving matrix ... LLL reduction Traceback (most recent call last): File "/home/krash/lattack/lattice_attack.py", line 259, in <module> lattice_attack_cli(arg.f, arg.l) File "/home/krash/lattack/lattice_attack.py", line 239, in lattice_attack_cli result = recover_private_key( File "/home/krash/lattack/lattice_attack.py", line 195, in recover_private_key res = test_result(lattice, pub_key, curve) File "/home/krash/lattack/lattice_attack.py", line 93, in test_result if target_pubkey == ecdsa_lib.privkey_to_pubkey(cand1, curve): File "/home/krash/lattack/ecdsa_lib.py", line 129, in privkey_to_pubkey ec.derive_private_key(pv_key_int, ec_backend, backends.default_backend()) File "/usr/lib/python3/dist-packages/cryptography/hazmat/primitives/asymmetric/ec.py", line 332, in derive_private_key raise TypeError("private_value must be an integer type.") TypeError: private_value must be an integer type. What the heck is going on? 2) Also, if I want to put in my own data like (RSZ, hashes), which file do I need to modify?
2 Reply Quote Share
matrix_nodeFull Member
Posts: 85 · Reputation: 519
#2May 23, 2017, 07:47 AM
Hello If you have sage installed this conflict with fpylll integers. Possible solution is just use int(cand1) and int(cand2)  to avoid this. For second question. public transtion R,S,Z don't have leaked nonce. bitlogik lattice attack need leaked nonce min 4 bit with 100 sign pairs. If you consider you have weak nonce pairs in your R,S,Z you can use sage method from https://github.com/daedalus/BreakingECDSAwithLLL This one don't need leaked nonce bit but its attack on weak nonce data in R.
2 Reply Quote Share
SilentBridgeSenior Member
Posts: 124 · Reputation: 827
#3May 23, 2017, 08:19 AM
Did you install the dependencies and follow what's on the readme? It tells you how to edit the json file with your own information on what you know of your private key and coordinates of the public key, this is why I ask, maybe it's a step you've missed.
6 Reply Quote Share
benseedFull Member
Posts: 60 · Reputation: 461
#4May 23, 2017, 10:48 AM
Thank you so much. it works now. however, im just wondering and im doing it correctly because the generated data as shown is the same as the key found.   the generated data of Priv Key is the same as Key Found? python3 gen_data.py && python3 lattice_attack.py Preparing Data Private key to be found (as demo) : 0x416e7cb879e0e2d89aa6ad9e3426bf386a957a1c8f94c7907b528abc8eada15b Generating 1000 signatures with curve SECP256K1  leaking 6 bits for k (LSB)  ... File data.json written with all data.  ----- Lattice ECDSA Attack ----- Loading data from file data.json Running with 6 bits of k (LSB) Starting recovery attack (curve SECP256K1) Constructing matrix Solving matrix ... LLL reduction Key found \o/ 0x416e7cb879e0e2d89aa6ad9e3426bf386a957a1c8f94c7907b528abc8eada15b
0 Reply Quote Share
benseedFull Member
Posts: 60 · Reputation: 461
#5May 25, 2017, 07:47 AM
ah yes..i got that now. just for everyone who is reading this sake (and mine too) , is it enough to just give the public keys without giving the coordinates and the RSZ?
0 Reply Quote Share
cyberp1x3lFull Member
Posts: 56 · Reputation: 294
#6May 25, 2017, 01:00 PM
from OP maybe the problem is from the python version try to test on a different python version to solve a problem recommend with python 3.7 try this
3 Reply Quote Share
SilentBridgeSenior Member
Posts: 124 · Reputation: 827
#7May 25, 2017, 04:25 PM
The public key might be the coordinates already (if it's uncompressed) if it's compressed then you should probably run it through something that can give you both coordinates just to be safe. Afaik, uncompressed public keys start with hexadecimal 04 (0x04) and compressed public keys start with hexadecimals (02 or 03) as identifiers. I think your other question about using RSZ was answered also but maybe you could confirm that once you get something going or explain what it is that you're asking.
3 Reply Quote Share
benseedFull Member
Posts: 60 · Reputation: 461
#8May 25, 2017, 09:05 PM
this was posted back in september 2022. i already figure it out. it was the fpylll library. cant run with sagemath. need to uninstall the sagemath and then fpylll can be use.
5 Reply Quote Share
gw3i1337Full Member
Posts: 148 · Reputation: 495
#9May 25, 2017, 09:59 PM
Hello. How to find lsb or msb bit leak in lattice attack? Is there a method for this?
4 Reply Quote Share

Related topics